Solved

WAN Upgrade Options, MPLS versus site-to-site VPN or something else.

Posted on 2013-01-15
385 Views
Last Modified: 2013-01-23
Experts,
I need some advice please. I am in the process of gathering quotes for upgrading (replacing) our network. We currently have three locations in a hub and spoke configuration: sites A, B and C, where A is the hub and B and C are the spokes (remotes). We currently use a fiber solution from Verizon which is a transparent LAN services circuit, with A having 100/100 Mbps and the remotes having 10/10 Mbps. This hasn't been a bad setup, but it does not meet our current need of 100 Mbps at the remotes. I can upgrade the remotes to 100 Mbps and the hub to 1 Gig, but the cost is prohibitive. Also in the scenario is a 40/40 fiber internet connection from another vendor which serves all three locations. I do not (but would like to) offer wifi at the remotes. I don't now because I don't want to slow the WAN connections down any farther than they already are. The internet connection is also used to connect a couple of web sites we host internally and to connect 6 small site-to-site VPNs and SSL VPN clients through a SonicWall NSA appliance.

I am looking into going the MPLS route with site A on 200/200 and B and C on 100/100 with all three sites using a firewall internet gateway (in the cloud) of 100/100 for internet access.

I am also exploring getting a higher bandwidth internet connection at each location, again 200/200 at A and 100/100 at B and C, and using NSAs to connect site-to-site VPNs.

Also in the mix is an older PBX/IP hybrid phone system (PRI at each location) which has an ACD group at site A and uses the network for 4-digit dialing, auto attendant, 70+ digital extensions and 4 IP phones.

I am having trouble deciding what the best options are. I am using a couple of consultants to explore options and pricing for me. The goal is to have 100/100 at the remotes for our business traffic, which is general file sharing, email hosted at site A and large image files (200+ MB per file, multiple files per day). We hope to be replacing the phone system over the next year or two, and I want to put in place a network that can handle the large image traffic and also be a solid foundation for a more robust phone system in the future, whether that is cloud based or hosted, digital PBX or IP based (I prefer going the IP phone route for email client integration).

Using the information supplied can I please get advice on what you think are the best options to build the network? Cost is a consideration.

Thank you for your time and input.
Question by:xrayeyes
6 Comments
LVL 32

Expert Comment

by:harbor235
ID: 38783532
MPLS based solutions offer a lot of flexibility. I am unsure based on your description if you will have separate firewalls and internet connections at each site?

Of course a viable solution would be to centralize the security and internet stacks, like a traditional hub and spoke, however leveraging MPLS for WAN transport: one internet connection, one security cluster, one PBX, etc. Are the sites relatively closely located geographically? Are you currently really pushing 100 Mbps at each remote, or are you also allowing for growth?

harbor235 ;}
Author Comment

by:xrayeyes
ID: 38783768
Harbor,

Thank you for responding. I have been presented with two options for internet in the MPLS model. One with a cloud based firewall so that all three sites are funneled through that for internet access. I like this option for security and cost reasons, but I am unsure how to handle the current site-to-site VPNs with this, but that is because I do not understand the model well enough. The other has each site with a separate internet hand-off from the vendor's managed equipment to a firewall I would manage on site. I kind of like the second option, but it would be more expensive buying and keeping maintenance and security services contracts on those devices. I am posing the question because I am looking for feedback on what the best option is.

We are installing a new application that recommends being on a 100 Mbps WAN connection. We are currently on a 10 Mbps connection at the remotes and a 100 Mbps connection at the hub. There are times during the day that the remote circuits are saturated. I am looking to have all of the connections on a gig loop so we can expand the bandwidth in the future should we have the need (and the money). The sites are within a 15/20 mile radius of each other.

Thanks.
LVL 32

Accepted Solution

by: harbor235 (earned 500 total points)
ID: 38784404
The cloud firewall is attractive from a pricing perspective, and I can tell you that I have worked with this solution in the past. Cloud is a catch-all phrase nowadays; in essence the provider will provide a FW between you and the internet peering routers. This is a sound solution and is mature. The questions I would ask are as follows:

1) Is the firewall solution a shared or dedicated solution?
2) Is this a high availability solution?
3) Are there restrictions on policy changes?
4) Are there additional costs when making policy changes?
5) How much time is required to schedule a policy change?
6) Do they provide traffic analysis and reporting capabilities?

The dedicated firewall and internet solution provides better access to the devices and no single point of failure for external access, in other words this solution provides better control of the infrastructure.

It will all depend on what is more important, cost or control?


harbor235 ;}

Author Comment

by:xrayeyes
ID: 38787048
Harbor,

Again thank you for your input. If I am reading your post correctly you are saying.

Option 1 - Vendor controlled internet firewall/gateway (cloud) is a good solution, but look out for hidden charges related to change control and do my homework related to speed and policy control. It also presents as one portal for internet access, which translates to: when the one is down, all are down (internet).

Option 2 - Vendor hands off to me, and with a firewall I purchase I control internet access policies.

So thinking this through on this post, if I want better control and access of site-to-site VPNs and other VPN client access at my admin site (site A), Option 2 looks better. At my remote sites, putting in a basic firewall for wireless access for customers and having more control over that firewall, again Option 2 looks better. The difference is that Option 2 is traditionally more expensive than Option 1 (although the quotes I have look comparable between options 1 and 2).

Thanks.
Author Comment

by:xrayeyes
ID: 38809870
Although I was hoping for more input on my post, Harbor did respond and the input is helpful, so thank you.

LVL 32

Expert Comment

by:harbor235
ID: 38810243
xrayeyes,

What other information do you need? I can continue this thread if you like.

harbor235 ;}