WAN Upgrade Options, MPLS versus site-to-site VPN or something else.

Posted on 2013-01-15
Last Modified: 2013-01-23
I need some advice please. I am in the process of gathering quotes for upgrading (replacing) our network. We currently have three locations in a hub and spoke configuration. Sites A, B and C where A is the hub, B and C are the spokes (remotes). We currently use a fiber solution from Verizon which is a transparent LAN services circuit with A having 100/100Mbps and remotes having 10/10Mbps. This hasn’t been a bad setup but it does not meet our current needs of 100Mbps at the remote. I can upgrade the remotes to 100Mbps and the hub to 1gig but the cost is prohibitive. Also in the scenario is a 40/40 fiber internet connection from another vendor which serves all three locations. I do not (but would like to) offer wifi at the remotes. I don’t now because I don't want to slow the WAN connections down any further than they already are. The internet connection is also used to connect a couple of web sites we host internally and to connect 6 small site-to-site VPNs and SSL VPN clients through a Sonicwall NSA appliance.

I am looking into going the MPLS route with site A on 200/200 and B and C on 100/100 with all three sites using a firewall internet gateway (in the cloud) of 100/100 for internet access.

I am also exploring getting a higher bandwidth Internet connection at each location, again 200/200 at A and 100/100 at B and C, and using NSAs to connect site-to-site VPNs.

Also in the mix is an older PBX/IP hybrid phone system (PRI at each location) which has an ACD group at site A and uses the network for 4 digit dialing, auto attendant, 70+ digital extensions and 4 IP phones.

I am having trouble deciding what the best options are; I am using a couple of consultants to explore options and pricing for me. The goal is to have the 100/100 at the remotes for our business traffic, which is general file sharing, email hosted at site A and large image files (200+mb per file, multiple files per day). We hope to be replacing the phone system over the next year or two and I want to put in place a network that can handle the large image traffic and also be a solid foundation for a more robust phone system in the future, whether that is cloud based or hosted, digital PBX or IP based (prefer going the IP phone route for email client integration).

Using the information supplied can I please get advice on what you think are the best options to build the network? Cost is a consideration.

Thank you for your time and input.
Question by: xrayeyes
LVL 32

Expert Comment

ID: 38783532
MPLS based solutions offer a lot of flexibility. I am unsure based on your description if you will have separate firewalls and internet connections at each site?

Of course a viable solution would be to centralize the security and internet stacks, like a traditional hub and spoke, however leveraging MPLS for WAN transport. One internet connection, one security cluster, one PBX, etc. Are the sites relatively closely located geographically? Are you currently really pushing 100Mbps at each remote or are you also allowing for growth?

harbor235 ;}

Author Comment

ID: 38783768

Thank you for responding. I have been presented with two options for internet in the MPLS model. One with a cloud based firewall so that all three sites are funneled through that for internet access. I like this option for security and cost reasons but I am unsure how to handle the current site-to-site VPN with this but that is because I do understand the model well enough. The other has each site with a separate internet hand off from the vendor's managed equipment to a firewall I would manage on site. I kind of like the second option but it would be more expensive buying and keeping maintenance and security services contracts on those devices. I am posing the question because I am looking for feedback on what the best option is.

We are installing a new application that recommends being on a 100Mbps WAN connection; we are currently on a 10Mbps connection at remotes and a 100Mbps connection at the hub. There are times during the day that the remote circuits are saturated. I am looking to have all of the connections on a gig loop so we can expand the bandwidth in the future should we have the need (and the money). The sites are within a 15/20 mile radius of each other.

LVL 32

Accepted Solution

harbor235 earned 500 total points
ID: 38784404
The cloud firewall is attractive from a pricing perspective, and I can tell you that I have worked with this solution in the past. Cloud is a catch-all phrase nowadays; in essence the provider will provide a FW between you and the internet peering routers. This is a sound solution and is mature. The questions I would ask are as follows:

1) Is the firewall solution a shared or dedicated solution?
2) Is this a high availability solution?
3) Are there restrictions on policy changes?
4) Are there additional costs when making policy changes?
5) How much time is required to schedule a policy change?
6) Do they provide traffic analysis and reporting capabilities?

The dedicated firewall and internet solution provides better access to the devices and no single point of failure for external access, in other words this solution provides better control of the infrastructure.

It will all depend on what is more important, cost or control?

harbor235 ;}


Author Comment

ID: 38787048

Again, thank you for your input. If I am reading your post correctly you are saying:

Option 1 - Vendor controlled internet firewall/gateway (cloud) is a good solution but look out for hidden charges related to change control and do my homework related to speed and policy control. Also presents as one portal for internet access which translates to when the one is down all are down (internet).

Option 2 - Vendor hands off to me and with a firewall I purchase, I control internet access policies.

So thinking this through on this post, if I want better control and access of site-to-site VPNs and other VPN client access at my admin site (site A), Option 2 looks better. At my remote sites, putting in a basic firewall for wireless access for customers and having more control over that firewall, again Option 2 looks better. The difference is that Option 2 is traditionally more expensive (although the quotes I have look comparable between Option 1 and 2) than Option 1.


Author Comment

ID: 38809870
Although I was hoping for more input to my post, Harbor did respond and the input is helpful, so thank you.
LVL 32

Expert Comment

ID: 38810243

What other information do you need? I can continue this thread if you like.

harbor235 ;}

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Messaging apps are amazing tools with the power to do a lot of good, but the truth is the process of collaborating with coworkers requires relationships established through meaningful communication - the kind of communication that only happens face-…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question