Solved

Suggestions for Best VPN Solution (MPLS or other type)

Posted on 2014-01-10
Last Modified: 2014-03-29
Dear Experts,

I am looking for the best VPN solution to implement to connect my office sites.
The scenario is:

HQ = 200 users
Site-1 = 50 users
Site-2 = 50 users
Site-3 = 10 users
Site-4 = 100 users
Site-5 = 20 users

To connect all these sites via VPN, please suggest the best solution. I am thinking about implementing MPLS but do not have much idea about MPLS and what the requirements are.

thanks
Question by:nainasipra
10 Comments
 
LVL 10

Expert Comment

by:convergint
ID: 39772974
MPLS is offered by many vendors and works well.  It can be either Layer 2, where you have full control (and thus responsibility) of the routing.  I think of it like a super long fiber connection connecting the sites to the HQ.  Or it can be Layer 3, where the ISP manages all the routes and you just plug your network into their router.

Depending on how complicated your network is, with a layer 3 scenario you might only need basic layer 2 switches and a firewall.  In a layer 2 scenario you would need more expensive layer 3 switches and some knowledge to program your own routing.

MPLS can run over many different technologies, so the requirements really depend on the bandwidth you require, the budget you have and what is physically available at each site (i.e., cable, fiber, etc.).

I've heard really good things with metro Ethernet but unfortunately it is not available up here in Canada so we don't have that option.  There's a small matrix here that summarizes many points between Ethernet vs MPLS: http://searchenterprisewan.techtarget.com/feature/MPLS-vs-Ethernet-Which-WAN-connectivity-option-is-best
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39774206
It depends on your requirements.  MPLS is generally more expensive.  Are there requirements like VoIP or other applications that require a more "guaranteed" performance between sites?  If not, is there a reason a simple IPsec VPN in full mesh between sites wouldn't work?  This requires a bit more config than MPLS, but will use a "normal" internet line from your ISP and will as a result be cheaper.  However, because your site-to-site links are going over the internet, you can't guarantee performance between sites, and thus VoIP and other latency-sensitive applications would be affected a lot, I'm sure, even if you give that traffic priority within your LANs.
 

Author Comment

by:nainasipra
ID: 39774252
Dear cyclop,

If I plan to implement IPsec VPN, then what are the requirements, like devices and internet lines, etc.?
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39774264
Quite minimal actually.  IPsec VPN is extremely common these days, so all corporate-level firewalls will be able to do it.  There is no specific requirement for the internet line either.  All it does is encrypt the traffic and send it from one site to another site, where it is then decrypted.  MPLS is a "dedicated" line that will actually link all of our sites without that traffic going over lines shared with others.  I put dedicated in quotes only because you do technically share lines even in MPLS, but due to the way it works, your traffic is never intermixed with anyone else's, like what happens with internet traffic.

I'm not sure what you plan to use for your gateway device at your sites, but chances are if you're looking into MPLS, you're already getting devices that can do IPsec VPN.
 

Author Comment

by:nainasipra
ID: 39774268
If I have an ASA 5510 (HQ) and a Cisco router at all branch offices, then I can implement the IPsec solution. What about internet lines: will any leased line or normal broadband connection also work for this solution?
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39774281
Yes.  As long as that line puts your site on the internet, you can do IPsec VPN.

Keep in mind though: IPsec VPN's pro may be that it is cheap because it doesn't require anything special to work.  Its con is that it doesn't work well with latency-sensitive applications.  Also, technically speaking, MPLS is more secure than IPsec VPN because even though IPsec VPN is encrypted it still goes over the internet with everyone else's data. With MPLS, your provider keeps everything separate, so there is less chance of bad people getting it and trying to see what the message is.
 
LVL 10

Expert Comment

by:convergint
ID: 39775232
We have been using an IPsec VPN with our link between country sites and it has been good and very reliable but we are going over a leased T1 line.  The old saying goes, you do get what you pay for.  If all you really need to do is connect the sites for file access and intranet then there's not really a need for MPLS.  However if you have critical services running over the links then you need to do some analysis of uptime guarantees and downtime financial costs.

Your equipment will be fine as long as you have enough licenses for all the site to site vpns you want to create.  Any internet connection will work as long as you have static IP addresses.
 

Author Comment

by:nainasipra
ID: 39775694
Do I require a static IP for all sites, or is the HQ site only enough? Because if I buy a static IP it means a leased line, and a leased line connection is costly.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39776962
You can purchase whatever you want from your ISP(s).  Or you can maintain all server services at HQ (unless otherwise required), which is what I would recommend.  If those servers don't require low-latency performance but high availability, you may want to look into a second link.  A backup link via satellite isn't too bad.  Latency is bad, but you don't have to worry that if the primary link gets cut the secondary is cut with it (you could also do multiple links coming in from separate areas of the building too).

Keep in mind MPLS won't necessarily give a better performance than IPsec VPN either depending on where your sites are located.  For that to happen you would have to pay more and get an SLA negotiated as well for a certain QoS, quality of service.

"if I buy a static IP it means a leased line, and a leased line connection is costly."

MPLS will definitely be more still.  What were you thinking for a line?  Better yet, can you elaborate on your network requirements?  Right now we're guessing as to what you want.  If you give us specifically what you're needing, we can better recommend what to go with.  Yes, it may cost, but that is the cost of doing business.
 
LVL 10

Accepted Solution

by:
convergint earned 500 total points
ID: 39777434
If you don't have a static IP, it means that you will need some kind of dynamic DNS service on those sites.  The dynamic DNS service will continuously update the IP associated with a DNS name.

Basically, without a static IP, the provider could change your IP address at any time without telling you.  Since each VPN needs to know where to connect to at all times, the VPN will break when/if the provider changes your IP address.

I'm not sure where you are located, but even a basic business ADSL or Cable connection will have an option for a static IP so the cost really should not be that much more.
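The failure mode described in the accepted answer, as an added example that is not part of the original thread: a small watchdog compares the address each site's dynamic DNS name currently resolves to with the peer address held in the VPN configuration, and reports the tunnels that would break. The hostnames, addresses and function names are constructed for illustration; a name that resolves to a private address is reported separately, because re-pointing a tunnel at it would never work.

```python
import ipaddress
import socket

# Ranges that can never be a valid Internet-facing VPN peer address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed inventory: site -> (dynamic DNS name, peer IP in the VPN config).
CONFIGURED_PEERS = {
    "site-1": ("site1.vpn.example.net", "198.51.100.10"),
    "site-2": ("site2.vpn.example.net", "198.51.100.20"),
    "site-3": ("site3.vpn.example.net", "198.51.100.30"),
    "site-5": ("site5.vpn.example.net", "198.51.100.50"),
}

# Constructed DNS answers so the example runs offline (site2 has no record).
SAMPLE_DNS = {
    "site1.vpn.example.net": "198.51.100.10",  # unchanged
    "site3.vpn.example.net": "203.0.113.77",   # ISP handed out a new address
    "site5.vpn.example.net": "192.168.1.2",    # DDNS client published its LAN address
}

def resolve_ipv4(name):
    """Live lookup: first IPv4 address for name, or None on failure."""
    try:
        return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]
    except (socket.gaierror, IndexError):
        return None

def find_stale_peers(peers, resolver=resolve_ipv4):
    """Return {site: (status, configured_ip, current_ip)} for tunnels needing attention."""
    findings = {}
    for site, (name, configured) in peers.items():
        current = resolver(name)
        if current is None:
            findings[site] = ("unresolved", configured, None)
        elif any(ipaddress.ip_address(current) in net for net in NON_ROUTABLE):
            # Never re-point a tunnel at such an answer; fix the DDNS client instead.
            findings[site] = ("non-routable", configured, current)
        elif ipaddress.ip_address(current) != ipaddress.ip_address(configured):
            findings[site] = ("changed", configured, current)
    return findings

if __name__ == "__main__":
    stale = find_stale_peers(CONFIGURED_PEERS, SAMPLE_DNS.get)
    for site, finding in sorted(stale.items()):
        print(site, *finding)
```

Calling `find_stale_peers(CONFIGURED_PEERS)` without the second argument performs live DNS lookups instead of using the constructed answers.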