Solved

Suggestions for Best VPN Solution (MPLS or other type)

Posted on 2014-01-10
Last Modified: 2014-03-29
Dear Experts,

I am looking for the best VPN solution to implement to connect my office sites.
The scenario is:

HQ = 200 users
Site-1 = 50 users
Site-2 = 50 users
Site-3 = 10 users
Site-4 = 100 users
Site-5 = 20 users

To connect all these sites via VPN, please suggest the best solution. I am thinking about implementing MPLS but do not have much idea about MPLS or what the requirements are.

Thanks
Question by:nainasipra
10 Comments
 
LVL 10

Expert Comment

by:convergint
ID: 39772974
MPLS is offered by many vendors and works well. It can be either Layer 2, where you have full control (and thus responsibility) of the routing. I think of it like a super long fiber connection connecting the sites to the HQ. Or it can be Layer 3, where the ISP manages all the routes and you just plug your network into their router.

Depending on how complicated your network is, with a layer 3 scenario you might only need basic layer 2 switches and a firewall.  In a layer 2 scenario you would need more expensive layer 3 switches and some knowledge to program your own routing.

MPLS can run over many different technologies, so the requirements really depend on the bandwidth you require, the budget you have and what is physically available at each site (i.e., cable, fiber, etc.).

I've heard really good things with metro Ethernet but unfortunately it is not available up here in Canada so we don't have that option.  There's a small matrix here that summarizes many points between Ethernet vs MPLS: http://searchenterprisewan.techtarget.com/feature/MPLS-vs-Ethernet-Which-WAN-connectivity-option-is-best
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39774206
It depends on your requirements. MPLS is generally more expensive. Are there requirements like VoIP or other applications that require a more "guaranteed" performance between sites? If not, is there a reason a simple IPSec VPN in full mesh between sites wouldn't work? This requires a bit more config than MPLS, but will use a "normal" internet line from your ISP and will as a result be cheaper. However, because your site-to-site links are going over the internet, you can't guarantee performance between sites, and thus VoIP and other latency-sensitive applications would be affected a lot, I'm sure, even if you give that traffic priority within your LANs.
0
 

Author Comment

by:nainasipra
ID: 39774252
Dear cyclop,

If I plan to implement IPSec VPN, then what are the requirements, like devices and internet lines etc.?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39774264
Quite minimal actually. IPsec VPN is extremely common these days, so all corporate-level firewalls will be able to do it. There is no specific requirement for the internet line either. All it does is encrypt the traffic and send it from one site to another site, where it is then decrypted. MPLS is a "dedicated" line that will actually link all of our sites without that traffic going over lines shared with others. I put dedicated in quotes only because you do technically share lines even in MPLS, but due to the way it works, your traffic is never intermixed with anyone else's, like what happens with internet traffic.

I'm not sure what you plan to use for your gateway device at your sites, but chances are if you're looking into MPLS, you're already getting devices that can do IPsec VPN.
0
 

Author Comment

by:nainasipra
ID: 39774268
If I will have an ASA 5510 (HQ) and a Cisco router at all branch offices, then I can implement an IPSec solution. What about internet lines: will any leased line or normal broadband connection work for this solution also?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39774281
Yes. As long as that line puts your site on the internet, you can do IPsec VPN.

Keep in mind, though: IPsec VPN's pro may be that it is cheap because it doesn't require anything special to work. Its con is that it doesn't work well with latency-sensitive applications. Also, technically speaking, MPLS is more secure than IPsec VPN because even though IPsec VPN is encrypted it still goes over the internet with everyone else's data. With MPLS, your provider keeps everything separate, so less chance of bad people getting it and trying to see what the message is.
0
 
LVL 10

Expert Comment

by:convergint
ID: 39775232
We have been using an IPsec VPN with our link between country sites and it has been good and very reliable but we are going over a leased T1 line.  The old saying goes, you do get what you pay for.  If all you really need to do is connect the sites for file access and intranet then there's not really a need for MPLS.  However if you have critical services running over the links then you need to do some analysis of uptime guarantees and downtime financial costs.

Your equipment will be fine as long as you have enough licenses for all the site-to-site VPNs you want to create. Any internet connection will work as long as you have static IP addresses.
0
 

Author Comment

by:nainasipra
ID: 39775694
Do I require a static IP for all sites, or is the HQ site only enough? Because if I buy a static IP it means a leased line, and a leased line connection is costly.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39776962
You can purchase whatever you want from your ISP(s). Or you can maintain all server services at HQ (unless otherwise required), which is what I would recommend. If those servers don't require low-latency performance but high availability, you may want to look into a second link. A backup link via satellite isn't too bad. Latency is bad, but you don't have to worry that if the primary link gets cut the secondary is cut with it (you could also do multiple links coming in from separate areas of the building too).

Keep in mind MPLS won't necessarily give a better performance than IPsec VPN either depending on where your sites are located.  For that to happen you would have to pay more and get an SLA negotiated as well for a certain QoS, quality of service.

"if I buy a static IP it means a leased line, and a leased line connection is costly."

MPLS will definitely be more still. What were you thinking for a line? Better yet, can you elaborate on your network requirements? Right now we're guessing as to what you want. If you give us specifically what you're needing, we can better recommend what to go with. Yes, it may cost, but that is the cost of doing business.
0
 
LVL 10

Accepted Solution

by:
convergint earned 500 total points
ID: 39777434
If you don't have a static IP, it means that you will need some kind of dynamic DNS service on those sites.  The dynamic DNS service will continuously update the IP associated with a DNS name.

Basically, without a static IP, the provider could change your IP address at any time without telling you. Since each VPN needs to know where to connect to at all times, the VPN will break when/if the provider changes your IP address.

I'm not sure where you are located, but even a basic business ADSL or Cable connection will have an option for a static IP so the cost really should not be that much more.
0
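The failure described in the accepted answer, applied to the full-mesh IPsec layout suggested earlier in the thread, as an added example that is not part of the original posts. It goes slightly beyond the answer by counting how many pinned peer entries go stale when one site's address changes; the hostnames, addresses and function names are constructed for illustration, and the resolver is passed in so the check runs offline.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: site names from the question; hostnames and
# addresses are invented (RFC 5737 documentation ranges).
SITES = {"HQ": "hq.example.net", "Site-1": "s1.example.net",
         "Site-2": "s2.example.net", "Site-3": "s3.example.net",
         "Site-4": "s4.example.net", "Site-5": "s5.example.net"}
DNS_BEFORE = {host: f"203.0.113.{10 + i}"
              for i, host in enumerate(SITES.values())}
# The provider re-addresses Site-3; its dynamic DNS record follows.
DNS_AFTER = dict(DNS_BEFORE, **{"s3.example.net": "198.51.100.77"})

def full_mesh(sites):
    """One tunnel per unordered pair of sites: n*(n-1)/2 tunnels."""
    return list(combinations(sorted(sites), 2))

def build_config(resolve):
    """Pin each peer's currently resolved address on both tunnel ends.
    Keys are (local_site, remote_site); values are the pinned peer IP."""
    cfg = {}
    for a, b in full_mesh(SITES):
        cfg[(a, b)] = resolve(SITES[b])
        cfg[(b, a)] = resolve(SITES[a])
    return cfg

def stale_peers(configured, resolve):
    """Return (local, remote, pinned_ip, current_ip) for every pinned peer
    address that no longer matches what the peer's DNS name resolves to."""
    stale = []
    for (local, remote), pinned in sorted(configured.items()):
        current = resolve(SITES[remote])
        if ipaddress.ip_address(pinned) != ipaddress.ip_address(current):
            stale.append((local, remote, pinned, current))
    return stale

def demo():
    """Pin peers from the old records, then audit against the new ones.
    On a live network, socket.gethostbyname would be the resolver."""
    cfg = build_config(DNS_BEFORE.__getitem__)
    return stale_peers(cfg, DNS_AFTER.__getitem__)

if __name__ == "__main__":
    print(f"{len(full_mesh(SITES))} tunnels in the mesh")
    for local, remote, old, new in demo():
        print(f"{local}: peer {remote} pinned to {old}, now resolves to {new}")
```
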
