Suggestions for Best VPN Solution (MPLS or other type)

Dear Experts,

I am looking for the best VPN solution to implement for connecting my office sites.
Scenario is:

HQ = 200 users
Site-1 = 50 users
Site-2 = 50 users
Site-3 = 10 users
Site-4 = 100 users
Site-5 = 20 users

To connect all these sites via VPN, please suggest the best solution. I am thinking about implementing MPLS, but I do not have much idea about MPLS and what the requirements are.


MPLS is offered by many vendors and works well. It can be either Layer 2, where you have full control (and thus responsibility) of the routing. I think of it like a super long fiber connection connecting the sites to the HQ. Or it can be Layer 3, where the ISP manages all the routes and you just plug your network into their router.

Depending on how complicated your network is, with a Layer 3 scenario you might only need basic Layer 2 switches and a firewall. In a Layer 2 scenario you would need more expensive Layer 3 switches and some knowledge to program your own routing.

MPLS can run over many different technologies, so the requirements really depend on the bandwidth you require, the budget you have, and what is physically available at each site (i.e., cable, fiber, etc.).

I've heard really good things about metro Ethernet, but unfortunately it is not available up here in Canada, so we don't have that option. There's a small matrix here that summarizes many points between Ethernet vs MPLS:

Cyclops3590, Sr Software Engineer, commented:
It depends on your requirements. MPLS is generally more expensive. Are there requirements like VoIP or other applications that require more "guaranteed" performance between sites? If not, is there a reason a simple IPsec VPN in full mesh between sites wouldn't work? This requires a bit more config than MPLS, but it will use a "normal" internet line from your ISP and will as a result be cheaper. However, because your site-to-site links are going over the internet, you can't guarantee performance between sites, and thus VoIP and other latency-sensitive applications would be affected a lot, I'm sure, even if you give that traffic priority within your LANs.

nainasipra (Author) commented:
Dear Cyclops,

If I plan to implement an IPsec VPN, then what are the requirements, like devices and internet lines, etc.?

Cyclops3590, Sr Software Engineer, commented:
Quite minimal, actually. IPsec VPN is extremely common these days, so all corporate-level firewalls will be able to do it. There is no specific requirement for the internet line either. All it does is encrypt the traffic and send it from one site to another site, where it is then decrypted. MPLS is a "dedicated" line that will actually link all of your sites without that traffic going over lines shared with others. I put dedicated in quotes only because you do technically share lines even in MPLS, but due to the way it works, your traffic is never intermixed with anyone else's, like what happens with internet traffic.

I'm not sure what you plan to use for your gateway device at your sites, but chances are, if you're looking into MPLS, you're already getting devices that can do IPsec VPN.

nainasipra (Author) commented:
If I will have an ASA 5510 (HQ) and a Cisco router at all branch offices, then I can implement the IPsec solution. What about internet lines: will any leased line or normal broadband connection work for this solution also?

Cyclops3590, Sr Software Engineer, commented:
Yes. As long as that line puts your site on the internet, you can do IPsec VPN.

Keep in mind, though: an IPsec VPN's pro may be that it is cheap, because it doesn't require anything special to work. Its con is that it doesn't work well with latency-sensitive applications. Also, technically speaking, MPLS is more secure than an IPsec VPN because, even though the IPsec VPN is encrypted, it still goes over the internet with everyone else's data. With MPLS, your provider keeps everything separate, so there is less chance of bad people getting it and trying to see what the message is.

We have been using an IPsec VPN for our link between country sites, and it has been good and very reliable, but we are going over a leased T1 line. The old saying goes: you do get what you pay for. If all you really need to do is connect the sites for file access and intranet, then there's not really a need for MPLS. However, if you have critical services running over the links, then you need to do some analysis of uptime guarantees and downtime financial costs.

Your equipment will be fine as long as you have enough licenses for all the site-to-site VPNs you want to create. Any internet connection will work as long as you have static IP addresses.

nainasipra (Author) commented:
Do I require a static IP for all sites, or is the HQ site only enough? Because if I buy a static IP it means a leased line, and a leased line connection is costly.

Cyclops3590, Sr Software Engineer, commented:
You can purchase whatever you want from your ISP(s). Or you can maintain all server services at HQ (which is what I would recommend unless otherwise required). If those servers don't require low-latency performance but do require high availability, you may want to look into a second link. A backup link via satellite isn't too bad: latency is bad, but you don't have to worry that if the primary link gets cut the secondary is cut with it (you could also do multiple links coming in from separate areas of the building, too).

Keep in mind MPLS won't necessarily give better performance than an IPsec VPN either, depending on where your sites are located. For that to happen you would have to pay more and get an SLA negotiated as well for a certain QoS (quality of service).

"if i will buy static IP its mean leased line, and leased line connection is costly."

MPLS will definitely still be more. What were you thinking for a line? Better yet, can you elaborate on your network requirements? Right now we're guessing as to what you want. If you give us specifically what you're needing, we can better recommend what to go with. Yes, it may cost, but that is the cost of doing business.

If you don't have a static IP, it means that you will need some kind of dynamic DNS service at those sites. The dynamic DNS service will continuously update the IP associated with a DNS name.

Basically, without a static IP, the provider could change your IP address at any time without telling you. Since each VPN needs to know where to connect to at all times, the VPN will break when/if the provider changes your IP address.

I'm not sure where you are located, but even a basic business ADSL or Cable connection will have an option for a static IP so the cost really should not be that much more.
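A worked hub-and-spoke configuration for the pattern this thread keeps circling (one fixed, static endpoint at HQ; branches on ordinary broadband with changing addresses, identified by their IKE identity rather than by source IP) is added below as an illustration. It is not from any of the commenters and does not use the Cisco ASA/router mentioned by the author; it is written for strongSwan's swanctl.conf, which is assumed here purely so the two sides can be shown side by side in one readable format. All names, addresses and subnets (hq.example.com, 203.0.113.10, site1.example.com, 10.0.0.0/24, 10.1.0.0/24) and the placeholder PSK are assumptions.

```conf
# Added example, not from the thread. strongSwan swanctl.conf, IKEv2, pre-shared keys.
# Assumed: HQ has static public IP 203.0.113.10 and a DNS name hq.example.com;
# Site-1 sits behind a dynamic ISP address and only ever *initiates* to HQ.

# ---------------- HQ hub: /etc/swanctl/swanctl.conf ----------------
connections {
    site1 {
        version      = 2
        local_addrs  = 203.0.113.10
        remote_addrs = %any              # branch address is unknown and may change
        proposals    = aes256-sha256-x25519
        dpd_delay    = 30s
        local  {
            auth = psk
            id   = hq.example.com
        }
        remote {
            auth = psk
            id   = site1.example.com     # peer is matched on IKE identity, not on IP
        }
        children {
            site1-net {
                local_ts      = 10.0.0.0/24     # HQ LAN (assumed)
                remote_ts     = 10.1.0.0/24     # Site-1 LAN (assumed)
                esp_proposals = aes256gcm16-x25519
                dpd_action    = clear           # hub never chases a stale branch address
                # no start_action: the hub waits for the branch to connect
            }
        }
    }
    # site2, site3, ... : copy the block, change id/remote_ts, use a different PSK
}

secrets {
    ike-site1 {
        id-1   = hq.example.com
        id-2   = site1.example.com
        secret = "replace-with-a-long-random-psk-unique-to-site1"   # per-branch key
    }
}

# ---------------- Site-1 branch: /etc/swanctl/swanctl.conf ----------------
connections {
    hq {
        version      = 2
        local_addrs  = %any              # whatever address the ISP hands out today
        remote_addrs = hq.example.com    # resolved on every (re)connect; HQ is the fixed point
        proposals    = aes256-sha256-x25519
        dpd_delay    = 30s
        keyingtries  = 0                 # retry forever after an outage or address change
        local  {
            auth = psk
            id   = site1.example.com
        }
        remote {
            auth = psk
            id   = hq.example.com
        }
        children {
            hq-net {
                local_ts      = 10.1.0.0/24
                remote_ts     = 10.0.0.0/24
                esp_proposals = aes256gcm16-x25519
                start_action  = start          # bring the tunnel up at boot
                dpd_action    = restart        # re-establish when the ISP changes our IP
            }
        }
    }
}

secrets {
    ike-hq {
        id-1   = site1.example.com
        id-2   = hq.example.com
        secret = "replace-with-a-long-random-psk-unique-to-site1"   # same key as on the hub
    }
}
```

Two points a practitioner would check before deploying this shape. First, because the hub accepts IKE from `%any`, each branch must have its own PSK (or, better, a certificate), so that a key lifted from one branch router cannot be used to impersonate another site; the `secrets` entry is keyed on the pair of identities for exactly that reason. Second, this removes the need for a static IP or dynamic DNS at the branches only: HQ still needs a fixed address or a DNS name that stays correct, because it is the one endpoint everybody else dials.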
