Multiple Office WAN re-design

Dec 17th, 2008

Good day.

I wish to seek some advice as we evaluate a re-design of our WAN structure.

Currently we have multiple offices around the world. Our current design is a full-mesh IPSec network over the commodity internet.

We now have 3 offices designated as data-centers that all other offices will access. However, we also have a requirement that every office be able to access every other office.

Given three datacenters, the thought would have been a distributed hub-and-spoke, as an alternative to the full mesh, but the management of that is as daunting as the full mesh topology.

Can anyone suggest a simpler way to connect every office to every other office in a manageable fashion?

My first thought was laying out an MPLS VPN structure to provide connectivity and easy management, but I have no experience with MPLS.

Thank you so much for your time.

Jon Marshall Wed, 12/17/2008 - 08:57

Benjamin

An MPLS VPN solution would certainly meet the requirements you have outlined here. Each site simply needs one connection to the MPLS cloud and then can talk to any other of your sites. Note that with MPLS VPNs you can pick subsets within your sites so sites 1, 2, 3 can talk to every other site whereas 4, 5 can only talk to the DCs.

How you connect to the MPLS network is largely a matter of discussing with your Service Provider. Some may require you to use BGP, others may be okay with static routing, others may have a range of options from static to IGPs, e.g. EIGRP/OSPF, through to BGP.

Note that your routers that connect to the MPLS cloud do not need to support MPLS functionality and you will not need to configure MPLS on those routers, but they may need to run certain routing protocols as above, so you need to check the requirements from the ISP.

The management of this setup is as you rightly point out a lot simpler than trying to maintain a full or distributed mesh. If your security needs dictate it there is nothing to stop you running IPSEC with the MPLS network - your choice.

If you have any other follow-up questions then don't hesitate to ask.

Jon

bsisco Wed, 12/17/2008 - 09:16

Jon,

Thank you for confirming my thoughts on this. Might you be able to provide me with some resources to learn more about MPLS and implementation?

Thanks again!

pauloroque Fri, 01/09/2009 - 06:51

Hi Bsisco.

Have you considered DMVPN? DMVPN is a scalable technique for VPN and it implements spoke-to-spoke communication naturally. I think it is the best choice for you.

Paulo Roque

bsisco Fri, 01/09/2009 - 08:01

Thank you Paulo.

I will definitely look into this as an option, one, because of the cost of MPLS, and rumors that MPLS as a technology is only finding limited success because of the requirements for individual connectivity (hard if not impossible to use with each office using a different ISP).
