From: Colm O'Leary (Colm.O'Leary@anpost.ie)
Date: Wed Aug 16 2006 - 08:20:27 ART
Yoshi,
We recently migrated a 200-site branch network from leased line to
leased line into MPLS. In our scenario we created internet access at two
headend locations. All firewall, internet proxy, anti-virus, Websense,
IDS and ACL functions are kept centrally. The cost of ownership of such a
solution is much less than having these services distributed. It also
provides for better security, as the overlap from trusted/untrusted only
exists in two locations as opposed to multiple locations, and the chances
of a misconfiguration on one/two nodes causing a meltdown are a lot less
than on 20 nodes.
The cost of installing 20 additional internet links needs to be
weighed against the cost of the additional bandwidth required at the
internet links at the headend, and also the additional bandwidth required
on the CE to PE connection to facilitate internet bandwidth back to the
center.
Routing will be more complex for a 20-site internet solution, and
will most likely result in the requirement to have a proxy server
located in each site. This will introduce a single point of failure, along
with the internet link itself at the remote site, and will make dynamic
failover more complex than a headend solution.
Other web-based services such as your organisation's SMTP, VPNs, FTP
etc. should also be factored into your decision. It will probably not be
feasible to distribute all these services to all branch locations,
therefore bandwidth will be required for these services at the headend
anyway.
By keeping all web-based services centrally located, you can purchase
differing SLAs from the telco for different types of traffic; for
example, SMTP could be given higher precedence over HTTP/HTTPS traffic
in times of congestion.
HTH,
Colm
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Michael Stout
Sent: 15 August 2006 15:57
To: jjrinehart@hotmail.com; supernet@comcast.net; cisco@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: RE: Migrating to MPLS
I would prefer the topo Joe outlined.
However the design with 21 internet sites will work too.
I would just make sure you don't use your corp net as an internet transit
area.
--------------------------------------------------------------------
From: "Joe Rinehart" <jjrinehart@hotmail.com>
Reply-To: "Joe Rinehart" <jjrinehart@hotmail.com>
To: <supernet@comcast.net>, <cisco@groupstudy.com>
CC: <ccielab@groupstudy.com>
Subject: RE: Migrating to MPLS
Date: Mon, 14 Aug 2006 10:09:47 -0700
I used to work for AT&T and designed MPLS WANs for customers. Usually
there are two basic topologies when it comes to Internet access,
centralized and distributed, which is what they are suggesting here.
Sometimes the reasons for suggesting a centralized model have to do with
scalability (maintaining just one potential point of incursion as opposed
to many), but it can mask an additional reason, namely propagation of a
default route. I know the way AT&T had implemented MPLS only allowed a
single active default route to be used, per region (the network had
regions for the US, EMEA, AP, and CALA). It used to raise some eyebrows
but since most had centralized Internet access it was not as big a
concern.
Personally I think having two sites, a primary and a secondary, makes
sense and isn't the management nightmare you are implying here.
Joe
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
Of
supernet@comcast.net
Sent: Sunday, August 13, 2006 6:01 PM
To: cisco@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: Migrating to MPLS
My company has 21 branch offices worldwide. We currently run on a frame
relay network and all the sites access the Internet via our main office.
My company recently hired a consulting company to migrate our network to
MPLS. Their plan is to use MPLS for the internal traffic but add Internet
access at each branch office (install 21 firewalls, IDSes etc). Does it
make sense? I think it'll be a management nightmare to control 21 sets of
firewall/IDS.
Any advice? Thanks. Yoshi
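Added illustration (not configuration from any of the posters, nor from AT&T): a Cisco IOS-style sketch of the centralised design the thread argues for. Two headend CEs originate the default route into the MPLS VPN, the secondary prepends its AS path so branches prefer the primary until the primary's BGP session to the PE drops and its default is withdrawn, each branch CE advertises only its own LAN and accepts only the default plus corporate prefixes, and an ACL on the headend's PE-facing interface drops anything not sourced from corporate address space so the corporate network cannot be used as an Internet transit area. Every AS number, address, interface name, prefix-list and route-map name is an assumption; whether the secondary's prepended default is actually accepted depends on the provider's policy (Joe notes AT&T allowed only one active default per region).

```cisco
! ---- Headend A CE (primary internet exit), AS 65001 (assumed) ----
! Assumed: provider PE AS 65000 at 10.255.1.1, firewall inside
! interface 192.0.2.1, corporate address space 10.0.0.0/8.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list HEADEND-A-LAN seq 5 permit 10.1.0.0/16
!
! Only the default and the headend LAN are advertised to the PE.
route-map TO-PE permit 10
 match ip address prefix-list DEFAULT-ONLY
route-map TO-PE permit 20
 match ip address prefix-list HEADEND-A-LAN
!
router bgp 65001
 network 0.0.0.0
 network 10.1.0.0 mask 255.255.0.0
 neighbor 10.255.1.1 remote-as 65000
 neighbor 10.255.1.1 route-map TO-PE out
!
! ---- Headend B CE (secondary internet exit), AS 65002 (assumed) ----
! Same static default towards its own firewall as headend A, but the
! default is AS-path prepended so branches prefer A while A's session to
! the PE is up; when A's default is withdrawn, B's prepended default wins.
ip route 0.0.0.0 0.0.0.0 192.0.2.129
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list HEADEND-B-LAN seq 5 permit 10.2.0.0/16
!
route-map TO-PE permit 10
 match ip address prefix-list DEFAULT-ONLY
 set as-path prepend 65002 65002
route-map TO-PE permit 20
 match ip address prefix-list HEADEND-B-LAN
!
router bgp 65002
 network 0.0.0.0
 network 10.2.0.0 mask 255.255.0.0
 neighbor 10.255.2.1 remote-as 65000
 neighbor 10.255.2.1 route-map TO-PE out
!
! ---- Branch CE, AS 65020 (assumed) ----
! Advertise only the branch LAN; accept only the default and other
! corporate prefixes, so the branch never originates or leaks a default.
ip prefix-list BRANCH-LAN seq 5 permit 10.20.0.0/24
ip prefix-list FROM-PE seq 5 permit 0.0.0.0/0
ip prefix-list FROM-PE seq 10 permit 10.0.0.0/8 le 24
!
router bgp 65020
 network 10.20.0.0 mask 255.255.255.0
 neighbor 10.255.20.1 remote-as 65000
 neighbor 10.255.20.1 prefix-list BRANCH-LAN out
 neighbor 10.255.20.1 prefix-list FROM-PE in
!
! ---- Headend A: refuse to be an Internet transit area ----
! Only traffic sourced inside corporate space may enter from the MPLS
! side on its way to the firewall; anything else is dropped and logged.
ip access-list extended FROM-MPLS
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description to provider PE (assumed interface)
 ip access-group FROM-MPLS in
```

The failover here is driven purely by BGP withdrawal: if headend A's firewall fails but its CE stays up, the static default on A still exists and is still advertised, so in practice the static default should be tracked (for example against the firewall's reachability) or originated by the firewall itself, which is the kind of headend-side detail that the centralised design concentrates in two places rather than twenty.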
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART