Enterprise Information Technology Management

19 Dec

Centralized versus Decentralized WAN topology in an Enterprise

Enterprise WAN topology often grows without much forethought, expanding on whatever infrastructure already exists. Changing topologies mid-stream is costly and tends to lose priority to other initiatives. Because of that, it is important for CIOs and network architects to have a good handle on the topology options and the benefits and drawbacks of each.

Meshed WAN/VPN On Top of the Internet

The pervasive availability of reliable Internet bandwidth provides an attractive option for interconnecting global offices. Particularly in countries such as India and Brazil, and in much of Europe, it is considerably cheaper to procure Internet bandwidth from local sources. For many reasons (local telecom laws, partnership agreements, etc.), the big players like ATT and Verizon Business simply cannot be competitive in certain countries. The cost savings can be substantial.

Certain tools, like Checkpoint’s Firewall-1, not only make securing and managing the distributed firewall base easy to handle, but also abstract the inter-office VPN transport.

The pros:

  • Monthly recurring fees are typically cheaper.
  • You still get the connection savings from using a central supplier, like ATT, wherever they are the cheaper option.
  • Capacity costs are considerably less than in the private line, frame relay or MPLS world.

The cons:

  • Requires an Internet gateway at each site, along with all the management, equipment and process that an organization attaches to such a thing.
  • Implementation of new Internet security devices (data loss prevention, for example) requires the investment needed to duplicate the environment across all sites. This may create situations where new technology cannot be deployed, or cannot be deployed consistently across all sites.
  • A complex environment that often requires local staff to manage ISP contracts and equipment.

MPLS WAN with Geographic Theater-Based Internet Gateways

In the past, private lines and frame relay connections were point-to-point, completely hub and spoke. Redundancy, fail-over, etc., were made difficult by that fact. MPLS has essentially provided organizations with a “private Internet”, where each site can connect in and route to any other site, allowing a great degree of flexibility on issues like fail-over while keeping costs down relative to point-to-point connections.

In this architecture, each site has an MPLS connection to a provider’s network. Certain sites act as bridges to the Internet. Routing can geographically segregate ingress and egress points to the nearest available Internet gateway, and provide the ability to fail over to another gateway site in the event of an outage.

The pros:

  • The ability to centrally manage and deploy new Internet security devices.
  • Provides a very homogeneous WAN environment, which can simplify WAN management; it can be leveraged to reduce costs in contract negotiations, or to allow for outsourcing of the entire environment.

The cons:

  • Typically, much more will be spent on monthly line costs than with Internet-based, site-to-site VPNs.

What’s the best option?

The best option will vary from one organization to the next. Large, process-driven organizations will generally want to go with an MPLS WAN. Entrepreneurial companies will find the lower cost and local control of the site-to-site VPN much more appealing.

What do you think?

© 2008 Enterprise Information Technology Management | Entries (RSS) and Comments (RSS)