Computer networks
m0ps, 2012-10-05 15:33:29

MPLS vs Internet for unification of a distributed network. Need arguments?

Need help with an argument to management regarding building a distributed enterprise network over the Internet using static IP on the hub and spokes.
There was a conversation with the head about upgrading the enterprise's distributed network across the region. Right now there is MPLS from the national provider plus a few more leased lines around the city where the head office is located. Branches are Cisco 851/857/881 (IPsec VTI with RIP as the dynamic routing). Management considers MPLS from the national provider and a leased line from the local market leader to be reliable channels (in terms of security), but their prices are much higher than the prices for Internet from the same national provider.
At the central office, it is planned to upgrade the network infrastructure with the replacement of equipment with Juniper SRX240+EX4200+EX2200
I propose to abandon MPLS and the leased lines, turn on mega-cheap and much faster Internet everywhere (compared to the MPLS speeds), replace the routers with Juniper SRX100 and also organize a backup in the branches via GPRS (there are a number of Conel ER75i GPRS routers which can also work as ordinary modems).
The result is the following scheme:
Route-Based IPsec between the head office and branches with OSPF and redundant communication channels via GPRS.
According to my calculations, the savings from replacing MPLS with the Internet (taking into account the introduction of backup channels via GPRS) will be about the cost of two new Juniper SRX100B per year. There are 8 branches. It turns out that in 4 years the purchase of the SRXs pays for itself, and after that it is profit. Considering that we have been using MPLS for more than 4 years (2 sites for 5 years already) and we are not going to shrink the business, only expand it, had we used the Internet from the start we would have saved a decent amount, and the savings will only grow.
Management is tempted by the idea of saving on communication, but:
1) They are negative about the idea of using the Internet with a static address in the branches (they say this increases the likelihood of hacking), and suggest using dynamic addresses in the branches.
2) There is a desire to leave everything on the old Cisco boxes (they say it's a pity to "throw out" the existing equipment).
I would like to hear feedback / criticism about my idea, as well as ask the respected community for help in compiling arguments in favor of my idea.
I would also like to hear comments on what threatens us with a dynamic IP in the branches. Right off the bat, I see only one problem: the IPsec tunnel can only be initiated from the branch side.


5 answer(s)
JDima, 2012-10-05
@m0ps

distributed network of the enterprise via the Internet using static IP on the hub and spokes.

It's disgusting.
Branches are Cisco 851/857/881 (IPSEC VTI with RIP as dynamic routing).

Migrate to DMVPN+EIGRP/OSPF.
Juniper has something similar.
1) They are negative about the idea of using the Internet with a static address in the branches (they say this increases the likelihood of hacking)

ACL allowing packets only from the CO. You can also stupidly not make a route to 0/0 on the Internet, making only host routes to the central routers.
There is a desire to leave everything on the old Cisco boxes (they say it's a pity to "throw out" the existing equipment).

DMVPN.
I would like to hear comments about what threatens us with a dynamic IP in the branches.

On hubs, you cannot specify a list of branch addresses in the ACL. A tolerable workaround is to find out from the operators the ranges of possible addresses. But in fact, exposing nodes on the Internet is not as dangerous as it seems, if you don't do something stupid.
Well, DMVPN even breaks through NAT - I tested it.
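
The spoke-side hardening described in this answer (an inbound ACL that admits only the central office, and a host route to the hub instead of a default route), shown as an added Cisco IOS example; this is not configuration from the thread or from any of its participants. The WAN interface name FastEthernet4 (the 851/881 WAN port; an 857 would use its Dialer interface instead), the IPsec profile name VTI-PROF and the addresses 203.0.113.1 (hub), 198.51.100.10/30 (spoke) and 198.51.100.9 (ISP gateway) are assumptions taken from the RFC 5737 documentation ranges.

```cisco
! Spoke router. Addresses are documentation-range placeholders, not
! addresses from the thread: hub 203.0.113.1, spoke 198.51.100.10/30,
! ISP gateway 198.51.100.9.
!
! Inbound filter on the ISP-facing interface. Only the hub may talk to
! the spoke's public address, and only with what the tunnel needs.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP/500) and NAT-T (UDP/4500) from the hub only
 permit udp host 203.0.113.1 host 198.51.100.10 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.10 eq non500-isakmp
 remark ESP from the hub only
 permit esp host 203.0.113.1 host 198.51.100.10
 remark keep ICMP from the hub so path-MTU discovery across the tunnel works
 permit icmp host 203.0.113.1 host 198.51.100.10
 remark everything else arriving from the Internet is dropped and logged
 deny ip any any log
!
interface FastEthernet4
 description ISP uplink, static address
 ip address 198.51.100.10 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
 no cdp enable
!
! Route-based IPsec (VTI) to the hub. User traffic only ever enters or
! leaves through this tunnel; the dynamic routing protocol runs over it.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source FastEthernet4
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Host route to the hub only; there is deliberately no 0.0.0.0/0 route.
! The router itself cannot reach arbitrary Internet hosts, and the branch
! LAN gets Internet access, if any, through the tunnel and the central
! office, where the filtering and logging already exist.
ip route 203.0.113.1 255.255.255.255 198.51.100.9
```

The ACL is evaluated on the still-encrypted packet, so a single `permit esp` line covers all tunnel traffic; what the branch LAN is allowed to do is decided by the routing and filtering on the tunnel side, not here. With no default route, a scan of the spoke's public address gets no reply at all (the router has no path back to the scanner), which is the practical answer to the "static address gets hacked" objection. The `log` keyword on the final deny makes `show logging` on the spoke the place to see how much unsolicited Internet traffic actually arrives; on a small ISR it is worth rate-limiting that logging so a noisy scan cannot load the CPU. A GPRS backup interface needs the same ACL applied to it.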

Greek Latinos, 2013-12-04
@GreekLatinos

And what is the amount of traffic in the channels?
Have you considered options with Mikrotik? It's cheap and flexibly customizable.

m0ps, 2012-10-05
@m0ps

You can give up on the same 860s. Much to replace?

Not much to change, but the 860 also only does RIP. OSPF needs an 870/880 with AdvIPServices.
As I said, I don't really see the point in switching to Junipers if the Cisco infrastructure has already been deployed.

The head office will move and all equipment will be replaced with Juniper, because the old equipment is already morally and physically obsolete (the choice fell on Juniper because of the project price; it wins over Cisco unconditionally).

I have hundreds of branches. Nowhere has this ever happened. None of my friends have ever heard of attacks on spokes either.
And how does the attacker find out the static address of a spoke? It is unknown to internal employees (except administrators), and they cannot find it out. No requests to third-party resources go out from this address. It does not respond to any external stimulus, except from the hub (or, in phase 2, from other spokes).
Bottom line: an attack is EXTREMELY unlikely. Nobody will bother. Rather, they will clog the central channel, which is what the MX and A records in the global DNS point to.

And this is exactly the argument that I wanted to hear. Thank you!

Vladimir Pilipchuk, 2012-10-05
@SLIDERWEB

I need to provide strong arguments in favor of my option (replacing the branch Cisco boxes with SRX100 + channels via the Internet with static addresses in the branches)

I don't think it matters what equipment you use. The main thing is that the responsible employees know how to configure it properly.
I personally faced such a task recently: explaining it to management. The management did not particularly resist. I just explained that using someone else's (the operator's) MPLS/VPN is an additional column in the risk map. Nothing but conscience prevents the operator from breaking into our private network, plus the cost: compared to its MPLS, the Internet is 60 times cheaper (in our case).
As a result, I prepared a "hodgepodge" of Dual Hub DMVPN + MPLS + EIGRP + QoS on the existing Cisco boxes. At first, management had doubts, because the public channels are less stable by orders of magnitude compared to the rented MPLS; however, after the first three months of corporate network (KSPD) uptime and the horrifying statistics on channel drops (which did not affect the SLA in any way), the result was quite final.

shapa, 2012-10-06
@shapa

Neither Cisco nor Juniper, if you want to do everything absolutely right.
There is a dedicated solution for this.
www.talari.com
