Saturday, 6 August 2016

Internet Access and Inter-branch WAN Connectivity

Most companies have multiple branches, and almost all of them connect those branches to each other over a WAN (Wide Area Network). Each branch needs Internet connectivity as well. So what kind of connectivity architecture do companies adopt, and which is better: MPLS WAN connectivity with centralized Internet access, MPLS WAN connectivity with de-centralized Internet access (an Internet connection at each branch), or Virtual Private Networks built over Internet Leased Lines at all branches? We will find out in this article.
A number of companies still use Point to Point Leased Lines to connect their branches, but we are not considering that architecture here, as MPLS connectivity is clearly the better (and more cost effective) option these days.

MPLS WAN Connectivity and Centralized Internet Access

[Architecture diagram: MPLS WAN connectivity and centralized Internet access]
In this architecture every site, including the head office, is connected to the service provider's MPLS network, which gives any-to-any (mesh) connectivity between all the sites. Just one MPLS circuit per location is enough for this. The Internet Leased Line is taken only at the head office: a branch that wants to reach the Internet first sends the traffic over the MPLS network to the head office, which forwards it out through its Internet Leased Line, and the replies come back the same way. The branches have no direct (individual) Internet connections of their own.
The main advantage of this architecture is the centralization of Internet access policies and security policies. The controls (firewall rules, web filtering, logging) sit at one point in the head office, every branch's Internet traffic passes through that point, and the head office has full control over what is (and can be) accessed from anywhere in the network. It is also a cost effective option: the Internet link at the head office is shared between the branches, and since companies pay in full for the capacity ordered (2 Mbps, for example) whether they use it or not, the under-utilization of paid-for bandwidth at any given time is minimized.
The main disadvantage is that Internet access at the branches can be quite slow, especially during peak hours, because every branch competes for the one head-office link and every packet crosses the MPLS network first. And since the same MPLS circuit carries both Internet traffic and real time traffic like voice and video, a burst of data traffic can delay the real time traffic unless end to end QoS is configured on the MPLS circuits (marking voice and video and giving them priority over data at every hop). The head office is also a single point of failure: if its Internet link or its MPLS circuit goes down, every branch loses Internet access at once.
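To see why the QoS caveat matters, here is an added example (not code from the original post) that serializes a constructed burst of packets over a 2 Mbps circuit under plain FIFO and under strict-priority queueing, and reports how long a voice packet waits in each case. The link rate, packet sizes and arrival times are assumptions chosen for illustration.

```python
"""Head-of-line blocking on a shared circuit: FIFO versus strict-priority queueing.

Added example (not code from the original post). Link rate, packet sizes and
arrival times are constructed to illustrate the point; times are integer
microseconds so the results are exact.
"""
from dataclasses import dataclass

LINK_RATE_BPS = 2_000_000            # a 2 Mbps circuit, as in the text
PRIORITY = {"voice": 0, "data": 1}   # lower number is served first


@dataclass(frozen=True)
class Packet:
    seq: int          # arrival order, used to break ties deterministically
    cls: str          # "voice" or "data"
    size_bytes: int
    arrival_us: int


def serialization_us(p: Packet) -> int:
    """Time the link needs to clock this packet out, in microseconds."""
    return p.size_bytes * 8 * 1_000_000 // LINK_RATE_BPS


def schedule(packets, policy):
    """Serialize packets over one link, non-preemptively.

    policy: "fifo" (serve in arrival order) or "priority" (serve the highest
    class first whenever the link becomes free). Returns {seq: start_us}.
    """
    pending = sorted(packets, key=lambda p: (p.arrival_us, p.seq))
    queue, starts, now = [], {}, 0
    while pending or queue:
        while pending and pending[0].arrival_us <= now:   # newly arrived
            queue.append(pending.pop(0))
        if not queue:                                     # link idle: jump ahead
            now = pending[0].arrival_us
            continue
        if policy == "priority":
            queue.sort(key=lambda p: (PRIORITY[p.cls], p.arrival_us, p.seq))
        else:
            queue.sort(key=lambda p: (p.arrival_us, p.seq))
        p = queue.pop(0)
        starts[p.seq] = now
        now += serialization_us(p)                        # link busy until then
    return starts


def sample_traffic():
    """Constructed burst: ten 1500-byte download packets at t=0, then one
    200-byte voice packet arriving 1 ms later, behind the burst."""
    data = [Packet(i, "data", 1500, 0) for i in range(10)]
    voice = Packet(10, "voice", 200, 1_000)
    return data + [voice]


def voice_queueing_delay_us(policy):
    """How long the voice packet sat in the queue before the link took it."""
    pkts = sample_traffic()
    starts = schedule(pkts, policy)
    voice = next(p for p in pkts if p.cls == "voice")
    return starts[voice.seq] - voice.arrival_us


if __name__ == "__main__":
    for policy in ("fifo", "priority"):
        print(f"{policy:8s}: voice waited {voice_queueing_delay_us(policy) / 1000:.1f} ms")
```

With FIFO the voice packet waits behind the whole 15 kB burst (59 ms, already enough to be audible); with a priority queue it waits only for the packet already on the wire (5 ms). Real routers implement this as a low-latency queue together with a policer on the priority class, so that traffic marked as voice cannot starve everything else; the simulation leaves the policer out.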

MPLS WAN Connectivity and De-centralized Internet Access (Internet connectivity at every branch)

[Architecture diagram: de-centralized Internet access along with MPLS connectivity for each branch]
This WAN connectivity architecture is similar to the previous one in that each branch is connected to every other branch through the MPLS circuits. But instead of centralized Internet access, each branch has its own Internet access through an Internet Leased Line or a broadband connection. So the inter-branch communications (ERP, VoIP, video conferencing, etc.) travel over the MPLS circuits between the branches, and the Internet traffic leaves from each branch's own Internet link without loading the MPLS circuits.
The main advantage of this architecture is that, if planned well, it can give the best performance for real time traffic, inter-branch data traffic and Internet traffic alike: users in the branches no longer experience slow Internet access, and Internet traffic no longer competes with voice and video for MPLS bandwidth. It also allows good performance without a large increase in cost, by using broadband connections instead of Internet Leased Lines at the smaller branches, as broadband connections are much cheaper. This approach works especially well when all the branches are within a single country.
The disadvantages are the higher cost and the greater chance of not using the bandwidth capacity paid for at each branch (for Internet Leased Lines). Each branch Internet link is also a separate network edge, so the centralized control of the previous architecture is lost: every branch needs its own firewall and access policy, and those policies have to be kept consistent and maintained at every site. And the cost of global MPLS connectivity is very high, which makes this architecture difficult to implement for companies with branches across the globe.

Virtual Private Networks using Internet Leased Lines at all the branches

[Architecture diagram: Virtual Private Networks using Internet Leased Lines and Routers/UTM in all branches]
This WAN architecture has been gaining a lot of traction of late. Here, all the branches and the head office procure Internet Leased Lines and connect to the Internet that way. A Virtual Private Network is then established over the Internet, with each branch connecting securely to all the other branches. The VPN can be built in a variety of ways. For example, if routers are used to terminate the Internet Leased Lines, they typically also support a certain number of IPsec/SSL VPN sessions between them (two or more such devices), and the number of concurrent session licenses can be upgraded on most routers. The VPN can also be built with UTM (Unified Threat Management) devices, VPN concentrators, wireless LAN controllers, etc. So, using tunneling and encryption, a secure overlay network is formed over the Internet for all the inter-branch communications. Ordinary Internet traffic is sent out of each branch's Internet link as usual, outside the tunnels and without encryption (split tunneling), so only the inter-branch traffic is protected by the VPN.
The obvious advantage of this architecture is the cost reduction, as one network does both jobs at each branch: secure inter-branch communications and Internet access. This makes it especially useful for globally spread enterprises. It also allows remote access to the network by workers in the field and those working from home, as IPsec/SSL VPNs can be set up between the branches and roaming employees who have the proper network access credentials. The cost of Internet Leased Lines is coming down rapidly. Redundancy can be established by taking multiple Internet Leased Lines from different ISPs, and most ISPs offer SLAs (Service Level Agreements) that commit them to keeping the link up for as much of the time as possible.
The main disadvantage is performance, especially for real time applications like voice and video. The Internet is an unpredictable network and there will always be some packet loss and variable delay. Apart from that, there is no way to enforce end to end Quality of Service (QoS): the Internet is a public network, the traffic passes through a number of routers belonging to other parties, and any priority marking set at a branch is not honoured along the way. QoS can only be applied on the company's own edge devices, on the way into each link. The other disadvantage is using one connection for all the applications: when there is a lot of data traffic, the voice and video traffic gets delayed.
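The three architectures above differ mostly in where a branch router sends a given packet and whether it is encrypted on the way out. The following added example (not code from the original post; the address plan, site names and link labels are constructed assumptions) models the forwarding table a branch carries under each of the three architectures, traces the path a packet takes to the Internet or to another branch, and adds the check a practitioner wants for the VPN design: that no inter-branch traffic can fall through to the default route and leave in the clear, which is exactly what happens when a tunnel is missing.

```python
"""Where a branch router sends a packet under each of the three architectures.

Added example (not code from the original post). The address plan, site
names and link labels are constructed assumptions; the routing logic is
ordinary longest-prefix matching.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed address plan: one RFC 1918 /24 per site.
SITES = {
    "hq": ip_network("10.0.0.0/24"),
    "branch1": ip_network("10.0.1.0/24"),
    "branch2": ip_network("10.0.2.0/24"),
}
DEFAULT = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    link: str                  # "mpls", "ipsec" or "internet"
    encrypted: bool            # does the packet leave the site enciphered?
    via: Optional[str] = None  # another site that forwards on our behalf


def lookup(table, dst):
    """Longest-prefix match, the way a router selects a route."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def table_for(site, architecture, missing_tunnels=()):
    """Forwarding table a site carries in each architecture.

    architecture: "centralized"   MPLS mesh, Internet only at hq
                  "decentralized" MPLS mesh, Internet at every site
                  "vpn"           IPsec tunnels over each site's Internet link
    missing_tunnels: sites for which no tunnel (and so no route) was configured.
    """
    table = []
    for other, net in SITES.items():
        if other == site:
            continue
        if architecture == "vpn":
            if other not in missing_tunnels:
                table.append(Route(net, "ipsec", encrypted=True))
        else:
            # MPLS is a private carrier circuit, but the carrier does not
            # encrypt it: confidentiality rests on the provider.
            table.append(Route(net, "mpls", encrypted=False))
    if architecture == "centralized" and site != "hq":
        table.append(Route(DEFAULT, "mpls", encrypted=False, via="hq"))
    else:
        table.append(Route(DEFAULT, "internet", encrypted=False))
    return table


def path(site, architecture, dst):
    """(site, link) hops a packet from `site` to `dst` takes until it leaves the company."""
    hops, current = [], site
    while True:
        r = lookup(table_for(current, architecture), dst)
        hops.append((current, r.link))
        if r.via is None:
            return hops
        current = r.via


def cleartext_leaks(site, architecture, missing_tunnels=()):
    """Remote sites whose traffic would fall through to the default route and
    leave on the public Internet unencrypted: the split-tunnel failure mode."""
    table = table_for(site, architecture, missing_tunnels)
    leaks = []
    for other, net in SITES.items():
        if other == site:
            continue
        r = lookup(table, str(net[1]))   # any host in the remote site's range
        if r.link == "internet" and not r.encrypted:
            leaks.append(other)
    return leaks


if __name__ == "__main__":
    public = "203.0.113.10"   # documentation-range address standing in for "the Internet"
    for arch in ("centralized", "decentralized", "vpn"):
        print(f"{arch:13s} branch1 -> Internet: {path('branch1', arch, public)}")
        print(f"{arch:13s} branch1 -> branch2:  {path('branch1', arch, '10.0.2.5')}")
    print("vpn, tunnel to branch2 not configured, leaks:",
          cleartext_leaks("branch1", "vpn", missing_tunnels=("branch2",)))
```

Running it shows the hairpin through the head office in the centralized design, the direct exit in the other two, and, for the VPN design with the branch2 tunnel left out, that branch2 traffic would be sent unencrypted across the Internet. On a real router the equivalent check is to verify that every remote private prefix has a more specific route into a tunnel (or matches a tunnel's traffic selector) than the default route, and to block RFC 1918 destinations on the outside interface as a backstop.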