Working on a plan for connecting two sites together via MPLS. Site 2 (Office) will be connected to Site 1 (Data center) over MPLS. Site 2 will get Internet access via the Internet bandwidth at Site 1 over the MPLS cloud between the sites. Users at Site 2 will gain access to all DC resources over this MPLS link. Going with MPLS because there exists the potential that we will need to bring in a third site in the future and I thought MPLS would be easier to integrate in the future. I have put together an initial design diagram to illustrate what I am trying to do and would like to throw it out to the forum for a quick sanity check to see if there are any glaring deficiencies with this idea and to open it up for comments on perhaps better solutions available.
Also would like for anyone to weigh in on some WAN optimization solutions for an office of about 50 to 55 users currently that I could use to keep the BW usage down across the MPLS cloud. The plan at the moment is to go with dual DS3 links into the MPLS cloud at both sites and take advantage of QoS techniques across the MPLS network. I would like to also load share between the two links. I think BGP can do this, but if I understand correctly it can only be done between two routers and not between four routers using the maximum-paths configuration. I would like to have my two CE routers at each site connect to dual PE routers on the provider's side, so I am not sure the maximum-paths configuration would work this way. I may get an additional link to the Internet at Site 2 and use the MPLS link for pure site-to-site connectivity, but would like to avoid purchasing more BW if I could.
Again just looking for some feedback on this from folks smarter than me. Thanks in advance for any help here.
Got a couple questions/comments...
I'm assuming that you did some type of traffic analysis to determine how much bandwidth you need at this remote site correct? Just asking because a DS3 is a whole lot of bandwidth for 50-100 users...and you want to load share across 2 of them. I'm not necessarily saying to get rid of the DS3s, but might be more worth the money to start out with a subrate that can be scaled up if needed. I would definitely try to avoid doing any BGP load sharing as it is not going to buy you anything except complexity unless you need the bandwidth. In fact what you have shown in the diagram won't do load sharing bidirectionally, which will cause you big problems if you do implement some type of WAN optimization.
Another thing: I think you should run an IGP at each site between the MPLS CE routers and the L3 switches (and redistribute BGP into the IGP)...this will remove the requirement for all the statics and the HSRP.
Also, what are the L2 firewalls for at the remote site? Unless you just really don't trust anyone at this site I would ditch them, but I guess that is up to whatever security policy you have in place...I would question the implementation of them though.
Last, the different 1918 subnets you're using? I'm definitely a little confused as to why you would not just continue to use the 10 space. You typically want to always use the same one within your network to avoid all of the confusion and problems it will bring on later in the event that the business grows.
For WAN optimization I always recommend Riverbed...they have the best product on the market. Cisco should dump the WAAS and buy Riverbed.
Thanks very much for the reply DBass. The DS3s will probably be subrate, not full DS3. Want to use the DS3 local loop for the ability to scale up as needed. But they will probably be more like 10MB per side. There are two at each site just for link redundancy.
Agreed on the IGP at both sites. Would be a better way to go with this solution. Thanks for the suggestion.
The L2 FW was just to be able to control traffic from remote site to DC, not so much to keep out unwanted stuff. It may be overkill but we already own the gear and would like to make use of it.
As far as the address space, this is an effort to avoid renumbering a bunch of hosts. What I did not mention is we already have a site that uses this scheme with an L3 VPN across the Internet and just had it set to keep things this way. But you are correct, there is no reason to do this other than convenience.
Thanks very much for the reply and for looking at this. Other than what you pointed out, you see no reason that this would not work, correct?