WAN NETWORK DESIGN BEST PRACTICES

pep87
Level 1

Hi everybody. This is my first post. I am studying a Network Engineering degree at college. I would like to know the best practices for a corporate WAN design. I am a real newbie. Some questions:

1- In real life, what is more recommendable in almost all cases: centralized Internet access over the HQ Internet connection, or direct Internet access at each branch? Please specify the advantages of the most recommendable option.

2- If I implement direct Internet access at each branch, I suppose I should use a router for the WAN connections (for Internet access and the WAN connection to HQ) instead of a layer 3 switch, because I would need NAT, etc.?

3- In the case of centralized Internet access, which is the better option to connect branches to HQ, routers or layer 3 switches? Please specify the advantages of the most recommendable option.

4- In a small to medium corporate network, is it recommendable to use static routing instead of OSPF or EIGRP?

Thanks in advance

Accepted Solution

Francesco Molino
VIP Alumni

Hi

For centralized or not centralized Internet access, it depends on how far away your branch sites are and what kind of applications you're using. I mean, if you're using a lot of cloud-based applications, today every service is delivered through a CDN network. The goal is to forward the traffic to the best and closest DC.

Let's take an example. If your HQ is on the Canadian east coast and your branches are in the central and west coast, and you're using Office 365, you don't want to slow down your users' connections; you would prefer your west coast users to access a Microsoft DC on the west coast and not come to the east coast and do a back and forth.

In terms of firewall, with a centralized Internet connection you will have a firewall at your HQ to filter all connections passing through. If you have a dedicated link at each site, then you can also decide to go with small NGFWs to be able to filter malware, web URLs, ... However, if your concern is just basic firewalling, you can also, instead of an NGFW, leverage your WAN router with ZBF capabilities.

To your question 3, it would be preferable to have a router rather than a switch. With a switch you'll be limited in WAN and security features, while you can accomplish everything with a router. If you decide to go with small NGFW boxes, they will be able to do the job as well.

In terms of routing, and I guess you have multiple branches, I would highly recommend going with dynamic routing. In addition to that, you would probably like to interconnect all your sites using DMVPN, iWAN or FlexVPN ... solutions for internal traffic, and it will be much easier if you have dynamic routing implemented from end to end. Now, which routing protocol? It will be based more on your skills. RIP, OSPF, EIGRP or BGP will all be a perfect fit. However, just take into consideration using a standard protocol in case you have non-Cisco boxes in your network; otherwise you'll need to deal with routing redistribution.

Hope I answered all your points clearly.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.
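As an added illustration of the branch-router approach raised in question 2 and in the answer above (a router doing NAT for direct Internet access, hardened with IOS Zone-Based Firewall instead of a separate NGFW), here is a minimal configuration. It is example configuration written for this thread, not from the original posts; the interface names, the 10.10.1.0/24 branch LAN and the list of permitted outbound protocols are assumptions.

```cisco
! Example only (not from the thread). Assumed: Gi0/0 = branch LAN, Gi0/1 = ISP link,
! branch LAN 10.10.1.0/24. Adjust names and addresses to the real site.
!
! Two security zones. Traffic between zones is denied unless a zone-pair permits it.
zone security INSIDE
 description Branch LAN
zone security OUTSIDE
 description Direct Internet Access
!
! Outbound services the branch is allowed to originate; anything else is dropped.
class-map type inspect match-any LAN-ALLOWED-OUT
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
!
! Stateful inspection opens pinholes for return traffic only. No OUTSIDE->INSIDE
! zone-pair is defined, so unsolicited inbound connections are dropped by default.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect LAN-ALLOWED-OUT
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! PAT: hide all LAN hosts behind the ISP-facing interface address.
ip access-list standard LAN-NAT
 permit 10.10.1.0 0.0.0.255
ip nat inside source list LAN-NAT interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 description Branch LAN
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description ISP (direct Internet access)
 ip address dhcp
 ip nat outside
 zone-member security OUTSIDE
!
! Verification after applying: inspect counters should increment for LAN sessions,
! and the class-default drop log shows what the LAN tried that is not on the list.
! show policy-map type inspect zone-pair IN-OUT sessions
! show zone-pair security
```

A site-to-HQ tunnel (DMVPN or FlexVPN, as mentioned above) would get its own zone and zone-pairs rather than being placed in OUTSIDE, so internal traffic and Internet traffic are policed separately.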


2 Replies

Joseph W. Doherty
Hall of Fame
#1 I've seen both. The HQ Internet access approach minimizes equipment and usually operational support costs, but the remote approach often provides better Internet access performance, especially if the branch is far from the HQ.

#2 Yes, or you might use a FW. Typical L3 switches are usually not very suitable for direct Internet connection usage.

#3 Again, L3 switches are often not a good choice. Also again, you might use a router or a FW appliance.

#4 I would recommend using a dynamic routing protocol over static routing except in very small networks. RIP might also be used over OSPF or EIGRP except when the network is larger than small.
