Need advice for replacing MPLS for multi site connection using new solution

Started by michael_antony, April 12, 2022, 10:29:04 PM


michael_antony

Hi experts,
I need your advice on this.

I was tasked with ditching the MPLS subscription that we use for the connection between 3 main sites, and replacing it with a new solution (budget issue, to minimize the company's OPEX).
Our company has a network configuration on these 3 sites like this below:

1. Site 1 - Head Office (Backbone network and worked as data center)
Start -> ISP
-> (Firewall) device: Cisco ASA 5515-X
-> (Internet Router & WAN Router) devices: Cisco ISR 4331 (2 pcs)
-> 2 Core Switch (Juniper)
-> Users PC -> End
2. Site 2
Start -> ISP
-> (Firewall) device: Cisco ASA 5512-X
-> (Internet Router) Cisco ISR 4321
-> 2 Core Switch
-> Users PC -> End
3. Site 3
Start -> ISP
-> (Firewall) device: Cisco ASA 5512-X
-> (Router) Cisco ISR 4321
-> 2 Core Switch
-> Users PC -> End
*Notes: Each site uses a VPN IP (MPLS) service that comes from an ISP provider, to give Site 2 & 3 access to the Site 1 server.

4. Site 4,5, & 6 (smaller sites)
ISP -> MikroTik router -> Switch -> User
Connected to Site 1 Cisco Router, using VPN tunnel over internet.

My idea is to create a new connection between 3 main sites using VPN tunnel over the internet, like site 4,5, & 6. What do you think about this plan when it comes to replacing MPLS?

Now the issue I have is, I'm totally new to networking and my boss wants me to learn and do this job.

If you think switching to a multi site VPN is a good move, how long does it generally take to get enough knowledge to do this? And is it necessary to take Cisco certification?

In making the solution, it seems I have to do a simulation first before going to the production router. Is using software such as Cisco Packet Tracer or GNS3 sufficient to simulate the actual configuration, and ensure the configuration is safe to deploy? (Because our company does not have an extra Cisco router to do lab configuration and testing)

Please give me your thoughts on this, or insights or advice, I would really appreciate it.

Otanx

At a high level the plan seems fine. A lot of companies do VPNs over the internet instead of paying for dedicated circuits. Whether it will work in your case depends on your requirements, and the quality of your internet.

Using GNS3 should let you lab up your plan. I am not sure about Packet Tracer as I have not used it in years, but if it supports the commands you want it should be fine as well. You should be able to just duplicate your network in GNS3, and then work on it until you get a working configuration for what you want. How long it would take is a hard question to answer. We don't know what base of knowledge you are starting with. You have an example to build off of with your sites 4 - 6 so use that as a template to build on top of. In my environment I would expect a new junior team member to give me a working lab in a week. Maybe a little more if he needs to build the lab up from scratch.

-Otanx

deanwebb

I'd ask if you truly need a VPN. On-prem apps can migrate to the cloud, so you would not need a VPN to reach those, but a cloud security solution like Netskope or Zscaler. The benefit there is that workers can work from anywhere and there's less overhead in terms of both costs and technical skill required to maintain.

There's also the question of SD-WAN - have you looked into that?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

michael_antony

Hi deanwebb,
Thanks for your response.

I already have a plan to migrate the on-prem ERP app to the cloud as well.
But I think if I want to move from MPLS, I still need a replacement. Because we are using:
- folder sharing between those company sites
- software network licenses (Autocad, solidworks)
- tax software (this could also be moved to cloud I think)

What do you think of this requirement?

michael_antony

Hi Otanx,
Thanks for your response.

Quote from: Otanx on April 13, 2022, 08:33:57 AM
At a high level the plan seems fine. A lot of companies do VPNs over the internet instead of paying for dedicated circuits.
Can you explain what you mean by high level? Do you mean the experience of the network engineer (or team and such)?

Quote from: Otanx on April 13, 2022, 08:33:57 AM
Whether it will work in your case depends on your requirements, and the quality of your internet.
So I should get the correct requirements of the current network first? (Does this include throughput, bandwidth, usage, etc.?)
Do you have a suggestion on what and how I should measure to get the correct requirements before moving to the VPN over internet?

Quote from: Otanx on April 13, 2022, 08:33:57 AM
We don't know what base of knowledge you are starting with.
Honestly I don't have any experience in networking; I have some knowledge of basic networking from school, though it was years ago.

deanwebb

Folder sharing between sites can be done via Box with a provider like Okta doing SSO in front of it. Even workflow requirements can be worked to use a cloud share instead of a network share - and they would likely be more secure going through the cloud with MFA.

If the licenses require a connection to an on-prem licensing server, there can still be CASB/SASE/SSE solutions that will have users connect to them first, and then handle the VPN to the private network. Again, this would be with MFA, so possibly more secure for you.

Otanx

High level plan just means it covers the basics of what you want to do, but not the details. You should always have the requirements first. A network always supports the company and must do so correctly. If you don't know what you have to support you can't build the network correctly. For your example you know where the network has to connect. Now you need to know what kind of bandwidth and latency is acceptable for what the business is going to use the network for. You wouldn't run a 1000 user office off a cable modem, and you wouldn't install a 10G internet circuit for a 5 user office that just needs to check their email.

In your reply to deanwebb you identified some of the requirements. You need to have your clients access an ERP system currently on-prem, but moving to the cloud. File sharing, etc. Figuring out all the requirements is partly knowledge of the environment that you already possess, and talking to users on how they use the systems.

Now you can look to modify those requirements. This is what deanwebb is talking about. Move all of that to the cloud, and then the cross office connectivity requirements change, and you can potentially change the design by not having links between the offices at all.

You will never have all the requirements for the network. At least I have never had them. So to help mitigate that you can try to do testing. In your case you could set up the tunnels over the internet, and configure the routers to prefer those instead of the MPLS links. Then if there are issues you can just change the preference back to the MPLS links, and figure out what happened. Once everything is working over the new tunnels, then you put in the paperwork to get rid of the MPLS.

With basic networking skills CCNA is probably 6 months or so of study. I did mine too many years ago so I might be off on that.

-Otanx
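Otanx's staged approach above (bring the tunnel up beside MPLS, flip the preference, keep MPLS as the fallback) as an added Cisco IOS-XE configuration example; this is not from the thread or from any poster's network. It assumes the Site 1 ISR 4331 runs IOS-XE with IKEv2, that the MPLS routes arrive via eBGP (administrative distance 20), and it uses RFC 5737 documentation addresses and a `<PSK>` placeholder.

```cisco
! Site 1 (ISR 4331) side of an IPsec VTI to Site 2. Addresses are placeholders
! (203.0.113.0/24 public, 10.0.0.0/8 internal); Site 2 mirrors this with the
! addresses swapped. Replace <PSK> with a long random secret.

! IKEv2: AES-GCM-256, PRF SHA-512, ECDH group 19 (no legacy ciphers offered)
crypto ikev2 proposal SITE-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy SITE-POL
 proposal SITE-PROP
crypto ikev2 keyring SITE-KEYS
 peer SITE2
  address 203.0.113.2
  pre-shared-key <PSK>
! Only the known Site 2 public address may bring this tunnel up
crypto ikev2 profile SITE-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SITE-KEYS
 dpd 10 3 on-demand
! IPsec: ESP with AES-GCM-256
crypto ipsec transform-set SITE-TS esp-gcm 256
 mode tunnel
crypto ipsec profile SITE-IPSEC
 set transform-set SITE-TS
 set ikev2-profile SITE-PROF
! Routed tunnel interface. Its line protocol follows the IPsec SA, so the
! static route below is withdrawn automatically when the tunnel is down.
interface Tunnel12
 description Internet IPsec to Site 2
 ip address 10.255.12.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE-IPSEC
! Stage 1 (test): AD 200 keeps the MPLS route (eBGP, AD 20) preferred;
! the tunnel carries Site 2 traffic only if the MPLS route disappears.
ip route 10.2.0.0 255.255.0.0 Tunnel12 200
! Stage 2 (cutover): lower the AD below eBGP so the tunnel is preferred and
! MPLS becomes the fallback. Set it back to 200 to roll back.
! ip route 10.2.0.0 255.255.0.0 Tunnel12 10
```

The ASA in front of each router must permit IKE (UDP 500/4500) and ESP between the two public addresses; check `show crypto ikev2 sa` and `show ip route 10.2.0.0` before and after changing the distance.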