I was tasked with ditching the MPLS subscription that we use for the connection between 3 main sites, and replacing it with a new solution (budget issue, to minimize the company's OPEX).
Our company has a network configuration on these 3 sites like this below:
Site 1 - Head Office (backbone network, also works as data center)
Start -> ISP
-> (Firewall) device: Cisco ASA 5515-X
-> (Internet Router & WAN Router) devices: Cisco ISR 4331 (2 pcs)
-> 2 Core Switches (Juniper)
-> User PCs -> End
Site 2
Start -> ISP
-> (Firewall) device: Cisco ASA 5512-X
-> (Internet Router) Cisco ISR 4321
-> 2 Core Switches
-> User PCs -> End
Site 3
Start -> ISP
-> (Firewall) device: Cisco ASA 5512-X
-> (Router) Cisco ISR 4321
-> 2 Core Switches
-> User PCs -> End
*Note: Each site uses a VPN IP (MPLS) service from an ISP, which gives Sites 2 & 3 access to the Site 1 servers.
Sites 4, 5 & 6 (smaller sites)
ISP -> MikroTik router -> Switch -> Users
Connected to the Site 1 Cisco router using a VPN tunnel over the internet.
My idea is to create a new connection between the 3 main sites using VPN tunnels over the internet, like Sites 4, 5 & 6. What do you think about this plan when it comes to replacing MPLS?
Now the issue I have is, I’m totally new to networking and my boss wants me to learn and do this job.
If you think switching to a multi-site VPN is a good move, how long does it generally take to get enough knowledge to do this? And is it necessary to get a Cisco certification?
In building the solution, it seems I have to do a simulation first before going to the production routers. Is using software such as CPT or GNS3 sufficient to simulate the actual configuration and ensure the configuration is safe to deploy? (Our company does not have a spare Cisco router for lab configuration and testing.)
Please give me your thoughts, insights or advice on this; I would really appreciate it.
I've got some bad news for ya… Those 5512 and 5515 are full EOL and EOS this August…
Site to site vpns are the way to go for budget and ease of management.
I'd recommend replacing the firewalls with FortiGates. Then you can build SD-WAN VPNs between them over redundant internet connections. FortiGates would be quite a bit easier for someone fairly green to configure as well.
No offence, but it looks like you're trying to modify the system without understanding how it was built and what for. At least there is nothing about that in your first post.
An MPLS circuit is usually not only "basic connectivity"; usually it's all about SLAs and guarantees (certain delay, jitter, bandwidth).
You should try to find any documentation (or at least verbal answers) about: "Why did the enterprise choose to implement MPLS in the first place?"
It would also be nice to figure out the real needs of the business (users and applications) for the current situation, besides the "money savings". If traffic is segregated somehow (marking, policies, etc.) you have to know how and why.
And finally, when you fully understand the whys and the demands, you can try to find alternative ways to meet those needs.
It's not about taking this device instead of that one. It's about what services you have to support for your users with this equipment and these circuits. The hardware is only a tool to solve real-life needs.
As others mentioned, your ASAs are not sold or supported anymore. And you seem to imply you're not paying for vendor support, which is kinda like not getting insurance: you save money if everything is totally fine, but you're going to miss support the moment bad things happen.
There is a variety of approaches you can use, from DMVPN to SD-WAN to plain hardcoded IPsec tunnels. Analyze all the options and don't forget to take into account costs (new equipment, new licenses, …) in addition to HA, ease of management, and so on.
You should definitely test that at least on GNS3. You can never be 100% sure (bugs, …) but labbing gives some confidence. Draft a migration plan that minimizes downtime and allows you to roll back if needed.
If this seems way over your head, get in touch with a VAR or vendor professional services.
Sounds like moving towards a VPN approach is the correct one to go for, however there are a couple of things you need to consider:
- What resilience do you need upstream? Two (or more) internet connections? Tolerate chassis failure?
- Do you want to make use of both internet connections for active/active forwarding?
- What are your throughput requirements?
- What presentation types do you have? Ethernet, fibre, etc.
- Do you want to backhaul internet traffic to your datacentre, or would you like local internet breakout?
- If local internet breakout, are there any value adds which you need: URL filtering, malware detection, etc.?
Once you’ve considered the above, this should lead you towards a chassis choice which will meet your requirements.
For example, you could absolutely terminate the internet connection on your ASAs, but you'd be restricted (potentially) by value adds such as support for URL filtering etc.
My two cents: get your thoughts on the above questions, then reach out to a Meraki representative of some description. You can demo their products completely free of charge, then you can lab everything up with real kit, plus it's pretty straightforward to learn.
I agree with u/yankmywire, your boss is setting you up for failure.
The company should invest in some professional services to assist you with a transition like this. They also may come up with alternative ideas like moving servers to the cloud. This may cost a bit more upfront, but can save a lot of money long-term and also help minimize downtime, which is also expensive.
Get two different ISP business internet lines for redundancy per site. Get Meraki firewalls or similar so you can build easy, secure connections to all of them. Yes, you have to pay yearly, but you have to pay someone. I saved big money doing this. I also had old Cisco gear under no contract and spares in case of failure. MPLS is old and slow and expensive, and even ISPs are getting away from these lines themselves. Verizon did.
>If you think switching to a multi site VPN is a good move, how long does it generally take to get enough knowledge to do this? And is it necessary to take Cisco certification?
This part is concerning. It totally depends on what you do. Are you a network engineer? Kind of sounds like you’re not.
I can guarantee that there are people who could not figure it out, period. Cisco ASA is not a user-friendly platform for novices. It assumes a fundamental understanding of every aspect of VPN configuration, and there are a lot of moving parts: ISAKMP, IPsec, tunnel interfaces, routing, ACLs, subnets. Without foundational knowledge of networking, it would be hard to implement. Cisco ASA is not SonicWall; it is not point-and-click in a GUI.
If using FortiGate firewalls, do you have a preference or suggestions on how to determine the device series/specification that we need to buy to replace the existing router and firewall?
Or, in general, how to measure the spec that is needed.
If you have any suggestions on how to do this, please tell me.
You'd also want to go with an ISP that supports jumbo frames. At the very least so that you don't have any unexpected issues with an effective MTU below 1500, but better performance for high-throughput data transfers would also be a major benefit.
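To put a number on the "effective MTU below 1500" point, here is an added example (not from any poster in this thread) that computes ESP tunnel-mode overhead for two common cipher suites, the largest inner packet that still fits a 1500-byte ISP link without fragmentation, and the TCP MSS clamp that follows from it. Header sizes follow RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 4868 (HMAC-SHA-256-128); the function and suite names are my own.

```python
# Added example: ESP tunnel-mode overhead and the resulting inner MTU / TCP MSS clamp.
# Field sizes follow RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 4868 (HMAC-SHA-256-128).
from dataclasses import dataclass

IPV4_HEADER = 20   # outer IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
NAT_T_UDP = 8      # extra UDP/4500 header when NAT traversal is active
TCP_HEADER = 20    # used to derive the MSS clamp from the inner MTU


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # IV bytes carried in the ESP payload
    block: int     # padding alignment: cipher block for CBC, ESP's 4-byte minimum otherwise
    icv_len: int   # integrity check value bytes


AES_CBC_SHA256 = EspSuite("aes-cbc / hmac-sha256-128", iv_len=16, block=16, icv_len=16)
AES_GCM_128 = EspSuite("aes-gcm-128 (16-byte ICV)", iv_len=8, block=4, icv_len=16)


def esp_tunnel_size(inner_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    # Pad Length (1) + Next Header (1) live inside the encrypted region with the payload,
    # so the whole region (payload + those 2 bytes) is rounded up to the suite's alignment.
    padded = -(-(inner_len + 2) // suite.block) * suite.block
    return (IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
            + suite.iv_len + padded + suite.icv_len)


def max_inner_mtu(link_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulation still fits in link_mtu (no fragmentation)."""
    for inner in range(link_mtu, 0, -1):
        if esp_tunnel_size(inner, suite, nat_t) <= link_mtu:
            return inner
    return 0


def recommended_mss(link_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """TCP MSS clamp for the tunnel: inner MTU minus IPv4 and TCP headers."""
    return max_inner_mtu(link_mtu, suite, nat_t) - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for link_mtu in (1500, 9000):        # plain ISP link vs. jumbo-frame ISP link
        for suite in (AES_CBC_SHA256, AES_GCM_128):
            print(f"link MTU {link_mtu}, {suite.name}: inner MTU {max_inner_mtu(link_mtu, suite)}, "
                  f"MSS {recommended_mss(link_mtu, suite)}, "
                  f"1500-byte inner packet fits: {esp_tunnel_size(1500, suite) <= link_mtu}")
```

On a 9000-byte jumbo-frame link a full 1500-byte inner packet fits with room to spare, which is why the ISP's jumbo-frame support removes the MTU problem entirely rather than just shrinking it.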
After following your suggestion about looking for why we use MPLS in the first place, there is no documentation I could find stating why we are specifically using MPLS.
The only information I could get from our senior IT is that MPLS is more stable because it runs on a different network than the internet (and he says he is not certain, because it was in use before he joined).
And our MPLS happens to be very stable and rarely has any trouble.
Also, you're right about SLAs and guarantees. Our MPLS service provider guarantees it: if there happens to be a problem, the downtime will be very minimal, maximum half a day.
Thank you for your suggestion.
I will try to simulate using GNS3 and create a migration plan. Do you think it's better than using Packet Tracer?
Also, what you mentioned is correct: we are trying to save money by cutting costs on vendor support. I'm still weighing some options here, whether to continue on our own or to reactivate the vendor support.
A year ago, my employer decided to cut costs on Cisco annual maintenance services.
I mean, we should be ready now for the transition with the vendor that we used back in the day.
But now I have been assigned to learn and do the job. Do you think I should just tell my employer to rehire the vendor? I was not included in the discussion of why the vendor maintenance was being cut in the first place.
Sure, basically the 5512 and 5515 are outperformed by even an entry-level FortiGate these days. An FG-60F would provide better throughput than either. There is also an 80F and a 100F. I tend to pick models based off of internet connection requirements.
Google “fortigate matrix” for a detailed list of the specs to compare them. You can also Google “ASA 5512x datasheet” for similar on the ASA.