Wednesday, November 6, 2019

Moving from private MPLS to SD-WAN

We've built our own MPLS network on top of ISPs' L2 connections:

https://i.snipboard.io/MjhKfI.jpg

All the branch/HQ routers do L3VPNs, and we have a VRF at the branch sites for each use case. One for standard workstations, one for printers, one for APs, one for HVAC, one for some kinds of medical devices, one for other kinds, etc.

Currently it's sort of easy to limit traffic between the different segments, as we just create a VRF, do the same on the DC's end, and terminate it on the HQ FW cluster.

While it works OK, there's not that much load balancing at the branch (we usually get 2x 100-1000 Mbps MPLS + LTE to each site). Also, visibility into the traffic is quite minimal on the branch end, and we really don't know how the clients are doing there.

That's why I'm thinking about these SD-WAN solutions, mainly FortiGates, as we've used them and using "SD-WAN" is not an extra cost. Maybe in the smaller places even use their switches and APs... Aruba could be another option, but if I remember correctly you can't use the same controller device as an SD-WAN gateway and WLAN controller, so we would need two devices. Or 4 for HA.

What I'm wondering is how you would do the VRF thing, or is it the 90's calling back and today we should do the segmentation in a completely different way :) ?

Or any thoughts at all about the setup or the SD-WAN idea? Thanks!
