Good morning,
Overview: we're a national retail outlet with approx. 1000 stores and the ambition to continue growing in our country. We're a franchised model, with the equity business owning around 50 stores and the rest being franchised across different partners.
Our store WAN is four models. One franchisee runs multi-branded sites and handles their networking entirely; they have a VPN to us for the services and apps we provide. Other franchisees mostly use a service we provide through a national telco: broadband tails (60/40 ADSL/FTTC, with some leased lines and a couple of FTTP tails) onto a private MPLS, with all traffic going through our WAN onto our DCs for internet egress. Some franchisees still insist on using their own broadband with VPN, utilising Cisco 800 routers as VPN devices; we manage the VPN devices, the franchisee manages the ADSL router (usually a DrayTek).
The final franchise is the disruptor. They're a larger business with outlets across Europe and North America and have their own WAN vendor; they have bought out a significant % of stores recently from another franchisee and are now rolling out their solution to their new stores. This is their broadband tail, using a Mako 6600. We specify a Cisco Firepower 1010 to segregate the store traffic from their network.
Services used to be 95% hosted by us, but over the past 4 years they have become more SaaS / public cloud based, and that is only going to become more predominant; internet traffic is increasing in both importance and volume. We're in a bit of a race at the moment to increase our MPLS tails into the DCs to keep up.
I've recently been told (after mentioning it for over a year, before the disruptor turned up) that I can look into an SD-WAN solution, the goals mostly being:
Lower Capex for the outlets.
Lower Opex for our MPLS core.
Reduce the dependency on our two DCs for access to services.
Support business decision to translate to a more public cloud delivered services environment.
Improve network agility (i.e. reduce time taken to bring up new vendor connections or drop connections into other public clouds).
To me this supports an SD-WAN approach where we can have virtualised SD-WAN appliances in AWS (and possibly Azure) with on-appliance NGFW/UTM features. Our vendor is going to suggest Meraki, at which point I'll push back with Fortinet (largely due to another part of the business in the US being Fortinet based, and the Fortinet AWS appliance being able to call AWS Lambda functions when network conditions change, i.e. an outlet drops off the network, turn off online delivery for that outlet).
The issue here is the disruptor and the franchisee that runs their own network. The latter I suspect we can just put a virtual appliance in a DMZ on their network and let them route traffic through that, which then shoves traffic on as required. The franchisee running the Makos, though, I'm not sure about.
Currently this franchisee wants to route all AWS traffic via us, not over the internet (their cellular failover uses DHCP addresses; our AWS team whitelist IP addresses). I'd like to avoid this (if, for example, we used AWS Global Accelerator to get a static IP address for AWS), as this would keep our DCs as a point of failure for access to services. Note they are still buying the Firepower 1010 and only started rolling them out in the last quarter of 2020, so they have no interest in buying a new device.
Could the Mako 6600s themselves create multiple VPNs and route traffic appropriately? How smart are these devices? They seem awfully cheap.
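The "outlet drops off the network, turn off online delivery" hook mentioned in the post is the kind of automation that becomes a target in its own right: whoever can reach the function and forge a "site down" event can switch stores off. The block below is an added example, not code from the post, from Fortinet or from AWS. It assumes a constructed webhook format (a JSON body with `event`, `site` and `ts`, plus an HMAC-SHA256 of the body in an `X-Signature` header), an in-memory dict standing in for whatever system actually controls online delivery, and a hypothetical `handle_site_event` function; the real appliance's webhook schema and the real downstream API are not assumed here.

```python
"""Added example (not from the post, Fortinet or AWS): a Lambda-style handler
that disables online delivery for an outlet when an SD-WAN appliance reports
the site down, and re-enables it on site up.

Assumed (constructed for this example):
- The appliance POSTs a JSON body like
  {"event": "site_down", "site": "store-0123", "ts": 1700000000}
  with hex HMAC-SHA256(body, shared secret) in the X-Signature header.
- ONLINE_DELIVERY is a dict standing in for the real delivery control system.
"""
import hashlib
import hmac
import json
import time

# Shared secret for the webhook. In AWS this would come from Secrets Manager
# or an encrypted environment variable, never be hard-coded like this.
WEBHOOK_SECRET = b"example-secret-not-for-production"

# Constructed store state: outlet -> whether online delivery is enabled.
ONLINE_DELIVERY = {"store-0123": True, "store-0456": True}

# Reject events older than this, so a captured request cannot be replayed
# later to take a store offline again.
MAX_EVENT_AGE_S = 300


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the raw request body (what the appliance would send)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison so a caller cannot recover the MAC byte by byte."""
    return hmac.compare_digest(sign(body, secret), signature or "")


def handle_site_event(body: bytes, signature: str, now=None, state=ONLINE_DELIVERY) -> dict:
    """Validate the webhook and flip the outlet's online-delivery flag.

    Returns a dict with an HTTP-style status so the caller can map it to a
    response. Authentication happens before the body is even parsed.
    """
    now = time.time() if now is None else now
    if not verify(body, signature):
        return {"status": 401, "reason": "bad signature"}
    try:
        evt = json.loads(body)
        site, kind, ts = evt["site"], evt["event"], float(evt["ts"])
    except (ValueError, KeyError, TypeError):
        return {"status": 400, "reason": "malformed event"}
    if abs(now - ts) > MAX_EVENT_AGE_S:
        return {"status": 400, "reason": "stale event"}
    if site not in state:
        # Unknown site IDs are not created on the fly; that would let a
        # misconfigured appliance (or an attacker) pollute the state.
        return {"status": 404, "reason": "unknown site"}
    if kind == "site_down":
        state[site] = False
    elif kind == "site_up":
        state[site] = True
    else:
        return {"status": 400, "reason": "unknown event"}
    return {"status": 200, "site": site, "online_delivery": state[site]}


def lambda_handler(event, context=None):
    """AWS Lambda entry point for a function URL / API Gateway proxy event."""
    body = (event.get("body") or "").encode()
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    result = handle_site_event(body, headers.get("x-signature", ""))
    return {"statusCode": result["status"], "body": json.dumps(result)}
```

The two checks worth keeping whatever the real appliance sends are the signature (restricting the Lambda to a VPC or a source IP is not enough once the appliance's failover path uses dynamic addresses, which is exactly the case the post describes) and the freshness window, so a recorded "site down" message cannot be replayed at a convenient moment.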