WAN Design - Hub and Spoke vs. Partial Mesh vs. Full Mesh
-
At the moment, our network is a hub and spoke design, and I have been wondering if this design is best based on what we are running.
Our company as a whole is a group of companies operating under different names but part of the same master company (same owner for all except one company that is co-owned by our owner and a 3rd party). The company continues to grow through acquisition, with IT being centralized in Fort Worth at HQ.
The main site and remote sites 1-7 are in the Dallas / Fort Worth metroplex. Remote sites 8-10 are in Mississippi. The sites in Mississippi may eventually need to be connected to each other. At the moment, all sites with an ASA 5505 are connected back to HQ via site-to-site VPNs. This approach has worked pretty well for the most part.
The limitation on ASA 5510s for site-to-site vpns is 10. If we continue to grow, we are going to outgrow our firewall gear. There is only one ISP connection at each site.
Main site - ASA 5510, 50/50 fiber (Charter Spectrum)
Two ESXi hosts located here that provide AD, Exchange, Sharepoint, file servers, web server, VMs for Engineering software, VPN access, ERP system, a Barracuda 410 appliance, PBX, security cameras, Veeam, etc.
Remote site 1 - ASA 5505, 10/10 fiber (Time Warner)
One ESXi host here that provides file servers and VMs for Engineering software to this site only, including a DC
Remote site 2 - ASA 5505, 10/10 fiber (Verizon)
Remote site 3 - ASA 5505, 35/5 coax (Time Warner) - site to be shut down in next six months (in the process of moving to site 4)
Remote site 4 - ASA 5505, 35/5 coax (Time Warner)
Soon to have an ESXi host for local storage, AD, and Engineering software VMs
Remote site 5 - ASA 5505, 50/5 coax (Charter Spectrum)
Security cameras
Remote site 6 - ASA 5505, single T1 (Vergent Communications) - site to be shut down in next 6 months
Remote site 7 - coming in early 2016 and is 2 miles from HQ, no ISP yet
Remote site 8 - ASA 5505, 15/3 coax (some communications company in Mississippi)
Remote site 9 - no connection to HQ (currently on DSL, ATT I think)
Remote site 10 - no connection to HQ (currently on DSL, ATT I think)
In the next six months we will go from 11 sites total to 9 sites total (including HQ). I'm looking to future proof our WAN so it makes getting new sites online easier. As you can see, we have a potpourri of ISPs since each site was turned up at a different time. We tend to shop around for a deal rather than trying to go with the same ISP everywhere.
Some folks connect their sites with MPLS, point-to-point connections through an ISP, or gear that can do site-to-site VPNs. With services becoming more and more distributed here, is the hub and spoke approach really going to be the best for us? Newer gear may not make connections between sites faster, but I think it would allow us to turn up new sites and get them connected to HQ or other sites if needed easier than the Cisco gear we have currently.
Routing and switching is an area where I could really improve. I normally have to contract new firewall setups to a 3rd party but can manage them pretty well once initially configured.
For those of you with many sites to manage, what made you decide between hub and spoke, partial mesh, and full mesh? And additionally, what made you decide between connecting the sites leveraging ISP connections or with your own routing gear? I'd love to hear some feedback from others on this.
-
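A quick way to put numbers on the three designs the post asks about, as an added example that is not from the original post: the script below builds the tunnel set for hub-and-spoke, partial mesh (spokes to HQ plus a full mesh inside each region, which is the "Mississippi sites may need to talk to each other" case) and full mesh, counts tunnels per device, checks each device against a peer limit, and reports how many tunnel hops separate two sites. The site list follows the post with sites 3 and 6 dropped as closing; the uniform limit of 10 peers is the figure the post gives for the ASA 5510, applied to every device as an assumption, so substitute the licensed peer counts of your own boxes.

```python
"""Tunnel counts for hub-and-spoke, partial mesh and full mesh WAN designs.

Added example for this thread, not code from the original post. The site
list follows the post (sites 3 and 6 dropped as closing); the per-device
peer limit of 10 is the figure the post gives for the ASA 5510 and is
applied to every device here as an assumption.
"""
from collections import deque
from itertools import combinations

# Constructed site list: site name -> region.
SITES = {
    "HQ": "DFW", "Site1": "DFW", "Site2": "DFW", "Site4": "DFW",
    "Site5": "DFW", "Site7": "DFW",
    "Site8": "MS", "Site9": "MS", "Site10": "MS",
}
PEER_LIMIT = 10  # assumption: applied uniformly, replace with licensed limits
LIMITS = {site: PEER_LIMIT for site in SITES}


def hub_and_spoke(sites, hub="HQ"):
    """Every site has exactly one tunnel, to the hub."""
    return {frozenset((hub, s)) for s in sites if s != hub}


def full_mesh(sites):
    """Every pair of sites has a direct tunnel: n(n-1)/2 tunnels in total."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def partial_mesh(sites, hub="HQ"):
    """Spokes to the hub, plus a full mesh inside each region so that, for
    instance, the Mississippi sites reach each other without hairpinning."""
    links = hub_and_spoke(sites, hub)
    by_region = {}
    for site, region in sites.items():
        by_region.setdefault(region, []).append(site)
    for members in by_region.values():
        links |= full_mesh(members)
    return links


def tunnels_per_device(links):
    """Number of IPsec peers each device must terminate."""
    counts = {}
    for a, b in links:
        counts[a] = counts.get(a, 0) + 1
        counts[b] = counts.get(b, 0) + 1
    return counts


def over_limit(links, limits):
    """Devices whose peer count exceeds their limit, with the offending count."""
    return {d: n for d, n in tunnels_per_device(links).items() if n > limits[d]}


def hops(links, src, dst):
    """Tunnel hops between two sites by breadth-first search; 2 means the
    traffic hairpins through an intermediate site such as the hub."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None  # unreachable


if __name__ == "__main__":
    for name, build in (("hub-and-spoke", hub_and_spoke),
                        ("partial mesh", partial_mesh),
                        ("full mesh", full_mesh)):
        links = build(SITES)
        print(f"{name:14s} tunnels={len(links):2d} "
              f"HQ peers={tunnels_per_device(links)['HQ']} "
              f"Site8->Site9 hops={hops(links, 'Site8', 'Site9')} "
              f"over limit={over_limit(links, LIMITS)}")
```

With a uniform peer limit, hub-and-spoke and full mesh run out of headroom at the same site count (limit plus one), because in one case the hub and in the other case every device terminates n-1 tunnels. What full mesh buys is one hop between any two sites instead of a hairpin through HQ, at the price of n(n-1)/2 tunnels to configure, key and monitor; what hub-and-spoke buys is a single place to enforce policy between sites, at the price of HQ being a single point of failure for every spoke-to-spoke flow. The regional partial mesh is the usual compromise when only a few site pairs actually exchange traffic directly.
-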
I've got a couple of articles underway that talk about exactly or nearly this and the biggest thing that I have to ask is... is an extended LAN the right way to go in the future? The idea of the traditional LAN was having everything exposed to everything else because it makes things easy. But it also creates a lot of risk. Do you need to have all of your desktops talk to each other? Do you need a big LAN extended over VPN or MPLS links to each other? What are the actual resources being shared that you need to provide to the end users?
-
@NetworkNerd said:
For those of you with many sites to manage, what made you decide between hub and spoke, partial mesh, and full mesh?
We are in the process of moving from what used to be a hub and spoke to a full mesh and now into the world of the "zero LAN."
-
We are a full mesh here.
-
I think that most large companies are full mesh. Most smaller ones with a very clear HQ are hub and spoke. Or those with a single or single group of datacenters.
-
I am in @scottalanmiller's camp on this subject. Why do you even need the sites connected? What is truly shared between the sites? Once you really look into how things are shared, you may find better ways to handle it. I find that very little is shared real time ever.
One of my clients is setup hub/spoke but technically, with only a little work, they really will not even need a permanent connection between sites.
It will be a bigger issue retraining users to not expect a "P" drive and such.
First go to AD via Azure. Or lacking that, keep the hub and spoke but only care about it for AD authentication.
For file sharing, one simple solution is to setup say ownCloud and sync the file server to it. Then at the sites with their own file server, you can sync the directories required to the local file server and share locally via SMB from there. For the sites without a file server, you can either install ownCloud on all workstations as needed, or pick one to run ownCloud (in a folder the user cannot see) and then share it out from there.
You get the idea.
-
I would be interested in the articles, for sure. I get the idea behind Zero Lan and no local storage, I'm just not sure I'm 100% on board yet.
-
Zero LAN?
yeah for the OP, I was wondering if going to a cloud solution would be workable.
Moving to Azure AD requires all the endpoints to move to Windows 10, or ditch Windows altogether and move to Linux.
-
@Dashrender said:
Zero LAN?
yeah for the OP, I was wondering if going to a cloud solution would be workable.
Moving to Azure AD requires all the endpoints to move to Windows 10, or ditch Windows altogether and move to Linux.
I don't know that Azure AD is feasible for us at the moment. Keep in mind we are a manufacturing company that often times needs to support legacy software which works with machines out in our shops. Windows 10 for everyone is not really an option just yet.
-
@NetworkNerd said:
@Dashrender said:
Zero LAN?
yeah for the OP, I was wondering if going to a cloud solution would be workable.
Moving to Azure AD requires all the endpoints to move to Windows 10, or ditch Windows altogether and move to Linux.
I don't know that Azure AD is feasible for us at the moment. Keep in mind we are a manufacturing company that often times needs to support legacy software which works with machines out in our shops. Windows 10 for everyone is not really an option just yet.
Right, so you can easily keep the hub and spoke and only use it for AD authentication and such.
Really you need to look at what you are pushing over the pipes.
-
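One way to actually "look at what you are pushing over the pipes" before deciding which services the tunnels must carry, as an added example rather than anything from the thread: the script below parses ASA connection teardown messages (%ASA-6-302014 for TCP and %ASA-6-302016 for UDP, which carry the byte count for the whole connection), maps both endpoints to sites through an assumed per-site address plan, sums bytes per source site, destination site and service, then lists the flows that fall outside an assumed tunnel policy of AD authentication plus SIP to the central PBX, and the flows that go spoke to spoke through the hub. The sample log lines, the 10.x prefixes, the port-to-service table and the policy are constructed for the example; only the message layout is the ASA's.

```python
"""Summarise what crosses the site-to-site tunnels, from ASA connection
teardown messages, so the tunnel policy can be narrowed to what is used.

Added example for this thread, not code from the original post. The
address plan, the port-to-service table, the allowed-service policy and
the log lines are constructed; only the %ASA-6-302014 / %ASA-6-302016
message layout is the ASA's own.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed per-site address plan (the thread does not give one).
SITE_PREFIXES = {
    "HQ": ipaddress.ip_network("10.0.0.0/16"),
    "Site1": ipaddress.ip_network("10.1.0.0/16"),
    "Site8": ipaddress.ip_network("10.8.0.0/16"),
}

# Destination port -> service label; anything else is reported as "other".
SERVICES = {88: "kerberos", 389: "ldap", 445: "smb", 3389: "rdp",
            25: "smtp", 443: "https", 5060: "sip"}

# Assumed policy: the tunnels exist for AD authentication and the central PBX.
ALLOWED_OVER_TUNNEL = {"kerberos", "ldap", "sip"}

# Teardown messages carry the byte count for the whole connection.
TEARDOWN = re.compile(
    r"%ASA-6-3020(?:14|16): Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"\w+:(?P<src>[\d.]+)/\d+ to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration [\d:]+ bytes (?P<bytes>\d+)"
)

# Constructed sample lines, as the spoke ASAs would log them.
SAMPLE_LOG = [
    "%ASA-6-302014: Teardown TCP connection 101 for inside:10.1.5.20/49152 "
    "to outside:10.0.0.10/88 duration 0:00:02 bytes 1200 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 102 for inside:10.1.5.20/49153 "
    "to outside:10.0.0.10/389 duration 0:00:05 bytes 4800 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 103 for inside:10.1.5.21/50000 "
    "to outside:10.0.0.20/445 duration 0:03:10 bytes 2500000 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 104 for inside:10.8.2.7/51000 "
    "to outside:10.0.0.10/88 duration 0:00:01 bytes 900 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 105 for inside:10.8.2.7/51001 "
    "to outside:10.1.5.20/3389 duration 0:12:00 bytes 70000 TCP Reset-O",
    "%ASA-6-302014: Teardown TCP connection 106 for inside:10.1.5.21/50001 "
    "to inside:10.1.0.5/445 duration 0:01:00 bytes 999999 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 107 for outside:10.0.0.30/40000 "
    "to inside:10.8.2.7/445 duration 0:00:03 bytes 800 TCP FINs",
    "%ASA-6-302016: Teardown UDP connection 108 for inside:10.1.5.20/5060 "
    "to outside:10.0.0.40/5060 duration 0:05:00 bytes 320000",
    "%ASA-6-302016: Teardown UDP connection 109 for inside:10.1.5.22/40001 "
    "to outside:8.8.8.8/53 duration 0:00:00 bytes 200",
    "%ASA-6-302013: Built inbound TCP connection 110 for outside:10.0.0.30/40001 "
    "(10.0.0.30/40001) to inside:10.8.2.9/445 (10.8.2.9/445)",
    "%ASA-6-302014: Teardown TCP connection 111 for inside:10.8.2.9/52000 "
    "to outside:10.0.0.50/8080 duration 0:00:20 bytes 5000 TCP FINs",
]


def site_of(ip):
    """Site name for an address, or None if it is outside the address plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SITE_PREFIXES.items():
        if addr in net:
            return name
    return None


def parse_teardown(line):
    """Fields of a TCP/UDP teardown message, or None for any other line."""
    m = TEARDOWN.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def summarize(lines):
    """Bytes per (source site, destination site, service) for flows whose
    endpoints sit at two different sites; local and internet flows are skipped."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        src_site, dst_site = site_of(rec["src"]), site_of(rec["dst"])
        if src_site is None or dst_site is None or src_site == dst_site:
            continue
        totals[(src_site, dst_site, SERVICES.get(rec["dport"], "other"))] += rec["bytes"]
    return dict(totals)


def unexpected_flows(totals, allowed=ALLOWED_OVER_TUNNEL):
    """Flows the policy does not cover, heaviest first."""
    return sorted(((k, v) for k, v in totals.items() if k[2] not in allowed),
                  key=lambda kv: -kv[1])


def spoke_to_spoke(totals, hub="HQ"):
    """Flows between two spokes, which hairpin through the hub in hub-and-spoke."""
    return [k for k in totals if hub not in (k[0], k[1])]


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for (src, dst, svc), nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{src:6s} -> {dst:6s} {svc:9s} {nbytes:>10d}")
    print("outside policy:", [k for k, _ in unexpected_flows(totals)])
    print("spoke to spoke:", spoke_to_spoke(totals))
```

Feed it real teardown lines (syslog at informational level from each ASA) over a representative week and the "outside policy" list becomes the working list for the crypto ACL or VPN filter: every entry either gets an explicit allow with a reason, or moves off the tunnel to a per-site server or a hosted service. In the constructed sample the SMB transfer to the HQ file server dwarfs everything else, which is exactly the kind of flow a local file server or a sync tool removes from the pipe.
-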
@scottalanmiller said:
I've got a couple of articles underway that talk about exactly or nearly this and the biggest thing that I have to ask is... is an extended LAN the right way to go in the future? The idea of the traditional LAN was having everything exposed to everything else because it makes things easy. But it also creates a lot of risk. Do you need to have all of your desktops talk to each other? Do you need a big LAN extended over VPN or MPLS links to each other? What are the actual resources being shared that you need to provide to the end users?
End users need e-mail, a place to store files, access to Sharepoint, access to our internal web server, access to the ERP system (whether connecting directly to it or via RDS), VOIP (centralized PBX), etc. There's not a great deal of printing from one site to another with the exception of using our Bartender server in conjunction with our webserver to print labels to kiosks out in the shops. We're using LogMeIn or RDP to manage machines at remote sites. We also use Spiceworks and have a remote collector at each location that pushes inventory data back to the central server at HQ (which can run over the WAN link and would not need site-to-site VPN with proper NAT and ACLs).
I forgot about AV. We have a central server with VIPRE installed. But we may be moving to Webroot this month (I hope) and can kill that one.
-
@JaredBusch said:
@NetworkNerd said:
@Dashrender said:
Zero LAN?
yeah for the OP, I was wondering if going to a cloud solution would be workable.
Moving to Azure AD requires all the endpoints to move to Windows 10, or ditch Windows altogether and move to Linux.
I don't know that Azure AD is feasible for us at the moment. Keep in mind we are a manufacturing company that often times needs to support legacy software which works with machines out in our shops. Windows 10 for everyone is not really an option just yet.
Right, so you can easily keep the hub and spoke and only use it for AD authentication and such.
Really you need to look at what you are pushing over the pipes.
In a hub and spoke design, do folks often allow VPN access to the hub but then allow the vpn connected clients to connect to other site resources as well (i.e. might need access to a file server at each location)?
-
@NetworkNerd said:
@JaredBusch said:
@NetworkNerd said:
@Dashrender said:
Zero LAN?
yeah for the OP, I was wondering if going to a cloud solution would be workable.
Moving to Azure AD requires all the endpoints to move to Windows 10, or ditch Windows altogether and move to Linux.
I don't know that Azure AD is feasible for us at the moment. Keep in mind we are a manufacturing company that often times needs to support legacy software which works with machines out in our shops. Windows 10 for everyone is not really an option just yet.
Right, so you can easily keep the hub and spoke and only use it for AD authentication and such.
Really you need to look at what you are pushing over the pipes.
In a hub and spoke design, do folks often allow VPN access to the hub but then allow the vpn connected clients to connect to other site resources as well (i.e. might need access to a file server at each location)?
This is why you see @scottalanmiller pushing for things like ownCloud or SharePoint, et al... It doesn't matter where you are connected from... as long as you have internet, you can access your ownCloud / Sharepoint instances.
-
@dafyre said:
@NetworkNerd said:
@JaredBusch said:
@NetworkNerd said:
@Dashrender said:
Zero LAN?
yeah for the OP, I was wondering if going to a cloud solution would be workable.
Moving to Azure AD requires all the endpoints to move to Windows 10, or ditch Windows altogether and move to Linux.
I don't know that Azure AD is feasible for us at the moment. Keep in mind we are a manufacturing company that often times needs to support legacy software which works with machines out in our shops. Windows 10 for everyone is not really an option just yet.
Right, so you can easily keep the hub and spoke and only use it for AD authentication and such.
Really you need to look at what you are pushing over the pipes.
In a hub and spoke design, do folks often allow VPN access to the hub but then allow the vpn connected clients to connect to other site resources as well (i.e. might need access to a file server at each location)?
This is why you see @scottalanmiller pushing for things like ownCloud or SharePoint, et al... It doesn't matter where you are connected from... as long as you have internet, you can access your ownCloud / Sharepoint instances.
Yeah but that doesn't work for everyone. Mostly SMBs that can get away with that.
-
@Jason said:
@dafyre said:
@NetworkNerd said:
@JaredBusch said:
@NetworkNerd said:
@Dashrender said:
Zero LAN?
yeah for the OP, I was wondering if going to a cloud solution would be workable.
Moving to Azure AD requires all the endpoints to move to Windows 10, or ditch Windows altogether and move to Linux.
I don't know that Azure AD is feasible for us at the moment. Keep in mind we are a manufacturing company that often times needs to support legacy software which works with machines out in our shops. Windows 10 for everyone is not really an option just yet.
Right, so you can easily keep the hub and spoke and only use it for AD authentication and such.
Really you need to look at what you are pushing over the pipes.
In a hub and spoke design, do folks often allow VPN access to the hub but then allow the vpn connected clients to connect to other site resources as well (i.e. might need access to a file server at each location)?
This is why you see @scottalanmiller pushing for things like ownCloud or SharePoint, et al... It doesn't matter where you are connected from... as long as you have internet, you can access your ownCloud / Sharepoint instances.
Yeah but that doesn't work for everyone. Mostly SMBs that can get away with that.
Are we not an SMB centric forum?
-
@Jason said:
@dafyre said:
@NetworkNerd said:
@JaredBusch said:
@NetworkNerd said:
@Dashrender said:
Zero LAN?
yeah for the OP, I was wondering if going to a cloud solution would be workable.
Moving to Azure AD requires all the endpoints to move to Windows 10, or ditch Windows altogether and move to Linux.
I don't know that Azure AD is feasible for us at the moment. Keep in mind we are a manufacturing company that often times needs to support legacy software which works with machines out in our shops. Windows 10 for everyone is not really an option just yet.
Right, so you can easily keep the hub and spoke and only use it for AD authentication and such.
Really you need to look at what you are pushing over the pipes.
In a hub and spoke design, do folks often allow VPN access to the hub but then allow the vpn connected clients to connect to other site resources as well (i.e. might need access to a file server at each location)?
This is why you see @scottalanmiller pushing for things like ownCloud or SharePoint, et al... It doesn't matter where you are connected from... as long as you have internet, you can access your ownCloud / Sharepoint instances.
Yeah but that doesn't work for everyone. Mostly SMBs that can get away with that.
True. There's never a one-size-fits-all scenario. I can see the merits of doing it though, both for a backup location, as well as for live storage. In some cases it would make sense to use it for live storage, and in others it would make more sense to use it only for backups.
I think that any business can use O365 / ACD / ownCloud for this type of thing. It's just a question as to what features are needed. By and large, though, in the SMB shops, they don't have folks (nor do they have the money to spend on third parties) that can do the risk-analysis of doing a Zero Lan + O365 vs doing a Traditional Lan + File Servers + Backups, etc.
-
@dafyre said:
True. There's never a one-size-fits-all scenario. I can see the merits of doing it though, both for a backup location, as well as for live storage. In some cases it would make sense to use it for live storage, and in others it would make more sense to use it only for backups.
There are colos as well as data services for backups. Normal "cloud" type stuff is better at processing than massive storage with long (or forever) retention periods.
-
@Jason said:
@dafyre said:
True. There's never a one-size-fits-all scenario. I can see the merits of doing it though, both for a backup location, as well as for live storage. In some cases it would make sense to use it for live storage, and in others it would make more sense to use it only for backups.
There are colos as well as data services for backups. Normal "cloud" type stuff is better at processing than massive storage with long (or forever) retention periods.
One could argue that both ways. Something like ownCloud would be awesome in a Colo... but then you are responsible for backups. ACD could be good for long-term storage (at least for the moment), they are still unlimited.
-
@dafyre said:
One could argue that both ways. Something like ownCloud would be awesome in a Colo... but then you are responsible for backups. ACD could be good for long-term storage (at least for the moment), they are still unlimited.
ownCloud isn't true backup. It's just replication. That's like saying our replicated SAN systems are backups. They aren't. If there's an issue one place that is not at the hardware level it will be replicated to the other.
-
@Jason said:
@dafyre said:
One could argue that both ways. Something like ownCloud would be awesome in a Colo... but then you are responsible for backups. ACD could be good for long-term storage (at least for the moment), they are still unlimited.
ownCloud isn't true backup. It's just replication. That's like saying our replicated SAN systems are backups. They aren't. If there's an issue one place that is not at the hardware level it will be replicated to the other.
I wasn't calling it a backup (although re-reading it, it does seem that way). You are responsible for backing up your ownCloud instance if you have it in a Colo.
If you are using Amazon, they claim to have your stuff backed up somewhere (I am unsure as the retention / how often the backups are taken, etc).