MPLS hub & spoke topology

WildMonkey365

Aug 30, 2016
I have to replace an MPLS for a 7-site doctor's office. 6 branch sites connect to 1 corporate site and can only communicate with corporate, not with each other. Corporate can also communicate with all sites "obviously", as it serves DNS to the Windows AD environment for all sites. I'm trying to emulate what they have with an SD-WAN router at all sites, which uses a feature called Virtual-MPLS. My problem is I'm not fully understanding how MPLS works from a functionality perspective. I keep hearing the word "Host" and I'm wondering if all branch sites are only getting out to the internet through the corporate router/firewall. In other words, is the corporate "Host" site a bottleneck/gateway for the other branch sites? I'm assuming that the branch sites do not directly go out over the internet but the traffic runs through the corporate "Host" site first. Is this how a traditional MPLS works?
 


This is when you hire a consultant who knows what he is doing.
A medical network is not where you want to just wing it.
 


I suppose you're right. Are you familiar with MPLS? Is the corporate site the gateway for incoming/outgoing traffic on the branch sites, as mentioned above? I assume the branch sites cannot reach the internet directly. I will most likely get my data vendor involved, but at the same time I want to understand how traffic is managed in a typical MPLS setup.
 
MPLS can be pretty much set up to work any way you want. The configuration you mention is not common; the most common is any-any.

Who does the setup depends greatly on your contract. Some MPLS networks are fully managed, so your provider owns all the routers and does all the setup. In others, the provider only configures their core routers, and all the edge devices are owned and maintained by the customer.

You also have to remember that the internet and MPLS are not generally connected. So internet traffic may follow a different traffic pattern than inter-company traffic. It is very common for a company to force all the internet traffic through a common central internet connection. This makes the network much more secure because only one firewall must be maintained and protected.

Now with a medical network you have to deal with HIPAA rules. Almost everyone who sets these up runs encryption on top of the MPLS network to ensure that even the network provider's employees cannot look at the data. Because it is messy to get any-any to work, many people set up VPN tunnels over the MPLS to only the central site. You can do any-any with DMVPN, but only an expert can set it up, and it is only supported on a small number of commercial routers, mostly Cisco.

As mentioned above, with a medical network you want to run away as fast as you can or charge a fortune to implement them. You make a tiny mistake and violate the HIPAA laws and you will be in the courts for years. Only someone very skilled in networks should even think to touch any network that has medical data on it.
 
Solution


You say the most common MPLS setup is "any-any". When I hear any-any I think of my firewall rules. What do you mean by any-any?
 
Pretty much exactly that. All machines at all sites have the ability to contact each other. It really just means that the provider routers, and many times the local router, have full routing tables with all the addresses for all the sites in them. The traffic will appear to go directly from any site to any other site with no other routers in between. Of course it really doesn't work that way; there are many provider routers in the path, but they are using the MPLS tags to transfer data rather than the more common IP routing, so you can't see them.
 


That sounds more like a meshed network as opposed to a hub-and-spoke topology. The firewalls my company uses support either "hub & spoke" or "meshed". I'm waiting to hear from an engineer to verify whether I can or cannot duplicate the MPLS setup that the customer currently has, which is hub & spoke with all devices at all locations trafficking through corporate for literally everything. I'm already thinking of a plan B, and I'm pretty sure I'm going to have to explain to the data vendor that all devices at all sites go directly out to the WAN on their own accord. My next step would be setting up a secure rule base at each location.
 
The main purpose of MPLS is the full-mesh traffic. You can have the provider set it up as hub and spoke if you really want it to. They can either do it with actual MPLS tags or they can just use simple routing filters. With MPLS all the connections are virtual, so you can pretty much do what you want. Physically, each location hooks to the MPLS provider "cloud" network at the nearest point, and then traffic is sent between sites based on what you want.

They have all kinds of options. They generally even allow multiple classes of service, so for example video conferencing or VoIP can take different data paths than normal traffic.

Pretty much you can have anything you can think of... especially if you are buying a managed service where the vendor controls the first on-site router.
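To make the difference between "any-any" and "hub and spoke built from routing filters" concrete, here is a small added example (my own illustration, not code from this thread or from any vendor). It models per-site routing tables for both policies, does a longest-prefix-match lookup the way a router would, and traces a packet from site to site. One check a practitioner wants is visible in the result: routing filters alone only force spoke traffic through the hub; whether branch1 can reach branch2 via corporate is then decided by the hub firewall, so the model includes that drop. All site names, prefixes and the "internet" pseudo next hop are constructed for the example, and the local internet breakout under any-any is an assumption.

```python
"""Added example: any-any versus hub-and-spoke reachability over an MPLS cloud.
Not from the original thread; site names and prefixes are constructed."""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: one corporate hub and six branch spokes.
HUB = "corp"
SITES = {
    "corp": IPv4Network("10.0.0.0/24"),
    "branch1": IPv4Network("10.0.1.0/24"),
    "branch2": IPv4Network("10.0.2.0/24"),
    "branch3": IPv4Network("10.0.3.0/24"),
    "branch4": IPv4Network("10.0.4.0/24"),
    "branch5": IPv4Network("10.0.5.0/24"),
    "branch6": IPv4Network("10.0.6.0/24"),
}
DEFAULT = IPv4Network("0.0.0.0/0")
INTERNET = "internet"  # pseudo next hop: a site's own internet connection


def any_any_routes(site):
    """Full table: every other site's prefix with that site as next hop.
    The default route points at a local internet breakout (assumption)."""
    routes = {prefix: other for other, prefix in SITES.items() if other != site}
    routes[DEFAULT] = INTERNET
    return routes


def hub_spoke_routes(site):
    """Filtered table: a spoke learns only the hub prefix plus a default route
    via the hub; the hub learns every spoke and owns the only internet exit."""
    if site == HUB:
        routes = {prefix: other for other, prefix in SITES.items() if other != HUB}
        routes[DEFAULT] = INTERNET
        return routes
    return {SITES[HUB]: HUB, DEFAULT: HUB}


def next_hop(routes, dst):
    """Longest-prefix match over a site's routing table; None if no route."""
    matches = [p for p in routes if dst in p]
    if not matches:
        return None
    return routes[max(matches, key=lambda p: p.prefixlen)]


def trace(policy, src, dst, spoke_transit_allowed=False, max_hops=8):
    """Follow a packet from site `src` toward IP `dst`; return the sites crossed.
    `policy` is "any-any" or "hub-spoke". Under hub-spoke the hub firewall
    drops spoke-to-spoke transit unless spoke_transit_allowed is set."""
    dst = IPv4Address(dst)
    table = any_any_routes if policy == "any-any" else hub_spoke_routes
    path, cur, prev = [src], src, None
    for _ in range(max_hops):
        if dst in SITES[cur]:
            return path  # delivered inside the current site
        nh = next_hop(table(cur), dst)
        if nh is None:
            return path + ["DROP:no-route"]
        came_from_spoke = prev is not None and prev != HUB
        if (policy == "hub-spoke" and cur == HUB and came_from_spoke
                and nh != INTERNET and not spoke_transit_allowed):
            return path + ["DROP:hub-firewall"]
        path.append(nh)
        if nh == INTERNET:
            return path
        prev, cur = cur, nh
    return path + ["DROP:loop"]


def reachable(policy, src, **kw):
    """Sites `src` can deliver to (plus 'internet'), as an audit of the policy."""
    out = []
    for name, prefix in SITES.items():
        if name != src and trace(policy, src, str(prefix[10]), **kw)[-1] == name:
            out.append(name)
    if trace(policy, src, "203.0.113.1", **kw)[-1] == INTERNET:
        out.append(INTERNET)
    return out


if __name__ == "__main__":
    for policy in ("any-any", "hub-spoke"):
        print(policy, "branch1 -> 10.0.2.5:", trace(policy, "branch1", "10.0.2.5"))
        print(policy, "branch1 -> 8.8.8.8:", trace(policy, "branch1", "8.8.8.8"))
        print(policy, "branch1 reaches:", reachable(policy, "branch1"))
```

Under any-any, branch1 reaches every site directly and breaks out to the internet locally; under hub-spoke, its only routes are the corporate prefix and a default via corporate, so branch1 reaches corp and the internet and is dropped at the hub firewall when it tries for branch2. Flip `spoke_transit_allowed=True` to see that the routing filters by themselves would still let branch1 reach branch2 through corporate, which is why the hub's firewall rule base, not the route filters, is what enforces "branches cannot talk to each other".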