Question: Need advice for replacing current network router and network firewall (Routing)

michael-antony

Junior Member
Mar 13, 2022
1
0
6
Hi Experts,
I need your advice: what do you think if I am asked to replace the current network router and network firewall with another type of router and firewall?
This is more or less a summary of the current network system:

Head Office
Start -> ISP -> (Firewall) device: Cisco ASA 5515-X -> (Internet Router & WAN Router) devices: Cisco ISR 4331 (2 pcs) -> 2 Core Switch (Juniper) -> Users PC -> End

Branch 1
Start -> ISP -> (Firewall) device: Cisco ASA 5512-X -> (Internet Router) Cisco ISR 4321 -> 2 Core Switch -> Users PC -> End

Branch 2
Start -> ISP -> (Firewall) device: Cisco ASA 5512-X -> (Router) Cisco ISR 4321 -> 2 Core Switch -> Users PC -> End

*Note: Each site uses a VPN IP (MPLS) service from an ISP to give the branch offices access to the Head Office server.

All devices are Cisco, and maintenance and replacement of devices are done using vendor services. Company management wants to save costs by replacing the existing devices with other brands, so that maintenance can be carried out by the company's internal IT, and also to replace the existing VPN IP subscriptions by creating a site-to-site VPN over the internet, implemented on the new devices.

Now, this is the problem:
I got stuck on this task, because I am a software engineer and have very little experience with networking. I was asked to learn from scratch and hopefully be able to handle the task. Also, none of the IT team understands Cisco at all, so they don't dare touch the devices, let alone do the configuration. Because it's currently used in production/live operation, it must not experience trouble or downtime.

Please give me your thoughts on this, or insights or advice, I would really appreciate it.

Best Regards,
Antony

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,471
387
126
I do Not think that such a Network in a commercial office can be solved by asking questions on an open Forum.

1. We do not know the exact capacity of the IT personnel of the company. There is No point in suggesting hardware that they might not be able to handle.

2. Solving the design of such a Network in the open can create security problems for a commercial entity.


:cool:
  • Like
Reactions: michael-antony

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
What you are looking at probably is SD-WAN.

However, we don't know what your environment is like, what the service speed is, how many users are at headquarters and the branch offices, or whether you have dedicated lines at each site. As Jack has said, it's hard to recommend. You'd better consult local SD-WAN providers.
It's definitely a tough job; if not done right, you/the company may face some unhappy consequences.



Another option is VPN software that can be run on x86/ARM CPU platforms (though they probably cannot be considered enterprise grade):

WireGuard -- pretty fast, close to IPsec, still in beta though.
SoftEther -- supports IPsec (should be fast), OpenVPN
ZeroTier -- a bit faster than OpenVPN
OpenVPN -- very slow, forget about it.

YouTube has a lot of tutorials.

Tech Junky

Diamond Member
Jan 27, 2022
3,412
1,145
106
So, let me get this right.....

Your IT dept wants a SW engineer to redesign the network and you don't have expertise in networking?

Sounds like your company needs to hire an NE that's capable of redesigning things. Cisco is prevalent in this space because it's widely used and a standardized setup. VPN = subscription unless you go off the beaten path and configure things yourself w/o enterprise-level support. "You break it, you fix it" doesn't tend to go over well with leadership goals of uptime and being non-disruptive. Cisco offers speedy replacement of HW if it dies, a TAC case gets you support if you configure it incorrectly, and just about any NE can jump into Cisco to resolve issues.

There are providers, though, that can redesign the solution in a packaged "service" where you pay a monthly fee and they manage everything. Considering the 55xx FWs, though, this seems to be a low-throughput operation when it comes to bandwidth.

MPLS provides a secure transport between locations using RFC1918 IP addresses that aren't routable / accessible outside of the ISP / corporate network. This alone provides security against outside actors. The main office is likely where the "WAN" to the outside world exists, and all of the branch offices route out through this connection. However, providing internet at each location directly would speed things up for external traffic. Setting up S2S VPN and splicing off the internet traffic is possible and would provide a better user experience, but also might cost more on the ISP level to bring in the connections.

Being an NE, I made my own router out of a PC / Linux and secured it properly based on my experience in dealing with a variety of networking gear over the years. All devices like Cisco / Juniper / etc. run off Linux when you strip off the skin, with the commands being entered as aliases. The $ being paid is for the aliases / support / HW replacement in a timely manner. The advantage of spinning up a PC as a router is you can determine the capabilities of the device by the HW you put into it and how you configure the OS. I rolled several functions into my "router" over the past few years, from WiFi internal cards being hosted as APs to NAS functionality with RAID in the OS.

Taking the DIY road means you have to have people that are familiar with the OS and the facets of securing the systems properly and keeping them up to date, with the expectation that there may be an issue with a kernel release now and then. You'll want to keep at least 1 separate "lab" version to test new releases on prior to deployment. Figuring out which "VPN" you want to use adds another step to the mix. I use WG through Nord, but you can set up your own S2S profiles in it w/o a subscription. The alternative mentioned above, hiring a company to manage everything or decentralizing things into the cloud, is an option as well. Moving your infrastructure to a DC and then pointing endpoints to the DC means less chance of "IT" mucking things up in the central location and causing an outage in the process that impacts all sites. Going the DC route also allows them to point all traffic for the business to the DC, which simplifies office configurations for connectivity to a central point and redirecting traffic as needed. The other advantage of the DC setup is you'll have more selection of ISP options / pricing for better bandwidth, since it's an aggregation point for most major ISPs.

This isn't going to be a simple task though moving all of these pieces around to save a couple of bucks. It's going to take a decent budget to get things changed over before realizing any savings in CAPEX / OPEX compared to the minor charges being paid currently for the Cisco gear. Considering the IT people don't know anything about Cisco they may not know anything about networking in general other than how to swap out an Ethernet drop / patch cable.
  • Like
Reactions: mxnerd
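Both mxnerd's mention of WireGuard and Tech Junky's remark that you can set up your own S2S profiles without a subscription point at the same thing: a site-to-site tunnel between the Head Office and a branch. The two config files below are an added illustration written for this thread, not configuration from any of the posters or from the original poster's network. Every value in them is an assumption: the LAN subnets (192.168.1.0/24 for Head Office, 192.168.10.0/24 for Branch 1), the tunnel subnet 10.255.0.0/24, the hostname hq.example.invalid, and the key placeholders in angle brackets, which you would replace with real keys generated on each box with `wg genkey | tee privatekey | wg pubkey > publickey`.

```ini
# ---------------------------------------------------------------
# Head Office: /etc/wireguard/wg0.conf (assumed paths and subnets)
# Listens on UDP 51820; only that port needs to be allowed inbound
# from the internet on the Head Office firewall.
# ---------------------------------------------------------------
[Interface]
Address = 10.255.0.1/24
ListenPort = 51820
PrivateKey = <HEAD_OFFICE_PRIVATE_KEY>
# The host must forward packets between wg0 and the LAN interface:
# sysctl -w net.ipv4.ip_forward=1 (and persist it in sysctl.conf)

# Branch 1. AllowedIPs is deliberately narrow: only the peer's tunnel
# address and its LAN may arrive from (or be routed to) this peer.
# WireGuard drops any packet from this peer with another source
# address, so a branch cannot spoof Head Office or another branch.
[Peer]
PublicKey = <BRANCH1_PUBLIC_KEY>
AllowedIPs = 10.255.0.2/32, 192.168.10.0/24

# ---------------------------------------------------------------
# Branch 1: /etc/wireguard/wg0.conf
# No ListenPort: the branch dials out, so nothing needs to be opened
# inbound at the branch. PersistentKeepalive keeps the NAT mapping
# alive so Head Office can still send traffic to the branch LAN.
# ---------------------------------------------------------------
[Interface]
Address = 10.255.0.2/24
PrivateKey = <BRANCH1_PRIVATE_KEY>
# Also needs net.ipv4.ip_forward=1 so branch PCs can use the tunnel.

[Peer]
PublicKey = <HEAD_OFFICE_PUBLIC_KEY>
Endpoint = hq.example.invalid:51820
# Only the Head Office tunnel address and LAN go through the tunnel;
# the branch's internet traffic keeps using the local ISP directly.
AllowedIPs = 10.255.0.1/32, 192.168.1.0/24
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0` and check `wg show` for a recent "latest handshake" on the peer. Two design points worth keeping even if the brands change: AllowedIPs doubles as a source-address filter, so keep it to exactly the remote subnets instead of 0.0.0.0/0, and the tunnel only carries the LAN-to-LAN traffic that the MPLS circuit carried before, so the existing host firewall rules on the Head Office server still apply to branch clients arriving over it.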