Centralized/ De-Centralized Internet Access and Inter-branch WAN Connectivity for Enterprises

Most companies have multiple branches, and almost all of them connect to each other over a WAN (Wide Area Network). Each branch needs Internet connectivity as well. So what kind of connectivity architecture do companies adopt? Which is better: MPLS WAN connectivity with centralized Internet access, de-centralized Internet access at each branch while still connecting to other branches over MPLS links, or Virtual Private Networks using just Internet Leased Lines at all branches? We will find out in this article.

A number of companies still have point-to-point Leased Lines to connect to other branches, but we are not considering that architecture here, as MPLS connectivity is clearly a better (and more cost-effective) option these days. The advantages of MPLS circuits over point-to-point Leased Lines, and of Internet Leased Lines over broadband connectivity for Internet access, are listed in separate articles.

MPLS WAN Connectivity and Centralized Internet Access

[Architecture diagram: MPLS WAN Connectivity and Centralized Internet Access]

In this architecture, every branch, including the head office, is connected to every other (in a mesh, actually) through MPLS circuits. Just one MPLS circuit is enough per location, though. The Internet Leased Line is taken at the head office, and the individual branches access the Internet by first reaching the head office network (through the MPLS network) and then going out over the Internet Leased Line from there. So the branches do not have direct (individual) Internet connections.

The main advantage of this architecture is the centralization of the Internet access policies and the security policies. They can be applied from one location in the head office, which gives the head office more control over what is (or can be) accessed across the entire network. This is also a cost-effective option: the Internet link at the head office is shared between the branches, and since companies pay in full for the capacity ordered (2 Mbps, for example), under-utilization of the available bandwidth at any point of time can be minimized.

The main disadvantage is that the speed of Internet access at the branches can be quite slow (especially during peak access times). Since the same circuit is carrying both Internet traffic as well as real time traffic like voice and video, data traffic (Internet) might slow down the real time traffic, especially if end to end QoS parameters are not configured.

MPLS WAN Connectivity and De-centralized Internet Access (Internet connectivity at every branch)

[Architecture diagram: De-centralized Internet Access along with MPLS Connectivity for each branch]

This WAN connectivity architecture is similar to the previous one, as each branch is connected to every other branch using MPLS circuits. But instead of having centralized Internet access, each branch has its own Internet access using Internet Leased Lines/ broadband connections. So the inter-branch communications (ERP, VoIP, video conferencing, etc.) travel over the MPLS circuits between the branches, and the Internet traffic goes out over the Internet Leased Lines from the branches themselves without disturbing the MPLS circuits.

The main advantage of this architecture is that, if planned well, it can give the best performance for real time traffic, data traffic and Internet traffic. The users in the branches would no longer experience slow Internet access. This architecture also makes it possible to maintain good performance without increasing the costs too much, by having broadband connections instead of Internet Leased Lines for Internet access at smaller branches, as broadband connections are much cheaper. This method is very effective, especially if all the branches are within a single country.

The disadvantages could be the higher costs and a greater chance of not utilizing the bandwidth capacity paid for in each branch (for Internet Leased Lines). The cost of global MPLS connectivity is very high, and hence it is difficult to implement for companies with multiple branches across the globe.

Virtual Private Networks using Internet Leased Lines at all the branches

[Architecture diagram: Virtual Private Networks using Internet Leased Lines and Routers/ UTM in all branches]

This WAN architecture is gaining a lot of traction of late. Here, all the branches and the head office procure Internet Leased Lines and get connected to the Internet that way. A Virtual Private Network is then established using a variety of methods, with each branch connecting to all other branches securely over the Internet. For example, if Routers are used to terminate the Internet Leased Lines, then they also support a certain number of IPSec/ SSL VPN sessions between them (two or more such devices). The number of concurrent session licenses can also be upgraded in most Routers. The VPN can also be created using UTM (Unified Threat Management) devices, VPN Concentrators, Wireless LAN Controllers, etc. So, using techniques like tunneling and encryption, a secure network is formed over the Internet for all the inter-branch communications. The Internet traffic is allowed to go to the Internet as usual, without any encryption.

The obvious advantage of this architecture is the cost reduction, as one network can handle both secure inter-branch communications and Internet access at each branch. This architecture is especially useful for globally spread enterprises. It also allows remote access to the network by workers in the field and those working from home, as IPSec/ SSL VPNs can be set up between the branches and roaming employees with proper network access credentials. The cost of Internet Leased Lines is coming down rapidly. Redundancy can be established by having multiple Internet Leased Line connections from different ISPs, and most of them give an SLA (Service Level Agreement) which ensures that the network is up for the maximum possible time.
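The tunnel layout and traffic split described for this architecture can be sketched as follows. This is an added example, not part of the original article; the site names and private subnets are constructed, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample sites; names and RFC 1918 subnets are illustrative only.
SITES = {
    "head-office": "10.0.0.0/16",
    "branch-a": "10.1.0.0/16",
    "branch-b": "10.2.0.0/16",
    "branch-c": "10.3.0.0/16",
}

def parse_sites(sites):
    """Parse subnets and reject overlaps, which make tunnel selectors ambiguous."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            raise ValueError(f"{a} ({na}) overlaps {b} ({nb})")
    return nets

def full_mesh_tunnels(nets):
    """One site-to-site tunnel per pair of sites: n*(n-1)/2 in total."""
    return [(a, b, nets[a], nets[b]) for a, b in combinations(sorted(nets), 2)]

def egress(nets, src_site, dst_ip):
    """Decide how a packet leaving src_site is forwarded."""
    dst = ipaddress.ip_address(dst_ip)
    for name, net in nets.items():
        if dst in net:
            return "local" if name == src_site else f"tunnel:{name}"
    # Not a company subnet: leaves over the branch's own Internet link,
    # unencrypted, so filtering has to happen at this branch.
    return "internet-direct"

if __name__ == "__main__":
    nets = parse_sites(SITES)
    for a, b, na, nb in full_mesh_tunnels(nets):
        print(f"tunnel {a} <-> {b}: {na} <-> {nb}")
    for dst in ("10.2.5.9", "203.0.113.10"):
        print("branch-a ->", dst, "=", egress(nets, "branch-a", dst))
```

Every destination that falls through to `internet-direct` bypasses the head office, so each branch needs its own enforcement point (a UTM, for instance) for the access policy that the centralized design applies in one place.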

The main disadvantage is the performance – especially for real time applications like voice and video – The Internet is an unpredictable network and there will always be packet losses. Apart from that, there is no way of establishing End to End Quality of Service (QoS) parameters as the Internet is a public network and the connections pass through a number of Routers in between. Another disadvantage is using one connection for all the applications – if there is a lot of data traffic, the voice/video traffic gets delayed!

This article talks about the different architectures available for wide area network connectivity. You could read about the various options available for wide area network connectivity here.



  • avishek roy

    I have just planned the same as you described in the 1st scenario. So I have done some preliminary job for getting a new MPLS VPN connection. But they are now quoting some port charge along with the yearly recurring charge of the MPLS VPN network. So my query is: what is this port charge? I mean, it will be very helpful if you describe the port details regarding the MPLS VPN network in this topic too.
    Any help will be appreciated. Thanks in advance.

    • admin


      Have a look at this:

      MPLS Network consists of individual ports (connectivity to the service provider’s router) at individual locations. Each port is charged at a certain cost (depending on bandwidth) per year because you are actually using the service provider’s network / lines to create a private network for yourself to transmit your company data. So, the charges are per port (location) per year. It’s always been like that.

      But, are you creating the MPLS network just to share Internet connection? Or do you have any applications (like ERP/ CRM, etc) running on the head office servers that need to be accessed by the branch offices? Creating an MPLS network only for Internet sharing may not be very effective – Consider taking an Internet Leased Line in the head office and broadband lines in the branch offices, in that case. This will be quite cost effective. What is the exact purpose of the MPLS Network?

      • avishek roy

        Thanks for your quick reply.
        After reading your comments I think you are telling that port charge is equal to ‘a rental for the MPLS connection charge of any particular site on a per year or quarter basis.’ Is it so?
        Our main purpose is HD Video Conferencing. We first tried to implement that based on broadband service, but our site offices are located in such rural areas that any mobile connections hardly catch. So we lean towards an MPLS network. And we are planning to implement ERP in our organization very soon.
        Would you like to share any suggestion regarding Video Conferencing?

        • admin

          Yes, it refers to rental charges per year per port.

          Broadband networks are not suitable even for SD video conferencing; that’s because of their higher download rates and very low upload rates. You need a symmetric network on both sides (equal upload and download rates) for VC.

          You can achieve this using MPLS. But since you don’t have any other application for MPLS, I feel it might be an overkill. Why not look at taking an Internet Leased Line in all the locations? The Internet Leased Lines are suitable for video conferencing and when they are not used for VC, they can be used for accessing the Internet. Besides, charges of ILL are less than equivalent MPLS charges.

          The only concern is the privacy, but many organizations that I know are quite fine about using the Internet for their VC requirements. If you are very concerned you can create a VPN network between the two sites (using the site to site VPN feature in Cisco routers, for example). But this is optional and can be done later as well, when you introduce ERP.

          • avishek roy

            Yes, you are absolutely right. ILL is also suitable for VC, but here in Kolkata, India, the recurring difference between ILL & MPLS is quite low. And in our conference we planned for simultaneous conference with different sites, which is easy to handle in an MPLS network. So we are going with MPLS VPN in all sites, making our Kolkata site a backhaul and taking an ILL in the Kolkata office as well for Internet access in all sites.

            We will implement ERP after making this VC project live.

          • admin

            MPLS is good enough – no doubt. People do go for centralized Internet access and besides all the Internet access policies / monitoring can be done at the HO itself. But in case people find it slow, you can take a business broadband at the individual locations later on, in addition to the central ILL from the HO. Maybe you can do some load-balancing between the two.

  • avishek roy

    @admin - I personally found this website very helpful. But I could not find any option to be a member of this site. Is there any option to become a member of this site so that I can read any post or post my query?

    • admin

      You can see a “Get email updates when new articles are published” box in the right sidebar. You can enter your email address there to follow this site.

      But you can click on any category on the top and click the topic to read any article – there is no membership restriction for the same. Use the comment form (this one) or the contact form (just below logo) to ask a question publicly or privately, respectively.

      I had a forum earlier, but due to non participation of people I stopped it. I will try to introduce it back one of these days if there are enough people wanting to use it.