067 | Redundancy of Interoffice Links (Site-to-Site VPN, MPLS, Dark Fiber)
Published on July 29, 2025
We’ve already discussed how to ensure reliable connectivity within a single building. Now let’s look at a more complex but equally critical topic: redundancy of communication links between geographically distributed offices or branches. This is crucial for companies where employees across locations need to exchange data, access shared resources (such as a central CRM, file servers, or IP telephony), and work as a unified whole.
A failure in interoffice connectivity can paralyze entire departments, cause data loss, and lead to serious financial and reputational damage.
The Specific Challenge: Distributed Branches
The key challenge here is reliance on external providers and public networks. Your infrastructure is no longer limited to the walls of a single building. This introduces risks such as:
- Provider backbone cable cuts.
- Provider equipment failures.
- Routing issues on the public Internet.
- Latency and packet loss over long distances.
Common Solutions for Resilient Interoffice Connectivity
To ensure uninterrupted communication between branches, consider the following approaches:
1. Two Independent Internet Providers in Each Office
This is a foundational step. Each office you want to connect should have two independent Internet connections from different providers.
- Separate physical entry points: If possible, cables from different providers should enter the building from different sides and/or via different routes.
- Different Autonomous Systems (AS): This ensures the providers use different paths through the global Internet, reducing the chance of a single major outage affecting both.
2. Multiple VPN Tunnels (IPsec/OpenVPN)
VPN (Virtual Private Network) is the most common way to securely connect offices over the public Internet. For redundancy:
- Two VPN tunnels via different providers: Set up two separate VPN tunnels between each office — one over the primary provider, the other over the backup.
- Dynamic routing over VPN (OSPF/BGP): Run a dynamic routing protocol (such as OSPF or BGP) over the VPN tunnels. Routers detect a tunnel failure and redirect traffic via the other tunnel, so failover is automatic.
- VPN Load Balancing/Failover: Some routers or firewalls allow load balancing or automatic switchover between VPN tunnels.
3. MPLS VPN (Multi-Protocol Label Switching)
MPLS VPN is a more advanced solution provided by telecom providers, creating a private network over their infrastructure.
- Two separate MPLS circuits: You can order two MPLS circuits from one or multiple providers. MPLS often offers more predictable performance and better security than VPN over public Internet.
- Advantages: High performance, low latency, guaranteed quality of service (QoS).
- Disadvantages: More expensive, more complex to configure and manage.
4. Dark Fiber
For mission-critical infrastructure requiring maximum bandwidth, minimal latency, and full control, companies may lease dark fiber — fiber optic cables laid by a provider but not connected to active equipment.
- Your control: You install your own active equipment (switches, multiplexers) at both ends.
- Maximum redundancy: You can lease two independent fibers over separate physical routes.
- Disadvantages: Very expensive, requires significant technical expertise and equipment.
5. SD-WAN Solutions (Software-Defined Wide Area Network)
SD-WAN is a modern approach that allows centralized management of multiple WAN connections (DSL, fiber, LTE, MPLS) from different providers.
- Intelligent routing: The SD-WAN controller dynamically selects the best path for traffic (based on latency, packet loss, bandwidth) and switches traffic between links as needed.
- Load balancing: Distributes traffic across multiple connections to increase total throughput.
- Advantages: Simplifies complex multi-link setups, improves performance and resilience.
- Disadvantages: Requires specialized hardware or software and can be expensive.
6. Redundant Routers/Firewalls
Even two WAN links are useless if the single network device they connect to fails.
- Use redundant routers or firewalls in each office.
- Configure high-availability protocols like VRRP (Virtual Router Redundancy Protocol) or HSRP (Hot Standby Router Protocol) to ensure automatic gateway failover.
- Firewall clustering also provides seamless redundancy.
What Can Fail at This Level?
- Link outages on the provider’s side (local or backbone).
- Provider equipment failures (routers, switches, DSLAMs).
- Your network hardware failures (routers, firewalls) in branch offices.
- Configuration or software issues that bring down VPN tunnels.
Failover Scenarios
- Automatic: Ideal. Achieved via BGP, OSPF, VRRP/HSRP, or intelligent SD-WAN solutions. Downtime is measured in milliseconds or seconds.
- Semi-automatic/Manual: Requires admin intervention to activate the backup link. Downtime may last minutes or hours. Typical actions include changing routes or manually enabling VPN tunnels.
Monitoring
Continuous and proactive monitoring is critical:
- Remote site availability: Ping or TCP checks to key services.
- Latency and packet loss: For each link, to detect degradation before complete failure.
- VPN tunnel status: Are they active? Any errors?
- BGP/OSPF neighbor status: Are routing protocols operating properly?
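The per-link checks above can feed an automatic failover decision. The following is an added example, not code from the original article: it classifies each link from probe results (latency and loss) and switches links with a failback delay so a flapping primary does not bounce traffic. The thresholds, the link names and the `tcp_probe` helper are assumptions, and binding a probe to a link's local address only tests that link if source-based routing sends it out the matching uplink.

```python
import socket
import time
from statistics import median

# Assumed thresholds, not values from the article; tune per site.
LOSS_DEGRADED, LOSS_DOWN = 0.05, 0.60   # fraction of probes lost
RTT_DEGRADED_MS = 150.0                 # median round-trip time
RECOVER_ROUNDS = 3                      # healthy rounds before failback

def tcp_probe(host, port, source_ip, timeout=1.0):
    """TCP check to a remote-office service from one WAN link's local
    address. Returns the connect time in ms, or None if the probe failed."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout,
                                      source_address=(source_ip, 0)):
            return (time.monotonic() - start) * 1000.0
    except OSError:
        return None

def classify(samples):
    """samples: RTTs in ms for one link, None for each lost probe."""
    rtts = [s for s in samples if s is not None]
    loss = 1 - len(rtts) / len(samples) if samples else 1.0
    if loss >= LOSS_DOWN:
        return "down"
    if loss >= LOSS_DEGRADED or median(rtts) >= RTT_DEGRADED_MS:
        return "degraded"
    return "up"

class LinkSelector:
    """Prefers the primary link; fails over immediately, fails back only
    after RECOVER_ROUNDS consecutive 'up' rounds, to avoid flapping."""
    def __init__(self, primary, backup):
        self.primary, self.backup = primary, backup
        self.active, self.healthy_rounds = primary, 0

    def update(self, states):
        """states: {link: 'up'|'degraded'|'down'}; returns the active link."""
        p, b = states[self.primary], states[self.backup]
        self.healthy_rounds = self.healthy_rounds + 1 if p == "up" else 0
        if self.active == self.primary:
            if (p == "down" and b != "down") or (p == "degraded" and b == "up"):
                self.active = self.backup
        elif (b == "down" and p != "down") or self.healthy_rounds >= RECOVER_ROUNDS:
            self.active = self.primary
        return self.active
```

A "degraded" result is the early warning the list above asks for: the link still answers, but loss or latency has crossed a threshold before a complete failure.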
Conclusion
Ensuring resilient interoffice connectivity is complex but vital. It requires a multilayered approach, including provider redundancy, multiple VPN tunnels (ideally with dynamic routing), consideration of MPLS or SD-WAN for critical environments, and redundancy in on-site networking equipment. A well-designed and well-monitored interoffice network becomes the foundation for a reliable distributed business.
In our final article of this series, we’ll discuss Internet connection redundancy for your web services and data centers — the pinnacle of high availability in the global network.