MPLS alternative
-
@hobbit666 said in MPLS alternative:
3 sites have 20+ users these are served by 100mb leased lines, would like to keep these.
Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.
-
@hobbit666 said in MPLS alternative:
Main traffic that goes over is Citrix Xen Desktop. Also access to 365.
Neither of these would have any benefits from MPLS or a VPN set to work like MPLS.
I get the impression that the entire network design may need to be re-evaluated. It feels like the cart before the horse right now...
Like, first the ISP is chosen, then all services and design based on what would funnel the most money to the ISP. Unless I'm missing something huge, no component of the design.. MPLS, mesh networking, PBX hosting, leased lines, etc. have any business function. They all exist for the benefit of the ISP, nothing for the benefit of the customer.
For all of the pieces mentioned, the "go to" solution would not have anything like this. It would be all colocation hosted servers centrally with no VPN, no leased lines, no MPLS, etc. None of it.
-
@hobbit666 said in MPLS alternative:
Basics are the Citrix/SQL/DC are all at main site then a DR site at another site.
None of those would benefit from the design that you have today. In any fashion. Unless we are missing something huge.
MPLS or Mesh VPN to replicate it would be if you have servers sprinkled through all the sites or people moving files directly using desktop to desktop file sharing or something awful like that.
Since every workload that you are mentioning would normally scream "No VPN, No MPLS", I think a description of why any of this exists or why any of it should be replicated is needed. Your key workloads give us nothing to work with. There has to be a niche workload that is a problem that drove these decisions. Without knowing about that, we can't help much other than to keep repeating that you should ditch absolutely everything and start fresh. Don't try to build off of anything currently in place.
-
One of the reasons that MPLS is so unfavorable is that it, like the VPN people often replace it with, are remnants of 1990's LAN-based thinking. Modern networks with security are zero-trust (aka LANless) in design and VPN/MPLS would not serve any purpose.
This is why stepping back and starting from the beginning to talk about "what good looks like" and actually focusing on business goals is necessary. Trying to keep vendors, lines, design, etc. that are based on mistakes will just make for more bad design. Sure, we can improve MPLS by replacing it with VPN. But that's likes replacing your legacy PBX with a VoIP PBX but still buying your lines from your ISP - sure it's an improvement, but you miss the entire picture. Saving $5 instead of $50,000.
-
@hobbit666 said in MPLS alternative:
So following on from another thread.
I'm today's modern day how would you handle:-
*Multiple site connections around 60 sites.
*Internet access via a firewall for "security" either at a single point or something per connection? Nice to have Intruction detection blah blah blah and content filtering. Will need to allow certain ports in and out (I know this is normally standard on Firewalls/UTMs but worth mentioning)
*semi managed with high SLA.How would multiple vpns be handled. Would it be a case each sites router would have multiple vpns to each site? Or a single VPN to a singe "master" site/device.
This kind of thing makes me laugh a little, because it seems all the worst hacks and breaches to companies and networks have nothing to do with someone breaking into the network in all the ways your entire post is putting about LAN based security.
Why no intent towards a Zero Trust architecture?
-
I only said VPN because Scott mentioned it several times in the other thread.
If we didn't have VPN/MPLS how would we serve our Citrix farm at the main site?
-
@scottalanmiller said in MPLS alternative:
These are things you never want. "Managed"
This I kind of disagree with, if we have an issue with a connection we phone it in and they sort withing the SLA. Down time means £££ loss.
Currently with the MPLS we have 4hr replacement on hardware and high SLA with BT on the pstn lines.But looking at replacing that with possible 4g backups so we can wait 48hr for BT to fix
-
@scottalanmiller said in MPLS alternative:
@hobbit666 said in MPLS alternative:
3 sites have 20+ users these are served by 100mb leased lines, would like to keep these.
Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.
Because we "couldn't" get a line above 5mb so Replication to the DR site would be impossible. Also handling the traffic from all the sites, like print servers, smb shares etc
(most of these are getting replaced slowly with things like o365) -
@Obsolesce said in MPLS alternative:
Why no intent towards a Zero Trust architecture
Because I've never heard of it . Now I have I've got 3yrs to look into it.
-
@scottalanmiller said in MPLS alternative:
Neither of these would have any benefits from MPLS or a VPN set to work like MPLS.
Agreed with o365 but I mainly mentioned as its one of our main traffic usage now
-
So what about SDWAN? Would this be an alternative too?
-
@scottalanmiller said in MPLS alternative:
1990's LAN-based thinking. Modern networks with security are zero-trust (aka LANless) in design and VPN/MPLS would not serve any purpose.
I'll put my hand up and agree this is me, but will be looking at LANless/zero-trust on Monday and learn what it means fully.
-
@hobbit666 said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
1990's LAN-based thinking. Modern networks with security are zero-trust (aka LANless) in design and VPN/MPLS would not serve any purpose.
I'll put my hand up and agree this is me, but will be looking at LANless/zero-trust on Monday and learn what it means fully.
Yeah that's really the only route to go anymore
-
Any link to good reading on zero-trust stuff?
-
@hobbit666 said in MPLS alternative:
Any link to good reading on zero-trust stuff?
This is a good start:
-
@scottalanmiller said in MPLS alternative:
@hobbit666 said in MPLS alternative:
Basics are the Citrix/SQL/DC are all at main site then a DR site at another site.
None of those would benefit from the design that you have today. In any fashion. Unless we are missing something huge.
MPLS or Mesh VPN to replicate it would be if you have servers sprinkled through all the sites or people moving files directly using desktop to desktop file sharing or something awful like that.
Since every workload that you are mentioning would normally scream "No VPN, No MPLS", I think a description of why any of this exists or why any of it should be replicated is needed. Your key workloads give us nothing to work with. There has to be a niche workload that is a problem that drove these decisions. Without knowing about that, we can't help much other than to keep repeating that you should ditch absolutely everything and start fresh. Don't try to build off of anything currently in place.
LOL - You know that's not likely true.. The chances are greater that someone was just trying to bandaid (and possible not even a good bandaid) something at the beginning and as time went on, they simply continued down the previous course.
-
@hobbit666 said in MPLS alternative:
I only said VPN because Scott mentioned it several times in the other thread.
If we didn't have VPN/MPLS how would we serve our Citrix farm at the main site?
You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.
-
Just happened to think back,
The emergency system (911) used MPLS between the county sites and the main server.
How would a VPN have replaced this? Down time is one thing, but down time and no ability to get emergency calls passed,... that’s serious
-
-
Also the entire internet is a mesh of sorts.
There are multiple ways to go from point A to point B if you are connected the right way.