ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    MPLS alternative

    Scheduled Pinned Locked Moved IT Discussion
    mplsvpnmutli site
    172 Posts 13 Posters 30.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @hobbit666
      last edited by

      @hobbit666 said in MPLS alternative:

      @scottalanmiller said in MPLS alternative:

      All that traffic from the sites can be handled by normal VPNs. But that begs the question, why are you doing things like printing over the WAN in the first place? Or SMB shares over the WAN? These are LAN-focused, 1990s technologies. I get that things linger, but this feels more and more like one basic mistake that no one evaluated and then piling mistakes on top of that layer after layer. None of it matches anything remotely modern, secure, or affordable but each mistake relies on another mistake as the excuse for itself.

      Agreed but unfortunately i'm not management, i can only recommend better ways of doing it. If the Management have the mind set of "if it works don't break it" i have to work with what we have.

      Another fundamental flaw of the business in general: "management have never liked." Management's job here is to make sure that "what is good for the business"

      Their mind set is to keep the business running, i.e. if it's working why change? (I'm not disagreeing with you but we live in the real world)

      Because save money, and as reliable or more.

      1 Reply Last reply Reply Quote 0
      • DashrenderD
        Dashrender @hobbit666
        last edited by

        @hobbit666 said in MPLS alternative:

        So if we were looking at a green field.

        We've got 300 end points in 60 locations that need access to the Citrix Server at a single location. They also have documents that everyone needs access to (Some Read some Read/Write).

        E-mails/Word/Excel etc are already handled by Office365.

        So would you say, don't even look at AD. Move all the documents to SharePoint for the shared documents & OneDrive for "personal" files.
        Then for Citrix just publish the ICA part so people just connect via the internet.

        How do you handle Username/Passwords for accessing the Citrix with out AD? Then are we going to have different credentials for SharePoint and Office365
        (Think this is where my LAN thinking is failing me)

        Yeah, What you mention is doable.share point/OD4B.
        I’m not sure if RDS/Citrix can use AAD, but that could be an option for your central Authentication.

        hobbit666H 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender
          last edited by

          What is your Citrix environment providing you? What are you deploying using it?

          hobbit666H 1 Reply Last reply Reply Quote 0
          • hobbit666H
            hobbit666 @Dashrender
            last edited by

            @Dashrender said in MPLS alternative:

            Is your internet charge a different charge on top of the MPLS?

            No, we get charged for the line and service as one.

            If so you should be able to get leased lines with internet for the same or less cost, because they are dropping the MPLS component.

            Yes if we dropped the MPLS side and just had them as "Internet" it would be cheaper. But still x10 the cost of ADSL/FTTC.

            My point was to Scott's comment

            Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.

            We can't in the UK it's either copper line or Fibre, copper has speed limits the further from the BT exchanges you get. If that's not good enough then your only option (well it was until 4G came along, but coverage not great) is install fibre. We had a quote for one site was £12K+.
            I think we may be getting terminology mixed from US and UK. To us a leased line is a direct Fibre connection to the BT Exchange this then gives you internet access and what ever speed you pay for.

            DashrenderD 1 Reply Last reply Reply Quote 0
            • hobbit666H
              hobbit666 @Dashrender
              last edited by

              @Dashrender said in MPLS alternative:

              What is your Citrix environment providing you? What are you deploying using it?

              We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix Xen Desktop servers that these computers access to get onto the GP stuff. They've always used Citrix instead of RDS as "apparently" ICA protocol uses less bandwidth.

              DashrenderD 1 Reply Last reply Reply Quote 0
              • hobbit666H
                hobbit666 @Dashrender
                last edited by

                @Dashrender said in MPLS alternative:

                Yeah, What you mention is doable sharepoint/OD4B.

                Yeah we moving more to this everyday, especially when replacing machines/deploying new ones.

                I’m not sure if RDS/Citrix can use AAD, but that could be an option for your central Authentication.

                Why AAD instead of on site AD? As i thought you didn't want AD doing the central point for security/authentication?
                Or is AAD a better choice as it's protected in the cloud?

                DashrenderD 1 Reply Last reply Reply Quote 0
                • hobbit666H
                  hobbit666
                  last edited by

                  I'd guess we still would want a Firewall of some sorts at each site?

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @hobbit666
                    last edited by

                    @hobbit666 said in MPLS alternative:

                    @Dashrender said in MPLS alternative:

                    Is your internet charge a different charge on top of the MPLS?

                    No, we get charged for the line and service as one.

                    If so you should be able to get leased lines with internet for the same or less cost, because they are dropping the MPLS component.

                    Yes if we dropped the MPLS side and just had them as "Internet" it would be cheaper. But still x10 the cost of ADSL/FTTC.

                    My point was to Scott's comment

                    Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.

                    We can't in the UK it's either copper line or Fibre, copper has speed limits the further from the BT exchanges you get. If that's not good enough then your only option (well it was until 4G came along, but coverage not great) is install fibre. We had a quote for one site was £12K+.
                    I think we may be getting terminology mixed from US and UK. To us a leased line is a direct Fibre connection to the BT Exchange this then gives you internet access and what ever speed you pay for.

                    They may be expensive - but that doesn't make him wrong - he said same cost or less - you just said they would be cheaper.. so where was he wrong?

                    Sure it's not super cheap, but he never said it would be, only that it would be the "same or less", which you've already said it is.

                    One thing we need to make sure not to inject is personal expectations - like something getting cheap.
                    Scott's primary point was to point out that a leased line (even the UK definition) is still just a connection back to the Exchange, from there, the vendor either connects it to their internet equipment or they connect it to some other routing solution, but the line is the same.

                    hobbit666H 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @hobbit666
                      last edited by

                      @hobbit666 said in MPLS alternative:

                      @Dashrender said in MPLS alternative:

                      What is your Citrix environment providing you? What are you deploying using it?

                      We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix Xen Desktop servers that these computers access to get onto the GP stuff. They've always used Citrix instead of RDS as "apparently" ICA protocol uses less bandwidth.

                      Yep, that's been generally true ICA has used less bandwidth than RDP (*pssst - the server side still has RDS installed on it as far as I know - they just add the Citrix stuff on top of RDS to gain access to ICA and other Citrix stuff)

                      1 Reply Last reply Reply Quote 1
                      • DashrenderD
                        Dashrender @hobbit666
                        last edited by

                        @hobbit666 said in MPLS alternative:

                        @Dashrender said in MPLS alternative:

                        Yeah, What you mention is doable sharepoint/OD4B.

                        Yeah we moving more to this everyday, especially when replacing machines/deploying new ones.

                        I’m not sure if RDS/Citrix can use AAD, but that could be an option for your central Authentication.

                        Why AAD instead of on site AD? As i thought you didn't want AD doing the central point for security/authentication?
                        Or is AAD a better choice as it's protected in the cloud?

                        AAD =/= AD

                        Azure AD is a completely different beast than AD.

                        That said, I know of many larger networks 1000+ users (could easily be 5000+, I just don't know) that do exactly what you're looking at. They have on prem AD, which syncs with AAD, and that same credential is what they use to access all of their systems as they have SSO'ed them all together.

                        @scottalanmiller said in MPLS alternative:

                        Someone accidentally ties the Citrix ICA authentication to AD. They then expose AD to the Internet.

                        I'm not sure what he means by the expose AD to the internet? I would hope that he doesn't simply mean that Citrix's exposure is exposing AD to the internet?

                        Frankly, at this level I don't know where good practices sit.

                        You have 300+ users, and since Citrix runs on Windows (the Citrix product we are talking about anyway) I can't imagine not using AD to manage those users on the 15 Citrix servers. You could use SAMBA instead, it might be a bit more secure, but by it's nature of being compatible with AD, I "feel" that seems unlikely.

                        @scottalanmiller what would your system look like that does this? 15 Citrix server farm, 300+ users. Assuming everyone has a laptop provided and managed by the company - what are you doing for those devices?

                        1 Reply Last reply Reply Quote 0
                        • hobbit666H
                          hobbit666 @Dashrender
                          last edited by

                          @Dashrender said in MPLS alternative:

                          Look at the full convisation.
                          I said we had some site with 100Mb leased lines.

                          He then asked

                          Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.

                          Which i explained

                          Because we "couldn't" get a line above 5mb so Replication to the DR site would be impossible. Also handling the traffic from all the sites, like print servers, smb shares etc

                          he then said

                          Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.

                          Which lead me to explain we can only get ADSL with no bandwidth or Leased line for MPLS OR Internet access.

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @hobbit666
                            last edited by

                            @hobbit666 said in MPLS alternative:

                            @Dashrender said in MPLS alternative:

                            Look at the full convisation.
                            I said we had some site with 100Mb leased lines.

                            He then asked

                            Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.

                            Which i explained

                            Because we "couldn't" get a line above 5mb so Replication to the DR site would be impossible. Also handling the traffic from all the sites, like print servers, smb shares etc

                            he then said

                            Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.

                            Which lead me to explain we can only get ADSL with no bandwidth or Leased line for MPLS OR Internet access.

                            Let me digest this in Scott terms:
                            Scott

                            Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.

                            hobbit

                            because we can't get more than 5 Mb (great answer)

                            This is where Scott could have said - OK - that sucks, but at least that explains why you have leased lines. But he skipped that part as assumed, because you just said it.

                            now Scott moved onto

                            Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.

                            and you replied

                            Wrong!!! We are in the UK and bound by Openreach infrastructure, where some site only have ADSL products and long line lengths. If we need more bandwidth we have to pay for better lines. Thankfully 4G coverage is getting better and that's a good alternative.

                            that does say this

                            we can only get ADSL with no bandwidth or Leased line for MPLS OR Internet access.

                            but a bit less straight forward.

                            In the end, I think you are both on the same page.

                            Scott says don't use leased lines unless you have no other choice - you declare you have no other choice - check!

                            Now we move forward and look at the MPLS component of the lease line contract, can you ditch it?

                            hobbit666H 1 Reply Last reply Reply Quote 0
                            • hobbit666H
                              hobbit666 @Dashrender
                              last edited by

                              @Dashrender said in MPLS alternative:

                              Now we move forward and look at the MPLS component of the lease line contract, can you ditch it?

                              Yes if we ditch the MPLS, but what will we replace it with 😄 that's the big question 😄

                              DashrenderD scottalanmillerS 3 Replies Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @hobbit666
                                last edited by

                                @hobbit666 said in MPLS alternative:

                                @Dashrender said in MPLS alternative:

                                Now we move forward and look at the MPLS component of the lease line contract, can you ditch it?

                                Yes if we ditch the MPLS, but what will we replace it with 😄 that's the big question 😄

                                First things first - do you need to replace it with anything? Do you need LAN level connection between your locations for a specific reason? If the answer is yes, then you'll use your own firewalls that create site to site VPNs. I've been doing this since 2001. It works great.

                                Question: do you have any firewall(s) today? One could potentially have managed firewall services as part of MPLS as well, since you say internet access is all part of that same connection.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @hobbit666
                                  last edited by

                                  @hobbit666 said in MPLS alternative:

                                  @Dashrender said in MPLS alternative:

                                  Now we move forward and look at the MPLS component of the lease line contract, can you ditch it?

                                  Yes if we ditch the MPLS, but what will we replace it with 😄 that's the big question 😄

                                  1. Replace it with not needing it.
                                  2. If you can't do #1, then standard everyday VPN. There's no other rational option and you should not be digging for you. VPN is the one and only reasonable answer to this.
                                  1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @hobbit666
                                    last edited by

                                    @hobbit666 said in MPLS alternative:

                                    @Dashrender said in MPLS alternative:

                                    Now we move forward and look at the MPLS component of the lease line contract, can you ditch it?

                                    Yes if we ditch the MPLS, but what will we replace it with 😄 that's the big question 😄

                                    One option would be to move your entire environment to LAN infrastructure.

                                    1. You install a firewall to put a guard between the leased line and your company,
                                    2. The PCs use RMM for centralized management, and a local user account (makes sharing computers a bit harder, but not impossible)
                                    3. You use AAD for access to email/word/excel/OD4B/Sharepoint/etc
                                    4. You use "something" to manage user account on Citrix - let's see Scott's answer on this
                                    5. printing is all local or could be cloud managed (there are newer services for this).
                                    6. VOIP phones connect directly over the internet to a PBX

                                    in that setup, there would be no reason to have direct connections from the branches to the home offices.

                                    1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @hobbit666
                                      last edited by

                                      @hobbit666 said in MPLS alternative:

                                      I'd guess we still would want a Firewall of some sorts at each site?

                                      Every LAN should have a firewall (and has to have one, it is the firewall that makes it a network, it's literally impossible to have a network without a firewall.)

                                      Note: This is because all firewalls are routers and all routers are firewalls. Technically you can make a router exist without being a firewall, but not if you need standard network addressing and no one has made one of these for decades because it would be useless. So while yes, they aren't the same thing in reality, they absolutely are in practice.

                                      DashrenderD 1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller @hobbit666
                                        last edited by

                                        @hobbit666 said in MPLS alternative:

                                        Yes it does, we've used it several times when we were with BT foe the MPLS. We log a call and WITHIN 4hrs the hardware is replaced.

                                        You don't understand. You cannot use what has happened to determine what it means. I have outages all the time without an SLA and it never takes four hours. By your logic, the SLA is what makes them do it in 4 hours. My point is, it isn't.

                                        Even if you did this a thousand times, while that does show a good trend, it never tells you what guarantee there is under the hood and how risky it is before they fail. Every supply chain breaks at some point. You are using "got lucky" to denote "can't go wrong."

                                        1 Reply Last reply Reply Quote 1
                                        • DashrenderD
                                          Dashrender @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in MPLS alternative:

                                          @hobbit666 said in MPLS alternative:

                                          I'd guess we still would want a Firewall of some sorts at each site?

                                          Every LAN should have a firewall (and has to have one, it is the firewall that makes it a network, it's literally impossible to have a network without a firewall.)

                                          Note: This is because all firewalls are routers and all routers are firewalls. Technically you can make a router exist without being a firewall, but not if you need standard network addressing and no one has made one of these for decades because it would be useless. So while yes, they aren't the same thing in reality, they absolutely are in practice.

                                          I can't agree with you here scott - only thing required to make a network is NICs and some type of connectivity between them. Now if you're talking about one that access the internet or other networks - then I agree with you.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 1
                                          • scottalanmillerS
                                            scottalanmiller @hobbit666
                                            last edited by

                                            @hobbit666 said in MPLS alternative:

                                            Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.

                                            Wrong!!! We are in the UK and bound by Openreach infrastructure, where some site only have ADSL products and long line lengths. If we need more bandwidth we have to pay for better lines. Thankfully 4G coverage is getting better and that's a good alternative.

                                            Sure, but it doesn't have to be a private line, it can be an Internet line. I didn't say you didn't have to pay more than ADSL, just saying you don't need private lines that don't go to the Internet because any line that can be private, can be Internet.

                                            hobbit666H 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 8
                                            • 9
                                            • 3 / 9
                                            • First post
                                              Last post