MPLS alternative
-
@hobbit666 said in MPLS alternative:
How would multiple VPNs be handled? Would it be a case of each site's router having multiple VPNs to each site? Or a single VPN to a single "master" site/device?
Anything you do with MPLS is just copying what was already a standard design via VPN. Remember, MPLS was a later way for ISPs to make something that acted like a VPN, but that they could charge a lot of money for.
MPLS is the alternative here. MPLS acts identically to a VPN aggregator in a mesh edge VPN gateway design. So in the very, very rare case that you want to replicate MPLS, you simply use the VPN design that MPLS is modeled on.
-
@hobbit666 said in MPLS alternative:
Would it be a case of each site's router having multiple VPNs to each site? Or a single VPN to a single "master" site/device?
Depends on what you want to do. Both models will look and feel like MPLS to the individual networks.
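To make the two topologies asked about above concrete, here is an added example (not code from the thread or from any poster) that generates WireGuard-style peer definitions for a full mesh and for a hub-and-spoke layout and counts the tunnels each one needs. The site names, subnets, endpoints and the `PUBKEY_*_PLACEHOLDER` values are constructed; the function names are my own. The security-relevant difference shows up in `AllowedIPs`: in a mesh each site only trusts each peer for that peer's own LAN, while in hub-and-spoke every spoke forwards all inter-site traffic to the hub, which makes the hub both the single place to enforce inter-site policy and the single point whose outage isolates every site.

```python
# Added example (not from the thread): compare the two site-to-site VPN
# topologies by generating WireGuard-style [Peer] blocks for each site.
# Site names, subnets, endpoints and PUBKEY_* placeholders are constructed.
from itertools import combinations

# Constructed inventory: site -> (placeholder public key, LAN subnet, endpoint)
SITES = {
    "hq":    ("PUBKEY_HQ_PLACEHOLDER",    "10.0.0.0/24", "hq.example.invalid:51820"),
    "dr":    ("PUBKEY_DR_PLACEHOLDER",    "10.0.1.0/24", "dr.example.invalid:51820"),
    "north": ("PUBKEY_NORTH_PLACEHOLDER", "10.0.2.0/24", "north.example.invalid:51820"),
    "south": ("PUBKEY_SOUTH_PLACEHOLDER", "10.0.3.0/24", "south.example.invalid:51820"),
}


def full_mesh(sites):
    """Every site holds one tunnel to every other site.

    Returns {site: [peer_block, ...]} where each peer block carries the
    fields a WireGuard [Peer] section needs. AllowedIPs is only the remote
    LAN, because traffic to each site goes straight to that site.
    """
    peers = {name: [] for name in sites}
    for a, b in combinations(sites, 2):
        for local, remote in ((a, b), (b, a)):
            key, subnet, endpoint = sites[remote]
            peers[local].append({"name": remote, "PublicKey": key,
                                 "Endpoint": endpoint, "AllowedIPs": [subnet]})
    return peers


def hub_and_spoke(sites, hub):
    """Every spoke holds one tunnel to the hub; the hub holds one per spoke.

    A spoke's single peer entry must list every other site's subnet in
    AllowedIPs, since all inter-site traffic is routed through the hub.
    """
    peers = {name: [] for name in sites}
    hub_key, _, hub_endpoint = sites[hub]
    for spoke, (key, subnet, endpoint) in sites.items():
        if spoke == hub:
            continue
        # Hub side: this tunnel is trusted for exactly this spoke's LAN.
        peers[hub].append({"name": spoke, "PublicKey": key,
                           "Endpoint": endpoint, "AllowedIPs": [subnet]})
        # Spoke side: every LAN that is not my own is reached via the hub.
        others = [s for n, (_, s, _) in sites.items() if n != spoke]
        peers[spoke].append({"name": hub, "PublicKey": hub_key,
                             "Endpoint": hub_endpoint, "AllowedIPs": others})
    return peers


def tunnel_count(peers):
    """Number of distinct tunnels (each tunnel appears in two sites' lists)."""
    return sum(len(v) for v in peers.values()) // 2


def render_peers(site, peers):
    """Format one site's peer list as wg-quick style [Peer] sections."""
    out = []
    for p in peers[site]:
        out.append(f"# {p['name']}\n[Peer]\nPublicKey = {p['PublicKey']}\n"
                   f"Endpoint = {p['Endpoint']}\n"
                   f"AllowedIPs = {', '.join(p['AllowedIPs'])}\n")
    return "\n".join(out)


if __name__ == "__main__":
    mesh, hub = full_mesh(SITES), hub_and_spoke(SITES, "hq")
    print(f"full mesh: {tunnel_count(mesh)} tunnels, "
          f"hub-and-spoke: {tunnel_count(hub)} tunnels")
    print(render_peers("north", hub))
```

Running it with the four constructed sites gives 6 tunnels for the mesh and 3 for hub-and-spoke; for the 60 sites mentioned later in the thread the same functions give 1770 versus 59, which is the operational reason a "master site" design is usually chosen over a true mesh, at the cost of the hub becoming the chokepoint for every site.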
-
@hobbit666 said in MPLS alternative:
*semi managed with high SLA.
These are things you never want. "Managed" by the ISP is part of the key reasons for avoiding this. MPLS was specifically because people knew how bad the idea of managed VPN was, so they had to come up with something to make it sound better and since you can't build your own MPLS, it was perfect. Just complicated enough to confuse people, but cheaper to build than a VPN because it "does nothing."
-
@hobbit666 said in MPLS alternative:
3 sites have 20+ users; these are served by 100Mb leased lines, would like to keep these.
Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.
-
@hobbit666 said in MPLS alternative:
Main traffic that goes over is Citrix Xen Desktop. Also access to 365.
Neither of these would have any benefits from MPLS or a VPN set to work like MPLS.
I get the impression that the entire network design may need to be re-evaluated. It feels like the cart before the horse right now...
Like, first the ISP is chosen, then all services and design based on what would funnel the most money to the ISP. Unless I'm missing something huge, no component of the design (MPLS, mesh networking, PBX hosting, leased lines, etc.) has any business function. They all exist for the benefit of the ISP, nothing for the benefit of the customer.
For all of the pieces mentioned, the "go to" solution would not have anything like this. It would be all colocation hosted servers centrally with no VPN, no leased lines, no MPLS, etc. None of it.
-
@hobbit666 said in MPLS alternative:
Basics are the Citrix/SQL/DC are all at main site then a DR site at another site.
None of those would benefit from the design that you have today. In any fashion. Unless we are missing something huge.
MPLS or Mesh VPN to replicate it would be if you have servers sprinkled through all the sites or people moving files directly using desktop to desktop file sharing or something awful like that.
Since every workload that you are mentioning would normally scream "No VPN, No MPLS", I think a description of why any of this exists or why any of it should be replicated is needed. Your key workloads give us nothing to work with. There has to be a niche workload that is a problem that drove these decisions. Without knowing about that, we can't help much other than to keep repeating that you should ditch absolutely everything and start fresh. Don't try to build off of anything currently in place.
-
One of the reasons that MPLS is so unfavorable is that it, like the VPN people often replace it with, is a remnant of 1990's LAN-based thinking. Modern networks with security are zero-trust (aka LANless) in design and VPN/MPLS would not serve any purpose.
This is why stepping back and starting from the beginning to talk about "what good looks like" and actually focusing on business goals is necessary. Trying to keep vendors, lines, design, etc. that are based on mistakes will just make for more bad design. Sure, we can improve MPLS by replacing it with VPN. But that's like replacing your legacy PBX with a VoIP PBX but still buying your lines from your ISP - sure it's an improvement, but you miss the entire picture. Saving $5 instead of $50,000.
-
@hobbit666 said in MPLS alternative:
So following on from another thread.
In today's modern day, how would you handle:
*Multiple site connections, around 60 sites.
*Internet access via a firewall for "security", either at a single point or something per connection? Nice to have intrusion detection blah blah blah and content filtering. Will need to allow certain ports in and out (I know this is normally standard on Firewalls/UTMs but worth mentioning).
*semi managed with high SLA.
How would multiple VPNs be handled? Would it be a case of each site's router having multiple VPNs to each site? Or a single VPN to a single "master" site/device?
This kind of thing makes me laugh a little, because it seems all the worst hacks and breaches to companies and networks have nothing to do with someone breaking into the network in all the ways your entire post is putting about LAN based security.
Why no intent towards a Zero Trust architecture?
-
I only said VPN because Scott mentioned it several times in the other thread.
If we didn't have VPN/MPLS how would we serve our Citrix farm at the main site?
-
@scottalanmiller said in MPLS alternative:
These are things you never want. "Managed"
This I kind of disagree with; if we have an issue with a connection we phone it in and they sort it within the SLA. Down time means £££ loss.
Currently with the MPLS we have 4hr replacement on hardware and high SLA with BT on the PSTN lines. But looking at replacing that with possible 4G backups so we can wait 48hr for BT to fix.
-
@scottalanmiller said in MPLS alternative:
@hobbit666 said in MPLS alternative:
3 sites have 20+ users these are served by 100mb leased lines, would like to keep these.
Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.
Because we "couldn't" get a line above 5Mb, so replication to the DR site would be impossible. Also handling the traffic from all the sites, like print servers, SMB shares etc.
(most of these are getting replaced slowly with things like O365)
-
@Obsolesce said in MPLS alternative:
Why no intent towards a Zero Trust architecture
Because I've never heard of it. Now I have, I've got 3yrs to look into it.
-
@scottalanmiller said in MPLS alternative:
Neither of these would have any benefits from MPLS or a VPN set to work like MPLS.
Agreed with O365, but I mainly mentioned it as it's one of our main traffic usages now.
-
So what about SD-WAN? Would this be an alternative too?
-
@scottalanmiller said in MPLS alternative:
1990's LAN-based thinking. Modern networks with security are zero-trust (aka LANless) in design and VPN/MPLS would not serve any purpose.
I'll put my hand up and agree this is me, but will be looking at LANless/zero-trust on Monday and learn what it means fully.
-
@hobbit666 said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
1990's LAN-based thinking. Modern networks with security are zero-trust (aka LANless) in design and VPN/MPLS would not serve any purpose.
I'll put my hand up and agree this is me, but will be looking at LANless/zero-trust on Monday and learn what it means fully.
Yeah that's really the only route to go anymore
-
Any link to good reading on zero-trust stuff?
-
@hobbit666 said in MPLS alternative:
Any link to good reading on zero-trust stuff?
This is a good start:
-
@scottalanmiller said in MPLS alternative:
@hobbit666 said in MPLS alternative:
Basics are the Citrix/SQL/DC are all at main site then a DR site at another site.
None of those would benefit from the design that you have today. In any fashion. Unless we are missing something huge.
MPLS or Mesh VPN to replicate it would be if you have servers sprinkled through all the sites or people moving files directly using desktop to desktop file sharing or something awful like that.
Since every workload that you are mentioning would normally scream "No VPN, No MPLS", I think a description of why any of this exists or why any of it should be replicated is needed. Your key workloads give us nothing to work with. There has to be a niche workload that is a problem that drove these decisions. Without knowing about that, we can't help much other than to keep repeating that you should ditch absolutely everything and start fresh. Don't try to build off of anything currently in place.
LOL - You know that's not likely true. The chances are greater that someone was just trying to band-aid (and possibly not even a good band-aid) something at the beginning and as time went on, they simply continued down the previous course.
-
@hobbit666 said in MPLS alternative:
I only said VPN because Scott mentioned it several times in the other thread.
If we didn't have VPN/MPLS how would we serve our Citrix farm at the main site?
You serve Citrix directly on the internet; Citrix's protocol, ICA, includes encryption. Sending ICA over VPN is double encryption.