MPLS alternative
- 
 @scottalanmiller said in MPLS alternative: @Dashrender said in MPLS alternative: Basically if Hobbit is going to do this - he needs to get management to buy into a completely new paradigm of the design. which would be great, but a hard sell. One of my already filmed, but not yet published videos, is specifically for IT to show to their management about why it is wrong to refuse to do what is good for the company unless IT can "sell" them on doing the right thing. Taking the default position of screwing the company unless IT can convince them not to, it's absolutely insane and has no place in a business. Management should never act against IT unless they have a reason to do so. I can't wait to see this video. I'm not sure I would intentionally show any of your videos to my management for fear of them feeling stupid and retaliating on me. I am lucky, I do have one person, perhaps two that help run other companies that I have little/no risk in showing them and getting their feedback on your yet to be released video to see what their reaction will be. 
- 
 @scottalanmiller said in MPLS alternative: With what we do, there are literally no files anywhere in the process (till we send them to file-based organizations.) But even dealing with our partners, we are often able to remain fileless because of sharing mechanisms that we can leverage. We have nothing like OneDrive because we don't have files to put in it (as mentioned we do HAVE NextCloud, but only a couple users use it at all and it's for special case large file items, mostly for marketing with big image files that we haven't gotten fileless yet.) Are you using purely Zoho/Google Docs/O365 online type services and everything is just on their systems. 
- 
 @hobbit666 said in MPLS alternative: @scottalanmiller said in MPLS alternative: With what we do, there are literally no files anywhere in the process (till we send them to file-based organizations.) But even dealing with our partners, we are often able to remain fileless because of sharing mechanisms that we can leverage. We have nothing like OneDrive because we don't have files to put in it (as mentioned we do HAVE NextCloud, but only a couple users use it at all and it's for special case large file items, mostly for marketing with big image files that we haven't gotten fileless yet.) Are you using purely Zoho/Google Docs/O365 online type services and everything is just on their systems. NTG is pushing as much as they can into Zoho... at least that's what he told me yesterday. I think they are already there for the most part. 
- 
 @scottalanmiller said in MPLS alternative: MPLS is the alternative here. MPLS acts identically to a VPN aggregator in a mesh edge VPN gateway design. So on the very, very rare case that you want to replicate MPLS, you simple use the VPN design that MPLS is modeled on. So there is one "difference". MPLS as a private line WILL honor your DSCP (QoS Tagging at layer 3) tags over the WAN. Historically for latency-sensitive apps (Voice) you could do stuff like Tag SIP control traffic to EF (Expedited Forwarding) and tag AF31 (priority) to RTP (the voice payload) and the CoS to DSCP mappings at your MPLS router would make sure that that if anything was going to drop or have issues with buffering the Voice traffic would "ride through" with priority. When your alternative was a T1 for 500, paying 800 for a MPLS T1 was "worth it" because to get the equivalent experience you'd probably need a 10Mbps Fiber handoff that back in 200x was going to cost you 8K a month or something insane. Now a TON of people who buy MPLS doesn't realize. - You gotta tag your traffic.
- you need to CALL YOUR PROVIDER and find out what the priority queues and tags they support and profile look like (or apply one). By default they often just ignore tags.
- In most of the world these days it's cheaper to just buy more bandwidth, and aggregate links from multiple providers, and do dynamic traffic shaping with VPN meshes across them. You can also do stuff like inject parity into streams that have packet loss on bulk traffic, and for skinny flows that you need 100% delivery on (Voice) do things like double deliver the packets (If I've got a 64Kbps voice call, sending that down both the Cable Modem and the 5G connection isn't really a big deal).
 What does all these magical things? SD-WAN. SD-WAN is a marketing term for next-generation magic bandwidth massaging router/mesh systems that generally have a really nice central control. Could you do similar things with ISRs and Performance-based routing and DMVPN meshes? (ehhhh, maybe 1/2 of it, but it would cost a fortune and require a damn CCIE to manage) My employer is a player in this space (NSX SD-WAN, formerly VeloCloud). There's also Cisco Viptela and a ton of other players (RiverBed, F5 networks, HPE bought someone I'm forgetting). A thing to note on SD-WAN is you can "buy it" yourself, but also a lot of Telcos and bandwidth aggregators will sell it to you (Then you just get a CPE box, and they handle the billing and sourcing of backup providers). There are pro-cons to how much ownership you want of this (PacketPushers has had some strong opinions on why you want to own, but given the savings vs. MPLS if you need to get out of a contract now even a MSP managed one is going to be 1000x better than renewing a MPLS line). The general trend I'm seeing is people get Fiber if they can, COAX if they can't and then they bolt 2-3 different wireless dongles onto the box and they prioritize the circuits they don't pay per packet on, but have options if things go sideways. 5G having 4 major network operators is going to make wireless be an even player against Fiber and Coax soon enough (AT&T/T-Mobile/Verizon/Dish/cable company in a 5 way bidding war will get fun). 
- 
 @scottalanmiller said in MPLS alternative: Exactly. And once LANless, there is no need for XenApp to sit on your LAN at all. You can move it to colo or cloud whenever you want. Ours is in colo and uses zero LAN resources. Xenapp can be thirsty on bandwidth to the home site with certain apps. I've seen someone hit their data transfer allowance with Comcast entirely using Xenapp (Geologist looking at 3D models all day though). 
- 
 @scottalanmiller said in MPLS alternative: Right, those would be the options. Obviously the colo approach is cheap and easy and going to AWS/Azure would require the gift of a firstborn child, but technically both work. You put VDI in public cloud for a few reasons: - 
You have some shitty DB2 based app that requires 1ms of latency from the app to the DB and the dataset is in that cloud (and for political/gravity reasons you can't move it) 
- 
At a certain scale being able to spin up a Desktop pool for 8 hours then shut it down (and not pay for it) for 16 a day (and roll through regions and follow employees) you can do some wacky things to cut costs. 
- 
Microsoft licensing being punitive as hell for some things that are not in Azure, or Oracle kinda forcing people to put things in Oracle Cloud and you want desktops that are "close" to other applications. 
 
- 
- 
 @StorageNinja said in MPLS alternative: @scottalanmiller said in MPLS alternative: Exactly. And once LANless, there is no need for XenApp to sit on your LAN at all. You can move it to colo or cloud whenever you want. Ours is in colo and uses zero LAN resources. Xenapp can be thirsty on bandwidth to the home site with certain apps. I've seen someone hit their data transfer allowance with Comcast entirely using Xenapp (Geologist looking at 3D models all day though). In that case, the home user upgrades to no cap or to a business connection, at least with Cox that solves the cap problem. On Cox it's about $50/m to go no cap. 
- 
 @Dashrender said in MPLS alternative: you meant that they somehow exposed those AD servers directly to the Internet - which is just crazy. But leaving them in the background behind the RDS/ICA servers should be pretty secure.? Normally the RDS/ICA don't sit on the internet at all either and they hide behind reverse proxy's (Netscaler/F5/AVI etc for Citrix as they deprecated CSG) at the scale you'll want something that can do the load balancing and have some awareness of server load (more than just session count). 
- 
 @Dashrender said in MPLS alternative: In that case, the home user upgrades to no cap or to a business connection, at least with Cox that solves the cap problem. On Cox it's about $50/m to go no cap. He moved to AT&T Fiber. No caps on their gigabit product. 
- 
 @StorageNinja said in MPLS alternative: @Dashrender said in MPLS alternative: In that case, the home user upgrades to no cap or to a business connection, at least with Cox that solves the cap problem. On Cox it's about $50/m to go no cap. He moved to AT&T Fiber. No caps on their gigabit product. Nice - sadly not the case with Cox, their gig product has the typical 1 TB cap, which really, if you think about it - if you need the 1 gig, that cap is ridiculous! 
- 
 @Dashrender said in MPLS alternative: Nice - sadly not the case with Cox, their gig product has the typical 1 TB cap, which really, if you think about it - if you need the 1 gig, that cap is ridiculous! When we move to 5G and we just put a 5G Modem in EVERYTHING eventually it will just be "buy a bucket of xxx TB" and stop paying per device, or per peering connection. 
- 
 @hobbit666 said in MPLS alternative: So following on from another thread. I'm today's modern day how would you handle:- 
 *Multiple site connections around 60 sites.
 *Internet access via a
 for "security" either at a single point or something per connection? Nice to have Intruction detection blah blah blah and content filtering.  Will need to allow certain ports in and out (I know this is normally standard on Firewalls/UTMs but worth mentioning) and content filtering.  Will need to allow certain ports in and out (I know this is normally standard on Firewalls/UTMs but worth mentioning)
 *semi managed with high SLA.How would multiple vpns be handled. Would it be a case each sites router would have multiple vpns to each site? Or a single VPN to a singe "master" site/device. About two years ago, we stopped using MPLS in favor of site-to-site virtual private networks. Costs are decreasing, speeds are increasing, and visibility is improving. We're using Fortigates for the firewalls, but you should be able to use whichever firewall you're comfortable maintaining. Similar use profile in terms of traffic type (Citrix ICA). We used hub and spoke vpn architecture, which works well for us; what works best for you will rely on the rest of your infrastructure topology. 

