MPLS vs Site-to-Site
-
The most common Site to Site VPN technology is IPSec. But you can use others too, OpenVPN's SSL VPN technology can also work well for this, for example. You can make a Site to Site VPN using Hamachi and, I believe, ZeroTier, too.
But it is generally assumed that IPSec will be used and almost always it is handled by a hardware firewall to set up the VPN connections on either end. You can do this with nearly any business class firewall including entry level devices like Netgear ProSafe, DD-WRT devices, Ubiquiti Edge devices, etc.
-
MPLS is a service that you buy from your ISP so you never "see" it in any way. To you it would look identically as if you bought a managed VPN service from the ISP where they kept the VPN gear at their location instead of at yours.
-
@scottalanmiller said:
MPLS is a service that you buy from your ISP so you never "see" it in any way. To you it would look identically as if you bought a managed VPN service from the ISP where they kept the VPN gear at their location instead of at yours.
I know what you're talking about, but man, if I didn't I could see where this would be confusing.
I'm wondering if I should try to explain it another way.
-
okay, i'm good at making things easy cause i'm dumb. so here you go!
MPLS = a service you buy from 1 ISP(same vendor). The ISP provides you with routers, and all of the infrastructure at each location. When it's finished your sites can all talk to eachother.
Site 2 Site VPN - this is where you or someone on your team has to know their stuff. you have to have internet at each location (vendor isn't important). You then will provide your own router/firewall at each location, configured (usually IPSEC) by you or your networking guy. The routers then use the internet and your configuration to create a secure tunnel between the two sites, when you're said and done the sites work together without any more interaction from you.
Benefits
MPLS is managed by someone else, you don't have to muck with it just monitor. this is good and bad. If their customer and quality of service are high this is great. If it's not high...you're gonna be bummed out when/if bad things happen. MPLS will more than likely have lower latency because you've got dedicated copper for the most part.S2S VPN is usually less expensive, and if your sites are geographicly seperate, you can use different vendors for your internet connection at each site. Just make sure your bandwidth is similar on each end.
Negatives
MPLS is not gonna be cheap, but you're paying for a service that you shouldn't have to manage, configure, etc. and it's a dedicated serviceS2S is going to be slower in my experience, you have to manage your routing equipment (not really a negative), more latency in my experience.
I'm tired now
-
oh, then there's VPLS
-
-
Let's not forget that Snowden has basically told us that if we care about privacy, we MUST encrypt anything we send over an MPLS, leased line.
Google had MPLS/leased lines, etc between their datacenters. Google rented these services from whatever companies could provide it. Those companies allowed the NSA to tap into those private lines and see/do anything they wanted with flowing data.
Today, Google/MS, etc all encrypt all data as it leaves their internally controlled network to stop this snooping.
-
Absolutely, you must assume that your ISP is your worst enemy. That's why I don't worry about coffee shops, no different than any other ISP.
-
@scottalanmiller said:
Absolutely, you must assume that your ISP is your worst enemy. That's why I don't worry about coffee shops, no different than any other ISP.
So do you use a VPN client to use a known entry point to the internet when at a coffee shop? Or just not care about things like ML and other sites that don't use TLS? And for the sites you do care about, of course ensure the TLS connection is live?
I know reading this it might sound flippant, it's not meant to be.
-
@Dashrender said:
So do you use a VPN client to use a known entry point to the internet when at a coffee shop?
Of course, its called a web browser and it is an SSL application specific VPN. Just use HTTPS instead of HTTP and you get a single port, application specific, end to end encrypted VPN.
-
@scottalanmiller said:
@Dashrender said:
So do you use a VPN client to use a known entry point to the internet when at a coffee shop?
Of course, its called a web browser and it is an SSL application specific VPN. Just use HTTPS instead of HTTP and you get a single port, application specific, end to end encrypted VPN.
LOL of course But then we can't go to places like Mangolassi from the Coffee shop, because it doesn't have HTTPS.
-
@art_of_shred said:
@Lakshmana Any site-to-site configuration, whether it is MPLS, VPN, or a cable running between the 2 buildings, should create a single LAN on the user side. You should see anything on the network at the other site just as you would see it if it was on a desk in the next room.
Not quite.. Some of them will be L2 and can be the same subnet.. others will have to be layer 3 with a router in between.
-
@Jason said:
@art_of_shred said:
@Lakshmana Any site-to-site configuration, whether it is MPLS, VPN, or a cable running between the 2 buildings, should create a single LAN on the user side. You should see anything on the network at the other site just as you would see it if it was on a desk in the next room.
Not quite.. Some of them will be L2 and can be the same subnet.. others will have to be layer 3 with a router in between.
Yes, but the end result is that you have a single functioning LAN. I didn't want to add another layer of complexity into the equation for him.
-
@Lakshmana said:
If I need to check the status of the Desktop or Laptop which is connected to the MPLS or Site-to-Site,how can I check?
How would you check if it was on the LAN with you?
-
@art_of_shred said:
@Jason said:
@art_of_shred said:
@Lakshmana Any site-to-site configuration, whether it is MPLS, VPN, or a cable running between the 2 buildings, should create a single LAN on the user side. You should see anything on the network at the other site just as you would see it if it was on a desk in the next room.
Not quite.. Some of them will be L2 and can be the same subnet.. others will have to be layer 3 with a router in between.
Yes, but the end result is that you have a single functioning LAN. I didn't want to add another layer of complexity into the equation for him.
Wouldn't that be the WAN?. LAN is usually the single site/subnet.. People have confused the terms though because most people think of "WAN" as internet.
-
If I have two LANs in the same building, I wouldn't call them a WAN, I'd say I have two local subnets.
I agree with Jason - mentioning that you might have routers and be on a different subnet I felt was something that was missing from the discussion.
Though with Switches I suppose one could argue for a single flat large LAN instead of two or more smaller ones and routing.
-
@Jason said:
@art_of_shred said:
@Jason said:
@art_of_shred said:
@Lakshmana Any site-to-site configuration, whether it is MPLS, VPN, or a cable running between the 2 buildings, should create a single LAN on the user side. You should see anything on the network at the other site just as you would see it if it was on a desk in the next room.
Not quite.. Some of them will be L2 and can be the same subnet.. others will have to be layer 3 with a router in between.
Yes, but the end result is that you have a single functioning LAN. I didn't want to add another layer of complexity into the equation for him.
Wouldn't that be the WAN?. LAN is usually the single site/subnet.. People have confused the terms though because most people think of "WAN" as internet.
It's a LAN that stretches over the WAN. Most LANs have routers separating subnets. That a LAN is a single subnet is actually pretty rare and only an SMB thing.
-
We call ours a WAN because the strict definition of LAN means computers within a limited geographic area, and WAN is a network in a large geographic area.
-
@Jason said:
We call ours a WAN because the strict definition of LAN means computers within a limited geographic area, and WAN is a network in a large geographic area.
That's very true. A single site would remain a LAN regardless of routers. A site with many geographic locations that are non-local to one another would be a WAN. In between the two, added years later, is the MAN concept of an area too big to be a single LAN but too small to call it a WAN.
-
MPLS is good to use if you have a multiple sites separated by a WAN and need VoIP traffic sent between them (Cisco, Avaya, Shortel, etc). MPLS generally has low latency which is well suited for VoIP. Broadband is getting better in general, but there are still blips in latency and availability. Most people don't like the idea of losing voice service or quality but they tolerate data outages.
I've seen people use VoIP over broadband and it works fine, but alot of times you get better performance on MPLS since you can pay for QoS.
MPLS is a WAN switching technology but most people use carrier routing on top of it...you don't have to. Several implementations I've dealt with have multiple sites and need a routing protocol so you don't have to configure piles and piles of routes. Alot of people do BGP peering with the carrier router in a "private cloud" so you only get the routes that relate to your sites.
Carrier Ethernet is a similar technology to MPLS. In a sense you're just plugging in a really long Ethernet cable between 2 sites. You would most likely have a router on each side but you don't have to. You can even do VLAN's over carrier Ethernet...remember it's just 1 really long cable.