Hi Guys,

Contemplating X.O communications MPLS service for our Medium-sized office environment, with about 200 employees - will MPLS be more beneficial compared to other WAN services? Does MPLS focus on Site-to-Site only connections?

Sorry for the N00b questions, Don't have much experience with MPLS.

What is the end goal? Internet connectivity? Connecting multiple offices geographically spread out? A few more details might be nice

HI, thanks for the reply.

Scalability, Internet and Voice. Tunneling from Home-users, but thinking to purchase a Cisco ASA for that.

yes.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!

MPLS is transparent to you , as a customer , so you don't need to configure complex VPN stuff. Also MPLS isn't really a WAN service it's the internet architecture of your provider. There are a number of ways that they could do site-to-site connectivity and the result would be the same for your HQ and branches. My 2c

_________________
Stay the curse !

really the biggest issue is whether you want to manage your own internet connection or if you want XO to manage
your internet connection, these are two different configurations in an service provider MPLS environment.

pro/con
you may require a second circuit for managing you own internet access,
or may have to call XO if you need firewall changes.

you downstream sites can go through the MPLS cloud to get to the internet provided from HQ,
or they can each have their own internet access, with an increase in administrative costs ( i.e. multiple firewalls)

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

No to stead the OPs thread here, but what are some of the pros / cons of having the internet leave one central location vs having an internet connect at each location. I've only ever set it up that each location has it's own internet and then a separate connection into the MPLS cloud. I would see where it would be nice to have internet from one location, but could see it filling up a smaller pipe pretty quick between internal data traffic / voip / internet traffic

It's very handy. You can have a single place to control all firewall polices for all sites very easily. A site simply becomes an address block to create rules for.

You can also have people VPN into a single core firewall, where you have rules to give access to any part of your network.

If you're working with a 3rd party and need an IPSec tunnel to them, you only need 1 tunnel from the core firewall, and all sites have access through that tunnel.

You can have a block of IP's which get NAT'd to servers/DMZ's at any part of your internal network. Need to move a server from site A to B? You can do that and just need to change the internal NAT address. Outside stays the same.

Yes you'll need a bigger pipe, but you're not paying for access from all your other sites. Is it a single point of failure? Not if you're running the firewall in an HA pair across 2 datacentres.


So yes, the advantages are plenty. I thoroughly recommend a core hosted firewall for whatever design I'm doing for our customers

_________________
www.mellowd.co.uk/ccie/

How big is big enough of a pipe back to the main site? I know there are alot of factors there, but average what do you run into?

cons, your managed firewall provider is unresponsive, every time you need to make a firewall change you have to call your provider, sit in some queue, get a tick opened, and wait a few days for the implementation. you can't control the security aspects of your firewall, unless of course your provider is running a multi context firewall and provides you with direct access to your context so you can manage it yourself.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

You can always run your own firewalls, but hosted

_________________
www.mellowd.co.uk/ccie/

Too many factors to say. Completely depends on size of company and expected utilisation. As well as how much money they are willing to spend

_________________
www.mellowd.co.uk/ccie/

X.O Quoted their IP-Flex, which comes with 10megs - for approx. $1200.
Not sure about the size of Pipe back to H.Q, since we merged with the H.Q not too long ago and we do not access their equipment, besides typical Exchange, Asset-management.

BTW: Does Vfirewalls have a Client, to which the User can connect? Something along the lines of PnPVPN?

I was kind of hoping that wasn't the answer.. Something I've always wondered about, but have either got the running internet over your mpls is stupid or always depends

It's difficult to figure out without knowing what the company is going to use.

For example we have 1 company that takes only 4Mb access. A pittance really. But their traffic profile is pretty much 98% inter-site traffic and 2% internet traffic.

Then on the other end we have a media company that has 2 1Gb connections through their firewalls.


Both work perfectly the same. I don't know why anyone would think it's stupid to run your internet through your MPLS. MPLS is just a structure to run whatever you want on top of it.

_________________
www.mellowd.co.uk/ccie/

MPLS is probably being run on the provider's network anyway I would assume so the P routers don't need a full internet routing table. (mellow would know about this more than me I would think)

_________________
Freedom to all the people. Brave, true and strong.
Freedom to all the people. Unless I think you're wrong

dhimes.com

The P routers wouldn't need to know about the full internet anyway. The firewalls would be injecting a default route to all CPE's on the customer site. The firewalls then have a default route out to the internet. The ISP has a static/dynamic route for the customers public IP range back to the untrust of the firewalls

_________________
www.mellowd.co.uk/ccie/