MPLS networks are really semi-private, not 100% private. I would still recommend encryption within an MPLS network, and most carriers offer that option.
-ASB: http://XeeSM.com/AndrewBaker

On Thu, May 13, 2010 at 5:53 PM, James Hill <[email protected]> wrote:

> To me the fact you don't need vpn is one of the main selling points for
> these products (and mpls networks in general).
>
> MPLS networks seem to have been more commonplace here in Aus than the US
> until recently. I certainly haven't bothered with vpn's for many years now
> as they just add more complexity.
>
> I can understand why some people add the extra layer of security though.
> However if you feel you have to run a vpn then I'd say get a better
> provider.
>
>
> -----Original Message-----
> From: Matthew W. Ross [mailto:[email protected]]
> Sent: Friday, 14 May 2010 6:34 AM
> To: NT System Admin Issues
> Subject: Hijacked Thread: All WAN over VPN? (Was: RE: Network/WAN question)
>
> I have a related question:
>
> If you are separated, site to site, with a large layer 2 fiber network...
> would you put the traffic between routers over a VPN? Or is it commonplace
> for companies to "trust their providers" not to have a man in the middle,
> and just route?
>
> I can't imagine anybody actually does this without an IPSec or OpenVPN
> tunnel of some kind... But I'm curious if there are.
>
>
> --Matt Ross
> Ephrata School District
>
>
> ----- Original Message -----
> From: Kim Longenbaugh [mailto:[email protected]]
> To: NT System Admin Issues [mailto:[email protected]]
> Sent: Thu, 13 May 2010 13:05:09 -0700
> Subject: RE: Network/WAN question
>
> > It sounds like you have 10 PPP circuits to your remote sites, each
> > currently a T1. You're replacing the T1s with Ethernet circuits.
> >
> > Just replace this:
> > >Main Site (172.20.x.x) ------ T1 Wan link (192.168.x.x) ------ Remote Site (172.21.x.x)
> >
> > With this:
> > >Main Site (172.20.x.x) ------ Ethernet "Wan" link (192.168.x.x) ------ Remote Site (172.21.x.x)
> >
> > Your broadcast and collision domains would remain separate, just like
> > they are now.
> >
> > Unless your existing routers have the Ethernet port to handle the new
> > Ethernet "Wan", you'd have to do your routing with the L3 switches
> > anyway, so why not dump the routers and have just one piece of network
> > gear at each remote site to manage.
> >
> >
> > How would this work without routing? How's traffic on 172.20.x.x get
> > to 172.21.x.x, since those are separate subnets?
> >
> > >When setting up the Fiber, because layer 2, I do NOT have to have a
> > >separate network for that WAN link anymore. I can set it up like:
> > >Main Site (172.20.x.x) ------ Fiber Link ------- Remote Site (172.21.x.x)
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Thursday, May 13, 2010 2:42 PM
> > To: NT System Admin Issues
> > Subject: Network/WAN question
> >
> >
> > Hello. Looking for input on our current/proposed network.
> >
> > We have 10 sites. Each site is connected via T1 lines. There is a
> > router at each site that handles the routing.
> >
> > We are replacing the T1 lines with fiber. The company leasing us the
> > fiber is handing off an ethernet port at each site (all layer 2).
> >
> > My question is... Our current WAN setup with the T1s looks like this:
> >
> > Main Site (172.20.x.x) ------ T1 Wan link (192.168.x.x) ------ Remote Site (172.21.x.x)
> >
> > The WAN link itself is on its own network.
> >
> > When setting up the Fiber, because layer 2, I do NOT have to have a
> > separate network for that WAN link anymore. I can set it up like:
> > Main Site (172.20.x.x) ------ Fiber Link ------- Remote Site (172.21.x.x)
> >
> > The downside with this is, broadcasts would still travel over the
> > Fiber link since the WAN link is not on a separate network. It does
> > however, simplify things for me a bit.
> >
> > The question is, which of the two methods would you use? Putting the
> > Fiber WAN link on its own network or, not?
> >
> > One other question. Since my HP switches at the main/remote sites are
> > able to do IP Routing, would you also remove the routers (which are
> > needed with the current T1 WAN links) completely from the environment
> > and do all routing at the switch level? I'm leaning towards doing
> > this and ditching the routers.
> >
> > Thanks.
> > J
