Site-to-site connectivity: MPLS vs. IPSec
by David Davis, CCIE, MCSE
When it comes to connecting multiple sites with WAN links, there are now a variety of viable choices.
Naturally, the solution that is right for your business will vary depending on the size of your company, the
type of traffic you need to transmit, and your preferences for security, latency, and reliability.
In the not-too-distant past, a business could choose from dial-up circuits, dedicated point-to-point circuits,
and ultra-expensive ATM. In the late 1990s, frame relay generally replaced dedicated point-to-point
circuits as the top choice because of its ability to create a fully or partially meshed network that provided
better fault tolerance. However, with the popular spread of the Internet and the increasingly low cost of
connecting to it, encrypted site-to-site VPN tunnels have taken the top spot from frame relay.
The drawbacks to encrypted VPN tunnels are that there is overhead (latency) associated with the
encryption, security is of much greater concern, and reliability can be decreased due to the complexities
of the Internet. For example, some companies even choose DSL Internet circuits to run site-to-site VPN
tunnels over. While DSL Internet circuits may be a good fit for a small company or a telecommuter, they
are usually inadequate for a business to depend on for critical data, due to their poor SLAs and low
priority for repair by telecom companies. All of these options have their negatives. I know about these
negatives because my company (a 70-location retail company) has made this progression from dedicated
point-to-point, to frame-relay, and to IPSec VPN over DSL Internet and dedicated Internet T1 circuits.
Now, my company is about to make the transition to Multiprotocol Label Switching (MPLS).
MPLS is usually done by giving the customer a dedicated IP circuit with private IP addressing on it. Any
traffic sent from the customer to the carrier, on that circuit, is labeled. That labeled packet is sent across a
label-switched path (LSP) to a label switch router (LSR). That router routes the packet to its label edge
router (LER), where the label is removed and the packet is delivered to the customer’s destination router.
What this does for the customer is create a private network without any encryption required. For the
customer’s router to know what networks are available, it runs a routing protocol like OSPF or BGP and
receives routes from routers in the MPLS cloud (or the provider can do static routing).
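
The label handling described above, as an added example that is not part of the original article: it packs and unpacks the 32-bit label stack entry from RFC 3032 (20-bit label, 3-bit traffic class, bottom-of-stack bit, TTL) and shows that the customer packet crosses the carrier unchanged and readable. The label values, the traffic-class value and the sample packet are constructed for illustration.

```python
import struct

# Constructed stand-in for a customer's IP packet (not real traffic).
SAMPLE_PACKET = b"POS-TXN store=0042 card=TEST-0000 amount=12.34"

def encode_lse(label, tc, bottom, ttl):
    """Pack one label stack entry: label(20) | TC(3) | S(1) | TTL(8), RFC 3032."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("label, TC or TTL out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def decode_lse(data):
    """Unpack the first 4 bytes of a frame into its label stack entry fields."""
    if len(data) < 4:
        raise ValueError("truncated label stack entry")
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bottom": bool(word & 0x100), "ttl": word & 0xFF}

def ingress_push(packet, label, tc, ttl=64):
    """Ingress edge router: prepend a label. The packet itself is not altered."""
    return encode_lse(label, tc, True, ttl) + packet

def lsr_swap(frame, label_map):
    """Transit LSR: swap the top label, decrement TTL, preserve TC (QoS class)."""
    entry = decode_lse(frame)
    if entry["label"] not in label_map:
        raise KeyError("no forwarding entry for label %d" % entry["label"])
    if entry["ttl"] <= 1:
        raise ValueError("TTL expired in transit")
    new = encode_lse(label_map[entry["label"]], entry["tc"],
                     entry["bottom"], entry["ttl"] - 1)
    return new + frame[4:]

def egress_pop(frame):
    """Egress LER: strip every label up to bottom-of-stack, return the packet."""
    offset = 0
    while True:
        entry = decode_lse(frame[offset:])
        offset += 4
        if entry["bottom"]:
            return frame[offset:]

def payload_visible_in_transit(frame, needle):
    """True if an on-path observer can read `needle` straight out of the frame."""
    return needle in frame

if __name__ == "__main__":
    # Labels 100/200 and TC 5 for priority traffic are assumed example values.
    frame = ingress_push(SAMPLE_PACKET, label=100, tc=5)
    frame = lsr_swap(frame, {100: 200})
    print(decode_lse(frame))
    print("readable in carrier core:", payload_visible_in_transit(frame, b"card="))
    print("delivered intact:", egress_pop(frame) == SAMPLE_PACKET)
```

The traffic-class bits are what let the carrier prioritize traffic hop by hop, and the unchanged payload is why confidentiality on an MPLS circuit depends on encrypting above the label layer.
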
One of the top benefits of MPLS is that it creates a fully meshed network by default. So by being
connected to your MPLS network, you have a direct connection to all your remote locations without any of
the additional cost or configuration you would need with frame-relay or IPSec VPN tunnels. An application
that most benefits from this "any-to-any" connectivity is Voice-over-IP (VoIP). VoIP is challenging to
implement over IPSec site-to-site VPN tunnels because the encryption and going through multiple
Internet carriers can cause too much latency. Of course, an infinite number of applications might benefit
from the built-in any-to-any connectivity of MPLS. The other main benefit of MPLS is the quality of service
(QoS). Either the carrier will offer QoS in its standard offering or it will be an add-on feature. With the QoS
of MPLS, you can prioritize certain traffic all the way through the carrier’s network.
To help you size up the similarities, differences, and pros and cons of MPLS and IPSec VPN, I've put
together the comparison chart below.
Author's note
For the purposes of this article, when I say “IPSec VPN,” I'm talking about “IPSec site-to-site VPN
tunneling.” That would be using VPN concentrators/routers to encrypt traffic over the Internet to connect
multiple remote LANs. Undoubtedly, standard IPSec VPN servers are great for allowing remote access
to individual users, but we aren't comparing that here.
Comparison chart: MPLS VPN vs. IPSec site-to-site VPN

Feature: Reliability
MPLS VPN: You will have to receive all MPLS circuits through a single carrier, which helps with reliability.
However, some carriers offer MPLS using DSL as the local loop, and choosing this can result in less
reliability. In general, MPLS will be more reliable than IPSec VPNs because there is less complication in
the tunneling and firewall configuration.
IPSec site-to-site VPN: Receiving all your IPSec VPN circuits through the same carrier will increase
reliability (but decrease fault tolerance) over using multiple Internet carriers. But due to the multiple VPN
concentrators and the encryption configuration, an IPSec VPN can be less reliable than MPLS.

Feature: Cost
MPLS VPN: The cost for the local loops for each choice will be the same. The MPLS tunneling, through the
carrier, will have a price tag associated with it, but it shouldn’t be more than a managed IPSec VPN service
from a carrier or more than the staff required to manage and troubleshoot an IPSec VPN.
IPSec site-to-site VPN: Unlike MPLS, IPSec VPN requires VPN concentrators, which will boost the upfront
cost. Once you have the hardware, the staff required to maintain and troubleshoot the IPSec VPN tunnels
may be the same as, or more than, the MPLS service from the carrier.

Feature: Security
MPLS VPN: MPLS should be more secure than IPSec VPN tunnels, if you don’t allow your MPLS circuits to
connect directly to the Internet, which some carriers offer through the carrier’s MPLS cloud. For the best
security, use MPLS as a private network only. Used as a private network, MPLS offers the same security as
a frame relay network. However, keep in mind that as with frame relay, data sent over an MPLS network is
not encrypted.
IPSec site-to-site VPN: Network intrusions are a greater concern with IPSec VPN tunnels since you are
running them through an Internet circuit. That Internet circuit is open to connections from around the
world. A misconfigured firewall can open your IPSec VPN network to the Internet. Security is of even higher
concern if you use split tunneling on your VPN concentrators. However, IPSec VPN tunnels beat out MPLS
when it comes to protecting the data that is traversing the WAN, because the IPSec VPN data will be
encrypted with IPSec. The MPLS data is not encrypted, only tunneled.

Feature: QoS
MPLS VPN: QoS may be included with the carrier’s MPLS offering or it may cost extra. Either way, with MPLS
QoS, you can prioritize certain traffic all the way through the carrier’s network. This is great for
latency-sensitive applications, like VoIP.
IPSec site-to-site VPN: QoS features are limited. Once you send your encrypted data over the Internet,
little can be done to prioritize it.

To get more details on the various MPLS options, check out shopforbandwidth.com.
