A new breed of VPN based on Multi-protocol Label Switching is emerging as an alternative to traditional VPNs based on IP Security. To further complicate the issue, MPLS-based VPNs come in two flavours: Layer 2 and Layer 3.
So what are the differences between the various types of VPNs, and what’s the best choice for your network?
Service providers typically offer two VPN alternatives to traditional WAN offerings such as frame relay, ATM or leased line: IPSec-encrypted tunnel VPNs and MPLS VPNs.
The IPSec Option
IPSec tunnel-based VPNs are sometimes referred to as client-premises equipment-based VPNs because the service provider typically places equipment at the client site.
This device handles encryption and decryption of traffic before it goes out over the service providers’ network. Traffic within the service provider network is routed the same as any other IP traffic, and the service provider has no visibility into the IP tunnel. Nor does the service provider network need to be configured in any special manner to support IPSec VPNs.
Because traffic in an IPSec-based VPN is encrypted, it is generally considered secure to use IPSec to transport sensitive traffic over a public IP network.
You have two choices when deploying IPSec VPNs: managed vs. roll-your-own. With a managed VPN, one service provider deploys and manages customer client-premise equipment, and all traffic is carried over that provider’s network. This lets the provider offer service-level guarantees for assured performance.
In a roll-your-own scenario, the company deploys its own VPN devices and does not necessarily rely on a single service provider. Roll-your-own approaches are recommended for connecting branch offices that only have one Internet connection.
The disadvantages to roll-your-own are that the company is responsible for managing VPN configurations, and because traffic is transversing the Internet, there are no performance guarantees. Moreover, it typically is difficult to support latency-sensitive traffic, such as voice.
However, a roll-your-own approach lets corporations establish a VPN to any site that has access to the Internet.
Because IPSec requires each end of the tunnel to have a unique address, special care must be taken when implementing IPSec VPNs in environments using private IP addressing based on network address translation. Fortunately, several vendors offer solutions to this problem. However, they add more management complexity.
The MPLS Method
MPLS-based VPNs come in two classes: Layer 2 and Layer 3. Layer 2 VPNs based on the Internet Engineering Task Force’s (IETF) Martini draft or Kompella draft simply emulate Layer 2 services such as frame relay, ATM or Ethernet.
Typically, Layer 2 MPLS VPNs are invisible to the end user, much in the same way the underlying ATM infrastructure is invisible to frame relay users. The customer is still buying frame relay or ATM, regardless of how the provider provisions the service.
With Layer 3 MPLS VPNs (also known as “IP-enabled” or “Private-IP” VPNs), service providers assign labels to IP traffic flows. These labels represent unique identifiers and allow for the creation of virtual IP circuits or Label Switched Paths (LSP) within an IP network.
By using labels, a service provider can create closed paths that are isolated from other traffic within the service provider’s network, providing the same level of security as other private virtual circuit (PVC)-style services such as frame relay or ATM.
Because MPLS VPNs require the service provider to modify its network, they are considered network-based VPNs. MPLS-based VPNs require no client devices, and tunnels usually terminate at the service provider edge-router.
Layer 3 VPNs offer significant advantages to traditional Layer 2 services. Because they rely on IP routing to build paths, they easily can be used to create fully or partially meshed networks within a service provider cloud, with only one entry point into the cloud from each location. This eliminates the problem of setting up and managing multiple PVCs that plague fully or partially meshed networks created with ATM or frame relay. The IETF has defined standards that let MPLS VPNs support Differentiated Services, which let providers enable prioritization of voice and/or other latency-sensitive traffic.
Providers also can use MPLS to perform traffic engineering, which can provide predictable performance characteristics for individual classes of traffic.
1. If you are using frame relay or ATM, and you need to incorporate meshing, you generally can do so at a lower cost with MPLS-based VPNs, assuming you can get connectivity from one provider to all your locations. Otherwise, MPLS VPNs may not offer any advantage to your current service.
2. For small remote sites with high Layer 2 service costs (such as international locations), or sites with strong security requirements, IPSec VPNs are an ideal way to provide connectivity, although there are generally no performance guarantees unless all traffic is carried by a single provider.
Irwin Lazar is a senior consultant for The Burton Group Corp., where he focuses on strategic planning and network architecture for Fortune 500 companies and large service providers. He can be reached at[email protected].