Mike Rinken would like nothing more than to say goodbye to MPLS.
It's been a rocky relationship from the start. Shortly after upgrading to a 10 Mbps managed MPLS service, Rinken, director of IT at the engineering and design firm Mazzetti Inc., based in San Francisco, saw traffic on his wide area network (WAN) slow to a crawl. It took some investigating, but he eventually found the culprit: his service provider had applied Quality of Service (QoS) policies by default, without notifying him. Those policies were dropping packets, which created a bottleneck in the outbound traffic stream.
"Given the complexity of [MPLS], I would rather find whatever I can find at every office and just get as fast a pipe as possible -- even if it's Internet," Rinken says. "If I had engineered the solution that we have now, which I didn't -- I inherited it -- I would have gone in that direction."
Not too long ago, the prospect of replacing a reliable, private MPLS WAN link at the branch office with a virtual private network (VPN) over basic Internet access would make many networking professionals laugh. These days, however, more enterprises are having trouble saying no to business-class or even consumer-grade Internet services, which offer more bandwidth than traditional WAN services at a fraction of the cost and with faster provisioning.
The shift is not just anecdotal. Two years ago, 30% of companies were using an Internet connection in place of a traditional WAN link in at least one location, according to Nemertes Research. That number climbed to 50% in 2013 and could reach 55% this year.
It's tempting to look at those numbers and conclude that the private WAN's days are numbered. But for most enterprises, the reality is far less radical.
"There is a trend toward using the Internet, but it's nowhere near as dramatic as: ‘The private WAN is dead. Long live the Internet!'" says Johna Till Johnson, president and founder of Nemertes. "[The growth] is interesting and provocative, but doesn't necessarily mean people are using the Internet as a WAN."
For all its headaches, MPLS will continue to play a major role in WAN architectures. Enterprises will likely favor a "hybrid WAN" model that uses both MPLS and high-speed Internet or carrier Ethernet in a single location or alternates between them throughout the WAN, according to Andrew Lerner, a research director at Gartner.
"[MPLS] is not dead," Lerner says. "It's still a backbone of most WANs. It's just being supplemented with other technologies like Ethernet and Internet."
Rinken finds the hybrid model compelling. Hooking up new buildings with standard Internet connections and site-to-site VPNs instead of MPLS saves money and speeds up provisioning, and he says he can always deploy Riverbed Technology's Steelhead WAN optimization appliances at those sites to mitigate performance concerns. But financial, cultural and logistical barriers will prevent him from replacing all his MPLS links, especially those that are tied to long-term contracts.
"I think in 10 years we'll still have MPLS WANs. We'll still cling to that known quantity, so to speak, because we're not risky enough to take that leap," Rinken says. "But that may be a consideration, where I just say that all our future acquisitions and future branches go out through [the Internet]."
Cloud challenges old WAN model
While MPLS isn't close to being fossilized, experts say several trends are making a total or partial Internet-as-WAN approach increasingly viable.
With the growing popularity of public cloud services, employees are often going straight to the Internet anyway to access corporate data and applications.
"If you've moved the majority of your applications out to the cloud service, that's where life gets really interesting," says Till Johnson. "That's where having a private WAN may not make any sense."
Software as a Service applications like Microsoft 365, Salesforce.com and Google Apps have created inefficient traffic flows on traditional WAN architectures, says Gartner's Lerner, who notes clients typically name application performance as their biggest WAN challenge these days.
"It's no coincidence that traditional WAN architecture doesn't map to the prevailing [model of] compute and applications. There are still a ton of apps in the corporate data center, but there are also a ton of apps in the cloud," Lerner says. "If you go with the traditional WAN architecture, the cloud apps will suffer. If you go all Internet VPN architecture, the corporate apps suffer."
The hybrid WAN model addresses these concerns, he adds. Network equipment vendors are also making it easier to "load share," or steer specific types of traffic onto a given connection, so the MPLS link isn't clogged with incoming traffic from YouTube cat videos, Lerner says. It has long been easy enough to choose which pipe carries outbound requests to the Internet, but ensuring those policies still hold when the return traffic comes back in was a challenge until recently.
Cost savings drive move to Internet
The challenges of conventional WAN services -- complexity, high cost and long provisioning times -- are well-known. But several factors are exacerbating these problems and leading more networking pros to consider alternative connectivity options.
Bandwidth requirements are set to grow dramatically and rapidly. Gartner estimates that enterprise bandwidth needs will grow at a compound annual rate of 28% each year through 2017.
"Budgets aren't keeping up with that rate," notes Danellie Young, a research director at Gartner. Cost is the top reason companies may use the Internet as a WAN connection, with 80% of IT pros who have made the leap identifying savings as their main motivator, says Nemertes' Till Johnson.
"Whereas five years ago you would not think twice about dropping an MPLS connection to a small office," she says, "these days you might be saying, ‘Hey, can we get that sales office interconnected over the Internet?'"
For many enterprises, a WAN that uses both MPLS and Internet services is an acceptable compromise.
"A lot of people ask us, ‘Why am I paying $250 a month for a T1 on MPLS when I go home and, for $69.99, I get 50 megs?' It's hard to argue with 30, 40 times the bandwidth at one-fourth the cost," Lerner says. "That doesn't mean you have to go to every branch and install an Internet circuit -- because that's hard to manage and it's hard to secure. Some people are doing it, but it's not the only approach."
As part of a recent acquisition, Rinken is getting ready to add an office in Seattle to Mazzetti's WAN. After his service provider told him that getting MPLS turned up there would take 90 days, the Internet connectivity already available on site started to look pretty good.
"We've got 100 megs in the building [we] can have right now for $600 a month. Why would I not do that when we'd be paying $1,500 or $1,600 a month for that MPLS link?" he says. "Yeah, I get that there's a Quality of Service that comes along with [MPLS], but at the end of the day, if we give them a ton of bandwidth -- well, it doesn't negate latency, but it kind of negates a lot of other [issues]."
Sometimes the cost savings of high-speed Internet services are overstated, however. Gartner estimates that the price gap between MPLS and business-class Internet services ranges from 5% to 30%, depending on geography. The gap is greater when comparing MPLS to consumer-grade Internet services, where the savings range from 20% to 40%, but the service quality gap is also more pronounced. Cost calculations, however, involve more than monthly fees and annual contracts, according to Greg Ferro, a U.K.-based freelance network engineer, blogger and podcast producer. Operational expenses of private WAN services can also add up.
"Complexity is expensive. Every time you take a WAN and add a router to it, you've made it more complicated," Ferro said while speaking to an audience during a presentation at Interop Las Vegas in April. "And every time we add [additional] tools -- a proxy server, QoS configurations, dynamic routing or redundant links -- we actually build complexity and, inherently, failure into our systems."
Weighing performance and reliability
Few enterprises make their networking decisions solely on cost, however. The biggest barrier to the Internet displacing private WAN links is the possibility of poor performance. Thirty-eight percent of IT pros do not use the Internet as a WAN for that reason, according to Nemertes' Till Johnson.
MPLS providers offer several guarantees in the form of service-level agreements, typically specifying uptime metrics, performance benchmarks and trouble-ticket response time. While business-class Internet services do offer some customer service perks over consumer-grade Internet, no one can guarantee performance or availability on the Internet. It is, by definition, a best-effort service that no single entity controls.
MPLS services support end-to-end QoS. While network engineers can implement QoS on their edge routers to give some Internet-bound traffic priority over others, they lose control once it hits the Internet.
But as carriers invest more in the network infrastructure that supports Internet services, with Google and more recently AT&T committing to the Gigabit Internet market, some say the old fears about constant outages and crippling congestion are dissipating.
"If you think about 15 or 20 years ago -- even 10 years ago -- people were really concerned about that reliability factor, and it's just simply not an issue anymore," says Wes Durrett, senior IT operations manager at Room to Read, a San Francisco-based nonprofit that works to improve literacy and education opportunities in Asia and Africa. "For my office in New York, we could have any type of connection we wanted. We have just a straight Internet connection for which the round trip to our data center in California is usually less than 20 milliseconds. It's reliable, it's up all the time, and there are zero issues with it."
Durrett exclusively uses Internet connections with site-to-site VPNs throughout his WAN -- a decision largely driven by cost and the availability of services where Room to Read does its work. Several branches also have Riverbed Steelhead appliances deployed for WAN optimization, and the network as a whole supports Citrix XenApp-delivered applications and voice services via Microsoft Lync without issue. He acknowledges that his approach may not work for an enterprise with strict latency requirements or highly sensitive applications, but Durrett believes it's "definitely doable" for most organizations.
"It works fine for us, and I don't think we would ever go back and change that now, even if other services were available," he says. "If somebody's making a call in New York, that traffic is coming all the way to San Francisco and going out our voice gateway there -- and it's perfect."
Private WANs: Still safer than the Internet?
Security is also frequently cited as a reason to stick with MPLS. Although an MPLS network is a shared medium, it is not directly exposed to the Internet and all the dangers that lurk on it, ranging from denial of service attacks to the recently uncovered Heartbleed vulnerability. Carriers generally have better support for security issues on private links.
"The general consensus among our clients is that private WAN is safer, but that VPN over public Internet is almost just as safe," says Gartner's Lerner.
Ferro, who advocates for an all-Internet WAN, argues that last year's revelations from former CIA contractor Edward Snowden have chipped away at the notion that MPLS is more secure than the Internet. Meanwhile, he adds, the next generation of HTTP, HTTP/2, will have Transport Layer Security (TLS) encryption enabled by default.
"You can no longer assume your WAN services are secure, but for the sake of convenience, we do continue to do so," Ferro says. "Since Snowden's come around, privacy is now an issue because we now know that the government, for better or for worse, is probably looking into your circuits -- and by extension, if it's not the government, it is your competitors or Anonymous or somebody else. It's actually quite easy to hack into a carrier and take control of those WAN services."