Expert Chris Partsenidis hashes out the MPLS vs. VPN debate to determine whether cheaper ADSL VPN alternatives are better than ISP-supported ADSL MPLS VPNs for your wide area network (WAN).
MPLS vs. VPN
Because service providers saw the upcoming threat of ADSL IP VPNs—as discussed in my previous article, ADSL IP VPN advantages—they decided to take action and introduce new MPLS IP VPNs via ADSL connections to enterprises that had long been paying for the more expensive MPLS IP VPN lines. These new MPLS IP VPNs via ADSL connections are basically the MPLS IP VPN as we know it, but over a cheaper medium, that is, ADSL.
These types of connections are directly comparable to ADSL IP VPNs because they use the same WAN technology medium—ADSL technology. The MPLS vs. VPN question here asks whether each of the two choices has true advantages. Feelings in the industry are slightly mixed, but be sure that your service provider will bring a lot of examples to convince you why it’s better to purchase the service from them, rather than implement it yourself.
Here are the facts you should be aware of:
Both solutions use the same medium: ADSL. Since both IP VPN and MPLS solutions use ADSL to provide service, they will both suffer from the ADSL bottleneck effect. If you utilize ADSL VPN lines heavily, you’ll quickly realize you need more ADSL lines. In addition, all ADSL connections at each end will end up terminating at the same DSLAM (Digital Subscriber Line Access Multiplexer), which means if that DSLAM fails, you’ll lose any type of ADSL connection no matter what.
QoS (Quality of Service). Your service provider will explain that special prioritization is provided for ADSL MPLS IP VPN circuits. This might be true, but you’ll need to try both solutions head-on in order to compare and see the real difference. There are many cases where the performance is so similar between MPLS and VPN solutions that you probably won't be able to tell the difference.
Denial of service (DoS) attacks. It’s true that ADSL MPLS IP VPNs are less prone to DoS attacks, for one reason only: The IP addressing of the circuits is not exposed to the Internet and is therefore not reachable. Even if a DoS attack occurred in a situation where Internet was also provided by the MPLS service provider, the provider could keep it from reaching your network, saving you valuable bandwidth on your ADSL MPLS IP VPN connection(s). In the case of ADSL IP VPNs, you’re on your own until the attack is over.
Flexibility. ADSL MPLS IP VPNs are considered less flexible when compared with ADSL IP VPNs for many reasons. Here are some of the most important ones:
- ADSL MPLS IP VPNs are configured by the service provider with a fixed static configuration. You usually have no access to the configuration of the equipment, for security and quality assurance reasons. Any changes required must be sent to the service provider; then you are notified once they have been completed. If any incorrect changes are made, the same path is taken: You notify the service provider and wait.
- It’s up to the service provider to notify and inform you of new features offered by VPN services—i.e., new features on the router from an IOS upgrade. In most cases, the service provider will never change or update the router operating system.
Security. ADSL MPLS IP VPNs can also carry Internet traffic. In such scenarios, direct Internet access is provided by the routers connecting the local network to the MPLS/Internet. Since you have no direct access to the router itself, there is no way of knowing what security configuration has been used to protect the local network from possible intrusion attempts. With ADSL IP VPNs, you fully set up the router, thus it’s possible to examine the security measures taken.
As might be evident, most facts show very little difference between ADSL MPLS IP VPN and ADSL IP VPN implementations. In the first case, you pay a bit more and have the service provider deal with everything, whereas in the second case, the costs are considerably lower and you have total control.
For more information on networking, VPN security and firewalls, visit Firewall.cx, one of the few websites recommended by Cisco Systems in its world class Cisco Academy program.
MPLS vs. VPN: Which one is best for your enterprise WAN?
It is always highly advisable to take a careful approach when dealing with new implementations you have never tried before. Switching over to a new solution such as an ADSL IP VPN, without trying it, is never a good idea because you cannot foresee the problems heading your way.
Take a safer approach; give it a try and experiment with the service. If your service provider can give you a clean ADSL line on all endpoints, you’re off to a good start. Set up the VPN network between all sites and slowly migrate to the more cost-effective solution, as many companies are doing.
Don’t forget the WAN backup lines (ISDN) that will keep your WAN running during service outages.
In the end, it is all about what you need to achieve and how much you want to explore the different options available.
Challenge your service provider and show them you have readily available alternatives. This might even score you a better deal for an ADSL MPLS IP VPN and bring you closer to the cheaper alternative—an ADSL IP VPN—leaving the headache of setting up and maintaining the WAN to your service provider.
You can read up on Cisco VPN client configuration at Firewall.cx, or if you're wondering whether or not you should build out MPLS internally, check out these tips by expert Ivan Pepelnjak:
- When should companies consider building MPLS networks into their WANs?
- How to prepare enterprise WANs for MPLS/VPN integration
- Troubleshooting MPLS WAN services: VPLS, pseudowires, and Layer-3 VPNs