IP VPN over Internet vs MPLS, there’s a price for everything in this world, and Internet based IP VPNs are no exception. While IP VPNs over Internet are a cheaper alternative to any MPLS network, it doesn’t necessarily mean they’re for everyone, as customer requirements always vary. In this posting, I will explain both the Internet IP VPN advantages and disadvantages.
Let’s take a look at a few IP VPN over Internet advantages over most MPLS circuits:
- Cheaper rates. Internet service providers provide a simple NxT1, Ethernet or Cable connection to the Internet, using the highest possible speed with. The price for internet connectivity is considerably cheaper than almost any WAN MPLS service, making it extremely attractive for companies seeking to cut telecom costs.
- Fully configurable. WAN engineers have total control over the VPN tunnel created between sites. They are able to perform on-the-fly configuration changes to compensate for any network problems or help rectify any problem that might arise. With full access to the VPN, terminating equipment like routers and firewalls, engineers have the ability to see the condition of the internet circuit and take any action(s) deemed necessary…provided they have the staff resources and skills.
- VPN backup included. For mission-critical sites, backup via another internet circuit is possible if your primary connection fails. Time response for the backup line to come online is configurable by the network engineer, and there is no need to wait for the ISP to fix a line so your company can continue working.
- Two-in-one. When configuring the site-to-site VPN, engineers can also configure remote VPN access for users traveling around the country or world, a feature most companies would have to pay additional money for to receive from their service providers.
- Upgradable features. Perhaps one of the strongest advantages is the fact that your site-to-site VPN characteristics are strictly dependant on those that your VPN routers/firewall support. This means that as new features are introduced with the newer router operating systems (i.e., Cisco IOS), they will be available to your engineers to implement. For example, QoS pre-classification was a feature Cisco introduced in its IOS that fixed a number of QoS features for different services running over VPN tunnels. Dynamic Multiple VPN (DMVPN) was another great feature allowing scalable IPsec VPN tunnels between multiple sites. DMVPN allows every endpoint to dynamically build a VPN tunnel with any of its other peers, providing a low-cost mesh VPN solution.
If the brief list of the above of Internet IP VPN advantages seems overwhelming , you have read a few of its disadvantages.
Here is a list of a few disadvantages of Internet IP VPNs over almost all WAN MPLS circuits:
- Limited QoS. In order to have a fully functional QoS model, you need to have control of all equipment and paths that your VPN packets run through. In the IP VPN over Internet model, QoS is effective in each site’s LAN, up until the L interface of the routers. From there on, packets enter the ISP’s network, and your ISP will clearly state that there is no QoS for such connections. Everything is based on a “best effort” delivery mechanism and you can’t argue about that. Any QoS parameters inserted in your WAN packets are, in most cases, ignored by the ISP.
- No Class of Service Prioritization. It’s the internet, sorry. Though some technologies that utilize multiple internet access circuits at each location can compensate for this surprisingly well.
- Higher Packet Loss and Latency. If you use interactive applications, video, voice domestically or are connecting to locations more than 3,000 miles away, the MPLS network will outperform the IP VPN over Internet hands down. That is, unless you have multiple internet circuits using the right technology.
- Undependable voice and video. If you use voice or video over your network, the MPLS network will outperform the IP VPN, hands down with dependable and consistent performance.
- Possible bottlenecks and low speeds. In an Internet IP VPN scenario, your company connects to the Internet, which has quite a variation of performance. If there is heavy traffic on the Internet, chances are you might experience lower speeds during peak-hour times. Again, there is no guarantee of the performance.
- VPN and router/firewall security. You are exposed directly to the Internet. This means that the security of your VPN and terminating equipment (routers and/or firewalls) are your responsibility. If your engineers do not take the necessary measures to secure the equipment correctly, this can lead to the exposure of your company to the Internet. This is not a topic to be taken lightly, as the damage can be devastating. It is extremely important to understand the risk involved and to have the required technical expertise to ensure the job is performed correctly. Under ideal circumstances, where the equipment is correctly configured, there is no need to worry—you’re safe.
- Denial of service attacks. With a direct Internet connection, you are exposed to any denial of service (DoS) attack. All attempts can be successfully repelled; however, keep in mind that the traffic will have to reach your router/firewall first. This means that the heaviest damage that can be produced by a DoS attack—for a correctly configured endpoint—is to create a bottleneck on your connection and greatly reduce speeds for the duration of the attack.
- Management of many different ISP bills
If you want a rock-solid WAN with almost no packet loss and the lowest possible latency and quality, consider an MPLS network. If your budget does not permit the cost of an MPLS network, speak to MPLS-Experts to learn about how we can utilize multiple Internet access circuits to provide the quality of service and redundancy that you would expect from an MPLS network, at a much lower cost.
Some other related reading:
- Hybrid networks using IP-Sec VPN and MPLS
- IP-Sec VPN local loop access to MPLS networks
- WANs using IP-Sec VPN over Internet vs MPLS