
Site-to-site connectivity: MPLS vs. IPSec

by David Davis, CCIE, MCSE


When it comes to connecting multiple sites with WAN links, there are now a variety of viable choices.
Naturally, the solution that is right for your business will vary depending on the size of your company, the
type of traffic you need to transmit, and your preferences for security, latency, and reliability.

In the not-too-distant past, a business could choose from dial-up circuits, dedicated point-to-point circuits,
and ultra-expensive ATM. In the late 1990s, frame relay generally replaced dedicated point-to-point
circuits as the top choice because of its ability to create a fully or partially meshed network that provided
better fault tolerance. However, with the popular spread of the Internet and the increasingly low cost of
connecting to it, encrypted site-to-site VPN tunnels have taken the top spot from frame relay.

The drawbacks to encrypted VPN tunnels are that there is overhead (latency) associated with the
encryption, security is of much greater concern, and reliability can be decreased due to the complexities
of the Internet. For example, some companies even choose DSL Internet circuits to run site-to-site VPN
tunnels over. While DSL Internet circuits may be a good fit for a small company or a telecommuter, they
are usually inadequate for a business to depend on for critical data, due to their poor SLAs and low
priority for repair by telecom companies. All of these options have their negatives. I know about these
negatives because my company (a 70-location retail company) has made this progression from dedicated
point-to-point, to frame-relay, and to IPSec VPN over DSL Internet and dedicated Internet T1 circuits.
Now, my company is about to make the transition to Multiprotocol Label Switching (MPLS).

MPLS is usually delivered by giving the customer a dedicated IP circuit with private IP addressing on it. Any
traffic the customer sends to the carrier on that circuit is labeled. That labeled packet is sent across a
label switched path (LSP) through the carrier's label switch routers (LSRs) to the label edge router (LER)
at the far end, where the label is removed and the packet is delivered to the customer's destination router.
What this does for the customer is create a private network without any encryption required. For the
customer's router to learn which networks are reachable, it runs a routing protocol like OSPF or BGP and
receives routes from routers in the MPLS cloud (or the provider can use static routing).

One of the top benefits of MPLS is that it creates a fully meshed network by default. So by being
connected to your MPLS network, you have a direct connection to all your remote locations without any of
the additional cost or configuration you would need with frame relay or IPSec VPN tunnels. An application
that most benefits from this "any-to-any" connectivity is Voice-over-IP (VoIP). VoIP is challenging to
implement over IPSec site-to-site VPN tunnels because the encryption and the path through multiple
Internet carriers can add too much latency. Of course, many other applications can benefit
from the built-in any-to-any connectivity of MPLS. The other main benefit of MPLS is quality of service
(QoS). Either the carrier will include QoS in its standard offering or it will be an add-on feature. With the QoS
of MPLS, you can prioritize certain traffic all the way through the carrier's network.

To help you size up the similarities, differences, and pros and cons of MPLS and IPSec VPN, I've put
together the comparison chart below.

Author's note

For the purposes of this article, when I say "IPSec VPN," I'm talking about "IPSec site-to-site VPN
tunneling." That would be using VPN concentrators/routers to encrypt traffic over the Internet to connect
multiple remote LANs. Undoubtedly, standard IPSec VPN servers are great for allowing remote access
to individual users, but we aren't comparing that here.

Comparison chart: MPLS VPN vs. IPSec site-to-site VPN

Reliability

MPLS VPN: You will have to receive all MPLS circuits through a single carrier, which helps with
reliability. However, some carriers offer MPLS using DSL as the local loop, and choosing this can result
in less reliability. In general, MPLS will be more reliable than IPSec VPNs because there is less
complication in the tunneling and firewall configuration.

IPSec site-to-site VPN: Receiving all your IPSec VPN circuits through the same carrier will increase
reliability (but decrease fault tolerance) over using multiple Internet carriers. But due to the multiple
VPN concentrators and the encryption configuration, an IPSec VPN can be less reliable than MPLS.

Cost

MPLS VPN: The cost for the local loops for each choice will be the same. The MPLS tunneling, through
the carrier, will have a price tag associated with it, but it shouldn't be more than a managed IPSec VPN
service from a carrier or more than the staff required to manage and troubleshoot an IPSec VPN.

IPSec site-to-site VPN: Unlike MPLS, IPSec VPN requires VPN concentrators, which will boost the
upfront cost. Once you have the hardware, the staff required to maintain and troubleshoot the IPSec VPN
tunnels may cost the same as, or more than, the MPLS service from the carrier.

Security

MPLS VPN: MPLS should be more secure than IPSec VPN tunnels, if you don't allow your MPLS circuits
to connect directly to the Internet, which some carriers offer through the carrier's MPLS cloud. For the
best security, use MPLS as a private network only. Used as a private network, MPLS offers the same
security as a frame relay network. However, keep in mind that as with frame relay, data sent over an
MPLS network is not encrypted.

IPSec site-to-site VPN: Network intrusions are a greater concern with IPSec VPN tunnels since you are
running them through an Internet circuit. That Internet circuit is open to connections from around the
world. A misconfigured firewall can open your IPSec VPN network to the Internet. Security is of even
higher concern if you use split tunneling on your VPN concentrators. However, IPSec VPN tunnels beat
out MPLS when it comes to protecting the data that is traversing the WAN, because the IPSec VPN data
will be encrypted with IPSec. The MPLS data is not encrypted, only tunneled.

QoS

MPLS VPN: QoS may be included with the carrier's MPLS offering or it may cost extra. Either way, with
MPLS QoS, you can prioritize certain traffic all the way through the carrier's network. This is great for
latency-sensitive applications, like VoIP.

IPSec site-to-site VPN: QoS features are limited. Once you send your encrypted data over the Internet,
little can be done to prioritize it.
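The label push, swap and pop sequence described earlier, and the point made in the Security row that MPLS data is tunneled but not encrypted while IPSec data is, can be seen side by side in a small model. The following is an added example, not code from the article or from any carrier or vendor product. The router names, labels, LFIB entries, keys and payload are constructed for the demonstration, and an HMAC-SHA256 counter-mode keystream stands in for the AES cipher a real ESP security association would negotiate; the packet layout (SPI, sequence number, IV, ciphertext, integrity tag) mirrors ESP.

```python
"""Added example, not from the article: a small model of the two WAN designs
being compared.  The MPLS side pushes, swaps and pops labels along a
label-switched path; the IPSec side wraps the same payload in an ESP-like
encrypted and authenticated packet.  Router names, labels, keys and payloads
are all constructed for the demonstration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# --- MPLS: push at the ingress LER, swap at each LSR, pop at the egress LER ---

@dataclass
class MplsPacket:
    labels: list        # label stack, top of stack first
    dst_site: str       # stands in for the customer IP header
    payload: bytes      # carried in the clear through the carrier cloud

# Constructed LSP from site A's LER through two LSRs to site B's LER.
# Per-router LFIB: incoming label -> (action, outgoing label, next hop).
# The ingress entry is keyed on None: an unlabeled packet whose destination
# (the FEC, looked up in the customer's VRF in a real LER) is site B.
LFIB = {
    "LER-A": {None: ("push", 100, "LSR-1")},
    "LSR-1": {100: ("swap", 200, "LSR-2")},
    "LSR-2": {200: ("swap", 300, "LER-B")},
    "LER-B": {300: ("pop", None, "site-B")},
}

def mpls_forward(pkt, lfib=LFIB, ingress="LER-A"):
    """Walk the packet along the LSP.
    Returns (delivered payload, {router: payload bytes that router could read})."""
    node, seen = ingress, {}
    while node in lfib:
        top = pkt.labels[0] if pkt.labels else None
        action, out_label, next_hop = lfib[node][top]
        if action == "push":
            pkt.labels.insert(0, out_label)
        elif action == "swap":
            pkt.labels[0] = out_label
        elif action == "pop":
            pkt.labels.pop(0)
        seen[node] = bytes(pkt.payload)   # no encryption: every hop sees the data
        node = next_hop
    return pkt.payload, seen

# --- IPSec site-to-site: an ESP-like encrypt-then-MAC wrapper ---
# HMAC-SHA256 in counter mode is a stdlib-only stand-in for the AES cipher a
# real ESP SA would use; the header/tag structure mirrors ESP.

def _keystream(key, iv, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def esp_encapsulate(enc_key, auth_key, spi, seq, payload):
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, iv, len(payload))))
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + iv
    tag = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:16]
    return header + ct + tag

def esp_decapsulate(enc_key, auth_key, packet):
    header, ct, tag = packet[:24], packet[24:-16], packet[-16:]
    expected = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ESP integrity check failed; packet dropped")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, header[8:24], len(ct))))

def esp_rejects_tampering(enc_key, auth_key, packet):
    """True if a packet with one flipped ciphertext bit is dropped by the receiver."""
    tampered = packet[:24] + bytes([packet[24] ^ 0x01]) + packet[25:]
    try:
        esp_decapsulate(enc_key, auth_key, tampered)
    except ValueError:
        return True
    return False

def ipsec_forward(enc_key, auth_key, payload):
    """Site A's concentrator encrypts, Internet routers relay ciphertext, site B decrypts."""
    wire = esp_encapsulate(enc_key, auth_key, spi=0x1001, seq=1, payload=payload)
    seen = {"ISP-1": wire, "ISP-2": wire}   # what transit Internet routers observe
    return esp_decapsulate(enc_key, auth_key, wire), seen

def compare(payload=b"VoIP RTP frame for site B", enc_key=None, auth_key=None):
    """Deliver the same payload both ways and report what transit routers could read."""
    enc_key = enc_key or os.urandom(32)
    auth_key = auth_key or os.urandom(32)
    mpls_out, mpls_seen = mpls_forward(MplsPacket([], "site-B", payload))
    ipsec_out, ipsec_seen = ipsec_forward(enc_key, auth_key, payload)
    return {
        "mpls_delivered": mpls_out == payload,
        "ipsec_delivered": ipsec_out == payload,
        "mpls_transit_cleartext": all(v == payload for v in mpls_seen.values()),
        "ipsec_transit_cleartext": any(payload in v for v in ipsec_seen.values()),
    }

if __name__ == "__main__":
    print(compare())
```

Running `compare()` delivers the payload intact over both paths, but reports that every router along the LSP could read it, while the Internet routers carrying the IPSec packet see only ciphertext; `esp_rejects_tampering` shows the receiver dropping a packet whose ciphertext was altered in transit, which is the integrity property the article's "protecting the data that is traversing the WAN" relies on.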

To get more details on the various MPLS options, check out shopforbandwidth.com.
