One of the most common questions that I am asked is what type of VPN an organization should deploy. So, in the hope that it will save some people some time, I thought I’d just go through some of the most basic considerations when choosing a VPN protocol.
Let’s suppose you’ve decided to deploy a VPN to connect your organization’s/customers’ sites (a site-to-site VPN). But you are not sure which VPN technology and type you should deploy – should it be IPsec, MPLS layer-3, MPLS layer-2, L2TPv3-based, or another technology?
Some of the first questions that you will want to ask yourself when you are choosing a site-to-site VPN technology or protocol include:
1. Is cost is a primary concern?
2. Is encryption and authentication required for your traffic?
3. Is “native” multiprotocol transport or layer-2 connectivity important?
4. Are you a service provider wishing to consolidate legacy and IP/MPLS network infrastructures?
5. Is any-to-any (layer 3) connectivity required between sites?
6. Is end-to-end quality of service (QoS) required?
7. Is full control of routing between customer edge routers is required?
8. Is simplified WAN routing desirable?
9. Are additional managed services such as firewalled internet access/voice services required/desirable?
10. Do you need to transport multicast traffic over your VPN?
There are many other questions that you must ask yourself, but in order to keep this brief enough for a blog post, I’ll just stick with discussing the above.
1. Is cost is a primary concern?
Cost is almost always important, but if it is a primary concern then an Internet-based IPsec VPN is often a good choice. Internet connectivity is relatively cheap, but because the Internet is insecure you’ll need IPsec to protect your traffic.
2. Is encryption and authentication required for your traffic?
If you need authentication and encryption for your site-to-site VPN traffic then IPsec is the way go. An IPsec VPN could be a standard IPsec VPN; it could be based on Cisco’s Dynamic Multipoint VPN (DMVPN) technology; or it could even be an MPLS or L2TP-based VPN with traffic protected using IPsec. But whatever the specific form of site-to-site VPN, you’re going to need IPsec if you require authentication and encryption.
3. Is “native” multiprotocol transport or layer-2 connectivity important?
The next question is whether ‘native’ multiprotocol transport or layer-2 connectivity is important. If it is then a layer-2 VPN type such as a Virtual Private LAN Service (VPLS) or Virtual Private Wire Service (VPWS) based VPN may be a good option.
It’s also possible to transport multiprotocol traffic over MPLS layer-3 and IPsec VPNs using GRE tunnels.
4. Are you a service provider wishing to consolidate legacy and IP/MPLS network infrastructures?
If you are a service provider looking to consolidate legacy infrastructure such as ATM/Frame Relay networks with your IP/MPLS infrastructure, as well as deploy newer services such as Ethernet over MPLS/L2TPv3 (EoMPLS/EoL2TPv3), then layer-2 VPNs may very well be the answer. This is because both MPLS and L2TPv3 pseudowires (emulated circuits) can carry layer-2 traffic such as Ethernet, Frame Relay, ATM, HDLC, PPP, and even X.25.
5. Is any-to-any (layer 3) connectivity required between sites?
Any-to-any WAN connectivity can be advantageous for applications and traffic types such as voice and interactive video. If you would like any-to-any connectivity between sites then MPLS layer-3 VPNs or multipoint-to-multipoint layer-2 VPNs (VPLS) are good options. Other technologies such as DMVPN can also provide this type of connectivity.
6. Is end-to-end quality of service (QoS) required?
QoS can often be important to ensure that traffic and applications performance requirements in terms of latency, jitter (variable delay), and packet loss are met. QoS is especially important for traffic types such as voice. While QoS can be supported in a variety of VPN deployments, end-to-end QoS guarantees for specific applications and traffic types are commonly available with MPLS layer-3 VPNs.
7. Is full control of routing between customer edge (CE) routers is required?
If you absolutely need full control of routing between your sites then IPsec and MPLS/L2TPv3-based layer-2 VPNs are all possibilities. MPLS Layer-3 (RFC 2547bis/RFC 4364) VPNs are not an option if full control of routing is important because service provider edge (PE) routers will be involved in your routing, and you will therefore have some loss of control. This loss of control is often considered insignificant when compared to the advantages of deploying MPLS layer-3 VPNs, but it’s worth noting.
8. Is simplified WAN routing desirable?
Configuring WAN routing when there is any-to-any connectivity and routing adjacencies between (many) sites can be challenging. One way around this is, of course, to deploy a hub-and-spoke topology, but then advantages of any-to-any connectivity are lost. MPLS Layer-3 VPNs can provide any-to-any connectivity as well as providing simplified WAN routing. This is because, while IP traffic is forwarded over label-switched paths (LSPs) directly between sites over the service provider backbone network, customer edge (CE) routers peer only with their directly connected provider edge (PE) routers rather than with each other.
9. Are additional managed services such as firewalled internet access/voice services required/desirable?
Service providers can offer a variety of managed services to their customers such as firewalled Internet access and voice services. These managed services are most easily provided and most often available via MPLS Layer-3 VPNs.
10. Do you need to transport multicast traffic over your VPN?
MPLS layer-3 and IPsec VPNs do not natively support multicast. If you need to transport multicast traffic in an MPLS layer-3 VPN then you’ll need GRE tunnels or support for multicast VPNs (MVPNs). If you need to transport multicast over an IPsec VPN then you’ll need to use technologies such as GRE tunnels or Virtual Tunnel Interfaces (VTIs).
Next time, I’ll look at some of the main considerations when selecting a remote access VPN technology.
Needless to say, if you have got any thoughts on this subject then please leave a comment or email me.
Mark