MPLS or IPsec VPN: which is the best?
These days, you can get an extremely fast, fiber, business Internet connection for a relatively low cost. So, should you ditch your company's expensive MPLS Wide Area Network and replace it with an IPsec VPN over giant fiber Internet circuits at each site?
Scouring the online IT forums, it’s hard not to get sucked in to all the talk about how MPLS is too expensive and can easily be replaced with high-bandwidth, fiber Internet circuits and an IPsec VPN. If you currently have an MPLS network, it almost makes you want to throw a blanket over it and hope nobody notices your “antiquated” Wide Area Network. [blushing]
The final straw was when you read how username Pauly-Packet-Loss just saved thousands by scrapping his company’s MPLS and it works great. [single tear rolls down your cheek]
You desperately want to ask someone what to do but you wouldn’t dare post anything on an online networking forum. Any post starting with “My MPLS network…” is certain to get snarky responses like, “You still have an MPLS network?” or “Having an MPLS network is your first problem.”
Before you assume your MPLS network is soon-to-be scrap-piled, let me assure you MPLS is still the best option for certain applications. I know, that’s “crazy talk” these days but yes, there are times when MPLS is still the way to go.
When MPLS is the best
I first started hearing the rumblings of “MPLS is dead” a few years ago when everyone started noticing how cheap bandwidth was getting. Around 2010, the price of high-speed fiber Internet (for business) started dropping at a rate of 30 percent per year, as several business ISPs (like AT&T and Verizon) were building out fiber into every major metropolitan area, replacing their corroding copper infrastructure.
It wasn’t uncommon to hear an IT professional say something similar to “we got rid of our 20M MPLS network and replaced it with 100M fiber Internet connections at each site… and cut our bills in half!”
What a testimony! This got my attention. It got yours too, right?
And I agree, this is a great idea… with one exception: if your company is running critical, real-time applications across the network (such as voice, video or remote desktop), moving off MPLS and into the public Internet may not be a good idea.
Sure, adding more bandwidth is never a bad thing but keep in mind, the most common culprits of bad quality (for real-time apps) are latency, packet loss and jitter.
Real-time applications require much lower levels of these three network boogers, compared to your other applications. Real-time apps are delicate creatures and the slightest delay or mix-up in their packets creates total chaos in the user’s experience.
And no matter how large your Internet connection is, there is zero guarantee of your levels of latency, packet loss and jitter over the public Internet. The IPsec VPN will keep your WAN traffic private but it doesn’t provide QoS for your sensitive little real-time packets as they make their journey across the big, scary public Internet.
The only way to guarantee your real-time traffic maintains low levels of latency, packet loss, and jitter, is to keep those applications running on a private network, where you have total control over the entire route the packets traverse. MPLS is one such WAN.
What about SD-WAN, you say? Good idea but that’s a topic for another article. The quick answer is technically, no. Not even SD-WAN can guarantee low levels of packet loss, latency, or jitter. Especially if your real-time apps are running on an on-prem server (as opposed to a cloud service). Stay tuned to my blog for more on MPLS vs. SD-WAN and other WAN technologies. [smirk with one eyebrow raised]
Can you throw caution to the wind, and try sending real-time applications over an IPsec VPN? Sure. But put some thought into whether your salespeople will freak when a call drops while on an important phone call… or if users will continually hound your IT department with tickets for their remote desktop screen having blackouts… or if the execs will go psycho if the video bridge is glitching during a board meeting. And no, bumping up to 10G dedicated fiber Internet connections may not fix it.
If your real-time apps are a big part of everyday life for users in your company, don’t believe the hype [as Flava Flav yells “yeaaaah boy!”] and dump your MPLS network without thorough testing. Ask yourself questions like “Will having unreliable call quality hurt our customers’/prospective customers’ impression when they call our company, as they review a bid from our competitor?” Or “Will it slow our employees down if their app is unreliable or slow?”
Those little things make for big losses. Put it this way… if your company has sales of only $25 million/year, a mere 1 percent loss in sales (due to lost customers, etc.), equates to a $250,000 loss. Add this to money lost from lost employee payroll efficiency and you can see how the execs will not be happy with dropped calls, glitchy apps, etc. And a $25 million company doesn’t have a big enough WAN to save $250,000+ from ditching their MPLS.
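One way to do the testing recommended above, as an added example that is not part of the original article: probe each candidate path and score it on latency, packet loss and jitter rather than on bandwidth. The probe values and the 150 ms / 1 percent / 30 ms limits are assumptions for illustration, and jitter is the RFC 3550 running estimate applied to consecutive probe delays.

```python
"""Score a WAN path on latency, packet loss and jitter from probe results."""

# Assumed acceptance limits for a voice-grade path (illustrative, not from the article).
LIMITS = {"latency_ms": 150.0, "loss_pct": 1.0, "jitter_ms": 30.0}

# Constructed samples: per-probe delay in ms, in send order; None marks a lost probe.
PRIVATE_PATH = [20, 21, 20, 22, 21, 20, 21, 22, 20, 21] * 2
INTERNET_PATH = [40, 120, None, 45, 130, 38, 125, 41, None, 118] * 2


def summarize(delays_ms):
    """Return average latency, loss percentage and jitter for one probe run."""
    if not delays_ms:
        raise ValueError("no probes")
    received = [d for d in delays_ms if d is not None]
    loss_pct = 100.0 * (len(delays_ms) - len(received)) / len(delays_ms)
    if not received:
        # Every probe was lost: latency and jitter are undefined.
        return {"latency_ms": None, "loss_pct": loss_pct, "jitter_ms": None}
    jitter = 0.0
    for prev, cur in zip(received, received[1:]):
        # RFC 3550 section 6.4.1 running estimate: J += (|D| - J) / 16
        jitter += (abs(cur - prev) - jitter) / 16.0
    return {
        "latency_ms": sum(received) / len(received),
        "loss_pct": loss_pct,
        "jitter_ms": jitter,
    }


def violations(summary, limits=LIMITS):
    """Names of the metrics over their limit (a fully lost path fails all)."""
    return sorted(
        name for name, limit in limits.items()
        if summary[name] is None or summary[name] > limit
    )


if __name__ == "__main__":
    for label, run in (("private", PRIVATE_PATH), ("internet", INTERNET_PATH)):
        result = summarize(run)
        print(label, result, "fails:", violations(result) or "none")
```

In the constructed Internet sample the average latency is within the limit, yet the path still fails on loss and jitter, which is the case extra bandwidth does not fix.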
I know I’ve just opened myself up to those same critics who will laugh at me, pointing, as I stand next to you and your MPLS network… but I don’t care. They probably aren’t in any of these scenarios and shouldn’t be so quick to assume all WANs can be treated the same. In my opinion, your MPLS network is more necessary than they think.
This article is published as part of the IDG Contributor Network.