
MPLS vs VPN ?

Hi,

From what I understand, MPLS and a VPN, like a site-to-site VPN, give the same solution. May I ask why companies would still use MPLS if VPN is a free and secure solution?


Why are they the same in your opinion? They are very different.

IPsec is used on the internet, while MPLS is a virtual network (kinda like a switch where you connect all your devices).

In MPLS you don't need IPsec because it is a network dedicated only to you; other customers cannot see your traffic. MPLS is also more reliable, has high SLAs, you can use QoS, and latency is also better (you can run VoIP in your company).

LAN-to-LAN VPN is used on the internet, which has low SLAs, does not have QoS and is also not a guaranteed service, so you cannot complain just because your voice packets arrive out of order, or they have high latency or jitter. In MPLS you can do these as the services are guaranteed.

Also, L2L IPsec is not as dynamic as MPLS. In MPLS, remote sites can reach each other directly through the MPLS network; in IPsec you usually have connectivity from remote sites to your hub devices, so there is one more hop, which adds to the latency.

MPLS and LAN-to-LAN VPN are very different even in their usage; DMVPN is more similar to MPLS than L2L is (it is dynamic, remote sites can reach each other directly).

As IWAN is getting more widely used, the general practice is that you want to use MPLS for business-critical applications that need a dedicated, reliable line. For all other remote sites you would go with DMVPN (mGRE tunnel running inside an IPsec tunnel) because it provides remote-to-remote connections like MPLS.

Here is a comparison between MPLS and DMVPN.

> In MPLS you don't need ipsec because it is a network dedicated only to you

This is not exactly true. You are separated from other customers in a similar sense as two VLANs on a switch are separated from each other (e.g. one or more tags (route-targets in the case of MPLS L3VPN)), but it's still a shared underlying infrastructure.

MPLS L3VPN provides a logical separation, but traffic is not encrypted across the shared network. Organizations utilizing MPLS L3VPN that also have higher security requirements will run IPsec over MPLS L3VPN. This has the added benefit of security in the event of a misconfiguration somewhere within the L3VPN environment, or a malicious actor in the middle.

For instance, using the example of a typical service provider offering MPLS L3VPN services. If the service provider accidentally misconfigures the route-targets, it's possible for two different customers to see each other's traffic, even though they are supposed to be two separate networks (this is sometimes done on purpose, such as the case of an extranet between two or more organizations).

Likewise, even if the route-targets are configured correctly and your L3VPN service is dedicated just to the single organization end-to-end, anyone with the right access on the service provider side can still reach into your "network" as it traverses the service provider's infrastructure, and view all of your traffic. If this is a concern for the organization, they will typically run IPsec over the MPLS L3VPN service to prevent this from happening. The SP can still see the traffic, but it will be encrypted.
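The route-target misconfiguration described in the comment above can be checked for mechanically. The following is an added example, not part of the original thread: it parses IOS-style VRF stanzas and reports every case where one VRF imports a route-target that another VRF exports. The VRF names, RT values, the one-VRF-per-customer mapping and the `APPROVED` extranet list are all constructed assumptions.

```python
import re
from itertools import permutations

# Constructed sample: IOS-style VRF stanzas as they might appear on a PE router.
# Assumption: each VRF belongs to a different customer.
SAMPLE_CONFIG = """\
ip vrf CUST_A
 rd 65000:1
 route-target both 65000:100
ip vrf CUST_B
 rd 65000:2
 route-target export 65000:200
 route-target import 65000:200
 route-target import 65000:100
ip vrf CUST_C
 rd 65000:3
 route-target both 65000:300
 route-target export 65000:900
ip vrf CUST_D
 rd 65000:4
 route-target both 65000:400
 route-target import 65000:900
"""

# Assumption: extranets agreed on purpose, as (exporting VRF, importing VRF).
APPROVED = {("CUST_C", "CUST_D")}

def parse_vrfs(config):
    """Return {vrf_name: {"import": set, "export": set}} from config text."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():
            # Any top-level command ends the previous stanza.
            m = re.match(r"ip vrf (\S+)", line)
            current = vrfs.setdefault(
                m.group(1), {"import": set(), "export": set()}) if m else None
            continue
        m = re.match(r"\s+route-target (import|export|both) (\S+)", line)
        if m and current is not None:
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs

def find_leaks(vrfs, approved=frozenset()):
    """List (exporter, importer, shared_rts) pairs that are not approved."""
    leaks = []
    for src, dst in permutations(sorted(vrfs), 2):
        shared = vrfs[src]["export"] & vrfs[dst]["import"]
        if shared and (src, dst) not in approved:
            leaks.append((src, dst, sorted(shared)))
    return leaks
```

Here `CUST_B` carries a stray `route-target import 65000:100`, so it receives `CUST_A`'s routes; the `CUST_C` to `CUST_D` import is the deliberate extranet case and is suppressed by the approved list.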

Yeah, I was talking at a high level, didn't want to get into details; I could have worded it better though. If you need security in the MPLS cloud and the benefits of MPLS, you would run GETVPN; the only downside is that you lose QoS inside the MPLS cloud. I have also seen places where MPLS was implemented inside GETVPN too and only the CE addresses were sent to PE routers. It all depends on what the requirements are.

Using an MPLS VPN from a service provider will provide a "private" network that offers a service level agreement; however, the privacy of the network in practice is always a consideration. By running an IPsec VPN across the Internet, you have no real service agreement, certainly not end-to-end. However, by running MPLS VPNs w/o IPsec, you don't really have privacy; it's completely possible and somewhat likely that your VPN will end up being reconfigured at some point, which would allow a third party access. If you had high-value data, you'd want to do both (DMVPN or GETVPN/GDOI over MPLS VPN would be a good idea).

0 points · 11 days ago

Are we talking about Multiprotocol Label Switching as in the thing you implement yourself on your own kit, or L3VPN services as a WAN product you buy for site interconnect (often called 'MPLS' as a product name)?

If the latter, it's a dedicated network, with different SLAs to an overlay network over internet connections.

If the former, it's a completely different thing; it's an overlay network that lets you do all sorts of Neat Stuff. The biggest thing we get out of it is it lets us hide most of our topology from most of our routing processes; if we lose a core link, the LSPs shuffle around, but nothing changes as far as the routing protocols around the edges are concerned, so there's no reconvergence required, so things happen fast.
