Considering the move from VPN to MPLS

08 Apr 2009


In this article I will be discussing managed MPLS (multi-protocol label switching) services, with particular emphasis on their application within an SME business. As a side project, I am currently reading through all the Internet Engineering Task Force (IETF) requests for comment (RFCs) - currently up to RFC 230, which is around four per cent of the way through! At some point, I should find MPLS described in RFC 3031 (like many protocols derived from RFCs, it is further refined in a slew of later RFCs).

But what is MPLS?

In its simplest form, MPLS is a technique to provide private network connections over a public interface, often described as an alternative to virtual private networks (VPNs), but it goes further than that. When a packet is transmitted through an MPLS network it is labelled by a label switch router (LSR). These LSRs interconnect to form a label switch path (LSP) through which the packet is directed. Various decisions can be made, based on the label designation, as to what happens to the packet. An MPLS network can be formed by any number of connections including megastream, frame relay, and ATM devices.

By attaching labels to packets of data, MPLS allows routing to be pushed into lower network layers, which should provide a simpler, more intelligent and (I am told) faster routing mechanism. Higher network layers are still required to sort out error correction and sequencing, so it can become a little more complicated.
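The label handling described above, sketched as an added example (not part of the original article): an ingress router labels a packet once, and each LSR along the LSP forwards on the label alone. The 32-bit entry layout follows RFC 3032; the router names, label values and prefix are constructed for illustration.

```python
import struct

def encode_entry(label, tc=0, bottom=True, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)

def decode_entry(raw):
    """Unpack the first label stack entry of a labelled packet."""
    (word,) = struct.unpack("!I", raw[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}

# Constructed topology: router names, label values and the prefix are made up.
INGRESS = {"10.20.0.0/16": (100, "LSR-A")}        # prefix -> (label, first hop)
LABEL_TABLES = {                                   # per router: in-label -> action
    "LSR-A": {100: ("swap", 200, "LSR-B")},
    "LSR-B": {200: ("swap", 300, "LSR-C")},
    "LSR-C": {300: ("pop", None, "site-2")},
}

def forward(prefix, payload, ttl=64):
    """Carry payload along the LSP; core routers look only at the label."""
    label, hop = INGRESS[prefix]                   # ingress classifies once
    packet = encode_entry(label, ttl=ttl) + payload
    path = []
    while hop in LABEL_TABLES:
        entry = decode_entry(packet)
        if entry["ttl"] <= 1:
            raise RuntimeError(f"{hop}: TTL expired, packet dropped")
        action = LABEL_TABLES[hop].get(entry["label"])
        if action is None:                         # unknown label: drop, never guess
            raise LookupError(f"{hop}: no binding for label {entry['label']}")
        op, out_label, next_hop = action
        path.append((hop, entry["label"], op, out_label))
        if op == "swap":
            packet = encode_entry(out_label, entry["tc"], entry["bottom"],
                                  entry["ttl"] - 1) + packet[4:]
        else:                                      # pop: strip the label at egress
            packet = packet[4:]
        hop = next_hop
    return hop, packet, path

if __name__ == "__main__":
    print(forward("10.20.0.0/16", b"ip-packet"))
```

A label with no binding on a router is dropped rather than forwarded, which is the property to confirm with a provider when asking how one customer's traffic is kept apart from another's.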

Why is it relevant to our business?

Managing network infrastructure across multiple sites, with more than a handful of roaming users, can become time-consuming. It requires nitty-gritty attention to detail in everything from physical equipment specification, through installation and ongoing service maintenance, to the logical aspects of security control, access control, and resilience. Presently, we manage everything ourselves, which is something of a handful when your IT team is small. This management problem can be magnified when dealing with dozens of remote workers and multiple sites, more often than not including temporary locations. This problem of provision and management is a primary factor which led us toward managed MPLS services.

We have a number of aims and objectives in mind when looking at a managed MPLS service, including:

  • Connecting offices seamlessly, quickly and easily with improved connection speeds
  • Connecting remote and mobile workers seamlessly, quickly and easily
  • Overcoming management problems with existing disparate devices
  • Bringing critical business resources together into one "virtual" environment
  • The provision of a secure, easily manageable and resilient technical infrastructure with quality of service (QoS)
  • Minimising points of potential failure and improving disaster recovery and time-to-fix
  • Common and consistent internet filtering and other malware protection policies
  • A more secure connection method than offered by existing VPN

Managing ever-increasing traffic demands

One other factor to bear in mind is that we have been using voice over IP (VoIP) on our primary site for more than five years, based around the 3Com NBX series, and it would be great to roll it out to remote sites but, historically, the wide area network just isn’t capable, especially as the VoIP equipment requires multicasting. We are also seeing a lot more audio and video traffic coming into the network – primarily from news sites.

I have spent a number of years driving traffic away from our router by rethinking and devolving aspects of our network; locking off protocol ports and services one by one and migrating services away – all to make the best use of the megastream connection we rely on day to day and provide some resiliency should it fail. Gone are our self-hosted web sites, our public FTP server, and incoming public mail connector.

With all that done we are still using more bandwidth than ever.

Potential suppliers' sales representatives have described managed MPLS services as “plug-and-play VPN with all the hassle taken out”, but I have doubts that anything can be that simple, so I expect to tread carefully in our investigation.

Some of the services offered by a managed MPLS service include:

  • Communication traffic engineering and prioritisation
  • Virtual private networking
  • Centralised reporting and device monitoring
  • Improved and centralised management
  • Increases in perceived throughput and speed
  • Redundancy and resiliency of essential services
  • Better security as MPLS is not publicly addressable

A number of additional services can be tacked onto an MPLS service offering including centralised internet access control and co-location of our servers.

Where are we now?

At the moment I can sit and draw a diagram of how our network is interconnected and everything makes sense, is clear and logical. A big concern is that once we migrate to MPLS, a huge empty cloud appears in the middle of the diagram and we no longer have any sight, or knowledge, of what is going on.

On the positive side, much of the more time-consuming technical stuff is taken away, but on the other hand, much of the technical stuff is taken away. One of our strengths in technology has always been our ability to react quickly to changing business requirements, as we control much of our own infrastructure. Having to pre-book visits to a datacentre or queue up waiting for service support personnel can take its toll and leave us feeling somewhat distant from our equipment. This could impact our ability to react quickly to business changes – however, we need to weigh this up against the clear advantages MPLS could offer. So, the jury is still out on MPLS for us at the moment.

Some of the concerns I plan to look into further include:

  • Is our traffic isolated from other businesses' traffic?
  • How do we manage access to our network?
  • What is to stop unwanted devices turning up on our network?
  • How can we see them or grasp an idea of where they might be?
  • What about any unusual sub-netting taking place?
  • How are mobile and roaming users handled (with no fixed point of presence)?
  • Are there any QoS issues we need to be aware of?
  • How much control do we have (and how straightforward is management) of protection services?
  • Does MPLS support multi-casting, for example in our VoIP environment?
  • What are the service or software licensing implications?
  • Can we provision a third-party backup internet connection to our head office?
  • How do we switch over to this service? Directly or in parallel?

What are your experiences of MPLS? Have you implemented a managed MPLS service?

Reader comments

Jason, did you complete the MPLS project? If so, what providers did you meet with? Regards, Paul

Posted by: Paul  19 Sep 2010

Very nice post. I know much about VPN but this is something new for me also.

Posted by: Super VPN Service  21 Jul 2010

>What are your experiences of MPLS? Have you implemented a managed MPLS service?

Thanks for the interesting description of the MPLS VPN technology.

Written transparently and understandably.

Now I use a regular VPN to integrate remote workers. I think for the small business (10-50 remote employees) this is quite enough.

Posted by: personal vpn  11 Nov 2009
