If your branch offices are spread all over the country, or indeed, the globe, then trying to get a consistent set of services delivered to these offices can be even more daunting.
Too often, we allow this collage of services to dictate how we assemble our Wide Area Network, and how we architect our enterprise. But if you understand the latest WAN services, and apply them correctly, you can make the services work for you instead of the other way around. Let’s take a look at the most common, modern WAN services here in the UK and abroad and see what they are, and how they fit together.
Multi Protocol Label Switching - MPLS
The first technology you’ll hear pitched fairly often is MPLS, which stands for Multi-Protocol Label Switching. MPLS is a method providers use to create “fast paths” through a large routed network. When a packet first enters an MPLS network (domain), the first router in the chain (the ingress router) puts a label on the outside of the packet and forwards it to the next router. Then, at each step through the provider network, each router only has to read the label (not the full packet headers) to determine where the packet should be forwarded. These label lookups are a more efficient way of pushing traffic through the provider network. MPLS gives the provider better traffic engineering, quality of service, and very fast recovery times in the event of a link failure in the network. It also provides your enterprise with a number of “virtual private networks” between branches.
What does that mean for your enterprise? Your branch offices may all be tied into a large provider’s “cloud”, and some of that traffic may even traverse routers carrying commodity internet traffic. However, your enterprise traffic is being “fast-tracked” in these label switched paths (LSPs). The LSP provides isolation, better quality of service, and faster recovery in the event of a link failure than the traditional routing protocols being used by the commodity traffic running alongside. The provider network is acting as a “pseudo wire” (or a set of them) between your branch offices. Unlike plain commodity internet connections, you can be sure that these pseudo wires will provide a guaranteed amount of bandwidth from one office to another.
One important note here: MPLS by itself does provide some isolation from other traffic, but it does NOT provide encryption (at least not natively). So you will still need to consider your own security needs and policies for traffic in this MPLS VPN. Your data is kept LOGICALLY separate (and thus private) from other user traffic as it passes through the provider network. Some enterprise customers hear “MPLS VPN” and automatically assume encryption. The MPLS VPN works more like VLANs through a set of Layer 2 switches. I’m not crazy about the VLAN analogy, because it’s not a perfect one. Some may find it relatable, and an MPLS VPN certainly works more like a VLAN than it does an IPSEC VPN.
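To make the label-switching and isolation points concrete, here is a small simulation added for this article (it is not code from the original post or from any provider). It models a constructed four-router label switched path, PE1 -> P1 -> P2 -> PE2, carrying two hypothetical customer VPNs, “acme” and “globex”, that both use the 10.0.0.0/8 address space. The ingress PE pushes a label, the transit routers swap labels without ever parsing the inner packet, and the egress PE uses the label, not the inner address, to choose which customer to deliver into. The last return value of SendAcross shows the caveat from the paragraph above: the payload that the transit routers carried was in cleartext the whole way.

```go
package main

import (
	"fmt"
	"strings"
)

// IPPacket is a customer packet as it arrives at the provider edge.
// Addresses are strings to keep the simulation readable.
type IPPacket struct {
	VPN     string // customer VPN of the attachment circuit it came in on
	Dst     string // destination address inside that VPN
	Payload string // application data, carried unchanged and unencrypted
}

// LabeledPacket is what travels between provider routers: a label on the
// outside, the original packet untouched on the inside.
type LabeledPacket struct {
	Label int
	Inner IPPacket
}

// fecEntry maps a forwarding-equivalence class (VPN + destination prefix)
// to the label the ingress router pushes.
type fecEntry struct {
	vpn, prefix string
	label       int
}

// Router holds the tables an MPLS router needs: fib on the ingress PE,
// lfib (incoming label -> outgoing label) on transit routers, and vpnOf
// (incoming label -> customer VPN) on the egress PE.
type Router struct {
	Name  string
	fib   []fecEntry
	lfib  map[int]int
	vpnOf map[int]string
}

// Ingress classifies by longest matching FEC and pushes that label.
func (r *Router) Ingress(p IPPacket) (LabeledPacket, error) {
	best := -1
	for i, f := range r.fib {
		if f.vpn == p.VPN && strings.HasPrefix(p.Dst, f.prefix) &&
			(best < 0 || len(f.prefix) > len(r.fib[best].prefix)) {
			best = i
		}
	}
	if best < 0 {
		return LabeledPacket{}, fmt.Errorf("%s: no route to %s in VPN %s", r.Name, p.Dst, p.VPN)
	}
	return LabeledPacket{Label: r.fib[best].label, Inner: p}, nil
}

// Transit swaps the label using lfib alone; the inner header and payload are
// never parsed here, which is the efficiency MPLS is sold on.
func (r *Router) Transit(lp LabeledPacket) (LabeledPacket, error) {
	out, ok := r.lfib[lp.Label]
	if !ok {
		return lp, fmt.Errorf("%s: unknown label %d", r.Name, lp.Label)
	}
	return LabeledPacket{Label: out, Inner: lp.Inner}, nil
}

// Egress pops the label and uses it, not the inner address, to choose the
// customer VPN to deliver into. That is what keeps overlapping customer
// address space apart.
func (r *Router) Egress(lp LabeledPacket) (string, IPPacket, error) {
	vpn, ok := r.vpnOf[lp.Label]
	if !ok {
		return "", IPPacket{}, fmt.Errorf("%s: label %d is not an egress label", r.Name, lp.Label)
	}
	return vpn, lp.Inner, nil
}

// newProviderNetwork is a constructed four-router LSP PE1 -> P1 -> P2 -> PE2
// carrying two hypothetical customer VPNs that both use 10.0.0.0/8.
func newProviderNetwork() (pe1, p1, p2, pe2 *Router) {
	pe1 = &Router{Name: "PE1", fib: []fecEntry{{"acme", "10.", 100}, {"globex", "10.", 200}}}
	p1 = &Router{Name: "P1", lfib: map[int]int{100: 101, 200: 201}}
	p2 = &Router{Name: "P2", lfib: map[int]int{101: 102, 201: 202}}
	pe2 = &Router{Name: "PE2", vpnOf: map[int]string{102: "acme", 202: "globex"}}
	return
}

// SendAcross pushes one packet along the LSP. It reports which VPN the packet
// was delivered into and what a transit router carried in cleartext.
func SendAcross(p IPPacket) (deliveredVPN, seenInTransit string, err error) {
	pe1, p1, p2, pe2 := newProviderNetwork()
	lp, err := pe1.Ingress(p)
	if err != nil {
		return "", "", err
	}
	for _, hop := range []*Router{p1, p2} {
		if lp, err = hop.Transit(lp); err != nil {
			return "", "", err
		}
	}
	seenInTransit = lp.Inner.Payload // the label isolates; it does not encrypt
	deliveredVPN, _, err = pe2.Egress(lp)
	return deliveredVPN, seenInTransit, err
}

func main() {
	vpn, seen, err := SendAcross(IPPacket{VPN: "acme", Dst: "10.1.2.3", Payload: "salary data"})
	fmt.Println(vpn, seen, err)
}
```

Sending the same destination address from the “acme” and “globex” attachment circuits lands in different customer networks because the labels differ, which is the VLAN-like separation described above; the payload string is readable at P1 and P2 regardless, which is why the encryption question comes back in the IPSEC section.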
Virtual Private LAN Services - VPLS
The next technology that is frequently pitched for your UK or global offices is Virtual Private LAN Service (VPLS). Virtual Private LAN Service is used to connect all of your branch offices together and present the last mile into each location as an Ethernet circuit. Then the provider provisions their network to look like a “cloud switch” between those locations. Since the provider network is a “cloud switch” for your Layer 2 network, the provider network learns MAC addresses just like a local switch would and forwards frames between your local (and remote) devices based on MAC address, not IP address. Virtual Private LAN Service is one of two MPLS technologies that providers typically deploy to provide you with an MPLS VPN. As such, you might consider it a subset of MPLS.
What does this mean for the Enterprise? In the VPLS setup, each of your branch offices sees the others as “locally connected to the LAN” at Layer 2 (albeit with some added latency, since that other branch may be in Hong Kong). When using a VPLS, you may not need a Layer 3 router boundary between your branches. They could all share a single IP subnet, or perhaps you want just your phones at each branch to share a subnet. The VPLS can also be a good option for some legacy applications that still require that devices be “in the local broadcast domain” or employ legacy protocols like AppleTalk.
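The “cloud switch” behaviour is easiest to see as a learning bridge whose ports are branch offices. The following is an added example written for this article (not the original author’s code and not any vendor’s implementation) with constructed site names and MAC addresses. It learns each source MAC on the site it arrived from, unicasts to a learned destination, and floods broadcast and unknown-unicast frames to every other site, which is exactly what puts each branch in one broadcast domain and also means every flood crosses every branch’s WAN link. The maxMACs cap models the bounded learning table a real PE keeps, so a burst of bogus source addresses cannot grow the table without limit.

```go
package main

import "fmt"

// Frame is an Ethernet frame as the provider's "cloud switch" sees it: it is
// forwarded on MAC addresses; the IP packet inside is never examined.
type Frame struct {
	Src, Dst string
	Site     string // branch (attachment circuit) the frame arrived from
}

const broadcast = "ff:ff:ff:ff:ff:ff"

// CloudSwitch models one customer's VPLS instance: a learning bridge whose
// ports are branch offices. maxMACs bounds the learning table the way a real
// PE does, so unknown sources stop being learned once it is full.
type CloudSwitch struct {
	sites   []string
	table   map[string]string // MAC -> site it was learned on
	maxMACs int
	Log     []string
}

func NewCloudSwitch(maxMACs int, sites ...string) *CloudSwitch {
	return &CloudSwitch{sites: sites, table: map[string]string{}, maxMACs: maxMACs}
}

// Forward learns the source MAC on the ingress site, then either unicasts to
// the site the destination was learned on or floods to every other site.
// Broadcast and unknown unicast behave the same way, exactly as on a local
// switch, except that here each flood crosses every branch's WAN link.
func (s *CloudSwitch) Forward(f Frame) []string {
	if _, known := s.table[f.Src]; known || len(s.table) < s.maxMACs {
		s.table[f.Src] = f.Site // learn, or update if the host moved sites
	}
	if site, ok := s.table[f.Dst]; ok && f.Dst != broadcast {
		if site == f.Site {
			return nil // destination is local to the sender; nothing crosses the WAN
		}
		s.Log = append(s.Log, fmt.Sprintf("%s -> %s: unicast to %s", f.Src, f.Dst, site))
		return []string{site}
	}
	var out []string
	for _, site := range s.sites {
		if site != f.Site {
			out = append(out, site)
		}
	}
	s.Log = append(s.Log, fmt.Sprintf("%s -> %s: flooded to %v", f.Src, f.Dst, out))
	return out
}

// Learned returns the site a MAC was learned on, or "" if it is unknown.
func (s *CloudSwitch) Learned(mac string) string { return s.table[mac] }

func main() {
	sw := NewCloudSwitch(1024, "london", "hongkong", "newyork")
	fmt.Println(sw.Forward(Frame{Src: "aa:aa:aa:00:00:01", Dst: broadcast, Site: "london"}))
	fmt.Println(sw.Forward(Frame{Src: "bb:bb:bb:00:00:02", Dst: "aa:aa:aa:00:00:01", Site: "hongkong"}))
	for _, l := range sw.Log {
		fmt.Println(l)
	}
}
```

The first frame (a broadcast from London) goes to Hong Kong and New York; the reply from Hong Kong goes only to London because the cloud switch has now learned where that MAC lives. The trade-off the paragraph hints at is visible in the flood path: every ARP request or legacy broadcast at one branch is delivered to all the others, so broadcast-heavy segments cost WAN bandwidth on every site.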
IPSec VPN - IP Security
Another technology you might deploy is an IPSEC VPN. You might deploy this technology on your own, or it might be sold by a provider as a managed service. The IPSEC VPN uses a gateway device to act as a VPN endpoint at each end of a virtual tunnel. All traffic passing through the tunnel is encrypted. The IPSEC VPN doesn’t provide you connectivity from branch A to branch B, it simply secures that connectivity. The actual connectivity to that branch office might be an MPLS circuit, a commodity Internet connection, or even an LTE cellular connection.
What does an IPSEC VPN mean for your enterprise? Remember when I said that (at least natively) those MPLS circuits (or VPNs) don’t provide encryption across the provider backbone? Many modern enterprises require encryption for data while in-flight across someone else’s network. Even though the MPLS VPN is logically separate from other user traffic, any number of internal or external security regulations may require that you encrypt your data anyway. Maybe you’ll need to encrypt all of it, maybe just the critical data containing personally identifiable information. But at some point, you’re going to have a need to encrypt some data between these branch offices. IPSEC VPN tunnels are the most widely deployed method for doing that.
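What the tunnel actually does to a packet is easier to see than to describe. The following is an added example for this article (not the original author’s code and not a real IPsec stack): two hypothetical gateways with RFC 5737 documentation addresses share a constructed AES-256-GCM key and SPI, which a real deployment would get from IKE, with one SA per direction and a sequence-number nonce rather than a random one. Encapsulate is tunnel mode: the entire inner packet, private addresses included, is encrypted and authenticated, and the outer header is bound into the authentication tag, so the only thing the provider network (MPLS, commodity Internet or LTE, it makes no difference) can see is gateway-to-gateway traffic with an opaque body.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// innerPacket is the branch-to-branch IP packet (private addresses and data)
// that the tunnel protects. Headers are strings to keep the example readable.
type innerPacket struct {
	Src, Dst string
	Data     []byte
}

// TunnelPacket is all that crosses the provider network: an outer header
// naming the two gateways, an SPI identifying the security association, and
// an opaque authenticated ciphertext. An on-path observer sees nothing else.
type TunnelPacket struct {
	OuterSrc, OuterDst string
	SPI                uint32
	Nonce, Body        []byte
}

// Gateway is one IPsec endpoint. Both ends hold the same key and SPI; in a
// real deployment IKE negotiates them and keeps one SA per direction.
type Gateway struct {
	Addr string
	aead cipher.AEAD
	spi  uint32
}

func NewGateway(addr string, key []byte, spi uint32) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{Addr: addr, aead: aead, spi: spi}, nil
}

// aad binds the outer header and SPI into the authentication tag, so a
// packet redirected to a different gateway or SA fails verification.
func aad(src, dst string, spi uint32) []byte {
	return []byte(fmt.Sprintf("%s>%s#%d", src, dst, spi))
}

// Encapsulate is tunnel mode: the entire inner packet, headers included, is
// encrypted and authenticated, then wrapped in the outer header.
func (g *Gateway) Encapsulate(p innerPacket, peer string) (TunnelPacket, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // ESP uses a sequence counter; random suffices for this demo
		return TunnelPacket{}, err
	}
	plain := []byte(p.Src + "|" + p.Dst + "|" + string(p.Data))
	body := g.aead.Seal(nil, nonce, plain, aad(g.Addr, peer, g.spi))
	return TunnelPacket{OuterSrc: g.Addr, OuterDst: peer, SPI: g.spi, Nonce: nonce, Body: body}, nil
}

// Decapsulate verifies then decrypts. Any change to the body, nonce, outer
// addresses or SPI makes Open fail, and the packet is dropped.
func (g *Gateway) Decapsulate(tp TunnelPacket) (innerPacket, error) {
	if tp.OuterDst != g.Addr || tp.SPI != g.spi {
		return innerPacket{}, errors.New("no security association for this packet")
	}
	plain, err := g.aead.Open(nil, tp.Nonce, tp.Body, aad(tp.OuterSrc, tp.OuterDst, tp.SPI))
	if err != nil {
		return innerPacket{}, err
	}
	parts := strings.SplitN(string(plain), "|", 3)
	if len(parts) != 3 {
		return innerPacket{}, errors.New("malformed inner packet")
	}
	return innerPacket{Src: parts[0], Dst: parts[1], Data: []byte(parts[2])}, nil
}

// sampleKey is a constructed 32-byte AES-256 key for this demo only.
var sampleKey = []byte("constructed-32-byte-sample-key!!")

func main() {
	a, _ := NewGateway("203.0.113.1", sampleKey, 0x1000)
	b, _ := NewGateway("198.51.100.1", sampleKey, 0x1000)
	tp, _ := a.Encapsulate(innerPacket{Src: "10.1.0.5", Dst: "10.2.0.9", Data: []byte("payroll")}, b.Addr)
	fmt.Printf("on the wire: %s -> %s spi=%#x body=%x\n", tp.OuterSrc, tp.OuterDst, tp.SPI, tp.Body)
	got, err := b.Decapsulate(tp)
	fmt.Println(got.Src, got.Dst, string(got.Data), err)
}
```

Running it prints the outer header and a ciphertext body with no trace of the 10.x addresses or the data, and the far gateway recovers the inner packet intact. Flipping one byte of the body, or changing the outer source, makes Decapsulate fail closed, which is the integrity guarantee that the MPLS label alone never gave you.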
SD WAN - Software Defined Wide Area Network
We moved up a network layer to talk about IPSEC VPN, and now we’re going to move up another layer. SD WAN is a technology that doesn’t provide connectivity to any of your branch offices. SD WAN acts as an overlay helping you to manage the connectivity you’ve already acquired and make the best use of it. SD WAN stands for Software Defined Wide Area Networking. It’s an offshoot of the SDN technologies that matured in datacenters over the last decade. An SD WAN solution takes all of your disparate WAN connections, spread across multiple providers (and maybe multiple continents) and allows you to manage them in one pane of glass. In general, in SD WAN solutions, the decision making (control plane) doesn’t exist at each branch office anymore. It’s been separated out so that the CPE on-site at each branch is only a data (forwarding) plane, forwarding traffic as it’s been instructed.
What does this mean for your enterprise? SD WAN can allow you to put much cheaper routers or gateways at your branches, because the actual decision making is done in software located elsewhere. Imagine a new branch office coming online, and all you need to know is the IP address of the new (light) CPE at the site. In a few clicks you can provision all of your enterprise-wide security policies, set up an IPSEC tunnel to the corporate datacenter, and push all of that to the site CPE in minutes. Another benefit of SD WAN is the ability to “steer” packets onto the best circuit for that traffic type.
Let’s assume Branch A has one MPLS VPN circuit at 40Mb/s, one commodity Internet circuit at 1Gb/s and one 4G LTE circuit at 50Mb/s. You can use your SD WAN deployment to ensure that VOIP, email, and nightly backups use the MPLS circuit. You can make sure that everything else uses the commodity Internet circuit (since that’s your cheapest connectivity). You can also ensure that the 4G LTE circuit is only used in an emergency when both of the other connectivity types are down. All of this (across 3 providers) can be configured, deployed, changed, and managed in a single management interface.
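The Branch A policy above, written as the steering logic a light CPE would run on a policy its controller pushed. This is an added example for this article (not the author’s code and not any SD WAN vendor’s product); the circuit names, class names and the Up/UsedMbps fields are constructed stand-ins for the probe results and flow accounting a real controller keeps. VoIP, email and backups prefer MPLS, everything else prefers the commodity Internet link, and the LTE circuit is flagged standby so it is considered only after every primary link has been rejected as down or full.

```go
package main

import "fmt"

// Circuit is one WAN link at a branch together with the health facts the
// controller's probes keep current. Here they are set by hand.
type Circuit struct {
	Name     string
	Mbps     int  // contracted capacity
	Up       bool // passing probes right now
	Standby  bool // emergency-only link, used when nothing else is up
	UsedMbps int  // bandwidth already committed to flows
}

// Policy maps a traffic class to the circuits it may use, most preferred first.
// This is what the controller pushes; the branch CPE never edits it locally.
type Policy map[string][]string

// Branch is the light CPE: it forwards according to the pushed policy and the
// live state of its circuits, nothing more.
type Branch struct {
	Circuits []*Circuit
	Policy   Policy
	Default  []string // preference list for classes the policy does not name
}

func (b *Branch) circuit(name string) *Circuit {
	for _, c := range b.Circuits {
		if c.Name == name {
			return c
		}
	}
	return nil
}

// Steer assigns one flow to a circuit: walk the class's preference list,
// skipping links that are down or lack headroom, and consider standby links
// only after every primary link has been rejected.
func (b *Branch) Steer(class string, mbps int) (string, error) {
	prefs, ok := b.Policy[class]
	if !ok {
		prefs = b.Default
	}
	for _, standbyPass := range []bool{false, true} {
		for _, name := range prefs {
			c := b.circuit(name)
			if c == nil || !c.Up || c.Standby != standbyPass || c.UsedMbps+mbps > c.Mbps {
				continue
			}
			c.UsedMbps += mbps
			return c.Name, nil
		}
	}
	return "", fmt.Errorf("no usable circuit for %s (%d Mb/s)", class, mbps)
}

// NewBranchA is the constructed branch from the text: one MPLS VPN circuit at
// 40 Mb/s, one commodity Internet circuit at 1 Gb/s and one 4G LTE circuit at
// 50 Mb/s held in reserve.
func NewBranchA() *Branch {
	return &Branch{
		Circuits: []*Circuit{
			{Name: "mpls", Mbps: 40, Up: true},
			{Name: "internet", Mbps: 1000, Up: true},
			{Name: "lte", Mbps: 50, Up: true, Standby: true},
		},
		Policy: Policy{
			"voip":   {"mpls", "internet", "lte"},
			"email":  {"mpls", "internet", "lte"},
			"backup": {"mpls", "internet", "lte"},
		},
		Default: []string{"internet", "mpls", "lte"},
	}
}

func main() {
	br := NewBranchA()
	for _, f := range []struct {
		class string
		mbps  int
	}{{"voip", 1}, {"web", 10}, {"backup", 39}, {"voip", 1}} {
		name, err := br.Steer(f.class, f.mbps)
		fmt.Println(f.class, "->", name, err)
	}
}
```

The fourth flow in main shows a decision the paragraph does not spell out: once the 40Mb/s MPLS circuit is full, a new VoIP call spills onto the Internet link rather than being refused, because the policy lists it as the second preference. The LTE link is never touched until both MPLS and Internet are down, and even then a flow larger than its 50Mb/s is rejected rather than silently oversubscribed.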
You have a lot of options to consider when purchasing WAN services for your enterprise. You might be considering MPLS, VPLS, IPSEC VPN, SD WAN, or ABBA (alright, that last one is a band, were you paying attention?). Whichever technologies are presented to you, I would remind you that these technologies are intended to serve you. Your choice of technology should be tailored to the needs of your organization. Not the other way around.