VPNs, VLLs and VPLSs – enabling companies to connect several sites
For companies with multiple branches, efficient collaboration across various sites is crucially important. To ensure this, the sites must be networked with one another. The most common networking setups are virtual private networks (VPNs), virtual leased lines (VLLs) and virtual private LAN services (VPLSs). When selecting the appropriate method, it is important to take into account the advantages and disadvantages of each alternative, not to mention the security, quality and cost requirements.
Companies with more than one site need to ensure smooth data and communication transfer between the individual sites. If employees at site A are to have access to the same documents as employees at site B, the two sites must be networked with one another. This network can be implemented in various ways. Each method has its own advantages and disadvantages.
Site networking over a virtual private network (VPN)
Networking over a virtual private network (VPN) is a common method of site networking. A VPN establishes a secure connection between the sender and the recipient: a tunneling protocol such as IPsec or WireGuard encrypts and authenticates each data packet, packs it into another (outer) data packet and transmits it over the internet. In effect, it constructs a tunnel through the public internet: observers on the path can see that the two VPN gateways are exchanging traffic, but not the contents or the internal addresses of the packets inside the tunnel.
The advantages and disadvantages of site networking over a VPN
VPN encryption protects the connection from public access. However, encrypting and decrypting every packet requires a great deal of processor power, and the associated energy consumption is high. Inexpensive VPN gateways therefore have limited data throughput: despite common 10 Gb internet connections, throughput often dwindles to just megabits as soon as the VPN is switched on, because the bottleneck is the gateway’s cryptographic performance rather than the line. Higher-performance VPN gateways, which can have very complex configurations, are correspondingly expensive.
While a VPN works across providers, its performance depends on the quality of the interconnection between the providers involved. If the data packets are not transported from A to B in the best possible way (suboptimal routing), this can negatively impact the experience that users have of the VPN.
Site networking over a virtual leased line (VLL)
A virtual leased line is a dedicated point-to-point connection between two sites that is facilitated by a single provider. The two sites can communicate with one another as if they were connected by a direct line.
A VLL connection acts like a very long, direct Ethernet cable. If several sites are connected, several VLLs are used and a main site is usually defined.
One part of the VLL connection is implemented over a physical line, while the other is established over a virtual line. A physical line is leased between the sites and the provider’s nearest point of presence (PoP). This is usually an optical fiber from the local FTTH infrastructure.
The part between the PoPs (i.e. the majority of the route) is implemented over a virtual line on the provider’s network (more precisely, on the backbone). What makes this ‘virtual’ is the fact that part of the provider’s network capacity is virtually assigned to the VLL.
Suppose a company has two sites (one in Zurich, and another in Geneva) and it would like to connect them with a VLL solution from Init7. In this case, Init7 provides the company with a physical line from the Zurich site to the nearest Init7 point of presence (PoP) in Zurich and from the Geneva site to the nearest Init7 PoP in Geneva. The connection between the two PoPs (i.e. between Zurich and Geneva) is established over a virtual line. For the sites, however, this works as though they were connected directly over a LAN.
Routing is not always optimal
Data transfer usually works something like this: The data (e.g. an email) that someone sends is divided into small data packets. Each data packet is given a header. The header contains information that is relevant for processing the packet. For example, it defines the sender and destination addresses.
The data packets pass through multiple routers until they reach their destination. Each router reads the packet’s header and forwards the packet to the next router according to its own routing table.
This type of routing is “destination-based”: every router chooses the next hop solely from the destination address and its own table, so the sender of the data cannot determine which path their packets will take. As a result, data packets are often not forwarded along the best possible path (suboptimal routing). For example, data packets between Winterthur and Zurich might take a detour via London. In technical jargon, this is often cynically referred to as “scenic routing”. VPN connections, which ride on this public-internet routing, can be negatively affected as a result.
VLL based on multiprotocol label switching (MPLS)
This is not the case with multiprotocol label switching (MPLS). Here, the path that the data packets take is defined in advance by the provider.
At the edge of the provider’s network, each data packet is assigned a label that identifies a specific, pre-computed path (a label-switched path, LSP). This label is carried in an MPLS header inserted in front of the “normal” IP header. The routers in the provider’s backbone only read this MPLS header, swap the label for the next one on the path and forward the packet to the correspondingly predefined next router; the IP header is not consulted again until the packet leaves the LSP.
Because MPLS only runs within the provider’s network, the provider controls the path and hence the connection quality. Accordingly, very high data throughput can be expected.
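The two forwarding models described above (destination-based IP routing and label switching along an LSP), as an added example that is not part of the original article: a small Go simulation of an IP router that picks each hop by longest prefix match on the destination address, next to a label-switching router that only swaps labels according to a table the provider filled in beforehand. The router names, prefixes and labels are a constructed topology for illustration, not Init7’s network; in it the Winterthur router’s only upstream is a router in London, so the IP packet to the Zurich site takes the “scenic route”, while the labelled packet follows the provider’s path through its core.

```go
package main

import (
	"fmt"
	"net/netip"
)

// route is one forwarding-table entry: a prefix and the next router, or
// "local" when the destination network is attached to this router.
type route struct {
	prefix  netip.Prefix
	nextHop string
}

// ipRouter decides every hop from the destination address alone, using the
// most specific matching prefix (longest prefix match).
type ipRouter struct{ routes []route }

func (r ipRouter) lookup(dst netip.Addr) (next string, ok bool) {
	bestBits := -1
	for _, rt := range r.routes {
		if rt.prefix.Contains(dst) && rt.prefix.Bits() > bestBits {
			bestBits, next = rt.prefix.Bits(), rt.nextHop
		}
	}
	return next, bestBits >= 0
}

// ipPath pushes a packet through the routers hop by hop and records its path.
// The sender has no say: each router consults only its own table and the
// destination address, which is why the route may turn out to be a "scenic" one.
func ipPath(routers map[string]ipRouter, start string, dst netip.Addr) ([]string, error) {
	path, cur := []string{start}, start
	for ttl := 16; ttl > 0; ttl-- { // TTL guard against forwarding loops
		next, ok := routers[cur].lookup(dst)
		if !ok {
			return path, fmt.Errorf("%s: no route to %s", cur, dst)
		}
		if next == "local" {
			return path, nil
		}
		path, cur = append(path, next), next
	}
	return path, fmt.Errorf("TTL exceeded: forwarding loop")
}

// labelEntry is one row of a label-switching router's table: for an incoming
// label, the outgoing label and the next router. outLabel 0 means the label is
// popped and the packet leaves the LSP towards nextHop.
type labelEntry struct {
	outLabel uint32
	nextHop  string
}

type lsr map[uint32]labelEntry // incoming label -> action

// lspPath follows a label-switched path from the ingress router. Backbone
// routers never look at the IP header; they only swap the label according to
// their table, so the packet takes exactly the path the provider configured.
func lspPath(lsrs map[string]lsr, ingress string, label uint32) ([]string, error) {
	path, cur := []string{ingress}, ingress
	for ttl := 16; ttl > 0; ttl-- {
		e, ok := lsrs[cur][label]
		if !ok {
			return path, fmt.Errorf("%s: no entry for label %d", cur, label)
		}
		path = append(path, e.nextHop)
		if e.outLabel == 0 {
			return path, nil // label popped: end of the LSP
		}
		label, cur = e.outLabel, e.nextHop
	}
	return path, fmt.Errorf("TTL exceeded: label loop")
}

// Constructed topology (not a real network): the Winterthur router's only
// upstream is a router in London, so plain IP forwarding to the Zurich site
// detours via London, while the provider's LSP goes straight through its core.
func demoIP() ([]string, error) {
	p := netip.MustParsePrefix
	routers := map[string]ipRouter{
		"winterthur": {[]route{{p("10.1.0.0/16"), "local"}, {p("0.0.0.0/0"), "london"}}},
		"london":     {[]route{{p("10.1.0.0/16"), "winterthur"}, {p("10.2.0.0/16"), "zurich"}, {p("0.0.0.0/0"), "local"}}},
		"zurich":     {[]route{{p("10.2.0.0/16"), "local"}, {p("0.0.0.0/0"), "london"}}},
	}
	return ipPath(routers, "winterthur", netip.MustParseAddr("10.2.0.7"))
}

func demoMPLS() ([]string, error) {
	lsrs := map[string]lsr{
		"winterthur": {100: {outLabel: 200, nextHop: "core"}}, // ingress: label 100 pushed here
		"core":       {200: {outLabel: 0, nextHop: "zurich"}},  // penultimate hop pops the label
	}
	return lspPath(lsrs, "winterthur", 100)
}

func main() {
	fmt.Println(demoIP())   // [winterthur london zurich] <nil>
	fmt.Println(demoMPLS()) // [winterthur core zurich] <nil>
}
```

The point to take from the two paths is that the IP router in Winterthur has no way to express “send this to Zurich directly”; only the provider, by installing label-table rows on its own routers, can pin the path. The same `ipPath` function also shows why a VPN inherits whatever route the intermediate providers’ tables produce.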
Encryption is not required for VLL to meet normal needs
Unlike VPNs, VLLs are not encrypted. However, as the data only flows across the provider’s infrastructure and not through the public internet, engaging a trustworthy VLL provider is adequate for normal needs. It is worth being clear about what that trust covers: the data crosses the provider’s backbone in plaintext, so its confidentiality rests on the provider’s access controls and staff rather than on cryptography.
As mentioned above, data transmitted over MPLS is marked with a label and arrives only at the destination the label defines. It is like luggage on an airplane: the suitcase label determines the destination, but the airline (the provider) could in theory view the contents of the suitcase with an X-ray machine, even though this does not happen in practice.
In the worst-case scenario, a configuration error might confuse the labels so that a data packet arrives at the wrong destination. This would be noticed quickly, because the connection stops working, so the security risk is low. Note, however, that the misdirected packets have already been delivered by the time the error is noticed; data that must never reach a third party should therefore be encrypted at a higher layer (for example with TLS, or with the encryptors described in the next section) even on a VLL.
High-security encryption possible over a VLL
For connections with stricter security requirements, such as banking, the traffic can be encrypted using additional devices. Dedicated encryptors that encrypt the entire data traffic are connected to both ends of the VLL; Ethernet link encryption of this kind is standardised as MACsec (IEEE 802.1AE). Such devices rotate their keys automatically at short intervals, which is roughly as if a bank card’s PIN were changed every minute. In this case, the company no longer has to trust its VLL provider at all, because the provider only ever sees encrypted frames.
However, high-performance encryptors that do not reduce data throughput are expensive, costing a five-figure sum per pair. On the other hand, they run practically maintenance-free for several years. A market overview of encryptors was published some time ago by inside-it.ch.
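A toy illustration of what such a link encryptor does, added here and not code from the article or from any encryptor vendor: each Ethernet frame’s payload is encrypted with AES-256-GCM, the 14-byte header stays readable (the provider still has to switch the frame) but is authenticated together with the payload, the nonce is a counter that never repeats under one key, the key is rotated after a fixed number of frames, and replayed or modified frames are rejected. MACsec works along these lines; the pre-shared master secret, the HMAC-based per-epoch key derivation, the rekey threshold, the endpoint names and the frame contents are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	hdrLen      = 14   // Ethernet dst MAC, src MAC, EtherType: left readable so the provider can switch the frame
	nonceLen    = 12   // 4-byte key epoch || 8-byte frame counter
	rekeyFrames = 1000 // rotate the session key after this many frames (hypothetical policy)
)
// endpoint is one end of the link. Both ends share 'master' out of band; per-epoch
// keys are derived from it with HMAC-SHA256 (standing in for a real key agreement).
type endpoint struct {
	master   []byte
	epoch    uint32
	aead     cipher.AEAD
	sendCtr  uint64 // next nonce counter when sending
	recvNext uint64 // lowest counter still acceptable in this epoch (replay check)
}
// keyFor derives the AES-256-GCM key for one epoch from the shared master secret.
func keyFor(master []byte, epoch uint32) cipher.AEAD {
	kdf := hmac.New(sha256.New, master)
	binary.Write(kdf, binary.BigEndian, epoch)
	block, _ := aes.NewCipher(kdf.Sum(nil)) // a 32-byte digest is always a valid AES-256 key
	aead, _ := cipher.NewGCM(block)         // AES has the 16-byte block size GCM requires
	return aead
}
// seal encrypts the payload under the current key; the header stays in the clear
// but is bound to the ciphertext as associated data. Wire: header || nonce || ct || tag.
func (e *endpoint) seal(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, fmt.Errorf("frame shorter than an Ethernet header")
	}
	if e.sendCtr == rekeyFrames { // rotate: next epoch, fresh key, counter reset
		e.epoch, e.aead, e.sendCtr = e.epoch+1, keyFor(e.master, e.epoch+1), 0
	}
	nonce := make([]byte, nonceLen)
	binary.BigEndian.PutUint32(nonce[:4], e.epoch)
	binary.BigEndian.PutUint64(nonce[4:], e.sendCtr)
	e.sendCtr++ // a counter nonce is never reused under the same key
	out := append(append([]byte{}, frame[:hdrLen]...), nonce...)
	return e.aead.Seal(out, nonce, frame[hdrLen:], frame[:hdrLen]), nil
}
// open authenticates and decrypts a wire frame, rejecting anything truncated, modified
// (header included) or replayed. A newer epoch is committed only after the frame
// authenticates, so a forged frame cannot push the receiver onto a key the sender lacks.
func (e *endpoint) open(wire []byte) ([]byte, error) {
	if len(wire) < hdrLen+nonceLen+e.aead.Overhead() {
		return nil, fmt.Errorf("truncated frame")
	}
	hdr, nonce, body := wire[:hdrLen], wire[hdrLen:hdrLen+nonceLen], wire[hdrLen+nonceLen:]
	epoch, ctr := binary.BigEndian.Uint32(nonce[:4]), binary.BigEndian.Uint64(nonce[4:])
	if epoch < e.epoch || (epoch == e.epoch && ctr < e.recvNext) {
		return nil, fmt.Errorf("replay: old epoch or counter")
	}
	aead := e.aead
	if epoch > e.epoch {
		aead = keyFor(e.master, epoch)
	}
	pt, err := aead.Open(nil, nonce, body, hdr)
	if err != nil {
		return nil, fmt.Errorf("frame rejected: %w", err) // forged, modified or corrupted
	}
	e.aead, e.epoch, e.recvNext = aead, epoch, ctr+1
	return append(append([]byte{}, hdr...), pt...), nil
}
// demo sends constructed frames (not a real capture) from Zurich to Geneva and
// reports what the provider sees and how tampering, replay and rekeying behave.
func demo() (map[string]bool, uint32) {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed pre-shared secret
	zurich := &endpoint{master: master, aead: keyFor(master, 0)}
	geneva := &endpoint{master: master, aead: keyFor(master, 0)}
	frame := append(bytes.Repeat([]byte{0xAA}, hdrLen), "payroll Q3: CHF 1'234'567"...)
	w1, _ := zurich.seal(frame) // seal only fails on malformed frames
	got, errRound := geneva.open(w1)
	_, errReplay := geneva.open(w1) // the same wire frame delivered a second time
	w2, _ := zurich.seal(frame)
	w2[0] ^= 1 // one bit of the destination MAC flipped in transit
	_, errTamper := geneva.open(w2)
	for i := 0; i < rekeyFrames; i++ { // push the sender past its rekey threshold
		zurich.seal(frame)
	}
	w3, _ := zurich.seal(frame) // sealed under the next epoch's key
	_, errRekey := geneva.open(w3)
	return map[string]bool{
		"header visible on wire": bytes.Equal(w1[:hdrLen], frame[:hdrLen]),
		"payload hidden on wire": !bytes.Contains(w1, frame[hdrLen:]),
		"round trip intact":      errRound == nil && bytes.Equal(got, frame),
		"replay rejected":        errReplay != nil,
		"tampering rejected":     errTamper != nil,
		"rekey followed":         errRekey == nil,
	}, geneva.epoch
}

func main() { fmt.Println(demo()) }
```

On the wire the provider sees the header followed by opaque ciphertext, and any change it makes, to the header included, fails authentication at the far end. A production encryptor differs in two places the example deliberately keeps simple: it runs a key agreement protocol instead of deriving keys from a pre-shared secret, and it tolerates modest reordering with a replay window instead of demanding strictly increasing counters.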
Combining with internet access is a sensible move
In addition to site networking, it is also possible to combine an internet connection with the VLL solution. For example, with the two sites in the diagram above, it would look like this: the Zurich site is connected to the internet, but the Geneva site is not.
When an employee in Geneva accesses a web page, the traffic first travels through the VLL to Zurich, from there to the public internet, and then back through the VLL from Zurich to Geneva.
Although this adds a few milliseconds of latency (delay time), it cuts costs, because firewall infrastructure only has to be bought, configured and maintained at a single site. It also improves security: only one site is exposed to the internet, so the attack surface shrinks and there is a single point at which traffic is inspected and policy is enforced.
The advantages and disadvantages of site networking over a VLL
VLLs offer a high degree of flexibility and scalability, as they are easy to set up. From a user’s perspective, it is a plug-and-play solution without complicated configuration. VLLs are very often more affordable than conventional dedicated leased lines, since less infrastructure has to be procured and the existing local FTTH infrastructure is put to further use.
Another advantage of site networking over a VLL is that the individual sites are connected to one another as if by a 1 or 10 Gb direct attach cable. Unlike with VPNs, there is no encryption overhead to reduce data throughput.
However, there is a risk that the VLL provider’s backbone will become overloaded, causing data bottlenecks; with reputable providers, bottlenecks do not occur during normal operation. In terms of throughput, a VLL is far superior to a conventional VPN solution. However, the VLL provider must be trustworthy, because a VLL is not encrypted unless additional measures are taken.
Site networking using a virtual private LAN service (VPLS)
With VPLS networking, all of a company’s different sites are networked with one another. Every single site is connected to every other one. As is the case with the VLL solution, the sites are networked as if they were connected directly over a LAN.
Unlike networking over a VLL, VPLS solutions are not managed. In other words, the provider only provides the connection, a multipoint layer 2 service, and the company has to route the data traffic itself.
A VPLS is like an Ethernet cable with more than two ends: all sites share one broadcast domain. The company itself must ensure that the data arrives at the right place.
The advantages and disadvantages of site networking over a VPLS
Compared to a VLL, configuring a VPLS is more complex for both the company and the provider. A VPLS is typically suitable for networking a few sites; it is less appropriate when a large number of sites need to be connected, because the routing logic has to be provided by the company itself, which makes the network considerably more complex.
Site networking with Init7
We connect our customers’ sites with flexible and scalable VLLs that boast unrivaled low-cost pricing. They are suitable for both small and large companies. We do not offer VPLSs due to the disadvantages mentioned above.
If customers require several sites to be networked, we use several VLLs. While this boosts reliability, it does not increase the costs, because our billing model is calculated per site and not per connection. We offer 1 Gb and 10 Gb VLLs at the same price, in line with our MaxFix guarantee, so the bandwidth selected depends only on the customer’s LAN equipment. Find out more on our website.