Network Computing is part of the Informa Tech Division of Informa PLC

Next-Generation VPNs: Safer, Cheaper, Faster

Here's a conundrum to mull over. Tomorrow's application and networking requirements will increasingly demand direct connections between offices. At the same time, CIOs are more paranoid than ever about security and privacy. So what mainstream WAN architecture can an IT architect recommend that will satisfy both design and security requirements?

The answer is none--at least none for the responsibly paranoid IT architect. Frame relay is practical only when interconnecting offices through a central site. Layer-3 Multiprotocol Label Switching (MPLS) VPNs such as AT&T's IP-Enabled Frame Relay, Sprint's Global MPLS VPN, and MCI's Private IP certainly come closer to meeting those requirements, but while they can connect offices directly to one another, they also require enterprises to expose their routing infrastructure to their service providers.

But that's all going to change, as anybody who attended last month's Supercomm trade show can attest. This year's buzz was about the IETF's Virtual Private LAN Service (VPLS) and how service providers can deliver national, multipoint, switched Ethernet networks by carrying Ethernet frames across their MPLS networks. And unlike today's layer-3 VPNs, these layer-2 VPNs don't require IP encapsulation. Masergy Communications went live early last year with the first commercially available national VPLS offering. Time Warner Telecom followed suit last summer, and Broadwing Communications just announced its service in June. More services are expected in 2006.

When combined with Ethernet access, VPLS transforms the WAN into a large Ethernet switch, says Dean Lissner, director of IT at storage networking vendor Emulex, an early customer of Masergy's inControl VPLS. As with an Ethernet switch, IT architects can adapt the WAN to match application flows. For example, VoIP traffic can be sent directly between sites, while point-of-sale applications can still be structured to interact with servers in the regional hub or headquarters. All the while, a company's disaster recovery plan can be improved by removing the single point of failure--the WAN hub--in the network design. As for pricing, preliminary research suggests that multipoint, switched layer-2 VPNs will run about 20 percent less than their layer-3 counterparts (see "Ethernet Service Pricing").

All this can be done without significant personnel investment in learning a WAN technology. "It's made our WAN so easy. We didn't have to do any BGP [Border Gateway Protocol] configuration or PVC [Permanent Virtual Circuit] configuration--just added another VLAN to our LAN that represented the Masergy network and routed between them," says Lissner.
