Many businesses use MPLS networks to deliver applications, email, and other services to their users (usually in-house, but also to some customers). The initial and ongoing costs that MPLS networks demand are potentially very high, so businesses are always looking at ways to reduce these costs significantly. One way to do this is to look to the internet for a solution. This, however, brings a new dimension of security and performance issues.
It’s standard practice to have a resilient MPLS network from two different service providers, so a trend is developing where businesses use one MPLS network and the internet as a backup for non-business-critical traffic. However, the internet link still needs to perform at certain levels, so there are a few steps to take before this becomes a viable option.
When running the two side by side, it’s good practice to ensure you are satisfied with both the performance and security of the internet-connected topology. Migrating apps over one by one is a good way to check this, rather than taking a big-bang approach.
Ideally you should not rely on your end users to tell you whether the new (internet) network is better or worse than the old (MPLS) one. Baselining the existing MPLS network’s performance gives you an indication of what to expect on the internet, so a before-and-after comparison (FTP transfers are a good way to test this, or running VoIP and measuring jitter and delay) is a good way to compare the two options.
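One way to turn the VoIP baseline into numbers you can compare is to timestamp each packet at both ends and compute one-way delay plus the RFC 3550 interarrival jitter estimate. The script below is an added example and not part of the original article; the send/receive timestamps are constructed to stand in for a measured MPLS run and a measured internet run, and the VoIP thresholds in `acceptable_for_voip` are example values (150 ms one-way delay follows ITU-T G.114 guidance; 30 ms jitter is a common rule of thumb), not figures from the article.

```python
"""Before/after link baseline: one-way delay and RFC 3550 interarrival
jitter from per-packet send/receive timestamps (milliseconds).
Added example, not taken from the article; all timestamps below are
constructed, not measured."""
import math
from statistics import mean


def rfc3550_jitter(send_ts, recv_ts):
    """Running interarrival jitter J after the last packet, per RFC 3550
    section 6.4.1:
        D(i-1,i) = (R_i - R_(i-1)) - (S_i - S_(i-1))
        J_i      = J_(i-1) + (|D(i-1,i)| - J_(i-1)) / 16
    Units follow the timestamps (ms here)."""
    if len(send_ts) != len(recv_ts) or len(send_ts) < 2:
        raise ValueError("need at least two paired (send, recv) timestamps")
    j = 0.0
    for i in range(1, len(send_ts)):
        d = (recv_ts[i] - recv_ts[i - 1]) - (send_ts[i] - send_ts[i - 1])
        j += (abs(d) - j) / 16
    return j


def percentile(values, pct):
    """Nearest-rank percentile (no interpolation)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def delay_stats(send_ts, recv_ts):
    """Mean / p95 / max one-way delay for paired timestamps.
    Assumes both clocks are synchronised (e.g. via NTP or a GPS source)."""
    delays = [r - s for s, r in zip(send_ts, recv_ts)]
    return {"mean": mean(delays), "p95": percentile(delays, 95), "max": max(delays)}


def acceptable_for_voip(send_ts, recv_ts, max_mean_delay=150.0, max_jitter=30.0):
    """Accept/reject a link for VoIP. The default thresholds are example
    values (150 ms one-way delay per ITU-T G.114 guidance; 30 ms jitter is
    a common rule of thumb), not figures from the article."""
    stats = delay_stats(send_ts, recv_ts)
    return (stats["mean"] <= max_mean_delay
            and rfc3550_jitter(send_ts, recv_ts) <= max_jitter)


# Constructed sample: 10 VoIP-style packets sent every 20 ms.
SEND_TS = [i * 20.0 for i in range(10)]
# MPLS baseline (constructed): steady 30 ms one-way delay.
MPLS_RECV_TS = [s + 30.0 for s in SEND_TS]
# Internet candidate (constructed): same packets with varying delay.
INTERNET_DELAYS = [45, 52, 44, 60, 47, 49, 70, 46, 48, 51]
INTERNET_RECV_TS = [s + d for s, d in zip(SEND_TS, INTERNET_DELAYS)]

if __name__ == "__main__":
    for name, recv in (("MPLS", MPLS_RECV_TS), ("Internet", INTERNET_RECV_TS)):
        print(name, delay_stats(SEND_TS, recv),
              "jitter=%.2f ms" % rfc3550_jitter(SEND_TS, recv),
              "voip_ok=%s" % acceptable_for_voip(SEND_TS, recv))
```

In practice the timestamps come from a capture at each end (RTP timestamps plus arrival times are enough), and the same thresholds are applied to the MPLS baseline first so that a rejection on the internet leg is measured against a link you already trust rather than against a guess.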
Internet performance and availability
Often, internet traffic is sent down the same physical lines as MPLS traffic and service providers will prioritise certain types of traffic. Premium internet and MPLS offerings will typically have priority over standard internet offerings.
Where possible, use the same network operator to deliver ALL the primary internet links from your internet-connected locations. This is important, as it reduces the number of interconnects your traffic has to pass through, thus decreasing bottlenecks, latency and additional hops.
Application visibility and traffic shaping
Most application and network monitoring solutions require either a plugin to monitor apps, or NetFlow/tap processes to monitor the traffic details and flows. Unfortunately this is not available on the internet, because service providers will not support this type of intrusive configuration for businesses to manipulate. Keep in mind that by using the internet you lose some visibility of your apps and performance data, and maintaining SLAs can be extremely difficult.
Some premium internet offerings will allow users to shape traffic at the edge; however, some ISPs strip the type-of-service (ToS) headers from packets en route, which can render this service pretty much useless.
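Whether the ToS/DSCP marking survives the path is something you can verify rather than assume: capture the same packets at the sending edge and at the far end, then compare the DSCP field in each IPv4 header. The script below is an added example, not code from the article or from any ISP tooling; it builds the IPv4 headers in code (labelled as constructed) in place of real captures, and classifies each sent/received pair as preserved, stripped to CS0, or remarked to a different class.

```python
"""Check whether DSCP (ToS) markings survive an internet path by comparing
the IPv4 header sent at one edge with the header captured at the other.
Added example, not taken from the article; the headers below are
constructed in code rather than captured."""
import socket
import struct

EF, AF41, AF31, CS0 = 46, 34, 26, 0   # standard DSCP code points (RFC 4594)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement header checksum."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp, ecn=0, src="10.0.0.1", dst="10.0.0.2",
                      proto=17, payload_len=0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the given DSCP/ECN.
    Addresses are constructed placeholders."""
    tos = (dscp << 2) | ecn
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_tos(packet: bytes):
    """Return (dscp, ecn) from the second byte of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2, packet[1] & 0x3


def classify_markings(pairs):
    """pairs: (header_as_sent, header_as_received). Counts whether the DSCP
    was preserved, stripped to CS0, or remarked to another class."""
    counts = {"preserved": 0, "stripped": 0, "remarked": 0}
    for sent, received in pairs:
        s_dscp, _ = parse_ipv4_tos(sent)
        r_dscp, _ = parse_ipv4_tos(received)
        if r_dscp == s_dscp:
            counts["preserved"] += 1
        elif r_dscp == CS0:
            counts["stripped"] += 1
        else:
            counts["remarked"] += 1
    return counts


def edge_shaping_is_useful(pairs) -> bool:
    """DSCP-based edge shaping only helps if the far end still sees the
    marking; treat any stripping or remarking as a failure."""
    c = classify_markings(pairs)
    return c["stripped"] == 0 and c["remarked"] == 0


# Constructed sample: what was sent vs. what the far-end capture showed.
SAMPLE_PAIRS = [
    (build_ipv4_header(EF), build_ipv4_header(EF)),      # voice, preserved
    (build_ipv4_header(AF41), build_ipv4_header(CS0)),   # video, stripped
    (build_ipv4_header(EF), build_ipv4_header(AF31)),    # voice, remarked
    (build_ipv4_header(CS0), build_ipv4_header(CS0)),    # best effort
]

if __name__ == "__main__":
    print(classify_markings(SAMPLE_PAIRS), edge_shaping_is_useful(SAMPLE_PAIRS))
```

With real traffic the two headers per pair come from a packet capture at each edge (matched on the IP identification field or on the transport payload); if `classify_markings` reports anything other than all-preserved for the premium class, shaping that relies on the remote side honouring the marking will not do what the ISP's marketing implies.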
All traffic that traverses the internet should be strongly encrypted to mitigate man-in-the-middle attacks (where criminals tap into the data flow and steal valuable information). The other issue we see with hybrid networks is trust: a traditional MPLS network is effectively an Ethernet connection between offices over dark fibre or dedicated bandwidth, which businesses trust. When using an internet circuit, the circuit’s demarcation point has to be placed in a DMZ that is firewalled off (with both network and application firewalls) and often monitored with intrusion detection equipment, because the internet is regarded as totally untrusted.
Migrating from MPLS to the internet can save you a lot of money and should be considered by businesses when reviewing network design. Network performance frequently increases, because well-managed internet connections can outperform poorly managed MPLS networks.