Understanding the basics of a hybrid VPN

In part two of a three-part series, an expert looks at how hybrid VPNs are impacted by the shift from private services to the public Internet.

Editor's note: This is the second in a three-part series examining the evolution of the hybrid WAN. This installment describes some of the most popular technologies used within typical hybrid VPN deployments. Part one examined the benefits of hybrid WAN while the concluding installment will discuss tips to help you avoid problems when using a hybrid approach. For additional information, request Robert Sturt's step-by-step WAN procurement Field Guide.

As enterprises grapple with growing traffic and multiplying traffic sources, IT teams are increasingly examining hybrid WAN architectures relying on both private services and the public Internet. What does this shift mean to the hybrid VPN?

First, let's discuss some of the services within a hybrid virtual private network (VPN):

IPSec -- IPSec is in the limelight as a result of the huge growth of mobile traffic. In the late 1990s -- when a majority of enterprise WAN networks were built on managed devices -- IPSec tunnels only existed between national and global offices. With the advent of multiprotocol label switching (MPLS)-based VPNs, quality of service (QoS) features tempted IT teams away from using public IP backbones for their WANs. However, these days, IPSec is deemed secure enough for the majority of applications and organizations -- the only exceptions being government and financial institutions. The growth of unified communications, together with the requirement that applications are ubiquitously accessible, is driving IPSec's inclusion within the hybrid VPN.

The downsides of encrypting traffic are a loss of control from a QoS perspective and the per-packet overhead the encryption adds. Provided your traffic stays on a single provider's backbone, performance in an Internet-based VPN should be fairly predictable. That is not the case when traffic traverses the IP backbones of multiple carriers. And as applications become more sophisticated, some may withhold or restrict access until they determine that connectivity and throughput are sufficient.
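To put a number on that encryption overhead, here is an added example (not from the original article) that computes the ESP tunnel-mode encapsulation cost for two common IPSec cipher suites, the largest inner packet that still fits a 1500-byte path MTU, and the resulting goodput. The suite field lengths (IV, alignment, ICV) are the usual values from the ESP RFCs and are assumptions labelled in the code; the 200-byte sample packet is a constructed VoIP-sized input.

```python
from dataclasses import dataclass

OUTER_IPV4 = 20   # new outer IPv4 header added by tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
NAT_T_UDP = 8     # extra UDP header when NAT traversal (UDP/4500) is in use
ESP_TRAILER = 2   # pad-length byte + next-header byte

@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int     # bytes of IV carried in clear after the ESP header
    align: int      # alignment the encrypted body must be padded to
    icv_len: int    # integrity check value appended after the body

# Assumed typical field sizes: AES-CBC needs 16-byte blocks and HMAC-SHA1-96
# gives a 12-byte ICV; AES-GCM uses an 8-byte IV, 4-byte ESP alignment, 16-byte ICV.
AES_CBC_SHA1 = EspSuite("AES-CBC-128 / HMAC-SHA1-96", iv_len=16, align=16, icv_len=12)
AES_GCM_128 = EspSuite("AES-GCM-128", iv_len=8, align=4, icv_len=16)

def esp_tunnel_size(inner_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Bytes on the wire at the IP layer for one inner packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % suite.align  # pad so the trailer ends on the alignment boundary
    udp = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + udp + ESP_HDR + suite.iv_len + body + pad + suite.icv_len

def max_inner_len(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner packet that still fits the path MTU after encapsulation."""
    best = 0
    for inner in range(path_mtu):  # brute force is cheap at these sizes
        if esp_tunnel_size(inner, suite, nat_t) <= path_mtu:
            best = inner
    return best

def tcp_mss_clamp(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """TCP MSS to advertise so segments never need fragmenting: inner max minus IPv4+TCP headers."""
    return max_inner_len(path_mtu, suite, nat_t) - 40

def goodput_ratio(inner_len: int, suite: EspSuite, nat_t: bool = False) -> float:
    """Fraction of wire bytes that carry the original (inner) packet."""
    return inner_len / esp_tunnel_size(inner_len, suite, nat_t)

if __name__ == "__main__":
    for suite in (AES_CBC_SHA1, AES_GCM_128):
        print(suite.name, "1500B inner ->", esp_tunnel_size(1500, suite), "B on wire;",
              "max inner for 1500 MTU:", max_inner_len(1500, suite), "B;",
              "MSS clamp:", tcp_mss_clamp(1500, suite))
    # Constructed VoIP-sized packet (20 IP + 8 UDP + 12 RTP + 160 payload = 200 B).
    print("VoIP goodput, AES-CBC/SHA1: %.2f" % goodput_ratio(200, AES_CBC_SHA1))
```

The small-packet case is the one that matters for the unified communications traffic mentioned above: a 200-byte voice packet spends roughly a quarter of its wire bytes on encapsulation, while a full-size packet loses only a few percent.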

MPLS Layer 3 VPN -- The Layer 3-anchored MPLS VPN has been the staple of enterprise WAN communications for a number of years now -- due to its security, "any-to-any" topology and the ability to prioritize applications using QoS. With support for multiple routing protocols, together with service level agreements that guarantee throughput of traffic, uptime, jitter and latency on a global basis, it is easy to understand why MPLS VPN has become so popular.

Virtual private LAN service (VPLS) Layer 2 VPN -- By removing the provider's Layer 3 from the picture, enterprises can extend their LANs over geographical distances on an any-to-any basis. The use case for Layer 2 VPNs is the need to extend the data link layer, or to keep Layer 3 under the organization's own management. Consider a cloud-based global data center deployment. In this case, VPLS would provide LAN-to-LAN connectivity, allowing resources such as additional servers to be added at any of the locations served by the VPLS. For clients running complex routed setups or non-standard requirements, VPLS lets the organization layer its own routing on top.

Carrier Ethernet products -- In the mix of a hybrid WAN design, carrier Ethernet represents one of the key building blocks. Options include:

  • SDH/SONET -- Carriers' SDH and SONET capabilities mean a large proportion of Ethernet is provisioned over the scale of these legacy networks. Because SDH and SONET are built for high availability, the resulting services offer good uptime.
  • Ethernet over MPLS/Virtual leased lines (VLL) -- This emulates point-to-point and multipoint Ethernet circuits across the scale of a provider's MPLS network. Commonly known as pseudowires, these circuits offer the same capability as VPLS, minus the any-to-any properties.
  • Carrier Ethernet transport -- The purest form of Ethernet, because the traffic originates and terminates as Ethernet; ideal within metro areas.

Keep in mind that understanding your own network architecture requires a diagnostic approach that aligns the specifics of your organization's strategy, technological resources and budget. Without a diagnostic workflow, a business risks implementing technology that acts as a bottleneck rather than an advantage -- throughout the life of the service contract.

Next up: The dos and don'ts of setting up a hybrid WAN.

This was last published in June 2015