Over the past few weeks I’ve had the chance to come up from my rabbit hole of deployment projects and catch up on the tech news. In particular, the announcement at Interop New York where Cisco announced the new ISR 4400 family of routers along with a few other articles got me to thinking about how far branch office connectivity has come in the past decade or so and to a question: is one method of branch connectivity better than another?

In the Beginning…

In the past decade or so we have seen substantial change in how we connect to the internet and how fast we do so. Early on (circa early 2000s) the internet was fairly flat. Real time voice and video were still a thing of science fiction. In the enterprise we connected remote offices back to the central office via leased lines over a frame relay network. T1s were considered good and if you had a DS-3 link you must have been in a big IT shop. Compute services were limited to corporate email (Outlook/Exchange were the new kids on the block) and client/server based systems.

Fast forward a few years (2005-ish) and we begin to see the emergence of this new thing called Voice-over-IP. With it came the frustrations of jitter and one-way audio. Video conferencing was still done over ISDN but some glimpses into the future were beginning to emerge (NetMeeting anyone?). Technologies such as QoS and MPLS came about to address the challenge of providing guaranteed bandwidth to these latency-sensitive services.

In the last four years or so we have seen an even greater increase in speeds offered up by service providers with the push towards Metro Ethernet as they retire the legacy TDMA services (thankfully). Going to a provider to get a raw internet link at 10Mbps, 100Mbps, or even 1Gbps is becoming more commonplace. This is a good thing as we are seeing more and more rich content services that need bandwidth. Businesses are now relying on real-time communications to connect remote workforces that are all over the globe. Video conferencing and instant messaging are no longer optional; they are core services.

How We Connect in the Fast Lane

Today there are basically two models for connectivity: Internet with VPN overlay, or private WAN services via MPLS or VPLS. Each of these has its own advantages and disadvantages.

Internet with VPN Overlay is, usually, cheaper and faster to deliver. Speeds offered from business class broadband or Direct Internet Access (DIA) from a Tier 1 provider are fast and easy to upgrade in most instances. Utilizing a well-designed DMVPN solution makes an overlay solution much more scalable and easier to manage. These two factors combine for a very compelling business argument for VPN Overlay. The downside? It’s much more difficult to guarantee quality of service to those applications that need it (voice and video, I’m looking at you). This can be offset somewhat by doing QoS end-to-end in both directions across the VPN tunnels, but you are still at the mercy of the provider. Based on first-hand experience, if you have a Tier 1 provider giving you a DIA link you will likely be okay. But still, it’s something that needs to be considered in the cost-benefit analysis.
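To make the "QoS in both directions across the VPN tunnels" point concrete, here is an added Cisco IOS configuration sketch (it is an example written for this post, not a configuration from the original article). It assumes a DMVPN hub and one spoke on Tunnel0, a constructed 10 Mbps spoke link, and the older `ip nhrp group` / `ip nhrp map group` syntax for per-tunnel QoS; the policy and class names are made up. The hub shapes toward each spoke according to the NHRP group the spoke advertises, and the spoke shapes toward the hub on its own tunnel, so voice marked EF gets a priority queue on both sides of the overlay even though the provider in between honors nothing.

```text
! ---- Shared on hub and spoke: classify by DSCP, which survives IPsec
! ---- because the inner DSCP is copied to the outer header by default.
class-map match-all VOICE
 match dscp ef
class-map match-all VIDEO
 match dscp af41
!
policy-map CHILD-QUEUING
 class VOICE
  priority percent 20
 class VIDEO
  bandwidth percent 30
 class class-default
  fair-queue
!
! Parent shaper: constructed 10 Mbps spoke link (assumed value).
policy-map SHAPE-10MB
 class class-default
  shape average 10000000
  service-policy CHILD-QUEUING
!
! ---- Hub side: map the NHRP group a spoke registers with to the shaper.
interface Tunnel0
 ip nhrp map group SPOKE-10MB service-policy output SHAPE-10MB
!
! ---- Spoke side: advertise the group so the hub applies per-spoke QoS,
! ---- and shape the return direction toward the hub ourselves.
interface Tunnel0
 ip nhrp group SPOKE-10MB
 qos pre-classify
 service-policy output SHAPE-10MB
```

Two things worth checking after applying something like this: `show policy-map multipoint Tunnel0` on the hub confirms the per-spoke policy was actually instantiated when the spoke registered, and a DSCP mismatch anywhere upstream (a switch rewriting to default, for instance) silently drops voice into class-default, so verify the markings with `show policy-map interface` counters rather than assuming the classification worked.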

Private WAN services provide a set SLA guarantee for services, with the ability to have some control over QoS through the provider network. With a service such as VPLS it’s even easier since, on the enterprise side, it’s just one big fat ethernet segment. In most of my experience with private WAN deployments, speed hasn’t been a major issue as most of my sites are in large metro areas. Costs, on the other hand, can be a lot higher as you are paying for that SLA and for QoS being honored across the provider network.

Is There One to Rule Them All?

In short, no. As with any good network question the real answer is: it depends. It depends on what services you are offering, the size of the office, and how your backend infrastructure is designed. In my current environment we have a mix of VPN Overlay and VPLS. Both work very well and we have had very few issues with connectivity and continuity of services. But they do have their limits. Most of our VPN connected sites have a very small user base and in some instances are not served by our VPLS provider. For our larger sites VPLS is the best solution, as these are sites where we need the additional control over the network given the density and make-up of users (think C-suite).

What I can say, based on my experience, is that VPN Overlay is becoming a more viable option each year from a cost and speed perspective. When you throw in the Cisco ISR 4400s with the capability of IWAN, PfR, and service containers that argument becomes even more compelling.


Ed Weadon

Sr. Network Engineer