There’s a price for everything in this world, and ADSL IP VPNs are no exception. While ADSL IP VPNs are a cheaper alternative to any MPLS service type, it doesn’t necessarily mean they’re for everyone, as customer requirements always vary. In this article, I will explain both the ADSL IP VPN advantages and disadvantages.
Let’s take a look at a few ADSL IP VPN advantages over most WAN MPLS circuits:
- Cheaper rates. Internet service providers (ISPs) provide a simple ADSL connection to the Internet, using the highest possible speed with—usually—a static IP address. The price for a 24 Mbps/1 Mbps (download/upload) ADSL line is considerably cheaper than almost any WAN MPLS service, making it extremely attractive for companies seeking to cut telecommunication costs.
- Fully configurable. WAN engineers have total control over the VPN tunnel created between sites. They are able to perform on-the-fly configuration changes to compensate for any network problems or help rectify any problem that might arise. With full access to the VPN, terminating equipment like routers and firewalls, engineers have the ability to see the condition of the ADSL line and take any action(s) deemed necessary.
- VPN backup included. For mission-critical sites, ISDN backup is possible if your ADSL connection is over ISDN. In case of a failure, the router can be programmed to automatically issue an ISDN dial backup, connecting the site via ISDN temporarily until the ADSL line is back online. In slightly more complex setups with multiple ADSL lines per site, the VPN can automatically be re-routed via an alternative ADSL connection. Time response for the backup line to come online is configurable by the network engineer, and there is no need to wait for the ISP to fix a line so your company can continue working.
- Two-in-one. When configuring the site-to-site VPN, engineers can also configure remote VPN access for users traveling around the country or world, a feature most companies would have to pay additional money for to receive from their service providers.
- Upgradable features. Perhaps one of the strongest advantages is the fact that your site-to-site VPN characteristics are strictly dependant on those that your VPN routers/firewall support. This means that as new features are introduced with the newer router operating systems (i.e., Cisco IOS), they will be available to your engineers to implement. For example, QoS pre-classification was a feature Cisco introduced in its IOS that fixed a number of QoS features for different services running over IPsec VPN tunnels. Dynamic Multiple VPN (DMVPN ) was another great feature allowing scalable IPsec VPN tunnels between multiple sites. DMVPN allows every endpoint to dynamically build a VPN tunnel with any of its other peers, providing a low-cost mesh VPN solution.
If the brief list of the above ADSL IP VPN advantages seems overwhelming and you feel you need to switch to this technology as soon as possible, don’t rush until you have read a few of its disadvantages.
Here is a list of a few disadvantages of ADSL IP VPNs over almost all WAN MPLS circuits:
- Limited QoS. In order to have a fully functional QoS model, you need to have control of all equipment and paths that your VPN packets run through. In the ADSL IP VPN model, QoS is effective in each site’s LAN, up until the ADSL interface of the routers. From there on, packets enter the ISP’s network, and your ISP will clearly state that there is no QoS for such connections. Everything is based on a "best effort" delivery mechanism and you can’t argue about that. Any QoS parameters inserted in your WAN packets are, in most cases, ignored by the ISP.
- Possible bottlenecks and low speeds. In an ADSL IP VPN scenario, your company connects to a single Digital Subscriber Line Access Multiplexer, or DSLAM—a device that uses multiplexing techniques over telephone lines to provide high-speed Internet connections—that provides ADSL connectivity to your ISP. Every other user in the area, including business and home users, connects to that same DSLAM. If there is heavy traffic on that DSLAM node, chances are you might experience low speeds during peak-hour times. Again, there is no guarantee of the speeds you will receive on your ADSL connection.
- Asymmetrical speeds. ADSL offers great download speeds, but its upload is always limited. This is a big disadvantage for the headquarters where all remote VPNs terminate. With limited upload bandwidth, it’s almost impossible to have all remote sites connecting to one ADSL line, unless the traffic between the sites and headquarters is limited. Depending on the number of sites, remote users and services to be run over the ADSL IP VPN tunnels, it might be necessary to split the remote sites over two or more ADSL connections at the headquarters.
- Forget SLAs. With the ADSL IP VPN running over a normal Internet connection, you can forget about any service level agreement (SLA) with the provider. There is no service provider that will sign any type of SLA for an ADSL Internet connection.
- VPN and router/firewall security. ADSL Internet connections are exposed directly to the Internet. This means that the security of your VPN and terminating equipment (routers and/or firewalls) are your responsibility. If your engineers do not take the necessary measures to secure the equipment correctly, this can lead to the exposure of your company to the Internet. This is not a topic to be taken lightly, as the damage can be devastating. It is extremely important to understand the risk involved and to have the required technical expertise to ensure the job is performed correctly. Under ideal circumstances, where the equipment is correctly configured, there is no need to worry—you’re safe.
- Denial of service attacks. With a direct Internet connection, you are exposed to any denial of service (DoS) attack. All attempts can be successfully repelled; however, keep in mind that the traffic will have to reach your router/firewall first. This means that the heaviest damage that can be produced by a DoS attack—for a correctly configured endpoint—is to create a bottleneck on your ADSL connection and greatly reduce speeds for the duration of the attack.
Examine whether cheaper ADSL IP VPN alternatives are better than ISP-supported ADSL MPLS VPNs in the final article of this series: MPLS vs. VPNs. For more information, Firewall.cx offers a number of VPN and security configuration articles in its Cisco router section.
This was first published in July 2011