
The previous example represents one of the many attractive features of VPNs. The ability to provide new communications, nearly instantly, for no increased financial charge is an enormous leap over conventional WAN technology.

Compare the previous scenario with a Frame Relay-based topology. All the offices and the remote plants have Frame Relay connectivity that has some form of cost. Each plant has a PVC connecting it to the home office. The cost of the PVC is directly related to the CIR and total port speed allocation. Assume that these costs are equal to the Internet connection being provided at the sites.

However, a major difference is realized when connection from one plant to another is required. A new PVC must be purchased and allocated by the provider; this represents an additional annual cost. Not only are there monetary costs, but there are situations in which getting a PVC allocated can take excessive time; meanwhile, the existing PVC is serving a dual purpose by connecting the plants to the home office and carrying communication between each other. Given the added communication, it can be assumed that the CIR is being surpassed and the charge for the existing PVC has increased.

For one PVC, this may seem overindulgent and unrealistic. The provisioning of new PVCs happens every day for many organizations moving through changes, yet each scenario represents another PVC. In some organizations, it is necessary to allocate a PVC for each office connecting it to each of the others. When a PVC exists between each site, it is called a fully meshed environment (see Exhibit 5-7). In this example, there are 11 sites that could be fully meshed. A simple formula can be applied to the number of sites to determine the number of PVCs, n(n – 1)/2, where n is the number of sites that will participate in the mesh. Therefore, (11 × 10)/2 = 110/2 = 55 PVCs.

Exhibit 5-6. VPN providing access to WAN sites utilizing the VPN.

This is an extreme example and many organizations have learned how to accommodate communications while avoiding a fully meshed environment. However, there are still many situations in which a partially meshed WAN is necessary.

This example network can also illustrate a partially meshed network (see Exhibit 5-8). The four offices could have a meshed network that consists of six PVCs that provide connectivity and a form of limited redundancy, while the plants have a single PVC connecting them to the home office.

Redundancy Concepts. The offices are provided limited redundancy by the fact that there is an alternate route to each of the offices if one were to become unavailable.

In an earlier example, the remote offices maintained connectivity through a single PVC to the home office. If the home office were to go down, all communications would stop enterprisewide. However, by having PVCs between each office, there is no single point of failure in the WAN structure.

Exhibit 5-7. Fully meshed Frame Relay.

Exhibit 5-8. Partial mesh Frame Relay.

Unfortunately, the redundancy is provided at Layer 2 and can become misleading.

The connection to the WAN is typically provided by a single physical connection over which all the virtual circuits operate. Only a portion of the redundancy applies to the connectivity being provided by the PVCs. If the physical connection were to fail, none of the PVCs would be accessible. Granted, this does not affect the entire enterprise and only has an impact on the local office, but the redundancy provided by the multiple PVCs is limited. This point has surfaced in many arguments comparing VPN connectivity to PVC connectivity. The simple fact is that each typically relies on a single physical connection to provide access to a group of virtual connections that are multiplexed into that single connection.
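To make the redundancy argument concrete for both the partial mesh (six office PVCs plus one PVC per plant) and the Layer 2 caveat above, here is an added example, not from the book, that models the 11-site topology as a set of PVCs and shows what a lost PVC versus a lost access port does to reachability. Site names (HO, O1..O3, P1..P7) and the hub-and-spoke plant layout are constructed to match the chapter's description.

```python
from collections import deque

# Constructed topology modelled on the chapter's example: four offices (home
# office HO plus O1..O3) fully meshed, seven plants P1..P7 on one PVC each to HO.
OFFICES = ["HO", "O1", "O2", "O3"]
PLANTS = [f"P{i}" for i in range(1, 8)]
SITES = OFFICES + PLANTS


def full_mesh_pvcs(n):
    """PVCs needed to fully mesh n sites: n(n - 1)/2."""
    return n * (n - 1) // 2


def partial_mesh():
    """Offices fully meshed; each plant hangs off HO on a single PVC."""
    pvcs = {frozenset((a, b)) for i, a in enumerate(OFFICES) for b in OFFICES[i + 1:]}
    pvcs |= {frozenset(("HO", p)) for p in PLANTS}
    return pvcs


def reachable(start, pvcs, failed_pvcs=frozenset(), failed_ports=frozenset()):
    """Sites reachable from `start` over the surviving PVCs.

    A failed PVC removes one virtual circuit.  A failed access port (the single
    physical local loop a site's PVCs are multiplexed onto) takes down every PVC
    terminating at that site, which is the Layer 2 limitation the text raises.
    """
    if start in failed_ports:
        return set()
    live = {p for p in pvcs if p not in failed_pvcs and not (p & failed_ports)}
    seen, queue = {start}, deque([start])
    while queue:
        site = queue.popleft()
        for pvc in live:
            if site in pvc:
                (other,) = pvc - {site}
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen


if __name__ == "__main__":
    pvcs = partial_mesh()
    print(f"full mesh of {len(SITES)} sites: {full_mesh_pvcs(len(SITES))} PVCs")
    print(f"partial mesh: {len(pvcs)} PVCs")
    print("HO-O1 PVC down, from HO:", sorted(reachable("HO", pvcs, {frozenset(("HO", "O1"))})))
    print("HO port down, from O1:", sorted(reachable("O1", pvcs, failed_ports={"HO"})))
    print("HO port down, from P1:", sorted(reachable("P1", pvcs, failed_ports={"HO"})))
```

Losing one office PVC leaves every site reachable through the alternate PVCs, while losing the home office's single access port strands all seven plants even though the office mesh keeps talking among itself.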

The clear advantage that VPNs have over Frame Relay is the use of multiple connections to the Internet from completely different providers. Having different connections from different providers allows for continued connectivity in the event a wire is cut or a provider’s system fails. It is possible to provide separate lines for Frame Relay networks to eliminate a single point of failure, but the configuration can become complex and expensive.

In the event that a Frame Relay circuit goes down and the alternate must take over, PVCs must be reallocated. This is sometimes referred to as “swinging a PVC” over to a new network. Depending on the technology, some PVCs can be created on demand; but typically, dormant PVCs must be allocated to act as a “hot standby” in the event of primary failure. As one might imagine, this can get very expensive.

On the other hand, IPSec VPNs operate at the network layer and are completely oblivious to lower-layer concerns. Unlike Frame Relay, which directly interacts with and provides some Layer 2 functionality, IPSec is simply responsive to the overall path and not to the physical aspects of the communication. Routers can be implemented that handle the Layer 2 and Layer 3 aspects of the communication failure. In an incredibly short period of time, all data can be routed through a secondary circuit. The VPN that was established will typically break and a new one will need to be established. However, this limitation is commonly associated with the product implementation of IPSec; it is feasible to realign the VPN after a short break in communications. As long as the endpoints of the VPN do not change and the Layer 3 configuration at the endpoints remains static, a VPN can continue over new circuitry. This should be apparent, given the connectionless nature of IP, but IPSec can be very sensitive to certain critical changes. If these are avoided, the VPN should continue to operate.

Reevaluating the WAN. In the above example, the support for a Frame Relay WAN must be questioned. The plants require very little bandwidth and the cost of providing a PVC to ten remote locations could become expensive compared to the service usage.

The fully meshed cloud between the offices is required for business information needs and continuity of service. However, once the Frame Relay PVCs are meshed, each additional PVC can be considered direct overhead when compared to a VPN. A single PVC implemented for each site is efficient and cost-effective; VPN connectivity cannot add much more in the arena of cost and, given the current Internet environment, VPN does not offer better performance. As the number of PVCs increases, however, the cost accrued for each is frivolous when compared to VPNs.

The commonalities between Frame Relay and VPNs are the connection cost and the ISP charge compared to the first PVC. The local loop, or the connection from the site to the service point, is common between the two technologies and, for the sake of argument, the costs can cancel each other out. The cost of a PVC to a remote location can be related to the cost of the ISP charges for access service. These are not absolutes and the cost can vary; but as the number of PVCs added to the aggregate of the single connection increases, the relative cost of VPN connectivity decreases.