difference between L2TP/GRE/MPLS (2024)

we are going to use both ipsec and MPLS, any difference betweenL2TP and GRE, which is more cheap and more secure? besides L2TP and GRE, any other IPsec technique we can use?

what's the advantage of MPLS over ipsec, if we have to choose either mpls or ipsec, which one is more cost effective? thanks

• Labels:
• Routing Protocols

0Helpful

You are asking about three significantly different technologies. L2TP and GRE are both tunneling technogies and the primary difference is that L2TP is a layer 2 protocol and GRE is a layer 3 protocol.Neither of theseprotocols encrypt traffic to provide protection for the data being tunneled. If you want to protect the traffic then you need to run something like IPSec in addition to L2TP or GRE.

MPLS is a protocol for transporting traffic while IPSec is a set of protocols to encrypt traffic. So it makes little sense to ask whether there are advantages of one over the other. They are intended to do very different things. If you want to encrypt traffic then you need IPSec and MPLS is not helpful for this goal. If you want to send traffic from point A to point B then MPLS would be an option and IPSec is not helpful for this goal.

HTH

Rick

0Helpful

Richard was absolutely right and clear in its explanations, as usual, of course; I'd like to add just that MPLS it's very useful when connecting overlapping network; in fact one of its main goal is to achieve ISP to create VPN (like old Frame Relay and ATM networks) over an IP infrastructure. In this scenario it is highly probable the ISP's customer has overlapping network.

Moreover if your question was if it is better to connect remote site via a IPSec VPN or an MPLS VPN, the answer, as always is "depends on the scenario" so it's hard to say which is the more effective for you; in any case consider at least the following difference:

• costs: as you wrote IPSEC VPN based on Internet connectivity is very cheap compared to MPLS VPN
• bandwidth: usually ISP give a guaranteed bandiwdth while IPSec VPN has none
• security: MPLS network could be considered in some way "safer" then Internet; this is not complexity true because MPLS network does not give encryption and authentication so some risk that someone in the ISP backbone can sniff your data or try some kind of attack is still there. Moreover IPSec VPN can be indirectly affected by some type of attack like DOS that could disrupt connectivity due to overwhelming network resource (no more bandwidth available for IPSec traffic, ...)
• topology & scalability: MPLS are any-to-any networks so it is easier to connect new sites scaling to hundreds or thousands of site. Consider also that in some case router need just a default route to the ISP's backbone and therfore you can use less expensive router. At the opposite IPSEC is CPU intensive (may require additional cards or a dedicated appliance)
• availability and time to repair: usually MPLS network are managed by a single ISP how manage the whole network so its likely that a fail or a performance downgrade could be recovered faster; usually ISP offer SLA on MPLs network and does not on Internet access (at least on cheaper ones).

Bye

Enrico

please rate if useful

0Helpful

In response to e.ciollaro

Thanks,

if I want to build subsidary to headquarter site to site VPN, do I have to use MPLS VPN or IPSEC VPN, and there are no other aletrnatives?

if I use MPLS VPN, the traffic first go toADSLinternet router , then CE router, PE router, P router?

or it first go to CE router, then ADSL internet router, then PE router?

0Helpful

In response to petercinvest

There are multiple alternatives that are possible. Which ones make the most sense depends on what service you want to contract. If you have contracted with a provider for MPLS service then you should use the MPLS to transport data between your sites. You could also consider whether your data is so sensitive that it should be encrypted. If you have contracted with a provider for Internet access then you should consider the IPsec tunnel alternatives.

How the traffic will go out depends on what service you have contracted and what equipment is provided by that contract. But it is most common from your network to CE to PE. So if the ADSL is how you will communicate with them then it would seem that it would be ADSL to CE to PE.

HTH

Rick

0Helpful

In response to petercinvest

Hi,

as Richard sad there are many technologies you can use, for example if your site is not too far you can use also a point-to-point radio link (like a microwave links); as an extreme alternative see also http://www.bbc.com/news/technology-11325452 (of course it's a kind of joke but not completely).

Firs step is to understand your connection requirements at least in terms of bandwidth, availability, security (which comprise many things: data integrity, data encryption, protecting your Internet access...).

In my own experience MPLS tend to be considered better then IPSec but, again, it's not a rule. For example if you need a very fast deployment and you already have Internet access on both side, then IPSec could be the best choice.

Bye,

enrico

please rate if useful

0Helpful