
WAN Services: Frame Relay or VPN?

Through 2004, distributed wide-area network (WAN) services will continue to be dominated by frame relay. Architects should selectively use customer-premises-based and network-based IP virtual private networks (VPNs) to reduce cost, increase capacity, and
Written by David Willis, Contributor

META Trend: The stability and affordability of wide-area network (WAN) services will accelerate data center consolidation and administrative centralization, increasing WAN costs. Frame relay services will remain strong through 2004, with selective use of IPSec-based virtual private networks (VPNs - extranets, remote access) and MPLS-based VPNs (2003). International data rates will rise during 2002/03, as users move from international to regional service providers. Domestic US consolidation among IXCs, CLECs, and ILECs will continue across all market segments, with ILECs further establishing territorial monopolies (2005/06).

During 2002/03, MPLS technology will be more of a concern for carriers than enterprise customers. Current solutions such as frame relay, private line, or ATM services provide cost-effective, reliable data transport services, meeting the needs of most applications over the distributed WAN (see Figure 1). However, clients should monitor IP VPN services to determine their applicability to new locations (e.g., extranets, small offices), to new applications (e.g., converged voice/data/video), in disaster recovery, and for specialized high-capacity needs. The majority of organizations will support a mix of public and private services.

There are two major categories of IP VPNs used for interconnecting sites (e.g., LAN-to-LAN). The first is customer-premises-based VPNs over the public Internet, using IPSec protocols for traffic isolation and encryption. The second is network-based VPNs served over a common carrier backbone, providing traffic isolation (but not encryption) between customers based on MPLS labels, BGP (Border Gateway Protocol) routes, IPSec, or virtual router instances. Network-based VPNs are further broken down into Layer 3 services providing support for IP only, and Layer 2 services supporting multiple protocols. By 2004, most carriers will offer a combination of customer premises equipment (CPE)-based and network-based services.

CPE-Based IP VPNs
In the CPE-based approach, customers use public Internet services to transport IPSec tunnels with encryption, either via routers or purpose-built appliances. Clients must also firewall each site (though typically built into VPN products, firewalling complicates management), and should provide back-end intrusion detection. Although using the Internet reduces carrier fees, there are several downsides, especially lower reliability (two to six hours of additional downtime/month) and higher cost of equipment and support (estimated at $850-$6,000 per site annually - $350-$2,900 per year more than frame relay). Clients adopting this approach should use IPSec-based equipment and avoid proprietary tunneling techniques. Small networks (<50 sites) may be based on general-purpose routers, while larger networks should use specialized VPN appliances. Best-practice uses are for fixed remote sites, small sites (<10 workers), remote access, and extranets. Customers should not adopt this approach for large-scale site-to-site installations exclusively. However, planners should consider a hybrid frame relay/Internet VPN installation to provide additional capacity to the frame relay network as well as failover between both networks, especially when a high percentage of traffic is non-interactive (e.g., file transfer, replication, messaging).

Network-Based IP VPNs
The network-based VPN approach avoids the complexity and expense of customer-premises-based tunneling and encryption by providing traffic isolation in the cloud, preferably on a carrier's non-Internet backbone facilities. Customers can use existing router equipment and access circuits to access these new services. However, some carriers (e.g., Equant) do not allow customers to manage Layer 3 VPN access. A hybrid of frame relay and network-based VPN service is also an alternative. Thus, a single site could take advantage of both approaches.

As a general class, most network-based VPNs provide better reliability and security than Internet-based options. However, security and reliability are slightly less than frame relay - due to immature carrier operational processes, single points of failure between carrier backbones, and back-end exposures to the Internet (some carrier MPLS networks use common fiber and platforms for Internet and MPLS VPN services, increasing administrative security risks). Thus, customers seeking to use network-based VPNs may still need to encrypt end to end, via IPSec or other techniques (frame relay customers may need to consider this as well).

Despite the substantial technical differences between network-based VPNs and frame relay services from the carrier's perspective, the differences are not yet significant to most buyers. By 2004, value-added services such as firewalling, authentication, Web filtering, and antivirus services will mature within network-based VPN offerings from major carriers. Most enterprises will find frame relay services adequate for their needs, and we anticipate 15%-20% growth for frame relay through 2004. For moderately sized private networks, frame relay can provide all the benefits of MPLS VPNs, though current pricing is an inhibitor.

Adoption of the MPLS Pricing Model in Frame Relay Will Slow VPN Migration
The true difference between these services lies in the pricing model. Although all offerings charge a fee for access and network ports, MPLS services require only a single permanent virtual circuit (PVC) per traffic class for access to the entire network. In contrast, frame relay services charge for a PVC between each site as needed, favoring networks with a hub-and-spoke topology. Carriers that wish to extend the life of their frame relay backbones will simply adopt the new pricing model for frame relay (e.g., WorldCom Bundled Frame Relay). Frame relay users should push carriers toward these simplified pricing models. Longer term, as MPLS grows in carrier networks and service providers seek to consolidate backbones, they will incentivize customers to migrate to VPN services (2005-08).

Business Impact: Networking costs should be controlled by selective use of alternative wide-area network technologies.

Bottom Line: Although frame relay will dominate enterprise wide-area networking through 2004, clients should selectively use IP VPN services to control costs and enhance network service delivery.

Addendum - Figure 2 Distributed WAN Service Scorecard (Higher Scores Are Better)

META Group originally published this article on 9 July 2002
