Advantages of MPLS VPN in isolation

Source: Internet
Author: User

Comparison and analysis of MPLS VPN and VLAN + ACL

Scope of application: VLAN is essentially a LAN technology and is suited to isolation within a LAN. VLAN alone, however, cannot isolate IP-layer services; it must be combined with ACLs. All business systems then share one IP address space, are visible to one another and are not truly isolated, which leaves latent security risks. MPLS VPN, by contrast, isolates on the basis of IP-layer information and routing: the IP address spaces of different VPNs are independent of one another, and hosts in one VPN do not perceive the members of another, so the isolation is real. Because MPLS VPN isolates at layer 3 and uses the BGP extensions (MP-BGP) to distribute VPN membership information automatically, it is applicable to wide-area networks, metropolitan-area networks and other large-scale networks.
Flexibility: VLAN can be used only for Ethernet networking, whereas MPLS VPN is an IP-based technology with the flexibility inherent in IP and support for a wide range of link types. Because VLAN is a layer-2 technology and VLAN IDs must be planned uniformly, it is difficult to meet complex business isolation requirements with it; in practice VLAN isolation is confined to the local or campus scope and cannot satisfy complex isolation requirements. In MPLS VPN, the BGP route target attribute together with BGP's rich policy controls makes these isolation requirements easy to meet.
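The two paragraphs above describe the control-plane mechanism that makes MPLS VPN isolation "real": each VPN has its own routing instance (VRF), MP-BGP carries each prefix together with a route distinguisher (RD) so that prefixes of different VPNs stay distinct even when they overlap, and route targets (RTs) decide which VRF imports which routes. The following Python model is an added example written for this page; it is not code from the original article or from any vendor. The VPN names, RD and RT values, prefixes and CE names are constructed sample values. It also goes one step beyond the text by using an RT policy to give one customer, but not the other, access to a shared-service VPN.

```python
"""Control-plane model of MPLS L3VPN isolation: per-VPN route tables (VRFs),
route distinguishers (RDs) and route-target (RT) import/export policy.
Added example, not code from the original article; VPN names, RDs, RTs,
prefixes and CE names are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass
class Vrf:
    """One VPN site's routing instance on a PE router."""
    name: str
    rd: str                          # makes this VPN's prefixes globally unique
    export_rt: set
    import_rt: set
    local_routes: dict = field(default_factory=dict)  # prefix -> attached CE
    table: dict = field(default_factory=dict)         # routes after import


@dataclass(frozen=True)
class Vpnv4Route:
    """What MP-BGP actually carries: RD + prefix, next hop and the RTs."""
    rd: str
    prefix: IPv4Network
    next_hop: str
    rts: frozenset


def mp_bgp_advertise(vrfs):
    """Every PE turns its VRF routes into VPNv4 routes tagged with the export
    RTs; this is the automatic spread of VPN membership information."""
    return [Vpnv4Route(v.rd, p, nh, frozenset(v.export_rt))
            for v in vrfs for p, nh in v.local_routes.items()]


def mp_bgp_import(vrfs, routes):
    """A VRF installs a VPNv4 route only if the route carries one of the VRF's
    import RTs.  Routes of other VPNs never reach the table, even when their
    prefixes overlap with ours, because the RD keeps them distinct."""
    for v in vrfs:
        v.table = dict(v.local_routes)        # locally attached sites first
        for r in routes:
            if r.rts & v.import_rt:
                v.table.setdefault(r.prefix, r.next_hop)


def lookup(vrf, dst):
    """Longest-prefix match confined to one VRF; None means unreachable."""
    addr = ip_address(dst)
    best = max((p for p in vrf.table if addr in p),
               key=lambda p: p.prefixlen, default=None)
    return vrf.table[best] if best is not None else None


def build_demo():
    """Two customers with overlapping 10.1.0.0/24 sites, plus a shared-service
    VPN that only customer red may reach (an RT-based extranet policy)."""
    n = ip_network
    red_pe1 = Vrf("red@PE1", "65000:1", {"65000:1"}, {"65000:1", "65000:100"},
                  {n("10.1.0.0/24"): "CE-red-1"})
    red_pe2 = Vrf("red@PE2", "65000:1", {"65000:1"}, {"65000:1", "65000:100"},
                  {n("10.2.0.0/24"): "CE-red-2"})
    blue_pe1 = Vrf("blue@PE1", "65000:2", {"65000:2"}, {"65000:2"},
                   {n("10.1.0.0/24"): "CE-blue-1"})   # same prefix as red
    blue_pe2 = Vrf("blue@PE2", "65000:2", {"65000:2"}, {"65000:2"},
                   {n("10.3.0.0/24"): "CE-blue-2"})
    shared = Vrf("shared@PE3", "65000:100", {"65000:100"}, {"65000:100", "65000:1"},
                 {n("192.168.100.0/24"): "CE-shared"})
    vrfs = [red_pe1, red_pe2, blue_pe1, blue_pe2, shared]
    mp_bgp_import(vrfs, mp_bgp_advertise(vrfs))
    return {v.name: v for v in vrfs}


if __name__ == "__main__":
    d = build_demo()
    for name, dst in [("red@PE2", "10.1.0.5"), ("blue@PE2", "10.1.0.5"),
                      ("red@PE2", "10.3.0.9"), ("blue@PE2", "192.168.100.10")]:
        print(f"{name:10} -> {dst:15} via {lookup(d[name], dst)}")
```

Looking up 10.1.0.5 from red's second site resolves to CE-red-1, while the same address looked up from blue's second site resolves to CE-blue-1: the overlapping prefix is no conflict, because each VRF only ever holds its own VPN's routes. Blue's 10.3.0.0/24 is simply absent from red's table, and the shared-service prefix appears only in the VRFs whose import list contains RT 65000:100, which is the policy lever the text refers to.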
Maintainability: to isolate the IP layers of different service systems with VLAN + ACL, a large number of ACL entries must be configured for each VLAN and on each layer-3 node, and the configuration work grows as N(N-1) with the number N of business systems to be isolated. MPLS VPN relies on VPN routing and forwarding instances (VRFs) for automatic isolation, so no ACL has to be configured for each CIDR block. Whereas VLANs and ACLs must be configured manually, MPLS VPN isolation and route distribution are carried out by the dynamic routing protocol, so the N-squared configuration problem does not arise, and the configuration workload is greatly reduced when the network is large.
Scalability: like ATM/FR VPN, VLAN + ACL has N-squared configuration; each time a VLAN or business system is added, the configuration of every existing business system must be modified, which causes serious scalability problems. When a new node or VPN is added to an MPLS VPN, the existing VPN configuration is unaffected, so scalability is excellent.
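To make the N(N-1) claim and the "every existing system must be modified" claim concrete, the following Python script generates the per-VLAN interface ACLs and the per-VPN VRF stanzas for a set of business systems and then measures what changes when one more system is added. It is an added example, not code from the original article; the system names, subnets and the Cisco-like ACL and VRF line syntax are constructed for illustration.

```python
"""Configuration-growth model behind the N(N-1) claim: per-VLAN interface ACLs
versus per-VPN VRF definitions.  Added example, not code from the article;
subnets, VRF names and the ACL/VRF line syntax are constructed (Cisco-like)."""


def vlan_acl_config(systems):
    """systems: {name: subnet}.  Each business VLAN's layer-3 interface needs
    an ACL with one explicit deny for every OTHER business subnet, so N
    systems produce N*(N-1) deny entries in total."""
    return {
        name: [f"deny ip {subnet} {other}"
               for other_name, other in systems.items() if other_name != name]
              + ["permit ip any any"]
        for name, subnet in systems.items()
    }


def mpls_vrf_config(systems, asn=65000):
    """Each business system becomes one VRF whose stanza names only itself;
    membership is expressed by the route target, not by listing the others."""
    return {
        name: [f"ip vrf {name}", f" rd {asn}:{i}", f" route-target both {asn}:{i}"]
        for i, name in enumerate(systems, start=1)
    }


def deny_entries(acl_cfg):
    """Total number of deny lines across all VLAN ACLs."""
    return sum(line.startswith("deny") for lines in acl_cfg.values() for line in lines)


def touched_existing(before, after):
    """How many pre-existing configuration objects had to change."""
    return sum(1 for name, lines in before.items() if after[name] != lines)


def add_system(systems, new_name, new_subnet):
    """Compare the two approaches when one business system is added."""
    grown = {**systems, new_name: new_subnet}
    acl_before, acl_after = vlan_acl_config(systems), vlan_acl_config(grown)
    vrf_before, vrf_after = mpls_vrf_config(systems), mpls_vrf_config(grown)
    return {
        "acl_entries_before": deny_entries(acl_before),
        "acl_entries_after": deny_entries(acl_after),
        "vlan_acls_rewritten": touched_existing(acl_before, acl_after),
        "vrfs_rewritten": touched_existing(vrf_before, vrf_after),
    }


# Constructed sample: four business systems on four VLANs.
SYSTEMS = {
    "erp": "10.10.0.0/24",
    "crm": "10.20.0.0/24",
    "oa": "10.30.0.0/24",
    "finance": "10.40.0.0/24",
}

if __name__ == "__main__":
    for line in vlan_acl_config(SYSTEMS)["erp"]:
        print("erp ACL:", line)
    print(add_system(SYSTEMS, "hr", "10.50.0.0/24"))
```

With four systems the VLAN approach already needs 12 deny entries (4 x 3); adding a fifth raises that to 20 and rewrites all four existing ACLs, while the VRF definitions of the four existing systems are untouched. Note that the model counts one layer-3 node; the text's point is that the ACL work is repeated on every layer-3 node as well.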
Security: because a VLAN is a single broadcast domain, it has serious security problems; MPLS VPN is implemented at layer 3, where broadcasts are naturally isolated, so this problem does not exist. VLAN + ACL also requires all hosts to be in the same address space, which gives a network attacker an opening. With MPLS VPN isolation, users outside a VPN cannot perceive its existence and therefore cannot attack the VPN's intranet. MPLS VPN can also work seamlessly with existing security technologies (such as IPsec) to secure data in transit.
Network stability: VLAN networks are prone to broadcast storms, which is another reason VLAN technology cannot be used in wide-area or other large networks. MPLS VPN is based on layer-3 isolation and has a clear hierarchical structure, so broadcast storms do not arise.
QoS: VLAN uses 802.1p to mark the service level of traffic, and queuing supports congestion management, but because of ASIC limitations the number and type of queues supported are limited, so QoS support for complex business applications is limited. MPLS QoS supports the mature DiffServ QoS model and can be combined with other IP/MPLS QoS technologies (such as RTP real-time queues, CBWFQ and LFI for real-time voice services) to guarantee the QoS of complex applications.
Network management: VLAN-based network management is simple, supports cluster management and makes device-level management easy to implement. Management of an MPLS VPN is more complex than VLAN-level management, but it can be organised around the VPN topology, which aids a global view of the network and network planning.

Comparison between MPLS VPN and IP tunnel VPN

IP VPNs based on IP tunnelling technologies, of which GRE is representative, are suited to building VPNs of limited scale and simple topology.
MPLS VPN uses automatically established LSPs (label-switched tunnels) to carry VPN packets across the public network and uses MP-BGP to distribute VPN private-network routing information, which greatly reduces the configuration work on each node. Because both the VPN tunnels (LSPs) and the distribution of VPN private-network routes are handled by dynamic protocols, adding a new node does not require modifying the configuration of existing nodes. Compared with other VPN technologies, a VPN built with MPLS therefore has better maintainability and scalability, and MPLS VPN is more suitable for building large, complex VPN networks.
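The paragraph above covers the data plane: VPN packets ride an LSP across the provider core. The following Python model is an added example (not code from the original article) of the two-label stack that makes this work: the outer transport label belongs to the LSP toward the egress PE, and the inner VPN label was allocated by that egress PE for one VRF and advertised with its VPNv4 routes. Router names, label values, prefixes and CE names are constructed sample values. The point it illustrates is that the core P router swaps only the transport label and never sees which VPN or which customer address a packet belongs to, so two customers using the same destination address can share one LSP and still be delivered to different sites.

```python
"""Data-plane model of an MPLS L3VPN: a two-label stack (transport label from
the LSP, VPN label chosen by the egress PE per VRF) carried PE1 -> P -> PE2.
Added example, not code from the article; router names, labels, prefixes and
CE names are constructed sample values."""
from ipaddress import ip_address, ip_network

# PE2 allocated one VPN label per VRF and advertised it with its VPNv4 routes.
PE2_VPN_LABEL = {"red": 2001, "blue": 2002}

# Ingress VRF tables on PE1: prefix -> (egress PE, VPN label).  Both VPNs use
# the overlapping 10.2.0.0/24 at their PE2 sites.
PE1_VRF = {
    "red":  {ip_network("10.2.0.0/24"): ("PE2", PE2_VPN_LABEL["red"])},
    "blue": {ip_network("10.2.0.0/24"): ("PE2", PE2_VPN_LABEL["blue"])},
}
# Egress VRF tables on PE2: prefix -> attached CE.
PE2_VRF = {
    "red":  {ip_network("10.2.0.0/24"): "CE-red-2"},
    "blue": {ip_network("10.2.0.0/24"): "CE-blue-2"},
}
# LSP toward PE2 signalled by the label distribution protocol:
# PE1 pushes 100, P swaps 100 -> 200, PE2 pops 200.
PE1_LSP = {"PE2": 100}
P_LFIB = {100: ("PE2", 200)}
PE2_VPN_TO_VRF = {label: vrf for vrf, label in PE2_VPN_LABEL.items()}


def lpm(table, dst):
    """Longest-prefix match in one table; None if no route."""
    addr = ip_address(dst)
    best = max((p for p in table if addr in p),
               key=lambda p: p.prefixlen, default=None)
    return table[best] if best is not None else None


def pe1_ingress(vrf, dst):
    """Look up dst in the customer's VRF and push [transport, vpn] labels."""
    hit = lpm(PE1_VRF[vrf], dst)
    if hit is None:
        return None                      # no VPN route: packet is dropped
    egress_pe, vpn_label = hit
    return {"dst": dst, "labels": [PE1_LSP[egress_pe], vpn_label], "at": "P"}


def p_transit(pkt):
    """A P router swaps only the top (transport) label; it never inspects the
    VPN label or the customer IP header."""
    next_hop, out_label = P_LFIB[pkt["labels"][0]]
    return {**pkt, "labels": [out_label] + pkt["labels"][1:], "at": next_hop}


def pe2_egress(pkt):
    """Pop the transport label, map the VPN label to a VRF, deliver to the CE."""
    _transport, vpn_label = pkt["labels"]
    vrf = PE2_VPN_TO_VRF[vpn_label]
    return lpm(PE2_VRF[vrf], pkt["dst"])


def forward(vrf, dst):
    """Return (stack pushed at PE1, stack after P's swap, delivering CE),
    or None when the ingress VRF has no route."""
    pkt = pe1_ingress(vrf, dst)
    if pkt is None:
        return None
    pushed = list(pkt["labels"])
    pkt = p_transit(pkt)
    return pushed, list(pkt["labels"]), pe2_egress(pkt)


if __name__ == "__main__":
    for vrf in ("red", "blue"):
        print(vrf, "10.2.0.7 ->", forward(vrf, "10.2.0.7"))
    print("red 10.3.0.9 ->", forward("red", "10.3.0.9"))
```

Both customers' packets to 10.2.0.7 leave PE1 with the same transport label 100 and are swapped identically by P; only the inner VPN label (2001 versus 2002) differs, and it is PE2 that uses it to select the VRF and hand the packet to CE-red-2 or CE-blue-2. Adding a third PE to this network means a new LSP and new VPNv4 advertisements, but no change to P's per-label forwarding logic or to the existing VRFs, which is the scalability argument of the paragraph.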
