Today, most of the attention in the virtual private network (VPN) market is focused on Internet-based VPNs. Don't be fooled. Such VPNs are over-hyped and are definitely not ready to be your customer's IP backbone for mission-critical applications requiring high reliability, consistent low latency and minimum bandwidth guarantees between sites.
The good news is there are other VPN architectures to choose from, so let's look at these and make an educated decision.
The first class of Internet-based VPNs overlays the Internet via IP tunnelling. This approach is very attractive from economic and connectivity standpoints. However, Internet-based VPNs have little real value as enterprise IP backbones because of the Net's unpredictability and vulnerability to intruders. The same considerations apply to roll-your-own VPNs, where the user owns and manages the tunnelling router or security platform.
A second class of overlay VPN involves IP tunnelling over an ISP's network. These VPNs generally don't support any form of class of service (CoS), can't offer bandwidth guarantees and are vulnerable to access bandwidth intruders.
Virtual circuit tunnelling
A third VPN architecture involves a different form of tunnelling: virtual circuit tunnelling, this time over Layer 2 frame relay or ATM permanent virtual circuits. This approach addresses enterprise requirements for availability, latency, CoS and security but suffers from two major problems: limited network knowledge and scalability.
IP and virtual circuit tunnelling severely limit the service provider's ability to monitor, troubleshoot and generate reports on a per-customer basis because what flows in the tunnels is only visible at the end points.
Scalability is limited by the number of routing adjacencies, which increases as the number of sites grows, and by the need to manage a potentially large number of tunnels or connections, one for each pair of sites.
So what's a customer to do? Overlay Internet-based VPNs are only an option if low cost is their objective and best-effort service is adequate.
If your customer has fewer than 10 sites, consider overlay VPNs from service providers that specialise in VPN service or Layer 2 VPNs. If they have more than 10 sites, Layer 3 VPNs with their scalable security and SLA guarantees are for you.