
Performance IPSec vs. MPLS

Imagine a user in San Francisco connects to New York via an IPsec tunnel (Internet):

a) If I go via an MPLS network instead, is the latency about the same as with IPSec?

b) How about average performance? What % performance decrease in applications should I consider when compared to MPLS, given the encryption demanded by the IPsec tunnel?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Performance IPSec vs. MPLS

Marlon

This is a difficult question to answer precisely. What can be said is that there are no performance guarantees on the Internet whereas with MPLS you will have some sort of SLAs with your service provider.

The other thing to bear in mind when comparing MPLS to Internet is availability.

As for performance, there will always be an additional overhead when using IPSEC but it can be somewhat alleviated by having a dedicated hardware module for the VPN encryption/decryption.

Jon

Super Bronze

Re: Performance IPSec vs. MPLS

As Jon notes, this is difficult because in any one instance, one might be better than the other.

In general, IPSec will add some latency for actual encryption and decryption, but with hardware it's usually little, but this also assumes that additional fragmentation isn't incurred because of IPSec. (Even then, IPSec with hardware performs well, but the platforms might not with general fragmentation.)

The two big factors for actual latency are overall distance (how the traffic actually physically flows end-to-end) and actual congestion.

In a place like the US, the latency is often very close although because of typical MPLS SLAs, MPLS latency is often less variable.

In a place far, far out, like some remote jungle, surprisingly Internet IPSec often performs better because there's more demand for Internet locally than private WAN. (I.e. the physical Internet build out is often better.)
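The fragmentation point raised in the reply above can be made concrete. The following is an added example, not part of the original thread: it computes the on-wire size of an ESP tunnel-mode packet and the number of IPv4 fragments it needs. The transform (AES-CBC with HMAC-SHA1-96 over IPv4, no NAT-T), the 1500-byte path MTU and the sample packet sizes are all assumptions chosen for illustration.

```python
import math

# Assumed transform: ESP tunnel mode over IPv4, AES-CBC + HMAC-SHA1-96, no NAT-T.
OUTER_IP = 20  # outer IPv4 header, no options
ESP_HDR = 8    # SPI (4 bytes) + sequence number (4 bytes)
IV = 16        # AES-CBC initialisation vector
BLOCK = 16     # AES block size; the encrypted payload is padded to a multiple
TRAILER = 2    # pad-length byte + next-header byte
ICV = 12       # HMAC-SHA1-96 integrity check value


def esp_packet_size(inner_len):
    """On-wire size of the tunnel packet carrying an inner IP packet."""
    padded = math.ceil((inner_len + TRAILER) / BLOCK) * BLOCK
    return OUTER_IP + ESP_HDR + IV + padded + ICV


def max_inner_without_fragmentation(path_mtu):
    """Largest inner packet whose ESP packet still fits in path_mtu."""
    room = path_mtu - OUTER_IP - ESP_HDR - IV - ICV
    return (room // BLOCK) * BLOCK - TRAILER


def ipv4_fragments(total_len, path_mtu):
    """Fragments needed to carry an IPv4 packet of total_len bytes."""
    if total_len <= path_mtu:
        return 1
    per_fragment = ((path_mtu - OUTER_IP) // 8) * 8  # offsets are in 8-byte units
    return math.ceil((total_len - OUTER_IP) / per_fragment)


def report(inner_sizes, path_mtu=1500):
    """Rows of (inner size, ESP size, added bytes, fragments on the path)."""
    rows = []
    for n in inner_sizes:
        total = esp_packet_size(n)
        rows.append((n, total, total - n, ipv4_fragments(total, path_mtu)))
    return rows


if __name__ == "__main__":
    # Constructed sample sizes: small packet, mid-size, largest that fits, full MTU.
    for inner, outer, extra, frags in report([64, 576, 1438, 1500]):
        print(f"inner={inner:5d} esp={outer:5d} overhead={extra:3d} fragments={frags}")
    print("max inner size for a 1500-byte path MTU:",
          max_inner_without_fragmentation(1500))
```

Under these assumptions a full 1500-byte inner packet leaves the gateway as two fragments, which is the extra cost the reply refers to; keeping inner packets at or below the computed maximum avoids it.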
