After having just spent months setting up a fairly complex VPN, I'm beginning to look at alternatives for the future. Some of my network providers use MPLS to connect to us, and I suppose it works fairly well. I know many ATM (automated teller machine) networks use MPLS, which I suppose is a vote of confidence for its security properties.
http://en.wikipedia.org/wiki/MPLS_VPN is rather succinct:
"MPLS VPN is a family of methods for harnessing the power of Multiprotocol Label Switching (MPLS) to create Virtual Private Networks (VPNs). MPLS is well suited to the task as it provides traffic isolation and differentiation without substantial overhead.
Layer 3 MPLS VPN
A layer 3 MPLS VPN, also known as L3VPN, combines enhanced BGP signaling, MPLS traffic isolation and router support for VRFs (Virtual Routing/Forwarding) to create an IP based VPN. Compared to other types of VPN such as IPSec VPN or ATM, MPLS L3VPN is more cost efficient and can provide more services to customers."
My question is: how cumbersome / expensive is it to set up an MPLS network? Is it the kind of thing where you can buy the hardware and DIY, or do you really need to go to a service provider? I can get "managed" VPNs for $100/month right now (I have no idea whether that is good or bad), so my five-partner IPSEC "hairpin" topology costs me 6,000 a year. Would that be better invested in MPLS?
Typical MPLS networks that I've been involved with (AT&T and Qwest-based) function as a "turnkey" network, with CPE being provided and configured by the network service provider. The experience I've had with MPLS networks has been the same as "managed" networks, both VPN and frame-relay based.
In practice, it's never been cumbersome for me at all, just costly. The provider brings in a router and a circuit, and typically hands off as Ethernet. You let them know about your topology beforehand, and they configure the "cloud" to switch your site-to-site traffic. Most MPLS offerings have an optional Internet service component such that you can offer Internet access to each site across the "cloud", or require that remote sites route their traffic through a virtual "hub" site to centralize Internet traffic for filtering / accounting / logging, etc.
Typically MPLS providers can provide some type of QoS for site-to-site traffic flows, alleviating the need for you to do that in your own equipment.
Providers tout the uptime of their MPLS solutions. Typically, though, failures occur at the local loop and not in the MPLS "cloud" itself. Your mileage with local loops will vary dramatically based on the COs where the loops originate. I deal with loops coming from COs that never have any problems, and I deal with loops coming from COs that have an outage every 6 months like clockwork.
You're relying wholly on the service provider's MPLS "cloud" to keep your traffic secure and segregated from their other MPLS customers. You could run additional tunneling protocols over their network, if you wanted to, but then you'd lose any QoS functionality that provider offers on the site-to-site traffic flows (since you'd be making your traffic into an opaque stream of encrypted traffic).
Cost / benefit should guide you. If you can get the service you need with the uptime you need at a cost that you like, jump on it. You should be "shopping" around connectivity options (keeping in mind existing contract terms) and seeing what's available that can give you better cost / benefit ratios.
If you're doing MPLS, you either need to control the network from end to end, or you need to work with your providers and have them facilitate setting up the MPLS tunnels from site to site. Mostly it's either you do it or they do it, and if they do it you're not really doing MPLS so much as just buying a service from a vendor, and it could be running on magic fungus as far as you know, as long as they meet their SLAs.