The common theory is that in networks, MPLS is preferred in terms of speed. But why is MPLS faster (or believed to be)? This is because it operates at layer 2.5, inserting a “shim” between layer 2 and layer 3. This shim is the FEC (Forwarding Equivalence Class). With each packet, a table builds up mapping the FEC with the packet, and where it should be routed to. When the router encounters packets that match the FEC, it consults this table, rather than the layer 3 routing table. Sounds reasonable, right?
The problem I have with this theory is this: how can adding more complexity actually make MPLS faster? It is like having a ladder and saying that it takes too long to get to the top of the ladder. Someone then comes up with the brilliant plan to add more rungs on the ladder, between the existing rungs. The ladder is the same height, but now you don’t need to stretch so far to get to the next rung. But you do have more rungs.
So, is MPLS faster than regular routing?
To test the theory, I will copy two files, one of one MB, another of ten MB from one machine (Site-B’s server) to another (Site-A’s server), and compare the speeds of OSPF routing, an IPSec VPN and MPLS.
Topology:
I have set this up in EVE-NG (because VIRL just pisses me off with its over-complexity), with two Ubuntu machines and three CSR-1000v routers. The hardware, platform, and everything else will be the same through all the tests. The load on the server does not change at any stage, so I think this is a fair comparison.
Default IP addressing and configs:
Site-A (Server): 10.1.1.10/24 GW 10.1.1.1
Site-A (Router):
Site-A(config-if)#do sh ip int bri | i up
GigabitEthernet1 10.1.1.1 YES manual up up
GigabitEthernet2 1.1.1.10 YES manual up up
Site-A(config-if)#
ISP:
ISP#sh ip int bri | i up
GigabitEthernet1 1.1.1.1 YES NVRAM up up
GigabitEthernet2 2.2.2.2 YES NVRAM up up
ISP#
Site-B (router):
Site-B#sh ip int bri | i up
GigabitEthernet1 2.2.2.20 YES NVRAM up up
GigabitEthernet2 20.2.2.2 YES NVRAM up up
Site-B#
Site-B (Server): 20.2.2.20/24 GW 20.2.2.2
You will also need to install the OpenSSH server on the Site-B server in order to use SCP:
sudo apt-get install openssh-server
The files are all downloaded using the following commands (and then deleted ready for the next test):
scp -v [email protected]:/home/osboxes/onemegfile .
scp -v [email protected]:/home/osboxes/tenmegfile .
Test 1: Regular routing
In this test, there will be end-to-end OSPF routing.
Configuration
Site-A(config)#router ospf 1
Site-A(config-router)#network 0.0.0.0 0.0.0.0 area 0
Site-A(config-router)#

ISP(config)#router ospf 1
ISP(config-router)#network 0.0.0.0 0.0.0.0 area 0
ISP(config-router)#

Site-B(config)#router ospf 1
Site-B(config-router)#network 0.0.0.0 0.0.0.0 area 0
Site-B(config-router)#
Results
One Meg file: 93.9 seconds – receiving 11193.6 bytes per second
Ten Meg file: 931.5 seconds – receiving 11266.0 bytes per second
Test 2: VPN
Now we will remove the OSPF configuration, add some static routes and set up an IPSec VPN between Site-A and Site-B.
Configuration
ISP(config)#no router ospf 1
ISP(config)#

Site-A(config)#no router ospf 1
Site-A(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
Site-A(config)#
Site-A(config)#crypto isakmp policy 10
Site-A(config-isakmp)# hash md5
Site-A(config-isakmp)# authentication pre-share
Site-A(config-isakmp)#
Site-A(config-isakmp)#crypto isakmp key vpnuser address 2.2.2.20
Site-A(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
Site-A(cfg-crypto-trans)#exit
Site-A(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Site-A(config-crypto-map)# set peer 2.2.2.20
Site-A(config-crypto-map)# set transform-set myset
Site-A(config-crypto-map)# match address 100
Site-A(config-crypto-map)#
Site-A(config-crypto-map)#exit
Site-A(config)#ip access-list extended 100
Site-A(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 20.2.2.0 0.0.0.255
Site-A(config)#int gi 2
Site-A(config-if)# crypto map mymap
Site-A(config-if)#
*Aug 3 19:00:17.774: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Site-A(config-if)#

Site-B(config)#no router ospf 1
Site-B(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.2
Site-B(config)#crypto isakmp policy 10
Site-B(config-isakmp)# hash md5
Site-B(config-isakmp)# authentication pre-share
Site-B(config-isakmp)#
Site-B(config-isakmp)#crypto isakmp key vpnuser address 1.1.1.10
Site-B(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
Site-B(cfg-crypto-trans)#
Site-B(cfg-crypto-trans)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Site-B(config-crypto-map)# set peer 1.1.1.10
Site-B(config-crypto-map)# set transform-set myset
Site-B(config-crypto-map)# match address 100
Site-B(config-crypto-map)#
Site-B(config-crypto-map)#
Site-B(config-crypto-map)#int gi 1
Site-B(config-if)# crypto map mymap
Site-B(config-if)#exit
Site-B(config)#ip access-list extended 100
Site-B(config-ext-nacl)#1 permit ip 20.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Site-B(config)#
*Aug 3 19:00:42.027: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Site-B(config)#
Results
One Meg file: 101.1 seconds – receiving 10399.9 bytes per second
Ten Meg file: 995.3 seconds – receiving 10543.7 bytes per second
Test 3: MPLS
Now, let’s remove the VPN configuration, and set up MPLS. The easiest way to do this is to reboot the routers (if you haven’t saved your work).
Configuration
Site-A:
hostname Site-A
!
ip vrf InterSite
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
interface Loopback0
 ip address 101.101.101.101 255.255.255.255
!
interface GigabitEthernet1
 ip vrf forwarding InterSite
 ip address 10.1.1.1 255.255.255.0
 ip ospf 100 area 0
 negotiation auto
!
interface GigabitEthernet2
 ip address 1.1.1.10 255.255.255.0
 negotiation auto
 mpls ip
!
router ospf 100 vrf InterSite
 router-id 1.1.1.1
 redistribute bgp 65000 subnets
!
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 101.101.101.101 0.0.0.0 area 0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 111.111.111.111 remote-as 65000
 neighbor 111.111.111.111 update-source Loopback0
 !
 address-family vpnv4
  neighbor 111.111.111.111 activate
  neighbor 111.111.111.111 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf InterSite
  redistribute ospf 100
 exit-address-family
!
end
ISP:
hostname ISP
!
ip vrf InterSite
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
interface Loopback0
 ip address 110.110.110.110 255.255.255.255
!
interface GigabitEthernet1
 ip address 1.1.1.1 255.255.255.0
 negotiation auto
 mpls ip
!
interface GigabitEthernet2
 ip address 2.2.2.2 255.255.255.0
 negotiation auto
 mpls ip
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
end
Site-B:
hostname Site-B
!
ip vrf InterSite
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
interface Loopback0
 ip address 111.111.111.111 255.255.255.255
!
interface GigabitEthernet1
 ip address 2.2.2.20 255.255.255.0
 negotiation auto
 mpls ip
!
interface GigabitEthernet2
 ip vrf forwarding InterSite
 ip address 20.2.2.2 255.255.255.0
 ip ospf 100 area 0
 negotiation auto
!
router ospf 100 vrf InterSite
 router-id 3.3.3.3
 redistribute bgp 65000 subnets
!
router ospf 1
 network 2.2.2.0 0.0.0.255 area 0
 network 111.111.111.111 0.0.0.0 area 0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 101.101.101.101 remote-as 65000
 neighbor 101.101.101.101 update-source Loopback0
 !
 address-family vpnv4
  neighbor 101.101.101.101 activate
  neighbor 101.101.101.101 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf InterSite
  redistribute ospf 100
 exit-address-family
!
end
Results:
One Meg file: 94.1 seconds – receiving 11180.8 bytes per second
Ten Meg file: 940.0 seconds – receiving 11164.5 bytes per second
Overall Results comparison
Time (seconds) | Routing | IPSec VPN | MPLS |
---|---|---|---|
One Meg file | 93.9 | 101.1 | 94.1 |
Ten Meg file | 931.5 | 995.3 | 940.0 |
Winner: Routing.
Bytes per second | Routing | IPSec VPN | MPLS |
---|---|---|---|
One Meg file | 11193.6 | 10399.9 | 11180.8 |
Ten Meg file | 11266.0 | 10543.7 | 11164.5 |
Winner: IPSec VPN.
Is MPLS faster? Conclusion
In the tests, MPLS performed slightly better than IPsec VPNs in terms of overall speed, but lower than standard OSPF routing. When we look at bytes per second, it was faster than OSPF routing but slower than the IPSec VPN, which is actually a little surprising, given that MPLS uses a smaller overhead than IPSec does.
Whichever way you look at it, MPLS was not faster than the other solutions. MPLS is a great technology, don’t get me wrong. It works well when you need to maintain separation of data that uses the same subnets, but the idea that it is faster than other solutions is unwarranted. It’s just shifting the table lookups higher up.
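To put numbers on the overhead comparison in the conclusion, the following added example (not code from the original post) computes the bytes each encapsulation adds to one packet: ESP tunnel mode with the post's `esp-des esp-md5-hmac` transform set, and an MPLS label stack. The 1500-byte inner packet, the two-label stack (transport plus VPN label), the AES-256/SHA-256 transform shown for comparison, and all function names are assumptions; the model counts bytes on the wire only and ignores CPU cost and fragmentation.

```python
from dataclasses import dataclass

OUTER_IPV4 = 20   # new IPv4 header added by ESP tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length (1 byte) + next-header (1 byte)
MPLS_LABEL = 4    # one MPLS label stack entry

@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int    # CBC cipher block size in bytes (also the IV length)
    icv: int      # truncated integrity check value in bytes

# Transform set from the post, plus an assumed modern one for comparison.
DES_MD5 = EspTransform("esp-des esp-md5-hmac", block=8, icv=12)
AES_SHA256 = EspTransform("esp-aes 256 esp-sha256-hmac", block=16, icv=16)

def esp_tunnel_size(inner_len: int, t: EspTransform) -> int:
    """Wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    # Inner packet plus trailer is padded up to a whole number of cipher blocks.
    body = inner_len + ESP_TRAILER
    padded = ((body + t.block - 1) // t.block) * t.block
    return OUTER_IPV4 + ESP_HEADER + t.block + padded + t.icv

def mpls_size(inner_len: int, labels: int = 2) -> int:
    """Size of an IP packet carrying `labels` MPLS label stack entries."""
    return inner_len + labels * MPLS_LABEL

def report(inner_len: int = 1500) -> dict:
    """Map each encapsulation to (wire bytes, share of bytes that are payload)."""
    sizes = {
        "plain IP": inner_len,
        "MPLS, 2 labels": mpls_size(inner_len, 2),
        DES_MD5.name: esp_tunnel_size(inner_len, DES_MD5),
        AES_SHA256.name: esp_tunnel_size(inner_len, AES_SHA256),
    }
    return {k: (v, round(inner_len / v, 4)) for k, v in sizes.items()}

if __name__ == "__main__":
    for name, (size, share) in report().items():
        print(f"{name:30s} {size:5d} bytes  payload share {share:.4f}")
```
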
I don’t think performance tests like these should be run in a virtual environment. Real hardware uses ASICs to offload some tasks so you will get completely different results depending on which hardware platforms you use.
But surely, running these tests without the benefit of ASICs keeps everything even? Besides, what came first, the ASIC to help MPLS, or the idea of MPLS? Extracting the benefit of ASICs should mean a truer result.
Early implementations of label switching were said to be quicker than switching IP packets on a CPU, due to added complexity of an IP lookup vs a label lookup.
With today’s implementations and advancements in ASIC technologies, speed is a non-issue. Things like BGP-free core become MPLS drivers.
You can read more about it in MPLS Fundamentals by Luc de Ghein
Hi, I’m having kind of mixed feelings about the book. Not due to its contents, but more so due to its age – and therefore lack of newer insights/comparisons, etc.
Would you recommend reading the book you stated or do you have any other, more up-to-date one? (of course there is Stuart’s book too).
Thanks.
Bytes per second winner ???? Routing not IPSec VPN.