Is MPLS faster?

The common theory is that in networks, MPLS is preferred in terms of speed. But why is MPLS faster (or believed to be)? This is because it operates at layer 2.5, inserting a “shim” between layer 2 and layer 3. This shim is the FEC (Forwarding Equivalency Class). With each packet, a table builds up mapping the FEC with the packet, and where it should be routed to. When the router encounters packets that match the FEC, they consult this table, rather than the layer 3 routing table. Sounds reasonable, right?

The problem I have with this theory is that how can adding more complexity actually make MPLS faster? It is like having a ladder and saying that it takes too long to get to the top of the ladder. Someone then comes up with the brilliant plan to add more rungs on the ladder, between the existing rungs. The ladder is the same height, but now you don’t need to stretch so far to get to the next rung. But you do have more rungs.

So, is MPLS faster than regular routing?

To test the theory, I will copy two files, one of one MB, another of ten MB from one machine (Site-B’s server) to another (Site-A’s server), and compare the speeds of OSPF routing, an IPSec VPN and MPLS.

Topology:

I have set this up in EVE-NG (because VIRL just pisses me off with its over-complexity), with two Ubuntu machines and three CSR-1000v routers. The same hardware, platform, and everything will be the same through all the tests. The load on the server does not change at any stage, so I think this is a fair comparison.

MPLS faster: Topology

Default IP addressing and configs:

Site-A (Server): 10.1.1.10/24 GW 10.1.1.1

Site-A (Router):

Site-A(config-if)#do sh ip int bri | i up
GigabitEthernet1 10.1.1.1 YES manual up up
GigabitEthernet2 1.1.1.10 YES manual up up
Site-A(config-if)#

ISP:

ISP#sh ip int bri | i up
GigabitEthernet1 1.1.1.1 YES NVRAM up up
GigabitEthernet2 2.2.2.2 YES NVRAM up up
ISP#

Site-B (router):

Site-B#sh ip int bri | i up
GigabitEthernet1 2.2.2.20 YES NVRAM up up
GigabitEthernet2 20.2.2.2 YES NVRAM up up
Site-B#

Site-B (Server): 20.2.2.20/24 GW 20.2.2.2

You will also need to install the OpenSSH server on the Site-B server in order to use SCP:

sudo apt-get install openssh-server

The files are all downloaded using the following commands (and then deleted ready for the next test):

scp -v [email protected]:/home/osboxes/onemegfile .

scp -v [email protected]:/home/osboxes/tenmegfile .

Test 1: Regular routing

In this test, there will be end-to-end OSPF routing.

Configuration

Site-A(config)#router ospf 1
Site-A(config-router)#network 0.0.0.0 0.0.0.0 area 0
Site-A(config-router)#

ISP(config)#router ospf 1
ISP(config-router)#network 0.0.0.0 0.0.0.0 area 0
ISP(config-router)#

Site-B(config)#router ospf 1
Site-B(config-router)#network 0.0.0.0 0.0.0.0 area 0
Site-B(config-router)#

Results

One Meg file: 93.9 seconds – receiving 11193.6 bytes per second

MPLS faster: test 1: One Meg

Ten Meg file: 931.5 seconds – receiving 11266.0 bytes per second

MPLS faster: test 1: Ten Meg

 

Test 2: VPN

Now we will remove the OSPF configuration, add some static routes and set up an IPSec VPN between Site-A and Site-B.

Configuration

ISP(config)#no router ospf 1
ISP(config)#

Site-A(config)#no router ospf 1
Site-A(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
Site-A(config)#
Site-A(config)#crypto isakmp policy 10
Site-A(config-isakmp)# hash md5
Site-A(config-isakmp)# authentication pre-share
Site-A(config-isakmp)#
Site-A(config-isakmp)#crypto isakmp key vpnuser address 2.2.2.20
Site-A(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
Site-A(cfg-crypto-trans)#exit
Site-A(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Site-A(config-crypto-map)# set peer 2.2.2.20
Site-A(config-crypto-map)# set transform-set myset
Site-A(config-crypto-map)# match address 100
Site-A(config-crypto-map)#
Site-A(config-crypto-map)#exit
Site-A(config)#ip access-list extended 100
Site-A(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 20.2.2.0 0.0.0.255
Site-A(config)#int gi 2
Site-A(config-if)# crypto map mymap
Site-A(config-if)#
*Aug 3 19:00:17.774: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Site-A(config-if)#

Site-B(config)#no router ospf 1
Site-B(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.2
Site-B(config)#crypto isakmp policy 10
Site-B(config-isakmp)# hash md5
Site-B(config-isakmp)# authentication pre-share
Site-B(config-isakmp)#
Site-B(config-isakmp)#crypto isakmp key vpnuser address 1.1.1.10
Site-B(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
Site-B(cfg-crypto-trans)#
Site-B(cfg-crypto-trans)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Site-B(config-crypto-map)# set peer 1.1.1.10
Site-B(config-crypto-map)# set transform-set myset
Site-B(config-crypto-map)# match address 100
Site-B(config-crypto-map)#
Site-B(config-crypto-map)#
Site-B(config-crypto-map)#int gi 1
Site-B(config-if)# crypto map mymap
Site-B(config-if)#exit
Site-B(config)#ip access-list extended 100
Site-B(config-ext-nacl)#1 permit ip 20.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Site-B(config)#
*Aug 3 19:00:42.027: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Site-B(config)#

Results

One Meg file: 101.1 seconds – receiving 10399.9 bytes per second

MPLS faster: test 2: One Meg

Ten Meg file: 995.3 seconds – receiving 10543.7 bytes per second

MPLS faster: test 2: Ten Meg

 

Test 3: MPLS

Now, let’s remove the VPN configuration, and set up MPLS. The easiest way to do this is reboot the routers (if you haven’t saved your work).

Configuration

Site-A:

hostname Site-A
!
ip vrf InterSite
  rd 65000:100
  route-target export 65000:100 
  route-target import 65000:100
!
interface Loopback0
  ip address 101.101.101.101 255.255.255.255
!
interface GigabitEthernet1
  ip vrf forwarding InterSite
  ip address 10.1.1.1 255.255.255.0
  ip ospf 100 area 0
  negotiation auto
!
interface GigabitEthernet2
  ip address 1.1.1.10 255.255.255.0
  negotiation auto
  mpls ip
!
router ospf 100 vrf InterSite
  router-id 1.1.1.1
  redistribute bgp 65000 subnets
!
router ospf 1
  network 1.1.1.0 0.0.0.255 area 0
  network 101.101.101.101 0.0.0.0 area 0
!
router bgp 65000
  bgp log-neighbor-changes
  neighbor 111.111.111.111 remote-as 65000
  neighbor 111.111.111.111 update-source Loopback0
  !
  address-family vpnv4
    neighbor 111.111.111.111 activate
    neighbor 111.111.111.111 send-community extended
    exit-address-family
  !
  address-family ipv4 vrf InterSite
    redistribute ospf 100
    exit-address-family
!
end

ISP:

hostname ISP
!
ip vrf InterSite
  rd 65000:100  
  route-target export 65000:100
  route-target import 65000:100
!
interface Loopback0
  ip address 110.110.110.110 255.255.255.255
!
interface GigabitEthernet1
  ip address 1.1.1.1 255.255.255.0
  negotiation auto  
  mpls ip
!
interface GigabitEthernet2
  ip address 2.2.2.2 255.255.255.0
  negotiation auto
  mpls ip
!
router ospf 1
  network 0.0.0.0 255.255.255.255 area 0
!
end

Site-B:

hostname Site-B
!
ip vrf InterSite
  rd 65000:100
  route-target export 65000:100
  route-target import 65000:100
!
interface Loopback0
  ip address 111.111.111.111 255.255.255.255
!
interface GigabitEthernet1
  ip address 2.2.2.20 255.255.255.0
  negotiation auto
  mpls ip
!
interface GigabitEthernet2
  ip vrf forwarding InterSite
  ip address 20.2.2.2 255.255.255.0
  ip ospf 100 area 0
  negotiation auto
!
router ospf 100 vrf InterSite
  router-id 3.3.3.3
  redistribute bgp 65000 subnets
!
router ospf 1
  network 2.2.2.0 0.0.0.255 area 0
  network 111.111.111.111 0.0.0.0 area 0
!
router bgp 65000
  bgp log-neighbor-changes
  neighbor 101.101.101.101 remote-as 65000
  neighbor 101.101.101.101 update-source Loopback0
  !
  address-family vpnv4
    neighbor 101.101.101.101 activate
    neighbor 101.101.101.101 send-community extended
    exit-address-family
  !
  address-family ipv4 vrf InterSite
    redistribute ospf 100
    exit-address-family
  !
end

Results:

One Meg file: 94.1 seconds – receiving 11180.8 bytes per second

MPLS faster: test 3: One Meg

Ten Meg file: 940.0 seconds – receiving 11164.5 bytes per second

MPLS faster: test 3: Ten Meg

 

Overall Results comparison

Speed (seconds)
Routing IPSec VPN MPLS
 One Meg file 93.9 101.1 94.1
 Ten Meg file 931.5 995.3 940.0

Winner: Routing.

Bytes per Second
Routing IPSec VPN MPLS
 One Meg file 11193.6 10399.9 11180.8
 Ten Meg file 11266.0 10543.7 11164.5

Winner: IPSec VPN.

Is MPLS faster? Conclusion

In the tests, MPLS performed slightly better than IPsec VPNs in terms of overall speed, but lower than standard OSPF routing. When we look at bytes per second, it was faster than OSPF routing but slower than the IPSec VPN, which is actually a little surprising, given that MPLS uses a smaller overhead than IPSec does.

Which ever way you look at it, MPLS was not faster than the other solutions. MPLS is a great technology, don’t get me wrong. It works well when you need to maintain separation of data that uses the same subnets, but the idea that it is faster than other solutions is unwarranted. It’s just shifting the table lookups higher up.

5 Comments

  1. Tom August 6, 2017
    • Stuart Fordham August 6, 2017
  2. Steve September 15, 2017
    • Martin March 8, 2018
  3. Craig March 31, 2019

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.