A Better Build

Back when we designed our retail networks, we realized that we also had to create a scalable and robust WAN architecture for our retail expansion. With this came the tough decision of which technologies to use: basic IPSEC tunnels, dynamic VPN protocols, or a managed MPLS network. To top it off, we had limited experience with all of them. We struggled with decisions for months and researched everything under the sun (or, actually, just the internet). But, finally, we arrived at a decision.

As we continue to expand (and our retail ambitions grow), we are moving to embrace a more scalable corporate WAN architecture than our basic Check Point IPSEC tunnels.

Throughout our search, we kept in mind these three key requirements:

  1. Our WAN needs to be highly scalable
  2. Our WAN traffic must be protected; it contains sensitive customer billing and prescription data
  3. Our WAN needs to be highly available and capable of withstanding ISP and hardware failures

We compared a few options that we thought could meet these requirements:

  1. Private MPLS network (a managed network through a single ISP)
  2. Cisco DMVPN (a Cisco-proprietary, distributed VPN protocol)
  3. GETVPN (an open alternative to DMVPN)

After an extensive internal review—plus support from multiple external network consultants—we were able to establish a summary of our findings (below).

Advantages, DMVPN/GETVPN:

  • Scales to hundreds of sites (when using distributed head ends)
  • ISP-agnostic
  • Utilizes typical commercial circuits, which are more cost effective
  • Can easily create a simple template for rolling out new sites
  • All sites can communicate directly via dynamically created tunnels

Advantages, MPLS:

  • Scales to hundreds of sites
  • Highly reliable with guaranteed vendor SLAs
  • Guaranteed latency provides excellent service (such as for real-time multimedia across the WAN, VOIP, etc.)
  • No decryption overhead for MPLS necessary
  • All sites can communicate directly through MPLS network

Disadvantages, DMVPN/GETVPN:

  • Cannot guarantee latency (with commercial lines)
  • Potentially dealing with many ISPs (SLAs, etc.)
  • Encryption overhead requires correct sizing of head ends
  • Requires large initial investment for head ends

Disadvantages, MPLS:

  • Expensive circuits (3x the price of commercial lines at the same bandwidth)
  • May require backup IPSEC VPN for redundancy
  • Powerful/expensive VPN endpoints needed at DC (for backup VPN)
  • Locked in long-term with one ISP
  • Long lead time for MPLS line installation (90-120 days)
  • MPLS provider may not be available in all locations

The main advantage of MPLS is the fully managed network from a single provider. This allows unparalleled network performance, especially relating to network latency, which is critical for streaming real-time multimedia protocols such as VOIP and audio/video streaming.

However, this advantage comes at a cost. From our analysis, MPLS circuits cost much more than their unmanaged counterparts by a factor of three or more. These circuits would be too expensive to justify redundant MPLS links for all sites, so we would need a second, more affordable ISP for a backup IPSEC network. We would then be managing two separate systems, which greatly complicates operations and is not ideal. From reference conversations with other companies that used MPLS, we learned management can still take quite a bit of work—an increased cost does not always lead to reduced headaches.

The main advantage for DMVPN or GETVPN is that they are ISP agnostic. When choosing new retail sites, we can be reasonably assured that one or two ISPs will be available—something we could not guarantee with a single MPLS provider. In addition, these commercial circuits are much more cost effective in a dollars/Mbps comparison.

Due to the nature of DMVPN and GETVPN, it is simple to have two overlapping DMVPN networks for redundancy. Conveniently, this eliminates the need to manage two separate topologies.

The main disadvantage is that these commercial circuits make no latency guarantees. This can cause problems when using real-time multimedia protocols. However, based on our usage projections, we decided this drawback did not outweigh the benefits of DMVPN or GETVPN.

In the end, both MPLS and DMVPN/GETVPN offered many of the same advantages and met all of our design goals. However, we felt that the excellent performance guarantees provided by MPLS did not justify the increased cost, vendor lock-in, installation difficulties, inflexibility, and the need for a backup VPN.

As for the decision between DMVPN and GETVPN, upon comparison they share many of the same advantages and disadvantages. The subtle differences between these two technologies could warrant their own article, but the technical advantages, lower costs, and open nature of GETVPN eventually won out, since choosing it prevents vendor lock-in.
