BellSouth® Managed Network VPN Service
Next-Generation Network Services for Today’s Business Needs
Presentation Overview
• Traditional WAN Solutions
• VPN Overview
• MPLS Overview
• BellSouth Network VPN
• Value Added Services
• SLA and CNM
• Customer Scenario
• Summary
Traditional WAN Solutions
The Case for Change: It’s Complicated and Expensive for Both of Us
• Historically…
– Separate edge and core networks built for each service offering
– Services and networks that address single applications well but do not individually address a broad range of customer needs
– Individually highly scalable, robust and stable network platforms
• Forcing Customers to…
– Invest time, money and resources into different platforms
– Purchase disparate networks based on service need
– Perform network integration and their own access aggregation
– Split applications based on networking capabilities
– Prioritize investments across applications
[Diagram: “We never met a network we didn’t like…” – separate Frame Relay, DIA, GigE, Internet, ATM/Frame Relay, Voice and DSL networks]
Data Network Migration Strategy
[Diagram: Current Environment (separate Internet, Frame Relay, Private Line, ATM and Ethernet networks, each reached over its own Frame Relay, DSL or Private Line access) → “Migration Path” (Managed IP Connectivity Services) → Desired State: Network IP VPN Environment]
• Challenges
– Integrating disparate networks
– Managing disparate networks
– Capacity planning, extending connectivity
– Costly, complex CPE
– Multiple WAN connections cost and complexity
• Solutions
– Management simplification – one platform
– Enables network and applications convergence
– Shifts complexity/investments to the provider
– Connectionless architecture – more efficient
– Inter-LATA, limitless reach
Evolving Network Solutions
Market Assessment
[Chart: functionality increasing over time, Private Line → Frame Relay/ATM → MPLS IP VPN]
• Private Line: High performance; High security
• Frame Relay/ATM: Lower cost; Improved scalability; Quality of service; High performance; High security
• MPLS IP VPN: Class of Service for IP; Simplified connectivity (easy any-to-any connectivity); Simplified addressing; Simplified network topology; Simplified L2 and L3 administration; Increased flexibility (more access options); Lower cost; Improved scalability; IP-based network recovery; Simple migration from Frame Relay; Quality of service; High performance; High security
VPN Overview
A VPN By Any Other Name…
VPN Types
• CPE Based VPNs (IPSec)
– Routers
– Firewalls
– VPN Concentrators
– IPSec Client Software
• Network Based VPNs
– Layer 2 VPNs (Point-to-Point): ATM, Frame Relay
– Layer 3 (IP-VPNs): Managed Network VPN Service – MPLS/BGP (RFC 2547)
IP VPN Models – CPE vs. Network
[Diagram: CPE-based VPN – Branches and Headquarters joined by IP tunnels across the Internet; Network-based VPN – Branches and Headquarters joined by IP partitioning/tunnels across the carrier’s backbone]
• CPE-based VPN
– First Generation IP VPN network
– Implemented over the public Internet
– Security is provided via IPSec
– Can be difficult to scale
– May require expensive CPE
– Difficult to control QoS
• Network-based VPN
– Next Generation MPLS network
– Implemented over a private IP backbone
– Intelligence resides in the cloud
– Provides Any-to-Any connectivity
– Designed for converged IP services
– Provides QoS/CoS capabilities
Network VPN Drivers
Capability – Customer Needs
• Secure WAN Connectivity
– Cost-effective WAN connectivity for branch offices & business partners
– Access options
– Nationwide coverage
• Remote User Connectivity
– Secure connectivity for remote users
– Cost-effective end-user helpdesk
– Secure Internet access for remote users
– Ubiquitous coverage
• Internet Access
– Secure Internet access for all sites/users
– Single, integrated solution from one provider
– Segmentation of private WAN traffic from Internet traffic
• Network Management
– Performance Guarantees
– Network performance reports
– User administration tools
MPLS Overview
What is MPLS?
Multiprotocol Label Switching
• A standard for switching packets over an IP Network using labels or tags that contain forwarding information attached to IP packets
[Diagram: MPLS Core Network – CE devices attach to PE devices (one VRF per customer on the PE); PEs forward across LSRs in the core]
LSR = Label Switch Router
PE = Provider Edge Device
CE = Customer Edge Device
VRF = Virtual Route Forwarding
How Does It Work?
• Combines the security and reliability of traditional Layer 2 services (i.e. frame relay, ATM) with the efficiencies of IP networking
• Forwards packets based on labels
• Packets are switched, not routed
• Labels represent destination and may carry service attributes (CoS, Privacy-VPNs, traffic engineering)
What Does MPLS Provide?
Capability – MPLS Provides
• Secure WAN Connectivity: MPLS securely segments traffic using customer specific labels to ensure that traffic is not visible to other customers or across the public Internet
• Outsourcing of complexity: MPLS moves routing decisions away from CPE to the provider network, allowing for any-to-any configurations without complex and potentially expensive CPE
• Scalability: MPLS is scalable, supporting thousands of VPNs
• Building block for converged services: MPLS is designed to transport a variety of application types, i.e. VoIP, Video over IP, email, SAP, etc.
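To make the “How Does It Work?” and “What Does MPLS Provide?” points concrete, here is an added toy model of RFC 2547-style MPLS/BGP VPN forwarding. It is written for this page and is not BellSouth’s or any vendor’s code; the PE and LSR names, port names, prefixes and label values are all constructed. The model shows why two customers can both use 10.1.0.0/24 without their traffic mixing (each CE-facing port consults only its own VRF, and the egress PE selects the customer by VPN label), and why a core LSR never reads the customer’s IP header. It also makes visible the caveat the comparison table in the back-up materials raises: the payload is segmented, not encrypted.

```python
"""Toy model of RFC 2547-style MPLS/BGP VPN forwarding (added illustration,
not BellSouth code). Two customers, "acme" and "globex", both number a site
10.1.0.0/24. The PE keeps one VRF per CE-facing port and pushes a VPN label
chosen by the egress PE; core LSRs swap only the outer transport label and
never look at the customer IP header or payload. All names and label values
are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst_ip: str
    payload: bytes
    labels: list = field(default_factory=list)  # label stack; labels[-1] is the outer label


class VRF:
    """Per-customer routing table held on a PE: prefix -> (egress PE, VPN label)."""

    def __init__(self, name):
        self.name = name
        self.routes = {}

    def add_route(self, prefix, egress_pe, vpn_label):
        self.routes[ipaddress.ip_network(prefix)] = (egress_pe, vpn_label)

    def lookup(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]  # longest match


class PE:
    def __init__(self, name, lsp_to):
        self.name = name
        self.lsp_to = lsp_to          # egress PE name -> transport label that reaches it
        self.port_vrf = {}            # CE-facing port -> VRF used for that customer's packets
        self.vpn_label_port = {}      # VPN label this PE advertised -> CE-facing port

    def attach(self, port, vrf, vpn_label):
        self.port_vrf[port] = vrf
        self.vpn_label_port[vpn_label] = port

    def ingress(self, port, pkt):
        """CE -> PE: consult only the VRF of the arrival port, then push VPN + transport labels."""
        route = self.port_vrf[port].lookup(pkt.dst_ip)
        if route is None:
            raise LookupError(f"{pkt.dst_ip} is not reachable from VRF {self.port_vrf[port].name}")
        egress_pe, vpn_label = route
        pkt.labels.append(vpn_label)
        pkt.labels.append(self.lsp_to[egress_pe])
        return pkt

    def egress(self, pkt):
        """PE -> CE: pop the transport label, then let the VPN label pick the customer port."""
        pkt.labels.pop()
        return self.vpn_label_port[pkt.labels.pop()]


class LSR:
    def __init__(self, name, swap):
        self.name = name
        self.swap = swap  # incoming transport label -> (next hop name, outgoing label)

    def forward(self, pkt):
        next_hop, out_label = self.swap[pkt.labels[-1]]  # IP header and payload are never read
        pkt.labels[-1] = out_label
        return next_hop


def build_topology():
    """PE-A (hub sites) -- LSR-1 -- PE-B (branches); both customers overlap on 10.1.0.0/24."""
    acme_a, globex_a = VRF("acme"), VRF("globex")
    acme_a.add_route("10.1.0.0/24", "PE-B", 1001)     # acme branch behind PE-B
    globex_a.add_route("10.1.0.0/24", "PE-B", 1002)   # globex branch, same prefix, own label
    globex_a.add_route("10.9.0.0/24", "PE-B", 1002)   # a prefix only globex advertises
    pe_a = PE("PE-A", lsp_to={"PE-B": 100})
    pe_a.attach("acme-hq", acme_a, 2001)
    pe_a.attach("globex-hq", globex_a, 2002)
    pe_b = PE("PE-B", lsp_to={"PE-A": 300})
    pe_b.attach("acme-branch", VRF("acme"), 1001)
    pe_b.attach("globex-branch", VRF("globex"), 1002)
    lsr = LSR("LSR-1", swap={100: ("PE-B", 200), 300: ("PE-A", 400)})
    return {"PE-A": pe_a, "PE-B": pe_b, "LSR-1": lsr}


def send(topology, ingress_pe, port, dst_ip, payload=b"hello"):
    """Walk one packet PE -> LSR -> PE and return (egress CE port, payload as delivered)."""
    pkt = topology[ingress_pe].ingress(port, Packet(dst_ip, payload))
    hop = topology["LSR-1"].forward(pkt)
    egress_port = topology[hop].egress(pkt)
    # The label stack is gone, but the payload crossed the core in the clear:
    # the labels segment customers, they do not encrypt anything.
    return egress_port, pkt.payload


if __name__ == "__main__":
    topo = build_topology()
    print(send(topo, "PE-A", "acme-hq", "10.1.0.5"))    # ('acme-branch', b'hello')
    print(send(topo, "PE-A", "globex-hq", "10.1.0.5"))  # ('globex-branch', b'hello')
```

A packet from acme-hq to a prefix that only globex advertises raises LookupError at the ingress PE: the address simply does not exist in acme’s VRF, which is the isolation property the slide describes. Note what the model does not do: nothing on the path checks who sent the payload or encrypts it, which is why the deck pairs the MPLS core with IPSec for off-net sites and remote users.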
BellSouth Managed Network VPN Services
The BellSouth Regional IP Backbone
[Map: regional backbone nodes – Louisville (SDF), Owensboro (OWB), Georgetown (BGK), Nashville (BNA), Memphis (MEM), Huntsville (HSV), Jackson (JAN), Baton Rouge (BTR), Lafayette (LFT), Athens (AHN), Stone Mt (ASM), Macon (MCN), Shreveport (SHV), Slidell (SLD), New Orleans (MSY), Biloxi (BIX), Montgomery (MGM), Mobile (MOB), Pensacola (PNS), Greensboro (GSO), Arden (ARD), Chattanooga (CHA), Birmingham (BHM), Winston Salem (INT), Knoxville (TYS), Charlotte (CLT), Spartanburg (SBG), Greenville (GSP), Florence (FLO), Columbia (CAE), Augusta (AGS), Raleigh (RDU), Wilmington (ILM), Charleston (CHS), Savannah (SAV), Albany (ABY), Panama City (PFN), Gainesville (GNV), Jacksonville (JAX), Daytona Beach (DAB), Orlando (MCO), Cocoa Beach (COI), Stuart (SUA), West Palm Beach (PBI), Boca Raton (BCT), Ft. Lauderdale (FLL), Miami (MIA)]
Attributes:
• 3 high speed IPOPs provide diversity and redundancy (Atlanta, Miami, and New Orleans)
• Consolidation of multiple IntraLATA IP networks into 1 core IP network enables BellSouth to maintain control of network traffic from end-to-end
Customer Benefits…
• Overcomes LATA boundaries
• Redundancy for high reliability
• Cornerstone for future information service capabilities
• Moves routing complexity into the BellSouth network
Network VPN Nationwide Availability
[Map: BellSouth Network VPN Service coverage – In-Franchise and Out-of-Franchise areas]
Network VPN is:
– Available across the continental United States via close to 1200 access POPs
– A BellSouth Managed Network Services (MNS) offering on a single contract and single bill for ALL customer locations
BellSouth® Managed Network VPN
Connecting the Entire Organization
[Diagram: Headquarters and Branch Offices connect directly to the BellSouth MPLS Network; an Extranet Partner (IPSec), a Branch Office (IPSec) and a Remote User (IPSec client) reach it across the Internet through the Firewall & IPSec Gateway; Network-based Internet Access Service is attached to the MPLS network]
Customer benefits…
• Consolidated remote user access and site-to-site networking
• Flexibility to aggregate multiple access types (i.e. Private Line, Frame Relay, DSL, Metro E)
• “Off-Net” capabilities for connecting remote users and Extranet partners via the BellSouth IPSec Gateway
• Integrated Internet access via network-based firewall
BellSouth® Site-to-Site Service
[Diagram: Headquarters and Branch Offices attach to the BellSouth MPLS Network via access option 1; the Extranet Partner (IPSec) and Branch Office (IPSec) attach via access option 2 across the Internet and the Firewall & IPSec Gateway; Network-based Internet Access Service is attached to the MPLS network]
Site-to-Site Service Access Options:
1. Frame Relay, Private Line, DSL, Metro Ethernet (2Q06), ATM (limited availability)
2. IPSec Access via BellSouth IPSec gateway
Optional Services:
– eMRS Complementary Managed Router Service (soft-bundle) option
– Internet access with firewall feature
– Equipment purchase, installation and maintenance services
Access Types – Site-to-Site
Managed Network VPN Site-to-Site Service Access Types
• In-Franchise
– Site-to-Site Private IP DSL
– BellSouth Private Line Service
– BellSouth Frame Relay Service
– Metro Ethernet (2Q06)
– ATM (limited availability)
– BellSouth Integrated Solutions (BIS-T1)
• Out-of-Franchise
– DSL (in limited areas)
– Private Line
– Net VPN with BSLD* Extension: Frame Relay, Private Line, DSL, Frame over DSL
• Off-Net
– IPSec connectivity to the MPLS cloud via BellSouth IPSec gateway
Remote User Service (Off-Net IPSec)
[Diagram: Remote Users (IPSec client) reach the BellSouth MPLS Network across the Internet through the Firewall & IPSec Gateway]
Remote User Service:
• Available via any Internet connection (BellSouth or third party ISP) using BellSouth provided IPSec client software
• AAA User Authentication required – customer provided (AAA Proxy) or BellSouth hosted
• Tiered pricing based on minimum number of unique users per month
• Optional: network-based Internet access with managed firewall feature
Class of Service
CoS is an optional service that allows for prioritization of traffic on a per application basis:
1. Real-Time: Suitable for IP voice applications
2. Interactive: Suitable for IP video applications
3. Priority Business: Suitable for business critical data applications
4. Best Effort: Suitable for non-critical data (e.g. email, general web surfing)
BellSouth Network VPN offers three levels of service to meet your CoS needs:
1. Standard: Single class (Best Effort)
2. CoS Basic: Two classes (Best Effort and Business Priority)
3. CoS Premium: Four classes (Best Effort, Business Priority, Interactive, Real-Time)
Class of Service
Network VPN CoS Levels of Service
• Standard
– Transport Types: Private Line, Frame Relay, DSL, ATM, Metro Ethernet (when available)
– Classes Supported: Best effort
– SLAs: Core (availability SLA includes access and CPE)
– Packages: Port Only; Port + Access; Port + Access + CPE
• CoS Basic
– Transport Types: Private Line, Frame Relay, ATM, Metro Ethernet (when available) (min speed: 128K)
– Classes Supported: Priority business; Best effort
– SLAs: Core (availability SLA includes access and CPE)
– Packages: Port Only; Port + Access; Port + Access + CPE
• CoS Premium
– Transport Types: Private Line, Frame Relay, ATM, Metro Ethernet (when available) (min speed: 128K)
– Classes Supported: Real-time; Interactive; Priority business; Best effort
– SLAs: Core and CoS Premium access SLAs for sites with >= 768K and P+A+CPE
– Packages: Port Only; Port + Access; Port + Access + CPE
Value-Added Services
Secure Internet Access
Secure Internet Access via Network-based Firewall
• Internet access is provided via the Network VPN “cloud”
• Two levels of firewall service are available; Basic and Advanced
• Subscription to a firewall service is required for Internet access
Firewall Features
Basic Internet Access Features
• Provisioning and configuration
• Outbound Only Rule Set
• Initial design and implementation of rule base
• DNS Caching
• Support for Network Address Translation (NAT)
• 24X7 Monitoring of the firewall platform
• Firewall administration and backup
• Help desk support
• Firewall logging
• Service level agreements
• (1) Public IP address
Advanced Internet Access Features
• Inbound and Outbound Rule Sets
• DNS Caching or DNS hosting
• Support for inbound NAT translation
• Support for physical DMZ
• Up to (15) Public IP addresses
Additional Value Added Services
• Equipment and Professional Services
– Equipment: Cisco, Nortel, Telco, Adtran
– Professional Services:
• Staging, Configuration, Installation and Project Management
• Equipment Maintenance
• Managed Router Service
– Real-time Monitoring and Management of Customer Routers
– For all “On-Net” site-to-site transport types (Private Line, frame relay, and DSL)
SLAs and CNM
Network VPN SLAs/SLOs
Core SLA’s - Regional (In-Franchise) & National "On-Net" S2S Services
Measurement: Best Effort / Priority Business / Interactive / Real-Time
• Latency (roundtrip): <=55 ms / <=50 ms / <=50 ms / <=45 ms
• Jitter (roundtrip): NA / NA / NA / <=2 ms
• Packet Delivery: >=99.60% / >=99.70% / >=99.80% / >=99.90%
Access SLA’s - Regional (In-Franchise) "On-Net" S2S Services
Access Circuit SLA Targets – Targets for Real Time Class of Service (Regional Network VPN Service)
• Latency (roundtrip): <=50 ms
• Jitter (roundtrip): <=5 ms
• Packet Delivery: >=99.90%
• Core SLA’s apply from edge to edge of the MPLS network. This summarized information is outlined in the actual SLA and is subject to the limitations set forth in the Network VPN Service Description.
• SLA’s Exclude Private IP Site-to-Site DSL
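As an added example (not BellSouth’s reporting code), the following Python reads a constructed probe log and checks each class of service against the Core SLA targets above, and the Real-Time class against the access circuit targets. The log format, the aggregation rule (mean round-trip latency and jitter over the period, packet delivery as total received over total sent) and every sample value are assumptions made for this example; the slide does not define how the measurements are taken, so a real report would follow the methodology in the SLA document it refers to.

```python
"""SLA compliance check for the Core and Access SLA tables (added illustration,
not BellSouth's reporting code). The thresholds are the ones the slide lists;
the probe log format, the aggregation rule and all sample values are
assumptions constructed for this example."""
import re
from statistics import mean

# Core SLA targets per class of service, as listed on the slide. None = no jitter target (NA).
CORE_SLA = {
    "Best Effort":       {"latency_ms": 55, "jitter_ms": None, "delivery_pct": 99.60},
    "Priority Business": {"latency_ms": 50, "jitter_ms": None, "delivery_pct": 99.70},
    "Interactive":       {"latency_ms": 50, "jitter_ms": None, "delivery_pct": 99.80},
    "Real-Time":         {"latency_ms": 45, "jitter_ms": 2,    "delivery_pct": 99.90},
}
# Access circuit targets, which the slide defines for the Real-Time class only.
ACCESS_SLA = {"Real-Time": {"latency_ms": 50, "jitter_ms": 5, "delivery_pct": 99.90}}

# Constructed probe log: one line per measurement window, key=value fields.
SAMPLE_LOG = """\
2006-03-01T00:00 class="Best Effort" rtt_ms=52.0 jitter_ms=4.0 sent=1000 recv=997
2006-03-01T00:05 class="Best Effort" rtt_ms=54.0 jitter_ms=5.0 sent=1000 recv=996
2006-03-01T00:00 class="Priority Business" rtt_ms=49.0 jitter_ms=3.0 sent=1000 recv=999
2006-03-01T00:05 class="Priority Business" rtt_ms=53.0 jitter_ms=3.0 sent=1000 recv=998
2006-03-01T00:00 class="Interactive" rtt_ms=48.0 jitter_ms=2.0 sent=1000 recv=998
2006-03-01T00:05 class="Interactive" rtt_ms=50.0 jitter_ms=2.0 sent=1000 recv=997
2006-03-01T00:00 class="Real-Time" rtt_ms=44.0 jitter_ms=1.5 sent=1000 recv=1000
2006-03-01T00:05 class="Real-Time" rtt_ms=44.0 jitter_ms=3.1 sent=1000 recv=999
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_probes(text):
    """Turn log lines into dicts; quoted values lose their quotes, numbers become floats/ints."""
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        probes.append({
            "class": fields["class"],
            "rtt_ms": float(fields["rtt_ms"]),
            "jitter_ms": float(fields["jitter_ms"]),
            "sent": int(fields["sent"]),
            "recv": int(fields["recv"]),
        })
    return probes


def aggregate(probes):
    """Per-class values for the period: mean latency, mean jitter, delivery ratio in percent."""
    by_class = {}
    for p in probes:
        by_class.setdefault(p["class"], []).append(p)
    result = {}
    for cls, rows in by_class.items():
        sent = sum(r["sent"] for r in rows)
        recv = sum(r["recv"] for r in rows)
        result[cls] = {
            "latency_ms": round(mean(r["rtt_ms"] for r in rows), 2),
            "jitter_ms": round(mean(r["jitter_ms"] for r in rows), 2),
            "delivery_pct": round(100.0 * recv / sent, 2),
        }
    return result


def check_sla(probes, sla=CORE_SLA):
    """Return {class: {metric: (measured, target)}} for every metric that misses its target.
    Classes with no entry in `sla` (e.g. Best Effort against the access SLA) are skipped."""
    breaches = {}
    for cls, measured in aggregate(probes).items():
        targets = sla.get(cls)
        if targets is None:
            continue
        missed = {}
        if measured["latency_ms"] > targets["latency_ms"]:
            missed["latency_ms"] = (measured["latency_ms"], targets["latency_ms"])
        if targets["jitter_ms"] is not None and measured["jitter_ms"] > targets["jitter_ms"]:
            missed["jitter_ms"] = (measured["jitter_ms"], targets["jitter_ms"])
        if measured["delivery_pct"] < targets["delivery_pct"]:
            missed["delivery_pct"] = (measured["delivery_pct"], targets["delivery_pct"])
        if missed:
            breaches[cls] = missed
    return breaches


if __name__ == "__main__":
    for cls, missed in check_sla(parse_probes(SAMPLE_LOG)).items():
        for metric, (got, target) in missed.items():
            print(f"{cls}: {metric} measured {got}, target {target}")
```

On the constructed log, Priority Business misses its latency target, Interactive misses packet delivery, and Real-Time misses the 2 ms core jitter target while still meeting the looser 5 ms access circuit target, which is the kind of distinction a customer reading the two tables side by side needs to keep straight.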
Network VPN SLAs/SLOs (Cont.)
Managed Network VPN Service Level Agreements
• Installation: >= 90% of all sites on time
• Network availability: >= 99.90%
Internet Access with Firewall Feature SLA's
• Firewall rule base change implementation: Basic: <= 12 hours; Advanced: <= 4 hours
• Proactive firewall monitoring: <= 15 minutes
Customer Network Management (CNM)
CNM is a secure Internet-based portal that allows customers to view their BellSouth Network VPN service functionality, including:
• Remote User Management & Reporting
• IPSec Client Download
• Security Management
• Network Performance Reporting
• Trouble Management
• Order Status
Example Customer Scenario
Pre/Post Network VPN
Example Company – Acme, Inc.
Scenario: New network deployment, extending current network to other locations or overhaul of existing network
Customer Network Needs:
• LAN to LAN connectivity
– 5 sites growing to 10
– 1 HQ, 2 branch offices and 2 remote offices
• Remote access connectivity
– 20 Users growing to 200
– Mix of both company provided and end user provided transport
• Secure Internet access for all sites and remote users
– DS1 growing to Fractional DS3
Key Network Decision Drivers:
• Utilize most cost effective access method to connect sites
• Minimize complexity in order to minimize management costs
• Scalable solution without requiring significant upgrade costs
• Minimize capital expenditures
• Long term, Acme would like to migrate to one network for voice, video and data
• Will require a fully meshed network
Pre-Network VPN Solution
[Diagram: Headquarters – customer premise router and VPN device on (1) DS1 with (2) PVCs into a Layer 2 only Frame Relay Network (Frame Relay, DS1); Branch Offices and Branch/Remote Sites each on Frame Relay (128K) with their own router; Remote Users over DSL, dial, ISDN or cable access using an IPSec Client across the Internet into the Customer IP Network]
Network VPN Solution
[Diagram: Headquarters on Frame Relay (DS1) and Private Line into the BellSouth MPLS Network; Branch Offices and Branch/Remote Sites on Frame Relay (128K) and S2S Private IP DSL with a customer premise router; “On-Net” Remote Users over BellSouth® FastAccess® DSL / FastAccess® Telecommute DSL; “Off-Net” Remote Users over DSL, dial, ISDN or cable access using an IPSec Client across the Internet into the BellSouth IPSec Gateway]
BellSouth Managed Network VPN Summary
Network VPN Summary - BellSouth Delivers
• Secure WAN Connectivity
– Customer Needs: Cost-effective WAN connectivity for branch offices & business partners; Access options; Nationwide coverage
– Network VPN Provides: Single network for intranet & extranet connectivity; Nationwide Support for multiple access types (i.e. DSL, Frame Relay, Private Line); IPSec connectivity for “Off-Net” locations
• Remote User Connectivity
– Customer Needs: Secure connectivity for remote users; Cost-effective end-user helpdesk; Secure Internet access for remote users; Ubiquitous coverage
– Network VPN Provides: IPSec client & AAA authentication; 24x7 end-user helpdesk; Internet access via network-based firewall; Connectivity using any Internet access
• Internet Access
– Customer Needs: Secure Internet access for all sites/users; Single, integrated solution from one provider; Segmentation of private WAN traffic from Internet traffic
– Network VPN Provides: Customized network-based firewall; Single port for WAN & Internet connectivity; Virtual firewall technology segments WAN traffic from the public Internet
• Network Management
– Customer Needs: Performance Guarantees; Network performance reports; User administration tools
– Network VPN Provides: Competitive Proactive SLA’s; Performance reports via web-based portal; Network management via web-based portal
Back-up Materials
Traditional Approach Using Frame Relay
[Diagram: Typical Deployment vs. Desired State]
• Cost and complexity typically result in less than optimal network topologies (i.e. hub and spoke with multiple PVCs, overbuilt hubs, costly NNI arrangements)
• Potential bottlenecks and single points of failure
• Responsibility for functional integration and network management typically falls on the customer
– Does not address remote access needs
– Access aggregation and integration further increases cost and complexity
Who Benefits from the BellSouth Managed Network VPN Service?
• Organizations that need wide area connectivity
• Organizations seeking cost-effective backup/disaster recovery solutions for their existing legacy WANs
• Organizations forming extranets with highly dynamic and meshed network traffic requirements
• Organizations with strong telecommuting initiatives
• Organizations deploying new IP-based applications:
– Supply Chain Management (SCM)
– Enterprise Resource Planning (ERP)
– Customer Relationship Management (CRM)
BellSouth Managed Network VPN Service
Summary of Benefits
• Reduced complexity in your network operations
– BellSouth provides all necessary equipment, facilities and support – one fixed monthly fee (includes ongoing network monitoring and administration)
– Fully meshed networks can be easily deployed without the cost and complexity associated with traditional Layer 2 networking services
– SLAs assure service quality
• Greater flexibility to support a wide range of applications
– Extended reach to branch offices, remote workers, customers, suppliers and partners
– New sites and users can be quickly and easily deployed
– Class of Service capabilities allow application specific prioritization
• Lower total cost of ownership
– Shift complexity from customer premise to provider’s network
– Reduce capital investments (All customers need is a basic router at their premise)
– Enables future convergence of voice and data services via a robust integrated IP/MPLS-based network
Companies can leverage the capabilities of a carrier class, shared IP infrastructure while maintaining the "look and feel" of their own private network.
WAN Technologies Comparison
Criteria compared across “Layer 2” Services (Private Line, Frame Relay) and IP VPN Services (CPE-based, Network-based)
• Perceived Cost
– Private Line: Highest cost solution
– Frame Relay: Viewed as cost effective for hub-and-spoke networks
– CPE-based IP VPN: Perceived to be less expensive than Frame since it leverages the Internet for connectivity
– Network-based IP VPN: Lowered capital expenditure and operational expenditure (due to limited number of VPN devices at customer premise); Viewed as cost effective
• Scalability
– Private Line: Least scalable solution
– Frame Relay: Scalable for hub-and-spoke designs
– CPE-based IP VPN: IP is scalable but configuring individual location CPE is an administrative challenge
– Network-based IP VPN: Highest scalability for large networks; Network-based IP VPNs are fully meshed in nature and pre-configured; IP VPN virtually defined by the provider within its network
• Perceived Security
– Private Line: Perceived to be secure due to dedicated circuits but lacks encryption and authentication
– Frame Relay: Perceived to be secure but lacks encryption and authentication
– CPE-based IP VPN: IPSec is perceived to be very secure but additional CPE (i.e. firewalls) may be required to effectively guard against Internet based threats
– Network-based IP VPN: Basic configuration perceived as secure from POP to POP and on par with Frame Relay; Lack of end to end encryption may be perceived as less secure than CPE-based solutions
Source: TeleChoice (March 2002)
Content Source: BellSouth In$ite
CNM Back-up Materials
Remote User Management and Reports
Types of Reports
• Audit Report
– By date
– By user
• Average Session Length Trend
• Hosted Usage
• Hosted User Session
• Session Graph Trend
• Top 15 Usage
• Usage Graph Trend
Note: Ability to export to Excel
Example SLA Report
[Screenshot: Phase I – report sent via e-mail]
CNM – User Administration
Add New User to a Department
Step 1: Select Department
Step 2: Add User Information
Step 3: Save New User
CNM Remote User – Client Download
CNM: Firewall Policy Change Request
CNM: Submit Trouble Ticket
Network VPN CNM – User Administration Tool
Types Of Users and Role/Capabilities
• Company Administrator
– Set up new departments
– Assign department administrator
– Add/delete users by department
– Password reset
– Generate Usage Reports
• Department Administrator
– Add/delete users by department
– Password reset
– Generate Usage Reports
• End User
– Download IPSec Client
– Password reset
BellSouth is Listening
Your needs are our concerns
Private Lines Coverage for Out of Region Sites
– Private Line
• Nationwide Network VPN service has 100% PL coverage of the Continental US
• Nationwide Network VPN service can be accessed from close to 1200 domestic POPs, including 50 in BellSouth territory
– Initially Continental US locations supported only
• Can support International sites via IPSec access to MPLS network
Nationwide DSL Coverage for Out of Region Sites
• Coverage in 60 markets
• DSL access requires specific supported CPE make and models
[Map: DSL markets – Seattle, Portland, Minneapolis, Milwaukee, Grand Rapids, Chicago, Sacramento, Detroit, Indianapolis, San Francisco, San Jose, Salt Lake City, Kansas City, Denver, Las Vegas, St. Louis, Santa Barbara, Phoenix, Los Angeles, Albuquerque, Memphis, San Diego, Tucson, Pittsburgh, Louisville, Richmond, Norfolk, Greensboro, Raleigh, Charlotte, Greenville, Columbia, Nashville, Birmingham, Dallas, Boston/Providence, Hartford, New York, Newark, Philadelphia/Harrisburg, Baltimore/DC, Columbus, Dayton, Cleveland, Atlanta, Charleston, Jacksonville, Austin, Orlando, San Antonio, Houston, New Orleans, Tampa, Miami]
DSL Speed – Routers
• 1.5M x 384 Kbps: Broadxent 8120
• 192 x 192 Kbps, 384 x 384 Kbps, 768 x 768 Kbps: Efficient Networks 5851, Netopia 4652-T