Post on 30-Mar-2015
BellSouth® Managed Network VPN Service
Next-Generation Network Services for Today’s Business Needs
Presentation Overview
• Traditional WAN Solutions
• VPN Overview
• MPLS Overview
• BellSouth Network VPN
• Value Added Services
• SLA and CNM
• Customer Scenario
• Summary
Traditional WAN Solutions
The Case for Change: It’s Complicated and Expensive for Both of Us
• Historically…
– Separate edge and core networks built for each service offering
– Services and networks that address single applications well but do not individually address a broad range of customer needs
– Individually highly scalable, robust and stable network platforms
• Forcing Customers to…
– Invest time, money and resources into different platforms
– Purchase disparate networks based on service need
– Perform network integration and their own access aggregation
– Split applications based on networking capabilities
– Prioritize investments across applications
We never met a network we didn’t like… (DSL, DIA, GigE, Voice, Frame Relay, ATM/Frame Relay, Internet)
• Solutions
– Management simplification – one platform
– Enables network and applications convergence
– Shifts complexity/investments to the provider
– Connectionless architecture – more efficient
– Inter-LATA, limitless reach
• Challenges
– Integrating disparate networks
– Managing disparate networks
– Capacity planning, extending connectivity
– Costly, complex CPE
– Multiple WAN connections cost and complexity
Data Network Migration Strategy (diagram)
Current Environment: separate ATM, Private Line, Frame Relay and Internet Access networks, each reached over its own access (Frame Relay, DSL or Private Line).
“Migration Path”: consolidate onto Managed IP Connectivity Services.
Desired State: a Network IP VPN environment, with Ethernet and Internet Access carried over the same managed IP connectivity.
Evolving Network Solutions
Private Line
• High performance
• High security
Frame Relay/ATM
• Lower cost
• Improved scalability
• Quality of service
• High performance
• High security
MPLS IP VPN
• Class of Service for IP
• Simplified connectivity (easy any-to-any connectivity)
• Simplified addressing
• Simplified network topology
• Simplified L2 and L3 administration
• Increased flexibility (more access options)
• IP-based network recovery
• Simple migration from Frame Relay
• Lower cost
• Improved scalability
• Quality of service
• High performance
• High security
(Diagram axes: Functionality vs. Time)
MPLS IP VPNs build upon traditional Layer 2 technologies, promising a higher order of service capabilities.
Market Assessment
VPN Overview
A VPN By Any Other Name…
VPN Types:
• Network-based, Layer 2 VPNs (point-to-point): ATM, Frame Relay
• Network-based, Layer 3 IP VPNs: Managed Network VPN Service (MPLS/BGP, RFC 2547, since superseded by RFC 4364)
• CPE-based, Layer 3 IP VPNs (IPSec): routers, firewalls, VPN concentrators, IPSec client software
IP VPN Models – CPE vs. Network
CPE-based VPN (IP tunnels across the Internet between headquarters and branches):
• First Generation IP VPN network
• Implemented over the public Internet
• Security is provided via IPSec
• Can be difficult to scale
• May require expensive CPE
• Difficult to control QoS
Network-based VPN (IP partitioning inside the carrier’s backbone):
• Next Generation MPLS network
• Implemented over a private IP backbone
• Intelligence resides in the cloud
• Provides Any-to-Any connectivity
• Designed for converged IP services
• Provides QoS/CoS capabilities
Network VPN Drivers
Capability: Customer Needs
• Secure WAN Connectivity: cost-effective WAN connectivity for branch offices & business partners; access options; nationwide coverage
• Remote User Connectivity: secure connectivity for remote users; cost-effective end-user helpdesk; secure Internet access for remote users; ubiquitous coverage
• Internet Access: secure Internet access for all sites/users; single, integrated solution from one provider; segmentation of private WAN traffic from Internet traffic
• Network Management: performance guarantees; network performance reports; user administration tools
MPLS Overview
What is MPLS?
Multiprotocol Label Switching
• A standard for switching packets over an IP Network using labels or tags that contain forwarding information attached to IP packets
LSR = Label Switch Router; PE = Provider Edge device; CE = Customer Edge device; VRF = VPN Routing and Forwarding table (often expanded as Virtual Routing and Forwarding)
(Diagram: an MPLS core network of LSRs; PE routers at the edge, each holding a separate VRF per customer; CE routers at the customer sites attached to the PEs.)
How Does It Work?
• Combines the security and reliability of traditional Layer 2 services (i.e. Frame Relay, ATM) with the efficiencies of IP networking
• Forwards packets based on labels
• Inside the core, packets are label-switched rather than IP-routed; the PE performs the IP lookup in the customer’s VRF at the edge and pushes the labels
• Labels represent the destination and may carry service attributes (CoS, privacy/VPNs, traffic engineering)
What Does MPLS Provide?
Capability: MPLS Provides
• Secure WAN Connectivity: MPLS segments traffic by keeping each customer’s routes in its own VRF and forwarding them with customer-specific labels, so traffic is not visible to other customers and never crosses the public Internet. This is separation, not encryption: packets travel in the clear inside the provider backbone (the comparison in the back-up materials notes the lack of end-to-end encryption), so data that must be protected from the provider itself still needs IPSec or application-layer encryption.
• Outsourcing of complexity: MPLS moves routing decisions away from CPE to the provider network, allowing any-to-any configurations without complex and potentially expensive CPE
• Scalability: MPLS is scalable, supporting thousands of VPNs
• Building block for converged services: MPLS is designed to transport a variety of application types, i.e. VoIP, Video over IP, email, SAP, etc.
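The two slides above describe labels, VRFs and per-customer separation in words. The following is an added example written for this page (not BellSouth code) that models the mechanism in Python: two customers that both number a site 10.1.0.0/16, per-customer VRFs on the PE routers keyed by route distinguisher, a two-label stack, and a core LSR that holds only a label table. All router names, labels, route distinguishers and addresses are made up; the route-distinguisher and penultimate-hop-popping conventions follow RFC 4364, the successor of the RFC 2547 cited earlier. Note what the core router records: it forwards on the outer label alone, and the IP payload passes through it unencrypted.

```python
"""Toy model of an MPLS/BGP VPN (RFC 2547, now RFC 4364): per-customer VRFs on
the PE routers, a two-label stack, and core LSRs that forward on labels only.
Added example, not BellSouth's code.  Router names, labels, route
distinguishers and addresses are made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    labels: list = field(default_factory=list)  # label stack, top of stack first


@dataclass
class VRF:
    name: str
    rd: str                                      # route distinguisher, e.g. "65000:1"
    routes: dict = field(default_factory=dict)   # prefix -> ("local", ce) | ("remote", egress_pe, vpn_label)

    def lookup(self, dst):
        """Longest-prefix match confined to this VRF's own table."""
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.routes if addr in p]
        if not matches:
            raise LookupError(f"{dst} is not reachable in VRF {self.name}")
        return self.routes[max(matches, key=lambda p: p.prefixlen)]

    def vpn_ipv4_routes(self):
        """Route keys as MP-BGP carries them (RD + prefix): overlapping customer prefixes stay distinct."""
        return {f"{self.rd}:{p}" for p in self.routes}


class LSR:
    """Core P router: a label table and nothing else, so it never consults the IP header."""

    def __init__(self, lfib):
        self.lfib = lfib   # in_label -> ("swap", out_label, next_hop) | ("pop", None, next_hop)
        self.seen = []     # what the core observed, recorded only to make the point in the text

    def receive(self, pkt, net):
        action, out_label, next_hop = self.lfib[pkt.labels[0]]
        self.seen.append({"label": pkt.labels[0], "payload_in_clear": pkt.payload})
        if action == "swap":
            pkt.labels[0] = out_label
        else:                      # penultimate hop popping: hand the egress PE just the VPN label
            pkt.labels.pop(0)
        return net[next_hop].receive(pkt, net)


class PE:
    def __init__(self, transport_label=None, first_hop=None):
        self.vrfs = {}                                 # VRF name -> VRF (one per CE-facing interface)
        self.vpn_labels = {}                           # VPN label this PE allocated -> its VRF
        self.transport_label = transport_label or {}   # egress PE -> outer label to push
        self.first_hop = first_hop or {}               # egress PE -> next core router

    def add_vrf(self, vrf, vpn_label=None):
        self.vrfs[vrf.name] = vrf
        if vpn_label is not None:
            self.vpn_labels[vpn_label] = vrf

    def ingress(self, pkt, vrf_name, net):
        """CE-facing side: the interface fixes the VRF before any IP lookup happens."""
        route = self.vrfs[vrf_name].lookup(pkt.dst)
        if route[0] == "local":
            return self._deliver(vrf_name, route[1], pkt)
        _, egress_pe, vpn_label = route
        pkt.labels = [self.transport_label[egress_pe], vpn_label]   # outer transport, inner VPN
        return net[self.first_hop[egress_pe]].receive(pkt, net)

    def receive(self, pkt, net):
        """Egress side: the VPN label, not the IP header, selects the VRF for the final lookup."""
        vrf = self.vpn_labels[pkt.labels.pop(0)]
        route = vrf.lookup(pkt.dst)
        return self._deliver(vrf.name, route[1], pkt)

    @staticmethod
    def _deliver(vrf_name, ce, pkt):
        return {"vrf": vrf_name, "ce": ce, "dst": pkt.dst, "payload": pkt.payload}


def build_network():
    """PE1 --- P1 --- PE2; customers 'acme' and 'beta' both number their far site 10.1.0.0/16."""
    net = {"P1": LSR({1001: ("pop", None, "PE2")}),
           "PE1": PE(transport_label={"PE2": 1001}, first_hop={"PE2": "P1"}),
           "PE2": PE()}
    site = ipaddress.ip_network("10.1.0.0/16")
    for name, rd, label, ce in (("acme", "65000:1", 100, "acme-site2"),
                                ("beta", "65000:2", 200, "beta-site2")):
        net["PE1"].add_vrf(VRF(name, rd, {site: ("remote", "PE2", label)}))
        net["PE2"].add_vrf(VRF(name, rd, {site: ("local", ce)}), vpn_label=label)
    dmz = ipaddress.ip_network("192.168.50.0/24")       # a prefix that exists only in beta's VRFs
    net["PE1"].vrfs["beta"].routes[dmz] = ("remote", "PE2", 200)
    net["PE2"].vrfs["beta"].routes[dmz] = ("local", "beta-dmz")
    return net


def send(net, ingress_pe, vrf_name, src, dst, payload):
    """Inject a packet at a PE's CE-facing interface and return where it was delivered."""
    return net[ingress_pe].ingress(Packet(src, dst, payload), vrf_name, net)
```

Calling send(build_network(), "PE1", "acme", "10.1.0.5", "10.1.2.3", b"acme data") lands at acme-site2 and the same destination sent from the beta VRF lands at beta-site2, while acme cannot reach beta's 192.168.50.0/24 at all. The point for a practitioner: the isolation depends entirely on the provider’s VRF and label configuration, which is why the comparison later on this page rates the network-based option as secure “from POP to POP” but without end-to-end encryption.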
BellSouth Managed Network VPN Services
The BellSouth Regional IP Backbone (map of POPs): Augusta (AGS), New Orleans (MSY), Baton Rouge (BTR), Biloxi (BIX), Slidell (SLD), Cocoa Beach (COI), Orlando (MCO), Jacksonville (JAX), Gainesville (GNV), Daytona Beach (DAB), Miami (MIA), Ft. Lauderdale (FLL), Boca Raton (BCT), West Palm Beach (PBI), Stuart (SUA), Athens (AHN), Macon (MCN), Albany (ABY), Savannah (SAV), Montgomery (MGM), Birmingham (BHM), Huntsville (HSV), Chattanooga (CHA), Panama City (PFN), Pensacola (PNS), Mobile (MOB), Nashville (BNA), Knoxville (TYS), Louisville (SDF), Georgetown (BGK), Owensboro (OWB), Florence (FLO), Charleston (CHS), Columbia (CAE), Greenville (GSP), Spartanburg (SBG), Charlotte (CLT), Arden (ARD), Jackson (JAN), Greensboro (GSO), Winston Salem (INT), Wilmington (ILM), Raleigh (RDU), Shreveport (SHV), Stone Mt (ASM), Lafayette (LFT), Memphis (MEM)
Attributes:
• 3 high speed IPOPs provide diversity and redundancy (Atlanta, Miami, and New Orleans)
• Consolidation of multiple IntraLATA IP networks into 1 core IP network enables BellSouth to maintain control of network traffic from end-to-end
Customer Benefits…
• Redundancy for high reliability
• Overcomes LATA boundaries
• Cornerstone for future information service capabilities
• Moves routing complexity into the BellSouth network
Network VPN Nationwide Availability
Network VPN is:
– Available across the continental United States via close to 1200 access POPs
– A BellSouth Managed Network Services (MNS) offering on a single contract and single bill for ALL customer locations
(Map: BellSouth Network VPN Service coverage, In-Franchise and Out-of-Franchise.)
BellSouth® Managed Network VPN
Customer benefits…
• Consolidated remote user access and site-to-site networking
• Flexibility to aggregate multiple access types (i.e. Private Line, Frame Relay, DSL, Metro E)
• “Off-Net” capabilities for connecting remote users and Extranet partners via the BellSouth® IPSec Gateway
• Integrated Internet access via network-based firewall
Connecting the Entire Organization (diagram): headquarters and branch offices attach directly to the BellSouth MPLS network; IPSec branch offices, Extranet partners and remote users (IPSec client) reach it across the Internet through the BellSouth firewall & IPSec gateway, which also provides the network-based Internet access service.
Site-to-Site Service
Site-to-Site Service Access Options:
1. Frame Relay, Private Line, DSL, Metro Ethernet (2Q06), ATM (limited availability)
2. IPSec Access via BellSouth IPSec gateway
Optional Services:
– eMRS Complementary Managed Router Service (soft-bundle) option
– Internet access with firewall feature
– Equipment purchase, installation and maintenance services
(Diagram: the same topology, with headquarters and on-net branch offices marked 1 for direct access, and the IPSec branch office and Extranet partner marked 2 for IPSec access via the BellSouth IPSec gateway.)
Access Types – Site-to-Site
Managed Network VPN Site-to-Site Service Access Types
In-Franchise:
– Site-to-Site Private IP DSL
– BellSouth Private Line Service
– BellSouth Frame Relay Service
– Metro Ethernet (2Q06)
– ATM (limited availability)
– BellSouth Integrated Solutions (BIS-T1)
Out-of-Franchise:
– DSL (in limited areas)
– Private Line
– Net VPN with BSLD* Extension: Frame Relay, Private Line, DSL, Frame over DSL
Off-Net:
– IPSec connectivity to the MPLS cloud via BellSouth IPSec gateway
Remote User Service (Off-Net IPSec)
Remote User Service:
• Available via any Internet connection (BellSouth or third party ISP) using BellSouth provided IPSec client software
• AAA User Authentication required – customer provided (AAA Proxy) or BellSouth hosted
• Tiered pricing based on minimum number of unique users per month
• Optional: network-based Internet access with managed firewall feature
(Diagram: remote users with the IPSec client connect over the Internet to the BellSouth firewall & IPSec gateway, which terminates their tunnels into the BellSouth MPLS network.)
Class of Service
CoS is an optional service that allows for prioritization of traffic on a per-application basis:
1. Real-Time: Suitable for IP voice applications
2. Interactive: Suitable for IP video applications
3. Priority Business: Suitable for business critical data applications
4. Best Effort: Suitable for non-critical data (e.g. email, general web surfing)
BellSouth Network VPN offers three levels of service to meet your CoS needs:
1. Standard: Single class (Best Effort)
2. CoS Basic: Two classes (Best Effort and Priority Business)
3. CoS Premium: Four classes (Best Effort, Priority Business, Interactive, Real-Time)
Network VPN CoS Levels of Service
Standard
– Transport types: Private Line, Frame Relay, DSL, ATM, Metro Ethernet (when available)
– Classes supported: Best Effort
– SLAs: Core (availability SLA includes access and CPE)
– Packages: Port Only; Port + Access; Port + Access + CPE
CoS Basic
– Transport types: Private Line, Frame Relay, ATM, Metro Ethernet (when available); minimum speed 128K
– Classes supported: Priority Business, Best Effort
– SLAs: Core (availability SLA includes access and CPE)
– Packages: Port Only; Port + Access; Port + Access + CPE
CoS Premium
– Transport types: Private Line, Frame Relay, ATM, Metro Ethernet (when available); minimum speed 128K
– Classes supported: Real-Time, Interactive, Priority Business, Best Effort
– SLAs: Core, plus CoS Premium access SLAs for sites with >= 768K and the Port + Access + CPE package
– Packages: Port Only; Port + Access; Port + Access + CPE
Value-Added Services
Secure Internet Access
Secure Internet Access via Network-based Firewall
• Internet access is provided via the Network VPN “cloud”
• Two levels of firewall service are available: Basic and Advanced
• Subscription to a firewall service is required for Internet access
Basic Internet Access Features
• Outbound Only Rule Set
• DNS Caching
• (1) Public IP address
Advanced Internet Access Features
• Inbound and Outbound Rule Sets
• DNS Caching or DNS hosting
• Support for inbound NAT translation
• Support for physical DMZ
• Up to (15) Public IP addresses
Firewall Features
• Provisioning and configuration
• Initial design and implementation of rule base
• Support for Network Address Translation (NAT)
• 24x7 Monitoring of the firewall platform
• Firewall administration and backup
• Help desk support
• Firewall logging
• Service level agreements
Additional Value Added Services
• Equipment and Professional Services
– Equipment: Cisco, Nortel, Telco, Adtran
– Professional Services:
• Staging, Configuration, Installation and Project Management
• Equipment Maintenance
• Managed Router Service
– Real-time Monitoring and Management of Customer Routers
– For all “On-Net” site-to-site transport types (Private Line, frame relay, and DSL)
SLAs and CNM
Network VPN SLAs/SLOs
• Core SLAs apply from edge to edge of the MPLS network. This summarized information is outlined in the actual SLA and is subject to the limitations set forth in the Network VPN Service Description.
• SLAs exclude Private IP Site-to-Site DSL
Core SLAs - Regional (In-Franchise) & National "On-Net" S2S Services
Measurement          | Best Effort | Priority Business | Interactive | Real-Time
Latency (round trip) | <=55 ms     | <=50 ms           | <=50 ms     | <=45 ms
Jitter (round trip)  | NA          | NA                | NA          | <=2 ms
Packet Delivery      | >=99.60%    | >=99.70%          | >=99.80%    | >=99.90%
Access SLAs - Regional (In-Franchise) "On-Net" S2S Services
Access Circuit SLA Targets for the Real-Time Class of Service (Regional Network VPN Service)
Measurement          | Target
Latency (round trip) | <=50 ms
Jitter (round trip)  | <=5 ms
Packet Delivery      | >=99.90%
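To verify the Core SLA targets above against your own probes rather than the provider’s report, here is an added example (not BellSouth’s CNM tooling) that reduces per-class round-trip probe samples to the three SLA measurements and flags breaches. Assumptions, since the slide does not define the measurement method: latency is the mean round trip over the period, jitter is the mean absolute difference between consecutive delivered round trips, a lost probe is recorded as None, and the sample data is constructed. It also computes the smallest probe count at which a single loss does not by itself breach the delivery target, a check worth doing before reading a 99.90% figure off a short measurement window.

```python
"""Check per-class probe results against the Core SLA targets on this page.
Added example, not BellSouth's CNM tooling.  Assumed measurement method:
latency = mean round trip, jitter = mean absolute difference between
consecutive delivered round trips, packet delivery = delivered / sent, with
a lost probe stored as None.  The sample data below is constructed."""
import math
from fractions import Fraction

# Core SLA targets from the slide: class -> (max latency ms, max jitter ms or None, min delivery)
CORE_SLA = {
    "Best Effort":       (55, None, "0.9960"),
    "Priority Business": (50, None, "0.9970"),
    "Interactive":       (50, None, "0.9980"),
    "Real-Time":         (45, 2,    "0.9990"),
}


def min_probes(min_delivery):
    """Fewest probes at which one lost probe does not by itself breach the delivery target.
    Uses Fraction so that 1/(1-0.998) is exactly 500 rather than a float just above it."""
    return math.ceil(1 / (1 - Fraction(min_delivery)))


def summarize(rtts):
    """Reduce a list of round-trip times (ms, None for a lost probe) to the SLA measurements."""
    delivered = [r for r in rtts if r is not None]
    if not delivered:
        raise ValueError("no delivered probes; nothing to measure")
    latency = sum(delivered) / len(delivered)
    diffs = [abs(a - b) for a, b in zip(delivered, delivered[1:])]
    jitter = sum(diffs) / len(diffs) if diffs else 0.0
    return {
        "probes": len(rtts),
        "latency_ms": latency,
        "jitter_ms": jitter,
        "delivery": len(delivered) / len(rtts),
    }


def evaluate(cos_class, rtts):
    """Compare one class's measurements with its Core SLA row; return breaches and warnings."""
    max_latency, max_jitter, min_delivery = CORE_SLA[cos_class]
    s = summarize(rtts)
    breaches, warnings = [], []
    if s["latency_ms"] > max_latency:
        breaches.append(f"latency {s['latency_ms']:.2f} ms > {max_latency} ms")
    if max_jitter is not None and s["jitter_ms"] > max_jitter:
        breaches.append(f"jitter {s['jitter_ms']:.2f} ms > {max_jitter} ms")
    if s["delivery"] < float(min_delivery):
        breaches.append(f"packet delivery {s['delivery']:.2%} < {float(min_delivery):.2%}")
    needed = min_probes(min_delivery)
    if s["probes"] < needed:
        warnings.append(f"only {s['probes']} probes; below {needed} a single loss alone "
                        f"breaches {float(min_delivery):.2%}")
    return {"class": cos_class, "summary": s, "breaches": breaches,
            "warnings": warnings, "compliant": not breaches}


def constructed_samples():
    """Made-up probe results for the demonstration, not measurements of any real circuit."""
    return {
        "Real-Time": [40.0, 41.0] * 500,               # 1000 probes, steady 40/41 ms, nothing lost
        "Priority Business": [48.0] * 999 + [None],    # one loss in 1000
        "Best Effort": [60.0] * 99 + [None],           # too slow, and one loss in only 100 probes
    }


def run_checks(samples):
    """Evaluate every class in a {class: rtts} mapping."""
    return {cos_class: evaluate(cos_class, rtts) for cos_class, rtts in samples.items()}


if __name__ == "__main__":
    for result in run_checks(constructed_samples()).values():
        status = "OK" if result["compliant"] else "BREACH"
        print(f"{result['class']:18} {status:6} {result['breaches']} {result['warnings']}")
```

With the constructed samples, Real-Time and Priority Business pass, while Best Effort breaches both latency and delivery and is additionally flagged because 100 probes cannot resolve a 99.60% target (that needs at least 250). The same structure works for the Real-Time access targets in the second table by swapping in that row.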
Network VPN SLAs/SLOs (Cont.)
Managed Network VPN Service Level Agreements
• Installation: >= 90% of all sites on time
• Network availability: >= 99.90%
Internet Access with Firewall Feature SLAs
• Firewall rule base change implementation: Basic <= 12 hours; Advanced <= 4 hours
• Proactive firewall monitoring: <= 15 minutes
Customer Network Management (CNM)
CNM is a secure Internet-based portal that allows customers to view their BellSouth Network VPN service functionality, including:
• Remote User Management & Reporting
• IPSec Client Download
• Security Management
• Network Performance Reporting
• Trouble Management
• Order Status
Example Customer Scenario: Pre/Post Network VPN
Example Company – Acme, Inc.
Customer Network Needs:
• LAN to LAN connectivity
– 5 sites growing to 10
– 1 HQ, 2 branch offices and 2 remote offices
• Remote access connectivity
– 20 Users growing to 200
– Mix of both company provided and end user provided transport
• Secure Internet access for all sites and remote users
– DS1 growing to Fractional DS3
Key Network Decision Drivers:
• Utilize most cost effective access method to connect sites
• Minimize complexity in order to minimize management costs
• Scalable solution without requiring significant upgrade costs
• Minimize capital expenditures
• Long term, Acme would like to migrate to one network for voice, video and data
• Will require a fully meshed network
Scenario: New network deployment, extending current network to other locations or overhaul of existing network
Pre-Network VPN Solution (diagram): the headquarters customer premise router has one DS1 with two PVCs into a Layer 2-only Frame Relay network, and a separate VPN device faces the Internet; branch offices connect over Frame Relay (DS1 and 128K); branch/remote sites connect over 128K Frame Relay; remote users reach the VPN device with an IPSec client over DSL, dial, ISDN or cable access; everything terminates on the customer IP network.
Network VPN Solution (diagram): the headquarters customer premise router (Frame Relay DS1 or Private Line) and the branch offices (S2S Private IP DSL, 128K Frame Relay) attach directly to the BellSouth MPLS network; “On-Net” remote users connect over BellSouth® FastAccess® DSL / FastAccess® Telecommute DSL; “Off-Net” remote users (DSL, dial, ISDN or cable access) run the IPSec client across the Internet to the BellSouth® IPSec Gateway; Internet access for all sites is provided through the network.
BellSouth Managed Network VPN Summary
Network VPN Summary - BellSouth Delivers
Secure WAN Connectivity
– Customer needs: cost-effective WAN connectivity for branch offices & business partners; access options; nationwide coverage
– Network VPN provides: single network for intranet & extranet connectivity; nationwide support for multiple access types (i.e. DSL, Frame Relay, Private Line); IPSec connectivity for “Off-Net” locations
Remote User Connectivity
– Customer needs: secure connectivity for remote users; cost-effective end-user helpdesk; secure Internet access for remote users; ubiquitous coverage
– Network VPN provides: IPSec client & AAA authentication; 24x7 end-user helpdesk; Internet access via network-based firewall; connectivity using any Internet access
Internet Access
– Customer needs: secure Internet access for all sites/users; single, integrated solution from one provider; segmentation of private WAN traffic from Internet traffic
– Network VPN provides: customized network-based firewall; single port for WAN & Internet connectivity; virtual firewall technology segments WAN traffic from the public Internet
Network Management
– Customer needs: performance guarantees; network performance reports; user administration tools
– Network VPN provides: competitive proactive SLAs; performance reports via web-based portal; network management via web-based portal
Back-up Materials
Traditional Approach Using Frame Relay (diagram: typical deployment vs. desired state)
• Cost and complexity typically result in less than optimal network topologies (i.e. hub and spoke with multiple PVCs, overbuilt hubs, costly NNI arrangements)
• Potential bottlenecks and single points of failure
• Responsibility for functional integration and network management typically falls on the customer
– Does not address remote access needs
– Access aggregation and integration further increases cost and complexity
Who Benefits from the BellSouth Managed Network VPN Service?
• Organizations that need wide area connectivity
• Organizations seeking cost-effective backup/disaster recovery solutions for their existing legacy WANs
• Organizations forming extranets with highly dynamic and meshed network traffic requirements
• Organizations with strong telecommuting initiatives
• Organizations deploying new IP-based applications:
– Supply Chain Management (SCM)
– Enterprise Resource Planning (ERP)
– Customer Relationship Management (CRM)
BellSouth Managed Network VPN Service
Summary of Benefits
• Reduced complexity in your network operations
– BellSouth provides all necessary equipment, facilities and support – one fixed monthly fee (includes ongoing network monitoring and administration)
– Fully meshed networks can be easily deployed without the cost and complexity associated with traditional Layer 2 networking services
– SLAs assure service quality
• Greater flexibility to support a wide range of applications
– Extended reach to branch offices, remote workers, customers, suppliers and partners
– New sites and users can be quickly and easily deployed
– Class of Service capabilities allow application specific prioritization
• Lower total cost of ownership
– Shift complexity from customer premise to provider’s network
– Reduce capital investments (all customers need is a basic router at their premise)
– Enables future convergence of voice and data services via a robust integrated IP/MPLS-based network
Companies can leverage the capabilities of a carrier class, shared IP infrastructure while maintaining the "look and feel" of their own private network.
Source: TeleChoice (March 2002)
Content Source: BellSouth In$ite
WAN Technologies Comparison
Criteria: “Layer 2” Services (Private Line; Frame Relay) vs. IP VPN Services (CPE-based; Network-based)
Perceived Cost
– Private Line: highest cost solution
– Frame Relay: viewed as cost effective for hub-and-spoke networks
– CPE-based IP VPN: perceived to be less expensive than Frame since it leverages the Internet for connectivity
– Network-based IP VPN: lowered capital expenditure and operational expenditure (due to limited number of VPN devices at customer premise); viewed as cost effective
Scalability
– Private Line: least scalable solution
– Frame Relay: scalable for hub-and-spoke designs
– CPE-based IP VPN: IP is scalable but configuring individual location CPE is an administrative challenge
– Network-based IP VPN: highest scalability for large networks; network-based IP VPNs are fully meshed in nature and pre-configured; the IP VPN is virtually defined by the provider within its network
Perceived Security
– Private Line: perceived to be secure due to dedicated circuits but lacks encryption and authentication
– Frame Relay: perceived to be secure but lacks encryption and authentication
– CPE-based IP VPN: IPSec is perceived to be very secure but additional CPE (i.e. firewalls) may be required to effectively guard against Internet based threats
– Network-based IP VPN: basic configuration perceived as secure from POP to POP and on par with Frame Relay; lack of end to end encryption may be perceived as less secure than CPE-based solutions
CNM Back-up Materials
Remote User Management and Reports
Note: Ability to export to excel
Types of Reports
• Audit Report
– By date
– By user
• Average Session Length Trend
• Hosted Usage
• Hosted User Session
• Session Graph Trend
• Top 15 Usage
• Usage Graph Trend
Example SLA Report
Phase I: Sent via
CNM – User Administration
Step 1: Select Department
Step 2: Add User Information
Step 3: Save New User
Add New User to a Department
CNM Remote User – Client Download
CNM: Firewall Policy Change Request
CNM: Submit Trouble Ticket
Network VPN CNM – User Administration Tool
Types of users and their role/capabilities:
Company Administrator
• Set up new departments
• Assign department administrator
• Add/delete users by department
• Password reset
• Generate Usage Reports
Department Administrator
• Add/delete users by department
• Password reset
• Generate Usage Reports
End User
• Download IPSec Client
• Password reset
BellSouth is Listening
Your needs are our concerns
Private Lines Coverage for Out of Region Sites
– Private Line
• Nationwide Network VPN service has 100% PL coverage of the Continental US
• Nationwide Network VPN service can be accessed from close to 1200 domestic POPs, including 50 in BellSouth territory
– Initially Continental US locations supported only
• Can support International sites via IPSec access to MPLS network
Nationwide DSL Coverage for Out of Region Sites
• Coverage in 60 markets
• DSL access requires specific supported CPE make and models
(Map of nationwide DSL markets: Los Angeles, Santa Barbara, San Diego, San Francisco, San Jose, Sacramento, Portland, Seattle, Salt Lake City, Phoenix, Tucson, Las Vegas, Albuquerque, Denver, Dallas, San Antonio, Houston, Austin, Kansas City, Minneapolis, Milwaukee, Grand Rapids, Detroit, St. Louis, New Orleans, Memphis, Nashville, Louisville, Indianapolis, Chicago, Tampa, Orlando, Miami, Jacksonville, Boston/Providence, Hartford, New York, Newark, Philadelphia/Harrisburg, Baltimore / DC, Richmond, Norfolk, Raleigh, Greensboro, Charlotte, Charleston, Greenville, Columbia, Atlanta, Birmingham, Columbus, Dayton, Cleveland, Pittsburgh.)
DSL Speed                                      | Routers
1.5M x 384 Kbps                                | Broadxent 8120
192 x 192 Kbps, 384 x 384 Kbps, 768 x 768 Kbps | Efficient Networks 5851; Netopia 4652-T