Flexible Service Access for Business VPNs




TECHNOLOGY WHITE PAPER

Flexible Service Access for Business VPNs

Operators face many challenges as they strive to keep pace with demand for business services from small, medium and large enterprises. In this very dynamic market, operators must respond with solutions that meet many criteria, including high availability, security, cost effectiveness, quality, manageability, and scalability. This white paper focuses specifically on the flexible service access options for business services delivering Layer 2 and Layer 3 virtual private networks (VPNs).

To succeed in the business services market, operators must offer Layer 2 and Layer 3 VPN services that relate directly to corporate business objectives. These services must be available to the business regardless of its size or location; operators must provide a range of service access options to suit any situation. The Alcatel-Lucent IP/MPLS solution enables operators to support a rich set of applications and service connectivity models, which can be augmented and scaled quickly to support the dynamic service access needs of enterprises.

Table of contents

1. Introduction
2. Carrier Ethernet and Layer 3 VPN services
3. Flexible access options for business services
3.1 Extending access with end-to-end
3.2 MPLS-enabled Carrier Ethernet and native Ethernet over Fiber
3.3 Interworking legacy Frame Relay and deployments
3.4 Integrated IPSec VPNs
3.5 Extending business VPN services over xDSL with
4. Common management for flexible services access
5. Conclusion
6. Abbreviations

1. Introduction

To succeed in the business services market, operators must offer Layer 2 and Layer 3 virtual private network (VPN) services that relate directly to corporate business objectives. These services must be available to the business, regardless of its size or location; operators must provide a range of service access options to suit any situation.

Enterprises rely on the successful and cost-effective deployment of information technology (IT) applications to drive sales, improve customer relationships, cut operating costs and simplify procurement. These applications are the lifeblood of enterprises and need unhindered circulation across all enterprise locations. Reduced flexibility, caused by limited service access options or poor SLAs, could compromise an enterprise's operations and competitiveness.

Flexible access to business services enables enterprises to:
- Converge voice, data and video services onto a single VPN
- Converge all services over a common access technology
- Connect all sites via access technologies that are tailored to each site's specific requirements

Operators must ensure that their service offerings meet all enterprise customer needs, and they must provide these services via a full range of access options, as shown in Figure 1.

[Figure 1. Enterprise access requirements. Panels: Data services between large sites; Data services from small sites. Source: Alcatel-Lucent, July 2006]

Enterprises are increasingly moving away from legacy TDM private line services towards next-generation MPLS-enabled Carrier Ethernet VPN and IP VPN services. To meet the broad range of enterprise requirements cost effectively, operators need a flexible, IP/MPLS-enabled infrastructure, such as the Alcatel-Lucent solution shown in Figure 2.

[Figure 2. The Alcatel-Lucent IP/MPLS-enabled architecture supports flexible service access options]

With this infrastructure, operators can address the requirements of small, medium and large enterprises and generate additional revenue by broadening the range of business services offered. By extending the reach of their existing and Frame Relay/ services to new sites attached to the packet network, operators can reduce capital expenditures (CAPEX) and operating expenditures (OPEX).

Operators worldwide are experiencing the benefits of converging existing and new services onto a common IP/MPLS network. The IP/MPLS infrastructure's multiservice capabilities help simplify the operational burden. Driven by the operator's business need to maximize profitability while minimizing risk, the IP/MPLS network enables revenue to be generated from the broadest range of traditional and new services over a fixed-cost infrastructure. This infrastructure minimizes the need to roll out a new network for each new service, and reduces the number of skilled personnel required to operate the network. The IP/MPLS infrastructure also reduces the number of network nodes that must be deployed and operated, and the time-to-market for new services.
Operators are under pressure to calibrate their offerings to meet customer demands, rather than relying on customers to tailor their expectations to the available services. The Alcatel-Lucent IP/MPLS solution enables the operator to support a rich set of applications and service connectivity models that can be augmented and scaled quickly to support small, medium or large enterprises.

Competition in the enterprise market is intensifying, particularly in the small-to-medium enterprise (SME) sector, where cable network operators are aggressively pursuing business opportunities. The Alcatel-Lucent IP/MPLS solution helps operators maintain their market position.

"With our introduction of BiLAN VPN we maintain our competitive lead, and are able to fully address our enterprise customer requirements by enriching our VPN service mix with. Alcatel's expertise and strong market leadership combined with exceptional product performance during the trial made them the ideal partner for our Premium IP VPN and VPN services."
Hendrik Van De Velde, Head of Product Management, Belgacom

2. Carrier Ethernet and Layer 3 VPN services

Before considering the different service access options, this section reviews the Carrier Ethernet and Layer 3 business VPN services that are supported between the smallest branch or remote office and the rest of the enterprise and data center.

Cost cuts, improved service quality and new functionality push enterprises to consider business VPN services to carry their voice, data and video traffic. To meet enterprises' needs, operators are moving from VPN service offerings based on dedicated point-to-point links over TDM networks to deterministic, virtual point-to-point and multipoint connectivity over packet networks.

The Alcatel-Lucent solution supports simultaneous IPv4 and IPv6 routing. This helps operators evolve to packet-based network architectures as part of their IP network transformation process. This approach enables operators to support the convergence of IP voice, data and video over Layer 2 and/or Layer 3 business VPN services. It also enables the operator to tailor VPN service offerings to each enterprise's unique requirements.

The following VPN service options are supported by the Alcatel-Lucent IP/MPLS solution and can be simultaneously offered to expand the operator's service portfolio and to generate revenue:

IP VPN (multipoint Layer 3 VPN)
Layer 3 VPN services were one of the first applications to leverage MPLS. The Alcatel-Lucent solution provides a comprehensive dual IPv4/IPv6 stack. This gives operators the flexibility to migrate seamlessly, on a per-customer basis, from an IPv4-based virtual private routed network (VPRN) to the more scalable IPv6 VPRN. At the same time, operators preserve the virtual routing and forwarding (VRF) instances that separate customer routers over a common routed infrastructure.

IPSec VPN
IPSec VPNs can be deployed for both point-to-point and point-to-multipoint IP Layer 3 traffic. IPSec VPNs enable the secure extension of a corporate VPN over uncontrolled or untrusted private and public networks. The Alcatel-Lucent solution provides secure VPN deployment options for user access, site access, and site-to-site communication.

Virtual Private LAN Service (VPLS) (multipoint Layer 2 VPN)
The Metro Ethernet Forum (MEF) refers to VPLS as an E-LAN Carrier Ethernet service. VPLS is a cost-effective means of extending the reach of business applications to multiple sites. It enables the connection of multiple sites in a single bridged domain over an operator-managed IP/MPLS network. VPLS uses an Ethernet interface as the customer handoff, simplifying the LAN/WAN boundary. VPLS is protocol independent and supports the use of IP and non-IP applications. With VPLS, enterprises maintain complete control over their routing. VPLS is an alternative for enterprises who want to move beyond point-to-point Frame Relay services but whose needs are not satisfied by a routed IP VPN service. VPLS eases the operator's management responsibilities, as the operator has no awareness of, or participation in, an enterprise's IP addressing space and routing.

Virtual Leased Line (VLL) (point-to-point Layer 2 VPN)
The MEF refers to a VLL as an E-Line Carrier Ethernet service. A VLL uses, Frame Relay or pseudowires to tunnel over an MPLS network. A VLL is protocol independent and supports the use of IP and non-IP applications. VLL can also carry legacy technologies like Frame Relay and, so that transparent LAN services (TLS) can migrate onto a converged IP/MPLS network in a structured manner.

To secure brand leadership in the business VPN market and to ensure their own revenue growth, operators must offer targeted services based on the enterprise's specific profile and needs. Table 1 illustrates how enterprise requirements drive VPN service selection.

Table 1. Enterprise requirements for business MPLS VPN service selection

POINT-TO-POINT CONNECTIVITY
Enterprise profile:
- Small number of sites
- Migrating from point-to-point Frame Relay service
- May not use VPN services today
- Usually requires a hub-and-spoke network topology
Service: VLL (E-Line)
- Point-to-point Carrier Ethernet, and Frame Relay service over MPLS
- RFC 3916 (PWE3)
Enterprise benefits:
- Flexible bandwidth upgrades in fine increments (for example, 1 Mb/s)
- Service performance guarantees
- Service interworking provides faster migration/integration
- Easy upgrade path to other MPLS-enabled VPN services

LAYER 3 MULTIPOINT CONNECTIVITY
Enterprise profile:
- Medium-to-large number of sites
- Running IP-based applications only
- Requires full mesh connectivity
- Willing to share routing responsibility
Service: IP VPN
- Multipoint routed solution
- Dual IPv4/IPv6 stack
- RFC 4364
Enterprise benefits:
- Offload complex information technology (for example, routing) responsibilities to service provider
- Fully meshed service supports multiple access types
- Option of or maintain Frame Relay to access WAN

LAYER 2 MULTIPOINT CONNECTIVITY
Enterprise profile:
- Medium-to-large number of sites
- Running IP- or non-IP-based applications
- Migrating from transparent LAN services
- Requires full mesh connectivity
- Unable or unwilling to share routing responsibility
- handoff
Service: VPLS (E-LAN)
- Multipoint Carrier Ethernet
- RFC 4762
Enterprise benefits:
- All the advantages of an IP VPN solution plus:
- Addition of new sites requires no change to existing sites
- Enterprise retains control over routing functionality
- Multiprotocol service supports the use of non-IP applications
- Can make changes to the network without involving service provider
- Service interworking between Frame Relay, and allows gradual site-by-site migration, minimizing service disruption

The Alcatel-Lucent IP/MPLS solution enables operators to deliver service-aware Layer 2 and Layer 3 business VPNs over different access technologies while maintaining service level agreement (SLA) consistencies. For example, large enterprises sometimes require a business VPN solution that supports both Carrier Ethernet and IP VPNs. Small or remote locations connect using sub- speeds over an IP VPN, whereas their regional and HQ sites connect using Carrier Ethernet VPNs such as or. This flexibility helps the operator address the varying service access requirements of small offices-home offices (SOHOs), SMEs and large enterprises without compromise.

3. Flexible access options for business services

Access options are an important aspect of all VPN services. An operator can expand their footprint to as many enterprise locations as possible by offering different ways of accessing business VPN services (see Figure 3). Using existing infrastructures, which may include SONET/SDH, Frame Relay,, DSL, cable, and/or MPLS, operators can extend their VPN footprints to enterprise locations where direct fiber access is not yet available or feasible. To expand their footprints, operators can also use interworking between legacy Frame Relay or services and Layer 3 VPNs or Layer 2 VPNs.

In many cases, regardless of the access technology in use, an operator might want to choose one type of customer-located equipment (CLE) for the demarcation point with the enterprise customer. For example, an operator can select one demarcation device as the handoff and collocate it with the physical access termination at the customer location (for example, a DSL modem with an demarcation). This approach provides a uniform service definition and experience for all enterprise locations, regardless of the access technology.

[Figure 3. Varying service bandwidth requirements of SOHOs, SMEs and large enterprises]

The Alcatel-Lucent IP/MPLS solution enables the following capabilities for ensuring flexible VPN reach:
- Deliver an end-to-end interface that can be supported across different last mile technologies and provide a common handoff for:
  - over fiber, SONET/SDH, copper (DSL), cable, or wireless connected sites
  - interworking with legacy Frame Relay and connected sites to ensure legacy Frame Relay and access options are integrated into the IP/MPLS business VPN services infrastructure
  - backhaul for a Layer 3 IP VPN service
- Expanded service reach: The branch/remote office is becoming a strategic center of IT investments as front line business needs continue to scale and evolve. Support for IPSec and Point-to-Point Protocol over Ethernet (PPPoE) extends the range of access options available, allowing the operator to reach more enterprises with business services.

3.1 Extending access with end-to-end

The Alcatel-Lucent solution enables operators to migrate from simple access to robust Carrier Ethernet business access. This helps increase customer demand and lower costs, while providing greater bandwidth flexibility. By delivering end-to-end access over a range of technology options and interworking with legacy technologies, operators can address different types of business customers ranging from SOHOs and SMEs to large enterprises. As shown in Figure 4, the Alcatel-Lucent industry-leading service switch/router platforms deliver point-to-point and multipoint Layer 2 or Layer 3 business VPN services over a variety of access technologies.

[Figure 4. Service access flexibility with the Alcatel-Lucent business VPN solution]

Point-to-point and multipoint Layer 2 or Layer 3 business VPN services are delivered via:

- Fiber: Native Ethernet over fiber is the simplest access into the VPN. The customer handoff is provided at the demarcation point using direct fiber to the provider edge (PE) router at the operator's point of presence (POP).

- PON: A Passive Optical Network (PON) is a shared passive fiber network technology that provides increased access bandwidth to the customer premises. The Alcatel-Lucent PON includes Ethernet PON (EPON) and Gigabit-capable PON (GPON). It is an access solution that provides a common access network for residential and business customers (for T1/E1 and services) and therefore reduces the number of discrete overlay access networks necessary to provide services to each group.

- Copper: Carrier Ethernet over Copper solutions allow operators to simply and cost-effectively meet the demand for broadband by utilizing the existing copper infrastructure. The Alcatel-Lucent IP/MPLS solution enables the operator to deliver broadband services to businesses over the existing last-mile copper infrastructure to fully leverage the benefits of offering data, voice over IP, and video services over an Ethernet network. Copper is relatively inexpensive to install and it scales to offer point-to-point and multipoint applications serving hundreds of customers.

- SDH/SONET: Existing SONET or SDH networks are being leveraged as access to business VPN services. The Alcatel-Lucent business services solution supports over SDH/ over SONET.

- Wireless: Wireless access enables operators to address locations without fixed access. Wireless (for example, WiFi Alliance WiFi or WiMax) access to a business VPN is a useful option, particularly for competitive players creating their own access networks.

- DSL: For small business sites, the bandwidth offered by the various low speed DSL technologies can be sufficient to extend the VPN to remote sites, at a lower cost than T1- or E1-based solutions. The Alcatel-Lucent solution provides DSLAM aggregation with sessions terminated on the service router and mapped to the corporate VPN or high-speed Internet (HSI).

- Cable (Data over Cable Service Interface Specification (DOCSIS)): Cable multiple service operators (MSOs) use the cable hybrid fiber coax (HFC) plant to deliver VPNs primarily to SMEs in their regions, while fiber is used to reach larger sites. For small business sites, the bandwidth offered over cable can be sufficient to extend the VPN to remote sites, at a lower cost than T1- or E1-based solutions. The Alcatel-Lucent solution provides Cable Modem Termination System (CMTS) aggregation on the service switch/router, with virtual LANs (VLANs) mapped to the MPLS-based VPN; that is the, or IP VPN.

- Internet: A common option for accessing VPN services is via the Internet, accessed through either a broadband or dial-up connection. This enables a mobile workforce to access the enterprise VPN regardless of location. With this method, the VPN is enabled using IPSec in order to secure the access to the VPN. The IPSec sessions are terminated on the Alcatel-Lucent service router and mapped to the larger corporate IP VPN.

- Interworking with Frame Relay and: Offering Frame Relay and services as access to VPN services is an approach that has been particularly effective for Layer 3 VPNs. The ability to use these legacy services was key to the original VPN service footprint expansion to include locations where fiber access was not available or cost-effective, especially for lower-speed services. These reasons remain valid, and Frame Relay and services can similarly be offered as access to Layer 2 VPNs. In addition, over Frame Relay or can effectively support a gradual migration of sites to high-speed native. Pseudowire technology, and service interworking, can be implemented across an MPLS network.

The Alcatel-Lucent solution provides the flexibility to allow operators to leverage their existing copper or cable plants along with new fiber infrastructures to deliver more competitive business Layer 2 and Layer 3 VPN services. For example, copper or cable access could connect small or some medium enterprises, and fiber-based access could connect medium or large enterprises.

The Alcatel-Lucent 7750 Service Router (SR), Alcatel-Lucent 7710 SR and Alcatel-Lucent 7450 Ethernet Service Switch (ESS) have a complete range of Media Dependent Adapters (MDAs) to provide the appropriate physical interface. In addition, the Any Service Any Port (ASAP) MDA supports multiple protocols integrated on one card and has configurable ports and channels to provide true any service over any port functionality. The ASAP MDA supports Frame Relay,, Point-to-Point Protocol (PPP) or high-level data link control (HDLC) for service termination. As a result, it is unnecessary to dedicate or limit interfaces to specific service types, which helps minimize interconnection costs.

This flexibility simplifies consolidation and lets the operator scale the access type to address the varying service bandwidth requirements of SOHOs, SMEs and large enterprises. It also enables the Carrier Ethernet VPN to successfully interwork with existing services offered over legacy technologies such as Frame Relay or.

3.2 MPLS-enabled Carrier Ethernet and native Ethernet over Fiber

Operators can now offer native Ethernet over fiber or cost-effectively extend MPLS-enabled Carrier Ethernet services right to the customer edge (CE). As shown in Figure 5, the Alcatel-Lucent VPN solution with the 7210 SAS empowers the operator to offer the native Ethernet access option with the 7210 SAS-E or extend MPLS over with the 7210 SAS-M to support the following:
- Ethernet LAN (E-LAN, aka VPLS) and spoke access into hierarchical virtual private LAN services (H-VPLS)
- Point-to-point services such as Ethernet Line (E-Line) and virtual leased line services (VLL)
- access to enhanced high-speed Internet services
- Backhaul to Internet Protocol virtual private network (IP-VPN) services

By extending Ethernet over MPLS (EoMPLS) to the customer premises with the 7210 SAS-M, the Alcatel-Lucent solution enables the stringent SLAs that are required for end-to-end service delivery: SLAs with differentiation based on reliability, quality of service (QoS), operation, administration and maintenance (OAM) tools and streamlined management.

To meet the reliability and performance requirements of enhanced MPLS/-based VPN services for mission critical applications, the solution also supports:
- Fast reroute (FRR) and pseudowire redundancy over dual homed connections. This delivers sub-50 msec failover into the customer edge for end-to-end highly available service delivery.
- MPLS traffic engineering with Resource Reservation Protocol Traffic Engineering (RSVP-TE). Operators can enable VPN services end-to-end across an IP/MPLS network with guaranteed QoS per application within a single SLA.
- Per-service OAM along with IEEE 802.3ah (EFM) and IEEE 802.1ag (CFM), which ensures end-to-end operational consistency, rapid troubleshooting and detailed performance measurement for further service differentiation.
- VLANs (802.1Q), stacked VLAN (QinQ), and Provider Backbone Bridges (MAC in MAC) for maximum interoperability with standards-based legacy deployments.

The Alcatel-Lucent solution enables operators to offer and charge for premium business VPN services, while delivering these services efficiently and economically.

[Figure 5. Integrated approach to host native and EoMPLS connectivity]

With Alcatel-Lucent's solution, operators can deliver an integrated approach to host native connectivity with 7210 SAS-E in one part of the network, and over MPLS (EoMPLS 7210 SAS-M) in another part of the network or a combination of the two. This is done without geographically restricting VPN connectivity or impacting VPN service consistency for a customer across all their sites, with the following benefits:
- 7210 SAS-M extends MPLS to the customer edge (Enterprise VLAN A) to provide end-to-end traffic engineering, reliability, scaling and further differentiation advantages with seamless service extension capabilities with 7450 ESS, and 7710 SR solutions, including application-aware VPNs
- Provides flexibility to support both Carrier Ethernet VPNs or provision pseudowires to backhaul IP VPNs to the Service Router
- Simplifies enterprise networking complexity with user-centric SLAs to support a full suite of demanding enterprise applications over a single connection
- FRR/MC-LAG ensures uplink redundancy to separate aggregation devices for highly available service delivery
- Relies on the 5620 service aware management (SAM) system to oversee all Carrier Ethernet services end-to-end. This greatly enhances the operator's ability to activate, modify and troubleshoot VPN services, and enables customer service portals.

The Alcatel-Lucent Carrier Ethernet over Fiber solution addresses the needs of operators and helps them meet the challenges of keeping pace with the demand for -based business services from small, medium and large enterprises. In this dynamic market, operators can maximize the re-use of existing assets by allowing sites from the same VPN to connect, regardless of metro network technology in the region.

3.3 Interworking legacy Frame Relay and deployments

Operators can generate additional revenue by broadening the range of services offered by the IP/MPLS network. This extends the reach of existing and Frame Relay/ VPN services to new sites attached to the packet network. It also helps the operator reduce CAPEX and OPEX. The Alcatel-Lucent solution supports the termination of existing Frame Relay/ VPNs into a Layer 3 IP VPN or a Carrier VPN such as over a common IP/MPLS network using pseudowires ().

The solution enables the operator to generate revenue from the broadest range of traditional and emerging business VPN services over a fixed-cost infrastructure. It minimizes the need to roll out a new network for each new service and reduces the number of skilled personnel required to operate the network. The solution also reduces the number of network nodes that must be deployed and operated, as well as the time-to-market for new services.

The multiservice capabilities of the Alcatel-Lucent solution reduce operational complexity in the converged network. This is due to embedded operations, administration and maintenance (OAM) capabilities on the service router that provide cohesive support of the different connection types and VPN services.

Convergence of existing Frame Relay/ and new VPN services on a common IP/MPLS network requires the transparent transport of existing Frame Relay/ services. This is necessary for operators to maintain and expand their revenues by offering seamless service interworking at the user, control and management planes.

Figure 6 illustrates the Alcatel-Lucent solution leveraging PWE3 for Frame Relay-- service and network interworking. This solution supports the termination of routed or routed-bridged encapsulation of Frame Relay/ traffic into an IP VPN or service instance.

Figure 6. PWE3 for frame relay-- service and network interworking

The Alcatel-Lucent solution offers the operator a cap-and-grow strategy, which enables the operator to augment their existing multiservice network with a new multiservice IP/MPLS network. Existing connections are tunneled, using pseudowires, across the IP/MPLS network so that they are access-agnostic. Existing customers with sites attached to both the legacy Frame Relay/ network and the new IP/MPLS network are interworked during a transition period to ensure termination onto the common enterprise Layer 2 or Layer 3 VPN. Interworking ensures both service and feature transparency between the existing Frame Relay/ and the new MPLS networks are maintained. At the end of the transition period, all customers can be migrated to the new IP/MPLS network, thereby reducing the operational burden and enabling further simplification of the infrastructure.

The interworking deployment options for the cap-and-grow strategy are supported by the Alcatel-Lucent solution through a wide range of features:

- Core network upgrade: Links in the multiservice network are selectively upgraded to MPLS to take advantage of higher bandwidth and levels of aggregation over a Packet over SONET (POS) or link layer. This approach leverages the underlying transport network resources in a manner that is agnostic to the Layer 2 protocols.
- Enable out-of-region expansion: The operator builds out new regional IP/MPLS networks to extend existing services to new geographic areas.
- Evolve and grow the network: Existing multiservice switches are maintained, while ports are selectively upgraded to MPLS over. New Layer 2 and Layer 3 VPN services can then be added to the network.

The Alcatel-Lucent solution enables the operator to support (pseudowire) interworking with legacy Frame Relay and deployments to support different enterprise requirements, as identified in Figure 6.
3.4 Integrated IPSec VPNs

Enterprises are turning to managed VPN services as a way to reduce the cost and complexity of managing their own network infrastructures. At the same time, they are deploying new business-critical applications and services that increase efficiency and meet the business needs of their employees, partners, suppliers and customers. This is driving the demand for secure IPSec VPNs by large, medium and small enterprises who want the ability to add or remove sites, users and services as quickly as possible, in a secure way over uncontrolled or untrusted private and public networks.

The Alcatel-Lucent solution supports IPSec VPNs to allow operators to deliver secure, flexible, always-on, managed VPN services that meet enterprises' business-critical communications requirements efficiently and cost-effectively (see Figure 7).

Integrated remote access VPNs are a significant source of revenue for many wireline and wireless operators. With the Alcatel-Lucent solution supporting integrated IPSec VPNs, operators can support an enterprise's remote locations and/or its mobile users. This removes the concern over the security implications of any untrusted networks or islands connecting to their trusted enterprise or operator network.

The Alcatel-Lucent solution gives operators the flexibility to support multiple enterprise VPNs such as IP VPN, IPSec, and over a single converged, multiservice infrastructure. This provides greater network efficiency and helps reduce costs without sacrificing control, performance and resiliency.

Figure 7. Secure service access through the Internet with integrated IPSec VPNs
Legend: IPSec network-to-network encrypted security (partner networks, content partner, mobile backhaul); IPSec site-to-site encrypted security (between multiple sites); remote access concentrator (remote sites, mobile workers).

The Alcatel-Lucent solution enables the operator to deliver integrated IPSec VPN services alongside other Layer 2 and Layer 3 premium business VPN services (both point-to-point and multipoint). This allows operators to address the needs of small, medium and large enterprises in the metro, nationally and internationally.

In Figure 7, Enterprise #2 has remote locations that deploy secure IPSec connections, over the Internet, to its corporate IP VPN. This could be from its remote sites, roaming users or partners. Since the Alcatel-Lucent solution supports a wide selection of IPSec devices and clients, the IPSec sessions are terminated in the operator's network on the Alcatel-Lucent service router and securely connected to the enterprise's corporate IP VPN. This solution allows the operator to expand the scope and revenue of their managed VPN service.

The Alcatel-Lucent IPSec VPN solution enables operators to:

- Leverage the existing IP/MPLS or Carrier services edge to offer virtualized IPSec VPN services in tandem with other revenue-generating business services such as Internet Enhanced Services, IP VPN, and. This allows highly efficient use of existing assets.
- Avoid the cost and complexity of standalone security devices and disparate management platforms. Thanks to the solution's fully integrated and virtualized behavior, operators can provide rapid IPSec VPN service delivery.
- Guarantee high service performance and scalability as IPSec encryptions and decryptions are done via hardware to deliver line-rate security to enterprises.
- Leverage the highly-resilient IP/MPLS network and the industry-leading service router reliability with IPSec session protection support to minimize customer impact.
- Ensure service differentiation, with a rich IPSec VPN implementation that exceeds market requirements and delivers higher value and loyalty by providing enterprises with:
  - Consistent service operations, delivery and SLA guarantees
  - Privacy of data over public IP networks, with easy addition and removal of sites and users
  - Proven service and billing support from the same operator for added business VPN services
- Manage the network using a single service aware management system for all Layer 2 and Layer 3 business VPNs (IP VPN,, and IPSec). This provides a common view of the network and services, and enables the operator to apply end-to-end policies. This end-to-end view from a central network operations center (NOC) can also help reduce the time to identify and fix service issues.
- Benefit from a lower cost of ownership and operation due to the integrated and virtualized service delivery approach.

3.5 Extending business VPN services over xDSL with

The branch office has become a strategic center of IT investments as front line business needs continue to scale and evolve. This changes the role of the network and storage infrastructure serving the branch and remote sites. The Alcatel-Lucent solution provides an array of service access technologies to serve the evolving nature of branch and remote offices with the same stringent SLA consistencies.

From an operator's perspective, the network should offer a full set of service access options to ensure they can meet the reach and feature requirements of their enterprise customers for business VPN services.
For small business sites, the bandwidth offered by the various low speed DSL technologies can be sufficient to extend the business VPN at a lower cost than T1- or E1-based solutions. The Alcatel-Lucent solution broadens the operator's metro service access options, on the IP network, with DSL access using to extend the routed VPN.

Point-to-Point Protocol over (RFC 2516) is a network protocol for encapsulating PPP frames inside frames. Specifically, small branch offices or remote locations can be connected to the operator's metro network via the DSL modem to deliver business VPN services. Using, the branch or remote site establishes a routed point-to-point connection, over a shared Layer 2 network, to the corporate IP VPN or HSI service and then securely transports data packets over the connection. The Alcatel-Lucent solution ensures access control and billing functionality in a manner similar to IP VPNs delivered over any other access technology such as fiber, Frame Relay or.

The Alcatel-Lucent solution, shown in Figure 8, establishes a session between the branch site CPE (for example Enterprise 1) and the Alcatel-Lucent (PE) located in the operator's network. The Alcatel-Lucent terminates the session on the corporate IP VPN allowing the branch office to connect to its corporate IP VPN. Alternatively, the session can be terminated on the HSI link, allowing the branch office to connect to the World Wide Web.

Figure 8. to backhaul traffic from DSL-based branch or remote office to corporate IP VPN

This solution separates business customer routed traffic in a shared Layer 2 network, regardless of which VLAN deployment scenario is deployed:

- VLAN per customer: A 1:1 model using 802.1q and Q-in-Q for customer separation in the metro network.
- VLAN per service: An N:1 model which relies on 802.1q and Q-in-Q for service separation resulting in multiple customers in a shared VLAN.

The Alcatel-Lucent solution enables the operator to scale their network to respond to small enterprises, remote offices of a large enterprise, or SOHO customers that require Internet access or a secure connection to their corporate IP VPN over DSL while, at the same time, ensuring SLA consistencies. The solution also provides the following key benefits:

- The BRAS is bypassed, which removes an active element from the critical datapath to improve service availability and performance.
- The setup and configuration is simplified, ensuring faster setup time for the operator because only one service access point must be set up per IP VPN or HSI routed context. This approach improves the time to service and fault isolation.
- A converged IP/MPLS architecture delivers business VPN services to enterprise customers and residential triple play services to consumers. This approach enables strong options for the operator to reduce CAPEX and OPEX.

4. Common management for flexible services access

A challenging aspect facing the operator, when hosting different service access technologies, is scalability. The operator must ensure that network and service management can scale beyond the disparate element management platforms to address the expanded scope of the network. The Alcatel-Lucent solution uses a service aware manager to allow operators to overcome the challenges created by separate element managers.

The Alcatel-Lucent 5620 Service Aware Manager (SAM) provides end-to-end fault management for Layer 2 and Layer 3 business VPN services. The 5620 SAM enables the operator to provide network and service management from a single entity, as opposed to many element managers. This service aware management capability enables operators to effectively provision and manage the business VPN service offerings for large, medium or small enterprise across a full range of service access options (see Figure 9).

The Alcatel-Lucent 5620 SAM also combines automation and a new generation of template capabilities to ensure that services are provisioned quickly and correctly. In order to offer operational excellence to their customers, operators must be able to deploy business VPN services without errors, to keep customer satisfaction high and obviate the need for troubleshooting or expensive truck rolls. The Alcatel-Lucent 5620 SAM reduces operational costs by reducing complexity for front line operators ensuring that services are provisioned quickly and accurately.

The Alcatel-Lucent 5620 SAM provides second generation template capabilities to customize the workflow which enables operators to enter the minimum number of variables when configuring a service. Service templates are configured during the service definition by technical staff so that operations staff can simply pick a template according to a work order and fill in the blanks. The user interface is customizable so only the required fields are displayed. Optionally, those service attributes that are not populated by the operator can be set to read-only. Templates exist for all the different service types such as VPRN, and Carrier point-to-point () and multipoint () services.

Figure 9. End-to-end service management for Layer 2 and Layer 3 business VPN services

Within an operator's IP/MPLS network, it is common to mesh many network elements together when configuring the MPLS tunnels. Each tunnel is unidirectional so the tunnels must be set up in each direction between each node. The Alcatel-Lucent 5620 SAM removes this extra workload by auto-meshing network elements according to the selected topology, such as ring, mesh or star. As new network elements are added over time, the additional meshing is automated, thus removing one of the complexities of network management.

Operators can also use the templates to configure composite services which effectively bind different types of service access together to form a single end-to-end picture. For example, two distinct service components, such as and service access points, can be bound to a multipoint Carrier service, as shown in Figure 9. In addition, a VPRN (IP VPN) can be bound to a service. Combining these distinct service components into a composite service enables the operator to quickly identify when problems occur on the composite service. The operator can locate the problem and, more importantly, knows the degree to which the end user's experience is compromised.

In addition, configurable test suites provide automation to ensure that operators can troubleshoot quickly and correctly when problems arise. The Alcatel-Lucent 5620 SAM provides the right tools and information to ensure this happens.

The Alcatel-Lucent 5620 SAM provides the operator with end-to-end service provisioning and assurance for Layer 2 and Layer 3 business services. This approach enables the operator to improve overall operational efficiencies by:

- Improving activation time for new business VPN services from hours to minutes
- Applying policies on an end-to-end basis made possible through a common view of the network from a centralized NOC
- Reducing the time to identify and fix service issues
- Providing enterprise customers with a better service portal to track or request changes to their business VPN service

Service portals allow enterprises to monitor their services. Operators can use the statistics generated by the 5620 SAM to enable the enterprise to develop its own reports on the service's health. Some operators currently offer customer-facing tools with graphical user interfaces to allow their customers to perform these statistics-reporting functions. Service portals can also allow enterprises to dynamically change the bandwidth and other parameters of their services. Incremental revenue is realized as operators invoice their customers for these tools.

5. Conclusion

The Alcatel-Lucent IP/MPLS-based business services solution enables operators to offer a choice of secure, scalable, flexible and always-on, managed business VPN services. These services meet enterprise business-critical communications requirements efficiently and cost-effectively, and they provide a guaranteed, flexible evolution path with predictable costs. The solution's interworking capabilities ensure legacy access options are integrated with new business VPN services, to maximize the revenue potential of the operator's infrastructure investments.

By supporting a full range of business service access options, the operator can extend their VPN footprint to meet the needs of a diverse enterprise population, from SOHO and SMEs to large international corporations. Specifically, the Alcatel-Lucent solution enables operators to extend VPN access through an end-to-end interface that can reach across different last mile technologies to provide an handoff, regardless of the enterprise's access. The solution's support for IPSec allows the operator to extend the reach of its VPN offerings to those accessing the network via uncontrolled or untrusted public networks, such as the Internet.

The solution's flexibility enables the operator to further differentiate their business VPN service offering from their competitor's. The integrated, multiservice IP/MPLS infrastructure can be managed through a single end-to-end service-aware management system and helps the operator improve the time-to-market with new services as well as reduce the total cost of ownership.

6. Abbreviations

ASAP: Any Service Any Port
Asynchronous Transfer Mode
BRAS: Broadband Remote Access Server
CAPEX: Capital expenditures
CLE: Customer located equipment
CMTS: Cable Modem Termination System
CRM: Customer relationship management
DOCSIS: Data over Cable Service Interface Specification
EPON: passive optical network
ERP: Enterprise resource planning
ESS: Service Switch
FR: Frame Relay
GPON: Gigabit-capable passive optical network
HDLC: High-level data link control
HFC: Hybrid fiber coax
HSI: High-speed Internet
IT: Information technology
MDA: Media Dependent Adapter
MEF: Metro Forum
MPLS: Multiprotocol Label Switching
MSO: Multiple service operator
NOC: Network operations center
OAM: Operations, administration and maintenance
OPEX: Operating expenditures
PE: Provider edge
PON: Passive optical network
POP: Point of presence
POS: Point of sale
POS: Packet over SONET
PPP: Point-to-Point Protocol
Point-to-Point Protocol over
PW: Pseudowire
RFID: Radio frequency identification
SCM: Supply chain management
SDH: Synchronous digital hierarchy
SLA: Service level agreement
SME: Small-to-medium enterprise
SOHO: Small office-home office
SONET: Synchronous optical network
SR: Service Router
TLS: Transparent LAN service
VLAN: Virtual LAN
Virtual Leased Line
Virtual Private LAN Service
VPN: Virtual private network
VPRN: Virtual private routed network
Virtual routing and forwarding

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2009 Alcatel-Lucent. All rights reserved. CPG4688090201 (02)