IVCi's IntelliNet SM Network Technical White Paper

Contents

Introduction
Overview
A True ATM Solution End to End
The Power of a Switched Network
Data Throughput
Improved Security
Class of Service End to End
Quality of Service (QoS)
Intelligent IP Architecture
Intelligent IP Components
ATM Backbone
Service Levels
Broadband Access
Intelligent IP Services
Anti Spoofing
DiffServ Marking
Traffic Shaping
Other Services
Network Address Translation
Off-net IPSec Tunneling
Conclusion
Introduction

IVCi's IntelliNet is the world's first globally available, intelligent private IP-based video collaboration network. IntelliNet provides you with the ability to have a completely reliable, on-all-the-time, secure video conferencing network for a fixed fee each month. IntelliNet delivers an end-to-end solution utilizing an award-winning switched ATM-based IP network. The result is a 100% reliable, unbreakable global network that guarantees video calls will be interruption free, including unmatched video quality, without interference from any other types of data traffic whatsoever.

IntelliNet provides you with complete choice and flexibility, ranging from allowing you to use information by accessing the Internet to providing industry-leading automated multipoint video conference calls. If you already have your own video bridge, it can be utilized on the IntelliNet network and hosted at IntelliNet's 24/7 high-tech Network Operation Center, or even at one of your own facilities. If you need to meet with any customers or suppliers not yet on the IntelliNet network, IntelliNet provides central ISDN access to the outside world through its automated Gateway service. Unique with this service is that all of your systems, rooms and people can be scheduled using the powerful award-winning GSS enterprise scheduling tool, standard with all IntelliNet connections.

This paper discusses the architecture and many of the networking and security techniques that are part of IntelliNet. These include the creation of a dedicated video Class of Service (CoS) and how that differs from Quality of Service, which on its own is not sufficient to carry video over a wide area network.
The different Classes of Service will be identified, along with the associated security and traffic management techniques: anti-spoofing, DiffServ marking, firewalling, VPN (Virtual Private Network) steering, traffic shaping, NAT (Network Address Translation), and on-net and off-net tunneling.

Overview

A True ATM Solution End to End

The IntelliNet network boasts a fully meshed ATM backbone that transmits the IntelliNet IP traffic through globally deployed ATM switches. By extending the ATM backbone all the way to a customer's facilities, IntelliNet is able to provide end-to-end ATM data security, throughput, and performance, and to guarantee end-to-end quality of service.

The Power of a Switched Network

The IntelliNet ATM network consists of a switched backbone operating at layer 2 of the OSI network model. When a call is set up over an ATM network, a path is defined through the switched cloud and dedicated to that call. Just as a switched Ethernet LAN offers performance advantages over a shared Ethernet LAN, a switched broadband Wide Area Network (WAN) offers advantages over a routed (layer 3) broadband Wide Area Network, including:
Data Throughput: Switches operate faster than routers, do not introduce queuing delays, and support virtual circuits so that all packets follow the same path and arrive at the destination in the proper order.

Improved Security: Data traveling through a switched network follows a pre-determined path and therefore does not need to be opened and inspected at every switch and router along the way. Limiting the number of inspection points (i.e. the number of times the data is read and therefore "exposed") enhances the security of the network. In addition, one benefit of a layer 2 hardware-switched network is that in order to tap into the data, would-be hackers need physical access to the network.

In contrast, routed networks transmit data at layer 3 of the OSI model. As information is transmitted between layer 3 devices (routers), the data is inspected (read) at each router location (a.k.a. hop), and the most appropriate route for the next leg of the journey is determined on the fly from the contents of dynamically updated routing tables. Because the data must be inspected and re-directed at each router, routed networks tend to incur additional delay and packet loss compared to switched networks when the routers are busy. In addition, each time the data is inspected it is exposed and, in theory, can be read by others, making security more of an issue.

[Figure A - 100% switched network: a single network owned by one carrier connects London, New York and LA over a 100% switched ATM backbone; ATM is extended to the customer premise (via a T-1 last mile) to transport bridged IP over ATM]

Class of Service End to End

One of the differentiators of the IntelliNet switched ATM network is the ability to offer customers several different classes of service. In simple terms, a class of service is a segment (or path) along the network reserved for mission-critical or loss- and latency-sensitive traffic.
Although the terms quality of service (QoS) and class of service (CoS) are often used interchangeably, there are important differences.
Quality of Service (QoS)

Quality of Service, or QoS, is the prioritization of certain types of traffic within the data network. As information reaches switches and routers, which are potential sources of delay, the information is processed and re-transmitted in priority order. Although prioritized information is processed more quickly than less mission-critical (or time-sensitive) data, the data still has to travel on the same potentially overcrowded network path as other less-critical data. Prioritization alone does not guarantee fast travel or network performance. Figure B below shows how a typical routed network is made up of different providers, all routing a packet over an indeterminable number of routers (hops), thus increasing delay, packet loss and exposure to security breaches.

[Figure B - Packet Path in a Routed Network: Customer's Network Site A -> LEC (e.g. Verizon) -> DSL Provider (e.g. Covad) -> Backbone Carrier (e.g. WorldCom UUNet) -> DSL Provider (e.g. ProSpeed) -> LEC (e.g. Verizon) -> Customer's Network Site B; multiple networks owned by different carriers, with a router at each hop]

Intelligent IP Architecture

Intelligent IP Components

Figure 1 below illustrates the components that make up IntelliNet's Intelligent IP architecture. These components are described in further detail in the following sections:
[Figure 1: Intelligent IP Components: Broadband Access at each customer site; Intelligent IP Services (Anti Spoofing, DiffServ Marking, Policing, Firewall, VPN Steering, Traffic Shaping, NAT, Policy Steering, Captive Portal); ATM Backbone carrying Class 1 - Real Time Market Data, Class 2 - Voice & Video (IntelliNet), Class 3 - File Transfer, Class 4 - Email & Internet; Network Creation System (NCS)]

ATM Backbone

In addition to offering core transport, the ATM backbone is the CoS enabler: each Service Level is transported using different traffic parameters, as shown in Table 1.

Service Levels

Network traffic is then mapped onto the appropriate service level by marking traffic flows using the Differentiated Services (DiffServ) architecture, allowing IntelliNet to provide industry-leading Service Level Agreements (SLAs), as shown in Table 1.

Table 1 - Service Levels

Service Level   ATM Transport   DiffServ Marking   Core Availability   Core Latency   Core Packet Loss
1               VBR-nrt-1       AF=4               100%                55 ms          < 0.1%
2               VBR-rt-2        AF=3               100%                60 ms          < 0.25%
3               VBR-nrt-3       AF=2               100%                70 ms          < 0.5%
4               UBR             AF=1               100%                75 ms          < 0.75%

Customers can then select the appropriate service level based on their application type, as shown in Table 2. For video conferencing services, customers would select Service Level 2.

Table 2 - Service Levels per Application Type
Service Level   Application Type           Example
1               Delay intolerant           Real-time market data
2               Delay & jitter sensitive   Real-time video conferencing
3               Delay sensitive            File transfer, transaction processing
4               Delay tolerant             Email, Internet access

Broadband Access

The Class of Service feature delivered by the ATM backbone is extended to the customer premises through the use of an ATM Integrated Access Device (IAD). This is unique in that most network providers cannot guarantee this level of service beyond the network. The fact that traffic segregation can take place from the customer premises ensures end-to-end delivery of data in the manner that is most suited for the given application.

[Figure 2 - Broadband Access]

The utilization of Broadband Access allows for the delivery of multiple streams over the same physical link, as illustrated in Figure 2: multiple virtual circuits are built on a single access circuit, with each ATM Virtual Circuit carrying a different application flow, each with its own service level and traffic parameters. Customers can therefore run video conferencing and Internet services simultaneously without fear of quality degradation.

Intelligent IP Services

IntelliNet's Intelligent IP features are based on a distributed network-based stateful inspection engine that detects predefined data flows and acts upon them according to predefined policies, providing Class of Service (CoS), security and VPN functionality.
[Figure 3 - Intelligent IP Features]

Figure 3 depicts the Intelligent IP features and data flows, as implemented within the IntelliNet network. Customer traffic enters the network with an ATM QoS applied at the customer premise. The data first passes through an Ingress Anti Spoofing policy, which prevents masquerade attacks from hackers. The traffic then passes into the traffic management elements. The first traffic management element applies DiffServ marking on predefined traffic flows to ensure that these flows are mapped to the appropriate Service Level. The traffic then enters a VPN steering function, which directs the data to either a VPN community or to the Internet. It is within the VPN steering function that firewall policies are applied. IntelliNet has created several default security templates, based on typical customer environments, that the customer may apply for customized security policy enforcement. All VPN traffic (i.e., from one customer site to another) is segregated from other flows (Internet or other customers) by using tunnels between privately routed networks over the core backbone. Each VPN community has its own routing table that separates one subscriber's VPN traffic from other VPN traffic, as well as from Internet traffic.
Finally, based on the earlier DiffServ marking, IntelliNet assigns the predefined traffic flows to different PVCs (permanent virtual circuits) within the ATM backbone. This separates the different traffic types across the backbone and offers QoS enforcement in support of SLAs.

In the opposite direction, traffic entering the Intelligent IP functions from the network core may or may not have been subject to DiffServ marking, depending on the customer's requirements or the origin of the packet (such as off-net Internet). In any case, the traffic passes through the filter rules of the firewall. By placing the firewall in the network, traffic sent to the customer's premise has already been filtered, eliminating the need for the customer to deploy costly premises-based firewalls at each location. The in-network firewall also reduces the amount of wasted bandwidth that would otherwise be consumed by data that is restricted or dropped at the customer's premise. The data then enters the traffic shaping function, which is also responsible for protecting the bandwidth of the customer's access link so that mission-critical applications receive higher prioritization than delay-tolerant applications. Here, weight and bandwidth limits are assigned based upon source, destination, and traffic type. Lastly, the data passes through an Egress Anti Spoofing policy, protecting the customer from external masquerade attacks.

All Intelligent IP policies are based on rule sets that identify a traffic flow based on source, destination, application or DiffServ marking, and then act upon it. The following sections further detail the use of these policies.

Anti Spoofing

The purpose of Anti Spoofing is to prevent masquerade-type attacks. Egress Anti Spoofing, illustrated in Figure 4, drops incoming (to customer) packets with a source IP address belonging to the customer site. Ingress Anti Spoofing drops outgoing (from customer) packets with a source IP address not belonging to the customer site.
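The two anti-spoofing directions described above, as an added example that models the policy in Python (a hypothetical illustration, not IVCi's implementation; the customer prefix 10.1.0.0/16, the packet records and all addresses are constructed):

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str  # source IP address as text
    dst: str  # destination IP address as text


class AntiSpoofing:
    """Hypothetical model of the Ingress/Egress Anti Spoofing policies.

    customer_prefixes: address blocks assigned to one customer site
    (constructed values in the usage below).
    """

    def __init__(self, customer_prefixes):
        self.nets = [ipaddress.ip_network(p) for p in customer_prefixes]

    def _belongs_to_site(self, addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None  # unparsable source: treated as neither inside nor outside
        return any(ip in net for net in self.nets)

    def ingress(self, pkt):
        # Ingress policy: traffic leaving the customer toward the network.
        # Forward only packets whose source really belongs to the site; anything
        # else (including an unparsable source) is an outbound masquerade and is dropped.
        return self._belongs_to_site(pkt.src) is True

    def egress(self, pkt):
        # Egress policy: traffic arriving from the network toward the customer.
        # Drop packets claiming a site source address, since genuine external
        # traffic can never carry one; unparsable sources are dropped as well.
        return self._belongs_to_site(pkt.src) is False


def apply_policy(policy, direction, packets):
    """Return (packet, verdict) pairs for one direction ("ingress" or "egress")."""
    check = policy.ingress if direction == "ingress" else policy.egress
    return [(p, "forward" if check(p) else "drop") for p in packets]


if __name__ == "__main__":
    site = AntiSpoofing(["10.1.0.0/16"])  # constructed customer prefix
    outbound = [Packet("10.1.4.20", "203.0.113.9"),    # genuine site host
                Packet("203.0.113.77", "203.0.113.9")]  # forged non-site source
    inbound = [Packet("203.0.113.9", "10.1.4.20"),     # genuine external peer
               Packet("10.1.9.9", "10.1.4.20")]        # external host posing as the site
    for pkt, verdict in apply_policy(site, "ingress", outbound) + apply_policy(site, "egress", inbound):
        print(f"{pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```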
[Figure 4 - Egress Anti Spoofing]

DiffServ Marking

As previously indicated, DiffServ marking allows mapping to the appropriate service level by tagging IP flows using DiffServ's Assured Forwarding (AF) field.
As an example, Figure 5 shows the mapping to service levels for a customer who selected Service Level 2 (AF=2) for video conferencing services while all Internet traffic is marked at Service Level 4 (AF=1). By default, traffic to and from the Internet is always mapped to Service Level 4, which corresponds to a best-effort service.

[Figure 5 - DiffServ Marking]

Fire-Walling and VPN Steering

Figure 6 illustrates a simple firewall and steering policy that:
- securely steers all VPN traffic to other VPN members;
- allows the customer to reach the Internet (but does not allow users on the Internet to reach the customer).

[Figure 6 - Simple Firewall]

The Intelligent IP network-based stateful inspection engine allows reflexive access control, which means the ability to identify complex application flows such as FTP or Voice over IP (VoIP), where an initial control communication is followed by ephemeral communications. Figure 7 illustrates a policy that allows a web server to receive HTTP requests (line 4) and a VoIP gatekeeper to participate in the establishment of H.323 connections.

[Figure 7 - Complex Firewall]
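The steering and reflexive-access-control behaviour of Figures 6 and 7, as an added example in Python (a hypothetical model, not IVCi's engine; the site prefix 10.1.0.0/16, the VPN member prefix 10.2.0.0/16, the web server address 10.1.0.80 and the flows are constructed; the H.323 gatekeeper rule of Figure 7 is not modelled):

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        # The 5-tuple a reply to this flow would carry.
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


class SteeringFirewall:
    """Hypothetical model of the VPN steering + firewall stage.

    site:        this customer's own prefix (constructed)
    vpn_members: prefixes of the other sites in the VPN community (constructed)
    web_server:  the one site address allowed to receive HTTP from the Internet
    """

    def __init__(self, site, vpn_members, web_server=None):
        self.site = ipaddress.ip_network(site)
        self.vpn = [ipaddress.ip_network(m) for m in vpn_members]
        self.web_server = web_server
        self.state = set()  # admitted flows; their replies are permitted reflexively

    def _in_site(self, addr):
        return ipaddress.ip_address(addr) in self.site

    def _in_vpn(self, addr):
        return any(ipaddress.ip_address(addr) in net for net in self.vpn)

    def _admit(self, flow, where):
        self.state.add(flow)
        return ("permit", where)

    def process(self, f):
        # Reflexive access control: the reverse of an admitted flow is a reply.
        if f.reverse() in self.state:
            return ("permit", "reflexive")
        # Site <-> VPN member traffic is steered into the VPN community
        # (its own private routing table), never onto the Internet.
        if (self._in_site(f.src) and self._in_vpn(f.dst)) or \
           (self._in_vpn(f.src) and self._in_site(f.dst)):
            return self._admit(f, "vpn")
        # The site may initiate sessions toward the Internet.
        if self._in_site(f.src) and not self._in_site(f.dst):
            return self._admit(f, "internet")
        # Figure 7, line 4: the Internet may open HTTP to the web server only.
        if f.proto == "tcp" and f.dport == 80 and f.dst == self.web_server:
            return self._admit(f, "internet")
        # Anything else arriving from outside is unsolicited and denied.
        return ("deny", "unsolicited")
```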
Traffic Shaping

Traffic shaping is a service that acts upon traffic in the direction towards the customer's network. Traffic shaping provides prioritization and rate guarantees to specific mission-critical applications while giving lower priority to delay-tolerant applications (such as Email). Shaping identifies IP flows and shapes them to an absolute bandwidth and/or a relative (%) bandwidth during times of congestion. Different flows receive different bandwidth allocations on a per-customer (site) basis. This layer-3 shaping is in addition to any shaping the ATM layer provides at layer 2.

Figure 8 depicts a policy in which traffic to the site's web server will occupy about 2/3 of the bandwidth, while all other HTTP traffic will receive 1/3 (rate weight of 20 on line 1 versus 10 on line 2). In addition, the Per Connection Rate Limit is configured so that a single HTTP session may not exceed 6250 Bytes/sec (50 kbps). These parameters only take effect during times of link congestion.

[Figure 8 - Traffic Shaping]

Other Services

Other optional Intelligent IP Services are offered as part of IntelliNet's Intelligent IP solution.

Network Address Translation

Network Address Translation (NAT) is designed for IP address simplification and conservation, as it enables private IP networks that use unregistered or private IP addresses to connect to the Internet. NAT usually operates at a network border and translates the hidden addresses of the internal network into legal addresses before packets are forwarded onto another network. NAT is incompatible with protocols that are based on a state machine that opens (inspects) the IP headers; tunneling protocols (PPTP, IPsec) are an example. Figure 9 illustrates an example of many-to-one NAT, where all hidden addresses within a customer site are mapped to a single public address when communicating outside of the VPN. Intelligent IP services currently support one-to-one and many-to-one NAT.

[Figure 9 - Many-to-one NAT]

Off-net IPSec Tunneling

The Intelligent IP architecture allows for the termination of IPSec tunnels within a pre-defined VPN. This allows a site that is part of a VPN community to securely communicate with another site or entity located on the Internet using pre-defined security mechanisms.

Conclusion

IntelliNet's ability to segregate traffic through the Intelligent IP network based upon application type allows for a premiere platform on which video conferencing services can be delivered. Unlike other network providers, IntelliNet provides a high-performance, secure network on which video conferencing actually rides on a separate class of service from all other applications. As a result, an increase in Internet traffic will not slow or hinder the delivery of the video conferencing service. With other network providers, the video conferencing service is at risk of being severely hindered if a spike occurs across the network. These providers allow the delay-sensitive video conferencing application to be mingled with all other forms of less sensitive traffic, which in turn leads to lesser performance and greater risk of packet loss.