Thursday, December 18, 2008

Multiprotocol Label Switching (MPLS) VPNs - Everyone-to-Everyone Links

When customers sign up for MPLS VPN service they give their provider a list of the Internet protocol (IP) addresses associated with each site they want included in the VPN. The carrier uses this list to define a closed group of users allowed to communicate with each other using the VPN service.

Classes of Service - To Prioritize Particular Traffic
The customer chooses from a list of four or five classes of service. These classes of service are used to define the priority given to traffic for each class. For example, there may be two or three classes for data, one for voice, and another (the most expensive) for video. Voice and video have higher priorities than data. Some organizations use the lowest priced class of service for most data and higher-priced classes of service for database lookups. Often customers choose MPLS for its capability to treat voice differently than data. They initially use the network exclusively for data but plan to add voice traffic at a later time. Examples of voice traffic include:
• Worldwide voice mail functionality such as broadcast lists made up of staff at diverse sites
• Audio conferences
• Sending call center traffic to remote sites based on time-of-day or staffing levels
• Transmitting voice calls between international and domestic sites

Electronic Tags on MPLS Packets

MPLS attaches electronic tags to packets. Routers read the tags and assign levels of priority. The tags also enable routers to forward packets more quickly because they don't have to look up addresses in tables for each packet.

Most carriers offer service level agreements (SLAs) for an additional fee in conjunction with MPLS VPNs. These agreements offer guarantees on issues like the following:

• Uptime, the percentage of time that the service operates
• Latency, the amount of delay in milliseconds between when packets are sent and when they are received; this is important for voice and video
• Restoral time per failure
• Packet loss
• Access line (the line from the customer to the carrier) uptime

Carriers that do not meet these SLAs generally give agreed-upon credits to customers.
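
To make those SLA terms concrete, here is an added example (mine, not from the post or any carrier) that evaluates a period of constructed probe samples against hypothetical thresholds for uptime, latency, packet loss and restoral time, lists the terms that were missed, and applies an assumed credit schedule. The sample records, the SLA numbers and the credit percentages are all made up for illustration.

```python
"""Added example: checking monitoring samples against SLA thresholds.

The samples and the thresholds below are constructed for illustration;
they are not taken from any carrier's actual SLA.
"""

# Constructed sample: one record per 5-minute polling interval on one access line.
# up            - the probe reached the far end during the interval
# latency_ms    - measured delay (None when the line was down)
# sent/received - probe packets sent and answered in the interval
INTERVAL_MINUTES = 5
SAMPLES = [
    {"up": True,  "latency_ms": 42,   "sent": 1000, "received": 1000},
    {"up": True,  "latency_ms": 45,   "sent": 1000, "received": 1000},
    {"up": True,  "latency_ms": 48,   "sent": 1000, "received": 998},
    {"up": False, "latency_ms": None, "sent": 1000, "received": 0},
    {"up": False, "latency_ms": None, "sent": 1000, "received": 0},
    {"up": True,  "latency_ms": 140,  "sent": 1000, "received": 985},
    {"up": True,  "latency_ms": 60,   "sent": 1000, "received": 1000},
    {"up": True,  "latency_ms": 44,   "sent": 1000, "received": 1000},
]

# Hypothetical SLA terms (assumed values, not from the post).
SLA = {
    "uptime_pct": 99.9,        # minimum availability
    "latency_ms": 100.0,       # maximum average delay
    "packet_loss_pct": 1.0,    # maximum loss while the service is up
    "restoral_minutes": 15,    # maximum time to restore after a failure
}
CREDIT_PCT_PER_VIOLATION = 10  # hypothetical credit schedule, capped below
CREDIT_CAP_PCT = 50


def evaluate(samples, sla=SLA, interval_minutes=INTERVAL_MINUTES):
    """Compute the SLA metrics for a reporting period and list the violated terms."""
    up_samples = [s for s in samples if s["up"]]
    uptime_pct = 100.0 * len(up_samples) / len(samples)

    # Latency and loss are measured only while the service is up; an outage is
    # already counted against uptime, so it is not double-counted as 100% loss.
    latencies = [s["latency_ms"] for s in up_samples]
    avg_latency = sum(latencies) / len(latencies) if latencies else None
    sent = sum(s["sent"] for s in up_samples)
    received = sum(s["received"] for s in up_samples)
    loss_pct = 100.0 * (sent - received) / sent if sent else 100.0

    # Restoral time: the longest run of consecutive "down" intervals.
    longest = run = 0
    for s in samples:
        run = run + 1 if not s["up"] else 0
        longest = max(longest, run)
    restoral_minutes = longest * interval_minutes

    violations = []
    if uptime_pct < sla["uptime_pct"]:
        violations.append("uptime")
    if avg_latency is None or avg_latency > sla["latency_ms"]:
        violations.append("latency")
    if loss_pct > sla["packet_loss_pct"]:
        violations.append("packet_loss")
    if restoral_minutes > sla["restoral_minutes"]:
        violations.append("restoral")

    credit_pct = min(CREDIT_CAP_PCT, CREDIT_PCT_PER_VIOLATION * len(violations))
    return {
        "uptime_pct": round(uptime_pct, 3),
        "avg_latency_ms": None if avg_latency is None else round(avg_latency, 3),
        "packet_loss_pct": round(loss_pct, 3),
        "restoral_minutes": restoral_minutes,
        "violations": violations,
        "credit_pct": credit_pct,
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLES).items():
        print(f"{key}: {value}")
```

Run as a script it prints the metrics for the constructed hour: two consecutive down intervals cost 25 percentage points of uptime (the only term missed here), while latency and loss, measured only while the line was up, stay inside the assumed limits. Whether an outage also counts as packet loss is a contract question; the code states its choice in a comment so the report matches what the SLA actually says.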

Service Components

Customers that order MPLS use access lines between their network and the carrier. These lines are typically T-1, 1.54 Mbps or less. Most customers have a separate access line for MPLS traffic and a different line for their Internet traffic. Their reasoning is that MPLS traffic comes from trusted sources at their own branches, whereas public Internet traffic requires higher levels of security.

They also specify the following:

• A port speed at the provider's point of presence, often at a lower speed than their access line, perhaps 1 Mb
• A committed access rate (CAR), also referred to as committed data rate (CDR) or committed information rate (CIR). The bandwidth charge is the fee charged by many carriers for guaranteeing a particular speed between the carrier's edge and the carrier's high-speed core network. Some carriers charge a higher rate for international traffic. These speeds vary from 64 kilobits to 44 megabits (T-3)
• Access charge for the circuit connecting the customer to the provider's network
• The ability to "burst," sending data at up to the speed of the port and access line they lease
• Service level agreements
• Classes of service; classes with a lower priority cost less than those with a higher priority (see above)
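
The committed access rate, the port speed, bursting and the classes of service described in this post and in the earlier "Classes of Service" section interact at the carrier's edge port. The added example below (my own simplified model, not a vendor's or carrier's implementation) puts them together: a token-bucket policer marks each packet as inside the CAR or as a burst above it, and a strict-priority scheduler serves voice before low-priority data within the port speed. The class ordering, rates, burst size, queue limit and packet sizes are assumed values; the access line is assumed to be at least as fast as the port and is not modeled.

```python
"""Added example: a CAR policer (token bucket) feeding a strict-priority
class-of-service scheduler at a carrier edge port.

Simplified model; rates, burst size and packet sizes are assumed values.
The access line is assumed to be at least as fast as the port and is not modeled.
"""
from collections import deque

# Classes of service, lowest number served first (assumed ordering).
CLASS_PRIORITY = {"video": 0, "voice": 1, "data_high": 2, "data_low": 3}


class TokenBucket:
    """CAR/CIR policer: tokens (bits) refill at rate_bps, up to burst_bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate_bps = rate_bps
        self.burst_bits = burst_bits
        self.tokens = burst_bits  # start full

    def refill(self, seconds=1.0):
        self.tokens = min(self.burst_bits, self.tokens + self.rate_bps * seconds)

    def conforms(self, bits):
        """True if the packet fits inside the committed rate; consumes tokens."""
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False


def simulate(slots, car_bps, port_bps, burst_bits, max_queue_pkts):
    """Run one-second slots of arrivals through the policer and scheduler.

    slots: list of per-second arrival lists, each item (class_name, size_bytes).
    Returns per-class counts: in_contract (within CAR), exceeding (burst above
    CAR but within port speed) and dropped (tail-dropped from a full queue).
    """
    bucket = TokenBucket(car_bps, burst_bits)
    queues = {cls: deque() for cls in CLASS_PRIORITY}
    stats = {cls: {"in_contract": 0, "exceeding": 0, "dropped": 0} for cls in CLASS_PRIORITY}

    for arrivals in slots:
        for cls, size_bytes in arrivals:
            queues[cls].append(size_bytes * 8)
        bucket.refill(1.0)
        port_budget = port_bps  # bits the port can carry this second

        # Strict priority: drain higher classes fully before lower ones.
        for cls in sorted(CLASS_PRIORITY, key=CLASS_PRIORITY.get):
            q = queues[cls]
            while q and q[0] <= port_budget:
                bits = q.popleft()
                port_budget -= bits
                if bucket.conforms(bits):
                    stats[cls]["in_contract"] += 1
                else:
                    stats[cls]["exceeding"] += 1

        # Whatever did not fit waits for the next second, up to a queue limit.
        for cls, q in queues.items():
            while len(q) > max_queue_pkts:
                q.pop()
                stats[cls]["dropped"] += 1
    return stats


# Constructed arrivals: 200-byte voice frames and 1500-byte data packets.
ARRIVALS = [
    [("voice", 200)] * 50 + [("data_low", 1500)] * 100,  # 1.28 Mbit offered > 1 Mbit port
    [("voice", 200)] * 50 + [("data_low", 1500)] * 20,
]

if __name__ == "__main__":
    result = simulate(ARRIVALS, car_bps=512_000, port_bps=1_000_000,
                      burst_bits=256_000, max_queue_pkts=20)
    for cls, counts in result.items():
        print(cls, counts)
```

With a 512 kb CAR, a 256 kb burst allowance and a 1 Mb port, every voice frame is forwarded inside the contract, while the low-priority data class absorbs the overload: most of it goes out as burst above the CAR, and the packets that do not fit through the port in time are tail-dropped. That is the behaviour customers are paying for when they buy a higher class for voice.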

Managed Service - Providers Monitor Onsite Routers
Customers have the option of managing their own router or paying their provider to manage it. Carrier management of the router is referred to as managed service. With managed service, carriers monitor the router 24 hours per day, 7 days a week for service disruptions, denial of service attacks indicated by unusual traffic levels, and viruses. For medium-size companies, it may cost less to depend on a pool of specially trained provider technicians than to train and hire their own technical staff for these functions. As part of the service, carriers provide activity reports that track the level of traffic so that customers can ensure there is adequate capacity.
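
The two things the post says a managing carrier does with the router's counters, watching for unusual traffic levels and reporting on capacity, can be shown with a short added example (my own illustration, not a carrier's monitoring system). It takes constructed hourly byte counts from a WAN interface, builds a baseline from the median and median absolute deviation, flags hours far above it as candidates for a denial-of-service investigation, and computes port utilization for the activity report. The port speed, the counter values and the alert thresholds are assumed.

```python
"""Added example: the two checks a managed-service NOC would run over a
router's interface counters, using constructed data.

- unusual traffic level: hourly byte counts compared with a robust baseline
  (median and median absolute deviation), the kind of signal that prompts a
  denial-of-service investigation;
- capacity: utilization of the leased port, for the activity report.
"""
import statistics

PORT_BPS = 1_500_000  # hypothetical port speed (assumed, T-1 class)
MAD_SCALE = 1.4826    # makes the MAD comparable to a standard deviation for normal data

# Constructed: bytes received on the WAN interface per hour, index = hour of day.
# Hour 12 carries a spike of the kind a flood would produce.
HOURLY_BYTES = [mb * 1_000_000 for mb in [
    60, 65, 50, 55, 70, 68, 75, 80, 85, 82, 78, 80,
    600, 79, 81, 75, 72, 70, 65, 62, 60, 57, 55, 53,
]]


def analyze(hourly_bytes, port_bps, k=5.0, capacity_alert_pct=80.0, mad_floor_frac=0.05):
    """Return baseline, anomaly threshold, anomalous hours and port utilization."""
    # Median/MAD rather than mean/stdev: a single flood hour would inflate the
    # standard deviation of its own baseline and hide itself.
    median = statistics.median(hourly_bytes)
    mad = statistics.median(abs(b - median) for b in hourly_bytes)
    mad = max(mad, mad_floor_frac * median)  # floor so flat traffic does not alert on noise
    threshold = median + k * MAD_SCALE * mad
    anomalies = [h for h, b in enumerate(hourly_bytes) if b > threshold]

    # Capacity: bytes per hour against what the port can carry in an hour.
    bits_per_hour_capacity = port_bps * 3600
    utilization = [100.0 * b * 8 / bits_per_hour_capacity for b in hourly_bytes]
    over = [h for h, u in enumerate(utilization) if u > capacity_alert_pct]

    return {
        "baseline_mb": round(median / 1e6, 1),
        "threshold_mb": round(threshold / 1e6, 1),
        "anomalous_hours": anomalies,
        "peak_utilization_pct": round(max(utilization), 1),
        "over_capacity_hours": over,
    }


if __name__ == "__main__":
    for key, value in analyze(HOURLY_BYTES, PORT_BPS).items():
        print(f"{key}: {value}")
```

On the constructed day the baseline is 70 MB per hour, the alert threshold about 144 MB, and hour 12 (600 MB, nearly 89% of the port) is the only hour flagged, both as an unusual traffic level and as a capacity concern. A NOC would correlate such an hour with interface errors and the traffic mix before calling it an attack; the counter alone only says the level is abnormal.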

MPLS Advantages for Carriers - Revenue Sources and Administrative Efficiency
Carriers are eager to migrate customers to MPLS to save money on administration and as a platform for new services. Administratively, carriers have the capability to add classes of service for higher-priced voice and videoconferencing. These changes can be made in real time by programming requested modifications. Making changes to frame relay service is more complex because each path between sites must be programmed separately. Other potential sources of revenue for carriers are hosting, and access to hosted data storage (backup storage of customer files on the network).

However, carriers still have investments in asynchronous transfer mode (ATM) network infrastructure that is not fully depreciated. The transition to MPLS as the single network will take place gradually.

Tuesday, December 16, 2008

VPN Technology

Improvements in routing and security protocols and increased capacity in the Internet gave IP networks the capability to differentiate among types of corporate traffic and led to improvements in secure remote access. The following are newer VPN services carried on IP networks:

VPNs for Site-to-Site Communications Within Organizations:
• Multiprotocol label switching (MPLS) VPNs provide any site-to-any site connectivity. This is referred to as meshed service. MPLS service is more flexible to configure than frame relay and is more suitable for intersite voice traffic. MPLS VPN traffic is carried separately from public Internet traffic to guarantee levels of service.

• IP-VPNs carry site-to-site data communications over the public Internet, mixing general Internet traffic with site-to-site e-mail and other applications, and protect that traffic with Internet protocol security (IPSec). IPSec creates a tunnel for each packet. The tunnel hides the destination IP address by surrounding the packet with a different address. IPSec also scrambles data by encrypting it.
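
The two effects of the tunnel, hiding the site addresses behind a different (outer) address and encrypting the data, are easier to see in code. The following is an added example of my own, a simplified model of IPSec tunnel mode and not a real ESP implementation: the cipher and the integrity tag are stood in for by HMAC-SHA256 (a counter-mode keystream, then an encrypt-then-MAC tag) so that it runs with the standard library only. The keys, the site and gateway addresses (RFC 5737 documentation ranges for the gateways) and the payload are constructed; in a real deployment the keys come from the IPsec key exchange.

```python
"""Added example: a simplified model of IPSec tunnel mode.

Not a real ESP implementation: the cipher and the integrity tag are stood in
for by HMAC-SHA256 (CTR-style keystream, then an encrypt-then-MAC tag) so the
example runs with the standard library only. Keys, addresses and payload are
constructed; in practice keys come from the IPsec key exchange.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

NONCE_LEN = 12
TAG_LEN = 32


def packed(addr):
    return ipaddress.IPv4Address(addr).packed


def keystream(key, nonce, length):
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_inner(src, dst, payload):
    """Toy inner packet: 4-byte source, 4-byte destination, payload."""
    return packed(src) + packed(dst) + payload


def parse_inner(pkt):
    return str(ipaddress.IPv4Address(pkt[:4])), str(ipaddress.IPv4Address(pkt[4:8])), pkt[8:]


def encapsulate(inner, gw_src, gw_dst, enc_key, mac_key, nonce=None):
    """Wrap the whole inner packet: outer header with the gateway addresses,
    then the encrypted inner packet, then an integrity tag over everything.
    A fresh nonce per packet; never reuse one under the same key."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    outer = packed(gw_src) + packed(gw_dst)
    ciphertext = xor(inner, keystream(enc_key, nonce, len(inner)))
    tag = hmac.new(mac_key, outer + nonce + ciphertext, hashlib.sha256).digest()
    return outer + nonce + ciphertext + tag


def observer_view(wire):
    """What a router on the public Internet can read: only the outer addresses."""
    return str(ipaddress.IPv4Address(wire[:4])), str(ipaddress.IPv4Address(wire[4:8]))


def is_authentic(wire, mac_key):
    """Constant-time check of the tag over outer header, nonce and ciphertext."""
    outer = wire[:8]
    nonce = wire[8:8 + NONCE_LEN]
    body = wire[8 + NONCE_LEN:-TAG_LEN]
    tag = wire[-TAG_LEN:]
    expected = hmac.new(mac_key, outer + nonce + body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decapsulate(wire, enc_key, mac_key):
    """Verify the tag before decrypting; tampered or forged packets are rejected."""
    if not is_authentic(wire, mac_key):
        raise ValueError("integrity check failed; packet discarded")
    nonce = wire[8:8 + NONCE_LEN]
    body = wire[8 + NONCE_LEN:-TAG_LEN]
    return xor(body, keystream(enc_key, nonce, len(body)))


# Constructed keys, site addresses and gateway addresses (RFC 5737 documentation ranges).
ENC_KEY = b"constructed-encryption-key"
MAC_KEY = b"constructed-integrity-key"
INNER = build_inner("10.1.0.5", "10.2.0.9", b"GET /orders/123")
WIRE = encapsulate(INNER, "203.0.113.1", "198.51.100.1", ENC_KEY, MAC_KEY)

if __name__ == "__main__":
    print("seen on the Internet:", observer_view(WIRE))
    print("after decapsulation:", parse_inner(decapsulate(WIRE, ENC_KEY, MAC_KEY)))
```

Run it and the "seen on the Internet" line shows only the two gateway addresses; the branch addresses and the application data appear nowhere in the bytes on the wire, and only the far-end gateway with the keys recovers them. The check-then-decrypt order in decapsulate matters: a receiver that decrypts before verifying gives an attacker a way to probe the cipher with altered packets.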

Secure access on VPNs for Remote Access:
• Internet protocol security (IPSec) requires client software on computers. The IPSec protocol establishes a secure, encrypted link to a security device at the carrier or enterprise. This is referred to as tunneling.

• Secure sockets layer (SSL) security is a newer VPN access method. Access is embedded in browsers so that organizations are not required to install special client software on each user's computer.

IP VPN and MPLS offerings enable carriers to migrate traffic to their existing IP networks rather than older networks designed to carry frame relay traffic.

Monday, December 15, 2008

VPNs for Remote Access

In many organizations, employees assume that they will have the tools to be as productive (or more productive) away from the office as in the office. Organizations frequently supply salespeople and other remote workers with laptop computers that enable them to work offsite. Employees remotely access e-mail messages, place orders, check order status, and check inventory levels from the road and from home computers (I know this is probably shocking news to you all!). With the growth of Voice over IP, some employees also receive phone calls directed to their office extensions on their laptops or PDAs.

Without a VPN, employees dial into remote access equipment consisting of modem banks at corporate headquarters to access e-mail or other applications using toll-free numbers billed to the corporation. Organizations rack up thousands of dollars in toll-free charges. In addition, calls are frequently dropped and speeds are slow. Moreover, these dial-in remote access arrangements do not support cable or DSL modems.

VPNs let staff at remote offices or home offices access the corporate intranet in the same manner as if they were connected locally. Extending VPNs to homes, telecommuters, and small offices may put access to sensitive information in facilities not as well protected as more traditional facilities. VPNs need to be designed and operated under well-thought-out security policies. Organizations using them must have clear security rules supported by top management. When access goes beyond traditional office facilities, where there may be no professional administrators, security must be maintained as transparently as possible to end users.

Some organizations with especially sensitive data, such as health care companies, even arrange for an employee's home to have two separate WAN connections: one for working on that employer's sensitive data and one for all other uses. More common is that bringing up the secure VPN cuts off Internet connectivity for any use except secure communications into the enterprise; Internet access is still possible but will go through enterprise access rather than that of the local user.

Friday, December 12, 2008

Rationale for VPNs

Organizations use VPNs to save money on renting and managing private lines between sites. Dedicated private lines are circuits used only by the organization that leases them monthly (more on dedicated private lines in the future). In contrast, virtual private networks use shared circuits (electronic paths between points) within carriers' networks. Carriers benefit by not having to dedicate as much infrastructure to single customers.

In addition, VPN installation intervals, the time between ordering service and implementation, are shorter than for new private lines, which take weeks to engineer. Thus, customers with existing virtual private networks can quickly add locations. The biggest delays revolve around new access lines, if they are not already in place between the customer and the VPN provider. If links to the carrier are in place, sites can be added in a matter of days using spare capacity on these links.

VPNs enable businesses to avoid administering growth and day-to-day maintenance of private networks. Adding capacity to a virtual private network is simpler than adding higher-speed, dedicated lines and new hardware to each site of a private network. The customer only needs higher-speed access lines from its building to the carrier's network. The carrier is responsible for making sure there is capacity in the network for the customer's applications.

Large organizations often have a mix of private lines for routes with the highest amount of voice and data traffic and VPN services for routes with less voice and data traffic.

In summary, VPN benefits include:
• Shared facilities may be cheaper - especially in CAPEX (Capital Expenditure) - than traditional routed networks over dedicated facilities
• VPNs can rapidly link enterprise offices, as well as small-and-home-office and mobile workers (more later this week)
• Can scale to meet sudden demands, especially when provider-provisioned on shared infrastructure
• Can reduce OPEX (Operational Expenditure) by outsourcing support and facilities

Thursday, December 11, 2008

A virtual private network (VPN)

Any arrangement that provides connections between offices, remote workers, and the Internet without requiring dedicated lines (also referred to as private networks between sites). The term "virtual" refers to the fact that these VPNs provide the features of private lines; they are virtually private.

An alternate definition: A VPN is a communications network tunneled through another network, and dedicated for a specific network. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

Wednesday, December 10, 2008

Digital Network Services Overview

As stated last week, we will now be shifting our attention towards networks and network services. As an introduction, the table below provides an overview of digital network services for your reference:

Tuesday, December 9, 2008

Storage Area Networks

As more business processes are computerized, enterprises are storing exact copies of all of their data at remote data centers and storage area networks (SANs). A SAN is a network designed for backup and disk mirroring of large databases. These networks include those used for vital functions such as inventory, accounts receivable, order entry and accounts payable. Disk mirroring is the process of simultaneously writing data to backup and primary servers. SANs provide data restoral in the event of disasters or computer failures. They are located at the same site as the primary servers or at other locations in the metro area or across the country.

A data center is a centralized location for corporate data with special environmental controls such as air conditioning, fire alarms, and duplicate power sources. It also has special security provisions regarding who is allowed to enter the center. Data centers can support multiple enterprise sites. Some organizations hire outside organizations to manage their data center either at their site or at a remote site.

Enormous speed is required to transport the massive amounts of data between corporate sites and SANs and/or data centers. In some cases, data centers act as backups to each other. Fibre channel is a standard for high-speed connections at between 133 megabits per second and 4 gigabits per second between servers and storage devices. Fibre channel is used as a local physical channel within the data center. Because there are many devices in a SAN, SANs use either hubs or switches to distribute data to devices. Hubs provide a common path between devices, and switches establish dedicated paths. Fibre channel data is transmitted directly to devices' input/output interfaces. Fibre channel operates over most network protocols.

Because of the speed and reliability requirements, organizations typically use Ethernet VPNs, SONET, or leased fiber with an individual wavelength. Individual wavelengths have distance limitations of hundreds of kilometers but are less costly than SONET. Wavelengths are sent to data centers, customers, or SANs at speeds of 1.5 gigabits, 2.5 gigabits or 10 gigabits per second over one pair of fiber.