Network Management Solutions for IP-VPN Services
By Chandan Mendiratta

Enabling service providers to profitably deploy and manage IP-VPN services

Service providers' profitability in the New World will be defined by their ability to rapidly introduce new services tailored to the specific needs of their customers. A flexible, multi-service Operations Support System (OSS) designed and optimized for a New World infrastructure is critical to their ability to deliver on this. Internet OSS is a broad-ranging initiative from various companies delivering on the New World Operations vision through an open, standards-based reference architecture. New World Operations gives service providers the opportunity to gain competitive advantage as the world transitions into this network information structure.

Virtual Private Network-Internet Protocol (IP-VPN) services represent a tremendous opportunity for service providers to realize new and more substantive revenue streams. Service providers who can offer customized, rapidly deployable, and manageable IP-VPN services will gain competitive advantage. The key to successful and profitable IP-VPN deployment is manageability. Cisco provides an integrated suite of service management products for managing VPN services known as the Cisco Service Management System (CSM). CSM enables highly scalable, integrated solutions that address the complexity and customization requirements of service providers today. Based on the open system architecture of the Telecommunication Management Network (TMN) and distributed processing principles of the telecom information architecture consortium (TINA-C), the CSM management framework contains an open set of modular building blocks. Through CSM, the Cisco Internet-scale VPN technology allows service providers to easily create intranets and extranets among different customers using group memberships instead of complex, point-to-point topologies and deploy new, advanced IP services.

Service providers are experiencing intensifying demand for IP services as businesses seek to boost productivity through information technology. One IP service of particular interest to service providers' corporate customers is IP-enabled "virtual" private network service (often abbreviated as IP-VPN service). With IP-VPN, a service provider connects two IP addresses located at geographically dispersed sites. These two locations thus appear to be within a private IP network. The customer experiences a private network service that connects its remote sites, even though traffic actually flows through a shared provider infrastructure. The benefits of this "virtual" connection include greater reliability for the customer and better resource utilization for the service provider. In its simplest form, IP enabled means to seamlessly connect sites over the underlying provider network without the need for the customer to create IP connectivity between sites. Note, however, that IP enabled does not mean that the provider's underlying transport technology is router-based only; indeed, it can, and often will, include technologies such as Asynchronous Transfer Mode (ATM).

The key to success and ultimate profitability of IP-VPN services goes beyond simply the enabling technology. Equally important is service manageability, or the management of the entire life cycle of service: planning, provisioning, operations, and billing. Service management depends on the management of underlying network infrastructure and on the provision of interfaces to data mechanisms that drive the provider's overall business process. The key to profitability in deploying VPN service is management. To address these important areas properly, this document focuses on network and service management issues.

The Changing Face of Network Services
In the beginning: Private networks
Corporations first leased multiple circuits between geographically dispersed sites to extend their private networks. Physical circuits, leased from carriers, connected pairs of sites to create a point-to-point private communications infrastructure. Corporate network administrators specified which pairs to directly connect and the rate of interconnecting bandwidth. Typically, a company leased the least expensive circuits, even if circuits had to be leased from multiple providers.

In circuit-switched private networks, circuit cost was a function of capacity and geographic distance. Circuit costs included a one-time setup charge and a periodic recurring charge based on the bandwidth. Because providers supplied fixed bandwidth, customers had exclusive access to leased bandwidth, whether or not they actually used it. Performance and throughput were not at issue, except with regard to a potential failure. Hence, service provider contract agreements specified attributes that relate to the physical quality of the circuits leased. For example, contracts specified only attributes such as availability (for example, availability 99.5 percent of the time), bit error rate, or mean time to repair in the event of failure.

By using leased circuits, a corporation could extend its private network backbone and have it completely self-contained and self-managed. The company that leased the circuits, not the provider, was responsible for ensuring that circuit bandwidth was sufficient to meet the connectivity and performance demands of its end users. Life was simple, but expensive.

Then - Virtual Private Networks
Introduction of Frame Relay and ATM technology allowed providers to sell less expensive private network services through economies of scale. Both Frame Relay and ATM protocols, classified as Level 2 protocols, provided remote-site point-to-point connectivity without the need to dedicate bandwidth between sites. Instead, logical or "virtual" circuits (VCs) were overlaid on the physical infrastructure. A customer purchased access ports to connect each of its sites to the provider network. The customer specified which sites to connect with a point-to-point virtual circuit and a profile for the traffic rate requirement between endpoints.

Service cost was a function of the number of access connects, the number of VCs, the VC rate, and quality of service (QoS) parameters. Some service providers also made VC cost usage sensitive. In this case, the cost depended additionally on the rate sent over each circuit. VPN services were typically not sensitive to distance charges and were much less expensive than leasing dedicated circuits.

Multiplexing data on their backbone allowed providers to share bandwidth among several customers and, as a result, realize cost efficiencies. In this paradigm, only a fraction of the total circuit allocation was actually used at any one time, allowing bandwidth to be oversubscribed, as long as it was appropriately managed. This gain was especially applicable to the highly variable traffic rates characteristic of data communication traffic typically sent today. Even though multiple corporations shared the service provider infrastructure for interconnectivity, there was no visibility of one another or even of the underlying physical infrastructure. Virtual circuits kept traffic logically separated. As in the case of private circuit networks, customers were typically responsible for managing how they used the service and not the service itself. However, a rapidly growing market in outsourcing managed services has changed this paradigm.

The most observable difference between private network service and VPN service, besides cost, is that VPN service suffers from variable transport performance. With VPN, the corporate customer has no knowledge of the actual capacity between sites; capacity varies in response to the total demand placed on the provider network, resulting in the potential for resource contention and service performance variability. To address this uncertainty, the service provider furnishes a service-level agreement (SLA) in its service contract with the customer. Typically, the provider agrees to engineer the network to guarantee specified transport performance (for example, delay, packet loss) between connected sites for the agreed traffic rate. The provider agrees to pay a penalty if it does not meet this agreement. The service provider bills based on the nature of the contract and how well it keeps its contractual obligation.

Because the VPN business model is driven by the trade-off between oversubscription of resources and meeting contractual guarantees, network operations and management in support of these environments must provide functions to offer quality services cost-effectively. Despite the simplicity of this objective, the mechanisms and applications involved are quite complex. Moreover, it makes network management a key to revenue generation, with effective service delivery and quality assurance being critical factors.

New Era of IP-VPN Services
Today's service providers are experiencing increasing demand for IP services. More and more businesses want to outsource Internet, intranet and extranet services, managed network services, and content-related services such as Web hosting, mail service, and secure remote access. As a result, these and a multitude of other IP service offerings represent a tremendous opportunity for providers to realize new and more substantive revenue streams from the corporate sector.

IP-VPN services can be provided using one of the following technologies:

  • Establish IP-VPN connectivity over a Frame Relay/ATM network with a router at each edge to manage the Layer 3 information
  • Establish point-to-point tunnels over routed backbones
  • Privately secure access through IP Security Protocol (IPSec) or encryption, and so on

Nonetheless, these implementations will not scale to meet the future demand for IP services. For scalability and economic reasons, providers who want to deploy wide-scale IP-VPN services must "IP-VPN enable" their networks; that is, the forwarding mechanisms of the network infrastructure, whether router based, switch based, or a hybrid of both, must be integrally aware of IP-VPN partitioning without having to use overlay models to establish connectivity. Instead, traffic forwarding must actively participate in partitioning and inter-VPN membership control. Routed and switched backbones can be "IP enabled" through the use of label switching technology known as the Multiprotocol Label Switching (MPLS) standard.

The MPLS-based VPN solution integrates Layer 3 routing and Layer 2 switching mechanisms, providing the best of each: IP intelligence with the speed of Layer 2 forwarding. Label switch routers and switches build their routing databases using standard IP routing protocols. Neighboring label routers and switches then distribute label values to each other using the Label Distribution Protocol. The combination of the local IP route determination and Label Distribution Protocol creates end-to-end paths, making the underlying infrastructure invisible to Layer 3 mechanisms. This lightweight tunneling provides an extendible foundation that provides VPN and other service capabilities. Indeed, label functionality can provide additional advanced service-related features, such as class of service (CoS) and resource reservation routing. MPLS represents the long-term Cisco solution to large-scale VPN service offerings.

Similar to VPN services offered over Frame Relay and ATM backbones, IP-VPN Internet-scale implementations suffer from variable transport performance. To appropriately manage IP-VPN services, network management capabilities must provide the ability to manage services and the network in the process of providing these services. However, a service-level focus represents a fundamental change in the way IP networks are traditionally managed.

Enabling the Provider through Service-Level Management
Questions Providers Need to Ask
Beyond the capability of the enabling technology and its ability to scale to provide efficient and effective service deployment, management, and service differentiation, value-added enhancements will determine a provider's success in making a profitable, competitive business out of delivering IP-VPN services. In this environment, network management is no longer simply an operating expense. Indeed, network management is the key to providing revenue generation and competitive positioning. Success depends on the degree to which service providers will be able to convince their customers that the services they provide are dependable enough to replace existing services, perform predictably, and meet the needs of the growing corporate network. At the same time, profitability depends on the efficiency with which the provider uses operations personnel and equipment resources. As such, network and service management should be considered to be as necessary and important as the enabling technology itself.

The following key questions illustrate the role network management plays in the IP-VPN solutions. The answers to these questions measure the degree to which providers can offer quality services for profit:

  • How effectively can the service provider manage existing VPN services?
  • What is the cost and time to provision the service to the customer?
  • How easy is it to manage changes to the service (for example, site moves, additional sites, new service to existing site)?
  • Is there customer visibility into what constitutes the managed service (for example, customer-specific reporting of inventory, connectivity, policies)?
  • Can the provider guarantee its customers service levels and provide audit information to ensure integrity?
  • Is there a means for the service provider to charge back network resource use to the customers?
  • Can the provider sustain rapid growth in demand without periodic service degradation or undersubscription of resources?
  • Are network resources used in the most efficient and effective manner to reduce overall expenses and optimize performance?

Business-Centric, Service-Level Management
Since IP-VPN technology represents a revenue-generating offering provided primarily to corporate subscribers, service providers will be compelled to follow the procedures and practices befitting Frame Relay and ATM network management solutions used by service providers today. Service order processing, revenue accounting, trouble ticket tracking, service quality assurance, service quality differentiation, and new service capacity planning are examples of some essential provider network management functions. The primary difference between these management functions and those traditionally employed in the managing of IP networks is their business-centric, service-level focus. Traditionally, an IP network is managed as interconnected equipment. Service-level management focuses on managing the network as it provides IP-VPN services specifically as a business opportunity.

Service-level management optimizes the provider's business process by allowing the integration of business-centric processes with the infrastructure that implements and manages services on the network. Customers will evaluate an IP-VPN service based on their experience of the service, not the physical components that enable the service. With service-level management, the provider can focus on delivering quality services and can make decisions based on the impact on service quality and revenue. As a result, the provider can improve customer satisfaction and, at the same time, more efficiently and cost-effectively manage resources, ensuring greater revenue, service value, and competitive differentiation.

Facing the Challenges Ahead
There are three main challenges in providing service-enabled network management to support IP-VPN services.

The first challenge is to provide embedded service-level technologies that enable service-level management applications. Because conventional network management solutions for IP networks have not been service-provider oriented, even the fundamental mechanisms required to support service-level management do not currently exist. When they do exist, they often lack some of the provider-class architectural requirements, such as scalability and accuracy. Provider-class requirements, discussed later, must be satisfied for network management to sustain a critical role in the provider's business process. If the fundamental service-level management-enabling technologies are absent, network management applications, whether built by the vendor, provider, or third-party vendor, will suffer.

The second challenge is to provide integrated, end-to-end management of the network and services over heterogeneous technologies and protocols. IP-VPN service will likely be provided over an integration of IP and Frame Relay/ATM technologies or a combination of different implementations such as IPSec tunnels and MPLS-based IP-VPN. Service-level management requires the underlying service delivery mechanisms to be abstracted to a higher level to provide an integrated, consolidated view of services. The interaction of service, physical, and logical connectivity relationships must be provided such that the definition of service can be abstracted, even across multiple technologies or vendor equipment. Service must be monitored and controlled, that is, managed, without having to specify lower-level details such as network equipment type, protocols, or management communication and control mechanisms.

The third challenge is to provide multi-layered, modular components and intelligent agents. By its very nature, service management must integrate with the provider's operational processes and existing management systems. Programmable modules with open interfaces are required as functional building blocks within a provider's custom solution. The close coupling of network management and a provider's business process often requires customization of the end solution. Because software development is not a core business, service providers look to equipment vendors and other third parties to provide and integrate management solutions. Network management can no longer consist of a single application targeted for all users. Instead, a comprehensive framework is needed with many intelligent interfaces that support the decoupling of service from the underlying network infrastructure and network management. In essence, applications that provide service and customer-centric views of all aspects of operations, administration, management, and provisioning need to be built around vendor-provided, programmable information models. The next section provides a brief overview of the layers that comprise such a framework.

A Comprehensive Service Management Framework
Service management requires integration with the provider's business. Because business practices vary among service providers, one set of network applications will not effectively manage IP-VPN services universally for all providers. Service-level management functionality in a provider environment requires a comprehensive, layered, and open framework, one that can correlate information and data in terms of services at the various levels of operations and management within the provider's organization. Cisco provides a layered, modular network management framework with open interfaces at each layer. This setup enables service providers to integrate functionality into their solutions when needed. Moreover, providers can opt to build custom applications to differentiate their services. The framework is based on the ITU's Telecommunication Management Network (TMN) reference model. TMN is a five-layer model that defines both the logical division and the communication between areas that comprise a service provider's business, operations and management process.

Chandan Mendiratta is Principal Consultant, Cisco India and can be reached at chandanm@cisco.com



Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD