needed to extend ERP access to its remote locations
and partners. It decided to go the VPN way and implemented
a high-end VPN appliance-based solution. by Prashant
Petroleum Corporation Limited (BPCL) is one of the largest
and most successful petroleum companies in India. It
has several nationwide locations connected through redundant
levels of connectivity and is the first public sector
oil company to implement an ERP.
The company needed a solution that would allow it to
extend ERP (SAP R/3) access to its remote locations
and partners who didn't need or couldn't afford a leased
line or VSAT link. The answer was to use VPN over dial-up
links, a cost-effective solution. The company did a
pilot implementation with a low-end VPN product from
Cisco. It was satisfied with the results and decided
to deploy a high-end VPN concentrator from Cisco.
Bharat Petroleum Corporation Limited (BPCL) is
one of the largest and most successful petroleum
companies in India. It has several nationwide
locations connected through redundant levels of
connectivity and is the first public sector oil
company to implement an ERP solution.
Providing access to SAP at remote locations or
partner sites where leased line or VSAT was not
The company went for Cisco's 3030 VPN concentrator
at the central office that supports up to 1500
Faster deployment, low cost of operations, scalable
solution, huge savings on money that would otherwise
have gone toward expensive VSAT/leased lines.
"BPCL wanted a cost effective technology and it
evaluated various options like VSAT and leased line
connections. The objective was to connect remote locations
which didn't need to be connected throughout the day.
Therefore a VPN solution was useful," said Vishwanath
Iyer, Principal Consultant, Cisco India.
According to A K Kaushik, DGM - IS Infrastructure, BPCL,
"VPN was opted over dedicated media including leased
lines for many reasons. Telephone exchanges at most
remote locations do not have equipment that supports
leased/ISDN lines. It takes a long time to commission
dedicated media and the cost of doing so is very high."
bandwidth requirements were very low at its remote locations.
Even 9.6 Kbps was sufficient for carrying out SAP transactions
over a VPN link. Connectivity was required for a maximum
of four hours per day, depending on the type and load
of location. A faster rollout of SAP was also required
at these VPN locations. SAP rollouts were normally carried
out on the first of the month. Up to 30 rollouts were
planned every month across the country."
BPCL evaluated various options before selecting Cisco's
VPN solution. "We had two options, a software-based
and an appliance-based VPN solution. Software based
VPNs are offered by Computer Associates and CheckPoint
and appliance-based solutions are offered by Nortel
and Cisco. We preferred an appliance-based solution
because a software-based solution would have increased
the load on our firewalls," said Kaushik.
BPCL implemented Cisco's VPN 3030 Concentrator. It's
a VPN platform for medium and large enterprises with
bandwidth requirements from T1/E1 through fractional
T3. The concentrator supports up to 1500 simultaneous
sessions. It offers hardware acceleration and is field-upgradeable
to the 3060. Redundant and non-redundant configurations
are also available for the product. The 3030 range also
comes with additional features that take care of authentication
and manages all users according to their profiles/job
Implementing a nation-wide VPN
Cisco has implemented a nation-wide VPN for BPCL. This
VPN has been deployed between 120 BPCL partners (Carry
and Forward (C&F) Agents, commission operated depots,
hospitality locations, and dispatch units) in over 100
cities across the country.
The VPN rollout began in November 2001 and completed
by March 2002. New locations were added to the VPN network
as and when they needed SAP server access. On an average,
five new locations were added every month.
"After we decided to implement an appliance-based
dedicated VPN solution we did a pilot run at our Mumbai
office with a low-end VPN concentrator, a Cisco 3005
VPN concentrator. On successful testing, we bought the
high-end VPN concentrator which can support a maximum
of 1500 concurrent tunnels and can take care of our
future requirements," said Kaushik.
"At our central site in Mumbai, the VPN concentrator
has been installed on a 2 MB link which is connected
through a firewall. PCs at remote locations have Cisco's
VPN client software installed on Windows. This software
came with the central office's VPN concentrator."
The Cisco VPN Concentrator collects all the traffic,
from different centers over the Internet to the central
BPCL operating center. The partners' users are bound
by a stringent enterprise-wide security policy implemented
by BPCL which pre-defines the level of access and services
available to users on BPCL's network. 3DES encryption
is used over the VPN.
The VPN concentrator is at BPCL's corporate office where
the company's SAP servers are also hosted. The 2 Mbps
pipe at the corporate office has 80 percent utilization
at present. No QoS tools are in use on the VPN setup.
There is some in-built redundancy in the VPN concentrator.
At the client end, many locations have more than one
phone connection or Internet account. At places where
wired telephone links are not stable, Wireless in Local
Loop (WLL) links are used to connect to the local ISP.
These links have been deployed by BSNL and provide 9.6
or 14.4 Kbps bandwidth.
Training on VPN use was given to BPCL's SAP rollout
team. The team was responsible for implementing the
solution at all locations where SAP had to be rolled
out and the remote office or partner was not linked
to BPCL's WAN.
At certain remote offices, there wasn't much choice
regarding ISPs. In such a scenario, BPCL has left it
up to users to decide which ISP to use; the choice was
based upon the provider's service record in that area.
The VPN has made it possible for BPCL's partner locations
to access the company's SAP servers for online business
functions like order entry and invoice generation at
very little running cost. "Currently the VPN is
used by 130 users from around 110 locations across the
country for carrying out SAP transactions. Other than
the partners it's also used by a few mobile personnel,"
says Kaushik. SAP administrators also access the servers
SAP has been made available to BPCL's mobile teleworkers
in other operating locations that are not on the company's
WAN using the VPN. The company's partners can access
its intranet for online business functions like order
entry and invoice generation, as well as backup data
on the intranet.
BPCL has achieved faster deployment, lower cost of operations,
and a scalable solution that supports up to 1500 concurrent
VPN users and can be integrated with future security
initiatives like digital signatures and secure ID cards.
BPCL would have had to spend a substantial higher amount
on VSAT links or leased lines at remote locations if
it had not deployed a VPN solution.
The cost of setting up a VSAT link at a remote location
is Rs 2.25 lakh for extended C-Band VSAT equipment currently
being used by BPCL and Rs 1.25 to 1.5 lakh for new Ku-Band
VSAT equipment. These are the initial capital costs.
Recurring charges like WPC charges, DoT licence fee,
bandwidth charges and the AMC are extra.
BPCL plans to extend the VPN to other BPCL locations
which are part of the BPCL WAN and have ISDN/VSAT/leased
lines as primary connectivity. This will act as a fallback
option. It also plans to extend VPN access to more mobile
Prashant L. Rao can be reached at email@example.com