
Solution Brochure

The Business Case for Network-based Layer 3 IP VPNs


Better network performance and resiliency with support for voice, video, and future applications all at lower cost

Juniper Networks | The Business Case for Network-based Layer 3 IP VPNs

Executive Summary
Layer 3 Virtual Private Networks (VPNs), developed in the late 1990s, now deliver secure, reliable office connectivity for a wide range of applications at many Fortune 1000 companies. The reasons for the popularity of these network-based IP VPNs are clear: they are a mature and stable way to interconnect enterprise sites at lower cost than Frame Relay or ATM; they carry voice over IP (VoIP), IP video and other advanced services that the legacy technologies cannot; and they provide a safe and secure upgrade path for the future. These Layer 3 IP VPNs also improve performance and resiliency, and let enterprises extend core business applications to remote offices with security every bit as robust as that of the Frame Relay and ATM networks they typically replace. While there are a number of ways enterprises can implement IP VPNs, this paper describes the advantages of network-based Layer 3 IP VPNs. Often regarded as the outsourced solution to an organization's data transport needs, these IP VPNs, also known as 2547 VPNs after RFC 2547 (since reissued as RFC 4364), have as their primary attribute that the service provider takes responsibility for all of the routing between sites. They are called network-based because they are implemented with Multiprotocol Label Switching (MPLS) over the service provider's IP infrastructure. The result is effectively a private network for each VPN customer that is logically separate from the public Internet and from every other customer's VPN, as illustrated in Figure 1.

[Figure 1: Branch Office, Corporate Headquarters and Intranet, Mobile Users and Telecommuters with Internet Remote Access, and an Extranet to Suppliers, Partners and Customers, all attached to the provider network]

Figure 1: Network-based IP VPNs use the same infrastructure as best-effort Internet traffic but are administered separately to give them the security and performance of dedicated networks.

Network-based VPNs provide premium WAN connectivity without requiring customers to set up and maintain their own secure site-to-site tunnels between every pair of sites. As a result, network-based IP VPNs enable an organization's IT staff to focus on the applications that run over the network instead of managing the network. This paper outlines the value of network-based IP VPNs for enterprise customers. For some organizations, lower costs and ease of deployment are reason enough to embrace this approach. But the ways in which these network-based IP VPNs are implemented yield additional benefits that are important now and will become increasingly compelling as latency-sensitive applications such as voice and video become more integrated into routine commerce. Quality of Service (QoS) is a particularly important capability that the most advanced service providers implement in their IP networks and that yields real benefits for their Layer 3 VPN customers. QoS enables providers to differentiate all their traffic so that low-latency applications are given top priority throughout the network, not just at the edge. By giving preferential treatment to voice, video, and other high-priority traffic, essential VPN applications can stay up and running despite bursts of network activity or failures that congest the network for others. Service providers organize traffic by Class of Service (CoS) to ensure that their VPN customers receive the QoS appropriate for each of their network applications. As they implement end-to-end QoS, these service providers are transforming IP networking from Internet-style, best-effort, take-what-you-get service into a secure, reliable transport system that is as available and resilient as carrier-grade, circuit-switched networks at a fraction of the cost.

Lower Total Cost of Ownership


When cost is no object, private networks provide their owners with the highest security and the ultimate control over network resources. But since cost is an issue for most enterprises, Layer 3 network-based VPNs were developed as a way to deliver the benefits of dedicated networks over a service provider's infrastructure, complete with traffic separation, application-appropriate QoS, and automatic routing around failures. The relevant comparisons are therefore between IP VPNs and legacy networks such as Frame Relay and ATM, and between network-based IP VPNs and customer-provisioned IPsec VPNs built on Customer Premise Equipment (CPE).

Less Expensive Than Legacy Networks


With Frame Relay and ATM, cost is proportional to the number of Permanent Virtual Circuits (PVCs) purchased, which makes larger networks expensive to operate. Even small legacy networks require specialized, costly expertise to make their Layer 2 facilities meet the needs of modern routed IP applications. In contrast, Layer 3 network-based IP VPNs leverage the IP routing expertise that organizations have already developed for their LANs and WANs, and they are often priced on consumed bandwidth, which keeps costs aligned with usage. With network-based VPNs, the CPE can be more basic and less expensive because the network intelligence is supplied by the service provider's equipment. Basic routers are less complex with fewer set-up tasks, so less is required of customer staff. Depending on their organization's security requirements, IT professionals can simply set their Customer Edge (CE) routers for static or default routing and let the Provider Edge (PE) routers take over from there. Additional layers of security such as firewalls and IPsec encryption are optional with network-based Layer 3 IP VPNs; whether to add them is a decision for the organization's own threat model rather than a requirement of the transport. That can be an important cost consideration, because upgrading legacy routers to full-function CE platforms that can perform encryption at full line speed can cost thousands of dollars per site and requires ongoing monitoring, maintenance, and periodic upgrades.

Important Advantages for New Applications


The rise of new IP applications makes a stronger case for IP VPNs in general, and network-based VPNs in particular. For example, companies are merging telephony with data transport so that employees can receive voice messages via e-mail and listen to their e-mail over the phone. These applications offer exciting ways to improve productivity and reduce telecommunications costs, but they require fast, resilient networks that are capital-intensive and resource-intensive to build and manage. When the ability to perform such essential business tasks as placing and receiving telephone calls depends on the continuous availability and security of a company's data network, IT leaders are increasingly working in partnership with service providers that have the technology and expertise needed to make it all work with carrier-grade reliability.

Reduced Staffing Requirements


There is a vast difference in required skill level between running network-based IP VPNs and legacy networks such as Frame Relay. With network-based IP VPNs, a customer's IT staff does not have to be expert in network traffic engineering, selecting and maintaining routing protocols, managing address space, troubleshooting outages, and implementing lightning-fast reroutes around problems.


Small and mid-size organizations typically lack the in-house expertise needed to implement full-mesh configurations using Frame Relay, and even large enterprises that can afford specialists are increasingly eager to consolidate their operational support around Ethernet and IP. These LAN/WAN skills, not Frame Relay or ATM expertise, are the knowledge base required to implement and maximize the value of current and future network applications.

Automatic Future-proofing
Experts agree that IP has won the protocol wars. Modern enterprise-wide applications are IP-enabled, and new applications are seizing the full potential of MPLS over IP networks. Now is the time to standardize on IP as the transport of choice and take advantage of its advanced features that are unavailable with legacy technologies. What is the best way to lower network costs while preserving options to support future applications? While there is no single answer that best meets the needs of every organization, Layer 3 network-based IP VPNs transfer the burden of future-proofing to the service provider. Instead of customers having to ask themselves how ready they are for the unknown applications of the future, they can evaluate service providers on that basis. Applications of the coming decade will require IP networks that are increasingly fast, smart, reliable, and secure. These characteristics, along with low latency, low jitter, and high availability, are the hallmarks of today's best network-based IP VPNs. Continuing investments by leading service providers ensure that the VPNs they build and maintain will provide their customers with data transport that is always at the state of the art. Top service providers that have already extended these "better than best-effort" capabilities beyond the CE-PE link throughout their networks are now working to extend the same assured experience across other providers' networks in a collaborative industry effort called the Infranet: a network for all communications that combines the reach of the Internet with the performance and security of a private network. Outsourcing data transport to service providers that are making these commitments is an efficient way to future-proof an organization's secure WAN strategy.

High Performance and Resiliency


End-to-end CoS Gives Network-based VPNs VIP Treatment
When customers turn to leading carriers like XO Communications to implement network-based IP VPNs for them, it is important to understand that even though the carrier employs the same routers and links it uses for general Internet traffic, network-based VPNs offer the flexibility to handle traffic differently. Carriers that provision network-based VPNs do not automatically give preferred treatment to VPN traffic; they must program those priorities into all of their routers. XO Communications, for example, has programmed all of its edge and backbone routers to classify and schedule all traffic using four supported classes of service. Each router in the XO network forwards each packet according to the label the PE router applied for its VPN and the CoS marking the PE router placed in the label header. The CoS capability of MPLS enables carriers like XO to mark each packet with one of several levels of priority. General Internet traffic, as a best-effort service, is always the lowest priority. XO customers selecting CoS for their VPN can classify their traffic into four CoS levels (Real Time, Critical, Priority, and Standard) to prioritize VoIP or other important application data, typically by setting the DSCP value of their IP packets. The PE router maps that customer marking to the CoS of the MPLS backbone so that the class is honored at every hop and the VPN traffic is protected end to end. The result is that whenever a link becomes congested, network-based VPN traffic, classified as higher priority than best effort, goes first. If that leaves little bandwidth for Internet traffic, then general Internet users, including anyone running a customer-provisioned VPN over the Internet, have to make do with whatever bandwidth remains. Figure 2 illustrates the advantage that carriers can give their network-based VPN customers compared to customers who set up their own tunnels through the public Internet.

[Figure 2: two diagrams. Left, CPE-VPN: Subscriber Sites 1, 2 and 3, each with a CPE router, joined by VPN tunnels across the Internet. Right, IP-VPN: Subscriber Sites 1, 2 and 3, each with a CPE router attached to a PE router, joined by the provider's VPN between the PE routers.]

Figure 2: Comparing customer-provisioned, CPE-based VPNs (left) with provider-provisioned, network-based VPNs (right). While the CPE-based tunnels appear to be direct pipes between sites, in reality they are encrypted packets traversing the public Internet without any priority. When carriers set up network-based VPNs for their customers, they can program their routers to give priority to that traffic.

When evaluating carriers for IP VPN service, it's also important to understand their backbone routers' Class of Service support. Throwing more bandwidth at the problem by deploying big pipes worked a few years ago, but it is no longer enough. While big pipes give good service to all traffic as a matter of routine, there is no such thing as a steady state in the public Internet. A burst of peer-to-peer file sharing that coincides with a backhoe severing a primary link can suddenly congest secondary links. Furthermore, the uplinks from the market aggregation routers to the core routers are even more likely to be congested by bursty traffic, and prioritization on these links protects the traffic to and from the core. That is when end-to-end CoS ensures that VPN traffic still moves while the public Internet appears unreachable or painfully slow to others.

Like many enterprises with geographically dispersed locations, one large chain of retail stores is reducing costs by routing intra-company telephone calls over its network-based IP VPN. Previously, the long latencies inherent in its hub-and-spoke Frame Relay network made it impractical for nearby stores to call each other over the corporate data network, forcing them to use traditional PSTN telephone service at per-minute rates. Not only were they compelled to use more expensive telephone service, any link failure cut all data communications to the affected sites. Now, with the any-to-any connectivity of their network-based IP VPN, all sites talk to one another via least-latency routes. The company has achieved carrier-grade QoS at a very low cost per call, and multiple paths to every site improve resiliency for all communications.

[Figure 3 panels: Hub-and-spoke Legacy Network, with HQ at the hub; Full-mesh Network-based IP VPN, with HQ as one site among equals]

Of course, the purpose of CoS is to ensure that each application gets the QoS it needs, not simply to give VPN customers better service than Internet customers. Voice and video understandably require latencies measured in milliseconds, but an instant message still seems immediate despite a second of delay, and few users care if e-mail takes an extra minute. The key is to make sure that each packet gets the resources appropriate for its intended use. This ability to control how classes of data move on the network is why the best network-based IP VPNs will always have a performance edge over customer-provisioned VPNs, regardless of which network layer they use. While customers can establish secure tunnels through the Internet using their own CPE, unless the provider assigns priorities to that traffic, customer-provisioned VPNs get only best-effort carriage.

Any-to-any connectivity boosts performance and resilience


An automatic benefit of network-based IP VPNs is that every customer site is connected to every other site in a full-mesh configuration. (See Figure 3.) That is a significant advantage over Frame Relay networks, which are usually built as hub-and-spoke to economize on the number of point-to-point links needed. Scaling makes a full mesh difficult for a Layer 2 or customer-provisioned VPN because N sites require N(N-1)/2 links or tunnels to be provisioned and maintained, and each site must terminate N-1 of them. For a network-based VPN, only a single link per site is required; the provider's routing takes care of reachability between every pair of sites. Latency-sensitive applications, such as voice and video, can suffer when they must transit a hub, and a hub failure can affect many sites at once. Organizations that replace their Frame Relay networks with network-based IP VPNs will enjoy better performance between remote sites, and the multiple alternate paths the provider network offers increase resiliency. A side benefit is that less bandwidth is needed at former hub sites, since there are no hubs in a full-mesh configuration. A network-based VPN can still be configured in a hub-and-spoke topology if there is a requirement that traffic pass through a hub site for security inspection or other policy reasons. However, because of the flexibility and easier administration of a full mesh, most customers prefer it. One of the main reasons providers now use MPLS throughout their networks is to take advantage of the protocol's many resiliency features, which are a particular boon to network-based IP VPNs. A look at how MPLS works shows why.

Figure 3: Any-to-any Connectivity Reduces Cost by Routing Voice Traffic over Network-based IP VPN


MPLS Helps Accelerate VPN Traffic


With MPLS, a packet entering the provider's network is given a label by the ingress router, and each subsequent router replaces that label with a new one taken from its own forwarding table and sends the packet to the corresponding next hop. The label identifies a path through the network rather than a final address, which is why it can be rewritten hop by hop according to whatever rules the provider configures. This practice of swapping the label at every hop is what gives Multiprotocol Label Switching its name.

An analogy with mailing a package demonstrates how the flexibility of MPLS helps route all traffic, and can accelerate network-based VPN traffic in particular. (See Figure 4.) If the post office used MPLS, a package mailed in San Francisco to an address in Boston might first get a mailing label to a post office in Denver. In Denver, handlers might replace the Denver label with one for, say, Chicago. In Chicago, the label could be switched again for the final leg of its trip to Boston. The beauty of this approach is that the routing can be changed dynamically based on network conditions. If there is a problem on the link to Chicago, Boston-bound packets can be routed through Dallas and Washington instead. When combined with CoS, label switching lets providers give their VPN customers extra advantages. To extend the package analogy, when Chicago becomes unreachable, rules maintained in Denver may specify that only high-priority items are sent through Dallas and Washington. All other traffic destined for Boston might be routed over less direct routes. In the world of IP VPNs, customers whose sites are interconnected with a network-based VPN have hundreds, even thousands, of ways that their data can traverse the network, and on networks implementing end-to-end CoS, their data is given VIP treatment at every hop.
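The package analogy above, worked as code. This is an added example and not code from the brochure, Juniper or XO: a toy label-switched network in which each router holds a label forwarding table (LFIB) mapping an incoming label to candidate (outgoing label, next hop) entries tried in order, and an entry can be reserved for packets whose EXP (priority) value meets a minimum, which is how Denver sends only high-priority traffic over the short Dallas-Washington detour. It also carries a two-label stack, as a 2547-style VPN does: the core swaps only the outer transport label, and the inner VPN label selects the customer's VRF at the egress PE. The label values, the Atlanta detour for low-priority traffic, the VPN labels and the VRF names are all invented for the example.

```python
"""Added example (not from the brochure): label swapping hop by hop with
EXP-aware backup entries and a two-label (transport + VPN) stack.
All labels, the Atlanta detour, VPN labels and VRF names are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class LinkState:
    """Set of failed links, each stored as frozenset({a, b})."""
    down: set = field(default_factory=set)

    def up(self, a: str, b: str) -> bool:
        return frozenset((a, b)) not in self.down


# Ingress PE: pushes a transport label and hands the packet to the first core router.
INGRESS = {"SanFrancisco": (101, "Denver")}
# LFIB per label-switching router: in_label -> [(min_exp, out_label, next_hop), ...]
LFIB = {
    "Denver":     {101: [(0, 201, "Chicago"),      # primary, any class
                         (3, 301, "Dallas"),       # short detour, EXP >= 3 only
                         (0, 401, "Dallas")]},     # long detour via Atlanta, anyone
    "Chicago":    {201: [(0, 202, "Boston")]},
    "Dallas":     {301: [(0, 302, "Washington")], 401: [(0, 402, "Atlanta")]},
    "Atlanta":    {402: [(0, 403, "Washington")]},
    "Washington": {302: [(0, 303, "Boston")], 403: [(0, 404, "Boston")]},
}
# Egress PE: transport labels that terminate here, and inner VPN label -> VRF.
EGRESS = {"Boston": {202, 303, 404}}
VPN_LABELS = {"Boston": {5001: "vrf-acme", 5002: "vrf-globex"}}


def forward(exp: int, vpn_label: int, links: LinkState = None, max_hops: int = 10):
    """Carry one packet from San Francisco toward Boston.

    The stack is [transport label, VPN label]; core routers swap only the top
    label and never look at the inner one, which selects the VRF at the egress
    PE. Returns (path, vrf); vrf is None if the packet was dropped or the inner
    label is unknown at the egress."""
    links = links or LinkState()
    node = "SanFrancisco"
    label, next_hop = INGRESS[node]
    stack = [label, vpn_label]
    path = [node]
    for _ in range(max_hops):
        if not links.up(node, next_hop):
            return path, None                  # chosen link is down: drop
        node = next_hop
        path.append(node)
        if node in EGRESS:
            if stack[0] not in EGRESS[node]:
                return path, None
            stack.pop(0)                       # pop the transport label
            return path, VPN_LABELS[node].get(stack[0])
        for min_exp, out_label, nh in LFIB.get(node, {}).get(stack[0], []):
            if exp >= min_exp and links.up(node, nh):
                stack[0] = out_label           # the per-hop label swap
                next_hop = nh
                break
        else:
            return path, None                  # no usable entry: drop
    return path, None


if __name__ == "__main__":
    print(forward(5, 5001))                                   # direct path
    cut = LinkState({frozenset(("Denver", "Chicago"))})       # backhoe hits Denver-Chicago
    print(forward(5, 5001, cut))                              # short detour for EXP 5
    print(forward(0, 5001, cut))                              # long detour for EXP 0
```

Run stand-alone, it prints the direct San Francisco-Denver-Chicago-Boston path, then, with the Denver-Chicago link cut, the Dallas-Washington detour for an EXP 5 packet and the longer Dallas-Atlanta-Washington detour for an EXP 0 packet. Note that a core router never inspects the inner VPN label or the customer's IP header; separation between VPNs rests on the label tables the provider configures.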

[Figure 4: three panels of package labels, San Francisco to Boston: To Denver, To Chicago, To Boston (top); the Chicago leg failed (middle); To Denver, To Dallas, To Washington, To Boston (bottom)]

Figure 4: Multiprotocol Label Switching (MPLS) applies new labels at each hop to route San Francisco to Boston packets most directly (top), or, in the event of link failure (middle), through alternate paths (bottom).

Comprehensive and Powerful Security


Equal to Frame Relay and ATM
Customers who entrust their voice and data traffic to a single network must be assured that it will remain private and secure. Network-based IP VPNs meet this requirement because each VPN is kept logically separate from every other VPN and from general Internet traffic: the PE router holds a separate routing table (a VRF) for each VPN, routes are exchanged between PE routers with VPN-specific identifiers so that overlapping private address space in different VPNs cannot collide, and packets cross the core carrying a label that identifies the destination VPN. This is no different in principle from the way Frame Relay and ATM set up PVCs over a shared network infrastructure: separation is enforced by the provider's configuration, not by encryption, so packets travel in the clear inside the provider's network just as they do on Frame Relay and ATM. For the most sensitive applications, IPsec encryption can be added on top where appropriate.

Better Defense Against DoS Attacks


In contrast to customer-provisioned VPNs, which are vulnerable to Denial of Service (DoS) attacks that congest the CE-PE link, network-based VPNs avoid the problem because VPN traffic is scheduled separately from Internet traffic. This is analogous to the streets around a railway station becoming congested during rush hour while trains are still able to arrive and depart without problems. In this analogy, data sent via a customer-provisioned IPsec VPN would be stuck in the gridlock, perhaps locked in an armored car: secure, but undelivered. In a DoS attack, a CE or PE router can be overwhelmed with bogus Internet traffic bound for a customer's web servers, forcing the routers to discard most of it, including some legitimate traffic. But the routers can still give priority treatment to network-based VPN traffic, because membership in a VPN is not something a packet can claim for itself: the PE assigns a packet to a VPN according to the interface it arrives on, and in a well-engineered network the PE accepts neither MPLS labels nor VPN routes from its Internet-facing interfaces, so the labels and CoS markings that identify VPN traffic in the core cannot be forged from outside. This protects VPN traffic from congestion caused by Internet traffic; a flood originating inside the VPN itself competes for the same VPN bandwidth and still has to be dealt with by the customer's own filtering or by provider policing.
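The two claims above, that VPN classes go first on a congested link and that an outside host cannot mark or label its way into a VPN, and the four-class CoS scheme described earlier under "End-to-end CoS Gives Network-based VPNs VIP Treatment", can be checked with a small simulation. This is an added example, not code from the brochure, Juniper or XO: a toy PE ingress classifier that assigns VRF membership from the arrival interface and maps the customer's DSCP to one of the four classes and an EXP value, followed by a strict-priority scheduler for one congested interval. The DSCP-to-class table, the EXP values, the interface and VRF names and the traffic volumes are all hypothetical.

```python
"""Added example (not from the brochure): PE classification plus strict-priority
scheduling under an Internet flood. Tables, names and volumes are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical: the four classes the page names, plus best effort, as EXP values.
CLASS_EXP = {"Real Time": 5, "Critical": 4, "Priority": 3, "Standard": 2, "Best Effort": 0}
# Hypothetical customer DSCP -> class table (EF, AF31, AF21, default).
DSCP_TO_CLASS = {46: "Real Time", 26: "Critical", 18: "Priority", 0: "Standard"}
# Hypothetical: which customer-facing PE interfaces belong to which VRF.
# Any interface not listed here (for example "internet") is untrusted.
INTERFACE_VRF = {"ge-0/0/1": "vrf-acme", "ge-0/0/2": "vrf-globex"}


@dataclass
class Packet:
    ingress: str                 # PE interface the packet arrived on
    dscp: int = 0                # the sender's own marking
    label: Optional[int] = None  # MPLS label already present on arrival, if any
    vrf: Optional[str] = None    # filled in by the PE
    cos: str = "Best Effort"
    exp: int = 0


def pe_ingress(pkt: Packet) -> Optional[Packet]:
    """Classify one packet at the PE; returns None if the packet is dropped.

    VRF membership comes from the ingress interface alone; nothing inside the
    packet can claim it. On an untrusted interface labeled packets are dropped
    (nobody outside can inject into the core or a VPN) and the DSCP is ignored
    (nobody outside can buy priority by marking packets EF)."""
    vrf = INTERFACE_VRF.get(pkt.ingress)
    if vrf is None:
        if pkt.label is not None:
            return None
        pkt.vrf, pkt.cos, pkt.exp = None, "Best Effort", 0
        return pkt
    pkt.vrf = vrf
    pkt.cos = DSCP_TO_CLASS.get(pkt.dscp, "Standard")
    pkt.exp = CLASS_EXP[pkt.cos]   # carried in the label's EXP bits through the core
    return pkt


def schedule(packets: list, capacity: int) -> tuple:
    """Strict-priority scheduling of one congested interval on a core link.

    Queues with higher EXP are served first; once `capacity` packets have been
    sent the rest are dropped. Returns (sent, dropped) as class -> count."""
    queues = defaultdict(list)
    for p in packets:
        queues[p.exp].append(p)
    sent, dropped = defaultdict(int), defaultdict(int)
    budget = capacity
    for exp in sorted(queues, reverse=True):
        for p in queues[exp]:
            if budget > 0:
                sent[p.cos] += 1
                budget -= 1
            else:
                dropped[p.cos] += 1
    return dict(sent), dict(dropped)


def flood_scenario() -> dict:
    """Constructed traffic mix: 10 VPN packets in each of the four classes,
    a 2000-packet Internet flood and two forged packets (one marked EF, one
    carrying a label) on a link that can send 200 packets this interval."""
    vpn = [Packet("ge-0/0/1", dscp) for dscp in (46, 26, 18, 0) for _ in range(10)]
    flood = [Packet("internet", 0) for _ in range(2000)]
    forged = [pe_ingress(Packet("internet", 46)),
              pe_ingress(Packet("internet", 46, label=100001))]
    accepted = [p for p in map(pe_ingress, vpn + flood) if p is not None]
    accepted += [p for p in forged if p is not None]
    sent, dropped = schedule(accepted, capacity=200)
    return {
        "accepted": len(accepted),
        "sent": sent,        # all 40 VPN packets and 160 best effort
        "dropped": dropped,  # 1841 best effort, no VPN packets
        "forged": [None if p is None else p.exp for p in forged],  # EF mark ignored; label dropped
    }


if __name__ == "__main__":
    print(flood_scenario())
```

Under the flood, every VPN packet in all four classes is sent and only best-effort traffic is dropped; the packet marked EF from the Internet is carried at EXP 0, and the one arriving with a label is discarded at the PE. A real PE would also police each VPN class to its contracted rate so that one customer's Real Time traffic cannot starve another's, which this toy scheduler does not model.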

Conclusion
Across industries, enterprises of all sizes are outsourcing their voice and data traffic to carriers that have made the investments in technology and developed the expertise needed to deliver secure, reliable, high-performance IP networking over Layer 3 VPNs. While these network-based VPNs use the same infrastructure as the public Internet, top carriers take advantage of the routing flexibility built into their MPLS-enabled networks to give their VPN customers premium service that ensures each application gets the QoS it requires. Deploying a multi-site IP network with the performance and resiliency needed to run latency-sensitive applications such as voice is a difficult and expensive proposition even for large enterprises that can devote considerable resources to the task. As new applications keep raising the bar for what constitutes acceptable WAN connectivity, organizations are increasingly working in partnership with service providers that have the technology and expertise to provide all of the benefits of dedicated networks at a fraction of the cost.


CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888-JUNIPER (888-586-4737) or 408-745-2000 Fax: 408-745-2100 www.juniper.net EAST COAST OFFICE Juniper Networks, Inc. 10 Technology Park Drive Westford, MA 01886-3146 USA Phone: 978-589-5800 Fax: 978-589-0800 ASIA PACIFIC REGIONAL SALES HEADQUARTERS Juniper Networks (Hong Kong) Ltd. Suite 2507-11, 25/F ICBC Tower Citibank Plaza, 3 Garden Road Central, Hong Kong Phone: 852-2332-3636 Fax: 852-2574-7803 EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS Juniper Networks (UK) Limited Building 1 Aviator Park Station Road Addlestone Surrey, KT15 2PG, U.K. Phone: 44-(0)-1372-385500 Fax: 44-(0)-1372-385501

About XO Communications
XO Communications is a leading provider of telecommunications services exclusively to businesses. XO services include local and long distance voice, dedicated Internet access, private networking, data transport, and Web hosting services, as well as bundled voice and Internet solutions. With more than a billion dollars in annualized revenue, XO is a proven provider of IP bundled services. XO operates an 18,000-route mile nationwide MPLS-enabled IP network that connects 75 metropolitan markets and operates 9,100 route miles of local fiber. For more information visit www.xo.com or call 1.866.266.9696.

About Juniper Networks


Juniper Networks develops purpose-built, high-performance IP platforms that enable customers to support a wide variety of services and applications at scale. Service providers, enterprises, governments and research and education institutions rely on Juniper to deliver a portfolio of proven networking, security and application acceleration solutions that solve highly complex, fast-changing problems in the world's most demanding networks. Additional information can be found at www.juniper.net.

Copyright 2007, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

XO Communications, Inc. 11111 Sunset Hills Road Reston, VA 20190 Phone: 866-266-9696 www.xo.com

00-00 May 2007
