Executive Summary
Layer 3 Virtual Private Networks (VPNs), developed in the late 1990s, now deliver secure, reliable office connectivity for a wide range of applications at many Fortune 1000 companies. The reasons for the popularity of these network-based IP VPNs are clear: they are a mature and stable way to interconnect enterprises at lower cost than Frame Relay or ATM; they enable voice over IP (VoIP), IP video and other advanced services that the legacy technologies do not; and they provide a safe and secure upgrade path for the future. These Layer 3 IP VPNs also improve performance and resiliency, and let enterprises extend core business applications to remote offices with security every bit as robust as the Frame Relay and ATM networks they typically replace. While there are a number of ways enterprises can implement IP VPNs, this paper describes the advantages of network-based Layer 3 IP VPNs. Often regarded as the outsourcing solution to an organization's data transport needs, the primary attribute of these IP VPNs (also known as 2547 VPNs, after RFC 2547) is that the service provider takes responsibility for all of the routing. They are called network-based because they implement Multiprotocol Label Switching (MPLS) over a service provider's IP infrastructure. The result is effectively a private network for each VPN customer that is logically separate from the public Internet, as illustrated in Figure 1.
Figure 1 [diagram; label recovered from the figure: Extranet]
Figure 1: Network-based IP VPNs use the same infrastructure as best-effort Internet traffic but are administered separately to give them the security and performance of dedicated networks.
Network-based VPNs provide premium WAN connectivity without requiring customers to set up and maintain their own secure Layer 2 tunnels interconnecting every site. As a result, network-based IP VPNs let an organization's IT staff focus on the applications that run over the network instead of managing the network.

This paper outlines the value of network-based IP VPNs for enterprise customers. For some organizations, lower costs and ease of deployment are reason enough to embrace this approach. But the ways in which these network-based IP VPNs are implemented yield additional benefits that are important now and will become increasingly compelling as latency-sensitive applications such as voice and video become more integrated into routine commerce.

Quality of Service (QoS) is a particularly key capability that the most advanced service providers implement in their IP networks and that yields important benefits for their Layer 3 VPN customers. QoS enables providers to differentiate all of their traffic so that low-latency applications are given top priority all through the network, not just at the edge. By giving preferential treatment to voice, video, and other high-priority traffic, essential VPN applications can stay up and running despite bursts of network activity or failures that may congest the network for others. Service providers organize traffic by Class of Service (CoS) to ensure that their VPN customers receive the QoS appropriate for each of their network applications. As they implement end-to-end QoS, these service providers are transforming IP networking from Internet-style, best-effort, take-what-you-get service into a secure, reliable transport system that is as available and resilient as carrier-grade, circuit-switched networks, at a fraction of the cost.
Small and mid-size organizations typically lack the in-house expertise needed to implement full-mesh configurations using Frame Relay, and even large enterprises that are better able to afford specialists are increasingly eager to consolidate their operational support around Ethernet and IP. These LAN/WAN skills, not Frame Relay or ATM, are the knowledge base required to implement and maximize the value of current and future network applications.
Automatic Future-proofing
Experts agree that IP has won the protocol wars. Modern enterprise-wide applications are IP-enabled, and new applications are seizing the full potential of MPLS over IP networks. Now is the time to standardize on IP as the transport of choice and take advantage of its advanced features that are unavailable with legacy technologies. What is the best way to lower network costs while preserving options to support future applications? While there is no single answer that best meets the needs of every organization, Layer 3 network-based IP VPNs transfer the burden of future-proofing to the service provider. Instead of customers having to ask themselves how ready they are for the unknown applications of the future, they can evaluate service providers on that basis. Applications of the coming decade will require IP networks that are increasingly fast, smart, reliable, and secure. These characteristics, along with low latency, low jitter, and high availability, are the hallmarks of today's best network-based IP VPNs. Continuing investments by leading service providers ensure that the VPNs they build and maintain will provide their customers with data transport that is always at the state of the art. Top service providers that have already extended these better-than-best-effort capabilities beyond the CE-PE link throughout their network are now working to extend the same assured experience across other providers' networks in a collaborative industry effort called the Infranet: a network for all communications that combines the reach of the Internet with the performance and security of a private network. Outsourcing data transport to service providers that are making these commitments to excellence is an efficient way to future-proof an organization's secure WAN strategy.
Figure 2 [diagram; labels recovered from the figure: left, CPE-VPN: Subscriber Sites 1, 2 and 3, each with a CPE, joined by VPN tunnels; right, IP-VPN: Subscriber Sites 1, 2 and 3, each CPE attached to a provider PE router, with VPN tunnels between the PEs]
Figure 2: Comparing customer-provisioned, CPE-based VPNs (left) with provider-provisioned network-based VPNs (right). While the CPE-based tunnels appear to be direct pipes between sites, the reality is that they are encrypted packets traversing the public Internet without any priority. When carriers set up network-based VPNs for their customers, they can program their routers to give priority to that traffic.
When evaluating carriers for IP VPN service, it's also important to understand their backbone router Class of Service support. While throwing more bandwidth at the problem by deploying big pipes worked a few years ago, this is no longer the case. While it is true that big pipes give great service to all traffic as a matter of routine, there really is no such thing as steady state in the wild and woolly public Internet. A burst of peer-to-peer file sharing that coincides with a backhoe severing a primary link can suddenly congest secondary links. Furthermore, the uplinks from the market aggregation routers to the core routers are even more likely to be congested by bursty traffic. Prioritization on these links protects the traffic to and from the core. That is when end-to-end CoS ensures that VPN traffic still moves while the public Internet appears unreachable or painfully slow to others.

Like many enterprises with geographically dispersed locations, one large chain of retail stores is reducing costs by routing intra-company telephone calls over its network-based IP VPN. Previously, the long latencies inherent in its hub-and-spoke Frame Relay network made it impossible for nearby stores to call each other over the corporate data network, forcing them to use traditional PSTN telephone service at per-minute rates. Not only were they compelled to use more expensive telephone service, but any link failure cut all data communications to the affected sites. Now, with the any-to-any connectivity of its network-based IP VPN, all sites talk to one another via least-latency routes. The company has achieved carrier-grade QoS at a very low cost per call, and multiple paths to every site improve resiliency for all communications.

Of course, the purpose of CoS is to ensure that each application gets the QoS it needs, not simply to give VPN customers better service than Internet customers. Voice and video understandably require latencies measured in milliseconds, but instant messages still seem immediate despite a second of delay, and few customers care if e-mail takes an extra minute. The key is to make sure that each packet gets the resources appropriate for its intended use. This powerful ability to control how classes of data move on networks is why the best network-based IP VPNs will always have a performance edge over customer-provisioned VPNs, regardless of which network layer they use. While customers can establish secure tunnels through the Internet using their own CPE, unless the provider assigns priorities to that traffic, customer-provisioned VPNs can get only best-effort carriage.
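As an added illustration (not part of the Juniper/XO paper) of the Class of Service point made here and in the earlier QoS discussion, the following Python simulation pushes a constructed traffic burst through one congested link and compares strict-priority scheduling with plain first-in-first-out carriage. The link capacity of five packets per tick, the class names, and the arrival pattern (a 40-packet e-mail burst colliding with a ten-tick voice stream) are all assumptions chosen for the example.

```python
import heapq
from itertools import count

# Class-of-Service ranking: lower number = served first under strict priority.
# The classes follow the paper's ordering (voice/video, IM, e-mail); values are constructed.
PRIORITY = {"voice": 0, "video": 1, "im": 2, "email": 3}


def burst():
    """Constructed arrival pattern: a 40-packet e-mail burst hits the link at
    tick 0 while a voice stream sends one packet every tick for ten ticks."""
    arrivals = [(0, "email") for _ in range(40)]
    arrivals += [(t, "voice") for t in range(10)]
    return arrivals


def max_delay(arrivals, capacity, strict_priority=True):
    """Serve `capacity` packets per tick from a single queue on one link.

    Returns a dict mapping each class to the worst queueing delay (in ticks)
    any of its packets experienced. With strict_priority=False the queue is
    plain FIFO, i.e. the best-effort carriage the paper contrasts with CoS.
    """
    seq = count()                       # tie-breaker preserving arrival order
    queue = []                          # heap of (sort key, arrival tick, class)
    worst = {cls: 0 for cls in PRIORITY}
    by_tick = {}
    for t, cls in arrivals:
        by_tick.setdefault(t, []).append(cls)
    last_arrival = max(t for t, _ in arrivals)

    now = 0
    while now <= last_arrival or queue:
        for cls in by_tick.get(now, []):
            if strict_priority:
                key = (PRIORITY[cls], next(seq))   # class first, then arrival order
            else:
                key = (next(seq),)                 # arrival order only
            heapq.heappush(queue, (key, now, cls))
        # Transmit up to `capacity` packets this tick, recording each one's wait.
        for _ in range(min(capacity, len(queue))):
            _, arrived, cls = heapq.heappop(queue)
            worst[cls] = max(worst[cls], now - arrived)
        now += 1
    return worst


if __name__ == "__main__":
    for name, strict in (("strict priority", True), ("FIFO", False)):
        print(name, max_delay(burst(), capacity=5, strict_priority=strict))
```

Under strict priority the voice packets never wait, at the price of the e-mail burst draining two ticks later than it would under FIFO; under FIFO the first voice packet sits behind the whole burst. That trade, a bounded delay for the delay-tolerant class in exchange for millisecond-scale treatment of the delay-sensitive one, is what the paper means by giving each packet the resources appropriate to its use.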
Figure 3 [diagram; labels recovered from the figure: HQ at four sites]
Figure 3: Any-to-any Connectivity Reduces Cost by Routing Voice Traffic over Network-based IP VPN
Figure 4 [diagram; labels recovered from the figure: To Denver, To Chicago, To Boston, To Dallas]
An analogy with mailing a package demonstrates how the flexibility of MPLS helps route all traffic, and can accelerate network-based VPN traffic in particular. (See Figure 4.) If the post office used MPLS, a package mailed in San Francisco to an address in Boston might first get a mailing label to a post office in Denver. In Denver, handlers might replace the Denver label with one for, say, Chicago. In Chicago, the label could get switched again for the final leg of its trip to Boston. The beauty of this approach is that the routing can be changed dynamically based on network conditions. If there is a problem in the link to Chicago, Boston-bound packets can be routed through Dallas and Washington instead. When combined with CoS, label switching enables providers to give their VPN customers extra advantages. To extend the package analogy, when Chicago becomes unreachable, rules maintained in Denver may specify that only high-priority items are sent through Dallas and Washington. All other traffic destined for Boston might get routed through less direct routes. In the world of IP VPNs, customers whose sites are interconnected with a network-based VPN have hundreds, even thousands, of ways that their data can traverse the network, and on networks implementing end-to-end CoS, their data is given VIP treatment at every hop.
Figure 4: Multi-protocol Label Switching (MPLS) applies new labels at each hop to route San Francisco to Boston packets most directly (top), or in the event of link failure (middle), through alternate paths (bottom).
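The label-switching walk-through above, as an added example that is not part of the original paper: a Python model of per-hop label swapping with constructed label forwarding tables for the cities in the text. Atlanta is added here as a constructed extra hop so that the "less direct" best-effort detour differs from the protected high-priority one. The label values, the class-aware entries at Denver, and the failed-link set are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HIGH = "high"                # voice/video class that gets the protected detour
BEST_EFFORT = "best-effort"


@dataclass
class Entry:
    """One candidate in a label forwarding table, tried in listed order."""
    next_hop: str
    out_label: Optional[int]        # None = pop the label (egress to the customer)
    cos: Optional[str] = None       # None = any class; otherwise only that class


# Constructed label forwarding information bases (LFIBs): node -> incoming label
# -> ordered candidates. Boston-bound traffic enters at San Francisco with
# label 10 and is relabelled at every hop, as in the post-office analogy.
LFIB: Dict[str, Dict[int, List[Entry]]] = {
    "San Francisco": {10: [Entry("Denver", 20)]},
    "Denver": {20: [Entry("Chicago", 30),                 # primary: via Chicago
                    Entry("Dallas", 40, cos=HIGH),        # detour for high priority
                    Entry("Dallas", 41)]},                # longer detour for the rest
    "Chicago": {30: [Entry("Boston", None)]},
    "Dallas": {40: [Entry("Washington", 50)],
               41: [Entry("Atlanta", 51)]},              # Atlanta: constructed extra hop
    "Atlanta": {51: [Entry("Washington", 50)]},
    "Washington": {50: [Entry("Boston", None)]},
}

# Ingress mapping from (ingress node, destination) to the first label pushed.
INGRESS = {("San Francisco", "Boston"): 10}


def route(dst, cos, failed_links=frozenset(), ingress="San Francisco"):
    """Walk a packet hop by hop and return the list of nodes it crosses.

    failed_links is a set of frozenset({a, b}) pairs that are currently down.
    At each hop the first entry whose class condition holds and whose link is
    up is taken; the label is swapped (or popped at the egress).
    """
    node = ingress
    label = INGRESS[(node, dst)]
    path = [node]
    while label is not None:
        for entry in LFIB[node][label]:
            class_ok = entry.cos is None or entry.cos == cos
            link_up = frozenset((node, entry.next_hop)) not in failed_links
            if class_ok and link_up:
                break
        else:
            raise RuntimeError(f"{node}: no usable entry for label {label} ({cos})")
        label = entry.out_label          # label swap, or pop when out_label is None
        node = entry.next_hop
        path.append(node)
    return path


if __name__ == "__main__":
    down = {frozenset(("Denver", "Chicago"))}
    print("normal:              ", route("Boston", HIGH))
    print("high, link failed:   ", route("Boston", HIGH, down))
    print("best-effort, failed: ", route("Boston", BEST_EFFORT, down))
```

Encoding the class split as two different outgoing labels at Denver (40 for high priority, 41 for everything else) is the point to notice: once the label is chosen, downstream nodes such as Dallas need only a label lookup to keep the two classes on their separate paths, which is how a provider can give VPN traffic different treatment at every hop without re-examining the IP header.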
Conclusion
Across industries, enterprises of all sizes are outsourcing their voice and data traffic to carriers that have made the investments in technology and developed the expertise needed to deliver secure, reliable, high-performance IP networking over Layer 3 VPNs. While these network-based VPNs use the same infrastructure as the public Internet, top carriers take advantage of the routing flexibility built into their MPLS-enabled networks to give their VPN customers premium service that ensures that each application gets the QoS it requires. Deploying a multi-site IP network with the performance and resiliency needed to run latency-sensitive applications such as voice is a difficult and expensive proposition even for large enterprises that can devote considerable resources to the task. As new applications keep raising the bar for what constitutes acceptable WAN connectivity, organizations are increasingly working in partnership with service providers that have the technology and expertise to provide all of the benefits of dedicated networks at a fraction of the cost.
CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888-JUNIPER (888-586-4737) or 408-745-2000. Fax: 408-745-2100. www.juniper.net
EAST COAST OFFICE
Juniper Networks, Inc., 10 Technology Park Drive, Westford, MA 01886-3146 USA. Phone: 978-589-5800. Fax: 978-589-0800
ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd., Suite 2507-11, 25/F ICBC Tower, Citibank Plaza, 3 Garden Road, Central, Hong Kong. Phone: 852-2332-3636. Fax: 852-2574-7803
EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited, Building 1, Aviator Park, Station Road, Addlestone, Surrey, KT15 2PG, U.K. Phone: 44-(0)-1372-385500. Fax: 44-(0)-1372-385501
About XO Communications
XO Communications is a leading provider of telecommunications services exclusively to businesses. XO services include local and long distance voice, dedicated Internet access, private networking, data transport, and Web hosting services, as well as bundled voice and Internet solutions. With more than a billion dollars in annualized revenue, XO is a proven provider of IP bundled services. XO operates an 18,000-route mile nationwide MPLS-enabled IP network that connects 75 metropolitan markets and operates 9,100 route miles of local fiber. For more information visit www.xo.com or call 1.866.266.9696.
Copyright 2007, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
XO Communications, Inc. 11111 Sunset Hills Road Reston, VA 20190 Phone: 866-266-9696 www.xo.com