Migrating a corporate WAN from a conventional Layer 2 Frame Relay to a Layer 3 IP-based VPN offers strategic and tactical advantages to organizations of any size, from large multinational enterprises to small and medium-sized businesses (SMBs). The chief benefit is the simplified WAN management that arises from converging previously separate networks for data, video, and voice. Organizations typically migrate to IP VPN in an evolutionary fashion, beginning by providing remote access to the intranet, then providing site-to-site connectivity among branches using cost-effective access technologies such as DSL or Ethernet, and finally interconnecting their regional data centers. During the transition, companies might deploy multiple IP VPN technologies, including network-based Multiprotocol Label Switching (MPLS) and customer premises equipment (CPE)-based IP Security (IPSec).
IP VPN SIMPLIFIES WAN MANAGEMENT AND PROVIDES MORE ACCESS OPTIONS, REDUCING BANDWIDTH COSTS
EXECUTIVE SUMMARY
Ovum, a leading market research and consulting company, forecasts that companies will spend more money on IP VPNs than on Frame Relay by 20051. Why the shift? Compelling reasons for migrating from Frame Relay to IP VPN are to:
• Increase flexibility, decrease complexity, and reduce network costs through any-to-any connectivity, which eliminates the need for manually meshed permanent virtual circuits (PVCs)
• Provide access-independent connectivity, including Frame Relay, Ethernet, and DSL
• Converge and integrate disparate voice, video, and data networks
• Reduce the cost of bandwidth for new applications like enterprise resource planning (ERP)
• Introduce IP telephony, which most service providers offer over an IP VPN
• Scale more easily, typically with simple local peering from offices to the provider edge rather than end-to-end site peering
• Provide network connectivity to geographically dispersed branch offices, remote users, teleworkers, and business partners
• More easily deploy IP-based applications such as e-learning and streaming video
Businesses that transition to IP VPNs can realize further benefits by selectively or totally out-tasking the management of transport, equipment, and network security to a service provider that offers managed IP VPN services. Out-tasking frees the company to focus on its core business and improves the availability and security of the network with 24-hour network support services that often are too costly or impractical to provide with in-house resources. Out-tasking also provides assurance of network performance through service-level agreements (SLAs).
This white paper explains considerations for companies that are evaluating migration from Frame Relay to IP-based VPNs. It compares the two services, discusses the business and technical advantages of migration, and explains the benefits of out-tasking to a service provider. The paper concludes with criteria for selecting a service provider that will deliver outstanding network availability, quality of service (QoS), network security, manageability, and multicast support. For specific characteristics of different IP VPN architectures, see the Cisco® white paper, "Enterprise Guide for Selecting an IP VPN Architecture: Comparing MPLS, IPSec, and SSL," at http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns465/net_implementation_white_paper0900aecd801b1b0f.shtml.
COMPARING FRAME RELAY AND IP VPN CAPABILITIES
Table 1 compares how well Layer 2-only Frame Relay service and IP VPN service meet business requirements. Because MPLS- and IPSec-based VPNs have different strengths, the table distinguishes between them.
Table 1. Comparing MPLS and IPSec to Frame Relay Alone
Criteria
How MPLS VPN Compares to Frame Relay
How IPSec VPN Compares to Frame Relay
Simple multisite WAN capacity planning
Better
About the same
Simple provisioning
Better
Better
Support for IP applications
Better
Better
Extensive geographic coverage
Better
Better
Easy extranet configuration
Better
Better
Low subscription and access costs
About the same
Better
Network security
About the same
Better
WHY MIGRATE FROM FRAME RELAY TO IP VPN?
Migrating a corporate network from Frame Relay to IP VPN has become an attractive business strategy because of recent changes in business application requirements and advances in VPN flexibility, ease of management, and cost efficiency.
Simplified Multisite WAN Capacity Planning
The primary advantage of migrating from Frame Relay to IP VPN is simplified WAN management. With Frame Relay networks, the enterprise IT group must carefully plan capacity for the links that carry traffic from multiple sites. With an MPLS-based IP VPN, in contrast, the enterprise simply plans capacity for each site connected to the cloud.
IP VPNs do not require site-to-site physical connectivity, so the IT staff is relieved of these planning and monitoring burdens. Instead, the enterprise only needs to plan capacity for a single link-to the provider cloud for MPLS, or to the hub for IPSec (Figure 1).
Figure 1
Simplifying From a Hub-and-Spoke Frame Relay Network to a Point-to-Cloud IP VPN
Simplified Provisioning
Frame Relay networks are based on point-to-point connections between sites. Large numbers of point-to-point connections can become difficult to manage and usually require hub-and-spoke topologies that do not optimize bandwidth. Adding a new site requires updating the router configuration at all the sites to which it connects, making a full-mesh topology impractical and costly to manage.
IP VPNs based on MPLS scale far more easily than Frame Relay networks, providing full-mesh IP connectivity without a full mesh of logical circuits. Instead, they use a local peering model, meaning that a customer site only needs to peer with the provider network rather than with all other CPE or customer-edge routers on the VPN. This connectionless architecture allows the creation of VPNs in Layer 3 and therefore eliminates the need for point-to-point tunnels or virtual circuits that inhibit scalability. IP VPN service can be provisioned within days, or even hours, compared to the one to seven weeks typically required to order and provision a PVC for Frame Relay service.
Note that CPE-based IP VPNs do require point-to-point connections. While CPE-based IP VPNs take more effort to scale than network-based VPNs, the Cisco IOS® Software simplifies growth with tools such as Dynamic Multipoint VPN.
Easier Support for IP-Based Applications
Mission-critical and time-sensitive applications require QoS support in the network. MPLS VPNs provide QoS on a per-packet basis, whereas Frame Relay, which is designed for Layer 2 transport and therefore has no knowledge of higher-layer traffic, can provide QoS only per PVC. Therefore, an IP VPN infrastructure helps enable rapid, enterprisewide deployment of IP-based applications that are difficult to deploy on Frame Relay, such as ERP, e-learning, hosting, telephony and unified communications, centralized application services, and video services. IP VPNs offer several design options to support these services, including full mesh, partial mesh, or hub-and-spoke, depending on the services, applications, and location. Firewall, Internet, and centralized applications and servers might be located at the hub, for example.
For existing applications that are not IP-based, an IP VPN provides a simple migration path. For example, suppose a company wants to adopt IP telephony but needs to continue using a traditional inventory system that would be difficult to migrate to IP. The company can continue to use its non-IP applications through generic routing encapsulation (GRE) tunneling over the IP VPN. The resulting converged backbone will support both IP-based and non-IP applications.
Support for Geographically Dispersed Branch Offices, Teleworkers, and Mobile Workers
Traditional Frame Relay service extends only to those customer sites physically located within the service provider's Frame Relay footprint. With remote-access VPNs using IPSec, service providers can extend their reach to sites outside this footprint, as well as mobile users and teleworkers, over the service provider's own access networks (dial-up, DSL, or cable) or the public Internet (Figure 2).
MPLS VPNs provide greater geographic reach than Frame Relay, for two reasons. One is that the enterprise can take advantage of any of the service provider's access methods-leased line, Ethernet, or DSL, for example-to reach sites that the service provider's Frame Relay network does not cover. Another reason is that connectivity across autonomous systems does not require significant interworking.
Figure 2
IP VPN-A Multiservice VPN
Ability to Extend Extranet Applications to Business Partners
Frame Relay networks are typically deployed for site-to-site connectivity between corporate and branch offices only. They do not allow controlled access to extranet partners because this would require access control lists (ACLs), building a mesh of PVCs, and configuring routing protocols. IP VPNs, in contrast, make it easy to rapidly and securely extend network access to partners, suppliers, and resellers over the public Internet, without provisioning a PVC. In fact, if a company's suppliers are located in the same service area, the service provider can provision an extranet VPN between the suppliers and the corporate resources that is distinct from the intranet used to connect headquarters and branch offices. This adds another layer of network security by preserving the integrity of the corporate network.
Reduced Monthly Subscription and Access Costs
In many cases, businesses dramatically reduce their monthly subscription and access costs by migrating from Frame Relay networks to IP VPNs. In general, the extent of cost savings rises with the degree of meshing: a fully meshed IP VPN costs significantly less than a fully meshed Frame Relay network (Figure 3). Other factors contributing to potential cost savings are:
• Elimination of additional PVCs
• Optimized bandwidth, a result of peering only between the CPE and provider-edge router
• Converging previously separate voice, video, and data networks
Figure 3
Frame Relay versus QoS IP VPN Costs
Network Security
Frame Relay networks rely on traffic separation for secure data transport. Network-based IP VPNs using MPLS offer equivalent security to Frame Relay by using logical traffic separation2. IPSec VPNs provide superior security to Frame Relay through the use of strong encryption standards, such as Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES). IPSec can be applied on the link from the CPE to the provider edge, as well as CPE-to-CPE tunnels.
WHY OUT-TASK IP VPN SERVICE MANAGEMENT?
Companies that decide to migrate from Frame Relay to IP VPN have the option to design, build, provision, support, and manage the VPN using in-house resources, or to selectively or totally out-task to a service provider. The decision whether or not to out-task managed IP VPN services affects IT workload, capital expenditure, and ongoing operational expenses, and can potentially affect service availability, network security, and QoS. According to Ovum, many IT departments prefer to devote resources to mission-critical operations than to everyday network management and problem resolution3.
Ovum also notes that approximately 80 percent of companies in EMEA out-task some aspect of their IP VPN service and that the U.S. is following EMEA's lead, with 20 percent currently out-tasking IP VPN service management.
Following are the primary incentives for enterprises to out-task VPN service management.
Free Up Internal IT Resources to Focus on the Core Business
By working with a service provider for managed IP VPN services, companies can delegate the routine tasks they do not see a compelling reason to control, such as daily monitoring, support, provisioning, transport, and router maintenance. At the same time, they free IT staff resources to focus on the core business as well as strategic initiatives such as network design and planning. Ovum notes that some IT groups retain responsibility for strategic issues such as architecture decisions and technology purchases, while offloading responsibility for day-to-day issues to the service provider.
IP VPN service components that businesses can out-task to a service provider include:
• Managed CPE
• Managed network security
• Telecommuting services for remote workers
• Internet-access integration
• Secure off-net access
• Site-to-site encryption services
• Managed extranet services
• Real-time network monitoring (event logs, trunk usage, call detail, resource usage, and so on)
• Maintenance of router configuration and upgrades
• Performance management and optimization (circuit availability, network availability, WAN link, router usage)
• Fault identification and resolution with managed backup connectivity for critical sites
• Configuration or change management
• Auditing or asset management
• Maintenance and support services
Reduce Costs
Gartner Dataquest reports that large enterprises in the United States that out-task network management to service providers cut their network costs by up to 25 percent, while small U.S. businesses can experience up to 15 percent cost reductions. In fact, access to the service provider's lower-cost structure, the result of a greater economy of scale, is one of the most compelling tactical reasons for out-tasking, according to The Outsourcing Institute of Jericho, New York. The service provider can charge less than its customers would otherwise spend for operations, maintenance, service, equipment, and technology upgrades.
Companies that out-task network management not only reduce their costs, they make recurring costs more predictable by shifting from a variable- to a fixed-cost model. Businesses that out-task know their monthly costs in advance, as compared to businesses that need to find the budget for unexpected expenses related to network upgrades or outages. Out-tasking also enables "pay-as-you-grow" scalability, eliminating the need to overpurchase at the outset of service deployment to accommodate anticipated growth.
Gain Expertise and Support Not Available In-House
Many service providers offer networking skills not available within the enterprise. The value of this benefit increases as companies add more applications and users, and as network management becomes more complex. Service providers have the resources to offer 24-hour monitoring, management, and support-capabilities not readily available in-house to any but the largest enterprises. Service providers also can offer rapid deployment because of their deployment experience. Even for companies with large in-house staffs, service providers can fill critical resource gaps such as network security, which typically requires special training and expertise.
CRITERIA FOR ASSESSING SERVICE PROVIDER CAPABILITIES
Service providers that offer IP VPNs typically provide varying levels of high availability, network security, QoS, manageability, and multicast support, depending on their network infrastructures. By evaluating prospective service providers according to the following criteria, companies can determine which service provider can best meet their IP VPN requirements.
High Availability
Frame Relay networks are inherently very stable. Companies planning to migrate to IP VPN need assurance that their service provider will meet or exceed current availability levels. Service providers typically demonstrate their ability to deliver high network availability by offering SLAs. When an SLA is in place, the service provider incurs a penalty or must provide a credit if the service level falls below an acceptable level stipulated in the SLA agreement.
To acquire the confidence to offer an SLA, service providers bolster their networks with one or more of the following techniques:
• Fast routing convergence to improve recovery times
• Traffic engineering to improve traffic distribution and network usage
• Fast reroute to provide 50-millisecond (ms) failover time on links and nodes
• SLAs for mean time between failure (MTBF) and mean time to repair (MTTR)
• QoS settings for policing, rate limiting, and remarking
Service providers can more easily afford these techniques than individual businesses because they can amortize the costs over multiple customers.
Network Security
Service providers with robust security infrastructures and support processes can help their customers migrate from Frame Relay (Layer 2 technology) to IP VPN (Layer 3 technology) without compromising network security. Service providers that offer IP VPN services will provide all or a subset of the following network security features and services:
• Traffic separation
• Control route distribution
• Data encryption
• Policy-based access control
• Managed firewall
• Real-time intrusion detection and auditing
• Monitoring and mitigation of denial-of-service (DoS) attacks
Quality of Service
QoS refers to the capability to provide predictable performance and priority management of specific classes of network traffic. Primary goals of QoS include dynamic bandwidth allocation for mission-critical applications and prioritization of delay-sensitive traffic such as voice and video. QoS mechanisms include queuing, network-congestion avoidance, traffic shaping, and packet classification.
By deploying QoS techniques to manage delay, delay variation (jitter), bandwidth, and packet loss on a network, service providers can create different classes of service-for example, for real-time traffic such as voice, business-critical traffic such as ERP, and standard ("best effort") such as e-mail. Van Wijnen, the construction firm mentioned earlier in this paper, takes advantage of Versatel's class of service (CoS) model to assign highest priority to traffic from its ERP application, ensuring predictable high-performance levels.
Companies concerned with QoS should ask whether the prospective service provider has the following QoS capabilities:
• Preserving QoS service type (voice, video, or data) and assigning priority to delay-sensitive traffic across the entire VPN infrastructure without altering packets' IP headers
• Maintaining multiple classes of services across the VPN
• Mapping enterprise QoS classes into the provider's QoS classes
• Offering SLAs for latency, packet loss, and jitter
• Offering the option to add more classes and locations as needed
Note that service providers bearing the "IP VPN-Multiservice QoS Certified" designation for the Cisco Powered Network are certified to deliver enterprise-class QoS metrics.
Manageability
Service providers that offer IP VPNs must provide network-management services that can meet or exceed those available in-house. Depending on their business needs, companies should look for service providers that can offer some or all of the following network-management capabilities:
• Ability to preserve route-type and route-metric elements so that the migration to IP VPN does not require costly upgrades within the enterprise's internal network
• Ability to support current and future number of unicast IP routes and noncontiguous networks across VPN sites
• Performance management
• Fault identification and resolution
• Billing and reporting
• Service add, remove, and change management
Multicast Support
Many enterprises today use multicast to optimize WAN bandwidth utilization. Applications that are candidates for multicast can provide real-time as well as non-real-time delivery, and include e-learning, live streaming video, videoconferencing, software distribution, content delivery, financial data feeds, digital IP video surveillance, interactive gaming, and others. To support multicast applications, companies should look for a service provider that supports:
• Multicast extension to all sites, including remote branch locations and teleworkers
• Required number of simultaneous multicast streams
CISCO POWERED NETWORK MEMBER SERVICE PROVIDERS
When both the service provider and its customer use Cisco IOS Software, the customer acquires the highest levels of availability, network security, QoS, manageability, and multicast support. The reason is that Cisco Systems® has developed a set of leading-edge technologies for provider-edge and customer-edge devices. Therefore, when a customer with Cisco equipment out-tasks a fully managed IP VPN service to a service provider with an end-to-end Cisco network, the customer gains additional benefits from the exclusive Cisco innovations described in Table 2.
Table 2. Cisco IOS Software Features and Benefits
Cisco IOS Software Feature
Description
Benefit for Enterprise Customers
Nonstop Forwarding (NSF)
Helps ensure continuity in the event of a failure at the provider edge by routing around the failure
Improves uptime
Enables service provider to confidently offer SLAs
AutoQoS
Automates the configuration of QoS with predefined QoS values in the Cisco IOS Software so that service providers can drop-ship a router to an enterprise site and configure it remotely
Speeds implementation of QoS services
Reduces cost of QoS for service provider, which can pass savings to customers
Network-Based Application Recognition (NBAR)
Provides full classification capabilities up to Layer 7 so that the enterprise can assign priority to different types of traffic and then use QoS to guarantee a specified amount of bandwidth to specific applications
Enforces agreed traffic characteristics using selective traffic shaping and policing
Enables granular classification of traffic and bandwidth allocation based on required class of service (CoS)
Preserves the QoS guaranteed for each customer
Multi-VPN Routing Forwarding (VRF)
Provides virtual separation of traffic at the customer side, using multiple separate routing tables
Reduces capital costs for companies located in high-rise and multitenant buildings because multiple companies can share a single router and provider-edge-to-customer-edge lines
Simplifies segmentation
Broad support for routing protocols
Supports major routing protocols: Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF) Protocol, Border Gateway Protocol (BGP), and Intermediate System-to-Intermediate System (IS-IS) Protocol
Provides routing transparency, a significant benefit
Requires only nominal change to existing infrastructure
Multicast VPN
Provides the ability to support multicast over a Multipoint-BGP Layer 3 VPN, so that enterprises can extend multicast applications to any locations served by the service provider's core network
Improves user productivity and communication flow for applications such as corporate communication, e-learning, data warehousing, content synchronization, trading stocks and commodities (stock quotes and ticker information), and emergency messaging services
NetFlow
Efficiently provides a critical set of services for IP applications, including network-traffic accounting, usage-based network billing, network planning, security, denial-of-service monitoring capabilities, and network monitoring
Provides valuable information about network users and applications, peak usage times, and traffic routing
EIGRP
Optimizes path routing, accelerates convergence, and reduces CPU usage
Facilitates more rapid service deployment
Cisco IOS Firewall
Delivers advanced, router-based firewall capabilities, intrusion detection, and authentication
Provides robust security
Cisco Intrusion Prevention Solution (IPS)
Delivers cost-effective firewall capabilities and intrusion detection through CPE routers
Provides an efficient, affordable way to extend perimeter security across all network boundaries, including the branch office, intranet, and extranet perimeters
Cisco IP SLAs
Allows service provider to monitor service levels within managed IP VPN environments-either from the customer-edge to the provider-edge router or end to end
Helps service provider to generate comprehensive SLA reports so that customers can verify the agreement is met
To acquire the capabilities described previously, companies can look for service providers that are members of the Cisco Powered Network program. Cisco has for many years awarded the Cisco Powered Network designation to service providers that deliver their services over a network built end-to-end with Cisco products and technologies and that meet Cisco standards for network support. Now service providers can receive the "IP VPN-Multiservice QoS Certified" Cisco Powered Network designation which certifies that they follow best practices to achieve specified QoS metrics (see http://www.cisco.com/cpn). The designation gives companies assurance that their IP VPN conforms to enterprise standards for delay, jitter, and packet loss.
CONCLUSION
By migrating from Frame Relay to IP VPN, companies gain both tactical and strategic advantages. In the near term, companies benefit from cost-effective, secure network connectivity to branch offices and secure access to remote workers, teleworkers, and partners around the world. In the long term, they position themselves to benefit from emerging value-added, IP-based applications and to scale more cost-effectively to support more users and applications.
By out-tasking some or all of IP VPN service management to a service provider, companies free their in-house IT resources to focus on the core business. They shift from a variable to a predictable cost structure for recurring network-management costs, and eliminate the need to overpurchase to accommodate anticipated growth. Availability, QoS, and network security often exceed what would be possible with in-house VPN management because service providers offer SLAs, provide highly skilled staffs available 24 hours a day, 365 days a year, and have invested in a secure infrastructure that they can use for multiple customers.
Service providers that have earned the "IP VPN-Multiservice QoS Certified" Cisco Powered Network designation have the capability to offer the best possible QoS, availability, network security, multicast support, and management-essential ingredients for a reliable, trouble-free, scalable network.
To search for service providers offering Cisco Powered Network designated managed IP VPN, visit: http://www.cisco.com/cpn.
