Layer 3 VPNs offer secure, any-to-any communication over a service provider's IP/Multiprotocol Label Switching (MPLS)-based backbone network. Today, businesses of all sizes are choosing to buy Layer 3 VPN services instead of traditional Frame Relay and ATM transport services because of the simplified management of a connectionless network, the wide range of supported access technologies and speeds, the ability to manage and prioritize traffic from different applications, and the cost savings of an optimized, converged WAN.
Service providers that offer Layer 3 VPN services can take advantage of new, advanced features from Cisco Systems® to differentiate their service, reduce operational and capital expenditure, and generate incremental revenue streams. This white paper explains proven features from Cisco® that benefit both the service provider and its customers. These features help enable enhanced service-level agreements (SLAs), enhanced VPN security and service protection, multicast over VPN, and powerful network-management capabilities.
SLAs
A provider's ability to offer SLAs is essential to attracting and retaining customers. Basic SLAs for IP-based VPN services guarantee performance metrics for network availability, packet loss, delay, delay variation (jitter), and throughput. By refining these SLAs, service providers are generating incremental revenue from premium service levels, increasing customer retention, and gaining an edge in attracting new customers. Cisco offers four techniques that service providers can use to improve their SLA service offerings (see Figure 1):
• Improved network-performance metrics
• Finer granularity: different metrics for different traffic
• Measurement from customer site to customer site
• Visibility into network performance through management tools
Figure 1
Four Techniques Service Providers Can Use to Differentiate Their SLAs: Metrics, Granularity, Measurement, Management
By combining these techniques, service providers can create a tailored service that meets individual customers' performance requirements for delay-sensitive applications such as voice over IP (VoIP), video on demand, and mission-critical, Web-based applications. To employ these techniques, service providers use a variety of tools within Cisco IOS® Software.
Metrics
Service providers gain a competitive edge by guaranteeing a higher level of network performance-for example, a higher percentage of uptime, lower mean time to repair (MTTR), or a lower latency versus their competitors.
Cisco offers two technologies that service providers can use to improve availability of their Layer 3 VPN services: bandwidth protection in the core network and dial backup in the access network. SLAs with higher network availability boost customer retention and help attract new customers.
Bandwidth protection for Layer 3 VPNs is analogous to automatic protection switching (APS) for SONET. In an MPLS network, the enabling technology is Fast Reroute, part of the traffic-engineering capabilities of the Cisco IOS Software. If a link or node anywhere in the network should fail, the Fast Reroute feature routes traffic to another path within 50 milliseconds (ms), practically eliminating the downtime.
Dial backup is a design technique that improves availability in the access network. If the primary connection becomes unavailable, enterprise customers can continue to access the VPN via an ISDN dial backup connection. Service providers generally charge a premium for dial backup.
Granularity
Basic service provider SLA agreements stipulate the same network-performance metrics for all traffic traveling across the network, regardless of the traffic type or destination. With more granular SLA measurements that take into account the type of traffic or its origination and destination, the service provider can further differentiate its service. Quality of service (QoS) uses classification, marking, queuing, policing, and shaping of the network traffic to allow a provider to create different classes of service (CoS) with different latency, jitter, and packet loss characteristics. Voice, for example, requires very low latency and jitter, whereas an additional half-second delay for e-mail is inconsequential. Service providers typically offer three tiered service classes, such as those shown in Table 1. Some service providers offer up to five service classes by subdividing the business-critical data class.
Note: Some service providers subdivide this CoS into up to three CoS.
x
x
x
x
Standard, or "best effort" (e-mail)
x
x
QoS can be used in conjunction with traffic engineering to provide a guaranteed bandwidth service between specific endpoints. For instance, the enterprise customer might want to subscribe to a more stringent SLA for traffic between its two data centers or hub sites in New York and Los Angeles. The underlying Cisco technology that helps enable service providers to offer point-to-point commitments is MPLS DiffServ-aware traffic engineering (DS-TE). With DS-TE, the bandwidth on each link that can be reserved for constraint-based routing (CBR) is managed through two bandwidth pools: a global pool and a subpool. The service provider can limit the subpool to a subset of the link bandwidth. Tunnels using the subpool bandwidth are used in conjunction with MPLS QoS mechanisms listed in Table 2 to deliver guaranteed bandwidth services end to end across the network. DS-TE automatically chooses a routing path that satisfies the bandwidth constraint for each defined service class, such as Premium, Gold, Silver, or Bronze.
Table 2. Promoting Granular SLAs with QoS Tools in Cisco IOS Software
Tool Category
Tool Name and Description
Classification and marking tools satisfy the first requirement of a QoS policy: to identify the type of traffic that requires different treatment. Classification tools mark a frame or packet with a specific value. This marking (or re-marking) establishes a trust boundary used by scheduling tools.
• 802.1Q/p CoS-Three bits within the header of an Ethernet frame.
• IP Type of Service Byte-Layer 3 marking that accommodates changes in Layer 2 media as packets traverse from source to destination. The first three bits of the type-of-service (ToS) byte, known as IP Precedence bits, are used for QoS marking.
• DSCPs and Per-Hop Behaviors-A 6-bit marking model allowing up to 64 values, represented either numerically (differentiated services code points [DSCPs]) or by keywords (per-hop behaviors [PHBs]).
• MPLS EXP-Three bits within the MPLS label used to hold a QoS indicator, which by default is copied from the IP Precedence field in the underlying IP packet during label imposition.
Scheduling tools determine how a frame or packet exits a device. Whenever packets enter a device faster than they can exit, as happens with speed mismatches, a bottleneck can occur. Service providers can schedule higher-priority packets to exit the buffer sooner than lower-priority ones, a technique called queuing.
• Class-Based Weighted Fair Queuing (CBWFQ)-Allows the service provider to define traffic classes and associated bandwidth allocations based on custom match criteria, such as an access control list (ACL), input interface, protocol, and others.
• Modified Deficit Round Robin (MDRR) Queuing-Works in similar fashion to CBWFQ, for Cisco 12000 Series routers.
• Low-Latency Queuing (LLQ)-Allows for a queue that is serviced for delay-sensitive traffic, such as voice- and video-based services. Packets are serviced as they arrive.
• Weighted Random Early Detection (WRED)-Helps avoid congestion by dropping lower-priority packets when thresholds for congestion are met.
Link-specific tools
• Policing and shaping tools-Identify traffic violations and either drop them (policing) or hold excess traffic in a buffer (shaping).
• Link fragmentation and interleaving tools-Mitigate delay in placing large data packets onto the wire in slow-speed WANs. This overcomes a problem called "serialization delay" that can exceed the delay or jitter thresholds for VoIP packets.
• Compression tools-Minimize bandwidth requirements on slow links by compressing packet headers.
• TX Ring Tuning-Helps ensure that a frame will always be available when the interface is ready to transmit traffic so that link utilization approaches 100 percent.
Measurement
Service providers typically deploy tools to measure the performance of their network between their own points of presence (POPs). However, these tools ignore performance in the access network, and even the best performance on the service provider network can be inadequate if the access circuit is slow.
Service providers that offer managed customer premises equipment (CPE) service can enforce improved SLAs by taking into account performance between customer sites instead of just POP-to-POP performance. This requires enabling the Service Assurance Agent (SAA), which is part of Cisco IOS Software, to send out probes from the CPE to measure latency, jitter, loss, and other parameters.
MANAGEMENT
Some enterprise customers want the ability to view real-time network-performance metrics pertaining to their VPN. One reason is to monitor whether SLAs are being met, another is to analyze traffic data to plan for upgrades. Cisco network-management tools, discussed later in this paper, help enable the generation of real-time reports on network performance.
VPN SECURITY AND SERVICE PROTECTION
When evaluating providers for VPN services, most enterprises consider security an important selection criterion. Specifically, they need assurance that sensitive data transported over the shared network infrastructure remains private, that their VPN cannot be breached, and that the service provider's network is protected from attacks that might halt or slow down service. Inherent MPLS VPN security mechanisms include address space separation, resistance to label spoofing, and reduced visibility of the provider network to outside parties. To augment these inherent security features, Cisco IOS Software offers additional mechanisms for integrated service protection in the VPN control plane (the routing system) as well as the data plane (the packet-forwarding system). These features give service providers a competitive edge in attracting enterprise customers for whom security is a high priority, including companies that need to comply with mandates such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for the healthcare industry; the Sarbanes-Oxley Act affecting corporate governance, disclosure, and financial accounting; and others.
Control Plane Protection Mechanisms
On the control plane, the Cisco IOS Software protects edge devices both from device-level vulnerabilities and device-to-device communication vulnerabilities, with the following features:
• Secure routing-A typical MPLS-enabled VPN network employs multiple control-plane protocols, such as Border Gateway Protocol (BGP), Interior Gateway Protocol (IGP), and Label Distribution Protocol (LDP), as well as customer-edge-to-provider-edge routing protocols such as BGP, Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP). The Cisco IOS Software uses neighbor authentication with MD5 hash passwords to prevent a router from receiving fraudulent updates from a control-plane neighbor. This protects service availability.
• Route limiting-The Cisco IOS Software enables service providers to limit routes on per-VPN or per-neighbor basis. Setting route limits protects the scarce memory on the route processor and line cards and allows the service provider to increase the scalability of its devices.
• Route filtering-Route filtering complements route limiting by helping ensure that unintended routes, such as the full Internet routing table, are not carried within the VPN, where they might be visible to intruders. Service providers can apply route filtering on per-peer basis to restrict the routes that appear in the VPN routing tables.
• Processor protection-A high volume of traffic can overwhelm the router processor, resulting in denial of service (DoS). Some Cisco routers, such as Cisco 12000 Series routers, protect the processor with two complementary techniques called receive ACLs and Control Plane Policing (CPP). While receive ACLs control the type of traffic that can be forwarded to the processor, CPP provides QoS control for packets destined to the control plane of the routers. This helps ensure that high-priority traffic on the receive ACL, such as routing protocols, receive adequate bandwidth.
Data-Plane Protection Mechanisms
In the data plane, most traffic within a VPN traverses a router rather than being addressed to it. Therefore, the security mechanisms in the data plane are designed primarily to protect routers from any malicious traffic. This, in turn, protects VPN service continuity. The Cisco IOS Software protects edge routers with the following techniques:
• Interface ACLs-Interface ACLs protect edge routers from malicious traffic. Applied to individual customer-edge-to-provider-edge circuits, these ACLs explicitly permit the legitimate traffic that can be sent to the edge router's destination address.
• Unicast Reverse Path Forwarding (RPF) Check-The Unicast RPF feature helps mitigate problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or customer network. Unicast RPF deflects common IP address spoofing-based DoS attacks by forwarding only those packets with source addresses that are valid and consistent with the virtual route forwarding (VRF) routing table. Packets that lack a verifiable IP source address are discarded, protecting the service provider and customer networks.
MULTICAST
IP Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to up to thousands of recipients. IP Multicast makes it possible for enterprise customers to use the IP VPN for applications such as real-time corporate communication, e-learning, trading stocks and commodities (stock quotes and ticker information), and emergency messaging services.
Service providers that currently offer unicast MPLS VPN services can offer multicast VPN services, as well, using their existing core network (see sidebar on service provider THUS). To offer multicast services, the service provider does not need to change the network other than to configure multicast on the provider-edge routers. Multicast VPN does not require MPLS labeling and therefore does not interfere with unicast MPLS data.
The Cisco implementation of multicast VPN supports the following:
• Scalable traffic delivery, a result of Data Multicast Distribution Tree (Data MDT) technology.
• A choice of Protocol Independent Multicast in the core network, for both data and default MDTs. These include sparse mode and Source Specific Multicast (SSM).
• A broad range of multicast options within a VPN, including Router-port Group Management Protocol (RGMP), Cisco Group Management Protocol (CGMP), Bidirectional Protocol Independent Multicast, and accept-register filters in the VPN.
• Additional options:
– Route processor at the provider edge on a per-VRF basis
– VRF awareness of multicast-related MIBs
– Cisco multicast VPN MIB and Multicast Source Discovery Protocol (MSDP) in the VPN, for route-processor redundancy and route-processor management service
– Networks in which the customer-edge routers are not directly connected to sources and receivers
CISCO IP/MPLS NETWORK MANAGEMENT
Service providers can cut costs and improve network performance and reliability by using the following three categories of Layer 3 VPN management applications: provisioning, fault management, and traffic engineering.
MPLS Provisioning
The Cisco IP Solution Center product family is an intelligent network element-management suite that includes applications for MPLS VPN provisioning, including Layer 3. These provide provisioning support for Cisco MPLS routers and for multicast VPN services, reducing total cost of ownership (TCO) for service provider networks. Cisco IP Solution Center understands any intricacies of interacting with Cisco devices and also provides an API to facilitate higher-layer, third-party provisioning operational support systems (OSSs) to "flow through" the comprehensive Cisco IP Solution Center provisioning engine, isolating the OSS from changes in Cisco IOS Software and device line cards. As a productivity tool in the network operations center, Cisco IP Solution Center frees up administrators from performing repetitive, time-consuming, and error-prone device-configuration tasks. This reduces operational expenditure while increasing service uptime and reliability. For faster provisioning the administrator defines a set of provisioning parameters in a service policy, which captures details such as provider edge-to-customer edge protocol, IP numbering, and VLAN Auto-Allocation. These policies can then be reused, and the operator simply has to select the device subinterface to connect customer-edge routers to customer VPNs. Following is a sample MPLS VPN service policy for a customer, which is defined once and can be reused again and again without further manual overhead:
• Routing Information Protocol (RIP) used for provider edge-to-customer edge traffic
• Redistribute routes at the customer edge, redistribute OSPF from the customer edge
• Automatic assignment of IP address for the provider edge-to-customer edge connection or "attachment circuit"
• Automatic allocation of customer-edge IP address into management VPN
With policy-based provisioning, Cisco IP Solution Center decreases TCO for the core network by reducing labor requirements and human error. At the same time, it maximizes the revenue opportunity by accelerating network-provisioning operations and helping the service provider to deploy advanced services such as Carrier Supporting Carrier and Inter-Autonomous System support. Finally, Cisco IP Solution Center provides a functional audit capability that allows the operator to verify that the configuration operation on the router has been completed successfully. For more information, visit http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/index.html.
MPLS Fault Management
MPLS fault-management applications reduce network operational costs and increase network availability, allowing service providers to offer increased SLAs. They include applications for MPLS embedded management and network management.
MPLS Embedded Management
All network-management applications rely on information collected from the network elements and the diagnostics present in device instrumentation. A consistent way to manage and collect information from these network elements is essential for managing fault, configuration, accounting, performance, and security (FCAPS). Cisco has invested heavily in Cisco IOS MPLS Embedded Management to offer a set of tools that work together to provide complete MPLS FCAPS (see Figure 2).
The building blocks of the Cisco MPLS Embedded Management architecture are as follows:
• Performance tools-The Cisco Service Assurance Agent (SAA) within Cisco IOS Software allows users to monitor network performance between a Cisco router and a remote device, which can be another Cisco router, an IP host, or a multiple virtual storage (MVS) host. By using Cisco Service Assurance Agents within MPLS VPNs, service providers can plan, provision, and manage IP VPN services according to customers' SLAs.
• Accounting tools-MPLS-aware Cisco NetFlow is an extension of Cisco NetFlow accounting that provides highly granular traffic statistics for Cisco routers. It collects statistics on a per-flow basis.
• Management Information Bases (MIBs)-MPLS MIBs provide open Simple Network Management Protocol (SNMP) interfaces that service providers can use to take advantage of vendor element-management applications, third-party specialized independent software vendors, or in-house management applications. SNMP MIBs are heavily used by third-party, multivendor applications, including advanced fault-management applications such as root-cause analysis and SLA performance reporting.
• Protocol enhancements-Protocol enhancements help automate provisioning and maintenance of MPLS networks. For example, the AutoMesh Traffic Engineering feature of Cisco IOS Software automatically constructs a mesh of traffic-engineering LSPs among provider-edge routers. The AutoTunnel Primary and Backup feature allows a router to dynamically create 1-hop primary tunnels on all interfaces that have been configured with MPLS traffic-engineered tunnels.
Network Management Applications
Element-layer applications reduce operational expense for MPLS VPN services. Cisco management applications that support MPLS include:
• Cisco Info Center-The Cisco Info Center consolidates, suppresses repeat events, filters, and correlates fault and alarm information from a wide range of management platforms and products from various vendors. Its fault-management support includes the use of the Cisco MPLS Embedded Management tool set described in the previous section.
• Cisco IP Solution Center-As discussed in the Provisioning section, Cisco IP Solution Center is used for provisioning Layer 3 MPLS network elements. It supports a broad range of Cisco platforms, from Cisco 3600 Series multiservice platforms to Cisco 12000 Series routers. It also manages a variety of Layer 3 MPLS-related technologies, including VPNs based on MPLS BGP and IP Security (IPSec).
• Cisco Info Center VPN Policy Manager-Integrated with Cisco IP Solution Center, the Cisco Info Center VPN Policy Manager provides in-depth information about the effects of network faults on MPLS VPNs and customers, how to prioritize events, and how to effectively and quickly troubleshoot a problem. Cisco Info Center VPN Policy Manager relates device-level faults directly to customer VPNs provisioned by Cisco IP Solution Center so that the service provider can immediately determine which customer VPNs are affected.
Figure 2
Cisco MPLS Embedded Management Architecture
MPLS Traffic Engineering Management
To optimize network capacity, service providers can use the advanced traffic-engineering management capabilities in the Cisco MPLS management toolset and the Traffic Engineering Management application (formerly known as Cisco TunnelBuilder Pro) in the Cisco IP Solution Center product family.
The Traffic Engineering Management application is an offline network design and planning tool that computes optimal paths in the MPLS VPN. These calculations are based upon advanced mathematical algorithms developed by Cisco. The Traffic Engineering Management application significantly improves routing optimization by combining intelligent search with MPLS Traffic Engineering path configuration. Compared to the online or offline Constrained Shortest Path First (CSPF) protocol in traffic-engineered networks, the advanced algorithms for placement of traffic-engineered tunnels allow service providers to carry more traffic on the network, provide more stringent QoS guarantees to customers, and reduce capital expenditure by optimizing the existing infrastructure capacity.
CONCLUSION
As demand for managed IP VPN services continues to grow, service providers can set themselves apart by offering enhanced SLAs, enhanced VPN security and service protection, multicast over VPN, and new network management applications. Those capabilities are available today, through features in Cisco IOS Software.
