Our step by step Managed MPLS IP VPN services procurement Mindmap won the BT Business award for innovation. We outline, at a glance, all of the key areas, the risks, pitfalls and opportunities.
We’ve worked with numerous companies across the last five years, from the largest Global Enterprise through to a small three site Global data network. Our experience has taught us that successful WAN procurement requires a repeatable process: a workflow which aligns the specifics of your organisation to the overall capability of any prospective service provider. The procurement of managed MPLS IP VPN (Multi Protocol Label Switching) or VPLS (Virtual Private LAN Service) products is challenging with the increased complexities of globalisation, cloud computing, remote applications, extranet partners and so on. The connectivity within any business is the key to moving a product or service through the sales cycle to delivery, in the form of your productivity and customer service. For the purposes of this article, we consider MPLS as layer 3 VPN and VPLS as layer 2 VPN. For more information, see this Wiki article on the OSI model.
Below: Our latest video tutorial content surrounding Managed MPLS VPN Pricing. This article will be updated with further video content in due course.
Importance of analysing data
Within our connectivity practice, we speak about the importance of collecting data on your business strategy, reach, your application traffic performance, business continuity, process, latency and jitter, quality of service and more. We show how, with this output, it is possible to create a Statement of Requirements (SoR) to clearly define your MPLS network design and VPLS (Virtual Private LAN Service) VPN needs, from business continuity and application traffic support through to commercials. If this sounds like a huge amount of work, don’t be put off. The actual SoR may be as simple or as complex as you’d like it to be. The key is to ensure you’ve ticked all the right boxes and not missed critical components for your company, including cloud, security information and remote access. That matters across many different aspects of the procurement.
In our visits to many organisations, the indicators which highlight issues revolve around the following feedback:
- Our managed WAN lacks agility. Adds, moves and changes take too long creating project delays.
- Support troubleshooting is not proactive requiring constant involvement from IT to progress issues.
- Information and data about our service required to make decisions is out of date or unavailable.
- Statistics do not provide the necessary data information to trend report and understand where improvements may be made.
- Design & Topology configuration contains multiple single points of failure.
- Application packet performance is poor - routing of traffic between selected locations often experiences high latency or jitter.
- Our account team do not provide regular reviews or interact with us over the contract term.
- Our SLA (Service Level Agreement) is not robust.
- Our MPLS IP VPN pricing is not competitive with the market place.
If any business is intent on avoiding a repeat of existing issues and problems when procuring a new service provider capability, a tight alignment between business objectives and IT capabilities is required.
To get our readers thinking, our workshops revolve around answering a set of high level VPLS & MPLS VPN Network service provider procurement questions:
What do we want to achieve?
- What do we think is possible when we buy managed MPLS VPN services or Ethernet VPLS technology?
- What do we need to do to achieve our goals?
- Does our existing WAN connectivity align with the company strategy?
- When should we react to new opportunities and adapt plans?
- What budget is available?
- How are we going to get there?
- What are the challenges right now and how do we prioritise solving problems?
- What other initiatives do we need to consider within our sector - i.e. environmental?
One common area which requires transparency surrounds coverage. The marketing of prospective suppliers will profess to offer significant national and global reach. The reality is that the provider's core network may be small and limited, with their reach being provided by backhauling traffic via wholesale tail circuit local loop providers. Understanding the true MPLS VPN or VPLS coverage and reach of prospective suppliers often requires forcing transparency. The majority of account teams will market their reach based on wholesale agreements and not real MPLS node coverage. The impact of low edge PE proliferation depends on your own unique requirements but, at a high level, diversity, resiliency and general performance have the potential to be degraded. In order to force transparency, request to view MPLS PE (Provider Edge) details. The PE reach demonstrates the provider's true coverage.
VPNs - Don't forget the users
The users are, of course, a major component of your organisation - internal customers. The workspace is changing fast with increased device capability and remote working. A user could be in the UK one day and the US the next, but they have the same requirement to access ubiquitous data and resources. Their resources could be a simple PDF or video conferencing for a brand new client. The user doesn’t particularly care about the underlying WAN network, providing the service operates within certain parameters. Add security to the picture and the scale of the need becomes clear: a good MPLS VPN network connectivity and VPLS service design and proposal is key.
The ‘people’ within an organisation also vary in terms of their influence and needs. We therefore recommend taking a subset of users to understand more about their views on the existing network and how any new MPLS network or VPLS VPN service might further enhance productivity. If your organisation is Global, we have a specific MPLS network map which clearly shows capability, at a glance, around the globe.
MPLS Network Services Due Diligence
Once the MPLS network service is installed, an environment of good practice is needed to be sure the value gained within pre-sales is not lost. All too often, service providers sell a service, subject the organisation to a 3 year contract, and move on to the next deal. As a client, you will have requirements to understand where improvements may be made, you’ll want to be sure the documentation and product information is kept up to date and, overall, understand the performance and management of the network.
We find regular quarterly review meetings are key to resolving issues, updating designs and generally talking about new products and enhancements. The guide covers these areas together with trend reporting on an ongoing basis. Trend reporting allows everybody concerned to understand pinch points and network issues together with the rise in WAN usage.
Your existing Managed MPLS IP VPN Service Provider situation
When we consider new networks, there is an opportunity to look back into our existing business capability to understand the elements which have performed well for customers against the areas which have represented a bottleneck.
The word bottleneck is used a fair amount in the managed WAN network arena, normally when speaking about connectivity sizing. However, we generally refer to bottlenecks as an overall statement to describe a WAN which doesn’t fit with your business's demands. The real overall objective of MPLS VPN design should revolve around creating a capability which rolls with the ever changing demands of your business. Will the network need to be expanded to connect new sites over time? Will sites need to close, or is the business expanding? What applications are we considering? How do we keep up with the demands of global employee productivity?
Unless you are creating a brand new layer 3 MPLS VPN design or layer 2 VPLS requirement because of a greenfield business, looking back is the first port of call. If you have any available trend reporting data, now is the time to consider the network trends over a time period. This work will allow you to view the growth curve and understand where usage might be over a given period of time. All circuits should be considered where possible, including fibre based connectivity and ADSL. At a higher level, consider how applications are being used and determine how the performance has been impacted by service quality, support issues and so on. Creating a documentation set surrounding the existing solution is a critical component, as this will allow you to consider whether there are areas which are not providing a capability. We recommend looking at SLA (Service Level Agreement) breaches to gain clarity on how the existing service provider has been performing generally. On the subject of the SLA, the elements surrounding adds, moves and changes are often a source of major frustration. Slow, painful change requests are just as business impacting as poor network performance. We have carefully analysed and broken down BT's MPLS SLA to ensure your business is aware of overall performance.
Technically speaking, the average customer VPN also includes some fundamental details and information such as routing, VRF (Virtual Routing and Forwarding table), BGP protocol configuration, device interface IP addressing and so forth. Whether your existing wires only or managed network is provided by Cisco or another vendor, capturing the current state of each device on the network will also provide a good insight into how data is flowing across your infrastructure. Some detail may be deemed too granular - for example, not everybody needs to know the loopback address of a device - but we recommend getting as detailed as possible without detracting from the overall goal.
Strategy of your IT projects and business is a key area which should be documented. The majority of MPLS network services are hybrid based VPNs meaning that most organisations will make use of private Ethernet layer 3 MPLS (VPRn) or Ethernet layer 2 VPLS / Virtual leased line products when appropriate. With private cloud solutions, layer 2 VPN services are an ideal way of extending the LAN between hosting sites which provides a much more scalable infrastructure.
SLA - Service Level Agreement
We never recommend MPLS VPN technology based on an SLA. With this said, service provider capability is indicated by the figures and data published within the SLA. As an example, core POP to POP (Point of Presence) latency figures provide an idea of application performance. However, the SLA does not often include the tail circuit element of your MPLS VPN design (or VPLS), which will ultimately impact overall capability. With latency in mind, QoS (Quality of Service) will also fall into SLA categories depending on each setting offered, including EF - Expedited Forwarding, AF - Assured Forwarding and BE - Best Effort. The top level of QoS (EF) will also include jitter performance (the variation in delay between successive packets traversing the network). Again, these figures are based on the provider's core network. Over and above application performance, the SLA will include fix times, adds, moves / changes and installation timescales. These aspects are critically important since making changes to the network will, on occasion, need to be completed efficiently to avoid business impact. The migration SLA will also enable IT Management to update key areas of the business on when a new service may go live or where a downtime window may occur. The SLA is an estimate of performance and should never be taken as an unbreakable law. As an example, delivery of a new circuit may be SLA’d to a certain date and, whilst this is good information to know, there are mitigating factors which have the potential to cause delay. More on this next.
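The SLA paragraph above makes two points a practitioner will want to verify with measurements rather than take on trust: jitter is a derived figure, and the published latency and jitter numbers cover the provider core, not the tail circuit. The example below is added here and is not Network Union's or any provider's tooling. It computes one-way delay and RFC 3550 interarrival jitter (the estimator RTP monitoring tools report) from matched send and receive timestamps, then checks a probe run against an EF class target. The timestamps and the SLA thresholds are constructed values, not any provider's published figures; the two runs show the same path measured core-only and end-to-end with a tail circuit added.

```python
"""Check measured one-way delay samples against SLA thresholds.

Added example; not Network Union's or any provider's tooling. Sample timestamps
and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SlaTargets:
    """Per-class SLA figures as a provider might publish them (constructed values)."""
    qos_class: str
    max_mean_latency_ms: float
    max_jitter_ms: float


def one_way_delays(send_ms, recv_ms):
    """Per-packet one-way delay (ms) from matched send/receive timestamps."""
    if len(send_ms) != len(recv_ms):
        raise ValueError("send and receive timestamp lists must be the same length")
    return [r - s for s, r in zip(send_ms, recv_ms)]


def interarrival_jitter(send_ms, recv_ms):
    """RFC 3550 interarrival jitter estimator.

    D is the change in transit time between consecutive packets; the estimate J
    is a running average of |D| with gain 1/16, so it smooths single spikes and
    can never exceed the largest |D| seen.
    """
    delays = one_way_delays(send_ms, recv_ms)
    j = 0.0
    for prev, cur in zip(delays, delays[1:]):
        d = abs(cur - prev)
        j += (d - j) / 16
    return j


def sla_check(send_ms, recv_ms, target):
    """Return (passes, mean_latency_ms, jitter_ms) for a probe run against a class target."""
    delays = one_way_delays(send_ms, recv_ms)
    lat = mean(delays)
    jit = interarrival_jitter(send_ms, recv_ms)
    passes = lat <= target.max_mean_latency_ms and jit <= target.max_jitter_ms
    return passes, lat, jit


# Constructed probe data: 8 packets sent 20 ms apart (a typical voice packet rate).
SEND = [i * 20 for i in range(8)]
# Core-only (PE to PE) delays, the kind of figure an SLA quotes.
CORE_RECV = [s + d for s, d in zip(SEND, [25, 25, 26, 25, 25, 26, 25, 25])]
# End-to-end delays once a tail circuit is added on each end.
E2E_RECV = [s + d for s, d in zip(SEND, [40, 44, 41, 49, 40, 45, 41, 40])]
# Constructed EF target: 40 ms mean latency, 1 ms jitter.
EF_TARGET = SlaTargets("EF", max_mean_latency_ms=40.0, max_jitter_ms=1.0)

if __name__ == "__main__":
    for label, recv in (("core only", CORE_RECV), ("end to end", E2E_RECV)):
        ok, lat, jit = sla_check(SEND, recv, EF_TARGET)
        print(f"{label:11s} mean latency {lat:5.2f} ms  jitter {jit:5.3f} ms  "
              f"{'PASS' if ok else 'FAIL'} against {EF_TARGET.qos_class}")
```

The core-only run passes the constructed EF target while the same path measured end to end fails on mean latency, which is exactly the gap between a core POP to POP figure and what your applications experience across the tail circuit.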
Wires only or Managed WAN Migration
VPLS and managed MPLS IP VPNs typically require tail circuit provision unless the circuit is directly connected to the provider of choice - e.g. data centre or hosting facility. Perhaps number 1 on the list of potential project disappointment surrounds serious delay of circuit provision. There are numerous reasons why delay occurs, two examples are listed below:
• Wayleave - Landlord permission is required to perform work. On occasion, approval may be protracted for a variety of reasons.
• Resilient access - when a second failover circuit is required, engineering work may mean council permissions (for example) are required before work may commence.
The actual work to configure and ship customer routers, access site, test and handover circuits takes considerable focus. However - with the right step by step process (as outlined within our Mindmap), potential problems may be minimised.
MPLS VPN Pricing
The most important advice when trying to achieve good costs is to ensure your organisation has a good statement of requirements. Providers (BT or otherwise) are better positioned to achieve good cost outcomes when they are clearly able to see a valid project. The tactic of sending generic spreadsheets out to multiple providers will result in standard costs. The process we use at Network Union will ensure clear requirements are indicated which aligns well with the service provider process to achieve the best possible pricing outcome.
Private MPLS VPN services are complex by nature, but the low-level detail surrounding the core of a provider's infrastructure is not needed for procurement unless your project is very bespoke.
MPLS vs Internet based IP VPN
There has been a lot of attention paid to MPLS (Multi Protocol Label Switching) over the last decade. The benefits are pretty clear but the fact remains that IT Management are often unsure whether MPLS or IP VPN services are more applicable to their organisation. In reality, MPLS layer 3 networks and Internet based layer 3 networks are both classed as VPN (Virtual Private Network) products. However, over the years, the term VPN has become synonymous with Internet based IPSec or SSL (Secure Sockets Layer) solutions, with layer 3 private based networks termed MPLS. (Note that IP VPN is a term often used generically to describe Internet encrypted traffic.)
The overall answer lies in analysing your business specifics across strategy and technical elements, which ultimately outputs a design that will be met by a specific product or, more commonly, a hybrid service. The topic of hybrid networking is providing renewed interest in Internet based VPN services. The thinking behind our Mindmap series is to obsess over the kind of detail we would want to know in the position of IT Manager. In this release, we consider some thoughts and ideas surrounding the considerations you need to make when thinking about MPLS or VPN as a capability for your business.
I was personally responsible for the largest managed IPSec VPNs back in early 2000 for an automotive client. If I think back to that time, I recall the process being pretty clunky with a fair amount of unknown capability. We all thought that Internet based VPNs would be phased out by MPLS and, although we have seen a paradigm shift in WAN procurement, both private and public based networks are very much used in today’s Enterprise networks.
MPLS or IPSec VPNs?
In order to make a decision on MPLS or VPN types, there are a number of questions which should be answered.
- Is our organisation looking to deploy delay sensitive applications such as voice or video?
- Do we need to maintain a base level of service and performance across mission critical applications?
- Would we benefit from a granular insight into our applications performance?
These kinds of questions are generally answered ‘yes’ for growing organisations, and these base features are the reason why MPLS has grown to the extent we see today. This said, we very much believe that Internet VPNs are more important than ever as we transition our workforce to become truly global, to work anywhere with any device.
MPLS vs IPSec – The differences
When IT Managers discuss MPLS VPNs, they are really talking about access to a private based data network with application based QoS (Quality of Service). MPLS is in fact a technology used by service providers to traffic engineer their networks by ensuring the most efficient use of their resources (internal bandwidth). The original concept of MPLS has evolved offering organisations capability across layer 3 routed networks through to layer 2 VPLS (Virtual Private LAN Services) and VLLs (Virtual Leased Lines). With the previous statements in mind, organisations are actually buying access to MPLS provider services but not actually running MPLS on their edge devices. If you are wondering (and who wouldn’t be?), the correct term would be VPRn (Virtual Private Routed network).
In short, MPLS IP VPN types are as follows:
VPRn (Virtual Private Routed network). A layer 3 any to any private network. A good solution for managed networks where outsourcing to the service provider is a key driver.
VPLS (Virtual Private LAN Service). A layer 2 Ethernet any to any private network. At layer 2, your organisation's LAN may be extended and you are positioned well to support your own IP traffic and routing.
VLL (Virtual Leased Line). Referred to as pseudowire products, they emulate point to point and multipoint capability over longer distances.
As an MPLS VPN service provider capability is private based, there is little need to concern yourself with security of the WAN itself. The product capability is defined within the RFC (Request for Comments), which outlines how each customer's routing is kept separate under its own identifier. This said, some financial or government institutions may well decide to overlay further security because of regulations but, for most of us, the service is inherently secure. Internet is normally provided via cloud based access or at a central HQ location, where Firewalling protects your organisation from outside threats.
IPSEC / SSL
For the purposes of this article, we are really going to concentrate on IPSec which is used as a method of connecting office sites together over the Internet. SSL is generally used for remote access.
When discussing IPSec based VPNs with IT Management, I try and differentiate between Internet based VPNs and Single Provider Public based network VPNs. (I appreciate this must sound confusing.)
I’m really referring to the fact that provisioning an IPSec VPN over one provider’s network is more of a predictable capability, since your data will only be traversing a single provider network. I refer to this as a Single Provider Public based network. In this scenario, latency and packet throughput should be much more aligned to an SLA (Service Level Agreement) and provide your organisation with confidence in performance.
The alternative is a true Internet based VPN. In this scenario, you are using multiple Internet providers from around the globe (or nationally), where traffic will be routing from one provider to another. There is really no way to predict the performance of this kind of design and therefore it is not an ideal option for site to site office connectivity. This said, for remote users this design is the enabler to global productivity, so it is very much a capability used within networks today.
In both scenarios, IPSec is used to secure packets which traverse public networks, which is achieved by a combination of encryption and authentication. There are plenty of resources available on the Internet which discuss IPSec in depth but, for our article, let’s look at the basics.
We show how traffic within an IPSec VPN is configured to only allow traffic through based on a list of authenticated endpoints. If the IPSec mechanism establishes that the traffic is not from an authenticated end point, it is simply dropped. As packets are moving between your sites, IPSec adds encryption which protects the data from snooping. As an aside, IPSec may also be configured for split tunnelling, where both authenticated end points and access to the Internet are enabled. If split tunnelling is configured, a Firewall should be implemented to secure the site.
Overall, IPSec layers on complexity. We often hear of dropped tunnels and short periods of downtime. Whilst this is becoming a rarity, these problems have not fully disappeared. In addition, encryption adds an overhead which is especially a point of consideration for small packets such as those found in voice applications. We know IPSec now has mechanisms to support QoS (Quality of Service) but remember that additional functionality has to be supported. If you are considering outsourcing your VPN, check what is available in terms of product support.
Why would you select MPLS or VPN – the answer is in alignment of your business specifics
In the distant past, Internet VPNs were a lower cost vs their MPLS counterparts. However, today we still see a lower initial cost for Internet bandwidth but when you layer on the requirement for IPSec hardware (think router or Firewall), the costs are pretty much aligned.
With costs there or thereabouts, the decision should be based on the specifics of your business. We recommend requesting our step by step guide to WAN procurement – it’s free and covers every area you should consider. The point is this. Without a complete statement of requirements, the decision making process vs service provider capability is often incorrect.
When creating a statement of requirements, you need to consider applications and their performance attributes. As an example, voice requires strict priority across the network with strict service levels. Unless there is a specific reason, running voice over an IPSec VPN would not be our recommended solution. In reality, the performance would probably be good enough but the issue relates to the word ‘probably’. Organisations must deliver predictable performance for critical applications within their business.
MPLS IP VPN Types - A Hybrid services approach
The majority of installations we see today involve a hybrid of both private MPLS and VPN. A good example of where IPSec based VPNs are used is in the world of extranet clients - organisations which need to allow access into the network from partners. We are a BT Authorised Partner and have access to BT resources via a secure VPN into their portals and systems. The access is facilitated via a combination of IPSec and SSL.
Remote users are one clear reason why an Internet VPN would be of use. Clearly, you wouldn’t want to put in a dedicated MPLS circuit for every remote user on your network. Therefore a good Business Broadband service coupled with VPN security represents an ideal route back into the network. This said, some key users may well benefit from a broadband based MPLS circuit into the network to support voice and video if they are working from home for extended periods of time.
The choice of MPLS or VPN is often business related. Here’s an example. We worked with a construction firm recently which needed to connect up small offices (think cabins) on a temporary basis. In this scenario, Internet VPN makes perfect sense. A low cost business broadband circuit coupled with security back into the wider MPLS network.
Your services Scalability
As networks grow larger, the impact on CPU usage is increased. As an example, an any to any IPSec based VPN would require more CPU power as the network grows. The addition of extra sites adds further complexity to the configuration and thus the risk of support problems. We would say that IPSec has become a much easier managed service to deliver over the years, and CPU power has increased. The fact remains that scaling the service requires thought. MPLS based VPNs are inherently scalable as they are truly connectionless and do not rely on tunnels from site to site. Therefore the actual configuration is a much simpler approach; we mentioned previously that there is no MPLS configured on your edge device, meaning that the install and ongoing support is relatively simple (all things being equal).
For the majority of corporate networks, Ethernet MPLS (or VPLS) will ultimately form the connectivity to support your business requirements. There is a reason why MPLS VPN networks have grown to the extent they have over the past decade. In the main, a private based network without the added complexity of IPSec, with the ability to deliver SLAs on the performance of applications, is compelling. However, Internet VPNs are still a key component of networks today to support other business requirements such as extranet, remote access or temporary connectivity.
The tried and tested ISP Internet VPN is very much still at the forefront of our designs. As I write this article, I’m using a MacBook Air situated on a bench working from home. If I need to connect up to the corporate network, I simply launch my browser as the router is configured IPSec only – i.e. all traffic traverses a tunnel through to the corporate network.
The point is this. The growth of the Internet as a well engineered platform is simply going to increase in the future. Business is becoming more global, devices which require access to connectivity are becoming more prevalent and the need for security over public networks is stronger than ever. Therefore we cannot discount any form of productised service. The cloud is also a resource which requires good, stable access when both located within and outside of the office. When in the office, cloud based service may well be connected directly to the Ethernet MPLS network which, again, provides the best possible application performance. However, when you are out of the office, access to a private cloud will require some form of security. When on the road this might be via browser based security such as SSL or using a more business wide IPSec connection.
MPLS IP VPN TUTORIAL AND FURTHER READING / LINKS
Typical searches related to MPLS IP VPN network procurement - links and further reading
OSPF - Cisco guide to OSPF
CEF - Cisco guide to CEF
VRF - Cisco guide to VRF
The MPLS VPN PPT Mindmap
ISP Definition - Wiki to define an ISP
The OSI Guide
About the writer: Robert Sturt is our BT Partner Principal and writer for TechTarget as their MPLS network design expert. Reach out to Robert via Twitter: http://twitter.com/robertsturt