TECHNOLOGY BRIEF: MANAGING VPNS WITH CA SPECTRUM

How Service Providers can Offer Premium Services and Increase Revenue by Effectively Managing VPNs

SPECTRUM VPN Management White Paper


Copyright © 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Table of Contents

Executive Summary

SECTION 1: CHALLENGE

The Challenges of Managing Service Provider Networks

Managing Thousands of Devices

Managing a Myriad of Services

Managing International Operations

Managing Equipment from Multiple Vendors

SECTION 2: OPPORTUNITY

The CA SPECTRUM® Opportunity

Distributed Server Architecture

Fault Tolerant Architecture

Distributed Viewing and Navigation — OneClick Architecture

Efficient Service Assurance

Reduced Operator Intervention

Reduced Network Traffic

Multi-Vendor Management

SECTION 3: BENEFITS

CA SPECTRUM — Designed for Service Assurance

SECTION 4: CONCLUSIONS

ABOUT CA


Executive Summary

Challenge

Service providers are rapidly rolling out managed Virtual Private Network (VPN) services, including MPLS VPNs, which enable carriers to offer differentiated levels of service commensurate with customer needs. One of the concerns that carriers face is how to effectively manage these large scale networks to ensure that customers are receiving the level of service for which they have contracted. Factors adding to the complexity of managing MPLS VPNs include:

• Managing thousands of devices

• Managing a myriad of services

• Managing international operations

• Managing equipment from multiple vendors

Opportunity

CA SPECTRUM® Network Fault Manager is suited to manage these challenges while increasing operator efficiency and lowering costs. CA SPECTRUM provides advanced tools and policies that are essential to delivering reliable, scalable and profitable VPN services. CA SPECTRUM provides a distributed, fault tolerant architecture built to support the world’s largest service provider networks offering complex services over network equipment spanning hundreds of different vendors. CA SPECTRUM also provides an efficient services architecture to proactively monitor the health of service delivery from edge to edge, and provides efficient dashboard views into service quality. With all of its capabilities, CA SPECTRUM gives service providers the opportunity to increase revenue through differentiated services and offers.

Benefits

CA SPECTRUM can manage the complexities of MPLS VPN services, enabling service providers to take advantage of this growing market opportunity. Using a combination of historical performance data and real-time monitoring and assessment, along with a distributed and fault tolerant architecture, CA SPECTRUM offers the essential capabilities required for large scale, managed VPN environments:

• Scalability

• Reduced operator cost

• Service assurance

• Multivendor support


The Challenges of Managing Service Provider Networks

Premium services demand high service quality. This is not an easy task when networks span thousands of devices, a multitude of service types, international services and a variety of network equipment vendors.

Managing Thousands of Devices

The first and most obvious challenge in managing large service provider environments is the huge number of devices that make up the network. As networks scale to thousands and tens of thousands of intelligent devices, typical management paradigms are no longer adequate to address this scale of problem. Historically, an enterprise could be managed by polling all devices from a single or small number of management stations. This approach fails when the number of devices reaches into the tens of thousands. In addition to the number of devices, it is the relationship between these devices that significantly increases the management complexity.

As device count increases, total port count increases even more significantly. Current devices have the capacity to connect to potentially hundreds of other devices. While these additional connections provide increased service and connectivity options, this greatly increases the complexity of management. This increased complexity is due to the additional dependencies on services provided by these other devices. Without proper control, outages and configuration errors can negatively and quickly propagate throughout the network, affecting a large number of other devices. This cascading of a fault would cause expensive downtime and loss of service for a large number of customers. It is essential for the management system to understand and accurately model these critical relationships between devices.

Today we stand at a critical junction of network, systems and service management brought about by the increase in:

• Device count

• Device port density

• Device dependencies

Managing a Myriad of Services

In addition to the number of devices which make up today’s provider networks, there are a large variety and growing number of service offerings. A few examples of these ever increasing service offerings include:

• MPLS VPNs – Layer 3

• MPLS VPNs – Layer 2

• Voice over IP

• Internet connectivity

• Data backup services

• Hosted applications

• Network security

• Redundant/failover links


As the number of services increases, there is additional burden on the routers, switches and other devices that make up the network. Likewise, the impact on management is significant. As in the case where each device supports an increasing port density, devices are supporting an increasing “service density”. In other words, a single device is offering an increased number of critical services to the end user. In addition to managing the devices, these services must be properly managed to deliver contracted service levels to the end user.

The increase in devices, ports and services leads to an explosion in the number of managed objects that must be handled by the management system. As the number of managed objects increases, the cost of managing this environment also increases. There are some indications that these increases are not simply linear, but increasing more rapidly than the total number of objects.

Managing International Operations

Multinational service providers present a challenge due to the geographically dispersed nature of their operations. It is possible that the customer edge equipment, provider edge equipment, network management server and network management client can be in different locations and time zones.

Managing Equipment from Multiple Vendors

Managing large, distributed multi vendor networks presents a challenge to service providers. There are a number of major vendors who sell to the service provider market. The challenge this poses is that vendors seldom use the same, or even similar, SNMP MIBs in their devices. In addition, the configuration of devices and services varies significantly from one vendor to another.

The CA SPECTRUM Opportunity

The architecture of CA SPECTRUM combined with its management tools make it capable of managing complex multi vendor networks and delivering the high quality of service that premium services require.

Distributed Server Architecture

CA SPECTRUM employs a distributed server architecture, which is the foundation that enables distributed management applications to scale to the largest management environments. No single management server alone can provide the capacity to manage these networks. The distributed architecture is based on the CA SPECTRUM Assurance Server capability, distributing critical aspects of management over many servers for greater scalability of CPU load, memory and disk bandwidth and network bandwidth by localizing polling traffic. In large networks, the CA SPECTRUM Assurance Server capability is typically used in fault tolerant pairs that will be discussed later.


A service provider's network consists of core and edge routers, connected to customer edge routers. The entire network is separated into multiple management domains based on:

• Administrative control

• Topology

• Location

• VPN membership

MANAGING MULTIPLE DOMAINS OF A SERVICE PROVIDER

Fault Tolerant Architecture

In addition to the distributed server architecture described above, each Assurance Server can operate as a fault tolerant pair. This capability has been successfully used by some of the largest global service providers and enterprises. This capability is continually enhanced to meet the challenges and requirements of the most demanding network environments, allowing for continuous monitoring of the network through a redundant Assurance Server, which can be available in any of the following configurations:

• Hot Standby: redundant server actively polling

• Warm Standby: redundant server is ready, but not polling

• Cold Standby: redundant server is started upon failure of primary

FIGURE A: Managing the multiple domains of a service provider network is complex. It involves managing multiple devices, including service provider core and edge routers and customer edge routers.


A hierarchy of fault tolerant, distributed servers, shown in Figure B, can be used in large service provider deployments where redundancy of a “chain of management” is needed. In this architecture, the servers in charge of the lower level domains (Domain 1 – 3) are visible to the server managing the entire environment.

FAULT TOLERANT DISTRIBUTED SERVER ARCHITECTURE

Distributed Viewing and Navigation — CA SPECTRUM OneClick Architecture

The distributed server architecture by itself is not sufficient to manage large networks efficiently. With CA SPECTRUM, this is complemented by a distributed view and navigation paradigm, the CA SPECTRUM OneClick architecture, that allows the operator to seamlessly navigate from one management domain to another. In fact, the operator need not be aware of the fact that they are traversing management domains — all managed entities appear to be part of one uniform workspace. This greatly simplifies navigation as it is not necessary to establish a connection to the “right server” to obtain management information. In addition, all global resources, like VPNs, are shown in a single view. Figure C illustrates this with a simple screen shot. Each of the unique devices under “vpn-red” could be in a separate management domain and monitored by a different Assurance Server.


FIGURE B: This figure demonstrates the use of fault tolerant server pairs in a chain of management. The higher domain servers are in a fault tolerant configuration managing three lower level domains, which are also in fault tolerant configurations.


DISTRIBUTED VIEWING AND NAVIGATION

CA SPECTRUM OneClick architecture is a three-tier, web-based architecture whose central component is a Web server that connects directly to CA SPECTRUM Assurance Servers and delivers information out to distributed Java clients. The CA SPECTRUM OneClick architecture provides the best of both worlds by leveraging the intuitive nature of web-based applications with the scalability and responsiveness of desktop client applications.

Efficient Service Assurance with CA SPECTRUM® Network Fault Manager MPLS VPN Manager (CA SPECTRUM NFM MPLS VPN Manager)

There are two primary techniques to provide service assurance, each having unique strengths and weaknesses. Passive techniques typically require fewer resources to operate, but they provide limited information to the user. Active techniques provide richer information at the cost of increased resources. In order to better serve customer needs, CA SPECTRUM NFM MPLS VPN Manager provides both types of service assurance techniques in its management suite:

• Passive techniques: Trap handling, interface to site rollup

• Active techniques: MPLS-aware VRF Ping and Traceroute

In environments where traps are used, this provides the most resource efficient way to manage these services. Examples include the following traps, which are sent when the VRF changes state:

• VRF interface up

• VRF interface down

As network devices become more capable, there will be increased reliance on active service assurance techniques.

FIGURE C: CA SPECTRUM OneClick architecture provides simplified navigation.


VRF AWARE PING

VRF-aware ping is one of the active service assurance tools available to the CA SPECTRUM user. This is used to monitor not just the health of the devices, but also the service provided by the entire infrastructure. This is accomplished by creating tests at the edge of the network to ensure connectivity between any two points. Typically this is used to ensure that a customer can reach all its sites on a provider’s network. In addition to simple connectivity, these tests may be used to monitor response time between pairs of sites on the customer’s network.

While the VRF-aware ping is a useful tool in managing MPLS VPN environments, judicious use is required to ensure maximum effectiveness. Testing to ensure that all sites in a VPN can reach one another becomes impractical when the number of sites is greater than 50. A full mesh test scenario is an “n squared” problem and would lead to 2,500 tests per test cycle. Large VPNs present even greater capacity limitations.

In order to scale to VPNs with a large number of member sites, CA SPECTRUM offers several techniques and user-definable options to ensure performance and scalability. These are:

• Disable VRF ping completely

• Enable VRF ping per VPN (useful for premium VPN services)

• Enable VRF ping per site

In addition to being able to include or exclude a site in the testing process, CA SPECTRUM allows the user to define what role the site plays in the network. Rarely do all sites in a VPN need to connect directly to all other sites. Instead, a more common scenario is all remote offices need to connect back to servers at the corporate headquarters — greatly reducing the number of tests that need to be provisioned. In addition, common hub and spoke topologies can also reduce the number of tests. Each site communicates with one hub directly instead of with dozens of other sites.

CA SPECTRUM delivers superior flexibility, allowing the user to define the test role of each site. The possible roles include the following:

• Testing Disabled

• Source Testing Role (VPN site is an originator for VRF testing)

• Destination Testing Role (VPN site is the destination for VRF testing)

• Source and Destination Testing Role
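The effect of the per-site roles on test volume can be worked through with a short planner. This is an added example, not CA SPECTRUM code or its API: the `Role`, `Site`, `plan_tests` and `untested_sites` names and the 50-site sample are constructed for illustration. It counts directed source-to-destination pairs and excludes a site testing itself, so a full mesh comes to n(n-1), just under the brief's "n squared" figure.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    # The four per-site test roles listed in the brief.
    DISABLED = "testing disabled"
    SOURCE = "source"
    DESTINATION = "destination"
    BOTH = "source and destination"


@dataclass(frozen=True)
class Site:
    name: str
    role: Role


def plan_tests(sites, vpn_enabled=True):
    """Return the ordered (source, destination) pairs one test cycle would run."""
    if not vpn_enabled:  # VRF ping switched off for this VPN
        return []
    sources = [s.name for s in sites if s.role in (Role.SOURCE, Role.BOTH)]
    dests = [s.name for s in sites if s.role in (Role.DESTINATION, Role.BOTH)]
    return [(src, dst) for src in sources for dst in dests if src != dst]


def untested_sites(sites, plan):
    """Sites that have a testing role but appear in no test (a role misconfiguration)."""
    covered = {name for pair in plan for name in pair}
    return sorted(s.name for s in sites
                  if s.role is not Role.DISABLED and s.name not in covered)


# Constructed sample: one VPN with 50 sites, modelled three ways.
NAMES = [f"site{i:02d}" for i in range(1, 51)]
FULL_MESH = [Site(n, Role.BOTH) for n in NAMES]
HUB_AND_SPOKE = ([Site(NAMES[0], Role.DESTINATION)]
                 + [Site(n, Role.SOURCE) for n in NAMES[1:]])
# Misconfigured: every site originates tests, none is a destination.
NO_DESTINATION = [Site(n, Role.SOURCE) for n in NAMES[:5]]

if __name__ == "__main__":
    for label, sites in [("full mesh", FULL_MESH),
                         ("hub and spoke", HUB_AND_SPOKE),
                         ("no destination", NO_DESTINATION)]:
        plan = plan_tests(sites)
        print(f"{label}: {len(plan)} tests per cycle, "
              f"untested sites: {untested_sites(sites, plan)}")
```

The `untested_sites` check catches the quiet failure mode of role-based plans: a site that is nominally monitored but ends up in no test because no counterpart role exists.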

VRF AWARE TRACEROUTE

VRF Aware Traceroute is the other active service assurance tool available in the CA SPECTRUM NFM MPLS VPN Manager module. Similar to the ping tool that creates end-to-end connectivity tests, this creates end-to-end path tracing tests. These tests are used to determine stability of the core network (MPLS LSPs). For example, one service provider has discovered that if more than 10% of paths are changing in a single cycle, it indicates a critical problem. In their case, the service provider created alarms to highlight whenever that occurs.
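The 10% path-change rule described above can be expressed as a cycle-over-cycle comparison. This is an added example, not the product's alarm logic: the hop-tuple representation, the function names and the sample cycles are constructed, and it assumes a failed trace (`None`) counts as a changed path while a pair with no previous result is not compared.

```python
def path_churn(previous, current):
    """Compare two traceroute cycles.

    Each cycle maps (source, destination) to a tuple of hops, or None when
    the trace failed. Returns (changed_pairs, number_of_pairs_compared).
    """
    common = previous.keys() & current.keys()  # new pairs have no baseline yet
    changed = sorted(pair for pair in common if previous[pair] != current[pair])
    return changed, len(common)


def churn_alarms(cycles, threshold_pct=10):
    """Return (cycle_index, changed_pairs) for each cycle where MORE than
    threshold_pct of the compared paths differ from the previous cycle."""
    alarms = []
    for index in range(1, len(cycles)):
        changed, compared = path_churn(cycles[index - 1], cycles[index])
        # Integer arithmetic so "exactly 10%" never trips on float rounding.
        if compared and len(changed) * 100 > threshold_pct * compared:
            alarms.append((index, changed))
    return alarms


def build_sample_cycles():
    """Constructed sample: 20 provider-edge sites tracing to one hub."""
    hub = "pe-hq"
    baseline = {(f"pe{i:02d}", hub): (f"pe{i:02d}", "p1", "p2", hub)
                for i in range(1, 21)}

    cycle1 = dict(baseline)
    for src in ("pe01", "pe02"):           # 2 of 20 rerouted: exactly 10%
        cycle1[(src, hub)] = (src, "p3", "p2", hub)

    cycle2 = dict(cycle1)
    for src in ("pe03", "pe04"):           # two more reroutes ...
        cycle2[(src, hub)] = (src, "p3", "p2", hub)
    cycle2[("pe05", hub)] = None           # ... plus one failed trace: 15%
    cycle2[("pe21", hub)] = ("pe21", "p1", "p2", hub)  # new site, not compared
    return [baseline, cycle1, cycle2]


if __name__ == "__main__":
    for index, changed in churn_alarms(build_sample_cycles()):
        print(f"cycle {index}: {len(changed)} paths changed -> raise alarm")
        for src, dst in changed:
            print(f"  {src} -> {dst}")
```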


As with VRF-aware ping, VRF-aware Traceroute testing requires thoughtful techniques to ensure performance and scalability since VRF Traceroute creates more network packets for a single test. For this reason this feature offers the same configuration options for each site:

• Testing Disabled

• Source Testing Role (VPN site is an originator for VRF testing)

• Destination Testing Role (VPN site is the destination for VRF testing)

• Source and Destination Testing Role

Reduced Operator Intervention

One of the primary costs of delivering reliable network services to a large customer base is operator expenses. Operator efficiency translates directly to cost savings. For this reason, the CA SPECTRUM NFM MPLS VPN Manager solution offers a number of out-of-the-box capabilities that increase operator productivity, speed time to resolution and ultimately reduce cost. These capabilities include the following:

• Automated service management

• Auto-provisioned server assurance tests

• Seamless cross server navigation

• Collapsing views focusing on desired areas

• Global policy control with local overrides

• Advanced search capabilities

The automated service management capability allows the system to discover and model new MPLS services as new network devices are managed in CA SPECTRUM or as new services are provisioned on existing devices. This greatly reduces the amount of time and effort required for operators to configure the system. In addition, these features may be configured so that service discovery happens only at certain times or to conform to local policies or practices. For example, it may be desirable to limit discovery operations to off-peak hours.

The remaining items in the list provide operator efficiencies in viewing, navigation and searching. These enhancements give operators the tools to work efficiently in numerous large networks. The global policy control is a great asset for managing server policies in a multi server environment. This feature allows an operator to set the policy on a single Assurance Server and push that policy to all other Assurance Servers. Examples of the types of attributes which may be set include:

• Enable Dynamic Discovery

• Enable Trap-based management

• Enable Port Polling on PE routers

• Model Inactive VPNs

• Enable VRF Ping / Set Polling Interval / Set Timeout

• Enable VRF Trace / Set Polling Interval / Set Timeout

• Enable Cross Server Service Assurance


In addition, the global policy control allows operators, with the appropriate privilege, to override a global setting and enact local policies for their management domain where conditions require.

Reduced Network Traffic

Although the cost of network bandwidth on a per bit basis continues to decrease, service providers will attest that it is still far from free. For this reason it is necessary to ensure that operations and management activities consume as little network bandwidth as possible. There are a number of advanced features in CA SPECTRUM that give operators greater control over the allocation of management bandwidth. These features include:

• Flexible Polling Options
  – Per device class
  – Per device type
  – Per device
  – Per interface

• Trap-based Service Monitoring

The flexible polling options allow these activities to be focused exactly where they are needed. The trap-based service monitoring reduces polling requirements significantly by providing a way to quickly detect changes in VPN service. These changes could be:

  – New VRF provisioned
  – An existing VRF has been reactivated
  – A VRF has been deactivated
  – A VRF has been deleted

Multi Vendor Management

CA SPECTRUM is designed to support the management of intelligent network devices in a multi platform, multi vendor environment. CA SPECTRUM multi vendor support has included an impressive list of leading and emerging vendors that span the networking industry. This list includes:

• Cisco Systems

• Juniper Networks

• Nortel Networks/Bay Networks/Synoptics

• Alcatel-Lucent

• Cabletron/Enterasys/Riverstone Networks

• 3Com

• Foundry Networks


CA SPECTRUM — Designed for Service Assurance

CA understands the concerns of the service provider — scalability, availability and cost control — and provides the capabilities within CA SPECTRUM to meet these requirements so that premium services can be competitively offered.

CA SPECTRUM distributed architecture provides the scalability to manage thousands of devices, ports and services. CA’s platform-independent approach assures the ability to support the multi vendor environment found in large service provider networks and in their customer networks.

The distributed fault tolerant architecture of CA SPECTRUM is a key part of the service assurance that is essential for premium service offerings. Active tests for end-to-end connectivity and response testing go one step further in maintaining quality service.

Reduced operator costs through automation, advanced techniques for viewing, navigation and searching, and global policy control are just some of the ways that the CA solution enables premium services to be offered at a reasonable cost, keeping your business profitable and competitive.

CA SPECTRUM has a long history in large-scale distributed network and service management. The CA SPECTRUM NFM MPLS VPN Manager builds on this foundation and extends the capability to handle the largest service provider and enterprise networks where MPLS VPNs exist. This advanced capability is one member of a large and growing family of complementary management applications in the CA SPECTRUM suite, which includes modules such as:

• Service Manager

• Network Configuration Manager

• Report Manager

The single goal of this family of applications is to minimize the operational expenses of managing large, complex networks. This is accomplished by automating the tasks associated with network, systems and applications management and allowing the management staff to visualize and monitor their network at a higher level.

The CA SPECTRUM team continues to focus on developing advanced management tools with the aim to unify and simplify management operations.

To learn more about the CA SPECTRUM architecture and technical approach, visit ca.com/spectrum


CA, one of the world’s largest information technology (IT) management software companies, unifies and simplifies complex IT management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.


Learn more about how CA can help you transform your business at ca.com