Technical White Paper for VPN Manager

Huawei Technologies Co., Ltd.

Table of Contents

1 Preface
2 Introduction to the VPN Manager Solution
  2.1 MPLS VPN Concept
  2.2 VPN Manager Solution
  2.3 VPN Manager Architecture
    2.3.1 Product Orientation
    2.3.2 Software Architecture
3 Key Features of the VPN Manager Solution
  3.1 Whole-Process Service Management
    3.1.1 Service Planning
    3.1.2 Automatic Discovery of Services
    3.1.3 Service Deployment
    3.1.4 Service Audit
    3.1.5 Service Monitoring
  3.2 Perfect Client Management
  3.3 Unified Management of Various VPNs
    3.3.1 BGP/MPLS VPN Service
    3.3.2 VPLS Service
    3.3.3 Martini Service
  3.4 Powerful System Integration Capability
4 Typical VPN Manager applications
  4.1 VPN Service Support
  4.2 VPN Service Fulfillment
  4.3 VPN Service Maintenance
5 Conclusion
Appendix Abbreviations

Copyright 2007 Huawei Technologies Co., Ltd. All Rights Reserved. http://www.huawei.com/products/datacomm/

Abstract: VPN Manager is a service tool that helps operators release, deploy, secure, and monitor the MPLS VPN service. In addition, the tool performs VIP customer management in the related field. This technical white paper describes the key features and typical use cases of the VPN Manager.

Key words: MPLS VPN, LSP, VPN Manager, OSS

1 Preface

Multi-Protocol Label Switching (MPLS) technology was designed to improve the switching performance of routers. Because it performs well in traffic engineering and in the VPN field, MPLS is now becoming an important method for providing value-added services in the IP network. It provides security-based and QoS-based corporate association and service isolation for customers. On the one hand, MPLS VPN technology helps customers set up end-to-end communications between different areas of their corporations. The massive equipment and line investment of the traditional DDN/FR network is saved, and the network can be expanded easily and cost-effectively. On the other hand, MPLS VPN technology can provide customers with the same service quality, such as security, confidentiality and QoS, as the traditional network, in addition to the connection service. Besides the data communication service, operators can provide more IP value-added services such as content consignment, VoIP and multimedia services to users.

Currently, the MPLS VPN service is becoming the main service of the operators' bearer networks. As society and the economy develop, the expansion of corporate services and the growth of corporate branches will boost the development of MPLS VPN technology. The VIP service, with the corporate VPN as its highlight, brings operators considerable profit and challenges their service capability. As service products differ less and less in quality, operators are shifting their competitive focus from technology to service. Telecom corporations should innovate in quality, differentiation and featured customization when marketing to VIP customers. Operators should purchase high-performance hardware to suit the development of the MPLS VPN service and deploy relevant service platforms to meet customer requirements for quick service deployment, quick location of damaged services, continuous monitoring and featured self-service. In the special management environment of some operators, the MPLS VPN service platform should have good interconnection capability so that it can be integrated into the operator's current OSS or BSS system.

VPN Manager is a service tool that helps the operators to release, deploy, secure, and monitor the MPLS VPN service. In addition, the tool performs the VIP customer management in the related field. When the VPN Manager is deployed, the VPN service quality of the operator customers can be improved and the OPEX can be reduced effectively.

2 Introduction to the VPN Manager Solution

2.1 MPLS VPN Concept

An important application of MPLS is to construct VPNs. In combination with the MPLS TE technology, MPLS can provide powerful QoS capability in addition to all the original functions of the VPN network. It features high reliability, high security and powerful management and expansion capabilities. By extension mode, MPLS VPNs fall into MPLS VPNs based on BGP extension and VPNs based on LDP extension. By whether the PE equipment participates in VPN routing, MPLS VPNs fall into MPLS L2 VPN and MPLS L3 VPN (BGP/MPLS VPN).

Figure 2-1 MPLS VPN structure

As shown in the above figure, various VPN sites are connected via CEs to PEs in the service provider's MPLS network. The local PE establishes an LSP tunnel with the remote PE via the extension mechanism so as to complete private transmission of data and form the VPN. The MPLS VPN has the following features:

Easy management: The network-based VPN can be completely implemented by the backbone network. Various subscribers can trust VPN management to the backbone network management organization. The end users do not sense the existence of other networks at all, just as if they were on a physically independent service network. Users do not need to know how the VPN is constructed and connected.

Good expandability: With the use of two layers of labels, the P equipment does not need to know the VPN information and there is no need to make special configuration for the P equipment during network expansion. It is very easy to expand network nodes and the network has good scalability. Moreover, only one network is needed to provide various services such as MPLS L2 VPN, BGP/MPLS VPN and IP data, and diversified customer needs can be satisfied by use of the MPLS-related enhanced technology.

Security: Packets are exchanged through label forwarding in the MPLS domain composed of network nodes, so they have the same security level as ATM/FR virtual circuits.

QoS: MPLS mechanisms such as CoS, RSVP and traffic engineering can be used to implement VPNs with guaranteed QoS for customers.

2.2 VPN Manager Solution

MPLS VPN services have a broad market prospect, but their operation places higher requirements on the management of IP networks. The network management of MPLS VPNs involves customer management, VPN service management, network management, equipment management and other management functions. Manual management can easily cause configuration errors, which are hard to detect once they occur. Moreover, it makes service monitoring and fault location hard to implement. Manual management cannot effectively manage VPN customers, has low management efficiency and cannot satisfy ever-increasing service requirements. Therefore, MPLS VPN services need an effective VPN network management solution.

According to TMN and TMF specifications, the VPN network management system (NMS) should be able to provide abundant management functions that cover resource management, service management, customer management and other fields. It should provide the following functions:

Accept service orders, implement network planning, generate service requests and complete the deployment of services.

Maintain network data and monitor network performance and faults.

Make service correlation analysis of network performance and faults so as to provide original data for service faults.

Provide web-based customer network management (CNM) to offer a means for VPN customers to monitor the VPN.

The following figure depicts the position of the VPN NMS in the operation system. The VPN NMS is oriented to managing the MPLS VPN network and implementing the seamless integration of customer management, service deployment, performance monitoring and fault monitoring. It is a management tool for service providers to carry out MPLS VPN services.

Figure 2-2 Position of the VPN NMS in the operation system

2.3 VPN Manager Architecture

2.3.1 Product Orientation

VPN Manager is an important component of the iManager NSM IP network service management system. It provides the function to manage three typical VPN services: BGP/MPLS VPN, VPLS and Martini. It can implement MPLS VPN service management for Huawei equipment and some equipment of other vendors and provide the support for the Telecommunications Network OSS (Operation Support System). The following figure shows the general product form:

Figure 2-3 Product form of VPN Manager

F: Fulfillment A: Assurance E: EMS (Element Management System)

2.3.2 Software Architecture

The VPN Manager adopts a multi-layer structure to maximize expandability, redundancy and robustness. The multi-layer structure also guarantees that the system can be deployed in a standalone or integrated manner and conforms to the carrier-class system architecture. The layers are the customer layer, the interface layer, the control layer and the collection layer. This open architecture enables the VPN Manager to provide good expandability and conveniently manage the equipment of various vendors through OSS integration.

Customer layer: web-based graphical user interfaces (HTTP to the web server) or Java applications.

Interface layer: provides external interfaces. The interface modes include the private ASN message mechanism, CORBA mechanism, CLI invocation mechanism, SOAP/XML mechanism and SNMP mechanism.

Control layer: provides inventory management, network management, service management and fault management; implements the performance management and dispatching mechanism.

Collection layer: the data collection layer supports distributed deployment and is used to collect equipment data and interact with the NMS and equipment.

Figure 2-4 VPN Manager architecture

3 Key Features of the VPN Manager Solution

3.1 Whole-Process Service Management

The VPN Manager can provide complete management in all phases of the service life cycle, from VPN service planning to service deployment and service assurance (including audit, monitoring and maintenance). It can effectively reduce the complexity of the service provider's management.

3.1.1 Service Planning

The VPN Manager completes VPN service planning through graphical and wizard-like operations. Under the guidance of the wizard, users select the equipment and interface for fulfilling the service and input the relevant VPN parameters to quickly generate a service request. The VPN Manager also provides the function to design service policies. Service policies are designed by advanced users, who place the configuration parameters that are the same throughout a VPN in the policies. The operator responsible for service fulfillment can apply a policy to a specific service request, which spares the operator the tedious task of entering individual parameters. Service policy management can guarantee the accuracy of service request definition to some extent and also simplifies the process of service request definition.

VPN service configuration is complex, and incorrect configuration may easily cause network problems such as route flapping, so the correctness of a service should be guaranteed before the service is deployed. The VPN Manager can implement a basic check of the user-configured VPN parameters during the service planning process, so as to guarantee the validity of services as far as possible. It can generate three kinds of topological views for each service request: the network view (expresses the physical connection relations of the VPN network), the VPN view (expresses the logical connection relations of the VPN network) and the customer view (expresses the connectivity among customer sites). These views can be used to check whether the service request expresses the expected service and to avoid service deployment errors, thus improving the efficiency of service fulfillment.
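The parameter check and customer view described above, as an added example that is not VPN Manager code: it derives site-to-site route flow from the planned import and export RTs of a BGP/MPLS VPN request and flags route flow between different customers, one-way connectivity, unmatched sites and an RD reused across customers. The VrfPlan record, the extranets parameter, the simplified RD/RT syntax and all sample values are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from itertools import permutations

# Simplified syntax: "ASN:number" or "IPv4:number" (an assumption, not a vendor-exact rule).
RT_RD_RE = re.compile(r"^(\d{1,10}|\d{1,3}(\.\d{1,3}){3}):\d{1,10}$")


@dataclass(frozen=True)
class VrfPlan:
    """One planned VPN instance on a PE (hypothetical record, not a VPN Manager type)."""
    pe: str
    site: str
    customer: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset


def vrf(pe, site, customer, rd, imports, exports):
    """Convenience constructor that freezes the RT sets."""
    return VrfPlan(pe, site, customer, rd, frozenset(imports), frozenset(exports))


def routes_flow(src, dst):
    """dst installs src's routes when it imports at least one RT that src exports."""
    return bool(src.export_rts & dst.import_rts)


def customer_view(plans):
    """Directed route flow implied by the RTs, as (source_site, learning_site) pairs."""
    return {(a.site, b.site) for a, b in permutations(plans, 2) if routes_flow(a, b)}


def check_request(plans, extranets=frozenset()):
    """Return sorted (severity, message) findings for a planned service request.

    extranets holds frozensets of two customer names that may exchange routes.
    """
    findings = set()
    by_site = {p.site: p for p in plans}
    flows = customer_view(plans)

    for p in plans:
        for value in (p.rd, *p.import_rts, *p.export_rts):
            if not RT_RD_RE.match(value):
                findings.add(("error", f"{p.site}: malformed RD/RT '{value}'"))

    # An RD shared by two customers lets overlapping prefixes collide as VPN-IPv4 routes.
    rd_owner = {}
    for p in plans:
        owner = rd_owner.setdefault(p.rd, p.customer)
        if owner != p.customer:
            findings.add(("error", f"RD {p.rd} used by both {owner} and {p.customer}"))

    for src, dst in flows:
        a, b = by_site[src], by_site[dst]
        if a.customer != b.customer:
            if frozenset((a.customer, b.customer)) not in extranets:
                findings.add(("error", f"isolation: {dst} ({b.customer}) "
                                       f"would learn routes of {src} ({a.customer})"))
        elif (dst, src) not in flows:
            findings.add(("warning", f"one-way: {dst} learns {src} but not the reverse"))

    connected = {site for pair in flows for site in pair}
    for p in plans:
        if p.site not in connected:
            findings.add(("warning", f"{p.site}: no RT match with any other site"))
    return sorted(findings)


# Constructed sample request: customer "Acme" is a full mesh on RT 65000:100;
# customer "Bolt" uses RT 65000:200, but one site also imports Acme's RT by mistake.
SAMPLE = [
    vrf("PE1", "acme-hq", "Acme", "65000:1", {"65000:100"}, {"65000:100"}),
    vrf("PE2", "acme-branch", "Acme", "65000:2", {"65000:100"}, {"65000:100"}),
    vrf("PE1", "bolt-hq", "Bolt", "65000:3", {"65000:200"}, {"65000:200"}),
    vrf("PE3", "bolt-plant", "Bolt", "65000:4", {"65000:200", "65000:100"}, {"65000:200"}),
]

if __name__ == "__main__":
    for severity, message in check_request(SAMPLE):
        print(f"{severity:7} {message}")
```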

3.1.2 Automatic Discovery of Services

The VPN Manager provides automatic discovery of services. It can restore the MPLS VPN service already running in the network into service requests in the NMS so as to uniformly manage and monitor the service along with the other newly created services.

In the process of automatic discovery, the VPN Manager reads the equipment information and can compute the VPN service information in the network with little participation of the administrator. It can directly restore the configuration commands on the equipment into the service requests visible in the NMS. The automatic discovery of services does not change the current configuration in the equipment.

3.1.3 Service Deployment

The VPN Manager provides two service deployment modes: manual and scheduled. Users can customize task deployment so that the system may issue the service at a time when the traffic is light (e.g. before dawn). This avoids the deployment of new services at traffic peak time and thus spares the impact on the network and existing services. The administrator may view the task execution state in the task log on the next day.

The VPN Manager also supports the deployment and removal command preview function. Users can view the command sections to be issued to the equipment before the deployment, so that no service will be removed mistakenly.

3.1.4 Service Audit

In order to guarantee the deployment of customer services, the VPN Manager can implement configuration audit and connectivity audit on the services already deployed. It can check the integrity of the configuration commands on the equipment and the end-to-end connectivity of the VPN. When the audit finds a problem, the VPN Manager creates a customer alarm and a VPN alarm to inform the operator of the affected customers. The VPN Manager can also highlight the logical connections between customer sites on the topological view so that users may conveniently check the connectivity between sites.

3.1.5 Service Monitoring

The alarm management module of the VPN Manager converts equipment alarms into service alarms for users. When an equipment alarm occurs (interface up/down), the VPN Manager analyzes whether the NE alarm influences the current services and generates a customer alarm and a VPN alarm, notifying the maintenance staff so that they can locate and solve the problem in time. Fault information can be correlated with the topology and service list so that the network O&M staff can quickly locate network faults. The VPN Manager also provides abundant alarm management functions including alarm regrading, alarm knowledge base, alarm saving, alarm dumping, alarm notification, alarm acknowledgement, alarm filtering and alarm reporting. It can complete alarm-to-Email, alarm-to-SM and other functions according to the user's settings.

The performance management module of the VPN Manager provides the functions to collect, display, count and report the performance and traffic data. The performance data include the CE-PE delay, PE-PE delay, CE-CE delay, jitter and traffic data. By analyzing the performance data, the administrator can more clearly learn the running state of the network and thus help implement network planning and optimization. All the collected data can be presented in the form of reports to users and provide a valuable reference for users to plan their networks.

The topology management module of the VPN Manager provides multiple views for users. Among them, the network view indicates the physical connections of the VPN, the VPN view indicates the service state and the logical connections of the VPN and the customer view indicates the connectivity among customer sites. The topological view can show service alarms in real time and thus help users monitor the entire VPN network.

3.2 Perfect Client Management

As VPN services are oriented to customers, the VPN Manager provides abundant customer management functions including the management of customer information such as customers, sites and CEs. Every VPN is associated with customers. Users are allowed to view customer-related information (e.g. resources, services, topology, alarms, etc.) from the customer's perspective, so as to provide services of higher quality to customers according to the running state of network resources.

The VPN Manager can also output service lease reports, resource lease reports, performance data reports, traffic data reports, failure data reports and other reports for customers, which help service providers and VPN customers learn the service running state and thus improve the customer satisfaction of service providers.

3.3 Unified Management of Various VPNs

MPLS VPNs can be constructed flexibly. Different VPN technologies may be adopted to satisfy different customer needs and different application scenarios. The diversity of networking technical solutions requires that the VPN NMS should be able to manage multiple solutions. The VPN Manager can manage both L2 VPNs (including the IETF VPLS and Martini modes popular in the industry) and L3 VPNs. This satisfies the service provider's requirements for multiple networking modes and centralized service management. The VPN Manager provides the following VPN management abilities:

3.3.1 BGP/MPLS VPN Service

VPN service management: Support VPN instance configuration and setting the important attributes such as instance name, RT, RD and route threshold. Support PE-CE routing protocols such as static routing protocols, BGP, RIP and OSPF. Support numerous interfaces such as ATM, POS, Serial and Ethernet. Support networking modes such as Intranet and Extranet.

CE management: Support two CE management modes: inband and out-of-band. CE inband management is implemented via VPN management.

Automatic allocation of resources: The RTs, RDs, VLAN IDs and IP addresses to be used in the service process can be defined to implement automatic allocation of resources according to the predefined plan.

Inter-AS service management: Provide two inter-AS VPN management modes: VRF-to-VRF and MP-EBGP.

Template configuration: Support the basic configuration of equipment based on templates during the service process and support using system variables in the templates.

Inter-AS configuration: Provide two kinds of inter-AS configuration: Option A and Option B.

3.3.2 VPLS Service

VPN service management: Support two signaling modes of VPN instances: BGP and LDP.

Support hierarchical VPLS: The VPN Manager is applicable to large-scale VPLS networks and can lower the load of signaling protocols and data packet duplication through hierarchical connections.

H-VPLS service dual-homing: Two PWs can be established between one UPE and two NPEs so as to implement service backup.

Automatic allocation of resources: The RTs, RDs, VSI IDs and other resources to be used in the service process can be defined to implement automatic allocation of resources according to the predefined plan.

Template configuration: Support the basic configuration of equipment based on templates during the service process and support using system variables in the templates.

3.3.3 Martini Service

VPN service management: Support multiple encapsulation modes: Ethernet, ATM, VLAN, FR, PPP, HDLC, etc. Support Martini services of heterogeneous interworking. Support automatically creating connections between sites according to the site role, so as to solve the point-to-point network N^2 problem.

Automatic allocation of resources: The VLAN IDs, VCs and other resources to be used in the service process can be defined to implement automatic allocation of resources according to the predefined plan.

Template configuration: Support the basic configuration of equipment based on templates during the service process and support using system variables in the templates.

3.4 Powerful System Integration Capability

VPN service providers may also need to manage various NE equipment in the network in addition to managing MPLS VPN services. The VPN Manager can be integrated with Huawei iManager N2000 EMS for the administrator to manage the network from the NE layer and service layer, which reduces the service provider's investment in NMS hardware.

The VPN Manager provides the CORBA northbound interface, which makes possible secondary development or the access to higher-layer systems (e.g. OSS) and enables the automation and intelligence of telecom operation.

4 Typical VPN Manager applications

Careful planning is needed before the deployment of the VPN Manager solution. The VPN Manager can manage PE equipment, PE-CE links and CE routers. In general, CE routers are the customer's equipment and service providers cannot manage them. In that case, the VPN Manager can be adopted to manage the PE directly via the MPLS core network. This management mode is simple and requires no special treatment, as shown in the following figure.

Figure 4-1 VPN Manager networking

The VPN Manager provides two modes for managing CEs: inband and out-of-band. A special management VPN is needed in the case of inband management to add CE equipment to its management scope. The NMS, as the hub of this VPN, may access any CE equipment. For out-of-band management, an additional IPv4 link must be added between PE and CE so that the CE can be accessed via the public network. These two modes have both merits and shortcomings and are selected according to the actual networking needs.

The VPN Manager provides a complete solution for operation and maintenance of VPN services. After being deployed, it can undertake all jobs from service planning to routine maintenance of VPN services.

4.1 VPN Service Support

VPN service support enables global planning of the MPLS network and completes the basic configuration needed for network equipment to bear VPN services. It is the precondition for subsequent service deployment and assurance. VPN service support includes:

Network inventory: The VPN Manager provides a resource manager to manage all resources in the network. It can quickly configure and browse the utilization of resources in the whole network and this helps resource planning and reasonable configuration. It can manage PE and CE equipment resources in a centralized manner, including equipment, physical interface and logical interface resources. Moreover, it supports automatic discovery of available resources on the network equipment and users can manually or regularly synchronize the data on the equipment.

Enable VPN: The VPN Manager can complete global planning of the network, including starting the MPLS of PE equipment and the corresponding VPN service functions such as planning the adjacency of LDP and ACL policies. For a network, the configuration only needs to be performed once before the first fulfillment of services. The VPN services can be enabled through the template configuration tools and the predefined templates of the NMS itself.

Resource pool management: Resource pool management includes RD resource pool management, RT resource pool management, IP address pool management and VC ID pool management. It can uniformly manage the service resources related to MPLS VPN and improve the automation of service definition so as to implement unified management and automatic allocation of service resources.

4.2 VPN Service Fulfillment

Wizard-Like Service Planning: The administrator can use the wizard-like service fulfillment tool provided by the VPN Manager to fulfill VPNs for customers according to the customer orders. Service policies can be applied in the service planning process to greatly simplify the service definition process.

Service Preview: After the service planning is completed, users can preview the planned services: check the network topology connections or interpret the configurations (restore the equipment configuration commands into the topology map) to check the correctness of service planning.

Service deployment: The administrator can manually deploy services or deploy VPN services by using the time-based deployment policies provided by the VPN Manager. The failure cause can be analyzed in the event of service deployment failure to offer a reference for the administrator.

4.3 VPN Service Maintenance

VPN service support enables global planning of the MPLS network and completes the basic configuration needed for network equipment to bear VPN services. It is the precondition for subsequent service deployment and assurance. VPN service support includes:

Provides the history of service requests for users to view all detailed operation records of the services.

Provides the service configuration audit function to monitor the addition/removal of service configurations.

Provides the connectivity audit (L3VPN) and PW audit (L2VPN) functions to monitor the connectivity of services.

Converts NE faults into customer alarms and VPN alarms to notify users according to the influence of these faults on services.

Provides traffic and SLA monitoring tools to monitor the network traffic and class of service.

Provides resource reports, fault reports, performance reports and other kinds of reports that can be generated at scheduled times.

5 Conclusion

With the development of MPLS VPN technologies, more and more service providers use them to provide services. However, the network scale and service complexity pose great challenges to the management of MPLS VPNs. The VPN Manager provides a complete solution for operation and maintenance of MPLS VPN services and creates value for users in the following aspects:

Quick service fulfillment. The VPN Manager provides the service policy function, which simplifies the user's definition of services and has become an important criterion for carriers to select the NMS when the network scale keeps growing.

Abundant service management functions to manage numerous VPN services. The VPN Manager can manage both L3 VPN and L2 VPN and provides a series of networking solutions to address common user requirements. Users can flexibly apply these solutions during practical service deployment.

Unified management platform to facilitate carriers' centralized management. The VPN Manager can be seamlessly integrated with element management of the DMS. It can implement unified resource management, alarm management, topology management and performance management, thus reducing carriers' cost in deploying hardware.

Quick troubleshooting and realtime performance monitoring help improve the VPN service quality. The VPN Manager provides the service alarm function, which helps quickly locate the influenced customers and VPNs and remove the trouble in time. The realtime performance monitoring function enables carriers to learn the QoS of the network well and thus better improve customer satisfaction.

Appendix A Abbreviations

Abbreviation/Acronym    Full Spelling
LSP                     Label Switching Path
MPLS                    Multi Protocol Label Switching
VPN                     Virtual Private Network
DMS                     Datacom Network Management System
VPLS                    Virtual Private LAN Segment
QoS                     Quality of Service
