Service Providers and Enterprise: The Battle of Outsourcing Versus Do-It-Yourself


An increasing number of organizations are moving toward an outsourced model, commonly referred to as a managed service, for their IT and/or network operations requirements. An important driver for outsourcing to a service provider or subscribing to a managed service is cost reduction. The main technical motivation for an enterprise to subscribe to a Layer 3 MPLS VPN service has been to better manage the hub and spoke topology common in enterprise networks, where scaling is a major concern and further adds to management complexity. In fact, an analysis of customer traffic indicates that the vast majority of traffic still flows hub to spoke in an MPLS network. Most major applications tend to reside in one or two large HQ-operated data centers. The trend toward distributed applications that was in vogue some years ago has now reversed toward centralized operation. MPLS networks are easier to manage, and additions, deletions, and changes to VPNs are simpler than on traditional point-to-point networks such as Frame Relay.

Service providers are well placed to address this market using MPLS technology because of the economies of scale. A service provider can use MPLS technology to offer multiple services to multiple customers due to the peer model constructs (as opposed to the expensive overlay model associated with Layer 2 networks). Additionally, the service provider can extend the range of services provided by offering QoS and multicast support. Finally, as customers deploy applications that require an any-to-any topology, and not hub and spoke (for example, VoIP), using MPLS technology enables service providers to support any-to-any topologies.

Secondary benefits are that Layer 3 MPLS VPNs are generally easier to manage, because the management is outsourced to the service provider, and that Layer 3 MPLS VPNs provide higher availability, because they do not depend on a hub as a single point of failure. A Layer 3 MPLS VPN service offering can support CoS options via the implementation of differentiated services, which is further discussed in Chapter 10. Layer 3 MPLS VPNs also enable data segregation for security reasons, for example following acquisitions and mergers.

Do-It-Yourself

Total cost of ownership (TCO) is usually more attractive with a managed service, because a DIY deployment typically means that the enterprise customer must invest capital up front. By employing a managed service based on Layer 3 MPLS VPN, these assets can be reduced, resulting in an increase in near-term cash flow. However, some enterprise customers might subscribe to a hybrid service, often packaged by the service provider as an "unbundled" service. An example of a hybrid service is one where the enterprise owns and manages the customer edge devices, while the service provider furnishes the Layer 2 transport infrastructure. In the hybrid model, the enterprise customer retains control over its edge domain.

The main motivation to implement or migrate WAN service to Layer 3 MPLS VPN in a DIY model is that the cost of the overall service (equipment and management) is lower than that of Frame Relay.

Some enterprise organizations and government entities have sensitive data security policies that dictate such an internal deployment model. Other large multinational enterprises behave as an internal "service provider" to their own departments, subsidiaries, and third-party partners, using MPLS to develop and deploy services. Some large enterprises with global WAN connectivity are considering MPLS to simplify management and provide services, such as Layer 3 MPLS VPN or traffic engineering, while being challenged to reduce recurring WAN connectivity costs.

One consideration when weighing a DIY implementation against a managed service is whether the enterprise customer requires full control and end-to-end security. You also must answer the following questions: What is the maximum time that enterprise IT staff need to detect, diagnose, and restore a network and service problem? How much of the downtime experienced by the enterprise customer is attributable to configuration errors? How much staff does the enterprise organization need to deploy these services? With pressure to focus on mission-critical applications and demonstrate operating efficiency, enterprise customers might consider a managed service a viable option.

Enterprise Segmentation

Why segment the enterprise network? The main driver is security; that is, to mitigate worms and provide virus containment that reduces global service impact. Three types of VPNs for enterprise segmentation are as follows:

  • Server VPNs: For business-critical applications

  • User VPNs: For standard production

  • Global VPNs: For guest access and VoIP

Enterprise virtualized network services include firewalls, intrusion detection, VPN service modules such as IPSec, and load balancers. VLAN "awareness" also comprises an enterprise virtualized network service. So, when exploring enterprise segmentation requirements, it is important to note which capabilities will be applied to the designated service segments, as illustrated in Figure 1-3.

Figure 1-3. Enterprise Virtualized Network Services


Traditionally, the most common approach to designing campus networks has been one that is both hierarchical and modular. Hierarchy is defined by the network roles assigned from the center of the network toward the edge: core, distribution, and access. Modularity is defined by grouping distribution switches to provide modular access to the core for entire physical areas of the network.

One key element in providing scalability and high availability in a campus network is limiting the reach of Layer 2 failure domains by deploying a Layer 3 (routed) core and distribution, which keeps the surrounding Layer 2 domains isolated from each other in terms of failure propagation. The net result of this type of design is a network that leverages IP routing in its core and bridging toward its edge. The proportion between the size of the Layer 2 and Layer 3 domains is debatable, with some engineers advocating the use of Layer 3 switching everywhere (even in the wiring closet) and others preaching the benefits of using Layer 2 switching over most of the network, with the exception of the core.

Central Services with an Enterprise Campus

One of the most important aspects of deploying Layer 3 MPLS VPNs in a campus is that every VPN can utilize services and policies that are centrally available yet private to each VPN. Thus, by defining the VPN routing such that there is a single point of access into and out of the VPN, security policies that used to be distributed across the campus, and were therefore hard to manage, can now be enforced at this single point of access, which is much simpler. The method also allows different VPNs to share a common firewall appliance that provides individualized policies by associating a separate virtual firewall with each VPN.

The key to centralizing services in the campus is to provision the routing within each VPN in such a way that a single, common point of ingress and egress exists among all of them. In service provider terms, this equates to the Internet; in campus terms, this may or may not be associated with the Internet (it generally is).

Thus, the Internet is a transit zone for VPNs to communicate with each other. To reach this transit zone, all traffic must go through a firewall where security policies are enforced. Services could reside in the transit zone, although if the transit zone is actually the Internet, an extra firewall is required and services should be placed in a services VPN. Note that the firewalls are actually inserted outside each VPN (on the VLAN that is mapped to the VPN), so at this point the configuration is equivalent to a traditional IP routing problem between different networks that have a firewall at the head-end.
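In a Layer 3 MPLS VPN, which VRFs exchange routes is governed by route-target (RT) import and export policy, so the "single point of ingress and egress" described above is in practice an RT plan in which each VPN imports only the transit VRF's RT. The following is an added example, not code from the book: a small Python model of that plan for the three segmentation VPNs named earlier (Server, User, Global) plus a transit VRF, together with a check that flags any direct VRF-to-VRF route leak that would bypass the firewall in the transit zone. VRF names and RT values (the 65000:x family) are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    name: str
    export_rt: frozenset  # RTs attached to the routes this VRF advertises
    import_rt: frozenset  # RTs this VRF accepts into its routing table

def learns_from(vrfs):
    """Directed route-learning graph: a -> {b, ...} when a imports an RT that b exports."""
    return {a.name: {b.name for b in vrfs if b is not a and a.import_rt & b.export_rt}
            for a in vrfs}

def direct_leaks(vrfs, transit):
    """Ordered pairs (a, b) where VRF a learns VRF b's routes without the transit VRF in
    between. Each pair is a forwarding path that never traverses the transit-zone firewall."""
    graph = learns_from(vrfs)
    return sorted((a, b) for a, peers in graph.items() if a != transit
                  for b in peers if b != transit)

def central_services(transit="TRANSIT", vpns=("SERVER", "USER", "GLOBAL"), extra_imports=()):
    """Constructed RT plan (illustrative values, not the book's): the transit VRF exports
    65000:100 and imports every spoke RT; spoke VPN number i exports 65000:i and imports
    only the transit RT. extra_imports is a list of (vrf, rt) pairs used to model a
    misconfiguration that adds an import a VRF should not have."""
    hub_rt = "65000:100"
    spoke_rt = {v: f"65000:{i}" for i, v in enumerate(vpns, start=1)}
    extra = {}
    for vrf, rt in extra_imports:
        extra.setdefault(vrf, set()).add(rt)
    vrfs = [Vrf(transit, frozenset({hub_rt}),
                frozenset(spoke_rt.values()) | frozenset(extra.get(transit, ())))]
    for v, rt in spoke_rt.items():
        vrfs.append(Vrf(v, frozenset({rt}), frozenset({hub_rt}) | frozenset(extra.get(v, ()))))
    return vrfs

# Correct central-services plan: every spoke sees only the transit VRF.
CLEAN = central_services()
# Misconfiguration: the USER VRF also imports the SERVER RT, so User hosts reach the
# Server VPN directly and the firewall policy at the transit zone is bypassed (one way).
LEAKY = central_services(extra_imports=[("USER", "65000:1")])

if __name__ == "__main__":
    print(direct_leaks(CLEAN, "TRANSIT"))   # []
    print(direct_leaks(LEAKY, "TRANSIT"))   # [('USER', 'SERVER')]
```

The leak in the second plan is asymmetric (only USER learns SERVER routes), which is exactly the kind of one-directional bypass that is easy to miss when reviewing VRF configurations by eye.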




MPLS and Next-Generation Networks: Foundations for NGN and Enterprise Virtualization
ISBN: 1587201208
Year: 2006
Pages: 162
