Managing Vpns, Ca

TECHNOLOGY BRIEF: MANAGING VPNS WITH CA SPECTRUM

How Service Providers can Offer Premium Services and Increase Revenue by Effectively Managing VPNs

Table of Contents

Executive Summary

SECTION 1: CHALLENGE
The Challenges of Managing Service Provider Networks
• Managing Thousands of Devices
• Managing a Myriad of Services
• Managing International Operations
• Managing Equipment from Multiple Vendors

SECTION 2: OPPORTUNITY
The CA SPECTRUM® Opportunity
• Distributed Server Architecture
• Fault Tolerant Architecture
• Distributed Viewing and Navigation — OneClick Architecture
• Efficient Service Assurance
• Reduced Operator Intervention
• Reduced Network Traffic
• Multi-Vendor Management

SECTION 3: BENEFITS
CA SPECTRUM — Designed for Service Assurance

SECTION 4: CONCLUSIONS

ABOUT CA

Copyright © 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Executive Summary

Challenge

Service providers are rapidly rolling out managed Virtual Private Network (VPN) services, including MPLS VPNs, which enable carriers to offer differentiated levels of service commensurate with customer needs. One of the concerns that carriers face is how to effectively manage these large scale networks to ensure that customers are receiving the level of service for which they have contracted. Factors adding to the complexity of managing MPLS VPNs include:

• Managing thousands of devices
• Managing a myriad of services
• Managing international operations
• Managing equipment from multiple vendors

Opportunity

CA SPECTRUM® Network Fault Manager is suited to manage these challenges while increasing operator efficiency and lowering costs. CA SPECTRUM provides advanced tools and policies that are essential to delivering reliable, scalable and profitable VPN services. CA SPECTRUM provides a distributed, fault tolerant architecture built to support the world’s largest service provider networks offering complex services over network equipment spanning hundreds of different vendors. CA SPECTRUM also provides an efficient services architecture to proactively monitor the health of service delivery from edge to edge, and provides efficient dashboard views into service quality. With all of its capabilities, CA SPECTRUM gives service providers the opportunity to increase revenue through differentiated services and offers.

Benefits

CA SPECTRUM can manage the complexities of MPLS VPN services, enabling service providers to take advantage of this growing market opportunity. Using a combination of historical performance data and real-time monitoring and assessment, along with a distributed and fault tolerant architecture, CA SPECTRUM offers the essential capabilities required for large scale, managed VPN environments:

• Scalability
• Reduced operator cost
• Service assurance
• Multivendor support


SECTION 1: CHALLENGE

The Challenges of Managing Service Provider Networks

Premium services demand high service quality. This is not an easy task when networks span thousands of devices, a multitude of service types, international services and a variety of network equipment vendors.

Managing Thousands of Devices

The first and most obvious challenge in managing large service provider environments is the huge number of devices that make up the network. As networks scale to thousands and tens of thousands of intelligent devices, typical management paradigms are no longer adequate to address this scale of problem. Historically, an enterprise could be managed by polling all devices from a single or small number of management stations. This approach fails when the number of devices reaches into the tens of thousands.

In addition to the number of devices, it is the relationship between these devices that significantly increases the management complexity. As device count increases, total port count increases even more significantly. Current devices have the capacity to connect to potentially hundreds of other devices. While these additional connections provide increased service and connectivity options, this greatly increases the complexity of management. This increased complexity is due to the additional dependencies on services provided by these other devices. Without proper control, outages and configuration errors can negatively and quickly propagate throughout the network, affecting a large number of other devices. This cascading of a fault would cause expensive downtime and loss of service for a large number of customers. It is essential for the management system to understand and accurately model these critical relationships between devices.

Today we stand at a critical junction of network, systems and service management brought about by the increase in:

• Device count
• Device port density
• Device dependencies

Managing a Myriad of Services

In addition to the number of devices which make up today’s provider networks, there are a large variety and growing number of service offerings. A few examples of these ever increasing service offerings include:

• MPLS VPNs – Layer 3
• MPLS VPNs – Layer 2
• Voice over IP
• Internet connectivity
• Data backup services
• Hosted applications
• Network security
• Redundant/failover links


As the number of services increases, there is additional burden on the routers, switches and other devices that make up the network. Likewise, the impact on management is significant. As in the case where each device supports an increasing port density, devices are supporting an increasing “service density”. In other words, a single device is offering an increased number of critical services to the end user. In addition to managing the devices, these services must be properly managed to deliver contracted service levels to the end user.

The increase in devices, ports and services leads to an explosion in the number of managed objects that must be handled by the management system. As the number of managed objects increases, the cost of managing this environment also increases. There are some indications that these increases are not simply linear, but increasing more rapidly than the total number of objects.

Managing International Operations

Multinational service providers present a challenge due to the geographically dispersed nature of their operations. It is possible that the customer edge equipment, provider edge equipment, network management server and network management client can be in different locations and time zones.

Managing Equipment from Multiple Vendors

Managing large, distributed multi vendor networks presents a challenge to service providers. There are a number of major vendors who sell to the service provider market. The challenge this poses is that vendors seldom use the same, or even similar, SNMP MIBs in their devices. In addition, the configuration of devices and services varies significantly from one vendor to another.

SECTION 2: OPPORTUNITY

The CA SPECTRUM Opportunity

The architecture of CA SPECTRUM combined with its management tools makes it capable of managing complex multi vendor networks and delivering the high quality of service that premium services require.

Distributed Server Architecture

CA SPECTRUM employs a distributed server architecture, which is the foundation that enables distributed management applications to scale to the largest management environments. No single management server alone can provide the capacity to manage these networks. The distributed architecture is based on the CA SPECTRUM Assurance Server capability, distributing critical aspects of management over many servers for greater scalability of CPU load, memory and disk bandwidth, and network bandwidth by localizing polling traffic. In large networks, the CA SPECTRUM Assurance Server capability is typically used in fault tolerant pairs, which are discussed later.


A service provider's network consists of core and edge routers, connected to customer edge routers. The entire network is separated into multiple management domains based on:

• Administrative control
• Topology
• Location
• VPN membership

FIGURE A

MANAGING MULTIPLE DOMAINS OF A SERVICE PROVIDER

Managing the multiple domains of a service provider network is complex. It involves managing multiple devices, including service provider core and edge routers and customer edge routers.

Fault Tolerant Architecture

In addition to the distributed server architecture described above, each Assurance Server can operate as a fault tolerant pair. This capability has been successfully used by some of the largest global service providers and enterprises. This capability is continually enhanced to meet the challenges and requirements of the most demanding network environments, allowing for continuous monitoring of the network through a redundant Assurance Server, which can be available in any of the following configurations:

• Hot Standby: redundant server actively polling
• Warm Standby: redundant server is ready, but not polling
• Cold Standby: redundant server is started upon failure of primary


A hierarchy of fault tolerant, distributed servers, shown in Figure B, can be used in large service provider deployments where redundancy of a “chain of management” is needed. In this architecture, the servers in charge of the lower level domains (Domain 1 – 3) are visible to the server managing the entire environment.

FIGURE B

FAULT TOLERANT DISTRIBUTED SERVER ARCHITECTURE

This figure demonstrates the use of fault tolerant server pairs in a chain of management. The higher domain servers are in a fault tolerant configuration managing three lower level domains, which are also in fault tolerant configurations.

Distributed Viewing and Navigation — CA SPECTRUM OneClick Architecture

The distributed server architecture by itself is not sufficient to manage large networks efficiently. With CA SPECTRUM, this is complemented by a distributed view and navigation paradigm, the CA SPECTRUM OneClick architecture, which allows the operator to seamlessly navigate from one management domain to another. In fact, the operator need not be aware of the fact that they are traversing management domains — all managed entities appear to be part of one uniform workspace. This greatly simplifies navigation as it is not necessary to establish a connection to the “right server” to obtain management information. In addition, all global resources, like VPNs, are shown in a single view. Figure C illustrates this with a simple screen shot. Each of the unique devices under “vpn-red” could be in a separate management domain and monitored by a different Assurance Server.


FIGURE C

DISTRIBUTED VIEWING AND NAVIGATION

CA SPECTRUM OneClick architecture provides simplified navigation.

CA SPECTRUM OneClick architecture is a three-tier, web-based architecture whose central component is a Web server that connects directly to CA SPECTRUM Assurance Servers and delivers information out to distributed Java clients. The CA SPECTRUM OneClick architecture provides the best of both worlds by leveraging the intuitive nature of web-based applications with the scalability and responsiveness of desktop client applications.

Efficient Service Assurance with CA SPECTRUM® Network Fault Manager MPLS VPN Manager (CA SPECTRUM NFM MPLS VPN Manager)

There are two primary techniques to provide service assurance, each having unique strengths and weaknesses. Passive techniques typically require fewer resources to operate, but they provide limited information to the user. Active techniques provide richer information at the cost of increased resources. In order to better serve customer needs, CA SPECTRUM NFM MPLS VPN Manager provides both types of service assurance techniques in its management suite:

• Passive techniques: Trap handling, interface to site rollup
• Active techniques: MPLS-aware VRF Ping and Traceroute

In environments where traps are used, this provides the most resource efficient way to manage these services. Examples include the following traps, which are sent when the VRF changes state:

• VRF interface up
• VRF interface down

As network devices become more capable, there will be increased reliance on active service assurance techniques.


VRF AWARE PING

VRF-aware ping is one of the active service assurance tools available to the CA SPECTRUM user. This is used to monitor not just the health of the devices, but also the service provided by the entire infrastructure. This is accomplished by creating tests at the edge of the network to ensure connectivity between any two points. Typically this is used to ensure that a customer can reach all its sites on a provider’s network. In addition to simple connectivity, these tests may be used to monitor response time between pairs of sites on the customer’s network.

While the VRF-aware ping is a useful tool in managing MPLS VPN environments, judicious use is required to ensure maximum effectiveness. Testing to ensure that all sites in a VPN can reach one another becomes impractical when the number of sites is greater than 50. A full mesh test scenario is an “n squared” problem and would lead to 2,500 tests per test cycle. Large VPNs present even greater capacity limitations. In order to scale to VPNs with a large number of member sites, CA SPECTRUM offers several techniques and user-definable options to ensure performance and scalability. These are:

• Disable VRF ping completely
• Enable VRF ping per VPN (useful for premium VPN services)
• Enable VRF ping per site

In addition to being able to include or exclude a site in the testing process, CA SPECTRUM allows the user to define what role the site plays in the network. Rarely do all sites in a VPN need to connect directly to all other sites. Instead, a more common scenario is that all remote offices need to connect back to servers at the corporate headquarters, greatly reducing the number of tests that need to be provisioned. In addition, common hub and spoke topologies can also reduce the number of tests: each spoke communicates with one hub directly instead of dozens of other sites. CA SPECTRUM delivers superior flexibility, allowing the user to define the test role of each site. The possible roles include the following:

• Testing Disabled
• Source Testing Role (VPN site is an originator for VRF testing)
• Destination Testing Role (VPN site is the destination for VRF testing)
• Source and Destination Testing Role

VRF AWARE TRACEROUTE

VRF Aware Traceroute is the other active service assurance tool available in the CA SPECTRUM NFM MPLS VPN Manager module. Similar to the ping tool that creates end-to-end connectivity tests, this creates end-to-end path tracing tests. These tests are used to determine stability of the core network (MPLS LSPs). For example, one service provider has discovered that if more than 10% of paths are changing in a single cycle, it indicates a critical problem. In their case, the service provider created alarms to highlight whenever that occurs.
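As an added illustration that is not part of the original brief and is not CA SPECTRUM code, the following Python example derives the test pairs implied by the per-site test roles and applies the "more than 10% of paths changed" alarm rule described above. The site names, hop names and function names are assumptions made for the example; with self-tests excluded, a 50-site full mesh gives 2,450 ordered pairs, which the brief rounds to "n squared" (2,500).

```python
from enum import Enum
from itertools import product


class Role(Enum):
    # The four per-site test roles listed in the brief.
    DISABLED = "testing disabled"
    SOURCE = "source"
    DESTINATION = "destination"
    BOTH = "source and destination"


def plan_tests(roles):
    """Return the ordered (source, destination) site pairs implied by the roles."""
    sources = [s for s, r in roles.items() if r in (Role.SOURCE, Role.BOTH)]
    dests = [s for s, r in roles.items() if r in (Role.DESTINATION, Role.BOTH)]
    # A site never tests itself, so a full mesh of n sites yields n*(n-1) pairs.
    return [(s, d) for s, d in product(sources, dests) if s != d]


def path_churn(previous, current):
    """Fraction of pairs traced in both cycles whose hop list differs."""
    common = previous.keys() & current.keys()
    if not common:
        return 0.0
    changed = sum(1 for pair in common if previous[pair] != current[pair])
    return changed / len(common)


def churn_alarm(previous, current, threshold=0.10):
    """True when more than `threshold` of the traced paths changed in one cycle."""
    return path_churn(previous, current) > threshold


# Constructed sample data: 50 sites, with site01 acting as headquarters (hub).
SITES = [f"site{i:02d}" for i in range(1, 51)]
FULL_MESH = {s: Role.BOTH for s in SITES}
HUB_AND_SPOKE = {s: Role.SOURCE for s in SITES}
HUB_AND_SPOKE["site01"] = Role.DESTINATION


def sample_cycles(pairs, reroute_count):
    """Build two constructed traceroute cycles; the first `reroute_count`
    pairs take a different core hop in the second cycle."""
    before = {p: ["pe-a", "p-core1", "pe-b"] for p in pairs}
    after = dict(before)
    for p in pairs[:reroute_count]:
        after[p] = ["pe-a", "p-core2", "pe-b"]
    return before, after


if __name__ == "__main__":
    hub_tests = plan_tests(HUB_AND_SPOKE)
    print("full mesh tests per cycle:    ", len(plan_tests(FULL_MESH)))
    print("hub-and-spoke tests per cycle:", len(hub_tests))
    for rerouted in (4, 6):
        before, after = sample_cycles(hub_tests, rerouted)
        print(f"{rerouted} rerouted paths: churn={path_churn(before, after):.1%}",
              "alarm" if churn_alarm(before, after) else "ok")
```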


As with VRF-aware ping, VRF-aware Traceroute testing requires thoughtful techniques to ensure performance and scalability since VRF Traceroute creates more network packets for a single test. For this reason this feature offers the same configuration options for each site:

• Testing Disabled
• Source Testing Role (VPN site is an originator for VRF testing)
• Destination Testing Role (VPN site is the destination for VRF testing)
• Source and Destination Testing Role

Reduced Operator Intervention

One of the primary costs of delivering reliable network services to a large customer base is operator expenses. Operator efficiency translates directly to cost savings. For this reason, the CA SPECTRUM NFM MPLS VPN Manager solution offers a number of out-of-the-box capabilities that increase operator productivity, speed time to resolution and ultimately reduce cost. These capabilities include the following:

• Automated service management
• Auto-provisioned server assurance tests
• Seamless cross server navigation
• Collapsing views focusing on desired areas
• Global policy control with local overrides
• Advanced search capabilities

The automated service management capability allows the system to discover and model new MPLS services as new network devices are managed in CA SPECTRUM or as new services are provisioned on existing devices. This greatly reduces the amount of time and effort required for operators to configure the system. In addition, these features may be configured so that service discovery happens only at certain times or to conform to local policies or practices. For example, it may be desirable to limit discovery operations to off-peak hours.

The remaining items in the list provide operator efficiencies in viewing, navigation and searching. These enhancements give operators the tools to work efficiently in numerous large networks. The global policy control is a great asset for managing server policies in a multi server environment. This feature allows an operator to set the policy on a single Assurance Server and push that policy to all other Assurance Servers. Examples of the types of attributes which may be set include:

• Enable Dynamic Discovery
• Enable Trap-based management
• Enable Port Polling on PE routers
• Model Inactive VPNs
• Enable VRF Ping / Set Polling Interval / Set Timeout
• Enable VRF Trace / Set Polling Interval / Set Timeout
• Enable Cross Server Service Assurance


In addition, the global policy control allows operators, with the appropriate privilege, to override a global setting and enact local policies for their management domain where conditions require.

Reduced Network Traffic

Although the cost of network bandwidth on a per bit basis continues to decrease, service providers will attest that it is still far from free. For this reason it is necessary to ensure that operations and management activities consume as little network bandwidth as possible. There are a number of advanced features in CA SPECTRUM that give operators greater control over the allocation of management bandwidth. These features include:

• Flexible Polling Options
  – Per device class
  – Per device type
  – Per device
  – Per interface
• Trap-based Service Monitoring

The flexible polling options allow these activities to be focused exactly where they are needed. The trap-based service monitoring reduces polling requirements significantly by providing a way to quickly detect changes in VPN service. These changes could be:

– New VRF provisioned
– An existing VRF has been reactivated
– A VRF has been deactivated
– A VRF has been deleted

Multi Vendor Management

CA SPECTRUM is designed to support the management of intelligent network devices in a multi platform, multi vendor environment. CA SPECTRUM multi vendor support has included an impressive list of leading and emerging vendors that span the networking industry. This list includes:

• Cisco Systems
• Juniper Networks
• Nortel Networks/Bay Networks/Synoptics
• Alcatel-Lucent
• Cabletron/Enterasys/Riverstone Networks
• 3Com
• Foundry Networks


SECTION 3: BENEFITS

CA SPECTRUM — Designed for Service Assurance

CA understands the concerns of the service provider — scalability, availability and cost control — and provides the capabilities within CA SPECTRUM to meet these requirements so that premium services can be competitively offered. CA SPECTRUM distributed architecture provides the scalability to manage thousands of devices, ports and services. CA’s platform-independent approach assures the ability to support the multi vendor environment found in large service provider networks and in their customer networks. The distributed fault tolerant architecture of CA SPECTRUM is a key part of the service assurance that is essential for premium service offerings. Active tests for end-to-end connectivity and response testing go one step further in maintaining quality service. Reduced operator costs through automation, advanced techniques for viewing, navigation and searching, and global policy control are just some of the ways that the CA solution enables premium services to be offered at a reasonable cost, keeping your business profitable and competitive.

SECTION 4: CONCLUSIONS

CA SPECTRUM has a long history in large-scale distributed network and service management. The CA SPECTRUM NFM MPLS VPN Manager builds on this foundation and extends the capability to handle the largest service provider and enterprise networks where MPLS VPNs exist. This advanced capability is one member of a large and growing family of complementary management applications in the CA SPECTRUM suite, which includes modules such as:

• Service Manager
• Network Configuration Manager
• Report Manager

The single goal of this family of applications is to minimize the operational expenses of managing large, complex networks. This is accomplished by automating the tasks associated with network, systems and applications management and allowing the management staff to visualize and monitor their network at a higher level. The CA SPECTRUM team continues to focus on developing advanced management tools with the aim to unify and simplify management operations.

To learn more about the CA SPECTRUM architecture and technical approach, visit ca.com/spectrum


CA, one of the world’s largest information technology (IT) management software companies, unifies and simplifies complex IT management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.

TB05ESMSPEC01E MP322361107

Learn more about how CA can help you transform your business at ca.com
