AA BusVPN Services An

8/12/2019 AA BusVPN Services An

1/24

A P P L I C A T I O N N O T E

Overcoming Application Performance Challenges withApplication-Assured Business VPN Services


2/24

Abstract

Operators face many challenges as they strive to keep pace with the demand from small, mediumand large enterprises for business services. In this very dynamic market, operators must respond withsolutions that meet many criteria, including high availability, security, cost effectiveness, quality,manageability, scalability and, most recently, the ability to assure the operation of business appli-cations. This application note focuses specifically on this last requirement and describes how the

Alcatel-Lucent Application-Assured Business VPN Services solution offers operators the ability tomove up the value chain by enhancing their existing virtual private network (VPN) service offer-ings for enterprises with application assurance.

Most enterprises have little or no visibility of their business applications or how these applicationsare performing over the wide area network (WAN). Operators can address this shortfall and differ-entiate their services by offering application performance assurance for their business VPN services.One option for enabling application assurance is to rely on costly standalone WAN optimization ap-pliances, which essentially provide a quick fix. However, as this paper illustrates, operators wouldbe well advised to implement an integrated network-based approach for the delivery of application-assured VPN services. VPN-based application enablement reduces the cost for operators in compar-ison with standalone solutions, and is readily aligned with the enterprises application performance

goals without significant additional complexity. By offering this comprehensive, end-to-end assur-ance solution, an operator can more effectively address the enterprises application-centric require-ments and differentiate its VPN services from the competition.


3/24

Table of contents

1 1. Enterprise challenges provide opportunities for operators

2 2. Transitioning from service-aware to application-assured VPNs

3 2.1 Comparing network-based application assurance solutions with CPE-based WAN

optimization solutions

5 3. Alcatel-Lucent Application-Assured Business VPN Services solution

8 3.1 Application identification

9 3.2 Application monitoring and reporting

12 3.3 Application assurance

15 4. New revenue potential with the Alcatel-Lucent AA-BVS solution

16 4.1 Market opportunity

16 4.2 Service penetration and revenue

17 4.3 Associated service installation and operation costs

18 5. Conclusion

19 6. Abbreviations


4/24


5/24

Overcoming Application Performance Challenges with Application-Assured Business VPN Services | Application Note 1

1. Enterprise challenges provide opportunities for operators

While enterprises are increasingly reliant on their business applications for successful day-to-day opera-tion, most enterprises have little or no visibility of how the applications are performing over the widearea network (WAN) services they purchase. Business applications continue to grow and place greaterdemands on the enterprise WAN. Applications are being centralized at data centers, and real-timevoice, multimedia and business-critical data applications are converging on a unified communica-

tions infrastructure. Furthermore, the highly distributed and collaborative nature of business makes itcritical that applications be optimized for availability and performance across multiple locations, viathe WAN. These applications are the lifeblood of the enterprise and the impact of poor applicationperformance can result in higher operating costs and often translates directly into lost business.

Maintaining visibility of these business-critical applications to ensure optimized performance andto detect application issues can be a huge challenge for IT departments. Many enterprise IT depart-ments have limited resources and cannot afford to proactively monitor the performance of their ap-plications across the WAN. As a result, they have tended to only address an application issue whenthey encounter a problem that is impacting users and business processes.

Operators have an opportunity to capitalize on this gap by enhancing their existing WAN service

offerings with the ability to monitor and address application performance issues. According to arecent study by Ovum-RHK, enterprises are willing to pay for this kind of service from operators, asshown in Figure 1. By outsourcing this function to the operator, the enterprise can free up valuableresources and reassign its internal operational support teams. Enterprises will place considerabletrust in operators that can assure application performance.

The Ovum study interviewed 150 enterprises located in Europe and the United States of America,including a mix of small, medium and large enterprises. The study looked at the adoption of WANoptimization as a managed service overall, and specifically what enhancements enterprises wouldbe willing to pay for. A very significant 30 percent of enterprises claim that they would pay extrafor improved quality of service (QoS) to guarantee the performance of mission-critical applicationsand 27 percent would pay extra for improved ability to optimize bandwidth and justify bandwidth

upgrades. Twenty percent would be prepared to pay extra for consultancy services to help them withapplication performance monitoring/reporting and for solutions that improve the performance ofapplications. This study shows not only a willingness to pay, but that the might be willing to paysegment is very large and will be sensitive to the value of the offering.

Figure 1. Enterprises are willing to pay for WAN optimization as a managed service (Ovum-RHK)

Source: Ovum: The adoption of WAN Optomization as a managedervice. July 2008150 Enterprises in USA and Europe


6/24

Overcoming Application Performance Challenges with Application-Assured Business VPN Services | Application Note2

As further proof that there is a market for application assurance solutions, IDCs U.S. WAN Man-ager Survey, 2008found that 51 percent of 368 enterprises stated that they would use a managedWAN optimization service from an operator, and 37 percent would use a combination of a managedservice from an operator and an in-house solution. The remaining percentage of enterprises wouldcontinue to use a solution managed by their in-house IT staff, for now. A recent study from In-Stat,WAN Management/Security Solutions Survey, Sep 2008, also identified that:

The majority of IT managers are under pressure to maximize the value of existing resources and

contain costs, while the lack of application visibility has led to unpredictable and failed projects,and cost overruns.

The top issue for a majority of IT directors is achieving consistent end-to-end applicationperformance. However, most IT directors did not know what applications were running on theirWANs, making it difficult for them to address this issue.

The majority of WAN optimization deployments to date have been implemented by enterprises them-selves because the alternative options from operators have either been limited in capability and scaleor very costly. (IDC currently tracks this market to be approximately one billion United States dollars.)Recent service models by some operators have relied on costly standalone solutions or poorly scalableWAN optimization appliances as a quick fix way to get started. The Alcatel-Lucent network-based

application enablement approach delivers application-assured virtual private network (VPN) servicesand aligns with the enterprises application performance goals. This more strategic approach givesoperators a very cost-effective way to differentiate their business VPN service offering.

2. Transitioning from service-aware to application-assured VPNs

To be in a position to offer cost-effective, managed WAN optimization services, operators musttransition their services from service-aware VPNs to application-assured VPNs1. Moving to applica-tion-assured VPNs expands the reach and value of an operators business VPN service portfolio, andenables the operator to transition from a connectivity provider to a provider of both connectivityand business application intelligence to the enterprise. Table 1 summarizes the key attributes thatare associated with service-aware VPNs and application-assured VPNs.

Table 1. Comparing attributes in service-aware and application-assured business VPNs

SERVICE-AWARE BUSINESS VPN APPLICATION-ASSURED BUSINESS VPN

Network availability (either for the entire VPN or on anindividual site basis)

Service-level visibility Packet loss (per class of service) Roundtrip delay Jitter Mean time to repair Service operations, administration and maintenance (OAM) No, or limited, ability to diagnose on a per-application basis

All of the service-aware VPN at tributes, plus: Per-application identification/recognition Application reporting, including application traffic mix and

problem identification and localization Application assurance, including per-application fine tuning

to optimize performance Application protection, encompassing the identification of

unwanted traffic and controlling access to the VPN to thoseapplications defined to run on the VPN

The primary responsibility of service-aware VPNs is to ensure the operators network and serviceperformance objectives are met. There is limited focus on applications: it is assumed the applicationperformance is acceptable if the service performance objectives are met. The VPN service assignsdifferent classes of service (CoS). The CoS defines the service pipe into which applications willbe classified by a trusted customer premises equipment (CPE) device, which in turn determines itsprioritization (for example, Gold, Silver, and Bronze). This does not help address the enterprises topissue (as identified by In-Stat), which is to have per-application visibility and control, without someform of costly CPE-based application-aware classification.

1 These VPN services encompass IP VPNs, Carrier Ethernet VPNs (including Virtual Private LAN Services (VPLS) and Pseudowire Emula-tion Edge to Edge (PWE3)), and IPSec.


7/24


An application-assured VPN ensures per-application performance objectives are met through ap-plication recognition and optimization. This is enabled through a network-based approach that pro-vides per-application classification and end-to-end assurance from both trusted and untrusted CPEdevices, that is, it ensures managed end-to-end application performance, in addition to the networkassurance attributes identified for service-aware VPNs.

An application-assured business VPN solution provides many benefits, including:

Tiered business VPN service plans, as shown in Figure 2, ranging from basic VPNs and Service-Aware VPNs to Application-Assured VPNs, offering profitable customer contact with positiveup-sell opportunities

Service differentiation, enabling the operator to avoid VPN commoditization and price erosionagainst competitive offerings

New service revenue through application reporting and assurance at signicantly lower deploy-ment costs, compared to standalone WAN optimization appliances, with faster time to market,enabling incremental revenue streams with lower overhead

Greater upsell opportunities for VPN connectivity itself as ICT Directors can readily justifyWAN services as they relate directly to application and business performance for the CIO.

Enhanced customer loyalty, by becoming a strategic partner to the enterprise, with incremental

value

Figure 2. Increased revenue and customer loyalty with application-assured VPNs

Meet ng enterpr seapplication-centric

requirements

Application-assured VPNs

Service-aware

VPNs

BasicVPNs

Application signatures Flow-based Layer 4-7

VPLS, VPWS, IP VPN (Layers 2 and 3)

MPLS-enabled carrier Ethernet Service attributes (HA, H-QoS, OAM, scale)

Connectivity IP VPN Commodity pricing

VPN services

Applicationassurance

Networkassurance

Operato

rrevenue

TieredVP

Nservice

s

+

2.1 Comparing network-based application assurance solutions with CPE-based WANoptimization solutions

Network-based application assurance differs from the first wave of application optimization/accel-eration solutions available, which are based on standalone CPE appliances. These first-generationdeployments are WAN overlays with a specialized appliance, generically referred to as a WAN opti-mization controller (WOC), which require an up-front capital expenditure (CAPEX). The differentapproaches are summarized below and illustrated in Figure 3.


8/24


CPE appliance approach An application optimization and acceleration solution where WOCappliances are deployed on premises usually at both the enterprises data center and branchoffice locations. Existing WAN optimization solutions, which are widely accepted for network-ing of large sites served by T1/E1, T3/E3 or STM-x/OC-x connections, have not proven costeffective for deployment in a multi-site, distributed network. For sites with low speed or broad-band access, the hard cost payback period is long or uncertain due to the cost of the additionalappliances. Also, managing hundreds or thousands of devices across the distributed network in-

troduces complexity which can tax already overburdened support staff. Additional costs includetruck rolls to each CPE location adding to the burden of deployment, configuration, ongoingmonitoring, and maintenance of yet another network device at each site. As well, many CPEsolutions employ proprietary end-to-end encapsulation and flow control techniques that preventservice interoperability with other CPE appliances.

Network-based approach A VPN application identification, reporting and assurance solutionwhere capabilities are embedded within the operators IP/MPLS network to support hundreds orthousands of enterprise VPNs. The combination of a VPN and WAN optimization intelligenceat the network service edge can deliver a highly cost-effective, application-aware enterprisenetworking solution. It enables the operator to cost-effectively deliver application assuranceSLAs for prospective customers who may be sensitive to the higher costs of a dedicated WANoptimization appliance. In addition, once deployed, it can easily be activated for new sites, ornew customers through remote management, with visibility and control through a simple serviceportal. This eliminates the need for truck rolls and dramatically reduces the time to market. Thisapproach is provided by integrating WAN application assurance technology within networkprovider edge (PE) nodes.

Figure 3. Comparing the delivery of network-based application assurance and CPE-based application optimization

Applicationassurance

in PE

Networ - ase

HQ

7750 SR

7450 ESS7450 ESS

CPE

App servers

CPE CPE

AA-ISAAA-ISA

AA-ISA

WAN

Remote locations

Book-endedper site

De cate CPE app ances

HQ

7750 SR

7450 ESS7450 ESS

CPE

App servers

CPE

WAN

Remote locations

CPE

WOC

WOCWOC


9/24


A network-based application assurance solution can be extremely effective for deployment in amulti-site, distributed network enabling the operator to realize the following benefits:

Application visibility, which enables per-application trafc analysis and reporting on a per-VPN,per-site or per-customer basis

Support for all business VPN services, regardless of the access type connecting the enterprisesite, which can range from less than 2 Mb/s to 10 Gb/s

Matching of the VPN service to per-site specic application needs (such as volume of use bytime and application)

Scalable performance, dependent on the operators specic infrastructure; for example, an opera-tor with Alcatel-Lucent 7750Service Routers (SR) and Alcatel-Lucent 7450 Ethernet ServiceSwitches (ESS) can scale up to 70 Gb/s of application processing per node to support hundredsand thousands of enterprise VPN sites.

Reduced time and investment to operationalize the solution. Integrating the application intelli-gence into the network nodes reduces complexity and eliminates the need for truck rolls to CPElocations. Also, an integrated service management capability minimizes the installation andprovisioning times.

The ability to offer service portals at an incremental charge to enterprise customers to enable

them to monitor their application statistics, download customized application performancereports, and manage their VPNs themselves through application-based policy control.

The network-based solution is deployed once by the operator and can be offered to all enterprisecustomer VPN sites at minimal cost. Also, the application assurance service can be activated inminutes remotely, without requiring onsite installation.

3. Alcatel-Lucent Application-Assured Business VPN Services solution

The existing Alcatel-Lucent Business VPN Services (BVS) solution enables operators to supportthe convergence of IP voice, data and video over Layer 2 and/or Layer 3 business VPNs. Enhancingthe BVS solution with application assurance to deliver Application Assured Business VPN Services

(AA-BVS) enables operators to leverage their existing IP/MPLS network and service managementinfrastructure and offer application-level visibility and policy control with minimal incrementalinvestment. It also enables the operator to tailor VPN services to each enterprises unique applica-tion performance requirements.

The Alcatel-Lucent AA-BVS solution provides the ability to recognize applications and applicationflows through the network. This in turn enables the operator to report on the applications and/or applyapplication-level QoS controls. The AA-BVS solution supports multiple small, medium and large enter-prise customers and hence provides dramatic cost savings over a comparable WOC appliance approach.


10/24


Figure 4. Network-based application assurance provides greater VPN coverage at a fraction of the cost

High

Cost($$)

Low

Reporting Optimization Acceleration

Application awareness function

The network-based Alcatel-Lucent AA-BVS solution enables operatorsto cost-effectively address the majority of enterprise VPN sites

CPE-basedWAN optimization

Network-based AA-BVS

ExistingVPN services

Figure 4 illustrates the potential costs faced by an operator when deploying dedicated CPE WAN

optimization appliances at the enterprises premises in comparison to deploying the Alcatel-LucentAA-BVS solution. Given that the majority of the reporting and control capabilities needed by mostsites can be offered at a much lower price, operators deploying the Alcatel-Lucent 7750 SR and 7450ESS are able to provide application assurance to the majority of enterprise VPN sites supported overtheir network. Additionally, the ongoing operational savings through deployment simplification(logistics, installation, provisioning, assurance and maintenance) of a network-based solution arevery compelling.

The use of network-wide AA-BVS reporting, which is operationally simple and cost-effective to con-figure, provides a level of insight into network use not available in todays VPN service networks.This enables the operator to target specific up-sell opportunities to other premium services, includ-ing a complementary portfolio of CPE devices that can be offered in specific cases. An example

of this would be for data compression. If the objective for the enterprise is to send less data for thesame amount of information over the WAN service, this can only be accomplished in the CPE.

The Alcatel-Lucent AA-BVS solution relies on the Application Assurance feature set of theAlcatel-Lucent Service Router Operating System (SR-OS), including the purpose-built Alcatel-Lu-cent Application Assurance Integrated Services Adapter (AA-ISA). The AA-ISA is an integratedprocessing adapter for the Alcatel-Lucent 7x50 routing and switching portfolio. The AA-ISA is ahardware module that can be hot-inserted into the existing chassis of the Alcatel-Lucent 7450 ESSor Alcatel-Lucent 7750 SR to provide application assurance. It provides stateful, pattern- and string-based identification of applications to enable dynamic per-service, per-site and per-application QoSpolicy control.

Target application traffic flows are directed to the AA-ISA module via the routers backplane andfabric so no external connections are required. Traffic flows are identified and subjected to a set ofApplication QoS Policy (AQP) rules comprising match and action criteria that determine the QoStreatment applied. This enables any combination of passive monitoring and reporting, active band-width and/or flow policing, and flow-based QoS re-marking to enable per-application services allat line speed.

Each AA-ISA module has a total traffic processing capacity of up to 10 Gb/s and is able to handle thou-sands of VPN sites. The AA-ISA can be configured in 1+1 redundant configurations to provide highavailability, or N+1 configuration as well with up to seven active AA-ISA modules per chassis to scalethe throughput up to 70 Gb/s, providing an industry first for this level of scalability and performance.


11/24


The Alcatel-Lucent AA-BVS solution is enabled and operated by the service and application man-agement capabilities of the Alcatel-Lucent 5620 Service Aware Manager (SAM) management suite,which includes the Alcatel-Lucent 5670 Reporting and Analysis Manager (RAM). Together, theseproducts provide a comprehensive management solution that enables the operator to extend itsexisting service network to encompass the AA-BVS. The extended functionality includes the abilityto offer application-level reports to customers via self-service portals.

The primary functions of the network-based Alcatel-Lucent AA-BVS solution, shown in Figure 5and discussed in more detail in later sections, are:

Application identification provides visibility of applications and their performance behaviorover the WAN VPN

Application monitoring and reporting provides both application traffic mix statistics, and applica-tion problem identication and isolation; generates reports to help enterprise CIOs make in-formed decisions regarding application performance over the WAN and the services they require.

Application assurance enables per-application fine tuning to optimize the performance overthe WAN or to prioritize one application above other applications within the same service class;enables true application-level QoS

Figure 5. Alcatel-Lucent Application-Assured Business VPN Services solution

7750 SR

(PE)

IP/MPLS service edge

Metro

Metro

7450 ESS

(PE)VLL(P

W)

VLL(PW

)

VPLS

IPVPN

VPLS

Data center

Self care portal

7450 ESS(PE)

IP/MPLS WANbackbone

10 GigE

IP VPN Accounts dept Manufacturing dept Sales dept HR dept IT dept

7750 SR

7750 SR

7750 SR

HQ

7750 SR

7750 SR(PE)

IP/MPLS service edge

7450 ESS(PE)

7750 SR(PE)

VLL(PW

)

VLL(PW

)

VPLS

IPVPN

VPLS

AA-ISA

AA-ISA

AA-ISA

AA-ISA

AA-ISA

AA-ISA

SAP Netmeeting FTP E-mail HTTP IM

IP VPNapplication view


12/24


The network example shown in Figure 5 illustrates:

Integrated application recognition and assurance functions into the Alcatel-Lucent 7750 SRand 7450 ESS situated at the edge of the network. The number of managed network elementsand overall power consumption can be dramatically reduced.

The AA-ISA interoperates with all existing interfaces on the Alcatel-Lucent 7750 SR and 7450ESS to enable stateful application traffic flow inspection and application assurance for small, me-dium or large enterprise Layer 2 or Layer 3 VPN services.

Complete application management by the Alcatel-Lucent 5620 SAM and 5670 RAM manage-ment suite; operators do not need to maintain multiple management interfaces and congura-tions. The AA-BVS solution enables the operator to offer a service web (self care) portal to itsenterprise customers who can then view application performance reports per site, per VPN orper application group.

3.1 Application identification

To address the performance of an enterprise customers applications over the WAN, the operatormust first have visibility of the applications. Most enterprises do not know how their applicationsbehave because they have poor visibility of them. With a CPE-based solution, even prior to definingthe application SLA, the operator has to deploy expensive equipment to enable application visibility

and analyze end-customer application behavior.

The Alcatel-Lucent network-based AA-BVS solution enables visibility through its per-applicationidentification. This is provided using:

Real-time analysis on OSI Layers 3 to 7, to dynamically identify and intelligently meter trafcflows, applications and underlying protocols

The ability to identify business applications or trafc ows using IP address prexes and ports,HTTP strings, Differentiated Services Code Point values or traffic direction in addition to proto-col signatures to detect end-to-end application and flow performance behavior

Advanced application identication techniques based on ow pattern and packet behavioralanalysis (for example, IPSec) and statistical or algorithmic analysis

New application detection and distinctive verication of applications relying on the well-knownTCP/UDP port application identification, as well as identification of rogue or unwanted traffic

Enterprises are looking to the operator for better visibility of application performance over theWAN and are willing to pay for this service, as discussed earlier in this paper. The flexible Alcatel-Lucent AA-BVS solution enables the operator to implement application assurance as a permanentfeature of a purchased Layer 2 or Layer 3 VPN service or as a value-added feature for an additionalmonthly fee.

With the Alcatel-Lucent AA-BVS solution, shown in Figure 6, the service-aware VPN (top) can beeasily and cost-effectively transitioned to an application-aware VPN (bottom), providing the opera-tor with full visibility of the enterprise applications running over the WAN VPN. This provides the

following immediate benefits:

Identication of applications and their performance behavior (that is, real-time volume andperformance statistics per customer, per VPN, per site)

Better understanding of how the enterprise customers applications are traversing the WAN anddeeper insight into how to base-line business-critical application traffic to improve performance

Ability to identify business applications and prioritize them appropriately to ensure the enter-prise experiences consistent end-to-end application performance


13/24


Figure 6. Enabling visibility through per-application identification on the Alcatel-Lucent 7450 ESS and 7750 SR

7750 SR

CPE10 Mb/s

IP VPN

CIR = 10 Mb/sPIR = 10 Mb/s

SME orlarge enterprise

Service-aware VPN

Application-aware VPN

Business data (AF 2)

Video (EF)

Voice (EF)

HSI (BE)

7750 SR

CPE

10 Mb/sIP VPN


SME orlarge enterprise

Business data (AF 2)

Video (EF)Voice (EF)

HSI (BE)

Seamless integration7450 ESS and 7750 SR

Upgradeto AA-ISA

File transfer

SAP

E-mail

Videoconferencing

CIFS

Citrix

Remote access

Oracle

HTTP

VoIP

Streaming video

Corporate

Private

E-Learning

YouTube

IM

Web browse

Scavenger apps

3.2 Application monitoring and reporting

The Alcatel-Lucent AA-BVS solution relies on application identification to provide a network-based

application monitoring and reporting capability. This information is critical for enterprises as theyare faced with operational challenges alongside increasing cost constraints. Without an applicationreporting capability, they are running blind. The Alcatel-Lucent AA-BVS solution provides exten-sive flow accounting and statistics reporting capabilities for both overall application performanceand bandwidth usage, including:

Per-protocol, per-application, and per-application-group volume and performance statistics;these are generated using the Alcatel-Lucent SR OS accounting for Layer 2 and Layer 3 VPNs(every byte, packet and flow for every application is counted, not sampled)

End-to-end application volume statistics between VPN sites and servers

Individual IP ows or an aggregated snapshot of IP ows for each VPN site

The AA-ISA modules in the Alcatel-Lucent 7750 SR or Alcatel-Lucent 7450 ESS aggregate theapplication flow information. A comprehensive set of application statistics are then sent to the Al-catel-Lucent 5620 SAM at predetermined reporting intervals, which can be as frequent as every fiveminutes. This allows for maximizing aggregation benefits when mapping extremely large volumes ofper-flow traffic counters.

This information is passed to the Alcatel-Lucent 5670 RAM, for network-wide correlation and ag-gregation into graphical usage reports, trending information, and so on, as shown in Figure 7. Thewealth of application usage and performance information that can be collected through the Alcatel-Lucent AA-BVS solution is very valuable for SLA reporting and helps enterprises determine howtheir applications are performing over their WAN VPN.


14/24


Figure 7. Alcatel-Lucent AA-BVS solution provides fine-grain application monitoring and reporting

AA-ISA

5620 SAMredundant

servers

5670 RAMaggregator anddata warehouse

Applicationassurance stats

Aggregatedapplicationassurance stats

IP VPN

5670 RAMreport/

Web server

7750 SR

Branch

Threshold crossingtriggered reports ande-mail notification

Multi-formatfile reports

Run reports viaWeb browser

Enterprise selfservice portal

Multiple policytouch points

Web apps

IP/MPLSbackboneMetro aggregation

AA-ISA

AA-ISA

AA-ISA

7750 SR

7450 ESS

7450 ESS

HQ

Figure 8 provides just a small sample of application reports that the operator can create and accessvia the web with the Alcatel-Lucent AA-BVS solution. The reports help the operator to ensureenterprise application performance metrics are met, to optimize WAN performance, and to identifyand correct application-level faults quickly. The operator can offer an extensive array of detailedreports, through consultancy for example, to help the enterprise plan its WAN VPN service needs,based on the usage and growth of its business-critical applications.

Figure 8. Detailed application reports the operator can view

Per-VPN reporting Per-site analysis reporting

Application analysis reporting


15/24


Table 2 highlights the type of information available in each sample report shown in Figure 8.

Table 2. Type of information collected by reports shown in Figure 8

PER-VPN REPORTING PER-SITE ANALYSIS REPORTING APPLICATION ANALYSIS REPORTING

This type of report provides information on: This type of report provides information on: This type of report provides information on: Top applications per VPN Trend and usage within a specified time span Application trend and usage within a specified All applications and protocols Top applications per site time span

Top source and destinations sites per application Multimedia application distribution Instant messaging application distribution

With the application report management engine delivered by the Alcatel-Lucent AA-BVS solution,operators have the option, via a web-based interface, to create, run, schedule, view, and organizepre-defined or customized reports to help differentiate their VPN service and meet the exactingapplication reporting requirements of their enterprise customers.

The Alcatel-Lucent 5670 RAM, in conjunction with the Alcatel-Lucent 5620 SAM, has the capac-ity to raise an alarm (or threshold) when specific data rate limits for a VPN service or applicationare reached. This enables the operator, through the Alcatel-Lucent 5620 SAM, to apply a policyto react to real-time conditions and optimize network VPN behaviors related to the CoS.

The Alcatel-Lucent AA-BVS solution enables the operator to add further value with a web-basedservice portal providing the enterprise with access to regularly distributed reports, as shown inFigure 9. The service portal enables the enterprise to:

Monitor applications on a per-VPN or per-site basis

View near-real-time reports and archived reports

Request or change application treatment as well as request application diagnostics

Figure 9. Enterprise web (self care) portal


16/24


Providing these monitoring and reporting tools through a self serve portal on an operators existingVPN service greatly enhances the operators value to the enterprise, because it gives the enterpriseclear and factual information regarding its applications. Without having to incur truck roll-outs,and the CAPEX associated with a full CPE-based solution, enterprises are willing to pay for thesemonitoring and reporting tools as they provide an immediate benefit to them. With this informa-tion, the enterprise can optimize business operations through enhanced application monitoringand performance.

For the operators, the ability to report and monitor applications within the VPN provides numerousbenefits, including:

New revenue potential providing performance and capacity planning reports to enterprise custom-ers, helping IT directors to understand how their applications are performing, so they can makeinformed decisions for bandwidth optimization. Decisions within the enterprise become morefact-based and focused on the business relevance of a given application for the core business.

Value-added service through the enterprise web portal

Incremental pull-through revenue on the base VPN services being offered as enterprises canunderstand where and when incremental bandwidth will have the desired effect on applicationperformance, and more readily justify VPN services costs to their CIO.

VPN service differentiation to avoid price erosion and solidify customer loyalty

3.3 Application assurance

The third capability delivered by the Alcatel-Lucent AA-BVS solution is the ability to controlthe applications within the customers Layer 2 and Layer 3 VPN service. This assurance capabilityenables the operator to apply specific AQP rules to achieve the desired performance result for anapplication.

The Alcatel-Lucent AA-BVS solution enables operators to deliver:

Extensive per-application policy enforcement with granular bandwidth shaping, policing andprioritization defined on a per-VPN basis, to intelligently control and categorize application traf-

fic based on policy. The operator now has the ability to align the enterprises application serviceswith its business needs, and to treat application traffic accordingly without introducing costlyCAPEX, and with a quick time to market for an immediate benefit.

Deterministic end-to-end application behavior through application performance optimization,application-based network path selection, application admission control and application-levelmirroring

The Alcatel-Lucent AA-BVS solution enables the operator to define per-application SLA guaran-tees to ensure consistent end-to-end performance of business-critical applications. In the followingexample the enterprise customer has bought Application Assurance Reporting and Control as aservice from the operator. Figure 10 illustrates how one of the enterprises VPN service forwardingclasses is selected and directed to the AA-ISA module. The application flows within the forwarding

class are identified and then subjected to a set of AQP rules comprising match and action criteriathat determine the QoS treatment applied to each application all at line rate.


17/24


Figure 10. AA-BVS solution provides application assurance for business and Internet traffic

IP/MPLS serviceaggregation and edge(7450 ESS or 7750 SR)

CPE

10 Mb/s

Tenant #1 IP VPN


Branch office

AQP

Service #2

Service #1

Business data (P2)Video (P4)

Voice (P5)

HSI (P0)

Service #2 VPLSCIR = 4 Mb/sPIR = 4 Mb/s

Business data

HSI

SAP P4

Netmeeting P2

FTP P2Email P2

E-Learning P2

IM P0Web browsing P0

YouTube Rate limit

HQ

E-Learning

Internet(YouTube)

Divert P2, P0

AA-I

SA

AA-ISA

The branch office CPE, on the left, provides limited classification for the IP VPN service and hasno visibility of the individual applications.

The IP VPN service is aggregated on the operators Alcatel-Lucent Ethernet Service Switchor Service Router at the metro or service edge. The SAP business application needs to beassigned a higher priority to meet the enterprise performance SLA. The SAP application iscurrently assigned to Priority 2 (P2) forwarding class.

The operator has already diverted the P2 Business trafc to the AA-ISA and can quickly iden-tify any performance issue with the SAP application using the Alcatel-Lucent 5670 RAM.

The AA-ISA identies the SAP application based on its unique signature and the operator de-fines a policy to re-mark the SAP application traffic from P2 to the higher priority P4 forwardingclass, while leaving other P2 Business traffic alone. The traffic flow is then forwarded as normal all at line rate performance.

The SAP application trafc now receives a prioritized treatment over the WAN IP VPN service

in line with the enterprise SLA. The Alcatel-Lucent 5620 SAM ensures the application QoSpolicy is maintained until the operator is ready to change it.

The IT director of this enterprise has also identified to the operator that it relies on an e-learningservice provided over the Internet to train its staff. The current performance of the e-learning appli-cation is unacceptable and the staff is reluctant to take the training, which is affecting the competi-tiveness of the enterprise. The operator, after investigating the situation, takes the following action:

High-speed Internet (HSI) trafc, which includes e-learning, is currently classied as best-effortand assigned to priority class P0.

The operator diverts the P0 HSI trafc to the AA-ISA and can quickly identify any perfor-mance issue with the e-learning application using the Alcatel-Lucent 5670 RAM. Using the

monitoring and reporting capability, the operator also identifies that YouTube activity is veryhigh and uses up valuable bandwidth.

The AA-ISA can distinguish the e-learning application from all other Internet trafc by statefulmonitoring of IP flows and matching the specific HTTP string for the e-learning Internet appli-cation. The operator defines a policy to re-mark the e-learning application traffic from P0 to thehigher priority P2 forwarding class while leaving other P0 HSI traffic alone.

The operator also denes a policy to police YouTube trafc, which helps optimize overall band-width usage.

The e-learning trafc now receives a prioritized treatment over the WAN VPN service in linewith the enterprise SLA. The Alcatel-Lucent 5620 SAM ensures the application QoS policiesare maintained until the operator is ready to change them.


18/24


Another challenge facing this enterprise is the effect on bandwidth availability and performance ofits site VPN connection once they deploy teleconferencing. The enterprise needs to be assured thatit can control the number of teleconferencing sessions so they dont overwhelm the 10 Mb/s band-width, which could cause unnecessary congestion and impact other business-critical applications.The enterprise wants to add teleconferencing without paying for additional bandwidth.

The AA-BVS solution enables the operator to address this issue by applying application session

admission control and classification specific to the site VPN interface. The example shown in Figure11 illustrates how the AA-BVS solution can control the number of video application sessions, forexample, to a maximum of two 5 Mb/s video sessions on the 10 Mb/s VPN service. The AA-BVSmonitoring and reporting capability will provide full visibility of the video application flows and theperformance impact on the other applications to that site. This capacity planning capability is pro-vided without resorting to CPE marking or deploying an expensive CPE application-aware appliance.

Figure 11. Application session admission control on the enterprise site VPN connection

7450 ESS or 7750 SRaggregation

CPE

Video

Voice

SAP server

Teleconference,video (5 Mb/s)

Divert video (P4)

Operator v ew

Teleconference,

video (5 Mb/s)

Branch

Branch

10 Mb/s Video flows

IP VPN Business data (P2)

Video (P4)

Voice (P5)

HSI (P0)

AA-ISA

5620 SAM 5670 RAM

AA-I

SA

Overbooked resources need application-based session control beyond what DiffServ QoS provides.With the AA-BVS solution, the operator can now enable intelligent application flow control based on:

Application-level admission control in line with available site VPN bandwidth and the agreedoverbooking metric

Admission control on the maximum number of session ows allowed, such as limiting to twovideo flows, as shown in Figure 11. The third video flow is policed and identified in the Alcatel-Lucent 5670 RAM reports

Admission control on the rate of session ows set up within a given timeframe for example,the operator can limit the network to admitting ten video session flows every 10 minutes toensure consistent performance


19/24


Enterprises will appreciate this improved level of responsiveness from the operator and the abilityto optimize the performance of their business-critical applications over the WAN VPN service.Enterprises can experience the value first hand and will be willing to pay the additional fee forapplication reporting and control, which the operator is able to provide more cost effectively thanthe enterprise would be able to do in-house.

4. New revenue potential with the Alcatel-Lucent AA-BVS solution

The Alcatel-Lucent AA-BVS solution enables the operator to realize additional VPN revenuequickly and at a lower cost while addressing the enterprises application performance requirements.As identified earlier in this paper, enterprises are willing to pay for application visibility and opti-mization over their WAN VPN service. The financial business case described below examines thecommercial value to operators of offering new application assurance service options that augmenttheir current Layer 2 and Layer 3 business VPN services.

The business case looks at the following two new billable service options, enabled by the AA-BVSsolution:

Application reporting service the reporting service provides detailed application monitoring,reporting and analysis of data traversing the enterprises VPN. Enterprise customers are able toview detailed application-centric reports via a web portal provided by the operator.

Application reporting and control service In addition to full reporting capabilities, the enterprisecan control the use of its VPN resources in alignment with its business application priorities, viathe same web portal.

Operators can up-sell these new application service options for an existing or new VPN service andgarner additional service revenue with a small investment. The new application service options canbe structured as an incremental monthly recurring charge applied as a percentage of the base VPNmonthly recurring charge for each site that uses these service options. In this business case, a fivepercent incremental charge is incurred for customers purchasing the application reporting service,and a ten percent incremental charge is incurred for the application reporting and control service.

For example, if a customer currently pays a 500 United States dollars per month fee for connectingone of its branch offices to its business VPN at an access speed of 2 Mb/s, the customer would nowhave the option to purchase a reporting service for an additional 25 United States dollars per month,or a reporting and control service for 50 United States dollars per month for that branch office.

For reference, typical monthly recurring charges for VPN connectivity and for new application as-surance services used in this business case are shown in Table 3.

Table 3. Baseline monthly recurring charges for a VPN site

ACCESS SPEED FOR VPN SITE MONTHLY RECURRIN G CHARGE MONTHLY RECURRING CHARGE MONTHLY RECURRING CHARGE FOR

FOR VPN CONNECTIVIT Y FOR REPORTING SERVICE REPORTING AND CONTROL SERVICE

(IN UNITED STATES DOLLAR S) (IN UNITED STATES DOLLAR S) (IN UNITED STATES DOLLAR S)

2 Mb/s 500 25 505 Mb/s 750 37.5 75

10 Mb/s 1100 55 110

100 Mb/s 2200 110 220

1000 Mb/s 4500 225 450


20/24


4.1 Market opportunity

The financial business case data is based on a European operator with a revenue base of approxi-mately 250 million United States dollars and 35,000 customer sites for its VPN service in 2008. TheVPN service sites are expected to gradually grow over the forecast period to reach about 45,000sites. In spite of reasonable site growth, revenue is forecasted to grow only marginally to accountfor a two percent year-over-year price erosion on VPN services (see Figure 12).

Figure 12. Operator VPN revenue and site forecasts

Service provider VPN revenue forecast Service provider VPN site number forecast

Revenueinm

illionsofUnitedStatesdollars

Numberofsites

250

200

300

150

100

50

0

40,000

30,000

50,000

20,000

10,000

0

2008 2009 2010 2011 2012 2013 2014 2015 2016

In this business case, application reporting and application reporting and control services aretargeted at medium and large businesses. As per IDCs Western European IP-VPN Forecast 2008-2012report, medium and large enterprises constitute over 92 percent of total VPN sites (see Figure 13).Therefore 92 percent of customer VPNsites are assumed to be addressable, for

this operator, by the AA-BVS solution.

4.2 Service penetration andrevenue

Based on market requirements andthe attractiveness of the applicationreporting or application reporting andcontrol services to VPN customers, they are forecasted to achieve a penetration of 30 percent of theaddressable VPN sites by Year 3, with penetration hitting a peak of 50 percent by Year 8. Of thoseenterprises who do purchase the incremental services, it is assumed that 75 percent will purchasethe application reporting service, while the remaining 25 percent are expected to purchase theapplication reporting and control service.

The application reporting and application reporting and control services show very healthy rev-enues, reaching 3.5 million United States dollars in Year 3 and 7.8 million United States dollarsin Year 8 (see Figure 14). Cumulative revenues for the eight-year period exceed 41 million UnitedStates dollars.

Figure 13. VPN customer distribution by size of business

Percentage oftotal VPN sites

Addressablesegments

Number ofemployees

Businesscategory

7.2%


21/24


Figure 14. Application assurance service revenue forecasts

Reporting and control service revenue Reporting service onlyrevenue

Total AA-BVS revenue forecast

RevenueinmillionsofUnite

dStatesdollars

2008 2010 2012 2014 2016

10

8

6

4

2

0

4.3 Associated service installation and operation costs

The operator has deployed the base VPN service over a network based on Alcatel-Lucent 7750 SRs

or 7450 ESSs. To enable the application assurance services at all sites, the AA-ISA module is in-stalled in each Alcatel-Lucent 7x50 system deployed at the edge (PE). Also, the Alcatel-Lucent 5670RAM is installed to provide application reporting and management. All capital costs associatedwith the incremental Alcatel-Lucent 7x50 hardware, 5620 SAM licensing and 5670 RAM softwareand SUN hardware (for the Alcatel-Lucent 5670 RAM) have been taken into account. The totalcapital costs add up to 930,000 United States dollars over eight years. The operation costs, whichinclude initial project costs (IT integration, network integration) and ongoing maintenance, serviceactivation, marketing and customer care, add up to 2.4 million United States dollars over eight years(see Figure 15).

Also, the weighted average cost of capital is set at a conservative rate of 12 percent.

Figure 15. Application services cumulative discounted cash flow

CDCF

Investments

Expenses

Revenues

9

8

7

RevenueinmillionsofUnitedStatesdollars

6

5

4

3

2

1

0

Year 1

0.22

-0.31

-0.32

-0.33

2

1.28

-0.17

-0.15

0.15

3

3.50

-0.29

-0.28

1.45

4

5.90

Cumulative discounted cash flows

-0.34

-0.12

3.69

5

7.20

-0.34

-0.02

6.22

6

7.65

-0.34

-0.01

8.62

7

7.78

-0.34

0.00

10.80

8

7.81

-0.35

-0.03

12.74

-1


22/24


The overall business case is highly profitable for the operator. With cumulative revenues in excessof 41 million United States dollars on a capital investment of just 930,000 United States dollars andoperating costs of 2.4 million United States dollars, operators get a very healthy net present value of12.75 million United States dollars over the duration of the project.

Return on investment is achieved in a relatively short period of only 20 months. Consequently, pro-viding the new application reporting or application reporting and control services to VPN custom-

ers presents an excellent opportunity for operators to grow their revenue. In addition, by strengthen-ing their VPN service offering, operators increase customer satisfaction, which in turn contributesto customer retention. Significant service differentiation also provides protection from VPN serviceprice erosion.

Enterprises benefit as they now have the necessary tools to identify and manage their applicationtraffic over their WAN VPN service effectively, leading to improved application performance andcost-optimized usage of VPN resources.

5. Conclusion

Application enablement with the Alcatel-Lucent Application-Assured Business VPN Services solu-

tion delivers real benefits to help operators align their service offerings with enterprises businessobjectives and application performance goals. By enabling network-based application performanceassurance for business VPN services, operators can clearly differentiate their VPN service offer-ings from competitors. Operators can do this while cost effectively reaching the majority of theircustomers sites and dramatically shortening the time to market in comparison with comparableCPE-based approaches.

The Alcatel-Lucent AA-BVS solution meets head-on one of the key business challenges for enter-prises today: ensuring that their business applications are operating as efficiently and cost-effectivelyas possible. With the solution in place, operators can tell enterprises exactly what applications arerunning on their VPNs and how they are running, and they can deliver detailed reports on the effi-ciency of their business services. They can also provide enterprises direct access to this informationthrough self-serve web portals.

The Alcatel-Lucent AA-BVS enables operators to introduce a variety of tiered business VPN serviceplans, aligning application services with stringent SLA requirements. This enables the operator tosupport enterprises business objectives more directly, and helps the operator to strengthen its rela-tionship with its customers. This enhanced relationship provides increased opportunities forup-selling services to the enterprise.

The new service capabilities also translate directly to increased revenue opportunities, at minimalcost, and with a faster time to market. By entrenching a competitive differentiator in its serviceofferings, the operator is safeguarding future revenue streams from price erosion, and reinforcingcustomer stickiness something that is extremely valuable in todays highly competitive market.


23/24


6. AbbreviationsAA-BVS (Alcatel-Lucent) Application-Assured Business VPN Services

AA-ISA (Alcatel-Lucent) Application Assurance Integrated Service Adapter

AQP application quality of service policy

CDCF cumulative discounted cash flow

CIO Chief information ofcer

CIR committed information rateCoS class of service

CPE customer premises equipment

ESS (Alcatel-Lucent 7450) Ethernet Service Switch

FTP file transfer protocol

HA high availability

H-QoS hierarchical quality of service

HSI high-speed Internet

ICT information and communication technology

IM instant messaging

OAM operations, administration and maintenance

PE provider edge

PIR peak information rate

PW pseudowire

PWE3 Pseudowire Emulation Edge-to-Edge

QoS quality of service

RAM (Alcatel-Lucent 5670) Reporting and Analysis Manager

SAM (Alcatel-Lucent 5620) Service Aware Manager

SME small to medium enterpr ises

SR (Alcatel-Lucent 7750) Service Router

SR-OS (Alcatel-Lucent) Service Router Operating System

TCP Transmission Control Protocoal

UDP User Datagram Protocol

VLL Virtual Leased LinesVoIP voice over Internet Protocol

VPLS Virtual Private LAN Service

VPN virtual private network

VPWS virtual private wire service

WAN wide area network

WOC WAN optimization controller


24/24

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logoare trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibilityfor inaccuracies contained herein. Copyright 2009 Alcatel-Lucent. All rights reserved.CAR4688090107 (03)

Documents

AA BusVPN Services An