APPLICATION NOTE
Service Router Application Assurance
Breathing new life into your business service portfolio
Table of contents
Executive summary
Service provider challenges
SP marketing
SP operations
IDC/Cloud services
Addressing the challenges
Application assurance overview
Comparison to CPE appliances
AA-VPN use case overview
Business services examples
Enhancing service provider operations
Enabling cloud computing services
Executive summary
Service Providers (SPs) today face significant marketing and operational challenges. A rapidly commoditizing market for traditional network connectivity and enterprise demand for new enterprise services centered around networked applications and cloud computing are putting pressure on their traditional role as bandwidth providers. Overcoming these challenges requires new, application-aware network services aimed at helping enterprises thrive as they adopt new application architectures. SPs that embrace this new generation of application-aware network services will tap into new sources of high margin revenue and evolve from network connectivity provider to trusted ICT partner in the eyes of their enterprise customers.
Alcatel-Lucent’s Application Assurance (AA) enables this transition by transforming SP business networks from being service-aware to being application-aware. In a service aware network, packet loss, roundtrip delay, jitter and QoS are all viewed and controlled within the context of the service being delivered — all applications within each service class are treated equally. An application-aware network enables new services by allowing SPs to monitor and control these attributes on a per application basis.
AA breathes new life into existing L2/L3 VPN and business internet services by allowing enterprise customers to monitor and control the applications running over the network service. By entrenching AA in their network as a primary differentiator, SPs can protect business service revenue from price erosion and reinforce customer stickiness in today’s highly competitive business services market. The overall business case is highly profitable with return on investment achievable in a relatively short period of time. And as SPs align their services to meet enterprise IT objectives for application performance, they move closer to the CIOs and to new revenue opportunities in cloud services and consulting. The SP can also use a network-resident AA infrastructure to resolve the operational challenges created by the explosion of new enterprise applications. Operators can proactively monitor customer application performance and leverage network-based application troubleshooting to quickly resolve problems. AA can also provide invaluable insight into the behavior and types of applications running over the SP business network, ensuring capacity/network plans are optimized around application trends, performance and bandwidth needs.
SPs that are ready to take the next step beyond AA VPNs and AA Business Internet services can leverage their AA infrastructure to develop highly competitive AA IDC/Cloud services. Hosted application SLAs can be enforced across multiple touch points in the business network to achieve higher reliability vs traditional cloud service offerings. Applications can be monitored to optimize IDC planning and to provide valuable insight into new cloud service development.
In summary, Application-Assured business services allow SPs to capitalize on enterprise application trends and drive new service revenue. The transition from basic VPNs to application-assured VPNs to IDC/Cloud service VPNs moves SPs ever closer to their enterprise customers and accelerates their transition from connectivity provider to trusted ICT partner.
Service provider challenges
SP marketing
For many SP marketing managers, the most pressing issue is commoditization of VPN services as universal availability and service uniformity propel pricing as the primary differentiator. To protect their margins and drive new revenue, SPs must differentiate their offerings relative to the competition to sustain a price premium, or provide value-added functionality as a chargeable option to basic VPN services. Recent changes in enterprise IT are providing just such an opportunity. These changes include:
• Cloud computing architectures are being adopted to virtualize IT infrastructure and to realize the
• The increasingly distributed and collaborative nature of business is putting pressure on how business applications perform across the Wide Area Network (WAN).
• Real-time voice, multimedia and business-critical data applications are converging on a unified communications infrastructure.
Even as enterprises are increasingly reliant on WAN/cloud applications for successful day-to-day operation, many IT departments have little or no visibility of how these applications are performing over the VPN services they purchase. A recent study from In-Stat, WAN Management/Security Solutions Survey, Sep 2008, identified that:
• The majority of IT managers are under pressure to maximize the value of existing resources and contain costs, while the lack of application visibility has led to unpredictable and failed projects, and cost overruns.
• The top issue for a majority of IT directors is achieving consistent end-to-end application performance. However, most IT directors did not know what applications were running on their WANs, thus making it difficult for them to address this issue.
Maintaining visibility of business-critical applications to ensure optimized performance and to detect application issues is often a huge challenge for resource-strapped IT departments. The majority of deployments to date have been implemented by enterprises themselves because the alternative options from operators have either been limited in capability and scale or very costly.
Service providers have an opportunity to capitalize on this gap by enhancing their existing VPN service to provide enterprises with the ability to monitor and address application availability and performance via a custom portal (Figure 1). Depending on the local market dynamics, this capability can be packaged as a series of new service options to existing VPN services, or bundled within an existing service to provide competitive differentiation and stave off price erosion. Enterprises will place considerable trust in service providers that can assure application performance and safeguard their critical business processes — without a CPE deployment to drive up cost, complexity and time-to-benefit.
Figure 1. Enterprise willingness to pay for Application Assurance (Ovum, 2009)
[Figure: bar chart. X-axis: perceived value as % of base VPN price (< 5%, 5-9%, 10-14%). Y-axis: enterprise respondents (% of total). Series: application control capabilities; application monitoring and reporting.]
SP operations
The enterprise trends discussed above also present significant challenges for service provider operations teams tasked with the maintenance and planning of existing network services. These challenges include:
• Gaining an understanding of the behavior and performance of the business applications running over their VPN service network. Is use of video conferencing growing? Which customers, sites and geographical areas are affected? What are the typical traffic flows?
• Fine tuning operations and capacity planning to match enterprise application trends and growth. Where is bandwidth being consumed? How much bandwidth is consumed by video conferencing relative to other applications?
• Proactive monitoring and resolution of enterprise application performance issues before they impact customers’ business processes. Which portion of the end-to-end path traversed by a video conference session is responsible for poor video quality?
Service providers that invest in value-added application monitoring and control services for their enterprise customers can also focus this new capability internally to resolve the operational challenges driven by the same enterprise trends.
IDC/Cloud services
Most service providers are investing in Internet Data Centers (IDCs) to capitalize on enterprise demand for cloud computing services. Offerings such as network storage, hosted applications and hosted data centers are often coupled with VPN services to provide end-to-end solutions for enterprise customers. Two challenges facing service providers that offer these services are how to address enterprise demands for hosted application reliability and performance, and how to monitor application bandwidth to the IDC.
According to a 2010 report on cloud services by the Yankee Group (see Figure 2), enterprises view network- and application-based SLAs as the most critical reliability measure when evaluating cloud-based services. Service providers that can extend their network SLA strengths to include hosted application infrastructure can gain a significant advantage over cloud computing vendors that have no network capabilities to tap into.
Figure 2. Critical reliability measure when implementing cloud based services (Yankee Group, 2010)
[Figure: bar chart, scale 0% to 35%. Measures shown: tools to assess packet delivery rate to site; cross-server dynamic load balancing; backup facility; server redundancy; network- and application-specific SLAs; network redundancy.]
Cloud computing services are a new focus area for most service providers as they move beyond their traditional role as network providers. To thrive in this dynamic new market, they need to respond quickly to market demand for new services/features and grow quickly without overcapacity. They need to monitor application performance, bandwidth utilization and traffic flows within the data center and network to guide IDC capacity planning, perform application-level troubleshooting and identify additional application-aware network service opportunities.
Addressing the challenges
To address the challenges discussed thus far, service providers must enhance their business service delivery infrastructure from being service-aware to being application-aware. In a service aware router, packet loss, roundtrip delay, jitter, QoS, etc, are all viewed from the context of the service being delivered — all applications within each service class are treated equally. As illustrated in Figure 3, an application-aware service router is able to assign and control these and other attributes on a per application basis. Application aware service routers enable:
• Per-application identification/recognition
• Application reporting, including application traffic mix and problem identification and localization
• Application assurance, including per-application fine tuning to optimize performance
• Application protection, encompassing the identification of unwanted traffic and controlling access into a VPN to those applications defined to run on the VPN
Figure 3. Application level visibility vs Service level visibility within a VPN service
[Figure: an L2 or L3 VPN service between enterprise and service provider. Service level visibility: all applications within a service class (voice, video, business data, Internet) receive the same treatment. Application level visibility: custom treatment for individual applications and application classes, e.g. VoIP, videoconferencing, streaming video, e-learning, SAP, IM, Oracle, CIFS, Citrix, remote access, file transfer, HTTP, email, web browse, YouTube.]
This shift in the underlying service network infrastructure enables a similar shift in the type of business services that can be offered (Figure 4). Traditional VPN services give way to application-assured VPN services that provide enterprises with visibility and control of their applications as they transit the VPN. Tiered business VPN service plans, ranging from basic VPNs and Service-Aware VPNs to Application-Assured VPNs, provide profitable customer contact with up-sell opportunities. As SPs add IDC/cloud service offerings to the mix, core SLA strengths are extended to include the hosted applications that drive their enterprise customers’ key business processes. This enables even more up-sell opportunities as ICT Directors can readily justify services that relate directly to application and business performance. Application-Assured business services provide SPs with the means to accelerate their transformation from network connectivity providers to trusted ICT partners in the eyes of their enterprise customers.
Figure 4. AA enabled services
Application assurance overview
The Application Assurance solution is based on the Alcatel-Lucent Service Router Operating System (SR-OS) and the purpose-built Alcatel-Lucent Multi-Service Integrated Services Adapter (MS-ISA). The MS-ISA is an integrated processing adapter for the Alcatel-Lucent Service Router portfolio that can be hot-inserted into an existing chassis to support Application Assurance and other high touch software. When configured with AA, it provides stateful, pattern- and string-based identification of applications to enable dynamic per-service, per-site and per-application QoS policy control — all at line speed.
Each MS-ISA module configured with AA has a total traffic processing capacity of up to 10 Gb/s and is able to handle thousands of VPN sites. It can be configured in 1+1 redundant configurations to provide high availability, or N+1 configuration with up to seven active MS-ISA modules per chassis to scale the throughput up to 70 Gb/s — an industry first for this level of scalability and performance.
[Figure 4 labels: service provider revenue plotted against value-added business service offerings. Tiers: basic VPNs (connectivity, commodity pricing); service-aware VPNs; application assured VPNs; cloud service VPNs. Traditional business services: VPLS, VPWS, IP VPN (L2 and L3); service attributes (HA, H-QoS, OAM, scale). AA-enabled business services: application monitoring and reporting; application BoD; hosted application SLAs. The progression runs from connectivity provider to trusted ICT partner.]
Application Assured business services are enabled and operated by the service and application management capabilities of the Alcatel-Lucent 5620 Service Aware Manager (SAM) management suite, which includes the Alcatel-Lucent 5670 Reporting and Analysis Manager (RAM). Together, these products provide a comprehensive management solution that enables the operator to extend an existing business service network to incorporate Application Assurance. The extended functionality includes the ability to offer self-service portals that provide enterprises with:
• Per-protocol, per-application, and per-application-group volume and performance statistics (every byte, packet and flow for every application is counted, not sampled)
• End-to-end application volume statistics between VPN sites and servers
• Individual voice/video or TCP flows (or an aggregated snapshot of flows) for each VPN site
• Near real time application monitoring (per VPN, per site)
• Application “green wall” to quickly identify applications that drop below enterprise performance thresholds
• The ability to drill down multiple levels for details
• The ability to request or change application treatment as well as request application diagnostics
• Customizable archive reports (per customer or vertical market)
The MS-ISA modules in the Service Router aggregate application flow information and forward this data to the Alcatel-Lucent 5620 SAM at predetermined reporting intervals. This information is passed to the Alcatel-Lucent 5670 RAM, for network-wide correlation and aggregation into graphical usage reports, trending information, and so on, as shown in Figure 5.
Figure 5. Alcatel-Lucent AA solution overview
[Figure: enterprise HQ and enterprise branch sites attached over Ethernet access or Frame relay to AA-enabled service routers; enterprise portal, policy management, service management and reporting functions set application policy and collect application stats.]
Comparison to CPE appliances
This transformation from service aware networks to application aware networks that AA enables is in sharp contrast to the niche services enabled by CPE appliances focused on application optimization/acceleration. These first-generation deployments were overlays on top of existing business networks and came with multiple constraints that limited their use across distributed service provider networks:
• They required up front capital investment and truck rolls to each customer’s data centers and branch office locations. This approach greatly reduced addressable market while requiring 6 months or more to activate the service for each new customer. Because the AA capability is integrated within the VPN service network fabric, it can easily be activated for new sites or new customers, dramatically reducing the time to market. It also enables service providers to cost-effectively deliver application assurance to the vast majority of customers that are sensitive to the higher costs of a dedicated WAN optimization appliance.
• Hundreds or thousands of elements needed to be separately managed, adding significant costs and operational overhead to the bottom line. The network based approach of AA greatly reduces the number of elements that need to be managed while integration with the Alcatel-Lucent 5620 SAM and 5670 RAM management suite means operators need not maintain multiple management interfaces and configurations.
• CPE solutions lacked key capabilities supported by an AA-VPN service, such as flexible reporting, a highly scalable carrier grade architecture and integration with VPN services to be considered for deployment within the service network itself.
• Proprietary end-to-end encapsulation and flow control techniques prevented service interoperability.
A network-based AA service addresses a wider market, has lower cost points and is easier to manage than CPE appliances (see Figure 6).
Figure 6. Service Router AA versus CPE appliances
[Figure: compares Service Router Application Assurance (network-/cloud-based service) with an appliance (primarily a CPE-based service) on addressable market and carrier class attributes: platform, reporting flexibility, VPN service integration.]
AA-VPN use case overview
The following sections give an overview of how AA can be used to breathe new life into SPs’ existing business services, resolve operational challenges associated with the explosion of new applications, and add competitive differentiation to their burgeoning cloud computing offerings.
Business services examples
Application Assurance enables service providers to realize additional VPN revenue quickly and at lower cost vs CPE approaches while addressing 100% of the enterprise market. The example below outlines how one tier 1 SP structured application assurance service options to augment their current Layer 2 and Layer 3 business VPN services.
As outlined in Figure 7, the Tier-1 service provider planned for the following new billable service options enabled by AA:
• VPN ApplicationView: Application monitoring & reporting: provides detailed application monitoring, reporting and analysis of data traversing the enterprises’ VPN. Enterprise customers are able to view detailed application-centric reports via a web portal provided by the operator. Consulting fees apply for customized portals and reporting.
• VPN ApplicationControl: VPN ApplicationView bundle & policy control & application bandwidth on demand: In addition to full reporting capabilities, the enterprise can control the use of its VPN resources in alignment with its business application priorities, via the same web portal. For example, the enterprise can reprioritize a SAP application or video conferencing sessions if performance/quality dropped below a defined threshold. Application bandwidth on demand provides another remedy if performance/quality issues are caused by bandwidth constraints — the enterprise can use the portal to trigger the release of additional bandwidth (for a defined period) above the committed rate that only those key applications critical to the business can tap into.
• VPN DynamicControl: A future AA capability and SP offering in which additional bandwidth is released automatically based on demand and the customer is charged per minute of use.
The new application service options are structured as an incremental monthly recurring charge applied as a percentage of the base VPN monthly recurring charge for each site that uses these service options. The overall business case is highly profitable for the operator with return on investment achievable in a relatively short period of time. In addition to strengthening their VPN service offering, the tier 1 SP is banking on increased customer satisfaction, and associated customer retention.
Figure 7. AA-VPN service bundle examples
VPN ApplicationView
• Application performance monitoring across multiple sites and touch points in an enterprise VPN
Features
• Application monitoring and reporting
VPN ApplicationControl
• Application policy creation and enforcement via AA portal
• On demand or scheduled allocation of bandwidth to a specified application in 30/60/90 minute blocks
Features
• VPN ApplicationView package
• Application policy control
• Application bandwidth on demand
VPN DynamicControl
• Application control policies automatically triggered by specified application behaviors
• Real-time allocation of bandwidth for specified applications charged by
Features
• VPN ApplicationControl package
• Automatic application policy control
• Automated application bandwidth on demand
Other service providers have taken a different approach by bundling application monitoring and control capabilities as part of their value-added VPN offerings. These operators are able to sustain premium pricing vs competitive offerings, with one operator — Kordia — winning the award for the most innovative new service in the year of offer.
The network-based AA capability also enables Application-Assured Business Internet services that complement Application-Assured VPNs (Figure 8). One value-added business service operator targets small and medium sized companies with many remote/home offices for which a cloud based service is the only viable option. Their sweet spot is customers who i) want to manage the performance of their mission-critical software-as-a-service applications, and ii) want to shut down applications performing illegal downloads to comply with new file sharing legislation. Other non web-based services are offered to complement the enhanced business internet offering, including SSL, full VPNs and managed firewalls.
Figure 8. AA monitoring and reporting service option for VPN or Business Internet
[Figure: enterprise data center, enterprise branch and SOHO sites connected over VPN and Business Internet through AA points, with an enterprise portal. Example applications: SAP, YouTube, MS Office Online, Google, Salesforce.]
Enhancing service provider operations
Application Assurance also allows SPs to resolve many of the operational challenges created by enterprise migration to cloud computing and networked applications. This includes the ability to:
• Proactively monitor application thresholds for key customers. For instance, the operator may notice that a key customer has increasing video conferencing traffic on their VPN service and decide to regularly monitor the performance of video sessions across multiple network segments: CPE to PE, PE to PE, and PE to data center.
• Take immediate action when problems arise. The SP can immediately contact their key customer if performance thresholds fall below the established baseline. Because they analyze performance data across multiple network segments, they are able to quickly identify the root cause of the problem (illustrated in Figure 9) as bandwidth congestion between the PE and CE. They can advise the customer of the performance issue — before it starts to impact their business activities — and offer the Application Bandwidth on Demand service option as a remedy.
• Understand enterprise traffic mix, traffic flows and trends. The SP can build a database of statistics over time to guide capacity and network planning. Knowing what applications are running over the network, who is using them and where the traffic is flowing allows operators to fine tune network performance while avoiding overcapacity.
• Enforce policy across multiple touch points. Corrective action can be administered to application flows at any point in the service provider’s network (that contains an MS-ISA card) for maximum flexibility.
Figure 9. Application performance troubleshooting
a) Enterprise complains of poor video conference performance.
b) Service provider uses application performance data to identify choke point between CE & PE.
c) Service provider offers Application Bandwidth on Demand service to Enterprise.
Enabling cloud computing services
Two of the primary challenges facing service providers entering the cloud computing space are i) how to address enterprise demands for hosted application performance and, ii) how to track application consumption and bandwidth to/from their Internet Data Center (IDC). To help service providers meet these challenges, AA provides extensive application monitoring and reporting capabilities far beyond what stand-alone ADCs can offer (Figure 10). These include:
• Hosted or cloud application performance monitoring (client to host) with granularity across multiple network segments (Client to PE, PE to PE, PE to IDC, or between any two service routers configured with MS-ISA)
• Bandwidth utilization in the IDC or between any two sites on a per-application, application group or customer basis, with statistics including top bandwidth applications and top customers per application
• Centralized repositories for application data collection that scale to large service provider networks and provide the business intelligence for new cloud services development
[Figure labels: enterprise HQ, enterprise branch, CPE, PE, AA, access network, IP/MPLS backbone; application performance measurements.]
Figure 10. Application-Assured IDC/Cloud services with hosted application SLAs and monitoring
Application policies can be enforced across multiple touch points, including the IDC, and at any point in the service and aggregation networks. This distributed, network-based AA capability provides SPs with significant competitive differentiation versus traditional hosting providers by enabling SLAs for hosted application sessions — right up to the managed branch or remote site location consuming the hosted service. Service providers can package cloud services — such as hosted applications or network storage — with Application-Assured VPN or Business Internet services to provide SLA guarantees while enabling performance monitoring of both hosted and enterprise applications as they transit the VPN or Business Internet network.
[Figure 10 labels: SOHO, enterprise branch, enterprise data center (Oracle), SAP, managed CPE; IP VPN, L2 VPN and Business Internet with AA points; service provider hosted applications (Citrix) and network storage; hosted application SLAs; service and policy management; data collection and reporting.]