[email protected]. - telekomunikacije...mpls basedcore network withprotectionof alllinks metroethernet...

Telecommunications, Portorož, 04.10.2008 1NLB d.d.

[email protected].

* MPLS – Multi Protocol Label Switching ** NLBd.d. – Nova Ljubljanska banka d.d.

Janko Jager

Telecommunications, Portorož, 04.10.2008 NLB d.d. 2

Foreword

This presentation is about NLB d.d. experience in upgrading network communications infrastructure –why, what, how, pros., cons., lessons learned – and not about technology and configurations.

Some statements in this presentation could be author’s personal opinion and not official opinion of NLB d.d.


Agenda

About NLB d.d.WHY...WHAT...HOW...ConclusionsQ&A


About NLB d.d.

NLB GroupNLB in Slovenia


NLB d.d. - NLB Group

58 members in 17 countries

banks: 13 (including NLB d.d.)

leasing: 11

trade finance: 11

insurance: 5

asset mgmt: 1

non financial: 17


NLB d.d. - Sloveniaaround 150 branches; more than 700 ATMs (SNA)


WHY to upgrade network

CapacityTechnologyNew servicesCosts


WAN topology (present)leased lines from 512kbps to 2Mbps; ISDN backups


WAN utilization (present)100% increase of network traffic in less than one yearISDN backups no longer sufficient


Goals

To provide sufficient capacity, quality, availability, security - to migrate corporate network from switching and routing to service oriented network platform.

To provide network support for several emerging technologies and network services – IP ATMs, IP telephony, IP video surveillance...

To lower communications costs (enhance price –performance) and achieve independence from only one telecom provider.


WHAT is obvious technical solution

MPLS VPNGRE/IPsecMPLS VPN over GRE/IPsec


MPLS VPN (maybe right solution for “non-corporate” networks)

Provided/implemented by telecom provider

+Customer’s virtual private “communication

cloud” within provider’s networkMedia independent (Ethernet, xDSL, leased lines,

Frame Relay, FO...)Network devices managed by provider

-Customer depends on provider (costs, QoS...)Different customers “communication clouds” are

separated but not safe


GRE/IPsecImplemented by customer

+GRE/IPsec tunnels provide data securityTunnels connect customer’s private networks

(branches – datacenters)Network devices managed by customer

-Additional network equipment (costs, management,

processor power)Additional configuration (routing)


MPLS VPN over GRE/IPsecImplemented by customer

+Customer defined MPLS VPN network(s) over

GRE/IPsecProvider independent (better monitoring and service

management, easy to introduce new network services, customer defines virtual networks within his network)

More than one provider (costs, price-performance, QoS, redundancy...)

Network devices managed by customer

-Additional configuration


Comparison...MPLS VPN over GRE/IPsec

MPLS VPN GRE/IPsec

Provider independency No Yes Yes

Authentication No Yes Yes

Encryption No Yes Yes

Media independency Yes Yes Yes

Trafic separation Yes No Yes

Implemented/provided by Provider Customer Customer


MPLS VPN over GRE/IPsec

Customer’snetwork

Customer’snetwork

MPLS VPNMPLS VPN

Provider #1

Provider #2

Provider #3

GRE/IPsecGRE/IPsec

VPN AVPN A

VPN BVPN BBranch 2

VPN AVPN A

VPN BVPN BBranch 1

VPN AVPN A

VPN BVPN BBranch 3

VPN AVPN A

VPN BVPN BBranch 4

VPN AVPN A

VPN BVPN B

Primary

MP-BGP

Simplifyed logical scheme

datacentresecondary

&


HOW to do it

... (project)RequirementsPilot testingTelecom Slovenia... (implementation)


Requirements, decisions...Selecting telecom provider(s): primary and secondary connections

by Telecom Slovenia (all connections MPLS VPN; defined QoS, reporting, on-line monitoring, problem solving...)

Selecting system integrator(s): NIL d.o.o., NLB Propria

Datacenter:1Gbps, FO, EthernetCisco routers ASR 1002

Branch office:Primary connection: 10Mbps, FO, Ethernet,

RJ45 (to the micro location)Secondary connection: xDSL Cisco routers 28xx, 38xx


QoS requirementsParameters Required Acceptable offsetBandwidth 10Mbps up to 20%Availability – monthly average >= 99,9%

Delay – hourly average <= 100 ms up to 3 times/month

Delay – daily average <= 70 ms up to 1 time/month

Delay – monthly average <= 60 ms

Jitter – hourly average <= 15 ms up to 3 times/monthJitter – daily average <= 10 ms up to 1 time/month

Jitter – monthly average <= 5 msPacket loss – hourly average <= 0.8% up to 3 times/monthPacket loss – daily average <= 0.3% up to 1 time/monthPacket loss – monthly average <= 0.2%

Should be confirmed by provider (and put in a contract)Measurement and reporting should also be defined


Pilot implementation

Telecom Slovenia Datacentre

Branch office

Secondary MPLS

New (MPLS) routers

Existing routers ISDNEthernet Leased line

Primary MPLS

Leased line

ISDN IPsec GRE tunnel

HSRP

Simplified logical scheme


Telecom Slovenia 1/3

MPLS@NLB add on from TS

VPN business

services

Carrier Class equipmentCarrier Grade network infrastructure with DWDM protection mechanismsMPLS Based Core network with protection of all linksMetroethernet based Access Network with protection of business customersUsage of different kind of first‐mile technologies as ADSL2+, VDSLx, FTTx, SHDSL, EFM, Wimax and Mobile networkOver 100 cities covered with business network for VPN servicesE2E QoS assuranceSLA monitoring/reporting and advanced SLA monitoring/reporting (with applications)24/7 Network operations center Dedicated contact channel and technical team for business customers

* Signed

contract

with

mobile

operater Mobitel (on trial)




Services on MPLS networkL3 VPN

VoIP for SB, SMB and large enterprise networks (IP centrex and IP PBX support)

Advanced IP TV services, standard and high definition

VoIP for residental segment and for SOHO

FMC services

Hotels multimedia services and advanced hotels multimedia services

SLA monitoring and advanced SLA monitoring (with applications)

Combination of P2P and mash VPN network

L2 VPN*

IMS (IP multimedia subsystem)*

IPS service (Intrusion Prevention System)*

Redundancy location of DRC**

Surveillance service (commercial name INFRANET)*

VPN service for IP/POS terminals and ATM’s*

* on trial




Telekom Slovenia topology

Carrier Class equipment MPLS Based Core network with protection of all links (10G)Metroethernet based Access Network with protection of business customersOver 100 cities covered with business network for VPN servicesSeparate business and residental netwotk on physical layer Dual WAN connectivity


Conclusions

Lessons learnedResultsTO DO...


Lessons learnedImportan NLB d.d. experience

Project Involve internal users/customers; gain management support; prepare business case...

Plan, plan, plan More than one year of planning, meetings, educations.Larger network, more services – more planning required.Think about big picture – don’t forget about other network segments (network core, monitoring and management) and new services (IP telephony, IP ATMs...)Significant architecture change – server centralization.

Equipment Be careful when buying new network equipment: capacity, end of sale, end of support, SW versions for required functionalities...Support costs for new equipment might be lower; part of business case.

Testing, pilot branch office implementation Proved to be very useful; some configurations were changed.Internal users/customers confirmation.

Telecom providers Take time for negotiations. Think about contract: obligations and penals – costs, response times, QoS parameters, measurements, reporting... Not all telecom providers are capable of connecting all NLB d.d. branch offices.Different providers – very different prices.

Cable installations (within buildings) Might be a problem: protected buildings, permits, cabling documentation, extra costs, extra time...Who is responsible for cabling...


ResultsGoals NLB d.d. conclusions

Sufficient capacity 10Mbps for each branch office, can be upgraded.QoS Telecom providers put QoS parameters and measurement

methods into contracts. Unfortunately they do not offer QoS as required.

Availability High availability is technically supported by using primary and secondary connections. Unfortunately both are still from the same provider.

Security Enabled by using MPLS VPN over GRE/IPsec.Ability to easily support new network services (IP ATMs, IP telephony...)

Enabled by using MPLS VPN over GRE/IPsec. Independent from telecom provider. Consideration could be sufficient QoS.

Lower communications costs Much better price-performance. Lower network equipment maintenance costs. Server centralization/consolidation.

Independence from only one telecom provider

Independence is technically supported. Not all telecom providers are capable of connecting all NLB d.d. branch offices.


TO DO...

Sign the contract with providerEstablish connectivity with all branchesFinish implementation (only datacenters and one branch implemented)

Introduce network support for new services (IP ATMs)Start redesigning network core...


Q&AOne question at a time, please...


Thank you.

Janko Jager, B.Sc.ManagerNLB d.d., IT Processing and Infrastructure, NetworkŠmartinska 132, SI-1520 Ljubljana, SloveniaT:+386 1 476 46 98, F:+386 1 476 41 25, [email protected], www.nlb.si

http://www.nlb.si/

[email protected]. - telekomunikacije...mpls basedcore network withprotectionof alllinks metroethernet...

Documents