When an enterprise hires a service provider to deliver an MPLS wide area network (WAN), it is paying for more than simple connectivity. It is also paying for agreed-upon network architectures and service
The problem for enterprises is figuring out how to make sure the service provider is delivering what it promised.
"There are solutions that can monitor connections to the service provider's WAN," said Jeff Raice, executive vice president of marketing and business development at Santa Clara, Calif.-based Packet Design Inc. "I can monitor to make sure those links are up, but in a Layer 3 VPN, the IP routing layer, the service provider actually has an additional role other than connecting at a physical layer at each site. The service provider is also doing the routing for you. If I have 10 major sites that I want to connect across an MPLS VPN, I don't want to route across the wide area network. I'm paying a provider to do that for me."
As Raice noted, there are plenty of tools to determine whether MPLS links are up or down, but physical connectivity is just one part of the equation. Enterprises also want to know whether the MPLS network is routing data properly between their sites.
The shift from legacy wide area networks to MPLS networks offers enterprises plenty of advantages (faster transport, easy implementation of QoS), but they come at a price. Enterprises lose much of the visibility they used to have into their WANs because the local WAN links are simply forwarding data into a network cloud owned and managed by the service provider.
"When an enterprise moves to MPLS, it loses some of the visibility it used to have on how healthy those links are and whether or not they are passing the traffic they are supposed to pass and whether the service provider is delivering the SLA [service-level agreement] they committed to," said Jim Frey, senior analyst with Enterprise Management Associates. "A lot of times, service providers don't have the same granularity or criticality of concern that enterprises do [about how an MPLS network routes information]," Frey said. "A lot of times, it's up to the enterprises to worry about this."
For instance, is the virtual private network (VPN) provided by the carrier actually private?
"A service provider has hundreds of enterprise customers, and each enterprise is sharing that provider's single network infrastructure. It's the service provider's role to make sure that as the enterprises connect through the network, none of them are mingled together," Raice said. "It happens quite often that a service provider misconfigures a router, and all of a sudden my locations are getting routing addresses from another enterprise's network."
Also, enterprises have certain policies that they want the service provider to deliver in the MPLS network. A company might want the network maintained in a hub-and-spoke architecture where branch offices can't communicate directly with one another. Traffic must first pass through the firewall at headquarters before being forwarded to a branch. Or the enterprise will want a mesh network to improve redundancy. How can the enterprise verify that these architectures are delivered properly? An inadvertent configuration change to a service provider router can undo all of that.
Frey said there are a few ways to look beyond simple connectivity and determine whether an MPLS network is successfully connecting an enterprise's sites. For instance, a company can set up agents at each of its sites and send test traffic across the WAN to see whether it reaches across the network, he said. "And if I don't get a response, then I know something is bad." But he said this approach does put some additional load on the network, and it's not something that will test traffic constantly. But it's an affordable approach that smaller companies might try.
"There are other tools that try to assemble and watch passively the traffic going to and from remote sites, including those being reached across MPLS, so you can sort of build an activity view," Frey said. "That's great, except that you've got sites that aren't on 100% of the time. Sometimes they're quiet. And the question is: Are they down or are they just quiet?"
These approaches reveal the health of a WAN link, he said, but they don't check the integrity of the path that a service provider uses to route data between sites. So it's impossible to use such methods to detect whether policies set by enterprises are being followed by the provider.
This week, Packet Design Inc. introduced MPLS WAN Explorer, an appliance that listens passively to a service provider's WAN edge routers to determine how those routers are forwarding and receiving data among an enterprise's sites.
Raice said MPLS WAN Explorer analyzes the routing protocols that these edge routers use to communicate with the rest of the provider's network and the path it uses to route traffic from one enterprise site to another. It can't actually see beyond the provider's edge network, but it hears what the edge routers are saying. This allows it to set a baseline of how the provider's MPLS network looks. From there, it can detect whether any of the routers change how they forward data into the provider's network. If a service provider inadvertently reconfigures a router in such a way that the enterprise's policy of a mesh MPLS network is violated, the enterprise's IT organization will receive an alert. And if an edge router somehow loses the destination addresses for the enterprise's sites connected at other points on the WAN edge, the product will catch that as well.
"We constantly listen to routing announcements, and we can alert to any change," Raice said. "So if a bunch of routing addresses disappear from one site, that means that site doesn't know how to reach the resources at those addresses. We can detect that and alert enterprise IT people that you've lost reachability between site 1 and site 2."
MPLS WAN Explorer, which is now available, will cost between $100,000 and $250,000, Raice said, depending on the size of deployment. This is a hefty price tag for many companies, but Frey said the product will pay for itself pretty quickly if a company can use it to avoid even a little bit of downtime.
"But the place where it really makes a big difference will be those companies that have more than one service provider," Frey said. "They will be able to track multiple service providers."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor