
TECHNOLOGY BRIEF: MANAGING VPNS WITH CA SPECTRUM

How Service Providers can Offer Premium Services and Increase Revenue by Effectively Managing VPNs

Table of Contents

Executive Summary

SECTION 1: CHALLENGE
The Challenges of Managing Service Provider Networks
Managing Thousands of Devices
Managing a Myriad of Services
Managing International Operations
Managing Equipment from Multiple Vendors

SECTION 2: OPPORTUNITY
The CA SPECTRUM® Opportunity
Distributed Server Architecture
Fault Tolerant Architecture
Distributed Viewing and Navigation — OneClick Architecture
Efficient Service Assurance
Reduced Operator Intervention
Reduced Network Traffic
Multi-Vendor Management

SECTION 3: BENEFITS
CA SPECTRUM — Designed for Service Assurance

SECTION 4: CONCLUSIONS

ABOUT CA

Copyright © 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted
by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or non-infringement. In no event will CA be
liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.
Executive Summary
Challenge
Service providers are rapidly rolling out managed Virtual Private Network (VPN) services,
including MPLS VPNs, which enable carriers to offer differentiated levels of service
commensurate with customer needs. One of the concerns that carriers face is how to
effectively manage these large scale networks to ensure that customers are receiving the
level of service for which they have contracted. Factors adding to the complexity of
managing MPLS VPNs include:
• Managing thousands of devices
• Managing a myriad of services
• Managing international operations
• Managing equipment from multiple vendors

Opportunity
CA SPECTRUM® Network Fault Manager is suited to manage these challenges while
increasing operator efficiency and lowering costs. CA SPECTRUM provides advanced tools
and policies that are essential to delivering reliable, scalable and profitable VPN services.
CA SPECTRUM provides a distributed, fault tolerant architecture built to support the
world’s largest service provider networks offering complex services over network
equipment spanning hundreds of different vendors. CA SPECTRUM also provides an
efficient services architecture to proactively monitor the health of service delivery from
edge to edge, and provides efficient dashboard views into service quality. With all of its
capabilities, CA SPECTRUM gives service providers the opportunity to increase revenue
through differentiated services and offers.

Benefits
CA SPECTRUM can manage the complexities of MPLS VPN services, enabling service
providers to take advantage of this growing market opportunity. Using a combination of
historical performance data and real-time monitoring and assessment, along with a
distributed and fault tolerant architecture, CA SPECTRUM offers the essential capabilities
required for large scale, managed VPN environments:
• Scalability
• Service assurance
• Reduced operator cost
• Multivendor support

SECTION 1: CHALLENGE
The Challenges of Managing Service Provider Networks
Premium services demand high service quality. This is not an easy task when networks span
thousands of devices, a multitude of service types, international services and a variety of
network equipment vendors.

Managing Thousands of Devices


The first and most obvious challenge in managing large service provider environments is the
huge number of devices that make up the network. As networks scale to thousands and tens
of thousands of intelligent devices, typical management paradigms are no longer adequate
to address this scale of problem. Historically, an enterprise could be managed by polling all
devices from a single or small number of management stations. This approach fails when the
number of devices reaches into the tens of thousands. In addition to the number of devices, it is
the relationship between these devices that significantly increases the management complexity.

As device count increases, total port count increases even more significantly. Current devices
have the capacity to connect to potentially hundreds of other devices. While these additional
connections provide increased service and connectivity options, this greatly increases the
complexity of management. This increased complexity is due to the additional dependencies
on services provided by these other devices. Without proper control, outages and configuration
errors can negatively and quickly propagate throughout the network, affecting a large number
of other devices. This cascading of a fault would cause expensive downtime and loss of service
for a large number of customers. It is essential for the management system to understand and
accurately model these critical relationships between devices.

Today we stand at a critical junction of network, systems and service management brought
about by the increase in:
• Device count
• Device port density
• Device dependencies

Managing a Myriad of Services


In addition to the number of devices which make up today’s provider networks, there are a
large variety and growing number of service offerings. A few examples of these ever increasing
service offerings include:
• MPLS VPNs – Layer 3
• MPLS VPNs – Layer 2
• Voice over IP
• Internet connectivity
• Data backup services
• Hosted applications
• Network security
• Redundant/failover links

As the number of services increases, there is additional burden on the routers, switches and
other devices that make up the network. Likewise, the impact on management is significant. Just
as each device supports an increasing port density, devices are also supporting an
increasing “service density”. In other words, a single device is offering an increased number of
critical services to the end user. In addition to managing the devices, these services must be
properly managed to deliver contracted service levels to the end user.

The increase in devices, ports and services leads to an explosion in the number of managed
objects that must be handled by the management system. As the number of managed objects
increases, the cost of managing this environment also increases. There are some indications
that these increases are not simply linear, but increasing more rapidly than the total number
of objects.

Managing International Operations


Multinational service providers present a challenge due to the geographically dispersed nature
of their operations. It is possible that the customer edge equipment, provider edge equipment,
network management server and network management client can be in different locations and
time zones.

Managing Equipment from Multiple Vendors


Managing large, distributed multi vendor networks presents a challenge to service providers.
There are a number of major vendors who sell to the service provider market. The challenge
this poses is that vendors seldom use the same, or even similar, SNMP MIBs in their devices.
In addition, the configuration of devices and services varies significantly from one vendor
to another.

SECTION 2: OPPORTUNITY
The CA SPECTRUM Opportunity


The architecture of CA SPECTRUM combined with its management tools make it capable of
managing complex multi vendor networks and delivering the high quality of service that
premium services require.

Distributed Server Architecture


CA SPECTRUM employs a distributed server architecture, which is the foundation that
enables distributed management applications to scale to the largest management environments.
No single management server alone can provide the capacity to manage these
networks. The distributed architecture is based on the CA SPECTRUM Assurance Server
capability, which distributes critical aspects of management over many servers for greater
scalability of CPU load, memory, disk bandwidth and network bandwidth, the last by localizing
polling traffic. In large networks, the CA SPECTRUM Assurance Server capability is typically
used in fault tolerant pairs, which are discussed later.

A service provider's network consists of core and edge routers, connected to customer edge
routers. The entire network is separated into multiple management domains based on:
• Administrative control
• Topology
• Location
• VPN membership

FIGURE A: MANAGING MULTIPLE DOMAINS OF A SERVICE PROVIDER
Managing the multiple domains of a service provider network is complex. It involves managing
multiple devices, including service provider core and edge routers and customer edge routers.

Fault Tolerant Architecture


In addition to the distributed server architecture described above, each Assurance Server
can operate as a fault tolerant pair. This capability has been successfully used by some of the
largest global service providers and enterprises. This capability is continually enhanced to meet
the challenges and requirements of the most demanding network environments, allowing for
continuous monitoring of the network through a redundant Assurance Server, which can be
available in any of the following configurations:
• Hot Standby: redundant server actively polling
• Warm Standby: redundant server is ready, but not polling
• Cold Standby: redundant server is started upon failure of primary

A hierarchy of fault tolerant, distributed servers, as shown in Figure B, can be used in large
service provider deployments where redundancy of a “chain of management” is needed. In this
architecture, the servers in charge of the lower level domains (Domain 1 – 3) are visible to the
server managing the entire environment.

FIGURE B: FAULT TOLERANT DISTRIBUTED SERVER ARCHITECTURE
This figure demonstrates the use of fault tolerant server pairs in a chain of management. The
higher domain servers are in a fault tolerant configuration managing three lower level domains,
which are also in fault tolerant configurations.

Distributed Viewing and Navigation — CA SPECTRUM OneClick Architecture


The distributed server architecture by itself is not sufficient to manage large networks
efficiently. With CA SPECTRUM, this is complemented by a distributed view and navigation
paradigm, the CA SPECTRUM OneClick architecture, which allows the operator to seamlessly
navigate from one management domain to another. In fact, the operator need not be aware
of the fact that they are traversing management domains — all managed entities appear to
be part of one uniform workspace. This greatly simplifies navigation as it is not necessary to
establish a connection to the “right server” to obtain management information. In addition, all
global resources, like VPNs, are shown in a single view. Figure C illustrates this with a simple
screen shot. Each of the unique devices under “vpn-red” could be in a separate management
domain and monitored by a different Assurance Server.

FIGURE C: DISTRIBUTED VIEWING AND NAVIGATION
CA SPECTRUM OneClick architecture provides simplified navigation.

CA SPECTRUM OneClick architecture is a three-tier, web-based architecture whose central
component is a Web server that connects directly to CA SPECTRUM Assurance Servers and
delivers information out to distributed Java clients. The CA SPECTRUM OneClick architecture
provides the best of both worlds by leveraging the intuitive nature of web-based applications
with the scalability and responsiveness of desktop client applications.

Efficient Service Assurance with CA SPECTRUM® Network Fault Manager MPLS VPN
Manager (CA SPECTRUM NFM MPLS VPN Manager)
There are two primary techniques to provide service assurance, each having unique strengths
and weaknesses. Passive techniques typically require fewer resources to operate, but they
provide limited information to the user. Active techniques provide richer information at the cost
of increased resources. In order to better serve customer needs, CA SPECTRUM NFM MPLS
VPN Manager provides both types of service assurance techniques in its management suite:
• Passive techniques: Trap handling, interface to site rollup
• Active techniques: MPLS-aware VRF Ping and Traceroute

In environments where traps are used, trap handling provides the most resource-efficient way to
manage these services. Examples include the following traps, which are sent when the VRF
changes state:
• VRF interface up
• VRF interface down

As network devices become more capable, there will be increased reliance on active service
assurance techniques.

VRF AWARE PING
VRF-aware ping is one of the active service assurance tools available to the
CA SPECTRUM user. This is used to monitor not just the health of the devices, but also the
service provided by the entire infrastructure. This is accomplished by creating tests at the
edge of the network to ensure connectivity between any two points. Typically this is used to
ensure that a customer can reach all its sites on a provider’s network. In addition to simple
connectivity, these tests may be used to monitor response time between pairs of sites on the
customer’s network.

While the VRF-aware ping is a useful tool in managing MPLS VPN environments, judicious use
is required to ensure maximum effectiveness. Testing to ensure that all sites in a VPN can
reach one another becomes impractical when the number of sites is greater than 50. A full
mesh test scenario is an “n squared” problem and would lead to 2,500 tests per test cycle.
Large VPNs present even greater capacity limitations.

In order to scale to VPNs with a large number of member sites, CA SPECTRUM offers several
techniques and user-definable options to ensure performance and scalability. These are:
• Disable VRF ping completely
• Enable VRF ping per VPN (useful for premium VPN services)
• Enable VRF ping per site

In addition to being able to include or exclude a site in the testing process, CA SPECTRUM
allows the user to define what role the site plays in the network. Rarely do all sites in a VPN
need to connect directly to all other sites. Instead, a more common scenario is all remote
offices need to connect back to servers at the corporate headquarters — greatly reducing the
number of tests that need to be provisioned. In addition, common hub and spoke topologies
can also reduce the number of tests. Each spoke communicates with one hub directly instead of
with dozens of other sites.

CA SPECTRUM delivers superior flexibility, allowing the user to define the test role of each site.
The possible roles include the following:
• Testing Disabled
• Source Testing Role (VPN site is an originator for VRF testing)
• Destination Testing Role (VPN site is the destination for VRF testing)
• Source and Destination Testing Role
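
The effect of these roles on test volume can be worked through in a short script. This is an added example, not CA SPECTRUM code: the site names are constructed, and it assumes that every source-capable site tests every destination-capable site in the same VPN.

```python
from enum import Enum
from itertools import product


class Role(Enum):
    # Mirrors the four per-site test roles listed in the brief.
    DISABLED = "testing disabled"
    SOURCE = "source"
    DESTINATION = "destination"
    BOTH = "source and destination"


def plan_tests(site_roles):
    """Return the ordered (source, destination) test pairs for one VPN.

    Assumption: every source-capable site tests every destination-capable
    site in the same VPN, and a site never tests itself.
    """
    sources = [s for s, r in site_roles.items() if r in (Role.SOURCE, Role.BOTH)]
    dests = [s for s, r in site_roles.items() if r in (Role.DESTINATION, Role.BOTH)]
    return [(s, d) for s, d in product(sources, dests) if s != d]


def untested_sites(site_roles, tests):
    """Sites that appear in no test at all: a blind spot for service assurance."""
    covered = {site for pair in tests for site in pair}
    return sorted(set(site_roles) - covered)


def full_mesh(sites):
    # Every site is both source and destination: n * (n - 1) ordered pairs.
    # The brief's "n squared" figure (2,500 for 50 sites) is the same order
    # of growth before self-tests are excluded.
    return {s: Role.BOTH for s in sites}


def hub_and_spoke(sites, hubs):
    # Hubs only answer tests; every other site only originates them.
    return {s: (Role.DESTINATION if s in hubs else Role.SOURCE) for s in sites}


# Constructed sample: a 50-site VPN with one headquarters site.
SITES = ["hq"] + [f"branch-{i:02d}" for i in range(1, 50)]

if __name__ == "__main__":
    for name, roles in [
        ("full mesh", full_mesh(SITES)),
        ("hub and spoke", hub_and_spoke(SITES, {"hq"})),
    ]:
        tests = plan_tests(roles)
        print(f"{name}: {len(tests)} tests per cycle, "
              f"untested sites: {untested_sites(roles, tests)}")
```

Setting a site to Testing Disabled removes it from every pair, so `untested_sites` is worth checking whenever roles are trimmed to save capacity.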

VRF AWARE TRACEROUTE
VRF Aware Traceroute is the other active service assurance tool
available in the CA SPECTRUM NFM MPLS VPN Manager module. Similar to the ping tool that
creates end-to-end connectivity tests, this creates end-to-end path tracing tests. These tests
are used to determine stability of the core network (MPLS LSPs). For example, one service
provider has discovered that if more than 10% of paths are changing in a single cycle, it
indicates a critical problem. In their case, the service provider created alarms to highlight
whenever that occurs.
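
A path-churn check of the kind that provider describes could look like the following. This is an added example, not CA SPECTRUM code: the site and hop names are constructed, and the treatment of unanswered hops and missing results is an assumption of the example.

```python
CHURN_THRESHOLD = 0.10  # the "more than 10% of paths" figure quoted in the brief


def same_path(a, b):
    """Hop-by-hop comparison; '*' (a hop that did not answer) matches anything."""
    return len(a) == len(b) and all(x == y or "*" in (x, y) for x, y in zip(a, b))


def evaluate_cycle(previous, current, threshold=CHURN_THRESHOLD):
    """Compare two traceroute cycles keyed by (source, destination) site pair."""
    comparable = [pair for pair in previous if pair in current]
    changed = sorted(p for p in comparable if not same_path(previous[p], current[p]))
    # Tests with no result this cycle are reported separately, not counted as churn.
    missing = sorted(p for p in previous if p not in current)
    fraction = len(changed) / len(comparable) if comparable else 0.0
    return {
        "fraction_changed": fraction,
        "changed": changed,
        "missing": missing,
        "alarm": fraction > threshold,  # strictly more than the threshold
    }


def reroute(cycle, count, via="p-2"):
    """Constructed helper: move the first `count` paths onto another core hop."""
    out = dict(cycle)
    for pair in sorted(cycle)[:count]:
        hops = list(cycle[pair])
        hops[1] = via
        out[pair] = tuple(hops)
    return out


# Constructed baseline: 20 branch sites traced to one headquarters site.
BASELINE = {
    (f"site-{i:02d}", "site-hq"): ("pe-a", "p-1", "pe-hq") for i in range(1, 21)
}

if __name__ == "__main__":
    for n in (2, 3):
        result = evaluate_cycle(BASELINE, reroute(BASELINE, n))
        print(f"{n} paths rerouted: {result['fraction_changed']:.0%} changed, "
              f"alarm={result['alarm']}")
```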

As with VRF-aware ping, VRF-aware Traceroute testing requires thoughtful techniques to
ensure performance and scalability since VRF Traceroute creates more network packets for a
single test. For this reason this feature offers the same configuration options for each site:
• Testing Disabled
• Source Testing Role (VPN site is an originator for VRF testing)
• Destination Testing Role (VPN site is the destination for VRF testing)
• Source and Destination Testing Role

Reduced Operator Intervention


One of the primary costs of delivering reliable network services to a large customer base is
operator expenses. Operator efficiency translates directly to cost savings. For this reason,
the CA SPECTRUM NFM MPLS VPN Manager solution offers a number of out-of-the-box
capabilities that increase operator productivity, speed time to resolution and ultimately reduce
cost. These capabilities include the following:
• Automated service management
• Auto-provisioned server assurance tests
• Seamless cross server navigation
• Collapsing views focusing on desired areas
• Global policy control with local overrides
• Advanced search capabilities

The automated service management capability allows the system to discover and model new
MPLS services as new network devices are managed in CA SPECTRUM or as new services are
provisioned on existing devices. This greatly reduces the amount of time and effort required
for operators to configure the system. In addition, these features may be configured so that
service discovery happens only at certain times or to conform to local policies or practices.
For example, it may be desirable to limit discovery operations to off-peak hours.

The remaining items in the list provide operator efficiencies in viewing, navigation and
searching. These enhancements give operators the tools to work efficiently across numerous
large networks. Global policy control is a great asset in managing server policies in a
multi-server environment. This feature allows an operator to set the policy on a single Assurance
Server and push that policy to all other Assurance Servers. Examples of the types of attributes
which may be set include:
• Enable Dynamic Discovery
• Enable Trap-based management
• Enable Port Polling on PE routers
• Model Inactive VPNs
• Enable VRF Ping / Set Polling Interval / Set Timeout
• Enable VRF Trace / Set Polling Interval / Set Timeout
• Enable Cross Server Service Assurance

In addition, the global policy control allows operators, with the appropriate privilege, to
override a global setting and enact local policies for their management domain where
conditions require.

Reduced Network Traffic


Although the cost of network bandwidth on a per bit basis continues to decrease, service
providers will attest that it is still far from free. For this reason it is necessary to ensure that
operations and management activities consume as little network bandwidth as possible. There
are a number of advanced features in CA SPECTRUM that give operators greater control over
the allocation of management bandwidth. These features include:
• Flexible Polling Options
– Per device class
– Per device type
– Per device
– Per interface
• Trap-based Service Monitoring

The flexible polling options allow these activities to be focused exactly where they are needed.
The trap-based service monitoring reduces polling requirements significantly by providing a way
to quickly detect changes in VPN service. These changes could be:
• New VRF provisioned
• An existing VRF has been reactivated
• A VRF has been deactivated
• A VRF has been deleted

Multi Vendor Management


CA SPECTRUM is designed to support the management of intelligent network devices in a
multi platform, multi vendor environment. CA SPECTRUM multi vendor support has included
an impressive list of leading and emerging vendors that span the networking industry. This
list includes:
• Cisco Systems
• Juniper Networks
• Nortel Networks/Bay Networks/Synoptics
• Alcatel-Lucent
• Cabletron/Enterasys/Riverstone Networks
• 3Com
• Foundry Networks

SECTION 3: BENEFITS
CA SPECTRUM — Designed for Service Assurance
CA understands the concerns of the service provider — scalability, availability and cost control
— and provides the capabilities within CA SPECTRUM to meet these requirements so that
premium services can be competitively offered.

CA SPECTRUM distributed architecture provides the scalability to manage thousands of
devices, ports and services. CA’s platform-independent approach assures the ability to support
the multi vendor environment found in large service provider networks and in their customer
networks.

The distributed fault tolerant architecture of CA SPECTRUM is a key part of the service
assurance that is essential for premium service offerings. Active tests for end-to-end
connectivity and response testing go one step further in maintaining quality service.

Reduced operator costs through automation, advanced techniques for viewing, navigation and
searching, and global policy control are just some of the ways that the CA solution enables
premium services to be offered at a reasonable cost, keeping your business profitable and
competitive.

SECTION 4: CONCLUSIONS
CA SPECTRUM has a long history in large-scale distributed network and service management.
The CA SPECTRUM NFM MPLS VPN Manager builds on this foundation and extends the
capability to handle the largest service provider and enterprise networks where MPLS VPNs
exist. This advanced capability is one member of a large and growing family of complementary
management applications in the CA SPECTRUM suite, which includes modules such as:
• Service Manager
• Network Configuration Manager
• Report Manager

The single goal of this family of applications is to minimize the operational expenses of
managing large, complex networks. This is accomplished by automating the tasks associated
with network, systems and applications management and allowing the management staff to
visualize and monitor their network at a higher level.

The CA SPECTRUM team continues to focus on developing advanced management tools with
the aim to unify and simplify management operations.

To learn more about the CA SPECTRUM architecture and technical approach, visit
ca.com/spectrum

CA, one of the world’s largest information technology (IT)
management software companies, unifies and simplifies
complex IT management across the enterprise for greater
business results. With our Enterprise IT Management vision,
solutions and expertise, we help customers effectively
govern, manage and secure IT.

TB05ESMSPEC01E MP322361107

Learn more about how CA can help you transform your business at ca.com
