Extending enterprise LANs beyond the firewall


New concerns about security, business continuity in case of a disaster, and regulatory compliance with laws such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act mean that enterprise IT managers face not only the challenge of how to do more with less budget, but also how to meet stringent new internal and federal guidelines. If these guidelines are not followed, serious financial or even criminal penalties can result.

In this environment, it is more important than ever for IT managers to investigate the full range of services available to them from their carrier partners. Some of the larger carriers in the United States are upgrading their networks with multiservice provisioning platforms (MSPPs) that enable a broad range of services like voice, data, private line, and SAN in one compact product. The services these MSPPs enable not only provide tremendous cost savings, but also can help IT managers satisfy the new regulations and implement a sustainable business continuity and recovery mechanism. In particular, MSPP-enabled services can transport an enterprise’s SAN traffic natively across the WAN using the same technologies that helped extend Ethernet from the LAN to the WAN.

New government regulations regarding data management and storage along with advances in telecommunications equipment have inspired a new paradigm of converged service offerings. Converged offerings make it easier for enterprises to respond to the demand for heightened data management. Due to the stringent penalties imposed on enterprises for not adhering to the guidelines laid out by regulations like Sarbanes-Oxley, it is now imperative that IT managers consider the secure long-distance transport of SAN traffic in addition to voice and data, when developing LAN/WAN networking strategies.

Sarbanes-Oxley affects the efforts of all publicly traded companies that issue securities in U.S. public markets and file periodic reports with the Securities and Exchange Commission, while HIPAA only governs the practice of firms in the field of healthcare. Yet both laws include explicit requirements regarding the accessibility and backup of critical data in the event of a wide-scale disaster. Consider the following excerpt from Sarbanes-Oxley (http://www.sec.gov/rules/concept/34-46432.htm):

Maintain sufficient out-of-region resources to meet recovery and resumption objectives. Firms that play significant roles in critical markets, at a minimum, should have backup arrangements with sufficient out-of-region staff, equipment, and data to recover their critical activities within their recovery-time objectives. These arrangements can range from a firm establishing its own out-of-region backup facility for data and operations to arranging for the use of remote outsourced facilities. The objective is to minimize the risk that a primary and a backup site, and their respective labor pools, could both be impaired by a single wide-scale regional disruption, including one centered somewhere in between them.

That means enterprises are now faced with the need to back up critical data by transporting it to a separate SAN facility located in another region. For example, “Instead of providing disaster recovery between San Francisco and Oakland, the DR [disaster recovery] site should be located in Omaha or Chicago.” [1] As the SEC itself states, “Firms recognize that out-of-region facilities fall beyond the current distance capacity of some high-volume synchronous mirrored disk backup technology.” [2]

In response to these pressures, telecom vendors have extended the technologies used to revolutionize the transport of Ethernet over SONET facilities to include SAN protocols like Ficon, Escon, and Fibre Channel (FC). SONET is the underlying transport protocol that already carries most enterprise voice, video, data, and storage traffic across MANs and WANs and is widely regarded by industry experts as the best choice for SAN distance extensions due to its universal availability, proven security and protection, and functionality. [3]

In the past, enterprises were forced to convert their storage traffic into intermediary protocols like ATM or IP before transporting it over SONET networks. That not only increased the cost, but also contributed to problems such as increased overhead, latency, and suboptimal security. It also resulted in a more complicated LAN infrastructure, burdened with additional devices used only for protocol conversion.

Hybrid MSPPs allow enterprises to connect their SAN switches (whether they’re Ficon, Escon, or FC-based) directly to native interfaces on devices located right on the customer premises. That affords enterprises the option of using the same SONET lines they lease from carriers for data and voice traffic to establish their own SAN distance extensions. Because hybrid MSPPs employ a standards-based encapsulation method (ITU G.7041), they can both work with and be managed by carrier-network devices.

Figure 1. An out-of-region SAN distance extension can be used to meet new government regulations. SAN traffic is functionally encapsulated within SONET frames and transported seamlessly through the carrier WAN.

Taking advantage of this capability, many carriers are now offering private-line storage services (see Figure 1), which should be a welcome option for enterprises that do not want to take on the burden or expense of deploying their own SAN transport network in the face of strict new government regulations. An enterprise that deploys its own SAN transport network must not only hire personnel with expertise in the field and purchase and maintain new equipment, but also bear full responsibility in the case of a network failure. Sarbanes-Oxley and HIPAA contain the possibility of civil and even criminal penalties in the event a court deems there was insufficient oversight regarding recovery and accessibility of critical data. Carrier-managed storage services can help reduce this risk via redundant fiber routes and the inherent experience and expertise carriers have providing such services.

Older legacy telecom platforms did not integrate multiservice protocols like Ethernet or SAN. As a result, carriers could not provide a single offering for customers requiring transport of voice, data, and SAN traffic. As the demand for these services has grown among enterprises and end users, so has the need for multiservice-enabled customer-premises equipment (CPE). Yet legacy platforms still compose the majority of access devices deployed as CPE today, meaning that for each service an enterprise needs, there is a legacy platform associated with it as well as a separate access line and separate service provider bill each month. The end result is a network that requires three separate access lines and three different service providers to pay each month. The continued use of legacy platforms as enterprises and end users demand more types of service will also complicate reliability, security, and network management.

Today’s hybrid packet-based MSPPs are much more scalable and feature-rich than legacy CPE. Because of their scalability, integration of multiple service types, and rich feature sets, they can prove much more cost-effective than legacy platforms.

Modern MSPP CPE offers high-bandwidth optical access at the OC-3/12/48 level in conjunction with DS-1/3 interfaces for voice traffic, Fast Ethernet and Gigabit Ethernet (GbE) for integrated data transport, and native SAN interfaces (Ficon/Escon/FC), all in one compact platform (see Figure 2). Some MSPPs are also equipped with advanced quality of service (QoS) capabilities that functionally separate multiple traffic streams traveling over the same lines via virtual LANs (VLANs) and/or virtual private networks (VPNs). That adds an important level of security when transporting SAN and voice over IP (VoIP) traffic in addition to Ethernet. These characteristics make MSPPs ideal for the challenges facing enterprise IT managers today.

Figure 2. MSPP customer premises equipment takes advantage of native Ethernet and SAN interfaces to transport voice, data, and SAN traffic over the same optical line.

With CPE that provides integrated multiservice access, enterprises can continue to employ their entire data, SAN, and VoIP infrastructure, simply connecting to MSPP CPE at the point of transport. Because MSPPs host native Ethernet and SAN interfaces, there are no complicated protocol-translation devices required, and enterprises can consider the WAN as an extension of their corporate LAN.

The business case below further details the capital- and operational-expenditure savings available to enterprises that deploy carrier-managed MSPPs. The costs of operating a typical enterprise LAN infrastructure today (see Figure 3, scenario 1) equipped with legacy platforms for transporting voice, data, and SAN traffic are compared to the operating costs of an MSPP-based LAN infrastructure (see Figure 3, scenario 2).

Figure 3. While a typical legacy enterprise service connection requires multiple lines (scenario 1), MSPP-enabled service provision provides streamlined and more robust services (scenario 2).

Scenario 1 assumes the enterprise uses three functionally separate networks to provide these services to its headquarters of about 1,500 people. Scenario 2 illustrates the converged enterprise network with multiservice aggregation at the MSPP. All services from the enterprise now terminate natively on the MSPP for transport across the carrier WAN.

The Table details monthly access charges for the circuits itemized. These tariffs were taken as an average from several major U.S. carriers as reported in FCC report 499A and the FCC Statistics of Common Carriers.* It shows the cost savings achieved through the simple act of consolidating traffic from three separate networks (voice, data, and SAN) onto one converged network carried over an MSPP.

The 21% cost savings shown in the Table are certainly substantial and worthy of consideration on their own. Yet, transitioning to a converged enterprise network carries with it such important benefits as a route-diverse network for security against failures, flexibility in adding new services, in-service upgrades, and the benefit of carrier expertise in creating and managing a regulatory-compliant SAN solution.

In addition, in scenario 1 the enterprise’s GbE data network is carried over a leased line specifically for data transport, which provides only 622 Mbits/sec of throughput. By migrating to an MSPP network, the enterprise can tailor the data bandwidth it needs in 50-Mbit/sec increments all the way up to full-rate GbE.

Before converging traffic onto an MSPP, the enterprise’s SAN traffic was transported over a leased OC-48 wavelength, an extremely costly service that is underutilized in this case. The enterprise’s SAN needs include transport of a 1-Gbit/sec FC interface. An OC-48 wavelength has 2.5-Gbit/sec capacity, so over half the bandwidth goes unused even though the enterprise continues to pay for it. By transporting SAN traffic on an MSPP, the exact bandwidth needed can be dialed in, further increasing the efficiency of the network.

Several other savings can also be realized in the converged service model. By having only one carrier to deal with for all services, the enterprise can likely save on IT personnel costs and realize the luxury of having only one number to call in the unlikely event of network outages. Since this scenario negates the possibility of finger pointing among different carriers, it is perhaps one of the bigger benefits of a converged enterprise network.

From end users requiring new services and a persistent need for more bandwidth to shrinking IT budgets and new regulatory requirements governing the way critical data is stored and maintained, the challenges facing enterprises are myriad. There is no shortage of excellent carriers offering voice, data, or SAN services. However, soliciting these services from three or more separate carriers may not provide the most cost-effective solution. Higher monthly bandwidth charges, additional personnel, network complexity, and finger pointing in the event of trouble are issues that the enterprise IT manager needs to consider. Regulations such as HIPAA and Sarbanes-Oxley, with stiff penalties for failure to comply, present yet another challenge for IT managers in offering their end users a SAN distance extension solution.

Many of the country’s largest carriers have upgraded their network and subsequently their end-customer offerings with MSPPs. These MSPPs offer converged transport of voice, data, video, and now SAN protocols all on one platform. The benefits to the enterprise of consolidating their network on an MSPP include lower monthly bandwidth charges, reduced personnel expenditures, easier bandwidth adjustments, a simplified network, and perhaps most important, carrier expertise in providing secure, route-protected, and expertly managed SAN transport to meet regulatory requirements.

Jim Kraeutler is product marketing manager and Rich Goode is product marketing director for the Metropolis DMX product family at Lucent Technologies (Murray Hill, NJ).

*Individual customer prices may vary greatly given disparity in the duration of the contract, volume discount, on-net versus off-net, location, distance, service-level requirements, and when the contract was written. In comparing traditional transport (three-tiered) to next generation (converged) transport, variable costs, including distance and special charges, were not employed in either case in an effort to keep the comparisons similar and reasonable.

  1. Visit http://www.hds.com/pdf/fed_gov_wp_peri_128.pdf.
  2. Visit http://www.sec.gov/rules/concept/34-46432.htm.
  3. Visit http://www.byteandswitch.com/document.asp?doc_id=30192&site=byteandswitch.