«Executive Summary Enterprises today are radically different than those even a few years ago. Back in the 1990s, IT architects designed the WAN to ...»
Do More with MPLS: The Anywhere Office
Enables Remote and Virtual Workers
By Johna Till Johnson
President & Sr. Founding Partner, Nemertes Research
Enterprises today are radically different than those even a few years ago.
Back in the 1990s, IT architects designed the WAN to connect traditional office
facilities—in fact, “WAN site” and “office building” were effectively synonymous.
These days, roughly 90% of employees reside and work someplace other than at corporate headquarters—in workplaces as disparate as home offices, hotel rooms, out in the field, and at customer sites. And today’s WANs need to be designed to accommodate the needs of these “anywhere office” workers.
Fortunately, IT planners can choose from a bevy of tried-and-true technologies such as MPLS to deliver consistent application performance to this “anywhere workforce”. Moreover, MPLS-based architectures can lay the groundwork for next-generation cloud communications services, including video, collaborative services, and unified communications.
The Issue Most enterprises have deployed WANs based on multiprotocol label switching (MPLS): 84% of enterprises participating in Nemertes’ 2009 benchmark say they’ve deployed MPLS at least somewhere in their WANs—up from 76 percent in 2008, and just 24 percent in 2004. The advantages to an MPLS WAN are well- known. One is the ability to support end-to-end traffic prioritization and quality of service (QoS), which is critical for latency-sensitive traffic like voice and video, as well as emerging applications such as desktop virtualization. Another advantage is the ability to support any-to-any traffic flows (again, these are characteristic of human-to-human applications like voice and video, as opposed to machine-to- machine applications such as client-server or web-based applications). And MPLS scales nicely with application bandwidth requirements, from sub-T1 to OC-3 and beyond.
1 ©Nemertes Research 2009 www.nemertes.com 888-241-2685 DN0702 What many companies haven’t yet realized, however, is how MPLS can also help companies connect their increasingly distributed and remote employees and sites. The concept of the “anywhere office”—the idea that employees should be able to work effectively regardless of geography—is rapidly taking hold; 87 percent of organizations consider themselves “virtual workplaces”. But the hidden dynamic when it comes to supporting these “anywhere offices” is the presumption that regardless of how far-flung or remote, employees should have the same access to the same applications as their peers in more established offices. That means that these employees have the same requirements for prioritization, QoS, any-to-any connectivity, security, and bandwidth as their in-office peers.
The Evolution of WANs To understand how MPLS can enable the anywhere office, it helps to start with a historical review of WAN design. In particular, the definition of a WAN has undergone a subtle, but critical, evolution over the past two decades.
In the 1990s, WAN architects made several (usually unstated) design
Traffic consisted overwhelmingly of data applications. Voice and video were handled over separate networks (typically voice VPNs and ISDN, respectively). That meant that a hub-and-spoke architecture made perfect sense (since traffic primarily flowed from servers to users).
Only office sites merited WAN connectivity, and most employees worked in offices. The handful of employees that required different arrangements gained connectivity through separate networks (typically dial-up connectivity to remote-access gateways and later, services).
Last and most crucially, there was an implicit assumption that employees outside of the core WAN sites simply had to ratchet down their expectations for application performance.
In addition to these assumptions, designers relied on a slowly-expanding portfolio of technology options. The earliest IP WANs were based on leased-line networks (routers interconnected via leased lines) on routed leased-line connections. As frame relay began to emerge in the mid 1990s, it served as a costeffective way to interconnect sites and give architects a way to limited way prioritize different types of traffic. Later still, companies began deploying asynchronous transport mode (ATM) technology, which provided both connection-oriented services and more sophisticated QoS than frame relay.
By approximately 2000, a new technology had emerged that represented in many ways a paradigm shift over previous options. MPLS-based services gave network architects access to a much broader range of bandwidths than ATM and frame relay, added support for QoS based on mapping IP header information to optimize paths across the carrier network, and was based on a meshed design to support any-to-any connectivity. The most significant transition over the decade 2 ©Nemertes Research 2009 www.nemertes.com 888-241-2685 DN0702 since then has been the overwhelming rush to embrace MPLS-based services (as noted, 84% percent of companies now deploy such services).
But technology wasn’t the only thing that changed. Over the same 20 years, the design assumptions that WAN architects started with gradually eroded—to the point where today, none of the earlier assumptions are true. Today’s WANs typically carry voice and video (as well as data). The definition of a WAN site has grown and expanded, to encompass not only traditional office buildings, but also unstaffed data centers, micro-branch offices and even individuals working from home or the road. Employees are increasingly distributed in ever-smaller offices (with roughly 90% working somewhere other than at headquarters).
And most critically, employees have come to expect that wherever they are— whether a “traditional” office/WAN site, in telecommuting offices, or even out in the field—they will have access to the same applications and services as anyone else with the same level of performance.
Fortunately, the same architecture that sustained companies for the past decade is also well-equipped to meet the expectations of that increasing percentage of employees residing in the “anywhere office”.
The “Anywhere Office” What is the “anywhere office”? Nemertes defines seven basic categories of “non-traditional” workplaces (noting again, that in some companies, these can
comprise the majority of workplaces). These include:
Teleworkers (those that work from home either part-time or fulltime) Small offices (those with under 10 employees) Branch offices (roughly 10-50 employees) New office launches (offices that have been opened in remote geographies in advance of the availability of traditional voice and data services) Road warriors (employees who largely work from hotels and other public sites) Customer site workers (employees such as consultants who primarily work for long stretches of time from other companies’ networks) Field force workers (employees whose primary connectivity for both voice and data is wireless).
Strictly speaking, branch offices aren’t “new”—many frame relay sites in the 1990s met this definition—but branch offices have changed character over the past few years. These days, they’re significantly more likely to have no onsite IT support, and require integrated voice, data, and security services.
As noted, MPLS-based services can enhance the quality and reliability of all these flavors of “anywhere office,” although the mechanics of how each type of site is connected to the MPLS “cloud” varies by type of site. Before discussing design specifics, though, it makes sense to first briefly consider the bandwidth, security, 3 ©Nemertes Research 2009 www.nemertes.com 888-241-2685 DN0702
and wireless requirements of users at each type of site. (Please see Figure 1:
Anywhere Office Requirements, Page 4.) When it comes to bandwidth requirements, a good rule of thumb is that with rare exceptions, multiuser sites require more bandwidth than individuals. The exact amount of bandwidth depends on the specific mix of current and future applications, and it’s also important to note that bandwidth requirements aren’t a straight multiple of user count ( a site with 10 users doesn’t require 10 times the bandwidth of a single user).
When it comes to security, the main concern is whether the user is connecting via a public or private network, with public-network users requiring a greater degree of security (such as client VPN software). And finally, wireless connectivity depends heavily on use cases. In general, teleworkers don’t require wireless connectivity (although home wireless LANs have become increasingly popular). Nor do customer-site workers, who typically use the higher bandwidths of wired connections at customer sites. Field force workers and road warriors, in contrast, almost always require wireless connectivity.
Figure 1: Anywhere Office Requirements MPLS Architectures How do MPLS-based services provide connectivity for each of these types of workers? The basic architecture is an MPLS core connecting with the anywhere office sites, either directly or via the networks to which those sites or users connect.
4 ©Nemertes Research 2009 www.nemertes.com 888-241-2685 DN0702 A good way to think of this design is as a hybrid, or enhanced, MPLS architecture: Most branch offices, whether new, small, or traditional, can connect directly into the MPLS cloud. Depending on capacity required, the access circuit can be anything from DSL to a T1 pipe to nXT1 to Ethernet.
Figure 2: MPLS Core Architecture The device at the user’s site is typically an MPLS-capable CE (customer edge) router that prioritizes packets as they leave the site. That means that as for any MPLS site, the IT team defines appropriate classes of service, and determines which applications fall within each class. The IT team then negotiates with the carrier to define how much of the access pipe is dedicated to each class of service, and how that service quality is mapped and supported end-to-end in network.
Not all users are able to connect directly, however. In some cases, teleworkers (and often smaller branch-office sites) may connect to the MPLS cloud via the Internet. This means the IT team selects an ISP for those sites, and the ISP connects to the MPLS cloud via peering connection between the ISP and the MPLS provider. (If the ISP and the MPLS provider are the same company, this peering point is internal to the carrier’s network). The big difference between this and the previous scenario is that QoS isn’t honored end-to-end—the Internet connection to the user’s site isn’t able to support MPLS QoS—although IT may deploy home/edge routers with QoS capabilities to prioritize traffic leaving the site.
5 ©Nemertes Research 2009 www.nemertes.com 888-241-2685 DN0702 It is also possible for the carrier to provide “security-in-the-cloud” services that deliver enhanced security to these sites. (Security isn’t the only “cloud service” that this architecture can deliver, as we’ll discuss below). Typically IT can deploy VPN encryption technologies such as SSL or IPsec to individual users at these sites to ensure privacy.
Users connecting from a customer site have a slightly more complex challenge. Typically the customer site is not connected to the MPLS cloud—or rather, the customer may be connected to its own MPLS network, but not that of the user’s company. In this case, the user has two choices for connectivity: use the customer’s Internet connection (properly protected via IPsec or SSL) or use a mobile wireless service.
Finally, mobile workers can connect to the MPLS network via mobile services. Ideally these will be relatively high-bandwidth services, such as 3G services or Long Term Evolution (coming out in January 2010). As with Internet connectivity, the mobile network connects to the MPLS carrier’s MPLS cloud either via a peering arrangement (if they are two separate carriers), or via internal connectivity inside the carrier’s network.
Cloud Communications Services
It might be obvious from the discussion so far Internet-based access to MPLS services has one big drawback: lack of end-to-end QoS. The mobile networks and Internet connectivity that links in some of the “anywhere offices” lack the ability to deliver QoS once outside the MPLS cloud. So what’s the benefit of using MPLS?
There are two benefits, primarily. First is that MPLS-based security and QoS can be deployed across as much of the WAN as possible. Although obviously QoS and security can’t protect traffic once it’s left the MPLS cloud, this architecture enables the protection for the greatest possible percentage of the traffic path. Second, it ensures policy consistency: If certain types of traffic need to be handled in a certain way (regardless of where it initiates or terminates), IT practitioners can set and manage those policies for all traffic. (Again, enforcement can only occur on the MPLS portions of the traffic path—but the alternative is no policy and no enforcement).
For these reasons, the MPLS-based architecture provides a platform that enables consistent delivery of advanced communications services such as VOIP and unified communications applications (or at least, as consistent as possible)..
For many companies, deploying MPLS-based services was the first step in the long-term communications strategy. Tying in remote sites and “anywhere offices”, as discussed above, represents the second step. And the third step is using this architecture as a platform across which to deliver a constellation of communications services, including voice, video, and collaboration.
6 ©Nemertes Research 2009 www.nemertes.com 888-241-2685 DN0702 For most organizations, the single largest driver for bandwidth growth over the next few years is video (and in particular, telepresence), with 36% of companies saying video is a top driver. Next up? Collaboration applications, with 29% citing these apps as bandwidth drivers. The third-most-popular driver is multimedia applications, cited by 25% of companies.