Virtual Private Networks

An Early Look At Network-Based VPN Deployment —continued

Savvis and Nortel Network's Shasta 5000 Broadband Service Node (BSN)
Last year, Nortel Networks acquired Shasta, a Silcon Valley start-up that conceived the Shasta 5000 Broadband Service Node (BSN). This platform provides both DSL aggregation and managed IP services for carriers and providers. The Shasta Service Creation System (SCS) lets the provider quickly create and apply complex per-subscriber and per-ISP policies for IP services like VPNs, ICSA-certified firewalls, differentiated service marking, traffic policing, and traffic shaping.

Nortel got the Shasta 5000 BSN out to market early, resulting in top ranking for units shipped and worldwide revenue in Infonetics' 1Q00 report. To date, Nortel has announced more than a half dozen service provider customers, including Savvis Communications, Qwest Communications, Telstra, @Link Networks, BroadWing, Zyan Communications, and ConnectSouth. Brad Hokamp, Executive Vice President of Product Management and Marketing at Savvis, spoke with me about his company's experience with network-based VPNs using the Shasta 5000 BSN.

"Savvis rolled out its network-based managed service offering back in May at Networld+Interop, so we've been selling it for 3 months now," said Hokamp. "We've signed 30 customers to date, and implemented around 15 of those. The biggest of these is Bridge Information Systems, which we're migrating away from our private network." Savvis plans to roll out 80 Shasta 5000 BSN's throughout its global ATM/IP-based network, covering US, Europe, and the Pacific Rim. "We have 20 BSNs deployed today, including a few in Europe," said Hokamp.

According to Hokamp, combining the Shasta 5000 BSN with its ATM backbone lets Savvis to deliver the best of both worlds. Said Hokamp, "The Internet is simple and cost-effective. Private networks are very secure and offer controlled performance."

Private ATM and Frame Relay networks have been popular for years, but they can be complex, requiring CPE routers and interconnection of all sites with fully-meshed PVCs. "By the time you charge for ports, access links, and CPE, that approach is very expensive," said Hokamp. "In the last few years, we've also seen CPE-based VPNs. But you still have to deploy a CPE device with IPsec and firewall capabilities, and you lose control over performance."

According to Hokamp, the network-based approach "takes the complexity out by delivering intelligent IP services (firewall, virtual routing, VPN, etc.) with the kind of performance that our customers need."

How do network-based VPNs benefit Savvis and its customers? "From a price perspective, based on our cost structure with the network-based VPN solution, we are able to save customers 30-50% over traditional private Frame Relay networks, and 20-30% over CPE-based VPN solutions," said Hokamp. "Our savings are significant as far as capital is concerned — we cut our capital equipment costs five times by providing IP services in the network instead of CPE."

Savvis is also finding it easier to manage network-based services. "This is true even though we have a lot of experience managing CPE routers — we manage over 15,000 of them today," said Hokamp. "We're simplifying the network on our side, because the Shasta 5000 BSN is easier to implement and manage than CPE, and network-based VPNs are easier to design. At the customer premises, you still have an ATM mux or Frame Relay router. But routing is turned off — we bridge customer traffic onto the BSN, and the BSN does all the routing."

Savvis is also trying to simplify VPN packaging by offering a handful of bundled network-based services. "With our VPN plus Internet service, each customer site has one connection to a BSN. This connection is split into two logical VPNs: a public Internet context and their own VPN context for internal traffic," said Hokamp.

Savvis is trying to move 4500 financial institutions from its existing Financial Xchange private network service to IP Xchange and Private IP Xchange Extranet services. By migrating, "Every financial institution can have access to either their own private network or the shared network," said Hokamp. "We set up policies in the Shasta box that provide any-to-any connectivity, within a private or shared VPN."

All network-based offerings include intelligent IP services like IPsec, firewall, private routing, and NAT. They also include a CPE router, access line, and port into the Shasta 5000 BSN. "The only factors that vary are QoS and speed," said Hokamp.

"Thus far, this has been pretty smooth sailing for us," said Hokamp. Although a few problems with NAT and IPsec were encountered, Hokamp stressed that Nortel worked closely with Savvis to correct them. According to Nortel Director of Product Management Keerti Melkote, "We came out with an initial software set that did what we expected customers to require. We are learning as we go as to what is required, and have made the necessary changes. We feel we are now ready for mass market deployment."

"Customers have been extremely receptive to our network-based VPN services and our bundling approach," said Hokamp. "For example, Bridge is effectively a wholesale customer, and they've resold our network-based service to 75-80 financial institutions already."

One challenge: Getting customers to think differently about networking. "We are building market momentum by convincing customers to move intelligence into the network. In general, we rely on layer 2 PVCs from the customer premises to the BSN for security, but if customers want to encrypt traffic on this link, they can put an encrypting device behind our CPE router. A financial institution that requires end-to-end secure transactions knows they need to add something on top of what we offer. But, for the mass market, network-based tunnels are working well."

 

1. Introduction

2. Broadslate's Experience with Lucent

3. Savvis' Experience with Nortel

>4. AduroNet's Experience with CoSine, and Conclusion