Enterprises that outsource their WANs to MPLS VPN service providers gain cost-effective, high-bandwidth service delivery between sites. The tradeoff for these benefits can be a huge loss of management visibility into their WAN backbone. Route analytics technology has emerged as a way to regain visibility over MPLS VPN-based WANs, perform effective network analysis and keep service providers accountable.
Layer 3 MPLS VPN services are delivered by service provider IP/MPLS networks organized into a core of provider (P) routers and a layer of customer-facing provider edge (PE) routers, which connect to enterprise customer edge (CE) routers located at VPN-connected sites.
While outsourcing the WAN backbone to an MPLS VPN service offloads its management to the provider's shared infrastructure, it also results in the enterprise's WAN backbone residing primarily in the service provider’s routing administrative domain, making its inner workings invisible to the enterprise network manager. The resulting lack of WAN management visibility can impede effective troubleshooting of application delivery problems and sometimes make it hard to figure out whether a network issue is stemming from the service provider or the enterprise part of the picture.
The nature of the MPLS VPN customer-to-provider interface – a highly dynamic and complex Layer 3 IP routed peering – complicates the visibility issue since network managers must ensure not only that CE to PE links are “up” from a Layer 2 point of view, but that there is proper Layer 3 routing over these links and through the VPN “cloud”. On top of these factors, the most common routing protocol used in MPLS VPN CE-PE peerings is the Border Gateway Protocol (BGP), which is complex, difficult to analyze and easy to misconfigure.
Unfortunately, traditional multi-minute SNMP polling cycles aren't equipped to monitor VPN route advertisements and withdrawals that can happen within milliseconds, so the tools that most network managers have to monitor their network cannot provide much in the way of WAN management visibility.
Given these challenges, how then do network managers get the information they need to monitor VPN routing and reachability issues and determine whether a problem is being caused by the enterprise or the provider? How can they be sure their VPN is not getting mixed with another customer's, and that their VPN sites are routing properly through the VPN? Without visibility into these issues, enterprises and their providers can get caught in futile finger-pointing.
Enter route analytics technology. Route analytics works by forming peerings with a few key routers on the network, listening passively to and recording every routing protocol (BGP, OSPF, EIGRP, IS-IS) exchange and update, and creating a model of the network that is as accurate and up to date as the network itself. Users get a "router's eye view" of Layer 3 connectivity and reachability. In the case of MPLS VPNs, route analytics peers via BGP with the CE routers and receives all the routing updates that the CE router receives from other CE routers via the MPLS VPN. Route analytics never advertises routes or makes any changes to routing in the network, so it cannot adversely affect connectivity.
Route analytics helps monitor some key management criteria for ensuring the proper function of an MPLS VPN backbone:
• Remote Site Router and Network Reachability: “How do I know if my CE routers have a proper routing connection to the VPN and that the networks behind them are reachable?” By monitoring the real-time ebb and flow of advertised or withdrawn prefixes from the MPLS VPN, route analytics can rapidly detect if a remote site is offline from a VPN routing point of view, or if a routed network at any given site has become unreachable.
• VPN Privacy and Integrity: “How do I ensure that my VPN is not being mixed with another VPN customer network inside the service provider cloud?” By monitoring thresholds of newly advertised or withdrawn routed prefixes in the network, and by examining Autonomous System Numbers (ASNs) connected to the VPN, route analytics can quickly inform network managers if a potential breach of VPN privacy may have occurred within the service provider’s network.
• Forensic Analysis of Reachability Issues: “How can I see exactly what happened in the past, to solve problems and give customers forensic information?” Since route analytics keeps a rewindable and replayable history of all routing changes across the entire network, network managers always have a complete forensic repository to draw on for analysis purposes and in order to keep their providers accountable for issues that are clearly caused by the provider’s network.
• Remote Site IGP (Interior Gateway Protocol) Monitoring: “How do I get insight into potentially complex routing issues within the remote sites?” Since route analytics can analyze all major routing protocols across all parts of the network, network managers can now easily understand complex Layer 3 and routing issues occurring at remote sites or campuses.
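To make the passive-peering model and the first three monitoring criteria concrete, here is an added example (not code from the article or from any route analytics product) that records a constructed stream of BGP updates as seen from a CE peering, replays the RIB at any past time, flags expected prefixes that have gone unreachable, flags prefixes whose AS_PATH carries an ASN outside the enterprise's and provider's own, and raises a threshold alert on a burst of withdrawals. All timestamps, prefixes and ASNs are illustrative assumptions.

```python
# Constructed sample of BGP updates as a passive CE peering would record them:
# (timestamp, action, prefix, AS_PATH). Not real data; ASNs are illustrative.
EXPECTED_ASNS = {65001, 65002, 65003}   # assumed enterprise site ASNs
PROVIDER_ASN = 64512                     # assumed provider ASN
SITE_PREFIXES = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
UPDATES = [
    (100, "announce", "10.1.0.0/24", (64512, 65001)),
    (101, "announce", "10.2.0.0/24", (64512, 65002)),
    (102, "announce", "10.3.0.0/24", (64512, 65003)),
    (250, "withdraw", "10.2.0.0/24", ()),
    (260, "announce", "10.2.0.0/24", (64512, 65002)),   # site 2 flaps back
    (400, "announce", "192.168.7.0/24", (64512, 65099)),  # ASN not ours: possible leak
    (500, "withdraw", "10.1.0.0/24", ()),
    (500, "withdraw", "10.3.0.0/24", ()),
]

def rib_at(updates, t):
    """Replay the recorded updates up to time t (the 'rewind' view).
    Returns prefix -> AS_PATH for every prefix still reachable at t."""
    rib = {}
    for ts, action, prefix, path in updates:   # updates are in time order
        if ts > t:
            break
        if action == "announce":
            rib[prefix] = path
        else:
            rib.pop(prefix, None)
    return rib

def unreachable_prefixes(updates, t, expected):
    """Site networks the enterprise expects to see from the VPN but which
    are missing from the replayed RIB at time t (reachability criterion)."""
    return sorted(set(expected) - set(rib_at(updates, t)))

def foreign_asn_prefixes(updates, t, allowed, provider):
    """Prefixes whose AS_PATH carries an ASN that is neither an enterprise site
    nor the provider: a signal that another customer's routes may have been
    mixed into this VPN (privacy/integrity criterion)."""
    return sorted(p for p, path in rib_at(updates, t).items()
                  if set(path) - allowed - {provider})

def withdrawal_bursts(updates, window, threshold):
    """Count withdrawals in a sliding window; return the start times of windows
    in which the count reaches the threshold (mass-withdrawal alert)."""
    withdraws = [ts for ts, action, _, _ in updates if action == "withdraw"]
    return [start for i, start in enumerate(withdraws)
            if sum(1 for ts in withdraws[i:] if ts < start + window) >= threshold]
```

At time 255 the example reports site 2 unreachable, at 600 it reports sites 1 and 3 unreachable plus the foreign-ASN prefix, and the two simultaneous withdrawals at 500 trip a two-in-ten-seconds threshold.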
The move to MPLS VPN services need not mean a complete loss of WAN management visibility. By deploying route analytics technology, network managers can accomplish their network outsourcing goals while still retaining the management information needed to ensure application delivery and performance.
Alex Henthorn-Iwane is Vice-President of Product Marketing at Packet Design Inc., 650-739-1850; email: alex@packetdesign.com; web: www.packetdesign.com.