As a channel partner or network service provider, you often need a permanent connection from your Network Operations Center (NOC) to a customer's network or data center, depending on whether you're monitoring and managing routers and switches, or just servers and applications. Whether you eat the cost of this remote connection or pass it on to your customer, you want the solution to be inexpensive. Virtualizing your WAN can give you the remote access you need at minimal cost.
The purpose of a permanent connection is usually to pass various management protocols, such as SNMP and ICMP, and for remote access to devices via telnet, SSH or a terminal server. Thankfully, this type of traffic rarely requires more than modest bandwidth. This is good, because the cost of the circuit is money out of the customer's pocket that the customer associates with your service, but that you make little or no profit from.
In an effort to further minimize costs, you may be tempted to use an Internet VPN. However, this isn't the best option. While an Internet VPN won't be an issue from a bandwidth perspective, it's not the most reliable option. For instance, if you're measuring service levels over the VPN and there's a hiccup on the Internet line, it will affect your measurements, causing it to appear as if there was a hiccup on your customer's network, when in fact there was not.
A much better answer to the problem of remote access is to leverage your customer's MPLS WAN. You can do this a couple of ways. Both methods are very easy if both you and your customer are using the same provider. And neither method requires a new, dedicated, leased-line circuit at your customer's premise.
The first way you can leverage your customer's MPLS WAN is to connect your NOC to your customer's IPVPN cloud. Your NOC will appear just as any other site on your customer's network. The advantage of this method is that you will have the most direct access possible to any customer site on the cloud without going through another customer site, such as the data center or headquarters. If you already have a circuit at your NOC that connects to the same MPLS service provider that your customer uses, then it gets even better. In this instance, you can take advantage of virtualization and add your customer's IP VPN to your own existing circuit, much like a VLAN.
A second option is to put your IPVPN on one of your customer's existing MPLS circuits. From a network perspective, this method is less advantageous because your traffic will have to go through one of your customer's sites to get to any other site on their network. However, it may be more politically acceptable if your customer is very security conscious. The customer can control your access via a firewall to any of their resources at one convenient location, while still avoiding the expense of adding any new telco circuits.
Both of these remote access solutions require you to have the same service provider as your customer. If you and your customer use different MPLS networks, it's still possible but more complex. You'll either have to connect the MPLS clouds or run extra circuits.
About the author
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years of experience in the networking industry. He is co-author of several books on networking, most recently,CCSP: Secure PIXand Secure VPN Study Guide, published by Sybex.