A traditional Chinese network operator provides two types of products for government and enterprise users: internet private lines and site-to-site VPNs. The former offers internet access to small and medium-sized government and enterprise users to satisfy their voice and internet service needs, while the latter enables interoperability among multiple nodes and delivers secure data transport service through multi-protocol label switching (MPLS) or data transport links over the operator's data transport network.
As more and more enterprise users need cloud services, Chinese operators provide them with scalable server computing, storage and internet bandwidth resources through virtualization and cloud computing technologies. However, if government and enterprise users need several of these products, they must apply at different portals and may also need to build multiple physical lines, which leads to poor customer experience and complicated network maintenance and management.
The operator's intelligent private line solution provides not only internet access and site-to-site VPN services but also cloud computing through a unified portal, thus meeting the network and service requirements of small and medium-sized enterprise users in a one-stop manner.
Components of Intelligent Private Line Solution
The intelligent private line solution provided by Chinese operators for small and medium-sized enterprises can substantially reduce internet access costs, improve network QoS, and deliver integrated services including cloud computing and value-added services (VAS).
The intelligent private line solution includes the forwarding layer, the management and control layer, the orchestration layer and the peripheral systems (Fig. 1).

The forwarding layer includes CPEs and virtual service gateways. The enterprise CPE functions as the enterprise egress device and generally provides basic routing and tunneling functions such as VxLAN, IPSec and VxLAN over IPSec VPN; it can be expanded to support virtual VAS. The virtual service gateway, the ZXR10 V6000 vRouter, needs to support VPN functions such as VxLAN and IPSec as well as CGN, DHCP server, EVPN and service chaining.

The management and control layer includes controllers supplied by vendors or third parties. The controllers connect northbound to the orchestration layer and southbound to the forwarding-layer network elements (NEs), which shields the orchestration layer from service details.

At the orchestration layer, the synergy orchestrator supplied by the operator is responsible for connecting the vendors' controllers with the IT support system.

The peripheral systems contain the service portal and the IT system. The self-service portal, generally provided by a third party or the operator, needs to support multiple tenants and gives enterprise users an e-commerce experience for bandwidth adjustment, VAS and cloud resource services. The operator's IT system is responsible for the overall business process of cloud services and network activation in the various resource pools, and also for handling, approving, changing and deleting orders as well as billing.
ZTE's Intelligent Private Line Network Solution
The intelligent private line service uses the operator's metropolitan area network (MAN) to provide transport solutions as required by enterprise users. Depending on the enterprise CPE's capability, the start point of the tunnel in the intelligent private line solution can be deployed flexibly on different types of devices in the MAN. The networking topology of ZTE's intelligent private line solution is shown in Fig. 2.
The enterprise CPE can act as the device that diverts enterprise service traffic, or the OLT/aggregation switch in the MAN can be selected as the diverting device instead. The virtual service gateway (GW) deployed in the IDC resource pool is the anchor of enterprise service traffic. The virtual service gateway identifies internet traffic, cloud traffic and site-to-site VPN traffic based on the five-tuple (source and destination addresses, protocol, and source and destination ports). For internet traffic, the virtual service gateway performs source NAT and forwards it to the internet egress. For cloud traffic, the virtual service gateway splices the access-layer VPN tunnel to the cloud VPN tunnel, providing an end-to-end VPN tunnel into the cloud to meet the security requirements of enterprise users. For site-to-site VPN traffic, the virtual service GW is responsible for aggregating the sites in the local area and exchanging the routing information of enterprise sites with virtual service gateways in other areas as needed.
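The five-tuple classification described above, as an added example that is not part of the original article or of ZTE's products. The site and cloud prefixes, the egress address and the rule that non-global destinations from an enrolled site are dropped rather than NATed are all constructed assumptions for illustration:

```python
import ipaddress
from typing import NamedTuple

# Constructed policy tables; a real gateway would receive these from the controller.
ENTERPRISE_SITES = [ipaddress.ip_network("10.10.0.0/16"),
                    ipaddress.ip_network("10.20.0.0/16")]
CLOUD_PREFIXES = [ipaddress.ip_network("172.16.0.0/12")]
PUBLIC_EGRESS_IP = "203.0.113.10"   # constructed source address used after SNAT


class FiveTuple(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _matches(addr: str, prefixes) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def classify(ft: FiveTuple) -> dict:
    """Return the forwarding decision the virtual service gateway takes for one flow."""
    # Only flows arriving from an enrolled enterprise site are anchored here; anything
    # else is dropped so the gateway cannot be used as an open NAT relay.
    if not _matches(ft.src, ENTERPRISE_SITES):
        return {"class": "drop", "reason": "source is not an enrolled site"}
    # Site-to-site: destination is another enrolled site, forward over the inter-site VPN.
    if _matches(ft.dst, ENTERPRISE_SITES):
        return {"class": "site_vpn", "action": "forward over inter-site VPN"}
    # Cloud: splice the access tunnel onto the cloud VPN tunnel end to end.
    if _matches(ft.dst, CLOUD_PREFIXES):
        return {"class": "cloud", "action": "splice access tunnel to cloud VPN tunnel"}
    # Internet: only globally routable destinations are SNATed towards the egress;
    # private or reserved destinations that matched no tunnel are bogons and are dropped.
    if not ipaddress.ip_address(ft.dst).is_global:
        return {"class": "drop", "reason": "destination not globally routable"}
    return {"class": "internet", "action": "snat", "snat_src": PUBLIC_EGRESS_IP}
```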
In the resource pool of IDC, VAS software can also be deployed as required by customers, such as vFW, internet access behavior management, and WAN acceleration software. The software deployed on demand can help operators reduce their deployment costs and create new profit models.
To facilitate the deployment of the above services, ZTE provides Zenic ONE controller and related components. These products support deployment of virtual service gateways on demand, flexible choice of the start point of enterprise site overlay tunnels, including enterprise CPE, HJSW or SR/BRAS, and networking topology such as Hub-Spoke and Full/Half-mesh. They can also support life cycle management and automatic deployment of virtual service NEs and VAS software, meeting the requirement of automatic network deployment.
To meet the deployment needs of an operator's intelligent private line system, the Zenic ONE controller and related components expose northbound interfaces and interoperate with the synergy orchestrator/IT system of the intelligent private line system through the API defined by an enterprise or the operator. In this way, the operator's need for cross-domain automatic service deployment can be satisfied.
Zero-Touch Provisioning of Enterprise CPE
In the intelligent private line solution for an enterprise, since there are numerous enterprise CPEs, the zero-touch provisioning solution is quite important. The entire zero-touch provisioning procedure includes three steps:
Step 1: underlay network activation
After an enterprise user applies for a service, the operator's O&M personnel check the line resource through the BOSS before device delivery and installation, which can also be completed by a third party. The simple device power-on can also be completed by the enterprise user. After the network quality passes the inspection, the operator confirms that the underlay network is activated.
Step 2: initial configuration of enterprise CPE
After a CPE obtains the WAN interface information from the underlay network service provider (SP), the initial configuration of the overlay network must be loaded onto the CPE so that zero-touch provisioning can proceed over the underlay network. Currently, the CPE supports Web, USB disk and email initialization solutions.
Step 3: CPE management by call home
After the initial configuration, the CPE initiates a connection to the controller. After authenticating the CPE, the controller manages the CPE and establishes a management tunnel with the CPE, thus finishing the whole zero-touch CPE provisioning procedure.
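The three steps above end with the controller authenticating the CPE before it is managed. The article does not describe the authentication mechanism, so the following added example (not ZTE's code) assumes a challenge-response over a per-device enrolment secret delivered with the initial configuration in step 2, checked against the serial numbers the operator recorded in step 1; the serials, secrets and message layout are constructed:

```python
import hashlib
import hmac
import secrets


def _tag(secret: bytes, serial: str, nonce: bytes) -> bytes:
    # Both sides MAC the same bound message: purpose, device identity and the fresh nonce.
    return hmac.new(secret, b"call-home|" + serial.encode() + b"|" + nonce, hashlib.sha256).digest()


class Controller:
    def __init__(self, inventory: dict):
        self.inventory = dict(inventory)   # serial -> enrolment secret (from steps 1 and 2)
        self.pending = {}                  # serial -> outstanding nonce
        self.managed = {}                  # serial -> management tunnel id

    def challenge(self, serial: str):
        """Only devices the operator expects get a challenge; unknown serials are ignored."""
        if serial not in self.inventory:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[serial] = nonce
        return nonce

    def admit(self, serial: str, nonce: bytes, tag: bytes):
        """Verify the CPE's response; on success, record the management tunnel."""
        expected_nonce = self.pending.pop(serial, None)   # each nonce is usable once
        if expected_nonce is None or nonce != expected_nonce:
            return None
        if not hmac.compare_digest(_tag(self.inventory[serial], serial, nonce), tag):
            return None
        tunnel = "mgmt-" + secrets.token_hex(4)
        self.managed[serial] = tunnel
        return tunnel


class Cpe:
    def __init__(self, serial: str, secret: bytes):
        self.serial, self.secret = serial, secret

    def respond(self, nonce: bytes) -> bytes:
        return _tag(self.secret, self.serial, nonce)


def call_home(cpe: Cpe, controller: Controller):
    """Run the exchange; returns the management tunnel id, or None if the CPE is rejected."""
    nonce = controller.challenge(cpe.serial)
    if nonce is None:
        return None
    return controller.admit(cpe.serial, nonce, cpe.respond(nonce))
```

A replayed response is refused because the controller discards each nonce after one use.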
VAS Deployment Solution
Through the Zenic ONE controller, ZTE's intelligent private line solution supports flexible deployment of VAS in the DC. ZTE currently provides vFW and internet access behavior management software, and will continue to add new services. These VAS applications are deployed as software on general-purpose servers and support a flexible "pay as you grow" business model, lowering the initial investment cost.
In the DC, the applications are interconnected through virtual physical interfaces. Virtual service gateways acting as the centralized ingress and egress of user traffic are the starting and ending nodes of the whole service chain. The virtual service gateways are interconnected with other virtual applications through virtual physical interfaces. Serving as service classifiers (SC) and service function forwarders (SFF), the virtual service gateways use the traffic redirection policy to concatenate traffic between different virtual applications.
Redundancy of Virtual Service Gateway
ZXR10 V6000 vRouter used as the virtual service gateway supports distributed architecture, in which its forwarding and control planes are deployed on different virtual machines (VMs). The forwarding plane VMs can be expanded to guarantee high reliability of the vRouter.
ZXR10 V6000 vRouter also supports centralized architecture, in which its forwarding and control planes are deployed on the same VM. The vRouter supports the deployment of two VMs at most. It supports 1:1 redundancy on the control plane. The forwarding plane can work in the 1+1 load sharing mode or the 1:1 active/standby mode to improve reliability of the vRouter.
The forwarding plane modules where the interfaces are located can be on the same host or on different hosts. When the interfaces are on different hosts, the interface of vRouter1 and that of vRouter2 are added to a link aggregation group. The active and standby interfaces are determined by their priority, and packets are forwarded from the active interface. When a fault (link, network card or host fault) occurs, a new active interface is selected. The new active interface sends gratuitous ARP packets to the connected device to refresh its MAC table, and subsequent packets are forwarded from the new active interface.
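The priority-based election and gratuitous ARP announcement above, as an added simulation that is not ZTE's implementation. The member names, hosts and priorities are constructed, and the gratuitous ARP is modelled as a recorded event rather than a frame on the wire:

```python
class Member:
    """One forwarding-plane interface in the link aggregation group."""
    def __init__(self, name: str, host: str, priority: int):
        self.name, self.host, self.priority, self.up = name, host, priority, True


class Lag:
    def __init__(self, members):
        self.members = list(members)
        self.active = None
        self.events = []          # ("gratuitous_arp", interface) announcements
        self.elect()

    def elect(self):
        """Pick the highest-priority healthy member; announce via gratuitous ARP on change."""
        healthy = [m for m in self.members if m.up]
        new = max(healthy, key=lambda m: m.priority) if healthy else None
        if new is not self.active:
            self.active = new
            if new is not None:
                # Tells the connected switch to move the MAC to the new active port.
                self.events.append(("gratuitous_arp", new.name))
        return new.name if new else None

    def fault(self, *, host=None, interface=None):
        """A host fault takes down every member on that host; a link/NIC fault one member."""
        for m in self.members:
            if (host is not None and m.host == host) or m.name == interface:
                m.up = False
        return self.elect()

    def forward(self) -> str:
        """Name of the interface a packet leaves on, or raise when no member is healthy."""
        if self.active is None:
            raise RuntimeError("no healthy interface in the aggregation group")
        return self.active.name
```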
Advantages and Applications
As a major partner of China's telecom operators, ZTE has participated in a wide range of intelligent private line projects. ZTE's intelligent private line solution has the following advantages:
—ZXR10 V6000 vRouter supports different device specifications, three-layer decoupled deployment, and third-party virtualization platforms including VMware and Red Hat.
—Zenic ONE controller can manage enterprise CPE MCG53/51 series, ZXR10 V6000 vRouter series, ZXR10 M6000 series, ZXR10 9900 and ZXR10 8900E series. It supports end-to-end networking capability and zero-touch provisioning of enterprise CPEs through the centralized controller platform.
—Zenic ONE controller opens northbound APIs that connect to the operator's operation and management platform, meeting the operator's need for automatic service provisioning. Through the unified portal, Zenic ONE controller supports automatic service provisioning and synergy of networks and cloud services, shortening the service provisioning time to several minutes. Orders are also visible to the user and bandwidth is adjustable.
An operator's intelligent private line business involves "network on the cloud" and "cloud-network synergy" and faces many challenges such as unified display of cloud and network resources, cross-domain orchestration and scheduling, unified APIs between the controller and the orchestrator, and forwarding performance and O&M of virtual NEs. The current intelligent private line projects in China are still in commercial trial phase. ZTE will continue to cooperate with the operators in their plans for cloud-network convergence, helping them transform their networks.
Keywords: intelligent private line solution, on-demand cloud services, zero-touch provisioning, virtual service gateway, Zenic ONE controller, ZXR10 V6000 vRouter