• Allowing portability of data across any device without compromising security
• Establishing security benchmarks and tackling concerns over transparency
• Moving from private Ethernet clouds to the public domain: where is the data?
2. AGENDA
• About GTS CE
• Examination of corporate customer demand
• Cloud for business customer
• Challenges
• GTS approach to cloud over Ethernet
3. GTS CE – Unmatched regional fiber footprint
Leading infrastructure-based alternative provider of fixed-line communications to corporate and carrier customers in Central and Eastern Europe (CEE)
• Focused on the CEE region (CZ, HU, PL, SK and RO)
• Diverse product offerings:
Ethernet | IP VPN | Leased Lines | Colocation | Voice | Server Hosting | Cloud Computing
• Unique combination and breadth of fiber long-haul and local access:
− 17,000 kilometers of long-haul fiber and 29 cities with metro fiber
− 12,000 on-net buildings
− 13,000 square meters of colocation space in 14 locations
− Extensive range of wireless frequencies
• Primary operations in the contiguous geographies of the Czech Republic, Poland, Hungary, Slovakia, and Romania
4. Cloud Computing hits 31% of IT budgets in EMEA*
• 84% – Data processing in the cloud is a priority for action within the next 18 months
• 41% – Increase of IT efficiency
• 36% – Increase of business agility
* Research conducted for VMware by IDG in 2012 among CIOs in the EMEA region.
5. Key drivers for outsourcing approach
The Cloud market will be driven by demand for outsourcing.
Assessing the opportunity for enabling XaaS services within the CEE region, we must understand the key drivers:
• Business growth – by far the strongest driver of data center services growth
• Regulatory requirements – increase the amount and storage time for data, stimulate the development of continuity services
• IT architecture model – complexity of IT architecture, trade-off vs. doing it themselves
• Price point – competitive pricing within the market, competitiveness across markets
6. Top 5 concerns
• 52% – Security vulnerabilities
• 41% – Loss of control over data
• 25% – Trust in performance and reliability
• 23% – Solutions' compatibility
• 19% – Loss of control over server utilization in the external cloud
26% of the IT budget is allocated to Cloud.
[Chart: split of the IT budget across Other, Hosting, Trainings, Outsourcing, Software and IT department]
External expenditures hit only ~33% of the IT budget.
7. Cloud for business customer
The majority of available Cloud solutions do not meet business customer requirements:
• Insufficient control over security
• Complex implementation and configuration of interworking between internal and external resources
• Limited control and flexibility of network resources
8. Issue #1: Security vulnerabilities
Transition to Cloud Service Providers raises challenges:
• WAN latency – an application created for the LAN is accessed via WAN / public Internet
• Very often communication is carried over the public Internet
• Ecosystem dynamism – it requires adaptive security policy configuration
[Diagram: application users in the LAN reach data processed on the service provider's cloud (VPS) across the Internet. Callouts: openness to the public world opens the application to all; threats within and outside the cloud (ATTACK); complicated FW policy management]
9. Issue #2: Compatibility
Both the Hybrid Cloud approach and partial migration to the Cloud raise:
• The need to provide efficient access for hundreds/thousands of LAN users
• The need to share a lot of middleware applications – Active Directories, Integration Bus
• Reconfiguration and protection of network elements communicating with the Cloud
• Communication on public IP addresses
[Diagram: application users in the LAN reach VPS data processing on the service provider's cloud through a gateway (GW) and the Internet. Callouts: application changes; infrastructure reconfiguration; changes in the LAN topologies]
10. Hybrid Cloud
Business requires a complete solution.
[Diagram: outsourced PRIVATE CLOUD (EXTERNAL), PUBLIC CLOUD and on-premises PRIVATE CLOUD (INTERNAL) joined by the CE Cloud Connector]
• Access – user experience like from the corporate LAN
• All resources visible in the same way within a common management tool
• Security – end-to-end, consolidated and multilayer approach
• Performance – guaranteed and monitored round-the-clock
CE will play an important role in the adoption of the hybrid cloud approach.
11. Ethernet Cloud Carrier - ecosystem
[Diagram: outsourced PRIVATE CLOUD (EXTERNAL, VPS) and PUBLIC CLOUD connected over the Carrier Ethernet network to the on-premises PRIVATE CLOUD (INTERNAL) via VHE; FC / iSCSI storage. Callouts: data synchronization – low latency demand; high capacity for bandwidth-consuming applications; secure access to XaaS over VLAN; internal applications; on-net world, eyeballs users]
12. Ethernet Cloud Carrier - challenges
L2 loops in bridged networks
Although the standard is well defined, CE connectivity raises a new set of security challenges which may seriously affect customers hosted in a multitenant ecosystem:
• Accidental and deliberate attacks (via ARP, flooding storms)
• Stability issues – size of the STP* domain
• Scale (ARP caches, MAC address table size)
• L2 loops – broadcast storms
* STP – Spanning Tree Protocol
13. Reasons for L2 loops
● Redundant connections between L2 bridges
● When redundant links exist between bridges, all ports are flooded by broadcast packets
[Figure: examples of different loop topologies]
14. Workaround – Spanning Tree Protocol
• Network protocol that ensures a loop-free topology for any bridged Ethernet LAN
• Prevents loops and limits broadcast radiation
• Allows spare redundant links between bridges
However, there are a number of risks related to the application of STP:
Incorrect configuration of STP, or no loop-free mechanism configured on the customer side, may cause broadcast storms in the Cloud LAN.
Frequent topology changes may cause storms.
It is very important to isolate the customer L2 domain from the provider L2 domain.
15. Problem Solution #1 – EVPL is connected to a sub-interface of the customer L3 device
[Diagram: GTS DC – Nexus pair nx1 (Active) and nx2 (Standby) joined by a vPC peer link, 10G links to sw2/sw3 and to access switch sw1 (VLAN rewrite), GTS L2 Ethernet network with PE1/PE2 (no STP), ALU EVPL over a LAG with 1G links; Customer premise – Cust L3 router with the Cust L2 switch behind it (STP)]
vPC status on nx1:
vPC status
----------------------------------------------------------------------------
id     Port        Status Consistency Reason                     Active vlans
------ ----------- ------ ----------- -------------------------- -----------
500    Po500       up     success     success                    500
vPC status on nx2:
vPC status
----------------------------------------------------------------------------
id     Port        Status Consistency Reason                     Active vlans
------ ----------- ------ ----------- -------------------------- -----------
500    Po500       down*  success     success                    -
Vlan X – customer vlan
Vlan Y – GTS PE vlan range
Vlan Z – GTS virtual hosting vlan range
• Logical separation of STP L2 domains
• EVPL is connected to the customer router sub-interface, with the customer L2 switch behind the router
• Customer must route traffic between his LAN traffic and DataCenter traffic
• Customer shall run rapid-PVST in his network
• Customer can use a private IP range
16. Problem Solution #2 – EVPL connected directly to the customer's L2
[Diagram: GTS DC – Nexus pair nx1 (Active) and nx2 (Standby) joined by a vPC peer link, 10G links to sw2/sw3 and to access switch sw1 (VLAN rewrite), GTS L2 Ethernet network with PE1/PE2 (no STP), ALU EVPL over a LAG with 1G links; Customer premise – Cust L2 switch (STP) directly on the EVPL]
vPC status on nx1:
vPC status
----------------------------------------------------------------------------
id     Port        Status Consistency Reason                     Active vlans
------ ----------- ------ ----------- -------------------------- -----------
500    Po500       up     success     success                    500
vPC status on nx2:
vPC status
----------------------------------------------------------------------------
id     Port        Status Consistency Reason                     Active vlans
------ ----------- ------ ----------- -------------------------- -----------
500    Po500       down*  success     success                    -
Vlan X – customer vlan
Vlan Y – GTS PE vlan range
Vlan Z – GTS virtual hosting vlan range
• EVPL is connected directly to the customer's L2 domain
• Customer traffic is bridged between his LAN traffic and Data Center traffic
• L2 CPE will be connected to the customer's Root bridge
• Customer can use a private IP range
• Customer shall:
− run rapid-PVST in his network
− enable Root Guard on his Root bridge to prevent any topology change in his network
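The two hand-offs above, written out as an added customer-side configuration example in Cisco IOS syntax (this is not configuration from the GTS deck; VLAN 100, the interface names and the 10.200.x.x addresses are constructed placeholders for Vlan X and the customer's private range). The routed sub-interface of Solution #1 keeps the customer STP domain off the EVPL; the bridged hand-off of Solution #2 relies on rapid-PVST plus Root Guard on the root bridge, and adds storm control on the EVPL-facing port to contain the broadcast storms slide 14 warns about.

```cisco
! --- Solution #1: EVPL terminated on a routed sub-interface of the customer L3 device ---
! The customer STP domain stops at the router; VLAN 100 (Vlan X) exists only on the EVPL.
interface GigabitEthernet0/1
 description GTS EVPL hand-off (constructed example)
 no ip address
!
interface GigabitEthernet0/1.100
 description Vlan X - customer VLAN carried over the EVPL
 encapsulation dot1Q 100
 ip address 10.200.100.2 255.255.255.0
!
! Customer LAN subnets are routed, not bridged, towards the data centre hosting range
ip route 10.200.200.0 255.255.255.0 10.200.100.1

! --- Solution #2: EVPL bridged directly into the customer L2 domain ---
! Customer root bridge: run rapid-PVST and pin the root role so that no
! superior BPDU arriving over the EVPL can move the root or trigger a TCN.
spanning-tree mode rapid-pvst
spanning-tree vlan 100 priority 4096
!
interface GigabitEthernet1/0/24
 description Uplink to L2 CPE / GTS EVPL (constructed example)
 switchport mode trunk
 switchport trunk allowed vlan 100
 ! Root Guard: a superior BPDU puts this port into root-inconsistent (blocking)
 ! state instead of re-electing the root, so the customer topology stays stable.
 spanning-tree guard root
 ! Storm control caps broadcast/multicast flooding coming from the remote domain.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
```

Verify with `show spanning-tree inconsistentports` after cut-over: a port listed there is Root Guard doing its job, and the event is worth alerting on rather than clearing blindly.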
17. Limitations
• Only one primary L2 EVPL connection can be configured between virtual hosting and a single customer site
• No redundancy (backup) on the L2 circuit can be configured between virtual hosting and a single customer site
• If a customer requires separate and fully redundant connectivity between virtual hosting and the customer site, it must be configured via the L3 network only
18. Summary
• The wide area network is critical to meeting the requirements for delivering external private cloud and hybrid cloud services.
• Enterprises shall not rely only on the Internet to provide connectivity to their mission-critical applications.
• Carrier Ethernet will be a coherent part of the Cloud market development:
− The technology is at least 4 times more efficient for an equivalent quantity of bandwidth
− Guarantees the lowest latency (10G/100G interfaces)
− Flexibility in delivery of XaaS services – inherent support for VLANs
− Perfectly suited to the virtualization layer security requirements