Lot 1 Standard Service Offer
Data Access Services
Service Offer RM1045-L1-SSO-00002-Pinacl
Standard Service Offer - Connectivity MPLS with Cloud Service Provider Connectivity

MPLS (Multiprotocol Label Switching) is a widely used technology for connecting multiple sites into a virtually isolated network. It relies on the application of labels on each packet to identify which virtual network the traffic belongs to. In this way a provider's network (Convergence Group) can be utilised for multiple customers whilst retaining the security and flexibility required for each, at a fraction of the cost of a dedicated network.

The flexibility of this approach means that multiple carriers (BT/VM/Vodafone etc) can be utilised to provide the underlying physical access circuits, with the core provider then overlaying a logical network for that individual customer's use. Multiple access technologies can be used with MPLS, such as ADSL2+/FTTC/EFM/Fibre Ethernet, thereby ensuring that access is right-sized for that individual location's needs.

MPLS can be further enhanced to incorporate traffic management or segregation in the form of multiple VRFs (Virtual Routing and Forwarding) and QoS (Quality of Service). Furthermore, access can be provided to services such as Microsoft Azure/Office 365, Amazon Web Services and Gamma SIP, as well as a wide range of on-net datacentres.

Typically the provider will also supply the terminating routers/switches, known as CPE (Customer Premise Equipment). In this way the end-to-end service can be guaranteed.

Accreditations held by Convergence include:
- CESG CAS(T)
- ISO27001
- ISO9001
- ISO14001
- ISO/IEC 27001

Typical benefits of the move to an MPLS network include:
- High-speed, fully managed & secure solution
- Additional resilient and multipath routes
- Wide choice of circuit connectivity providers and connection types
- Centrally managed internet connection
- Easy to manage and low cost
- Ideal for VoIP and SIP Trunks
- Network wide SLAs
- Easy to add, move or remove sites or circuits as the ICO business evolves

The following Connectivity Service is applicable to organisations requiring secure, direct, low latency, high throughput connections to branch offices and Cloud Service Providers such as Amazon Web Services (AWS), Microsoft Azure ExpressRoute (including Office 365), Google and IBM Softlayer.
Core Components

The purpose of this service is to provide direct connections between end-user networks and Cloud Service Providers (CSP) via direct, dedicated links which provide low latency and high throughput as an alternative to a public internet connection. This provides a premium network connection, private networking for primary Office 365 workloads and predictable performance with managed connectivity.

Clients will have their own contract and account with the CSP and Pinacl will use these details to set up the connection. Clients are responsible for setting up the account with the CSP and paying any charges associated with the services they are consuming.

The core network is based in three UK Data Centres, linked via an MPLS network running over multiple, diverse and resilient dark fibre links. Connectivity to the CSPs is achieved by connecting the end user's network to the CSPs with a range of bandwidths available which can be scaled up to accommodate future growth in services as required.

Connectivity to the client network

The client will require connectivity between the core network and the client network equal to or in excess of the bandwidth selected. Clients with network nodes in the same public Data Centres as the core can connect via an internal cross-connect (copper or fibre depending on bandwidth and distance between the locations). National Ethernet or optical wavelength connections can also be provided at bandwidths from 10Mb to 10Gb, linking the client's network or Data Centre to the core network. These can be single connections or dual, diverse links.

Diversity

Where dual, diverse links are required, Pinacl will produce a high level design based on connections which meet the requirements of resilient separation (5m apart at all times) and will agree the design with the client before implementation. Two separate links will then be provided between the client's network and the chosen CSPs from two separate Data Centre nodes. A higher level SLA is provided with dual, diverse links.
Figure 1 - Core MPLS Network

Available bandwidths

10Mb, 20Mb, 50Mb, 100Mb, 200Mb, 300Mb, 400Mb, 500Mb, 1Gb, 2Gb, 5Gb, 10Gb

Note for Azure connections: Microsoft has three platforms, Cloud Services (Office 365), Public Services and Compute. If the client requires connectivity to two or three of these services they will have to select a separate VLAN and appropriate bandwidth to each service. However, all services will be delivered to the customer on a single interface from the Pinacl Convergence Cloud Connect platform.

Figure 2 - Client Network

Figure 3 - Cloud Connectivity - 200/500/1Gb variants
Supplementary Components

Connections between the client's network and Pinacl Convergence platform

These connections vary depending on bandwidth required and the distance between the Pinacl/Convergence platform and the client's network interface. This interface can be a client router located in the client's own Data Centre or comms room, a client rack in a public Data Centre, or an edge router port on a client MPLS network or WAN.

Monitoring and Alerts (Netview/Netflow)

Real-time monitoring will be carried out as part of the service. However, to provide the customer with a state of the nation view of the deployed WAN, visibility can be given into the real-time and historic performance of the network. Pinacl will provide read access to the Netview Portal (based on Solarwinds Orion management software). The information available through the portal is an identical view to that used by Pinacl and Convergence engineers for fault handling.

Netview provides access to real-time and historical performance monitoring and fault management directly from any web browser. The comprehensive alert engine and event monitor help identify network problems, keeping outages and downtime to a minimum. The web-based views are fully customisable and web accounts can be limited based on department, geographic area, customer ID or any user-defined field. Web-enabled maps provide a real-time pictorial status of the network topology with the ability to click and drill into regions, departments and devices.

The Netview system monitors the following in real-time:
- Network and circuit availability
- Network latency
- Bandwidth utilisation
- Interface errors and discards
- CPU and memory utilisation
- Volume usage
- Node, interface and volume status
- Buffer usage and errors

Additionally, Pinacl can provide application-level monitoring through the use of Netflow, which gives:
- Utilisation by port/application
- Top talkers by port/application
- Originating and destination IP addresses

Please note that some of the devices proposed under this design are not capable of supporting Netflow data. Additionally, this functionality requires further processing power and will not be able to show all traffic (as some will be encrypted); therefore Pinacl would request a technical design session prior to deployment if the customer wishes to take advantage of Netflow monitoring.
Managed Firewalls

We don't have a standardised cost for a Cisco ASA service at >100Mb. I agree this was a future state though, as they believed 100Mb was plenty for now. It may be worth us stating that, should the service need to be increased over 100Mb, the customer would not be penalised by moving off a virtualised platform and that we'd work with them to construct a bespoke service based on a fully-managed or co-managed platform.

BT costs

Currently BT are more costly; however, we have included them in the table. Please could you note that, given BT are in the building already, we will be approaching them for a special-bid to match the Vodafone price and anticipate that they will agree to that cost. Therefore, the customer will benefit from the shortest lead time and the best cost simultaneously.

Air-gap Internet Service

This can be achieved in two ways. Firstly, we can configure the network to pass this internet traffic to the managed firewall as standard internet traffic. The benefit of this is that it will be covered by the managed firewall service and gives the customer a greater degree of control and security. Alternatively, this service can be provided as a fully separate internet breakout. If the latter is the preferred option, we would need to know whether the service will also require a separate firewall or if it will be run as a dirty internet.

In either case, stand-alone internet will be created as a logical partition on the network, either using individual VLANs (each service has its own internet service) or a VRF (all sites share one internet breakout, for instance with a firewall). A VRF will be presented to site via 802.1q trunking (Q-in-Q), which requires the same routers as the encryption service has been quoted with (Cisco 2921).

In summary:
- Share an internet gateway with other traffic: No Change
- Each site has its own gateway: No router change, internet bandwidth at 3 Mb/mth + 1 day PS @ 1000
- Each site shares a separate firewall: 2921s, internet bandwidth charge, managed firewall charge
- Separate Breakout traffic: No Change
- Each site has its own gateway: Require a different router, internet bandwidth at 3.53 Mb/mth + 1 day PS @ 1,000
- Each site shares a separate firewall: 2921s, internet bandwidth charge, managed firewall charge