Cisco MGX 8900 Series Switches

Building a Multiservice Network for Homeland Security

Application Note

Building a Reliable and Secure Multiservice Network for Homeland Security and Defense

The Need:

Defense and intelligence agencies need broadband networks that enable them to communicate securely and effectively across wide geographic areas as they carry out their urgent and critical missions.

These agencies need a network infrastructure that supports "C4ISR"—command, control, communications, computers, intelligence, surveillance, and reconnaissance. C4ISR provides the right information at the right time to make the best decisions possible. To support C4ISR, agency networks must converge voice, video, and data onto a single network to enable faster deployment of new services and applications. The need for converged networks and new services demands that network capacity increase by an order of magnitude to support a smooth evolution into the future.

The Solution:

A Multiservice Network.

Asynchronous Transfer Mode (ATM) is compatible with Type 1 security. A multiservice network based on ATM can transport combined voice, video, and data traffic. Successfully deployed in some of the largest government, defense, and service provider networks, ATM multiservice switches provide the foundation for offering reliable services. ATM can deliver the flexibility needed for any mix of applications, and it can support speeds from DS0/T1 to OC-12/STM-4 and OC-48/STM-16, even up to OC-192c/STM-64 in the backbone. Bandwidth can be assigned variably and flexibly, maximizing network efficiency and economy, and some of the advanced multiservice switches enable organizations to integrate IP applications and to migrate over time to an IP infrastructure. An advanced ATM multiservice switch can satisfy any requirements of secure networks today—and those of the future.

The organizations responsible for protecting and defending their nations need high-quality, high-capacity communications. This has become a vital part of national defense.

These networks must be able to deliver a flexible mix of applications needed to match changing world conditions and the technologies of national security—and they must be able to do so reliably and securely.

Traditionally these high-security organizations have built separate data and time-division multiplexing (TDM) voice networks, but they are finding that this architecture cannot achieve the required versatility, capacity, and quality they now need. Therefore, they face several challenges:

Transitioning to high-bandwidth multiservice networks that converge voice, data, and other types of communications onto a single network with adequate redundancy to achieve high availability

Maintaining network security, such as Type 1, for all who need it

Enabling capabilities such as multilevel preemption and precedence

Achieving flexibility and cost savings that converged networks can deliver

Building a reliable network

These are ambitious objectives, but all can be met. Global defense organizations are installing ATM-based multiservice networks that can provide:

Quality of service (QoS) for all applications—ATM was designed by the carriers and the defense industry to transport multiple services—voice, data, and video—giving each the required class of service (CoS).

High availability for applications—The reliability and availability features expected by the service provider and built into today's ATM multiservice switches can be used to build a more flexible, scalable, and reliable communications infrastructure.

Encryption available up to OC-48/STM-16—ATM can interface with cell encryptors approved for high levels of security, such as the Type 1 encryptors required by the United States government for top security. ATM is also the technology on which the next generation of OC-192 encryptors is being built. The standards for high-speed IP-based encryptors are still being developed.

Proven technology— ATM networks have been in service for decades and many multiservice switches have been deployed within these networks. These switches have proven their reliability, availability, and serviceability.

Capacity and scale— The network can easily be scaled, allowing it to evolve and grow as communications requirements increase. The world's largest data service networks are built on ATM technology.

Dynamic bandwidth management—Surmounting the QoS hurdle enables secure ATM multiservice networks to make effective use of the available-bit-rate (ABR) service class, assuring that even low-priority applications use the maximum bandwidth available at any given time while still minimizing costs.

Investment protection for the future—ATM multiservice switches scale to higher transmission rates than those typically used in secure networks, so these existing systems can support upgrades in the future. They also support other protocols, such as IP and Multiprotocol Label Switching (MPLS), which further protects the initial investment.

Compatibility with IP-based services and applications—The hurdle of mapping IP QoS precedence to ATM CoS categories has been solved, so organizations that need reliable, secure voice can be assured of having it in a multiservice network. Applications such as voice over IP (VoIP) can be supported, providing investment protection and an evolution path toward a more IP-centric architecture in the future.

As a Layer 2 technology, ATM cannot read the Layer 3 packet header information that encodes the QoS level. However, a technique has been developed that maps the seven IP QoS precedence levels to individual ATM permanent virtual circuits (PVCs). Each QoS level is transmitted over its own channel through the ATM network, assuring that it receives the desired priority (refer to Figure 1).

Figure 1:

This diagram illustrates how multiple virtual circuits map applications to ATM virtual circuits to help ensure that the applications receive the desired QoS level.
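As an added illustration of the mapping described above (example code, not from the application note or from Cisco), the classifier below reads the 3-bit precedence field from an IPv4 header and selects an ATM service class and PVC for the packet. The precedence-to-class assignments and the VPI/VCI values are constructed placeholders; the 3-bit field itself carries values 0 through 7, and the example maps all of them, sending non-IPv4 or truncated packets to the default ABR circuit.

```python
import struct

# Constructed table: IPv4 precedence (high 3 bits of the ToS byte) -> ATM service
# class and PVC (vpi, vci). Assignments and identifiers are placeholders, not
# values taken from the original application note.
PRECEDENCE_TO_PVC = {
    7: ("CBR",     (1, 107)),  # network control
    6: ("CBR",     (1, 106)),  # internetwork control
    5: ("CBR",     (1, 105)),  # critical, e.g. secure voice
    4: ("VBR-RT",  (1, 104)),  # flash override, e.g. video
    3: ("VBR-RT",  (1, 103)),  # flash
    2: ("VBR-NRT", (1, 102)),  # immediate
    1: ("ABR",     (1, 101)),  # priority
    0: ("ABR",     (1, 100)),  # routine, e.g. bulk FTP transfers
}
DEFAULT_PRECEDENCE = 0


def ip_precedence(packet: bytes) -> int:
    """Return the 3-bit IP precedence of an IPv4 packet; raise ValueError otherwise."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    tos = packet[1]          # Type of Service byte: PPP DTRC 0
    return tos >> 5          # keep only the precedence bits


def classify(packet: bytes):
    """Map a packet to (service class, (vpi, vci)).

    Anything the classifier cannot read (non-IPv4, truncated) is placed on the
    lowest-priority ABR circuit so it can never preempt voice or video."""
    try:
        prec = ip_precedence(packet)
    except ValueError:
        prec = DEFAULT_PRECEDENCE
    return PRECEDENCE_TO_PVC[prec]


def build_ipv4(tos: int, payload_len: int = 0) -> bytes:
    """Construct a minimal IPv4 packet for testing (sample data; checksum left zero)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 20 + payload_len, 0, 0, 64, 17, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    for tos in (0xE0, 0xA0, 0x80, 0x40, 0x00):
        print(f"ToS 0x{tos:02x} -> {classify(build_ipv4(tos))}")
```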

Capacity and Capabilities

The upgrade from T1 or T3 lines to OC-3/STM-1 or OC-12/STM-4 ATM for access and backbone increases network capacity by an order of magnitude and more—from 1.5 or 45 Mbps to 45 or 622 Mbps—with gigabits available now if required. When intelligence and defense needs increase enough to require high-speed connectivity, ATM can deliver. OC-3/STM-1s can easily become OC-12/STM-4s, and OC-12/STM-4s can easily become OC-48/STM-16s. New connections can be provisioned quickly. When the network is in place, even minute-by-minute demands for bursts of very high bandwidth can be satisfied. The ATM multiservice network provides capacity for any and all high-speed applications.

Among the applications possible with a high-speed multiservice network are the kinds of communications vital to the national security: the ability to talk and share files simultaneously, for example, or to videoconference with ease. A high-speed multiservice network also offers the ability to move massive amounts of data instantly for analysis, or the simple ability to get even modest downloads immediately.

Packet Voice

A good example of the flexibility that an ATM multiservice network provides can be demonstrated by looking at the alternatives available for packet voice.

High-priority voice—Secure voice is a top priority for many agencies, and so they want constantly available secure voice circuits. This is easily accomplished with ATM using the ATM adaptation layer 1 (AAL1) protocol to set up PVCs with dedicated bandwidth. This guarantees the required resources for voice. If a network outage occurs, these connections can be automatically rerouted around failures, with priority claims on remaining network resources.

Private branch exchange (PBX)-to-PBX trunking—Voice can also share bandwidth with other applications. A single PVC can be provisioned to support many simultaneous voice calls using AAL2, which reduces network complexity. Bandwidth efficiencies, such as silence suppression and compression, can be applied to these calls to reduce overall bandwidth requirements.

Multiservice access—At smaller remote sites, the bandwidth available may be constrained, and the ability to consolidate voice along with data and video traffic onto a single link can save costs and can make use of a wide variety of available facilities. A wide range of customer premises equipment (CPE) is now available that supports multiple interfaces, including voice, and various mechanisms to increase bandwidth efficiency. These CPE products can use IP or ATM as the encapsulation method as required, increasing flexibility.

Video—Video, given the same priority as voice, now becomes a viable technology, and users are already taking advantage of teleconferencing equipment that was unused because previous transmission was too unreliable—a serious contribution to improved communications among staff members.

Figure 2:

This diagram shows how flexible a voice packet deployment is when deployed within the network.

The crucial requirement for voice over ATM (VoATM) is that no latency or jitter be introduced, as can happen in a network that also carries intermittent, bursty data traffic (refer to Figure 2). This can be achieved with the combination of IP-to-ATM QoS mapping and the ability of ABR to allocate bandwidth effectively. Voice and video, which cannot tolerate delays either, both come through clean and clear. Very importantly, this VoATM solution avoids the need for MPLS, which is currently incompatible with top-security cell encryption.

Dynamic Bandwidth Allocation

Data traffic of all kinds benefits from the mapping technique that permits reliable voice transmission. ATM was designed to support all service classes:

Constant bit rate (CBR)—a reliable way to transmit voice

Real-time variable bit rate (VBR-RT), non-real-time variable bit rate (VBR-NRT), and ABR

ABR is the most efficient way to allow any spare capacity on any channel that is not at the moment carrying traffic to be used by an application that needs it. Thus, when a channel is not transporting VoATM or video, its bandwidth can be used by any other application, such as File Transfer Protocol (FTP), which is being transported as ABR.

Flexible bandwidth allocation works by monitoring real-time usage of bandwidth across the path of each connection. The network tells each connection how fast it can run based on instantaneous usage of the network resources, allowing it to speed up when bandwidth is available and, as importantly, to slow down just as quickly when other applications such as voice come online. Managing the flows into the network, rather than just managing congestion as it occurs, dramatically improves overall throughput. The effect on users and their productivity can be astonishing, almost like the upgrade from dialup modem to broadband.
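The feedback loop described above, as an added simulation that is not code from the application note or from Cisco: an ABR source adjusts its allowed cell rate (ACR) on each backward resource-management (RM) cell in the manner of ATM Forum TM 4.0 source behaviour, and a simplified switch model reports the capacity left over after CBR voice as the explicit rate. The link rate, factors and voice schedule are constructed values.

```python
# Constructed ABR illustration: rates are in Mbps and all numbers are made up.

class AbrSource:
    """ABR source keeping an allowed cell rate (ACR) within [MCR, PCR]."""

    def __init__(self, pcr, mcr, icr, rif, rdf):
        self.pcr = pcr   # peak cell rate: never exceeded
        self.mcr = mcr   # minimum cell rate: guaranteed floor
        self.rif = rif   # rate increase factor (fraction of PCR added per RM cell)
        self.rdf = rdf   # rate decrease factor (fraction of ACR removed on congestion)
        self.acr = icr   # allowed cell rate, starts at the initial cell rate

    def on_backward_rm(self, ci, ni, er):
        """Apply one backward RM cell: CI set -> multiplicative decrease,
        NI set -> hold, neither -> additive increase; then clamp the result
        to the explicit rate (ER) and to the [MCR, PCR] bounds."""
        if ci:
            self.acr -= self.acr * self.rdf
        elif not ni:
            self.acr += self.rif * self.pcr
        self.acr = min(self.acr, self.pcr, er)
        self.acr = max(self.acr, self.mcr)
        return self.acr


def network_feedback(acr, link_rate, cbr_load):
    """Simplified switch side: whatever the CBR voice is not using is offered
    as the explicit rate, and a source already above that gets the CI bit."""
    spare = link_rate - cbr_load
    return {"ci": acr > spare, "ni": False, "er": spare}


def simulate(voice_load_per_step, link_rate=100.0):
    """Run an FTP-style ABR flow over a link shared with CBR voice.
    Returns the ACR granted to the ABR flow after each RM cell."""
    src = AbrSource(pcr=link_rate, mcr=4.0, icr=10.0, rif=0.1, rdf=0.5)
    history = []
    for load in voice_load_per_step:
        fb = network_feedback(src.acr, link_rate, load)
        history.append(src.on_backward_rm(**fb))
    return history


if __name__ == "__main__":
    # Constructed schedule: voice idle, 60 Mbps of CBR voice comes up, then idle again.
    schedule = [0, 0, 0, 0, 60, 60, 60, 0, 0]
    for step, (load, acr) in enumerate(zip(schedule, simulate(schedule))):
        print(f"step {step}: voice={load:>3} Mbps  ABR allowed rate={acr:5.1f} Mbps")
```

The ramp shows the ABR flow climbing toward the full link while voice is silent, cut back in a single RM round trip when the CBR voice arrives, and resuming once the voice channel goes idle.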

Flexible Implementation

An ATM network not only converges voice, video, data, and other services onto one network, it also gives customers choices in just how far they move into the new multiservice world. For example, some agencies want to take advantage of shared bandwidth and multiservice transport in their backbone networks and still use ISDN Primary Rate Interface (PRI) as the interface to some or all of their onsite voice switches and for trunking between them. This can be done; some multiservice equipment is compatible with ISDN PRI, unlike much of the TDM equipment currently employed by government agencies. Agencies that could not get ISDN PRI before are taking advantage of its faster call setup and its ability to pass caller ID information across the network.

An ATM multiservice network can also support phased installation of new services. New sites, often the first choice for leading-edge technology, can be equipped with VoIP to their hubs, with the VoIP being converted at the hub into VoATM for transport over the wide-area ATM backbone.

Building a Secure Network with Cisco Advanced ATM Multiservice Portfolio

Although ATM is the best answer for secure broadband networks, not all ATM networks are alike. The capabilities that make ATM especially useful by giving it attributes of IP networks—the mapping of IP precedence levels to ATM CoS categories, for example—are unique to Cisco. Developed by Cisco engineers, this capability relies on the Cisco Advanced ATM Multiservice Portfolio (AAMP), which includes the Cisco MGX® 8850, 8830, and 8950 switches. Dynamic bandwidth and the ability to make the most of the ABR CoS were pioneered by Cisco. The ability to implement ISDN PRI on the ATM network by using the Cisco Voice Interworking Service Module (VISM) is also unique to Cisco.

Cisco has built secure ATM networks using a basic architecture in which unsecured links are aggregated at customer sites by switches equipped with the Cisco MGX PXM-45 or PXM-1 processor switch module, switching fabrics that provide the appropriate capacity for the site. The aggregated traffic passes through a cell encryptor and is routed at the OC-3/STM-1 or OC-12/STM-4 rate to a core Cisco MGX 8850 Switch and multiplexed onto a backbone typically at the OC-12/STM-4 or OC-48/STM-16 rate. Using ATM in both the access and core of the network, voice, video, and data can be combined in the proportions the agency needs.

Each of the two Cisco MGX switches can accept a wide variety of interfaces and services. For serial interfaces, including V.35, RS-232, and RS-422, Cisco IGX feeder shelves must be attached.

A network for a large agency might have a dozen or more major sites equipped with Cisco MGX 8850 and 8950 switches to provide a high-capacity core backbone that scales to OC-192. For smaller sites, the Cisco MGX 8830 provides access to the core by aggregating traffic onto encrypted links.

Both switches accept User-Network Interface (UNI) and Network-to-Network Interface (NNI) data, circuit emulation, frame protocols, and, equipped with the Cisco VISM Module, ISDN-PRI voice interfaces. Moreover, they perform with 99.999-percent reliability.

The Cisco VISM, added to the Cisco MGX switches, enables the network to carry VoATM combined with data as a converged network service when that is desirable.

Many agencies already use Cisco's IP-based voice, video, and data multiservice architecture to provide flexibility in the application of these services—for example, the ability to talk and share data files simultaneously. Using capabilities as described for integration of IP onto the ATM infrastructure, the Cisco ATM network can integrate IP-based applications across the network to maintain QoS.

Cisco AAMP Architecture Provides the Highest Application Density and Investment Protection

Migration paths from an ATM network built with Cisco MGX systems to more advanced services are clear, so investment in the network will be protected. An upgrade from a point-to-point VoATM network to a VoIP network providing connectivity between all sites for voice traffic can be achieved using the same hardware and the addition of one or more call managers, depending on the size of the network.

Using the Cisco AAMP Route Processor Module (RPM)-XF, packet interfaces such as Gigabit Ethernet or packet over SONET (POS) can be installed in the Cisco MGX switches.

Cisco has also announced road maps for Cisco AAMP systems that will support even higher bandwidth in the future—for example, the Cisco MGX 8950 handles traffic at the OC-192/STM-64 rate, if encryption technology becomes available at that rate. A Cisco ATM network also lays the foundation for the IP network that many agencies see as their goal. ATM can continue to be the transport technology; IP will ride on top.

This ATM network looks to the future. When installed, it will handle any demands made on it for years to come. And it delivers the reliability mandatory for the defense and intelligence agencies it is so well suited to serve.

Figure 3:

Cisco AAMP Multiservice Switch Portfolio

A switch that can deliver best-in-class service for each type of traffic must be optimized for each one and give it full access to the switch resources needed for top performance. The Cisco AAMP switches—the first commercially available switches and other systems to be certified as compliant by the Multiservice Switching Forum—do just that.

Figure 4:

Cisco Virtual Switch Architecture

They employ the Cisco Virtual Switch Architecture (VSA) in which different switch functions such as applications, control, switching, and port adaptation are handled in separate planes, allowing each to operate independently of the others.

In addition, Cisco VSA switches can have multiple application controllers, each operating independently, governing a different service, and calling on partitioned, allocated resources in the various planes. New controllers can be added in the future simply by plugging in new cards.

Because of their ability to manage traffic at both Layers 2 and 3, Cisco AAMP switches are capable of controlling traffic ingress and egress, maximizing switch fabric and card interface usage, managing bursty traffic so it does not delay applications with higher priorities, and shaping traffic for efficient use of bandwidth.

In addition, reliability, availability, and serviceability (RAS) are designed into these switches from the start. Cisco AAMP switches meet carrier-class expectations, and deliver all the reliability and availability required for different CoSs.

Why Cisco AAMP Is the Best Option for Defense Organizations to Build Out Their Network Infrastructure

When looking to enhance the network infrastructure in place today, the Cisco AAMP portfolio offers defense organizations many unique advantages, including the following:

Based on proven technology—ATM technology has proved itself capable of providing reliable services for multiple applications across a common network. Encryption techniques used within the defense industry often rely on an ATM infrastructure.

Capacity and scale—The Cisco AAMP product portfolio scales from entry level to OC-192c capable switches using a common architecture, minimizing operational and training costs.

Dynamic bandwidth management—Bandwidth efficiency and application performance are increased by using the advanced traffic management capabilities of the product family.

Compatibility with IP-based services and applications—The ability to classify IP traffic and place it onto the PVC with the correct CoS within the ATM network ensures the required end-to-end application performance across the network.

Application density—The wide variety of interface types and speeds supported, from Ethernet to Frame Relay, from packet voice to synchronous data services, ensures that the Cisco AAMP network will be able to support the applications that must be transported across the network, all in one integrated system.

Investment protection—Working within the carrier market, Cisco appreciates the requirements for networks to be able to evolve without requiring major changes to the infrastructure. The Cisco AAMP portfolio has been designed to leverage investments made in hardware and operational expertise, with common hardware modules and software across the product line.

High availability—99.999 percent availability is achievable in a single ATM-based multiservice network with the proper deployment of power, transmission line, processor, and service module redundancy. Very large multiservice networks reached this rate of availability many years ago and continue to achieve it as new IP and MPLS related services are added.

Ability to evolve—As requirements change, the network will have the ability to adapt accordingly. Higher-capacity bandwidth, new services, including those based on MPLS utilizing Cisco VSA functionality, and additional network switching capacity can all be added as and when required.

Implementing a multiservice ATM network based on the Cisco AAMP portfolio is a strategic choice for defense and intelligence agencies. Cisco AAMP dramatically improves the performance of applications today, while providing a platform with the flexibility to meet the challenges of tomorrow.