Virtual customer premises equipment (vCPE) is a way for network operators to transition enterprise access and virtual private network (VPN) customers to next-generation cloud and networking platforms. This can substantially reduce costs associated with specialized hardware deployed on-premises and, with the right tools, enables operators to inject value into wide-area network (WAN) services using virtual network functions (VNFs).
In this context, customer-facing services become key to generating sales and ongoing business. A customer portal with Layer 7 visibility provides operators with an opportunity to go beyond connectivity and climb the value chain by offering value-added services made up of VNFs (using the app store model) that are cost-effective to buy and operate.
Take the example of an enterprise customer who wants to purchase WAN services across multiple office locations. In a cloud model, deployment becomes “self-service”, with the network implementing service requests automatically, in a matter of minutes, without the need for manual intervention on the part of the operator. This contrasts with the classic model, where a series of manual orders and provisioning tasks is required to set up the services, and can take weeks or even months to accomplish. Automation, therefore, enables operators to “close the loop” between agile, dynamic, software-configurable infrastructure and the services that run over it.
Visibility into application layer traffic is important to how dashboards monitor and represent traffic on enterprise networks – for example, to address issues like compliance and “shadow IT” – and can be used to steer traffic into the correct service chains composed of VNFs.
Service Chaining: Architecture and Deployment Options
There are two basic architectures for vCPE deployment:
The two models are an evolution of the classic CPE box-stacking model, as shown in the diagram below.
The two vCPE models can be thought of as “bookends”, with the specific configuration dependent on the type of enterprise customer, the nature of connectivity between customer sites, and so on. Some factors favor a migration to a centralized cloud-hosted model over time, while others suggest enduring value in localized compute, storage and routing. In practice, variations of the two models, with more or less capability at the customer premises according to the operator or customer strategy, are likely to coexist even within the same operator network.
vCPE Deployment Model Impacts Service Delivery
vCPE deployment impacts where VNFs are deployed and, therefore, the provision of network services and the use of Layer 7 technologies. The diagram below shows the differences for a “thin” branch, a “medium” branch and a “thick” branch office.
Of the three options shown, the thin branch model is the most disruptive. VNFs are deployed in the cloud, reducing “truck roll” (the sending of skilled technicians into the field) and operational expenses. This model also makes it (relatively) straightforward to add new VNFs using a cloud orchestrator and customer portal. In this case, Layer 7 visibility is most useful to support application-aware and subscriber-aware service chaining between cloud-hosted VNFs.
Services such as WAN acceleration and local routing need functionality deployed at the customer site, so in this case a more capable CPE device is required at the customer premises. This CPE can replace many appliances with a single, smart device that will run some applications “natively” and is capable of running third-party VNFs. Layer 7 visibility, in this case, would be useful to enforce quality of service (QoS) and prioritize application or user traffic across the WAN.
Note that centralized VNFs could also be used in conjunction with VNFs running locally on this “smart” CPE device to create an end-to-end service using common orchestration tools.
Traffic encryption is on the rise, with a high proportion of network traffic already encrypted, including enterprise WAN traffic. Encryption does not mean, however, that the traffic is undetectable; it just means that the content remains private. A Layer 7 IP classification engine can help manage encrypted traffic using advanced techniques, such as Deep Packet Inspection (DPI), to classify flows without compromising privacy and without breaking the encryption. This enables network operators and service providers to continue to apply policy and management operations to all traffic and to ensure QoS.
This article has been extracted and adapted from the white paper “Layer 7 Visibility for Virtual CPE”, prepared by Heavy Reading for the Qosmos Division of Enea.