Cisco Managed Services Portfolio: Requirements Document · This document outlines the managed...

Cisco Managed Services Portfolio: Requirements Document

V4.0 05/01/08 This document is Cisco Confidential. For Channel Partner use only. Not for distribution. 2

Requirements Document

Table of Contents Introduction 3 MSCP Service Descriptions 4 Managed Connectivity 4 Managed Security 5 Managed Unified Communications 5 Managed Mobile Communications 6 Managed Data Center 7 Managed Connectivity 8 MPLS VPN 9 Metro Ethernet 16 Managed Internet Service 21 IP Trunking 25 Router 32 IPSec VPN 33 LAN 35 Frame Relay/ATM 37 Managed Security 38 Firewall 39 IDS/IPS 44 Secure Router 50 Managed Unified Communications 52 Business Communications 53 Unified Contact Center (Managed) 58 Unified Contact Center (Hosted) 64 Hosted Unified Communications 70 Managed Mobile Communications 72 Wireless LAN 73 Managed Data Center 76 WaaS 77

Hosting/Co-Location 81 Appendix 1: Acronyms 83



Introduction

This document outlines the managed service specific requirements at all levels of the MSCP model and should be used in conjunction with the Cisco Offer Based Channel Model Audit and Policies Document when preparing for a Managed Services Channel Program Audit.

The Cisco Offer Based Channel Model Audit and Policies Document covers the core requirements of the MSCP regardless of the types of managed services offered; it focuses on the Network Operations Center service management according to ITIL recommendations.

To qualify as a Cisco Managed Service, the offer must include proactive monitoring, remote troubleshooting capabilities from your NOC, and minimum 1-year SLA with the end-user customer, and must meet the additional requirements specified within this document.



MSCP Service Descriptions

These tables provide an overview of services only. See linked sections for details.

Managed Connectivity

MPLS VPN A Cisco Powered managed MPLS VPN service provides private IP networks with high quality, secure, any-to-any connectivity.

The service is based on the Cisco IP NGN Architecture, Multi Protocol Label Switching (MPLS) and Cisco Design and Implementation Guides.

The service delivers appropriate levels of latency, jitter, and packet loss to ensure the successful, concurrent handling of multiple types of traffic, especially voice and video, from customer site to customer site.

The network classifies and prioritizes traffic flows from end to end, enabling SLAs for multiple classes of service.

The service also provides comprehensive SLAs covering the overall performance of the service, and online access to real-time and historical service-performance reports.

Metro Ethernet A Cisco Powered managed Metro Ethernet service provides high-speed, site-to-site connectivity. It supports the delivery of voice, video and other mission-critical applications.

This service is based on the Cisco IP NGN Architecture, Cisco Design and Implementation Guide, and Metro Ethernet Forum standards and specifications.

The service delivers a variety of point-to-point and multipoint Ethernet services over Layer 1, Layer 2, and Layer 3 topologies with seamless integration. It allows for QoS functionality, including classification and prioritization techniques to enable multiple levels of service.

The service also provides comprehensive SLAs covering the overall performance of the service, and online access to real-time and historical service-performance reports.

Managed Internet Service

A Cisco Powered managed Internet service delivers secure Internet connectivity.

This service is based on the Cisco self-defending network architecture and is built upon a secure infrastructure.

The service delivers connectivity for users regardless of location and access methods. It is backed by comprehensive SLAs covering the overall performance of the service, and online access to real-time and historical service-performance reports.

The service offers service-level agreements for network performance and service availability, supports quality of service (QoS) techniques, access control lists, and other industry best practices.

IP Trunking A Cisco Powered managed IP Trunking service is a Session Initiation Protocol (SIP)-based trunk from the service provider to an IP PBX or key system, delivering voice, multimedia, and data traffic.

The service provider provides basic connectivity, emergency services, dial plan management and operator services. Local and long distance call connections are completed by the service provider. A managed IP Trunking service includes the IP termination service and features a PBX with a gateway, an IAD or an IP PBX.

The service provides comprehensive SLAs covering the overall performance of the service, and online access to real-time and historical service-performance reports.

Router A managed router service provides remote router configuration, management, and maintenance. This service delivers 24x7 management and monitoring of customer site routers in a Wide Area Network (WAN).

IPSec VPN A managed security IPSec VPN service provides secure site-to-site connectivity through encrypted data streams over a private or public network.

This service is based on RFC specifications and protocol, a framework of open standards.

This service delivers IPSec encryption and tunneling protocols, data confidentiality, data integrity, and data authentication over unprotected networks such as the Internet.



LAN A managed Local Area Network (LAN) service provides remote LAN switch configuration, management and maintenance.

Frame Relay/ATM A managed Frame Relay/ATM service delivers Layer 2 site to site connectivity over a Frame Relay or ATM network.

This service delivers 24x7 management, monitoring and maintenance of customer site routers in a Wide Area Network (WAN).

Managed Security

Firewall A Cisco Powered managed firewall service provides Cisco proven firewall technology solutions to help customers better protect their business infrastructure.

The service is managed from a security operations center (SOC). It supports the key features available on the Cisco firewall solutions, such as network bandwidth optimization and anti-IP address spoofing, and conforms to Cisco and industry best practices.


IDS/IPS A Cisco Powered managed Intrusion Detection (IDS)/Intrusion Prevention (IPS) service provides Cisco deep-packet, inspection-based technology to better protect a customer’s business Infrastructure.

This service delivers real-time monitoring and detection and mitigation of many types of malicious network traffic, such as DDoS attacks.

The service is managed from a security operations center (SOC) and is deployed at strategic locations across the enterprise network. It supports the key features available on the Cisco IDS/IPS solutions and conforms to Cisco and industry best practices.


Secure Router A managed secure router is a managed WAN router with integrated security to provide secure connectivity.

This service is based on the Integrated Services Router (ISR) security bundles that are packaged in 3 forms: Entry bundle for basic security, enhanced bundle for added performance and scale, and V3PN for integrated security and IP communications.

This service delivers 24x7x365 management, monitoring, and maintenance of network traffic flows. Included are comprehensive SLAs covering the overall performance of the service and online access to real-time and historical service-performance reports.

Managed Unified Communications

Business Communications

A Cisco Powered managed firewall service provides Cisco proven firewall technology solutions to help customers better protect their business infrastructure.

The service provides the integration of voice, video, and other collaborative data applications into intelligent network communications solutions. These solutions, including IP telephony, unified communications, and rich-media conferencing, take full advantage the power, resilience, and flexibility of an organization’s UC network. The service is provided with quality of service (QoS) capabilities that ensure a consistent experience, service resiliency options for site design, and embedded security capabilities that protect the customer environment.

The service provides comprehensive SLAs for service performance and a Web portal that provides real time and historical performance analysis.



Unified Contact Center (Managed)

A Cisco Powered Managed Unified Contact Center Service provides an IP-based, centralized infrastructure that can support many distributed sites.

The service offers a full suite of contact management services that can be implemented immediately or incrementally.

The service enables customer deployments of < 10 agents and scaling up to > 1,000 agents and provides customers administrative control options for their environment.

This service delivers intelligent call routing, network-to-desktop CTI, and multi-channel contact management over an IP network to contact center agents. The solution also delivers TDM to IP connectivity with Cisco VoIP gateways, and media termination with Cisco IP phones.

The service provides comprehensive SLAs for service performance, a Web Portal that provides real time and historical performance analysis.

Unified Contact Center (Hosted)

A Cisco Powered Managed Unified Contact Center Service provides an IP-based, centralized infrastructure that can support many distributed sites.

The service offers a full suite of contact management services that can be implemented immediately or incrementally.

The service enables customer deployments of < 10 agents and scaling up to > 1,000 agents and provides customers administrative control options for their environment.

This service delivers intelligent call routing, network-to-desktop CTI, and multi-channel contact management over an IP network to contact center agents. The solution also delivers TDM to IP connectivity with Cisco VoIP gateways, and media termination with Cisco IP phones.

The service provides comprehensive SLAs for service performance, a Web Portal that provides real time and historical performance analysis.

Hosted Unified Communications

A Cisco Powered Hosted Unified Communication Service (HUCS) has been designed to deliver a suite of UC applications for deployments where a centralized, partitionable environment provides an economic advantage to a more traditional, on customer premises distributed deployment.

The Cisco HUCS solution provides maximum scalability and simplified provisioning. The infrastructure equipment and service are both owned and managed by the service provider, so end users can eliminate the cost and complexity of buying and managing their own unified communications solutions.

In a Cisco HUCS environment, each customer has a unique dial plan, set of phone numbers, voicemail, and other resources. The service provider operates one call-control network for all customers, enjoying significant economies of scale that can lead to lower capital and operational expenses, competitive prices to customers, and a new revenue stream.

The Cisco HUCS gives managed service providers a new way to cost effectively leverage their network infrastructure to gain new revenue. For end users, the service saves time, money, and reduces complexity letting them concentrate on their core competencies.

Managed Mobile Communications

Wireless LAN A managed wireless LAN service extends the corporate network securely, allowing employees to conduct business anywhere, anytime, from any device.

The service has integral security capabilities that protect both the device and the enterprise network with quality of service (QoS), availability, and reliability.

It supports advanced wireless capabilities such as Wi-Fi Multimedia, virtual LANs, and fast, secure layer 2 and 3 roaming for seamless mobility.

Hosting/Co-Location This Cisco Powered managed hosting service provides the secure hosting of Web or other application servers, and related Internet connectivity. The service scales from basic co-location, where the customer owns the equipment “in the cage”, to traditional Web hosting, where the provider owns the servers and all related equipment.

Essentially, the baseline offering would provide space, power, and pipe in an environmentally controlled fire protected facility with redundant power and network connectivity. The higher end offering is a more complex service built upon a highly network secured and resilient infrastructure that conforms to Cisco’s data center V-Frame design guidelines for virtual application/server functionality and application control server load balancing.



The service ranges from offering 24x7 continuous monitoring over servers and network, to incremental offerings of real time and historical traffic reporting and server performance via a customer portal with some level of customer control if required. Additionally, the hosted applications scale from being horizontally offered, to multiple vertically defined offers across industry sectors.

The service is backed by comprehensive SLAs for service performance, including network availability, server availability, and server implementation timelines.

Managed Data Center

WAAS A Cisco Powered Managed Wide Area Application Service (WAAS) is a powerful application acceleration and WAN optimization solution that optimizes the performance of any TCP-based application delivered across a WAN.

A Managed WAAS is a component of Cisco’s Data Center 3.0 architecture that enables partners to offer a comprehensive portfolio of application networking solutions and technologies that result in the optimization and secure delivery of business applications from data centers to branches and mobile end users.

This purpose-built software and hardware service allows customers to consolidate costly branch servers and storage into data centers, and deploy new applications centrally, while still offering LAN-like performance for any employee regardless of location.

The service offers lower total cost of ownership (TCO), ease of operation through network transparency, reliable deployment of applications and preserves the security of accelerated traffic.

Hosting/Co-Location This Cisco Powered managed hosting service provides the secure hosting of Web or other application servers, and related Internet connectivity. The service scales from basic co-location, where the customer owns the equipment “in the cage”, to traditional Web hosting, where the provider owns the servers and all related equipment.

Essentially, the baseline offering would provide space, power, and pipe in an environmentally controlled fire protected facility with redundant power and network connectivity. The higher end offering is a more complex service built upon a highly network secured and resilient infrastructure that conforms to Cisco’s data center V-Frame design guidelines for virtual application/server



Managed Connectivity

Benefits and Requirements

Benefit Description Cisco

Powered Strategic Legacy

Eligible for Discount Products within this category are eligible for program discount (upon certification or designation approval) • • •

Eligible for Rebate Products within this category are eligible for program rebate (upon certification or designation approval) •

Eligible for Global Procurement

Products within this category are eligible for global procurement (upon certification or designation approval) • • •

Eligible for Branding and Additional Marketing Benefits

Approved managed services within this category are eligible for branding and additional marketing benefits •

Trade-In Credits Approved managed services within this category can be combined with trade-in credits • • •

Incentive Programs, Rebates, Offers

Approved managed services within this category can be combined with resale-based incentive program discounts (OIP, VIP, SIP), rebates, and offers



Real-time Monitoring Managed Services are proactively monitored via the Partner’s NOC • • •

24x7 Service Availability

Service management is available 24x7 • • •

SLAs The Managed Service provider must back SLAs with terms of one-year (or greater) • • •

Technical Attributes Technical attributes for the managed services in this category are defined • •

Service Management Service management requirements are stipulated • • POS Customer Reports

Partner must provide POS customer information on a monthly basis. Customer information collected as part of the requirement will be used for program governance only.

• • •

Eligible Products Managed services within this category have a pre-established set of eligible Cisco products • • •

≥ 50% Cisco Infrastructure

The transport Managed Services in this category must be based partially or wholly on Cisco infrastructure, with at least 50% of the provider edge provisioned on Cisco platforms and that absorb Cisco based infrastructure ports when the Managed Service is provisioned

• •



MPLS VPN

Network Requirements Cisco Powered Managed Services To qualify as a Cisco Powered Managed service, the IP transport must be based partially or wholly on Cisco infrastructure, with at least 50% of the provider edge provisioned on Cisco platforms and that absorb Cisco based infrastructure ports when the Managed Service is provisioned.

Strategic Managed Services

Same as Cisco Powered Managed Services requirements

Legacy Managed Services

N/A

Architecture and Technical Attributes Cisco Powered Managed Services Requirement Auditor Instructions (What to Look for)

Network foundation for VPN service must be based on IP/MPLS

Network design diagram or Technical Service Description (TSD) demonstrating the deployment of MPLS over a Cisco IP network. Refer to RFC 2547—BGP/MPLS VPN.

Connectivity provided to the Internet from the VPN

Partner must demonstrate that the service offers Internet connectivity across the MPLS backbone to eliminate the need to carry Internet bound traffic back to a customer’s regional HQ site and then on to the external Internet connection. A default route to the Internet can be injected in to the VPN, drawing traffic that does not go to a specific location on the customer network. A managed firewall then screens traffic.

Customer ability to select a full mesh VPN option where all sites can pass traffic directly to each other

Generally part of the Marketing Service Description (MSD); other service description may also be acceptable

Customer ability to select a design configuration option that will emulate a hub and spoke environment

Part of the MSD, or Partner must be able to demonstrate network design option available to customer

Extranet access to VPN The service offering needs to include the ability to connect to a Community of interest network. This extranet allows interested companies to connect together to share information. Partner must demonstrate how this service is secured to ensure that each customer’s VPN is protected from access by another company.

Layer 3 network reach The network needs to support IP routing capability, as opposed to Layer 1 or Layer 2 backhaul services, to provide the full benefits of Layer 3 connectivity in each country or region the service is offered in. Partner must be able to demonstrate the existence of a network design process to ensure this. This must include the decision criteria of what the routing node distribution needs to be to adequately cover population densities in each country served.

Customer Edge—Provider Edge routing protocol support

Partner must support BGP, OSPF, EIGRP and static routing protocols between the CPE and the Provider Edge Router

Remote access via Internet Service must support the ability to gain access to VPN resources via the Internet. Partner must demonstrate how this is achieved. May require client software on remote User access devices.



Strategic Managed Services Requirement Auditor Instructions (What to Look for)

Network foundation for VPN service must be based on IP/MPLS

Network design diagram or technical service description demonstrating the deployment of MPLS over a Cisco IP network. Refer to RFC 2547—BGP/MPLS VPN.

Connectivity to the Internet must be available as an option for the service

Partner must demonstrate that the service offers Internet connectivity across the MPLS backbone to eliminate the need to carry Internet bound traffic back to a customers regional HQ site and then on to the external Internet connection. A default route to the Internet can be injected in to the VPN, drawing traffic that does not go to a specific location on the customer network. A managed firewall then screens traffic.

Customer ability to select a full mesh VPN option where all sites can pass traffic directly to each other


Remote access via Internet Service must support the ability to gain access to VPN resources via the Internet. Partner must demonstrate how this is achieved. May require client software on remote User access devices.


N/A

Quality of Service

Quality of Service (QoS) features that enhance the capabilities of the service to support all traffic types over a converged infrastructure

Cisco Powered Managed Services

Requirement Auditor Instructions (What to Look for)

At least 5 classes of service available Generally part of the Marketing Service Description (MSD); other service description may also be acceptable

If narrowband (< E1/T1) access links are supported, support mechanisms must be offered to help ensure that delay-sensitive traffic receives the required QoS

Network design criteria for narrowband links must include consideration for supporting multiple traffic classes; mechanisms may include MLPPP and FRF.12

Overall network design capability to transport customer settings across the network transparently, regardless of the number of classes of service supported and the QoS settings available

Detailed in MSD or part of network design criteria

The following QoS features must be implemented in the PE nodes:

• Policed High Priority-Queue

• Assured Forwarding Queue

• Packet Sequence Preservation

Partner must demonstrate that a mechanism is in place to limit overall traffic entering the HP-Q such that the lower classes are not starved of bandwidth. Partner must demonstrate that the Video traffic from a customer can be streamed into the AF-Queue. This must be shaped to provide the required behavior for Video, allowing it to not be dropped but still receive predictable jitter and delay. If the customer sends more traffic for a class than is subscribed to, the excess traffic must not be put in to a separate class, but remain in the same CoS queue and marked for discard in the event of congestion. This avoids a TCP stream being split up and potentially being delivered via two queues which are drained at different rates, causing out of sequence arrival.





N/A



Device-Level Security

Partner must be able to demonstrate adherence to the policies and best practices outlined within the Cisco Network Foundation protection framework, as described at http://www.cisco.com/go/nfp



Data Plane

Partner must demonstrate that the following capabilities have been implemented to protect the data plane on each device:

• Access Control Lists (ACL)—protects devices from malicious traffic by explicitly permitting legitimate traffic

• Unicast Reverse Path Forwarding (URPF)—mitigates problems caused by the introduction of malformed or spoofed IP Source addresses

• Remotely Triggered Black Hole (RTBH)—drops packets based on source address and can be used while device is under attack

• QoS tools—used to protect against flooding attacks

Clearly defined and documented security procedures that describe how the following are implemented as part of an overall security policy:

• Infrastructure ACLs are applied to the network core

• Drops packets without a verified source address

• A filtering method for dropping malicious traffic at the peering edge of the network

• Defined QoS policies to rate limit or drop offending traffic (identify, classify and rate limit) Note: Current specifications are applicable, but newer releases and revisions may supersede the herein outlined requirements.

Note: Current specifications are applicable, but newer releases and revisions may supersede the herein outlined requirements.

Control Plane

Partner must demonstrate the following capabilities have been implemented to protect the control plane on each device:

• Receive ACLs—limits the type of traffic that can be forwarded to the processor

• Control Plane Policing (CPP)—provides QoS control for the packets destined to the control plane of the device. Ensures adequate bandwidth reserved for high priority traffic such as routing protocols

• Routing protection—MD5 neighbor authentication protects routing domains from spoofing attacks

• Auto secure procedures in place

Partner must

• Demonstrate use of ACLs in security policy

• Demonstrate use of QoS control in security policy

• Demonstrate use of MD5 neighbor authentication in security policy

• Demonstrate lock down of devices using industry best practices (NSA)

Management Plane

Partner must demonstrate the following capabilities have been implemented to protect the management plane on each device:

• CPU and memory thresholding— protects CPU and memory resources of IOS devices against DDoS attacks

• Dual export syslog—increases availability by exporting information to dual collectors

• Procedures to prevent unauthorized management access to devices

• Procedure in place to react to thresholds being exceeded or documentation in support of functionality

• Part of design for collection of management information from each device

• Partner must have security procedure in place. Can use features such as Secure Shell only access (SSH), VTY access control list, Cisco IOS software login enhancements, SNMP V3, TACACS+.




Data Plane

Policy for protection against security attacks Clearly defined and documented security policy covering protection of infrastructure from security attacks

Access Control Lists (ACL)—protects devices from malicious traffic by explicitly permitting legitimate traffic

Infrastructure ACLs are applied to the network core

QoS tools—used to protect against flooding attacks

Defined QoS policies to rate limit or drop offending traffic (identify, classify and rate limit)

Control Plane

Routing protection—MD5 neighbor authentication protects routing domains from spoofing attacks

Demonstrated use of MD5 neighbor authentication in security policy

Auto secure procedures in place Demonstrated lock down of devices using industry best practices (NSA)

Management Plane

Procedures to prevent unauthorized management access to devices

Partner must have security procedure in place. Can use features such as Secure Shell only access (SSH), VTY access control list, Cisco IOS software login enhancements, SNMP V3, TACACS+.


N/A

Security Infrastructure: DDoS Protection

Partner must be able to demonstrate adherence to the policies and best practices outlined within the Cisco Cleanpipes DDoS infrastructure protection—detailed at http://www.cisco.com/en/US/netsol/ns615/networking_solutions_sub_solution.html Cisco Powered Managed Services


Regional Cleaning Centers deployed using Cisco Guard solution

Evidence of network design that includes Cleaning Centers

Network based mechanism to identify, classify and mitigate attacks based on anomaly characteristics

Demonstrated process to identify, classify and mitigate attacks based on anomaly characteristics

Process to baseline normal traffic loads periodically, at least weekly; must be repeated on a regular basis as agreed with the customer

Demonstrated process for periodic baseline of traffic loads; must be at least weekly and repeated as agreed with customer

Ability to conduct network based traffic tuning on the detection network for at least 24 hours at peak traffic time

Demonstrated process for network based traffic tuning on the detection network for at least 24 hours at peak traffic time


Not a requirement at this level


N/A



Resiliency and Redundancy

Implementation of technology that enables network wide resiliency for IP networks, as described at http://www.cisco.com/ en/US/partner/products/ps6550/products_ios_technology_home.html Cisco Powered Managed Services


Device level resiliency H/W—effective design process to ensure deployment where applicable to enhance device level hardware resiliency

Design processes or sample PE node config. which makes use of features such as redundant processors, line cards, switch fabric and power

Device level resiliency S/W—effective design process to ensure use of software features enhance device level resiliency

Use of Non-Stop Forwarding (NSF) and Stateful Switchover (SSO)

Transport level resiliency—effective deployment of link or transport level resiliency features within network design

Design features such as SONET/SDH APS, Resilient Packet Ring (RPR), Etherchannel, Spanning-Tree Protocol (STP)

Protocol level resiliency—effective deployment of protocol level resiliency features to enhance availability

Layer 3 protocols. These should include: Hot Standby Routing Protocol (HSRP) RFC 2281, Virtual Router Redundancy Protocol (VRRP) RFC 2338, MPLS-TE, BGP graceful restart, NSF on OSPF/IS-IS.

Convergence time tuning procedures— procedures in place to tune convergence times where applicable

Demonstrated use of features such as fast reroute (FRR), BGP multipath, failure detection and recovery tuning, routing protocol optimization, IP even dampening

Application level resiliency—procedures to ensure availability of critical applications

Use of features such as Global server load balancing, S NAT, Stateful IPSec, DNS, DHCP, Cisco server load balancing



Network architecture design to meet the levels of guaranteed service availability

Demonstration of design process in place to ensure target network availability can be met. Should include reference to areas of availability specified in Cisco Powered Managed Services requirements.


N/A

Options for Site Network Resiliency



If leased lines are delivered over a SONET/SDH infrastructure, protection must be offered for the circuit

Marketing Service Description (MSD) must include this as an option, or Partner must demonstrate service designs that have incorporated this feature

Customer option to backup a link from a site into the VPN network

MSD must include an option for sites to connect to the same PE node. Technology such as ISDN, EVDO may be used depending on access type and speed. Consideration in network design must be given for impact on traffic supported, such as rerouting Voice traffic to an alternate path.

Ability to dual home the CPE into 2 separate nodes in the aggregation network

As above, MSD should include this option or Partner must demonstrate use of it in network designs

Customer option to encrypt the access link between Customer premises and Provider Edge

Partner must demonstrate support for IPSec encryption, or similar solution, for additional level of security before the traffic gets into the MPLS VPN









N/A

Service Level Management: Required SLA Components



Mean Time to Respond (MTTN): May vary according to severity levels; best case of 20 minutes supported for high-priority issues

Partner must provide actual SLA offering MTTN for high priority issues of 20 minutes

Mean Time to Fix/Repair (MTTR): May vary according to customer needs; best case of 4 hours available as an option

Partner must provide actual SLA offering MTTR for high priority issues of 4 hours

Service Availability: Must offer an SLA for per-customer service availability

Partner must provide actual SLA offering Service Availability, e.g., 99.99% availability

Jitter: Jitter guarantee of <30 msecs Partner must provide actual SLA offering Jitter guarantee of <30 msecs

Packet Delay: Guarantee of <150msecs Intra-continental (e.g., within Europe or U.S.) and <300 msecs for Global (e.g., between Europe and U.S. Trans-Oceanic)

Partner must provide actual SLA offering guarantee of <150msecs Intra-continental (e.g., within Europe or U.S.) and <300 msecs for Global (e.g., between Europe and U.S. Trans-Oceanic)

Packet Loss Ratio: Guarantee of 1% or less packet loss for voice, video and business class data

Partner must provide actual SLA offering guarantee of 1% or less packet loss for these classes of service









Jitter: Must offer an SLA for High Priority service class

Must offer an SLA for Jitter for High Priority service class

Packet Delay: Must offer an SLA for High Priority service class

Must offer an SLA for Packet delay for High Priority service class

Packet Loss Ratio: Must offer an SLA for at least one class of service

Must offer an SLA for Packet Loss for at least one class of service


N/A



Service Level Management: Service Reports



VPN Service Reports distributed on a regular schedule agreed with the customer:

• Asset Report

• Parameter Settings Report

• Trend Report

• Resource Utilization Report

• Configuration Report

Example reports provided or demonstration of Web portal with ability to select reports listed

Secure Web portal to communicate current status and performance, including specific reports available online as agreed with the customer

Demonstration of portal from customer viewpoint, including real-time view of connectivity and status of individual VPN. Mechanisms may include password protection or similar restrictions to access the online Web portal for downloading reports.

Separate performance reports for each class of service supported

Example reports for each class of service



VPN Service Reports distributed on a regular schedule agreed with the customer

Example reports provided or demonstration of Web portal with ability to select report(s)




N/A

Service Level Management: CIO Dashboard



Summary level dashboard to communicate key performance criteria, including:

• Network health

• Real-time status map

• Trouble ticket status

• Summary reports

• Network monitoring and periodic reporting (Daily/Weekly/Monthly/Quarterly)

Demonstration of summary dashboard on Web portal provided to customer or description provided in customer documentation of capabilities to be expected





N/A



Metro Ethernet

Network Requirements


To qualify as a Cisco Powered Managed service, the IP transport must be based partially or wholly on Cisco infrastructure, with at least 50% of the provider edge provisioned on Cisco platforms and that absorb Cisco based infrastructure ports when the Managed Service is provisioned.




N/A

Architecture and Technical Attributes

If Partner can provide evidence of certification to Metro Ethernet Forum 6 and 10.1 or MEF 9 test suite then this section is considered compliant. See http://metroethernetforum.org Cisco Powered Managed Services


Support for at least two of the three service types defined in the Metro Ethernet Forum (MEF) guidelines sections 6 and 10.1

Partner must demonstrate support for at least two of the three following service types: point-to-point EVC (E-Line), root-to-leaf EVC and multipoint to multipoint EVC (E-LAN), as described in section 6.1

Ability to connect multiple CPE devices from the same site

Documented evidence in the Marketing Service Description (MSD) or equivalent documentation outlining customer design options

Service frame transparency—deliver frames across the service without adversely affecting the format

See MEF 10.1 sec 6.5.3

Layer 2 control processing requirements Conformance to the mandatory requirements in MEF 6 section 7 table 9

E-LMI support Service must support the E-LMI functionality mandated in MEF 16, specifically the ability to auto-configure the CE and to provide EVC status information

Provision of a service that allows the customer to specify which VLAN ID they use

See MEF 10.1 sec 7. The service must allow the preservation of the CE-VLAN ID, or for this to be different at the ingress and egress UNI.



Support for at least one service as defined in the Metro Ethernet Forum (MEF) guidelines sections 6 and 10.1—Ethernet Virtual Leased Lines or Virtual Private LAN Service

Partner must demonstrate support for at least two of the three following service types: point to point EVC, multipoint EVC E-Line) and multipoint to multipoint EVC—(E-LAN), described in section 6.1. UNI 1.1 or UNI 1.2 as specified in MEF 13

Service frame transparency—deliver frames across the service without adversely affecting the format

See MEF 10.1 sec 6.5.3

Layer 2 control processing requirements Conformance to the mandatory requirements in MEF 6 section 7 table 9


N/A



Quality of Service




Ability to support hierarchal shaping, including:

• Class level

• VLAN level

• Physical or port level

Demonstrated capability in the network design

Bandwidth profile for ingress and egress ports See MEF 10.1 sec 7.11. Partner must offer the ability to enforce a bandwidth profile on both the ingress and egress UNIs. Coloring must be in accordance with table 7.11.2.

At least 2 classes of services are available Generally part of the Marketing Service Description (MSD); other service description may also be acceptable

Full range of Access Support As specified in MEF 10.1 table 12

Ability to scale bandwidth offered to the customer through remote configuration, including offering customer access to different bandwidth options over the physical link

Demonstration of capability from customer portal or description from Marketing Service Description (MSD)

Support for a VLAN connected to the Internet with appropriate security support (see below)


Support of access to an MPLS VPN; if this option is used, the customer must be able to use this service as a connection option with the same QoS/CoS characteristics




Ability to support Gigabit Ethernet access Detailed in Marketing Service Description (MSD) or part of network design criteria

Support for a VLAN connected to the Internet Generally part of the Marketing Service Description (MSD); other service description may also be acceptable


N/A



Options for Site Network Resiliency: Service Protection

If Partner can provide evidence of certification to Metro Ethernet Forum 2 then this section is considered compliant. See http://metroethernetforum.org Cisco Powered Managed Services


Ability for subscriber of the service to request different protection parameters for Ethernet services

See MEF 2 section 9.1 http://metroethernetforum.org/page_loader.php?p_id=29

Partner must provide the following options for site network resiliency:

• Unprotected service: Basic service with no resiliency options

• Fully load shared links: Traffic is load shared down redundant paths

• Active/passive links: One link is active and monitored. Under failure conditions the backup link is enabled

Demonstrated in Technical Service Description (TSD) or other available document



Site resiliency options MSD (or other available document) must detail at least two levels of site resiliency. Features to enable this include Layer 1 protection (SONET/SDH), option to connect multiple CPEs onsite, dual homing


N/A


If Partner can provide evidence of certification to Metro Ethernet Forum 2 then this section is considered compliant. See http://metroethernetforum.org Cisco Powered Managed Services








Service Restoration Time: Measures how quickly the network will respond to failure on a specific service to restore connectivity without operator intervention

See MEF 2. SLA must offer all of the four options—from 50 msecs to sub 5 secs specified in 9.1.2 R4

Jitter: Jitter guarantee of <30 msecs Partner must provide actual SLA offering Jitter guarantee of <30 msecs

Packet Delay: Guarantee of <150msecs Intra-continental (e.g., within Europe or U.S.) and <300 msecs for Global (e.g., between Europe and U.S. Trans-Oceanic)

Partner must provide actual SLA offering guarantee of <150msecs Intra-continental (e.g., within Europe or U.S.) and <300 msecs for Global (e.g., between Europe and U.S. Trans-Oceanic

Packet Loss Ratio: Guarantee of 1% or less packet loss for voice, video and business class data











Service Restoration Time: Must offer an SLA for Service Restoration Time

See MEF 2. SLA must offer all of the four options—from 50 msecs to sub 5 secs specified in 9.1.2 R4


N/A




VPN Service Reports distributed on a regular schedule agreed with the customer:

• Asset Report


• Trend Report





Demonstration of portal from customer viewpoint, including real-time view of connectivity and status. Mechanisms may include password protection or similar restrictions to access the online Web portal for downloading reports.


Examples of separate reports for each class of service

Bandwidth on Demand: Partner must offer the customer the option to provision bandwidth via a Web portal without Partner intervention

Capability demonstrated via Web portal



Partner must provide service performance reports to the customer on a regular basis that compare actual performance to agreed service levels



N/A







• Network health



• Summary reports





Partner must demonstrate the capability to pro-actively inform the customer on key issues that affect the ability for the service to meet agreed performance levels.



N/A



Managed Internet Service


Partner must be able to demonstrate adherence to the policies and best practices outlined within the Cisco Network Foundation protection framework, as described at http://www.cisco.com/go/nfp Cisco Powered Managed Services


Data Plane










• Defined QoS policies to rate limit or drop offending traffic (identify, classify and rate limit)


Control Plane Partner must demonstrate the following capabilities have been implemented to protect the control plane on each device:


• Control Plane Policing (CPP)—provides QoS control for the packets destined to the control plane of the device. Ensures adequate bandwidth reserved for high priority traffic such as routing protocols



Partner must





Management Plane Partner must demonstrate the following capabilities have been implemented to protect the management plane on each device:

• CPU and memory thresholding— protects CPU and memory resources of IOS devices against DDoS attacks









Data Plane






Control Plane




Management Plane


Partner must have security procedure in place. Can use features such as Secure Shell only access (SSH), VTY access control list, Cisco IOS software login enhancements, SNMP V3, TACACS+. Demonstrated in Technical Service Description (TSD) or other available document

Legacy Managed Services No device-level security requirements at this level

Security Infrastructure: DDoS Protection

Partner must be able to demonstrate adherence to the policies and best practices outlined within the Cisco Cleanpipes DDoS infrastructure protection—detailed at http://www.cisco.com/en/US/netsol/ns615/networking_solutions_sub_solution.html Cisco Powered Managed Services


Regional Cleaning Centers deployed using Cisco Guard solution

Evidence of network design that includes Cleaning Centers

Network based mechanism to identify, classify and mitigate attacks based on anomaly characteristics

Demonstrated process to identify, classify and mitigate attacks based on anomaly characteristics

Process to baseline normal traffic loads periodically, at least weekly; must be repeated on a regular basis as agreed with the customer

Demonstrated process for periodic baseline of traffic loads; must be at least weekly and repeated as agreed with customer

Ability to conduct network based traffic tuning on the detection network for at least 24 hours at peak traffic time

Demonstrated process for network based traffic tuning on the detection network for at least 24 hours at peak traffic time



N/A


No DDoS protection requirements at this level







Design processes or sample PE node config. which makes use of features such as redundant processors, line cards, switch fabric and power


Use of Non-Stop Forwarding (NSF) and Stateful Switchover (SSO)

Transport level resiliency—effective deployment of link or transport level resiliency features within network design

Design features such as SONET/SDH APS, Resilient Packet Ring (RPR), Etherchannel, Spanning-Tree Protocol (STP)

Protocol level resiliency—effective deployment of protocol level resiliency features to enhance availability

Layer 3 protocols. These should include: Hot Standby Routing Protocol (HSRP) RFC 2281, Virtual Router Redundancy Protocol (VRRP) RFC 2338, MPLS-TE, BGP graceful restart, NSF on OSPF/IS-IS

Convergence time tuning procedures—procedures in place to tune convergence times where applicable

Demonstrated use of features such as fast reroute (FRR), BGP multipath, failure detection and recovery tuning, routing protocol optimization, IP even dampening

Application level resiliency—procedures to ensure availability of critical applications

Use of features such as Global server load balancing, S NAT, Stateful IPSec, DNS, DHCP, Cisco server load balancing






No resiliency and redundancy requirements at this level




Mean Time to Fix/Repair (MTTR): Must offer an SLA for MTTR

Partner must provide actual SLA offering MTTR for high priority issues






Partner must provide actual SLA offering MTTR for high priority issues




Minimum 1 year Service Level Agreement in place with end-user customer

Partner must provide SLA outlining performance of the service to be expected

Proactive management of CPE devices Demonstration that the management capabilities offered to the customer meet the stated entry criteria for the program






Service Reports distributed on a regular schedule agreed with the customer:

• Asset Report


• Trend Report








Service reports available to the customer providing an overview of service performance



No service reporting requirements at this level






• Monitoring report

• Usage report

Demonstration of Web portal from customer perspective demonstrating real time views, optional reports and service summary




No dashboard requirements at this level



IP Trunking

Network Requirements


To qualify as a Cisco Powered Managed service, the IP transport must be based partially or wholly on Cisco infrastructure, with at least 50% of the provider edge provisioned on Cisco platforms and that absorb Cisco based infrastructure ports when the Managed Service is provisioned.




N/A


IP Trunking Service must be in compliance with RFC 3261

Partner must demonstrate that the service offers Internet connectivity across the MPLS backbone to eliminate the need to carry Internet bound traffic back to a customers regional HQ site and then on to the external Internet connection

IP Trunking Architecture must support Emergency Calls

As an example, E911 or country-specific regulatory specification

IP Trunking Architecture must be in compliance with RFC3264 “An Offer/Answer Model with Session Description Protocol (SDP)”

Part of the Marketing Service Description (MSD) or Partner must be able to demonstrate network design option available to customer

IP Trunking Service support for Managed Dial Plan Service: unified dial plan across multiple locations (N-digit/private dial plan w/ overlap between enterprises)

Part of the MSD or Partner must be able to demonstrate network design option available to customer in documentation

The Service Elements of IP Trunking Architecture must be hardened against DOS attacks and secured appropriately to counter unauthorized access

Conformance to NFP best practices for securing service elements using the same methods described for the MPLS VPN and other connectivity services

IP Trunking Architecture must be in compliance with RFC 2833 (DTMF Relay)


IP Trunking Service must support the codecs G.711 u-law and/or a-law


IP Trunking Architecture must provide demarcation between service provider network and customer network in order to grant the correct operational independence and security level for both networks

Part of the Marketing Service Description (MSD) or service diagram demonstrating compliance with Cisco IP-to-IP gateway




IP Trunking Service must be in compliance with RFC 3261

Partner must demonstrate that the service offers Internet connectivity across the MPLS backbone to eliminate the need to carry Internet bound traffic back to a customers regional HQ site and then on to the external Internet connection

IP Trunking Architecture must support Emergency Calls

As an example, E911 or country-specific regulatory specification

IP Trunking Architecture must be in compliance with RFC 2833 (DTMF Relay)


IP Trunking Service must support the codecs G.711 u-law and/or a-law


IP Trunking Architecture must provide demarcation between service provider network and customer network in order to grant the correct operational independence and security level for both networks

Part of the Marketing Service Description (MSD) or service diagram demonstrating compliance with Cisco IP-to-IP gateway


N/A

Quality of Service





If narrowband (< E1/T1) access links are supported, support mechanisms must be offered to help ensure that delay-sensitive traffic receives the required QoS; mechanisms may include MLPPP and FRF.12

Network design criteria for narrowband links must include consideration for supporting multiple traffic classes

Overall network design capability to transport customer settings across the network transparently, regardless of the number of classes of service supported and the QoS settings available

Detailed in MSD or part of network design criteria

Following QoS features must be implemented in the PE nodes

• Policed High Priority-Queue

• Assured Forwarding Queue

• Packet Sequence Preservation

• Real-time view of connectivity and status of individual VPN

Partner must demonstrate a mechanism is in place to limit overall traffic entering the HP-Q such that the lower classes are not starved of bandwidth. Partner must demonstrate that the Video traffic from a customer can be streamed into the AF-Q



IP packet marking between SP and Enterprise Edge are recommended as follows:

• SIP Signaling Message: Diffserv PHB CS5 DSCP Value 40

• RTP Media: Diffserv PHB EF DSCP Value 46

• WAN Network Outage Survivability, in case of IP WAN Network Failure all sites must maintain capability to make calls through PSTN




Legacy Managed Services N/A




Data Plane














Control Plane Partner must demonstrate the following capabilities have been implemented to protect the control plane on each device:


• Control Plane Policing (CPP)— provides QoS control for the packets destined to the control plane of the device. Ensures adequate bandwidth reserved for high priority traffic such as routing protocols



Partner must





IP Trunking architecture must support Transport Layer Security Protocol


IP Trunking architecture must have capability to reject non-TLS Traffic if desired


IP Trunking architecture must support MD5 Message Digest Algorithm


IP Trunking architecture must Support IPSec protocol


IP Trunking architecture must support the WWW-Authenticate header with “Digest” Authentication as specified in RFC-3261


IP Trunking architecture must support the HTTP authentication as specified in RFC-3261


Management Plane


• CPU and memory thresholding—protects CPU and memory resources of IOS devices against DDoS attacks








Data Plane








Control Plane Routing protection—MD5 neighbor authentication protects routing domains from spoofing attacks



Management Plane

The Service Elements of IP Trunking Architecture must be hardened against DOS attacks and secured appropriately to counter unauthorized access


IP Trunking architecture must support Transport Layer Security Protocol





N/A

Options for Site Network Resiliency Cisco Powered Managed Services Requirement Auditor Instructions (What to Look for)

If leased lines are delivered over a SONET/SDH infrastructure, protection must be offered for the circuit

Marketing Service Description (MSD) must include this as an option, or Partner must demonstrate service designs that have incorporated this feature



Ability to dual home the CPE into 2 separate nodes in the aggregation network

As above, MSD should include this option or Partner must demonstrate use of it in network designs










N/A





















N/A





• Asset Report


• Trend Report




Secure Web portal to communicate current status and performance, including specific reports available online as agreed with the customer.






VPN Service Reports distributed on a regular schedule agreed with the customer





N/A







• Network health



• Summary reports





Partner must demonstrate the capability to proactively inform the customer on key issues that affect the ability for the service to meet agreed performance levels



N/A



Router

Architecture and Technical Attributes Cisco Powered Managed Services N/A Strategic Managed Services N/A Legacy Managed Services Requirement Auditor Instructions (What to Look for)

Regular backups of router configuration Demonstrated process to ensure timely backup of configurations and ability to restore saved configurations if required

Software patch management Demonstrated support for proactive software patch management to help ensure the Managed Router has the correct service level



N/A


N/A








N/A


N/A



Service is proactively monitored by the Network Operations Center and customer is notified of any disruption to service levels

Network operations procedures verified to include proactive monitoring of the CPE, constant access to remote devices, alarm management to start working on problems without direct customer intervention



IPSec VPN

Architecture and Technical Attributes Cisco Powered Managed Services N/A Strategic Managed Services Requirement Auditor Instructions (What to Look for)

Partner must offer DES, 3DES and AES (where permitted) encryption for IPSec


Partner must offer managed Firewall service Generally part of the Marketing Service Description (MSD); other service description may also be acceptable


N/A



N/A



Control Plane




Management Plane




N/A



N/A



Remote Access Service Accessibility: Must offer an SLA for successful remote access connections to the Gateway

Partner must provide actual SLA offering Remote Access Service Accessibility




N/A





N/A



Service Reports distributed on a regular schedule agreed with the customer



N/A



LAN


Solution design architected to meet customer requirements for levels of service performance

Demonstrated ability to translate customer business needs to network design. Staff training program to ensure up to date knowledge of latest solution capabilities

Software patch management Demonstrated support for proactive software patch management to help ensure the LAN equipment has the correct service level

Device-Level Security Cisco Powered Managed Services N/A Strategic Managed Services N/A Legacy Managed Services Requirement Auditor Instructions (What to Look for)


Partner must demonstrate procedures to prevent unauthorized management access to devices



N/A


N/A










N/A


N/A




Network operations procedures verified, including proactive monitoring of the CPE, constant access to remote devices, alarm management to start working on problems without direct customer intervention



Frame Relay/ATM


Regular backups of router configuration Demonstrated process to ensure timely backup of configurations and ability to restore saved configurations if required

Software patch management Demonstrated support for proactive software patch management to help ensure the LAN equipment has the correct service level



N/A


N/A








N/A


N/A




Partner must be able to demonstrate the ability to proactively monitor the CPE in accordance to the basic rules of the program



Managed Security






















• • •




Firewall


Support for Authentication, Authorization and Accounting features

Partner must demonstrate the use of User authentication servers such as RADIUS, TACACS, SDI, NT, LDAP, Local, Kerberos/Active Directory

Ability to fall back to local user database when external AAA is down

Partner must demonstrate the ability to support this function

Stateful, stateless failover in transparent and routed mode, active/active, and active/passive States

Generally part of the Technical Service Description (MSD); other service description may also be acceptable

Support of voice media failover Generally part of the Technical Service Description (MSD); other service description may also be acceptable

Stateful failover protocols including TCP, UDP, ESP, IKE, GRE, and IPSec (pre-shared only)


Access control based on Layer 2, Layer 3, Layer 4 and Layer 7 parameters. Layer 2 must support ether-type, source and destination IP addresses, protocols, TCP/UDP ports, and time schedule


Multiple context of firewall Generally part of the Technical Service Description (MSD); other service description may also be acceptable

Transparency of the firewall Generally part of the Technical Service Description (MSD); other service description may also be acceptable

Support of a VoIP Inspection Engine, such as H323, MGCP, SCCP, or SIP. May include MGCP version 0.1 and 1.0, Cisco Unified Call Manager 4.1, SIP RFC 2543.


QoS features, including support for traffic priority and policing and priority queuing; including committed rate conform action, burst rate and exceed action


Support for tunneling protocols, including GRE, MPLS, IP-in-IP, and IPv6


Support for multimedia applications, including Stream Works 2.0, Yahoo messenger, AOL (Chat or voice), MSN messenger (Chat or voice), MS Windows (SIP messenger)




Access lists Generally part of the Technical Service Description (MSD), or demonstrated in configurations


N/A




If the service includes Cisco IOS based Firewall services, the Partner must be able to demonstrate adherence to the policies and best practices outlined within the Cisco Network Foundation protection framework, as described at http://www.cisco.com/go/nfp Cisco Powered Managed Services Requirement Auditor Instructions (What to Look for)

Data Plane












Control Plane



• Control Plane Policing (CPP)— provides QoS control for the packets destined to the control plane of the device. Ensures adequate bandwidth reserved for high priority traffic such as routing protocols



Partner must





Management Plane











Data Plane

Partner must have clearly defined and documented security policy covering protection of the infrastructure from security attacks

Security policy covering protection of infrastructure from security attacks

Access Control lists—protect devices from malicious traffic by explicitly permitting legitimate traffic




Control Plane




Management Plane


Partner must have security procedure in place. Can use features such as—Secure shell only access (SSH), VTY access control list, Cisco IOS software login enhancements, SNMP V3, TACACS+.


N/A


Implementation of technology that enables network wide resiliency for IP networks, as described at http://www.cisco.com/ en/US/partner/products/ps6550/products_ios_technology_home.html




Design processes that incorporate customer requirements for service resiliency








N/A








Mean Time to Fix/Repair (MTTR): May vary according to customer needs; must be in 4 hours or less in 95% of cases

Partner must provide actual SLA offering MTTR in 4 hours or less in 95% of cases

Turnaround Time for Customer-Initiated Changes: Must be with 24 hours for standard changes

Partner must provide actual SLA offering Turnaround Time for Customer-Initiated Changes within 24 hours

Incident Handling Alerting Mode and Response Time (via mail, pager, mobile): Customer alerting and recommendations must be offered 24x7

Partner must provide actual SLA offering Incident Handling Altering and Response 24x7

Change Request for Rules: Priority rules must be changed within 30 minutes; all others within 4 hours

Partner must provide actual SLA offering Rules Changes within 30 minutes for priority rules and all others within 4 hours

Event Log Retention: Must be retained for at least 3 months

Partner must provide actual SLA offering Event Log Retention for at least 3 months

Notification of Security Update and Bug Fixes: Must offer an SLA for Notification of Security Update and Bug Fixes

Partner must provide actual SLA offering Notification of Security Updates and Bug Fixes




Partner must provide actual SLA offering MTTR

Service Availability: Must offer an SLA for Service Availability

Partner must provide actual SLA offering Service Availability


N/A





• Asset Report


• Trend Report






Incident Management Reports:

• Monitoring and management of faults

• Monitoring and management of security incidents

• Automated blocking, shunning, and TCP Reset

• Manual shunning/update of access control

• Manual port configuration













• Monitoring report

• Usage report





N/A



IDS/IPS


Deploy as IDS or IPS. Service must have the ability to deploy the sensor in several modes: monitor-only, fully-managed service, promiscuous mode—listen only and alarm, inline—bump in line with drop/alarm, signature updates, customization and tuning.


Intrusion detection is supported. Intrusion monitoring is supported, including event correlation/alarm filtering, classification and customization. Monitoring must include log trending with analysis.


Support of voice media failover Generally part of the Technical Service Description (MSD); other service description may also be acceptable

Support of the following detection methodologies:

• Simple Pattern Matching: Looking for a fixed sequence of bytes in a single packet; can be associated with a specific service

• Stateful Pattern Matching: Matches are made in context within the state of stream.


Dynamically deploy signatures and/or ACLs to respond to new attacks. The IDS/IPS must be able to be configured to check for signature updates and push them to the sensors in the network. New signatures must be able to be added to the existing policies on the mitigation devices.


Recognize new outbreaks and deploy threat specific ACL within 60 minutes, and new signature within 90 minutes. Intrusion Prevention Service must be capable of deploying outbreak prevention policies on mitigation devices.


Support for signatures for evaluation of VoIP (H323 and H225) traffic, including:

• Ensuring protocol compliance for call setup messages

• Protecting against attacks on voice gateways

• Preventing excess memory allocation through detection of ULR overflow


Support for tunneling protocols, including GRE, MPLS, IP-in-IP, and IPv6




An automatically scheduled mechanism to update signature files. The user has 3 choices in IPS MC 2.2 when dealing with signature updates:

• Check only: Allows the IPS MC to check for new updates and notify the user

• Check and download: Checks for new signature updates



Deploy as IDS or IPS. Service must have the ability to deploy the sensor in several modes: monitor-only, fully-managed service, promiscuous mode—listen only and alarm, inline—bump in line with drop/alarm, signature updates, customization and tuning.


Intrusion monitoring is supported, including event correlation/alarm filtering and classification. Monitoring must include log trending with basic analysis.


Support of the following detection methodologies:

• Simple Pattern Matching: Looking for a fixed sequence of bytes in a single packet; can be associated with a specific service

• Stateful Pattern Matching: Matches are made in context within the state of stream.


Dynamically deploy signatures to respond to new attacks. The IDS/IPS must able to be configured to check for signature updates and push them to the sensors in the network.


Recognize new outbreaks and deploy threat specific ACL within 60 minutes, and new signature within 90 minutes. Intrusion Prevention Service must be capable of deploying outbreak prevention policies on mitigation devices.


Access lists Generally part of the Technical Service Description (MSD); other service description may also be acceptable





If the service includes Cisco IOS based Firewall services, the Partner must be able to demonstrate adherence to the policies and best practices outlined within the Cisco Network Foundation protection framework, as described at http://www.cisco.com/go/nfp Cisco Powered Managed Services


Data Plane








Control Plane



• Control Plane Policing (CPP)—provides QoS control for the packets destined to the control plane of the device. Ensures adequate bandwidth reserved for high priority traffic such as routing protocols.



Partner must





Management Plane











Data Plane





Control Plane




Management Plane




N/A











Demonstration of Design process in place to ensure target network availability can be met. Should include reference to areas of availability referenced in Tier 1 (Cisco Powered) requirements.


N/A






Mean Time to Respond (MTTN): Must offer an SLA for MTTN

Partner must provide actual SLA offering MTTN



Real-time Intrusion Monitoring: Must be offered 24x7

Partner must provide actual SLA offering Real Time Intrusion Monitoring 24x7

Real-time Event Correlation and Interpretation: Must be offered 24x7

Partner must provide actual SLA offering Real-Time Event Correlation and Interpretation 24x7

Signature Update Response Time: Must offer an SLA for Signature Update Response Time

Partner must provide actual SLA offering Signature Update Response Time

Solution Performance: Must offer an SLA for Solution Performance, based on throughput, connection rate, resource guarantees

Partner must provide actual SLA offering Solution Performance

Turnaround Time for Customer-Initiated Changes: Must offer an SLA for Turnaround Time for Customer-Initiated Changes

Partner must provide actual SLA offering Turnaround Time for Customer-Initiated Changes

Incident Handling Alerting Mode and Response Time (via mail, pager, mobile): Customer alerting and recommendations must be offered 24x7

Partner must provide actual SLA offering Incident Handling Alert Mode and Response Time 24x7





Service Availability: Must offer an SLA for Service Availability

Partner must provide actual SLA offering Service Availability


N/A





• Asset Report


• Trend Report






Incident Management Reports:

• Monitoring and management of faults

• Monitoring and management of security incidents

• Automated blocking, shunning, and TCP Reset

• Manual shunning/update of access control



Demonstration of portal from customer viewpoint, including real-time view of connectivity and status of individual VPN. Mechanisms may include password protection or similar restrictions to access the online Web portal for downloading reports.


Service reports distributed on a regular schedule agreed with the customer


Legacy Managed Services N/A Service Level Management: CIO Dashboard




• Attack data


• Total attack status

• List of attacks

• Monitoring reports

Demonstration of Web portal from customer perspective demonstrating real time views, optional and service summary




N/A



Secure Router


Hardware based encryption for VPN Must offer a service that utilizes this capability of the ISR if performance requirements demand it

Must support software load appropriate for security features

Software loads include advanced security, advanced IP services and advanced enterprise feature sets. Referred to as K-9

Support for Voice media encryption Uses Secure Real-Time Transport Protocol (SRTP)

Support for dedicated hardware for IDS and content security

The 2800 and 3800 support an IDS network module and a content engine network module for increased performance. These modules must be available as a design option.

Support for firewalls Ability to support firewalls


N/A


If the service includes Cisco IOS based Firewall services, the Partner must be able to demonstrate adherence to the policies and best practices outlined within the Cisco Network Foundation protection framework, as described at http://www.cisco.com/go/nfp Cisco Powered Managed Services N/A



Data Plane




Infrastructure ACLs are applied to the network core.



Control Plane




Management Plane




N/A





N/A



Mean Time to Respond (MTTN): Must provide 24 hour response time

Partner must provide actual SLA offering MTTN of 24 hours




N/A



N/A






N/A



Managed Unified Communications






















• • •




Business Communications


Integrated soft phone support, allowing customer to be able to use a soft phone as part of the service


Support for phones that allow integrated video calls


A Unified Messaging service that supports e-mail, voice and fax delivered to one inbox


Emergency number support solution that offers diverse paths for emergency calls to help ensure the user will be successfully routed


Mobility feature that provides the customer the ability to log on to any IP phone as their customized extension.


Options for localized or central voicemail support


Voicemail access in different formats and not tied to a specific phone. This may include the ability to receive voicemail via e-mail or a PC account.


Automatic Call Distributor (ACD) support features, including Auto Attendant and Call Queuing


Support for voice signaling protocols, including H323 and SIP based wide-area networking


Clear migration plan capability that allows the customer to move to the new service while interoperating with the existing service




Emergency number support solution that offers diverse paths for emergency calls to help ensure the user will be successfully routed


Options for localized or central voicemail support


Automatic Call Distributor (ACD) support features, including Auto Attendant and Call Queuing


Support for voice signaling protocols, including H323 and SIP based wide-area networking


Clear migration plan capability that allows the customer to move to the new service while interoperating with the existing service





Quality of Service Cisco Powered Managed Services Requirement Auditor Instructions (What to Look for)

Support for at least two VLANs at access layer, including a native VLAN for data traffic and a Voice VLAN


Pre-classification of traffic into appropriate classes before CPE egress


Priority queuing of RTP voice packet streams into multiple egress queues


Ability for voice and video traffic that traverse the WAN to run over a QoS-enabled infrastructure


Ability for service to support call admission control as an option




Support for at least two VLANs at access layer, including a native VLAN for data traffic and a Voice VLAN


Pre-classification of traffic into appropriate classes before CPE egress


Priority queuing of RTP voice packet streams into multiple egress queues.



N/A



Device-Level Security Cisco Powered Managed Services Requirement Auditor Instructions (What to Look for)

Support of device authentication Demonstrated in Technical Service Description (TSD) or other available document

Support of signaling and media encryption Demonstrated in Technical Service Description (TSD) or other available document



Support of device authentication Demonstrated in Technical Service Description (TSD) or other available document

Support of signaling and media encryption Demonstrated in Technical Service Description (TSD) or other available document


N/A


Gate Keeper redundancy Demonstrated in Technical Service Description (TSD) or other available document

Redundancy for key services, including TFTP, DNS, DHCP, LDAP and IP Phone Services


Redundant media resources, including conference bridges and music on hold


Redundant voicemail servers Demonstrated in Technical Service Description (TSD) or other available document

Redundant media gateways that provide integration with PSTN and legacy services


Hot standby routing protocol (HSRP) at the distribution layer routers


Either 1:1 or 1:2 redundancies for call processing servers


Ability for remote site to continue to support voice calls in the event of a WAN outage, using survivable remote site telephony (SRST)


For Cisco Unified CallManager solutions only: Supports for clustering of call control servers for scale and redundancy




Redundancy for key services, including TFTP, DNS, DHCP, LDAP and IP Phone Services


Ability for remote site to continue to support voice calls in the event of a WAN outage, using survivable remote site telephony (SRST)



N/A










User Addition to Service: Commitment must be at least 50 per day with 3 days notice.

Partner must provide actual SLA offering User Addition to Service at the rate of at least 50 per day with 3 days notice. This requirement does not apply if customer manages the end devices themselves (no restrictions on user additions).

Existing User Changes: Must offer an SLA for Exciting User Changes

Partner must provide actual SLA offering Existing User Changes for a pre-defined number of users per day, with an agreed notice period. This requirement does not apply if customer manages the end devices themselves (no restrictions on user changes).

Packet Loss Ratio: Guarantee of 1% or less packet loss for these classes of service


User Availability: Must offer an SLA for User Availability

Partner must provide actual SLA offering User Availability, e.g., >99% availability if all aspects of the service delivery are under the control of the Managed Service Provider



Partner must offer an SLA, specific requirements not defined by Cisco

Partner must provide actual SLA with specific requirements


N/A





• Asset Report


• Trend Report












• Asset Report


• Trend Report











• Network health



• Summary reports



Summary reports, extracted from detailed reports above, providing key information about the performance of the service. Made available to the customer on an agreed schedule.

Examples of summary reports



Partner must demonstrate the capability to proactively inform the customer on key issues that effect the ability for the service to meet agreed performance levels



N/A



Unified Contact Center (Managed)


Support for intelligent routing of calls using defined business logic. Redirection of the call must not cause the loss of any data collected during interaction with the customer.

Review Call Center procedures, as applicable. Verify data flow in lab or at an existing installation. (Name, account number, status or equivalent)

Routing of calls based on specific customer profiles

Review Call Center procedures, as applicable

Handling of bulk e-mail interactions. Supported via the Cisco e-mail manager option.


Service deployments of <10 Agents and scaling up to >1,000 Agents

Review Call Center procedures, as applicable. Verify 1000 agents via lab simulation or actual installation

Customer instance created for each customer that requires full admin control


Network Level IP Call Switching Control Review network diagram for Cisco NAM/CICM servers

Network Level Call Routing (ACD) and Treatment Capability (IVR)

Review network diagram for Cisco Customer Voice Portal (CVP)

Support of both IP- and TDM-based Contact Centers

Review procedures to integrate with legacy TDM

Hosted Call Processing Review network diagram for Cisco NAM/CICM servers

Real time and historical reporting of the system Review actual reports of lab or installation. Show ability to access hypothetical records going back two years.

Support of Emergency Calls Review support of emergency calls. If the SP/SI geography makes this not relevant, this item may be skipped

All servers running antivirus application with latest virus definition files

Review procedures to ensure anti-virus updates are done in a reasonable period of time. Compatible antivirus listed at Cisco Intelligent Contact Management (ICM) Bill of Materials available on cisco.com.

Management portals for customers for daily activities

Review the actual portal (not a network diagram). Verify usability for, at a minimum, a medium complex call routing, including five types of skills and links to appropriate reporting. Show support for remote office and home based workers.

Agent and supervisor controls plus CTI screen pop capabilities. CTI OS servers can be shared by multiple customers.

Witness the CTI screen pops in a lab or installation. Verify the ability to customize the screen pops per customer.

Allowance for presentation of any caller data to the agent (CTI)

Verify the presentation of caller data (at a minimum Name, account number, reason for calling) via CTI

Integrated Web collaboration tools as part of the customer interaction

Verify the use of Web collaboration tools

Multichannel skills-based routing, manages agent and tasks states across all media types and controls call queuing

Verify in lab or installation at least five defined skill categories for skill based routing and observe them in lab or installation. Verify routing of contact via both voice and email.

Call re-routing based on Wait Time Verify, in lab or installation re-routing based on wait time. Examine a test or actual wait time flow for usability. Ensure that the call flow makes maximum use of customer resources (minimize agent down time to an acceptable level).

Individual Subscriber System Management and Reporting Tools from browser based to full admin workstation

Verify, in lab or installation



Report templates with multi-media statistics, including measuring of service level across all media types

Review reports and verify service levels. Ensure that the following information is easily accessed from the reports:

• Agent productivity

• Caller wait time (minimum, maximum, average)

• Efficient use of network (percentage of traffic that stays on net verses PSTN

Integrated reporting across all media for IPCC and TDM customers

Verify integrated reporting

Integration of Cisco Unified Customer Voice Portal (CVP)

Verify use of CVP and demonstrate VXML call flow with at least five skill levels






Handling of bulk e-mail interactions. Supported via the Cisco e-mail manager option



Review Call Center procedures, as applicable. Verify 1000 agents via lab simulation or actual installation.








Support for both IP- and TDM-based Contact Centers




Support of Emergency Calls Show support of emergency calls. If the SP/SI geography makes this not relevant, this item may be skipped.


Show procedure to update anti virus in a reasonable period of time. Compatible antivirus listed at Cisco Intelligent Contact Management (ICM) Bill of Materials available on cisco.com.

Management portals for Customers for daily activities

Review the actual portal (not a network diagram). Verify usability for, at a minimum, a medium complex call routing, including five types of skills and links to appropriate reporting.









Intelligent queuing of customer interactions to maximize productivity of the agent. Examples include:

• Allowing an agent handling text sessions to accept additional text sessions

• Allowing an agent dealing with e-mail queries to accept priority voice calls

Verify requirement in lab or installation

Use of Remote agents. Requires QoS across the Multiservice WAN to provide the remote agent the same capabilities regardless of location.

Verify network diagram. Verify QoS to a level that will allow remote agents to work seamlessly. Latency between ICM Central Controllers and remote PGs cannot exceed 200 ms one way (400 ms round-trip).

Performance monitoring of remote agents Use of the Microsoft Windows Performance Monitor (PerfMon) or something similar to track performance of remote agents








N/A


Support for Firewall services Verify network design

Support for Intrusion detection services Verify network design





N/A


Support for real-time application failover Verify network design

Resiliency options for managing hardware component failures

Verify network design



Offer resiliency options for managing network failures










N/A







Partner must be able to offer a MTTR for high priority issues of 2 hours. Verify procedures. Upon recertification, review records or logbook.

Agent Availability: Must offer an SLA for User Availability







Partner must provide actual SLA offering MTTN for high priority issues of 4 hours


N/A







• Asset Report


• Trend Report











• Asset Report


• Trend Report







N/A





• Agent Status: High level status indicator for each agent and call information

• Agent Communications

• Three Way Conference

• Agent Status: Ability to change an Agent status remotely














N/A



Unified Contact Center (Hosted)















Support of both IP- and TDM-based Contact Centers




Support of Emergency Calls Review support of emergency calls. If the SP/SI geography makes this not relevant, this item may be skipped.


Review procedures to ensure anti-virus updates are done in a reasonable period of time. Compatible antivirus listed at Cisco Intelligent Contact Management (ICM) Bill of Materials available on cisco.com.

Management portals for customers for daily activities

Review the actual portal (not a network diagram). Verify usability for, at a minimum, a medium complex call routing, including five types of skills and links to appropriate reporting. Show support for remote office and home based workers.





Integrated Web collaboration tools as part of the customer interaction

Verify the use of Web collaboration tools



Call re-routing based on Wait Time Verify, in lab or installation re-routing based on wait time. Examine a test or actual wait time flow for usability. Ensure that the call flow makes maximum use of customer resources (minimize agent down time to an acceptable level).

Individual Subscriber System Management and Reporting Tools from browser based to full admin workstation

Verify, in lab or installation



Report templates with multi-media statistics, including measuring of service level across all media types

Review reports and verify service levels. Ensure that the following information is easily accessed from the reports:

• Agent productivity

• Caller wait time (minimum, maximum, average)

• Efficient use of network (percentage of traffic that stays on net verses PSTN

Integrated reporting across all media for IPCC and TDM customers

Verify integrated reporting

Integration of Cisco Unified Customer Voice Portal (CVP)

Verify use of CVP and demonstrate VXML call flow with at least five skill levels

















Support for both IP- and TDM-based Contact Centers




Support of Emergency Calls Show support of emergency calls. If the SP/SI geography makes this not relevant, this item may be skipped.


Show procedure to update anti virus in a reasonable period of time. Compatible antivirus listed at Cisco Intelligent Contact Management (ICM) Bill of Materials available on cisco.com.

Management portals for Customers for daily activities

Review the actual portal (not a network diagram). Verify usability for, at a minimum, a medium complex call routing, including five types of skills and links to appropriate reporting













Use of Remote agents. Requires QoS across the Multiservice WAN to provide the remote agent the same capabilities regardless of location.

Verify network diagram. Verify QoS to a level that will allow remote agents to work seamlessly. Latency between ICM Central Controllers and remote PGs cannot exceed 200 ms one way (400 ms round-trip).

Performance monitoring of remote agents Use of the Microsoft Windows Performance Monitor (PerfMon) or something similar to track performance of remote agents








N/A



Support for Intrusion detection services Verify network design





N/A

















N/A







Partner must be able to offer a MTTR for high priority issues of 2 hours. Verify procedures. Upon recertification, review records or logbook.

Agent Availability: Must offer an SLA for User Availability







Partner must provide actual SLA offering MTTN for high priority issues of 4 hours


N/A







• Asset Report


• Trend Report











• Asset Report


• Trend Report







N/A






















N/A



Hosted Unified Communications




The Service Provider architecture for Hosted Voice Service has to be in compliance with Cisco Validated architectures and best practices.

Auditors validate the Service Provider Hosted Voice Service Architecture with the Cisco Hosted/Managed—Unified Communications Services Customer Requirements Document.

The Partner’s Hosted Voice Service must support the Multi Tenant capability with Overlapping number support

Auditor validate the Partners voice service capability support to Multi tenant from the Service Provider’s Marketing Service Description document.

The Partner’s Hosted Voice Service must deploy Cisco Unified Communication Manager for Voice Call Processing

Auditor validate the partners voice Service architecture document to show only Cisco Unified Communication Manager being used for Call Processing

The Hosted Voice Service must support the capability to support both Intra and Inter Customer calls

Auditor validate the Partner’s Hosted Voice Service Marketing Service Document to state it states both Inter and Intra Customer voice calls

The Hosted Voice Service must support high availability at the remote locations

Auditor interview the Hosted Voice Service Product Manager to validate the high availability of the remote locations are supported using SRST features on the Cisco Customer Edge Router.

The Hosted Voice Service must support the capability for SS7 and PRI for PSTN Access

Auditor validate from Technical Service Description or interview the Hosted Voice Service Product Manager, to verify the Partner hosted service support SS7 and PRI for PSTN access.

The Hosted Voice Service must support the capability for QSIG, DPNSS and H.323

Auditor validate from Technical Service Description or interview the Hosted Voice Service Product Manager, to verify the Partner hosted service support QSIG, DPNSS and H.323

The Hosted Voice Service must support the capability for Local Number Portability

Auditor validate from Technical Service Description or interview the Hosted Voice Service Product Manager, to verify the support for Local Number Portability

The Hosted Voice Service must support the capability for Emergency Services

Auditor validate from Marketing Service Description or interview the Hosted Voice Service Product Manager, to verify the support for Emergency Services.

The Hosted Voice Service must deploy Cisco PGW product for PSTN access, no other product can be used

Auditor validate from Hosted Voice Service Architecture or interview the Hosted Voice Service Product Manager, to verify only Cisco PGW product is being used for PSTN access.

The Hosted Voice Service must deploy Cisco Unity and/or IP Unity products for voice mail. The Hosted Voice Service must support the Voice mail capability

Auditor validate from Hosted Voice Service Architecture or interview the Hosted Voice Service Product Manager, to verify only Cisco Unity (for single tenant) or IP Unity (multi-tenant) product is being used for voice mail or unified messaging.

The Partner must perform the end customer’s LAN assessment to ensure the readiness of the LAN network to support the bandwidth and QoS required for VoIP.

Auditor must interview the Hosted Voice Service Product Manager to ensure a best practice for assessment of end customer’s LAN is in place.

The Partner Hosted Voice Service must support for Multilevel provisioning and tenant self-provisioning as a feature of the service

Auditor must interview the Hosted Voice Service Product Manager to ensure that Partner has deployed the Vision OSS network management system to manage and provision the Hosted Voice Service.

The Partner Hosted Voice Service must support the capability for Directory Service

Auditor must validate the Marketing Service Description document to validate that Hosted Voice Service support the Directory Services

The Partner Hosted Voice Service must support the capability for Extension mobility for end users

Auditor must validate the Marketing Service Description document to validate that Hosted Voice Service support the Mobility for end users

The Partner Hosted Voice Service must be transported on the Layer 3 capable network

Auditor must interview the Hosted Voice Service Product Manager to ensure that Partner’s Hosted Voice Service is transported over the Layer 3 capable network



The Partner’s Hosted Voice service network must have No VLAN or broadcast domain provisioned to traverse the core of the network.

Auditor must interview the Hosted Voice Service Product Manager to ensure that Hosted Voice service network must have No VLAN or broadcast domain provisioned to traverse the core of the network

The Partner’s Hosted Voice Service network must support distribution layer network high availability using Hot Standby Redundancy Protocol (HSRP) or Virtual Redundancy Router Protocol (VRRP)

Auditor must interview the Hosted Voice Service Product Manager to ensure that Hosted Voice service distribution layer network must deploy HSRP or VRRP protocols.




The Service Provider architecture for Hosted Voice Service has to be in compliance with Cisco Validated architectures and best practices.

Auditors validate the Service Provider Hosted Voice Service Architecture with the Cisco Hosted/Managed—Unified Communications Services Customer Requirements Document.

The Partner’s Hosted Voice Service must support the Multi Tenant capability with Overlapping number support

Auditor validate the Partners voice service capability support to multi-tenant from the Service Provider’s Marketing Service Description document.

The Partner’s Hosted Voice Service must deploy Cisco Unified Communication Manager for Voice Call Processing

Auditor validate the partners voice Service architecture document to show only Cisco Unified Communication Manager being used for Call Processing

The Hosted Voice Service must support the an ability to support both Intra and Inter Customer calls

Auditor validate the Partner’s Hosted Voice Service Marketing Service Document to state it states both Inter and Intra Customer voice calls

The Hosted Voice Service must support the capability for Emergency Services

Auditor validate from Marketing Service Description or interview the Hosted Voice Service Product Manager, to verify the support for Emergency Services.

The Hosted Voice Service must deploy Cisco PGW product for PSTN access, no other product can be used

Auditor validate from Hosted Voice Service Architecture or interview the Hosted Voice Service Product Manager, to verify only Cisco PGW product is being used for PSTN access.

The Hosted Voice Service must deploy Cisco Unity and/or IP Unity products for voice mail. The Hosted Voice Service must support the Voice mail capability

Auditor validate from Hosted Voice Service Architecture or interview the Hosted Voice Service Product Manager, to verify only Cisco Unity (for single tenant) or IP Unity (multi-tenant) product is being used for voice mail or unified messaging.

The Partner Hosted Voice Service must support for Multilevel provisioning and tenant self-provisioning as a feature of the service

Auditor must interview the Hosted Voice Service Product Manager to ensure that Partner has deployed the Vision OSS network management system to manage and provision the Hosted Voice Service.

The Partner Hosted Voice Service must support the capability for Directory Service

Auditor must validate the Marketing Service Description document to validate that Hosted Voice Service support the Directory Services

The Partner Hosted Voice Service must support the capability for Extension mobility for end users

Auditor must validate the Marketing Service Description document to validate that Hosted Voice Service support the Mobility for end users

The Partner Hosted Voice Service must be transported on the Layer 3 capable network

Auditor must interview the Hosted Voice Service Product Manager to ensure that Partner’s Hosted Voice Service is transported over the Layer 3 capable network



Managed Mobile Communications






















• • •




Wireless LAN

Service Requirements


N/A


To qualify as a Strategic Managed service, the Managed Wireless LAN service must be sold as part of a Cisco based managed LAN infrastructure service


N/A


Must offer Guest services Service design must include procedures to set up and provide ongoing self-management of Guest access

Must support Voice services Service design must incorporate ability to support wireless VoIP service


N/A

Device-Level Security Cisco Powered Managed Services N/A Strategic Managed Services Requirement Auditor Instructions (What to Look for)

Data Plane







Control Plane






Management Plane




Infrastructure Protection

Integrated security policy for Wireless LAN service—see http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/netbr09186a00801f7d0b.html Cisco Powered Managed Services

N/A



Wireless link encryption—All wireless traffic must be encrypted between the client and the access point to ensure information integrity

Can use any of a variety of mechanisms, e.g., WEP, EAP/LEAP, WPA/2

Support for user and device authentication Implemented using Cisco secure services client

Implemented operational and policy control framework

Partner must demonstrate the use of a framework for management of the wireless service. This will typically include asset tracking, NAC policies, segmentation (guest access) and the use of management tools such as Cisco MARS.

Implemented threat mitigation process This will typically include policies for features such as rogue access point detection, IDS/IPS policies for wireless users, and DOS attack management


N/A


Implementation of technology that enables network wide resiliency for IP networks, as described at http://www.cisco.com/ en/US/partner/products/ps6550/products_ios_technology_home.html


N/A






N/A





N/A










N/A



N/A



WLAN Service Reports distributed on a regular schedule agreed with the customer



N/A



Managed Data Center






















• • •




WaaS

Supported Features: Cisco Powered Managed Services Requirement Auditor Instructions (What to Look for)

The Provider must offer a “WAN Optimization” type service(s) based on technologies enabled by WAAS Transport license. The WAAS Transport license includes Data Redundancy Elimination (DRE), Persistent LZ Compression (PLZ), Transport (TCP) Flow Optimization (TFO), and Application Traffic Policy (ATP).

Verify WAAS Transport licenses are enabled as a minimum on all WAEs supporting a “WAN Optimization” type service offer by the Provider.

The Provider must offer an “Application Acceleration” type service(s) specifically for one or more applications that are outlined in the categories below, as enabled by the WAAS Enterprise license. The offered service may additionally be accompanied by the appropriate related server consolidation (the migration of servers to the centralized data center as enabled by WAAS). – File Services: CIFS acceleration (Windows), file Pre-Positioning – Print Services (for Windows) – Email: Microsoft Exchange, Internet Mail, Lotus Notes – Web & Collaboration: HTTP, WebDAV, FTP, Microsoft Sharepoint – Software Distribution: Microsoft SMS, Altiris, HP Radia – Enterprise Applications: Microsoft SQL, Oracle, SAP, Lotus Notes – Backup Applications: Microsoft NT Backup, Legato Networker, Veritas Netbackup, CommVault Galaxy – Data Replication: EMC SRDF/A, EMC IP Replicator, NetApp SnapMirror, Data Domain, Double-Take, Veritas Vol Replicator

Verify WAAS Enterprise licenses are enabled as a minimum on all WAEs supporting an “Application Acceleration” type service offer by the Provider. Verify if the service is accompanied by its appropriate related server consolidation (optional).

If the Provider offers greater application networking solutions to complement a managed WAAS service then they are entitled to the same product discount on the following Cisco product families: ACE XML Gateway, ACE Global Services Switch (or Global Site Selector) GSS, Application Velocity System (AVS), Application Networking Manager (ANM), Content Switching Module (CSM), ASA 5500 Series Adaptive Security Appliances, PIX 500 Series Security Appliances, VPN 3000 Series Products, Cisco Secure Access Control Server

Verify if Provider is offering greater application networking services to complement their managed WAAS offerings.

Each WAAS remote branch site must be deployed in one of the following configurations: 1) Integrated router WAE network module running in network integrated off-path

intercept mode with WCCPv2 protocol 2) WAE appliance running in network integrated off-path intercept mode with

WCCPv2 protocol 3) WAE appliance running in simple transparent in-line mode

Verify each branch site is deployed in one of the three configurations stated. However, all sites combined can be deployed in any combination of the three configurations.

The WAAS headend site, which is pairing with each remote site, must be deployed in one of the following configurations: 1) WAE appliance running in network integrated off-path intercept mode with

WCCPv2 protocol 2) WAE appliance running in network integrated intercept mode with ACE

(Application Control Engine) series. ACE can be deployed on either a blade integrated into a switch/router or as a standalone appliance.

Verify headend is deployed in one of two configurations stated.

WAAS Headend sites must be deployed in a high-availability redundant configuration, meaning a cluster must exist with two or more WAEs using either of the following configurations: 1) Network integrated off-path intercept mode with WCCPv2 protocol

With WCCPv2 intercept, active/active clustering supports up to 32 WAEs and 32 routers with automatic load-balancing, load redistribution, fail-over, and fail-through operation.

2) Network integrated intercept mode with ACE (Application Control Engine) series ACE can be deployed on either a blade integrated into a switch/router or as a standalone appliance. ACE is recommended for the most demanding headend environments and can scale to support hundreds of WAEs in numerous clusters and also provide automatic load-balancing, load redistribution, fail-over, and fail through operation.

Validate headend is deployed in a cluster configuration of two or more WAEs running in WCCPv2 mode or with ACE network integration.



The Provider must offer a high-availability redundant WAE option for remote branch sites. Each of these remote branch sites must be deployed in either of the following configurations: 1) Two or more WAE appliances in a cluster running in network integrated

off-path intercept mode with WCCPv2 2) Two or more WAE appliances running transparent serial in-line clustering

Verify the Provider offers or has customers on a high-availability redundant deployment option for remote branch sites. Verify these remote sites conform to the two options as outlined.

Disk encryption for data at rest must be deployed for all headend and remote WAEs, using FIPS 140-2 level 2 compliant 256-bit AES disk encryption with automatic and centralized key management.

Verify Provider requires WAAS service to have all WAEs running disk encryption as outlined. Verify all deployments have required Enterprise license and are running WAAS 4.0 or greater software.

Provider must offer complete stateful firewall inspection and network virus scanning for all accelerated traffic, and integrate seamlessly and transparently into network security, visibility, and control functions. It must not break security practices of tunneling through and opening application ports in firewalls.

Verify Provider offers or has customers running stateful firewall inspection and network virus scanning services, and that they are not violating security practices of tunneling through or opening ports in firewalls.


The Provider must offer a "WAN Optimization" type service(s) based on technologies enabled by WAAS Transport license. The WAAS Transport license includes Data Redundancy Elimination (DRE), Persistent LZ Compression (PLZ), Transport (TCP) Flow Optimization (TFO), and Application Traffic Policy (ATP).

Verify WAAS Transport licenses are enabled as a minimum on all WAEs supporting a "WAN Optimization" service offer by the Provider.

Each WAAS remote branch site must be deployed in one of the following configurations: 1) Integrated router WAE network module running in network integrated off-path

intercept mode with WCCPv2 protocol 2) WAE appliance running in network integrated off-path intercept mode with

WCCPv2 protocol 3) WAE appliance running in simple transparent in-line mode

Verify each branch site is deployed in one of the three configurations stated. However, all sites combined can be deployed in any combination of the three configurations.

The WAAS headend site, which is pairing with each remote site, must be deployed in the following configuration: 1) WAE appliance running in network integrated off-path intercept mode with

WCCPv2 protocol

Verify headend is deployed in one of two configurations stated.

Disk encryption for data at rest must be offered for headend and remote WAEs, using FIPS 140-2 level 2 compliant 256-bit AES disk encryption with automatic and centralized key management.

Verify Provider offers or has customers running disk encryption as outlined. Verify those offers and deployments have required Enterprise license and are running WAAS 4.0 or greater software.




Service is proactively monitored 24x7 and customer is notified of any disruption to service level(s)

Verify network operations procedures include proactive monitoring of WAAS service gear and alarm management to start working fault(s) without direct customer intervention.


Verify Provider offers an actual SLA for Service Availability

Mean Time to Respond (MTTN): Must offer an SLA for MTTN Verify Provider offers an actual SLA for MTTN

Mean Time to Fix/Repair (MTTR): Must offer an SLA for MTTR Verify Provider offers an actual SLA for MTTR

Must offer WAE and ACE software upgrades: As needed, requested, and scheduled, as agreed with customer.

Verify Provider offers an actual SLA for WAE and ACE software upgrades






Verify Provider offers an actual SLA for Service Availability


Verify Provider offers an actual SLA for MTTR




Central Manager must be deployed on dedicated WAE at the headend with an option for a redundant configuration. Central Manager provides the following fuctionality: • Manages central configuration, provisioning, monitoring,

fault-management, logging, and reporting for up to 2500 WAEs within a Cisco WAAS topology.

• Comprehensive statistics: comprehensive logs, reports, graphs, and statistics for Cisco WAE device functions help IT administrators to optimize system performance and troubleshooting.

• Monitoring, reporting, and alerts. The option for a redundant configuration would provide: Active/standby deployment with automatic failover, replication of Central Manager database, and encryption keys.

Verify Central Manager(s) is deployed on dedicated WAE appliance(s) at the WAAS headend, with an option of a redundant configuration. Verify CM license(s) are enabled with WAAS 4.0 or greater software.

Service Reports distributed on a regular schedule as agreed to with the customer: – Top optimized application being used – General optimization statistics (e.g. WAN bandwidth savings) – Traffic volumes per application and per device (WAE) – Asset ReportParameter Settings Report – Trend Report – Resource Utilization Report – Configuration Report


Provider must offer a secure Web portal to communicate current status and performance, including specific reports available online as agreed with the customer.

Demonstration of portal from a customer perspective, including service status, access to reports, and password protection.

Provider may offer as an option, customer self-monitoring capability using RBAC (Roles-based Access Control) to isolate users to specific capabilities and domains of management within Central Manager.

Demonstration of customer self-monitoring capability within Central Manager, plus verify RBAC hierarchy, all as an optional service.





Central Manager must be deployed on a WAE appliance at the WAAS headend. Central Manager provides the following fuctionality: • Manages central configuration, provisioning, monitoring,

fault-management, logging, and reporting for up to 2500 WAEs within a Cisco WAAS topology.

• Comprehensive statistics: comprehensive logs, reports, graphs, and statistics for Cisco WAE device functions help IT administrators to optimize system performance and troubleshooting.

• Monitoring, reporting, and alerts

Verify Central Manager is deployed on a WAE appliance at the WAAS headend. Verify CM license are enabled with WAAS 4.0 or greater software.

Service reports available to the customer providing an overview of service performance.


Provider may offer as an option, customer self-monitoring capability using RBAC (Roles-based Access Control) to isolate users to specific capabilities and domains of management within Central Manager.

Demonstration of customer self-monitoring capability within Central Manager, plus verify RBAC hierarchy, all as an optional service.



Hosting/Co-Location


Application and/or Web type hosting: Horizontally offered across industry sectors

Identification of which customer specific application or Web/Internet service is being hosted

Server load balancing to redundant servers Demonstration of Cisco ACE technology deployed

Hot standby servers (with operating system and application loaded) when Provider hosted

Identification of types of servers that are on standby, plus verifies operating system and application load as being identical to those that are live

Server restoral from storage backup Identification of type of storage backup

Following security services offered: MSCP Managed Firewall service and MSCP Cisco IPS/IDS service

Identification of, if any, managed security services deployed in conjunction with hosting service

Connectivity Access Speeds: 1Mbps to 10Gbps Identification of network connectivity line rate method (i.e. MPLS, Ethernet, etc.)

Administrative Services: Domain Name Registration, IP Address Allocation (dynamic and static)

Documentation of registered domain names and IP address allocation plus demonstrates DHCP, NAT, etc.

Caching and Pre-positioning services offered Identification of implementation and demonstrates (via performance reports perhaps) Web applications are being accelerated


Connectivity Access Speeds: 1Mbps to 10Gbps

Identification of network connectivity line rate method (i.e. MPLS, Ethernet, etc.)

Administrative Services: Domain Name Registration, IP Address Allocation (dynamic and static)

Documentation of registered domain names and IP address allocation plus demonstrates DHCP, NAT, etc.



N/A



Network Availability Guarantee: Must offer an SLA for Network Availability

Partner must provide actual SLA offering Network Availability Guarantee

Maximum Network Latency Guarantee: Must offer an SLA for Maximum Network Latency

Partner must provide actual SLA offering Maximum Network Latency Guarantee

Packet Delivery Guarantee: Must offer an SLA for Packet Delivery

Partner must provide actual SLA offering Packet Delivery Guarantee

Server Availability (when SP Hosted) Guarantee: Must offer an SLA for Server Availability

Partner must provide actual SLA offering Server Availability Guarantee (when SP hosted)



New Server Implementation Timeline Guarantee: Must offer an SLA for New Server Timeline

Partner must provide actual SLA offering New Server Implementation Timeline Guarantee

Time to Restore Servers from Storage Guarantee: Must offer an SLA for Time to Restore Servers from Storage

Partner must provide actual SLA offering Time to Restore Servers from Storage Guarantee

Real-time Facility Monitoring: Continuous 24x7 Camera Monitoring with On-Site Security Guards, Secure Card Access

Partner must provide actual SLA offering Real-Time Facility Monitoring 24x7

Facility Accessibility: 24x7* *applies only to co-location option

Partner must provide actual SLA offering Facility Accessibility Guarantee of 24x7

Real-time Network Monitoring: Continuous 24x7 (with fault restoration)

Partner must provide actual SLA offering continuous Real-Time Network Monitoring 24x7

Real-time Server/Application Monitoring: Continuous 24x7 (with fault restoration)

Partner must provide actual SLA offering continuous Real-Time Server/ Application Monitoring

Operating Systems Updates and Patches: Scheduled

Partner must provide actual SLA offering Operating Systems Updates and Patches

UPS: 4 hours or more via battery and/or generator back-up minimal

Partner must provide actual SLA offering UPS for 4 hours or more

Controlled Environment: Including fire detection and suppression

Partner must provide actual SLA offering Controlled Environment for fire detection and suppression

Legacy Managed Services Network Availability Guarantee: Must offer an SLA for Network Availability

Partner must provide actual SLA offering Network Availability Guarantee

Packet Delivery Guarantee: Must offer an SLA for Packet Delivery

Partner must provide actual SLA offering Packet Delivery Guarantee

Real-time Facility Monitoring: Continuous 24x7 Camera Monitoring with On-Site Security Guards, Secure Card Access

Partner must provide actual SLA offering Real-Time Facility Monitoring 24x7

Facility Accessibility: 24x7* *applies only to co-location option

Partner must provide actual SLA offering Facility Accessibility Guarantee of 24x7

UPS: 4 hours or more via battery and/or generator back-up minimal

Partner must provide actual SLA offering UPS for 4 hours or more

Controlled Environment: Including fire detection and suppression

Partner must provide actual SLA offering Controlled Environment for fire detection and suppression



N/A



On-line Monitoring Tools: Available for Customer query


Real-time and historical performance reports: Available for Packet and Server performance


Monitoring and Restoral Service: Available for Network Connectivity and Server


Legacy Managed Services Monitoring and Restoral Service: Available for Network Connectivity and Server




Appendix 1: Acronyms

Acronym Definition

MPLS Multi Protocol Label Switching

MSD Marketing Service Description

TSD Technical Service Description

QoS Quality of Service

SLA Service Level Agreement

WAN Wide Area Network

LAN Local Area Network

VLAN Virtual Local Area Network

VPN Virtual Private Network

SOC Security Operations Center

NOC Network Operations Center

IDS Intrusion Detection Service

IPS Intrusion Protection Service

DoS Denial of Service

ISR Integrated Services Router

SRTP Secure Real-Time Transport Protocol

ACL Access Control List

RTBH Remote Trigger Black Hole

MEF Metro Ethernet Forum

MTTN Mean Time To Notification

MTTR Mean Time to Repair

CTI Computer Telephony Integration

TDM Time Division Multiplexing

BGP Border Gateway Protocol

OSPF Open Shortest Path First

EVC Ethernet Virtual Circuits

EAP/LEAP Extensible Authentication Protocol

PSTN Public Switched Telephone Network

WPA Wireless Protected Access

EIGRP Enhanced Interior Gateway Routing Protocol



05/08

Date post:	02-Apr-2020
Category:	Documents
Upload:	others
View:	7 times
Download:	0 times

Cisco Managed Services Portfolio: Requirements Document · This document outlines the managed...

Documents