The URL can be used to link to this page

2006-038 Addendum to BellSouth Master AgreementRESOLUTION 2006-38 A RESOLUTION OF THE VILLAGE COUNCIL OF THE VILLAGE OF NORTH PALM BEACH, FLORIDA, AUTHORIZING AND DIRECTING THE MAYOR AND VILLAGE CLERK TO ENTER INTO THE ADDENDUM TO BELLSOUTH BUSINESS SERVICES MASTER AGREEMENT #CPG-4758 WITH BELLSOUTH MNS, INC., AND BELLSOUTH TELECOMMUNICATIONS, INC., ATTACHED AS EXHIBIT "A" WHICH AGREEMENT IS FOR THE PURPOSE OF THE VILLAGE OBTAINING NET VPN TELECOMMUNICATIONS EQUIPMENT AND SERVICES FOR VILLAGE FACILITIES; AND, PROVIDING FOR AN EFFECTIVE DATE. BE IT RESOLVED BY THE VILLAGE COUNCIL OF NORTH PALM BEACH, FLORIDA: Section 1. The Village Council of the Village ofNorth Palm Beach, Florida, does hereby approve the Addendum to BellSouth Business Services Master Agreement #CPG-4758 with BellSouth MNS, Inc. and BellSouth Telecommunications, Inc. attached as Exhibit "A" which Agreement is for the purpose of the Village obtaining Net VPN telecommunications equipment and services for Village facilities. Section 2. The Mayor and Village Clerk are hereby authorized and directed to execute the Addendum with BellSouth MNS, Inc. and BellSouth Telecommunications, Inc. attached as Exhibit "A" for and on behalf of the Village ofNorth Palm Beach. Section 3. This resolution shall take effect immediately upon its adoption. PASSED AND ADOPTED THIS 8th DAY (Village Sell) AT'I'.E_ST: ~ / . ~%~~~ VILLAGE CLERK i~~. BeIlSouth® Managed Network VPN Service Service Description 1) General BeIlSouth's Managed Network VPN Services ("Network VPN" or "Service") are a suite of IP VPN connectivity services designed to support the remote access, Intranet, Internet and Extranet application needs of businesses. An IP VPN Service is defined as an emulation of a virtual private network built on top of a shared IP infrastructure to interconnect mukiple customer sites and users to a common community of interest. BeIlSouth utilizes MPLSBGP4 (conforming to draft RFC 2547bis-01) and IPSec to deliver tP VPN services to Network VPN customers. The Network VPN suite of services consists of the following service capabilities: - Network VPN Site-to-Sde Service; - Network VPN Remote User Service; - AAA Hosting; - Internet Access with Firewall and Intrusion Protection Feature. Unless dherwise specified, the Service includes provisioning, proactive monitoring, management and technical support for all Network VPN service components. 2) Services Provided The service includes 24 X 7 proactive monitoring, management and technical support of all components provided with the service via BeIlSouth carrier class NOC facilities. Following is anon-inclusive list of the types of activities that will be performed to monitor and manage the provided components within Network VPN Service: - 24 X 7 monitoring, management and maintenance of all network infrastructure components associated with the Service, including customer premise equipment (CPE) when the Port + Access +CPE packaging option is selected; - Creating, tracking, updating and closing trouble tickets as appropriate; - Monitoring, reading, and setting of various SNMP Management Information Base (MIB) variables; - Setting and pilling of alarms, threshdds, etc.; - Addressing customer notification of troubles; - Implementing and managing the IP Routing and Forwarding services necessary to forward IP traffic between customer sites and/or users across the Network VPN Service; - Reporting and Customer Network Management Interfaces. Proactive monitoring and reporting on DSL connectivfty can only be provided when the Pat + Access +CPE packaging option is available and selected. a) Public and Private Connectivity options Connecting a particular Site and/or Remote User to BeIlSouth's Network VPN Service is accomplished via one of two methods: "On-Net" Connectivity: a direct connection from the customer premise device to the BeIlSouth Provider Edge (PE) Router via a private, dedicated connection (i.e. Frame Relay. Private Line, DSL). "Off-Net" Connectivity: an encrypted connection from the custaner premise device to BeIlSouth's IPSec Gateway ("IPSec Gateway") utilizing IP Security (IPSec) over a public Internet connection. The IPSec Gateway is hosted in BeIlSouth facilities and enables connectivity and interoperability between a customers "Off-Net" sites and/or users and the customer's "On-Net" Network VPN locations. For "Off-Net" connections, the customer is responsible for providing, monitoring and managing the appropriate Internet access service and associated CPE to reach the IPSec Gateway. b) Service Availability Regional (Infranchise) "On-Net" Network VPN Service: Frame Relay, Private Line, ATM, Metro Ethernet, BeIlSouth Integrated Sdutions, and DSL Service coverage includes all LATAs and metros in the 9-state BeIlSouth telephone service region in the southeastern United States; however, access options will vary by location. Customer must consult with their BellSouth Account Team to determine individual customer access availability by sRe/user location and/or serving area. BellSouth Regional Network VPN service is an offering of BeIlSouth Telecommunications, Inc. National (In-Franchise 8 Out-of-Franchise) "On-Net" Network VPN Service: Frame Relay, Private Line, ATM, Metro Ethemet, BellSorth Integrated Sdutions, and DSL Service coverage includes all LATAs and metros in the continental Unted States; however, access options will vary by location. Customer must consult with their BeIlSouth Account Team to determine individual customer access availability by site/user location and/or serving area. BeIlSouth National Network VPN service is an offering of BellSouth MNS, Inc. c) Network VPN Site-toSite Service The Managed Network VPN Site-to-Site Service (Network VPN S2S) enables businesses to establish IP level Wide Area Network (WAN) connectivity between business sites aver BeIlSouth's Network VPN service using a wide range of underlying access types/speeds to a given site. BellSouth utilzes a Peer Model in conjunction with a Layer 3 Network VPN backbone architecture in order to interoonnect custaner sites. The Peer Model requires that the customer edge device (typically a router) "peer" with only one router at the edge of the BellSouth Network VPN service (as opposed to all other CPE routers associated wdh specific sites on the custaner's VPN network). Once the BellSouth PE Router receives an IP Packet from a particular customer site, BellSouth is responsible for routing that packet across the BeIlSouth Network VPN service to the appropriate customer site destination. This connedionless architecture enables the creation of VPNs in Layer 3 while eliminating the need for tunnels or Virtual Circuits between all customer sites. Access types CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION Version: 0212006 Page 1 of 11 Created On: April 13, 2006 CCP-9806 A Network VPN S2S Service access type/speed combination will be selected for each customer site. Following is a list of the standard Network VPN S2S access types that are currently supported. Availability of access type will vary by customer site and access serving area:. - Frame Relay; - Private Line; - ATM; - Metro Ethernet (see requirements below); - BeIlSouth® Integrated Sdutions; - DSL. Metro Ethernet (MetroE) Access to Network VPN -Requirements This service will enable customers to connect to the Network VPN service at various Metro Ethernet speeds. MetroE access to Network VPN is available as Port +Access +CPE, Port +Access and Port Only service options. When Network VPN is provided via Metro Ethernet Premium service, packets originating from a particular Customer are identified by use of a Virtual Local Area Network number (ULAN Tag) that is assigned by BellSouth when the service is provisioned. The VLAN tag is embedded in each Ethernet packet received from the Customer and serves to identify the source of the packet to BellSouth. The requirement to identify MetroE to Network VPN Customers by VLAN Tag requires that the data transport service connecting to the BMF conform to the fdlowing requirements: 1. The BellSouth Metro Ethernet Service ordered from BellSouth must be Metro Ethernet Premium service equipped with O- Forwarding. Ct-Forwarding is an optional Metro Ethernet Premium feature that adds support for VLAN tagging to the BellSouth standard Metro Ethemet Premium service. 2. If a Customer already uses a BellSouth Metro Ethemet service that does not include VLAN tagging, (i.e. BellSouth Basic Metro Ethernet service), and one or more of the existing locations desire to add Network VPN services, then all locations served by that service must be upgraded to the Metro Ethemet Premium service. 3. The CPE equipment effecting the Ethemet connection at the Customer Premises to the BellSouth Metro Ethernet service must support VLAN tagging via the 802.101 protocol. W hen a Port+Access or Port Only configuration is ordered, the Customer must provide compatible CPE and configure it according to the VLAN tags that will be assigned by BellSouth during the ME to Network VPN provisioning process. Customers providing their own Metro Ethemet transport to the Port Only Service option must purchase rate elements for Premium Fixed Metro Ethernet speeds 10M, 20M, 50M, 100M, 250M, or 500M, plus any additional mileage charges required to connect the customer premise to the closest equipped Metro Ethernet switch Central Office. Customer provided routers must be VLAN tagging capable for Metro Ethernet to Network VPN service. All dedicated, point-to-point tariffed transport services used to provide access to the Network VPN service are provided via the FCC jurisdiction tariffs. Customer Responsibilities: - Provide all IP Addresses to be used in customer's VPN Network; (BellSouth will typically assign addresses from the customer provided pad of IP Addresses); - Provide routing from Customer-edge routers to provider-edge routers (BellSouth owned and maintained) via Network VPN supported prdocds; - Configuration and maintenance of all Customer-owned devices on Customer's network- CE To PE Routing for "On-Net" Connections At each customer premise, a device is attached to the Network VPN via some type of data link connection such as Frame Relay, Point-to- Print Protocd, etc. The router at the customer premise (the CE device) may connect a single host, single subnet or multiple subnets to the Network VPN Service. At any site where the Part +Access +CPE packaging option is nd selected or is not available, it is the customer's responsibility to monitor and manage or to engage a third party to monitor and manage their own CE devices. As part of that management, the customer must provide the routing from the CE device to the BellSouth PE Router via a BellSouth Network VPN supported routing prdocd. Unless otherwise specified by the customer, static routing will be the default customer routing method provisioned far each location. Class of Service Class of Service (CoS) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class with Its rxNn level of SP.NIf'P and priority. The BellSouth GoS pffannn will s~~.,...,,~ f~~r c!ass..., ~ traffi^ n~ rea! time; ~''~ ^teract~~• ~,',~ business priority and (4) best effort. The real time class is intended to provide a building block for low decay, low jitter and low loss services, such as real-time vdce. The interactive and business priority classes are intended to provide customers with a low delay and tow loss service that would be applicable for video and business critical applications. The best effort class is intended to provide customers with a standard delivery mechanism that does not require real-time parameters. BeIlSouth's Class of Service architecture is based on a D'rfferentiated Services (DiffServ) model, whereby traffic entering the BellSouth network is classfied, and possibly conditioned, at the boundaries of the network and assigned to different behavior aggregates. A predefined marking scheme is used to identrfy each behavior aggregate. Traffic that does nd conform to BeIlSouth's predefined marking scheme will be classified as best effort. Traffic classification should occur within the customer's network or at the Customer Premises Equipment (CPE). BellSouth will not pertorm classification of packets at the Provider Edge ingress, other than to enforce the CoS contract. BeliSouth's sdution will support Class of Service whether BellSouth or the customer manages the customer premises equipment. if BellSouth does nd manage the router, the customer will be responsible for classrfying the traffic according to pdicies provided by BellSouth. d) Network VPN Remote User Services The Network VPN Remote User Service enables businesses to securely and cost-effectively connect remote users to the corporate network over BeIlSouth's Network VPN Service. The service supports "Off-Net" remote user configurations as described below. The Network VPN Remoe User Service will be sdd as a distinct overtay service to the underying IP/Intemet connectivity for this service configuration. Thus, the company andlor remote user purchases gbbal Internet Access distinct from the Network VPN Remote User Service. Additionally, the Customer is responsible for implementing any additional security capabilities for the remote user environment (e.g. personal firewalis, virus CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION Version: 02/2006 Page 2 of 11 Created On: April 13, 2006 CCP-9806 scanning, etc.) beyond the basic secure Network VPN connectivity provided in the folowing Network VPN Remote User Service "Off-Net" configuration. At a minimum, one Network VPN "On-Net" S2S Connection, which will be designated as the host site, is required for the Network VPN Remote User Service. This connection can be dedicated for just Network VPN Remote User Service, or it can be implemented in conjunction with the Network VPN Site-to-Site Service. End User Level Help Desk Support BellSouth provides, as part of the Network VPN Remote User Service, abusiness-class end user technical support help desk. The Heip Desk is available via a tell-free number 24 hours a day, 365 days a year to support end users having trouble accessing the VPN due to VPN Client Software or other connectivity issues. The Help Desk does not provide support for troubleshooting home networks nor any other end user or server based applications. BellSouth performs the following end user help desk functions as part of the Network VPN Remote User service: - 24x7 access to a tell-free technical support help desk to all end users of the Network VPN Remote User Service; - Assisting the customer's remote user with VPN Client Software download, installation and use; - Troubleshoding basic connectivity issues. Remote User Access Control Authentication, Author¢ation and Accounting (AAA) servers provide the primary means through which access contrds are set up for the remde users, and therefore are required for Network VPN Remote User Service. The customer may host the AAA services or outsource the AAA hosting to BellSouth. If the customer chooses to host the AAA services, the customer must work with BellSouth to validate interoperability with the Network VPN Remote User Service as AAA services are also utilized to fulfill on a variety of required reporting requirements. User name and password will be the only supported authentication scheme for BellSouth hosted AAA services. Network VPN Remote User Service - "Off-fJet" IPSec Configuration This service configuration provides secure remote access connectivity to be established to the customer's network for any Internet accessible user. A Cisco IPSec Client, which the remote user downbads from the BellSouth Network VPN Customer Network Management (CNM) web interface, is provisioned with this Network VPN Remote User Service Configuration. This IPSec client must be installed on each client workstation requiring access to the customer's Network VPN Service. Valid users are established by the customer's network administrator through an AAA user authentication database (which must be hosted by the customer or by BellSouth). The secure IPSec VPN tunnel is initiated at the remote user's client location and is terminated on the IPSec VPN Gateway at the edge of the BellSouth Network VPN Service. As the IPSec client is utilzed to establish the VPN connectivity, this service is independent of the underlying access and can therefore be utilized in conjunction with any BellSouth or third party Intemet access service. However, more integrated service and support is provided when it is used in conjunction with BellSouth FastAccess® or Dial Intemet Services. IPSec Remote User Client Software All "Off-Net" Remote Users will be required to use Cisco's IPSec software client, which can be downloaded via the BellSouth provided Network VPN CNM web interface. Supported Remote User Internet Access types As previously mentioned, Network VPN Remote User Service is purchased and provisioned independently of the required underlying Internet access connectivity. However, as fellows, there are differences in the Internet access that can be utilized and/or are supported in conjunction with the service configuration. The Network VPN "Off-Net" IPSec Remote Client Configuration can be utilized regardless of the underlying Intemet access type. However, it is intended to support remote user access via typical dial-up or broadband access speeds. As such, appropriate acceptable use policies may be applicable and/or IPSec Gateway bandwidth rate limits implemented to prevent any potential abuse of the service. e) Value Added Intemet Access with Firewall Feature The customer may choose to provide all of their Network VPN Sites and/or Remote Users with Global Internet access via a centralized, Global Internet connection provided by BellSouth. Additionally, BellSouth provides network based security services (e.g. Managed Firewall and Network Address Translation (NAT), etc.) via the BellSouth Security Services Gateway ("Security Services Gateway') in order to apply appropriate perimeter security mechanisms when the gobal Internet Access service is provisioned. Customer will be required to subscribe to the Firewall Feature iF they ehos? the Internet Acr_.acs Feature ac Hart d their pyerall t~etwnrk VPN ceryica. The Managed Firewall Feature is comprised of the following: - Configuration of the customer's Network VPN to enable controlled Intemet access; - Mufti-homed global Internet connectivity from the Network VPN "cloud"; - Provisioning and configuration of the Security Services Gateway; - Initial design and implementation of the firewall rule base; - Support for Network Address Translation (NAT); - 24X7 Monitoring of the Firewall Platform; - Firewall Administration and backup; - Help Desk support and implementation of rule base changes as requested by Customer; - Firewall logging and reporting; - SLAs. The Internet Access with Firewall Feature is available in one of two service levels: Basic and Advanced. Intemet Access with Basic Firewall Feature includes: - Outbound Only Rule Set; - Dynamic NAT; - Domain Name Service (DNS) Caching (resolution); - (1) Public IP Address to be used for NAT. The Advanced Firewall Feature includes the following: CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION Version: 02/2006 Page 3 of 11 Created On: April 13, 2006 CCP-9806 - Support for Inbound and Outbound Rule Sets; - DNS Caching and DNS Hosting for public IP Addresses provided by BellSouth as part of the service; - Static NAT for public IP Addresses provided by BellSouth as part of the service; - Support for logical demilitarized zone (DMZ) configurations using a separate PVC (only available at sites where Port + Access + CPE packaging option is selected). Intrusion Protection Feature An optional add-on security service whereby BellSouth enables Check Point's SmartDefense fitters to detect and thwart a range of application level attacks. As new advisories are received from Check Point, BellSouth will notrfy the customer of the new advisory and allow them to choose if they would like to act upon the advisory by adding the fitter to their existing Intrusion Protection Policy. The Intrusion Protection Feature includes: - Initial policy definition and implementation; - Event detection, blocking and logging based on Check Point's SmartDefense fitters; - Logging and Reporting (only available upon request); - Ongang subscription to SmartDefense Advisories. f) Service Packaging and Pricing The Network VPN Site-to-Stte service will support multiple service packaging options for a given site based upon access type, speed and components bundled with the service (e.g. Network VPN S2S Port + Access). Support for specific service package variations differ by access type and geography. Network VPN S2S Service - "On-Net" Packaging Variations - Network VPN S2S Service Port + Access +CPE: The Network VPN S2S port as well as the associated local loop and Customer Premise Equipment. With this packaging option, the Customer Premise Equipment includes a router and the LAN interface on the router is the point of demarcation between the customer's LAN and the BellSouth Network VPN Service. A separate 1FB (business local loop) is required for out of band management which is not included as part of the Network VPN Service For S2S DSL connections, the customer is responsible for providing the appropriate underlying 1FB (business local loop). - Network VPN S2S Service Port + Access: Both the Network VPN S2S port as well as the associated local access/transport is included with the service. For S2S DSL connections, the customer is responsible for providing the appropriate underlying 1F6 (business local loop). - Network VPN S2S Service Port only: Only the Network VPN S2S port is provided with the service. The Customer is responsible for providing the associated local accessRransport. Network VPN S2S Service - "On-Net" CoS Options From a service perspective, CoS will either be enabled at a given site, or not enabled. Customers will be charged a premium for those sites where CoS is required. The number of classes available to a customer at any given site are dependant upon the CoS package option contracted for at that site. BellSouth offers the following CoS packaging variations: - Standard -This option only includes the best effort class of service and is available for those customers who do not have a need fa class of service priorttization. - CoS-Basic -This option includes the Best Effort and Priority Business classes and is for those customers who need class of service to prioritize data traffic, but do not need all four forwarding classes. - CoS-Premium -This option includes all four forwarding classes. When CoS is enabled, the customers traffic will be allocated via a CoS policy that spells out how much bandwidth will be allocated to the individual classes. The bandwidth allocations in the CoS policy spell out the contracted bandwidth rates ("Contracted Bandwidth"). Unless otherwise agreed to in writing by BellSouth, no more than 50% of the total port bandwidth at a particular site may be allocated to the real-time and/or interactive classes. Network VPN S2S Service - "Off-Net" Packaging - Network VPN S2S "Off-Net" IPSec Termination - (see also IPSec Tunneling Termination): This service variation provides for the tgrrr~jnatinn and in}ernperahjlify of an IPSar_. tunnel originating from an IPSec CPF dgyice and is indgpendenr pf any given ar_.reSc serviceJtechndogy. The customer is responsible for providing the global Internet access service required to connect to the IPSec Gateway as well as any associated CPE and CPE management. Remote User -Service Tiers Service packaging is based upon a committed monthly remote user service tier. The remote user service tier defines a "per remote user rate" as welt as any committed minimum monthly recurring charge. The Remote User Service excludes any underlying accessftransport services. g) Reporting and Customer Network Management (CNM) Interfaces The service includes online web-based CNM interface to address the following areas related to the customers Network VPN service: 1) Network Status & Performance (Service Level Agreements (SLAB) and Statistics Reports); 2) Trouble Ticket Submission; 3) Security Administration (For submitting Firewall rule base change requests); 4) Network VPN Client Download; 5) Remote User Management. h) Network Addressing BellSouth will assign IP addresses to all Network VPN connections out of a customer provided pod of IP address space. While Non-Internet Routable, Private IP addresses are preferred, the customer may provide both Private and Public IP address space for use within the customer's VPN network. Additional design fees may apply when implementing Public IP addressing schemes. CONFIDENTIAL/PROPRIETARY -NOT FOR DISCLOSURE WITHOUT W RITTEN PERMISSION Version: 02/2006 Page 4 of 11 Created On: April 13, 2006 CCP-9806 - Remote users will be assigned a dynamic private IP address (non-Internet routable) when they logon to the Network VPN Remote User Service. These addresses are independent of the Intemet addresses assigned as part of the remote users' underying gbbal Intemet Connectivity. Thus, a user may have a dynamic or static Internet address, but they will always be assigned a dynamic private IP address for the Network VPN Remote User Service. 3) Service Activation and Billing Billing fa individual service components will commence upon service activation. For Site-to-Site Service, billing may commence upon activation of at least two sites. For Remote User Service, billing may commence upon activation of at least one site and the associated AAA services. 4) Disclaimer BellSouth provides the service "as is", without warranty of any kind, whether express or implied. BellSouth disclaims all implied warranties including implied warranties of marketability or fitness for a particular purpose. The Customer understands and agrees that, although characterized as "secure" and generally considered to be significantly more secure than standard Intemet access methodologies, the service is nd a guarantee against intrusions or other unauthorized use of or access to customer's network or systems. BellSouth will not be liable for indirect, special, incidental, exemplary, or consequential damages, or for any loss of profits resulting from the use of this service by the Customer or any third parties. In no event shall BeIlSouth's liability exceed a refund of the amounts actually paid to BellSouth for services provided pursuant to this agreement. The service is subject to the warranty and damages limitations and exclusions set forth in BeIlSouth's standard terms and conditions for the service. 5) Service Level Agreements The folowing Service Level Agreements ("SLAB") are made by BellSouth to customers who have ordered qualifying Managed Network VPN Service from BellSouth, for a minimum service term of one year or greater. The list of Qualifying Managed Network VPN Services varies by SLA metric and is detailed under each SLA Metric below. For the purposes ~ the SLAB, the term "Qualifying Site" means any site included in the Qualifying Service and the term "Qualifying Service" does not include any of the Services (or any applicable charges therefor) relating to any sites which are nd Qualfying Sites. BellSouth intends to provide the Service such that it will perform in a manner consistent with the objectives set forth in this document. If BellSouth fails to perform the Service such that any of the following SLAB are not met, the sde obligation of BellSouth and the Customer's sde remedies shall be for BellSouth to use commercially reasonable efforts to effectuate a repair of the Services and for BellSouth to provide the credits, if any, specified below. Network VPN service level agreements are broken down into five categories: installation, network availability, core perfonmance, access circuit performance, and security services performance. For all SLA targets, service credits will not be available to Customer, in cases where SLA targets are missed as a result of (i) the negligence, acts or omissions of Customer, its employees, contractors or agents or its end users; (ii) the failure or maHunction of testing equipment, applications or systems; (iii) port utilization greater than 80%; (iv) circumstances or causes beyond the contrd of BellSouth, including instances of Force Majeure (including war, riots, embargoes, strikes, or other concerted acts of workers, casualties or accidents, malicious or criminal acts of third parties, or any other causes or circumstances whether of a similar or dissimilar nature to the foregoing, which prevent or hinder the delivery of the Services); or (v) scheduled service maintenance, alteration, or implementation. Such credits will be granted only if Customer affords BellSouth full and free access to Customer's equipment to perform necessary testing, troubleshooting or related activities. a) Installation SLAB Installation Date (1) "Installation Date" is the actual date that the Qualifying Services are made available to the Customer at a Qualifying Site. All expedited installation requests do not qualify for this installation SLA. (2) The objective for the Installation Date is to be on or before the target date for 90% d all Qualifying Sites in any Customer Order (or to not miss the Installation Date for more than 1 Qualifying Site, if such Order encompasses less than 10 Qualifying Sites). The target date is the scheduled installation date committed to by BellSouth, as reflected on Be1lSouth's service management records. For any Customer Order for which the objective is not met (other than for the reasons set forth above) Customer will receive a credit, which may be applied towards Customer's subsequent monthly invoice(s), equal to 100% of the installation charges (if any) dherwise payable by the Customer for any Qualifying Site fnr whir_.h the Inctallatim date yyac r7rd mar. (3) For the purposes of the Installation Date SLA, the term "Qualifying Site" applies to any site that is served via Frame Relay, Private Line, ATM, McVO Ethernet, BellSouth Integrated Solutions or DSL access transport, and for which BellSouth charges an installation fee. (4) The Internet Access with Firewall Feature includes a separate objective for Installation Date. The objective is for the Internet Access with Firewall Feature to be made available upon or before the target date. The target date is the scheduled installation date committed to by BellSouth, as reflected on BeliSouth's service management records. For any Customer Order for which the objective is not met (other than for the reasons set forth above) Customer will receive a credit, which may be applied towards Customer's subsequent monthly invoice(s), equal to 100% of the Internet Access with Firewall Feature installation charges (if any) otherwise payable by the Customer. b) Network Availability (1) "Network Availability" is the percentage of total minutes during a calendar month that the Services are available to the Customer. Network Availability is calculated as follows: Network Availability% _ ((Total Minutes in the Month times the number of Qualifying Sites) - [sum of outage minutes for all Qualifying Sites]) '100)/(Total Minutes in the Month times the number of Qualifying Sites). "Outage minutes" shall be deemed to be the length of time during which the Services are unavailable to the Customer at each Qualifying Site, as determined by BellSouth in accordance with its standard procedures therefor in effect from time to time. "Outage minutes" shall not include any outages (i) occurring during scheduled maintenance activities; (ii) attributable to any act or omission of Customer; (iii) attributable to Customer's applications, equipment or facilities; (iv) resulting from reasons of Force Majeure (including war, riots, embargoes, strikes, or other Concerted acts Of workers, casualties or accidents, malicious or criminal acts of third parties, or any other causes or circumstances whether of CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION Version: 02/2006 Page 5 of 11 Created On: April 13, 2006 CCP-9806 a similar or dissimilar nature to the foregdng, which prevent or hinder the delivery of the Services) or other causes beyond the reasonable control of BellSouth; or (v) lasting sixteen minutes or less. (2) The objective for Network Availability is 99.90% for S2S Network VPN Service. For any month in which the objective is not met, Customer will receive a credit, which may be applied towards Customer's subsequent monthly invoice(s), equal to 1/30th of the monthly recurring Network VPN charges for the affected portions of the Qualifying Service (i.e., the portion(s) of the Qualifying Service directly made unavailable as a result of the outage(s) in question) for each cumulative hour or portion thereof during which such Services are unavailable to the Customer (subject to the limitations set forth herein). Unavailability and credits will be prorated and paid in 15-minute increments. The credits payable for the Network Availability objective missed during any one-month period shall not exceed fifty percent of the total mouthy recurring charges for the Qualifying Services. (3) For the purposes of the Network Availability SLA, the term "Qualifying Site" applies to any site that is served via Frame Relay, Private Line, ATM, Metro Ethernet, or BellSouth Integrated Solutions. (4) The Internet Access with Firewall Feature includes a separate objective for Network Availability that is 99.99%. For-any month in which the objective is not met, Customer will receive a credit, which may be applied towards Customer's subsequent mouthy invoice(s), equal to 1/30th of the mouthy recurring Network VPN charges for the Internet Access with Firewall Feature for each cumulative hour or portion thereof during which such Services are unavailable to the Customer (subject to the limitations set forth herein). Unavailability and credts will be prorated and paid in 15-minute increments. c) Core Performance (1) "MPLS Core" refers to the backbone portion of BeIlSouth's Managed Network VPN Service network. CE routers and Access Circuits are outside the Core Network. The objectives for Core SLAs are as fdiaws: In-Franchise 8Out-of-Franchise "On-Net" S2S Services Measurement Best Effort Priority Business Interactive Real-Time Latency (roundtrip) <=55 ms <=50 ms <=50 ms <=45ms Jitter (roundtrip) NA NA NA <=2 ms Packet Delivery >=99.60% >=99.70% >=99.80% >=99.90% (2) For the purposes of MPLS Core SLAB, "Qualifying Service" applies to any site that is served via Frame Relay, Private Line, ATM, Metro Ethernet, BellSouth Integrated Solutions or DSL transport. Core Latency (1) "Average Core Latency" is the mouthy average round-trip latency of designated portions of the Network VPN Service MPLS core network, determined by measuring round-trip ping responses over such portions of the network as determined by BellSouth. (2) For any month in which one or more Core Latency targets is not met for any Class(es) of Service applicable to Customer's Qualifying Service at any particular site, Customer will receive a credit, which may be applied towards Customer's monthly invoce, equal to 10% of the mouthy recurring charges for the Qualrfying Service at such site. Core Jitter (1) "Average Core Jitter" is the monthly average Jitter of designated portions of the Network VPN Service MPLS core network, determined by measuring the standard deviation of variation in Latency from packet to packet taken in five minute intervals over the course of the month. (2) For any month in which one or more Core Jtter targets is not met for any Class(es) of Service applicable to Customer's Qual'rfying Service at any particular site, Customer will receive a cred'R, which may be applied towards Customer's mouthy invoice, equal to 10% of the monthly recurring charges for the Qualifying Service at such site- Core Packet Delivery (1) "Average Core Packet Delivery' is the mouthy average round-trip packet delivery of designated portions of the Network VPN Service MPLS core network, determined by measuring round-trip network responses over such portions of the network as determined by BellSouth. (2) For any month in which one or more Core Packet Delivery targets is not met for any Class(es) of Service applicable to Customer's Qualifying Service at any particular site, Customer will receive a credit, which may be applied towards Customer's monthly invoice, equal to 10% of the monthly recurring charges for the Qualifying Service at such site. d) Access Circuit Performance (1) "Access Circuit" refers to the transport connecting a CE router to the BellSouth PE router. Access Circuit applicable only for the In-Franchise NetVPN service offering. The objectives for Access Circuit SLA's are as follows: Access Circuit SLA Targets Targets by Class of Service (Regional Network VPN Service) Measurement Real-Time Latency (roundtrip) <=50ms Jitter (roundtrip) <=5 ms Packet Delivery >=99.90% performance SLA's are (2) For the purposes of Access Circuit SLAB, "Qualifying Site" applies to those sites that meet all of the following qualrfying criteria: - The site must subscribe to CoS Premium; - The site must be an "on-net location" and have one of the following qual'rfying transport types: Frame Relay, Private Line, ATM, Metro Ethemet, or BellSouth Integrated Solutions; - The site must subscribe to Port + Access +CPE packaging option ; - The minimum port speed must be greater than or equal to 768K. (3) Access circud SLA measurements are performed by means of SAA probes configured between a test router and each customer premise router, and by SNMP measurements taken at the customer premise router (CPE) and at the provider edge (PE) router, at five minute intervals. CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION Version: 02/2006 Page 6 of 11 Created On: April 13, 2006 CCP-9806 Access Circuit SLA measurements are calculated by taking the average of the measured values as reported by SAA over a calendar month, with the following exceptions: - Any measure taken during a measurement interval during which time actual traffic. being sent exceeds the contracted bandwidth amount for that site/queue. Out of contract situations will be determined by looking at the Quality of Service (QoS) politer value on the CPE and the CPE router. If the politer value for a given class on either the CPE or the PE router is in excess of zero, the measurement will not be used in calculating the monthly average. - Any measurements taken during scheduled maintenance windows shall not be used in calculating the monthly average for SLA purposes. Access Circuit Latency (1) "Average Access Circuit Latency' is the monthly average round-trip latency from CE to PE averaged across all Qualifying Sites. (2) For any month in which one or more Access Circuit Latency targets is not met for any Class(es) of Service applicable to Customer's Qualifying Service at any particular site, Customer will receive a credit, which may be applied towards Customer's monthly invoice, equal to 10% d the monthly recurring charges for the Qualifying Service at such site. Access Circuit Jitter (1) "Average Access Circuit Jitter" is the monthly average Jitter from CE to PE averaged across all Qualifying Sites. (2) For any month in which one or more Access Circuit Jitter targets is not met for any Class(es) of Service applicable to Customers Qualifying Service at any particular site, Customer will receive a credit, which may be applied towards Customer's monthly invoice, equal to 10% of the monthy recurring charges for the Qualifying Service at such site. Access Circuit Packet Delivery (1) "Average Access Circuit Packet Delivery" is the monthly average round-trip packet delivery from CE to PE averaged across all Qualifying Sites. (2) For any month in which one or more Access Circuit Packet Delivery targets is not met for any Class(es) of Service applicable to Customer's. Qualifying Service at any particular site, Customer will receive a credit, which may be applied towards Customer's monthly invoice, equal to 10% of the monthly recurring charges for the Qualifying Service at such site. e) Security services performance (these SLAB only applicable for Internet Access with Firewall Feature) Fjrewall Rule-base Chance Implementation (1) "Firewall Rule-base Change Implementation" SLA is based on the actual amount of time elapsed from the time BellSouth receives a Customer initiated firewall rule-base change request until implementation of that rule into production. This SLA is based on actual time of implementation, and not on the time that Customer was notified that the request was completed. This SLA is only available for rule-base change requests submitted by a valid Customer Security Contact in accordance with the Rule-base Change Request Submission Procedure. Customer is sdely responsible for providing BellSouth accurate and current contact information for Customer's designated points of contact. BellSouth will be relieved of its obligations under this SLA if BeIlSouth's Security Contact information for Customer is out of date or inaccurate due to Customer's action or omission. (2) The objective for Firewall Rule-base Change Implementation is to implement Customer rule•base change requests wthin the target interval 100% of the time. The target interval for Basic Firewall is within twelve (12) hours of receipt of a valid rule-base change request. The target interval for the Advanced Firewall Service Level is within four (4) hours of receipt of a valid rule-base change request. For any month in which the objective is not met, Customer will receive a credit for each instance, which may be applied towards Customer's monthly invoice, equal to 1/30 of the monthly recurring charges for the Internet Access wfth Firewall Feature. The credts payable for the Firewall Rule-base Change Implementation objective missed during any one-month period shall not exceed fifty percent of the total monthly recuring charges for the Internet Access with Firewall Feature. Proactive Firewall Monitorins~ (1) Firewall Outage Notification" SLA is based on the actual amount of time elapsed from the time that an outage is determined by BellSouth to the time that the Customer is notified by BellSouth. Customer is sdely responsible for providing BellSouth accurate and current contact information for Customer's designated points of contact. BellSouth will be relieved of its obligations under this SLA if BeIlSouth's Security Contact information for Customer is out of date or inaccurate due to Customer's action or omission. (2) The objective for Firewall Outage Notification is to notify the Customer within 15 minutes of the time that an outage is determined. For any month in which the objective is not met, Customer will receive a credit for each instance, which may be applied towards Customer's monthly invoice, equal to 1/30 of the monthly recurring charges for the Internet Access with Firewall Feature. The credits payable for the Firewall Outage Notification objective missed during any one-month period shall not exceed fifty percent of the trial monthly recurring charges for the Internet Access with Firewall Feature. 6) SLA Terms and Conditions Customer should anticipate receiving any applicable r_.redit within 2 billing cycles afrar the mc,.~th im which the ci n oti~tive ;vas, n;isssd. !f Customer believes a credit should have been applied but was not, Customer must request credits within 120 days after the date of the report from BellSouth giving notice that an SLA objective was missed and that a credit is being issued. If Customer's request for a disputed credit was in error, Customer may be charged for the costs associated with researching the disputed credit request. The total credits payable for SLA objectives (other than the Installation Date SLA) missed during any one-month period shall not exceed fifty percent of the total monthly recurring charges for the Qualifying Services. The cumulative SLA credits granted in a month for a given site will not exceed 50% of the price paid for that individual site within a billing period. CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION Version: 02/2006 Page 7 of 11 Created On: April 13, 2006 CCP-9806 ~ ~,~~x Addendum to Master Contract for Village of North Palm Beach BellSouth Business Services Master Agreement # CPG-4758 Quote # BBS060330093128 Term The undersigned Customer hereby orders from BellSouth Business Systems, Inc on behalf of BellSouth Telecommunications, Inc. ("BellSouth") the Business Services of the type, at the location and for the prices and term specified in this Addendum and its related documents) (collectively, this "Addendum"). BellSouth Business Services is provided, and this Addendum is submitted, subject to and in accordance with the BeIlSouth® Business Services Master Agreement ("Master Agreement"), and all applicable acceptable use policies. This Addendum is valid only when executed by an authorized representative of BellSouth. The term of the Service begins upon activation as defined in the attached Service Description and shall continue in effect for 36 Months from ("Initial Term"), unless terminated earlier as set forth herein or in accordance with the provisions set forth below. This Addendum shall be extended for additional one year terms under the same terms and conditions herein unless either party provides written notice of its intent not to renew the Addendum at least sixty (60) days prior to the expiration of the initial term or each additional one-year term. Additional Terms and Conditions 1. Pre-qualification does not guarantee service availability at the installation location. Although Customer's line pre-qualified for Service there are circumstances beyond BeIlSouth's control that may result in Customer's inability to receive this Service. Some of these limitations are not detectable until BeIlSouth's installers are at Customer's location and attempt installation of the Service. If it is determined that BellSouth is unable to install this Service, Customer will not incur any charges associated with the attempted provisioning of Service for the affected location(s). 2. If Customer cancels its Services or any portion thereof, or has its Services or any portion thereof terminated pursuant to Sections 12(a) or 12(b) of the Master Agreement, prior to the expiration of the minimum term selected herein, Customer shall be obligated to pay BellSouth a termination charge equal to 50% of the total monthly charges (other than variable usage charges) that would have become due for the remainder of the scheduled minimum term if such termination had not occurred. Such termination charge shall be paid to BellSouth within thirty (30) days after such cancellation. 3. If Customer cancels installation of the Services, or part of a service order, before the installation due date, Customer shall be obligated to pay BellSouth cancellation charges equal to 50% of all the standard nonrecurring charges associated with the order, or that part of the order being cancelled. 4. Customer may incur additional charges in the event BellSouth has to build out additional facilities in addition to provision Customer's Services. Customer will be notified of such additional charges and may terminate the Services without incurring cancellation charges. 5. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original and all of which shall be taken together and deemed to be one instrument. The Parties agree that a facsimile or electronic transmission of each Party's signature to this Addendum and Orders hereunder will be deemed an original and the best evidence thereof for all purposes, including, without limitation, all evidentiary purposes before any arbitrator, court or other adjudicatory authority. 6. The term of each subsequent Order for the same type Service shall be co-terminous with the initial Order for the same type Service, unless otherwise provided for in such subsequent Order. 7. Customer shall receive their first month of service on NEW Port + Access +CPE sites ordered under this Addendum at no additional charge pursuant to the following terms and conditions: I. The 'First Month Free' offer is only available for NEW sites utilizing Network VPN Port + Access +CPE Service. Other service types, value-added services or existing sites shall not be included. II. Customer must sign an Order Addendum for the Services with a minimum term of twenty-four (24) months; CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION D"~ Version: 02/2006 Page 8 of ? 1 Custaner Initials: Created On: April ?3, 2006 CCP-9806 Date: ~ !'S III. If Customer cancels the Service prior to contract expiration, Customer shall be responsible for payment of monthly recurring charges for the month(s) Customer used the Service including any monthly recurring charges that may have been waived; and will be subject to any applicable early termination charges IV. This promotional offer is available to Network VPN customers from January 1, 2006 through June 30, 2006. 8. CUSTOMER HAS READ AND AGREES TO BE BOUND BY THIS ADDENDUM, INCLUDING THE APPLICABLE ADDENDUM DETAIL FORM (S) AND THE BELLSOUTH BUSINESS SERVICES MASTER AGREEMENT AND RATE SCHEDULES, AND ALL APPLICABLE ACCEPTABLE USE POLICIES, ALL OF WHICH REPLACE AND SUPERSEDE ANY OTHER NEGOTIATIONS, AGREEMENTS, PROPOSALS AND COMMUNICATIONS (ORAL OR WRITTEN) RELATING TO THE SERVICES LISTED OR DESCRIBED ON THIS ADDENDUM AND SHALL PREVAIL OVER ANY ADDITIONAL OR CONFLICTING TERMS IN ANY PURCHASE ADDENDUM, INVOICE, ACKNOWLEDGMENT OR OTHER SIMILAR DOCUMENT ISSUED BY CUSTOMER. ACCEPTANCE OF ANY ADDENDUM BY BELLSOUTH IS SUBJECT TO BELLSOUTH CREDIT AND OTHER APPROVALS. FOLLOWING ADDENDUM ACCEPTANCE, IF IT IS DETERMINED THAT THE INITIAL CREDIT APPROVAL WAS BASED ON INACCURATE OR INCOMPLETE INFORMATION, BELLSOUTH IN ITS SOLE DISCRETION RESERVES THE RIGHT TO CANCEL THE ADDENDUM WITHOUT LIABILITY OR SUSPEND THE ADDENDUM UNTIL ACCURATE AND APPROPRIATE CREDIT APPROVAL REQUIREMENTS ARE ESTABLISHED AND ACCEPTED BY CUSTOMER. CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION Version: 02/2006 Page 9 of 11 Customer Initials: Created On: April 13, 2006 CCP-9806 Date: Summary Managed Network VPN Components purchased: Site-to-Site locations Promotions: Network VPN First Month Free Promotion -Expires 06/30/06 Charges Customer will pay to BellSouth all charges billed pursuant to the Contract. Charges are as set forth below. Installation Charge.. Monthly Recurring Charge BellSouth Total $0.00 $1249.90 Incorporation The Terms and Conditions of this addendum are added to, and become, integral parts of Master with Master Agreement CPG-4758 and are fully incorporated herein by this reference. Contract acknowledge that I have received and read the Be(ll~Southl Managed Network VPN Service Description ~P I Customer Initials and Date IN WITNESS WHEREOF, the Company and Customer have caused this Addendum to be executed and delivered by their duly authorized representatives, effective upon execution by Customer and acceptance by the Company. Acknowledgement Custo er i rt alm Be ch By: Name: David B. Norris Title: Mayor Date: ~/~.~/a to Accepted by BellSouth Business Systems, Inc. On behalf of BellSouth Telecommunications, Inc. By: (Authorized Signature) Name: Kenneth Lewis or Jacob A. Granger Title: Director -Contract Management or Manager -Tactical Pricing Date: CONFIDENTIAL/PROPRIETARY- NOT FOR DISCLOSURE W ITHOUT WRITTEN PERMISSION Version: 02/2006 Page 10 of 11 Customer Initials: ___ Created On: April 13, 2006 CCP-9806 Date: Solution Details Managed Network VPN Install Charge Monthly Charge Charges for Site-to-Site Location # 1 Site Name: Anchorage Park Site Address: 603 Anchorage Drive North Palm Beach FL 33408- Service Package: S2S "On-Net" Private IP DSL Port + Access +CPE Port Speed: 256 K x 128 K (Best Effort) $0.00 $129.95 Subtotal: $0.00 $129.95 Managed Network VPN Install Charge Monthly Charge Charges for Site-to-Site Location # 2 Site Name: Country Club Site Address: 901 USHwy 1 North Palm Beach FL 33408- Service Package: S2S "On-Net" Frame Relay Port + Access +CPE Port Speed: 768 Kbps $0.00 $222.50 Subtotal: $0.00 $222.50 Managed Network VPN Install Charge Monthly Charge Charges for Site-to-Site Location # 3 Site Name: Village of NPB- Public Safety Site Address: 560 USHwy1 North Palm Beach FL 33408- Service Package: S2S "On-Net" Frame Relay Port + Access +CPE Port Speed: 1536 Kbps $0.00 $897.45 Subtotal: $0.00 $897.45 CONFIDENTIAL/PROPRIETARY-NOT FOR DISCLOSURE WITHOUT WRITTEN PERMISSION Version: 02!2006 Page 11 of 11 Customer Initials: _ ___ Created On: April 13, 2006 CCP-9806 Dale: