Network Transformation Strategy — Part 1
How to Migrate Sites to SD-WAN

The Future of SD-WAN. Today.

Posted on 22-May-2020

Network Transformation Challenges and How to Address Them

Overview

By now, you’re probably all too familiar with the networking challenges facing the enterprise. Rapid site deployment, Internet and cloud traffic explosion, protection from an endless supply of advanced threats — today’s networking requirements simply didn’t exist when MPLS became the de facto standard for connecting locations. Internet-based SD-WAN promises a way forward, but how do you move from a dedicated, carefully managed MPLS service to an SD-WAN running over the free-for-all that’s the Internet?

This migration plan should help. It identifies the issues and options you’ll need to consider when evolving your network. It gathers insights from SD-WAN adopters, industry best practices, and our own experience helping hundreds of enterprises transform their networks.

While replacing MPLS is certainly the first step in most network transformations, it’s not the full story. Enterprises face networking-related challenges beyond MPLS, such as:

- Reducing the time to detect and remediate threats without increasing costs
- Bringing IT security and compliance controls to cloud resources
- Improving and simplifying the remote access experience
- Finding ways to provide visibility into all enterprise traffic

To those ends, we’ve created a two-phased migration plan for transforming your WAN. In part 1, this eBook, we walk through the issues and challenges of the most common first step towards WAN transformation — MPLS migration. In part 2, we’ll look at the security, management, and connectivity issues associated with branch offices, the cloud, and mobile users.

A final note before we jump into the details. This guide is meant to lay out the issues and principles of any SD-WAN migration. It’s not meant to serve as a guide for moving to Cato Cloud. If that’s of interest, check out this step-by-step Cato adoption plan.


Location Migration Summary

Reducing MPLS bandwidth costs and improving agility are often the initial objectives of network transformation initiatives. To ease that transition, follow these five steps:

1. Categorize Your Locations: Group locations by their requirements for availability, packet loss, and costs.
2. Select the Right Last Mile: Internet access services have different characteristics. Use those differences to meet your networking and business requirements.
3. Decide on Your Middle Mile: Like Internet access, there are different middle-mile options. Here’s how to select the one right for your needs.
4. Engineer End-to-End Network Architecture: Combine middle and last miles to deliver MPLS-like quality with Internet-like price and agility.
5. Procure Your Last-Mile Services: Decide whether to manage the last-mile procurement and ISP evaluation in house or outsource.


1. Categorize Your Locations

Document Site Requirements and Group Locations

Start your MPLS migration by documenting site requirements. SD-WAN’s ability to simultaneously leverage multiple types of access — MPLS, dedicated Internet access (DIA), broadband, and wireless — allows for a graceful, incremental transition away from MPLS, and gives you incredible flexibility in meeting business and networking requirements. The same flexibility, though, risks complicating operations, leading to a network of “snowflake” implementations where each site has a slightly different network configuration.

Avoid that problem by grouping locations according to their networking requirements. If you’ve already gone through this exercise, the site’s current connectivity can serve as a guide (see below for details). Evaluate last-mile requirements across three dimensions — uptime, performance and anticipated cost. Key sites, such as datacenters or the headquarters, will require greater uptime, better performance, and greater investment than small offices. Rank groups on a simple scale from low to high.

Keep It Simple

Try to keep your categorizations actionable. Make them simple enough to be usable but not so simple as to be inaccurate. A basic categorization map is provided below. Performance, in particular, may need to be broken out further as application requirements can differ in terms of capacity and packet loss. Latency is less of an issue given the last mile’s comparatively short distance. Depending on your industry, regulatory requirements may also need to be considered.

Site Categorization Map

| Tier | Description              | Uptime | Performance | Cost   |
|------|--------------------------|--------|-------------|--------|
| T1   | Large site               | High   | High        | High   |
| T2   | Medium site              | Medium | High        | Medium |
| T3   | Small site with failover | Medium | Medium      | Low    |
| T4   | Small site               | Low    | Low         | Low    |

Grouping locations by requirements simplifies network operations at scale.


2. Select the Right Last Mile

With sites categorized, map their requirements onto last-mile and middle-mile service characteristics. Matching the service quality of MPLS circuits is possible, but requires understanding where problems occur on the Internet and how to address them using the magic of multipathing and SD-WAN features.

Last Mile vs. Middle Mile: What’s the Difference?

SD-WAN, and more specifically the Internet, consists of three segments — two last miles reaching from the customer premises to their ISPs’ premises and the middle mile connecting the two last miles — stitched together using the BGP routing protocol. Availability and performance issues associated with the Internet manifest differently depending on the segment. (See this eBook for an extensive analysis of last- and middle-mile challenges and how to overcome them.)

Contention for bandwidth and the lack of redundancy can leave the Internet last mile prone to downtime and packet loss. SD-WAN addresses availability challenges with multipathing. Balancing traffic across multiple last-mile circuits not only increases the capacity available to SD-WAN solutions but also allows them to steer traffic around blackouts or brownouts. In fact, coupling last-mile services from different providers can provide availability on par with or even better than MPLS (see “How SD-WAN Provides High Uptime Without SLAs”).


Types of Last Mile Services

There are two primary types of Internet last-mile services:

Dedicated Internet Access (DIA) is best suited for medium and large sites. DIA services are symmetrical services with committed bandwidth, and guarantees for availability and repair. Packet loss rates are low but not guaranteed. Deployment times will depend on the presence of existing fiber, without which delivery will be comparable to MPLS. DIA connections will cost less than MPLS but more than broadband connections.

Broadband Services, such as cable and DSL, can serve as primary connections for small sites or secondary connections for all sites. As broadband services share capacity with other customers, actual capacity will vary based on the contention ratio — the number of customers accessing the service. A contention ratio of 20:1, for example, indicates that 20 customers share 1 Mbit/s of bandwidth. Consumer broadband will have higher contention ratios; business broadband will have lower contention ratios. With consumer broadband, repairs will generally be done on a best-effort basis; there are no SLAs. Business broadband services will have a limited availability SLA. While broadband services do not come with guaranteed packet loss, research from the FCC indicates that the average loss for US broadband services runs about 0.8%. As for price, broadband is the least expensive Internet service.

Wireless Access Services, namely 4G/LTE, provide a valuable function as secondary connections. Improving SD-WAN last-mile availability is predicated on redundant physical infrastructure. But “diverse routing,” where access lines use completely redundant infrastructure, is challenging as providers will share wiring ducts and other physical components even for terrestrial services of different technologies. Mixing wireless and wireline services addresses this challenge.

| Type                              | Availability | Packet Loss | Contention Ratio | SLAs                            | Repair Time       | Price | Delivery    |
|-----------------------------------|--------------|-------------|------------------|---------------------------------|-------------------|-------|-------------|
| MPLS (Leased Line)                | 99.9%        | 0.1%        | 1:1              | Latency, Loss, and Availability | 4 hours           | $$$$$ | 30-180 days |
| Dedicated Internet Access (Fiber) | 99.9%        | ~0.5%       | 1:1              | Loss and Availability           | Next business day | $$$$  | 30-180 days |
| Broadband                         | 99%          | ~1%         | 1:20             | None                            | Best effort       | $     | < 7 days    |
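The availability figures in the table above make the earlier claim (two Internet last miles can beat MPLS uptime) checkable. This added example, not code from the eBook or from Cato Networks, composes per-link availabilities of parallel last-mile circuits under the independence assumption that diverse routing is meant to justify, and shows how a shared physical component (the duct, fiber or ISP core the page warns about) erodes the gain. The shared-duct outage figure is constructed.

```python
import math

# Availability figures from the table above, as fractions.
MPLS = 0.999
DIA = 0.999
BROADBAND = 0.99

MINUTES_PER_YEAR = 365 * 24 * 60


def parallel_availability(links, shared_unavailability=0.0):
    """Availability of a site that stays reachable while ANY of its links is up.

    links: availabilities of the individual last-mile circuits. They are
    assumed to fail independently, except for one component that all of
    them pass through (same duct, same fiber, same ISP core) whose
    unavailability is passed separately and sits in series with the group.
    That is the "diverse routing" caveat: shared infrastructure caps the gain.
    """
    all_links_down = 1.0
    for a in links:
        all_links_down *= 1.0 - a
    return (1.0 - all_links_down) * (1.0 - shared_unavailability)


def downtime_minutes_per_year(availability):
    """Expected minutes per year the site is unreachable."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def nines(availability):
    """Leading nines, e.g. 0.99999 -> 5. Rounded before flooring so float
    noise (1 - 0.99999 is not exactly 1e-5) does not lose a nine."""
    return math.floor(round(-math.log10(1.0 - availability), 6))


def compare_designs():
    """Candidate last-mile designs for one site against a single MPLS line."""
    designs = {
        "single MPLS": ([MPLS], 0.0),
        "single broadband": ([BROADBAND], 0.0),
        "DIA + broadband, diverse routing": ([DIA, BROADBAND], 0.0),
        "two broadband, diverse routing": ([BROADBAND, BROADBAND], 0.0),
        # Constructed case: both circuits enter the building through one
        # duct that is itself cut or flooded 0.1% of the time.
        "two broadband, shared duct (0.1% down)": ([BROADBAND, BROADBAND], 0.001),
    }
    report = {}
    for name, (links, shared) in designs.items():
        a = parallel_availability(links, shared)
        report[name] = {
            "availability": a,
            "nines": nines(a),
            "downtime_min_per_year": round(downtime_minutes_per_year(a), 1),
            "beats_mpls": a > MPLS,
        }
    return report


if __name__ == "__main__":
    for name, row in compare_designs().items():
        print(f"{name:40s} {row['availability']:.6f}  {row['nines']} nines  "
              f"{row['downtime_min_per_year']:7.1f} min/yr  beats MPLS: {row['beats_mpls']}")
```

DIA plus broadband with truly diverse routing reaches five nines on these figures; two broadband lines sharing one duct that fails 0.1% of the time fall below a single MPLS line.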


Match Last Mile to Business Requirements

By coupling the right last-mile service with specific SD-WAN features, you can address a diverse range of network and business requirements. Minimize packet loss, for example, with DIA as the primary and, ideally, secondary connection. Loss can be further reduced with packet loss correction technologies.

Mix and match Internet technologies to reduce site-deployment windows. Rather than mandating 90-day notice for new sites, SD-WAN allows you to open offices in a matter of days (with broadband) or even immediately (with 4G). Connections can be upgraded to DIA when available.

It’s often assumed that the Internet cannot match MPLS performance, but that’s not exactly true. Through a combination of SD-WAN features, multipathing, and the right Internet service you can meet application service requirements while reducing costs and improving agility.

3. Decide on Your Middle Mile

Whereas the last mile faces challenges of availability and packet loss, the sheer length of the middle mile makes latency and predictability the major issues. For those who want to avoid carrier lock-in, there are two middle-mile choices — the public Internet and global managed backbones.

The Public Internet is well suited for low-cost, best-effort services. The already high latency of the middle mile is only exacerbated by the routing policies of the public Internet, which are optimized for business concerns, not application performance. Packet loss particularly becomes a problem in the Internet core when providers exchange traffic at congested, public peering points.

Global Managed Backbones are low-cost alternatives to MPLS. Locations establish encrypted tunnels across Internet last-mile services to one of the points of presence (PoPs) constituting the backbone. Traffic is sent across the backbone, exits through the PoP closest to the destination, and continues through the last mile terminating at the final location.


What to Look for in a Middle Mile

By avoiding the public Internet, managed backbones eliminate the latency introduced by Internet routing and the congestion of public peering points. Global managed backbones should also optimize traffic and use application-aware routing to select the optimum path for each packet, even if that path is not the most direct one.

Check that the backbone has sufficient resilience and geographic coverage. To minimize blackouts and brownouts, the PoPs constituting the backbone should be fully redundant, and sites should be able to automatically connect to alternate PoPs in the event of an outage. As for coverage, PoPs should be located within 25 milliseconds of your locations. Global, managed backbones will be more expensive than the public Internet but should be far less expensive than MPLS.

Middle-Mile Attributes:

MPLS
- Performance: Very good; excellent performance with the least latency and packet loss when connecting locations. However, often adds latency when accessing the cloud and the Internet, and lacks mobile support.
- Availability: Very good; core availability is excellent, but high costs often make last-mile redundancy impractical. Still, support teams address outages within specified windows.
- Coverage: Very good; MPLS network providers partner with one another to expand their footprint. Support teams will still manage the network end-to-end. However, costs often increase and control might be more limited.
- Price: Poor; as fully managed services, MPLS comes at a high premium. Even unmanaged services will be more expensive than competing middle-mile architectures.

Internet
- Performance: Average; unpredictable Internet routing and congestion at peering points may mean latency/loss will be great one day and terrible the next.
- Availability: Good; the Internet core might be unpredictable but rarely fails completely. Last-mile availability will depend on implementation.
- Coverage: Excellent; the Internet core is everywhere, available from anywhere.
- Price: Excellent; the Internet is the most affordable service, with a range of pricing options depending on the configuration.

Global backbone
- Performance: Very good; as managed networks, global backbones offer latency/loss very close to MPLS and far better than the Internet. Will also use optimum routing for improving cloud delivery. Mobility support will be implementation dependent.
- Availability: Very good; core and last mile should be fully redundant. Should a PoP fail, backbones should automatically switch locations to the next nearest PoP.
- Coverage: Good; global backbones will have global coverage of some sort, but how much will be implementation dependent. PoPs need not share the same city as your locations provided last-mile access is within 25 milliseconds.
- Price: Very good; global backbones will be more expensive than the Internet core but far less expensive than MPLS.


4. Engineer Your End-to-End Network Architecture

MPLS to Internet Conversion

In dealing with hundreds of customers, Cato Networks has found that MPLS connections can be effectively replaced by a combination of DIA and broadband services in the last mile and a private backbone in the middle mile.

A medium-sized branch office with a single MPLS connection and no backup, for example, should migrate to symmetrical fiber with 1x-1.5x the bandwidth of MPLS and a second, broadband link with 2x-5x MPLS capacity.

The additional bandwidth reflects the shift in quality and need for capacity. DIA provides approximately the same last-mile quality attributes as MPLS for business-critical applications, with the slight increase in capacity reflecting the difference. The broadband link delivers additional redundancy and a capacity boost missing from MPLS. Using a global backbone in the middle mile completes the picture, providing an end-to-end connection with latency and packet loss close to MPLS, but with far more capacity and a much lower price point.

And What About SLAs?

Companies who’ve shifted from MPLS to an Internet-based SD-WAN often find that sound engineering is a far better predictor of network performance than service levels written in ways to be difficult for customers to enforce.

MPLS to Internet Migration

| Tier | Current Connection | New Link 1   | Link 1 Capacity | New Link 2   | Link 2 Capacity |
|------|--------------------|--------------|-----------------|--------------|-----------------|
| T1   | MPLS + Internet    | DIA          | 1x-1.5x MPLS    | Keep current |                 |
| T2   | Single MPLS        | DIA          | 1x-1.5x MPLS    | Broadband    | 2x-5x MPLS      |
| T3   | Dual Internet      | Keep current |                 |              |                 |
| T4   | Single Internet    | Keep current |                 |              |                 |
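As an added example (not code from the eBook or from Cato Networks), the Site Categorization Map and the MPLS to Internet Migration table above encoded as data and applied to a constructed site inventory: each site is placed in a tier, the new links are sized from the site's current MPLS capacity, and sites whose ratings fit no group are flagged for review rather than given a one-off configuration, which is the "snowflake" the categorization step is meant to prevent. Site names and capacities are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Site Categorization Map: (uptime, performance, cost) -> tier.
TIER_MAP = {
    ("high", "high", "high"): "T1",       # large site
    ("medium", "high", "medium"): "T2",   # medium site
    ("medium", "medium", "low"): "T3",    # small site with failover
    ("low", "low", "low"): "T4",          # small site
}

# MPLS to Internet Migration table. Each link is (service, range of capacity
# multipliers relative to the current MPLS capacity); None means the existing
# link stays as it is.
MIGRATION = {
    "T1": {"current": "MPLS + Internet",
           "links": [("DIA", (1.0, 1.5)), ("Keep current", None)]},
    "T2": {"current": "Single MPLS",
           "links": [("DIA", (1.0, 1.5)), ("Broadband", (2.0, 5.0))]},
    "T3": {"current": "Dual Internet", "links": [("Keep current", None)]},
    "T4": {"current": "Single Internet", "links": [("Keep current", None)]},
}


@dataclass
class Site:
    name: str
    uptime: str                       # "low" | "medium" | "high"
    performance: str
    cost: str
    current: str                      # how the site is connected today
    mpls_mbps: Optional[int] = None   # current MPLS capacity, if any


def classify(site: Site) -> Optional[str]:
    """Tier from the categorization map, or None when the ratings match no
    group. An unmatched site is a would-be "snowflake": flag it for review
    rather than inventing a fifth category on the spot."""
    return TIER_MAP.get((site.uptime, site.performance, site.cost))


def plan(site: Site) -> dict:
    """Migration plan for one site: tier, new links with sized capacity, and
    warnings wherever the inventory disagrees with the tier's assumptions."""
    tier = classify(site)
    if tier is None:
        return {"site": site.name, "tier": None, "links": [],
                "warnings": ["ratings match no tier; review before migrating"]}
    row = MIGRATION[tier]
    result = {"site": site.name, "tier": tier, "links": [], "warnings": []}
    if site.current != row["current"]:
        result["warnings"].append(
            f"current connection {site.current!r} differs from tier default {row['current']!r}")
    for service, mult in row["links"]:
        link = {"service": service}
        if mult is not None:
            if site.mpls_mbps is None:
                result["warnings"].append(f"{service}: no MPLS capacity recorded, cannot size")
            else:
                link["min_mbps"] = int(site.mpls_mbps * mult[0])
                link["max_mbps"] = int(site.mpls_mbps * mult[1])
        result["links"].append(link)
    return result


def plan_inventory(sites):
    """Plan every site; the result is keyed by site name."""
    return {s.name: plan(s) for s in sites}


# Constructed inventory for illustration.
INVENTORY = [
    Site("HQ", "high", "high", "high", "MPLS + Internet", 200),
    Site("Branch-17", "medium", "high", "medium", "Single MPLS", 20),
    Site("Kiosk-3", "medium", "medium", "low", "Dual Internet"),
    Site("Lab-2", "high", "low", "low", "Single MPLS", 10),   # matches no group
]

if __name__ == "__main__":
    for name, p in plan_inventory(INVENTORY).items():
        print(name, p["tier"], p["links"], p["warnings"])
```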


5. Procure Your Last-Mile Services

With last- and middle-mile services identified, you’re able to determine whether to keep procurement in-house or outsource to a last-mile aggregator who will manage the full procurement process using specific partnering providers or ISPs around the globe.

What is Procurement?

To be clear, by procurement we mean the process of evaluating and selecting ISPs, and managing those relationships, which includes the full lifecycle of the last-mile service — contract negotiations, site deployment, invoicing and payment, working with the provider to resolve any network problems, and more.

In-house or Outsource?

At first, consolidating procurement with an aggregator sounds like the smart choice. It gives IT “one throat to choke” in the event of a last-mile problem and simplifies acquisition. But outsourcing acquisition also comes with a significant uptick in cost.

What’s more, when procurement is kept in-house, organizations can:

- Save on the provider’s margin
- Leverage their existing providers
- Switch to providers with better networks
- Meet personal or organizational supplier preferences
- In general, have more control over last-mile selection


Logistical Considerations

Budget aside, there are several considerations to determine which procurement approach is right for your organization:

Monitoring and Troubleshooting

While it’s true that good engineering and smart ISP selection can prevent many last-mile headaches, it’s also true that you need to plan for troubleshooting last-mile problems. Centralized monitoring of all last miles should be part of any good SD-WAN solution. As for troubleshooting, many organizations find that documenting the right phone numbers to call and people to contact at the local ISPs in advance, and, if necessary, hiring another IT resource closer to the local time zone, can meet their troubleshooting requirement and still save on procurement costs.

Accounting Issues

Billing, invoicing, currency conversion — the accounting issues of managing many ISPs may already be addressed by your accounting team. If not, see what’s required to put them into place. Aggregators will also supply those services.

Site Surveys

On-site evaluations can be important for new installations, particularly when deploying LTE or other wireless infrastructure whose performance is impacted by environmental factors. If you’re not positioned to conduct local site surveys, be prepared to find a local partner or provider who can meet that need.

SD-WAN solutions should provide centralized monitoring of and detailed insight into all last-mile connections.


The WAN Beyond the SD-WAN

As we’ve seen, there are alternatives to high-priced MPLS services. You will need the right mix of redundancy, last- and middle-mile services, and SD-WAN features. Migrating sites off of MPLS, though, is only the first chapter in the WAN transformation story.

Organizations often find reevaluating other dimensions of the network when assessing their WAN helpful in improving overall IT agility and efficiency. This is particularly true as WAN transformation, and more broadly changes in the way we work, raise considerations that many MPLS network designs never needed to accommodate.

Security is a case in point. Many companies with MPLS implementations will find local Internet breakout, recommended for branch offices in an SD-WAN, difficult, if not impossible, to implement with their centralized security architectures.

The complexities associated with the new tenants of the modern WAN — cloud resources and mobile users — are another set of examples to consider when rethinking the WAN. Cloud resources are accessed by SD-WAN users, and SD-WAN users frequently become mobile users outside of the office.

And finally, while we’ve spent a great deal of time discussing SD-WAN-related deployment issues, we haven’t discussed how to administer and run the new network. SD-WAN introduces a range of new management possibilities that will allow you to operate leaner and be more responsive than was possible with carrier-managed MPLS services. Which is right for you? We’ll explore those management choices, as well as the branch security, cloud, and mobility issues, in part 2 of our network transformation strategy.


Global Backbone. Cloud-Based SD-WAN. Firewall as a Service. All in One

The Cato Approach

Cato Cloud is a self-service (or optionally, fully managed) SD-WAN service that not only connects but also protects all the enterprise network elements, including branch locations, the mobile workforce, physical and cloud datacenters, and cloud applications, into a global, encrypted and optimized SD-WAN in the cloud. The Cato Cloud network is a globally managed backbone that provides affordable, SLA-backed connectivity.

With all WAN and Internet traffic consolidated in the cloud, Cato can protect the complete enterprise with a full set of optional security services that include NGFW, SWG, IPS and more, all backed by Cato’s security team that proactively hunts and identifies threats on customer networks.

To see how Cato can help your company visit:

www.CatoNetworks.com

@CatoNetworks


Appendix: How SD-WAN Brings Five 9s Availability to the Internet Last Mile

As much as we might like guarantees, networking teams have long complained about service level agreements (SLAs). They’re difficult to enforce, written to favor the carriers, and any credits can never cover outage impact. Some SD-WAN services might offer SLAs, but it’s primarily the redundant design enabled by Internet affordability that enables SD-WAN to meet and exceed MPLS uptime.

To deliver uptime in your SD-WAN, start with the access services. They should share no physical components — what’s called diverse routing. Since even competing terrestrial services often share fiber, ducting, etc., many organizations rely on LTE for a secondary or tertiary connection.

Configure SD-WAN appliances in high availability (HA) mode. Cato’s affordable HA provides appliance redundancy without additional ongoing costs. In the event of an appliance failure, traffic is sent to the secondary appliance.

The appliances will monitor and load balance the last-mile connections. They’ll use loss correction features, such as packet duplication, to overcome line problems. Should there be a slow-down (brownout) elsewhere in the network or a line failure (blackout), appliances automatically steer traffic around the outage, failing over completely to the secondary connection, if necessary (and failing back based on defined policies). Taken together with proper middle-mile redundancy, SD-WAN services can deliver better-than-MPLS uptime even when using the Internet.
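The monitoring, brownout/blackout steering and policy-based fail-back described in the last paragraph, as an added example (not code from the eBook or from Cato Networks): a small link-health state machine with hysteresis, so that a single dropped probe does not trigger a failover and a recovering primary does not pull traffic back until it has been clean for a configured window. Thresholds, link names and the probe timeline are constructed; the event list is the audit trail a monitoring team would alert on.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    brownout_loss: float = 0.02         # recent loss fraction that counts as a brownout
    brownout_latency_ms: float = 150.0  # latency that counts as a brownout
    blackout_misses: int = 3            # consecutive lost probes before declaring a blackout
    failback_healthy: int = 5           # clean primary probes required before failing back


@dataclass
class Probe:
    lost: bool                  # probe did not come back at all
    loss_rate: float = 0.0      # recent loss fraction measured on the link
    latency_ms: float = 0.0


@dataclass
class Link:
    name: str
    state: str = "up"           # up | brownout | blackout
    missed: int = 0             # consecutive lost probes
    healthy: int = 0            # consecutive clean probes


def update(link: Link, p: Probe, pol: Policy) -> str:
    """Advance one link's health state from a single probe result."""
    if p.lost:
        link.missed += 1
        link.healthy = 0
        if link.missed >= pol.blackout_misses:   # a lone dropped probe is tolerated
            link.state = "blackout"
        return link.state
    link.missed = 0
    if p.loss_rate > pol.brownout_loss or p.latency_ms > pol.brownout_latency_ms:
        link.healthy = 0
        link.state = "brownout"
    else:
        link.healthy += 1
        link.state = "up"
    return link.state


class Steering:
    """Picks the active last mile between a primary and a secondary link."""

    def __init__(self, primary: str, secondary: str, pol: Policy):
        self.links = {"primary": Link(primary), "secondary": Link(secondary)}
        self.pol = pol
        self.active = "primary"
        self.events = []   # (round, from, to, reason)

    def step(self, n: int, probes: dict) -> str:
        for role, link in self.links.items():
            update(link, probes[role], self.pol)
        prim, sec = self.links["primary"], self.links["secondary"]
        want, reason = self.active, ""
        if self.active == "primary" and prim.state != "up" and sec.state != "blackout":
            want, reason = "secondary", f"primary {prim.state}"
        elif self.active == "secondary":
            if prim.healthy >= self.pol.failback_healthy:   # fail back only after the window
                want, reason = "primary", "primary healthy for fail-back window"
            elif sec.state == "blackout" and prim.state != "blackout":
                want, reason = "primary", "secondary blackout"
        if want != self.active:
            self.events.append((n, self.active, want, reason))
            self.active = want
        return self.active


def demo():
    """Constructed probe timeline: a brownout, a recovery, then a hard outage."""
    ok = Probe(False, 0.001, 40.0)
    probes = [(ok, ok)]                          # round 0: both links clean
    probes += [(Probe(False, 0.05, 40.0), ok)]   # round 1: primary loses 5% -> brownout
    probes += [(ok, ok)] * 5                     # rounds 2-6: primary clean again
    probes += [(Probe(True), ok)] * 3            # rounds 7-9: primary probes lost -> blackout
    s = Steering("dia-fiber", "cable-broadband", Policy())
    actives = [s.step(n, {"primary": p, "secondary": q}) for n, (p, q) in enumerate(probes)]
    return actives, s.events
```

In the constructed run, traffic moves to the secondary at round 1, returns at round 6 once the primary has been clean for five probes, and moves again at round 9 after three consecutive lost probes (rounds 7 and 8 are tolerated).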