sd wan mpls service disruption or enhancement

SD WAN: MPLS VPN disruption or enhancement?

Fahim Sabir

Director of Architecture & Development, Colt On Demand

04 October 2017 SD W AN: MPLS VPN d isrupt ion or enhancement? 1

Colt networking solutions and our customers

─ Launched MPLS based services in early 2000s

─ 1000s of customers

─ Range from 10s to 1000s of sites, all over the world

─ Across all sectors: Finance, Media, Manufacturing, Transport,

etc.

─ Typically headquartered in major European and Asian cities

where we have a fibre presence

─ Launched IPSec sites tunnelled over the internet in late

2000s, long before SD WAN came into existence

─ Introduced SD-WAN capability into our networking solutions in

2016, partnering with Versa Networks for the platform



The CIO challenge hasn’t really changed

─ Do more with less

─ Exponential growth in bandwidth requirements – Gbps world

─ Greater agility

─ Highly distributed organisations, all sites need connectivity

─ Measured by spend and application performance

─ Consumer experiences have set the bar much higher

─ Self-service no longer a ‘nice to have’

─ Need the cutting edge without the disruption of a big migration

Both MPLS and IPSec over Internet have pros and cons

MPLS― High level of guaranteed performance

― Very expensive per Gbps, especially for off-net locations

Use when applications are latency, performance and security sensitive


IPSec over Internet― Performance not guaranteed

― Commodity connectivity which is cheaper and available everywhere

Use when bandwidth is key and performance is not critical or can’t be controlled

Connectivity isn’t what makes

SD WAN special. The intelligence

and service experience we can add

to the connectivity is.


Almost every networking solution

RFI received by Colt in the last 18

months has requirements that are

best solved by SD WAN

capabilities, whilst demanding

performance, security and reliability

that can only be delivered by an

MPLS underlay, at a price point

closer to commodity internet

connectivity.


High level architecture

MPLS Internet

x86 CPEs

Cloud

MPLS SD WAN

Gateways

x86 CPEs

Control

MPLS IPVPN

Internet

IPSec

Director and

Analytics

Custom Portal

BSS/OSS

systems

Traditional

CPEs

Firewall VNF

Firewall VNF


― Versa Networks based platform

― Commodity Atom based CPEs – alternate option high performance Xeon D based CPE due 2017Q4

― VNFs on CPE to provide additional value, currently firewall, others planned

― Direct site-to-site IPSec tunnels where connectivity is over the Internet

― Custom portal offering control and analytics

― Integrated to existing MPLS architecture

― Integrated to existing BSS/OSS platforms

Architecture benefits

─ Delivers a good balance of cost, performance, security and

agility without sacrificing on any of these

─ The customer can validate the SD WAN capability without

committing to a big network rollout or migration

─ The customer can execute the migration to a full SD-WAN

based solution on a rolling basis

─ End-to-end service assurance from a single operator across

‘legacy’ and next generation networks.


Challenge #1: Expensive off-net MPLS connectivity

Solution: Hybrid MPLS and IPSec over Internet connectivity

― Premium (MPLS) and value (IPSec over Internet) paths back to the network

― Default path for each type of traffic, determined by basic layer 4 analysis, or DPI (2017Q4)

― Alternate path for each type of traffic based on some steering criteria (latency, available bandwidth)

― Self-service policy setting

― Analytics

MPLS Internet

x86 CPE

Cloud

MPLS SD WAN

Gateway

x86 CPE

MPLS IPVPN

Internet

IPSec

9

Challenge #2: Exploding internet bandwidth requirements


MPLS Internet

x86 CPE

Cloud

MPLS SD WAN

Gateway

x86 CPE

MPLS IPVPN

Internet

IPSecSolution: Local internet breakout

― Traditional used central gateways to break out from the MPLS core

― Premium bandwidth is reserved for applications that need it

― Internet services that rely on geolocation work as they should

― Improved latency for remote sites

Challenge #3: Internet security threats

04 October 2017 11

MPLS Internet

x86 CPE

Cloud

MPLS SD WAN

Gateway

x86 CPE

MPLS IPVPN

Internet

IPSecSolution: Firewall VNF

― Layer 4 firewall.

― Logging

― Analytics of rule hits

― Resides on the same CPE, additional hardware not needed

― Multiple firewall types supported (due 2018)

Development continues…

Near term developments include…

― Dual CPE support, with load balancing/redundancy

― More than 2 connections

― Advanced firewall and steering capabilities

― Advanced analytics

― Sub-networks/multi-VRF support

― High performance Xeon D based CPE

― More network functions (application optimisation)

― Support for MPLS only connectivity with an x86 CPE



Learnings as an operator

― Feature parity is expected with the network solutions

customers already have. Even the basic stuff needs to be

rebuilt from scratch

― Customer pipeline initially drives the roadmap, because

demand is greater than development velocity

― Customer experience implications must drive every decision

― The commodity compute+software world is very different

from the custom hardware world. For everyone

― Service assurance models need to be rethought for

networks which are part on-net and part overlay

― There aren’t many people available in the market with the

technical skills needed. Cross training is key

― A close working relationship with your SD WAN platform

vendor is a necessary foundation

Thank you


sd wan mpls service disruption or enhancement

Technology