1. SD WAN:
MPLS VPN disruption or enhancement?
Fahim Sabir
Director of Architecture & Development, Colt On Demand
04 October 2017 SD WAN: MPLS VPN disruption or enhancement? 1
2. Colt networking solutions
and our customers
─ Launched MPLS based services in early 2000s
─ 1000s of customers
─ Range from 10s to 1000s of sites, all over the world
─ Across all sectors: Finance, Media, Manufacturing, Transport,
etc.
─ Typically headquartered in major European and Asian cities
where we have a fibre presence
─ Launched IPSec sites tunnelled over the internet in late
2000s, long before SD WAN came into existence
─ Introduced SD-WAN capability into our networking solutions in
2016, partnering with Versa Networks for the platform
3. The CIO challenge hasn’t really changed
─ Do more with less
─ Exponential growth in bandwidth requirements – Gbps world
─ Greater agility
─ Highly distributed organisations, all sites need connectivity
─ Measured by spend and application performance
─ Consumer experiences have set the bar much higher
─ Self-service no longer a ‘nice to have’
─ Need the cutting edge without the disruption of a big migration
4. Both MPLS and IPSec over Internet have
pros and cons
MPLS
― High level of guaranteed performance
― Very expensive per Gbps, especially for
off-net locations
Use when applications are latency, performance
and security sensitive
IPSec over Internet
― Performance not guaranteed
― Commodity connectivity which is cheaper
and available everywhere
Use when bandwidth is key and performance is
not critical or can’t be controlled
5. Connectivity isn’t what makes
SD WAN special. The intelligence
and service experience we can add
to the connectivity is.
6. Almost every networking solution
RFI received by Colt in the last 18
months has requirements that are
best solved by SD WAN
capabilities, whilst demanding
performance, security and reliability
that can only be delivered by an
MPLS underlay, at a price point
closer to commodity internet
connectivity.
7. High level architecture
[Architecture diagram; labels: MPLS, Internet, x86 CPEs, Cloud, MPLS SD WAN Gateways, Control, MPLS IPVPN, Internet IPSec, Director and Analytics, Custom Portal, BSS/OSS systems, Traditional CPEs, Firewall VNF]
― Versa Networks based platform
― Commodity Atom based CPEs – alternate option high performance Xeon D
based CPE due 2017Q4
― VNFs on CPE to provide additional value, currently firewall, others planned
― Direct site-to-site IPSec tunnels where connectivity is over the Internet
― Custom portal offering control and analytics
― Integrated to existing MPLS architecture
― Integrated to existing BSS/OSS platforms
8. Architecture benefits
─ Delivers a good balance of cost, performance, security and
agility without sacrificing on any of these
─ The customer can validate the SD WAN capability without
committing to a big network rollout or migration
─ The customer can execute the migration to a full SD-WAN
based solution on a rolling basis
─ End-to-end service assurance from a single operator across
‘legacy’ and next generation networks.
9. Challenge #1: Expensive off-net MPLS connectivity
Solution: Hybrid MPLS and IPSec over
Internet connectivity
― Premium (MPLS) and value (IPSec over Internet) paths
back to the network
― Default path for each type of traffic, determined by basic
layer 4 analysis, or DPI (2017Q4)
― Alternate path for each type of traffic based on some
steering criteria (latency, available bandwidth)
― Self-service policy setting
― Analytics
[Diagram; labels: MPLS, Internet, x86 CPE, Cloud, MPLS SD WAN Gateway, MPLS IPVPN, Internet IPSec]
10. Challenge #2: Exploding internet bandwidth requirements
[Diagram; labels: MPLS, Internet, x86 CPE, Cloud, MPLS SD WAN Gateway, MPLS IPVPN, Internet IPSec]
Solution: Local internet breakout
― Traditionally, central gateways were used to break out from the
MPLS core
― Premium bandwidth is reserved for applications that
need it
― Internet services that rely on geolocation work as they
should
― Improved latency for remote sites
11. Challenge #3: Internet security threats
[Diagram; labels: MPLS, Internet, x86 CPE, Cloud, MPLS SD WAN Gateway, MPLS IPVPN, Internet IPSec]
Solution: Firewall VNF
― Layer 4 firewall.
― Logging
― Analytics of rule hits
― Resides on the same CPE, additional
hardware not needed
― Multiple firewall types supported (due
2018)
12. Development continues…
Near term developments include…
― Dual CPE support, with load balancing/redundancy
― More than 2 connections
― Advanced firewall and steering capabilities
― Advanced analytics
― Sub-networks/multi-VRF support
― High performance Xeon D based CPE
― More network functions (application optimisation)
― Support for MPLS only connectivity with an x86 CPE
13. Learnings as an operator
― Feature parity is expected with the network solutions
customers already have. Even the basic stuff needs to be
rebuilt from scratch
― Customer pipeline initially drives the roadmap, because
demand is greater than development velocity
― Customer experience implications must drive every decision
― The commodity compute+software world is very different
from the custom hardware world. For everyone
― Service assurance models need to be rethought for
networks which are part on-net and part overlay
― There aren’t many people available in the market with the
technical skills needed. Cross training is key
― A close working relationship with your SD WAN platform
vendor is a necessary foundation