Macquarie Telecom has led the way with SD-WAN solutions with the largest number of networks deployed, not only in Australia, but across Asia Pacific. Leveraging VeloCloud’s world-leading SD-WAN technology, and building on the challenges and opportunities we’ve identified along the way, Macquarie has been learning, improving and finessing our design.
This is our SD-WAN Scars and Stars story.
Part 2: SD-WAN Build
Application prioritisation and tuning
One of the Scars from Macquarie’s early SD-WAN deployments was the ‘application priority’ tuning process for customers. Many of our customers are not aware of every application running across their network, nor did they know the traffic volumes, especially hourly traffic profiles and during peak hours. So, despite customer guidance on traffic dimensioning, many of the initial network deployments required further tuning to optimise application, site and end-user performance.
We managed to turn this situation into a Star by developing customer application profiles that let customers identify and communicate their key application types. This vastly improved our ability to deploy networks rapidly and correctly the first time. Armed with these application profiles, Macquarie’s build engineers map the applications into the SD-WAN Orchestrator’s “Business Profiles” and can then readily export those policies across the SD-WAN gateways and customer edge devices. A week or two after network cutover, our build engineers review the network, traffic and performance via the VeloCloud network management centre, the Orchestrator, and complete the fine tuning of applications with customers.
VeloCloud SD-WAN has essentially matrixed nine classes of service, first by priority (high, normal and low) and then by traffic class (real-time, transactional and bulk).
[Figure: SD-WAN nine traffic classes by application]
Because the SD-WAN edge is application aware and recognises over 3,000 apps, key customer apps can be accurately mapped into the correct cell of the prioritisation matrix. For example, a customer may want Office 365 at high priority, general web browsing as normal, and Netflix blocked. But all of these are port 443 / HTTPS traffic, which MPLS cannot readily differentiate and hence treats as the same traffic class. The application-aware SD-WAN can readily implement these traffic policies. Absolutely a Star feature.
What applications are running?
Naturally, it is always a source of some humour to observe that, after enabling SD-WAN in their network, the customer invariably finds applications that even they were unaware of. This often leads to customers doing an internal dive to find out which users are running rogue applications.
Let’s look at a couple of examples:
Applications like company video broadcasts can create network bottlenecks because the high-bandwidth traffic contends with other apps. But mapping the video traffic into the high / real-time class ensures the corporate video gets network priority for the CEO’s 30-minute announcement.
Remote branches sometimes suffer from bandwidth constraints. One of our mining services customers had end users in a remote branch unable to run core applications like ERP. A review of the applications running on that SD-WAN edge identified multiple Netflix streams congesting the link. Some quick application prioritisation changes in the Orchestrator easily remediated that site’s performance.
VeloCloud’s ability to identify over 3,000 apps, and the ability to easily tune “Business Policies”, is a great benefit to our customers’ end-user experience and consequently another Star.
Voice
Voice remains one of the most highly sensitive user applications. Echo, delay, chop, crackles, packet drop – all the realm of MOS (Mean Opinion Score) voice quality measurements. Building a quality voice service across a private SD-WAN is a common and critical business application. Macquarie has an MPLS network with an underlying voice VRF mapping the voice SIP calls to a private SBC (Session Border Controller). Because we control our own network and the SD-WAN gateways, we can carry voice traffic securely and privately across our network and not the internet. For off-net calls, we interface to transit carriers for termination. We can actively monitor and measure the quality of every call through Macquarie’s online management tool – InView.
Macquarie’s investment in managing our own SD-WAN Gateways has been a major competitive difference in being able to manage and report on every voice call. This investment in core SD-WAN gateway infrastructure has therefore proven itself to be a Star. VeloCloud, of course, recognises this voice application and treats it as ‘real-time / normal’ or ‘real-time / high’ (per the table above) to provide high-quality SIP calls.
Legacy Network Migration
Let’s be realistic: there are very few brand-new networks in the business and government world. Typically, we are migrating from older technology to newer technology, or from one service provider to another. So how do you migrate with low risk from the traditional MPLS network to this new SD-WAN network? The good news is that we don’t have to do a Big Bang cutover of all links simultaneously.
SD-WAN’s ability to run ‘over-the-top’ of MPLS, internet and third-party networks makes the migration a low-risk proposition. Indeed, many customer network links may have different carrier contract term dates. So, the ability to stage the migration from all network accesses over time is an ideal use case for SD-WAN services.
Historically, most business, government and enterprise wide area networks were based on MPLS architecture. Migration from MPLS to SD-WAN is achieved by mapping the MPLS QoS DSCP markings into SD-WAN business policies. However, this does not utilise the full feature set of VeloCloud’s SD-WAN, which natively recognises over 3,000 applications. Whilst MPLS has four or six QoS queues, customers historically mapped broad ‘traffic types’ into QoS queues rather than applications.
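As an added illustration (written for this page, not Macquarie’s or VeloCloud’s configuration), the following Python models the nine-cell priority/class matrix described above, a legacy DSCP-to-policy mapping used as a fallback during migration, and the application-aware rule that takes precedence over it. All application names, DSCP values and policy choices are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PRIORITIES = ("high", "normal", "low")
CLASSES = ("real-time", "transactional", "bulk")
Policy = Optional[Tuple[str, str]]  # (priority, class), or None meaning "block"

# Constructed legacy mapping: the customer's MPLS queues carried broad traffic
# types, so each DSCP marking lands on one of the nine cells as a starting point.
DSCP_TO_POLICY = {
    46: ("high", "real-time"),        # EF: voice queue
    34: ("normal", "real-time"),      # AF41: video queue
    26: ("normal", "transactional"),  # AF31: business data queue
    0: ("low", "bulk"),               # best effort: everything else
}

# Constructed application policies for an app-aware edge (names assumed).
APP_POLICY = {
    "office365": ("high", "transactional"),
    "sip-voice": ("high", "real-time"),
    "web-browsing": ("normal", "transactional"),
    "netflix": None,  # blocked
}

@dataclass
class Flow:
    app: Optional[str]  # application identified by the edge, None if unrecognised
    dscp: int           # DSCP marking inherited from the legacy network
    dst_port: int

def validate_policies() -> bool:
    """Every configured cell must exist in the 3x3 matrix."""
    cells = [p for p in list(DSCP_TO_POLICY.values()) + list(APP_POLICY.values()) if p]
    return all(pr in PRIORITIES and cl in CLASSES for pr, cl in cells)

def classify(flow: Flow) -> Policy:
    """Application match wins; the legacy DSCP marking is only the fallback
    for traffic the edge does not recognise (the migration path in the text)."""
    if flow.app in APP_POLICY:
        return APP_POLICY[flow.app]
    return DSCP_TO_POLICY.get(flow.dscp, ("low", "bulk"))

def port_only_classify(flow: Flow) -> Policy:
    """What a port-based classifier sees: all HTTPS collapses into one class."""
    return ("normal", "transactional") if flow.dst_port == 443 else ("low", "bulk")

if __name__ == "__main__":
    for name in ("office365", "web-browsing", "netflix"):  # all port 443, unmarked
        f = Flow(name, 0, 443)
        print(f"{name:13} port-based={port_only_classify(f)}  app-aware={classify(f)}")
```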
Some customers choose a staged migration from MPLS to SD-WAN to prove the technology solution, while others go for big bang cutovers. Because Macquarie has invested in SD-WAN gateway infrastructure across Australia, we can readily map MPLS sites/networks into SD-WAN; that is, create a hybrid MPLS / SD-WAN network. Seamless connectivity between the MPLS and SD-WAN networks is integrated in the carrier core by mapping the MPLS VRF into SD-WAN VLANs. This allows customers to migrate legacy sites when they are ready. Legacy MPLS sites are interconnected securely and seamlessly with the SD-WAN network, and no additional appliance is required. Few carriers can do this – another Star.
Configuring sites, apps, & routes
Defining and configuring the SD-WAN gateways and edge devices, as well as the customer site profiles, business application policies and network services, requires a great depth of understanding of the customer requirements and their existing network. Configuring the SD-WAN gateway largely depends on the customer network design: local or centralised internet breakout, and network topology. Configuring the SD-WAN edge devices considers routing, applications, source / destination ports, firewall policy, DNS, WAN settings, etc., and requires a detailed design and data capture methodology. Through Macquarie’s sales and delivery process, we have identified several key milestones and artefacts in completing the customer detailed design and build.
The customer macro-design is developed during the pre-sales process and captures all the high-level network requirements such as speeds, topology and routing, resilience / HA requirements, business requirements, site information, etc. The customer’s business applications, application priorities and their routing preferences are also documented.
The Customer Micro-design is the output from detailed technical workshops with the customer and our build engineers.
Sophisticated configuration tools
Fortunately, VeloCloud has developed the concept of Profiles, which can be readily applied to each site. For example, a typical customer network will have a HQ, a data centre, cloud connectivity, and, say, four major state offices and 40 branch offices. A profile will be defined specifically for the HQ, DC, cloud, one state office and one branch office. The configuration for the other three state offices and 39 branch offices can then be deployed with a few keystrokes from the Orchestrator. This is a massive saving in time and effort, provides consistency of design throughout the network, and remains a Star.
Proof of concepts
Let’s call it out – SD-WAN is the most significant change in networking architecture since Frame Relay to MPLS nearly 20 years ago. Most customers understand the benefits of SD-WAN to their business, but how does it work in the real world? What is the impact / risk to their mission-critical apps? How are the network transition risks going to be mitigated?
One of the learnings from Macquarie’s SD-WAN experiences was offering a trial, or ‘proof-of-concept’, capability where a small team of experts could rapidly deploy SD-WAN edge devices into the customer’s network and allow real-time testing. This was so successful that PoCs are now part of the sales process at Macquarie, as the customer results are usually quite outstanding. The PoC process provides visibility of the customer’s network, allows control to determine the appropriate application priority, and results in significant network performance improvements and enhanced user experience through link aggregation and underlying SD-WAN enhancements. All of this is achieved while allowing customers to get comfortable with the SD-WAN solution – this is absolutely a Star.
Rapid Deployment
For those customers requiring rapid deployment of communications to a site, such as a new office, pop-up store, consultancy program office, mining site, DR site, etc., SD-WAN can solve this. An SD-WAN edge device, with one or two 4G ethernet modems, can be couriered to the site with the configuration pre-loaded. Installation, power-up and authentication can have the site operational within minutes.
Once the various business profiles are defined for a customer, e.g. HQ, DC, remote branch, state office, turning up a new site is easy. An untrained person can plug the LAN and WAN cables into an edge device at the branch. The edge device will automatically authenticate into the network Orchestrator. With a couple of clicks, the branch edge configuration is downloaded, and traffic is flowing within minutes. Activation, configuration, and ongoing management are all managed in the cloud.
This capability of Macquarie’s VeloCloud by VMware technology is clearly a Star. Many of our customers have used this capability for change in work arrangements during the Covid-19 crisis.
[Figure: Visual network health summary]
Visibility of the Network
The Orchestrator is VeloCloud’s SD-WAN management portal that provides visibility and control. As expected, when our engineers build customer networks, the Orchestrator instantly shows the physical edges, the virtual edges deployed in private or public cloud, the access links in use and the total bandwidth delivered at each location. Throughput, jitter, packet loss and latency are all visible at a per-site and per-link level, in real time. These statistics, along with built-in thresholds for voice, video and transactional traffic, highlight the quality of experience (QoE) using an easy-to-identify traffic light status. This helps quickly identify whether a site is performing well (Green), may be experiencing degradation (Amber) or requires further investigation or intervention (Red).
Additional options for monitoring the SD-WAN network include SNMP and NetFlow. Both can be configured at a profile level and pushed out to all edges with a single click. Exporting syslog to a centralised server for SIEMs and other security policy solutions is also possible.
Macquarie offers customers read-only or read/write control of the SD-WAN network while still providing a managed SD-WAN service. This allows IT managers to take control of the network, routing and applications, alerts, link performance / failure, etc.
The power and flexibility of the VeloCloud Orchestrator is a real Star.
[Figure: Link throughput performance measurement graphics]
Internet breakout
Traditionally, most network designs connected all sites to the internet by traversing the network through a centralised firewall in the head office or DC. With the megatrends of cloud and SaaS, and with SD-WAN enablement, it makes no sense to route this traffic across the backbone, increasing costs and contending with other traffic. For trusted applications, business policies can be created to push traffic directly to the internet.
For example, Office 365, Salesforce and other SaaS apps, along with guest internet browsing, can be sent directly to the internet from the branch – this is a Star. Other corporate applications and untrusted traffic can still be routed to HQ or the DC for centralised security policy management. From our experience, over 50% of internet-bound traffic is trusted SaaS applications, and sending this traffic directly reduces the burden and cost of central firewalls / gateways.
Security
How secure is SD-WAN? VeloCloud uses 256k DES encryption from edge to edge. There is no decoding of the flow at the gateways in the middle, as the tunnels are mapped end to end.
Management of the network via the Orchestrator provides customers with a choice of read/write or read-only access with 2FA for nominated staff members.
What about local security controls at the branch for local internet breakout? When assessing a customer’s requirements, we consider four options before recommending a final, future proof design:
Use of existing customer firewalls for customers who may have recently invested in these devices
Centralised next-generation Macquarie-managed firewalls for customers who want to avoid the operational overhead of having to manage and maintain security themselves
Local edge SD-WAN firewall
Third-party security cloud suppliers such as Zscaler can be integrated into the SD-WAN network by building tunnels directly from the edge
So overall, yes, very secure. However, I would not call this a Star – this is what customers expect.
Hardware or Virtual edges?
We still tend to think of networks as having a physical boundary. This is somewhat true even with ‘software-defined’ SD-WAN, because an ‘edge’ device is often installed at the WAN interconnection point to the LAN at the customer premises. But with the megatrends of SaaS and cloud, the network boundary is less defined. How do you control and protect your network from SaaS and cloud vectors? Virtual edges are the emerging Star here. Macquarie Telecom can install an SD-WAN virtual image on a VM in your data centre, in Macquarie Data Centres, or in a public cloud like Azure, in under 15 minutes. This extends your network security fabric to the cloud and seamlessly extends the security boundary of a traditional WAN. So, when you are building your SD-WAN network, consider deploying physical edges, virtual edges or a combination of both across the network.
Conclusion
In conclusion, Macquarie Telecom’s experience over more than three years running Australia’s largest SD-WAN deployments has given us deep knowledge in designing optimised, high-performance and cost-effective SD-WAN solutions for our customers.
This experience in running networks has given us some Scars, like bespoke design for each customer network. But our learnings have also generated some wonderful Stars, such as over-the-top solutions and customer policy templating. Not to mention Macquarie Telecom’s selection of VeloCloud by VMware, one of the best SD-WAN vendors in the world, as validated by Gartner.
More importantly, we have been able to provide great service to our customers. Macquarie’s industry-leading +87 Net Promoter Score from our customers over the last six months tells the story. Follow the link to our SD-WAN reference customer, Transit Systems.