SD-WAN solution design

SD-WAN combines a full suite of advanced cloud networking, security and WAN connectivity features into an end-to-end WAN solution that lets large enterprises connect remote branches/outlets securely and resiliently, particularly as a more cost-effective alternative to traditional MPLS or VSAT solutions.

The key features of the RansNet SD-WAN solution include:

  1. Flexible connectivity to any WAN technology, e.g. fiber Internet, PPPoE, single/dual LTE, MPLS, Metro Ethernet
  2. Multi-WAN load balancing for high resiliency
  3. Multiple VPN protocols with dual/multiple VPN bonding for better security and higher WAN capacity
  4. Multi-VLAN to separate the traffic of local devices that share the same connectivity but fall under different security policies
  5. Dynamic routing (OSPF & BGP) for auto fail-over and intelligent path selection
  6. QoS for traffic prioritization
  7. Policy-based routing for more granular traffic control
  8. Advanced "Ethernet over SSLVPN" for seamless network expansion
  9. Built-in dual-band AC Wi-Fi to offer guest hotspot access, with monetization opportunities for retail outlets
  10. mfusion cloud platform for central network visibility and control

With all of the above features packed into one platform, customers or service providers enjoy the following benefits:

  1. easy to deploy, configure and operate
  2. cost-effective
  3. higher resiliency
  4. better security

This section covers a typical SD-WAN scenario. We use a 3-layer design approach.

Access layer (HSA)

The access layer is powered by our HSA appliance (HotSpot Access). It sits at each remote site as the CPE device and connects to different WAN technologies, e.g. fiber, MPLS, VSAT, PPPoE or LTE. It can use multiple WAN options at the same time, with load balancing and auto fail-over. It has 4 x GE LAN ports for local devices; if more are needed, the LAN can simply be extended with a typical LAN switch.

Over this resilient WAN connectivity, the HSA builds dual SSLVPN tunnels to the CMG gateways at the WAN distribution layer, for the highest resiliency. The HSA advertises its local LAN network to the CMG via OSPF across the VPN tunnels. The tunnels can run active-active or active-standby simply by tweaking OSPF costs: by default, when both tunnels have the same cost, OSPF load-balances traffic across them; to prefer one tunnel, increase the OSPF cost of the less preferred (backup) tunnel. If the backup link is less reliable, we typically recommend configuring active-standby mode.
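As an added illustration (not the vendor's code or configuration), the following Python reproduces the OSPF shortest-path computation the HSA performs over its two tunnels: equal costs give an ECMP (active-active) route, a raised cost on the backup tunnel gives active-standby, and loss of the primary tunnel fails over to the backup. Node names and costs are constructed assumptions.

```python
import heapq
from collections import defaultdict

# Constructed topology for the dual-tunnel design above (names are illustrative,
# not the vendor's). Each entry is (endpoint, endpoint, OSPF cost).
LINKS = [
    ("HSA", "CMG-A", 10),   # SSLVPN tunnel over the primary WAN link
    ("HSA", "CMG-B", 10),   # SSLVPN tunnel over the backup WAN link
    ("CMG-A", "CORE", 1),
    ("CMG-B", "CORE", 1),
]

def build_graph(links, down=()):
    """Bidirectional adjacency map; any link listed in `down` is treated as failed."""
    g = defaultdict(dict)
    for a, b, cost in links:
        if (a, b) in down or (b, a) in down:
            continue
        g[a][b] = cost
        g[b][a] = cost
    return g

def with_cost(links, a, b, cost):
    """Copy of `links` with the cost of the a<->b link changed (the OSPF cost tweak)."""
    return [(x, y, cost if {x, y} == {a, b} else c) for x, y, c in links]

def spf_next_hops(graph, src, dst):
    """Dijkstra SPF, as OSPF computes it, from src to dst: returns (cost, sorted next-hops).
    Two equal-cost next-hops mean an ECMP route (active-active); one means active-standby."""
    best, next_hops, heap = {src: 0}, {src: set()}, [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue                      # stale heap entry
        for nbr, w in graph[node].items():
            nc = cost + w
            hop = {nbr} if node == src else next_hops[node]
            if nc < best.get(nbr, float("inf")):
                best[nbr], next_hops[nbr] = nc, set(hop)
                heapq.heappush(heap, (nc, nbr))
            elif nc == best[nbr]:
                next_hops[nbr] |= hop     # equal-cost path: keep both next-hops
    return (best[dst], sorted(next_hops[dst])) if dst in best else (None, [])

if __name__ == "__main__":
    tuned = with_cost(LINKS, "HSA", "CMG-B", 100)      # CMG-B tunnel becomes the backup
    print("equal costs :", spf_next_hops(build_graph(LINKS), "HSA", "CORE"))
    print("tuned costs :", spf_next_hops(build_graph(tuned), "HSA", "CORE"))
    print("primary down:", spf_next_hops(build_graph(tuned, down=[("HSA", "CMG-A")]), "HSA", "CORE"))
```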

The secure SSLVPN tunnels can run across any IP network, over dynamic or static WAN links or even from behind other routers/firewalls, as long as the HSA can reach the CMG across the provider networks.

WAN Distribution layer (CMG)

The WAN distribution layer is powered by the Cloud Managed Gateway (CMG). The CMG acts as a VPN concentrator that terminates the SSLVPN tunnels from remote HSAs. It runs OSPF inside the SSLVPN tunnels to learn remote routes, and BGP with the core routers to learn upstream (core) routes. It then redistributes BGP into OSPF so that the remote HSAs learn routes to the core networks, and OSPF into BGP so that the core network learns the remote networks. The CMG therefore forms a critical aggregation layer between the core and the remote networks.

To support a large number of remote sites, we recommend running multiple virtual CMGs on a typical hypervisor (VM-Host), e.g. VMware or KVM, and splitting the remote HSAs into groups, each tunnelling to a different virtual CMG.

Typical design guide:

  • Minimum resources per virtual CMG: 4GB RAM, 8 CPU cores, 40GB HDD
  • Up to 300 SSLVPN tunnels (remote HSAs) per virtual CMG. This keeps the tunnels stable, speeds up OSPF routing convergence and simplifies operations.
  • Up to 100 virtual CMGs per VM-Host with 512GB of RAM, 2/4 CPU, 5TB usable HDD (RAID-10) and 2 x 10G interfaces.

With the above design, one hypervisor (VM-Host) can support up to 30,000 remote HSAs. For redundancy, two VM-Hosts are needed so that each HSA forms dual tunnels, one to each host. It is highly recommended to place the two VM-Hosts at different physical locations.

Core Layer

The core layer consists of the customer's or provider's core switches or core routers. The core routers peer via BGP with the CMGs to learn remote routes and advertise server routes/networks to the CMGs (which redistribute them to the HSAs). Any other high-performance 3rd-party router, or the customer's preferred router, can be used as long as it supports the standard BGP protocol. A physical CMG-5000 with 10G interfaces is also a good choice.

mfusion cloud

The mfusion platform can be a VM or physical server in the cloud, or in any location/network reachable by both the CMG and the HSA.

mfusion provides the following key functions:

  1. Remote configuration provisioning for both HSA and CMG. This enables zero-touch configuration for the HSA: once the device is online, it automatically "calls home" to mfusion, which pushes the configuration provisioned remotely by NOC engineers, with no need for certified engineers onsite.
  2. Firmware and patch management. If needed, firmware or software patches can be pushed remotely by mfusion to the target HSAs.
  3. Real-time monitoring, alerting and scheduled historical reporting.