
Network Transformation Strategy — Part 1

How to Migrate Sites to SD-WAN

The Future of SD-WAN. Today.


Overview
By now, you’re probably all too familiar with the networking challenges facing the enterprise. Rapid site
deployment, Internet and cloud traffic explosion, protection from an endless supply of advanced threats —
today’s networking requirements simply didn’t exist when MPLS became the de facto standard for connecting
locations. Internet-based SD-WAN promises a way forward, but how do you move from a dedicated, carefully
managed MPLS service to an SD-WAN running over the free-for-all that’s the Internet?

This migration plan should help. It identifies the issues and options you’ll need to consider when evolving your
network, gathering insights from SD-WAN adopters, industry best practices, and our own experience helping
hundreds of enterprises transform their networks.

While replacing MPLS is certainly the first step in most network transformations, it’s not the full story.
Enterprises face networking-related challenges beyond MPLS, such as:

- Reducing the time to detect and remediate threats without increasing costs
- Bringing IT security and compliance controls to cloud resources
- Improving and simplifying the remote access experience
- Finding ways to provide visibility into all enterprise traffic

To those ends, we’ve created a two-phased migration plan for transforming your WAN. In part 1, this eBook, we
walk through the issues and challenges of the most common first step towards WAN transformation — MPLS
migration. In part 2, we’ll look at the security, management, and connectivity issues associated with branch
offices, the cloud, and mobile users.

A final note before we jump into the details. This guide is meant
to lay out the issues and principles of any SD-WAN migration. It’s
not meant to serve as a guide for moving to Cato Cloud. If that’s of
interest, check out this step-by-step Cato adoption plan.

Network Transformation Challenges and How to Address Them 2
Location Migration Summary
Reducing MPLS bandwidth costs and improving agility are often the initial objectives of network
transformation initiatives. To ease that transition, follow these five steps:

1. Categorize Your Locations: Group locations by their requirements for availability, packet loss, and costs.

2. Select the Right Last Mile: Internet access services have different characteristics. Use those differences to
meet your networking and business requirements.

3. Decide on Your Middle Mile: Like Internet access, there are different middle-mile options. Here’s how to select
the one right for your needs.

4. Engineer Your End-to-End Network Architecture: Combine middle and last miles to deliver MPLS-like quality
with Internet-like price and agility.

5. Procure Your Last-Mile Services: Decide whether to manage the last-mile procurement and ISP evaluation in
house or to outsource it.

1 Categorize Your Locations

Document Site Requirements and Group Locations
Start your MPLS migration by documenting site requirements.
SD-WAN’s ability to simultaneously leverage multiple types of
access — MPLS, dedicated Internet access (DIA), broadband,
and wireless — allows for a graceful, incremental transition
away from MPLS, and gives you incredible flexibility in meeting
business and networking requirements. The same flexibility,
though, risks complicating operations, leading to a network of
“snowflake” implementations where each site has a slightly different
network configuration.

Avoid that problem by grouping locations according to their networking requirements. If you’ve already gone
through this exercise, the site’s current connectivity can serve as a guide (see below for details). Evaluate
last-mile requirements across three dimensions — uptime, performance and anticipated cost. Key sites, such as
datacenters or the headquarters, will require greater uptime, better performance, and greater investment than
small offices. Rank groups on a simple scale from low to high.

Keep it Simple
Try to keep your categorizations actionable. Make them simple enough to be usable but not so simple
as to be inaccurate. A basic categorization map is provided below. Performance, in particular, may
need to be broken out further as application requirements can differ in terms of capacity and packet
loss. Latency is less of an issue given the last mile’s comparatively short distance. Depending on your
industry, regulatory requirements may also need to be considered.

Site Categorization Map

Grouping locations by requirements simplifies network operations at scale.

| Tier | Description              | Uptime | Performance | Cost   |
|------|--------------------------|--------|-------------|--------|
| T1   | Large site               | High   | High        | High   |
| T2   | Medium site              | Medium | High        | Medium |
| T3   | Small site with failover | Medium | Medium      | Low    |
| T4   | Small site               | Low    | Low         | Low    |

2 Select the Right Last Mile
With sites categorized, map their requirements onto last-mile and middle-mile service characteristics.
Matching the service quality of MPLS circuits is possible, but requires understanding where problems
occur on the Internet and how to address them using the magic of multipathing and SD-WAN features.

Last Mile vs. Middle Mile: What’s the Difference?


SD-WAN, and more specifically the Internet, consists of three segments — two last miles reaching from
the customer premises to their ISPs’ premises and the middle mile connecting the two last miles —
stitched together using the BGP routing protocol. Availability and performance issues associated with
the Internet manifest differently depending on the segment. (See this eBook for an extensive analysis of
last- and middle-mile challenges and how to overcome them.)

Contention for bandwidth and the lack of redundancy can leave the Internet last mile prone to downtime
and packet loss. SD-WAN addresses availability challenges with multipathing. Balancing traffic across
multiple last-mile circuits not only increases the capacity available to SD-WAN solutions but also allows
them to steer traffic around blackouts or brownouts. In fact, coupling last-mile services from different
providers can provide availability on par or even better than MPLS (see “How SD-WAN Provides High
Uptime Without SLAs”).

Types of Last Mile Services
There are two primary types of Internet last-mile services:

Dedicated Internet Access (DIA)
is best suited for medium and large sites. DIA services are symmetrical services with committed bandwidth and
guarantees for availability and repair. Packet loss rates are low but not guaranteed. Deployment times depend on
the presence of existing fiber, without which delivery times will be comparable to MPLS. DIA connections will cost
less than MPLS but more than broadband connections.

Broadband Services
such as cable and DSL, can serve as primary connections for small sites or secondary connections for all sites.
As broadband services share capacity with other customers, actual capacity will vary based on the contention
ratio — the number of customers accessing the service. A contention ratio of 20:1, for example, indicates that
20 customers share 1 Mbits/s of bandwidth. Consumer broadband will have higher contention ratios; business
broadband will have lower contention ratios. With consumer broadband, repairs will generally be done on a
best-effort basis; there are no SLAs. Business broadband services will have a limited availability SLA. While
broadband services do not come with guaranteed packet loss, research from the FCC indicates that the
average loss for US broadband services runs about .8%. As for price, broadband is the least expensive Internet
service.

| Type                              | Availability | Packet Loss | Contention Ratio | SLAs                            | Repair Time       | Price | Delivery    |
|-----------------------------------|--------------|-------------|------------------|---------------------------------|-------------------|-------|-------------|
| MPLS (Leased Line)                | 99.9%        | .1%         | 1:1              | Latency, Loss, and Availability | 4 hours           | $$$$$ | 30-180 days |
| Dedicated Internet Access (Fiber) | 99.9%        | ~.5%        | 1:1              | Loss and Availability           | Next business day | $$$$  | 30-180 days |
| Broadband                         | 99%          | ~1%         | 1:20             | None                            | Best effort       | $     | < 7 days    |

Wireless Access Services
namely 4G/LTE, provide a valuable function as secondary connections. Improving SD-WAN last-mile
availability is predicated on redundant physical infrastructure. But “diverse routing,” where access lines use
completely redundant infrastructure, is challenging as providers will share wiring ducts and other physical
components even for terrestrial services of different technologies. Mixing wireless and wireline services
addresses this challenge.

Match Last Mile to Business Requirements
By coupling the right last-mile service with specific SD-WAN features, you can address a diverse range of
network and business requirements. Minimize packet loss, for example, with DIA as the primary and, ideally,
secondary connection. Loss can be further reduced with packet loss correction technologies.

Mix and match Internet technologies to reduce site-deployment windows. Rather than requiring 90-day notice
for new sites, SD-WAN lets you open offices in a matter of days (with broadband) or even immediately (with
4G). Connections can be upgraded to DIA when it becomes available.

It’s often assumed that the Internet cannot match MPLS performance, but that’s not exactly true. Through a
combination of SD-WAN features, multipathing, and the right Internet service you can meet application service
requirements while reducing costs and improving agility.

3 Decide on Your Middle Mile

Whereas the last mile faces challenges of availability and packet loss, the sheer length of the middle mile
makes latency and predictability the major issues. For those who want to avoid carrier lock-in, there are two
middle-mile choices — the public Internet and global managed backbones.

Global Managed Backbones
are low-cost alternatives to MPLS. Locations establish encrypted tunnels across Internet last-mile services to
one of the points of presence (PoPs) constituting the backbone. Traffic is sent across the backbone, exits through
the PoP closest to the destination, and continues through the last mile terminating at the final location.

The Public Internet
is well suited for low-cost, best-effort services. The already high latency of the middle mile is only exacerbated
by the routing policies of the public Internet, which are optimized for business concerns, not application
performance. Packet loss particularly becomes a problem in the Internet core when providers exchange traffic
at congested, public peering points.

What to Look for in a Middle Mile
By avoiding the public Internet, managed backbones eliminate the latency introduced by Internet routing, and the congestion
of public peering points. Global managed backbones should also optimize traffic and use application-aware routing to select
the optimum path for each packet, even if that path is not the most direct one.

Check that the backbone has sufficient resilience and geographic coverage. To minimize blackouts and brownouts, the PoPs
constituting the backbone should be fully redundant, and sites should be able to automatically connect to alternate PoPs in
the event of an outage. As for coverage, PoPs should be located within 25 milliseconds of your locations. Global, managed
backbones will be more expensive than the public Internet but should be far less expensive than MPLS.

Middle-Mile Attributes:

MPLS
- Performance: Very good. Excellent performance with the least latency and packet loss when connecting
locations. However, it often adds latency when accessing the cloud and the Internet, and lacks mobile support.
- Availability: Very good. Core availability is excellent, but high costs often make last-mile redundancy
impractical. Still, support teams address outages within specified windows.
- Coverage: Very good. MPLS network providers often partner with one another to expand their footprint.
Support teams will still manage the network end-to-end. However, costs often increase and control might be
more limited.
- Price: Poor. As fully managed services, MPLS comes at a high premium. Even unmanaged services will be
more expensive than competing middle-mile architectures.

Internet
- Performance: Average. Unpredictable Internet routing and congestion at peering points may mean
latency/loss will be great one day and terrible the next.
- Availability: Good. The Internet core might be unpredictable but rarely fails completely. Last-mile availability
will depend on implementation.
- Coverage: Excellent. The Internet core is everywhere, available from anywhere.
- Price: Excellent. The Internet is the most affordable service, with a range of pricing options depending on the
configuration.

Global backbone
- Performance: Very good. As managed networks, global backbones offer latency/loss very close to MPLS and
far better than the Internet. They will also use optimum routing for improving cloud delivery. Mobility support
will be implementation dependent.
- Availability: Very good. Core and last mile should be fully redundant. Should a PoP fail, backbones should
automatically switch locations to the next nearest PoP.
- Coverage: Good. Global backbones will have global coverage of some sort, but how much will be
implementation dependent. PoPs need not share the same city as your locations provided last-mile access is
within 25 milliseconds.
- Price: Very good. Global backbones will be more expensive than the Internet core but far less expensive than
MPLS.

4 Engineer Your End-to-End Network Architecture

MPLS to Internet Conversion
In dealing with hundreds of customers, Cato Networks has found that MPLS connections can be effectively
replaced by a combination of DIA and broadband services in the last mile and a private backbone in the middle
mile.

A medium-sized branch office with a single MPLS connection and no backup, for example, should migrate to
symmetrical fiber with 1x-1.5x the bandwidth of MPLS and a second, broadband link with 2x-5x MPLS capacity.

The additional bandwidth reflects the shift in quality and need for capacity. DIA provides approximately the
same last-mile quality attributes as MPLS for business-critical applications, with the slight increase in capacity
reflecting the difference. The broadband link delivers additional redundancy and a capacity boost missing from
MPLS. Using a global backbone in the middle mile completes the picture, providing an end-to-end connection
with latency and packet loss close to MPLS, but with far more capacity and a much lower price point.

And What About SLAs?


Companies who’ve shifted from MPLS to an Internet-based SD-WAN often find that sound engineering
is a far better predictor of network performance than service levels written in ways that make them difficult
for customers to enforce.

MPLS to Internet Migration

| Tier | Current Connection | New Connection: Link 1 | Capacity     | New Connection: Link 2 | Capacity   |
|------|--------------------|------------------------|--------------|------------------------|------------|
| T1   | MPLS + Internet    | DIA                    | 1X-1.5X MPLS | Keep current           |            |
| T2   | Single MPLS        | DIA                    | 1X-1.5X MPLS | Broadband              | 2X-5X MPLS |
| T3   | Dual Internet      | Keep current           |              |                        |            |
| T4   | Single Internet    | Keep current           |              |                        |            |
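The tiering map from step 1 and the migration table above can be applied mechanically to a site inventory. The following Python planner is an added example, not Cato's code or tooling: the inventory in it is constructed, and the nearest-tier rule it uses for sites that match no map row exactly is an assumption.

```python
"""Site tiering and MPLS-to-Internet migration planner.

Added example for steps 1 and 4 of this eBook: the Site Categorization Map
and the MPLS to Internet Migration table are encoded as data and applied to
a constructed site inventory. The nearest-tier rule below is an assumption.
"""
from dataclasses import dataclass

RANK = {"Low": 0, "Medium": 1, "High": 2}

# Tier -> (uptime, performance, cost) rankings from the Site Categorization Map,
# plus the current connection the MPLS to Internet Migration table lists for it.
TIERS = {
    "T1": (("High", "High", "High"), "MPLS+Internet"),
    "T2": (("Medium", "High", "Medium"), "Single MPLS"),
    "T3": (("Medium", "Medium", "Low"), "Dual Internet"),
    "T4": (("Low", "Low", "Low"), "Single Internet"),
}


@dataclass
class Site:
    name: str
    uptime: str         # Low / Medium / High
    performance: str
    cost: str
    current: str        # today's connectivity, e.g. "Single MPLS"
    mpls_mbps: int = 0  # capacity of today's MPLS link, 0 if none


def classify(site: Site) -> str:
    """Return the tier whose map row is closest to the site's three rankings.
    Exact rows match directly; otherwise the smallest total rank distance wins,
    and a tie goes to the higher tier (assumption: do not under-provision).
    """
    want = (site.uptime, site.performance, site.cost)
    best_tier, best_dist = None, None
    for tier, (row, _) in TIERS.items():  # T1 first, so a tie keeps the higher tier
        dist = sum(abs(RANK[a] - RANK[b]) for a, b in zip(want, row))
        if best_dist is None or dist < best_dist:
            best_tier, best_dist = tier, dist
    return best_tier


def plan(site: Site) -> dict:
    """Apply the MPLS to Internet Migration table to one site."""
    tier = classify(site)
    m = site.mpls_mbps
    if tier == "T1":
        # Replace MPLS with DIA at 1x-1.5x its capacity; keep the existing Internet link.
        links = [("DIA", (m, int(m * 1.5))), ("Keep current Internet", None)]
    elif tier == "T2":
        # Replace MPLS with DIA at 1x-1.5x, and add broadband at 2x-5x MPLS capacity.
        links = [("DIA", (m, int(m * 1.5))), ("Broadband", (2 * m, 5 * m))]
    else:
        links = [("Keep current", None)]  # T3 and T4 already run on Internet links
    # Flag sites whose present connectivity differs from the table's row for the tier.
    needs_review = site.current != TIERS[tier][1]
    return {"site": site.name, "tier": tier, "links": links, "needs_review": needs_review}


if __name__ == "__main__":
    inventory = [  # constructed, not real customer data
        Site("HQ", "High", "High", "High", "MPLS+Internet", 500),
        Site("Regional office", "Medium", "High", "Medium", "Single MPLS", 100),
        Site("Kiosk", "Low", "Low", "Low", "Single Internet"),
    ]
    for s in inventory:
        print(plan(s))
```

A site flagged `needs_review` is one whose present connectivity does not match the table's row for its tier, which is exactly the kind of snowflake step 1 warns about.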

5 Procure Your Last-Mile Services
With last and middle mile services identified, you’re able to determine whether to keep procurement in-house
or outsource to a last-mile aggregator who will manage the full procurement process using specific partnering
providers or ISPs around the globe.

What is Procurement?
To be clear, by procurement we mean the process of evaluating and selecting ISPs and managing those
relationships, which includes the full lifecycle of the last-mile service — contract negotiations, site deployment,
invoicing and payment, working with the provider to resolve any network problems, and more.

In-house or Outsource?
At first, consolidating procurement with an aggregator sounds like the smart choice. It gives IT “one throat to
choke” in the event of a last-mile problem and simplifies acquisition. But outsourcing acquisition also comes
with a significant uptick in cost.

What’s more, when kept in-house, organizations can:

- Save on the provider’s margin
- Leverage their existing providers
- Switch to providers with better networks
- Meet personal or organizational supplier preferences
- In general, have more control over last-mile selection

Logistical Considerations
Budget aside, there are several considerations to determine which procurement approach is right for
your organization:

Monitoring and Troubleshooting


While it’s true that good engineering and smart ISP selection can prevent many last-mile headaches,
it’s also true that you need to plan for troubleshooting last-mile problems. Centralized monitoring of all
last miles should be part of any good SD-WAN solution. As for troubleshooting, many organizations find
that documenting in advance the right phone numbers to call and people to contact at the local ISPs and,
if necessary, hiring another IT resource closer to the local time zone meets their troubleshooting
requirement while still saving on procurement costs.

SD-WAN solutions should provide centralized monitoring of and detailed insight into all last-mile connections.

Accounting Issues
Billing, invoicing, currency conversion — the accounting issues of managing many ISPs may already be
addressed by your accounting team. If not, see what’s required to put them into place. Aggregators will
also supply those services.

Site Surveys
On-site evaluations can be important for new installations, particularly when deploying LTE or
other wireless infrastructure whose performance is impacted by environmental factors. If you’re not
positioned to conduct local site surveys, be prepared to find a local partner or provider who can meet
that need.

The WAN Beyond the SD-WAN
As we’ve seen, there are alternatives to high-priced MPLS services. You will need the right mix of redundancy,
last- and middle-mile services, and SD-WAN features. Migrating sites off of MPLS, though, is only the first
chapter in the WAN transformation story.

Often organizations find that reevaluating other dimensions of the network when
assessing their WAN helps improve overall IT agility and efficiency. This is
particularly true as WAN transformation, and more broadly changes in the way
we work, raise considerations that many MPLS network designs never needed to
accommodate.

Security is a case in point. Many companies with MPLS implementations will find local
Internet breakout, recommended for branch offices in an SD-WAN, difficult, if not
impossible, to implement with their centralized security architectures.

The complexities associated with the new tenants of the modern WAN — cloud
resources and mobile users — are another set of examples to consider when
rethinking the WAN. Cloud resources are accessed by SD-WAN users, and SD-
WAN users frequently become mobile users outside of the office.

And finally, while we’ve spent a great deal of time discussing SD-WAN-related
deployment issues, we haven’t discussed how to administer and run the new
network. SD-WAN introduces a range of new management possibilities that will
allow you to operate leaner and be more responsive than was possible with carrier-
managed MPLS services. Which is right for you? We’ll explore those management
choices, as well as the branch security, cloud, and mobility issues in part 2 of our
network transformation strategy.

The Cato Approach
Cato Cloud is a self-service (or, optionally, fully managed) SD-WAN service that not only connects but also
protects all the enterprise network elements, including branch locations, the mobile workforce, physical and
cloud datacenters, and cloud applications, into a global, encrypted and optimized SD-WAN in the cloud. The
Cato Cloud network is a globally managed backbone that provides affordable, SLA-backed connectivity.
With all WAN and Internet traffic consolidated in the cloud, Cato can protect the complete enterprise with a full
set of optional security services that include NGFW, SWG, IPS and more, all backed by Cato’s security team,
which proactively hunts and identifies threats on customer networks.

To see how Cato can help your company visit:

www.CatoNetworks.com

@CatoNetworks

Appendix

How SD-WAN Brings Five 9s Availability to the Internet Last Mile
As much as we might like guarantees, networking teams have long complained about service level agreements
(SLAs). They’re difficult to enforce, written to favor the carriers, and any credits can never cover the outage
impact. Some SD-WAN services might offer SLAs, but it’s primarily the redundant design enabled by Internet
affordability that lets SD-WAN meet and exceed MPLS uptime.

To deliver uptime in your SD-WAN, start with the access services. They should share no physical components
— what’s called diverse routing. Since even competing terrestrial services often share fiber, ducting, etc., many
organizations rely on LTE for a secondary or tertiary connection.

Configure SD-WAN appliances in high availability (HA) mode. Cato’s affordable HA provides appliance
redundancy without additional ongoing costs. In the event of an appliance failure, traffic is sent to the secondary
appliance.

The appliances will monitor and load balance the last-mile connections. They’ll use loss-correction features,
such as packet duplication, to overcome line problems. Should there be a slow-down (brownout) elsewhere
in the network or a line failure (blackout), appliances automatically steer traffic around the outage, failing over
completely to the secondary connection if necessary (and failing back based on defined policies). Taken
together with proper middle-mile redundancy, SD-WAN services can deliver better-than-MPLS uptime even
when using the Internet.
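The availability arithmetic behind the appendix's argument, as an added example that is not part of the original eBook: it uses the last-mile table's figures (DIA 99.9%, broadband 99%) and shows why diverse routing matters, since a shared physical component caps whatever a second link adds. The 99.9% assumed for a shared duct and the 99% assumed for LTE are constructed figures.

```python
"""Last-mile availability under redundancy.

Added example for the appendix: the diverse-routing argument carried through
with the availability figures from this eBook's last-mile table (DIA 99.9%,
broadband 99%). The shared-duct and LTE availabilities used below are
constructed assumptions for illustration, not figures from the eBook.
"""
import math


def parallel_availability(*links: float) -> float:
    """Availability of links that fail independently: the site is down only
    when every link is down at the same time, so unavailabilities multiply."""
    all_down = 1.0
    for a in links:
        all_down *= 1.0 - a
    return 1.0 - all_down


def with_shared_component(shared: float, *links: float) -> float:
    """Same links, but each also depends on one shared element (a common duct,
    a single building entry, a single non-HA appliance). Its outage takes every
    link down at once, so the shared element caps the achievable availability."""
    return shared * parallel_availability(*links)


def nines(a: float) -> float:
    """Availability expressed as a count of nines: 0.999 -> 3.0, 0.99999 -> 5.0."""
    return -math.log10(1.0 - a)


def downtime_minutes_per_year(a: float) -> float:
    """Expected unavailability over a 365-day year, in minutes."""
    return (1.0 - a) * 365 * 24 * 60


if __name__ == "__main__":
    DIA, BROADBAND = 0.999, 0.99   # from the last-mile table
    LTE, SHARED_DUCT = 0.99, 0.999  # constructed assumptions
    print("single MPLS (99.9%%):             %.2f nines" % nines(0.999))
    print("DIA + broadband, diverse:        %.2f nines"
          % nines(parallel_availability(DIA, BROADBAND)))
    print("DIA + broadband + LTE, diverse:  %.2f nines"
          % nines(parallel_availability(DIA, BROADBAND, LTE)))
    print("DIA + broadband, shared duct:    %.2f nines"
          % nines(with_shared_component(SHARED_DUCT, DIA, BROADBAND)))
```

Two independent commodity links at 99.9% and 99% reach five nines, while the same two links behind a single 99.9% duct fall below the three nines of the MPLS circuit they replaced.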
