
Teldat SD-WAN.

Features description

Agenda
1. SD-WAN Market
2. SD-WAN Main Features
3. Teldat Solution
4. Teldat strengths

©2017 Teldat Group Spain, Germany and more than 40 Countries worldwide. 2
SD-WAN market

SD-WAN is a growing market: 69% compound annual growth rate over the next 5 years, reaching an $8.05 billion market in 2021 (*).

(*) Source: IDC (https://www.networkworld.com/article/3048174/wide-area-networking/idc-sd-wan-market-to-hit-6b-by-2020.html)
General SD-WAN main features

- Focus on applications: SD-WAN changes the perspective of network management, from pure communications to application-based management.
- High-level network configuration through a GUI: reduces the complexity of enterprise network configuration through a centralized configuration and management tool.
- Cost reduction / agility: reduces the operation and maintenance costs of a network and provides flexibility.
- Application visibility: the network can now inspect the traffic going through it, identifying applications at level 3, 4 or 7.
- Decouple network technology from the transport network: the current enterprise network scenario creates a strong dependence between the transport network provider and the network technologies. SD-WAN simplifies this.
Teldat Solution - Overview

Cloud NetManager (CNM) is the tool where all the Teldat SD-WAN features are centralized:
- Device life-cycle management
- Configuration management
- Network monitoring
- API integration
- Multi-tenant
- Application visibility
- ...

Datacenter: all the enterprise's own services sit behind a Datacenter Edge device.
Remote office: users connect to the services from the remote offices through a Branch Edge device.
(Diagram: the Datacenter Edge and Branch Edge devices are connected over WAN1, WAN2 and WAN3.)
CNM - Deployment modes

Cloud NetManager (CNM) can be deployed in two different modes:

1. Virtual appliance deployment: CNM is deployed on customer premises (datacenter) and can be installed on one node (standalone) or three nodes (high availability), depending on the HA requirements.

2. Cloud deployment of CNM (SaaS): the cloud instance is managed by Teldat, and the reseller/channel can get its own URL and even a fully customized portal for its customers.
CNM - Main concepts

Template: a Template is the definition of a type of branch, collecting the LAN, WAN and policy configuration.

User Group: a user group defines a pool of IP addresses that will be used in the branch offices, for instance computers, phones, guests...

Service: a service is a pool of IP addresses, defined in the datacenter network, that hosts a specific tool (SIP, SAP, CRM...).

Application: an Application is any traffic from/to a User Group, directed to a (Datacenter) Service, an Internet site or another User Group(s), identified at level 3, 4 and/or 7.

SLA: the SLA defines the desired policy for a set of applications. SLA types: a) Performance monitor: decide the link to use based on delay, jitter and loss; b) Best effort: fixed link regardless of path status; c) Drop.

Application Category: the application categories relate the applications with an SLA and allow the user to prioritize that traffic through different links.
Transport independent

The Teldat SD-WAN solution supports different kinds of access: Internet and MPLS. (Diagram: Branch 1 ... Branch N connected over MPLS and Internet to the datacenter services.)

Teldat SD-WAN features (independent of the access type):
- VLAN tagging
- DHCP and DHCP relay
- Quality of Service (QoS) per application category and network access
- Downstream/upstream bandwidth allocation
- VRF support to create the overlay
- Deep packet inspection (DPI)
- Application visibility at levels 3, 4 and 7
- Application policies
- WAN link status aware policies
- Zero touch provisioning
- High availability
- MPLS and Internet local breakout
- ...
Network architecture (per Application Category)

- IPSec tunnels are created from the remote offices to the Datacenter Edge devices, per application category and per WAN.
- A fixed IP address is needed at the DC site.
- DMVPN is used to create the overlay: IPSec tunnels over GRE.
- The IPSec tunnels are authenticated with a Pre-Shared Key (PSK).
- Policy Based Routing (PBR) plus WAN probes (IPSLA) select the tunnel at the branch, and BGP routing indicates to the Datacenter Edge device the reverse traffic path: the BGP received from the Branch Edge device selects the tunnel used to send the application traffic back to that specific remote office.
- The Branch Edge device can be a second-level device, even when the first-level device is configured with NAT.
- Support for MPLS and broadband Internet networks.
Network architecture

The SD-WAN network architecture is based on VRFs.

Datacenter Edge device: a VRF per application category is created. This VRF manages the tunnels from any branch and WAN where that application category is configured to be used.

Branch Edge device: there is a VRF per WAN to guarantee traffic isolation between WANs. Each VRF generates a tunnel per application category configured to use that WAN.

Example scenario (from the diagram):
- Datacenter: servers for AppC1, AppC2 and AppC3; AppC3 has the access to the Internet centralized on the DC (Internet breakout).
- Branch 1: access to all the application categories (AppC2 can only be accessed from WAN1); there is an application with local breakout to WAN1.
- Branch 2: access to AppC2 and AppC3; there is an application with local breakout to WAN2.
Network architecture (per WAN) - Reverse traffic steering

- IPSec tunnels are created from the remote offices to the Datacenter Edge devices, per WAN.
- A fixed IP address is needed at the DC site.
- DMVPN is used to create the overlay: IPSec tunnels over GRE.
- The IPSec tunnels are authenticated with a Pre-Shared Key (PSK).
- Policy Based Routing (PBR) plus WAN probes (IPSLA) select the tunnel, and BGP routing announces the LAN IP addressing.
- The Branch Edge device can be a second-level device, even when the first-level device is configured with NAT.
- Support for MPLS and broadband Internet networks.
Network architecture

The SD-WAN network architecture is based on VRFs.

Datacenter Edge device: a VRF per WAN is created. This VRF manages the tunnels from any branch where that WAN is configured to be used.

Branch Edge device: there is a VRF per WAN to guarantee traffic isolation between WANs. Each VRF generates a tunnel per application category configured to use that WAN.

Example scenario (from the diagram):
- Datacenter: servers for AppC1, AppC2 and AppC3, reached through the WAN1 and WAN2 VRFs; AppC3 has the access to the Internet centralized on the DC (Internet breakout).
- Branch 1: access to both access networks; there is an application with local breakout to WAN1.
- Branch 2: access to both access networks; there is an application with local breakout to WAN2.
Teldat Solution - Datacenter

- Horizontal scalability: throughput can be increased by adding new Datacenter Edge devices. CNM (the controller) distributes the load among them automatically.
- Connectivity: Datacenter Edge devices must be connected to all the WANs.
- Several DCs are supported in the same SD-WAN network.
- Internal routing: Datacenter Edge devices support OSPF or BGP for internal routing towards the datacenter side.
- Hub & spoke architecture: all the traffic from the remote offices goes to the Datacenter Edge devices (except the breakout traffic).
- Concentrator redundancy: Datacenter Edge devices can be deployed in pairs to avoid a single point of failure.
High availability architecture

Branch Edge devices generate all the tunnels when the device is provisioned (active and passive tunnels for each and every WAN), but each Branch Edge device only keeps one tunnel active per application category and WAN. It only switches when the Datacenter Edge device reached through the active tunnel becomes unreachable.

(Diagram (*): Datacenter Edge devices A and B are deployed in an HA architecture. Branch Edges 1 and 3 are connected to Datacenter Edge A; Branch Edges 2 and 4 are connected to Datacenter Edge B. Only in case of failure would the remote offices switch to the other Datacenter Edge device.)

(*) This illustrates the tunnels for only one application category (and WAN), but the same scheme is replicated for each and every application category (and WAN).
High availability architecture

One Branch Edge device has one active Datacenter Edge device for all the application categories. One VRF per application category at the Datacenter Edge devices: one tunnel is created over any WAN, to any branch, per application category. (Diagram: VRF1, VRF2 and VRF3 on each Datacenter Edge device, one VRF on the branch.)

The solid tunnels are the active ones; if the active Datacenter Edge device crashes, all the traffic is redirected automatically to the second Datacenter Edge device (striped tunnels).

In the per-WAN architecture, one Branch Edge device has one active Datacenter Edge device for all the WANs. One VRF per WAN at the Datacenter Edge devices: one tunnel is created from any branch, per WAN. The solid tunnel is the active one; if the active Datacenter Edge device crashes, all the traffic is redirected automatically to the second Datacenter Edge device (striped tunnel).
Internet breakout

- Centralized: Internet traffic can also be routed from the remote offices to the Datacenter Edge device over the overlay, and then to the Internet. The existing datacenter connectivity to the Internet is used, taking advantage of the security measures already in place there.
- Local Internet breakout in the remote offices connects the branch office directly with the Internet (and with cloud applications).

Security (roadmap): Teldat will add some applications to the SD-WAN solution in order to secure the breakout connectivity:
- BlueCoat: firewall
- Flashstart: DNS web filtering
MPLS breakout

To communicate two remote offices through the overlay, the traffic goes to the Datacenter Edge devices and then on to the other remote office.

Using MPLS breakout, the traffic between branches goes directly over the MPLS underlay, without passing through the datacenter: direct communication between branch offices is possible using the underlay.
Network status

Probes are sent over the overlay from the Branch Edge devices to the Datacenter Edge devices to obtain the network status.
- The probes collect RTT, loss rate and jitter.
- IPSLA probes are used to balance the application traffic depending on the network metrics.
- An IPSLA probe is sent through each tunnel, and tunnels are generated for each application category and each WAN (Carrier A network, Carrier B network).
- With the collected information, the Branch Edge devices send the traffic through a specific network depending on the SLAs previously defined.
- Based on the probe information, the Branch Edge devices send BGP routing to the Datacenter Edge devices, so these can decide which tunnel to use to send the traffic back to the remote offices.
Application policies

- The Branch Edge devices identify the applications (optionally) using Deep Packet Inspection (DPI). DPI can be activated as a license on each device.
- The tool identifies applications at levels 3 and 4 (and 7 when DPI is activated on the routers). Users can then apply policies per application.
- WAN link priority per application category can be defined in each branch template: main access network, secondary access network, ...
- SLA policies per application category:
  - Network performance: jitter, delay and traffic loss
  - Best effort: overlay or direct connectivity
  - Drop
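The path decision the last three slides describe (per-tunnel IPSLA probes, the three SLA types, WAN priority from the branch template, and the HA rule of staying on the active Datacenter Edge until it is unreachable) can be written down as a small decision function. The following is an added example, not Teldat code or CIT configuration: the Probe and Sla types, the threshold values, the category names and the probe results are all constructed for illustration, and the fallback used when no WAN meets the SLA is an assumption the slides do not state.

```python
# Added example (not Teldat code): SLA-driven tunnel selection as the slides
# describe it. The Probe/Sla types, the threshold values and the sample probe
# results below are constructed for illustration and are not from the page.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    """Latest IPSLA-style probe result for one tunnel (one App Cat, one WAN, one DC Edge)."""
    wan: str          # "WAN1" (MPLS) or "WAN2" (Internet) in the sample data
    dc_edge: str      # "A" or "B": the Datacenter Edge device the tunnel terminates on
    rtt_ms: float
    jitter_ms: float
    loss_pct: float   # 100.0 means the DC Edge did not answer over this tunnel


@dataclass(frozen=True)
class Sla:
    """Policy for one application category: SLA type plus WAN priority from the branch template."""
    kind: str                        # "performance", "best_effort" or "drop"
    wan_priority: Tuple[str, ...]    # main access network first, then secondary, ...
    max_rtt_ms: float = 0.0          # thresholds, only used by the "performance" type
    max_jitter_ms: float = 0.0
    max_loss_pct: float = 0.0


def meets_sla(p: Probe, sla: Sla) -> bool:
    """Performance-monitor check: delay, jitter and loss all within the thresholds."""
    return (p.loss_pct < 100.0
            and p.rtt_ms <= sla.max_rtt_ms
            and p.jitter_ms <= sla.max_jitter_ms
            and p.loss_pct <= sla.max_loss_pct)


def tunnel_for_wan(probes: List[Probe], wan: str, active_edge: str) -> Optional[Probe]:
    """HA rule from the slides: keep the tunnel to the active DC Edge on this WAN and
    switch to the passive DC Edge only when the active one is unreachable."""
    per_edge = {p.dc_edge: p for p in probes if p.wan == wan}
    active = per_edge.get(active_edge)
    if active is not None and active.loss_pct < 100.0:
        return active
    for edge, p in per_edge.items():
        if edge != active_edge and p.loss_pct < 100.0:
            return p
    return None


def select_path(probes: List[Probe], sla: Sla, active_edge: str = "A") -> Optional[Tuple[str, str]]:
    """Return (wan, dc_edge) for the tunnel to use, or None when the traffic is dropped
    or no Datacenter Edge is reachable on any WAN."""
    if sla.kind == "drop":
        return None
    candidates = [(wan, tunnel_for_wan(probes, wan, active_edge)) for wan in sla.wan_priority]
    candidates = [(wan, p) for wan, p in candidates if p is not None]
    if not candidates:
        return None
    if sla.kind == "best_effort":
        # Fixed link: the highest-priority reachable WAN, metrics ignored.
        wan, p = candidates[0]
        return wan, p.dc_edge
    # Performance monitor: first WAN in priority order whose probe meets the thresholds.
    for wan, p in candidates:
        if meets_sla(p, sla):
            return wan, p.dc_edge
    # Assumption (not stated on the page): when no WAN meets the SLA, use the
    # tunnel with the lowest loss, then the lowest RTT, rather than dropping.
    wan, p = min(candidates, key=lambda c: (c[1].loss_pct, c[1].rtt_ms))
    return wan, p.dc_edge


# Constructed probe results: MPLS (WAN1) is jittery, the passive DC Edge B is down over WAN2.
SAMPLE_PROBES = [
    Probe("WAN1", "A", rtt_ms=35.0, jitter_ms=12.0, loss_pct=0.0),
    Probe("WAN1", "B", rtt_ms=36.0, jitter_ms=3.0, loss_pct=0.0),
    Probe("WAN2", "A", rtt_ms=48.0, jitter_ms=4.0, loss_pct=0.2),
    Probe("WAN2", "B", rtt_ms=0.0, jitter_ms=0.0, loss_pct=100.0),
]
# Constructed SLAs for three application categories (names are illustrative).
VOICE = Sla("performance", ("WAN1", "WAN2"), max_rtt_ms=150.0, max_jitter_ms=10.0, max_loss_pct=1.0)
ERP = Sla("best_effort", ("WAN1", "WAN2"))
GUEST = Sla("drop", ())


def demo() -> dict:
    """Path decision per application category for the sample probes."""
    return {name: select_path(SAMPLE_PROBES, sla)
            for name, sla in (("voice", VOICE), ("erp", ERP), ("guest", GUEST))}


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name}: {path}")
```

With the sample probes, the voice category leaves its preferred MPLS link because the jitter threshold is exceeded and is steered to the Internet link, while the best-effort category stays pinned to the main access network regardless of the metrics; the failover to the passive Datacenter Edge only fires on a tunnel that reports 100% loss, which is the unreachability condition the HA slide describes.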
Application traffic visibility

Teldat devices can generate and export NetFlow/IPFIX traffic to get all the traffic information in the network. For level 7 visibility, DPI must be activated on the device (license).

Teldat Visualizer is the Teldat NetFlow collector that shows the traffic information:
- Shows all this information in a coherent way
- Filters the traffic per branch, LAN/WAN IP address, application, port...
- Creates dynamic dashboards
- Generates reports
- Defines thresholds to generate notifications
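To make the level 3/4 side of this concrete, and to connect it with the User Group, Service, Application and Application Category definitions from the "CNM - Main concepts" slide, here is an added example (not Teldat code and not the Visualizer) that parses a constructed NetFlow v5 datagram and classifies each exported flow by source pool, destination pool, protocol and destination port. The address ranges, port numbers, category names and the sample datagram are all assumptions made for the illustration; the NetFlow v5 header and record layout is the standard one.

```python
# Added example (not Teldat code): parse a constructed NetFlow v5 export and
# classify each flow at level 3/4 using the deck's concepts (User Group, Service,
# Application, Application Category). The address pools, ports, category names
# and the sample datagram are constructed for illustration; Teldat's actual
# classifier and the Visualizer are not shown on the page.
import ipaddress
import struct
from typing import Dict, List, Tuple

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")            # version, count, sys_uptime, unix_secs,
                                                  # unix_nsecs, flow_sequence, engine_type,
                                                  # engine_id, sampling_interval
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop, input, output,
                                                  # dPkts, dOctets, first, last, srcport, dstport,
                                                  # pad1, tcp_flags, prot, tos, src_as, dst_as,
                                                  # src_mask, dst_mask, pad2


def parse_netflow_v5(datagram: bytes) -> List[dict]:
    """Return the flow records of one NetFlow v5 datagram; reject other versions and
    datagrams whose length does not match the header's record count."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": ipaddress.IPv4Address(r[0]), "dst": ipaddress.IPv4Address(r[1]),
                      "packets": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                      "proto": r[13], "tos": r[14]})
    return flows


# Constructed definitions in the deck's terms (illustrative values).
USER_GROUPS = {"computers": ipaddress.ip_network("10.1.10.0/24"),   # branch LAN pools
               "phones": ipaddress.ip_network("10.1.20.0/24")}
SERVICES = {"SIP": ipaddress.ip_network("192.168.100.0/28"),        # datacenter pools
            "SAP": ipaddress.ip_network("192.168.100.16/28")}
# Applications: (user group, service, IP protocol, destination port) -> (name, category)
APPLICATIONS = {("phones", "SIP", 17, 5060): ("sip-signalling", "AppC1"),
                ("computers", "SAP", 6, 3200): ("sap-gui", "AppC2")}
INTERNET_CATEGORY = "AppC3"   # the deck routes Internet traffic through AppC3 / breakout


def classify(flow: dict) -> Tuple[str, str]:
    """Level 3/4 classification: (application, application category)."""
    group = next((g for g, net in USER_GROUPS.items() if flow["src"] in net), None)
    service = next((s for s, net in SERVICES.items() if flow["dst"] in net), None)
    app = APPLICATIONS.get((group, service, flow["proto"], flow["dport"]))
    if app is not None:
        return app
    if group is not None and service is None and flow["dst"].is_global:
        return "internet", INTERNET_CATEGORY
    return "unclassified", "unclassified"


def bytes_per_category(datagram: bytes) -> Dict[str, int]:
    """Aggregate exported octets per application category, as a collector dashboard would."""
    totals: Dict[str, int] = {}
    for flow in parse_netflow_v5(datagram):
        _, category = classify(flow)
        totals[category] = totals.get(category, 0) + flow["bytes"]
    return totals


def build_sample_datagram() -> bytes:
    """Constructed NetFlow v5 datagram with four flows (not captured from a real device)."""
    def record(src, dst, packets, octets, sport, dport, proto):
        return RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                           0, 1, 2, packets, octets, 1000, 2000, sport, dport,
                           0, 0x18, proto, 0, 0, 0, 24, 28, 0)
    records = [
        record("10.1.20.7", "192.168.100.5", 40, 20000, 5060, 5060, 17),      # phone -> SIP
        record("10.1.10.25", "192.168.100.20", 120, 90000, 51234, 3200, 6),  # PC -> SAP
        record("10.1.10.25", "93.184.216.34", 30, 45000, 49152, 443, 6),     # PC -> Internet
        record("172.16.0.9", "192.168.100.20", 5, 600, 40000, 3200, 6),      # unknown source
    ]
    header = HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    print(bytes_per_category(build_sample_datagram()))
```

The parser checks the version and the record count against the datagram length before trusting any offsets, which is the check a collector exposed on UDP should make on every packet; flows from addresses outside every User Group end up unclassified rather than being silently attributed to a category, which is the gap that level 7 DPI (a licensed feature per the slides) would narrow for flows that cannot be told apart by port.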
Quality of Service

QoS per WAN and application category. Apart from the link priority based on SLA thresholds, in CNM the user can configure:
1. Four different class priorities: Real-time, High, Medium and Low.
2. Bandwidth allocation: percentage of the network bandwidth allocated to a specific application category.
3. Rate limit: the maximum throughput that a specific application category can use.
4. ToS or DSCP: the user can configure the traffic marking per application category, or disable this option.
Zero Touch Provisioning

ZTP process:
1. The device is plugged into the electric power and the network.
2. The device automatically connects to the CNM, providing its serial number.
3. Once the device is identified by its S/N, the CNM sends the configuration to the device, together with the SSL certificate used to encrypt the communications between CNM and the device.
4. When the device loads the configuration, it gets the final network configuration and the security parameters to establish further CNM connections.

Note that in step 2 the device is identified by its serial number and the pre-configured CNM URL only; the device-specific certificate and the security parameters for later connections arrive in steps 3 and 4.
Zero Touch Provisioning

To run the ZTP process automatically, a pre-configuration on the device is needed. There are two possibilities:

Standard ZTP. This configuration is valid for the following scenarios:
- Second-level device
- Cloud CNM
The pre-configuration includes:
- DNS pre-configured to resolve the CNM URL
- DHCP pre-configured to get the IP address from the network
- Cloud CNM URL to contact the CNM

Customized ZTP. This configuration is valid for any network scenario:
- First-level access devices or second-level devices
- VA or Cloud CNM
- ...
The pre-configuration is customized per customer, so it includes all the minimum configuration needed to get connectivity from the devices to the CNM in the specific customer network scenario.
CNM - Device Lifecycle Management

1. OS update: CNM allows uploading a new version of the OS (CIT) to the tool and sending it to a specific device or a group of devices.

2. Change configuration template: the user can change the template originally chosen for a specific branch or group of branches, if, for example, a remote office has been upgraded from a small office to a medium or large office.

3. Update configuration: when a template is modified in the CNM, the tool shows a warning notification on the devices configured with that template ("The configuration has been updated!"). The user can then push the change immediately, or schedule the update for a specific date and time.

4. Device monitoring and information: the device contacts the CNM every 30 seconds to provide monitoring information on CPU, memory and disk. In addition, on each contact the device receives the jobs that are pending (update configuration, update OS...).
Teldat SD-WAN: Integration

NetFlow/IPFIX: all the Teldat devices can generate NetFlow/IPFIX traffic (with the information of the traffic going through the network) and send it to a NetFlow/IPFIX collector, to be used in a specific tool. If the device has the DPI license activated, the level 7 traffic information is included.

REST API: Cloud NetManager (CNM) has a northbound REST API that can be used by any external tool to get information about the network or to apply some configurations. The API has been developed to adapt to any 3rd-party tool that the customer requires to integrate.
Branch office devices

Branch office device: the same physical devices that are in the current Teldat portfolio can be migrated to the Teldat SD-WAN solution. The Operating System of the devices may need to be updated.

Minimum OS version for SD-WAN: CIT 11.01.04

Device       Max. BW (*)
Teldat V     28 Mbps
Teldat M1    380 Mbps
Teldat iM8   884 Mbps

(*) All licenses activated. Aggregated encrypted IMIX traffic.
Datacenter Edge Devices

RXL14000 is one of the Teldat solutions for the concentrator device. SDE-20K will be available soon (June 2018).

RXL14000 can provide up to 1 Gbps and SDE-20K up to 20 Gbps (2, 10 and 20 Gbps models). Furthermore, they can scale horizontally to cover scenarios with higher bandwidth requirements.

Device           Max. BW (*)
RXL14000         1 Gbps
SDE-20K family   20 Gbps (OSDx, x86 hardware)

(*) Aggregated encrypted IMIX traffic.
Teldat strengths

01 SD-WAN ready: customers can migrate easily to an SD-WAN solution; no hardware update is needed if they are using Teldat devices in pre-SD-WAN networks such as MPLS.
02 Multi-tenant platform: with the same CNM instance, the reseller or Service Provider can manage different, fully isolated projects.
03 Real ZTP: the provisioning of a new branch or device in the Teldat SD-WAN solution is real zero touch, without technical intervention.
04 Modular solution: the solution can be adapted to the customer's needs (base license, controller license, visualizer license...).
05 Standard protocols: use of common standard protocols such as DMVPN, IPSec, NetFlow, IPSLA...
Teldat weaknesses

- The DC Edge device is not multi-tenant
- MESH topology is not supported
- IPSec tunnels are built with PSK (PKI is on the roadmap - June 2018)
- Level 7 application identification
- Breakout redundancy
- Remote offices HA architecture
- LAN IP addresses are selected automatically by CNM (partially solved)
Other competitors' weaknesses

- Not real Zero Touch Provisioning: it needs technical staff intervention to load a specific configuration, or it only works when the SD-WAN controller is in the cloud.
- DC Edge devices per access network: one DC Edge device is required per access network.
- QoS configuration limited: no vendor has the QoS configuration of each network in SD-WAN.
- New devices required: no vendor currently offers the possibility to reuse the installed devices.
- Several tools to have an SD-WAN solution: SD-WAN vendors usually need several management tools to manage the SD-WAN network.
Future developments

- Change LAN IP address manually
- SDE-20K and Reverse Traffic Steering
- CNM Monitoring
- Visualizer (demo)
- CNM batch operations
- Digital Certificates

Dates on the slide's timeline: 7th June, June, 14th June, 31st July.
Thank you
