This guest blog post is from CloudGenix. We thank CloudGenix for being a sponsor.
Cooper Cash can finally see what’s going on in the WAN. Thanks to the application identification and analytics capabilities of SD-WAN, Cash has deep visibility into—and control over—the applications that employees use at over 60 remote sites.
Cash is Team Lead for Branch Office Infrastructure for Teleflex, a medical device manufacturer with branch and remote offices in the United States, Europe, and Asia. He’s rolling out SD-WAN appliances from CloudGenix to every location in the company’s network.
In addition to visibility, the metrics that the CloudGenix appliances capture give him and his team more insight into WAN performance, which makes it easier to identify and troubleshoot problems.
The analytics also help him predict bandwidth growth for existing sites and to properly provision new branches that come online.
Cash initially began investigating SD-WAN because his bandwidth costs were rising. About a third of Teleflex’s sites have both primary and secondary WAN circuits, but those secondary circuits were only available if the primary went down.
At the same time, bandwidth utilization was doubling every two or three years. Cash didn’t want to pay for more bandwidth on the primary circuits when he had unused secondary connections just sitting there.
He’d heard about SD-WAN and its ability to use multiple links, and decided it was time to investigate. After researching the market and putting five vendors through detailed Proof of Concepts (PoCs), he chose CloudGenix, an SD-WAN startup founded in 2013.
As promised, the CloudGenix appliances allowed him to send traffic across both circuits, which improved performance—and end user satisfaction—without additional costs.
As Cash rolled out SD-WAN appliances, he quickly realized additional benefits. Because the appliances sit at the WAN edge, they see all the traffic going into and out of each office. The CloudGenix appliances can identify hundreds of applications, and then collect essential metrics including bandwidth usage and performance.
Applications are identified using traditional and advanced methods, including cross-connection correlation; the identified application then serves as the anchor on which policies are built and statistics are reported.
Using these analytics, Cash and his team are enjoying several new capabilities.
First, the company can set and enforce usage policies to ensure that critical business applications, such as Skype for Business, get priority over things like Facebook or streaming video from YouTube.
Even more impactful is improved operations and troubleshooting thanks to detailed information captured by the appliances. “You can drill into new and concurrent flows for every application and transaction,” said Cash. He and his team can query flows by destination IP, protocol, or application. They can see the number of bytes, whether there were resets, and so on.
They also get performance metrics such as server response times, application round-trip times, and even MOS scores for VoIP and video traffic.
These analytics mean Cash and his team have an easier time isolating the root cause of an issue. For example, IT was getting complaints that the network was slow. They were able to identify Windows updates that were contending for bandwidth with other high-priority traffic, and then adjust policies to reduce contention.
They were also able to view a breakdown of whether poor response times were caused by the network or the server application, which further helped in problem isolation.
“The visibility is huge,” said Cash. “We can dive in right away and isolate issues.” Without this insight into applications and their performance, Cash said they would have to dig through firewall logs, hunt down an issue with pings and traceroutes, or reach out to the providers and put up with the usual finger-pointing as they tried to identify the problem.
Cash is training key members of his help desk team to work with the CloudGenix interface. The analytics and data captured by CloudGenix and surfaced in an intuitive GUI give Teleflex a single location they can use to monitor their global footprint and manage the WAN.
Many of Teleflex’s branch sites are too small to merit a full-time IT staffer, so support often comes from help-desk teams based in Ireland and Mexico, or regional staff who may travel to a remote site.
Given the distributed nature of tech support, it’s essential that IT have the tools to make remote troubleshooting feasible. Cash said the tech support team immediately saw the benefits of CloudGenix.
“They want to use it as their first tool when someone comes to them with a problem,” said Cash. “It reduces the time that a customer is going to be down or impacted.”
Cash also uses the information collected by CloudGenix to anticipate future bandwidth utilization.
“A tool like this can show us trends over time to let us better understand what we’ll need,” he said. “We can better plan for operational expenses going forward.”
There is a range of branch types at Teleflex, including manufacturing, distribution, R&D, and sales. These different branch types will have different usage profiles; for example, a sales site is likely to take advantage of Internet applications such as Salesforce but have less site-to-site traffic.
This kind of insight will let Teleflex anticipate bandwidth needs to get ahead of circuit procurement before it’s an issue. It will also help them turn up new sites more quickly because they can work from a basic template depending on the site’s role.
Last but not least, Cash also uses the metrics to produce regular reports for upper management.
The Traffic Engineer
A key capability for Teleflex is CloudGenix’s ability to do traffic engineering based on applications.
For instance, in some cases it makes sense to send some traffic, as defined by policy, directly to the Internet from the WAN edge. If a branch site uses a SaaS application such as Salesforce, Teleflex may want that traffic to go right onto the Internet rather than across a mesh to the primary data center first.
“Why would we want to pay to backhaul traffic to the data center?” said Cash. “We’d just drop it to the Internet at the data center anyway.”
In addition, application-based traffic engineering lets Cash and his team set policies regarding which link an application or service should use.
For example, in some branch locations where Teleflex uses an MPLS circuit and a broadband connection, Cash can set a policy in CloudGenix to send voice traffic via the MPLS connection.
And because the CloudGenix devices continuously probe WAN links to track current performance, Teleflex can set policies to let other traffic decide which connection to use based on which path has the best performance.
“We have QoS at the edge that’s intuitive,” said Cash. “And we can tweak it. If something is more important this week, we can tune it.”
No Greenfields Here
Aside from meeting needs around bandwidth and analytics, Cash chose CloudGenix because he found the company was willing to accommodate his legacy environment and work with him on particular deployment requirements.
“They want to make the product work for the customer, rather than telling the customer you need to do X, Y, and Z to make the product work,” said Cash.
Each Teleflex branch is part of a full-mesh VPN that’s linked by Check Point firewall/VPN appliances at every site.
Cash wanted the ability to essentially run two separate meshes in tandem as SD-WAN devices were rolled out. As each branch came up on the SD-WAN mesh, it also had to be able to route into the VPN mesh as well.
“Check Point has to live in tandem while we roll out SD-WAN,” said Cash. He says that requirement “…eliminated a lot of people from the field.”
“Right now we’re in the middle of the process,” he said. “We should be fully moved over by April.”
At sites where he has both the CloudGenix device and the Check Point box, the CloudGenix device is Internet-facing. As traffic leaves the branch, it passes through the Check Point box to CloudGenix.
Prior to deploying CloudGenix, Cash had configured the Check Point boxes so that Internet-bound traffic such as Salesforce or Skype for Business would go out locally, while traffic bound for another branch or the headquarters would go across the VPN mesh.
He preserved that configuration in the CloudGenix devices. The difference now is that Internet-bound applications can be aggregated across both the primary and secondary connections. He can also rate-limit applications such as YouTube and Facebook to ensure business apps get priority.
As for IPSec traffic that goes into the VPN mesh, the CloudGenix device doesn’t decrypt the VPN tunnel. Instead, the CloudGenix device is simply configured to direct IPSec traffic to the primary circuit. Because it’s encrypted, Cash can’t employ any fine-grained policies as of yet.
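To make the policy logic described above concrete (voice pinned to MPLS, other traffic following the best-performing probed path, recreational apps rate-limited, and the opaque IPsec tunnel simply pinned to the primary circuit), here is an added, hypothetical model of those rules. It is not CloudGenix code and does not reproduce its policy language; the link names, scoring formula, probe values and flows are constructed assumptions.

```python
from dataclasses import dataclass

# Added, hypothetical model of the policies described in the post; not CloudGenix
# code or policy language. Link metrics and flows are constructed sample data.

PRIMARY = "mpls"   # primary circuit; "broadband" is the secondary

@dataclass
class Link:
    name: str
    latency_ms: float   # constructed probe result
    loss_pct: float     # constructed probe result
    up: bool = True

@dataclass
class Flow:
    app: str            # classifier label, "unknown" if nothing matched
    protocol: str       # "tcp", "udp" or "esp"
    dst_port: int = 0

def classify(flow):
    # ESP, or NAT-T on UDP/4500, is the encrypted site-to-site tunnel: the edge
    # cannot see the application inside it, only that the flow is IPsec.
    if flow.protocol == "esp" or (flow.protocol == "udp" and flow.dst_port == 4500):
        return "ipsec"
    return flow.app

def best_link(links):
    # Healthiest probed path wins; loss is penalised heavily. None if all are down.
    healthy = [l for l in links if l.up]
    if not healthy:
        return None
    return min(healthy, key=lambda l: l.latency_ms + 10 * l.loss_pct).name

def select_path(flow, links):
    """Return (link_name, action) for one flow under the sample policy."""
    by_name = {l.name: l for l in links}
    app = classify(flow)
    if app in ("ipsec", "voice", "skype-for-business"):
        # IPsec is an opaque tunnel and voice is latency-sensitive: both are
        # pinned to the primary circuit, failing over only if it is down.
        link = PRIMARY if by_name[PRIMARY].up else best_link(links)
        return link, "forward"
    if app in ("youtube", "facebook"):
        # Recreational traffic is allowed but rate-limited so business apps win.
        return best_link(links), "rate-limit"
    # Everything else rides whichever path the probes say is best right now.
    return best_link(links), "forward"
```

With the constructed probe values, a lossy-but-faster broadband link still wins for ordinary traffic, while voice and the IPsec tunnel stay on MPLS until it goes down.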
Cash said it hasn’t been a problem having the firewall/VPN appliances and the CloudGenix devices interacting.
“When we first started testing, it took some time to add applications to CloudGenix to identify proprietary protocol stuff that Check Point does site to site. But once we could see that and build policy on CloudGenix, we haven’t seen conflicts.”
Once CloudGenix is deployed at each site, Cash plans to turn off the VPN feature in Check Point and just use the firewalls.
He also plans to begin swapping out some secondary private-line circuits with broadband connections. “Once you start adding up those savings, it sells itself,” he said.
For organizations that may be looking into SD-WAN, Cash says to invest some time in the PoC phase. He recommends knowing your specific requirements right out of the gate, and then being prepared to get into the weeds to parse the differences between vendors.
“This was so new to us, we weren’t even quite sure what to test,” he said.
He also says potential customers shouldn’t automatically discount smaller players and startups.
“Look to the little guy. The biggest name doesn’t mean the best.”
Interested in how CloudGenix SD-WAN can help? Visit www.cloudgenix.com/trial for a free trial!