5G, SD-WAN, SASE Technologies
  • MPLS L3VPN Inter-AS Option A, B, and C

    MPLS-TE: comparing SPF (OSPF/ISIS) with CSPF (OSPF-TE/ISIS-TE)

    IP Networks for the cloud, 5G and IoT era:

    IP Network Requirements:
    • Multiples - Capacity and fan-in
    • Superior - Capability and agility
    • Fraction - OpEx and complexity

    Networks of the future must be:

    • Bigger, faster & more efficient
    • Safer
    • More adaptable
    Connecting the Internet of Things - New opportunities, and threats:
    • No perimeter:
      • Large attack surface
      • Countless sources
    • Malicious user traffic:
      • Hackers and cyber criminals
      • Terrorists and anarchists
    • Many vulnerabilities:
      • Hijacked cloud servers, IoT devices
      • Essential services (DNS, AAA, NFV)
    • Distributed DoS attacks:
      • Causing widespread outages
      • Increasing frequency and volume

      Denial of service = no service! Service availability is gated by network security

    Unmitigated DDoS attacks can cause massive outages within hours - Time is of the essence to detect and stop them

    Major DDoS attack on Dyn disrupts AWS, Twitter, Spotify and more - 21 Oct. 2016 by Sebastian
    Cloud and IoT are fueling major DDoS attacks - Security is an ongoing and evolving threat:
    • Increasing scale and complexity:
      • Higher internet upload speeds
      • More connected IoT devices
      • Many vulnerabilities. DDoS as a service
    • Increasing attack frequency:
      • 100G+ attacks are a daily occurrence
      • Bi-weekly attacks in 300 - 600G range
      • Multiple attackers (Mirai, Kaiten, XOR, Spike, ...)

    Mirai: The first open-source IoT botnet:

    • Sep 2016:
      • 600G attack on security expert Brian Krebs's website
      • 1.1T attack on OVH, a French web hosting company
    • Oct:
      • Mirai source code is released publicly
      • 1T+ flooding attack on DynDNS
    • Nov:
      • Attack on DT, disabling 900,000 home routers

    Terabit DDoS attacks will soon be the norm. Is your network prepared for this?

    DDoS mitigation Present Mode - The network is part of the problem:

    • IP routers backhaul DDoS traffic to scrubbing center
    • Network appliances detect and filter DDoS traffic
    • High cost, partial protection and poor scalability

    Escalating cost of backhaul capacity and scrubbing appliances to mitigate DDoS attacks

    DDoS mitigation Future Mode - The network is part of the solution:

    • Cloud-based DDoS detection and analysis
    • Filtering volumetric DDoS traffic at the IP edge
    • Network-wide protection with superior scalability

    Scalable, distributed solution to mitigate volumetric Distributed Denial-of-Service attacks

    Detecting and mitigating DDoS attacks - Packet inspection and signature detection:

    DDoS flows can be detected by inspecting the IP packet payload for tell-tale signature patterns:

    • Conventional IP routers are unable to look beyond the "5-tuple" IP packet header fields
    • DPI appliances can look deeper into the packet, but their forwarding capacity is very limited

    How to mitigate DDoS flooding attacks containing 100,000s of flows?

    Denial of Service attacks: Top 10 threats:

    • UDP amplification-based attacks using "reflection"
    • DNS/NTP reflector attacks:
      • Abuse DNS/NTP protocol aspects to generate a large payload from small requests
      • Use IoT botnets to amplify the attack (nature of DDoS)
      • Hard to detect and mitigate. Must be surgically blocked
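    Added example (not from the original notes or any vendor): a flow-record detector for the "filter volumetric DDoS at the IP edge" model and the DNS/NTP reflection threat above. It aggregates NetFlow/IPFIX-style records per (victim, reflector port) and alerts only when all three reflection symptoms coincide: high aggregate rate, many distinct sources, and large datagrams. The resulting drop rule uses header fields only (UDP source port, victim address, packet length), so it can be pushed to a conventional edge router without DPI and blocks the amplified replies "surgically" rather than blackholing the victim. The thresholds, the `Flow`/`Alert` types and the sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Service ports abused as reflectors; the notes name DNS and NTP, and the dict
# can be extended with other UDP amplifiers the operator cares about.
REFLECTOR_PORTS: Dict[int, str] = {53: "DNS", 123: "NTP"}
UDP = 17


@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow/IPFIX-style), header fields only."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int


@dataclass(frozen=True)
class Alert:
    victim: str
    service: str
    sport: int
    sources: int       # distinct reflector addresses seen
    mbps: float        # aggregate rate toward the victim from this service port
    avg_pkt: float     # mean datagram size; amplified replies are large


def detect_reflection(flows: List[Flow], window_s: float,
                      min_mbps: float = 100.0, min_sources: int = 50,
                      min_avg_pkt: float = 512.0) -> List[Alert]:
    """Aggregate UDP flows per (victim, reflector port) over one export window.
    A reflection flood shows three things at once: high aggregate rate, many
    distinct sources (the reflectors) and large datagrams (the amplification).
    Thresholds are assumed illustrative values to be tuned per network."""
    agg: Dict[tuple, dict] = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for f in flows:
        if f.proto != UDP or f.sport not in REFLECTOR_PORTS:
            continue
        bucket = agg[(f.dst, f.sport)]
        bucket["bytes"] += f.bytes
        bucket["packets"] += f.packets
        bucket["sources"].add(f.src)

    alerts: List[Alert] = []
    for (dst, sport), b in agg.items():
        mbps = b["bytes"] * 8 / window_s / 1e6
        avg_pkt = b["bytes"] / b["packets"] if b["packets"] else 0.0
        if mbps >= min_mbps and len(b["sources"]) >= min_sources and avg_pkt >= min_avg_pkt:
            alerts.append(Alert(dst, REFLECTOR_PORTS[sport], sport,
                                len(b["sources"]), mbps, avg_pkt))
    return sorted(alerts, key=lambda a: -a.mbps)


def edge_filter(alert: Alert, min_length: int = 512) -> dict:
    """Header-only drop rule for the IP edge: UDP from the abused service port,
    toward the victim only, and only datagrams larger than a normal reply.
    Small legitimate answers and every other flow to the victim stay up, which
    is the surgical block the notes ask for instead of blackholing the victim."""
    return {"action": "drop", "proto": "udp", "src_port": alert.sport,
            "dst": alert.victim, "min_length": min_length}


# Constructed sample for a 10 s export window (documentation addresses only):
# 60 open resolvers each returning 2000 amplified answers of 1200 bytes to one
# victim, plus ordinary DNS/NTP replies and a large TCP download that must not fire.
SAMPLE_FLOWS: List[Flow] = [
    Flow(f"198.51.100.{i}", "203.0.113.10", UDP, 53, 40000 + i, 2000, 2_400_000)
    for i in range(1, 61)
] + [
    Flow("198.51.100.200", "203.0.113.10", UDP, 53, 50000, 10, 1_000),      # normal small DNS answer
    Flow("198.51.100.201", "203.0.113.20", UDP, 123, 50001, 100, 9_000),    # normal NTP replies
    Flow("192.0.2.7", "203.0.113.10", 6, 443, 50002, 50_000, 70_000_000),   # big HTTPS download, TCP
]

if __name__ == "__main__":
    for a in detect_reflection(SAMPLE_FLOWS, window_s=10):
        print(a)
        print(edge_filter(a))
```

Requiring all three symptoms together is what keeps a single busy resolver or a legitimate large download from tripping the rule; the `min_length` in the filter is the piece that distinguishes amplified replies from the small answers a real client still needs.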
    Insight driven automation - Growing list of use cases:
    • Automated IP Network Security:
      • Multiple tier 1 SPs - DDoS Attack Mitigation
    • Service automation with dynamic assurance:
      • Multiple tier 1 SPs - Dynamic IP/MPLS services
      • Multiple tier 1 SPs - On-demand IP/MPLS services
    • Multi-dimensional flow steering:
      • Global webscale company - Peering/CDN optimization
      • EMEA content provider - High quality experience
      • APAC tier 1 ISP - High quality OTT experience

    5G Addressing Diversified Network Requirements:

    • Extreme Mobile Broadband:
      • Devices 1.5GB/day
      • Mobility on Demand
      • >10 Gbps peak data rates
      • 10,000 x more traffic
      • 100 Mbps whenever needed
      • Capacity on Demand
    • Critical machine communication:
      • Smart factories 1 PB/day
      • Autonomous driving 1ms latency
      • <1 ms radio latency
      • Coverage on Demand
      • Ultra reliability
    • Massive machine communication:
      • Billions of sensors connected
      • Connectivity on Demand
      • Security on Demand
      • 1 Million Connection/SqKm

    Key trends on the path to 5G - and their implications on transport networks:

    • New spectrum options, multi-connectivity and carrier aggregation - More transport capacity to support 10x rise in demand
    • Densification - Higher port density to accommodate macro/small cells
    • Evolution to Cloud RAN - New RAN architectures, use of ethernet for fronthaul
    • Proximity of content to users - Diverse topologies, Multi-connectivity to different networks
    • 5G/IoT coming but 2G/3G/4G not leaving - Support old and new, w/ scale & security for 1,000x devices
    • Customer experience is king - Adequate transport must be in place ahead of RAN

    The evolution of mobile transport to 5G:

    1. 5G anyhaul
    2. Converged any-G transport 2G/3G/LTE with 5G
    3. Fixed-mobile convergence
    4. Multi-access edge computing (MEC) and radio cloud centers interconnectivity
    5. SDN control

    Universal need for mission-critical communication networks - Different Business Objectives and Challenges:

    • Energy and resources:
      • Power utilities
      • Oil, gas & mining
      • Smart grid
      • Monitoring & automation
    • Transportation:
      • Railways
      • Highways
      • Aviation
      • Passenger experience
      • Efficient operation
    • Public sector:
      • Government
      • Defense
      • Public safety
      • Multi-agency networks
      • Safety and Security
    • Large enterprises:
      • Automotive
      • Finance & insurance
      • Healthcare
      • Digital banking
      • Telemedicine, telehealth

  • Transformation to 5G network:
    1. Build 5G capabilities into the existing IP Transport Network:
      • mmWave/vRAN
      • Fronthaul
      • Segment Routing
    2. Evolve traditional packet core to virtual (or hybrid) solution:
      • CUPS
      • Distributed Functions
      • Edge Compute
    3. Automate and Simplify:
      • NSO
      • WAE
      • Ultra-Automate
      • Analytics and Telemetry
    4. Secure:
      • Devices
      • Network
      • Cloud


    Segment Routing Migration Strategies and Case Studies:

    Current Deployment Landscape:

    Current State of SP Network Deployments:
    • Decades of Technical Evolution and Deployment
    • Vast Array of Technologies in Core, Edge, Access and Data Centers
    • Huge CapEx Investment. Cannot be simply uprooted
    • Complex, multigenerational Networks

    Evolution of Technical Architectures and Protocols - over last few decades:

    • Native L2:
      • Low Cost, Plug & Play
      • IRB creates L3 overlay network to support TDM
      • STP/PVST/RPVST -> G.8032, REP, MC-LAG
    • IP/MPLS - to Access/Aggregation:
      • Unify services (TDM, Ethernet)
      • Common MPLS (access, aggregation, Core)
      • Remote LFA, Auto IP Ring
    • Unified MPLS - for Scale:
      • Operational Simplicity Model
      • Remove majority of protocols on access/aggr devices

    • karneliuk.com/2016/01/ccie-what-you-need-to-know-about-study-process

    • www.flowtable.net/remote-lfa-2

    • Virtual Extensible LAN (VxLAN):

    • Building DataCenter Networks with VXLAN BGP-EVPN

    • MPLS + SDN + NFV World Congress Public Multi-Vendor Interoperability Test 2017:

    Segment Routing:

    • www.bloggang.com/viewblog.php?id=likecisco&date=19-11-2016&group=12&gblog=1

    • www.facebook.com/groups/CCNAHunterGroup/permalink/1707585259544859

    • blogs.cisco.com/sp/segment-routing-fundamental-to-make-your-network-sdn-ready

    • LTRRST-2500 - Get your hands dirty - Segment Routing on IOS-XR and IOS-XE (2017 Berlin)

    • www.ozguler.co/blog/why-should-i-do-segment-routing
  • SD-WAN:

    • SD-WAN helps organizations in America and Europe cut inter-branch network costs by up to 400 times compared with MPLS:

    • Getting to know SD-WAN:

    • Free eBook giveaway: Software-Defined WAN for Dummies:

    • 4 must-have features in SD-WAN:

    • SDN, SD-WAN, NFV, VNF: do you know which one is the hottest???:

    • What is SDN & SD-WAN?:

    • 7 SD-WAN facts infographic:

    • How to reduce MPLS cost with SD-WAN


    • The VMware SD-WAN by VeloCloud architecture: VCO, VCG/VCC, & VCE

    • SD-WAN Visibility & Control:

    • Network & SD-WAN overlay and how to config it on VMware SD-WAN:

    • SD-WAN Redundancy part 1: EDGE redundancy options:

    • SD-WAN Redundancy part 2: Spoke/Branch HA design options:

    • SD-WAN Redundancy part 3: Hub/DC HA design options:

    • 4 Key Functionalities of DMPO Info-graphic:
      The mechanisms that put the DMPO feature ahead of competitors are:
      1. Latency check using the (T0+T1)/2 principle, with the packet type check further split into 3 variants by traffic type and MTU size
      2. Jitter check following RFC 3550, likewise split by traffic type and MTU size
      3. Packet loss check by stamping a sequence number onto the front of each packet and checking at both ends whether any were dropped
      4. Dynamic application recognition using Qosmos, the market leader in DPI (NBAR is outdated now)
      5. Per-packet forwarding, removing the limitation of traditional routers that load-balance per flow
      Cr: Chow@VMware
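    Added example (my own illustration, not VMware's DMPO code): the three link-quality measurements listed above implemented over a stream of sequence-numbered probes. Latency is taken as (T0+T1)/2, where I read T0 as the forward one-way delay and T1 as the return delay (an assumption about the formula); their sum equals echo minus send time, so the receiver's clock offset cancels. Jitter is the RFC 3550 interarrival jitter estimator, and loss is derived from sequence gaps, with an optional sent-count so probes lost at the tail of the window are counted as well. Probes are grouped by traffic class and probe size so each variant is judged separately. The `Probe`/`LinkQuality` types, thresholds, class labels and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    """One path probe, recorded by the sender once the far end has echoed it.
    Timestamps are seconds; 'sent' and 'echo' are on the sender clock,
    'recv' is on the receiver clock (which may be offset)."""
    seq: int                            # sequence number stamped on the probe
    sent: float                         # when it left the sender
    recv: float                         # when the receiver saw it
    echo: float                         # when the echo reached the sender
    traffic_class: str = "realtime"     # hypothetical class label
    size: int = 64                      # probe payload bytes (small vs MTU-sized)


def one_way_latency(p: Probe) -> float:
    """Latency check as (T0 + T1) / 2: T0 forward delay, T1 return delay.
    T0 + T1 == echo - sent, so the receiver clock offset drops out."""
    t0 = p.recv - p.sent
    t1 = p.echo - p.recv
    return (t0 + t1) / 2.0


def rfc3550_jitter(probes: Iterable[Probe]) -> float:
    """Interarrival jitter per RFC 3550 section 6.4.1:
       D(i,j) = (R_j - R_i) - (S_j - S_i);  J = J + (|D| - J) / 16."""
    j = 0.0
    prev: Optional[Probe] = None
    for p in sorted(probes, key=lambda x: x.seq):
        if prev is not None:
            d = (p.recv - prev.recv) - (p.sent - prev.sent)
            j += (abs(d) - j) / 16.0
        prev = p
    return j


def packet_loss(probes: Iterable[Probe],
                sent_count: Optional[int] = None) -> Tuple[int, int, float]:
    """Loss from sequence gaps as (expected, lost, loss_ratio).  Pass sent_count
    when the sender knows how many probes it emitted so that probes lost at the
    tail of the window are counted too; a max-seq scan alone cannot see those."""
    seqs = {p.seq for p in probes}          # duplicates collapse here
    if not seqs:
        return (sent_count or 0, sent_count or 0, 1.0)
    expected = sent_count if sent_count is not None else max(seqs) - min(seqs) + 1
    lost = expected - len(seqs)
    return expected, lost, lost / expected


@dataclass(frozen=True)
class LinkQuality:
    latency: float      # mean (T0+T1)/2 over received probes, seconds
    jitter: float       # RFC 3550 jitter, seconds
    loss_ratio: float   # lost / expected
    state: str          # "healthy", "brownout" or "blackout"


def assess(probes: List[Probe], sent_count: Optional[int] = None,
           max_latency: float = 0.150, max_jitter: float = 0.030,
           max_loss: float = 0.01) -> LinkQuality:
    """Classify one probe stream.  Thresholds are assumed illustrative values."""
    expected, lost, ratio = packet_loss(probes, sent_count)
    if not probes:                       # nothing came back at all
        return LinkQuality(float("inf"), float("inf"), 1.0, "blackout")
    latency = sum(one_way_latency(p) for p in probes) / len(probes)
    jitter = rfc3550_jitter(probes)
    degraded = latency > max_latency or jitter > max_jitter or ratio > max_loss
    return LinkQuality(latency, jitter, ratio, "brownout" if degraded else "healthy")


def assess_by_class(probes: List[Probe],
                    sent_per_class: Optional[Dict[Tuple[str, int], int]] = None
                    ) -> Dict[Tuple[str, int], LinkQuality]:
    """Judge each (traffic_class, size) variant on its own, as the notes describe."""
    groups: Dict[Tuple[str, int], List[Probe]] = {}
    for p in probes:
        groups.setdefault((p.traffic_class, p.size), []).append(p)
    counts = sent_per_class or {}
    return {k: assess(v, counts.get(k)) for k, v in groups.items()}


# Constructed sample: 8 probes sent 100 ms apart with 20 ms each way;
# seq 5 never came back and seq 3 was delayed 8 ms on the forward path.
SAMPLE: List[Probe] = [
    Probe(1, 0.0, 0.020, 0.040),
    Probe(2, 0.1, 0.120, 0.140),
    Probe(3, 0.2, 0.228, 0.248),
    Probe(4, 0.3, 0.320, 0.340),
    Probe(6, 0.5, 0.520, 0.540),
    Probe(7, 0.6, 0.620, 0.640),
    Probe(8, 0.7, 0.720, 0.740),
]

if __name__ == "__main__":
    q = assess(SAMPLE, sent_count=8)
    print(f"latency={q.latency * 1000:.2f}ms jitter={q.jitter * 1000:.3f}ms "
          f"loss={q.loss_ratio:.3f} state={q.state}")
```

The sample window shows why the loss check and the jitter check are separate signals: one dropped probe in eight already marks the path as a brownout even though latency and jitter stay well inside their limits.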

    • VMware SD-WAN Security Architecture part 1: Secure Control, Data and Management Plane:

    • If dual MPLS is too expensive!! Try switching to hybrid WAN instead!!:

    • Network Services:
      • Direct: generally used for non-critical, trusted Internet applications that should be sent directly, bypassing the DMPO tunnel; for example Netflix, services that are not business applications, and high-bandwidth services that should not be sent through the DMPO tunnel
      • Multi-Path: granted to important applications; Internet traffic is sent to the VCG

    • SD-WAN origins: the road to becoming the first VMware SD-WAN Service Provider in Thailand + predictions for 2021:

    • A look at the VMware SD-WAN Architecture:

    • Enabling a secure overlay and providing insertion of network services are benefits of VMware SD-WAN.

    • Access to cloud-based enterprise applications is one of the characteristic features of VMware SD-WAN Gateways.

    • SD-WAN is an overlay solution.

    • Ignite Activation Networking SD-WAN includes Enablement training, Sales metrics, and Marketing, professional solutions development & professional services development elements

    • The sales metrics which include Milestone 1 + Milestone 2 can be completed throughout both Milestone time periods to meet the requirement.

    • The Weekly Progress Report Summary in the Ignite reporting tool provides an overview of teams' progress within the Milestone.

    • All registrations for enablement trainings must be completed by Week 3.

    • For all Ignite Activation Networking SD-WAN questions, reach out to IgniteNetworking[at]VMware.com.

    • Dynamic Multi-path Optimization provides dynamic per-packet steering and continuous link monitoring and remediation.

    • The unique hybrid SaaS service includes a hosted VMware SD-WAN Orchestrator and the VMware SD-WAN Edge.

    • VMware SD-WAN Orchestrator provides management features.

    • The Gateway is used to provide a managed, reliable on-ramp to cloud applications.

    • WAN is a common bottleneck for large retail stores.

    • Enabling branch transformation, optimizing cloud access, and simplifying WAN management are the benefits of VMware SD-WAN.

    • VMware SD-WAN employs an overlay architecture.

    • Resource allocations and error correction are automatically applied based on business policies and application priorities.

    • Gateways are included in the PCI service provider.

    • Not using customer names for enterprises and cleaning up changes after a demo are the tips to follow when creating new config objects.

    • DMPO and Orchestrator are the core functionalities of VMware SD-WAN.

    • VMware SD-WAN is offered in Standard, Enterprise, and Premium editions.

    • Cloud-delivered, a robust platform for delivering services, and an overlay solution for rapid branch deployments are some product strengths of VMware SD-WAN solution.

    • The role Dynamic Multi-path Optimization plays is dynamic per-packet steering of applications to the best available link.

    • VMware SD-WAN solves branch challenges by utilizing any available transport, simplifying WAN management, and optimizing cloud access.

    • The Overlay Flow Control (OFC) feature gives insight into where the exit point of a subnet is in the SD-WAN network.

    • Simplified WAN management, Assured Application Performance, and Managed on-ramp to the cloud are the key differentiators of VMware SD-WAN.

    • Destination IP address, TCP Port number, and DPI application signature can be used to classify applications in a business policy.

    • A hosted service and a software solution are the types of VMware SD-WAN Gateway solution.

    • CPE Upgrade, Migration of application to cloud services (SaaS), and WAN contract renewal are common scenarios when identifying a sales opportunity.

    • 20 is the maximum number of WAN Routers that can be assessed in the Pre-SD-WAN Assessment.

    • A Pre-SD-WAN Assessment cannot be run using the vRNI Advanced License.

    • The vRNI Pre-SD-WAN Assessment generates a PDF report including Pre & Post-SD-WAN state, Bandwidth utilization, and Top service endpoints.

    • The vRNI Pre-SD-WAN Assessment provides SD-WAN Edge recommendations for each site along with calculations for customers' CAPEX and OPEX savings.

    • SNMP, SSH, and Netflow are required to be configured on the WAN Router for the Pre-SD-WAN Assessment.


    • Current State and Network Challenges:

    • Cato's Disruptive WAN Architecture - The Answer:

    • Intelisys Whiteboard Session: Cato Networks:

    • Cato Prospect Discovery:

    • s3-us-west-2.amazonaws.com/ab-media-prod-01/catonetworks-ab/2019/06/Cato-Cloud_Solution-Brief_NUM171.pdf

    • partners.catonetworks.com/wp-content/documents/catonetworks/uploads/2019/07/Cato-Networks-Security-as-a-Service-002.pdf

    • s3-us-west-2.amazonaws.com/ab-media-prod-01/catonetworks-ab/2019/06/Cato-Networks-Cheat-Sheet-2019.pdf

    • Customers use MPLS to connect their physical locations while avoiding sending latency/packet-loss-sensitive applications over the unpredictable Internet.

    • Why should a customer consider CATO cloud as an MPLS alternative:
      • Need to reduce MPLS costs and/or increase network capacity but without compromising on quality and availability.
      • Need a managed service that is agile, customer-centric, and tailored to the needs of the digital business.
      • Need to optimize and secure access to cloud data-centers and/or cloud applications.

    • For the mobile workforce, Cato offers natively integrated global connectivity for mobile users, allowing optimized and secure access to enterprise resources and to the Internet.

    • Cato's SD-WAN differs from other SD-WANs in that it is delivered as a cloud service with a private backbone for global connectivity, integrated security, and cloud and mobile access.

    • What makes Cato's ILMM (Intelligent Last Mile Management) service unique is that it uses link profiling to identify and report on blackouts as well as brownouts (quality degradation).

    • The NGFW used in Cato's security stack is one Cato built itself, natively integrated into its service.

    • Cato's integrated NGFW is unique compared to other gateway firewalls in that it governs both North-South (Internet) and East-West (WAN) traffic, rather than just North-South.

    • The capabilities included in Cato's security stack:
      • Intrusion Prevention System (IPS) as a Service
      • Known and zero-day malware prevention
      • Application aware access control for both WAN and Internet

    • A natively integrated TCP proxy is the WAN optimization technology provided by Cato Cloud to maximize file transfer speed.

    • Cato customers use Cato Socket edge SD-WAN appliances.

    • When Cato's customers grow in users, traffic, or sites, they simply contact Cato's partner and adjust the subscription.

    • A CFO must reduce global MPLS WAN connectivity costs: Cato can help by using last-mile Internet together with Cato Cloud.

    • A CIO needs more bandwidth in an MPLS-based network with the same budget: using last-mile Internet together with Cato can keep the same spend and increase capacity.

    • A customer has 20 offices with Fortinet UTMs that are about to expire: Cato's FWaaS can easily replace all UTMs with security as a service, also transitioning from CAPEX to OPEX.

    • Cato is the ONLY vendor that can address regional SD-WAN needs and also security, cloud access and mobile access needs - all in one cloud-service platform.

    • Cato uses multiple SLA-backed backbone connections between all its PoPs, and proprietary routing software that always chooses the optimal path for each packet in real time.

    • For the last mile, Cato supports aggregation of multiple Internet links (fiber, DSL, cable, and LTE) to establish a highly available connection to Cato's Cloud. On the middle mile, it provides a five-nines SLA similar to MPLS providers.

    • Cato has built a software-based, global network that has full control of the routing like MPLS networks, so it definitely can guarantee MPLS-like experience. The price difference is a result of Cato being a pure software-based solution.

    Huawei 5G:

    • 5G Motivation and Industry Progress: Introduction to 5G

    • 5G does not equal 4G + 1G; 4G + 1G is just 10% of 5G. 5G + ABC (AI, Big data, & Cloud).

    • Ideal/ultimate-experience Virtual Reality (VR) requires 9.4 Gbps; only 5G networks can support that, since 4G LTE supports just 100 Mbps.

    • The maximum 5G E2E latency/design requirement is 1ms.

    • 5G The Road to A Super Connected World:

    • Internet of Vehicles (IoV) and Vehicle-to-everything (V2X) services belong to the ultra-Reliable Low Latency Communication (uRLLC) scenario.

    • The 5G network supports 1 million connections per square kilometer.

    • The challenges faced in the 5G era:
      • Explosive growth in Mobile BroadBand (MBB) data traffic.
      • Number of connected devices has increased dramatically.
      • Ultra-low latency is required for Vehicle-to-Vehicle (V2V) communication.

    • Connect future “The world connected by 5G”:

    • Introduction to Microsoft HoloLens and Holographic technology:

    • China turns to AI, robots in coronavirus control:

    • Chinese cops use facial recognition smart glasses to identify suspects in crowds:

    • 5G driverless smart bus:

    • 5G Tele-Operated Driving:

    • In the 5G charging model, customers can be charged based on Traffic Value, Speed Value, Latency Value, Connectivity Value and Time Value.

    • In enhanced Mobile BroadBand (eMBB), the maximum download speed is 10Gbps.

    • Network slicing can be understood as a logical network that serves services for a specific requirement.

    • For Frequency Range 1 (FR1), the maximum supported bandwidth of a NR cell is 100 MHz.

    • The frequency range of 5G C-Band is 3.4~3.6GHz.

    • The Key Technologies of 5G Core Network:
      • Service Based Architecture (SBA)
      • Cloud Native
      • Control and User Plane Separation (CUPS)
      • Slicing

    • The driving forces of digital transformation are Revenue Decline/OPEX Increase, Changing customer expectation, and The Changing ICT Market.

    • The key objectives of 'Digitization' are Operational efficiency, Reliability, and Cost savings.

    • The characteristics of Multi-access Edge Computing (MEC), formerly Mobile Edge Computing, are connectivity and content moving downward to the edge, and computing moving upward to the edge.

    • How can carriers enable digital transformation in the 5G era?
      5G + 4G + Artificial intelligence, Internet of things, Cloud computing, big Data and Edge computing (AICDE) + Ecology + Industry application and solutions => 5G+X.

    • uRLLC and massive Machine Type Communication (mMTC) scenarios enable vertical industries and significantly support the to-Business (2B) market.

    VMware SD-WAN Migration:

    • BGP next-hop-self can't be done here; it needs to be done on the connected router.

    • Don't advertise VCO public subnets via private MPLS.

    • Prisma Access Integration Guide (Panorama Managed):

    • IP prefix list: unticking "exact match" = le 32

    • Don't try to migrate the router to SD-WAN by working on the underlay network; it will waste your time in troubleshooting. Change your mindset: this is an overlay technology.

    • VMware SD-WAN Service Provider Lab Guide:

    • The underlay balances traffic per best path, but the overlay does so per packet.