Post on 30-Jan-2018
SOLUTION GUIDE
Hybrid WAN Solutions with FortiWAN
The cost-effective way to deliver the WAN bandwidth and redundancy your organization demands
Overview
Almost every organization faces the need for increased WAN bandwidth for its data center and branch office networks. The recent explosive
growth in cloud-based applications and video is significantly impacting the ability for traditional WAN networks to handle the load and in
many cases is adding increased latency. MPLS and metro Ethernet can easily be upgraded in most cases to handle the load, however at
a very steep price that most organizations can’t afford. There are many other technologies that offer high-speed bandwidth such as DSL,
Cable and LTE, however integrating them into a seamless business-class WAN has proven challenging in the past.
Link Load Balancers have evolved significantly in the past few years into intelligent WAN optimization tools that can manage multiple links
from virtually any technology and from multiple carriers. This multi-technology, multi-carrier approach is called the “Hybrid WAN” and is
enabled by WAN Link Load Balancers such as Fortinet’s FortiWAN product line.
In this solution guide we’ll take a look at the drivers behind the need for increased bandwidth, introduce you to the key technologies in our
FortiWAN products and how they are applied to WAN bandwidth management, provide information on the top use cases for Hybrid WAN
implementations, and briefly discuss the integration of the Hybrid WAN into Software Defined Networking (SDN).
Everyone Needs More Bandwidth
It’s tough to find a business that says it has just enough WAN bandwidth to meet its needs and that’s content with its monthly fixed line,
MPLS or Metro Ethernet bills. Each year business Internet traffic usage is growing at a 20% rate and is expected to reach over 22 exabytes
of traffic by 2017 from 16 exabytes in 2015. To put that in perspective, 1 exabyte is 1 billion gigabytes or roughly equivalent to 3,000 times
all the text, audio and video stored in the U.S. Library of Congress. Behind this are the growth of video for business use, cloud-based
applications and the consolidation of virtual devices centrally driven by virtualization technologies.
Some organizations have more specific drivers for increased WAN bandwidth. For example, hotel properties with guest Wi-Fi services find
that networks optimized for content delivery are stressed when guests are uploading video to YouTube or syncing photos to cloud-based
servers. An unfortunate few are in areas where they’ve hit the maximum bandwidth available to deliver business connectivity and don’t have
easy or inexpensive options without having to pay their telco carrier to run new higher-capacity WAN links to their locations.
Old WANs, New Problems
Years ago if you needed to connect a remote location to your data
center you added a leased line from your telco carrier. If you added
more locations, you added more leased lines ranging from T1s to
DS3s and fractions thereof depending on your needs. Technologies
like Frame Relay cropped up and faded away giving way to the
predominant technology today, Metro Ethernet, usually with MPLS.
Metro Ethernet is a very flexible IP-based technology that connects
your locations to a carrier’s Ethernet network and can easily be
bridged to the Internet. MPLS is an overlay technology that creates
virtual private networks at the layer 2 level that isolates traffic
between locations to make it appear that any remote location is
directly connected to your data center or other location. Carriers
offer the ability to bridge MPLS networks to the Internet for a fee or
that can be done at your data center with various routing options.
These technologies continue to work well for organizations that
need dedicated SLAs, guaranteed uptime and have deep pockets
to pay for bandwidth upgrades as their traffic volumes grow. There
are some limitations though.
Metro Ethernet with MPLS will generally only work within the
geographic boundaries of a telco carrier. This means if you have
a remote location in an area not served by the carrier, you’ll need
to look to dedicated leased lines or use a secondary MPLS from
another carrier. Also, although Metro Ethernet and MPLS have very
high SLAs, usually ranging from 99 to 99.999% uptime, there still
exists the possibility of outages from a few hours to a few days
each year. Depending on the needs of your organization that can
represent significant losses. You can deploy a secondary backup
MPLS network, but that isn’t practical in many situations and will
be very cost prohibitive except for large organizations.
Many smaller organizations have successfully deployed VPNs
over Internet services as a less expensive “DIY” option for remote
connectivity. Usually tied to a firewall, they bypass the need for
carrier-managed services, but it can be challenging to bridge
multiple VPNs for traffic expansion and to add additional bandwidth
to an existing platform.
The greatest challenge facing traditional WAN technologies is
pricing. Any of the traditional WAN technologies can provide you
virtually unlimited bandwidth for your needs, however that comes
at a very high price. For example, Metro Ethernet typically is a
tiered pricing model where if you only need a few hundred extra
megabytes of throughput, you may have to jump to a higher tier for
a full gigabyte, which in some cases may double or even triple your
monthly service bill.
Challenges to Traditional WANs
Growth in bandwidth driven
by Internet-based applications
like video and hosted
applications strains traditional
networks. MPLS and other
carrier-based networks are
expensive and don’t always
serve all your locations.
WAN Connectivity with a Hybrid WAN
In most cases the “old school” WAN backhauled most if not all
traffic to the data center. In some cases today that is still needed in
certain industries, but for most it’s overkill. Not only does Internet
traffic strain your backhaul to the data center, in most situations it
introduces a significant amount of latency for things like video and
cloud-based applications like SalesForce.com and even Google
Docs.
If you really take a good look at your Internet traffic, you’ll most
likely find there are many applications that don’t need the
guaranteed throughput and SLAs of a carrier-based WAN. There’s
a great opportunity to get this off your core network and route it
directly from a branch to the Internet without having to go all the
way back to your data center to only be sent to the Internet from
there.
There are also many low-cost options for Internet connectivity like
DSL and Cable modem services. These can be up to 1/20th the
cost and offer speeds that are comparable to the lower pricing
bands of Metro Ethernet.
The question is how can you leverage lower cost Internet options
without the complexity of managing various point solutions for
your WAN?
A Hybrid WAN can take your existing WAN infrastructure and seamlessly combine it with other lower-cost Internet technologies to give
you the bandwidth you need on a platform that is easy to manage. Virtually any Internet technology such as MPLS, Metro Ethernet,
leased lines, DSL, Cable Modems, LTE and Satellite can be implemented to add links to your WAN to either add bandwidth or to provide
redundancy and resilience to your network. Hybrid WAN can also link multiple MPLS or VPN networks together into one large network
that can span multiple geographies and ensure almost 100% network availability.
The Evolution of the Link Load Balancer
The Hybrid WAN is built on the technology of the humble Link Load Balancer. Most IT
professionals today still think of a Link Load Balancer as a tool to provide backup link
redundancy should a primary WAN link go down. And yes, there are still many that are sold
today expressly for that purpose. There are also many firewalls, routers and application
delivery controllers that also include basic link backup and link load balancing.
An advanced WAN Link Load Balancer uses basic link health checking, failover and link
restoration functionality and adds many advanced features that take full advantage of the
links coming in and out of your data center and remote locations to create a dynamic
Hybrid WAN.
There are 5 key features to a WAN Link Load Balancer that enable a Hybrid WAN and
separate it from basic link monitoring and failover:
Optimum Routing: Monitoring performance and directing traffic to the best
available link.
Policy Based Routing: Configurable business rules that use traffic and application type
to route traffic to specific links.
Quality of Service: Prioritization by traffic type to ensure latency-vulnerable traffic (such
as voice and video) is provided the bandwidth it needs to minimize disruptions.
Link Aggregation (tunnel routing): The ability to assign individual links to create a
larger virtual tunnel that appears and acts as a single link between sites.
DNS Multihoming: Inbound traffic management and IP reassignment of URLs to ensure
seamless access to internal resources from external users.
These features enable you to easily add almost any Internet technology and bandwidth
to your WAN by simply adding new links. As long as there’s an Ethernet port to plug into,
they can be added to your network and be configured to add backup capabilities, offload
Internet traffic from your data center backhaul, or create larger private links without the
need for additional investments in your MPLS infrastructure.
Can’t a Firewall or ADC Support Hybrid WANs?
There are many appliance solutions
that offer some degree of link load
balancing. The most common are
available in firewalls and Application
Delivery Controllers (ADCs).
Most firewalls offer an “all or nothing”
failover option where if a link goes
down, all traffic is automatically
routed to the remaining link. This
is great for redundancy, however
you’re paying for a live link that’s
only used for backup. A WAN link
load balancer like FortiWAN lets you
use the bandwidth of all links you’re
paying for. If one fails, traffic is routed
to the remaining healthy links with no
disruption to your users, other than
a possible slowdown in response
times. Once the link is restored,
FortiWAN automatically starts routing
traffic back to that link.
ADCs provide the same type of
functionality as a firewall, and some
offer a few more features such as
Quality of Service and Optimum
Routing. Even with these features,
they’re generally capped at 4-16
links so as not to interfere with the core
ADC tasks of managing traffic to
backend servers. FortiWAN offers
up to 50 links for high-bandwidth
situations and has additional
capabilities of tunnel routing to
aggregate multiple links into a single
pipe to seamlessly add capacity to
private networks.
FortiWAN WAN Link Load Balancers
Fortinet’s FortiWAN appliances provide the tools you need to manage and integrate WAN links into your network to create a Hybrid WAN
using almost any ISP technology. Need backup connectivity? Want to add more bandwidth to your data center, remote offices, VPN or
support free Wi-Fi for guest users? Need to expand your backhaul but don’t want to add to your MPLS costs?
FortiWAN Features:
- Manage up to 3 Gbps of combined WAN throughput and up to 50 WAN links on a single device.
- Support multiple link types from one or multiple carriers.
- Seamlessly manage link outages with soft failover and automatic recovery.
- Monitor link performance and route traffic to best links.
- Securely aggregate multiple links into larger virtual private tunnels.
- Provide inbound traffic routing with multihoming.
FortiWAN WAN Link Load Balancers are based on over 10 years of proven technology and experience that offer the latest in WAN Link
Load Balancing features. From simple link backup capabilities that provide redundant connections to patented Tunnel Routing that
creates secure virtual private lines out of multiple links, FortiWAN delivers the features you need to support today’s complex Hybrid WAN
environments.
The best way to showcase these features is to illustrate how they solve your problems. In the next section we’ll cover the top use cases for
FortiWAN’s Hybrid WAN technologies to give you examples of how they can help solve your bandwidth and redundancy problems.
Common FortiWAN Use Cases
In this section we’ll cover the top use cases for FortiWAN.
Although a top use case is simple link backup for WAN connection
redundancy, it’s generally understood by most IT professionals as
a fundamental feature of a link load balancer. It will be referenced in
the use cases below, but not highlighted as a use case by itself.
Add Bandwidth to a Remote Location or Data Center
Offloading Internet Traffic with FortiWAN
FortiWAN can manage multiple links to offload general Internet
traffic (blue) and Cloud Applications (orange) from core backhaul
traffic (green) providing increased bandwidth for all users either
from the branches or the data center.
As mentioned earlier, almost every organization
needs more bandwidth than it has today. Be it
a data center or remote location, adding more
bandwidth can be an expensive proposition using
traditional WAN links such as Metro Ethernet or
leased lines. FortiWAN can utilize lower cost links
like DSL, Cable or even LTE to add capacity, and
with intelligent Policy Based Routing, can offload
Internet traffic from your backhaul links providing
them more bandwidth for core applications.
In Figure UC1, FortiWANs are deployed at both
the data center and at branch offices to offload
general Internet and cloud-application traffic from
the private backhaul network. The orange and blue
links can be virtually any ISP technology ranging
from leased lines to inexpensive DSL or Cable
modems. In this situation we’ve put FortiWANs at
both locations, however if more bandwidth and
offloading is only required at a branch office, only
one FortiWAN would be needed.
FortiWAN Use Cases:
- Add Bandwidth to a Single Location or Data Center
- Securely Connecting Multiple Locations
- MPLS Bridging (Multiple MPLS)
- Deliver Cost-effective Wi-Fi Access
- Adding Wireless to Your WAN
FIGURE UC1
Securely Connecting Multiple Locations
Securely Bridging Locations with Tunnel Routing
FortiWAN’s patented Tunnel Routing used to bridge multiple links
into a single secure virtual private line between the data center and
remote location.
When you need more backhaul bandwidth from
a remote location to your data center, it’s easy
to upgrade your MPLS network or upgrade to a
higher-capacity Metro Ethernet tier. With that ease
comes a lot of extra cost, usually requiring you to
jump to a new usage tier for your network. If you
only need a few extra megabits of bandwidth,
FortiWAN can let you add less expensive options
like DSL and Cable to your private network by
aggregating them with Tunnel Routing.
In Figure UC2, three links are aggregated together
into a larger virtual private line that backhauls to the
data center. These lines can be any combination
of links, including your existing MPLS, additional
leased lines or less expensive DSL and Cable.
FortiWAN does the heavy lifting of managing the
links so that all you see is one large virtual link
connecting your locations. If an individual link goes
down, private traffic is routed to the remaining
links seamlessly. When the link is restored, traffic
automatically begins routing to that link again.
Please note that in order to use Tunnel Routing, a
FortiWAN is required at each end, here at the data
center and the branch office.
FIGURE UC2
MPLS Bridging (Multiple MPLS)
Bridging Multiple MPLS Networks with FortiWAN
FortiWAN used to bridge two separate MPLS networks (blue and red) into
one seamless network for all locations.
Similar to our previous use case, Tunnel
Routing also can be used to bridge multiple
MPLS networks. We have numerous customers
that have deployed this solution to take two
separate MPLS networks and bridge them to
create a seamless single network spanning
multiple carriers and geographies. This can be
used also for situations where you may need
a second MPLS network for backup. With
FortiWAN you can put the idle backup MPLS to
use by creating one larger single network from
both. If one should fail, the other seamlessly
routes traffic without the need for manual
intervention.
In Figure UC3 FortiWANs are deployed at
points where the two MPLS networks enter
your network. Other locations with single
MPLS links don’t require FortiWAN appliances.
FortiWAN takes MPLS 1 (red) and MPLS 2
(blue) and creates a single network for all
locations. The Headquarters and Regional
Office are able to take advantage of the
increased bandwidth of both MPLS networks
where Branches 1 and 2 are seamlessly
connected to the broader network regardless of
which MPLS network they are connected to.
FIGURE UC3
Deliver Cost-effective Wi-Fi Access
Add Cost-effective Wi-Fi Capacity with FortiWAN
FortiWAN used to route guest Wi-Fi traffic to less expensive DSL
(blue) while leaving MPLS bandwidth unaffected for office users.
Many organizations offer guest Wi-Fi access to
their customers. The most typical quoted scenario
is the venerated local coffee house. Yes, coffee
houses and chains offer their customers free Wi-Fi,
however we also see this in many hospitality
situations and businesses that offer free Wi-Fi for
visitors. Adding Metro Ethernet for bandwidth is
expensive for giving something away for free. DSL
and Cable offer two low cost options to offload
guest Wi-Fi and leave your business traffic on
carrier links or MPLS.
In Figure UC4, FortiWAN is deployed at the
location where you need to provide guest access
for Wi-Fi. Using its Policy-based Routing, guest
Wi-Fi user traffic is routed to the DSL link (blue)
and the back office users are only allowed access
to the MPLS link. This also can be configured
to provide backup should either link fail where
FortiWAN will automatically restore traffic flows
once the link is back online.
FIGURE UC4
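The routing decision described for Figure UC4, modelled as an added illustration: this is not FortiWAN configuration syntax or Fortinet code, and the subnets, link names and probe thresholds are assumptions. It shows per-source policy, health-checked failover and automatic restoration, with a backup link used only where a policy explicitly lists it, so guest traffic never lands on the MPLS link by accident.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (assumptions): addressing plan and health-check thresholds.
GUEST_NET = ipaddress.ip_network("10.20.0.0/24")
OFFICE_NET = ipaddress.ip_network("10.10.0.0/24")
FAIL_AFTER = 3      # consecutive failed probes before a link is marked down
RESTORE_AFTER = 2   # consecutive good probes before a link is used again


@dataclass
class Link:
    name: str
    up: bool = True
    fails: int = 0
    oks: int = 0

    def probe(self, ok: bool) -> None:
        """Feed one health-check result and update the up/down state."""
        if ok:
            self.oks, self.fails = self.oks + 1, 0
            if not self.up and self.oks >= RESTORE_AFTER:
                self.up = True
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.up and self.fails >= FAIL_AFTER:
                self.up = False


@dataclass
class Policy:
    source: ipaddress.IPv4Network
    links: list  # ordered: primary first, then any explicitly permitted backups


class Router:
    def __init__(self, links, policies):
        self.links = {link.name: link for link in links}
        self.policies = policies

    def select_link(self, src_ip: str):
        """Return the link name for a new flow, or None if it must be dropped."""
        addr = ipaddress.ip_address(src_ip)
        for policy in self.policies:
            if addr in policy.source:
                for name in policy.links:
                    if self.links[name].up:
                        return name
                return None  # every permitted link is down: fail closed
        return None          # no policy matches: default deny


def build_site(guest_backup_on_mpls=False, office_backup_on_dsl=False):
    """Guest Wi-Fi goes to DSL, back office to MPLS; backups are opt-in."""
    guest_links = ["dsl"] + (["mpls"] if guest_backup_on_mpls else [])
    office_links = ["mpls"] + (["dsl"] if office_backup_on_dsl else [])
    return Router(
        [Link("dsl"), Link("mpls")],
        [Policy(GUEST_NET, guest_links), Policy(OFFICE_NET, office_links)],
    )


if __name__ == "__main__":
    site = build_site(office_backup_on_dsl=True)
    for _ in range(FAIL_AFTER):
        site.links["mpls"].probe(False)           # simulated MPLS outage
    print("office ->", site.select_link("10.10.0.8"))   # fails over to dsl
    print("guest  ->", site.select_link("10.20.0.15"))  # stays on dsl
```
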
Adding Wireless to Your WAN
Add Wireless for Backup and Mobile Locations
FortiWAN can seamlessly failover to wireless only when it’s required for link
backup or can be used to combine multi-carrier LTE to create up to DS3
speeds for mobile applications.
Wireless access like LTE and Satellite can be a
great backup where terrestrial based links are
unreliable or not readily available. FortiWAN
can add wireless WAN for backup connectivity
or bandwidth capacity depending on how it’s
configured. If you only need wireless WAN
for backup at a remote location, FortiWAN
can be configured to only use that link when
there’s an outage on the primary link. Although
more specialized, FortiWAN can also combine
multiple wireless links into larger virtual ones
to provide up to 45 Mbps of speed for mobile
applications (tradeshows, work sites, etc.).
Figure UC5 shows both these scenarios.
At the top, FortiWAN is configured to only
use the LTE network (green) if the DSL and
T1 (red) go down. At the bottom, a mobile
tradeshow vehicle uses 3 LTE connections
(from different carriers) to achieve near DS3
speeds as long as it can access the wireless
networks.
FIGURE UC5
Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
GLOBAL HEADQUARTERS: Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States. Tel: +1.408.235.7700. www.fortinet.com/sales
EMEA SALES OFFICE: 120 rue Albert Caquot, 06560, Sophia Antipolis, France. Tel: +33.4.8987.0510
APAC SALES OFFICE: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6513.3730
LATIN AMERICA SALES OFFICE: Paseo de la Reforma 412 piso 16, Col. Juarez, C.P. 06600 México D.F. Tel: 011-52-(55) 5524-8428
SDN, WAN and “SD WAN”
Just as SDN (Software Defined Networking) has impacted traditional LAN environment planning, Software Defined WAN (SD WAN) is being
discussed more as the future of WAN networking.
The goal of SD WAN is similar to SDN, to seamlessly manage traffic at the layer 2 level of the OSI model without the need to manage
hardware-based switches or WAN controllers. The latest in SDN controllers are offering the ability to add WAN links to the controller so it
can be managed centrally.
Although FortiWAN does not offer direct SDN integration today, it can be used as a single link into an SDN controller where you still can take
advantage of FortiWAN’s features like tunnel routing, automatic link failover, and policy based routing. FortiWAN’s upcoming API interface
will allow an SDN controller or similar devices to directly manage FortiWAN providing benefits of advanced Link Load Balancing and SDN
management and control.
Summary
The high cost of WAN bandwidth challenges most organizations. Lower-cost options like DSL, Cable and even Wireless can provide the
bandwidth, but introduce complexities where most organizations don’t think they’re worth the headaches. There are many instances
where traffic doesn’t need to be backhauled to a data center and then out to the Internet from there. By implementing an advanced WAN
Link Load Balancer such as FortiWAN, organizations can provide cost-effective bandwidth and link redundancy to create Hybrid WANs.
By seamlessly integrating links using virtually any ISP technology, FortiWAN enables organizations to address needs such as adding
cost-effective bandwidth to their remote locations and data centers, increasing backhaul capacities with tunnel routing, and delivering
inexpensive Wi-Fi to guest users.
April 21, 2015