Full Meshing: A Challenge For Many Enterprise Networks
All too often, WAN transformation projects reduce costs and improve IT agility so significantly that end-user benefits can be missed. But with the Paysafe Group, user impact was precisely what drove the need for a better WAN.
Executives and users at the global provider of end-to-end payment solutions were fed up with being unable to access corporate resources when visiting Paysafe offices. User mobility became a strategic imperative.
“We wanted the same access everywhere,” says Stuart Gall, Infrastructure Architect in Paysafe’s Network and Systems group. “If I’m in Calgary and go to any other office, the access must be the same — no need to RDP into a machine or VPN into the network. You can do that only with network standardization.”
The problem arose primarily due to the lack of a fully meshed network. Various mergers and acquisitions (M&As) left Paysafe with a backbone built from MPLS and Internet-based VPN, making direct connectivity between all locations unfeasible. Establishing a fully meshed Internet VPN would have necessitated 210 tunnels, Stuart notes, requiring an enormous amount of time to build and monitor. Instead, Paysafe administrators ended up “VPNing” only into the locations needed for normal user connectivity.
Without a full mesh, Active Directory (AD) operation became erratic, with updates from the distributed AD domain controllers propagating too slowly, if at all. Users found themselves locked out of some accounts in one location but not another, explains Stuart.
The VPN configuration in particular complicated IT. “Invariably we’d have someone at a site needing connectivity to a different location, forcing a reprovisioning process. That could take weeks of work with approvals and all.”
Users ended up relying on the company’s mobile VPN solution, which just didn’t sit right with Stuart. “If someone moves to a different office and has to use a mobile VPN, our technology has failed,” he says. “Users might just accept that as normal, but as an engineer, I know we need to be better. We need to go that extra mile; we need that ‘wow factor.’”
Rolling out new locations was no better with MPLS. “Deploying MPLS sites was a nightmare. Depending on where you are in the world, you could require two to three months of lead time,” he says.
Internet-Based VPN Not the Answer
Stuart knew he needed a single, fully meshed backbone, and neither MPLS nor Internet-based VPN was the answer.
Moving all locations to MPLS was too expensive. In fact, MPLS’ high costs were so well known that business leaders expected the same from SD-WAN. “They were shocked that we could dismantle MPLS, add more than twice as many locations, and save money,” he recalls.
The opposite — transitioning all offices to an Internet-based VPN — was unrealistic. Aside from the configuration and implementation challenges, Stuart didn’t think Internet-based VPN would meet his performance requirements. “Latency proved significantly higher with an Internet VPN than with Cato — maybe that’s because of the Internet, or maybe it’s the encryption engine.”
Relying on his routing and Dynamic Multipoint VPN (DMVPN) wouldn’t work either. For one, it meant being locked into one manufacturer for networking equipment at every location. Deployment would be an issue as well. “Configuring a simple DMVPN is straightforward, but setting up a DMVPN that fails over to secondary ISPs with the level of service you get with Cato is quite complicated,” he says. “You can easily have unexpected flaws, such as failover scenarios. This is especially true at the hub site, where you might take out the entire network.”
Paysafe Evaluates SD-WAN Architectures
SD-WAN was the logical option, and Stuart ended up evaluating the leading SD-WAN appliances and services, including Cato Cloud.
“The biggest eye-opener for me was that there are two completely different technology architectures called ‘SD-WAN,’” he says. “Some don’t provide the infrastructure, only doing intelligent routing over your own network or the Internet, while others include the infrastructure.”
For Paysafe, the answer was obvious. “We didn’t want a routing management solution; we wanted a core network with lower latency.”
As for competing SD-WAN services, Stuart had concerns about security, availability, management, and cost. “One global SD-WAN service provider was twice as expensive as Cato,” he says.
Stuart also preferred how Cato enrolled new locations. “The way the other SD-WAN service provider handled security was appalling,” he says. “Cato’s security background comes through.”
Cato had other advantages as well, such as availability. “In the worst-case scenario, if there were a countrywide outage, my Cato locations would automatically reconnect to the closest point-of-presence (PoP). Latency might be screwy, but at least we’d have connectivity. The other provider? Its locations would be down and require provider intervention to fix.”
With Cato, Stuart can monitor, manage, and troubleshoot outages and problems himself. “The other SD-WAN service was managed only by the provider. There’s a nice visibility console but no control. Any changes require opening trouble tickets with the provider; it’s very carrier-like. With Cato, we can fully manage the SD-WAN ourselves or tap its support.”
Paysafe Adopts Cato
Ultimately, Paysafe replaced its MPLS services and Internet-based VPN with a single, converged network — the Cato Cloud. The company has connected eleven sites to Cato with three on the way and another seven to go.
With Cato, performance is much better than with Internet VPNs and on par with MPLS — at a fraction of the price. “During our testing, we found latency from Cambridge to Montreal to be 45% less with Cato Cloud than with the public Internet, making Cato performance comparable to MPLS,” he says.
Beyond performance, Paysafe has seen significantly faster deployment. “Instead of spending weeks bringing up a new site on MPLS or even a VPN, Cato Socket deployment takes no more than 30 minutes — including unboxing.” Full-meshing problems are no longer, as all locations instantly mesh once they connect into Cato Cloud.
Stuart has discovered Cato’s incredible flexibility too. With native cloud support, Cato Cloud easily extends to IaaS or SaaS services. “Cato’s EC2 connector is easy to set up, and I expect to use it to connect our AWS datacenter into the Cato SD-WAN,” he says.
Cato also natively optimizes the delivery of cloud applications. “We use Office 365 and plan to connect the India office and possibly North America via Cato as well.”
Cato flexibility is particularly helpful with M&As, where new networks require assimilation into the WAN. “Previously, when migrating new users from an M&A onto our network, there would be months of frustrating inability to access certain resources,” says Stuart.
“We needed time to add the necessary connectivity. Overlapping IP ranges meant there were resources that couldn’t be immediately advertised,” he explains. “With Cato, we can easily tweak the routing at the host level to compensate, giving new users the access they need from day one.”
Whether he’s merging networks or just managing a global one, Stuart benefits from Cato’s easy support model. “I love the way I can open a ticket by clicking a button in the portal,” he says.
Paysafe had already adopted security and mobility solutions before hearing about Cato, but those capabilities are built into Cato Cloud, giving Stuart peace of mind and room to grow. “Cato’s mobile VPN is my secret BCP [business continuity plan] in my back pocket. If my global network goes down, I can be like Batman and whip this thing out.”
The bottom line is that Cato is good for, well, the bottom line. “With Cato,” says Stuart, “we can connect our twenty-one sites and still save 30% on costs compared to our six-site, MPLS network.”
Cato pricing also provides flexibility. “Cato lets us move bandwidth within the same billing domain. If I close a location, I don’t lose the outstanding funds for that term. I just allocate the paid bandwidth to a different location. With MPLS, I’m locked into a three-year contract at each location, even if I just have to move one down the road.”