MPLS: Expensive and Incompatible with Alewijnse’s Business
For decades, Alewijnse relied on MPLS as a principal part of its wide area network (WAN). The company’s Amsterdam datacenter, nine sites in the Netherlands, and a branch office in Romania were connected by a fully meshed MPLS network. Its predictability made MPLS essential for delivering the company’s high-definition video system and remote desktops using Citrix and the Remote Desktop Protocol (RDP). Three other locations, the largest in Vietnam, established virtual private network (VPN) tunnels across direct Internet access (DIA) connections to the Amsterdam datacenter.
Increasingly, though, MPLS was not addressing Alewijnse’s business requirements. Users complained about poor Internet and cloud performance – and for good reason. Applications were starved for bandwidth, as they were backhauled across 10 Mbits/s MPLS connections to the Internet breakout in Alewijnse’s datacenter.
Internet traffic was driving up MPLS costs. Cloud applications and Internet usage accounted for about 50 percent of MPLS bandwidth to the datacenter, says Willem-Jan Herckenrath, manager of ICT at Alewijnse.
IT agility was also constrained by MPLS. “Our business demands that we can set up project locations in a short period of time,” says Herckenrath. “With MPLS, I often had to wait three months to get a connection, if the technology was even available in that region.”
At the same time he was rethinking his network, Herckenrath had to reevaluate the company’s security architecture. He needed a better way to secure his remote offices. Firewall appliances bring additional operational costs around deployment, management, and upgrades.
He also needed a better approach to protect mobile users against ransomware and zero-day attacks. “Users were local administrators on their laptops and so they were not always fully protected when they entered the office,” he says. “We wanted to introduce a way so that they would always connect securely.”
Converging Networking and Security Reduces Complexity and Costs
Herckenrath wanted a simpler WAN design that made more effective use of the Internet without compromising on the MPLS “quick performance” required by his loss-sensitive applications. The architecture would also have to address the company’s security requirements and mobility concerns.
Connecting locations through an Internet-based VPN was one approach, but that would still mean installing, configuring, and managing VPN routers at every location. SD-WAN showed promise, but traditional SD-WAN solutions do not connect mobile users or cloud resources. They also lack advanced security services and a global backbone.
Herckenrath and his team looked at bundling SD-WAN solutions with a secure web gateway (SWG) service and another provider’s backbone. But they rejected the idea. “The feature comparison looked good on paper, but they were more difficult to implement and much more expensive than Cato Cloud,” says Herckenrath.
Cato Cloud is a secure, global SD-WAN service, connecting locations, cloud resources, and mobile users. Advanced security services are built into Cato Cloud and include a next generation firewall (NGFW), SWG, IPS, and advanced threat protection. “With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users, integrated together and at a fraction of the cost,” he says.
Cato Cloud: MPLS-like Performance without MPLS-like Price
Alewijnse began a phased deployment of Cato Cloud. In the first phase, Herckenrath and his team connected the offices in the Netherlands, Romania, and Vietnam into Cato using high-quality Internet last mile. In the next phase, Herckenrath connected the rest of his offices to the Internet and Cato Cloud.
Cato’s ability to use any available last mile service in the WAN gave Herckenrath additional agility. Established locations can still be connected via MPLS, but now Herckenrath and his team are no longer dependent on MPLS services. As long as users can connect to the Internet, they can access Cato Cloud. And where physical Internet connectivity is not available, he can use 4G. It means his project teams at building locations, for example, can quickly get up and working.
Yet despite moving off of MPLS, Herckenrath has not sacrificed performance. “Our users haven’t noticed a difference,” he says. “Latency and packet loss are low. Even the users outside of Europe have the same or better user experience with our HD video conferencing and our CAD system (which runs over Citrix).”
Eliminating MPLS has let him reduce his monthly bandwidth spend by “about 25 percent,” says Herckenrath, while getting as much as 10 times more bandwidth in some locations.
Additional bandwidth has helped his Internet performance, but so has eliminating Internet backhaul. With Cato, Alewijnse’s Internet traffic goes directly to Cato Cloud, where it’s inspected and secured, and from there to the public Internet.
“Users are much happier now with our Internet services,” he says.
Any new deployment faces its challenges, and when they happen, quickly getting hold of a quality support team is critical. “We had our challenges, but what I hear from my guys is that they WhatsApp with Cato’s support guys. They don’t always have to first go, log a complaint, and open a ticket. I really like that approach,” he says.
Alewijnse Extends WAN Transformation to Mobile Users and Eliminates Security Appliances
To achieve the full value of the converged solution, Alewijnse will gradually deploy Cato Clients to secure employees’ laptops and mobile devices. Also on the roadmap is eliminating the firewall appliances in the branch offices. Herckenrath has a long migration path ahead for transforming his network, but with Cato Cloud he thinks he has the right platform.
“We like Cato’s all-in-one approach and the competitive pricing gave us very good value for money.”