The MPLS Problem: Too Expensive and Too Short on Agility
Manufacturers know all too well the challenges of global MPLS — the delays, the high bandwidth costs, the lack of insight. Alone, such attributes pose significant problems for any company. But add in the need to spin up new sites rapidly, and it’s easy to see why a global manufacturer, like Baltimore Aircoil Company (BAC), would look for a better solution.
A leading manufacturer of cooling systems, BAC’s cooling towers reduce the temperature in large manufacturing plants and provide the cooling effect of air conditioning used by businesses in office blocks worldwide. The company operated three MPLS networks, connecting 20 sites across Europe, North America, Russia, China, Australia, and South Africa. The three networks were interconnected in a datacenter in Brussels.
As business transformation progressed within BAC and IT usage grew, the infrastructure team became increasingly frustrated by the lack of agility to respond to new demands. There was insufficient bandwidth to adequately handle the new rollout of VoIP and video in North America. “Traversing a 10 Mbps MPLS connection has too many checkpoints before getting out to the Internet,” says infrastructure manager Keith Tripp. At busy times of the day, this has a severe effect on everyone’s VoIP conversations – with no easy solution. “You can’t just call your MPLS provider and say I want an extra 20 megs tomorrow,” he added.
In Europe, BAC sales offices liked to relocate whenever they found a better location. The most significant delay to this process came from IT, which needed three or four months to relocate the MPLS circuits. “Hopefully, we would get at least one of the circuits on time,” said Michael Devogelaere, BAC IT manager infrastructure, “but sometimes it was the backup circuit that arrived first, with the main circuit a few months later.” However, a significant concern with its European provider occurred at the Paris site. Here, one of the provider’s subcontractors changed from copper to fiber, and the MPLS provider demanded a new multi-year contract from BAC. “We did not understand why we should sign a new contract when a subcontractor arbitrarily changed its technology,” said Devogelaere.
Then there were the security concerns. Although the MPLS included firewalls, BAC had no direct control over them – and the firewalls and firewall rules differed between the different MPLS providers. Luc Derveaux, BAC’s global manager of information protection, was concerned that he could not personally respond to the data warnings provided by the firewalls. “The only real security we had was on the VPNs,” he added.
Troubleshooting was also complicated by having to juggle different interfaces when trying to solve a problem. “With separate MPLS and firewall architecture, all information was available in different locations,” says Michel Neuts, the network engineer who architected BAC’s new network. “It was difficult to correlate the information, which meant that we needed more time to diagnose problems.”
Permeating all the problems that BAC faced with its MPLS networks was the lack of agility – the inability to respond at speed to new requirements. Large scale, rapid development of work-from-home was one example. But so was troubleshooting real-time problems. “If we had a problem like the quality of a global video conference it would have meant waiting as we opened tickets with each of our MPLS providers,” says Neuts.
Searching for a Solution, Finding Cato
BAC knew that its existing problems would only get worse over time. It started looking for alternatives. The easiest option would be a simple switch to using the Internet directly, but this was immediately rejected. “You need a solution that provides support,” explains Derveaux. “If you get an Internet problem between Australia and North America, who can you go to for help?”
The existing MPLS providers were asked about their SD-WAN offerings, but the BAC team found that the offerings were always dependent on at least one physical line – keeping the company tied to MPLS.
Instead, the company investigated several alternative options. Some new offerings appeared promising but were considered untested and not market ready. Others required significant new investments in infrastructure. Then a network engineer who had been tasked with finding a new WAN solution suggested Cato Networks.
Cato Solves BAC’s Network Problems
After a brief PoC, BAC decided to go with Cato. With Cato, BAC reduced network costs by about 60% and significantly increased capacity. In Australia, for example, bandwidth more than doubled from 20 Mbps to 50 Mbps. The bandwidth improvements were even greater elsewhere. In Milford, California, it increased fivefold from 10 Mbps to 50 Mbps.
“With Cato, BAC reduced network costs by 60% and increased capacity by as much as 5x”
With Cato, BAC gained a single pane of glass into the entire network. “I especially liked having all information available in one dashboard, one portal,” says Neuts. “We now have much more information on how our network is behaving than we did before.”
Derveaux’s concerns over security were also alleviated. “Going to Cato, we could see directly into the traffic and say, ‘There’s a problem here, there’s something wrong there,’” he said. He particularly liked Cato’s ability to drill down into networking and security events. “I checked it every day for several months,” says Derveaux.
But it’s the increase in agility that stands out. With Cato, BAC could resolve global problems in real time. “When we first decided to stream a monthly webinar to our 300 or so remote employees, we chose to do it as a live event across our video conferencing platform. Now live events are a bit different than your typical video conference; they’re in one direction, where users can see the speaker, not vice versa. Apparently, the provider changes up their protocols a bit as a result.
“During the event, users started complaining about the very poor video quality. That’s unusual for this platform. So right then I opened the Cato portal and went into the real-time events page. I could see that the traffic was not being categorized as real-time video traffic but as web traffic, which meant that the QoS level wasn’t what it should be. I changed live events on this video conferencing platform to real-time video and, instantly, users across the globe saw a noticeable difference. There’s no way we could have done that as quickly with our MPLS network.”
Another example came when BAC moved a server to a new location. “When we relocated a server from Germany, we found it was getting a bit slow because we hadn’t considered the SMB traffic – with Cato, we were able to just change the priority of that SMB traffic. We could have done this with the other providers, but we would need to ask them, possibly pay a fee, and wait for it. With Cato, we just did it,” says Devogelaere.
Perhaps the most prominent example of the new agility came with the COVID-19 pandemic. “When we saw how bad it was in New York,” said Tripp, “we went to HR and said we need to do something. We gave our staff a Wi-Fi stick and headphones and told everybody they could work from home. From an IT perspective, it didn’t matter whether people were at home or in the office.
“Because of the pandemic,” he continued, “I would say that the VPN part of Cato was probably one of the biggest benefits. Previously multiple VPNs would come into one MPLS circuit and suffer bandwidth issues. Before Cato, the engineering team was unable to send CAD drawings via a VPN. Cato SDP [Cato’s remote access solution] made it possible. Cato enabled us to keep the lights on during the pandemic.”
BAC is particularly happy with Cato’s support services. “The speed at which Cato was adding new features was really surprising,” said Devogelaere. “We really felt that we were part of the development of the product.”
Two future options have already been considered. The first is the ability to publish an application using the clientless option of Cato SDP. “We have a requirement for some external people to access resources and our network, but we don’t feel comfortable with having a computer that has a security policy that we don’t know accessing our resources,” said Devogelaere. “If they can do that via jump hosts or something similar, that would be good from a security perspective for us.”
Another future option that BAC has considered is Cato’s Managed Threat Detection and Response (MDR) capability. With the customer already connected to Cato, Cato can deliver zero-footprint detection of persistent threats without requiring customers to install additional appliances. Cato MDR uses machine learning algorithms combined with human verification of detected anomalies, and Cato experts are available to guide customers through any necessary remediation. BAC doesn’t need Cato MDR today, but for Devogelaere and the rest of the BAC team, being able to enable MDR and other Cato capabilities instantly was a “welcome change” from the delays and headaches of MPLS.