S-400-G6

Over View

One of the fastest growing enterprise networking technologies, SD-WAN simplifies network management and optimizes connection to data-centers with high level of security. SDWAN provides the bandwidth management and intelligence needed to support modern applications throughout an organization such as branch offices, remote offices and data centers. By mixing multiple less expensive broadband connections with MPLS connections SDWAN reduces CAPEX and OPEX.
zWAN is Systrome implementation of SDWAN solution. zWAN is targeted primarily towards small to midsize enterprises that are looking to incorporate SDWAN into their networking infrastructure.
The zWAN SDWAN solution is implemented to help enterprises achieve maximum connectivity options, minimal downtime through agnostic connectivity and highly streamlined network architecture.
The zWAN solution is intended towards businesses whose offices are spread across multiple geographic locations and need to install a network so that all locations can work, communicate and share information easily, securely and effectively.

◆Key Features:-

• Simple and easy to use interface. Visually configure/manage topology and application flows.
• Centralized management and multi-tenancy. Horizontally scalable, fault-resilient and highly available architecture.
• Edge controllers. Hub-spoke/mesh/hybrid topologies.

◆Centralized Management and Orchestration:-

zWAN is composed of two main components.

• A centralized management and orchestration server(s) that is responsible for the control and management of the SDWAN functionalities and devices.
• Distributed edge controller(s) that is responsible for all the data traffic. The management and orchestration server can be hosted on-prem or can be hosted in a cloud. This server(s) is horizontally scalable and is resilient to node failures.

◆Authentication/Authorization Provider :-

zWAN can connect to multiple backend authentication/authorization providers like LDAP, Active Directory, FreeIPA IdM to provide user login and authorization. In addition zWAN can also add MFA to these login as an additional security, even if these backend do not support it.
zWAN can also connect to third party identity providers based on the following protocols.
• SAML v2.0
• OpenID Connect v1.0
• OAuth v2.0

◆True Zero Touch Provisioning :-

zWAN supports a secure true zero-touch provisioning of edge controllers. In order to onboard a device in a remote location the only skill required is the ability to connect the cables and devices are automatically provisioned and configured to operational status. The network administrator can setup rules and policies that will be automatically applied when a matching edge controller is on boarded.

◆Intuitive Visual Interface :-

zWAN provides an intuitive visual interface. This allows for a very little or no learning curve, even for users who are not proficient with networking technologies and concepts. Users should be able to
• See topology, identify problem areas, alerts in one dashboard
• Configure rules, virtual tunnels
• Onboard/provision devices.
• Setup firewall, add/remove clients etc.

◆Northbound API Support :-

The Management and Orchestration server provides a secure GraphQL API that can be used to integrate with other OSS/BSS software. Solution also provides CLI scripts that can be used to automate deployments/house-keeping operations.

◆Blueprints:-

zWAN allows you to create blueprints that can be used apply configurations for large scale deployment. Blueprints can be created or extracted from an existing edge controller. Blueprints can contain within themselves various parameters like tunnel configuration, firewall rules etc. and one can create as many blue prints as one wish. These blueprints can be applied to any number of Edge controllers or can applied automatically based on rules when a new Edge controller is on boarded.

◆Intent Based Policies:-

To simplify configuration and eliminate learning curve, zWAN supports intent based policy settings. This allows a user to specify their intent and the orchestrator takes care of setting up virtual channels, application policies etc. An example of intent based policy would be 'maximize rdp user experience across all branches', 'stop all social media'.

◆Data Collection and Analytics:-

zWAN edge controller collects information about the flows that it sees and sends it to the centralized reporting server using IPFIX. This data is analyzed and various metrics are provided to the user such as
• Top talkers
• Application usage
• Top protocols
• Geographical usage
The user can employ cross-filters in these dashboards to drill-down the metrics. zWAN also provides the ability for the user to create their own dashboards based on their need. The user can also configure the server to send out alerts based on the certain thresholds. Various alert mechanisms are supported such as
• Email
• Slack
• PagerDuty
• Jira
• Webhooks

◆Syslog:-

zWAN edge controllers can be configured to send their syslog output to a user configured syslog server. By default syslog messages are sent to the reporting server.

◆Underlay Connectivity:-

zWAN supports multiple types of underlay connectivity such as Ethernet, DSL, LTE, fiber or Wi-Fi. The underlay connectivity service could be either public or private and can be un-managed (public broadband) or private (MPLS). zWAN uses the underlay connectivity's characteristics such as cost (flat, usage based etc.), bandwidth, latency, jitter etc. to make decisions on application steering.

◆Tunnel Virtual Connections:-

zWAN supports various tunnel virtual connections between zWAN Edge Controllers. zWAN supports both hub-spoke and mesh topologies. The connections can be encrypted and can be carried over public or private underlay connections. Applications are steered to these tunnels based on their performance/cost/time goals.

◆Flow Categorization and Automatic Tunneling:-

The zWAN Edge Controller categorizes flows and automatically channels the packets to the appropriate tunnel based on the policies and the destination.

◆Internet Breakout:-

There are cases where a set of traffic benefits by directly sending to the internet instead of one of the tunnels. The zWAN edge controller can be configured to classify those packets and steer them directly to the Internet.

◆Traffic Shaping:-

Bandwidth is a limited resource and needs to used wisely for effective performance of various applications. zWAN allows a network admin to setup limits on bandwidth usage on a per-application basis. The admin can set guaranteed and maximum bandwidth limit on a per-application basis.

◆Prioritization and QoS:-

Certain class of applications like voice and video benefits by traversing a high bandwidth / low latency network. zWAN can classify those packets and can steer those packets to a matching underlay network so that the Quality of Experience is maintained. Optionally zWAN can also the mark the DSCP bits and let the downstream network to perform appropriate prioritization.

◆Load Balancing and Failover:-

zWAN can load balance across multiple WAN Links and recover from link failure within seconds. If a link carrying application traffic fails, the application traffic will be moved from the failed link to a functioning link in seconds without any application timeouts or disconnects.

◆OSPF Support:-

zWAN can create OSPF on virtual networks and create a seamless mesh network topology between branches. The route between branches is auto learnt based on the availability and cost. OSPF provides fast route convergence from link failures. Branch LAN network details can easily be exchanged between each other with OSPF. This enables an entire LAN network to move from one branch to another.

◆BGP Support:-

BGP (Border Gateway Protocol) is a dynamic routing protocol used between two network hosts. BGP is designed to exchange routing information between Autonomous Systems (AS) on the internet. All packet exchanges on the internet go with ASN as the unique identifier. It can be used for the WAN network or exterior routing (eBGP) and the LAN network or interior routing (iBGP).

◆Multicast:-

Multicast provides an efficient method for delivering traffic flows that can be characterized as one-to-many or many-to-many. zWAN supports PIM (Protocol Independent Multicast) to provide multicast support.

◆Flow Classification:-

• Load balancing
• QoS
• Firewall • The following filters can be applied on the input and output interfaces
• Source IP (range)
• Destination IP (range)
• Packet size
• DSCP mark
• IP protocol type
• Port (range)
• TCP Flag
• Connection state
• Deep packet inspection
• Time
• Connection Limit
• Bandwidth usage

◆SSL Tunnel:-

SSL VPN is mutual authentication. Server authenticates Client and vice versa. Server can accept any Client connection as long both use same CA certificate and the x509 Host certificate are generated and signed by the same CA certificate. Additionally, peer connection can be filtered based on Certificate Common Name (CN).

◆IPSEC Tunnel:-

IPSEC Tunnel supports various encryption supports.
168 bit 3DES-EDE-CBC
128 bit Blowfish-CBC
192 bit Blowfish-CBC
256 bit Blowfish-CBC
128 bit AES-CBC
192 bit AES-CBC
256 bit AES-CBC
128 bit AES-COUNTER
192 bit AES-COUNTER
256 bit AES-COUNTER
128 bit AES-CCM;64 bit ICV
192 bit AES-CCM;64 bit ICV
256 bit AES-CCM ; 64 bit ICV
128 bit AES-CCM ; 96 bit ICV
192 bit AES-CCM ; 96 bit ICV
256 bit AES-CCM ; 96 bit ICV
128 bit AES-CCM ; 128 bit ICV
192 bit AES-CCM ; 128 bit ICV
256 bit AES-CCM ; 128 bit ICV
128 bit AES-GCM ; 64 bit ICV
192 bit AES-GCM ; 64 bit ICV
256 bit AES-GCM ; 64 bit ICV
128 bit AES-GCM ; 96 bit ICV
192 bit AES-GCM ; 96 bit ICV
256 bit AES-GCM ; 96 bit ICV
128 bit AES-GCM ; 128 bit ICV
192 bit AES-GCM ;128 bit ICV
256 bit AES-GCM ;128 bit ICV
Null encryption with 128 bit AES-GMAC
Null encryption with 192 bit AES-GMAC
Null encryption with 256 bit AES-GMAC
128 bit Camellia-CBC
192 bit Camellia-CBC
256 bit Camellia-CBC
128 bit Serpent-CBC
192 bit Serpent-CBC
256 bit Serpent-CBC
128 bit Twofish-CBC
192 bit Twofish-CBC
256 bit Twofish-CBC
128 bit CAST-CBC
128 bit Camellia-COUNTER
192 bit Camellia-COUNTER
256 bit Camellia-COUNTER
128 bit Camellia-CCM ; 64 bit ICV
192 bit Camellia-CCM ; 64 bit ICV
256 bit Camellia-CCM ; 64 bit ICV
128 bit Camellia-CCM ; 96 bit ICV
192 bit Camellia-CCM ; 96 bit ICV
256 bit Camellia-CCM ; 96 bit ICV
128 bit Camellia-CCM ; 128 bit ICV
192 bit Camellia-CCM ; 128 bit ICV
256 bit Camellia-CCM ; 128 bit ICV
256 bit ChaCha20/Poly1305 ; 128 bit ICV

◆Bridge:-

zWAN support software bridge. By combining multiple virtual tunnels and VLAN LAN interface in the bridge, ARP broadcast domain can be extended between branches and subnets can be spanned across remote locations. By enabling STP, path redundancy can be achieved without introducing loop in the network.

◆Bond:-

zWAN support link aggregation both in load balancing and failover mode. By combining multiple virtual tunnels in the BOND, per packet load balancing can be achieved. Failover mode can restrict the packets to a particular path, the second link can be standby.

◆Multi-homed DHCP server:-

A multi-homed DHCP server is useful in creating multiple subnets. zWAN's DHCP server helps to create multiple networks on the same interface by making use of the VLAN functionality, which in-turn helps to classify the traffic based on the domain/subnet and steer traffic through the SDWAN edges controllers.

◆TWAMP:-

Two-Way Active Measurement Protocol otherwise known as TWAMP is an open protocol for measurement of two-way metrics. The minimum and maximum latencies and jitter can be calculated based on the test session. The information collected is analyzed by Orchestrator to tune the network based on the SLA and perform efficient load balancing, QoS and flow classification of the zWAN Edge Controller. The periodicity of running the test sessions can be configured from the provider. The TWAMP scheduler module running in the Edge Controller then run the test sessions based on the parameters configured.