1. Overview

Colt’s Software Defined WAN solution (hereafter SD WAN) enables Internet to be used as a business network and an MPLS alternative for the WAN. There is a radical shift occurring in the market where customers are evolving towards a hyper-connected and digital world by adopting innovative business and operational models (Cloud, Big data, Collaborative tools, etc.). This journey is dramatically changing the requirements for bandwidth, performance, flexibility and agility in the solutions supporting the business and applications traffic.SD WAN gives Customers the ability to combine multiple access connections types (MPLS, Internet, 3G/4G) with application-based policy forwarding and advanced security functions to create a software defined network capable of delivering on changing business needs and capacity challenges.

Colt SD WAN incorporates various software images of Virtual Network Functions (VNFs) deployed on ‘commercially available off-the-shelf hardware components and systems’ for routing, security, WAN and application optimization and analytics. Colt SDWAN makes use of underlay connectivity (private MPLS and public Internet) to establish a secure, encrypted overlay virtual network. Customers can use it to quickly create and deploy a network that offers services like business- grade IP VPN, secure broadband Internet or application-aware routing with full security and QoS over WAN connections. Traffic can be automatically and dynamically (using traffic steering policies) forwarded across the most appropriate WAN path based on network conditions, quality-of-service (QoS) requirements, usage requirements and cost. This combined feature set offers higher network service availability and increased network performance.

In addition, SD WAN allows Customers to optimize the use of their bandwidth through load balancing over multiple Internet uplinks over broadband, 3G/4G (with an Ethernet handoff) in addition to traditional MPLS connections. SD WAN also allows to connect to Cloud service providers and SaaS providers to extend their WAN edge to Cloud.

Colt has upgraded its SD WAN service with the introduction of universal customer premises equipment (uCPE) at the network edge. The service now supports 3pp unmanaged VNF hosting, including CheckPoint Firewall as additional VNFs on uCPE alongside Versa SDWAN VNF. uCPE allows customers to license, manage, and monitor functions with flexible network options, bringing cloud computing benefits from data centres to edge computing at customer premises and branch sites—a new way for enterprises to use connectivity services.

Colt also offers a Wholesale SD WAN solution that offers not only an alternative to an existing vendor, but also the instant ability to a fast time to market when no SD WAN solution is in place for wholesale customer. The Wholesale solution includes Versa SD WAN solution with clear adaptation (customizable portal, branding and further hierarchy levels, systems and processes modification, etc) that allows the Wholesale partner to offer the end-customer an industry leading SD WAN service

The SD-WAN wholesale proposition is perfect for wholesalers without their own solution, seeking a partner to provide a turnkey option with no initial investment or development time. This offering, while limited by resale and vendor restrictions, covers these aspects in detail within the document.

Colt can help to engage this digital enrolment, helping to integrate our existing SD WAN service so that the Wholesale customer can resell it to their end customers, with little visibility about who is actually providing the service in backstage and with full functionality towards them.

There are specific considerations along the processes, that will be covered during the following sections.

2. Benefits

2.1 Available Anywhere

Colt SD WAN service is available to virtually any business address worldwide (basic connectivity pre requisite) in a fully meshed or hub-and-spoke network configuration options.
SD WAN allows connectivity between SD WAN and Non-SDWAN (traditional IPVPN) sites.

2.2 Quick Deployment

New locations can be turned up in as little as minutes with zero touch provisioning (“bringing” the device into the network). Customers will be able to manage their own service, add new branch sites in hours, or upgrade bandwidth in real-time. Colt uses pre-configured CPE devices which are as easy to setup like a home WiFi router.

2.3 Security

Secure end to end connectivity using IPSEC encryption, this ensures that the transit of Customer’s proprietary data is fully protected and inaccessible beyond the intended origination and destination points. Colt SD WAN provides an integrated firewall with SD WAN which provides secure local internet
breakout, provides DDoS protection and ability to create firewall policies and rules through customer portal.

2.4 Connectivity Flexibility

Colt SD WAN services can be provided over public internet – broadband Internet and business internet – dedicated internet access (DIA) connectivity (using any and all transport technologies like xDSL, wireless 3G/4G/LTE (only available in EU for Colt provided SIMs, no limitation for customer-owned), Ethernet or traditional MPLS regardless of whether Colt is providing that underlying connectivity or not. Local breakout is available, if desired, so that only certain traffic is forced through the SD WAN network.

Colt SD WAN supports Colt provided MPLS underlay connection as a standard. MPLS circuit is from Colt or from Colt’s existing MPLS NNI partners. Any new MPLS provider needs an MPLS NNI to be setup first (see connectivity constraints for Carrier’s provided MPLS legs).

2.5 Application Performance

Based on Customer requirements, Colt SD WAN service ensures that it always provides the best available connection for traffic flows based on jitter and latency requirements. In addition, Customers are in complete control of steering traffic over specific preferred links through the use of layers 3, 4 and 7 based
access control lists and policies that can be implemented via the self-service portal.

2.6 Self-Service Portal

The Colt SD WAN portal allows dynamic management of network based on Customer requirements, with policy control and visibility, traffic data reporting is also available for visibility of throughput (peak/average) and traffic volume for a selected duration.

For the Wholesale SD WAN service, both wholesale customers and end customers will benefit from a customized look and feel, setting wholesale customer’s own logo, background image, links and contact details, so that their end-customer experience doesn’t differ from the rest of their services offered.

2.7 Service Reliability

Multiple points of presence, bidirectional metro rings, and a fully redundant network core support ensures service availability and that customer data gets to where it needs to go.

2.8 Redundancy and High Availability

Colt SD WAN service can be deployed in a redundant and highly available manner, supporting link level and device level redundancy to eliminate single point of failures. In addition, the back-end control and provisioning systems are redundant as well to ensure service availability is not affected by any single point of failure.

2.9 Cost Efficiency

Colt SD WAN provides the ability to manage and optimize traffic over multiple infrastructure links and maximize the use of bandwidth thereby lowering costs. Customers can use it to top up existing IP VPN bandwidth by using the Internet in addition to existing IP VPN bandwidth; another use case would be an Internet only version which can be used where dedicated leased line cannot be justified due to cost reasons.

2.10 Control (Changing Traffic Patterns)

SD WAN gives the ability for customers to route their traffic for specific application based on a number of parameters. Traffic policies (MPLS vs internet) will be set during the initial deployment and will be based on basic business rule settings (IP address/subnet, protocol and/or port number, preloaded applications), these can be changed any time via the self-service portal.

2.11 Analytics

Near real time, interactive dashboards that enable Customers to keep view the health of a network and applications by continuously monitor traffic flows and enabling the identification of and response to business impacting events. Visualization of application performance, network security and Firewall, and
utilization – allowing organizations to analyse issues at the site level, application layer, or individual user level.

2.12 Multi-cloud

With With SD WAN Multi-Cloud, customers are able to connect their branch sites directly to all their cloud-based SaaS and IaaS workloads and manage this connectivity centrally via the Colt SD WAN portal. It brings together a single cohesive view of the enterprise network, tying together WAN sites, IaaS/Cloud sites, and traffic towards SaaS cloud – all easily viewed and managed via the Colt SD WAN portal. SD WAN Multi-Cloud extends the SD WAN benefits of security, analytics and optimization to connectivity to the Cloud Service Provider and provides an end-to-end SLA for all connectivity types (MPLS, Internet, Wireless and Cloud) for enterprise networks.

Colt SD WAN Multi-cloud services are available in Europe and Asia and supports direct connectivity towards Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. The SD-WAN Multi-cloud solution uses gateways hosted in the Colt network with dedicated connectivity into the Cloud. Today, Colt is monitoring proactively our Cloud Gateway infrastructure, cloud providers at an application level. Within the direct connectivity program of the CSP, Colt supports both hosted and dedicated CSP options in the likes of AWS Direct Connect, Azure ExpressRoute and Google Cloud Interconnect (GCI).

2.13 Support for IPv6

Internet Protocol version 6, is a new addressing protocol designed to incorporate whole sort of requirement of future internet known to us as Internet version 2. This protocol as its predecessor IPv4, works on Network Layer (Layer-3). IPv6 provides larger addressing space and simplified header. Colt SD
WAN supports use of IPv6 addressing on LAN interface. Colt SD WAN supports use of IPv6 addressing on WAN interface for single CPE, single internet with IPv6 only

2.14 WAN Optimization

SD WAN with WAN optimization provides customer an enhanced user experience as it improves the network performance and reliability over multiple wan links for a site. It alleviates the effects of latency that maximize bandwidth utilization and relieves network congestion. The advantage of SD WAN with
WAN optimization is that it is aware of other network traffic on the same link and can intelligently manage all flows overcoming the problems of TCP retransmission.

We utilize following traffic optimization techniques

• Forward Error Correction (FEC): Allows missing data packets to be recreated at the destination without adding latency or jitter

• Packet Cloning (Replication): Mirrors packets between two or more paths – if one packet is lost, the mirrored packet will still be delivered

3. Service Design

3.1 Transport agnostic Application driven WAN

Colt SD WAN ensures Customer WAN network is designed to provide efficient application performance irrespective of the underlying transport (MPLS or Internet). The service enables and implements application routing policies and also allows for load balancing of default traffic in order to ensure that all
available WAN capacity is optimally utilized.

3.2 Site design types – SD WAN Service Pack (Multiple WAN Links)

Colt SD WAN supports multiple access types to suit individual site requirements; these can include dedicated Ethernet, Direct Internet Access, cost-effective broadband DSL connectivity or 3G/4G/LTE. By default 3G/4G circuits should be used as backup only if fixed Internet and MPLS circuits are available i.e. traffic should not load-share across 3G/4G and other WAN circuits. The SD WAN CPE can be attached directly to the Internet Access circuit (recommended) or behind a customer router or modem device. The handoff to the SD WAN CPE should be plain 802.3 Ethernet (no VLAN tagging) or PPPoE (with or without VLAN tagging). PPPoE handoff (with or without VLAN tagging) has been validated and enabled for France only (with Bouygues Telecom) currently.

Blue Wireless

Colt now offers a Fixed Wireless, 4G/ 5G cellular Internet access service to our customers. This service is a complete resell of the Wireless Internet access service provided by Blue Wireless, a Singapore-based company. Uniform service including on-site survey, installation, maintenance and operation can be provided in about 90 countries in Europe and Asia as well as in North America, South America and the Middle East. This service comes with Cradlepoint mobile router, Dual SIM and its data, installation and operation service, and SLA. This service offers managed mobile internet access service maximum up to 300Mbps/30Mbps(Down/Up) supports both unlimited data and limited data plan with flat rate pricing. This service guarantees 50% of contract speed.

The service can also be utilised for SDWAN customers as an Internet underlay, typically utilised as a backup to existing fixed WAN connections or for low priority site locations where physical connectivity is difficult to achieve. 

All countries where Supplier has the network coverage (~ 88 countries) and where Colt is authorized to sell. Not all these plans are available in all locations, for several reasons.

As part of the ‘Partner IP Access’ product, Colt has chosen Blue Wireless to provide an end-to-end managed service supplying Wireless Internet connectivity using 4G LTE/ 5G cellular technology with a managed CPE. The standard service offering delivers a Blue Wireless managed Cradlepoint CPE with dual resilient SIMs as below: 

There are 2 service offerings by Blue Wireless, Primary mode and Backup mode. Primary mode has an unlimited data plan expected to be used for most typical enterprise customer use cases and a backup mode offering that comes with a data limit. Typically, 10GB per month and over usage restriction, along with 30GB data Uplift plan for backup mode. Over usage will automatically downrate the access line to a minimal speed (1Mbps/1Mbps), which ensures the service is not completely down when the data limit has been reached but will result in a poor customer experience for normal everyday applications. Low bandwidth applications could still function such as credit card transactions as an example but would be very limited. 

Blue Wireless offers a number several bandwidth plans

Not all these plans are available in all locations, for several reasons. Some MNOs are not offering all these plans in all regions. Some (higher) speeds might not be attainable due to the local environment the Cradlepoint CPE will be in. Blue Wireless will test the speed before handing over the service to Colt / customer

The Service offer two data plan options for customer to choose from, to be Indicated in the Order.

• Unlimited Data (Primary Plan), offering unlimited data usage at the contracted Maximum Access speed at a fixed MRC. The Service is configured as an active access for the primary connection.
• Limited Data (Failover Plan), where there is predefined amount of data usage included per month indicated in the rate card to be used at the contracted Maximum Access speed at a fixed MRC.

An option may be provided to increase the predefined amount of data usage per month. Upon reaching the data limit, the maximum access speed will be throttled to 1Mbps/1Mbps speed. The blue wireless CPE can be attached to any of the current standard Versa CPEs – no new colt managed hardware is introduced for Blue Wireless connections

Based on the maximum bandwidth supported by Blue wireless i.e. 300Mbps/30Mbps(Down/Up), following T-Shirt sizes/packages are in scope of current phase:

• XS – Extra small
• S – Small
• S Plus – Small Plus

Key points

• Blue wireless connections shall be ordered as part of IP Access underlay
• Maximum 1 Blue Wireless link per site, both for single or dual CPE setups, is supported
• Internet Egress is only available for unlimited plan  
• IPv6 is not supported
• uCPE is not supported
• Blue Wireless (with limited plan) and a 4G connection at the same site is not supported
• Zscaler SSE solution has been technically validated with Blue wireless with Unlimited plan but not the Versa SASE yet.
• Customers shall ensure that the CradlePoint device Installation must be carried out at the location where Versa CPE is expected to be installed in order to achieve a direct connectivity between these two devices. In case Blue Wireless considers that coverage is not good enough and SLAs are at risk, they will evaluate the installation of a 10m indoor external antenna to get the right signal out of the rack.  Customers are always advised to increase the default coverage of the CradlePoint equipment by installing it on top of the rack where the SDWAN box is installed. If in case the indoor external antenna does not suffice to guarantee Blue Wireless Service, the CradlePoint equipment will be installed elsewhere in the building where signal is good enough and customer will be responsible to install the required internal cabling considering RJ45 demarcation towards Colt SDWAN equipment. And it is customer’s responsibility that the CradlePoint device must not be shifted from the install location as performed by Blue Wireless.
• As Blue wireless connection is a wireless connection, It should not be considered as one to one replacement of any wired internet access considering different performance matrix like latency. Blue wireless connections latency is expected to be higher then the wired internet connections, especially in case if inter-regional site to site communications.
• Blue Wireless does not offer any guarantees on the Latency, Jitter and Packet Loss but Blue Wireless will endeavour to optimise the performance.

Note: Due to some regulatory limitations, blue Wireless do not offer services in following countries: India, China, Russia, Cuba, Syria, Iran, North Korea, Venezuela

Blue Wireless – Starlink Satelite

Blue Wireless, in partnership with SpaceX, provides Starlink satellite services. Following satellite services are supported as an underlay for the Colt Versa SD WAN solution:

• Global Managed LEO Plus (GML+), based on a combined Satellite and LTE/5G connection using a performance satellite antenna and cellular antenna.
• Global Managed LEO (GML), based on a single Satellite connection using a performance satellite antenna.

These plans are supported as an underlay for the Colt Versa SD WAN with the following guidelines:

• Leo, Leo+ with limited data plan only
• Leo, Leo+ available as backup/secondary connection only
• Only Public IP Supported
• Supported with SD WAN XS, S and S Plus Packages
• Supported with SD WAN CPE Models: v120, v210, v220
• Supported with Following SD WAN site topologies:

Limited Data Plan	Connection Supported
Single CPE LTE Only	Primary LTE or Leo/Leo+
Single CPE Hybrid [LTE]	MPLS + LTE or Leo/Leo+
Single CPE Dual Internet LTE	IPA (wired, not Leo) + LTE or Leo/Leo+
Dual CPE Hybrid LTE	MPLS (wired) + LTE or Leo/Leo+
Dual CPE Dual Internet LTE	IPA (wired, not Leo) + LTE or Leo/Leo+

Below is a table summarising the standardised packages that are available for customer to order per site.
Each size package varies in the type and number of WAN uplinks, number of CPEs, bandwidth, diversity, and service assurance.
To build a new SD WAN solution, simply work with customer to mix and match these ‘sizes’ to meet the requirements for each site.

Note: Blue wireless connections are supported for XS, S & S Plus packages only currently.

• Any combination of Internet and MPLS uplinks up to the max supported and not
  exceeding maximum for each type.
• LTE as substitute or in addition to any fixed Internet connections.
• LTE substitutes the fixed WAN Uplink
• Dual LTE not supported in combination with Fixed MPLS or Internet uplinks. Single
  LTE uplink is on primary CPE when combined with 2 fixed uplinks.
• Max 1 MPLS per CPE. Single MPLS is always on primary CPE.
• For 2 Internet uplinks LTE substitutes the second Internet uplink

To illustrate these site size packages further, see the example use cases below:

The CPE model used in M & M Plus package will be the V220, offering a maximum BW of up to 1 Gbps.

The CPE model used in M & M Plus package will be the V810, offering a maximum BW of up to 2 Gbps.

The CPE model used in M & M Plus package will be the V850, offering a maximum BW of up to 3 Gbps.

The CPE model used in L & L Plus package will be the V1800, offering a maximum BW of up to 10Gbps.

Both support fibre handoff option.

3.3 Traffic flows

The customer may have a mix of sites – IP VPN on-net sites (connected directly to Cisco based MPLS network) or SD WAN hybrid sites (OLO MPLS and Internet lines, Versa based) or SD WAN Internet only (Versa based) or SD WAN MPLS-only site.

The table below provides the overview of the traffic flows with regards to how SD WAN gateways and Encrypted tunnels are used (Versa uses IPSec but combined with other protocols)

SD WAN Gateways provide the following functions 1) they act as a transit gateway between the encrypted SD WAN VPN and a normal IP-VPN and 2) They act as a hub for connecting SD WAN sites on disjoint networks e.g. a site connected to MPLS only and a site connected to Internet only. SD WAN Gateways are implemented on a region by region basis to reduce the latency caused by backhauling tunnels

3.4 Application aware connectivity

Colt SD WAN service delivers path control for application-aware routing and forwarding across the WAN. It supports, dynamic selection of the best path for application-based business policies and application-based load balancing across paths for full utilization of bandwidth with improved network availability.

3.5 Encryption

• Encryption method: Advanced Encryption Standard AES-128 and AES-256 supported.
• Authentication Method: Secure Hash Algorithm SHA2.
• Internet Key Exchange (IKE): IKEv2.
• PSK: As standard, pre-shared keys will be used to authenticate between IPSec peers.

(For Colt SD WAN, Colt owns & manages the keys).

4. Features

Colt SD WAN is an evolving product line, this is primarily because the industry is still evolving with ongoing developments (Colt product offering is mature as committed). Colt will continue to improve and add new product features and they will be added in this guide as they are released (please refer to roadmap for details).

4.1 Customer Portal

Colt SD WAN Portal is a self-service portal available for both Carrier and end customer. It enables network services to be used, modified and orchestrated on real-time and on-demand basis – as is typical for cloud services. As it is ‘software defined/controlled’, the WAN transforms into an agile, flexible network enabling a customer to be in control of its network.

In summary, the portal gives the Customer the ability:

• To map applications to specific WAN uplink (eg., MPLS and/or Internet)
• To choose when an application needs to switch to the secondary path

                   The SD WAN portal is intuitive and easy to navigate with below features:

Portal Pages	Page Details
Tablero de mandos	Gives an overview of all provisioned sites on a geographically accurate map Dashboard allows regularly used graphs or reports to be pinned to the Dashboard view. Status of Pending orders are listed
Policy Management	per site traffic steering policy rules per site add, delete, edit and back-up traffic policies map traffic to WAN uplinks on multiple parameters like source and destination IP Address, source and destination port/socket, protocol and applications (more than 2,500 applications supported) define policy to switch between WAN links based on latency, jitter, packet loss, traffic Rx/Tx thresholds Multiple metrics per policy can be added Bulk copy pushes policies to multiple sites by single button click
Firewall Management	per site firewall rules overview per site add, delete, edit and back-up firewall policies Policies applied to Internet and SDWAN for both inbound and outbound traffic Create firewall rules based on multiple parameters like source and destination IP Address, source and destination port/socket Create Application layer inbound and outbound Firewall policies with source/destination IP addressing Create DNAT for LAN and DMZ zone rules by IP address and port number Bulk copy pushes policies to multiple sites by single button click default policy deny all
Firewall analytics	lists all active firewall rules top 10 (or more) applications with sessions, traffic Tx/Rx and bandwidth used historical view by day, week, month or custom time frame
Interface Analytics	delay, jitter, loss ratio, traffic in/out and number of sessions on per interface basis historical view by day, week, month or custom time frame
Application Analytics	application bi-directional bandwidth utilization top application information pertaining to sessions, and traffic utilization (Rx/Tx) Application view can be filtered or selected per application historical view by day, week, month or custom time frame
DDOS	create DDOS attack profiles and suspend actions historical view by day, week, month or custom time frame of DDOS attack analytics associated with attack profiles.
Device	detailed CPE hardware information self CPE diagnostics, including ping and traceroute Data synchronization icon to re-synchronize the Portal and SDWAN bases. WAN interface details including MAC, status, IP address, speed, traffic Rx/Tx and QoS policies LAN interface details including MAC, ARP information, IP address, speed, and routing policies

4.2 SD WAN wholesale customer portal specifics

Colt SD WAN Portal for the Wholesale segment can have a personalized branding and domain, and therefore there are some requisites the wholesale customer needs to fulfil.

All the required information needs to be captured by Sales teams and shared to Portal team to set up Reseller’s SD WAN portal.

At the same time, special flag within the order form will remind the user that this requirement needs to be taken care of prior to service delivery.

Main requirements:

• Select a domain name for the branded version of the portal (e.g. sdwan. reseller.com)
• Update the Carrier’s own DNS records to associate this domain name with the Colt production portal, either:
  • as a CNAME record pointing to sd-wan.colt.net or
  • as an A record pointing to the colt-owned IP address: 217.111.165.33

• Obtain an SSL certificate to secure web traffic to this domain.
• The associated private key for this SSL certificate should be a minimum of 2048 bits long.
  • The certificate should be signed by a widely trusted Certificate Authority – e.g. Verisign
  • The certificate expiry date should be a minimum of 365 days from the date of issue
  • Neither the key nor the certificate should be password protected

• Using the following pages as a starting point, collect content that the Carrier wants to be shown on the branded portal.
  • Not all content is mandatory (e.g. a login logo), but if it is not supplied, then the corresponding area of the screen will default to blank
  • Image sizes and other constraints apply

• Send the certificate, the private key and the branding information to the SDWAN Portal team.
• For testing purposes, a Colt Demo portal can be set up as well with the customized look and feel
• Carrier is responsible for end-customer credentials and password management, that would be created within their user access to the portal (tenant management). End-customer will not be able to manage his credentials, only to ask for a reset to Carrier.

4.2.1 SD WAN wholesale customer portal branding

In order to customize the specific branding for each wholesale customer, Following information essential to be captured from wholesale customer:

• Splash screen background image
  • Min 1920px wide, 1440px high, PNG or JPG format
• Login dialog logo
  • Max 250px wide, 200px high, PNG or JPG format
• Forgot password link (required)
  • URL only (text will be unaltered)
• Footer HTML (required)
  • HTML inside a DIV element, maximum 2 lines high. <ul><li> elements will be separated by vertical bars

Once in the SD WAN Network Dashboard, there are some other items that can be customized as well:

• Application logo
  • Max 250px wide, 32px high, PNG or JPG
• Help link (required)
  • URL only (text will be unaltered)
• NOT SHOWN:
  • Web page title (text only)
  • FAVICON.ICO icon to show in the address bar (48×48 px or 24×24 px, icon format)

In case the customer doesn’t want to customise the landing page or the SD WAN dashboard logos, Colt can also offer the possibility of not showing any logo instead.

Technical details as registered domain, SSL certificate or even the Help and support & Forgot password links are mandatory.

API integration with SDWAN Portal is possible but not as a standard switch on/off capability. API integration with SDWAN portal will require some efforts to understand customer requirements and development. Based on the initial analysis, SDWAN portal integration cost could be provided.

Note: Pease refer to Portal Guide document for further details

4.3 Dynamic traffic steering

Dynamic multi-path traffic steering is a real-time portal driven feature that helps Customers utilize both MPLS and Internet uplinks in a redundant or load sharing configuration. In addition to detecting pre-configured applications, traffic can be routed through IP address, protocol and/or port (socket) numbers.

Customers can choose to do (add/edit/ delete) all their policy configurations anytime via the secure Colt SD WAN portal.

Colt SD WAN platform measures jitter, packet-loss, round-trip delay, traffic utilization TX/RX in all the paths between branches or between branch-to-hub. Please see portal appendix for policy configuration details.

4.4 Optimum path selection

Optimum Path Selection is a default SD WAN portal feature for all customers that provides the best path selection between all possible paths when a 10 % variance of performance is reached. The standard SDWAN traffic Steering rules through SD WAN portal provides path selection based on circuit priorities and/or SLA thresholds instead of performance. Optimum path selection can steer traffic based on one or combination of several metrics, For example lowest latency, lowest packet loss or lowest delay variation. Besides traffic selection, our existing SD WAN traffic steering options remain available.

These include:

• Configuration of different circuit priorities
• Configuration of SLA thresholds for several metrics: Latency (ms), Jitter (ms), Packet loss (%), Transmit/Receive Bandwidth utilization (%)
• Continuous evaluation of the traffic sessions that provides the traffic switching between difference paths, when the used path is no longer SLA compliant or there is a better option with <10% of difference

4.5 Analytics

Supported for interface, firewall and applications. These are on near real-time basis with based on logs sent from branch sites and stored in the analytics database . Historical views are also supported along with deeper granularity. Please see portal appendix for details.

4.6 Routing between Colt managed CPE and customer LAN

Both static and dynamic routing supported. Static, BGPv4 and OSPFv2 routes are all supported on SD WAN CPE for routing towards the customer LAN.

4.7 DHCP

DHCP requests from local clients are forwarded to Customer owned/managed central DHCP server (applies for IP addressing on the Customer LAN, not static or DHCP config in the WAN if customer is providing own Internet). Colt SD WAN CPE adds its own information to the request to identify the site (to enable the central server to allocate address from appropriate pool). DHCP server can be delivered as a bespoke on customer special request.

4.8 IP address management

Customer IP addresses may be private or public as the service treats the addresses relevant only to the particular customer VPN.

As per DHCP, it applies for IP addressing on the Customer LAN, it does not refers to the WAN if customer is providing own Internet.

• IPv4 & IPv6 are supported
• By default static routes shall be used for all the addresses for each site. As an option, routing protocols may be enabled as well at the time of ordering the service.

4.9 Local internet breakout

The Local Internet breakout feature allows ‘to/from’ internet traffic to utilize an SD WAN site’s local internet connection rather than going through the central network gateway. Any traffic other than which is destined for SD WAN sites (e.g. to access legacy applications residing at an enterprise location) will access the internet using  the local internet connection.

A key benefit of local breakout is the user experience when accessing trusted applications as these can be accessed locally and hence avoids unnecessary latency. In addition local breakout helps reduce the customer’s bandwidth needs across Colt SD WAN platform.

By default a Deny-All rule is applied for traffic between the LAN and Internet in both directions. The customer can then add rules to selectively allow traffic towards and from the Internet e.g for trusted applications such as Office 365.

Local Internet breakout is a default Colt SD WAN service feature, if an Customer, for any specific reasons, wants central internet breakout (central gateway) then it will be handled as a bespoke request and would need a modification order.

Highlights:

• Default option
• Will be on the first internet connection (more than one internet connections possible)
• Available on all site types that have an internet connection
• With dual internet, the local internet breakout will be on an active/standby basis (could be load balancing if requested by customer)
• With dual CPE, internet breakout will only be on the internet attached CPE
• With MPLS/internet, breakout will only be available on internet connection at that site

Multiple Internet – LIB

A local internet breakout is an access point to the internet located as close to the user as possible. Local breakouts enable organizations to offload internet-bound traffic from local branches and remote offices, and route it directly to the internet via a local internet service provider (ISP).

• Customers will be able to select the Internet links and resiliency mode (load-sharing or active/standby) through SDWAN Portal.

Our solution Multiple LIB customers can benefit from the below,

• With the introduction of multiple WAN Uplinks, the customer can have up to 4 Internet uplinks.
• Through SD WAN portal customers can select the Internet links and resiliency mode (load-sharing or active/standby)
• By default, for all sites enabled for LIB in order system will have the internet wired uplink enabled in Active/Active mode.
• The Customer will have the option to change the default mode to Active/Standby based on the defined priority of Internet links via portal.
• Customers can now selectively enable or disable specific Internet links for Internet access from SDWAN portal.

LIB can be configured in two modes as per below picture.

4.10 Standard firewall

Colt SD WAN platform comes equipped with an L4 Stateful firewall (Versa FlexVNF Stateful FW feature on CPE). It supports rules around source and destination IP addresses, source and destination port and/or protocol numbers. When a customer site is first activated, the default firewall policy is to allow all traffic between SD WAN sites and “deny all” in both directions between the customer LAN and Internet. As an additional option, SD WAN firewall can be enabled which extends the default “deny all rule” to traffic between SD WAN sites. Firewall policy rules can be modified using the SD WAN portal.

Firewall rules are standard and based on simple allow, deny or reject commands on any of the defined parameters. Rule can be applied to a single or multiple CPEs.

The firewall feature is integrated with the Colt SD WAN solution and makes use of the stateful firewall feature embedded in the Versa FlexVNF software. This avoids the need for a separate firewall solution.

Highlights:

• Control – add, delete, modify and prioritize rules
• Back up – switch to any previous (saved) configuration version
• Analytics – there will be user friendly graphical analytics allowing users to view the number of allow and deny logs per rule.

Please refer portal guide here for details.

4.11 Advanced firewall

The Colt SD WAN Advanced Firewall feature set is ideal for Customers needing protection against modern web-based security threats like malware attacks, targeted attacks, application-layer attacks; these attacks exploit weaknesses in applications, rather than weaknesses in networking components and services which are the targets of traditional attacks and can be prevented by a stateful firewalls.

The Colt SD WAN platform uses an integrated Next Generation firewall that offers advanced firewall capabilities integrated with the SDWAN router, the functionality can be configured via the Colt SDWAN portal. The Advanced Firewall allows customers to connect separate LAN and DMZ networks to the SD WAN CPE and is used in combination with the local Internet breakout feature.

Colt also offers the Denial of Service (DoS) protection feature with Versa SDWAN. It is used to protect services on the customer LAN or DMZ that are exposed to the Internet e.g. web servers, mail servers. It is only supported in combination with the DMZ / destination NAT feature for the traffic from the Internet towards the LAN/DMZ.

4.12 Dual CPE (High Availability Site)

To enhance resiliency, two SD WAN CPEs are provided in high availability mode, using VRRP to ensure traffic will be routed to the other if either SD WAN CPE fails. By default, not all traffic is rerouted; there may be application exception policies in place for specific applications to avoid Internet or MPLS networks. The dual CPEs form a high availability site with shared aggregated total site throughput.

Dual CPEs can be situated in the same location or different locations, but they require an additional interconnect besides being connected via LAN for VRRP. This additional interconnect is necessary for proper WAN routing.

For the back to back connectivity between the two SD WAN CPEs, the customer can decide whether they need an electrical or optical port

In standard delivery internal cabling can include up to 5 metres, above that needs to be quoted in a case by case scenario.

Dual CPE is available in three combinations:

• Dual CPE (Hybrid): Primary CPE with MPLS + Secondary CPE with Internet
• Dual CPE (Dual Internet): Primary CPE with Internet + Secondary CPE with Internet
• Dual CPE (Dual MPLS): Primary CPE with MPLS+ Secondary CPE with MPLS

4.13 CPEs

Versa FlexVNF can be deployed on either a Colt uCPE (not available yet for Wholesale customers) or a Versa Certified Whitebox appliance (Baremetal), both installedon the customer premise. The following appliance types are used based on bandwidth and feature requirements:

Versa – Certified Whitebox Appliances

Model	Descripción	Rendimiento	Uplink	Deployment
Versa 510 (EoS)	Advantech FWA- 2320 Intel Atom C2558, 4 core, 8GB RAM	Up to 150Mbps	GbE (Cu)	Small Branch
Versa 120  LTE only	EAdvantech FWA- 1010, Intel Atom C2758, 8 Core, 16GB RAM	Up to 500Mbps	GbE (Cu/ SFP) + LTE	Small Branch (with LTE)
Versa 210	Advantech FWA-1012VC-4C, Intel Atom C3000, 4 Core, 8GB RAM	Up to 300Mbps	GbE (Cu/ SFP)	Small Branch
Versa 220	Advantech FWA1012VC. FWA-1012VC- 8CA1V (Versa 220 without LTE) FWA-1012VC- 8CA1VR (Versa 220 with LTE modem for EMEA) WA1012VC2006-T (Versa 220 with LTE modem for APAC)	Up to 1Gbps	GbE (Cu/ SFP) + LTE	Small Branch (with LTE)
Versa 810	Advantech FWA- 3260, Intel Xeon D-1548, 8 core, 64GB RAM	Up to 2Gbps	GbE (Cu/ SFP)	Medium Branch
Versa 850	Advantech FWA-5070L2205-T, Intel(R) Xeon(R) Silver 4210R, 10 core, 64GB RAM	Up to 3Gbps	GbE Cu    10G Fibre	Medium Branch
Versa 1800*	Advantech FWA- 5070 Intel Xeon Gold 6212U, 24Core, 96GB RAM	Up to 10Gbps	10GbE (SFP+)	Hub / Data Centre

Mentioned throughput are the highest throughput achievable under favourable circumstances. It is the throughput ceiling. The actual throughput & CPE Performance will degrade depending on network and security policies/features applied. CPE performance can be down to 30% on certain CPEs.

Versa 510

Versa 510 Specifications

Vendor Model	Advantech FWA-2320-01E
Processor	Intel C2558 4 Core CPU
Memory	4GB
Disk	64 GB SSD
Interfaces	4 x GbE Cu (WAN/LAN), 2 x GbE Cu Mgmt
Power	100W AC internal PSU
Cooling	1 x smart FAN maximum 37.5dB(A). Front to Back air- flow
Physical Format	1RU rackmount device
Dimensions	426 x 44 x 318mm
Weight	4.5Kg

Versa 120

Versa 120 Specifications

Vendor Model	Advantech FWA1010VC. Versa Builds: Versa V120-NW-EX (non LTE) Versa V120-EX-L455-W178 (LTE US/EMEA) Versa V120-EX-L7430-W178 (LTE APAC)
Processor	Intel Atom C2758 (8 core), 2.4 Ghz
Memory	16GB
Disk	128 GB SSD
Interfaces	2xGbE Cu/SFP WAN ports, 4x switched GbE Cu LAN ports, 1x GbE Cu as DMZ port
LTE/WiFi	WWAN module (Sierra MC7455, MC7430) with antennas WLAN module (Advantech/EWM-W162M) with antenna (not used)
TPM	TPM1.2 Module
Power	12V 5A, 60W external adaptor
Cooling	1 x smart FAN with maximum 37.5dB(A). Side-to-side air flow
Physical Format	Tabletop device (optional rackmount kit FWA-1010VC- RMT)
Dimensions	250 x 44 x 190.4 mm
Weight	2.3 Kg

Versa 120 – LTE Modem Specification

Modem Name	AMER, EMEA: Sierra Wireless MC7455 APAC: Sierra Wireless MC7430
Performance	Cat-6 (peak down-link: 200 Mbps, up-link: 50 Mbps)
Wireless Standards	4G-LTE, 3G (WCDMA) Frequency Bands: MC7455: B1, B2, B3, B4, B5, B8 Frequency Bands: MC7430: B1, B5, B6, B8, B9, B19
FRU	No
Geo-Location	GPS, Glonass, Beidou, Galileo
SIM Card Access	Externally accessible
Antenna	External Antennas that attach to the device are included. Antenna extension (wall mount/roofmount) is also possible. The antenna must have dual SMA male connectors and max 5dbm insertion loss. Example parts include Poynting 4G-XPOL-A0001 (Omni-directional) and 4G-XPOL-A0002 (Directional)

Versa 220

Versa 220 – LTE Modem Specification

Vendor Model	Advantech FWA1012VC. Versa Builds: FWA-1012VC-8CA1V (Versa 220 without LTE) FWA-1012VC-8CA1VR (Versa 220 with LTE modem for EMEA) FWA1012VC2006-T (Versa 220 with LTE modem for APAC)
Processor	Intel Atom C3758 (8 core), 2.2 Ghz
Memory	16GB
Disk	128 GB SSD
Interfaces	4x copper GbE via Marvell 88E1543, 2xSFP & 2x copper GbE via I350
LTE	Sierra/EM7455(EMEA) / MC7430 (APAC) Advanced-LTE module(Cat.6) with related antenna , SMA, screws
TPM	TPM1.2 Module
Power	12V 5A, 60W external adaptor
Cooling	2x system FAN with smart FAN
Physical Format	Tabletop device (optional rackmount kit FWA-1012VC- RMK)
Dimensions	250 x 44 x 193.04 mm (9.8” x 1.7” x 7.5”)
Weight	2.4 Kg

Versa 810

Versa 810 Specifications

Vendor Model	Advantech FWA-3260
Processor	Intel Xeon D-1548(8 core), 2 GHz
Memory	64GB
Disk	256 GB SSD
Interfaces	6 x 1GbE, 2 x 10GbE SFP+, Optional expansion module NMC-1004-10E with 2 x 10G SFP+ with Intel 82599ESx
LTE/WiFi	N/A
TPM	TPM1.2 Module
Power	Redundant 1+Dummy 300W AC PSU. Optional DC PSU
Cooling	4x system FAN with smart FAN. Front-to-back airflow
Physical Format	1 RU Rackmount Device
Dimensions	430 x 44.2 x 500 mm
Weight	15 Kg

Versa 1800

Versa 1800 Specifications

Vendor Model	Advantech FWA-5070
Processor	Intel Xeon Gold 6212U, 24C, 2.4GHz
Memory	96GB
Disk	2 x 512GB SSD
Interfaces	9 x 1GbE, 8x10GbE SFP+, Optional expansion module NMC-1004-10E with 2 x 10G SFP+ with Intel 82599ESx
LTE/WiFi	N/A
TPM	TPM1.2 Module
Power	Redund 650W AC PSU
Cooling	3x smart FAN. Front-to-back air flow
Physical Format	1 RU Rackmount Device
Dimensions	41 RU (438 x 44 x 550 mm) (W x H x D)
Weight	20 Kg

4.14 Universal CPE (only for Enterprise segment)

FlexVNF can also be deployed on the ADVA Ensemble Connector OS and certified uCPE appliances. See the Universal CPE solution guide for further details

Colt uCPE consists of following components

Component	Detalles
Hardware	Advantech FWA-3260 Advantech FWA-2012
Virtualization Layer	ADVA Ensemble Cloud Suite
VNF	Versa SD WAN Checkpoint Unmanaged Firewall

4.15 Multi-VPN (Multi-VRF)

Multi-VPN feature allows a single SD WAN CPE to be used to deliver up to 9 sub-VPNs (10th is used for uCPE inbound management). On the LAN side, either a separate physical interface or 802.1q logical sub-interface is configured per service instance, and it is placed in the corresponding VRF. On the WAN interface, it’s segregated using VPNv4 addresses. Unlike traditional MPLS VPN- based solutions, multi-VPN does NOT require separate logical circuits on the WAN for each sub-VPN. The SD WAN overlay provides the separation between each VPN

4.16 SNMP RO

SNMP Read-only access allows the customer to poll the MIBS on the Colt SD WAN CPE device from their own network management server. The customer server can be located on the local LAN or on another SD WAN site. SNMPv3 is supported using SHA/MD5 and AES ciphers for authentication and privacy. The type of encryption (privacy) can be: DES/3DES, or AES128

Customers who would like to use this feature need to provide authentication details like: username used in the SNMP requests, authentication password, privacy password. SNMP Traps are not provided by the CPE to the LAN, they are provided from SD WAN controller.

4.17 Advanced traffic steering (application based traffic steering)

Traffic Steering allows application traffic to be intelligently forwarded across different paths between SD WAN sites e.g. Internet or MPLS. By default traffic is load-shared across available paths or the customer can define application based policy. Capability to create traffic steering/forwarding policies based on 3000+ pre-defined applications pre-loaded on on-premise SD WAN CPE.

4.18 Advanced analytics (Versa Analytics) (only available for Enterprise segment)

Advanced analytics for applications by sessions, bandwidth, and access circuit on each branch, including bandwidth consumed by each application. It is accessible through Colt Online, and therefore limited for Colt’s direct customer, not Carrier’s end-customer. Please see appendix for details.

4.19 Self-Install CPE (Zero Touch Provisioning)

A simplified way for Customers to enable Colt SD WAN service globally without having to have technical resources on site. As part of this service, a CPE with basic configuration is shipped to end site where any site personnel (even non-technical) can connect it to the network and complete activation to start consuming the services.

Simple workflow:

• CPE received on site
• Connected to the Internet (to access Colt SD WAN Controller)
• On-site personnel connects a PC to the CPE and accesses a URL provided by Colt
• Colt SD WAN Controller checks the serial number against the URL and if there is a match the post staged customer configuration is downloaded to the CPE and it is launched and connected to Customer subscribed Colt SD WAN service.

Once the connectivity service has been confirmed (whether provided by Colt or the customer), the customer will receive shipment info email with following details.

• Site address details to which the CPE will be sent
• List of requirements for the service to be set-up (e.g. connectivity type, Ethernet interfaces etc.)
• Shipment content (e.g. 10/100 Mbps Managed Optical Demarcation Compact CPE Device, TP-TX/FX-SM1310/PLUS-ST, w/ AC Adapter, Quick Start Guide)

In case of failed self-installation, customer can request the services of an on- site technician. Customers shall incur a service charge at the professional installation rate if the technician determines the failure is directly related to customer equipment, inability or unwillingness to complete the self-installation process or mistakes customer made during the self-installation process.

4.20 SD WAN Multi-Cloud

For customers looking for cost-effective, direct connectivity into multiple cloud environments, SD WAN Multi-Cloud is the optimal solution. It offers private MPLS and/or Layer 3 connectivity into multiple cloud providers in a single solution, combined with end-to-end performance backed by a SLA, end-to- end security, and end-to-end analytics. Colt advises customers to establish resilient connects into their preferred CSP by default, in order to create high Cloud connectivity performance towards the SD-WAN locations. With the SD WAN Multi-Cloud solution, customers are able to combine management of their SaaS/IaaS cloud, WAN, and branch site connectivity into a single intelligent platform. SD WAN Multi-Cloud provides high performance, inexpensive, and secure cloud connectivity directly into the Cloud Service Providers (CSPs)

– Amazon AWS, Microsoft Azure, and Google Cloud.

SD WAN Multi-Cloud provides the following benefits:

Direct and secure Branch to Multi-Cloud connectivity and common policy management

Most companies with connectivity to the cloud are working, not just with a sin- gle cloud, but with multiple cloud service providers. There is a growing need for a simple, straightforward way to manage multi-cloud infrastructures. With SD WAN Multi-Cloud, customers are able to connect their branch sites directly to all their cloud-based SaaS and IaaS and manage this connectivity centrally via the Colt SD WAN portal.

SD WAN Multi-Cloud also offers the ability for customers to manage common policies across their branch sites, SD WAN fabric and multi-cloud environment – further increasing the ease of control over their network.

SD WAN-powered dynamic path selection with SLA

With SD WAN Multi-Cloud, cloud-based applications are intelligently and dy- namically routed to the best available path – minimising risk of performance disruption caused by unpredictable cloud traffic and resulting in an overall improved end-user experience and increased productivity.

Performance visibility across WAN and Cloud, powered by SD WAN analytics

Customers are in full control of their network with Colt SD WAN Multi-Cloud, which provides comprehensive visibility of network performance across both WAN and Cloud. Having this visibility enables customers to monitor, trouble- shoot, and make decisions to improve performance across their network.

Support of Cloud-to-Cloud communication

In many cases, customers’ data will travel through multiple cloud environments. Rather than sending that traffic from branch site to one CSP and backhauling to a data centre or SD WAN gateway to reach another, traffic is routed over ded- icated tunnels from one CSP’s environment to the other. This means reduced latency and optimised performance for the end-user.

Security (Firewall/NAT) between Public and Private Cloud domains

Security remains a top concern for enterprises, particularly in adopting new technologies like Multi-Cloud. With the security features available with SD WAN Multi-Cloud – including Firewalls and NAT (Network Address Translation) – customers can be assured that customer network is secured from the cloud public domain.

With SD WAN Multi-cloud, we can support multiple connections towards differ- ent or same CSP’s using Colt’s Cloud Gateway infrastructure. These connections are always configured as active-active individual connections.