1. Overview

Colt’s Software Defined WAN (SD WAN) is a managed service offering towards deploying and managing Enterprise network connectivity and providing several integrated functionalities to transform customer’s digital network experience. It gives Customers the ability to combine multiple access connections types (MPLS, Internet, 3G/4G) with application-based policy forwarding and advanced security functions to
create a software defined network capable of delivering on changing business needs and capacity challenges.

Colt SD WAN incorporates various software images of Virtual Network Functions (VNFs) deployed on commodity hardware for routing, security, WAN and application optimization and analytics. Colt SDWAN makes use of underlay connectivity (private MPLS and public Internet) to establish a secure, encrypted overlay VPN. Customers can use it to quickly create and deploy a network that offers services like business grade IP VPN, secure broadband Internet or application-aware routing with full security and QoS over WAN connections. Traffic can be automatically and dynamically (manually) forwarded across the most appropriate WAN path based on network conditions, quality-of-service (QoS) requirements, usage requirements and cost. This combined feature set offers higher network service availability and increased network performance.

In addition, SD WAN allows Customers to optimize the use of their bandwidth through load balancing over multiple Internet uplinks over broadband, 3G/4G (with an Ethernet handoff) in addition to traditional MPLS connections. SD WAN also allows to connect to Cloud service providers and SaaS providers to extend their WAN edge to Cloud.

Colt has further enhanced its SD WAN service with the launch of its universal customer premises equipment (uCPE) solution at the network edge. The Colt SD WAN service now provides 3pp unmanaged VNF hosting functionalities like CheckPoint Firewall offered as an additional VNFs on the uCPE with Versa SDWAN VNF. It further puts the control of network in the hands of the customer, giving them the flexibility to license, manage, monitor functions with the choice of network options. This capability is bringing the benefits of cloud computing from data centres to edge computing at the customer premises and branch sites, representing a paradigm shift in how enterprises consume connectivity services.

Colt also offers a Wholesale SD WAN solution that provides a flexible approach that offers not only an alternative to an existing vendor, but also the instant ability to a fast time to market when no SD WAN solution is in place for them.

This solution consists in offering our current Versa solution to them, with some clear adaptation (customizable portal, branding and further hierarchy levels, systems and processes modification, etc) that allows the end-customer to benefit from a top-quality SD WAN service without any reference to Colt, as if our Wholesale customers were offering it directly.

Perfect match will come for those who haven’t developed an owned solution, proactively looking for some partner who could cover that gap and offer a turnkey solution with no upfront investment or development time, assuming certain limitations because of the resale environment and the vendor restrictions, that will be covered throughout the document.

Colt can help to engage this digital enrolment, helping to integrate our existing SD WAN service so that the Wholesale customer can resell it to their end customers, with little visibility about who is actually providing the service in backstage and with full functionality towards them.

There are specific considerations along the processes, that will be covered during the
following sections.

2. Benefits

2.1 Available Anywhere

Colt SD WAN service is available to virtually any business address worldwide (basic connectivity pre- requisite) in a fully meshed or hub-and-spoke network configuration options.
SD WAN allows connectivity between SD WAN and Non-SDWAN (traditional IPVPN) sites

2.2 Quick Deployment

New locations can be turned up in as little as minutes with zero touch provisioning (“bringing” the device into the network). Customers will be able to manage their own service, add new branch sites in hours, or upgrade bandwidth real-time. The customer will be provided with Common off the Shelf (COTS) server, Colt uses pre-configured CPE devices which are as easy to setup as a home WiFi router

2.3 Security

Secure end to end connectivity using IPSEC encryption, this ensures that the transit of a Customer’s proprietary data is fully protected and inaccessible beyond the intended origination and destination points. Colt SDWAN provides an integrated firewall with SDWAN which provides secure local internet breakout, provides DDoS protection and ability to create firewall policies and rules required as per customer specific requirements

2.4 Connectivity Flexibility

Colt SD WAN services can be provided over public internet – broadband Internet and business internet dedicated internet access (DIA) connectivity (using any and all transport technologies like xDSL, wireless 3G/4G/LTE (only available in EU for Colt provided SIMs, no limitation for customer-owned), Ethernet or traditional MPLS regardless of whether Colt is providing that underlying connectivity or not. Local breakout is available, if desired, so that only certain traffic is forced through the SD WAN network

Ideally MPLS should be from Colt. MPLS circuit is from Colt or from Colt’s existing MPLS NNI partners. Any new MPLS provider needs an MPLS NNI to be setup first (see connectivity constraints for Carrier’s provided MPLS legs)

2.5 Application Performance

Based on Customer requirements, Colt SD WAN service ensures that it always provides the best available connection for traffic flows based on jitter and latency requirements. In addition, Customers are in complete control of steering traffic over specific preferred links through the use of layers 3, 4 and 7 based
access control lists and policies that can be implemented via the self-service portal.

2.6 Self-Service Portal

Colt SD WAN portal allows dynamic management of network based on Customer requirements, with policy control and visibility, traffic data reporting is also available for visibility of throughput (peak/average) and traffic volume for a selected duration.

For Wholesale service, both Carrier and end-customer will benefit from a customized look and feel, setting your own logo, background image, links and contact details, so that your end-customer experience doesn’t differ from the rest of your services offered.

2.7 Service Reliability

Multiple points of presence, bidirectional metro rings, and a fully redundant network core support ensures service availability and that customer data gets to where it needs to go.

2.8 Redundancy and High Availability

Colt SD WAN service can be deployed in a redundant and highly available manner, supporting link level and device level redundancy to eliminate single point of failures. In addition, the back-end control and provisioning systems are redundant as well to ensure service availability is not affected by any single point of failure.

2.9 Cost Efficiency

Colt SD WAN provides the ability to manage and optimize traffic over multiple infrastructure links and maximize the use of bandwidth thereby lowering costs. Customers can use it to top up existing IP VPN bandwidth by using the Internet in addition to existing IP VPN bandwidth; another use case would be an
Internet only version which can be used where dedicated leased line cannot be justified due to cost reasons.

2.10 Control (Changing Traffic Patterns)

SD WAN gives the ability for customers to route their traffic for specific application based on a number of parameters. Traffic policies (MPLS vs internet) will be set during the initial deployment and will be based on basic business rule settings (IP address/subnet, protocol and/or port number, pre-loaded applications), these can be changed any time via the self-service portal.

2.11 Analytics

Near real time, interactive dashboards that enable Customers to keep an pulse on the health of a network and applications – continuously monitor traffic flows, enabling the identification of and response to business impacting events. Visualization of application performance, network security and Firewall, and
utilization – allowing organizations to analyse issues at the site level, application layer, or individual user level.

2.12 Multi-cloud

With SD WAN Multi-Cloud, customers are able to connect their branch sites directly to all their cloud-based SaaS and IaaS and manage this connectivity centrally via the Colt SD WAN portal. It brings together a single cohesive view of the enterprise network, tying together WAN sites, IaaS/Cloud sites, and traffic towards SaaS cloud – all easily viewed and managed via the Colt SD WAN portal. It extends the SD WAN benefits of security, analytics and optimization to connectivity to the CSP and provides an end-to-end SLA for all connectivity types (MPLS, Internet, Wireless and Cloud) for enterprise networks.

Colt SD WAN Multi-cloud services are available in Europe and Asia and supports direct connectivity towards Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. The SD-WAN Multi-cloud solution uses gateways hosted in the Colt network with dedicated connectivity into the Cloud. Today,
Colt is monitoring proactively our Cloud Gateway infrastructure, we are also working to develop a solution to monitor the connectivity to the 3rd party cloud providers at an application level.

Within the direct connectivity program of the CSP, Colt supports both hosted and dedicated CSP options in the likes of AWS Direct Connect, Azure ExpressRoute and Google Cloud Interconect (GCI)

2.13 Support for IPv6

Internet Protocol version 6, is a new addressing protocol designed to incorporate whole sort of requirement of future internet known to us as Internet version 2. This protocol as its predecessor IPv4, works on Network Layer (Layer-3). IPv6 provides larger addressing space and simplified header. Colt SD WAN supports use of IPv6 addressing on LAN interface

2.14 WAN Optimization

SD WAN with WAN optimization provides customer an enhanced user experience as it improves the network performance and reliability over multiple wan links for a site. It alleviates the effects of latency that maximize bandwidth utilization and relieves network congestion. The advantage of SD WAN with
WAN optimization is that it is aware of other network traffic on the same link and can intelligently manage all flows overcoming the problems of TCP retransmission.

We utilize following traffic optimization techniques

• Forward Error Correction (FEC): Allows missing data packets to be recreated at the destination without adding latency or jitter

• Packet Cloning (Replication): Mirrors packets between two or more paths – if one packet is lost, the mirrored packet will still be delivered

3. Service Design

3.1 Transport agnostic Application driven WAN

Colt SD WAN ensures Customer WAN network is designed to provide efficient application performance irrespective of the underlying transport (MPLS or Internet). The service enables and implements application routing policies and also allows for load balancing of default traffic in order to ensure that all
available WAN capacity is optimally utilized

3.2 Site design types – SD WAN Service Pack (Multiple WAN Links)

Colt SD WAN supports multiple access types to suit individual site requirements; these can include dedicated Ethernet, Direct Internet Access, cost-effective broadband DSL connectivity or 3G/4G/LTE.
By default 3G/4G circuits should be used as backup only if fixed Internet and MPLS circuits are available i.e. traffic should not load-share across 3G/4G and other WAN circuits. The SD WAN CPE can be attached directly to the Internet Access circuit (recommended) or behind a customer router or modem device.
The handoff to the SD WAN CPE should be plain 802.3 Ethernet (no VLAN tagging) or PPPoE (with or without VLAN tagging). PPPoE handoff (with or without VLAN tagging) has been validated and enabled for France only (with Bouygues Telecom) currently

Blue Wireless

Colt now offers a Fixed Wireless, 4G/ 5G cellular Internet access service to our customers. This service is a complete resell of the Wireless Internet access service provided by Blue Wireless, a Singapore-based company. Uniform service including on-site survey, installation, maintenance and operation can be
provided in about 90 countries in Europe and Asia as well as in North America, South America and the Middle East. This service comes with Cradlepoint mobile router, Dual SIM and its data, installation and operation service, and SLA. This service offers managed mobile internet access service maximum up to 300Mbps/30Mbps(Down/Up) supports both unlimited data and limited data plan with flat rate pricing. This service guarantees 50% of contract speed. The service can also be utilised for SDWAN customers as an Internet underlay, typically utilised as a backup to existing fixed WAN connections or for low priority site locations where physical connectivity is difficult to achieve.

All countries where Supplier has the network coverage (~ 88 countries) and where Colt is authorized to sell.

Not all these plans are available in all locations, for several reasons. As part of the ‘Partner IP Access’ product, Colt has chosen Blue Wireless to provide an end-to-end managed service supplying Wireless Internet connectivity using 4G LTE/ 5G cellular technology with a managed CPE. The standard service offering delivers a Blue Wireless managed Cradlepoint CPE with dual resilient SIMs as below:

There are 2 service offerings by Blue Wireless, Primary mode and Backup mode. Primary mode has an unlimited data plan expected to be used for most typical enterprise customer use cases and a backup mode offering that comes with a data limit. Typically, 10GB per month and over usage restriction, along
with 30GB data Uplift plan for backup mode. Over usage will automatically downrate the access line to a minimal speed (1Mbps/1Mbps), which ensures the service is not completely down when the data limit has been reached but will result in a poor customer experience for normal everyday applications. Low
bandwidth applications could still function such as credit card transactions as an example but would be very limited.

Blue Wireless offers a number several bandwidth plans

• 2/2: Not to be used due to constant mgmt/crtl data that needs to be send
• 5/5
• 10/5
• 20/10
• 40/10
• 50/20
• 100/20
• 200/20
• 300/30
  Not all these plans are available in all locations, for several reasons. Some MNOs are not offering all these plans in all regions. Some (higher) speeds might not be attainable due to the local environment the Cradlepoint CPE will be in. Blue Wireless will test the speed before handing over the service to Colt / customer The Service offer two data plan options for customer to choose from, to be Indicated in the Order

Unlimited Data (Primary Plan), offering unlimited data usage at the contracted Maximum Access speed at a fixed MRC. The Service is configured as an active access for the primary connection.

Limited Data (Failover Plan), where there is predefined amount of data usage included per month indicated in the rate card to be used at the contracted Maximum Access speed at a fixed MRC. An option may be provided to increase the predefined amount of data usage per month. Upon reaching the data limit, the maximum access speed will be throttled to 1Mbps/1Mbps speed.

The blue wireless CPE can be attached to any of the current standard Versa CPEs – no new colt managed hardware is introduced for Blue Wireless connections

Based on the maximum bandwidth supported by Blue wireless i.e. 300Mbps/30Mbps(Down/Up), Following T-Shirt sizes/packages are in scope of current phase:

• XS – Extra small
• S – Small
• S Plus – Small Plus

Key points

• Blue wireless connections shall be ordered as part of IP Access underlay
• Maximum 1 Blue Wireless link per site, both for single or dual CPE setups, is supported
• Internet Egress is only available for unlimited plan
• IPv6 is not supported
• uCPE is not supported
• Blue Wireless (with limited plan) and a 4G connection at the same site is not supported
• Zscaler SSE solution has been technically validated with Blue wireless with Unlimited plan but not the Versa SASE yet.
• Customers shall ensure that the CradlePoint device Installation must be carried out at the location where Versa CPE is expected to be installed in order to achieve a direct connectivity between these two devices. In case Blue Wireless considers that coverage is not good enough and SLAs are
  at risk, they will evaluate the installation of a 10m indoor external antenna to get the right signal out of the rack. Customers are always advised to increase the default coverage of the CradlePoint equipment by installing it on top of the rack where the SDWAN box is installed. If in case the indoor
  external antenna does not suffice to guarantee Blue Wireless Service, the CradlePoint equipment will be installed elsewhere in the building where signal is good enough and customer will be responsible to install the required internal cabling considering RJ45 demarcation towards Colt SD WAN equipment. And it is customer’s responsibility that the CradlePoint device must not be shifted from the install location as performed by Blue Wireless.
• As Blue wireless connection is a wireless connection, It should not be considered as one to one replacement of any wired internet access considering different performance matrix like latency. Blue wireless connections latency is expected to be higher then the wired internet connections, especially in case if inter-regional site to site communications.
• Blue Wireless does not offer any guarantees on the Latency, Jitter and Packet Loss but Blue Wireless will endeavor to optimise the performance to the best of our abilities

Note: Due to some regulatory limitations, blue Wireless do not offer services in following countries: India, China, Russia, Cuba, Syria, Iran, North Korea, Venezuela

The way in which you order Colt SD WAN services has changed. Up until now, Colt SD WAN has been sold as a mixed configuration solution with several nonstandard elements, with personalised designs being built for every customer order.

Shape the new approach significantly simplifies the process by offering new standardised packages which customers can mix and match to meet the requirements for each of their sites. This presents a number of benefits, both internally and externally.

Below is a table summarising the new standardised packages that are available for your customer to order per site.

Each size package varies in the type and number of WAN uplinks, number of CPEs, bandwidth, diversity, and service assurance.

To build a new SD WAN solution, simply work with your customer to mix and match these ‘sizes’ to meet the requirements for each site

Note: Blue wireless connections are supported for XS, S & S Plus packages only currently.

• Any combination of Internet and MPLS uplinks up to the max supported
  and not exceeding maximum for each type.
• LTE as substitute or in addition to any fixed Internet connections.
• LTE substitutes the fixed WAN Uplink
• Dual LTE not supported in combination with Fixed MPLS or Internet uplinks.
  Single LTE uplink is on primary CPE when combined with 2 fixed uplinks.
• Max 1 MPLS per CPE. Single MPLS is always on primary CPE.
• For 2 Internet uplinks LTE substitutes the second Internet uplink
  

To illustrate these site size packages further, see the example use cases below:

The CPE model used in M & M Plus package will be the V220, offering a maximum BW of up to 1 Gbps.
The CPE model used in M & M Plus will be the V810, offering a maximum BW of up to 2 Gbps.
The CPE model used in L & L Plus will be the V1800, offering a maximum BW of up to 10Gbps.
Both support fibre handoff option.
There are numerous key benefits, that can be separated either from a customer’s perspective or internal:

For Customers, it means:

• Faster time to live SD WAN service vs competitors
• Simpler planning and deployment, no overengineering
• More efficient use of their backbone network – options can be mixed and matched to optimise the use of each site over their existing network (creating potential cost savings of 20-50% savings for retail, 30-40% for manufacturing)
• More flexibility and greater choice with greater automation capabilities in ordering and delivering their service
• More resilience options to meet SLA requirements of their business

Greater cost transparency For a Colt employee, it means:

• Reduces bespoke designs, saving time and effort
• Customer network simplification – operationally less complex to build and maintain
• Communicating with your customer is simpler and easier
  

Happy customers! Time to deliver is reduced from months to weeks Common attributes for all site types:

• Underlay to establish IPSec tunnel/MP-BGP and run data traffic directly between SD WAN and non-SD WAN sites.
• IPSec tunnels between all sites.
• Customer traffic load shared across the links.

Product approval for design is needed for all SD WAN orders above 250 sites.
At the moment this guide was written, new CPEs were being standardised to fulfil expectations of those customers who require higher bandwidth demands. Once they become available, the guides will be updated accordingly.

3.3 Traffic flows

The customer may have a mix of sites – IP VPN on-net sites (connected directly to Cisco based MPLS network) or SD WAN hybrid sites (OLO MPLS and Internet lines, Versa based) or SD WAN Internet only (Versa based) or SD WAN MPLS-only site.

Backup Path not shown

Below table provides the overview of the traffic flows with regards to how SD WAN gateways and Encrypted tunnels are involved (Versa uses IPSec but combined with other protocols)

SD WAN Gateways provide the following functions 1) they act as a transit gateway between the encrypted SD WAN VPN and a normal IP-VPN and 2) They act as a hub for connecting SD WAN sites on disjoint networks e.g. a site connected to MPLS only and a site connected to Internet only. SD WAN Gateways are implemented on a region by region basis to reduce the latency caused by backhauling tunnels

3.4 Application aware connectivity

Colt SD WAN service delivers path control for application-aware routing and forwarding across the WAN. It supports, dynamic selection of the best path for application-based business policies and application-based load balancing across paths for full utilization of bandwidth with improved network availability.

3.5 Encryption

Encryption method: Advanced Encryption Standard AES-128 and AES-256 supported.

• Encryption method: Advanced Encryption Standard AES-128 and AES-256 supported.
• Authentication Method: Secure Hash Algorithm SHA2.
• Internet Key Exchange (IKE): IKEv2.
• PSK: As standard, pre-shared keys will be used to authenticate between IPSec peers.

(Colt owns & manages the keys).

3.6 Customer Information Protection

It is Colt’s policy to protect all confidential information related to its business activities, as well as confidential information on customers, partners and others. The Information Security Policy standards are designed to ensure that information assets are protected from all types of security threats and that highly reliable services are provided. To this end, the Information Security Management System (ISMS) is established and will be enforced. Continuing efforts will be made to improve the system.

Summary of Colt’s Security certifications (ongoing):

• BS7799
• MC is accredited with ISO 27001*

ISO 27001 specifies the requirements for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving a documented Information Security
Management System within the context of the organization’s overall business risks. It
specifies requirements for the implementation of security controls customized to the
needs of individual organizations or parts thereof.

4. Features

Colt SD WAN is an evolving product line, this is primarily because the industry is still evolving with ongoing developments (Colt product offering is mature as committed). Colt will continue to improve and add new product features and they will be added in this guide as they are released (please refer to roadmap for details).

4.1 Customer Portal

Colt SD WAN Portal is a self-service portal (does not support service provisioning and ordering – for now) available for both Carrier and end customer. It enables network services to be used, modified and orchestrated on real-time and on-demand basis – as is typical for cloud services. As it is ‘software defined/controlled’, the WAN transforms into an agile, flexible network enabling a customer to be in control of its network.

In summary, the portal gives the Customer the ability:

• To map applications to specific WAN uplink (eg., MPLS and/or Internet)
• To choose when an application needs to switch to the secondary path

The portal is intuitive and easy to navigate with below features:

Portal Pages	Page Details
Dashboard	Gives an overview of all provisioned sites on a geographically accurate map Dashboard allows regularly used graphs or reports to be pinned to the Dashboard view. Status of Pending orders are listed
Policy Management	per site traffic steering policy rules per site add, delete, edit and back-up traffic policies map traffic to WAN uplinks on multiple parameters like source and destination IP Address, source and destination port/socket, protocol and applications (more than 2,500 applications supported) define policy to switch between WAN links based on latency, jitter, packet loss, traffic Rx/Tx thresholds Multiple metrics per policy can be added Bulk copy pushes policies to multiple sites by single button click
Firewall Management	per site firewall rules overview per site add, delete, edit and back-up firewall policies Policies applied to Internet and SDWAN for both inbound and outbound traffic Create firewall rules based on multiple parameters like source and destination IP Address, source and destination port/socket Create Application layer inbound and outbound Firewall policies with source/destination IP addressing Create DNAT for LAN and DMZ zone rules by IP address and port number Bulk copy pushes policies to multiple sites by single button click default policy deny all
Firewall analytics	lists all active firewall rules top 10 (or more) applications with sessions, traffic Tx/Rx and bandwidth used historical view by day, week, month or custom time frame
Interface Analytics	delay, jitter, loss ratio, traffic in/out and number of sessions on per interface basis historical view by day, week, month or custom time frame
Application Analytics	application bi-directional bandwidth utilization top application information pertaining to sessions, and traffic utilization (Rx/Tx) Application view can be filtered or selected per application historical view by day, week, month or custom time frame
DDOS	create DDOS attack profiles and suspend actions historical view by day, week, month or custom time frame of DDOS attack analytics associated with attack profiles.
Device	detailed CPE hardware information self CPE diagnostics, including ping and traceroute Data synchronization icon to re-synchronize the Portal and SDWAN bases. WAN interface details including MAC, status, IP address, speed, traffic Rx/Tx and QoS policies LAN interface details including MAC, ARP information, IP address, speed, and routing policies