
The use cases for SD-WAN by Fusion Broadband

MPLS migration 

MPLS has been used in the enterprise since the late 2000s and many networks are built using this technology. In reality it still accounts for the significant majority of enterprise networks.

An MPLS network is used where an organization has a number of geographically dispersed branches, which are interconnected using MPLS circuits from network operators.

MPLS is inherently expensive: a link to a branch averages out at about R12k, while alternatives are in the region of R3k. Besides the cost, implementing these networks is difficult and time consuming. High-level engineers are required, and extensive troubleshooting is often needed to operationalize deployments.

MPLS is provided by the larger network operators, and the architecture requires long design, quote, order and implementation cycles. Configuration is also a complex undertaking that can lead to costly errors that take time to identify and fix. Extending MPLS networks into cloud hosting, or to reach cloud services, requires engaging carriers and network operators in additional design, quote and deployment cycles and increases costs. Adding cloud services to an SD-WAN network is simple, especially when the cloud service is reachable over Internet connections and the SD-WAN platform can be deployed in containers or virtualized at the cloud or hosting provider.

Fusion Broadband SD-WAN deployments

SD-WAN has become a better alternative as it allows automated deployment of a branch by staff with limited technical skill. A branch is activated within two minutes. The inherent benefits include better security, overall network management, affordability, AES data encryption, flexible contracts, rapid deployment, carrier redundancy, BYO connectivity, hybrid networks and quality of service (QoS).

Watch Greg make an excellent case for SD-WAN in the video below...

Centralized firewalls

Many organizations have used a strategy of firewall carpet bombing: a firewall deployed generically at every point of the network in an indiscriminate manner. Most modern systems have some basic form of firewalling, but that is not what I'm referring to; I mean the perimeter security firewalls. In a branch network, deploying one at each branch is an onerous license requirement.

What makes more sense is to securely connect the edge to a centralized firewall hosted in a data centre, which can be a resilient cluster. This firewall will be far more powerful than the puny one currently deployed at the edge.

SD-WAN Centralized firewalls

SD-WAN allows a business to consolidate firewalls, which also provides a significant administrative benefit as the rule base is significantly reduced and simplified.

100% uptime on last mile

Legacy networks have a reliability problem in the last mile. Even when scripts or protocols are used, fail-over typically takes upwards of 30 seconds, which is also the fail-over time of most mesh-based SD-WAN implementations.

A hub-and-spoke SD-WAN deployment provides near-instantaneous fail-over and can also aggregate bandwidth through a process known as bonding. However, the biggest benefit is the ability to ensure 100% uptime over the last mile.

SD-WAN Last Mile

The above example shows a last mile that utilizes 3 IPPs: 2 on fibre and 1 on fixed wireless. This configuration provides 100% uptime over the last mile precisely because it mixes fibre and fixed wireless. Fixed wireless is often able to mitigate last mile outages caused by service interruptions such as a backhoe digging up the fibre.

Disaster recovery

One of the issues with disaster recovery is that when you restore your systems they will all be configured with new IP addressing. This requires a large amount of testing and troubleshooting.

However, one of SD-WAN's abilities is floating IPs, whereby IP addresses can be used anywhere within the SD-WAN network. In a normal broadband deployment an IP address is tied to a specific site and cannot be moved to another region. Migrating IP addresses between sites and locations, as disaster recovery requires, thus becomes a straightforward configuration matter.

SD-WAN disaster recovery

Threat management

SD-WAN has a unique ability to handle and manage threats in an optimal manner. The two enforcement points are the aggregator and the edge: one is system wide and the other is site specific.

At the aggregator we can drop the following traffic: bogons, hijacked domains, DShield top attacking network ranges, as well as malware sources. The aggregator from Fusion Broadband can be configured with the firehol level 1 block list, which includes these malware list sources: feodo, sslbl, zeus_badips and bambenek_c2. The mechanism is to load the list into a set using the ipset tool, which is achieved using a script.
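The following shell script is an added example of the mechanism described above; it is not Fusion Broadband's script. It takes a firehol_level1-style text list (one IPv4 address or CIDR per line, `#` comments), normalizes it, loads it into an ipset through `ipset restore` and attaches a DROP rule for matching sources. The set name `threatblock`, the hash sizes and the download location are this example's choices (the URL is firehol's published location for the level 1 list); the sample list embedded below is constructed from documentation ranges, not real feed data. Without `--apply` the script only prints the restore commands it would feed to ipset, so it can be reviewed on any machine.

```shell
#!/bin/sh
# Added example (not Fusion Broadband's script): load a firehol_level1-style
# IPv4 block list into an ipset and drop matching sources with iptables.
# Assumptions: the set name, hash sizes and list URL are this example's
# choices; the sample list is constructed, not real feed data.

SET_NAME="threatblock"
BLOCKLIST_URL="https://iplists.firehol.org/files/firehol_level1.netset"

# Constructed sample in the .netset format: one IPv4 address or CIDR per
# line, '#' comments, a duplicate and one junk line to show the filtering.
SAMPLE_LIST='# firehol_level1 (constructed sample, documentation ranges only)
0.0.0.0/8
10.0.0.0/8
192.0.2.0/24      # inline comment
198.51.100.17
not-an-address
203.0.113.0/24
192.0.2.0/24
'

# Strip comments and whitespace, keep only well-formed IPv4 address/CIDR
# lines, and dedupe. Anything else in the feed is silently discarded.
normalize_list() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | sort -u
}

# Emit an "ipset restore" script: fill a scratch set, then atomically swap
# it in, so the live set is never empty while a reload is in progress.
build_restore() {
    tmp="${SET_NAME}_new"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144\n' "$SET_NAME"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    while IFS= read -r entry; do
        printf 'add %s %s\n' "$tmp" "$entry"
    done
    printf 'swap %s %s\n' "$tmp" "$SET_NAME"
    printf 'destroy %s\n' "$tmp"
}

# Make sure the DROP rules that reference the set exist exactly once.
ensure_rules() {
    for chain in INPUT FORWARD; do
        iptables -C "$chain" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
          || iptables -I "$chain" -m set --match-set "$SET_NAME" src -j DROP
    done
}

# Fetch, normalize and load the list. Needs root plus curl/ipset/iptables.
apply_blocklist() {
    for tool in curl ipset iptables; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
    curl -fsSL "$BLOCKLIST_URL" | normalize_list | build_restore | ipset restore -exist
    ensure_rules
    echo "$SET_NAME now holds $(ipset list "$SET_NAME" | grep -c '^[0-9]') entries"
}

# Dry run by default: show what would be loaded from the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    apply_blocklist
else
    printf '%s' "$SAMPLE_LIST" | normalize_list | build_restore
fi
```

Run it from cron or a systemd timer with `--apply` to refresh the set; because the entries land in a scratch set that is swapped in at the end, a failed download leaves the previous set in force rather than emptying it.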

On the edge, the SD-WAN solution uses dnsmasq. This allows the use of a hosts file in exactly the same manner as the famous pi-hole tool. Examples of lists that can be used are those hosted on Energized Protection. Another resource is the ultimate list.

The dnsmasq configuration on the edge can use multiple simultaneous upstream DNS resolvers, including those from Quad9 and Cloudflare. This configuration can improve resolution performance by up to 240%, especially when the appropriate hardware is implemented at the edge.

A supplementary benefit, as mentioned above, is achieved using a highly efficient local caching resolver. This can be supplemented by techniques to disable DoH/DoT and by redirecting all DNS queries to the local caching resolver using firewall rules on the SD-WAN.
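As an added example of the three edge pieces described above (the pi-hole style hosts list, the parallel upstream resolvers with a local cache, and the firewall redirection), the script below is not Fusion Broadband's configuration. It cleans a hosts-format list into a dnsmasq block list, writes a dnsmasq fragment that races Quad9 and Cloudflare (their well-known public addresses) with a local cache, and emits iptables rules that DNAT any plain DNS from the LAN to the edge resolver and reject DNS over TLS on port 853. The interface name `br-lan`, the resolver address, the file paths, the list URL and the hosts sample are all placeholders constructed for the example. The Firefox canary entry assumes dnsmasq's `address=` form with no IP, which returns NXDOMAIN and tells Firefox not to switch to its own DoH resolver.

```shell
#!/bin/sh
# Added example (not Fusion Broadband's edge configuration): turn a pi-hole
# style hosts list into a dnsmasq block list, query Quad9 and Cloudflare in
# parallel with a local cache, and force LAN clients through that resolver.
# Assumptions: interface, resolver address, paths and list URL are placeholders;
# the hosts sample is constructed from reserved documentation names.

LAN_IF="br-lan"
RESOLVER_IP="192.168.1.1"
BLOCK_HOSTS="/etc/dnsmasq.d/blocklist.hosts"
LIST_URL="https://example.invalid/blocklist.hosts"   # placeholder, not a real list

# Constructed sample in hosts-file format, as list maintainers publish it.
SAMPLE_HOSTS='# constructed sample, not a real list
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.invalid
0.0.0.0 Tracker.example.invalid   # trailing comment
127.0.0.1 malware.example.invalid
0.0.0.0 ads.example.invalid
0.0.0.0
'

# Normalize: keep "<sink> <name>" lines, lower-case names, drop loopback
# housekeeping entries, dedupe, and always sink to 0.0.0.0 so blocked names
# never reach services listening on the edge's own loopback.
clean_hosts() {
    sed -e 's/#.*$//' \
      | awk '
        NF == 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            name = tolower($2)
            if (name ~ /^(localhost|localhost\.localdomain|broadcasthost|local)$/) next
            if (!seen[name]++) print "0.0.0.0 " name
        }'
}

# dnsmasq fragment: several upstreams raced in parallel, no dependence on
# /etc/resolv.conf, a generous cache, and the hosts-format block list.
dnsmasq_conf() {
    cat <<EOF
# upstream resolvers (Quad9, Cloudflare), all queried at once: fastest answer wins
server=9.9.9.9
server=149.112.112.112
server=1.1.1.1
server=1.0.0.1
all-servers
no-resolv
cache-size=10000
domain-needed
bogus-priv
# block list in hosts format; SIGHUP makes dnsmasq re-read it
addn-hosts=$BLOCK_HOSTS
# Firefox DoH canary: NXDOMAIN here keeps the browser on the network resolver
address=/use-application-dns.net/
EOF
}

# iptables rules (emitted as text so they can be reviewed before "| sh"):
# DNAT any plain DNS not already aimed at the edge, and reject DNS over TLS.
# DoH shares port 443 and cannot be blocked by port alone; that needs an
# ipset of known DoH resolver addresses, which is outside this example.
dns_redirect_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s:53\n' \
            "$LAN_IF" "$proto" "$RESOLVER_IP" "$RESOLVER_IP"
    done
    printf 'iptables -A FORWARD -i %s -p tcp --dport 853 -j REJECT --reject-with tcp-reset\n' "$LAN_IF"
}

if [ "${1:-}" = "--apply" ]; then
    curl -fsSL "$LIST_URL" | clean_hosts > "$BLOCK_HOSTS"
    dnsmasq_conf > /etc/dnsmasq.d/10-edge-resolver.conf
    dns_redirect_rules | sh
    echo "restart dnsmasq to load the new configuration; later list refreshes only need SIGHUP"
else
    printf '%s' "$SAMPLE_HOSTS" | clean_hosts
    dnsmasq_conf
    dns_redirect_rules
fi
```

The `! -d $RESOLVER_IP` match keeps queries already addressed to the edge out of the DNAT path, and the TCP reset on 853 makes DoT clients fail fast and fall back instead of hanging until a timeout.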

Cloud acceleration

The assumption is often that fibre is by default better than wireless. Leaving aside that most sites have Wi-Fi, so there is wireless in the connectivity chain regardless, the problem is that packet loss on fibre is more difficult to detect. This manifests as great local speeds but poor international speeds, because the protocols in use are affected far more by loss over long distances!

TCP acceleration is a mechanism by which the congestion control algorithm is changed to accelerate access to the cloud. A good example is BBR.

SD-WAN Cloud acceleration

The Fusion Broadband solution uses a TCP proxy mechanism to accelerate specific ports by multiplexing these streams as well as applying a better congestion control mechanism.

Another factor is DNS. A local resolver with good performance makes a world of difference. The Fusion Broadband South Africa resolver is excellent and can improve speeds by up to 240%.

FBSA DNS Benchmark

Network and traffic visualization

In the seventies when the short two hour television broadcast in South Africa was not being transmitted, there was a test pattern. Any time of the day you could switch on the Telefunken in the corner and see the status of the signal. In the first few days we watched the test pattern for longer periods than the actual television broadcast. It was a comfortable feeling that during the forthcoming scheduled broadcast, things would work!

When using any connectivity solution the test pattern signal is mandatory. In SD-WAN this is achieved using network performance management metrics and dashboards. Additionally, traffic visualization is optionally provided down to the application and user experience level.

SD-WAN Network and traffic visualization

The Fusion Broadband SD-WAN solution has excellent NPM. All the necessary metrics are displayed on a single pane of glass, including latency, bit rate, packet loss, outages, load and quality of service. This is described in an article on MyBroadband: Fusion SDWAN traffic visualisation unmasks cyber and other incidents. The article describes how user experience and application level traffic visualization is provided, and covers its use in cybersecurity monitoring of incidents such as the Sunburst breach.

Kiosk

The biggest problem associated with kiosks is that often the only viable connectivity is from mobile providers. In this neck of the savannah this usually involves a 3G router attached to either Vodacom or MTN. But often, even when the better connection in an area is selected, there are still outages.

The next level of router provided two SIM slots with the ability to fail over. The problem with this strategy is that the mobile providers disable SIMs which have not pinged the network for a few days, so when the fail-over is required, it ironically fails!

Enter Fusion Broadband with its innovative Jaguar-based SD-WAN edge, which uses two active radio modems to connect to mobile providers. The architecture ensures a continuous keep-alive ping on both SIMs, and thus the above scenario where fail-over does not work is prevented.

SD-WAN Kiosk

Additionally, Fusion's SD-WAN is able to aggregate the mobile data bandwidth using bonding, thereby also being able to increase performance and throughput at the kiosk.

Work from home 

The primary functionality required for work from home is the ability to communicate back to the office. Many offices in South Africa still have a significant number of servers installed on premises and require employees to access them remotely when working from home.

DO NOT IMPLEMENT PORT FORWARDING DIRECTLY TO A SERVER USING A PROTOCOL LIKE REMOTE DESKTOP PROTOCOL (RDP)!

The recommended way to access the office is a Virtual Private Network (VPN). An implementation has a number of attributes, such as the encryption and authentication mechanisms used, but it is important to reduce the exposure of the implementation by installing the VPN concentrator in a demilitarized zone (DMZ). Deploying the VPN monolithically on the firewall itself creates the potential for compromise. The DMZ could be a virtual container.

The SD-WAN ensures reliable, non-stop access for work-from-home users. In normal times, people working from the office could still access local servers and continue working when the Internet links failed. When working from home this is not possible: the Internet links need to be up 100% of the time.

SD-WAN Work from home

Multiple locations and even companies can share a Bastion concentrator.

Edge computing

Large co-location data centres work for service providers and the enterprise, but not really for small business. The requirements of a small business do not extend to a full rack, only a partial one. Additionally, the small business wants its infrastructure as close to the business as possible. This is where edge computing solves the problem: co-location in decentralized, small-scale data centres.

Edge computing relies on multiple paths to the main data centre, where IP transit and peering exist via Internet Exchanges. At the Internet Exchanges, multiple SD-WAN aggregators would exist to make the solution fully resilient.

Business grade Internet links

Most broadband providers have a consumer and a business product. Both are supplied across exactly the same infrastructure, and few technical attributes distinguish the two. Often the only feature of the business product is a priority phone number where a ticket can be logged to escalate repair. In a significant number of cases the service provider isn't even able to proactively notify the business of outages, and the business needs to call in to log a fault. Clearly this is not business grade Internet.

SD-WAN Business grade Internet Links

The Fusion SD-WAN solution turns broadband links into reliable links with 100% uptime. It also includes out-of-the-box dashboards and monitoring, with no third-party tools required.

Regional meshed wide area networks

The best method to connect the edge to a data centre is a hub-and-spoke mechanism. If a mesh is used at this level it does not scale, and the processing and path decisions become onerous.

Fusion Broadband caters for the SD-WAN hubs, which are located in regional data centres and known as aggregators, to be meshed. This means that country-wide private wide area networks can be established in a simplified manner, unlike the complexity involved with MPLS. The meshed aggregators use VXLAN and Babel.

Improve support and reduce associated charges

The support required, as well as the associated charges, for a legacy network deployment are significant. SD-WAN keeps ISPs honest as it provides a single pane of glass that verifies the connectivity as well as other metrics.

The nature of the service provides visibility into the network for troubleshooting and establishing the root cause of problems. This includes traffic visualization.

The problem types identified and corrected are:

  • Identifying packet loss on the last mile
  • Identifying latency issues on the last mile
  • Determining congestion on the last mile and identifying the traffic types causing it
  • Determining path and MTU problems
  • Determining outages and SLA breaches
  • Identifying name resolution problems
  • Determining peering exchange problems
  • Identifying long distance problems
  • Capturing packets to analyze problems

SD-WAN Improve support

The Fusion Broadband SD-WAN solution reduces the time to execute support tasks significantly.

Cloud connector

The cloud connector is an interesting use case for SD-WAN. An example would be a South African company installing servers in a co-location data centre in London. If there is no CDN involved locally then performance is not optimal.

Fusion Broadband solves this problem by installing a cloud connector in the remote data centre that is associated with a local aggregator. This improves the performance of access to these servers through TCP multiplexing and the use of more efficient congestion control algorithms.

Ronald Bartels provides solutions to networking and last mile reliability problems. The solution from Fusion Broadband allows a business to stay 100% connected, avoid downtime and keep working. The Fusion Broadband solution has been installed in many vertical industries, including state owned and private entities. In addition to the IBM Beacon Award 2020 for Infrastructure Services, the solution is a mature software platform that has over 2000 installed instances of multiple site private wide area networking deployments.
 
This article was originally published over on LinkedIn: The use cases for SD-WAN by Fusion Broadband
