A Great Big Air Gap

I took a call yesterday from an MSP who had a customer with a serious WAN issue. The MSP provided public-facing Internet services and complex communications infrastructure for their customer as a managed service from their datacenter that integrated tightly with the customer's on-premise backend services at their head office. The datacenter was connected to the customer's location over a dedicated private secure Layer 2 WAN link made up of both fiber and point-to-point microwave links to reach the customer's remote location.

The issue was that the Layer 2 topology had failed in spectacular fashion (picture storms and important communication structures failing over) and had produced an air gap that was going to take a considerable time to fix (weeks rather than days).

The result was that the customer's business processes were at a virtual standstill, so they needed replacement connectivity and they needed it quick. The remote nature of the location, combined with the requirement for a secure high-bandwidth Layer 2 link between their datacenter and the customer premises, made for quite a technical challenge.

Thank Goodness for 4G/LTE

After some hurried research into alternative options, it was discovered that there was good LTE bandwidth at the customer location, and that's when the MSP decided to reach out to me to see if Peplink could help.

Emergency connectivity is something of a speciality of mine. Over the years I have worked on rapid temporary deployment of internet connectivity using Peplink hardware into all kinds of situations, from outages caused by flooding or fires to replacement connectivity for temporary events and to provide rural business continuity when other providers have failed.

The solution I proposed was a Balance 580 in the MSP datacenter that was allocated a fixed public IP address, and a MAX HD4 with four active LTE connections in the customer's location. Using SpeedFusion VPN in a Layer 2 configuration I could then create a resilient transparent connection between the datacenter and the customer's office.

By replicating the failed Layer 2 VPN connection, configuration changes would be kept to a minimum. There would be no changes required to the customer network apart from patching in the HD4 to their network as a replacement for the existing failed fiber/microwave link. At the MSP datacenter end the Balance plugged in alongside the switches and routers for the existing Layer 2 link and was allocated a dedicated public IP.

Pre-Configuration Magic – An SD-WAN Super Power

One of the best bits about this deployment was just how simple and quick it was to configure. In fact I never even got to see or touch the Balance or MAX routers. I had a colleague at a remote office power them on whilst sat on the workbench and plug them into his local internet connection. Once they connected to the internet I could manage and configure them remotely using InControl 2 – Peplink's cloud-based SD-WAN Controller.

With InControl 2 I set up the SpeedFusion VPN profiles on both devices, using the Find My Peplink Dynamic DNS service to enable the HD4 to automatically bring up the Layer 2 VPN connection as soon as the Balance came online.

From start to finish I think the whole configuration took about 30 minutes. In fact, it took longer to work out the custom APN settings for the different LTE providers and then draw up the network diagram than it did to get this set up and working on the test bench.

No need (or time) for expensive data SIMs

We’re not using specialist data SIMs in the HD4, just pay-as-you-go SIMs from multiple network operators bought from retail outlets. They are all on 30-day rolling contracts and have 20GB data allowances. This works out at close to £1/GB/month for 80GB of data, with the option of adding four more SIMs to the redundant slots on the HD4 if needed.

I normally prefer to work with proper business-grade SIMs from the MNOs and MVNOs as they tend to come with much better SIM management tools and better visibility of the SIM estate using online dashboards. However, since the HD4 is creating the VPN tunnels back to the Balance 580 we don’t need fixed IPs, so the cheap off-the-shelf SIM products direct from the MNOs are fine for this. If we were deploying 10 or more sites (so 40+ SIMs) I would always look to use business data SIMs for management purposes.

Next Steps

At some point in the next few weeks, the original Layer 2 point-to-point link will be repaired. When it is, there are two options. The first, most obvious one would be to remove all the Peplink equipment, plug everything back together as it was and move on – but there is another way.

Using SD-WAN For Service Augmentation

Since the HD4 can support two wired Ethernet WAN links and there are also spare WAN ports on the Balance 580 in this deployment, the restored original private Layer 2 link could be added in as an additional WAN connection to the SpeedFusion VPN.

Using the router’s SD-WAN capabilities, network traffic flows could be enabled that use the private Layer 2 WAN link as the primary route for traffic and the cellular WANs on the HD4 as failover links.

So if the primary Layer 2 WAN link were ever to fail again in the future, the network traffic would be re-routed at a packet level across the cellular connections seamlessly.

And that, ladies and gentlemen, is why everyone needs to be thinking about SD-WAN. It's clever, it's agile, it's quick and easy to deploy, and great for solving really tricky connectivity problems like this in an emergency.