Packets, Paths, Policies: 2018

Saturday, December 1, 2018

ZTNA 2018: Emergence and the Future of Secure Access

December 2018 • 7 min read

In late 2018, Zero Trust Network Access (ZTNA) emerges as a promising alternative to traditional VPNs. As enterprise networks evolve and cloud adoption increases, legacy perimeter-based models struggle to keep up with the new threat landscape. ZTNA introduces a shift in mindset: trust no one, verify everything.

The Rise of Zero Trust

First articulated by Forrester in 2010, the Zero Trust model gains traction in 2018 as organizations face increasingly sophisticated threats and a dissolving network perimeter. Unlike traditional security frameworks that assume anything inside the network is trusted, ZTNA demands strict identity verification and granular access controls regardless of location.

From VPNs to ZTNA

VPNs dominate remote access solutions for years, but they expose the entire network once access is granted. ZTNA, on the other hand, connects users to applications—not the network—based on identity and context. This approach limits lateral movement and reduces the attack surface significantly.

Key Components of ZTNA

Identity-centric access: User authentication and role-based policies govern access.
Microsegmentation: Network access is limited to specific apps or services.
Device posture checks: Compliance checks ensure endpoint security before granting access.
Continuous monitoring: Real-time telemetry supports adaptive access policies.

Vendor Landscape in 2018

By the end of 2018, vendors like Zscaler, Google (BeyondCorp), Akamai, and Cisco begin offering ZTNA-aligned services. While the space remains immature, early adopters are piloting ZTNA in hybrid cloud environments and mobile workforces.

Benefits and Limitations

ZTNA brings clear advantages:

Improved security posture through least-privilege access
Better user experience with seamless, app-level access
Reduced risk of lateral movement and malware propagation

However, ZTNA also introduces complexity:

Integration with legacy systems remains challenging
Policy creation requires deep visibility into user/app behavior
Vendor lock-in and interoperability issues can arise

Use Cases and Early Adoption

Typical early use cases in 2018 include third-party contractor access, secure BYOD, and multi-cloud environments. Organizations looking to modernize VPNs or improve cloud access control are the first to explore ZTNA pilots.

Preparing for the ZTNA Journey

To prepare for ZTNA, organizations need to:

Assess current access control models
Inventory applications and user roles
Evaluate endpoint posture tools and SSO integration
Start with a pilot focused on a narrow user group or app

The Road Ahead

While ZTNA remains in early stages in 2018, it signals the beginning of a broader security transformation. As network perimeters dissolve and cloud-first strategies take hold, ZTNA becomes a critical enabler of secure digital business. Enterprises that start the journey early gain a strategic advantage.

Eduardo Wnorowski is a network infrastructure consultant and Director.
With over 23 years of experience in IT and consulting, he helps organizations maintain stable and secure environments through proactive auditing, optimization, and strategic guidance.
LinkedIn Profile

Tuesday, November 20, 2018

SD-WAN Deep Dive Part 3: Monitoring, Operations, and Optimisation

November 2018 - Reading Time: ~12 minutes

We wrap up our three-part deep dive into SD-WAN by focusing on what happens after deployment — the critical stage of monitoring, operations, and ongoing optimisation. Building on Part 1 (architecture) and Part 2 (design and implementation), this post dives into visibility, control, operational strategy, and SD-WAN evolution.

Introduction: Operational Maturity in SD-WAN Environments

Deploying SD-WAN isn’t the finish line — it’s the beginning of a new operational paradigm. Success depends on proactive monitoring, rapid incident response, and iterative policy improvements. SD-WAN provides the instrumentation to elevate these capabilities, but organisations must know how to harness them.

Centralized Visibility and Control Plane Metrics

Modern SD-WAN solutions centralise telemetry from thousands of edge devices, making it possible to monitor metrics such as control channel uptime, tunnel status, routing updates, and configuration drift. Controllers offer real-time dashboards for immediate insight into control plane health.

Real-Time Analytics and SLA Enforcement

SLA-based routing requires accurate, near-real-time measurements. SD-WAN platforms measure jitter, loss, latency, and MOS scores on a per-path, per-application basis. Dynamic path selection policies rely on these metrics to switch to optimal paths.

Managing Overlay Health: Probes, Alerts, and Alarms

Built-in active probes such as ICMP, HTTP, and synthetic traffic simulations allow constant path validation. Alerting mechanisms notify operations teams of degradation events, path flaps, or performance anomalies — often before users feel the impact.

SD-WAN Policy Tuning and Feedback Loops

As conditions evolve, policies must adapt. Operations teams monitor real-world application performance and user experience, feeding insights back into QoS and routing policies. This feedback loop improves efficiency and aligns WAN behavior with business needs.

Case Study: SLA Violation Detection and Path Re-Selection

Consider an enterprise with dual broadband links and a 150 ms latency SLA for VoIP. Continuous monitoring identifies path degradation on the primary link. SD-WAN controllers automatically reroute VoIP traffic to the secondary link, preserving call quality. Historical analytics validate the event and adjust threshold policies to reduce false positives.

Automation and AIOps in SD-WAN NOCs

The rise of AI-driven operations (AIOps) transforms how NOCs interact with SD-WAN telemetry. Pattern recognition, anomaly detection, and root cause inference reduce MTTR. Some SD-WAN vendors embed ML to correlate events and suggest or automate remediation.

Integrating Monitoring Tools with External Systems (SNMP, Syslog, API)

SD-WAN must play well with existing toolchains. Exposing telemetry via SNMP, syslog, REST APIs, and streaming protocols enables integration with platforms like Splunk, SolarWinds, or custom-built dashboards. Webhooks and automation scripts further extend monitoring granularity.

Capacity Planning and Growth Forecasting

Historical data is invaluable for trend analysis. SD-WAN reporting engines track bandwidth consumption, session counts, top applications, and user behaviors. This data feeds capacity planning models, justifies circuit upgrades, and guides hardware refreshes.

Future Outlook and Evolution of Operations Practices

As SD-WAN matures, operational frameworks converge with DevOps and NetDevOps. Infrastructure as code, continuous policy delivery, and closed-loop automation reshape how engineers manage WANs. The next frontier includes SASE integrations, ZTNA context-awareness, and proactive security analytics embedded into the SD-WAN fabric.

Thursday, November 1, 2018

SD-WAN vs MPLS in 2018: Where Are We Now?

November 2018 • 7 min read

Introduction

In 2018 the networking world buzzes with discussions about SD-WAN. Vendors flood the market, and enterprises weigh the pros and cons of moving away from traditional MPLS circuits. But is SD-WAN truly ready to displace MPLS at scale? And in what use cases does it make sense?

The Legacy of MPLS

MPLS has long been the gold standard for enterprise WAN. It offers predictable latency, tight SLAs, and traffic engineering. Carriers bundle it with managed services, making it attractive to businesses lacking in-house WAN expertise. However, MPLS also comes with high costs, inflexible provisioning, and lengthy deployment timelines—issues that motivate a shift.

The SD-WAN Proposition

Software-Defined WAN introduces agility to the network edge. It leverages broadband, LTE, and even satellite to create virtual overlays. Policies steer traffic based on performance, application type, or security needs. Centralized orchestration replaces CLI-based provisioning. SD-WAN promises better economics and faster rollouts—but these benefits depend on proper implementation.

2018 State of the Market

By late 2018, we observe large-scale SD-WAN adoption across verticals. Financial institutions pilot it in branches. Retail chains use it for point-of-sale systems. Multinational corporations embrace hybrid WANs—MPLS for critical paths, Internet for non-sensitive apps. Gartner predicts over 40% of enterprises will evaluate SD-WAN by year-end.

Security Becomes a Key Differentiator

Early SD-WAN solutions focus on connectivity, not security. In 2018, vendors shift to embed firewalls, segmentation, and even cloud-based ZTNA. Integration with cloud security platforms like Zscaler or Palo Alto Prisma becomes a market expectation. SD-WAN is no longer just a routing solution—it’s part of the broader secure edge architecture.

Performance and SLA Realities

Critics point out that public Internet lacks the deterministic quality of MPLS. This holds true, especially for real-time apps like voice and video. However, SD-WAN mitigates this through path monitoring, FEC, and dynamic failover. The key lies in deploying diverse transport types and validating the last-mile performance.

Cost Optimization—But With Caveats

SD-WAN reduces cost per Mbps by enabling use of commodity broadband. Enterprises escape expensive MPLS lock-ins. Yet, total cost of ownership depends on licensing, hardware refreshes, and additional security layers. Some enterprises overestimate savings by ignoring these factors. Careful financial modeling is required before transition.

Operational Models Are Shifting

SD-WAN demands new skills. Network teams now manage overlays, policies, and application-based routing. Tools shift from CLI to GUI and API. Enterprises invest in retraining staff or outsourcing SD-WAN management to MSPs. Operations center workflows evolve as visibility moves from routers to orchestration portals.

Cloud and SaaS Traffic Patterns

Traditional WAN designs backhaul Internet traffic to data centers for inspection. SD-WAN enables local breakout for services like Microsoft 365, Salesforce, and AWS. This reduces latency and offloads data center firewalls. As cloud adoption rises, SD-WAN becomes the de facto method for optimizing user experience.

SD-WAN vs MPLS: Complementary or Competing?

For most enterprises in 2018, SD-WAN does not fully replace MPLS. Instead, they coexist. Branches run hybrid WANs. MPLS provides SLA-backed backbone, SD-WAN provides agility and cost savings. The future points to more Internet-first WANs—but MPLS remains relevant where predictability matters most.

What to Watch Going Forward

SD-WAN convergence with SASE and cloud security
5G and edge computing extending SD-WAN use cases
Carrier-managed SD-WAN offerings increasing in popularity
Open standards and interoperability between SD-WAN vendors
Analytics and AI driving performance optimization

Conclusion

In 2018, SD-WAN transitions from hype to maturity. Enterprises see real value—but also encounter real complexity. MPLS still holds its place for mission-critical paths, but SD-WAN rewrites how branch connectivity scales. Going forward, success belongs to those who balance flexibility, security, and performance.

Monday, October 1, 2018

The State of IPv6 Deployment in 2018: Progress and Pain Points

October 2018 • 9 min read

Introduction

In 2018, IPv6 deployment enters a new phase of maturity. Global ISPs report steady growth, major websites offer full IPv6 access, and operating systems prioritize IPv6 routing. Yet despite visible progress, many enterprises still lag. The transition is no longer about protocol support—it's about integration, planning, and operational confidence.

Global Trends in IPv6 Adoption

Google’s public stats show IPv6 adoption surpassing 25% globally, with peaks in countries like Belgium, Germany, and India. Mobile carriers lead the charge. In the U.S., major cellular providers reach over 80% IPv6 penetration. These numbers highlight a successful shift in public-facing connectivity.

Enterprises Remain Hesitant

Enterprises often hesitate to deploy IPv6 internally. Challenges include legacy applications, hardcoded IPv4 dependencies, and unfamiliar operational models. Many organizations still see IPv6 as a future requirement—not an urgent one—especially if NAT and CGNAT shield internal networks from pressure.

Address Planning and DNS Strategy

IPv6 is not just a bigger address space. It requires a rethinking of how networks are designed. Prefix delegation, interface IDs, privacy extensions, and naming conventions complicate address planning. DNS strategy must evolve too, balancing forward/reverse lookups with dual-stack compatibility.

IPv6 in BGP and WAN Routing

ISPs enable IPv6 BGP sessions over MPLS and direct Internet. Enterprises now run dual-stack BGP peering, using separate address families. Some adopt 6PE or 6VPE for transitional strategies. However, policy-based routing, prefix filters, and route-maps must be carefully mirrored between IPv4 and IPv6 to avoid asymmetric paths.

Security Considerations

IPv6 introduces new attack surfaces. SLAAC, DHCPv6, and RA spoofing create risks on LANs. Firewalls must apply consistent policies across v4 and v6. Security teams require updated training and tools—many IDS/IPS platforms initially underperform with IPv6 traffic. Logging and monitoring must also evolve.

Testing and Validation

Before enabling IPv6 enterprise-wide, IT teams simulate traffic, validate failover scenarios, and monitor app behavior. Test labs help detect issues like MTU mismatches, DNS delays, or broken dual-stack logic. Monitoring tools should show per-stack telemetry to avoid blind spots.

Use Cases Driving IPv6 Now

Cloud platforms like AWS and Azure enable IPv6 for front-end services. IoT deployments, especially constrained devices, benefit from simplified addressing without NAT. Some compliance frameworks now require IPv6 readiness for specific verticals like government, defense, and telecom.

Best Practices for 2018

Enable dual-stack incrementally, starting with external services.
Train staff on IPv6 fundamentals and security implications.
Audit all infrastructure—load balancers, monitoring tools, DNS, and VPNs.
Update policies, firewalls, and ACLs to support IPv6 symmetrically.
Test real-world use cases, not just connectivity.

Conclusion

IPv6 is no longer experimental. In 2018, it represents a production-grade transport for ISPs, cloud providers, and forward-thinking enterprises. The delay in enterprise adoption stems not from technical gaps, but from inertia and risk aversion. Organizations must act now to modernize their networks—and future-proof their strategies.

Saturday, September 1, 2018

The Evolving Roles of Firewalls in Enterprise Security

September 2018 • 9 min read

Introduction

As enterprise networks evolve and threat landscapes become more complex, firewalls transform from simple perimeter guards to sophisticated inspection points across hybrid and multi-cloud architectures. In 2018, security strategies increasingly rely on context-aware firewalls to enforce granular policies across users, applications, and devices.

From Perimeter to Everywhere

Traditional firewall placement focused on the network edge. But cloud adoption and mobile workforces dissolve the classic perimeter. Enterprises deploy firewalls in branch offices, data centers, and even as virtual instances in IaaS environments. Security follows users and workloads, not just IP ranges.

Layer 7 and Application Awareness

Modern firewalls analyze traffic at Layer 7, identifying applications regardless of port. This capability helps detect evasive behavior and enforces policy beyond TCP/UDP headers. For example, a firewall distinguishes between Skype and Office 365, even when both use HTTPS on port 443.

SSL Inspection and Challenges

With over 70% of traffic encrypted in 2018, SSL inspection becomes vital. Firewalls intercept and decrypt HTTPS flows to inspect payloads. However, this introduces performance and privacy challenges. Enterprises must balance visibility with user trust, regulatory requirements, and hardware capabilities.

Intrusion Prevention Integration

Next-Gen Firewalls (NGFWs) integrate Intrusion Prevention Systems (IPS), blocking threats based on signatures and behavior. This shifts detection closer to the source, minimizing dwell time. Advanced models even incorporate machine learning to detect zero-day exploits.

Micro-Segmentation and East-West Visibility

Data centers no longer rely solely on perimeter defense. Micro-segmentation enforces security within east-west traffic. Firewalls now operate inside the data center, segmenting environments based on workload sensitivity and compliance boundaries. This trend increases firewall instances but improves lateral threat containment.

Cloud-Native Firewalls

Public cloud providers offer native firewall capabilities—security groups, NSGs, WAFs. Yet, enterprises often supplement with virtual NGFWs for policy consistency. Vendors provide images for AWS, Azure, and GCP to align on-prem and cloud policy management through central consoles.

User Identity and Role-Based Policies

Firewalls now integrate with directory services (e.g., AD, LDAP) to apply policies based on user identity, not IP. This approach enhances BYOD and roaming scenarios, enabling consistent enforcement regardless of device or location. It also simplifies audits and incident forensics.

Management and Orchestration

Manual firewall rule management no longer scales. Enterprises adopt centralized policy engines and REST APIs to automate provisioning and updates. Intent-based security models define desired outcomes (e.g., “block file sharing in finance”), with systems translating them into rules.

Best Practices in 2018

Use Layer 7 inspection to classify encrypted and evasive applications
Enable SSL inspection selectively to preserve performance and privacy
Apply micro-segmentation for east-west traffic in data centers
Leverage cloud-native controls, but supplement where needed
Automate policy management using APIs and orchestration tools

Final Thoughts

Firewalls continue to play a central role in enterprise security, but they evolve beyond basic filtering. In 2018, their power lies in application awareness, dynamic policy enforcement, and integration with broader security ecosystems. As threats grow in sophistication, firewall strategies must adapt in lockstep.

Wednesday, August 1, 2018

QoS in Enterprise WANs: Revisiting Design Priorities in 2018

August 2018 • 8 min read

Introduction

Enterprise WANs remain under scrutiny in 2018 as application demands surge and cloud adoption reshapes traffic patterns. Quality of Service (QoS), long considered a must-have for voice and video, now needs a reexamination in the age of encrypted traffic, hybrid WANs, and SaaS.

The Changing Landscape of WAN Traffic

In 2018, the composition of WAN traffic is vastly different from a decade ago. SaaS, IaaS, and encrypted web traffic dominate link usage. This change reduces the effectiveness of traditional QoS classifications, which relied on clear-text application identifiers and port-based heuristics.

Application Awareness and Encrypted Flows

Deep Packet Inspection (DPI) tools struggle with TLS 1.3 and QUIC. Modern QoS policies must adapt using metadata, flow behavior, and integration with application APIs or traffic tagging. Without visibility, blindly trusting DSCP marks poses risks.

Policy Models: From Static to Dynamic

Static QoS policies—crafted per site or per app—fail in dynamic cloud environments. Enterprises move towards intent-based models, where application needs (latency sensitivity, bandwidth guarantees) define treatment. SD-WAN solutions enhance this with real-time telemetry and orchestration.

SD-WAN and QoS Synergy

SD-WAN platforms disrupt traditional QoS thinking. They perform per-packet steering, detect brownouts, and enforce policy centrally. QoS is no longer just queuing—it’s about routing decisions, traffic duplication, and failover logic embedded in overlays.

Last Mile Realities

QoS effectiveness remains highest on constrained links. Broadband circuits often lack enforceable SLAs, and upstream shaping is essential to prevent bufferbloat. Vendors offer CPE-based QoS enforcement, but success depends on accurate traffic classification.

Validation and Monitoring

QoS doesn’t end with policy deployment. Enterprises require telemetry—packet loss, jitter, MOS scores—to validate performance. Active testing (e.g., synthetic voice tests) and passive metrics (e.g., flow health) guide optimization.

Is QoS Still Worth It?

In some scenarios—such as high-capacity DIA circuits or Internet-only WANs—QoS may add little value. Enterprises must assess risk: What happens to business-critical traffic during congestion? If impact is minimal, complexity may not be justified.

Best Practices for 2018

Classify traffic using modern tools—NBAR2, flow analytics, application IDs
Align QoS classes with business priorities, not technical protocols
Use SD-WAN policy engines to simplify enforcement
Validate policies with real metrics—not assumptions
Continuously review classification accuracy

Final Thoughts

QoS is not dead—but it evolves. In 2018, it must align with application-centric networking, adapt to encrypted traffic, and integrate with SD-WAN. Enterprises should evaluate whether their current QoS models still serve their goals—or merely add complexity.

Friday, July 20, 2018

SD-WAN Deep Dive Part 2: Design and Implementation

July 2018 · Estimated Reading Time: 12 minutes

This is the second part of our deep dive series on SD-WAN. If you missed Part 1, where we covered overlay models, hardware footprints, and operational architectures, you can read it here. In this post, we shift our focus from architecture to implementation.

Routing Strategy and Policy Design

Modern SD-WAN solutions replace static route tables with dynamic, policy-based routing engines. Enterprises define application-driven policies—by DSCP, port, or even packet signatures—allowing real-time steering across underlay links. Some controllers allow nested policies that cascade across edge sites, enabling location-aware routing decisions.

QoS and Traffic Classification

SD-WAN vendors implement built-in QoS engines. They offer packet inspection, flow tracking, and bandwidth shaping. Traffic classification integrates with business policies, identifying mission-critical flows (like VoIP or ERP) and guaranteeing their performance. Marking packets at the edge and preserving DSCP across tunnels ensures end-to-end integrity.

Failover and High Availability Design

Failover mechanisms rely on link probing, jitter analysis, and SLA monitoring. Architectures now default to active-active link usage with seamless failover, using loss/jitter thresholds to trigger flow redirection. Hybrid setups (fiber + LTE) also rise as backup options. Multi-edge redundancy is handled via edge clustering or standby appliances.

Internet Breakout Models

Breakout design is a hot topic. Enterprises balance centralized vs distributed internet access. DIA (Direct Internet Access) at branches reduces latency for SaaS apps, but brings security concerns. Most deployments implement secure DIA using cloud-based SWG (Secure Web Gateway) or firewall-as-a-service (FWaaS) partners.

Security Policy Enforcement

Edge-to-edge tunnels provide encryption, but policy enforcement varies. Integrated NGFWs or service chaining to third-party firewalls (e.g., Palo Alto, Zscaler) helps bridge the security gap. More vendors embed URL filtering, malware protection, and DNS enforcement natively at the edge.

Orchestration and Change Management

SD-WAN orchestration platforms provide centralized push-based configuration, often via GUI or API. Policy rollouts include pre-checks, versioning, and staged rollouts. Some even allow intent-based change validation using digital twins or simulation. This minimizes outage risk during policy updates.

Lessons from Field Deployments

We see common implementation challenges: misaligned SLA thresholds, overzealous application definitions, and controller overload during failovers. Best practices include building test topologies, tuning telemetry thresholds, and incrementally introducing breakout policies with failback options.

Transition to Part 3

In our upcoming Part 3, we’ll dive into monitoring and optimization. Expect coverage on telemetry frameworks, anomaly detection, analytics, and ongoing tuning strategies.

Want help designing or troubleshooting your SD-WAN rollout? Reach out today.

Sunday, July 1, 2018

Revisiting MPLS TE in 2018: Viability, Use Cases, and Modern Alternatives

July 2018 • 7 min read

Understanding MPLS Traffic Engineering

Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) emerged as a core mechanism in the early 2000s to optimize path utilization and route traffic based on constraints like bandwidth, delay, and administrative preference. Carriers adopted MPLS TE extensively to overcome limitations in traditional IGP-based shortest path routing.

TE Viability in 2018

As of 2018, MPLS TE remains a viable solution, especially in legacy environments where hardware investments and operational models still rely on RSVP-TE. In such settings, path predictability and granular control remain key requirements. However, several challenges persist:

RSVP-TE complexity in maintaining soft state and scalability across large backbones
Operational overhead in provisioning and adjusting tunnels
Limited interoperability across multi-vendor deployments

Segment Routing as a Disruptor

Segment Routing (SR) begins disrupting traditional TE approaches by enabling source-based routing and reducing control plane overhead. By encoding path instructions in packet headers, SR eliminates the need for per-flow state in the core. Combined with centralized SDN controllers, SR offers scalable and dynamic TE.

Comparing Use Cases

MPLS TE and SR address similar problems—optimal path selection, SLA enforcement, and failure recovery—but they differ in execution. In 2018, use cases for MPLS TE still dominate in networks with deep legacy investments or where control plane change is slow. Meanwhile, SR sees adoption in greenfield deployments and SDN pilots.

Operational Considerations

Network teams face a critical decision: continue maintaining RSVP-TE or begin transitioning to SR. Migration strategies include hybrid models, where RSVP-TE coexists with SR-TE to gradually phase out older mechanisms. Operators also explore intent-based networking where path constraints derive from policy rather than CLI configuration.

Vendor and Standards Landscape

Cisco, Juniper, and Nokia all offer robust MPLS TE and SR implementations. IETF support for SRv6, Path Computation Elements (PCE), and telemetry enhancements continues to strengthen the SR roadmap. TE in 2018 is no longer about whether to do it—but how to do it with less friction and more intelligence.

Final Thoughts

MPLS TE has served the industry well for nearly two decades. Yet, with SDN maturity and Segment Routing momentum, traditional TE sees diminishing returns. As 2018 progresses, network architects must evaluate when and how to shift toward simpler, more scalable TE architectures that align with evolving business needs.

Friday, June 1, 2018

Managing Large-Scale BGP Deployments in Service Provider Networks

June 2018 · 6–7 min read

Introduction

In 2018, service providers face increasing complexity in managing Border Gateway Protocol (BGP) across large-scale networks. The demand for high availability, scalability, and policy enforcement continues to push BGP to its limits. This post explores strategies that engineers implement to manage massive BGP deployments without compromising reliability.

BGP’s Role in Service Provider Networks

BGP acts as the backbone protocol for inter-domain routing. Service providers use it to exchange routing information between Autonomous Systems (ASes), apply policies, and ensure optimal path selection. In large environments, BGP does more than just route packets—it enforces traffic engineering, security policies, and customer segmentation.

Scaling Challenges

Scaling BGP introduces challenges such as route churn, session instability, convergence delays, and control plane resource exhaustion. Service providers often deal with millions of routes, thousands of peers, and diverse customer topologies.

Strategies for Stability

To maintain stability, engineers implement techniques like route dampening, prefix filtering, and route-reflector hierarchies. Modern platforms support BGP Route Convergence Optimizations (RCO), which reduce the time taken to recalculate paths. Operators deploy peer groups to streamline update processing.

Using Route Reflectors Effectively

Route Reflectors (RRs) reduce the full-mesh requirement in iBGP topologies. In large-scale networks, hierarchical RR design becomes essential. By organizing RRs by region or function, providers achieve better convergence and reduce CPU strain on core routers. Some operators go further by separating control-plane only reflectors on x86 platforms using routing stacks like FRR or BIRD.

Security Considerations

BGP lacks built-in security. Operators implement Resource Public Key Infrastructure (RPKI), prefix filtering, and session protection to mitigate threats. Monitoring tools alert engineers to suspicious route advertisements, and community tagging helps trace policy enforcement.

Monitoring and Automation

Large-scale BGP demands comprehensive monitoring. Tools like BMP (BGP Monitoring Protocol), SNMP, and streaming telemetry provide insight into neighbor health, update churn, and convergence metrics. Automation frameworks using Ansible, NAPALM, and Netmiko streamline BGP configuration deployment and auditing.

Vendor Considerations

Choosing the right hardware matters. Platforms with separate RIB and FIB processing scale better. Juniper, Cisco, and Arista provide features like PIC (Prefix Independent Convergence), GR (Graceful Restart), and NSF (Non-Stop Forwarding) to enhance stability during control-plane failures.

Best Practices Summary

Service providers managing large BGP deployments follow these best practices: - Use route-reflector hierarchies to optimize iBGP scaling - Implement RPKI and prefix filters to protect routing integrity - Monitor churn and convergence using BMP and telemetry - Automate configuration and rollback procedures - Deploy robust platforms with hardware-based convergence support

Conclusion

BGP remains the protocol of choice for service providers in 2018, but scaling it effectively requires thoughtful architecture, monitoring, and automation. By understanding both the protocol’s strengths and weaknesses, engineers continue to build resilient networks that scale with demand.

Tuesday, May 1, 2018

Modernizing Firewall Architecture for the Multi-Cloud Enterprise

May 2018 · Reading time: 12 mins

Introduction

As enterprises embrace multi-cloud strategies in 2018, firewall architecture faces a fundamental transformation. The days of monolithic firewalls guarding a fixed perimeter no longer align with hybrid environments, microservices, and software-defined networks. Security teams reimagine inspection points, automation models, and policy enforcement to protect distributed workloads at scale.

The Perimeter Disappears

Traditional perimeter firewalls protect north-south traffic. However, cloud-native apps, API-driven services, and mobile workforces shift traffic to east-west patterns—inside data centers, between containers, and across IaaS regions. Firewalls now need to secure lateral movement, not just inbound threats.

From Appliance to Fabric

Next-gen firewalls (NGFWs) evolve from centralized appliances into distributed, virtualized services. Vendors offer NGFWs as VM-based nodes, containers, or cloud-native proxies. Enterprises embed these firewalls directly into public cloud VPCs, Kubernetes clusters, and SDN overlays—bringing enforcement closer to the workload.

Microsegmentation Becomes Mandatory

To prevent lateral spread of attacks, enterprises implement microsegmentation. They define identity- or tag-based policies and enforce them through NGFWs, host agents, or hypervisor-based enforcement points. Instead of static zones and VLANs, they segment based on app tiers, data sensitivity, and user identity.

Zero Trust Alignment

Modern firewall architectures align with Zero Trust principles: verify everything, enforce least privilege, and log every transaction. Firewalls integrate with identity providers, device posture tools, and behavioral engines. They grant access dynamically, based on context—not IP ranges or static ACLs.

Traffic Types and Deployment Models

North-South: Internet or WAN ingress/egress filtering
East-West: App-to-app, container-to-container, and site-to-site traffic inspection
Service Mesh: Embedded policy checks between microservices via sidecar proxies
Cloud-native: Distributed enforcement using Security Groups and firewalls-as-a-service

Policy Management and Automation

As infrastructure scales, firewall policies must follow. Enterprises embrace Infrastructure-as-Code (IaC) models to version, audit, and deploy firewall rules alongside infrastructure. APIs and orchestration platforms (e.g., Terraform, Ansible, Panorama, Firepower) drive consistency across cloud and on-prem environments.

Visibility and Contextual Logging

Modern firewalls provide layer 7 visibility—tracking app behavior, user identity, and encrypted traffic. They integrate with SIEM platforms and expose telemetry for analytics. Packet capture, flow logging, and DPI help incident response teams understand how attackers move laterally or exfiltrate data.

Cloud Integration Challenges

Performance: Virtual firewalls may not match the throughput of hardware appliances
Licensing: Cloud consumption-based models differ from perpetual licensing
Integration: Policies and traffic inspection must span AWS, Azure, GCP, and on-prem
Telemetry: Gathering unified logs across distributed instances remains difficult

Future Direction

Firewall vendors converge security with SD-WAN, CASB, and Secure Web Gateway (SWG) platforms to deliver Security Service Edge (SSE). Inspection engines grow smarter with ML-based detection. Policy engines evolve toward intent-based declarations. And as 5G and edge computing mature, firewalls shift again—to enforce policy at the edge, closer to users and devices.

Conclusion

In May 2018, enterprises rethink firewall architecture to protect fragmented, fast-moving digital estates. They replace static perimeter guards with adaptive, distributed enforcement. Firewalls become code, context-aware, and embedded across infrastructure. The future demands agility, visibility, and enforcement everywhere—not just at the edge.

Sunday, April 1, 2018

Network Telemetry and Visibility Strategies for the Digital Enterprise

April 2018 · Reading time: 12 mins

Introduction

In 2018, digital transformation forces IT teams to rethink how they monitor, analyze, and respond to network behavior. Traditional SNMP polling and flow-based statistics no longer deliver the context or granularity needed to support cloud-first, mobile, and microservice-driven enterprises. As networks become more dynamic, real-time telemetry becomes a strategic enabler.

Why Legacy Monitoring Falls Short

SNMP provides limited insight into application-layer behavior. Flow-based tools like NetFlow or sFlow offer directional traffic stats but miss end-user experience. Static polling intervals, sampled data, and lack of correlation prevent IT teams from detecting issues before they affect productivity.

The Rise of Streaming Telemetry

Streaming telemetry replaces pull-based monitoring with push-based updates over protocols like gRPC, Kafka, and HTTP/JSON. Devices continuously stream interface stats, app metrics, and environmental data to collectors in near-real-time. This model reduces overhead and increases data freshness.

Telemetry in Multi-Domain Environments

Enterprises integrate telemetry across WAN, data center, cloud, and campus networks. By correlating device telemetry with cloud service status, app performance, and user identity, they build a holistic view of the digital experience. OpenConfig, model-driven telemetry, and vendor-specific extensions support multi-vendor deployments.

Key Use Cases in 2018

Proactive Troubleshooting: Detect latency, loss, or CPU spikes before users notice
SLA Validation: Monitor contractual performance guarantees across SD-WAN and SaaS links
Capacity Planning: Use time-series insights to predict growth and adjust architecture
Security Analytics: Feed enriched telemetry to SIEMs for anomaly detection

Vendor Landscape

In 2018, vendors like Cisco, Juniper, Arista, and Huawei deliver telemetry agents within network OS platforms. Cisco IOS-XE and NX-OS stream telemetry to tools like Tetration and DNA Center. Arista EOS uses gNMI and open collectors. Juniper supports model-driven telemetry via JTI into platforms like AppFormix.

Cloud and SaaS Visibility

IT extends visibility to internet and SaaS traffic using DNS metrics, HTTP latency probes, and synthetic transactions. Tools like ThousandEyes, AppNeta, and Catchpoint simulate user journeys to services like Office 365, Salesforce, and AWS. These measurements complement internal telemetry and validate user experience from edge to cloud.

Challenges Enterprises Face

Data Overload: Raw telemetry generates terabytes of logs and counters
Normalization: Vendors expose metrics differently, complicating cross-platform correlation
Real-time Analysis: Teams require analytics platforms that support time-series queries, alerting, and visualization at scale
Integration: Telemetry must feed into broader AIOps, ITSM, and security platforms

Best Practices for Success

Start with a clear observability goal (performance, security, compliance)
Deploy collectors close to the source to reduce backhaul and delay
Normalize metrics using open models or translation layers
Integrate telemetry into incident workflows and dashboards
Continuously refine alerts to eliminate noise and focus on actionable insights

Conclusion

In April 2018, network telemetry evolves from optional enhancement to essential foundation. Enterprises that embrace streaming telemetry, integrate cross-domain data, and automate analysis position themselves to detect, diagnose, and remediate faster than ever before. Visibility becomes a key differentiator in supporting reliable and resilient digital operations.

Tuesday, March 20, 2018

SD-WAN Deep Dive Part 1 – Architectures, Overlay Models, and Hardware Evolution

March 2018 • Reading Time: 13 mins

This article kicks off a special three-part series diving deep into the reality, evolution, and implementation of SD-WAN in enterprise networks. In this post, we focus on architecture types, overlay models, and the rapid transformation of WAN hardware in the face of software-defined expectations. The follow-up entries will explore real-world design/deployment strategies and troubleshooting insights.

Software-defined WAN (SD-WAN) continues to disrupt traditional enterprise WAN models by decoupling the control and data planes and enabling intelligent path selection across heterogeneous transport networks. As enterprises demand agility, performance, and cloud optimization, SD-WAN architectures must evolve to meet complex overlay design needs and hardware realities.

Why This Series, Why Now?

In 2018 SD-WAN is no longer hype. It's deployment-critical. Many organizations are grappling with the architectural choices and trade-offs that weren't part of their MPLS WAN planning just a few years ago. Cloud access demands, SaaS growth, and hybrid work models are accelerating SD-WAN adoption.

Understanding the Evolution of WAN Requirements

Legacy WANs were designed around MPLS-based architectures where central hubs controlled traffic flow, and all internet-bound or cloud traffic was backhauled to a secure location. As applications moved to the cloud and users became more mobile, this model introduced latency, cost inefficiencies, and rigidity in path control.

SD-WAN addresses these issues by abstracting the WAN layer and enabling the use of broadband, LTE, and MPLS simultaneously. This shift necessitates rethinking how overlay models are constructed and what roles hardware still plays in branch deployments.

Overlay Models: Hub-and-Spoke, Full Mesh, and Cloud-First

There are three primary overlay models in SD-WAN design: hub-and-spoke, full mesh, and cloud-first (or hybrid).

Hub-and-Spoke Overlays

This model resembles traditional WAN topologies but adds intelligence in routing. SD-WAN controllers direct branch traffic to regional hubs or cloud on-ramps based on application awareness. It simplifies policy control but may still introduce regional chokepoints.

Full Mesh Overlays

Full mesh topologies allow all branches to communicate directly, ideal for collaborative applications like video conferencing or real-time data replication. However, it may overwhelm underpowered devices or generate excessive routing state in large deployments.

Cloud-First/Hybrid Models

Modern SD-WAN deployments increasingly favor hybrid overlays with direct internet access (DIA) for cloud-bound traffic and selective backhauling for sensitive applications. This model prioritizes SaaS performance while maintaining compliance.

Hardware Footprints: Appliance vs uCPE vs Virtualized Edge

Enterprises must decide between purpose-built SD-WAN appliances, universal CPE (uCPE) that hosts multiple VNFs, or software-only solutions deployed on x86 platforms.

Appliance-based SD-WAN: Integrated routing, firewall, and DPI; vendor-controlled stack with optimized performance.
uCPE: Flexibility to run third-party VNFs, such as firewall or WAN acceleration, ideal for service providers offering managed SD-WAN.
Virtualized Edge: Deployed as a VM or container on general-purpose hardware; offers agility but depends on the underlying host’s reliability and performance.

Transport Independence and Link Bonding Techniques

Transport independence is a cornerstone of SD-WAN, allowing the use of diverse circuits (broadband, LTE, MPLS). Key technologies include:

Dynamic Path Selection (DPS): Real-time traffic steering based on application policy and link health.
Forward Error Correction (FEC): Improves performance over lossy links by sending redundant packets.
Packet Duplication: Simultaneously sends packets across multiple paths for zero-packet-loss experience.

Integration with Security Functions

SD-WAN often converges with next-generation firewall (NGFW), intrusion prevention, DNS filtering, and zero trust network access (ZTNA). Vendors increasingly bundle security features at the edge or redirect traffic to SASE platforms.

Cloud On-Ramps and SaaS Optimization

Direct access to cloud applications is optimized through partnerships with cloud providers (AWS, Azure, Google Cloud). SD-WAN edge nodes integrate cloud on-ramps and dynamic DNS/IP mapping to reduce latency and jitter.

Operational Models and Controller Architectures

SD-WAN orchestration relies on centralized controllers for policy distribution, visibility, and analytics. These may be cloud-hosted or on-premises. Enterprises must assess controller availability, failover behavior, and multi-tenancy support in MSP scenarios.

Challenges in Large-Scale SD-WAN Deployments

Key challenges include:

Scalability of routing overlays and tunnels
QoS enforcement across heterogeneous circuits
Operational complexity in hybrid models
Managing legacy VPN coexistence during transition phases

Future Directions: AI, SASE, and Intent-Based Networking

We expect AI-powered analytics, intent-based networking, and deeper integration with SASE platforms to define the next generation of SD-WAN. Enterprises are demanding automated remediation, application-centric SLAs, and richer telemetry for network assurance.

Next in This Series

In Part 2, we explore SD-WAN routing design, QoS, intelligent path selection, application breakout, and how failover works in multi-provider environments.

Part 3 wraps up with deep troubleshooting strategies, security layering, and lessons from large-scale SD-WAN deployments.

👉 Stay tuned for the next parts in this SD-WAN Deep Dive series.

Thursday, March 1, 2018

Zero Trust Architecture – Foundations and Transition Paths

March 2018 · Reading time: 13 mins

Introduction

In 2018, enterprises move beyond perimeter-based security. Traditional firewalls and VPNs fall short in protecting mobile users, cloud-hosted applications, and internal threats. Zero Trust Architecture (ZTA) emerges as a new model that eliminates implicit trust and verifies access continuously based on context and risk.

What Zero Trust Means

Zero Trust assumes that no user or device deserves automatic trust—whether inside or outside the network. Instead, organizations enforce policies based on user identity, device health, role, location, and behavior. This context-aware approach allows granular access control and reduces the risk of lateral movement.

Why Enterprises Adopt Zero Trust

Cloud-first workstyles: Users access resources from anywhere, bypassing traditional firewalls
Credential compromise: Attackers steal logins and operate undetected in trusted zones
Compliance pressure: Frameworks like GDPR and NIST demand continuous access validation
IoT and APIs: Non-user entities require policy enforcement too

Core Components of ZTA

Identity Provider (IdP): Authenticates users and devices
Policy Engine: Evaluates signals and grants conditional access
Access Proxy or Broker: Enforces decisions in real-time at session establishment
Device Posture Checks: Validates OS, patch level, antivirus, and encryption
Segmentation: Prevents access beyond what's necessary

How Organizations Begin

Zero Trust requires more than a product—it requires staged transformation:

Map users, devices, and data flows
Classify applications by risk and criticality
Apply MFA and identity brokering across access points
Insert proxies to control and inspect traffic
Log and audit every access decision

Example: Migrating from VPN to ZTNA

A healthcare organization replaces legacy VPN with a cloud-native ZTNA platform. Staff authenticate via SSO, and access brokers validate device health and user role before granting access to patient records or scheduling apps. The result: improved security posture and better user experience with reduced exposure.

Tooling and Ecosystem in 2018

Vendors like Okta, Duo Security, Zscaler, and Palo Alto Networks provide policy engines, SSO integrations, and access brokers. Open-source solutions like SPIFFE help assign identities to workloads and secure east-west traffic in microservice environments. APIs allow organizations to integrate with SIEMs and enforce dynamic rules across SaaS and IaaS.

Challenges to Anticipate

Policy sprawl: Overly complex policies create usability issues
Performance impact: Brokers and tunnels may affect latency
Stakeholder resistance: IT teams must align security with business outcomes
Cultural shift: Security becomes continuous, not checkpoint-based

Conclusion

By March 2018, Zero Trust moves from buzzword to implementation. Enterprises begin building context-aware security controls, gradually phasing out static, perimeter-centric models. We'll explore microsegmentation and continuous verification as essential steps in the Zero Trust journey in another posts.

Thursday, February 1, 2018

Segment Routing Advancements in Enterprise Networks

February 2018 · Reading time: 11 mins

Introduction

In 2018, enterprises explore Segment Routing (SR) as a scalable and simplified alternative to traditional MPLS-TE. SR encodes routing paths into packet headers, eliminating the complexity of state-heavy signaling protocols like RSVP-TE. With native support in major platforms, enterprise networks gain agility, deterministic routing, and programmability.

Replacing RSVP-TE with Segment Routing

Traditional MPLS-TE implementations demand heavy control plane state. SR allows the source router to define an explicit path by stacking labels (segments), making intermediate routers stateless and efficient. Enterprises use this to engineer traffic across multi-domain and hybrid WANs without RSVP.

Core Building Blocks

Node-SIDs: Identify routers and inject routing instructions
Adjacency-SIDs: Describe interface-specific routing decisions
Prefix-SIDs: Enable fast prefix-based forwarding
Binding-SIDs: Abstract path policies for reuse

These SIDs form instruction lists in packet headers, which routers interpret to forward traffic precisely.

Deployment in Enterprise WANs

Enterprises deploy SR-MPLS between data centers and regional hubs. SR offers traffic control based on application policies and reduces protocol overhead. In hybrid topologies, SR integrates with SD-WAN controllers to enforce policy-driven forwarding between MPLS, DIA, and private links.

SRv6 Emerges

Enterprises adopting IPv6 evaluate SRv6 as the next evolution. SRv6 encodes instructions in the IPv6 Segment Routing Header (SRH), enabling service chaining, load balancing, and network slicing—all via native IPv6 infrastructure. Programmable edge nodes steer traffic without relying on tunnels.

Enterprise Case Study

A financial services firm uses SR-MPLS to enforce latency-sensitive paths between regional offices. They stack Node-SIDs for predictable app delivery and reduce congestion on backup routes. Meanwhile, a global manufacturing company pilots SRv6 to segregate IoT telemetry from business-critical ERP flows using device-aware policy enforcement at ingress routers.

Migration Considerations

Ensure support for SR extensions in routing protocols (OSPF, IS-IS)
Enable SRGB configuration and SID allocation policies
Deploy centralized controllers (e.g., Cisco NSO, Juniper NorthStar) to orchestrate SR policies
Monitor SID consumption and enforce domain boundaries for scale

Operational Benefits

SR reduces control plane complexity and streamlines traffic engineering. It allows enterprises to optimize link usage, automate failover, and control performance paths dynamically. Combined with telemetry and analytics, SR supports intent-based networking goals.

Conclusion

In February 2018, SR gives enterprises a lightweight, deterministic, and programmable routing mechanism. Whether using SR-MPLS or SRv6, IT leaders architect future-ready WANs without the legacy burdens of RSVP-TE. Adoption momentum builds as vendors ship mature SR capabilities in their mainstream platforms.

Monday, January 1, 2018

Application Performance Visibility in SD-WAN Environments

January 2018 · Reading time: 11 mins

Introduction

In today’s distributed enterprise landscape, application performance directly affects user productivity and business outcomes. As organizations transitioned from MPLS-centric architectures to SD-WAN in 2018, ensuring visibility into application performance became a critical IT requirement. Traditional WAN tools proved insufficient in a world of SaaS, cloud-native workloads, and hybrid architectures.

This post explores the technologies, metrics, and best practices that shaped application performance visibility in SD-WAN environments at the time. We'll cover how SD-WAN enables deeper visibility, which metrics matter, the role of real-time analytics, and how IT teams leveraged telemetry to deliver a superior user experience.

The Limitations of Traditional Monitoring

Legacy WAN monitoring tools were not designed for today’s traffic patterns. Most focused on link-level statistics (e.g., interface utilization, packet drops) or basic reachability (e.g., ping, traceroute). Tools like SNMP or NetFlow offered a partial view but lacked application-layer context.

Furthermore, many traditional approaches required manual configuration to track application flows. As applications increasingly moved to the cloud or adopted microservices architectures, such tools failed to keep up. Visibility gaps widened, leading to poor root cause analysis and finger-pointing between network and application teams.

SD-WAN as an Enabler of Visibility

One of SD-WAN’s most impactful features is its ability to inspect and classify application traffic at the edge. Unlike traditional routers, SD-WAN edge devices include deep packet inspection (DPI) engines and can detect thousands of applications out-of-the-box.

This visibility allows IT teams to understand not just where traffic is going, but what applications are consuming bandwidth, how they’re performing, and what transport paths they’re using. SD-WAN controllers aggregate this telemetry, offering centralized dashboards and reports.

Application discovery without manual configuration
Real-time traffic classification and statistics
Path performance monitoring (latency, jitter, loss)
Dynamic policy enforcement based on application behavior

Why Application Metrics Matter

Users don’t complain about “latency on the WAN”—they complain that Salesforce is slow, or that Teams meetings are choppy. Network teams must therefore align performance monitoring to application behavior.

Commonly tracked metrics in 2018 included:

Latency: Round-trip delay, particularly for voice/video and transaction-heavy apps
Jitter: Variation in packet arrival, impacting VoIP and streaming
Packet Loss: Even small loss percentages can break real-time traffic
MOS (Mean Opinion Score): Voice quality indicator
Application Response Time: Measured at the edge, including DNS lookup and TCP handshakes

Real-Time Dashboards and Predictive Analytics

Leading SD-WAN vendors in 2018—Cisco Viptela, VMware VeloCloud, Silver Peak—offered real-time analytics dashboards. These provided visual insight into application performance trends, traffic spikes, anomalies, and site-to-site comparisons.

Machine learning also began to play a role. Anomaly detection algorithms identified outlier traffic patterns or deviations from baselines. Alerts triggered automated actions such as path switching or user notification.

Key features included:

Per-application performance graphs and baselines
Automatic detection of degraded links or applications
Heatmaps and topology maps with drill-down
Multi-tenant views for MSPs or large enterprise IT

Integration with Helpdesk and ITSM Tools

Another key trend was integrating SD-WAN visibility with IT operations. NOC teams leveraged webhook integrations to pass real-time alerts to systems like ServiceNow, PagerDuty, or Slack. Some platforms exposed APIs to fetch telemetry data for deeper analytics or dashboard consolidation.

This level of automation and integration significantly reduced mean-time-to-resolution (MTTR) and empowered L1/L2 support staff to triage WAN issues without escalation.

Challenges and Considerations

Despite the advantages, SD-WAN visibility wasn’t plug-and-play. Organizations needed to ensure:

Edge devices had adequate resources (CPU, memory) to process telemetry
Central controllers scaled to ingest and analyze traffic from all sites
Security and privacy concerns were addressed when inspecting application payloads
Change management accounted for policy tweaks affecting routing decisions

Additionally, visibility was only as good as the underlying classification engine. False positives or unrecognized applications reduced trust in the analytics platform.

Case Study: Retail Chain with 200+ Sites

One global retail chain implemented SD-WAN in late 2017. With centralized dashboards, they identified that 35% of WAN usage came from background Windows Update traffic during business hours. By shaping and rescheduling these flows, they reduced link saturation and improved POS application reliability.

Further, they detected that specific branches suffered recurring latency issues due to overloaded LTE backups. Visibility into real-time link health enabled proactive failover to fiber circuits.

Conclusion

In 2018, SD-WAN transformed how enterprises approached WAN monitoring and performance management. Visibility was no longer just about link status—it became a business-critical requirement tied to application outcomes and user experience.

Organizations embracing SD-WAN must invest in tools and practices that surface actionable insights. Doing so enables faster troubleshooting, smarter policy enforcement, and ultimately a more resilient and responsive enterprise network.