Wallenius Wilhelmsen ASA (WalWil) is a leading shipping company in the transport of cars and other rolling stock and general cargo. The company operates 60 RoRo ships and has a global operation with 9,500 employees in 29 countries. International communication between the company's 130 land-based offices is critical and has historically been costly and complicated. They are now in the final phase of a global rollout of Cisco Meraki SD-WAN, which brings several positive effects.
The main purpose of the project was to save costs on international data communication by switching from MPLS to SD-WAN. The work started in 2018 after first exploring an SD-WAN solution through a global telecom provider. A review of the proposed solution showed that greater effects could be achieved by building the solution themselves. Jan Kristian Osland from Sicra has been the architect of the solution and has been the executing and technically coordinating resource in the global rollout.
In the process, it was decided to also include LAN and WiFi at the locations, so that a comprehensive solution with good visibility for security and operations could be achieved. During the rollout, the latter has provided good security effects and oversight. Devices that are on networks they shouldn't be on are now much easier to detect. Unified visibility over which devices/applications use the most bandwidth, as well as the ability to shape traffic, prevents overload and improves the user experience. Continuous firmware updates also contribute to stability and improved security.
The solution is now operational for over 80% of WalWil's offices. The rollout has taken place at a high pace in all regions, and WalWil has found that the solution more than meets expectations.
SD-WAN is a concept where a software-defined virtual private wide-area network (WAN) is built using public internet and encryption (VPN tunnels).
Cisco Meraki is a cloud-managed networking platform administered through a cloud service in a regular web browser. This means that, for example, switches, WiFi, firewall, IDS/IPS, AMP, and SD-WAN are managed and configured from the Meraki dashboard in the cloud. WWL has outsourced the daily operation of the solution.
An important place to start is to create a good basic design: naming standards, templates, security policies, firewall rules, SSIDs, switch port configuration, alerting, and logging. This is to ensure that the solution is clear and easy to manage afterward.
One of the considerations made is whether to use a global provider of internet access or a combination of several local ones. Local providers offer the greatest flexibility but also a lot of administration. Practically, one may also experience that local helpdesks do not speak English. WalWil has therefore consolidated as much as possible with a global provider but supplemented with local ones where practical reasons necessitate this. The SD-WAN concept still brings everything together in one network. A special case is China, which has its own Meraki cloud/dashboard. This is because VPN connections out of the country are not allowed. This must be resolved by using MPLS or another unencrypted connection between China and a location outside China to link the two Meraki SD-WANs. Meraki is currently not available in Russia but may be in 2020.
Some large cloud services, for example Office365, use geolocation to route you to the nearest data center. Since WWL primarily uses a global ISP, which reuses public IP addresses, there is a risk that an IP address has previously been used on another continent. It is therefore important that the equipment has the correct country code. Ordering all equipment in Norway for forwarding was therefore not optimal. In hindsight, the equipment should have been sent directly from Meraki to where it was to be used, to get the correct country codes. Customs handling is challenging in some countries, and therefore local ordering has been adopted. South Korea and China are examples of this.
When switching from a global MPLS network to SD-WAN with local Internet breakout, the DNS design must also be reviewed. In practice, DNS requests must go out locally instead of centrally, as was done previously. This consideration also applies to previous central proxy services.
In the transition from MPLS to an SD-WAN solution, one of the arguments for buying the equipment themselves, as opposed to buying Meraki as a service from another provider, is to avoid "vendor lock-in." While it is relatively easy to switch an MPLS provider, this becomes much more complicated when LAN and WiFi are included. WalWil therefore considered it best to procure all the equipment themselves and rather outsource the operation after implementation. This avoids "vendor lock-in" and provides much more freedom to negotiate prices/agreements, making it much easier to switch service providers if needed.
One of the reasons for choosing the Meraki solution was that it is leading in terms of security features. This is essential when switching from regional internet access to local internet at all locations. Meraki has Cisco Anti Malware Protection (AMP), IDS/IPS, and URL filtering based on category. This provides effective local access while maintaining a good security level.
The following effects have been experienced:
SD-WAN provides reduced cost for international communication and increased flexibility, and is not dependent on an ISP.
One console for all maintenance and settings for the entire solution. The solution also has a Global change log. This provides insight into who has done what and when it was done, which in turn provides better security and easier management.
Greater flexibility in acquisitions or sales of businesses. WalWil has grown through acquisitions over time, and the SD-WAN solution makes it easier to integrate a new business into the common solution. It is also easier and faster to set up or take down an office. All that is needed is an internet connection, which provides great flexibility; in the worst case, a 4G router can provide a connection.
Increased security level and visibility for security incidents. Standardization of equipment and firmware.
Reduced complexity in managing the solution.
An API interface to everything, making it possible to create custom scripts and solutions.
One of the values Jan Kristian has added to the project is combining data from Meraki APIs with WalWil's ship positions, severe weather, and seismic events. This gives WWL a simple overview of its global WAN in a practical operational context. Totto Befring, Head of Global IT Operations at WalWil, says that in this view, he can, for example, see hurricanes rolling into the Gulf of Mexico and follow the consequences for the land-based networks as it happens.