Wednesday, December 19, 2018

SaaS App-Based Partial Local Breakout

I imagine this is a pretty common need. Just wondering how everyone here has solved it.

Use Case:

Several Sites in Mainland China.

- LAN-to-WAN path is core switch, firewall (inline, layer 3), routers

- Router has two VRFs (internal and external); BGP between both VRFs and the firewall

- Default route from the external VRF, internal specifics from the internal VRF

- External VRF NATs toward the Internet (local breakout)

- Internal VRF sends traffic up to the MPLS provider

Right now, we either backhaul internet over the MPLS path or break it out locally. The L3 firewall decides whether to send a flow to the internal router VRF or the external router VRF.

It's mutually exclusive. Either we saturate the MPLS circuit and make all the local users angry by trying to backhaul internet over MPLS, or we reduce productivity by breaking US-based SaaS apps like Webex, Office365, etc. out locally. These perform abominably in mainland China.

You can try PBR on the firewall, but the DPI engine needs several packets to identify a session; by the time it has, the TCP session is already established with the website, and when the flow is switched to the other VRF the public (NAT) IP changes and the session breaks. Or you run into weird issues where what the user sees as one website is actually a dozen websites because of all the embedded content, so from the end user's perspective you haven't solved the problem at all, since different parts of the webpage are hanging.

We've looked at an explicit proxy (customer doesn't like because it is a lot of work to manage).

We've looked at maybe migrating to an SD-WAN solution, but with the exception of a few options I see in Viptela (CloudExpress), where it snoops DNS and caches the various destination sockets as belonging to a specific website, there isn't much out there. And this feature seems to be almost unusably buggy.
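To make the DNS-snooping idea concrete, here is an added example (not code from the post, and not Viptela's or Cisco's implementation) of the two properties such a classifier needs: it learns destination IPs from DNS answers for an allowlisted SaaS domain (following CNAME chains, with the cache bounded by the answer's TTL), and it decides the path once, on the first packet of a flow, then pins that flow so it is never re-steered mid-session, which is exactly what breaks under DPI-based PBR. The domain suffixes, hostnames, and addresses are constructed (TEST-NET ranges), and `DnsAnswer` stands in for records already decoded by whatever resolver or sniffer feeds the classifier.

```python
from dataclasses import dataclass

# Constructed allowlist of SaaS domain suffixes to break out locally
# (assumption: the customer maintains this list; not from the post).
LOCAL_BREAKOUT_SUFFIXES = ("webex.com", "office365.com")

LOCAL = "local-breakout"   # external VRF -> NAT -> internet
MPLS = "mpls-backhaul"     # internal VRF -> MPLS provider (default path)


@dataclass(frozen=True)
class DnsAnswer:
    """One decoded resource record from a DNS response seen at the site resolver."""
    name: str
    rtype: str   # "A" or "CNAME"
    ttl: int
    rdata: str   # IPv4 address for A, target name for CNAME


def _norm(name):
    return name.rstrip(".").lower()


class BreakoutClassifier:
    def __init__(self, suffixes=LOCAL_BREAKOUT_SUFFIXES):
        self.suffixes = tuple(_norm(s) for s in suffixes)
        self.ip_cache = {}   # dst_ip -> (queried SaaS name, expires_at)
        self.flows = {}      # 5-tuple -> path, pinned when the flow starts

    def is_saas(self, name):
        n = _norm(name)
        return any(n == s or n.endswith("." + s) for s in self.suffixes)

    def observe_dns(self, qname, answers, now):
        """Learn destination IPs from a DNS response. Returns the number of IPs cached."""
        if not self.is_saas(qname):
            return 0
        names = {_norm(qname)}
        # Follow the CNAME chain from the queried name. Loop until no new alias
        # appears, because answer sections are not guaranteed to be in chain order.
        while True:
            new = {_norm(a.rdata) for a in answers
                   if a.rtype == "CNAME" and _norm(a.name) in names}
            if new <= names:
                break
            names |= new
        # Bound the cache by the smallest TTL along the chain so it never
        # outlives the DNS answer it was learned from.
        chain_ttl = min((a.ttl for a in answers if _norm(a.name) in names), default=0)
        cached = 0
        for a in answers:
            if a.rtype == "A" and _norm(a.name) in names:
                self.ip_cache[a.rdata] = (_norm(qname), now + chain_ttl)
                cached += 1
        return cached

    def lookup(self, dst_ip, now):
        """Return the SaaS name a destination IP was learned for, or None if unknown/expired."""
        entry = self.ip_cache.get(dst_ip)
        if entry is None:
            return None
        name, expires = entry
        if now >= expires:
            del self.ip_cache[dst_ip]
            return None
        return name

    def path_for(self, flow, syn, now):
        """flow = (src_ip, dst_ip, proto, sport, dport). Decide once, at the first packet."""
        if flow in self.flows:
            return self.flows[flow]   # pinned: never re-steer an established session
        if not syn:
            # Mid-session packet with no state (e.g. after a restart): there is no safe
            # way to know which NAT it started behind, so take the default path.
            path = MPLS
        else:
            path = LOCAL if self.lookup(flow[1], now) else MPLS
        self.flows[flow] = path
        return path

    def end_flow(self, flow):
        self.flows.pop(flow, None)


if __name__ == "__main__":
    c = BreakoutClassifier()
    # Constructed DNS response: a SaaS hostname that CNAMEs to a CDN edge.
    answers = [
        DnsAnswer("collab.webex.com", "CNAME", 300, "edge.cdn.example"),
        DnsAnswer("edge.cdn.example", "A", 60, "198.51.100.10"),
        DnsAnswer("other.example", "A", 60, "198.51.100.99"),  # unrelated record, ignored
    ]
    c.observe_dns("collab.webex.com", answers, now=0)
    flow = ("10.1.1.5", "198.51.100.10", "tcp", 40000, 443)
    print(c.path_for(flow, syn=True, now=1))      # decided at SYN
    print(c.path_for(flow, syn=False, now=5000))  # same answer for the life of the flow
```

Note what this does and does not solve: the CDN edge IP is steered locally only because the chain started from an allowlisted query, so embedded content a page pulls from domains not on the list still takes the default path. That is the same "a dozen websites behind one page" problem the post describes, and the only fix at this layer is a broader allowlist; the pinning logic just guarantees that whichever path a flow gets, it keeps it.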

Have even considered design changes to leverage Cisco's Umbrella feature with IOS, but I am not sure this meets customer security requirements.

So, assuming that we're not the only ones dealing with this, how have you handled it?

Many thanks.
