Cisco SDWAN stability between China office and other countries

Hey there!
I'm preparing for a Cisco SDWAN rollout in a global company, with ~50 big offices around the globe, and I'm not yet sure what to do in regards to WAN links in our CN office. We currently use MPLS between the CN office and our Hong Kong office and send most of the VPN/Internet traffic this way, as HK is not yet filtered by the government firewall. The CN office currently has a single MPLS and a single Internet circuit.

  1. When going with SDWAN, do I need to keep this MPLS circuit running, or can I expect the SDWAN fabric to “fix” this issue and rely on pure Internet in the CN office? I can also get another Internet circuit there; it's still way cheaper than MPLS.
  2. What is your experience with Cisco SDWAN in China?

I don’t know if SDWAN changes things, but a long time ago somebody on here answered a similar question for me about IPsec tunnels in and out. They told me to look into Aryaka, and we have never looked back. My gut tells me you will still need MPLS, as the great firewall could kill both IPsec tunnels at once. I would love to hear differently.

We’ve got Cisco Meraki SD-WAN at all of our branches and for our mainland China locations we have “premium DIA” services which required paperwork to be filled out stating we are an international company, and IPSEC connectivity and certain normally blocked business sites are all allowed over it, unfettered. Our Hong Kong site doesn’t require that, due to Hong Kong not undergoing the same restrictions as mainland China.

Basically you can’t use any IPSec tunnel out of the box through the China Great Firewall.

You could:

  • ask for a specific ISP service (through China Telecom)
  • use a first leg certified service for exiting China (Teridion, cloudsdwan.cn, etc.)

We use managed Cisco SD-WAN to several Chinese sites. It is based on Viptela. It works quite well. I don’t know about the long-term reliability, since there is not too much data transferred. But when I tested several times, I was able to reach 200 Mbps between Europe and the Chinese site. This was the SD-WAN license limit so far…

We use China Telecom, don’t know what service.

Hope this helps.

I run leased lines into China from HK and have an internet backup.

At times I get as much as 20% packet loss on the backup and this is with a “premium international” internet connection. The leased line is 100% stable and has been for 2 years.
I would keep the leased line…
I found leased lines between HK and China surprisingly cheap compared to our other connections we have in our group.

It was mentioned below, but the problem with China (outside of needing to address encryption) is around consistent peering performance when traversing the firewall. The three providers (China Mobile/China Unicom/China Telecom) are impacted by peering issues that arise from updates to the firewall policies and changes made by other ISPs meeting them on the outside of the firewall.

There are services within China if you wish to go with public connectivity that offer a blended connection across the three providers. In the event that one or two start to experience peering problems which leads to added latency and jitter, the third is likely to maintain a stable connection.
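An added example (not code from any poster in this thread) of the selection logic behind the blended-provider idea described above: probe each underlay, compute loss, mean latency and jitter, and hand traffic to the first provider that still meets an SLA class, the way an SD-WAN app-route policy would. The provider names, probe values and SLA thresholds are all constructed for illustration.

```python
"""Score several WAN underlays and pick one that meets an SLA.

Constructed example: provider names, RTT samples and SLA thresholds are
made up for illustration. A lost probe is recorded as None.
"""
from statistics import mean
from typing import Dict, List, Optional

# Constructed probe samples per provider: RTT in ms, None = lost probe.
PROBES: Dict[str, List[Optional[float]]] = {
    "china_telecom": [180, 185, None, 410, 190, None, 620, 188, None, 195],
    "china_unicom":  [210, 215, 212, 218, 214, 211, 216, 213, 217, 212],
    "china_mobile":  [230, None, 240, 235, 238, 236, None, 241, 239, 237],
}

# Constructed SLA class, in the spirit of an SD-WAN app-route policy:
# maximum tolerated loss (%), mean latency (ms) and jitter (ms).
SLA = {"loss_pct": 5.0, "latency_ms": 300.0, "jitter_ms": 30.0}


def path_stats(samples: List[Optional[float]]) -> Dict[str, Optional[float]]:
    """Return loss %, mean RTT and jitter for one provider's probe samples."""
    total = len(samples)
    good = [s for s in samples if s is not None]
    loss_pct = 100.0 * (total - len(good)) / total if total else 100.0
    if not good:
        # Every probe was lost: no latency or jitter can be measured.
        return {"loss_pct": loss_pct, "latency_ms": None, "jitter_ms": None}
    latency = float(mean(good))
    # Jitter as the mean absolute difference between consecutive successful
    # probes (unsmoothed variant of the RFC 3550 interarrival jitter idea).
    if len(good) > 1:
        jitter = float(mean(abs(b - a) for a, b in zip(good, good[1:])))
    else:
        jitter = 0.0
    return {"loss_pct": loss_pct, "latency_ms": latency, "jitter_ms": jitter}


def meets_sla(stats: Dict[str, Optional[float]], sla: Dict[str, float]) -> bool:
    """True when loss, latency and jitter are all within the SLA class."""
    if stats["latency_ms"] is None:
        return False
    return (
        stats["loss_pct"] <= sla["loss_pct"]
        and stats["latency_ms"] <= sla["latency_ms"]
        and stats["jitter_ms"] <= sla["jitter_ms"]
    )


def select_path(probes: Dict[str, List[Optional[float]]], sla: Dict[str, float]) -> Optional[str]:
    """Rank providers by loss, then latency, and return the first one in SLA.

    Returns None when no underlay meets the SLA, which is the case where an
    operator would want an alert rather than silent best-effort forwarding.
    """
    scored = {name: path_stats(samples) for name, samples in probes.items()}
    ranked = sorted(
        scored.items(),
        key=lambda kv: (kv[1]["loss_pct"], kv[1]["latency_ms"] or float("inf")),
    )
    for name, stats in ranked:
        if meets_sla(stats, sla):
            return name
    return None


if __name__ == "__main__":
    for name, samples in PROBES.items():
        st = path_stats(samples)
        print(f"{name:14s} loss={st['loss_pct']:5.1f}%  "
              f"rtt={st['latency_ms']}  jitter={st['jitter_ms']}  "
              f"in_sla={meets_sla(st, SLA)}")
    print("selected:", select_path(PROBES, SLA))
```

With the constructed samples, China Telecom fails on loss and jitter, China Mobile fails on loss, and China Unicom is chosen; with all three degraded the selector returns None, which is the condition to monitor for rather than paper over.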

Aryaka has good connectivity in and out of china. You can use them to tunnel your traffic.
If you're in Germany I can provide you with contacts.

We have a lot of packet loss/delay issues with China Telecom. At the moment we have an approved tunneled service (SDWAN-like) that comes out in Singapore; we have a 1:1 NAT with an IPv4 address there. It is a lot more stable and reliable than what we were doing before (same as you, routing to our office in HKG).

This. I have experience with customers in CN and the CCP can cut off your IPSEC tunnel whenever they feel like it. This happened to a few companies I’ve worked with. Aryaka and Cato Networks have been used to overcome the transit out of CN. Both generally cheaper than private links.

Wait. We can pay the ISP to have doing business in China not suck? I feel like I may have wasted a lot of my life trying to solution something we can throw money at.

Thanks! I like the idea of premium DIA. Is there a product name I can refer to when talking with my ISP, Verizon?

That’s wild I had no idea this was an option.

Cato is more of middle mile SDWan like Aryaka, so that makes sense. We have been trying to decide if we include China in our SDWan plans or stick with Aryaka for getting in and out of China. We will at least be testing it. Palo EA gave us their SDWAN license as part of the bundle, and while it probably isn’t the best option for our needs, it is no additional cost right now. 99% sure we will have to stick with Aryaka.

Yep agreed, Aryaka and Cato are really the best solution for this problem. I am a bit partial to Cato just because the story is more complete, but generally speaking both are great solutions to OPs problem.

I feel your pain on this. I can’t believe this has never come up in my life.

I get my circuits via an ISP broker that made things very simple; we used GlobalGig.

I have not seen it offered from Verizon as a service. There are other global aggregators that have pitched it.

Yea. While Aryaka has some advantages like their L2, Cato is cleaner and the Cato security stack is more mature and simpler to use at least IMO.