Maximized Network Availability With Diverse VSAT Routing

Integrated Network Diversity and Increased Network Reliability
Encore Networks’ BANDIT™ line of products, hardened for environmental and electrical immunity, offers diverse routing and increased reliability with extensive failover capabilities. Integrated network interfaces include a 56K/T1 CSU/DSU, Frame Relay/MPLS, single- or dual-mode fiber, DMZ Ethernet, and cellular (with an embedded EVDO or HSDPA modem).

The BANDIT™ can be configured with limitless WAN connection options, including Satellite, VSAT, Microwave or Radio, and supports any or all of these connections simultaneously while applying Quality of Service/Class of Service (QoS/CoS). Should any WAN connection fail, traffic is automatically re-routed over the remaining WAN connection(s) with minimal data loss.

Whenever a new or existing remote site requires an ultra-reliable network connection, either to meet NERC-CIP diverse route requirements or to increase overall network reliability through a diverse network routing design, the best choice is BANDIT™-based technology using a satellite service with Very Small Aperture Terminal (VSAT) technology.

Satellite Design Considerations
When considering a satellite network, the designer must evaluate several factors such as weather, delay, and Machine-to-Machine (M2M) protocol support to design an optimized network. When deploying satellite, a user may run into situations where weather affects the network performance and availability.
One such situation is atmospheric attenuation commonly referred to as ‘rain-fade’. An additional issue is found when using an end-to-end Virtual Private Network (VPN) over a VSAT link from remote sites to a central headquarters location. The most common form of VPN is IPSec using 3DES or AES-256.

When running any IP-based application over VSAT, TCP acceleration is required to support basic TCP communication efficiently. Without this acceleration, IP sessions time out because the IP acknowledgements are delayed by the distance between the satellite and the remote locations. The acceleration is commonly provided by processors and software called Performance Enhancing Proxy Servers (PEP). Every VSAT service provider runs a similar process, but each is unique to that provider's network topology.
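Why an end-to-end IPsec tunnel and a PEP conflict, as an added example that is not part of the original page: a PEP has to read TCP ports and sequence/acknowledgement numbers, and ESP hides them. The packets are constructed samples, and the 0.6 s round trip is an assumed typical geostationary figure, not a value from the page.

```python
import struct

TCP, ESP = 6, 50  # IANA IP protocol numbers

def ipv4_packet(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample, checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload

def pep_view(packet: bytes) -> dict:
    """Return what an on-path PEP can read from one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    body = packet[ihl:]
    if proto == TCP:
        sport, dport, seq, ack = struct.unpack("!HHII", body[:12])
        return {"accelerable": True, "flow": (sport, dport), "seq": seq, "ack": ack}
    if proto == ESP:
        spi, esp_seq = struct.unpack("!II", body[:8])
        # The inner TCP header is ciphertext: no ports, no seq/ack to acknowledge locally.
        return {"accelerable": False, "spi": spi, "esp_seq": esp_seq}
    return {"accelerable": False}

def window_limited_bps(window_bytes: int, rtt_s: float) -> float:
    """Ceiling for one unaccelerated TCP flow: one window per round trip."""
    return window_bytes * 8 / rtt_s

# Constructed samples: an FTP control segment in the clear, and the same
# traffic inside ESP (32 zero bytes stand in for the encrypted payload).
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 21, 1000, 2000, 0x50, 0x10, 65535, 0, 0)
PLAIN = ipv4_packet(TCP, TCP_SEGMENT)
TUNNEL = ipv4_packet(ESP, struct.pack("!II", 0x1001, 7) + bytes(32))

if __name__ == "__main__":
    print("plain :", pep_view(PLAIN))
    print("tunnel:", pep_view(TUNNEL))
    # 65535 bytes is the largest TCP window without window scaling.
    print("unaccelerated ceiling (bps):", round(window_limited_bps(65535, 0.6)))
```
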

To improve VPN over VSAT, Encore Networks has patented an IPSec-based VPN solution for the VSAT industry called Selective Layer Encryption (SLE). SLE is designed to enhance the VPN, work in tandem with PEP, and provide fully encrypted IPSec data.

The test data in the performance chart is based upon a 1Mbs FTP file sent in both directions of the data flow. The test network capacity parameters were 1.5Mbs OB x 200Kbs IB. The tests show that SLE obtained maximum throughput in both directions, while IPSec ran at an 80% loss of usable bandwidth. The Performance Chart below presents the bandwidth efficiencies of SLE over IPSec on a VSAT network. SLE performed at the theoretical maximum for both Inbound (IB) and Outbound (OB) data streams. The purchased data plan was 1.5Mbps x 225Kbps.


New Site Solution
In a design where the BANDIT™ uses both a terrestrial and a VSAT WAN connection for optimal infrastructure diversification, two parallel VPN tunnels maintain data integrity with automatic fail-over and recovery. Since the tunnels are maintained within the BANDIT™, any data that would be lost over the failed link is re-transmitted over the backup link, minimizing data loss.

Existing Site Solution
Because the BANDIT™ is standards-based IP, it can be easily integrated into operations with any standards-based third-party router to provide a VSAT WAN connection for optimal infrastructure diversification.

A design that pairs a BANDIT™ on a VSAT WAN connection with a third-party router that already hosts the existing terrestrial WAN connection requires the implementation of Virtual Router Redundancy Protocol (VRRP). Invoking VRRP increases reliability at the site by creating a “virtual” router out of the third-party router and the BANDIT™. These routers now act as a master and a backup residing on the same subnet. Only the “master” router actively transmits data across its hosted VPN tunnel. If the master VPN connection fails, an automatic switchover occurs between the third-party router and the BANDIT™, with all traffic being routed across the backup VPN connection. Once the primary route is restored, all data is routed back through the primary terrestrial VPN connection.
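The switchover and fail-back described above, modelled as an added example that is not Encore's or any router vendor's code. The router names, the priorities 200 and 100, and the 150-point drop while the tracked VPN is down are hypothetical; the timer formula is the VRRPv2 one from RFC 3768.

```python
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    base_priority: int        # configured VRRP priority (1-254)
    track_decrement: int = 0  # assumption: vendor-style drop while the tracked VPN is down
    vpn_up: bool = True
    alive: bool = True

    @property
    def priority(self) -> int:
        # Effective priority advertised on the shared LAN subnet.
        if self.vpn_up:
            return self.base_priority
        return max(1, self.base_priority - self.track_decrement)

def master_down_interval(priority: int, advert_s: float = 1.0) -> float:
    """RFC 3768: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - priority) / 256."""
    return 3 * advert_s + (256 - priority) / 256

def elect(routers):
    """With preemption on, the live router with the highest effective priority is master.
    Priorities here never tie, so the RFC's highest-IP tie-break is not modelled."""
    live = [r for r in routers if r.alive]
    return max(live, key=lambda r: r.priority).name if live else None

# Constructed event sequence: (label, router, attribute, new value).
EVENTS = [
    ("steady state",             "third-party-router", "vpn_up", True),
    ("terrestrial VPN fails",    "third-party-router", "vpn_up", False),
    ("terrestrial VPN restored", "third-party-router", "vpn_up", True),
    ("third-party router dies",  "third-party-router", "alive",  False),
]

def replay(events):
    """Apply each event and record which router owns the virtual gateway afterwards."""
    routers = {
        "third-party-router": Router("third-party-router", 200, track_decrement=150),
        "bandit-vsat": Router("bandit-vsat", 100),
    }
    timeline = []
    for label, name, attr, value in events:
        setattr(routers[name], attr, value)
        timeline.append((label, elect(routers.values())))
    return timeline

if __name__ == "__main__":
    for label, master in replay(EVENTS):
        print(f"{label:26} -> master: {master}")
    print("backup takeover delay (s):", master_down_interval(100))
```

The last event shows why VPN tracking matters: without the priority drop, the backup would only take over when the master stops advertising altogether, not when its tunnel alone fails.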

The role of the BANDIT™ is to be an intelligent, network-monitoring A/B switch between two WAN interface connections, able to automatically route any data format over any WAN connection. In a new deployment where only the BANDIT™ is used, it maintains both the primary and backup data connections in one device. There is minimized data loss when switching from the terrestrial network VPN (IPSec) to the satellite network VPN (SLE over Ku-VSAT).

For existing sites where the BANDIT™ is integrated with a third party WAN router, it will re-route all traffic to the backup network (in this example, Ku VSAT) through the use of VRRP. Once the primary route is restored, all data is routed back through the primary terrestrial connection.

In both of these deployments, the BANDIT™ meets industry requirements for teleprotection and achieves extremely high network availability at any site. Where there is a need to provide diverse network routes, an SLE-enabled BANDIT™, combined with a secure broadband satellite network, offers the perfect solution.

In conclusion, we discussed how to effectively add a VSAT network to any terrestrial solution for maximized availability, utilizing VRRP and leveraging the full potential of the BANDIT™ to handle back-office applications, M2M, SCADA, AMR collection, VoIP and/or Video. This diversely routed network solution provides better than 99.99% network availability.

Network Diagram
