PortaSwitch deployment in a cloud

Link copied to clipboard

PortaOne introduces the concept of PortaSwitch as a cloud-based solution. With this solution, you do not need to purchase hardware servers and/or spend time and effort on their maintenance. Instead, you decide upon the processing capacity you require for your business, submit your request to the PortaOne Sales team and then receive a scalable, ready-to-use platform that operates in a cloud. Thus you start your business faster and speed up your payback.

cloud architecture

The key features of the cloud-based PortaSwitch solution are:

  • Near-zero CAPEX and reduced OPEX – By deploying PortaSwitch in a cloud, you save on hardware purchases and provisioning. The cloud infrastructure is maintained by PortaOne, which drastically reduces the load on your administrative staff.

  • Reduced deployment time – You receive the platform, ready-to-use, within a day.

  • Flexible scalability – The processing capacity can be increased/decreased on demand.

  • Cloud pricing – The cloud-based PortaSwitch solution does not assume licensing. The pricing consists of a one-time set-up fee and then a recurring subscription fee that is formulated based on the number of billable xDRs processed per month. Customers interested in migrating their existing deployments to a cloud will be eligible for commercial incentives.

The cloud-based PortaSwitch platform is the solution for businesses of all sizes. Due to a reduction in deployment charges, small telcos and startups can use it to enter the telecommunications market. Large ITSPs can also use PortaSwitch to:

  • Deploy a new installation (site) in another region/country to introduce geo-redundancy and perform software upgrades with zero down-time;

  • Gradually move active customers to new installations using the Porter data transfer tool and thereby introduce a Dual Version of PortaSwitch. (For more information, please read the Dual Version PortaSwitch chapter);

  • Quickly deploy a staging system to verify new functionalities or interoperability with third-party equipment.

With PortaSwitch deployed in a cloud, you have advanced flexibility in managing your network infrastructure. Even with reduced deployment budgets, businesses of all sizes can become active players in the telecommunications market.

Site-to-site VPN for PortaSwitch deployed on the premises and in the cloud

Link copied to clipboard

There are several ways to deploy PortaSwitch: on the premises on hardware servers, in a cloud or as a combination of both (e.g., you disperse PortaSwitch across multiple sites for redundancy or deploy a Dual Version PortaSwitch for gradual customer migration).

For PortaSwitch installations deployed both in a cloud and on the premises, a reliable and secure interconnection must be established between these two locations. In practice, this means building a VPN that combines networks from both the cloud infrastructure and the on-premises datacenter. Typically, site-to-site VPNs use tunnels to encapsulate data packets within normal IP packets and forward them over public IP-based networks, using encryption to ensure privacy.

The configuration of such a tunnel involves the following:

  1. set up a VPN endpoint within a cloud network;

  2. set up a VPN endpoint within an on-premises network;

  3. make sure that both VPN endpoints freely exchange TCP/UDP traffic on ports 500 (ISAKMP) and 4500 (NAT traversal);
  4. enable a tunnel between the two VPN endpoints and check the connectivity.

VPN endpoint in a cloud network

Link copied to clipboard

To set up a VPN endpoint in a PortaSwitch cloud network, submit a request to the PortaOne Support team. The request must include the following information:

  • a public IPv4 address for a VPN endpoint located on the premises;

  • the IP address of the private on-premises network that will be added to the VPN.

Once a VPN endpoint in a PortaSwitch cloud network is configured, you are provided with its public IPv4 address, pre-shared key and a private cloud network address.

VPN endpoint in the on-premises network

Link copied to clipboard

To set up a VPN endpoint in the on-premises network, either a VPN-capable device or software-based router is required (both must support standard-based IPSec encryption). Such a device/software router must be placed in the on-premises network and have a public IPv4 address assigned to it. It must also comply with the following ISAKMP policy options:

  • ISAKMP protocol, version 1;

  • exchange type: main mode;

  • authentication method: pre-shared keys;

  • encryption algorithms: AES-128-cbc, AES-192-cbc, AES-256-cbc;

  • authentication algorithm: SHA1 (also called SHA or SHA1-96), SHA-256, SHA-384;

  • Diffie-Hellman group: group 1, group 2, group 5; and

  • IKE session key lifetime: 28800 seconds (8 hours).

Additionally, support of the following IPSec policy options is required:

  • IPSec protocol: ESP, tunnel-mode;

  • encryption: AES-128-cbc, AES-192-cbc, AES-256-cbc;

  • authentication algorithm: HMAC-SHA1-96;

  • IPSec session key lifetime: 3600 seconds (1 hour); and

  • Perfect Forward Secrecy (PFS): enabled, group 5.

Please refer to https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/configuringCPE.htm for useful details about a particular VPN endpoint configuration.

Enable a tunnel between VPN endpoints

Link copied to clipboard

Provision the public IPv4 address, pre-shared key and private cloud network address of the VPN endpoint configured in the cloud onto an on-premises device (or software router) so that a tunnel between the two VPN endpoints can be established.

On this page