Live Demo: Top Deployed SD-WAN Use Cases (Part Two)
This live demo will cover the major use cases of SD-WAN that are applicable to both large and small enterprise scenarios.
- Distributed media streaming with multicast
- Enabling cloud-security capabilities with Zscaler
- Segmentation and per-segment topologies
- Service insertion and service chaining
- Virtualized elements for Cloud (IaaS+PaaS)
- Zero touch provisioning
Senior infrastructure technologies professional with over 15 years of extensive experience in designing and deploying complex multidisciplinary networking environments.
Rachel: Good morning, everyone and thank you for joining us in this webcast, Top Deployed SD-WAN Use Cases. Before we get started I just want to mention a few things. So for those of you that attended the Future WAN Summit, this is a continuation, a part two, if you will of the Live Demo Webcast presented during the summit. Now don’t worry if you missed the previous Live Demo, as this session will just be covering additional SD-WAN cases. If you do however enjoy today’s session we, of course encourage you to check out the previous Live Demo Webcast which along with the other Future WAN Summit sessions, can be found at viptela.com/futureWAN. Now our presenter today is David Klebanov, who is the director of Technical Marketing here at Viptela.
Now just before I turn it over to David, I’d like to point everyone to the Q & A box, and we encourage you all to ask questions, which David will try to get to at the end of the Webcast. I’d also like to point you to the attachment section, where you will find a link to the Future WAN Summit page, as well as an 11-question peer insight survey on WAN. So if you’re able to take a few minutes to fill that out, that’d be much appreciated and you will receive a copy of the results. Now without further delay, I will turn it over to David, David take it away.
David: All right, thank you very much Rachel. All right, everybody, good morning again. So we are here to talk about Top Deployed SD-WAN Use Cases. As Rachel mentioned in the introduction we are continuing our conversation around Top Deployed SD-WAN Cases. We have done part one during the SD-WAN virtual summit just two weeks ago. And you are more than welcome to go and follow this link after this webinar and just listen to that session, it’s an hour long session that gives you four use cases. And we’re going to continue and build beyond that. We talked about transport independence. We talked about how you build and integrate into the existing environment. We talked about regional security. And we talked about regionalization of internet exit points.
These are all top use cases in the previous session. And today we’re going to continue and build on those. Right? So as last time; let’s look at the Demonstration Topology and sort of a Customer Journey, to implementing those features. So the first four things have already been implemented, we’ve again talked about MPLS to Hybrid, we talked about a Brownfield integration, we talked about Regional Internet Exit and we talked about Regional Secure Perimeter by inserting through service chaining, a firewall and an IDS appliance. Now the next step, we’re going to talk about cloud security through Viptela’s integration with Zscaler, then we’re going to turn to hybrid cloud through an integration with AWS, Viptela integrates with both AWS, EC2 and Microsoft [unintelligible 00:03:11].
This time we’re going to talk about an AWS integration. Then we’re going to talk about connecting to business partners and not just business partners, but in this case, we’re going to look at business partners. But it’s a vast connectivity options outside of the organization. Once you’re deployed in SD-WAN solution, how you can accommodate connectivity to the … to other entities, which are external to your organization. And again, we’re going to look at business partners in this particular session. And at the end, we’re going to look at something very interesting, pretty unique of streaming digital contents, which is something that we’re seeing in some of our customers and that’s going to be pretty interesting use case. We’re going to wrap up today’s session with that use case.
So, let’s start talking about cloud security integration with the Zscaler, which is … that’s going to be the area of focus. Right? So if you look at … before we jump into the actual use cases, if you look a little bit about how the connectivity into the cloud applications and the cloud resources was accommodated in legacy environments, then you really are looking at two different models. You have the data center backhaul model where you primarily relying on the MPLS network for connectivity from your branch offices into your data centers. And that is where your connectivity to the cloud resources is provisioned. So, of course, to secure that accessing to the cloud resources, most of the customers are putting firewalls in there. Right?
So what you’re having here, you’re having a data center backhaul into the organizational enterprise data center where the traffic is inspected by the firewall before it’s given to the cloud resources. The second model, is direct internet access from the branch offices, that’s where the organizations are having direct internet access into the internet from the branch offices. And again, since those branch offices now become an internet exit points, it needs to be secured. So the traditional way of securing those is to provision a firewall in every single branch office. Right? Of course for obvious reasons, you may get a more optimal [unintelligible 00:05:40], so you’re not backhauling the traffic to data center anymore.
But you are adding to your footprint in your branch offices. You are relying on quite a few firewalls, basically as many firewalls as you have branch offices, which is costly to procure and also costly to manage. So as applications, sort of are shifting more to the cloud, so is the security approach of how to secure that access to those cloud applications is also [morphing]. And when you talk about an SD-WAN, and how SD-WAN can embrace the cloud security, and this time it’s a cloud security with Zscaler, you can see that there are two approaches, again. There is the approach on the left that is a regionalization of a cloud access, which is … you can think about as a regionalized cloud path, where you have sites or branch offices which are provisioned for an SD-WAN fabric, yet they’re not having a direct access into those cloud resources.
The traffic is sent to the regional hub locations and from the regional hub locations it is forwarded to the Zscaler enforcement node, where the security path is enforced and security is done. Right? So this is the regionalization of the services for the organizations that are not quite ready to open the floodgates and allow every single branch office to connect into the internet and sort of with direct internet access. On the right you see a more optimal way where every single branch is allowed direct internet access connectivity into the Zscaler enforcement nodes, which are spread across every geography. And that traffic goes direct from the branch offices into the Zscaler cloud where it gets inspected and gets subjected to the security policy that the enterprises are looking for.
So, that’s really the transformation of security posture from being in [unintelligible 00:07:41] physically at most and to the cloud-based security, which is both regionalized or direct access. Now what are the deployment options for the Zscaler cloud security? Right? And here you have a choice, it depends on how your site is built. If you’re looking at data centers or regional data centers, you’re mostly talking about two SD-WAN appliances that have connectivity into the SD-WAN fabric of the [unintelligible 00:08:12] connectivity into your core routing infrastructure and integrates with OSPF or BGP or both into the core infrastructure and each device is provisioned with a tunnel into the Zscaler enforcement nodes. That deployment is best fit for regional data centers or main data centers or maybe very large campuses.
The mid one is the large campuses where you can see is large or midsize campuses where you can see it’s very similar to the drawing on the left. The only difference is basically the LAN side of the integration, instead of using routing protocols, it uses [unintelligible 00:08:52] protocols, such as VRRP for high availability. And again you have tunnels in redundant fashion that are provisioned into the Zscaler enforcement nodes. Now on the right you see the remote location, which is going to be the case we’re going to discuss, where an organization opt into not having a redundancy in an SD-WAN appliance. You can see there’s a single SD-WAN appliance provision there. Yet it has two tunnels, the two different Zscaler enforcement nodes for geographic redundancy.
So you have a redundancy on the security standpoint, from the enforcement node standpoint, but you don’t have the redundancy on the SD-WAN side. And again, all three are valid deployments and we have plenty of deployments for each one of them, right. Now if we look at our specific demo here, as I said, we are going to examine the branch office model, where we have two VPN’s, VPN 1 and VPN 2. You can think about VPN 1 as something that services guest Wi-Fi users. You can see VPN 2 something that services core users. The traffic out of these VPN’s have different patterns, the traffic from VPN 1 is going to go through the tunnels into the Zscaler for the quality enforcement.
The VPN 2 traffic is not going to go to through the tunnel to the Zscaler. It’s going to basically go through an SD-WAN tunnel into the SD-WAN fabric to the rest of the organizational network. Right? Now the traffic segmentation is performed on the Viptela vEdge device, the security policy is enforced on the Zscaler cloud security. Now what we have, is we have a deny peer-to-peer file sharing policy from the Zscaler, which prevents access into, let’s say sites that just be [unintelligible 00:10:52], that would be your way of kick starting the peer-to-peer file sharing. Right? So let’s get into the actual demo, and so let me look at vManage, right for those who have watched their previous leaders, vManage is a single pane of glass for all the management, monitoring, troubleshooting, all the operational tasks that you perform on the Viptela system.
Right? So let’s go into the configurations and let’s look at templates. And there’s a template here that you can see, it’s called remote site, that template is … if we look at which device it’s attached to, it’s attached to several devices. So if I look at the actual properties of the template, I can see that two GRE interfaces have been attached to this template. And if I want to see the actual GRE configuration, I can go into the feature, just take … we search for GRE, here are the two GRE feature templates. And if I look at them, I will be able to see inside the … all the characteristics that you need to build the GRE channel to the Zscaler pop. In this case, this GRE tunnel goes to the Zscaler pop in San Francisco, it uses its source interface [unintelligible 00:12:23] 02 the vEdge appliance and the destination of the tunnel is this IP address.
Right? So the second GRE tunnel would have the same characteristics. Right? Now if you want to see the status of the GRE tunnels, I can go into the monitor, I can go into the network. I’m going to choose the remote site one vEdge, I want to run a live query against the device and basically have it display to me all the GRE tunnels that are provisioned on the devices. As you can see, we have two tunnels on that remote office that are GRE 1 and GRE 2 and they are connecting to two different destination IP addresses, which are the IP addresses of the Zscaler enforcement nodes in the cloud; of course they are up to date. Right? So let’s actually make some policy push and make sure that this traffic goes into the Zscaler enforcement points.
Just because we have GRE tunnels, doesn’t mean that we are still sending the traffic there. Before we do that, let me just hop into this desktop in here, so this desktop is think about this as a client, which is connected behind the vEdge in that remote site and this is … everything we’re doing here is going to go through that vEdge appliance that we just looked at and onto the network. Right? So before we do … before we actually shift the traffic to Zscaler, let me just quickly open a terminal window in here. Let me just start a continuous ping to a DNS server, let it just run; we’ll come back to the screen. As you can see, this connectivity is going. Right now it is not taken a Zscaler, right now it’s actually going through a main data center.
So this is traditional sort of way of doing security through the main data center. Now I want to embrace the cloud security, so let me go back to vManage; actually before vManage let me just browse and see that we have access to all the resources. For example, go to ESPN, you can see that I’m getting the ESPN website and then I go to the BitTorrent, and I get a BitTorrent website. And that’s exactly what I want to prevent; I don’t want that site to open. I want to make sure that in my URL filtering policy blocking this website, so people are not consuming peer to peer and networking. And of course block many things, but just for the simplicity of the demo, we’re just going to do a simple URL policy.
So now I’m going to go to the vManage, I’m going to go into the configuration, and I’m going to go to policies, and we have the policy that was created ahead of time, so let me just go and activate this policy. So now what happens; the policy gets activated on the vManage. So once it’s activated, it’s activated on the vSmart controllers and it’s enforced on the vEdge appliances, in this case it’s going to be the appliance that remote office. And of course, think about this, as we are applying this onto one branch, but the policy, Viptela policy framework is a very skeletal framework, it allows you to define the scope of the policy. And the scope of the policy could be an individual site, which is what we’re doing right now, but the policy could also span the entire network.
So by just applying the policy, I could implement a cloud security over my entire SD-WAN network. So now the policy has been implemented, so let me go back into the desktop, and just refresh the page. Of course I get this popup that says, security violation has occurred, it is not allowed … you’re not allowed to browse a peer to peer site. And that’s exactly what we were after, is to make sure that we are … the content that we would like to block is blocked. Right? ESPN, of course is still accessible and it passes through the Zscaler, the Zscaler policy does not block this traffic. Right? So we achieved exactly what we wanted to do. Now if we quickly open that … the terminal window we had running in here, and we just stop it
Just as an interesting observation, you can see in here a zero packet loss. Right? So what happened is that we have shifted the traffic from passing through a main data center, like through a backhaul into the main data center. And having this traffic, take it direct internet access, directly from the branch office into the Zscaler cloud and we did this with zero packet loss. Right? So that is something that many of our customers are … very important in consideration for our customers because when you’re deploying SD-WAN, when you’re deploying an [intereret] grade SD-WAN, you are anticipating and you’re expecting the features to be scalable, reliable; and that’s exactly what we’re doing here with activation of a cloud security. Right?
So let me just … while we transition to the next [view] scape, let me go to the policies’ and just deactivate these policies so we can get ready for the next use case. Also we’ll just let it run and let’s go back into [unintelligible 00:18:18] case. So the next one we’re going to talk about is hybrid cloud. What we’re talking about hybrid cloud … when we’re talking about hybrid cloud, really talking about connectivity into the AWS and the extension of your computer footprint from your own [unintelligible 00:18:37] data center into the AWS [VBC] two instances. Right? So it could be that you’re doing a hybrid cloud in a sense that you are distributing the resources between an [unintelligible 00:18:50] and a cloud location.
But at the same time, some organizations really take it a step further and moving all of the resources. In which case, it becomes not a hybrid cloud, but rather a complete public cloud, where you’re moving your entire data center resources into the AWS environment. Whatever the case may be, the philosophy that we have for an adoption of a public cloud is to create a seamless experience whether your resources are located in your enterprise data center as your private cloud or if your resources have now transitioned into the public cloud instances with AWS or Microsoft Azure. What Viptela does, it gives you a seamless experience of extending your SD-WAN fabric all the way from the branch offices, to the corporate data centers, to the regional data centers, to the cloud destinations; all of that is one seamless SD-WAN fabric. Right?
So we, of course, extend all the SD-WAN features through that fabric, such as for example, very popular feature of segmentation. So if you have segmentation into lines of businesses at the remote office or you had a segmentation into an organizational unit in your branch offices, and that segmentation was carried over into your enterprise data center, what we want to make sure is the same segmentation is now carried into your cloud data center. As you are moving or transitioning your resources, or maybe commissioning new resources in the public cloud. So the features of segmentation transport agnostic hybrid transport, application visibility and control; all of those things are inherent features in SD-WAN fabric and Viptela’s philosophy is to seamlessly enable those throughout your fabric, wherever the fabric is, even if it gets extended into the public … a public cloud environment.
Another element is the shortest network path to reach those resources. If you are moving your resources from the private cloud into the public cloud, you don’t want to incur any additional latency by backhauling your traffic into specific choke points in your network to … before your traffic arrives at the public cloud. Viptela’s philosophy is to provide you the shortest network path between your users, which are the branch offices and your cloud resources, which in this case, are in your AWS. No backhauling, no swinging through a midpoint choke point, straight connectivity from branch offices into the cloud. Now for our demonstration, we will consider that we have an existing SD-WAN network and we are commissioning vEdge cloud, which is the software instance of the Viptela vEdge SD-WAN appliance.
Think about this as an NFV instance of Viptela SD-WAN appliance that gets commissioned in the VPC, in the AWS VPC and it front ends the computer resources that are in that VPC. And again, it extends all of the features of the SD-WAN fabric seamlessly into the AWS and the connectivity is just a straight connectivity between the remote site into the AWS environment through a direct cloud path. Now of course if you deploy this in multiple AWS VPC’s all of those VPC’s will join the SD-WAN fabric and you’ll just have one cohesive fabric that extends from your on-prem data centers or on-prem branches and into the public cloud VPC instances, multiple instances.
And you can even do a multi cloud in a sense of, you can extend the same SD-WAN fabric between a single instance on AWS to multiple instances in AWS, and also instances on Microsoft Azure. So you start being a cloud agnostic and you don’t really pay attention to which cloud the connectivity extends to from the SD-WAN perspective it gives you the same seamless experience. So let’s go back to the vManage, all right, and from here let’s navigate into the configuration, let’s navigate into the devices. You see a device in here that’s sort of in this state where it doesn’t really have its host name, doesn’t have any system IP, doesn’t have site ID, doesn’t have any characteristics in it. Now what is this device?
If I were to look at the AWS console, so this is the EC2 console, we actually have the vEdge cloud running in there and there is one single [unintelligible 00:23:53] behind it. Just for the demonstration purposes, of course, it’s a very simplistic environment. And so this is the vEdge cloud, now vEdge cloud has been provisioned in the system yet, if I go into … back into the vManage, and I go into the configuration in certificates, you can see that the certificate that was given to this individual vEdge is actually marked in an invalid state, which means the system does not trust a certificate that is installed in that vEdge cloud virtual appliance. Every appliance comes with virtual … physical appliances come with prebuilt certificates that are inserted into the [unintelligible 00:24:34] module during the manufacturing process.
For the virtual instances, which is exactly what gets installed in the public cloud, the certificate is allocated, so it’s not a build in certificate, it’s allocated. However, you can see that it’s been put into an un-trust mode, which means that device is not allowed to be admitted to the network. Before I activate this device, if I also quickly go into the geography. I’m expecting this device to be somewhere in here, in the Portland area, in Oregon. Of course you see there’s no device in here, because it’s sort of an un-trusted device, it’s not one of the managed devices yet. So if I go back into the certificates, and I just flip this into valid, and I say yes, and I say I want to propagate this into the controllers, so now the knowledge that this device is a valid device is going to get propagated throughout the control infrastructure.
And once it’s completed, you see that now all of the devices, they now have all the control … elements now have the knowledge of this device. Right? So go back into certificates, it’s now see that the host name has been recognized, the IP address, so the system has been recognized and it’s now in a valid state. Now if I go into the network, I can now see this device also appears in here, on AWS as an AWS host name. If I go and I can see it’s been already building control connections through the internet because that AWS instance is connected to the internet, it’s already building control connections to all the control infrastructure. And of course if I go back to the geography, I can see this device also appeared in here.
And I can click on it and I can request it to show me all the links that has been provisioned. And as you can see it’s part of the fabric, it’s connected to the rest of the sites. So that is how you seamlessly extend your SD-WAN fabric into the public cloud environments. All right, let’s move onto the next case, business partner connectivity, so business partner connectivity is an ability for you to extend your organizational fabric into the external entities. And now what those external entities are; they could be suppliers, they could be partners, they could be part of mergers and acquisitions, and they need access into your protected application resources in your data centers. The question is, is how are you going to accommodate that connectivity, because they’re not fully trusted entities? Right?
So Viptela’s philosophy is to regionalize access into those protected applications in the data center. There’s multiple ways of doing that, but in this case we’re talking about regionalization of the services. In those regional service … regional hubs, you can provision firewall devices and those are going to enforce the policy for connectivity from those external entities into your protected applications. So effectively the arc creating a shield and a controlled access around your organizational and around your enterprise protected applications and allowing only selective access to suppliers, partners or entities that has been acquired. Right? There’s quite a lot of examples of where that could be useful, but suppliers, partners, mergers and acquisitions, spinoff’s these are the most predominant cases that we’re seeing being deployed.
Now there’s quite a few elements that go into the business partner connectivity, it’s easier said than done. Thinking that I only need to provision connectivity to the partner, I need to send them through the firewall and that’s it. But in fact, it’s a convergence of different things that you would want or different features that you would want to implement in order to make it a whole solution. Right? And here you’re talking about segmentation, make sure the partner gets only … gets compartmentalized into their own segments. The ability to do a per segment topologies, in a sense that once they are in the segment, you don’t want that segment that they’re in to span your entire network.
Because again, if you remember we are talking about taking the partner traffic to the regional hub facilities and not to the rest of your organization. So just because they’ve been provisioned in SD-WAN appliance, doesn’t mean that they now have full unrestricted access to all of it. Right? We want to make sure that the topology that they’re mapped ; between the partner and your hub locations and not your entire network. Now once they’ve been provided connectivity into that hub, an ability to do service insertion or service chaining through one or more service nodes, there could be a requirement for network address translation in case that partner actually uses an IP space that you are also using, you can’t really force your partner to re-IP just because they need to connect to you.
And the ability to send the traffic between multiple VPN’s and inter-VPN traffic to make sure that you have connectivity from the partner VPN into your corporate VPN, yet it’s subjected through the fire … by the firewall, the policy gets subjected in the firewall through the service insertion and service chaining. So in our case what we’re going to do; we assume that we have an existing fabric, we have a data center site that hosts the business partner portal, which is basically just a web portal for our case. We are provisioning a regional SD-WAN hub site where we can a Palo Alto firewall that is connected through a trust and un-trust interfaces into the regional SD-WAN, Viptela SD-WAN appliance in that regional hub.
Then if vEdge is provisioned at the business partner’s facility, the topology point to point VPN topology gets established and it’s important for me to emphasize here, we’re not talking about here provisioning a WAN of point to point IPsec tunnel between the two devices. We’re talking here as a same fabric and the ability to segment that fabric and create a point to point topology over this fabric so you don’t have to treat this connection into the partner as a one off onboarding. It’s the same experience, same management tools, same configuration and troubleshooting tools, it’s just segmented off different topology, service change through the firewall, so the connectivity from the business partner into the business partner portal in the data center is going over the secure isolated path. Right?
So, that’s what we’re set to do. Now let’s go back into the system, all right, let’s look into the network. As you can see, there’s a B2B partner device that has been provisioned in the system; that is the device that you have shipped to the business partner; they have been provisioned in the system, yet they have no connectivity into your environment. So if I look for a second here in the geography, and I look at the B2B partner, this is the device, it’s a managed device, and I looked at the links from this device, I can see that the IPsec tunnels have been established, so it’s part of the network, yet if you remember, segmentation comes into play here and it makes sure that the traffic from that site or from that partner site, even though the tunnels have been provisioned, the VPN traffic is not allowed to be sent on any of these tunnels because it’s been isolated into its own VPN.
Another thing to look at here, is that you can see a data center, and you see this line between the B2B partner and the data center, so this data center has a tunnel right now between the branch … between the B2B vEdge and the data center vEdge. So keep that in mind that we have this connectivity that is now enabled, but again, yet there’s no connectivity. Now if I want to go and I want to see the … from that device perspective, from the B2B partner perspective, let me just run a real-time query of how does the IP routing table look on that device. What I’m going to see is I only see connected routes, right of course there’s one default route, static route to get me access into the internet. But I don’t see anything else except the connected routes.
So you see that VPN’s have been provisioned, that the device is fully managed. I can collect statistics about it, I can try to un-trust it, so it’s a piece of my infrastructure, yet no reachability information has been propagated to this device and the device has no connectivity. And of course if I go here and I just quickly browse into the business partner desktop, so think about this, as the desktop connected behind this B2B partner vEdge appliance, and if I go here and I try to navigate into the business partner portal, huh, that should not have happened. Okay, that probably was cached, right, right, that was cached. You see that, the page is not available, just do another refresh, there is no connectivity, it was an artifact of a previous testing.
So the webpage doesn’t open, there’s no reachability, and as you can see, there’s no connectivity, there’s nothing in the routing table to advertise the data center prefix. The data center prefix is 192.168.4.0, see it’s not on the table. So if I go into the policies, and I apply a policy that we have prepared ahead of time, and that policy activates quite a few features in there, it enables communication between different VPN’s, it enables service chaining through the firewall, it enables the connectivity into the business portal on the data center. So there’s quite a few features that are in that policy to make it happen. Right? It also defines a different topology and converts it from the topology of a full mesh into a topology that is only extended into the regional hub facilities and not the corporate data center, because we want to prevent the communication, direct communication from the remote B2B vEdge into the data center vEdge.
So we just wait for another second for this thing to complete, then we can examine the routing table again and then also test that the firewall has seen this traffic. So now you see it’s been propagated. So if I go back into the network, and I again, choose the B2B partner, and I go into the real-time statistics or real-time information, and I say, show me the IP route information, here’s exactly what we’re expecting to see. The 192.168.40 route has been advertised through the Overlay Management Protocol, which is Viptela’s control channel, control plane protocol. You can also see that it’s available from the 10.10.10.15 site, if I quickly go into the site, I can see the data center is 10.10.10.14 and 10.10.10.15 is actually a regional hub; it’s exactly what we wanted to do.
We wanted to advertise this data center’s hub and yet make it available from the regional hub so the traffic that is destined to the data center is actually attracted by the regional hub facility. So I go into the business partner, you can see the site has already opened and I have access into the web portal in there. Now if I go into the … quickly into the firewall, there’s a Palo Alto firewall that has been provisioned in this topology, as well. It’s connected into the regional hub, it’s connected to the vEdge in there, in the regional hub facility. So if I’m going to log into the Palo Alto firewall, just give it a second, and then I’m going to go into the monitor tab. You can see in here, this is the traffic that … which is generated. Right?
It matched the rule and it was traffic on port 80 and it got allowed. And if I go into the policies, then this is exactly the policies that got matched, we allow the web traffic to go in; made it very granular and allowed only the services that I wanted to be extended or to be allowed to be connected to from the business partner. So as you can see in here, it’s a very convenient way for you to extend your organizational SD-WAN connectivity into the external entity, business partners, suppliers, yet we are extending connectivity in a very secure and granular way and allows you the full range of controls of how that connectivity … Once the connectivity’s been established, you can … allows you full range of control to send it through the service chaining or service insertion policy into the security enforcement, in this case it’s the Palo Alto firewall, and actually have a security policy enforcement in there. Right?
So it’s very useful skeletal way that our customers are deploying that, and again, regionalization of those service is also possible. You can have some partners go to one regional hub, some other partners go to another regional hub.
Rachel: Thank you everyone for joining us today and as mentioned, please do visit the Future WAN website and if you do have any further questions, feel free to contact David directly. And again, thank you very much for joining us today. Have a great day.
David: Thank you.