Ericsson Enterprise Wireless

Data Sheet:

NetCloud Exchange

2024 - 12 - 20

NetCloud Exchange (NCX) is a unified WAN networking and security architecture that brings cellular, SD-WAN, and security into a tightly integrated solution, uniquely designed for lean IT.  

 

NetCloud Exchange enables customers to:

  • Connect from anywhere using LTE/5G
  • Provide inherent Wireless WAN security by creating a locked-down, zero-trust network
  • Deliver application assurance across highly distributed cellular and hybrid WANs through cellular-optimized SD-WAN
  • Streamline operations through cloud-based orchestration and intuitive policy management

 

NetCloud Exchange architecture components:

 

NetCloud Exchange Service Gateway is a scalable and reliable services delivery platform (or headend) that can reside standalone or in an active/standby configuration in a customer’s data center or hosted cloud. The NCX Service Gateway aggregates traffic from IoT, vehicle, site, and remote work environments, enforces policy, and provides visibility into every flow. 

 

Cradlepoint WAN edge routers for providing persistent, reliable cellular or hybrid connectivity for IoT devices, vehicles, sites, or remote work. The NCX Service Gateway is compatible across Cradlepoint’s primary WAN solutions (excluding standalone adapters), augmenting them with advanced security and SD-WAN services.

 

NetCloud Manager to simplify the deployment, management, and ongoing troubleshooting of the NetCloud Exchange architecture. It enables scalable end-to-end WAN orchestration, the bulk provisioning of policies across multiple device types, and provides intuitive health dashboards, AI-driven insights into faults, and comprehensive reporting and alerts.

 

Optional components:

 

NetCloud Virtual Edge is a software-based solution that can be easily deployed in a data center or private cloud environment to extend the Secure Connect zero-trust network to corporate managed applications.

 

NetCloud Client for enabling secure remote access to an NCX Secure Connect network. The NetCloud Client supports Windows and macOS laptops, iOS and Android mobile devices, and Linux devices. The NetCloud Client is available with a Zero-Trust Network Access license.

NetCloud Exchange Network Diagram

Common Use Cases

IoT Deployments Secure Connect for zero-trust connectivity between IoT devices and their hosts, replacing complex VPN/Private APN architectures.

SD-WAN for improving the quality of experience of real-time applications over low-speed links (for example implementing FEC over for a video transfer over a lossy link.

Zero Trust Network Access (ZTNA) for granting internal and third parties secure remote access to IoT devices on the WAN for maintenance and monitoring.
Vehicle Deployments Secure Connect for zero-trust connectivity between vehicle-based technology and their hosts, replacing complex VPN architectures.

SD-WAN for traffic steering and providing resiliency between multiple modems/service providers, satellite links, or Wi-Fi as WAN connections.

ZTNA for secure remote access to corporate applications in the cloud or data center, or IoT devices on the WAN.
Branch Deployments Secure Connect for zero-trust connectivity between branches and corporate data centers and clouds, replacing complex VPN architectures.

SD-WAN for traffic steering and providing resiliency between wired and cellular connections.

ZTNA for secure remote access to corporate applications in the cloud or data center, or IoT devices on the WAN.
NCX Service Gateway Specifications

NetCloud Exchange Service Gateway is the foundation of the NetCloud Exchange architecture enabling organizations to take advantage of fully integrated zero-trust security and SD-WAN as part of their Ericsson wireless or hybrid WAN.  The NetCloud Exchange Service Gateway aggregates traffic, enforces policy, and provides deep visibility into traffic flows.

NCX Service Gateway benefits:

  • Compatible with Cradlepoint IoT, vehicle, site and remote work routers.   
  • Designed from the ground up to meet zero-trust principles. 
  • Flexible deployment in a customer-hosted data center or cloud or downloaded on a physical server. 
  • Optional redundancy with active / standby configuration 

PERFORMANCE

Licensed Capacities:

  • 250 Mbps
  • 500 Mbps
  • 1 Gbps
  • 2 Gbps
  • 4 Gbps

SYSTEM REQUIREMENTS (ALL CAPACITIES)

Deployment:

AWS

Azure

Software Version:

Up to 7.24.60: Ubuntu 18.04

For 7.24.80 and later: Ubuntu 20.04

Up to 7.24.60: Ubuntu 18.04

For 7.24.80 and later: Ubuntu 20.04

Instance:

c5.2xlarge

Standard_D8S_v3

vCPUs:

8

8

Memory:

16 GB

32 GB

Minimum Disk Space:

16 GB

16 GB

vNICs:

3

3

Minimum NCX Service Gateway Release:

7.22.70

7.22.70

Concurrent Tunnels:

Up to 4,000

Up to 4,000

Performance testing was conducted based on requirements as defined in RFC2544 using fixed-frame 1518-byte packets. Throughput results reflect unidirectional. UDP traffic with less than 1% packet loss as tested with wired connections. At the time of release, the number of supported sites and tunnels is a 1:1 ratio. Ericsson Cradlepoint routers support multiple WAN interfaces simultaneously in SD-WAN mode.

PERFORMANCE

Licensed Capacities:

  • 250 Mbps
  • 500 Mbps
  • 1 Gbps
  • 2 Gbps
  • 4 Gbps

SYSTEM REQUIREMENTS (ALL CAPACITIES)

Deployment:

KVM

VMware

Software Version:

Ubuntu 18.04

ESXi 6.7 or newer

Instance:

N/A

N/A

vCPUs:

8

8

Memory:

16 GB

16 GB

Minimum Disk Space:

16 GB

16 GB

vNICs:

3

3

Minimum NCX Service Gateway Release:

7.22.70

7.22.70

Concurrent Tunnels:

Up to 4,000

Up to 4,000

Performance testing was conducted based on requirements as defined in RFC2544 using fixed-frame 1518-byte packets. Throughput results reflect unidirectional. UDP traffic with less than 1% packet loss as tested with wired connections. At the time of release, the number of supported sites and tunnels is a 1:1 ratio. Each Ericsson Cradelpoint router only supports one tunnel on one active WAN interface at a time.

Secure Connect Site Specifications

Secure Connect offers a simple-to-manage alternative to complex VPN infrastructures for securely connecting IoT devices, sites, vehicles, and remote workers. As the foundation for all other services, Secure Connect delivers a policy-governed, zero-trust network that can be easily orchestrated to enable highly secure communications from the WAN edge to the cloud.

Secure Connect benefits:

  • Dynamic orchestration of zero-trust tunnels at scale.
  • Simplified WAN deployments with support for overlapping IP addresses through name-based routing.
  • Reduces the network attack surface by hiding network resources, encrypting traffic, and obscuring all public IP addresses.
  • Delivers enhanced security by being deny-all by default, with access only enabled through policy.
  • Provides containment of breaches and malware by restricting all east/west traffic by default.

 

PERFORMANCE

Site Routers

Typical Client Count

Throughput

Concurrent Tunnels

IBR650B, IBR600C/IBR650C, IBR900, S400/S450, S700/S750, S700-FIPS/S750-FIPS

5

10 Mbps

10

NOTE: Secure Connect site performance may vary based on latency conditions.

PERFORMANCE

Site Routers

Typical Client Count

Throughput

Concurrent Tunnels

IBR1700, IBR1700-FIPS

30

40 Mbps

20

R920, R920-FIPS

5

100 Mbps

10

R1900, R1900-FIPS, R2105/R2155, R2105-FIPS/R2155-FIPS

100

400 Mbps

20

NOTE: Secure Connect site performance may vary based on latency conditions.

PERFORMANCE

Site Routers

Typical Client Count

Throughput

Concurrent Tunnels

E100, E102

5

40 Mbps

20

AER2200

100

40 Mbps

20

E300, E300-FIPS

50

400 Mbps

20

E3000, E3000-FIPS

100

400 Mbps

20

NOTE: Secure Connect site performance may vary based on latency conditions.

SD-WAN Site Specifications

SD-WAN is a cellular-optimized network service based on a zero-trust foundation that enhances WAN resilience and quality of experience (QoE) by optimizing traffic over multiple physical or logical connections including, wired, 5G/LTE, satellite, Wi-Fi as WAN, private APNs, and 5G standalone network slices.

SD-WAN benefits:

  • Designed on a simple, modern zero-trust foundation that obscures IP addresses, is deny all by default, and where resources must be defined before they are accessible.
  • Supports traffic optimization over physical and logical connections, including being the first SD-WAN solution to support 5G network slicing.
  • Implementation of application-based policies network-wide in a few simple steps.
  • Efficient and cost-effective operation over cellular by considering cellular-specific attributes when steering traffic (for example, signal strength) in addition to latency, loss, and jitter.
  • Preserves bandwidth by using inline traffic rather than artificial traffic to measure WAN performance.
  • Offers enhanced QoE over lossy links through Forward Error Correction (FEC).†
  • Ability to intelligently bond multiple WAN interfaces together to increase resiliency and provide more granular control over traffic.†
  • Deep visibility into latency, loss, and available bandwidth from the edge to the cloud.

† Available on select SD-WAN appliances. See the technical specifications for further details.

PERFORMANCE

Site Routers

Typical Client Count

Throughput

IBR1700

30

40 Mbps

R920

5

100 Mbps

R1900, R2105/R2155

100

400 Mbps

The IBR1700 and R920 routers do not yet support the Forward Error Correction (FEC), Intelligent Bonding, or Fast Link Monitoring features. R2105 routers do not yet support the Intelligent Bonding feature. R2155 routers do not yet support FEC or Intelligent Bonding features. Other SD-WAN functionality is supported.

PERFORMANCE

Site Routers

Typical Client Count

Throughput

AER2200

100

40 Mbps

E100, E102

5

400 Mbps

E300

50

400 Mbps

E3000

100

400 Mbps

The AER200 and E102 routers do not yet support the Forward Error Correction (FEC), Intelligent Bonding, or Fast Link Monitoring features. Other SD-WAN functionality is supported. All features are supported when using E100, E300, and E3000 routers.

Zero Trust Network Access Specifications

 Zero Trust Network Access (ZTNA) is a security service that integrates with an organization’s existing identity provider to provide isolated user-to-resource access for authenticated users. It enables secure remote access for internal employees and third parties to resources (IoT devices and/or applications) on the Ericsson WAN through granular user-based access policies.

ZTNA benefits:

  • Simple and safe remote access to required resources on the WAN for internal employees and third parties.
  • Flexible authentication to the network through a client or through an Ericsson Cradlepoint router.
  • Enhanced security with granular user-based access policies leveraging SAML-based attributes and context.
  • Integration with any SAML 2.0 compliant identity provider.
  • Continuous monitoring for changes in context that could revoke or reduce access privileges.
  • Device posture visibility for users that are leveraging the NetCloud Client for remote connectivity.

 

SYSTEM REQUIREMENTS

Operating System:

Windows

Version:

Windows 10 and 11

Processor:

Intel x86

Memory:

16 GB

Maximum NetCloud Client Count:

Unlimited (limited by NCX Service Gateway licensed throughput capacity per network)

SYSTEM REQUIREMENTS

Operating System:

macOS

Version:

Monterey 12.x or later

Processor:

Intel or Apple M1/M2 CPU

Memory:

16 GB

Maximum NetCloud Client Count:

Unlimited (limited by NCX Service Gateway licensed throughput capacity per network)

SYSTEM REQUIREMENTS

Operating System:

iOS

Version:

iOS 16 or later

Processor:

ARM64 or Apple Silicon

Memory:

64 GB

Maximum NetCloud Client Count:

Unlimited (limited by NCX Service Gateway licensed throughput capacity per network)

SYSTEM REQUIREMENTS

Operating System:

Linux Ubuntu

Version:

22.04

Processor:

  • Intel x86
  • Minimum four core CPU

Memory:

16 GB

Maximum NetCloud Client Count:

Unlimited (limited by NCX Service Gateway licensed throughput capacity per network)

Hybrid Mesh Firewall Specifications

Hybrid Mesh Firewall (HMF) is a security service that can be added to a Secure Connect, SD-WAN or ZTNA network.  With application and web filtering plus integrated IDS/IPS, HMF brings in modern firewall features, without the complexity.

HMF benefits:

  • Uses policies and deep packet inspection to determine whether to block or allow traffic, including communications to or from an application.
  • Provides continuous monitoring of all north/south and east/west traffic flows to detect and prevent malicious activity.
  • Blocks access to inappropriate web content including high-risk domains that may contain malware.

PERFORMANCE

Site Routers

Typical Client Count

Throughput

Concurrent Tunnels

IBR600C/IBR650C, S700/S750

5

10 Mbps

10

NOTE: Hybrid Mesh Firewall site performance may vary based on latency conditions.

PERFORMANCE

Site Routers

Typical Client Count

Throughput

Concurrent Tunnels

IBR1700

30

40 Mbps

20

R920

5

10 Mbps

10

R1900, R2105/R2155

100

400 Mbps

20

NOTE: Hybrid Mesh Firewall site performance may vary based on latency conditions.

PERFORMANCE

Site Routers

Typical Client Count

Throughput

Concurrent Tunnels

AER2200

100

40 Mbps

20

E100, E102

5

40 Mbps

20

E300

50

400 Mbps

20

E3000

100

400 Mbps

20

NOTE: Hybrid Mesh Firewall site performance may vary based on latency conditions.

NetCloud Virtual Edge Specifications

NetCloud Virtual Edge enables a simple extension of the Secure Connect zero-trust network to applications that reside in a corporate data center or private cloud environment.

NetCloud Virtual Edge benefits:

  • Push button deployment NetCloud Manager.
  • Cost-effective and simple solution for organizations that need to connect to one or more data center or private cloud environments.
  • Extension of Secure Connect zero-trust network to the data center and cloud to control access to and from cloud-based applications.

PERFORMANCE

Tunnel Throughput to/from NetCloud Exchange:

300 Mbps

DEPLOYMENT TARGETS — AWS

Instance:

m4.large

vCPUs:

2

Memory:

8 GB

vNICs:

2

NetCloud Exchange Management and Operations

NetCloud Exchange is fully deployed and managed through Ericsson’s powerful cloud management and orchestration platform, NetCloud Manager.  With features that include zero-touch deployment, bulk provisioning, multilayered dashboards, centralized flow-level visibility, and intuitive troubleshooting tools, NetCloud Manager is a valuable assist to lean IT organizations.

 

NetCloud Manager also offers valuable AI-driven insights:

  • Simplified fault management, isolation, and root cause analysis through AIOps-driven dashboard.
  • Improved productivity with virtual expert capabilities to assist with everyday queries through Natural Language Processing.
Ordering Guide

The NetCloud Exchange Service Gateway is a required component to implementing NetCloud Exchange services (Secure Connect, SD-WAN and ZTNA). These services can be purchased as an add-on to any compatible router with a NetCloud Branch, Mobile or IoT service plan, while the NCX Service Gateway is purchased based on required network capacity.

For ordering details, see the following:

  • Step 1 (required): Select NetCloud Service plan(s) for the compatible router(s)
  • Step 2 (required): Select the Secure Connect or SD-WAN site (router-based) license(s) in either standard or premium for each router 
  • Step 3 (optional): Select the ZTNA in either standard or premium per user license(s) (selection of standard or premium must match Step 2)
  • Step 4 (optional): Select the NetCloud Virtual Edge in either standard or premium per each additional data center or private cloud environment beyond where the NCX Service Gateway is located (selection of standard or premium must match Step 2)
  • Step 5 (required): Select NCX Service Gateway capacity for entire solution (separate part number for high availability)

REGION

NCX PACKAGE

DESCRIPTION

PART NUMBER

All Regions:

Service Gateway

250 Mbps

500 Mbps

1 Gbps

2 Gbps

4 Gbps

NCX-000x-SG250MBPS

NCX-000x-SG500MBPS

NCX-000x-SG1GBPS

NCX-000x-SG2GBPS

NCX-000x-SG4GBPS

Service Gateway High Availability

Active + Standby 250 Mbps

Active + Standby 500 Mbps

Active + Standby 1 Gbps

Active + Standby 2 Gbps

Active + Standby 4 Gbps

NCX-002x-SGAS250MBPS

NCX-002x-SGAS500MBPS

NCX-002x-SGAS1GBPS

NCX-002x-SGAS2GBPS

NCX-002x-SGAS4GBPS

Secure Connect

Basic

Premium

NCX-0K0x-SC

NCX-0KPx-SC

SD-WAN

Basic

Premium

NCX-0L0x-SCSD

NCX-0LPx-SCSD

ZTNA

Per User

NCX-0E0x-ZTNA

 

Virtual Edge

NetCloud Essentials for Virtual Edge with Secure Connect

NetCloud Premium for Virtual Edge with Secure Connect

NCX-0M0x-VESC

 

NCX-0MPx-VESC

All Regions — Renewal:

Service Gateway

Renewal — 250 Mbps

Renewal — 500 Mbps

Renewal Active + Standby — 250 Mbps

Renewal Active + Standby — 500 Mbps

NCX-000x-SG250MBPS-R

NCX-000x-SG500MBPS-R

NCX-002x-SGAS250MBPS-R

NCX-002x-SGAS500MBPS-R

Secure Connect

Renewal — Basic

Renewal — Premium

NCX-0K0x-SC-R

NCX-0KPx-SC-R

SD-WAN

Renewal — Basic

Renewal — Premium

NCX-0L0x-SCSD-R

NCX-0LPx-SCSD-R

ZTNA

Renewal NCX ZTNA — Per User

NCX-0E0x-ZTNA-R

NetCloud Exchange Site Premium

Renewal — Premium

NCX-0NPx-HMFAI-R

Virtual Edge

Renewal NetCloud Essentials for Virtual Edge — Per Self-Hosted Virtual Appliance

Renewal NetCloud Premium for Virtual Edge — Per Self-Hosted Virtual Appliance

NCX-0M0x-VESC-R

 

NCX-0MPx-VESC-R

x= 1, 3, or 5 years