The networking world is being bombarded by so many “new” technologies that it is difficult to keep up with them all, from Software Defined Networking (SDN) to Network Function Virtualization (NFV) and now Software-Defined Wide Area Network (SD-WAN). At the center of all these technologies is a focus on software rather than tightly coupled hardware/software combinations. In this article, we will discuss SD-WAN and see whether it is really something new or just hype around repackaged products.
What is a WAN?
A simple definition of a Wide Area Network (WAN) is a collection of Local Area Networks (LANs) separated by geographical location. Even though when we talk about WANs, we usually refer to Private WANs wholly owned by organizations (i.e. under the same administrative domain), we also have Public WANs and the Internet can be considered as one big WAN.
In this article, we will be discussing concepts that mostly apply to Private WANs. For example, a bank with several branches across the country will normally have a WAN that connects its branches (remote sites) to its HQ or Data Center (hub site). Traditionally, remote sites connect to the hub through private links/leased circuits/MPLS even though other forms of connectivity like Internet may also be used for backup purposes.
What is SD-WAN?
There is really no standard definition for SD-WAN and whatever definition you get will be dependent on the vendor defining it. Generally speaking, looking at the various SD-WAN products/services available from different vendors, we can come up with certain characteristics of SD-WAN including:
- Centralized Control
- Multiple WAN Links
- Path Optimization
- Reduced Costs
- Quick Provisioning
- Unified Devices
Centralized Control
SD-WAN is an application of SDN, whose main aim is to decouple the control and data planes of networking devices. Usually, this involves a centralized controller that has a bird's-eye view of the network and can instruct forwarding devices on the best line of action to take for different types of traffic.
In the same way, SD-WAN aims to bring centralized control to the WAN edge through some form of controller or orchestrator that can route traffic intelligently. This also reduces the administrative burden at branch/remote sites, since management can be done from the HQ/hub site, leading to minimal or zero-touch configuration of remote devices – they just need to connect to the controller and automatically receive the appropriate configuration.
Multiple WAN Links
Many SD-WAN products offer the ability to aggregate multiple WAN links of varying technologies like MPLS, Internet (broadband), 3G and so on, resulting in a type of Hybrid-WAN design. Therefore, we can say that SD-WAN is agnostic to the transport layer (i.e. type of connection) and usually builds some form of overlay network between the remote site and the hub.
While this type of design is not new to the WAN, it was usually done in an active/standby fashion where the private line/leased circuit/MPLS link was used as the primary link and the other link (e.g. an Internet link with VPN) was only used for backup purposes. With SD-WAN, multiple links are used in an active/active fashion, with policies defined (on the controller) to determine what type of traffic should use which link.
Path Optimization
With SD-WAN, there is real-time, dynamic path optimization of traffic. For example, the controller can monitor link characteristics such as delay, jitter, etc. and decide that certain traffic will be better forwarded through another link to maintain the necessary level of quality for that traffic. In some cases, these SD-WAN products can even use techniques like Forward Error Correction in a bid to increase the reliability of data delivery.
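As an added example (not from the article or any vendor's product), the following Python sketch shows the kind of policy-driven path selection described above: per-class SLA thresholds, a preference order that steers bulk traffic onto Internet links while voice stays on MPLS, and a least-degraded fallback when no link meets policy. All link names, thresholds and probe values are constructed.

```python
"""Added example, not from the article: a simplified SD-WAN controller path
selector. The controller holds probe metrics per WAN link (delay, jitter, loss)
and applies a per-traffic-class policy to decide which link each class uses."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class LinkMetrics:
    name: str          # constructed names: "mpls", "inet1", "inet2"
    up: bool           # False when the carrier link is down
    delay_ms: float    # one-way delay measured by controller probes
    jitter_ms: float
    loss_pct: float

# Illustrative SLA ceilings per class (constructed); a link is compliant only if it meets all.
POLICIES: Dict[str, Dict[str, float]] = {
    "voice": {"delay_ms": 150.0, "jitter_ms": 30.0, "loss_pct": 1.0},
    "bulk":  {"delay_ms": 400.0, "jitter_ms": 100.0, "loss_pct": 5.0},
}
# Active/active: voice prefers MPLS; bulk is steered onto Internet links even while MPLS is healthy.
PREFERENCE = {"voice": ["mpls", "inet1", "inet2"], "bulk": ["inet1", "inet2", "mpls"]}

def compliant(link: LinkMetrics, policy: Dict[str, float]) -> bool:
    return link.up and all(getattr(link, k) <= v for k, v in policy.items())

def violation(link: LinkMetrics, policy: Dict[str, float]) -> float:
    """Relative overshoot summed over metrics; 0.0 means fully compliant."""
    return sum(max(0.0, getattr(link, k) / v - 1.0) for k, v in policy.items())

def select_path(traffic_class: str, links: List[LinkMetrics]) -> Optional[str]:
    """Return the link to forward this class on, or None if every link is down."""
    by_name = {l.name: l for l in links}
    policy, order = POLICIES[traffic_class], PREFERENCE[traffic_class]
    # 1. First SLA-compliant link in policy preference order.
    for name in order:
        link = by_name.get(name)
        if link is not None and compliant(link, policy):
            return name
    # 2. Nothing compliant: keep traffic flowing on the least-degraded up link (ties by preference).
    up = [l for l in links if l.up]
    if not up:
        return None
    return min(up, key=lambda l: (violation(l, policy), order.index(l.name))).name

# Constructed probe snapshot: inet1 is jittery (bad for voice, fine for bulk); inet2 is down.
SAMPLE_LINKS = [
    LinkMetrics("mpls", True, 40.0, 5.0, 0.1),
    LinkMetrics("inet1", True, 80.0, 40.0, 0.5),
    LinkMetrics("inet2", False, 0.0, 0.0, 100.0),
]
```

Re-running `select_path` on each new probe snapshot is what makes the steering dynamic; a real controller would also dampen flapping between links, which this sketch omits.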
Reduced Costs
One of the main selling points of SD-WAN is that you can replace (or supplement) your expensive MPLS WAN links with less expensive Internet links (secured, e.g., with VPN) and still get the same experience. These Internet links are usually 100 times less expensive than MPLS links, and even though they do not provide the corresponding guaranteed Service Level Agreement (SLA) or Quality of Service (QoS), by using techniques like aggregation and optimization they can serve as a good-enough replacement.
Author’s note: This particular point is not a reality in most parts of Africa (e.g. Nigeria) where the cost of an Internet link is usually more than that of corresponding leased circuit/MPLS.
Also, some SD-WAN vendors offer their products as virtual machines that can run on commodity hardware (e.g. x86 servers) thereby eliminating (or reducing) the cost of purchasing proprietary and usually expensive hardware.
Quick Provisioning
A corresponding characteristic of SD-WAN using Internet links is that it is usually easier and faster to get Internet links than it is to bring up MPLS links at remote sites. Because of this, branch offices can be brought online faster than they would be using traditional MPLS links.
Unified Devices
Most of the characteristics of SD-WAN that we have described can be achieved with existing technologies (e.g. DMVPN, IPsec, NHRP, Policy-Based Routing (PBR), routing protocols). However, many SD-WAN products provide all these features in one box, usually with automated deployment, meaning that all the heavy lifting has already been done for you.
Examples of SD-WAN Products
There are several vendors in the SD-WAN space, both newcomers (e.g. VeloCloud) and industry titans (e.g. Cisco). The list here is not exhaustive and only provides a handful of SD-WAN products that have flooded the market.
Silver Peak Unity EdgeConnect SD-WAN Solution consists of three products:
- Unity EdgeConnect which is like a WAN router that can be deployed as a physical appliance or a virtual appliance
- Unity Orchestrator (the controller)
- Unity Boost (optional WAN optimization)
They have a video here showing their dynamic path control for various types of traffic over both MPLS and Internet links.
Cisco Intelligent WAN (IWAN) basically uses existing Cisco infrastructure (Cisco Integrated Service Routers) along with well-known technologies like:
- Dynamic Multipoint Virtual Private Network (DMVPN) to build overlay
- Cisco Performance Routing (PfR) for intelligent path control
- Cisco Application Visibility and Control (AVC) and Cisco Wide Area Application Services (WAAS) for application optimization, and
- Cisco IOS Firewall/IPS for Secure connectivity
Note: The general consensus is that Cisco IWAN is complicated and difficult to set up because of the many technologies that you have to configure.
VeloCloud SD-WAN Solution consists of the VeloCloud Edge which sits at the branch like a router, the VeloCloud Orchestrator (i.e. the controller) and a distributed network of VeloCloud Gateways to provide optimized data paths.
They have a video here showing how easy it is to set up the VeloCloud Edge in a branch.
Challenges of SD-WAN
As with any technology, especially a new technology like SD-WAN, there are a couple of challenges including:
- Security: Remote sites reached over Internet links are exposed to attacks such as Denial of Service (DoS) that private MPLS links are largely shielded from.
- Reliability: Generally speaking, Internet links are usually delivered as “best effort” service – there is no guarantee that your data will get to its destination. Also, if the link goes down, there is only so much you can do because SLAs are not guaranteed. This can be a problem for mission-critical applications. One way to reduce the risk of this issue is to use multiple ISPs.
- Vendor Lock-in: One of the aims of SDN is to reduce vendor lock-in. However, with many of the various SD-WAN products using proprietary technology for various aspects (e.g. overlay, path control), vendor lock-in is probably inevitable.
- Support: When something goes wrong with IPsec, you can troubleshoot and probably find the problem because it is a documented standard with many years of deployment. In the case of SD-WAN with many vendors using proprietary technology, support may be a nightmare if something ever goes wrong.
- Interoperability: While it may be easy to install an SD-WAN device in a new branch (as long as the device supports the terminating connection method e.g. Ethernet), deploying SD-WAN in existing locations may be more difficult because of interoperability issues with the devices already in use at those locations.
SD-WAN offers some really cool benefits, especially for organizations with a large number of remote sites and not as many staff to administer those sites. The administrative burden is reduced and, in some cases, nothing needs to be done at the remote site except to plug in the device. It also offers cost savings (in some cases), as Internet service is usually less expensive than private MPLS links.
However, SD-WAN is not without its challenges, including those of security, reliability, and interoperability, and before going for an SD-WAN solution, you may want to consider how each vendor solves these issues.
Some SD-WAN products discussed in this article include Silver Peak, Cisco IWAN, and VeloCloud.