11 Things You Must Know Before Trying Software Defined WAN
Introduction – Software Defined WAN
This article first articulates the top two Software Defined WAN offerings as per Gartner (Cisco’s Viptela, and Vmware NSX SD-WAN VeloCloud), and then double clicks on the top considerations when choosing an Software Defined WAN solution for your enterprise.
Why SD-WAN?
Traditional WANs have been hardware centric. You’ll need your branch and data center to have a router to route packets, a firewall to block packets, a load balancer to achieve elasticity, deep packet inspection to get better visibility, and tunnels to get better control and segmentation.
Software Defined WAN promises to make the WAN software centric, so that the control plane and the management plane resides centrally, and only the data plan resides at the edge. This lets you take intelligent and automated decisions on the centralized controller on how you want to treat different types of packet flows.
Core Use Cases of Software Defined WAN
- Branch Refresh: You wish to add a strategic capability to your existing network – by deploying virtual edges at a few branches when their WAN/VPN refresh is due.
- Multi Cloud: When you wish to move to the cloud. You could have a public cloud / multi cloud / or hybrid cloud strategy, and wish for better management of data and applications across legacy DC and cloud locations.
- Secure Branch / Secure Edge: You want more granular security and zero trust on who has access to what application, across your network.
What is SD-WAN?
SD-WAN or Software Defined WAN is an application of SDN (Software Defined Networking) and NFV (Network Function Virtualization) technologies to WAN connections, with the intent to connect enterprise networks to each other and to Cloud applications.
The basic idea is that traffic should be controlled dynamically, and the administrator should have centralized ability control, manage and monitor everything.
The traditional way has always been to buy expensive MPLS and leased lines and then configure static VPNs on them. Is SD-WAN, a Software Defined WAN, a centralized controller is used to manage tunnels between sites, it gives you better visibility on what’s going on between sites, and, using overlay,s can dynamically bring up or tear down tunnels that forward traffic across multiple network paths.
Ther is a CLI if you need it – but everything can be managed via an easy to use GUI. There are APIs available to programmatically control the WAN and to orchestrate flows.
The real benefit of SD-WAN is that it lets you build high performance wide area networks using commercially available internet access, or combine MPLS with DSL/LTE/FTTH connections (For example, MPLS at corporate and DSL at branches).
Software Defined WAN – Cisco’s story
I’ve been deploying and configuring Cisco DM-VPN for my customers for years now – and it was great! Cisco then incrementally added features on top of it – adding iWAN (Intelligent WAN) features on top that gave per-tunnel QoS among other things.
They tried to integrate iWAN with Cisco Prime Infrastructure for better management and monitoring. APIC-EM was brought in for ZTP and a few other features. And then, they bought Viptela in May, 2017! Then, all of sudden, iWAN messaging started dying down. IOS 4000 series IOS was augmented with Viptela features.
As a result, you get a buffett of data planes such as Cisco Integrated Series Routers and Cisco Aggregation Series Routers, the newer 1000 series routers, or Viptela’s virtual edges or vEdge boxes. The control plane (all routing / vpn decisions) are sucked out of the router and moved to the Viptela vSmart function. The management is provided by vManage component, and ZTP (Zero Touch Provisioning) is passed on to vBond.
Everything becomes API driven and accessible via a GUI. You get some interesting features as a part of pot pourri – for example, App Aware routing policies is a Viptela feature that monitors traffic and determines that certain traffic types will only use a particular circuit if it meets certain characteristic (similar to what IP SLA does). The vSmart can also log in to SAAS (Software as a Service) applications and check to see which circuit will perform the best for a certain application type.
They end up using a proprietary routing protocol called OMP (Overlay Management Protocol) which mimics BGP. IPSec tunnels exist – but no routing updates traverse between them.- everyone talks to vSmart.
Cisco still has their Meraki product line – it’ll be interesting to see whether Meraki will go the iWAN route or will it keep running as a separate product line.
That said, Cisco has done a fairly decent job integrating Viptela with their overall architecture. For example, while the Viptela tunnels inherently provide IPSec encryption and “Per App VRFs (Virtual Route Forwarders), there’s additional security being provided by Cisco such as URL filtering, DNS layer enforcement with Cisco Umbrella, IPS, and application aware firewalling!
Software Defined WAN – Vmware’s Story
Vmware has taken great strides in removing the notion amongst it’s customers that it’s just a one trick pony with it’s esxi hypervisor suite. It’s NSX data center virtualization product line has gained significant traction in the past few years.
The vCloud suite has matured to provide IaaS functionality to customers not ready to plunge full throttle into the public cloud. I’m very excited about their AppDefense product line when promises to integrate security with the hypervisor. But… I digress. In December 2017, Vmware acquired VeloCloud and changed it’s name to Vmware “NSX SD-WAN by VeloCloud”. The change in nomenclature makes sense, since NSX, the erstwhile Nicera product, is an overlay-SDN solution for the data center, and VeloCloud has the same promise – for the WAN.
I’m proud to say that, as I write this essay, Zindagi Technologies is deploying the larges on-premises VeloCloud deployment of the country.
The heart of a VeloCloud deployment is the VeloCloud Orchestrator – a single pane of glass from where you can manage thousands of branches.
Application performance is improved by a proprietary technology called DMPO (Dynamic Multi-path Optimization). DMPO monitors the link for up/down status, delay, jitter, packet loss, etc. Now, the edge device is aware of the different traffic types traversing it – and, using DMPO, it can do per packet steering of traffic flows depending on the policies defined at the orchestrator. What’s actually quite brilliant about VeloCloud is how it handles remediation in case of circuit failure. I’ve seen examples where end users on VoIP call running Cisco IP phones didn’t face any “no audio” issues when we physically yanked out the primary link! DMPO handled the outage and started using the second link automatically. Impressive!
They also give you the option to deploy VeloCloud Gateway appliances in the cloud. Without this, if your user is accessing a SAAS application such as Office 365, they’d need to traverse the Internet to access it. The way to circumvent that – it to backhaul all traffic from the branch to the HQ, and then, from the HQ to the SAAS cloud. Using VeloCloud gateways, you get a secure tunnel to access your SaaS Applications – thereby gaining visibility, control and performance for this traffic, without clogging the internet bandwidth at the HQ.
Considerations when choosing a Software Defined WAN Solution
Number 1 – Zero Touch Provisioning for SD-WAN edges
Make sure it supports ZTP (Zero Touch Provisioning). This is, so that someone with very basic IT skill sets can also set up the branch router. Most leading players support this feature – Cisco, Vmware, Versa, Silverpeak, Riverbed, etc.
Number 2 – Application Awareness
Look for a vendor that has good coverage in recognising applications and can dynamically treat traffic based on different applications.
For example, Cisco Viptela treats Office 365 Outlook traffic differently than Office 365 Skype. This implies that, it can send each traffic via different circuits if vSmart so determines!
Number 3 – CPE (Customer Premises Equipment) Form Factor
Look for a vendor that gives you options to deploy the CPE as either a VM (Virtual Machine) or as a physical appliance.
Number 4 – Per flow and per packet load balancing in the SD-WAN
The ability to do link aggregation across multiple circuits to support a single session.
Number 5 – Forward Error Correction
The internet is cheap. In India, you can get a 500 Mbps link for 700 rupees. But we need to keep in mind that the FTTH GPON is being shared by multiple subscribers on the OLT. Reliability can be an issue. FEC can check for packet loss and can be useful on a best effort medium such as the Internet.
Number 6 – SD-WAN Data Encryption
At least AES-256 bit encryption should be available.
Number 7 – SD-WAN Network segmentation
Irrespective of whether this is achieved using VRFs at the CPE, or via proprietary VPN IDs in the IPSec header. There needs to be a way to slice the network traffic.
Number 8 – Support for different carrier types.
This depends on your specific requirement. The customer we’re currently working with, expects support for 4G LTE and 1G Ethernet. Look for a vendor that meets your specific requirement. Choose one that can provide an overlay over any medium – VSAT, LTE, MPLS, Broadband, etc.
Number 9 – Programmable and Open, powerful APIs and management interfaces.
Look for a vendor that provides rich API support via open standards such as REST API, Netconf, etc; also management interfaces such as IPFIX, SNMP, Syslog, etc.
Number 10 – Advanced security.
Choose a vendor that provides a zero trust model (i.e. all traffic is encrypted), and supports contextual awareness, ACLs, stateful firewalls, and security automation
Number 11 – Seamless extension to the cloud
Ability to effectively and securely move you to the public cloud, which providing you visibility and control. The cloud should be an extension of your enterprise network from a manageability perspective.
Summary
We hope you enjoyed this write up. We hope it helps you make a more informed decision when choosing your Software Defined WAN solution.
Are you looking for advisory, consulting and professional services that will help you meet your Information Technology goals? Zindagi can help!
Zindagi Technologies is an IT consultancy and professional services organisation based out of New Delhi, India. We’re experts in large scale data centre design and deployment, service provider network design, information security, blockchain, IoT, Smart Cities, and Private/Public/Hybrid cloud solutions. Each one of us has years of experience in large scale network design, deployment and automation. Our “customer first” motto drives us forward, and we believe in providing quality services to our clients always.
Contact us now, to know how Zindagi can help solve your IT / Information Security related problems. We’re also available on email and phone (India business hours).
Author
Chief Evangelist
Zindagi Technologies LLP