SD-WAN, sense and nonsense

Geert Baeten

The latest game changer in IT is the growing importance of service oriented architectures. The last few years there’s been huge progress in the consumerization of IT with cloud service providers as challengers in a market that was previously dominated by monolithic on premise infrastructures. It provides business units with freedom of choice; if it exists then you can consume it. The limitations of your own private infrastructure and the boundaries of your physical locations no longer apply.

The challenge

The world is also becoming much smaller. Anyone can reach potential customers across the globe effortlessly. This ever increasing globalization combined with the fast adoption rate of cloud services however introduces new challenges for network administrators. Services are no longer close to home and satellite offices don’t have to be neither (or at least they seem to pop up further away than ever before). Connectivity is crucial: once merely a means of communication, it is now business critical, simply for everyone.

Traditional solution

Traditionally in such a situation you would start building your own private WAN using an MPLS provider. As bandwidth keeps dropping in price it still can be a good solution. But when going global, you’re in trouble. Providers that are globally active don’t have a fine grained network, only a big backbone. Getting those final miles of cabling to your doorstep in place suddenly becomes a slow and costly process. Choice is limited and depending on the partnership your global provider has with local loop providers, flexibility low and contract duration long. Introducing a new office or terminating one, moving locations, integrating an acquisition, … Not as easy as you’d like.

sd-wan_mpls

Alternatives

After hitting the wall a few times, some companies start building their own private WAN using combinations of point-to-point solutions. Leased lines, centralised network aggregation, site-to-site virtual private networks, they all have their use but they are a pain in the ass to manage on a larger scale due to lack of standardization. So instead of a solution to the challenge, its creating new questions on the go.

Plain internet nowadays has never been more stable in terms of reliability and performance. So why does everybody bother with private WAN connections? Simple: as a standard transmission platform, internet unfortunately is not a valid option. Security is non existent as anyone can be connected, connecting to you, connected to, man in the middle, etc.

SD-WAN vs DMVPN

Technically it’s not a new story: DMVPN (Dynamic Multipoint Virtual Private Network) has been used for years to create a private mesh network where all sites have a route to any of the other sites through a secured tunnel. So there’s in facto no difference except perhaps in service. Where DMVPN is only the technical mechanism, SD-WAN tries to add service by providing out-of-the-box a complete set of management tools and support services.

sd-wan_dmvpn

 Sense of SD-WAN

And all of the above are exactly what SD-WAN, or Software Defined Wide Area Network, promises to solve. By putting a standardized routing and security layer on any connection you can get your hand on, you’re able to deliver the required service with less overhead. We’ll go into some ‘cons’ later but there are certainly a lot of wins.

Some of the benefits:

  • Cost-effectiveness: SD-WAN uses plain internet capacity. If you can get a line to a location, then you’re ready for launch. Often cuts costly local loops that require civil construction. Choosing any available line is cheaper than getting a specific provider line introduced at your site.
  • Flexibility: get yourself an internet breakout at a new location and you’re ready to go. Standard internet connectivity contracts typically also have less minimum commitments enforced (contract duration).
  • Scalability: combine lines for load sharing and load balancing. Just adding lines increases your capacity.
  • MPLS-clone: SD-WAN puts a custom routing logic on top of the standard internet to provide MPLS-like features.
  • Security: a standardized security layer with tunnelling / encryption to provide the same experience as a physical private WAN. Push a general policy to all locations.
  • Client VPN: SD-WAN allows the tunnelling of individual clients as well, useful for home office or travelling users.
  • Multi-vendor: get multiple lines from multiple suppliers combined for redundancy, without the need for the lines to be mutually compatible or trunked at provider level.
  • Multi-technology: you can combine different transmission layers like hard lines and wireless technology (4G, 5G). Just check the solution you choose can aggregate different line types.

Or fata morgana?

But…

Yes, there’s a “but”. Nice stories are also often too good to be true. In this case rarely showstoppers for business users but be aware of the disadvantages for some types of production traffic.

The main issue is that you have to manage your network completely yourself again, including physical management of the routing devices at all the remote sites. The SD-WAN provider will not provide any service on the physical lines that you are using, whereas an MPLS provider will give you an end-to-end guarantee. Think about your 24*7 support for remote sites, the network engineers that you (still) need, the risks that are back in your own shopping basket and not transferred to the service provider.

There is also an overlap with traditional solutions in terms of technical challenges:

  • Keep redundancy always in scope. You still need 2 lines from 2 providers across 2 paths for critical sites.
  • Service level: make sure you have the right SLA in place for your internet breakouts.
  • Path diversity: for standard internet lines, you often have no control or even insight into the physical path. Combine 2 lines and they could come from the same local loop provider without your awareness. Result: no redundancy.
  • Performance: you don’t have control over latency on the internet, paths followed, etc.  This can introduce performance issues that you can’t influence.
  • Scale: make sure your solution can scale. Nothing as frustrating as a SD-WAN software solution that is reaching capacity limits and can’t be upscaled or preferably outscaled. If the softwares processing speed can’t cope, latency will go sky-high.
  • Lack of guarantees: due to the above fact, you also won’t get performance guarantees. Software or appliance vendors won’t take any responsibility over end-to-end communication performance.
  • QoS: QoS colouring over internet is useless so it will be up to the SD-WAN software to provide such features. Your conference call users will thank you.
  • Streams: some protocols are not happy with the possible out-of-order processing on the internet. You can get guarantees from MPLS providers that packets will arrive in-order but you have no control over streams across internet. Make sure your SD-WAN solution has buffering capabilities to get packets back in-order before transmission to the user/application.
  • Packet fragmentation: not different from site-to-site connections f.e. so packet fragmentation is bound to happen due to the additional tunnelling. Check how the SD-WAN solution manages that.
  • No lock in, through lock in: avoiding a lock in with a telecom provider only gets you locked in in terms of the SD-WAN solution you choose. Choose wisely, evaluate your exit strategy.

Cloud platforms as security appliances

The most dislocating solutions are actually cloud platforms. By not only connecting your sites to each other but also tunnelling all traffic from remote users, your security takes a huge leap forward. Endpoint protection can be increased by applying policies that a remote users traffic is directed to the cloud security platform for inspection before breaking out to the internet. The combined streams of all of the providers clients can show unusual behaviour allowing the provider to mitigate even unknown zero day exploits.

In a more traditional DMVPN or MPLS solution you need a separate way / tool set to enforce security policies on your users. The power of a unified connectivity and security solution is not to be underestimated. Standardization is also in the field of security a major benefit.

Case by case

There’s no “true” story, no single solution when investigating SD-WAN. You’ll need to look at your own requirements, analyse your traffic flows and test compatibility. Most cases are made or broken by the total cost of ownership. Make sure you calculate it correctly though: in your TCO you need to include all networrk engineering, remote site administration, additional training, etc.

Solutions are maturing though, making huge progress each day in terms of capabilities and stability. There’s no doubt SD-WAN will become a slow but sure gamechanger in the near future.

The most promising solutions are coming from cloud providers, not the traditional network hardware vendors, so make sure to check them out as well.

Some examples

  • Cisco Meraki
  • Cisco iWAN
  • Z-scaler
  • Barracuda
  • Nuage
  • Riverbed
  • Sonus
  • Aryaka
  • Viptela
  • Citrix Netscaler (CloudBridge)
  • CloudGenix
  • Ecessa

 

Published by Geert Baeten

IT service architect - cloud infrastructure solutions - datacenter infrastructure solutions - service design / governing processes

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s