Software Defined WAN
Traditional MPLS, IWAN or SD-WAN
When we wrote about the benefits of Software Defined Access we wanted to show how it differs from your traditional LAN. That approach allowed us to explain the benefits of the new solution. When it comes to Software Defined WAN the picture is a bit more complicated, because there is an existing Cisco Intelligent WAN (IWAN) design that is itself becoming legacy. Cisco now recommends its SD-WAN as the preferred solution for your Wide Area Network. In summary, there are three typical designs that we intend to compare here:
- MPLS – Traditional Layer 3 based Wide Area Network
- Intelligent WAN (IWAN) – This was Cisco's recommended WAN design until early 2018
- Software Defined WAN (SD-WAN) – Cisco acquired Viptela in late 2017 and adopted its solution
This paper is not written to discuss every viable WAN technology out there, such as Dark Fibre or EVPL. Those solutions are perfect when your organisation needs point-to-point connectivity with high throughput between two locations. While EDNX architects have experience in deploying solutions such as a Global Fibre Ring, the focus of this article is WAN designs for any-to-any connectivity.
WAN Design with MPLS and Internet
In a typical organisation there are a number of office or branch locations as well as company headquarters and data centers. Each of those locations is often connected to the public Internet as well as a private network such as MPLS. The Internet is often used for accessing cloud applications like Office 365, Salesforce or zScaler.
On the other hand, the private network is where collaboration and access to internal resources take place. The cost of Internet connectivity is normally significantly lower than the cost of a private MPLS network, but it doesn't provide the required Quality of Service. The requirement to access different services over different networks has limited not only resilience but also flexibility. The cost of maintaining two independent networks is high from both a hardware and a circuit fee perspective.
Looking closer at a WAN design based on MPLS, it often gives full routing control to the Service Provider. That isn't always a bad thing, but it certainly limits your organisation's ability to change service provider or influence traffic paths. Imagine you need to quickly expand and open more branches in a short period of time. In this scenario private circuit delivery can become a bottleneck. Whilst on the other hand, with Internet-only access you can't easily connect the new branches with the rest of the company WAN.
How about securing the connectivity between branches over the MPLS? Unless you are building overlay IPSEC VPNs, your traffic between the locations isn't encrypted. It is also exposed to man-in-the-middle attacks because your native packets are routed across the Service Provider network. Building the tunnels manually isn't easily scalable, but there are solutions like DMVPN that allow automatic multipoint tunnelling. While all this is a step forward, it adds complexity and doesn't solve the problem of having to manage two networks.
The Birth of Cisco Intelligent WAN
A few years ago, Cisco announced its first iteration of Intelligent WAN (IWAN). The main concepts with this product were to provide:
- Transport Independent Path – Both private and public underlay networks form a single logical overlay
- Intelligent Path Control – Allows selecting the traffic path based on application requirements from a QoS point of view
- Application Optimization – Also called Application Visibility and Control, which helps with automatic application recognition
- Secure Connectivity – Building a secure overlay network with DMVPN and IPSEC encryption
All four of those pillars solve multiple problems that we described in the previous section. Both public and private networks are now just an underlay used to route traffic between tunnel / overlay endpoints. All user data travels in the overlay, which provides multiple benefits including:
- Greater resilience – Merging two underlay networks allows greater path diversity between sets of endpoints
- Operational Cost – Due to increased redundancy and path diversity it is possible to reduce hardware and circuit costs
- Quality of Service – Smart Probes allow traffic to be sent based on application policy and current network state
- Provider Independence – The only traffic a Service Provider can see is between tunnel endpoints, they have no direct influence on routing native user packets
- Security – Traffic between any locations is always encrypted regardless of the underlay choice
- Ease of Deployment – Fully automated with template router configurations. Bringing a new branch online is possible as soon as it has a single circuit
Basic IWAN functionality
EDNX has vast experience when it comes to WAN upgrades with dozens of locations worldwide. We have played a key role in changing service provider for one of the world's largest pharmaceutical companies. This experience allows us to fully understand some of the drawbacks that legacy IWAN brings. Many engineers are very familiar with the basic IWAN functionality as well as its core components:
- Hub Master Controller – configuration of all policies
- Hub Border Router – this device can terminate multiple transports and acts as a border device at the hub site. It connects to the hub master controller to retrieve the policy.
- Branch Master Controller – located at the branch and receives the policy from the Hub Master Controller. It can also act as the border router at a given branch.
- Branch Border Router – learns policy configuration from the local master controller
IWAN is a hub and spoke topology with control plane elements distributed between the hub and branch sites. Any traffic passing between two spokes needs to first flow via the hub, where the NHRP redirect process can help in establishing direct spoke-to-spoke traffic. IWAN allows building overlay networks with a transport-independent path. It also provides secure connectivity and application optimization with intelligent path control.
The problem with IWAN is that it achieves all this in a reasonably complex way. The control and data planes are not fully separated, while the hub and spoke topology limits the scalability of the solution. There are also multiple design options and routing protocol choices when it comes to the overlay. This leads to snowflake networks, where there are a number of design permutations.
What makes the SD-WAN solution preferable to IWAN?
SD-WAN achieves the same objectives as IWAN, but in a more elegant and simpler way. Let's look at some of its components in more detail:
- vManage – management server holding all policies
- vBond – single point of contact for all branches. All vEdge devices connect to vBond to authenticate and confirm they are part of the network
- vSmart – control devices that receive policies from vManage and communicate with vEdge routers
- vEdge – located at the branch and used to forward the traffic
SD-WAN offers complete control plane and data plane separation. In addition, it allows placing all control plane nodes (vManage, vBond, vSmart) either in the cloud or on-prem. This provides a huge benefit and allows horizontal scaling of control and data plane traffic. In most deployment scenarios the entire control plane sits in the cloud and your organisation only needs to provide vEdge routers in each location. SD-WAN offers a Zero Touch Provisioning process that works as follows:
- SD-WAN Router (vEdge) boots up, contacts ztp.viptela.com and receives information about the vBond controller
- The vBond controller performs authentication and points the vEdge device to vSmart / vManage controllers
- The vEdge device builds a secure tunnel to vSmart and vManage devices
- The vSmart device provides all required route reflection, routing and policy updates to the vEdge device
This design is not only incredibly scalable and easy to deploy but also offers site-to-site connectivity that doesn't depend on any other site. The overlay routing protocol is Viptela's proprietary Overlay Management Protocol (OMP).
The way OMP works is similar to iBGP with Route Reflection where vSmart devices act as “Route Reflectors”. Losing the control plane only prevents any new policies and routing updates from propagating into the network. It doesn’t break the data plane, which is essential in a business-critical environment.
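To make the Zero Touch Provisioning steps above and the control/data plane separation concrete, here is a constructed simulation written for this article. It is not Viptela's code or protocol: the serial allow-list standing in for certificate authentication, the ZTP directory, the site names, serials and prefixes are all assumptions. It walks two branches through the four onboarding steps, has the vSmart reflect routes between them like an iBGP route reflector, and then cuts one branch's control connection to show that forwarding continues from the locally installed routes while new routing updates stop arriving.

```python
"""Constructed simulation of SD-WAN onboarding and OMP-style route reflection.
Not Viptela's code; every name, serial, address and message is an assumption."""
import ipaddress


class VBond:
    """Orchestrator: first point of contact. A serial allow-list stands in for
    certificate authentication (assumption of this model)."""

    def __init__(self, allowed_serials, vsmart, vmanage):
        self.allowed = set(allowed_serials)
        self.vsmart = vsmart
        self.vmanage = vmanage

    def authenticate(self, serial):
        if serial not in self.allowed:
            return None  # unknown device: refused, never learns the controllers
        return {"vsmart": self.vsmart, "vmanage": self.vmanage}


class VSmart:
    """Controller behaving like an iBGP route reflector: it carries no user
    traffic, it only redistributes the routes each edge advertises."""

    def __init__(self, name):
        self.name = name
        self.peers = {}   # site -> VEdge with an active control connection
        self.routes = {}  # prefix -> originating site

    def connect(self, edge):
        self.peers[edge.site] = edge
        for prefix, site in self.routes.items():
            if site != edge.site:
                edge.install(prefix, site)  # replay known routes to the new peer

    def disconnect(self, edge):
        self.peers.pop(edge.site, None)

    def advertise(self, edge, prefix):
        self.routes[prefix] = edge.site
        for site, peer in self.peers.items():
            if site != edge.site:
                peer.install(prefix, edge.site)  # reflect to every other peer


class VEdge:
    """Branch router: its RIB (data-plane state) outlives the control connection."""

    def __init__(self, site, serial):
        self.site = site
        self.serial = serial
        self.rib = {}      # prefix -> remote site reachable through the overlay
        self.vsmart = None

    def onboard(self, ztp_directory, vbonds):
        vbond_name = ztp_directory.get(self.serial)             # step 1: ZTP lookup
        if vbond_name is None:
            return "no-ztp-entry"
        answer = vbonds[vbond_name].authenticate(self.serial)   # step 2: vBond auth
        if answer is None:
            return "auth-failed"
        self.vsmart = answer["vsmart"]                          # step 3: control tunnel
        self.vsmart.connect(self)                               # step 4: route reflection
        return "onboarded"

    def lose_control_plane(self):
        if self.vsmart is not None:
            self.vsmart.disconnect(self)
        self.vsmart = None

    def install(self, prefix, site):
        self.rib[prefix] = site

    def advertise(self, prefix):
        self.rib[prefix] = self.site
        if self.vsmart is None:
            return False  # no control plane: the route stays local
        self.vsmart.advertise(self, prefix)
        return True

    def forward(self, dst):
        """Longest-prefix match over the local RIB; independent of vSmart."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, site in self.rib.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, site)
        return best[1] if best else None


def demo():
    """Onboard two branches and a rogue device, then drop one branch's control plane."""
    vsmart = VSmart("vsmart-1")
    vbonds = {"vbond-1": VBond({"SN-LON", "SN-NYC"}, vsmart, "vmanage-1")}
    ztp_directory = {"SN-LON": "vbond-1", "SN-NYC": "vbond-1", "SN-ROGUE": "vbond-1"}
    london, newyork = VEdge("london", "SN-LON"), VEdge("newyork", "SN-NYC")
    rogue = VEdge("rogue", "SN-ROGUE")                  # listed in ZTP but not trusted by vBond
    results = {"london": london.onboard(ztp_directory, vbonds),
               "newyork": newyork.onboard(ztp_directory, vbonds),
               "rogue": rogue.onboard(ztp_directory, vbonds)}
    london.advertise("10.1.0.0/16")
    newyork.advertise("10.2.0.0/16")
    results["lon_to_nyc"] = london.forward("10.2.5.9")
    london.lose_control_plane()                         # control plane gone for London
    results["still_forwards"] = london.forward("10.2.5.9")  # data plane intact
    newyork.advertise("10.3.0.0/24")                    # new route while London is cut off
    results["missed_update"] = london.forward("10.3.0.1")
    results["rogue_rib"] = dict(rogue.rib)
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo()` function returns the observable outcomes: the rogue device that vBond refuses never receives any routes, London keeps forwarding to New York after its control connection drops, and the prefix New York advertises during the outage is unknown to London until the control plane returns.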
SD-WAN to benefit from Intent-Based networking
SD-WAN helps your organisation lower operational costs and improve resource usage for multisite deployments. It extends intent-based networking across the branch, the WAN and the cloud. It allows multiple independent underlay networks to provide better resilience, scalability and quality of service.
Next generation networking is the concept of deploying any application in minutes on any platform. It is also about delivering consistent user experience as well as predictable performance. The network is no longer a bottleneck for company expansion because deploying new branches with SD-WAN is trivial and can be fully automated. End-to-end security is consistent across the board regardless of which underlay network the traffic is flowing through.
Embrace Software Defined Networking with EDNX to provide your organisation with a solution where business intent programs the network fabric.