The SD-WAN market is in high gear. The concept is solid and the benefits are real. There are, in fact, very few WAN situations that would not benefit greatly from this technology. However, not all SD-WAN is the same. There are multiple paths you can choose as you take your existing, running, trusted network to a brand new, modern one.
What is SD-WAN?
The primary value proposition for SD-WAN centers on the high cost of traditional WAN. As the internet has grown, it has become easier (and cheaper) to get broadband internet circuits just about anywhere. For many users, high-speed bandwidth is no longer a benefit of driving to the office. It has become harder to explain why we had to build the networks that we did, and as traffic patterns have migrated toward the cloud, those designs are showing their age.
More Options. Less Complexity.
MPLS has been the dominant form of enterprise WAN for the past few decades, but it finally has a very viable competitor in SD-WAN. MPLS circuits provide a dedicated network that is completely distinct from any other network. Every remote site has a specifically sized circuit delivered to it, so you know exactly how much bandwidth you get at each site; it is all very predictable, which is important. If any location needs to access 'the internet', this is commonly done by routing that traffic through a central office, which has big pipes to the internet and various security mechanisms for filtering it.
Two big issues have come out of this:
- All internet traffic from branch sites uses those expensive MPLS circuits in both directions (out to the central site and back again). This is secure, but wasteful.
- Internet use is rising fast, along with its business-critical nature, now that multiple SaaS or IaaS resources are used by the entire enterprise.
Enterprise IT has long been able to connect to the internet directly from any remote office. This is not a new idea. It just came with too much risk: every site with its own internet exit needed its own security controls, or went without them.
SD-WAN now offers a credible option for enabling a secure 'hybrid' WAN. 'Hybrid' refers to SD-WAN augmenting, not necessarily replacing, those expensive MPLS circuits with less expensive broadband internet.
There will be multiple physical circuit terminations into the same edge point. Does the vendor have hardware routing experience? Some locations may need an MPLS line plus two different sources of internet connectivity. If it's a really critical site, consider adding cellular failover, 4G LTE or whatever other wireless might be available. Make sure you can run active/active on the cabled circuits as well, so that you are not paying for a circuit that sits idle 'just in case.'
When SD-WAN is done right, it should offer a simplified ability to route enterprise traffic in a secure manner with a consistent quality of experience that is as good or better than what you are doing now.
If you are considering an SD-WAN solution, there are quite a few options in the market. Here is my shortlist for things you should make sure you dig into with any option under consideration:
1. Simplicity – the software-defined part of SD-WAN refers to the control plane of your routers now being handled somewhere else, separate from the devices that forward the traffic. This is generally a cloud-based controller that you access through what is hopefully a simple interface. A couple of quick things to check for here:
- Does the controller HAVE to be in the cloud? You may run a network that does not allow for this…make sure you know what you can do.
- Is ALL the policy control handled through this same interface? How granular can it get? You should be able to define and manage unique policies for every remote location, down to the requirements of an individual application. Set it and forget it.
2. Security should be more than a passing mention of IPsec encryption.
- Check how security is handled across three dimensions: encryption, authentication and integrity. Zero-trust models are the goal, but make sure that it's not just a marketing term.
- The ease of bringing new sites onto the network is a common benefit. Ask what security is in place when doing this. Remote connections back to the centralized controller should have an authentication and authorization process that precedes any traffic flows; an edge that has not proven its identity should not be able to send traffic into the overlay.
- Security is very personal and unique to every organization. Make sure you like the options available for adding security controls beyond the ones provided by your SD-WAN vendor.
- This move to SD-WAN is being driven by the incredible growth of the cloud-based applications we all now depend on. Security controls need to extend to these services as well, striking a balance between 'secure connection' and 'most optimal route.'
- SD-WAN brings a lot of flexibility we have not had before. Take fully meshed connections, for example: these were once too complex to configure in most situations. Dynamic, policy-based routing should be easy for SD-WAN, so that performance remains aligned with security. There should be no trade-offs here.
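To make the three dimensions concrete, here is an added example (my own illustrative code, not Viptela's or any vendor's implementation) of the two checks this section asks for: an edge device must prove possession of a provisioned secret before the controller hands it a data-plane key, and every packet on the overlay is encrypted and integrity-protected so that a modified packet is dropped rather than delivered. The per-device secret and the HMAC-SHA256 keystream are assumptions standing in for the device certificates, TLS/DTLS and IPsec a real deployment would use; the device names and payloads are constructed.

```python
"""Toy SD-WAN admission and data-plane protection (illustrative, not vendor code).
A real controller checks device certificates over TLS/DTLS and the data plane
runs IPsec; a provisioned per-device secret and HMAC-SHA256 stand in for both
here so the example runs on the Python standard library alone."""
import hashlib
import hmac
import secrets

# Identities and secrets provisioned out of band (constructed sample data).
PROVISIONED_DEVICES = {
    "edge-branch-01": b"provisioned-secret-branch-01",
    "edge-branch-02": b"provisioned-secret-branch-02",
}

def proof_of_possession(device_id, secret, nonce):
    """Edge proves it holds the secret: MAC over its id and the controller's nonce."""
    return hmac.new(secret, b"admit|" + device_id.encode() + b"|" + nonce, hashlib.sha256).digest()

class Controller:
    """Authorization precedes any traffic: no key is issued until the proof checks out."""

    def __init__(self, provisioned):
        self.provisioned = provisioned
        self.pending = {}  # device_id -> outstanding challenge nonce

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def admit(self, device_id, response):
        """Return a fresh data-plane key, or None if the device cannot prove its identity."""
        secret = self.provisioned.get(device_id)
        nonce = self.pending.pop(device_id, None)  # single use, so a replayed response fails
        if secret is None or nonce is None:
            return None
        if not hmac.compare_digest(proof_of_possession(device_id, secret, nonce), response):
            return None
        return secrets.token_bytes(32)

def edge_join(controller, device_id, secret):
    """Edge-side onboarding: answer the challenge, receive a key or None."""
    nonce = controller.challenge(device_id)
    return controller.admit(device_id, proof_of_possession(device_id, secret, nonce))

def _subkeys(key):
    """Separate encryption and MAC keys derived from the admitted key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the AES used by IPsec)."""
    blocks = [hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def protect(key, payload):
    """Encrypt-then-MAC: nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unprotect(key, packet):
    """Verify integrity first; a modified packet is dropped, never decrypted."""
    enc_key, mac_key = _subkeys(key)
    if len(packet) < 12 + 32:
        return None
    nonce, ct, tag = packet[:12], packet[12:-32], packet[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def run_demo():
    """Legitimate edge gets a key; rogue and mis-keyed edges do not; tampering is caught."""
    ctl = Controller(PROVISIONED_DEVICES)
    key = edge_join(ctl, "edge-branch-01", PROVISIONED_DEVICES["edge-branch-01"])
    rogue = edge_join(ctl, "edge-rogue", b"guessed-secret")    # never provisioned
    wrong = edge_join(ctl, "edge-branch-02", b"wrong-secret")  # known id, wrong secret
    packet = protect(key, b"branch -> HQ payroll record")      # constructed payload
    tampered = bytearray(packet)
    tampered[20] ^= 0x01                                       # flip one ciphertext bit
    return {
        "branch01_admitted": key is not None,
        "rogue_admitted": rogue is not None,
        "wrong_secret_admitted": wrong is not None,
        "payload": unprotect(key, packet),
        "tampered_accepted": unprotect(key, bytes(tampered)) is not None,
    }

if __name__ == "__main__":
    print(run_demo())
```

The thing to check with a vendor is the ordering this toy model enforces: the controller never issues key material until admit() succeeds, a replayed response fails because the challenge is consumed on first use, and unprotect() verifies the tag before it touches the ciphertext.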
3. Quality of Experience – as opposed to the ease-of-use point above, this QoE mention is really about the controls and design in place that benefit the end user.
- The internet is still not controllable in the same sense as a private network. However, there are quite a few things that can now be done to minimize this. Hybrid network connectivity, combined with granular controls, should allow for policies that dictate the conditions under which an MPLS path is chosen. This is a new middle-ground option that previously did not exist. The idea is that your SD-WAN implementation should allow you to reduce the size of your MPLS circuits (which reduces operating costs) because you have policies that say certain applications may work just fine over the internet 'most of the time.' What you want is real-time measurement of each path (loss, latency, jitter) that can move a specific conversation onto the MPLS route at a specific time, because the network is smart enough to pull it off.
- Non-core applications are generally the first to move to the cloud model. HR, scheduling, administrative stuff: these have become SaaS applications like Office 365 and Salesforce, for example. User experience will vary with the state of multiple things that constantly change, from the internet gateway on one end all the way through to the hosting location on the other. How is this variation measured and then used to optimize the routing path?
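As an added example (my own code, not from the post, Cisco or Viptela), here is one way the per-application path choice described above can be expressed: each circuit is probed for loss, latency and jitter, the last few probes are averaged so one bad sample does not flap the path, and each application's SLA class picks the cheapest circuit that currently meets it, sending a conversation to MPLS only when broadband or LTE does not. The SLA thresholds, relative costs, path names and probe values are constructed sample data, not measurements from any product.

```python
"""Policy-based path selection over measured path quality (illustrative, not vendor code)."""
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Probe:
    loss_pct: float
    latency_ms: float
    jitter_ms: float

@dataclass(frozen=True)
class Sla:
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float

# Relative cost of each circuit; lower is preferred whenever the SLA is met (assumed values).
PATH_COST = {"mpls": 10, "broadband": 2, "lte": 6}

# Per-application SLA classes (assumed thresholds, not from the post).
APP_SLA = {
    "voice": Sla(max_loss_pct=1.0, max_latency_ms=150, max_jitter_ms=30),
    "saas-office": Sla(max_loss_pct=2.0, max_latency_ms=250, max_jitter_ms=50),
    "bulk-backup": Sla(max_loss_pct=5.0, max_latency_ms=1000, max_jitter_ms=200),
}

def summarize(probes):
    """Average the most recent probes so a single bad sample does not flap the path."""
    return Probe(loss_pct=mean(p.loss_pct for p in probes),
                 latency_ms=mean(p.latency_ms for p in probes),
                 jitter_ms=mean(p.jitter_ms for p in probes))

def meets_sla(stats, sla):
    return (stats.loss_pct <= sla.max_loss_pct
            and stats.latency_ms <= sla.max_latency_ms
            and stats.jitter_ms <= sla.max_jitter_ms)

def select_path(app, measurements):
    """Cheapest path that meets the app's SLA right now; if none does, the least-bad path.

    measurements maps path name -> recent Probe list for the circuits up at this site.
    A non-empty table always yields a path, so traffic is degraded rather than dropped.
    """
    sla = APP_SLA[app]
    stats = {name: summarize(probes) for name, probes in measurements.items() if probes}
    eligible = [name for name, s in stats.items() if meets_sla(s, sla)]
    if eligible:
        return min(eligible, key=lambda n: (PATH_COST[n], stats[n].latency_ms))
    # Nothing meets the SLA: rank by loss, then latency, then jitter.
    return min(stats, key=lambda n: (stats[n].loss_pct, stats[n].latency_ms, stats[n].jitter_ms))

def build_policy(measurements):
    """Per-application forwarding decision for this measurement window."""
    return {app: select_path(app, measurements) for app in APP_SLA}

# Constructed probe windows for one branch with three circuits.
HEALTHY = {
    "mpls": [Probe(0.0, 40, 5), Probe(0.0, 42, 4), Probe(0.0, 41, 6)],
    "broadband": [Probe(0.1, 60, 10), Probe(0.0, 58, 12), Probe(0.2, 61, 9)],
    "lte": [Probe(0.5, 90, 20), Probe(0.4, 95, 22), Probe(0.6, 88, 18)],
}
DEGRADED = {
    "mpls": HEALTHY["mpls"],
    "broadband": [Probe(3.0, 220, 45), Probe(2.5, 230, 50), Probe(3.5, 210, 40)],  # congested
    "lte": [Probe(0.5, 90, 35), Probe(0.4, 95, 36), Probe(0.6, 88, 34)],           # jittery
}

if __name__ == "__main__":
    print("healthy:", build_policy(HEALTHY))    # everything rides the cheap broadband circuit
    print("degraded:", build_policy(DEGRADED))  # voice -> mpls, saas -> lte, backup stays on broadband
```

With healthy probes every class lands on broadband and the MPLS circuit can be sized for the exceptions only; when broadband congests, voice moves to MPLS, the SaaS class moves to LTE and bulk backup stays where it is, which is the active/active use of all three circuits the post argues for.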
Track Record
There is no shortage of SD-WAN vendors right now. This is truly where WAN networking is going; it is not a fad of any sort. But as much as networking changes, it still remains the same. Don't overlook the importance of a good track record in both networking and security. Most vendors seem to have experience in one but are partnering for the other. Partnerships are hard. We do it. But if any one element that is important to you is being handled through a partnership, make sure you are comfortable with how that will work for you if something goes awry. This is your network, after all; everything and everyone is impacted.
Don't run towards SD-WAN ONLY because it offers tremendous cost savings compared to your private lines. There should be no increased risk and no settling for sub-standard control options. SD-WAN is a technology your network should aspire to, with better security, better visibility, control and ease of use. It's all here and it's fun to show off.
As always, I did not get to cover everything, but I hope this answered a few questions. We have a TechWiseTV episode on this, of course, but I do encourage you to check out the product page: cisco.com/go/sd-wan.
So, What are you looking to get out of SD-WAN? What would you add to this list of things to look for?
Learn More
Deep: Check out our TechWiseTV episode on SD-WAN. Ramesh Prabagaran and David Klebanov broke down the new options quite well. I believe they were both Cisco employees well before working with Viptela; I am glad to have them back.
Also, check out Anand Oswal's blog on vAnalytics. I did not spend any time talking through the visibility options you should be 'looking' for, but he covers it well.
Deeper: David Klebanov also led our workshop, where he took live Q&A. These workshops are great for having a little more time to play with and, of course, getting some interaction.
Deepest: Check out David's session from Cisco Live: Delivering Cisco Next Generation SD-WAN with Viptela – BRKCRS-2110. I hardly ever have time to go to the Cisco Live sessions that I want to attend. I think there are over 1,000 of them at each event? Meeting engineers and learning new stuff is what makes Cisco Live such a required event every year. David and Ramesh did a number of sessions in Orlando this summer. You can hear just how much real routing knowledge went into the Viptela design. I love the Q&A especially, because a Cisco Live audience is filled with the smartest and most experienced network engineers in the business.
TechFieldDay is a great resource. I really liked one that they did in 2016 for Networking Field Day 13. There are quite a few good demos from David in there.
For network security detail, I really got a lot out of some Viptela-specific resources: Control Plane Security and Data Plane Security, which examine how authentication, encryption, and integrity are implemented throughout the overlay network.
Thank you for watching. Thank you for reading.
Leave me a note below to tell me you read this far down the page…
Robb
@robbboyd
Watch all of our shows at techwisetv.com, follow the show on twitter @techwisetv
What about the middle mile if the client prefers to go 100% over internet?
If I understand your question correctly, you can still go 100% internet. Some connections like that will be great for just about everything you may want to do. It all depends on your own tolerance for risk and/or consistency.
Let's say we have a client who wants to remove MPLS completely and replace his WAN based on MPLS + DIA by SD-WAN only (2 WAN links, DIA + Broadband for example). Is your Cisco SD-WAN MPLS-like?
Yes, you can remove MPLS completely. But MPLS is a service provided by an individual carrier from one end to the other. That is why the quality can be controlled. You will get exactly what you pay for, which is great. If you are asking if Cisco's SD-WAN is MPLS-like, I would say no; it's the internet, it can't be MPLS-like in that sense. Any path between two points will most likely traverse multiple networks. That's what makes the internet work so well, but it also means that congestion can happen and any priority settings would be ignored. Data and control signals can all be encrypted, however, so it is just as (or more) secure. Let me know if you want someone to follow up and/or get you in touch with an account manager. They could better guide you on the specifics that may be required for your client.
Thank you, I already have a meeting scheduled for next week with a Cisco SE and an Account Manager to discuss Cisco SD-WAN in detail.
“Non-core applications like Office 365” eh? You were doing good until that point. My business runs on O365. Is Spark the only SaaS collab/comms platform you deem essential enough for QoS?
Hi Admin Gal,
I appreciate your comment. Did I demean Office 365 with that 'non-core' preface? That's probably a bit sloppy on my part. I am really not talking about Spark here, but a reference to our Cloud on-ramp capabilities within SD-WAN. Robin James discusses it on Kiran's blog here: https://blogs.cisco.com/enterprise/improve-office-365-connectivity-with-cisco-sd-wan
If I completely missed your point….(entirely possible), please let me know!
Thanks,
Robb