A typical branch office IT installation consists of multiple point products, each having a specific function, engineered into a rigid topology. Changing something in that chain, be it adding a new function or connection, increasing bandwidth, or introducing encryption, affects multiple separate products. This introduces risk, increases time to test, and increases roll-out time. If any piece of equipment requires a physical change, the time and personnel costs multiply. And with that additional roll-out time may delay your business objectives and cause productivity and innovation to suffer.
To help solve these challenges enterprise and service providers are redesigning the branch WAN network to consolidate network services from several dedicated hardware appliance types into virtualized on-demand applications running on software at the branch office with centralized orchestration and management – the Software-Defined Branch (SD-Branch).
Choosing the right hardware platform for these applications to run on is important when deploying a SD-Branch. For the SD-Branch customers have several choices which range from commercial off the shelf PC’s or larger servers – aka ‘white boxes’, to purpose built SD-Branch platforms or even a blade/module inserted into an existing router to add SD-Branch services, all of which can run x86 based applications. These white boxes may not be the best choice for running or managing networking services since they are mostly a collection of disparate applications loaded onto a device that may not have been built for a branch office environment and lacks sufficient resources for running network services for the branch, and are difficult to integrate together and manage all the elements including; the hardware platform, network services and applications as a whole.
The Cisco SD-Branch solution takes multiple functions previously existing as discrete hardware appliances and instead deploying these as virtual network functions (VNFs) hosted on an x86-based compute platform. The Cisco SD-Branch delivers physical consolidation, saving space and power and fewer points of failure, and substantially improves IT agility with on-demand services with centralized orchestration and management. Changes can be made quickly, automated, and delivered without truck rolls in minutes for what used to take weeks/months.
Hardware Hosting Platform – Pros and Cons
So how does one assemble a functioning and manageable deployment using white box hardware and various software frameworks without achieving a wobbly stack of uncertainty? First, the hardware matters. A SD-Branch hardware platform can be any x86-based server, a server blade that runs inside your existing routing platform, or a purpose built platform that provides options for specialized interfaces for WAN (T1, xDSL, Serial, etc.) and 4G/LTE access. It should be built for the Enterprise office environment – form factor, acoustics, multi-core capable, WAN/LAN ports with the option to support PoE, etc. Additionally, data encryption has become a mandatory requirement for providing data privacy and security.
Also when selecting a platform for the SD-Branch it is important to ensure that the performance will scale for the required VNFs and services and is built with enterprise-class components. Second, having an Operating System (OS) or hypervisor that can meet the needs for; security, manageability and orchestration is imperative. For a ‘white box solution’ this can be difficult and can only be achieved through close collaboration between the OS vendor, hardware vendor, the CPU manufacturer and application vendors, and can be problematic since none of these has likely been purpose built or tested for your networking applications.
In terms of physical interfaces, white-boxes typically do not offer features such as Power over Ethernet (PoE). This is highly attractive because many IoT sensors rely on this PoE. In addition, branches often also require WAN interfaces such as 4G LTE, essential not only for backup or load sharing, but also as a transport option for SD-WAN architectures. Also some locations may require legacy TDM links too, so it is important to deploy platforms having the flexibility to support more than simple Ethernet.
Figure 1 – Table of Pros and Cons
Deploy Cisco SD-Branch Platforms with Confidence
Cisco has developed purpose built hardware platforms for the SD-Branch running an OS and hypervisor (NFVIS) that is custom built for networking services and avoids the pitfalls of a generic x86 based Server or “white box” solution. The NFVIS implementation is designed for high levels of up-time by adopting a hardened Linux kernel and embedding drivers and low-level accelerations that can take advantage of modern CPU features such as Single-Root Input/Output Virtualization (SR-IOV), for plumbing high speed interfaces directly into virtual network functions. Also security is burned-in, simplifying day-zero installations with plug-and-play, and ensuring that only trusted applications and services will boot up and run inside your network.
Figure 2 – Cisco UCS E module for ISR 4000 Series and ENCS 5000 Series platforms
Features and advantages of ENCS 5000 Series, ISR 4000 Series with UCS E module and NFVIS are:
- Designed for Enterprise deployments and targeted for simplification for networking teams
- Optimized for the deployment and monitoring of Virtual Network Functions
- On-demand services with; plug and play and zero touch deployment
- Secure and trusted infrastructure software
- Security tested and certified
Cisco SD-Branch enables agile, on-demand service and centralized orchestration for integrating the new service into the existing ones. Enterprises and service providers gain the ability to choose “best of breed” VNFs to implement a particular service. By using SD-Branch, you can spawn virtual devices to scale to new feature requirements. For example, deploy the Cisco ENCS 5000 series as a single platform and virtualize of all your SD-Branch services, or with your existing ISR branch router you have an option of inserting a server blade and spawn up a SD-Branch element that provides additional security functionality or running multiple VNFs, service chained together for routing, security, WAN optimization, unified communications, etc. Similarly, SD-WAN can be deployed as an integral part of the routing VNF with a centrally automated and orchestrated management system.
Cisco’s Digital Network Architecture (DNA) provides the proven and trusted SD-Branch hardware, software and management building blocks to achieve the simplicity and flexibility required by CIOs and IT managers in today’s digital business landscape – here is a whitepaper, which dives deeper into this design guidance
Trusted Cisco Network Services
The Cisco SD-Branch solution offers an open environment for the virtualization of both network functions and applications in the enterprise branch. Both Cisco and third-party VNFs can be on-boarded onto the solution. Applications running in a Linux or Windows environment can also be instantiated on top of NFVIS and can be supported by DNA Center and the DNA Controller.
Some network functions that Cisco offers in a virtual form factor include:
- Cisco Integrated Services Virtual Router (ISRv) for virtual routing
- Cisco vEdge Router (vEdge) for virtual SD-WAN routing
- Cisco Adaptive Security Virtual Appliance (ASAv) for a virtual firewall
- Cisco Firepower™Next-GenerationFirewall Virtual (NGFWv) for integrated firewall and intrusion detection and prevention (IPS and IDS)
- Cisco Virtual Wide Area Application Services (vWAAS) for virtualized WAN optimization
- Cisco Virtual Wireless Controller (vWLC) for a virtualized wireless LAN controller
Third Party Open Ecosystem
Cisco’s open ecosystem approach for the SD-Branch allows other vendors to submit their VNFs for certification to help ensure compatibility and interoperability with the Cisco SD-Branch infrastructure. As a customer deploying Cisco’s SD-Branch solution with certified VNFs, you can be confident that the solution will successfully deploy, run, and interoperate with Cisco’s own suite of VNFs.
Some currently certified vendors and VNFs include:
- ThousandEyes – network intelligence platform
- Fortinet – FortiGate next generation firewall
- Palo Alto Networks – Next generation firewall
- Citrix Netscaler VPX – Application delivery controller (ADC)
- InfoVista Ipanema – SDWAN
- Ctera – Enterprise NAS/file services
Many more third party VNFs are now under test for certification.
Choosing the right Cisco ENCS 5000 or ISR 4K Series platform
In order to assist customers in choosing the right platform there are a few different tools and options as follows:
ENCS 5000 Series Sizing Tool – a dynamic tool that allows you to enter your VNF requirements and the tool advises the right ENCS 5000 Series platform and requirements for memory, CPU requirements etc, see:
https://www.cisco.com/c/m/en_us/solutions/enterprise-networks/encs/index.html
ENCS 5000 Series & ISR 4000 Series with UCS-E How to Order Guide – use this guide to determine what you will need when ordering, see:
For more information on Cisco SD-Branch please see:
https://www.cisco.com/go/sd-branch
Love to read this. Good Work
Good Read especially in front of ATT announcement
Great read! SD-Branch sounds amazing.