With the recent announcement of the Dell EMC Virtual Edge Platform (VEP) family, and specifically the launch of the VEP 4600 as the first product in this portfolio, I intend to write a few posts on SD-WAN and Dell EMC’s offering in this context. VEP itself is a Universal CPE, hosting Virtualized Network Functions. The initial service catalogue features SD-WAN, but this will subsequently expand to a richer set of solutions, including elements like Security, Load Balancing, WAN Optimization etc. While this first post talks about SD-WAN in general (the challenges it addresses, its value etc.), the next post will focus on the VEP platform. Subsequent posts will cover the SD-WAN solutions provided on these platforms – Silver Peak, VeloCloud, and Versa.
Gartner views SD-WAN as a replacement for traditional WAN routers. Several high-level traits characterize SD-WAN:
- It is agnostic to the underlying transport
- It provides policy-based path selection across multiple WAN connections
- It supports service chaining
We have discussed Software Defined Networking and its fundamentals a number of times in previous posts. Comparing a software defined WAN with a software defined data center network/LAN, we find a number of similarities as well as distinctions.
First, the key tenets that resonate whenever we talk about software defined anything – Disaggregation, Modularity, Abstraction etc. SD-WAN disaggregates the overlay and services from the underlying transport, making them agnostic to the IP transport and its technology. It centralizes Management, Data Plane Orchestration and Policy Definition in the Orchestrator, which also enables Automation around provisioning and Life Cycle Management. This sounds similar to the Centralized Control Plane and Orchestration consoles of certain SDN solutions/approaches.
At the same time, a DC network provides ample bandwidth and minimal latency for a prospective SDN solution. The WAN, unlike the DC LAN, is not owned in its entirety by the Enterprise: bandwidth is more constrained, and availability and latency are of a lower order.
Let us review some of the needs driving Next Generation Software Defined WAN solutions.
Transport over traditional WAN services, whether MPLS or the public internet itself, has faced a number of growing challenges over time. For MPLS, these are issues like cost and the time needed to implement new circuits or add capacity, while using the internet as the transport raises issues like security, latency and packet loss. In addition, there can be concerns around jitter and uptime.
The aforementioned concerns are the more traditional ones. However, there are emerging catalysts such as cloud native apps, Edge computing and Application Aware routing, for which the traditional solutions were simply not built. Retro-fitting them to address these needs compromises performance and scale, among other things.
These concerns (alongside others) have resulted in the need for Next-Gen WAN services which can offer:
- Reduced Cost – both Capex & Opex
- Agility & Automation – scale, provision and re-configure more readily.
- Flexibility – in a number of ways. Universal CPE boxes, Virtualized functions, a move away from proprietary/custom appliances to more standards-based architectures etc.
- Higher Availability/Performance
- Better Visibility & Management
- Improved Security
Let us examine some of the drivers in detail.
Application Consumption Model/Behaviour:
The dynamics of how applications are consumed are changing. In a growing number of cases, the apps themselves no longer reside purely in the DC. Instead, the increased use of cloud and SaaS applications has significantly altered WAN traffic flows in Enterprises and Distributed Organizations. We are now in the day and age of Salesforce, Office 365, AWS, Box etc.
As far as the branch and remote user are concerned, these new requirements cannot be adequately met with the traditional approaches. The traditional answer to these needs would focus on adding proprietary hardware plus private circuits for each service. These are costly to procure, provision and maintain. If MPLS is a branch’s primary access, traffic to an application in the cloud has to go from the branch over the MPLS line to the data center. From there, it goes via an exit point out to the Internet, then to the application, and then back again. This is neither efficient nor viable beyond a certain scale.
A few of the possible solutions to the challenge of changing WAN traffic flows, resulting from the altered dynamic of app location/consumption, include:
- Option 1: Local Breakout – give each branch its own internet connection.
  - Pro: Direct offload of Internet traffic.
  - Con: Increases the number of appliances to buy, deploy and manage; each local breakout is additional attack surface to secure.
- Option 2: Backhaul Internet traffic to central locations to secure access to Internet destinations (IPsec tunnels between branch and DC).
  - Pro: Maintains a centralized security posture.
  - Con: Sub-optimal attachment to cloud services; requires additional Internet bandwidth at central locations.
- Option 3: SD-WAN
  - Pro: Local Breakout, Transport Agnostic, load sharing, App Aware Routing, Security. Ability to offload Internet-destined traffic closer to the edge of the network.
  - Con: Relatively new.
Application Aware Routing
Traditional WANs are not application aware, nor do they consider different application performance thresholds.
Today, Application or Performance aware routing is a true game changer. It enables customers to monitor the performance of the underlay and make real-time, dynamic routing decisions – per application. Essentially, the carrier becomes “next hop reachability” via IP circuits, with an intelligent overlay managed by the customer orchestrating Enterprise Routing.
This dynamic detection and convergence capability greatly improves the overall service quality. The software platform is aware of the pool of connectivity. It continuously measures the performance and throughput available over each path, and makes a decision on a per-packet basis, taking QoS settings into account and duplicating critical packets across circuits if needed (details vary between different solutions).
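To make the per-packet decision described above concrete, here is a small path-selection model written for this post (it is not code from the post or from any SD-WAN vendor). Each WAN link carries its latest probe results, each application carries its own latency/jitter/loss thresholds, and a packet is steered to the best link that currently meets them; non-critical bulk traffic can instead be steered to the cheapest link that meets policy. Critical applications are duplicated across the two best links when no single link meets their loss tolerance, and the least-bad link is used rather than dropping traffic when nothing meets policy. The duplication trigger, the `cost` field and all link figures are assumptions (constructed sample values), not details of any product.

```python
"""Application-aware path selection over a pool of WAN links.

Added illustration, not code from the post or from any SD-WAN product.
Every link is probed, every application has its own thresholds, and each
packet is steered to the best eligible link. Critical applications are
duplicated across the two best links when no single link meets their loss
tolerance (that trigger is an assumption). All link figures are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PathStats:
    """Latest probe results for one WAN link (constructed sample values)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost: float = 1.0   # relative transport cost, hypothetical unit
    up: bool = True


@dataclass
class AppPolicy:
    """Per-application thresholds and steering preference (assumed values)."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    critical: bool = False         # duplicate packets when no link meets loss
    prefer_low_cost: bool = False  # steer bulk traffic to the cheapest OK link


def _score(p: PathStats, policy: AppPolicy) -> float:
    """Distance from the thresholds; 1.0 per metric means 'at the limit'."""
    return (p.latency_ms / policy.max_latency_ms
            + p.jitter_ms / policy.max_jitter_ms
            + p.loss_pct / max(policy.max_loss_pct, 0.1))


def eligible_paths(paths: List[PathStats], policy: AppPolicy) -> List[PathStats]:
    """Links that are up and currently meet every threshold of the policy."""
    return [p for p in paths if p.up
            and p.latency_ms <= policy.max_latency_ms
            and p.jitter_ms <= policy.max_jitter_ms
            and p.loss_pct <= policy.max_loss_pct]


def select_paths(paths: List[PathStats], policy: AppPolicy) -> List[str]:
    """Link name(s) a packet of this application should be sent over.

    - one link when at least one meets policy (cheapest or best-scoring)
    - two links (duplication) for a critical app when none meets policy
    - the least-bad up link otherwise, so traffic is never black-holed
    - [] when every link is down
    """
    up = [p for p in paths if p.up]
    if not up:
        return []
    ok = eligible_paths(up, policy)
    if ok:
        if policy.prefer_low_cost:
            best = min(ok, key=lambda p: (p.cost, _score(p, policy)))
        else:
            best = min(ok, key=lambda p: _score(p, policy))
        return [best.name]
    ranked = sorted(up, key=lambda p: _score(p, policy))
    if policy.critical and len(ranked) >= 2:
        return [ranked[0].name, ranked[1].name]
    return [ranked[0].name]


if __name__ == "__main__":
    # constructed pool of connectivity: MPLS, broadband and LTE
    links = [PathStats("mpls", 30, 2, 0.0, cost=10),
             PathStats("broadband", 45, 8, 0.5, cost=2),
             PathStats("lte", 90, 25, 2.0, cost=5)]
    voice = AppPolicy(150, 30, 1.0, critical=True)
    backup = AppPolicy(500, 100, 5.0, prefer_low_cost=True)
    print("voice  ->", select_paths(links, voice))    # ['mpls']
    print("backup ->", select_paths(links, backup))   # ['broadband']
```

Voice lands on MPLS because it scores best against the voice thresholds, while the backup application is steered to the cheaper broadband link because every link meets its loose policy. Marking the MPLS link down moves voice to broadband; degrading broadband as well leaves no compliant link, so voice is duplicated over the two least-bad links rather than dropped. A real product would additionally apply hysteresis so that a single bad probe does not flap flows between links.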
Service Agility: Abstraction of the underlying infra/underlay into a pool of connectivity
Just like compute virtualization, overlay-driven virtual wide-area networks (vWANs) let you mix and match what’s underneath. This decouples the WAN from the underlay/transport network, enabling agility as well as multiple types of connectivity at the physical layer, thereby reducing the dependency on, and the scale limitations of, the carriers.
Eliminating complexity also involves reducing the number of boxes that have to be maintained, managed and supported. Instead of dedicated appliances for functions such as WAN optimization, DPI and firewall, these can be consolidated as virtual functions onto a single box built for such use (i.e. the right Architecture, CPU, Modularity, Expansion, Connectivity Options etc.) – precisely what the Dell VEP family has set out to achieve.
This allows both scale and economy for supporting the branch/remote user.
SD-WAN offers cost reduction in a number of ways – both CAPEX and OPEX.
Foremost, as mentioned above under complexity/convergence, a device like the VEP 4600 can collapse multiple functions onto one box, as an alternative to dedicated appliances for each of those elements. Beyond the Network Functions, there is also the aspect of transport. Private provider transport (e.g. MPLS) offers SLA and security, but is expensive. The Internet offers neither SLA nor security, but is massively cheaper in comparison. By using intelligent overlays on top of the internet – offering path optimization and traffic steering alongside security – the cheaper transport can be enhanced to offer a lot more. The specific features available vary depending on the overlay/solution providing the WAN; I intend to do follow-up posts covering options like Silver Peak and VeloCloud.
Security: Data Plane Encryption without an IPsec layer over MPLS
Some customers elect to implement over-the-top IPsec to address data plane encryption, which may impact the traditional transport by:
- Decreasing overall scale,
- Adding a fault domain layer,
- Requiring distributed configuration steps for setup and key management.
Many SD-WAN products come standard with data plane encryption and control plane security. It therefore becomes possible to provide a consistent authentication and transport encryption policy regardless of the underlying transport mechanism or service provider. Central policy management and segmentation become a reality.
Visibility: Routing Control Plane inside the Provider Edge & Core:
Instead of traditional link state and distance vector protocol metrics, SD‐WAN solutions utilize new path metrics, which consider application performance requirements, throughput and network impairments.
In traditional networks, the customer’s Layer 3 routing control plane is outsourced to the MPLS service provider, as customers are required to inject their remote site routing tables into the SP’s network, either statically or dynamically. At this point the customer loses visibility, with very limited access to the provider edge, not to mention the backbone. SD-WAN offers a means of achieving greater visibility into apps and flows over the WAN.
Life Cycle Management: Turn Key & Automation for WAN LCM
SD-WAN solutions establish a hierarchical, template-driven structure for the network via the orchestrator. We define what each site type should look like in advance – single or dual WAN connections, VLAN settings for voice/data, etc. We then establish Enterprise-wide settings like QoS schemes, firewall policies etc.
Once this is in place, creating new sites or changing existing sites requires minimal effort. Such Automation was sorely missing in traditional solutions.
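The template-driven structure just described, and the consistent tunnel-encryption policy from the Security section, can be shown with a small provisioning model. This is an added illustration written for this post, not the orchestrator code of any SD-WAN product: site types are declared once as templates, enterprise-wide settings (QoS scheme, firewall policy, tunnel encryption) are declared once, and adding a site means supplying only its own identifiers and circuits. Re-rendering propagates a template or policy change to every site, and validation refuses a site whose template declares a WAN slot that no circuit backs. All template names, field names, VLAN ids and circuit ids are assumptions.

```python
"""Template-driven site provisioning, as described above.

Added illustration only, not the orchestrator code of any SD-WAN product.
Site types and enterprise-wide policy are declared once; each site supplies
only its own values; render_all() re-renders every site so that a template
or policy change propagates everywhere. All names and values are assumptions.
"""
import copy
from typing import Any, Dict, List

SITE_TEMPLATES: Dict[str, Dict[str, Any]] = {
    "branch-single-wan": {"wan_slots": ["wan1"],
                          "vlans": {"data": 10, "voice": 20}},
    "branch-dual-wan": {"wan_slots": ["wan1", "wan2"],
                        "vlans": {"data": 10, "voice": 20, "guest": 30}},
}

ENTERPRISE_POLICY: Dict[str, Any] = {
    "qos": {"voice": "EF", "data": "AF21", "guest": "BE"},
    "firewall": [{"from": "guest", "to": "data", "action": "deny"},
                 {"from": "guest", "to": "internet", "action": "allow"}],
    # one encryption/authentication setting for every tunnel, whatever the transport
    "tunnels": {"encrypt": True, "auth": "certificate"},
}

REQUIRED = ("site_id", "site_type", "circuits")


def render_site(site: Dict[str, Any], templates=SITE_TEMPLATES,
                policy=ENTERPRISE_POLICY) -> Dict[str, Any]:
    """Build one site's full configuration from template + policy and validate it."""
    missing = [f for f in REQUIRED if f not in site]
    if missing:
        raise ValueError(f"site definition missing {missing}")
    if site["site_type"] not in templates:
        raise ValueError(f"unknown site type {site['site_type']!r}")
    cfg = copy.deepcopy(templates[site["site_type"]])
    cfg["site_id"] = site["site_id"]
    # every WAN slot the template declares must be backed by a real circuit
    unbacked = [s for s in cfg["wan_slots"] if s not in site["circuits"]]
    if unbacked:
        raise ValueError(f"{site['site_id']}: no circuit for slots {unbacked}")
    cfg["circuits"] = {s: site["circuits"][s] for s in cfg["wan_slots"]}
    # a site may override VLAN ids only; QoS, firewall and tunnel policy stay central
    cfg["vlans"].update(site.get("vlan_overrides", {}))
    # enterprise policy is copied in, restricted to the VLANs this site actually has
    cfg["qos"] = {v: policy["qos"][v] for v in cfg["vlans"] if v in policy["qos"]}
    cfg["firewall"] = [r for r in policy["firewall"]
                       if r["from"] in cfg["vlans"]
                       and (r["to"] in cfg["vlans"] or r["to"] == "internet")]
    cfg["tunnels"] = copy.deepcopy(policy["tunnels"])
    return cfg


def render_all(sites: List[Dict[str, Any]], templates=SITE_TEMPLATES,
               policy=ENTERPRISE_POLICY) -> Dict[str, Dict[str, Any]]:
    """Re-render every site; a template or policy change propagates to all of them."""
    return {s["site_id"]: render_site(s, templates, policy) for s in sites}


if __name__ == "__main__":
    # constructed site definitions: only site-specific values are supplied
    sites = [
        {"site_id": "BR-001", "site_type": "branch-dual-wan",
         "circuits": {"wan1": "mpls-ckt-17", "wan2": "broadband-ckt-42"}},
        {"site_id": "BR-002", "site_type": "branch-single-wan",
         "circuits": {"wan1": "broadband-ckt-43"},
         "vlan_overrides": {"voice": 21}},
    ]
    for sid, cfg in render_all(sites).items():
        print(sid, cfg["circuits"], cfg["qos"], cfg["tunnels"])
```

Changing the firewall list or the tunnel settings in `ENTERPRISE_POLICY` and calling `render_all()` again updates every site at once, which is the "minimal effort" change the post refers to; the same holds for editing a site template. Keeping encryption in the enterprise policy rather than per site is what makes the transport-independent encryption policy of the Security section hold by construction.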
IPsec offers offload to the internet with added security. SD-WAN can offer the same, but it also goes beyond that. It can:
- Provide Application Awareness – identify apps, decide the routing and security policy for each, and steer them appropriately.
- Eliminate distributed configuration/provisioning, and provide a central console for orchestration and management of all the physical/virtual appliances and the WAN itself.
- Provide template-driven automation for overlays and business policies.
- Monitor multiple links and swap traffic between them in case of outages.
As long as applications resided in the Enterprise DCs and connectivity was not as abundant as today, MPLS was the pertinent and most relevant solution. Although it is costly and complex, it still offers Security and Reliability – the primary reasons behind the reluctance to switch to internet-as-a-transport. SD-WAN can mitigate these concerns by using:
- High speed broadband/internet, mixing and matching different types of transport,
- Technologies like Forward Error Correction and packet order correction,
- WAN optimization features like de-duplication, shaping and compression,
- Secure tunnels.
Do note that we still need the underlying transport – SD-WAN is not a replacement for the physical transport itself. The value-add that SD-WAN brings is in features like intelligence, automation, orchestration, visibility and optimization – to name a few.
SD-WAN vs. WAN Optimization
SD-WAN’s focus is on connectivity; WAN optimization’s focus is on performance. These are two different focus areas. WAN optimization is a mature market. SD-WAN, on the other hand, is emerging. It disrupts the branch infrastructure market and the MPLS services market. When we review Silver Peak, we will see how its traditional pedigree in WAN optimization has enabled it to position a comprehensive, multi-faceted SD-WAN offering.
In the next post, we will review the Dell VEP Solution – The platform, the value and the vision.