Building SD-WAN architecture into your world
Eager to break away from the crowds at the Interop trade show in Las Vegas back in 2010, John Mulhall stepped into a quieter aisle of the expo hall.
The booths in that row weren't glitzy -- no sign of hourly iPad raffles or other crowd-pleasing gimmicks. They were populated by vendors that Mulhall, an IT director at Sno-Isle Libraries in Washington state, had never encountered before. One of them was a startup called Talari Networks, which back then billed its technology as "adaptive private networking." The company claimed its appliances could supplant a costly MPLS network by aggregating multiple Internet connections and dynamically selecting the best path for traffic, based on the real-time conditions of those links.
Sound familiar? It's one of the basic premises of what is now marketed as software-defined WAN (SD-WAN) by a growing pool of vendors that come from all corners of the networking market. It includes routing giants like Cisco, WAN optimization specialists like Silver Peak Systems, niche players like Talari, and a handful of startups like CloudGenix, Velocloud and Viptela.
SD-WAN is an alternative approach to designing and deploying enterprise WANs. It aims to replace traditional branch routers with appliances that use virtualization, application-level policies and network overlays to make several consumer-grade Internet links behave like a dedicated circuit. The intention is to simplify setup so that the only thing branch office personnel need to do is plug in a cable for the appliance to "phone home" and automatically receive its configuration from a central controller.
The ultimate goal is to eliminate or reduce the need for private WAN technologies like MPLS -- plagued by long provisioning times and expensive contracts -- while also making the WAN more responsive and less complex. But as many large companies hesitate to fully abandon the guaranteed control, reliability and performance of MPLS, SD-WAN is expected to be deployed mostly in hybrid WAN architectures that use a combination of public and private connections.
"It's a technology that I think is going to begin replacing MPLS if MPLS doesn't get cheaper," says John Shaffer, CIO of Greenhill and Co., an investment banking firm based in New York that's in the process of deploying Viptela's SD-WAN boxes at its 15 offices. "A lot of our offices work independently of each other aside from email. You start wondering what you're using MPLS for and why you're paying so much money for it."
Yet not everyone believes SD-WAN is the panacea to all the world's WAN woes. The degree of abstraction these appliances use makes network engineers like Ivan Pepelnjak nervous. He contends the same ends can be -- and have been -- achieved with technologies that have been around for at least a decade. They do, however, require more manual labor.
"People always want to believe in Santa Claus and magic," says Pepelnjak, an independent network architect in Slovenia who operates ipSpace.net AG, a consultancy that provides software-defined networking (SDN) training and services. "They want to believe that there is new stuff that you can just deploy and it works -- and then the reality sets in, unfortunately."
But whether it's new and transformative or simply an old bag of tricks going by a catchier name, one fact about SD-WAN is undisputed: It has rapidly attracted interest over the past year as users increasingly access applications via the cloud, diminishing the need for dedicated pipes to enterprise data centers.
"The whole SDN movement opened up the market's eyes to the fact that there are better ways to solve longstanding challenges," says Andrew Lerner, a research director at Gartner. "Although SD-WAN is not SDN, that whole mindset and cultural shift brought in with SDN had an impact on the entire market.
"And while all the early talk about SDN was in the data center," Lerner continues, "if you actually talk to end customers, a big percentage of their spend on the network is typically on telecom -- in MPLS and branch connectivity."
Enabling hybrid WAN
At Sno-Isle Libraries, Mulhall says he continually looks for ways to cut costs and fulfill the library's goal of "being good stewards of public tax dollars." Shortly after visiting Talari's booth at Interop five years ago, he tested out the vendor's appliances at one of his branches in the hope they could help cut his WAN costs. They worked exactly as advertised, even handling VoIP traffic without any major hiccups.
Mulhall deployed the appliances at all of the library's 23 locations and completely replaced his MPLS network with an assortment of standard Internet connections in 2011. The Internet-based WAN is supplemented by a few high-capacity dark fiber links for internal traffic between buildings.
"It was a little bit nerve-wracking," he acknowledges now. "As a matter of fact, the following year I was at Interop, and I was at one of the sessions where they were talking about new networking technologies. I talked about our move to Talari and mentioned that we ripped out all of the MPLS circuits. One person a couple rows back stood up and said, 'You're insane. That's crazy. Why would you do that?!'"
He answers that question now without hesitation: The library has not only saved at least $400,000 annually as a result, but it has also improved the performance and redundancy of its WAN. Whereas each branch previously had only one MPLS link that backhauled internal and external traffic to Sno-Isle's data center, a typical branch now aggregates four different Internet connections. The Talari appliance identifies traffic that doesn't need to be filtered for compliance with the Children's Internet Protection Act and sends it directly out to the Internet.
"It's allowed us to really use the intelligence of those appliances to say, 'OK, what kind of traffic is it?'" Mulhall says. "We did notice a performance improvement because with our standard MPLS network, everything goes back via the WAN to your headquarters and then out to the main Internet connection. Now we can send it out to multiple routes."
While SD-WAN may be sufficient for guest Wi-Fi or processes that can be completed offline, the public Internet cannot be counted on as a completely reliable medium for critical services, cautions ipSpace.net's Pepelnjak. That makes it all the more important for network engineers to know which applications the business must have online at all times.
"It depends on how badly you want to fail -- honestly. Are you willing to lose a remote office because the Internet is down? For some people, the answer is yes," he says. "There is no Bandwidth Fairy. You have as much bandwidth as you have, and if you want more, you have to pay more. It's always the magic triangle of fast, cheap or good -- you only get to pick two. The only benefit of all these new offerings is that they are easier to consume."
SD-WAN can be deployed incrementally to minimize "the blast radius" in the event of a failure because it can be piloted in a single, isolated branch, says Gartner's Lerner.
"The beauty of SD-WAN versus SDN is that with SDN, if you apply it in a data center -- even though you can do it in a rack or a switch -- the reality is you're still in a data center and you could impact the full application environment. That's one of the reasons SDN adoption has just been so slow," he says.
At Greenhill and Co., Shaffer operates a hybrid WAN that uses MPLS links as primary connections, supplemented by Internet links. Initially, he planned to use SD-WAN to reinforce his traditional WAN. But as he continues to deploy more Viptela appliances at his offices around the world, Shaffer says he expects that dynamic may shift -- especially as he considers that $600,000 of his annual IT budget goes to MPLS.
Although it comes with a service-level agreement (SLA), MPLS historically has caused its share of headaches for Shaffer. Prior to his investment in SD-WAN, it took six months for a new office in Brazil to obtain MPLS connectivity.
"An MPLS network doesn't guarantee 100% uptime, and we do have outages. We have SLAs attached to them, but an SLA doesn't mean anything when people can't get connected," Shaffer says. "If I can buy a 100-meg Internet link and know that I only get 20 megabits out of it, that's still really good."
A WAN architecture for cloud
Cost savings are the most visible benefit of SD-WAN, but just as vital to its traction is that its architecture better suits the demands of cloud, mobile and real-time applications, says Nick Lippis, co-founder and vice chairman of the Open Networking User Group (ONUG).
"The concept of enterprise WANs is an old concept and a dead concept," says Lippis, who predicts most large enterprises will adopt SD-WAN within 24 months.
Giuseppe Genovesi, head of corporate IT at Interroll, a manufacturing company in Switzerland, adopted a hybrid WAN model five years ago when his company started increasing its use of public cloud services like Microsoft Office 365 and built out its own private cloud. At the beginning of this year, 80% of Interroll's WAN consisted of MPLS links, and 20% of it comprised standard Internet connections. Today those are split equally, and based on his successes so far, Genovesi says he plans to have MPLS make up just 20% of his WAN.
Interroll uses Silver Peak's WAN optimization appliances with Unity EdgeConnect, the vendor's SD-WAN product, as a replacement for branch routers at its 31 global offices. Genovesi still tags and prioritizes different types of traffic with MPLS, but the SD-WAN platform determines the best path to send it at any given moment.
"The Silver Peak device decides dynamically, 'Now you have more demand for this type of traffic. Let's increase the priority of this, put it in this class or delay this other thing.' And that is something that was not possible with just a router and MPLS," Genovesi says. "The router and MPLS can tell you what traffic is prioritized or what is skipped, dropped or just really slow. But you cannot have this dynamic approach."
What is SD-WAN?
"SD-WAN abstracts the underlying network transport/connectivity to present a business-centric or application-centric approach. In an SD-WAN implementation, traditional device-based command-line interface configurations can be replaced by centralized, network-wide control and orchestration….
"SD-WAN solutions employ centrally managed WAN edge devices placed in branch offices to establish logical connections with other branch edge devices across the physical WAN. These logical connections create secure paths across multiple WAN connections and carriers, such as hybrid Internet and MPLS architectures."
-- "Technology Overview for SD-WAN," Gartner, July 2015
SD-WAN takes more of an application-centric approach to networking than the traditional hop-by-hop routing according to a destination IP address, says Gartner's Lerner.
"You can group things together and define applications based on some set of characteristics, which may include an IP address, but also say, 'This application, YouTube, goes this way,'" Lerner says. "So it's no longer just, 'YouTube has this IP address and goes this path.' It becomes, 'This is YouTube traffic. YouTube traffic has this policy associated with it, so we're going to forward it in this mechanism.'"
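The policy model Lerner describes, and the link-quality-driven path selection the article attributes to these appliances elsewhere, can be made concrete in a few dozen lines. The following is an added illustration written for this article; it is not code from the article or from any vendor it names (Talari, Viptela, Silver Peak, CloudGenix), and every link name, probe measurement, classification rule and SLA threshold in it is constructed. It classifies a flow into an application class by port, TLS server name or destination prefix rather than by destination IP alone, then chooses among the currently healthy links according to that class's policy. Two details matter from a risk standpoint: a class pinned to the private WAN is held rather than spilled onto a public link when the private link fails, and a selection that could not meet the SLA is flagged as degraded instead of being silently treated as good. The overlay tunnels that would actually carry the traffic are assumed and not modelled.

```python
"""Toy SD-WAN decision logic: application classification, per-class policy and
link-quality-aware path selection.  Added example, not vendor or article code;
all links, metrics, rules and thresholds are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LinkStats:
    """Latest probe results for one WAN underlay (constructed values)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost: int              # relative price rank, 1 = cheapest
    up: bool = True


@dataclass
class AppPolicy:
    """What an application class needs from a path and which links it may use."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer_cheap: bool = False           # bulk traffic: cheapest link that meets the SLA
    allowed: Optional[List[str]] = None  # pin the class to named links (e.g. private WAN only)


# Ordered classification rules, first match wins (constructed).
RULES = [
    ("voip", {"proto": "udp", "dst_port": 5060}),
    ("erp",  {"dst_net": "10.20.0.0/16"}),
    ("saas", {"sni_suffix": ".office365.com"}),
]

POLICIES: Dict[str, AppPolicy] = {
    "voip":    AppPolicy(150, 10, 1.0),
    "erp":     AppPolicy(100, 30, 1.0, allowed=["mpls"]),
    "saas":    AppPolicy(200, 50, 3.0, prefer_cheap=True),
    "default": AppPolicy(500, 100, 5.0, prefer_cheap=True),
}


def classify(flow: dict, rules=RULES) -> str:
    """Map a flow to an application class from port, SNI or destination prefix."""
    for app, m in rules:
        if "proto" in m and flow.get("proto") != m["proto"]:
            continue
        if "dst_port" in m and flow.get("dst_port") != m["dst_port"]:
            continue
        if "sni_suffix" in m and not (flow.get("sni") or "").endswith(m["sni_suffix"]):
            continue
        if "dst_net" in m:
            ip = flow.get("dst_ip")
            if not ip or ipaddress.ip_address(ip) not in ipaddress.ip_network(m["dst_net"]):
                continue
        return app
    return "default"


def score(link: LinkStats) -> float:
    """Lower is better: a simple weighted blend of the probe metrics."""
    return link.latency_ms + 3 * link.jitter_ms + 50 * link.loss_pct


def select_path(app: str, links: List[LinkStats],
                policies=POLICIES) -> Optional[Tuple[str, bool]]:
    """Return (link name, within_sla) for the class, or None if no allowed link is up.

    Candidates are the allowed links that are up.  If some meet the SLA thresholds,
    pick the cheapest (prefer_cheap) or best-scoring one.  If none do, degrade to the
    best-scoring candidate and flag it.  A pinned class never spills onto other links.
    """
    pol = policies.get(app, policies["default"])
    candidates = [l for l in links if l.up and (pol.allowed is None or l.name in pol.allowed)]
    if not candidates:
        return None
    meets = [l for l in candidates
             if l.latency_ms <= pol.max_latency_ms
             and l.jitter_ms <= pol.max_jitter_ms
             and l.loss_pct <= pol.max_loss_pct]
    if meets:
        best = min(meets, key=(lambda l: (l.cost, score(l))) if pol.prefer_cheap else score)
        return best.name, True
    return min(candidates, key=score).name, False


def demo_links() -> List[LinkStats]:
    """Constructed probe snapshot for a branch with three underlays."""
    return [
        LinkStats("mpls",  latency_ms=20, jitter_ms=2,  loss_pct=0.0, cost=5),
        LinkStats("cable", latency_ms=35, jitter_ms=8,  loss_pct=0.5, cost=1),
        LinkStats("lte",   latency_ms=70, jitter_ms=25, loss_pct=2.0, cost=3),
    ]


if __name__ == "__main__":
    links = demo_links()
    flows = [  # constructed flows: SIP signalling, Office 365 over TLS, internal ERP
        {"proto": "udp", "dst_port": 5060, "dst_ip": "198.51.100.7"},
        {"proto": "tcp", "dst_port": 443, "sni": "outlook.office365.com", "dst_ip": "203.0.113.9"},
        {"proto": "tcp", "dst_port": 8443, "dst_ip": "10.20.0.15"},
    ]
    for f in flows:
        print(classify(f), select_path(classify(f), links))
    links[0].up = False  # MPLS outage: VoIP moves to cable, ERP is held rather than leaked
    for f in flows:
        print(classify(f), select_path(classify(f), links))
```

Running the block shows VoIP on MPLS, Office 365 on the cheap cable link and ERP pinned to MPLS; when MPLS is marked down, VoIP fails over to cable while ERP gets no path at all, which is the behaviour a compliance-sensitive class should have. The scoring weights and thresholds are arbitrary; a real controller would derive them from continuous probing and would re-run the selection whenever the probe snapshot changes.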
When OneCloud Networks, a unified communications as a service (UCaaS) provider based in Frisco, Texas, first launched its cloud-based voice and video conferencing services, providing each customer with redundant dedicated circuits seemed like the only way to guarantee service, says OneCloud CEO Haider Mirjat. It was an expensive approach, however, and didn't supply sufficient bandwidth.
As Mirjat learned more about the concept of hybrid WAN, the idea was appealing. But the execution was problematic. He used Cisco's Meraki MX Series firewalls to terminate WAN links, and while the appliances had the ability to load balance multiple connections, Mirjat said the configuration was complex, manual and static.
He eventually supplied customers with CloudGenix's SD-WAN platform on commodity hardware and redundant, consumer-grade Internet connections. The device is able to fingerprint different types of traffic and adapt its routing dynamically, based on real-time network conditions.
"It understands which applications are reliable on what connection and at what time -- and it learns it all in real time," Mirjat says. "That's really what helps us to say, 'OK, you know what? We don't need to do all dedicated circuits for redundancy.'"
SD-WAN vs. DIY
Despite the recent surge of interest around SD-WAN, its ability to support a hybrid WAN is not based on a new technology.
"Smart people were always trying to use whatever bandwidth they had available," says ipSpace.net's Pepelnjak. "There was no hype around it because it was just network engineers doing our stuff, but the concept of using VPN over the Internet in parallel with your private WAN to get cheaper bandwidth is, as a concept, at least a decade old."
One function that cannot be achieved without SD-WAN is dynamically shifting traffic across multiple links based on link quality, Pepelnjak acknowledges. But the ability to aggregate and load balance multiple WAN connections can be achieved with Cisco's dynamic multipoint virtual private network (DMVPN) technology, he says.
"If you want to deploy a DMVPN network, you have to know actually how it works. You have to do a proper design. You have to think about what you're doing. Maybe you even have to go to training, God forbid," Pepelnjak says. "With this new stuff, you just plug it in and it automatically registers with the controller. You click three buttons in the Web interface and it all works -- until it stops."
Prior to deploying Talari's appliances at Sno-Isle Libraries, Mulhall's networking team attempted to implement a hybrid WAN using DMVPN. But the technology proved too complex.
"If you have a whole fleet of network engineers on staff, I suppose you could do it yourself. But I don't know if that's a cost-effective way to do it," Mulhall says. "In fact, one of my network engineers swore up and down, 'By God, we'll just do it ourselves.' They tried with some limited success, but it just didn't make sense. And certainly if you're going to have all your data services rely on that, I'm not sure a whole roll-your-own approach would be a smart way to go. It's nice to have a vendor to point your finger at and say, 'It's your fault.'"
Meanwhile, some say the commercial products need further testing -- a task that ONUG's SD-WAN working group has taken on. This past spring, the group performed feature verification testing for several vendors' SD-WAN products. It will perform interoperability demonstrations for them at the organization's New York conference in November.
ONUG members, who are enterprise IT pros, have two main items on their wish lists for SD-WAN products: an open way to perform service chaining and more rigorous performance testing, says Lippis, the group's co-founder.
"A lot of the [SD-WAN vendors] have been shy to test their equipment at scale for performance, so clearly they're not ready for it, and then that's going to slow down the pace of deployment," Lippis says.
It's a concern Pepelnjak shares.
"Let's see how well they actually work in practice because right now everyone is in, more or less, early pilots," he says. "When someone deploys 5,000 nodes in production all over the globe, connecting weird countries like Kazakhstan and Mongolia and 1,000 nodes in China, then we'll see how well things really work."