Over the past few years, I have become, what I would call, a passionate observer of the emergence of SD-WAN technology. Through my involvement in events like Tech Field Day, hearing first-hand from engineers who have deployed SD-WAN in their own networks (Viptela & Three Real-World SD-WAN Deployments, Inside Three Real-World SD-WAN Deployments), attending conferences with SD-WAN at the forefront (ONUG), and even occasionally writing my own thoughts about SD-WAN and some specific product lines (here, here, and here), I have had the opportunity to see the many pros and cons of this technology.
IP routing is hard. Resilient and dynamic IP routing is harder. Predictable, reliable, automated, flexible, and secure IP routing is… well, you get the point. The larger and more complicated our wide-area networks grow, configuring them in such a way that all devices react predictably, in all scenarios, can be a serious challenge. I see this all the time with my customers, and not just the customers with hundreds of WAN sites. Engineering teams are being pushed to more efficiently utilize their WAN equipment and links, significantly reduce cost in the process, and simply do far more with less resources. To add to that challenge, until recently, these engineers have been left with some fairly rudimentary tools to make that happen.
That’s where SD-WAN steps in. SD-WAN’s whole goal is to simplify the design, deployment, and management of wide-area networks while adding features that haven’t been possible with the traditional WAN technologies that have been in use. Whole articles can, and have, been written in an effort to lock-down what features a “true” SD-WAN would have, but there are some commonly agreed upon characteristics that all of these platforms share. SD-WAN solutions will facilitate connectivity across multiple types of links, including MPLS and Ethernet broadband. SD-WAN solutions will be configured centrally, with automatic and dynamic deployment of configuration to routing devices. SD-WAN solutions will use advanced telemetry, application awareness, and a holistic view of the WAN to make intelligent and dynamic path selections. And finally, SD-WAN solutions will protect traffic by encapsulating it within encrypted tunnels between endpoints. These components combine to provide a wide-area network that should have improved performance and resiliency, reduced complexity, and increased security.
That all sounds great and SD-WAN is all sunshine and rainbows, right? Not exactly. Like all new technology ideas, SD-WAN is being sold as if it will fix your WAN, wash your car, butter your bread, and… again, you get the point. Every technology solution has tradeoffs and caveats, SD-WAN is no exception. With a fancy, new, shiny year getting under way (reportedly a year that SD-WAN will gain significant market traction), now is as good as ever to break down what there is to be excited about, and what there is to be skeptical of, when it comes to SD-WAN.
- Controller Based Networking. This just makes sense. By adding a controller to the network, routers no longer have to make decisions independently. The controller determines optimal data paths and programs the routers to send traffic accordingly. This ensures that all devices are acting in unison and acting on the same view of network conditions. Additionally, traffic can route not only by IP source/destination, but also by properties like application and sub-application characteristics. This is like policy-based routing, NBAR, and IP SLA all put together, but with full network awareness and far less fuss.
- Zero-Touch/Automated Deployment. Centralized and policy-based configuration, teamed up with templated configurations, make new site deployments far simpler and less effort. Add the router to your controller, apply the template, fill in the variables like VLANs and segments addressing, and plug it in. This saves time and reduces errors.
- Automated Tunnel/Key Management. Seriously, who wants to manage the creation and rotation of dozens or hundreds of IPSec tunnel keys? If you do, you’re a strange, strange person. Most statically-configured tunnel keys are left the same as the day they were created and only changed if they are compromised. By letting the controller manage these keys, we save time, avoid annoying busy work, and improve our security posture. Win, win, win.
- Overlay/Underlay Abstraction. By removing the coupling between the physical and logical topologies, either can be changed without impacting the other. If you need to change carriers because contract renewal isn’t going so well, the logical flow of your data doesn’t have to change a bit. If you need to change the logical flow of your data due to a new business initiative or acquisition, you don’t have to physically change anything in the underlay network to make that happen. This flexibility allows for rapid response to business needs and a significantly reduced lock-in with specific carrier services.
- Improved Telemetry. One of the problems with traditional routing protocols is that the tools that we have to measure link performance are pretty rudimentary. Traditional routing protocols do not fail when there is low levels of packet loss or jitter on a link, leaving production traffic running across a degraded link even if a better performing backup exists. This may not be a big deal for something like a file transfer, but those kinds of problems can cause havoc on voice and video flows. Improved visibility and telemetry data allows for SD-WAN networks to more intelligently respond to these brown-out conditions.
The Jury Is Still Out
- Cost. The big pitch from SD-WAN vendors is that through the improved visibility and intelligent routing provided by the solution, you should be able to migrate away from, or significantly reduce dependence on, SLA based circuits. Evidence appears to support the claims that non-SLA broadband connections perform just as well as SLA backed circuits, but I’m not convinced that engineers and management are willing to stake their reputations on this just yet. With any hesitancy to move away from SLA based circuits, the solutions become less cost-neutral.
- Application Aware Routing. Another key feature that is being sold by SD-WAN vendors is the ability to route based off of application specific information. In a non-encrypted world, this sounds perfectly reasonable to me. But as encrypted traffic becomes the norm, I’m not confident how accurate these solutions will be without the ability to break through the encryption and see what application is in use, which just isn’t practical when milliseconds of latency matter to application performance.
- Vendor Lock In. On one hand, SD-WAN solutions provide an immense service in breaking the dependence on a specific carrier’s services. That carrier freedom comes with a price though, as SD-WAN has no defined open standards or interoperability built in. If you choose a vendor, you are stuck with that vendor unless you rip and replace the entire solution.
I have no doubts that SD-WAN is going to play a significant role in enterprise networks moving forward. The features these solutions provide, combined with the automation and optimization of repetitive maintenance tasks, make these solutions compelling to organizations of all sizes. A dose of skepticism is healthy when evaluating any new technology though, so both the advantages and disadvantages need to be weighed and considered before moving forward with a deployment like this. If SD-WAN is something your organization will be considering in the future, or you just want to learn more about SD-WAN in general, there is an excellent online virtual summit called FutureWAN happening January 16th-20th. This event is being sponsored by Viptela, but has presentations scheduled from many vendor neutral sources that will address the above items in more depth, as well as many other things you should consider when thinking about deploying an SD-WAN solution. Registration is free and can be completed here.