The concept of SDN was proposed more than ten years ago. The idea of "separation of control from transmission" has taken deep root and has been extended to other fields: software-defined wide area networks, software-defined storage, software-defined edge, and so on. Any technology is proposed and implemented to solve user pain points. After a bubble period of concept hype, the technology has begun to settle and become more pragmatic. This article walks readers through the use scenarios and user value of SD-WAN (Software Defined Wide Area Network).

Unlike a LAN or MAN, a WAN interconnects sites over a larger area, and the Internet is the largest wide area network. Government bodies and enterprises with branches in multiple locations need remote interconnection. For security, latency and bandwidth guarantees, they often lease SDH/MPLS dedicated lines from operators. Dedicated line access provides VPN or even physical isolation, which gives inherent security at the network level, and sufficient QoS mechanisms guarantee reliable transmission for latency-sensitive applications (video conferencing, VoIP, etc.). However, dedicated lines are also expensive and slow to provision: whether there is a local POP, whether a physical line reaches the POP, cross-operator line leasing and coordination, and the one-by-one deployment of each branch line and service all have to be dealt with. The traditional dedicated line network model has increased the economic burden on enterprises in terms of dedicated line fees.

Figure 1 Traditional dedicated line network model

As shown in Figure 1, for security and auditing purposes, all branches' Internet access traffic must reach the headquarters over dedicated lines and enter the Internet through the headquarters' Internet exit. WAN acceleration technologies (such as protocol optimization, connection multiplexing, data compression, etc.) have eased the demand for WAN link bandwidth to a certain extent by optimizing traffic, but as enterprise IT infrastructure keeps expanding, WAN link bandwidth still has to be expanded continuously. Enterprises with high business reliability requirements often lease lines from multiple operators for redundant backup, which results in low bandwidth utilization. To cope with sudden traffic, some enterprises have to provide resources that meet peak traffic, but these resources are idle most of the time and cannot be returned dynamically.
All of these run counter to the idea of resource pooling and dynamic scaling in the cloud era.

With the development of cloud computing, enterprise IT architecture has changed tremendously. Cloudifying the traditional DC produces the enterprise's private cloud. Enterprise IT resources are either migrated completely to the public cloud (classic network/VPC), or deployed in a hybrid of private and public clouds to balance data localization and resource elasticity. Whichever method is used, Internet access inevitably changes from an incidental need into a hard requirement, and data synchronization, backup and migration become the norm. It is clearly no longer appropriate for a large amount of public network traffic to keep going through dedicated lines, so the form of the WAN has changed: Hybrid-WAN.

As shown in Figure 2, traffic to the headquarters DC or private cloud continues to go through dedicated lines, while access to the public cloud enters the Internet directly from the branch. The Internet link offloads the dedicated line and reduces its traffic load, but it also introduces security and confidentiality requirements at the branch. Originally, firewalls and security policies only needed to be deployed at the headquarters; now they need to be deployed on the branch CPE. The boundary of the security domain is extended from the headquarters to the branch. At the same time, to transmit internal enterprise data safely over an insecure public network, a corresponding encrypted transmission mechanism needs to be introduced.

Figure 2 Hybrid-WAN network model

The Internet link makes up for the shortcomings of the dedicated line. The security isolation of the firewall ensures a certain degree of security inside the branch CPE. SSL/IPsec ensures the security of private enterprise data transmitted over the Internet.

Hybrid-WAN seems perfect, but in actual use it exposes some obvious problems:

1. Branch services cannot be activated quickly
   Opening a branch requires configuring CPE services. With both the CLI and network management, services have to be configured and issued one by one. Service changes are disastrous for the maintenance of a large number of branches.

2. The path selection strategy is based on routing and cannot dynamically perceive applications
   The path selection strategy is often based on a rough distinction between traffic destined for the headquarters and traffic destined for the public cloud. The detection granularity is not raised to the application level, so there is no way to take the application's link quality requirements into account.

3. The policy model is too rigid and cannot adapt to dynamic changes in business
   The biggest feature of cloud computing is that it is highly dynamic. The policy model on traditional communication equipment relies strictly on configuration. Changes in business or link quality often mean that the configuration has to change with them.

Therefore, the WAN has seen a major evolution in the SDN era: SD-WAN. SD-WAN inherits the idea of "separation of control from transmission" and achieves unified control of various CPE devices through a unified central controller. A new CPE can automatically connect to the controller through Call Home to download configurations and policies, truly achieving zero-touch rapid activation; when the configuration changes, it only needs to be modified once on the controller, and all branch sites are synchronized automatically. Through the CPE's deep identification of traffic and probe-based link status detection, the path selection strategy becomes more refined and flexible, so that scheduling follows both the strategy and network quality, which is truly dynamic traffic scheduling. SD-WAN reduces the cost of enterprises in using dedicated lines.
It also meets the technical requirements of enterprises using public and hybrid clouds by making use of the Internet, which has lower rates and is convenient to provision. Rapid deployment and dynamic scheduling push this cost-effectiveness to the extreme. Although SD-WAN offers more functions than this, this one is currently the most valuable to customers. The next article will analyze the specific SD-WAN technical solutions.
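
The application-aware, probe-driven path selection described above, combined with the requirement that internal enterprise data crossing the Internet be encrypted, can be expressed in code as follows. This is an added example, not code from the article or from any SD-WAN product; the link names, SLA thresholds and probe values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str
    kind: str            # "dedicated" (SDH/MPLS line) or "internet"
    latency_ms: float    # latest probe measurements
    jitter_ms: float
    loss_pct: float
    up: bool = True

@dataclass(frozen=True)
class AppPolicy:
    app: str
    internal: bool       # True: enterprise data for the HQ DC / private cloud
    prefer: str          # link kind to use while it meets the SLA
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

def meets_sla(link, pol):
    return (link.latency_ms <= pol.max_latency_ms
            and link.jitter_ms <= pol.max_jitter_ms
            and link.loss_pct <= pol.max_loss_pct)

def select_path(pol, links):
    """Return (link name, encapsulation), or None when every link is down."""
    live = [l for l in links if l.up]
    if not live:
        return None
    good = [l for l in live if meets_sla(l, pol)]
    if good:   # among compliant links, honour the preferred kind first
        best = min(good, key=lambda l: (l.kind != pol.prefer, l.latency_ms))
    else:      # nothing compliant: degrade to the least lossy live link
        best = min(live, key=lambda l: (l.loss_pct, l.latency_ms))
    # Internal data leaving over the public Internet must ride an encrypted tunnel.
    tunnel = pol.internal and best.kind == "internet"
    return best.name, "ipsec-tunnel" if tunnel else "direct"

# Constructed policies and probe results (illustrative values only).
VOIP = AppPolicy("voip", True, "dedicated", 150, 30, 1.0)
SAAS = AppPolicy("public-cloud", False, "internet", 200, 50, 2.0)
NORMAL = [Link("mpls-1", "dedicated", 18, 2, 0.0), Link("inet-1", "internet", 35, 6, 0.2)]
DEGRADED = [Link("mpls-1", "dedicated", 90, 45, 4.0), Link("inet-1", "internet", 35, 6, 0.2)]

if __name__ == "__main__":
    for label, links in (("normal", NORMAL), ("mpls degraded", DEGRADED)):
        for pol in (VOIP, SAAS):
            print(label, pol.app, select_path(pol, links))
```

When the dedicated line degrades, the VoIP flow moves to the Internet link and the encapsulation changes with it, which is the point where the branch CPE, not the headquarters, becomes responsible for confidentiality.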