What is SD-WAN?

The concept of software-defined networking (SDN) can be traced back to common channel signaling (CCS) technology developed during the 1970's and 1980's for use in telecom networks. The CCS #7 protocol operates via a signaling network independent of the telephony traffic (e.g., bearer) network and provides call setup, routing, release and related functions. In an analogous fashion, SDN decouples the data or bearer plane from the control or signaling plane. As illustrated in Figure 1, the data plane comprises network routing hardware or virtualized network functions while the control plane includes software that “defines” or monitors, manages and reconfigures network routers to achieve optimal performance.

Software-defined wide area networks (SD-WANs), the WAN component of SDN, enable organizations to partially or entirely supplant private network services such as Multi-Protocol Label Switching (MPLS) in order to improve network performance, centralize provisioning, simplify operations, and reduce costs. These benefits can be realized via dynamic path selection for load balancing and redundancy as well as support for multiple network interfaces, e.g., for the Internet, VPN, 5G and MPLS.

SDWAN data and control planes
Figure 1: SDWAN control and data planes

The SD-WAN Controller is an entity within the control plane which performs the monitoring of network traffic and enables the dynamic configuration of software-defined routers (SD-routers) to enable routing over various networks with corresponding adjustments to application traffic prioritization, treatment and routing as necessary. To illustrate a benefit of the SD-WAN architecture, let’s contrast it to the traditional private WAN with a single Internet connection. In the traditional architecture, as illustrated on the left side of Figure 2, internal enterprise sites interconnect via a private network such as MPLS. Access to the Internet is funneled through one or just a few Internet egress points, secured via demilitarized zone (DMZ) infrastructure. One major benefit of this approach is a limited attack surface from which Internet-based attacks may target. However, it suffers from forcing enterprise devices from sites geographically dispersed, perhaps globally, to transit the enterprise network to the DMZ then to the intended Internet destination.


Figure 2: Traditional WAN with Single Internet Egress (left) and SDWAN with Internet Breakout (right)

As illustrated on the left of Figure 2, Internet traffic is routed to the destination nearest the DMZ, e.g. Cloud POP Y in the figure, not necessarily the originating device. Thus, accessing an Internet site physically located down the street could traverse the globe to route via the DMZ egress. This is particularly menacing when accessing enterprise applications hosted in the cloud where application traffic interfaces via the cloud point of presence (POP) closest to the DMZ and not the application user, potentially introducing excessive latencies.

Contrast this approach with the right side of Figure 2, where local Internet access has been provisioned to each site to support direct Internet access from each site. While we illustrate only the Internet “cloud” on the right of Figure 2, in practice two or more networks may be accessible from all or selected sites to enable multi-network access for particular connections or connection types. The local Internet “breakout” illustrated on the right side of Figure 2 accentuates the ability of each site to be routed to Internet destinations in an optimal fashion. This architecture enables each site to connect to the closest (in terms of routing) Internet-based destination, including cloud POPs, affording better application performance thanks to lower roundtrip time and latency than the traditional approach. The downside is a broader Internet-facing attack surface, which requires more protection and vigilance from a network security perspective.

While advantages and disadvantages can vary based on deployment, the key advantages of SDWAN include:
  • Network cost savings through the use of multiple network interfaces, reducing reliance on expensive private network services like MPLS.
  • Cloud adaptable with application performance through optimal routing among multiple interface options including Internet breakout
  • Flexibility in deployment enabling evolution from WAN to SDWAN and the addition or removal of selected network interfaces over time
  • Increased resiliency in the face of network outages to reroute among multiple networks
  • Improved device utilization efficiency with the use of orchestration for virtualized network functions or containers on some SDWAN routers enables deployment of additional network services such as DNS locally without additional hardware requirements (see my companion post on SD-IPAM for SD-WAN)
Some potential disadvantages include
  • Larger attack surface with more Internet access points, so security policies must be enacted across all Internet breakout points
  • Higher cost of network access of each network type across multiple sites as well as SD-WAN routers though this can be offset and paid back through network cost savings
  • While SD-WAN routers generally provide improved monitoring and reporting, staff need to remain vigilant and proactively manage; e.g., staff training required.
Use of SD-WAN managed services such as those offered by BT can offset most of these disadvantages by offering zero-touch provisioning, ongoing monitoring and management, and additional security surveillance and services. 

Comments

Post a Comment

Popular posts from this blog

Handy AAAA filter in BIND 9.8

The ISC introduced a pair of new configuration file options in BIND 9.8 to enable administrators to easily filter who may receive AAAA record type responses even if valid responses exist. For example, clients on subnets that do not have IPv6 network access can be excluded from receiving affirmative answers for AAAA queries. This feature provides simpler administration than the alternative mechanism using views. The first option, filter-aaaa-on-v4,defines whether the server will return AAAA records to certain clients. Such clients are defined by the address match list parameter of the second option, filter-aaaa. Note that BIND must be compiled with the --enable-filter-aaaa option on the configure command line to enable AAAA filtering. The syntax of these options is as follows: filter-aaaa-on-v4 (yes | no | break-dnssec) ; filter-aaaa {addr_match_list;} ; The filter-aaaa option identifies the address match list for which the filter-aaaa-on-v4 option is to be applied as described
Read more

Inglorious DDI

We all know how critical DHCP/DNS/IPAM (DDI) services are. Your network cannot function without them. But like most foundational elements of anything, they are certainly not glamorous...like good luck finding a home designer who specializes in home foundations. I would not be shocked should HGTV pass on my brilliant concept for a foundation building show. I suppose most people would find a show detailing footing depths and concrete pouring techniques rather boring.  Nevertheless, there are countless shows for redesigning and remodeling homes. On most episodes the foundation is out of sight, out of mind. If it's stable, no one wants to pay it attention, they just expect it to keep doing its job, supporting the structure. Once in a while a foundational issue is brought up that unexpectedly threatens to raise the budget to heighten the drama. All work stops until the issue is addressed. And you'll notice that the owner never denies paying the extra amount to fix the issue.
Read more

BIND 9.8.0 Adds DNS64 Support - Part 2 - How is it configured?

BIND 9.8.0 introduced a new dns64 option statement that can be configured within the server named.conf options block or within a view options block. Recall from a prior post that DNS64 configures a recursive DNS server to issue A record queries on behalf of a client requesting AAAA records, then appends the returned IPv4 address to a defined IPv6 prefix. This manufactured IPv6 address enables the querying host to connect to a NAT64 gateway which will terminate the IPv6 connection from the client and map it to an outbound IPv4 connection to the appended IPv4 address, completing the connection! Whew! BIND offers a number of useful parameters within the dns64 statement to control this process. The statement syntax is: dns64 IPv6_prefix { [clients {address_match_list };] [mapped {address_match_list };] [exclude {address_match_list };] [suffix IPv6_addr;] [recursive-only (yes|no);] [break-dnssec (yes|no);] }; The IPv6_prefix parameter is the prefix to which returned
Read more