Managing global WANs in multinational enterprises


Multinational enterprises face unique challenges when it comes to managing their WANs. Since they operate in many countries, these companies must reconcile different services from different service providers. For example, most IP VPNs are based on MPLS technology that cannot easily extend beyond each carrier's network. As a result, large enterprises outsource their entire global WAN to a single large carrier, which then has to patch together the most cost-effective offerings from regional providers.

This challenge is being further complicated by a number of trends.

First, the Internet is disintermediating the traditional approach of using a centralized data center to support all applications. Current centralized architectures were designed for fixed network topologies with only a few applications, like voice and video, requiring site-to-site connectivity. Since Internet-based services have become the new normal, enterprises need to provide a better user experience by making the Internet an integral part of their WAN.

Second, customers have been left with two options: either increase MPLS bandwidth, which is cost prohibitive, or supplement MPLS with Internet-based connectivity. Since the Internet is an untrusted WAN transport, using it as part of a corporate backbone requires a lot of planning to secure dynamic connectivity. In many cases, retail and financial institutions have deployed separate networks with local Internet exit to offload certain traffic, such as guest Wi-Fi. This is done to preserve bandwidth for the corporate branch and also to segment guest traffic for security and compliance reasons.


To take advantage of commodity Internet connections that can increase bandwidth up to 100 times and reduce WAN costs from 30% to 75%, companies must apply security to every new network element in a point-by-point manner. Obviously, this approach does not scale and eliminates operational savings of using the Internet as a part of the corporate wide-area backbone.

Third, currently all traffic originating from a remote router must pass through service nodes such as IPS, IDS and firewalls. This technique reduces the life expectancy of network service elements. As we transition networks from defined topologies to dynamic topologies, voice and video should not have to pass through these service elements; only data should. With virtualization techniques, we can build topologies so that only relevant application traffic is passed through relevant network elements.

Building a WAN that can accommodate dynamic, arbitrary topologies and a fluid data plane across any kind of transport (Internet, MPLS, LTE, etc.) requires a policy-driven infrastructure. Traditionally, enterprise WANs have been limited by the capabilities of the carrier that provides their MPLS service. In order to use the Internet as a secure WAN, enterprises are forced to emulate a physical network that relies on shared subnet addressing, point-to-point security, and so on. This architecture limits the scale and mobility of the WAN for supporting cloud applications.

One way to overcome these limitations is to use SDN overlay techniques. This allows algorithms used to compute optimal paths to be removed from networking hardware. Eliminating the peer-to-peer control plane can significantly reduce policy and configuration. Removing computationally intensive operations from every router can extend the data plane life of these devices.

Meanwhile, moving intelligence to centralized controllers provides more flexible policy models. This approach can even be used to program stateless data plane devices that can connect a diverse set of networks owned by separate carriers.


On the service provider side, carriers can use SDN to offer enterprises different circuits. For example, a single carrier can offer MPLS, Internet as a secure transport, and LTE for complete path diversity. They can also provide real-time path selection based on predefined application flow characteristics: the network can be programmed to detect congestion, failure, loss and latency in the data plane, and react without injecting other explicit paths through the control plane. Traffic could be redirected to alternate paths in a few hundred milliseconds. Furthermore, this application-aware path selection approach provides virtual quality of service without forcing all carriers to honor marking across peering locations.
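The two policy ideas above, steering only data traffic through service nodes while voice and video bypass them, and selecting a transport per application from measured loss and latency, can be expressed as a small policy engine. This is an added example, not code from the article or from any vendor; the transport names, SLA thresholds, service-node names and all measurements are constructed.

```python
# Added example (not the article's or any vendor's code): policy-driven hybrid WAN
# path selection and service chaining. Transport names, SLA thresholds, service-node
# names and all measured metrics are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Sla:
    max_loss: float       # percent
    max_latency: float    # milliseconds
    allowed: tuple        # transports in order of preference
    inspect: bool         # steer through firewall/IPS service nodes?

@dataclass
class PathStats:
    loss: float           # percent, measured in the data plane
    latency: float        # milliseconds
    up: bool = True

# Constructed policy: voice/video are loss-sensitive and bypass service nodes;
# bulk data tolerates more, prefers cheap Internet transport and is always inspected.
POLICY = {
    "voice": Sla(1.0, 150, ("mpls", "internet", "lte"), inspect=False),
    "video": Sla(2.0, 200, ("mpls", "internet", "lte"), inspect=False),
    "data":  Sla(5.0, 400, ("internet", "mpls", "lte"), inspect=True),
}
SERVICE_CHAIN = ("firewall", "ips")   # constructed service-node names

def service_chain(app):
    """Service nodes a flow of this class must traverse; empty tuple means bypass."""
    sla = POLICY.get(app)
    return SERVICE_CHAIN if sla and sla.inspect else ()

def select_path(app, stats, current=None):
    """Pick a transport for `app` from measured `stats` ({name: PathStats}).
    Stays on `current` while it meets the SLA (no flapping); otherwise fails over to
    the first compliant transport, or the least-bad live one; None if nothing is up."""
    sla = POLICY.get(app)
    if sla is None:
        return None
    def meets(name):
        s = stats.get(name)
        return bool(s and s.up and s.loss <= sla.max_loss and s.latency <= sla.max_latency)
    if current and meets(current):
        return current
    for name in sla.allowed:
        if meets(name):
            return name
    live = [n for n in sla.allowed if n in stats and stats[n].up]
    return min(live, key=lambda n: (stats[n].loss, stats[n].latency)) if live else None
```

Feeding the selector fresh `PathStats` on each measurement interval gives the sub-second failover the text describes, with the `current` argument preventing oscillation between transports that are both within SLA.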

Cloud computing is forcing the once static WAN to transition from defined topologies to dynamic topologies. From both an enterprise and carrier perspective, managing global WANs in the age of the Internet requires the ability to unify different carrier networks as well as a mix of transport technologies. With the advent of SDN, it is possible for existing infrastructures to support hybrid-WAN services without the burden of patching together a diverse set of technologies.

Copyright © 2015 IDG Communications, Inc.
