5 reasons to move to an SD-WAN

Software-defined WANs can save money and improve network performance.


The enterprise WAN has transitioned from dedicated TDM circuits with Frame Relay and ATM, to Packet-over-SONET and MPLS, and now to Ethernet-access services. However, two things have remained constant: WAN bandwidth is still expensive, and provisioning WAN services can take a long time.

In addition, WANs have challenges with backup link utilization, security of remote sites, traffic engineering, Quality of Service (QoS), touchless provisioning, and traffic visibility. These issues and many business drivers are causing companies to re-evaluate their WAN design and deployment and look for opportunities for improvement.

Software-Defined WANs (SD-WAN) offer many advantages that make them compelling.

What is SD-WAN?

Software-Defined has become an overused term, but it basically means software that helps automate manual tasks. Unfortunately, network devices are often manually configured one at a time using SSH (and hopefully not Telnet). We tend to think of Software-Defined Networking (SDN) as focused on building a data-center fabric and providing micro-segmentation.


The SDN concepts of a centralized controller with global network visibility can be applied to an SD-WAN. Network administrators use a controller architecture to create policy and allow the system to take action without explicit manual change control. The controller platform performs policy-based forwarding based on complete information about the current WAN conditions and the company’s application preferences. Global changes can be made immediately and simultaneously without manually logging into each router.

Here are five benefits of SD-WANs:

1. Transport independence

Imagine having the ultimate hybrid vehicle that can run on gasoline, diesel, electricity, CNG, hydrogen, and discarded French fry oil. SD-WANs have a similar characteristic called transport independence. This means that the WAN can be composed of any combination of 3G/4G LTE, MPLS, Internet, Ethernet, Serial, or WiFi service. Having a WAN that can use any type of service allows for quicker installation and more bandwidth options.

The reliability and performance of business-class Internet services have increased over the past decade, and Internet bandwidth costs are low compared to dedicated long-haul private WAN links that use distance-based pricing. High-bandwidth Internet service can be installed in days, rather than the weeks needed for an MPLS circuit.

2. Security

In the past, organizations have assumed that their WANs were secure because there was no way to apply policy to the carrier’s links. The assumption was that the carrier was not inspecting customer traffic and was behaving with the same integrity as a postal carrier. Organizations trust their WANs because there isn't anything they can do to secure them.

Historically, organizations would need to purchase multiple security appliances for each branch office. Older routers lacked spare CPU capabilities to perform this type of firewalling, IPS, and malware protection. Instead, enterprises simply forced all branch traffic back through the primary data center where application security defenses existed.

However, SD-WAN solutions come with many of these security capabilities implemented on-box, which further reduces the total cost of a WAN. SD-WAN systems can integrate with a cloud web content filtering service, making each branch router function like a web proxy server. SD-WAN systems can offer malware defenses and botnet command-and-control intervention for every branch and remote device.

SD-WAN systems can preserve confidentiality by securing data in transit through encryption using IPsec or TLS/DTLS. SD-WAN devices have sufficient compute resources to easily perform high-speed encryption with multipoint GRE (MGRE) and Next-Hop Resolution Protocol (NHRP) for easy-to-configure full-mesh connectivity.

Security also means maintaining availability, and SD-WAN systems do this with dynamic failover across independent WAN services. Security also implies integrity. When each branch device is configured manually, configuration inconsistencies can occur. With SD-WAN, each branch can implement the same security policy and configuration, and out-of-compliance configurations can be easily remediated. SD-WAN systems maintain the integrity of every remote site's configuration by pushing out configurations with full configuration management and automatic roll-back of changes.
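The compliance check and roll-back described above, as an added illustration that is not any SD-WAN vendor's code: a controller compares each site's configuration against a golden policy, reports drift, and only keeps a remediation if a verification step (standing in for a commit-confirm check) succeeds. The policy keys, site names and values are constructed sample data.

```python
"""Configuration-integrity check for branch devices (added example, constructed data)."""
import copy
from typing import Callable, Dict, Tuple

# Golden security policy every branch must match (constructed sample settings).
GOLDEN_POLICY = {
    "ssh": "v2",
    "telnet": "disabled",
    "ipsec": "aes-256-gcm",
    "syslog": "10.0.0.5",
    "snmp": "v3",
}

# Running configurations as the controller last collected them (constructed).
SITE_CONFIGS = {
    "branch-01": {"ssh": "v2", "telnet": "disabled", "ipsec": "aes-256-gcm",
                  "syslog": "10.0.0.5", "snmp": "v3"},
    "branch-02": {"ssh": "v2", "telnet": "enabled", "ipsec": "aes-128-cbc",
                  "syslog": "10.0.0.5", "snmp": "v2c"},
}


def find_drift(site_cfg: Dict[str, str], golden: Dict[str, str] = GOLDEN_POLICY) -> Dict[str, Tuple]:
    """Return {setting: (actual, expected)} for every setting that departs from the golden policy."""
    return {k: (site_cfg.get(k), v) for k, v in golden.items() if site_cfg.get(k) != v}


def compliance_report(sites: Dict[str, Dict[str, str]],
                      golden: Dict[str, str] = GOLDEN_POLICY) -> Dict[str, Dict[str, Tuple]]:
    """Drift per site; an empty dict means the site is compliant."""
    return {name: find_drift(cfg, golden) for name, cfg in sites.items()}


def remediate(site_cfg: Dict[str, str], golden: Dict[str, str],
              verify: Callable[[Dict[str, str]], bool]) -> Tuple[bool, Dict[str, str]]:
    """Push golden values for drifted settings. `verify` models the post-change check a
    controller runs (device still reachable, tunnels still up); if it fails, the previous
    configuration is returned unchanged, i.e. the change is rolled back."""
    drift = find_drift(site_cfg, golden)
    if not drift:
        return True, site_cfg
    candidate = copy.deepcopy(site_cfg)
    candidate.update({k: expected for k, (_, expected) in drift.items()})
    if verify(candidate):
        return True, candidate
    return False, site_cfg
```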

3. Intelligent path control

Companies place tremendous responsibility on the network and its availability. If the network is down, the employees go home for the day. Maintaining redundant networks can be costly; especially when one sits idle most of the time. An important characteristic of an SD-WAN is intelligent path control. SD-WAN systems can use application-based traffic steering to direct connections over any one of the transport options.


These traffic forwarding policies can be created in a centralized controller system and pushed out to all the SD-WAN devices. Policies can be based on IP addresses, application profile or port number, time of day, QoS markings, IP SLA measurements, and near-real-time link utilization, delay, packet loss, and performance thresholds.

SD-WAN solutions can measure the type of WAN service and its characteristics, then adjust traffic forwarding accordingly. SD-WAN solutions can utilize Performance Routing (PfRv3) or proprietary algorithms to determine forwarding preferences and steer traffic toward the headquarters location, an alternate data center, or a cloud service provider.
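Application-based path selection over several transports, as an added example that is not PfRv3 or any vendor's algorithm: each application carries delay and loss thresholds plus a transport preference order, links near saturation are skipped, and when no link meets the SLA the least-lossy link that is still up is used rather than dropping traffic. Link measurements and per-application thresholds are constructed sample values.

```python
"""Policy-based WAN path selection (added example, constructed measurements)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str              # transport: MPLS, Internet, LTE
    up: bool               # liveness from keepalives/probes
    delay_ms: float        # one-way delay from IP SLA style probes
    loss_pct: float        # measured packet loss
    utilization_pct: float # near-real-time link utilization


# Per-application SLA: max delay, max loss, and transport preference order (constructed).
POLICY: Dict[str, dict] = {
    "voice": {"max_delay_ms": 150, "max_loss_pct": 1.0, "prefer": ["MPLS", "Internet", "LTE"]},
    "saas":  {"max_delay_ms": 300, "max_loss_pct": 3.0, "prefer": ["Internet", "MPLS", "LTE"]},
    "bulk":  {"max_delay_ms": 1000, "max_loss_pct": 5.0, "prefer": ["Internet", "LTE", "MPLS"]},
}
MAX_UTIL_PCT = 85.0  # steer new flows away from links approaching saturation


def meets_sla(link: Link, sla: dict) -> bool:
    """True when the link is up, within the app's delay/loss bounds, and not saturated."""
    return (link.up and link.delay_ms <= sla["max_delay_ms"]
            and link.loss_pct <= sla["max_loss_pct"]
            and link.utilization_pct < MAX_UTIL_PCT)


def select_path(app: str, links: List[Link]) -> Optional[str]:
    """Name of the link to forward `app` over, or None if every link is down."""
    sla = POLICY[app]
    by_name = {l.name: l for l in links}
    # Pass 1: preferred transports in order, accepting only those that meet the SLA.
    for name in sla["prefer"]:
        link = by_name.get(name)
        if link is not None and meets_sla(link, sla):
            return name
    # Pass 2: nothing meets the SLA; degrade gracefully to the best live link
    # (least loss, then least delay) instead of blackholing the application.
    live = [l for l in links if l.up]
    if not live:
        return None
    return min(live, key=lambda l: (l.loss_pct, l.delay_ms)).name


# Constructed snapshot: MPLS is clean but saturated, Internet healthy, LTE lossy.
SAMPLE_LINKS = [
    Link("MPLS", True, 40.0, 0.1, 90.0),
    Link("Internet", True, 60.0, 0.5, 30.0),
    Link("LTE", True, 120.0, 2.0, 10.0),
]
```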

4. Improved end user experience

Because a high percentage of business value is generated by branch/remote office employees, getting them online quickly and keeping them productive is paramount. A side benefit of an SD-WAN's transport independence and intelligent path control is that branch employees keep working and get the best application performance. SD-WANs can help automate the creation of full- or partial-mesh topologies to alleviate latency impacts and improve application response times. If end users are accessing a public cloud application, they can use the Internet link and a secure tunnel to reach it directly rather than traversing the corporate WAN back through the headquarters hub.

Maintaining Quality of Service (QoS) settings manually across many branches can be burdensome and causes many organizations to punt and not implement QoS in any useful manner. WAN service providers lack knowledge of the customer’s application traffic crossing their networks and only get a sense of it through packet QoS markings (e.g. DSCP). SD-WAN solutions can be aware of the applications traversing the network with techniques such as Network Based Application Recognition (NBAR) and application fingerprinting. For example, an SD-WAN device would be able to understand which video codec is being used and would choose the best traffic path for that application.

SD-WAN systems can have sophisticated centrally defined but globally distributed QoS policies. Compared with traditional manually configured static QoS policies on routers, SD-WAN QoS policies can be dynamic and easily changed. SD-WAN systems can also integrate local caching, storage replication, WAN optimization and acceleration, compression, and traffic shaping. Traffic avoidance techniques can block unwanted applications and rate-limit greedy application types.

5. Auto-provisioning and management

Enterprises maintain their WANs remotely and minimize IT staff visits to branch locations, except when new branches are installed. Lights-out management sounds cost effective, but organizations need better visibility into WAN traffic patterns. SD-WAN solutions offer zero-touch automated provisioning that makes it easy to ship a device to a site and get the site running without booking an airplane ticket.

SD-WAN devices are sent to sites unconfigured. The device gets connected, boots up using DHCP, PXE or ONIE, obtains an IP address, performs a DNS query, and then tries to reach the centralized/virtualized controller. The device then downloads its policy, crypto certificate and keys, forms adjacencies, and starts to learn traffic patterns. SD-WAN offerings can also use a cloud-based controller system that facilitates provisioning over the Internet. These methods improve recovery from hardware failures by decoupling configuration from the hardware, which makes device replacement painless.

Organizations often lack visibility into WAN application traffic. Even if there is an SLA and class of service in place, WAN carriers do not provide good statistics about their services. Effective monitoring priorities should include up/down monitoring, time-stamped centralized logging, capacity-planning statistics, and application performance metrics.

This data can be collected with NetFlow/IPFIX/sFlow or SNMP. SD-WAN systems can provide detailed application statistics and show the results of their synthetic test traffic measurements. Some SD-WAN systems even possess application performance management (APM) functionality.

Who are the players?

Traditional routers are special-purpose computers with very specialized CPUs and operating systems. SD-WAN devices do not necessarily have to be specialized devices. They could be simple x86 servers with compute resources for applying policy and just a few 1GE NICs. However, x86 hardware and standard operating systems may not be capable of connecting TDM-based synchronous interfaces that require a real-time OS. For example, CloudGenix’s SD-WAN devices only support Ethernet interfaces, because Ethernet has become the dominant WAN interface type.

Traditional router-based solutions have evolved and gained more SD-WAN features. Most notably, Cisco’s Intelligent WAN (IWAN) has all the essential SD-WAN features within its routers. However, IWAN requires faster routers like the ISR G2 2900/3900, ISR 4000, or ASR1000 to perform some of the more CPU-intensive functions.

Some SD-WAN solutions use commodity servers to either replace existing routers or can be used in conjunction with current gear. Companies like Pluribus Networks and Talari use Super Micro’s x86 hardware. Companies like Viptela, CloudGenix, and Sonus Networks use their own custom hardware.

Vendors like VeloCloud have features that direct cloud traffic to specific cloud service providers, thus improving end-user experience for public cloud applications. Some SD-WAN vendors, like FatPipe, have been developed from companies that have traditionally offered WAN bonding and WAN link aggregation solutions.

Several of the traditional WAN optimization vendors are labeling what they have traditionally offered as SD-WAN products. Some of the WAN optimization companies that now have SD-WAN features include: Riverbed, Citrix CloudBridge, and SilverPeak.

SD-WAN vendors also vary based on their licensing models. Cisco offers Cisco ONE licensing options for IWAN routers. Other SD-WAN vendors may be licensed yearly, based on number of sites, amount of interface bandwidth, or even operate like an equipment lease.

There are also several SD-WAN management systems that act as the centralized controller and policy store and perform many of the features of a traditional NMS. Cisco IWAN solutions can use the Cisco Prime Infrastructure (CPI) version 3.0 system or use the Application Policy Infrastructure Controller (APIC) Enterprise Module (APIC-EM). Other popular SD-WAN management platforms include LiveAction and Glue Networks.

Migration to an SD-WAN can range from gradual and consistent to quick and aggressive. It is highly unlikely that even the most cash-flush enterprises could afford to immediately replace all their WAN hardware. It is more likely that upgrades would occur a few sites at a time as old hardware ages out. Some SD-WAN solutions can co-exist with the current routers. Some SD-WAN vendors treat the current IP network as an underlay and can operate in a hybrid deployment. Some SD-WAN solutions can be deployed in a monitor-only mode (like an IDS), then later be put into an active mode (like an IPS) after the organization is comfortable with the solution.

As enterprises continue to do more with less and eke out IT efficiencies, they will be taking a hard look at their WAN costs and link utilization statistics. The SD-WAN market is crowded and vendors are aggressive with pricing and developing new features to remain competitive.

2016 will be the year that most enterprises look to take a step toward SDN with their WANs. Enterprises can benefit financially and operationally from transport independence and intelligent path control, security, auto-provisioning, and increased traffic visibility. End-users will appreciate the improved application performance, intelligent QoS, and traffic optimization. The next step is to determine which SD-WAN product is right for your organization and proceed with deployment.

Scott Hogg is the CTO for Global Technology Resources, Inc. (GTRI). He also writes the Core Networking and Security blog for Network World. He can be reached at scott@hoggnet.com.

Copyright © 2016 IDG Communications, Inc.