About a year and a half ago, some Texas employees of the Federal National Mortgage Association (Fannie Mae) were leaving work early to work at home over the enterprise VPN because it gave them better application performance and less congestion than the office network.

That’s also when the agency started moving toward a cloud-first environment and away from its legacy hub-and-spoke WAN.

“When we started this project the data center was still the center of the universe, where all traffic would be sent back through the data center, which was really inefficient,” said Ken Reddick, Director of Network Engineering at Fannie Mae. “What we are moving to is a cloud-edge environment where user traffic is now sent directly where it needs to go without hitting the data center, and what that has brought us is a four-fold increase in network performance and cut latency by 50%.”

The cloud-edge project is about 70% complete and involves replacing Cisco ISR/ASR-based hardware with Cisco’s SD-WAN powered by Viptela appliances and software to create an intelligent SD-WAN environment. That system will ultimately tie together some 15,000 employees and partners in about 18 offices with Fannie Mae’s ever-growing AWS and Azure cloud resources. Key network hubs include two Equinix regional co-location facilities and Fannie Mae’s Washington, D.C., headquarters.

Fannie Mae’s primary application is known as desktop underwriting, an automated approval system that calculates loan requirements. Together with its partners, Fannie Mae’s mission is to provide homeowners, homebuyers and renters across the country with access to affordable financing opportunities.

MPLS still plays a role

The SD-WAN project supports a hybrid mesh of MPLS and direct internet access (DIA) across the country, Reddick said. “We decided to keep the MPLS plumbing we had but add a DIA option, and the software can decide which route to take based on policies and traffic patterns.”

The company’s traffic patterns shifted dramatically earlier this year with the work-from-home requirements forced on Fannie Mae by the COVID-19 outbreak. But the SD-WAN and cloud environment was up to the task, Reddick said. A week before Reddick’s team of about 40 IT workers got the call that everybody would be working from home, it had been conducting work-from-home tests on the network with about half the company, and it was going well, Reddick said. “Then we got the call that this was no longer a test but a reality.”

“Everyone being forced to work from home accelerated our cloud/edge strategy, but we were already prepared for a change in traffic patterns and capacity so it was pretty straightforward as the traffic to the cloud shifted from being in the offices to coming from home,” Reddick said.

Now one of the biggest challenges is managing latency to provide sufficient QoS for voice and video, Reddick said. “MPLS has a lot of features to manage for that, but adding the DIA, which doesn’t have the intelligence of MPLS, is a challenge.”

“What we want to do is build on that SD-WAN intelligence so we don’t have to constantly touch and tune it. Ultimately the SD-WAN platform will learn based on end user traffic patterns and behavior and the response it’s getting from applications,” Reddick said. “Building toward an intelligent edge is where we are going.”

Zero-trust security

Another challenge is security, mostly brought on by the increased use of DIA, Reddick said. The legacy hub-and-spoke environment provided centralized controls, but with the SD-WAN, “you need security products and technology that brings all of that to the edge without breaking the bank.”

That has led the company to embark on a zero-trust path that involves the vManage platform and services such as Zscaler’s cloud-security platform that provide secure connections between users and cloud-based applications. Zero trust is an approach to securing authentication and access while offering segmentation and policy-setting capabilities across an organization’s networks and applications.

“We are pretty early on in the zero-trust work but you can see even the most mundane things – such as how do you handle print services that many users need and are on the trusted side of the environment, but users of print services can be on the untrusted side. Lots of things like that need to be set up properly to secure them,” Reddick said.

The company still predominantly depends on VPN technology for security now, but the mix is changing, he said. “We feel that as we move forward in our cloud journey that our reliance on VPNs will diminish and we’ll move toward technologies such as [zero trust] connection brokers and private access,” Reddick said.

While the SD-WAN portion of Fannie Mae is undergoing a major change, its data center is also morphing toward the cloud.

The company is moving toward Cisco’s Application Centric Infrastructure (ACI) technology on its core Nexus switches. ACI is Cisco’s flagship software that promises to help customers grow and control hybrid, multi-cloud and SD-WAN environments. It also delivers the company’s Intent-Based Networking technology, which brings customers the ability to automatically implement network and policy changes on the fly and ensure data delivery.

“We expect eventually to transform our data-center fabric and manage everything from a central overlay that helps us implement automation, provisioning and segmentation. The idea is to be agile to meet demand no matter what the vector is,” Reddick said.