- Jim Metzler, Ashton Metzler & Associates
- Distinguished Research Fellow and Co-Founder
- Webtorials Analyst Division
Until recently, there hadn't been a fundamentally new WAN technology or service introduced into the market for over a decade. Driven by the lack of viable alternatives, over the last ten years the vast majority of network organizations implemented a branch office WAN based on each branch office having either a T1 link or a set of bonded T1 links that provide access to a service provider's MPLS network and having one or more higher speed links at each data center. In this design, it is common to have a variety of dedicated appliances in each branch office and to also backhaul all or some of a company's Internet traffic over the MPLS network to a data center before handing it off to the Internet.
I recently published The 2015 Guide to WAN Architecture and Design, which I encourage each of you to read. In that WAN report I described a hypothetical company called NeedToChange (NTC) which runs a traditional WAN and I had the sponsors of the report describe how NTC should evolve its WAN. As the responses from the sponsors indicate, network organizations today are facing a large and growing set of WAN architectural alternatives that they need to evaluate and determine which makes the most sense for them.
What I am now going to do is to start a 6 week long discussion of WAN architectures with the sponsors of the WAN architecture report. More specifically, I will post a series of three question to the sponsors and give them two weeks to respond to each question.
Readers are encouraged to join the discussion below by clicking on the "Reply" link at the end of any comment. For background, please see The 2015 Guide to WAN Architecture and Design.
Ok, let’s get started.
The first question is: What are the key features of your company’s WAN solution?
Today's WANs are complex to operate and are both time consuming and cumbersome to augment. With our SD-WAN solution Virtualized Network Services (VNS) we set out to completely change the way businesses deploy and manage their wide area environment.
Before I run through some of the key features of VNS I’d like to highlight four of the key pain points with todays WAN environments we identified.
• Maintaining a real time view of the running configuration, routes used, addresses/subnets/VLAN tags consumed and the firewall/ACL rules deployed; think about the many Excel spreadsheets the network team maintains…
• The management and monitoring of the ACL’s and firewalls at the branches, HQ and data centers and the care and feeding of the mix of in-router features and dedicated appliances that protect the business traffic and enforce security framework.
• The cyclic pressure to rip and replace the existing branch hardware when bandwidth is increased or new features are deployed.
• The day-to-day pressures to squeeze every last drop of the scarce bandwidth resources and deliver a consistent network experience to an ever changing IT application environment.
To address these issues we based VNS on a three tier SDN based solution set. There is a central policy manager where we store templates and policies for the network, a set of SDN controllers that manage the control plane of the WAN, and lastly the branch software that performs the data plane functions issued by the SDN controllers.
This solution architecture then addresses the pain points from above by:
• Site additions are automated by VNS via its centralized policy manager. All you do to set up a new site is to complete some basic information on the location and branch type, select the functionality to be deployed from your template of networking and security polices and ship the branch hardware to the site. As the information is stored centrally the network team has full visibility in to the running configuration (routing topology, L2 and L3 addresses in use and the security policies deployed).
• VNS provides a different model that increases the micro-segmentation of the security within and across the whole WAN environment. With its comprehensive policy framework, data and location security are centrally controlled and pushed to the branch as a core function of the WAN service. If sites require encryption, you simply enable it on the VNS policy manager and instantly the traffic to and from the site is encrypted. The same applies to firewall rules; if a new rule is required due to business policy change or a new application rollout, via the central manager you select the new rule, the sites to deploy and push the button.
• The branch hardware used with VNS is based on open compute. That’s the same x86 architectures you use in your data centers today, and you know the investment advantage you got from moving to open compute there. With VNS we bring the same investment flexibility to the branch. Since its based on standard off the shelf hardware you have the choice, use Nuage Networks branch hardware or deploy the software at the branch on any suitable x86 based compute you have on hand.
• With VNS you get the choice to augment that bandwidth with any connectivity available at the location. With our intelligent traffic steering you can set the branch (via our centralized policy manager) to send your business critical traffic via your premium circuit and to securely offload the more bursty non-critical traffic to another link including the Internet or even mobile broadband. Another area where VNS can utilize alternative bandwidth options at the branch is to improve the availability of your branches. As VNS can utilize any available access technology you can augment your primary branch connection with alternatives. In the event of a failure of the primary connection VNS will automatically invoke the backup circuit and reroute your branch back into the corporate network.
This is a limited view of the complete feature set of VNS but we think that resolving the key pain points of today's WAN including; adding sites, maintaining real-time documentation, enforcing security, and opening up alternative bandwidth options goes a long way to changing the way WAN’s are deployed and managed.
Viptela's SD-WAN solution is used by Mid to Large Enterprises and Global Top-10 Service Providers. The important features are:
See a short demo on Seamless Bandwidth Augmentation.
Cisco’s Intelligent WAN (IWAN) solution is designed to deliver an uncompromised user experience over any connection. IWAN is managed by a centralized controller APIC-EM (Application Policy Infrastructure Controller with Enterprise Module) which provides centralized automation and orchestration of your WAN using the following key features:
These key features help organizations optimize their WAN investments with consistency as the volume of content and applications traveling across networks grows exponentially. All of this is done without compromising performance, reliability, or security, while freeing up resources for new and innovative business services.
To learn more about Cisco IWAN, go to www.cisco.com/go/iwan.
Silver Peak Unity EdgeConnect enables enterprises to dramatically reduce the cost and complexity of building a WAN by leveraging broadband to connect users to applications. By empowering customers to use broadband connections to augment or replace their current MPLS networks, Silver Peak improves customer responsiveness, increases application performance, and significantly reduces capital and operational expenses.
A technical overview of our SD-WAN solution--including zero-touch provisioning, packet-based dynamic path control, and business intent overlays--was presented at our 2015 Tech Field Day.
The Unity EdgeConnect solution consist of three components:
• Unity EdgeConnect physical or virtual appliances (supporting any common hypervisor) deployed in branch offices to create a secure, virtual network overlay. This enables customers to move to a broadband WAN at their own pace, whether site-by-site or via a hybrid WAN approach that leverages MPLS and broadband Internet connectivity.
• Unity Orchestrator is included with Unity EdgeConnect appliance deployments and provides unprecedented levels of visibility into both legacy and cloud applications, and the unique ability to centrally assign business intent policies to secure and control all WAN traffic. Policy automation speeds and simplifies the deployment of multiple branch offices.
• Unity Boost is an optional performance pack that accelerates application performance as needed. The Boost component is unique to Unity EdgeConnect and allows companies to improve the performance of specific applications or locations.
The key features of Unity EdgeConnect are:
• Business Intent Overlays – globally defined policies folded into discretely managed virtual topologies. Using the key tenets of SDN and virtualization, these overlays ensure proper end-to-end handling of WAN traffic according to its business intent.
• Zero Touch Provisioning – A plug-and-play deployment model enables Unity EdgeConnect to be deployed at a branch office in seconds, automatically connecting with other Silver Peak instances in the data center, other branches, or in cloud Infrastructure as a Service (IaaS) with the likes of Amazon, Microsoft Azure and VMware’s vCloud Air. Once connected, the EdgeConnect instances register with Unity Orchestrator. Upon registration, local profiles are mapped to the global business intent overlays. This ensures a highly-visible, tightly-controlled, secure, and high-performing enterprise WAN.
• Dynamic Path Control (DPC) – real-time traffic steering over any broadband or MPLS link based on administratively-defined route policies. There may be multiple paths to and from any corporate location, and DPC monitors and adjusts the usage of these paths based on link quality (loss, latency and jitter are measured at the packet level) and any applied policies (associated with an application or group of applications). In the event of an outage or brownout, DPC automatically fails over to a secondary connection in about one second.
• WAN Hardening – With Unity, all data is secured edge-to-edge via 256-bit AES encrypted tunnels. No unauthorized outside traffic is allowed to enter any branch. WAN hardening secures branch offices without the appliance sprawl and operating costs of deploying and managing dedicated firewalls. There are no middle elements encrypting or decrypting traffic.
• Path Conditioning - overcomes the adverse effects of dropped and out-of-order packets that are common with broadband Internet and MPLS connections. Path Conditioning provides private-line-like performance over the public Internet.
• Cloud Intelligence – tracks and delivers SaaS application data to enable real-time updates on the best performing path to reach hundreds of applications, ensuring users connect to their applications in the fastest, most intelligent way available.
Thank you for developing the guide and giving each of us the opportunity to respond.