
Software-defined wide area networks
Versatile Connections
The term "software-defined" usually refers to a technology that entered the IT market in the 2000s: virtualization. Although virtualization has been customary in a server environment for many years, the question arises as to how such basic structures as wide area network (WAN) routes can be virtualized and what their inherent benefits might be. A software-defined WAN (SD-WAN) comprises multiple components:
- Virtualization: frees the network from the physical infrastructure.
- Zero-touch provisioning: allows the timely addition of routes to the virtual infrastructure.
- Centralized management, automation, and the technologies of dynamic path conditioning.
- WAN optimization technologies: compression and deduplication, as well as high-speed TCP packet order correction and forward error correction.
Some manufacturers do without the last set of technologies; however, two vendors that shaped the field, Silver Peak [1] and Riverbed [2], come from exactly this sector and continue to use their (partly) patented technologies in this new product line.
Network virtualization is the basis on which SD-WANs are built. At this level, the overlay network (logical connections) abstracts itself from the underlay network (physical connections). Examples of underlay networks include private multiprotocol label-switching (MPLS) networks leased from providers, directly leased point-to-point routes, and simple xDSL (i.e., ADSL, SDSL, etc.), cable, and LTE/UMTS Internet connections.
Separating the Network Layers
A well-known technology separates the underlay networks from the logical (overlay) network: VPN connections, which on all well-known SD-WAN products are IPsec tunnels with 256-bit (AES-256) encryption. These VPN connections form the underlay tunnel through which the sites exchange data. On its own, this abstraction adds nothing to the dynamics of the WAN routes, but it is what makes plain Internet connections usable for site-to-site links: the IPsec tunnel supplies the confidentiality and integrity that the public path lacks.
Another abstraction layer is added to gain more flexibility. Above the underlay tunnel, more tunnels (i.e., the overlay tunnels) span the locations. These tunnels use encapsulation-only protocols; all manufacturers currently use generic routing encapsulation (GRE), which includes no security features (neither encryption nor authentication) and therefore provides only logical separation of the data paths. Keep that distinction in mind: a GRE key or tunnel ID is an administrative label, not a security boundary, and the traffic inside an overlay tunnel is protected exactly as well as the underlay IPsec tunnel beneath it and no better. The overlay tunnels are configured and optimized according to application profile and purpose and rely on one or more underlay tunnels to provide the connections. The sum of all overlay tunnels, together with their parameters, forms the virtualized overlay network, which is decoupled from the physical networks.
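To make the "encapsulation only" point concrete, here is an added example (not code from the article or from any SD-WAN vendor) that builds and parses a GRE packet as defined in RFC 2784/2890, carrying a constructed IPv4/UDP datagram. The inspection function shows what anyone on the underlay path can read if the GRE overlay is not wrapped in IPsec, and the retag function shows that the GRE key can be rewritten freely because nothing in the header is authenticated. All addresses, keys and payloads are made-up sample data.

```python
import struct
import ipaddress
from typing import Optional

# GRE header flag bits (RFC 2784/2890) and the EtherType of an IPv4 payload.
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000
ETHERTYPE_IPV4 = 0x0800


def _checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_gre(payload: bytes, key: Optional[int] = None, seq: Optional[int] = None,
              proto: int = ETHERTYPE_IPV4) -> bytes:
    """Wrap a payload in a GRE header; key and sequence number are optional."""
    flags, opts = 0, b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQUENCE
        opts += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + opts + payload


def parse_gre(pkt: bytes) -> dict:
    """Walk the GRE header and return its fields plus the untouched payload."""
    flags, proto = struct.unpack_from("!HH", pkt, 0)
    if flags & 0x7:
        raise ValueError("only GRE version 0 is handled here")
    info, off = {"proto": proto, "key": None, "seq": None}, 4
    if flags & GRE_FLAG_CHECKSUM:      # 2-byte checksum plus 2 reserved bytes
        off += 4
    if flags & GRE_FLAG_KEY:
        info["key"] = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if flags & GRE_FLAG_SEQUENCE:
        info["seq"] = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    info["payload"] = pkt[off:]
    return info


def inspect_overlay_packet(pkt: bytes) -> dict:
    """What an observer on the underlay sees when GRE is not inside IPsec."""
    gre = parse_gre(pkt)
    if gre["proto"] != ETHERTYPE_IPV4:
        raise ValueError("non-IPv4 payload")
    hdr = struct.unpack_from("!BBHHHBBH4s4s", gre["payload"], 0)
    ihl = (hdr[0] & 0x0F) * 4
    if _checksum(gre["payload"][:ihl]) != 0:
        raise ValueError("bad inner IPv4 header checksum")
    return {
        "key": gre["key"], "seq": gre["seq"],
        "inner_src": str(ipaddress.IPv4Address(hdr[8])),
        "inner_dst": str(ipaddress.IPv4Address(hdr[9])),
        "inner_proto": hdr[6],
        "inner_payload": gre["payload"][ihl:],
    }


def retag_overlay(pkt: bytes, new_key: int) -> bytes:
    """Move a packet into another overlay by rewriting its GRE key.
    GRE has no authentication, so the receiving end cannot detect this."""
    gre = parse_gre(pkt)
    return build_gre(gre["payload"], key=new_key, seq=gre["seq"], proto=gre["proto"])


if __name__ == "__main__":
    # Constructed sample: site A (10.1.0.5) sends UDP (protocol 17) to site B.
    sample = build_gre(build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello"), key=4242, seq=1)
    print(inspect_overlay_packet(sample))
    print(inspect_overlay_packet(retag_overlay(sample, 7))["key"])
```

The inner addresses, protocol and payload fall out of a 40-line parser with no secrets involved; that is the whole argument for keeping the overlay inside the IPsec underlay tunnel rather than on a bare Internet path.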
Transmission Capacity
At this point, it would be possible to replace individual site connections with other types of connections (e.g., expensive leased lines with less expensive Internet connections or MPLS with a faster LTE link). However, the different characteristics of the lines then play a role. An MPLS route typically has a service-level agreement (SLA) of 0.1 to 0.5 percent packet loss, compared with a connection on the public Internet of 0.5 to 1 percent. If you want to operate sensitive applications such as VoIP, video, or data acquisition systems on these modified routes, this amount of packet loss can quickly cause problems.
Latencies of 50 to 200 ms are also common for intercontinental connections across the Internet and frequently disrupt latency-sensitive applications. Moreover, managing such a mass of tunnels by hand would be extremely complex and would cancel out any advantage gained from the added flexibility.
Automated Network Tunnels
Now the next two basic components of SD-WAN enter the scene: automation and dynamic path conditioning. Automation means that the creation of underlay and overlay tunnels is completely automated in all fully functional SD-WAN solutions. The administrator specifies which sites to connect, and the IPsec configuration is done autonomously, with no need to define keys or exchange certificates; the systems handle this work. That convenience has a security consequence worth noting: the trust anchor for every tunnel moves to the management plane, so whoever controls the orchestrator can issue or replace the credentials with which the appliances authenticate each other, and it must be protected accordingly.
The overlay tunnels are created as a function of the application profile. Silver Peak coined the term "Business Intent Overlay" for its SD-WAN product line. This defines exactly which applications have which requirements with respect to line bandwidth, packet loss, latency, and jitter. On the basis of these definitions, dynamic path conditioning then comes into its own.
One part of path conditioning is handled by means of load balancing across lines of different bandwidth, latency, and error rate. Previously it was only possible to distribute load in equal proportions across identical lines on the network. The algorithms used in dynamic path conditioning let you, for example, combine an MPLS and an LTE path for an application, which not only allows an increase in the bandwidth, but also provides resilience.
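The two preceding paragraphs describe intent-based path selection in words. The following added example (my own illustration, not Silver Peak's or any vendor's implementation) shows the general algorithm of which the MPLS-plus-LTE case is one instance: each application carries a small intent (latency, loss and jitter limits), each link carries its currently measured characteristics, and the selector returns the eligible links with traffic shares weighted by bandwidth rather than spread equally. It also handles the failure mode the text raises, an MPLS link whose measured loss drifts past the application's limit. The link names, figures and application intents are constructed sample data.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Link:
    """One underlay path with its currently measured characteristics."""
    name: str
    bandwidth_mbps: float
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass
class AppIntent:
    """Per-application requirements, in the spirit of a business intent overlay."""
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


def meets_intent(link: Link, intent: AppIntent) -> bool:
    return (link.latency_ms <= intent.max_latency_ms
            and link.loss_pct <= intent.max_loss_pct
            and link.jitter_ms <= intent.max_jitter_ms)


def select_paths(intent: AppIntent, links: List[Link]) -> dict:
    """Return the links an application may use and the share of traffic each gets.

    Shares are proportional to bandwidth among eligible links (weighted, not
    equal-cost, load balancing). If no link meets the intent, the least-bad link
    is used so traffic is not black-holed, and the result is flagged degraded."""
    eligible = [l for l in links if meets_intent(l, intent)]
    degraded = not eligible
    if degraded:
        eligible = [min(links, key=lambda l: (l.loss_pct, l.latency_ms, l.jitter_ms))]
    total_bw = sum(l.bandwidth_mbps for l in eligible)
    shares = {l.name: l.bandwidth_mbps / total_bw for l in eligible}
    return {"app": intent.name, "shares": shares, "degraded": degraded}


def reroute_on_measurement(intent: AppIntent, links: List[Link], name: str, **measured) -> dict:
    """Apply fresh probe results for one link and recompute the path set."""
    updated = [Link(**{**vars(l), **measured}) if l.name == name else l for l in links]
    return select_paths(intent, updated)


# Constructed sample links: figures are illustrative, not vendor SLAs.
LINKS = [
    Link("mpls", bandwidth_mbps=100, latency_ms=30, loss_pct=0.2, jitter_ms=2),
    Link("lte", bandwidth_mbps=50, latency_ms=60, loss_pct=0.8, jitter_ms=15),
    Link("dsl", bandwidth_mbps=20, latency_ms=120, loss_pct=0.6, jitter_ms=8),
]
VOIP = AppIntent("voip", max_latency_ms=150, max_loss_pct=0.5, max_jitter_ms=10)
VIDEO = AppIntent("video", max_latency_ms=100, max_loss_pct=1.0, max_jitter_ms=20)
BACKUP = AppIntent("backup", max_latency_ms=300, max_loss_pct=2.0, max_jitter_ms=100)

if __name__ == "__main__":
    for intent in (VOIP, VIDEO, BACKUP):
        print(select_paths(intent, LINKS))
    # MPLS probe now reports 1.5 percent loss: VoIP falls back to the least-bad link.
    print(reroute_on_measurement(VOIP, LINKS, "mpls", loss_pct=1.5))
```

With these figures, VoIP stays on MPLS alone, video is spread across MPLS and LTE in a 2:1 ratio, and the bulk backup uses all three links. A real product would add hysteresis so that a single bad probe does not flap traffic between links; that is omitted here for clarity.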
Minimal Packet Loss
With the help of the WAN optimization technologies forward error correction and packet order correction, packet loss on the various lines can be minimized. Forward error correction is, put simply, RAID parity from the storage sector applied to network packets. The sender groups packets into blocks and adds a parity packet to each block, for example one parity packet after every four data packets, so that every fifth packet on the wire is parity. If one of the four data packets is lost, the receiver reconstructs it from the three that arrived and the parity packet, without any retransmission. Note the limits: the repair is complete only for a single loss per block, two lost packets in the same block cannot be recovered, and the parity costs extra bandwidth (25 percent in the 4+1 example).
Packet order correction holds packets in a buffer and delivers them in their original order, which prevents spurious TCP retransmissions and thus increases the reliability and effective bandwidth of the lines. Because forward error correction makes the transmission almost lossless, the reorder buffer rarely has to wait for a missing packet, so the latency it adds stays small. Other WAN optimization technologies can be used in an SD-WAN environment, but they are not necessarily assumed. Compression and deduplication, for example, increase the effective bandwidth of the connections. In some networks, 1:10 reduction ratios are achieved; average ratios of 1:5 are not uncommon.
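The two mechanisms just described are small enough to show end to end. The following added example (written for this article, not taken from any product) implements XOR parity forward error correction over blocks of k fixed-size packets, including the two cases the text warns about (one loss per block is repaired, two losses in one block are not), and a reorder buffer that releases packets in sequence and skips a gap only once it has held more than a configurable number of later packets. Packet contents, sequence numbers and the loss pattern are constructed.

```python
from functools import reduce
from operator import xor
from typing import Dict, List, Tuple


def xor_bytes(*parts: bytes) -> bytes:
    """Bytewise XOR of equally long byte strings (the 'parity' operation)."""
    return bytes(reduce(xor, col) for col in zip(*parts))


def fec_encode(payloads: List[bytes], k: int = 4) -> List[dict]:
    """Emit data frames plus one XOR parity frame per block of k packets."""
    size = len(payloads[0])
    if any(len(p) != size for p in payloads):
        raise ValueError("this toy FEC needs fixed-size payloads")
    frames = []
    for start in range(0, len(payloads), k):
        block = payloads[start:start + k]
        for i, p in enumerate(block):
            frames.append({"seq": start + i, "block": start // k, "idx": i, "data": p})
        frames.append({"seq": None, "block": start // k, "idx": "parity",
                       "data": xor_bytes(*block)})
    return frames


def fec_decode(frames: List[dict], n: int, k: int = 4) -> Tuple[Dict[int, bytes], List[int]]:
    """Rebuild the n original packets; return (recovered by seq, unrecoverable seqs)."""
    blocks: Dict[int, dict] = {}
    for f in frames:
        blocks.setdefault(f["block"], {})[f["idx"]] = f["data"]
    recovered, lost = {}, []
    for b in range((n + k - 1) // k):
        expected = list(range(min(k, n - b * k)))
        have = blocks.get(b, {})
        missing = [i for i in expected if i not in have]
        if len(missing) == 1 and "parity" in have:
            # XOR of parity with the surviving data packets yields the lost one.
            present = [have[i] for i in expected if i in have]
            have[missing[0]] = xor_bytes(have["parity"], *present)
            missing = []
        recovered.update({b * k + i: have[i] for i in expected if i in have})
        lost += [b * k + i for i in missing]
    return recovered, lost


class ReorderBuffer:
    """Release packets strictly in sequence; give up on a gap once max_hold
    later packets are waiting behind it (a real device would use a timer)."""

    def __init__(self, max_hold: int = 8):
        self.next_seq, self.pending, self.max_hold = 0, {}, max_hold

    def push(self, seq: int, payload: bytes) -> List[bytes]:
        if seq < self.next_seq:          # duplicate or already skipped
            return []
        self.pending[seq] = payload
        out = self._drain()
        if len(self.pending) > self.max_hold:
            self.next_seq = min(self.pending)   # declare the gap lost
            out += self._drain()
        return out

    def _drain(self) -> List[bytes]:
        out = []
        while self.next_seq in self.pending:
            out.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
        return out


if __name__ == "__main__":
    # Constructed sample: eight 8-byte packets, two losses in different blocks.
    packets = [bytes([i]) * 8 for i in range(8)]
    wire = fec_encode(packets, k=4)
    arrived = [f for f in wire if f["seq"] not in (2, 5)]
    print(fec_decode(arrived, n=8, k=4)[1])       # [] : both losses repaired
    arrived = [f for f in wire if f["seq"] not in (2, 3)]
    print(fec_decode(arrived, n=8, k=4)[1])       # [2, 3] : same block, unrecoverable
```

The parity frame costs one extra packet per block, so k=4 adds 25 percent to the line load; raising k cuts the overhead but widens the window in which a second loss defeats the repair.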
Autonomous Provisioning
To use such an SD-WAN in a global enterprise, two components are still missing: automatic provisioning and centralized management. All SD-WAN appliances have an automatic provisioning option. The appliances, whether virtual or physical, find their management interface practically by themselves, because each has Internet access from the site where it is installed. An appliance first contacts a cloud portal on the manufacturer's servers; because the management solution also registers with this portal, the portal can hand the appliance the IP address of the centralized management. The SD-WAN products on the market implement the communication between management solution, appliances, and cloud portal over HTTPS. The caveat a practitioner should keep in mind is that this bootstrap rests on the appliance validating the portal's TLS certificate and on the vendor identifying the appliance (for example, by serial number or activation key), so the vendor's portal becomes part of your trust chain.
Centralized management provides an overview of all SD-WAN routes, the individual appliances, and the various connected WAN routes. Latencies, packet loss rates, and, if a WAN optimization technology is used, data reduction rates are usually displayed as well. Thus, you can analyze the bandwidth used between locations and identify weak spots in your WAN topology. Drilling down to individual flows across the WAN is possible for troubleshooting, which gives you comprehensive insight into the traffic on your enterprise WAN for the first time.
The appliances – at least those manufactured by Silver Peak – are maintained through templates and profiles so that a large number of locations and endpoints can be configured simply. Of course, the management solution also enables direct access to the individual components to allow for site-specific changes. Moreover, the manufacturers offer extensive reporting functionalities, so you can report on the utilization of WAN routes to enterprise management and, if necessary, apply for budget resources to make changes to the site connections.
Conclusions
SD-WAN products allow companies to reduce costs for their WAN routes while improving availability. As the administrator, you gain freedom from the underlying infrastructure while boosting visibility and control.