Tuesday, February 25, 2020

Introduction to SD-WAN

Software Defined WAN (SD-WAN) is hot nowadays. Why?
Private WAN connections like MPLS are reliable but also expensive. WAN connections are usually a big chunk of the IT budget, so it’s understandable that organizations are interested in replacing their private WAN connections with regular Internet connections to reduce costs.


To understand SD-WAN, we first have to talk about some “problems” with traditional WAN connections. We can choose between private WAN connections or public Internet connections. Let’s compare these two options:
  • Cost: private WAN connections like MPLS are way more expensive than regular Internet connections.
  • Time to deploy: it takes longer to deploy a private WAN connection than a regular Internet connection.
  • SLA: Service providers offer SLAs for private WAN connections that we don’t have for regular Internet connections. There are providers who offer SLAs for “business” class Internet connections, but these are usually way more expensive than regular (consumer) Internet connections.
  • Packet loss: Internet connections have a higher packet loss rate compared to private WAN connections like MPLS.
  • QoS: Internet connections don’t offer any QoS. You can prioritize your outgoing traffic but that’s it, the Internet itself is like the wild west. Private WAN connections often support end-to-end QoS.
The way we use our WAN has also changed throughout the years. Most organizations had an HQ, remote users, and perhaps some branch offices. Branch offices were connected to the HQ with private WAN or VPNs over the Internet. Remote users used remote VPN over the Internet to connect.
[Figure: HQ, branch office, and remote user connected over the Internet and private WAN]
Nowadays, organizations also run their own applications in the cloud instead of on-premises, and they use applications like Office 365 or Gsuite. Our traffic patterns look different now:
[Figure: HQ, branch office, remote user, and cloud connected over the Internet and private WAN]
What about network management? Each router has its own control plane, and we use the CLI to manually create our router configurations “box-by-box”. This is time-consuming and prone to errors. We can use network automation tools to make our lives easier, but the control plane remains decentralized.
SD-WAN promises to save money by using a combination of Internet and private WAN connections and make network management much easier.
One problem with SD-WAN is that each vendor has a different idea about what SD-WAN is. I’ll give you a basic overview of what SD-WAN is about. An SD-WAN solution has parts of the control plane centralized and is built with network automation and orchestration in mind. We create network policies globally and push them to all routers from a central location. You could create a QoS policy and push it to all your 500 branch routers with a single mouse click. We don’t use the CLI anymore. Instead, we have a GUI and use APIs to configure and manage our WAN connections. Some vendors still support a CLI if you want to do some troubleshooting.
We use multiple WAN connections and active/active per-application load-balancing. Let’s say we have a site with a fiber, cable, 4G, and DSL connection. SD-WAN monitors all these WAN connections and keeps track of performance metrics like the throughput and delay. It selects the WAN connection with the lowest latency and highest throughput.
When a certain link fails, it can fail over to the next best option. It can also do this on a per-application level. You could use the fiber connection for traffic to the public cloud and the cable connection for low-priority FTP traffic. It protects traffic over public Internet connections with IPsec.
SD-WAN could be an alternative to an expensive private WAN link with an SLA that promises “five nines” of uptime (99.999%). The idea behind it is that multiple WAN connections are always more reliable than a single WAN connection.
[Figure: SD-WAN site with multiple WAN links to the cloud]

Cisco SD-WAN Solutions

Cisco offers three SD-WAN solutions:
    • Intelligent WAN (IWAN)
    • Meraki SD-WAN
    • Cisco SD-WAN (Viptela)
IWAN is Cisco’s first SD-WAN solution for the ISR platform and intended for hybrid WAN (MPLS and Internet) or Internet-only connections.
Behind the scenes they use some familiar protocols:
Meraki SD-WAN is for existing Meraki customers that are interested in the advantages of SD-WAN. Here are some features that it offers:
  • Apply bandwidth, routing, and security policies from a central location to all WAN connections (MPLS, Internet, 4G, etc.)
  • Centralized network visibility and control.
  • QoS and bandwidth management with Meraki traffic shaping
  • Dynamic policy and performance-based path selection with automatic load balancing.
  • Secure connectivity with cloud applications, remote offices, or datacenters.

Cisco SD-WAN (Viptela)

Cisco acquired Viptela, a major SD-WAN player, in 2017 and re-branded it to Cisco SD-WAN. This is Cisco’s enterprise SD-WAN solution.

Components

This solution consists of four main components and one optional analytics component:
  • vManage (management)
  • vSmart (controller)
  • vEdge (routers)
  • vBond (orchestrator)
  • vAnalytics (analytics)
[Figure: Cisco SD-WAN overview]
Let me explain these components.

vManage

vManage is the Network Management System (NMS) to configure and manage the entire SD-WAN solution. You can use a GUI or REST API to access it. This is where you create device configurations and network policies. vManage also alerts you when there are events or outages.
[Figures: vManage dashboard, vManage network monitoring, and vManage maintenance (software upgrade) screens]

vSmart

vSmart is the control plane of the architecture. vSmart controllers advertise routes, security, and policy information. Cisco SD-WAN uses the proprietary Overlay Management Protocol (OMP) for this. vSmart implements the policies that you configure through vManage.
For example, imagine you create a policy through vManage where real-time voice traffic requires a latency of less than 100 ms. The vSmart controller downloads the policy, converts it into a format suitable for the vEdge routers and then implements it on all vEdge routers.
All vEdge routers peer with a vSmart controller, so it’s a hub and spoke topology. It’s similar to a BGP route reflector or a DMVPN NHRP server. The vSmart controller only lives in the control plane and is never in the data plane.

vEdge

vEdge routers are the software or hardware routers at your sites, and they are responsible for the data plane. vEdge routers connect to a vSmart controller through a Datagram Transport Layer Security (DTLS) connection. If you want to use hardware, you have the following options:
  • Viptela vEdge: 100, 1000, 2000, or 5000 series routers.
  • Cisco ISR and ASR: the IOS XE SD-WAN software image allows you to use Cisco SD-WAN on the ISR 1000, ISR 4000, and ASR 1000 series.
  • Cisco ENCS: similar to the ISR series, you can use the IOS XE SD-WAN software images for the ENCS 5000 series platform.
If you want to use software, you have two options for VMs:
  • vEdge Cloud
  • Cisco Cloud Services Router (CSR)

vBond

vBond is the orchestrator. It authenticates vSmart controllers and vEdge routers and coordinates connectivity between them. It tells vEdge routers where and how to connect to vManage and vSmart controllers. vBond requires a public IP address so that all devices can connect to it. When a vEdge router joins the SD-WAN, the first thing it talks to is the vBond orchestrator.

vAnalytics

vAnalytics is an optional analytics service. It gives you visibility of applications and your infrastructure in the entire SD-WAN. You can use it for forecasting, and it gives you recommendations about your traffic and WAN connections. This can be useful to figure out whether you need to upgrade or downgrade certain WAN connections.

Cloud or on-premises

You can implement Cisco SD-WAN with a combination of cloud and on-premises options:
  • The vEdge routers and vBond orchestrator are available as hardware or VMs.
  • vManage and vSmart controllers are only available as VMs.
You can run the VMs on-premises on ESXi or KVM, or host them at cloud providers like Amazon AWS or Microsoft Azure.

Cloud onRamp

In the traditional model, you find all on-premises infrastructure and applications in a central HQ site or data center. We connect our branch offices in a hub and spoke topology and route all traffic from the branch offices to the HQ or datacenter.
Organizations nowadays often use cloud SaaS applications like Office 365, Gmail, or Salesforce. Instead of running everything on-premises, we also use IaaS services in the public cloud.
The traditional hub and spoke model where we connect and route all branch traffic to the main site or datacenter doesn’t work anymore. Cisco SD-WAN connects sites directly to these SaaS applications or IaaS services using one or more WAN connections.
There are two options:
  • Cloud onRamp SaaS
  • Cloud onRamp IaaS
Cloud onRamp SaaS monitors the performance of all WAN connections from a branch office to a SaaS application. Each path gets a “quality of experience” performance score from 0-10, 10 being the highest score. It makes real-time decisions to choose the best performing path between the end users at the branch office and the SaaS application in the cloud. You can monitor this in the vManage GUI.
Cloud onRamp IaaS extends the SD-WAN network into the public cloud. Through vManage, you can automatically create vEdge cloud routers in the public cloud provider infrastructure. This allows you to connect directly from your on-premises vEdge routers to the vEdge cloud routers at the public cloud provider.
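The per-application path selection described in the SD-WAN introduction (monitor every WAN link, pick the best one per application, fail over when a link dies), the vSmart voice policy (latency under 100 ms) and the 0-10 quality-of-experience score from Cloud onRamp SaaS all come down to the same decision loop. The example below is added here to show that loop in working code; it is not Cisco's implementation, the score weighting and the link measurements are constructed for illustration, and `Link`, `AppPolicy`, `qoe_score`, `select_path` and `plan` are names assumed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Link:          # one monitored WAN connection at a site
    name: str
    up: bool
    latency_ms: float
    loss_pct: float
    throughput_mbps: float

@dataclass
class AppPolicy:     # per-application rules pushed from the controller
    name: str
    max_latency_ms: Optional[float] = None              # e.g. voice: under 100 ms
    preferred: List[str] = field(default_factory=list)  # pinned links, in order

def qoe_score(link: Link) -> float:
    """0-10 path score; the weighting is assumed, not Cisco's formula."""
    if not link.up:
        return 0.0
    lat = max(0.0, 1 - link.latency_ms / 300)    # 10 at 0 ms, 0 at 300 ms
    loss = max(0.0, 1 - link.loss_pct / 5)       # 10 at 0 %, 0 at 5 % loss
    thr = min(1.0, link.throughput_mbps / 100)   # saturates at 100 Mbps
    return round(10 * (0.4 * lat + 0.4 * loss + 0.2 * thr), 1)

def select_path(policy: AppPolicy, links: List[Link]) -> Optional[str]:
    alive = [l for l in links if l.up]           # a failed link is never chosen
    ok = [l for l in alive
          if policy.max_latency_ms is None or l.latency_ms <= policy.max_latency_ms]
    for name in policy.preferred:                # honour the pinned order first
        if any(l.name == name for l in ok):
            return name
    if ok:                                       # else the best measured path
        return max(ok, key=qoe_score).name
    if alive:                                    # SLA unmet: best effort, not blackholed
        return max(alive, key=qoe_score).name
    return None

def plan(links: List[Link], policies: List[AppPolicy]) -> dict:
    """Map each application to the link it should use right now."""
    return {p.name: select_path(p, links) for p in policies}

# constructed sample measurements for one branch site with four WAN links
LINKS = [Link("fiber", True, 12, 0.1, 500), Link("cable", True, 35, 0.5, 100),
         Link("dsl", True, 60, 1.0, 20), Link("4g", True, 120, 2.0, 30)]
POLICIES = [AppPolicy("voice", max_latency_ms=100),
            AppPolicy("cloud", preferred=["fiber", "cable"]),
            AppPolicy("ftp", preferred=["cable", "dsl"])]
```

Call `plan(LINKS, POLICIES)`, then mark the fiber link down and call it again: cloud traffic moves to cable, and voice keeps the latency bound by skipping the 4G link.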
