- 2 November 2016 13:47
How SD-WAN segmentation cuts network complexity
There are multiple reasons why the IT industry is so excited about software-defined wide area network (SD-WAN) solutions. Particularly compelling is the potential cost saving of leveraging broadband internet connections securely and with high reliability.
But the true value of an SD-WAN encompasses many more benefits including agility, security and application Quality of Service (QoS).
Most SD-WAN solutions operate as an overlay to the underlying physical topology, which makes them ideal for extending the concept of segmentation out of the data centre, across the WAN and into branch offices.
Like VMware’s NSX (or other network virtualisation technologies) in the data centre, SD-WAN virtual overlays abstract the physical underlying transport services from the control and application layers.
However, unlike NSX, which can create thousands of microsegments to potentially segment every user-to-application session, users of advanced SD-WAN solutions typically configure only a handful of segments, or virtual WAN overlays, which keeps administration complexity from becoming unwieldy.
Simpler WAN admin
It is beneficial to think of virtual WAN overlays in the context of security and quality of service (QoS) policy templates or profiles that align to business application requirements. Each advanced SD-WAN overlay comprises a set of 256-bit AES encrypted tunnels. Each overlay is defined uniquely with different parameters to connect users to applications based on business intent. And each overlay may be defined to use any combination of underlying transport resources, enabling organisations to categorise and prioritise applications.
For example, one overlay might be created and assigned for VoIP and video application traffic. This communication overlay or ‘segment’ would typically be configured as a full mesh topology to interconnect all sites, fully leveraging both MPLS and broadband connections simultaneously using path conditioning to ensure high availability, and with stringent brown-out thresholds to intelligently and dynamically minimise latency and jitter.
Another segment might be defined for business-critical applications. This virtual WAN overlay would be configured as a dual hub-and-spoke topology with QoS parameters programmed to deliver high throughput and perhaps even optional WAN optimisation for application acceleration. Another segment might be created for guest wi-fi traffic, defined for ‘best efforts’ internet access that only utilises the inexpensive broadband underlay, reserving MPLS services for the more critical applications described above.
Finally, a fourth overlay could be defined solely for financial applications or healthcare records applications. This overlay would also have QoS parameters defined, but its main purpose would be to securely isolate specific types of application traffic for the highest levels of security, helping an enterprise maintain compliance with regulatory mandates.
The centralised control of SD-WAN also enables management efficiencies and consistency of policies. Because such a solution is managed by a central orchestrator, any new applications that must be mapped to an overlay, or any changes to the parameters defining the QoS and security policies for a virtual WAN overlay, are programmed once and then pushed to hundreds or even thousands of locations across the WAN. This reduces operational complexity, cost and the potential for human error.
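As an added example (not part of the article and not Silver Peak's product or configuration syntax), the four overlays described above modelled as one central policy in Python: each segment's topology and permitted transports expand into the per-site tunnel list, a flow is admitted only inside the segment its application maps to, and the constraints the text states are checked before the policy is pushed. Overlay, application and site names are constructed.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Overlay:
    name: str
    topology: str           # "full_mesh" or "hub_spoke"
    transports: frozenset   # underlay links this segment may carry traffic on
    isolated: bool = False  # regulated data: traffic never leaves this segment

# Constructed sample policy mirroring the four overlays in the text (hypothetical names).
OVERLAYS = {
    "voice_video":       Overlay("voice_video", "full_mesh", frozenset({"mpls", "broadband"})),
    "business_critical": Overlay("business_critical", "hub_spoke", frozenset({"mpls", "broadband"})),
    "guest_wifi":        Overlay("guest_wifi", "hub_spoke", frozenset({"broadband"})),
    "regulated":         Overlay("regulated", "hub_spoke", frozenset({"mpls"}), isolated=True),
}
APP_TO_OVERLAY = {"sip": "voice_video", "erp": "business_critical",
                  "guest_web": "guest_wifi", "ehr": "regulated"}

def overlay_for(app):
    """Central app-to-segment mapping; an unmapped app gets no overlay (fail closed)."""
    return OVERLAYS.get(APP_TO_OVERLAY.get(app))

def tunnels(overlay, sites, hubs):
    """Encrypted tunnels the topology implies: one per site pair per permitted transport."""
    if overlay.topology == "full_mesh":
        pairs = combinations(sorted(sites), 2)
    else:  # dual hub and spoke: every spoke connects to each hub
        pairs = ((h, s) for h in hubs for s in sites if s not in hubs)
    return {(a, b, t) for a, b in pairs for t in sorted(overlay.transports)}

def site_config(site, sites, hubs):
    """Per-site slice of the single central policy: tunnels this site terminates, by overlay."""
    return {name: sorted(t for t in tunnels(o, sites, hubs) if site in t[:2])
            for name, o in OVERLAYS.items()}

def flow_permitted(app, src_overlay, dst_overlay):
    """A flow is carried only inside the overlay its application maps to; nothing crosses segments."""
    target = overlay_for(app)
    return target is not None and src_overlay == dst_overlay == target.name

def lint_policy():
    """Check the constraints stated in the text before the policy is pushed to every site."""
    problems = []
    if OVERLAYS["guest_wifi"].transports != frozenset({"broadband"}):
        problems.append("guest_wifi must ride the broadband underlay only")
    if not OVERLAYS["regulated"].isolated:
        problems.append("regulated overlay must be marked isolated")
    return problems
```

With five sites and two hubs, `site_config("br1", ...)` shows the branch terminating eight voice tunnels (full mesh on both transports) but only two regulated tunnels (MPLS to each hub), the same policy rendered per location.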
For more information
David Frost, PR Deadlines, for Silver Peak. +61.2.7903 9567 email@example.com