Software-Defined WAN (SD-WAN) is fundamentally about separating the control plane from the data plane, allowing for centralized, intelligent management of network traffic across geographically dispersed locations.
Let’s see this in action. Imagine a retail chain with 100 stores and a central data center. Traditionally, each store would have a dedicated MPLS circuit for secure, reliable traffic back to HQ. Internet breakout for local services would be limited or non-existent.
[Store A] --(MPLS)--> [HQ Data Center]
[Store B] --(MPLS)--> [HQ Data Center]
...
[Store Z] --(MPLS)--> [HQ Data Center]
With SD-WAN, we introduce new capabilities:
[Store A] --(Internet/LTE)--> [SD-WAN Appliance @ Store A] --(IPsec Tunnel)--> [SD-WAN Appliance @ HQ]
                                        |
                                        +--(Internet Breakout for SaaS like Office 365)--> [Office 365 Cloud]
                                        |
                                        +--(MPLS/Dedicated Internet for critical apps)--> [HQ Data Center]

[Store B] --(Internet/LTE)--> [SD-WAN Appliance @ Store B] --(IPsec Tunnel)--> [SD-WAN Appliance @ HQ]
                                        |
                                        +--(Internet Breakout for SaaS like Salesforce)--> [Salesforce Cloud]
                                        |
                                        +--(MPLS/Dedicated Internet for critical apps)--> [HQ Data Center]
The SD-WAN appliance at each location (often a physical appliance or a virtual machine) is the data plane. It forwards traffic based on policies. The control plane, however, is centralized, typically in a cloud-based controller or a dedicated cluster at HQ. This controller dictates how traffic should flow.
What problem does this solve?
Traditional WANs are rigid and expensive. MPLS circuits are costly, have long lead times for provisioning, and offer limited flexibility. Direct internet access at branch offices for cloud applications (SaaS, IaaS) was often difficult to implement securely and reliably, leading to backhauling all traffic to the data center, which creates latency and consumes expensive MPLS bandwidth for cloud-bound traffic.
SD-WAN addresses this by:
- Optimizing Traffic Steering: The centralized controller, aware of application types, network conditions (latency, jitter, packet loss), and available transport links (MPLS, broadband internet, LTE), can dynamically steer traffic. For example, latency-sensitive VoIP traffic might be steered onto a low-latency MPLS link, while less sensitive SaaS traffic might be sent over a cheaper broadband connection, potentially even directly from the branch.
- Simplifying Branch Deployment: New branches can be brought online quickly. A pre-configured SD-WAN appliance can be shipped to the site, and upon powering up and connecting to the internet, it automatically establishes a secure tunnel back to the controller and receives its configuration. This eliminates the need for complex on-site IT intervention and lengthy MPLS provisioning.
- Enhancing Application Performance: By intelligently choosing the best path for each application and enabling direct internet breakout for cloud services, SD-WAN reduces latency and improves user experience.
- Improving Security: SD-WAN solutions typically include integrated security features like next-generation firewalls (NGFW), intrusion prevention systems (IPS), and secure VPN tunneling (IPsec) for all traffic, regardless of the underlying transport.
The key components are:
- SD-WAN Edge Devices (Appliance/vEdge): These are deployed at branch offices and data centers. They perform packet forwarding, implement security policies, and establish tunnels.
- SD-WAN Controller: The brain of the operation. It’s a centralized management platform that provides a single pane of glass for configuration, policy definition, and network monitoring. It pushes policies down to the edge devices.
- Orchestrator: Often integrated with the controller, this component handles provisioning, zero-touch deployment, and overall lifecycle management of the SD-WAN devices.
- Transport Independence: SD-WAN can utilize various underlay transport technologies, including MPLS, broadband internet, 4G/5G LTE, and dedicated internet access (DIA).
Here’s a simplified configuration snippet, in Viptela/Cisco IOS XE style, for steering Office 365 traffic on an SD-WAN device:
policy
 application-aware routing
  policy-map "O365-TRAFFIC"
   class-map "MS-Teams-Video"
    match application Microsoft-Teams-Video
   class-map "Office-365-Web"
    match application Office-365-Web
 policy
  service O365-SaaS
   type application-aware
   class "MS-Teams-Video"
    best-effort
    loss-tolerance 1
    delay-tolerance 100
    backup-interface GigabitEthernet0/0/0   ! Primary Internet
    backup-interface GigabitEthernet0/0/1   ! Secondary LTE
   class "Office-365-Web"
    best-effort
    loss-tolerance 5
    delay-tolerance 300
    backup-interface GigabitEthernet0/0/0   ! Primary Internet
    backup-interface GigabitEthernet0/0/1   ! Secondary LTE
This configuration tells the SD-WAN device that if it sees traffic matching Microsoft-Teams-Video, it should prioritize it with low loss and delay tolerances, using the primary internet (GigabitEthernet0/0/0) and failing over to LTE (GigabitEthernet0/0/1) if needed. For general Office 365 web traffic, it has higher tolerances. The service O365-SaaS is a custom service defined to group these application policies.
The most counterintuitive aspect of SD-WAN is how it leverages "unreliable" public internet links to provide a more resilient and performant network than traditional private links alone. By using sophisticated algorithms to measure link quality in real time and rapidly fail over or load-balance traffic across multiple paths, it can actually provide a better experience for applications than a single, expensive, and potentially congested MPLS circuit. The intelligence isn’t in the circuits themselves, but in the software layer managing them.
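To make the path-selection logic behind the snippet and the real-time failover described above concrete, here is an added example (written for this article, not code from any SD-WAN vendor) that models a controller choosing an interface per application class from probe-measured link stats. The class names, tolerances and interface names mirror the snippet; the LinkStats values are constructed, and the "least-degraded" fallback scoring is an assumption of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-class SLA thresholds and ordered path preference (primary first),
# mirroring the O365-SaaS policy above. loss in percent, delay in ms.
SLA_CLASSES = {
    "MS-Teams-Video": {"loss_tolerance": 1.0, "delay_tolerance": 100,
                       "paths": ["GigabitEthernet0/0/0", "GigabitEthernet0/0/1"]},
    "Office-365-Web": {"loss_tolerance": 5.0, "delay_tolerance": 300,
                       "paths": ["GigabitEthernet0/0/0", "GigabitEthernet0/0/1"]},
}

@dataclass
class LinkStats:
    """Constructed probe results for one transport interface (assumed measured by tunnel keepalives)."""
    interface: str
    loss_pct: float   # observed packet loss on the tunnel over the probe window
    delay_ms: float   # observed delay over the same window
    up: bool = True   # False when the tunnel to HQ is down entirely

def meets_sla(link: LinkStats, cls: dict) -> bool:
    return link.up and link.loss_pct <= cls["loss_tolerance"] and link.delay_ms <= cls["delay_tolerance"]

def select_path(app_class: str, links: List[LinkStats]) -> Tuple[Optional[str], bool]:
    """Return (interface, sla_met).

    Walks the class's preference list and returns the first link within tolerance.
    If no link meets the SLA, returns the least-degraded live link with sla_met=False
    so the controller can raise an SLA-violation alert instead of silently steering.
    Returns (None, False) when every path is down.
    """
    cls = SLA_CLASSES[app_class]
    by_name = {l.interface: l for l in links}
    for name in cls["paths"]:
        link = by_name.get(name)
        if link is not None and meets_sla(link, cls):
            return name, True
    live = [by_name[n] for n in cls["paths"] if n in by_name and by_name[n].up]
    if not live:
        return None, False
    # Degradation score: how far the worse of loss/delay sits above its tolerance (lower is better).
    def score(l: LinkStats) -> float:
        return max(l.loss_pct / cls["loss_tolerance"], l.delay_ms / cls["delay_tolerance"])
    return min(live, key=score).interface, False

if __name__ == "__main__":
    probes = [LinkStats("GigabitEthernet0/0/0", 2.0, 150), LinkStats("GigabitEthernet0/0/1", 0.5, 90)]
    print(select_path("MS-Teams-Video", probes))   # Teams fails over to LTE
    print(select_path("Office-365-Web", probes))   # web stays on primary Internet
```

Running the probe loop periodically and acting on sla_met=False is where an operator gets the early warning that a transport is degrading before users notice.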
The next step in understanding SD-WAN involves exploring the different overlay network topologies and how they are constructed.