SD-WAN - A Cloud-focused WAN routing technique
Author | Date | Revision |
Samuel Knoppe | 04/23/2024 | 1.3 |
Related product (if any): | N/A |
Description: | Describes SD-WAN and what it's used for. |
Notes: | Knowledge of dynamic routing protocols, MPLS and WAN concepts, and the OSI Model will prove useful. |
Files Needed: | N/A |
Information: |
What is SD-WAN?
Software-Defined Wide Area Networking (SD-WAN) architecture uses a centralized control function to steer traffic securely and intelligently across the WAN and directly to trusted SaaS and IaaS providers. This provides a more seamless experience and reduces the cost of maintaining a traditional WAN infrastructure, but the primary benefit is the ability to use SaaS and IaaS services across the WAN. This is something a traditional MPLS infrastructure cannot do natively without extra configuration and overhead.
Traditional WANs based on conventional routers weren't designed with the cloud in mind, and typically backhauled all traffic, including cloud-destined traffic, from branch offices to a hub or data center where advanced security inspection services could be applied. The delay caused by this backhaul impairs application performance, resulting in a poor user experience.
The SD-WAN model seeks to design an architecture which fully supports applications hosted in on-premises data centers, public or private clouds, and SaaS services like Microsoft 365, Workday, Dropbox, and more, and to do so at the highest levels of performance.
How does SD-WAN work?
The traditional, router-centric WAN model distributes control functions across all devices in the network and simply routes traffic based on TCP/IP addresses and ACLs. This model is rigid, complex, inefficient, and not cloud-friendly, resulting in a suboptimal user experience.
SD-WAN is intended to deliver a superior application quality of experience (QoEx) for users. By identifying applications, an SD-WAN provides intelligent application-aware routing across the WAN. Each class of applications receives the appropriate QoS and security policy enforcement, all in accordance with business needs. Secure local internet breakout of IaaS and SaaS application traffic from the branch provides the highest levels of cloud performance while protecting the enterprise from threats.
The networking specifics of SD-WAN and its functionality are beyond the scope of this surface-level document, but it utilizes tunnels and routing protocols across various transport mediums in order to securely deliver traffic to the endpoints from the cloud. The rollout and deployment of this architecture is handled through the cloud WAN configuration page.
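To make the application-aware routing, per-class QoS/security policy and local internet breakout described above concrete, here is a small Python model of the steering decision an SD-WAN branch edge makes for each flow. It is an added illustration, not code from this document or from any SD-WAN product; the application names, link names, DSCP values, SLA thresholds and path-probe measurements are all constructed assumptions. Trusted SaaS traffic is broken out locally (inspected by the branch firewall) only while an internet underlay meets its SLA; everything else, including SaaS traffic with no healthy internet path, is backhauled through the hub tunnel over whichever underlay best meets the class SLA, and the decision records whether the SLA was actually met so it can be logged or alerted on.

```python
"""Toy application-aware traffic steering for an SD-WAN branch edge.

This is an added illustration, not code from the page or from any SD-WAN
product. Application names, link names, DSCP values, SLA thresholds and
the probe measurements are all constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed application catalogue. "breakout" marks trusted SaaS/IaaS
# traffic that may leave the branch directly instead of being backhauled.
APP_POLICY = {
    "microsoft365": {"class": "saas",     "breakout": True,  "dscp": 34},
    "dropbox":      {"class": "saas",     "breakout": True,  "dscp": 18},
    "voip":         {"class": "realtime", "breakout": False, "dscp": 46},
    "erp":          {"class": "business", "breakout": False, "dscp": 26},
}
DEFAULT_POLICY = {"class": "default", "breakout": False, "dscp": 0}

# Per-class SLA a path must satisfy before it is eligible for that class.
SLA = {
    "realtime": {"latency_ms": 150, "loss_pct": 1.0},
    "business": {"latency_ms": 300, "loss_pct": 2.0},
    "saas":     {"latency_ms": 500, "loss_pct": 5.0},
    "default":  {"latency_ms": 1000, "loss_pct": 10.0},
}


@dataclass(frozen=True)
class Link:
    """One WAN underlay with the latest path-probe measurements."""
    name: str
    kind: str           # "mpls" or "internet"
    latency_ms: float
    loss_pct: float


# Constructed probe results for a branch with three underlays.
LINKS = [
    Link("mpls0", "mpls", latency_ms=40, loss_pct=0.1),
    Link("inet0", "internet", latency_ms=25, loss_pct=0.3),
    Link("lte0", "internet", latency_ms=90, loss_pct=3.0),
]
# The same branch after the broadband circuit starts dropping packets.
DEGRADED_LINKS = [
    Link("mpls0", "mpls", latency_ms=40, loss_pct=0.1),
    Link("inet0", "internet", latency_ms=25, loss_pct=6.0),
    Link("lte0", "internet", latency_ms=90, loss_pct=3.0),
]


def classify(app: str) -> dict:
    """Map an identified application to its policy; unknown apps get the default."""
    return APP_POLICY.get(app, DEFAULT_POLICY)


def meets_sla(link: Link, cls: str) -> bool:
    sla = SLA[cls]
    return link.latency_ms <= sla["latency_ms"] and link.loss_pct <= sla["loss_pct"]


def best_link(links: list[Link], cls: str) -> tuple[Link, bool]:
    """Pick the lowest-latency link meeting the class SLA.

    If nothing meets the SLA, degrade gracefully to the least-bad link and
    report that the SLA is not met, so the decision can be logged or alerted on.
    """
    ok = [l for l in links if meets_sla(l, cls)]
    pool = ok or links
    return min(pool, key=lambda l: (l.latency_ms, l.loss_pct)), bool(ok)


def steer(app: str, links: list[Link]) -> dict:
    """Return the steering decision for one flow of the given application."""
    policy = classify(app)
    cls = policy["class"]
    if policy["breakout"]:
        # Trusted SaaS: try secure local internet breakout first, inspected
        # by the branch firewall. Only internet underlays qualify.
        inet = [l for l in links if l.kind == "internet"]
        if inet:
            link, ok = best_link(inet, cls)
            if ok:
                return {"app": app, "class": cls, "egress": "breakout",
                        "link": link.name, "dscp": policy["dscp"],
                        "inspection": "branch-firewall", "sla_met": True}
    # Everything else (and breakout traffic with no healthy internet path)
    # is backhauled through the tunnel to the hub over the best underlay.
    link, ok = best_link(links, cls)
    return {"app": app, "class": cls, "egress": "backhaul",
            "link": link.name, "dscp": policy["dscp"],
            "inspection": "hub-security-stack", "sla_met": ok}


if __name__ == "__main__":
    for app in ("microsoft365", "voip", "unknown-app"):
        print(steer(app, LINKS))
        print(steer(app, DEGRADED_LINKS))
```

Note that the link is chosen on measured path quality, not on transport type: VoIP backhaul rides the broadband circuit while it is the best SLA-compliant path and moves to MPLS once broadband loss exceeds the real-time threshold, which is the "intelligent traffic steering" the text refers to. A real edge would refresh the probe measurements continuously and re-evaluate active flows.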
SD-WAN vs. MPLS
The main gist of MPLS is that it is a common method for constructing the connections between the LANs that make up wide area networks (WANs). MPLS uses specialized routers which are able to send and receive MPLS packets along predetermined paths, improving upon the way the Internet typically routes traffic. These predetermined network paths can be used as the connective tissue that comprises a WAN and allow multiple virtual WANs to coexist over a shared network backbone. However, they take a lot of time to set up, can be expensive, and require a contracted service from a carrier or telecommunications company.
SD-WAN is a large network that connects LANs using software rather than the dedicated hardware that MPLS relies on. SD-WANs do not require any specialized equipment for routing. They run over the regular Internet, making them cheaper to implement than other networking methods. It should be noted that SD-WAN does not exclude the use of MPLS (MPLS can be one of the transports used in an SD-WAN), but overall SD-WANs are often more flexible and cost-effective by comparison.
Some benefits of SD-WAN over MPLS
Some drawbacks of SD-WANs compared to MPLS
SD-WAN vs. VPNs
SD-WANs and VPNs have similar functions. Both establish secure network connections over the Internet, ensuring data remains confidential and impervious to potential breaches. The difference is that SD-WAN is an approach to managing wide area networks (WANs) using software-defined methods, while a VPN establishes a secure tunnel between two points, ensuring data remains confidential. In short: SD-WAN is a many-to-many WAN connection and management solution; a VPN is a one-to-one secure connection.
SD-WAN vs. SASE
You already know what SD-WAN is. So what is SASE? Secure access service edge (SASE) is a new type of architecture which combines an organization's network and security functionalities into a single cloud service that operates closer to endpoints and distributes traffic quicker than traditional network services. SASE aims to simplify network and security management because it unites an organization's necessary network and security services, such as firewall as a service, secure web gateways and more, into one platform.
While SD-WAN's primary aim is to connect an organization's branch offices to a data center in an intelligent, cloud-friendly way, SASE focuses on endpoints and end-user services. SASE's traffic inspection occurs at various global points of presence (PoPs) rather than backhauling traffic to the data center, as SD-WAN sometimes does.
Deployment of SD-WAN involves creating an overlay network using physical, software or cloud-based appliances and is available through DIY, managed, or hybrid deployment. SASE is cloud-based and globally distributed, delivered as a service. Further details of SASE will be covered in another document.
The Control Plane and the Data Plane
In networking, a plane is an abstract conception of where certain processes take place. The two most commonly referenced planes in networking are the control plane and the data plane (also known as the forwarding plane).
The control plane is the part of a network that controls how data packets are forwarded. The process of creating a routing table, for example, is considered part of the control plane. ARP tables, neighbor tables, link-state databases (LSDB), and the topology table are also in the control plane.
The data (forwarding) plane actually forwards the packets, while the control plane determines how they should be forwarded. The forwarding table is in the data plane.
Think of the control plane as the stoplights that operate at the intersections of a city. Meanwhile, the data (forwarding) plane is more like the cars that drive on the roads, stop at the intersections, and obey the stoplights.
The protocols which create the routing tables in the control plane are ones you have heard of, or will hear of in the future, including BGP, OSPF, EIGRP and IS-IS.
The network topology refers to the way data flows in a network. The control plane establishes and changes network topology. The network topology is like the way the roads are arranged, and the computing devices within the network are like the destinations that those roads lead to.
SD-WAN's decentralized control plane
So... what was the point of talking about control and data planes? The reason is how SD-WAN "detaches" the control plane from a physical device and moves it to the cloud. Using the stoplight analogy, normally you'd have to configure a device to make any changes to routing, or to the way the stoplights work. You would additionally need to make changes manually to multiple devices if there are several of them. With SD-WAN, changes are defined in the SD-WAN software, which resides in the cloud. You make changes to the stoplight there, and it applies the change. You may also roll out changes to multiple stoplights in bulk, making management and configuration changes far more manageable.
To bring things back to a networking level, routers all have control planes and data planes. Managing traditional routers involves interacting with each router's control plane to make changes. SD-WAN seeks to fix this issue, along with other WAN-related issues, by moving the control plane to a centralized platform where changes can be made to multiple routers' control planes as defined in software. With the additional benefits of its best-effort WAN routing and intelligent traffic steering, better cloud application and service support, and data encryption, SD-WAN proves itself to be a capable WAN management solution. Understanding the concept of planes, and how SD-WAN differs from the traditional model of an on-premises router with a per-device control and data plane, is essential to understanding its benefits in network management and security.
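The plane separation discussed in the last two sections, with the control plane lifted out of the routers into one central place, can be shown in a few dozen lines. The following Python is an added illustration, not code from this document or from any SD-WAN vendor: a Controller object owns the topology and computes next hops (the control plane, using an ordinary shortest-path computation that stands in for a real controller's routing logic), and EdgeDevice objects do nothing but look up the forwarding table installed on them (the data plane). The hub/branch topology, link costs and device names are constructed. One link-cost change at the controller, followed by one push, re-programs every device's forwarding table, which is the "bulk stoplight change" from the analogy.

```python
"""Control plane / data plane separation with a centralized controller.

Added illustration, not code from the page or from any SD-WAN vendor. The
topology (one hub "hq" and three branches), link costs and device names are
constructed; the controller runs a plain shortest-path computation, which
stands in for whatever routing logic a real SD-WAN controller uses.
"""
from __future__ import annotations
import heapq
from collections import defaultdict


class Controller:
    """Control plane: owns the topology and computes every device's forwarding table."""

    def __init__(self) -> None:
        self.adj: dict[str, dict[str, float]] = defaultdict(dict)

    def set_link(self, a: str, b: str, cost: float) -> None:
        """Add or update an undirected link; the change is made exactly once, here."""
        self.adj[a][b] = cost
        self.adj[b][a] = cost

    def next_hops(self, src: str) -> dict[str, str]:
        """Dijkstra from src, returning destination -> first hop to take."""
        dist = {src: 0.0}
        first: dict[str, str] = {}
        done: set[str] = set()
        pq = [(0.0, src, src)]          # (cost, node, first hop used to reach node)
        while pq:
            d, n, hop = heapq.heappop(pq)
            if n in done:
                continue                # stale heap entry
            done.add(n)
            if n != src:
                first[n] = hop
            for nb, c in self.adj[n].items():
                nd = d + c
                if nd < dist.get(nb, float("inf")):
                    dist[nb] = nd
                    heapq.heappush(pq, (nd, nb, nb if n == src else hop))
        return first

    def push(self, devices: dict[str, EdgeDevice]) -> None:
        """Compute and install a fresh forwarding table on every managed device."""
        for name, dev in devices.items():
            dev.install(self.next_hops(name))


class EdgeDevice:
    """Data plane: forwards by table lookup only; it never computes routes itself."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.fib: dict[str, str] = {}

    def install(self, fib: dict[str, str]) -> None:
        self.fib = dict(fib)

    def forward(self, dst: str) -> str | None:
        """Next hop for dst, or None if the packet must be dropped."""
        return self.fib.get(dst)


def trace(devices: dict[str, EdgeDevice], src: str, dst: str, max_hops: int = 8) -> list[str]:
    """Walk a packet hop by hop using only data-plane lookups."""
    path, cur = [src], src
    while cur != dst and len(path) <= max_hops:
        nxt = devices[cur].forward(dst)
        if nxt is None:
            return path + ["<dropped>"]
        path.append(nxt)
        cur = nxt
    return path


def build_demo() -> tuple[Controller, dict[str, EdgeDevice]]:
    """Constructed topology: hub 'hq' plus br1..br3, with a cheap branch-to-branch path."""
    ctl = Controller()
    for a, b, cost in [("br1", "hq", 10), ("br2", "hq", 10), ("br3", "hq", 10),
                       ("br1", "br2", 5), ("br2", "br3", 5)]:
        ctl.set_link(a, b, cost)
    devices = {n: EdgeDevice(n) for n in ("hq", "br1", "br2", "br3")}
    ctl.push(devices)
    return ctl, devices


if __name__ == "__main__":
    ctl, devices = build_demo()
    print("before:", trace(devices, "br1", "br3"))   # br1 -> br2 -> br3
    ctl.set_link("br1", "br2", 50)   # one change, made at the controller...
    ctl.push(devices)                # ...re-programs all four data planes
    print("after: ", trace(devices, "br1", "br3"))   # br1 -> hq -> br3
```

Compare this with the traditional model in the text: without the controller, the cost change on the br1-br2 link would have to be applied on br1 and br2 individually, and every other router would learn about it only through its own control-plane protocol exchange. Here the devices hold no routing state beyond the table they were given, which is also why the controller and its channel to the devices become the security-critical component of the design.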
Cisco DNA Center and SD-Access (include here a diagram of Cisco SD-WAN's topology, and briefly describe its components, and compare it to SD-Access, while briefly explaining that) |