SD-WAN Primer Part 2: How It Works

After explaining why organizations are choosing SD-WAN over MPLS in part one of this series, Tom Fenton now takes a look at the components underlying the technology approach and how they work.

In the first part of this series (SD-WAN Primer Part 1: The Why) on software-defined wide-area networking (SD-WAN), I discussed what SD-WAN is and also provided some background information on Multiprotocol Label Switching (MPLS), a network connectivity method largely used by corporations before SD-WAN became available, and some of the limitations of MPLS that SD-WAN technology helps to address.

Finally, I gave an overview of some of the potential benefits and drawbacks of using SD-WAN. In this article, I will discuss SD-WAN's components and how it works. As I mentioned in my first article, I will be taking a lot of liberties by using generalizations and simplifications when describing SD-WAN, because these articles are intended to serve as a general synopsis of this technology.

SD-WAN Architecture
As MEF-70 from MEF is the SD-WAN service standard, I will be using its terminology as much as possible when describing SD-WAN and its functions, but it's worth noting that SD-WAN companies may use different terminology. MEF lists the components as SD-WAN Edge, SD-WAN Controller, Service Orchestrator, SD-WAN Gateway and the Subscriber Interface.

The SD-WAN Edge can be a physical device or a virtual machine (VM) that provides SD-WAN functions in a datacenter, main office, IoT location, public or private cloud, or any other place that needs network access. These devices can replace or (in some cases) supplement existing, usually physical, WAN routers. SD-WAN Edge devices implement the network overlay and policies of an SD-WAN deployment, and they also allow consumer-grade broadband to act more like a dedicated circuit.

SD-WAN Edge devices are usually less expensive, as they tend to be either VMs or run on commodity x86 servers. Many of the WAN routers that they replace were built on dedicated, proprietary ASIC-based hardware, did not scale well and were difficult to update. While ASIC chips have traditionally been the norm due to their speed, advances in x86 chips have allowed them to process network traffic at approximately the same speed as ASIC chips, with any loss in performance being offset by their flexibility and scalability. SD-WAN devices are also easier to deploy and set up in remote locations, as they are centrally managed and do not rely on local IT talent.

SD-WAN Edge devices can provide other virtual network function (VNF) services such as load balancing and, because they are software- rather than hardware-based, additional VNFs can be implemented without upgrading the SD-WAN Edge device.

The SD-WAN Controller provides central management for an SD-WAN implementation. The central console, or subscriber interface, allows an operator to see the entire corporate network through a single pane of glass. Because the SD-WAN Controller is software, it can be implemented either on-premises or in the cloud. Also, since it only pushes the network overlays and policies to the SD-WAN Edge devices, it does not perform packet inspection itself and its network usage is minimal. From this console, IT operations can set policies which the orchestrator will then execute.

The SD-WAN Edge implements these policies to make forwarding decisions depending on the type of application that is being used. It does this with Layer 7 (application-layer) inspection; for example, highly sensitive stock price traffic will have a higher priority than a streaming music service in a financial institution, yet a media company may decide to implement the exact opposite policy.

Report generation is handled by the SD-WAN Controller. From these reports, IT operations and management can make informed, holistic decisions about the network activity of an organization. For example, sudden spikes or pauses of network activity may need to be investigated. Historical trending is also useful so that organizations can proactively, rather than reactively, acquire or decommission network resources. Reporting is often an overlooked aspect of SD-WAN as WAN implementations have historically not been able to provide the detailed and insightful information that an SD-WAN Controller can.

The SD-WAN Orchestrator is the virtualized network manager which oversees traffic and applies the policies and protocols set by operators. The SD-WAN Orchestrator, which typically also includes the SD-WAN Controller functionality, is used to set centralized policies which are then used to make forwarding decisions for application flows. Application flows are IP packets that have been classified to determine the user application, or group of applications, with which they are associated. The grouping of application flows based on a common type (e.g., conferencing applications) is referred to as an Application Flow Group (AFG) in MEF-70.

Because SD-WAN is still in its infancy, many terms and their boundaries are still being formulated. One of the less clearly defined terms is the SD-WAN Gateway. Some SD-WAN implementations use SD-WAN Gateways in the datacenter or main office to optimize traffic and provide additional security, while other implementations may use a far broader definition. Some SD-WAN implementations have all network traffic routed through a central site for security reasons, but this can lead to a hairpin problem in which traffic travels a long distance just to be routed back near its location of origin; to alleviate this problem, we now have SD-WAN Gateways for public clouds as well as datacenters.

Basically, SD-WAN Gateways provide an optimal data path for applications from an endpoint to network services in and from the cloud. A distributed network of gateways, deployed both around the world and on-premises at service providers, provides scalability, redundancy and on-demand flexibility.

Besides providing an optimal path, SD-WAN Gateways can also provide a virtual private network (VPN) with Quality of Service (QoS) between global cloud services for Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and network services and the SD-WAN Edge, with the capability to do so over multiple transport mediums. This allows SD-WAN Gateways to appear as a single, high-performance WAN that is transparent to users.

The SD-WAN User Network Interface (UNI) is the demarcation point between the responsibility of a service provider and that of a subscriber.

SD-WAN is a policy-driven construct in which IP packets are classified into Application Flow Groups (AFGs). The classification is determined by their use of protocols such as Voice over Internet Protocol (VoIP). AFGs can be based on Open Systems Interconnection (OSI) Layer 2 through Layer 7 classification. Moreover, the AFGs have policies to either block or allow an IP packet to be forwarded based on the availability of a route to the destination SD-WAN UNI on a remote SD-WAN Edge.


MEF has come up with a basic set of policies for SD-WAN, including Encryption, Public/Private, Internet Breakout, Billing Method, Primary Backup and Bandwidth. A few of these terms may need further clarification. Public/Private specifies whether an AFG can use a public or a private transport medium. Internet Breakout specifies whether or not an AFG should be forwarded to an internet destination. Billing Method specifies whether an AFG can go over usage-based or flat-rate billed transport media. Bandwidth sets the rate limit of an AFG. As MEF-70 and SD-WAN are still fairly new, not all providers use these terms, relying instead on proprietary policy terms. However, universal MEF policies and their definitions are expected to emerge as the technology matures.
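To make the classification-then-policy flow of the last two paragraphs (and the stock-price-versus-streaming example earlier in the article) concrete, here is a toy policy engine I have added to this primer. It is not MEF text and not any vendor's implementation: the transport names, application labels, port signatures and policy values are constructed assumptions. It classifies a flow into an AFG using an L7 application label when one is available and an L4 port as a fallback, then walks the Edge's candidate transports in preference order and forwards only when a route to the destination UNI exists (or the policy says to break out locally) and a live transport satisfies every policy criterion; otherwise the default is to block.

```python
"""Toy SD-WAN policy engine (constructed example, not MEF or vendor code).
Classifies a flow into an Application Flow Group (AFG), then selects a
transport that satisfies the AFG's MEF-70-style policy criteria."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Transport:
    """One underlay circuit available to an SD-WAN Edge (assumed names)."""
    name: str
    public: bool        # True = internet broadband/LTE, False = private MPLS
    usage_billed: bool  # metered (per GB) vs. flat-rate
    encrypted: bool     # an IPsec overlay tunnel to the remote Edge runs on it
    up: bool = True     # liveness learned from path probes (assumed)


@dataclass(frozen=True)
class Policy:
    """MEF-70-style policy criteria attached to one AFG (values assumed)."""
    encryption: str = "required"          # "required" | "optional"
    public_private: str = "either"        # "public" | "private" | "either"
    internet_breakout: bool = False       # True = exit to the internet locally
    billing_method: str = "either"        # "flat" | "usage" | "either"
    bandwidth_kbps: Optional[int] = None  # rate limit, None = unlimited
    backup: bool = True                   # False = never fail over off the primary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp" | "udp"
    dst_port: int
    app: str = "unknown"  # L7 classification label (assumed to come from DPI)


@dataclass(frozen=True)
class Decision:
    action: str                    # "forward" | "block"
    transport: Optional[str]       # chosen underlay, None when blocked
    rate_limit_kbps: Optional[int]
    reason: str


# Constructed policy table for a financial institution: market data must stay
# on private, flat-rate transport; streaming breaks out locally, rate-limited.
AFG_POLICIES = {
    "voice":       Policy(encryption="required", billing_method="either"),
    "market-data": Policy(encryption="required", public_private="private",
                          billing_method="flat", backup=False),
    "streaming":   Policy(encryption="optional", internet_breakout=True,
                          billing_method="flat", bandwidth_kbps=2000),
    "best-effort": Policy(encryption="required", billing_method="flat"),
}

# Constructed signatures: the L7 app label wins, the L4 port is the fallback.
L7_SIGNATURES = {"sip": "voice", "rtp": "voice", "market-feed": "market-data",
                 "music-stream": "streaming", "video-stream": "streaming"}
L4_SIGNATURES = {("udp", 5060): "voice", ("tcp", 5060): "voice"}


def classify(flow: Flow) -> str:
    """Map a flow to its AFG name; anything unrecognised is best-effort."""
    if flow.app in L7_SIGNATURES:
        return L7_SIGNATURES[flow.app]
    return L4_SIGNATURES.get((flow.proto, flow.dst_port), "best-effort")


def decide(flow: Flow, transports: List[Transport], route_to_dst: bool) -> Decision:
    """Forwarding decision for one flow; the default outcome is block."""
    afg = classify(flow)
    pol = AFG_POLICIES[afg]
    if not pol.internet_breakout and not route_to_dst:
        return Decision("block", None, None, f"{afg}: no route to remote SD-WAN UNI")
    candidates = transports if pol.backup else transports[:1]  # primary is first
    for t in candidates:
        if not t.up:
            continue
        if pol.encryption == "required" and not t.encrypted:
            continue
        if pol.public_private == "private" and t.public:
            continue
        if pol.public_private == "public" and not t.public:
            continue
        if pol.internet_breakout and not t.public:
            continue  # local breakout needs an internet-facing underlay
        if pol.billing_method == "flat" and t.usage_billed:
            continue
        if pol.billing_method == "usage" and not t.usage_billed:
            continue
        return Decision("forward", t.name, pol.bandwidth_kbps, f"{afg}: via {t.name}")
    return Decision("block", None, None, f"{afg}: no live transport satisfies policy")


# Constructed underlays for one branch Edge, in preference order (MPLS primary).
BRANCH_TRANSPORTS = [
    Transport("mpls", public=False, usage_billed=False, encrypted=True),
    Transport("broadband", public=True, usage_billed=False, encrypted=True),
    Transport("lte", public=True, usage_billed=True, encrypted=True),
]


def with_down(transports: List[Transport], *names: str) -> List[Transport]:
    """Copy of the transport list with the named circuits marked down."""
    return [Transport(t.name, t.public, t.usage_billed, t.encrypted, up=t.name not in names)
            for t in transports]


if __name__ == "__main__":
    voice = Flow("10.1.0.5", "10.2.0.9", "udp", 5060)
    ticker = Flow("10.1.0.7", "10.2.0.20", "tcp", 443, app="market-feed")
    music = Flow("10.1.0.8", "203.0.113.10", "tcp", 443, app="music-stream")
    for f in (voice, ticker, music):
        print(decide(f, BRANCH_TRANSPORTS, route_to_dst=True))
    # MPLS down: voice fails over to broadband, market data is blocked rather
    # than quietly moved onto a public circuit its policy forbids.
    print(decide(voice, with_down(BRANCH_TRANSPORTS, "mpls"), True))
    print(decide(ticker, with_down(BRANCH_TRANSPORTS, "mpls"), True))
```

The design point worth noticing is the fail-closed ordering: the route check and every policy criterion are evaluated before a transport is chosen, so an outage on the primary circuit degrades a strictly private AFG to "block" instead of silently routing it over broadband. That is the behaviour you want to see in the Controller's reports when a circuit goes down, and it is exactly the kind of per-AFG decision the Orchestrator pushes out to every Edge.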

In this article, the second in my SD-WAN series, I discussed how SD-WAN is an abstracted architecture divided into two parts: the control plane and the forwarding plane. This architecture has many components that move the control plane to a centralized location. The main SD-WAN components can be located in a corporation's main office, a datacenter, or a cloud platform. The SD-WAN Orchestrator oversees traffic and applies policies to the network. The SD-WAN Controller is the central management component that enables IT operations to monitor the network holistically and specifies the policies that the orchestrator executes. In the next and final article on SD-WAN, I will look at a few different deployment models.

About the Author

Tom Fenton has a wealth of hands-on IT experience gained over the past 25 years in a variety of technologies, with the past 15 years focusing on virtualization and storage. He previously worked at VMware as a Senior Course Developer, Solutions Engineer, and in the Competitive Marketing group. He has also worked as a Senior Validation Engineer with The Taneja Group, where he headed the Validation Service Lab and was instrumental in starting up its vSphere Virtual Volumes practice. He's on Twitter @vDoppler.