In simple terms, software-defined WAN (SD-WAN) refers to the application of software-defined networking (SDN) principles to the WAN. In SD-WAN, the path for the application traffic can be dynamically controlled and selected based on specified service-level agreement (SLA) criteria. Thus, SD-WAN enables you to identify the best path for an application’s traffic and to then forward the traffic on that path.
According to Gartner, SD-WAN has the following characteristics:
Support for multiple WAN connection types (such as MPLS, Internet, LTE) simultaneously.
Ability to select the traffic path dynamically, which allows for load sharing of traffic across WAN connections.
Ability to simplify the management and monitoring of WANs.
Support for VPNs and other third-party services, such as gateways and firewalls.
CSO supports the following SD-WAN service types for a site:
Secure SD-WAN Essentials—Provides the basic SD-WAN services. This service is ideal for small enterprises, looking for simplified management of their network and comprehensive NGFW security services at the branch sites. The SD-WAN Essentials service allows Internet traffic to breakout locally, and thus avoids the need to backhaul web traffic over costly VPN or MPLS links. This service supports features such as intent-based firewall policies, WAN link management and control, CSO-controlled routing between sites connected through the static VPN, and site to site communication through MPLS or internet links. A tenant with the SD-WAN Essentials service level can create only SD-WAN Essentials sites.
You can upgrade the SD-WAN service level of a tenant from SD-WAN Essentials to SD-WAN Advanced by editing the tenant information from the CSO Administration portal, provided that you have purchased the corresponding license.
Secure SD-WAN Advanced—Provides the complete SD-WAN service. All sites of the tenant with Secure SD-WAN Advanced service are connected in full mesh or hub-and-spoke topology. The SD-WAN Advanced service includes SD-WAN Essentials.
SD-WAN sites on CSO Release 5.4 or earlier versions are treated as SD-WAN Advanced sites. You cannot downgrade the SD-WAN service level of a tenant from SD-WAN Advanced to SD-WAN Essentials.
Branch Management Without and With SD-WAN
Figure 1 displays a topology in which a branch is managed without SD-WAN. In this scenario, the service provider (SP) maintains the quality-of-service-enabled (QoS-enabled) network and the branch, and manages the traffic (including route announcements), and VPN. In Figure 1, the area bounded by the shaded rectangles indicates the what the service provider manages and maintains.
The branch customer sends traffic, which is directed over one of the two redundant links to one of the two provider edge (PE) routers, where the traffic is forwarded inside the virtual routing and forwarding (VRF) instance. Typically, the PE routers are configured in an active-backup mode (for redundancy), where traffic flows only through one router at any given time. The PE router builds queues for the traffic and the queues are respected inside the QoS-enabled MPLS network meant for that branch customer. Additionally, bandwidth might be reserved for applications that need a guaranteed bandwidth. Optionally, the service provider can provide additional value-added services, where the traffic is marked using differentiated services code point (DSCP) values and the DSCP values are adhered to downstream in the network.
Figure 2 displays the topology for managing a branch with SD-WAN. In this scenario, the service provider provides the PE router and the MPLS network and can be the provider for the Internet network. However, the enterprise has an option to add a different network (for example, broadband Internet) instead of using the service provider’s network, and the enterprise can manage the customer premises equipment (CPE) device.
To build a VPN, the traffic must be tunneled through the different networks. So, instead of sending traffic through the underlay, you use the underlay to build tunnels through the networks to the next element (node). To dynamically select the traffic path, you need to have application-aware (also called app-aware) traffic steering that identifies the application, monitors the tunnel (path) that the traffic is on, and decides the tunnel on which to send the traffic. If a tunnel degrades, the SD-WAN controller can move the traffic to a different tunnel. In the SD-WAN scenario, both the tunnels are active simultaneously.
Therefore, in the SD-WAN scenario, you don't squeeze traffic into queues; instead, you identify the traffic and select the tunnel on which to send the traffic. Services provided throughout the network (such as route reflection) can be moved to the top as shown in Figure 2.
In branch management with SD-WAN, you can have redundant PE routers in the topology, if needed. (This is not shown in Figure 2.)
SD-WAN Overlay Tunnels
In SD-WAN, the overlay tunnels (see Figure 3) are transport-agnostic, which means that they are built independent of the underlying transport technology (such as MPLS or Internet) of the network. Tunnels are built based on the IP addresses assigned to the WAN interfaces, and can be between one spoke (branch) and another, or between a spoke and a hub (headquarters).
In CSO, you can build GRE tunnels or GRE tunnels with IPsec for additional security. When CSO identifies the application, it creates inner DSCP markings that are written to the outside tunnel so that the forwarding queues that might exist in the outside network are respected.
In CSO, the term MPLS refers to a QoS-engineered path and is used to designate the network. Therefore, CSO doesn’t create MPLS frames on the underlay and only creates Ethernet frames.
High-Level SD-WAN Architecture
Figure 4 shows an example of a high-level SD-WAN architecture. There are two branch sites connected to SD-WAN gateways (also known as spokes or CPE devices) and one central site (headquarters) connected to another SD-WAN gateway, which could be a hub device. In addition, an SD-WAN controller controls the SD-WAN gateways using a single UI, manages the devices, the creation of tunnels, and so on.
Figure 5 shows how SD-WAN is applied using CSO in a topology that has one branch site and one hub site. CSO builds one tunnel for the WAN links going over the MPLS network and a second tunnel for the WAN links going over the Internet. When you configure SD-WAN, you can ensure that mission-critical application data is sent over the MPLS link (reliable and secure path) and the non-mission critical application data is sent over the Internet link (best-effort, non-secure path).
For more information about CSO SD-WAN, watch the Contrail SD-WAN Demos—15 Features in 15 Minutes video.