Two Basic SD-WAN Use Cases
Two SD-WAN use cases are described below. These use cases illustrate variations around which devices constitute the hubs: a separate SRX Series device (in addition to the MX Series PE device providing underlay connectivity) dedicated to providing SD-WAN overlay connectivity for CPE devices; or a dedicated SRX Series device used for terminating overlay connectivity.
Managed SD-WAN - Overlay Access
This use case is most applicable when the provider wants to take advantage of their existing network, but maintain separation between the existing infrastructure and new SD-WAN infrastructure.
As shown in Figure 1, the existing PE devices deployed at POPs remain in place and continue to form that function. In addition, SD-WAN hub devices are deployed at POPs alongside the PE devices to terminate overlay tunnels from the spoke sites.
Again CSO manages the hub and spoke devices. In this use case it also makes use of its vRR to establish BGP sessions with the devices. The vRR advertises reachability information to all devices to provide site-to-site connectivity.
The core MPLS infrastructure is managed by the provider.
The access links can be MPLS or Internet.
The overlay tunnels extend from the spoke site CPE devices to the dedicated SD-WAN hub devices.
Multiple overlay encapsulations are supported.
MPLSoGRE (CE-PE/MPLS access)
MPLSoGREoIPsec (Internet access)
SRX Series devices are used as provider hubs for IPsec termination.
The SRX Series devices peer with the PEs for connectivity.
Provider hubs can be shared across multiple tenants.
Enterprise SD-WAN - Overlay
This use case is most applicable to larger enterprises to enable full, end-to-end overlay network connectivity, completely independent of the underlying provider networks.
With this use case, the enterprise customer (tenant or OpCo) owns the hub devices, not the provider. Only spoke sites belonging to this tenant can connect to the enterprise hub devices.
Figure 2 illustrates this use case. The enterprise hub devices are located at the customer sites, with overlay tunnels to each of the spoke sites. The hub devices are also interconnected through a provider service such an MPLS VPN, providing full site-to-site connectivity.
Again, CSO manages all hub and spoke devices, and its vRR advertises reachability information to all devices.
The overlay tunnels extend from the spoke site CPE devices to the hub devices.
The overlay tunnels use MPLSoGRE or MPLSoGREoIPsec encapsulation, as appropriate.
SRX1500, SRX4100, or SRX4200 Series devices can be used as enterprise hubs for IPsec termination.
Enterprise hub sites are located at customer sites.
PE resiliency can be implemented by connecting CPE WAN links to primary and secondary PE nodes.
CSO establishes BGP peering relationships between the CPE and PE nodes. See Adding an On-Premises Spoke Site with SD-WAN Capability for details.
Only supported when local breakout is configured on the CPE WAN link.
BGP underlay route advertising can be configured to the primary and secondary PE nodes from CPE devices when local breakout is enabled on the WAN interface. See Adding an On-Premises Spoke Site with SD-WAN Capability for details.