SD-WAN those things (2)

Source: Internet
Author: User
Tags netconf


The previous article, SD-WAN those things (1), traced the evolution of WAN architecture from WAN acceleration to hybrid WAN, and from enhanced hybrid WAN to SD-WAN. With SD-WAN, an enterprise can obtain leased-line-like characteristics over low-cost Internet links, better fit the move of business applications to the cloud, and improve network agility and robustness. This article continues with the characteristics and technical implementation of SD-WAN in the hybrid WAN scenario.

Cloud computing is built on pooled computing resources, and SDN can be regarded as the network counterpart of the cloud, because network services have the same functional requirements as cloud computing: automatic scaling, on-demand service, and rapid deployment. SD-WAN abstracts WAN links into a resource, a virtual overlay, that is offered as a service: it hides the concrete form of the underlying link and lets a business quickly obtain the resources that match its demand. By implementation, SD-WAN offerings can be roughly divided into three types.

1. Traditional device manufacturers

Traditional network equipment with SD-WAN functions, acting as the branch CPE or the headquarters egress gateway, runs a link detection protocol toward the destination end according to pre-configured policy, measures link load, delay, jitter and packet loss rate, and selects a link that meets the service SLA for forwarding. For example, the following policies are issued through the Controller:

  • Video service A must use a link with latency below 20 ms
  • Data service B must use a link with remaining bandwidth above 10 Mbit/s

Based on the Controller policy, the device identifies applications A and B, selects a matching link for each, and adjusts the selection dynamically as link quality changes. Another common strategy is load balancing, which dynamically selects and corrects routes based on link load so that link resources are used as fully as possible.

Figure 1: Application-oriented multi-exit selection

In this scenario, services that do not require confidentiality enter the service provider (SP) network directly, while services that require encrypted transmission enter it through tunnels. Such tunnels can be regarded as a point-to-point overlay; however, whichever way traffic enters the SP network, it is beyond the enterprise's control once there, and the underlay performs traditional routing. An SD-WAN service deployed by the enterprise itself is more controllable, but because Internet traffic is bursty and unpredictable, it is sometimes impossible to find a link that meets the SLA, so the enterprise needs to provision multiple links.

2. SD-WAN service providers

SD-WAN service providers, represented by Viptela and VeloCloud, lease space from SPs and data centers to host their software (NFV) or appliances, and build an overlay logical topology of multiple POPs on top of the underlay network. As shown in Figure 2, the user's SD-WAN edge device attaches to the nearest POP and then applies a strategy similar to the one above: through application identification and link detection it selects, from the overlay logical network, a path that meets the service requirements, or a combination of overlay and underlay. Because there are many POP network elements, the controllability and visibility of the network are enhanced, and it is easier to find a link that meets the conditions. Since the service provider hosts the controller and related services, the enterprise does not have to deploy its own; users only need to define policy templates, which lowers the technical bar for adopting SD-WAN.

Figure 2: Application-oriented overlay routing

3. Operators

The operator owns the underlay and is therefore in a position to provide SD-WAN service directly on it, implementing policy-oriented and business-oriented routing on top of traditional routing; at present, however, this is still more an idea than a product. Whatever the model, a branch CPE that provides software-defined functions in the hybrid WAN scenario has many features, and must meet the following business requirements:

1. Actively connecting to the Controller to obtain configuration and policy

Traditional CPE devices in the network are highly autonomous. Whether managed by command line, by a network management interface, or by a vendor's so-called zero-touch deployment, management is still oriented to isolated network elements and still configuration-driven: if the business model changes, the configuration of every branch site has to be modified. SD-WAN adopts the separation of control and forwarding. Business configuration and policies are issued by the Controller, and a functional layer turns the user interface from configuration-oriented into application-oriented, which is what makes real plug-and-play possible.

NETCONF is a typical southbound protocol in SD-WAN. It is a client/server protocol that uses SSH (the netconf subsystem, port 830) or TLS as its secure transport, and YANG as the data modeling language that defines the configuration and operational data. The Controller acts as the NETCONF client: it translates REST calls from the upper layer into NETCONF RPCs, XML-encoded according to the YANG definitions (NETCONF has its own RPC layer, defined in RFC 6241; it is not XML-RPC). The managed device acts as the server: it validates each RPC against the YANG model (YIN is simply the XML representation of the same model), and only a valid RPC is translated into the final device configuration. Because the CPE pulls its entire configuration from the Controller, the CPE must authenticate the Controller just as the Controller authenticates the CPE; a CPE that accepts configuration from any controller that answers its connection can be fully reconfigured by an impostor.
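The exchange described above, as an added example that is not part of the original article or of any vendor's product: the Controller (client) side builds an edit-config RPC for the candidate datastore, frames it with the RFC 6242 chunked framing used over SSH with :base:1.1, and the device (server) side unframes it, validates it against a stand-in for the YANG model, and answers either <ok/> or <rpc-error>. The sdwan-policy module, its namespace and leaf names are hypothetical; the SSH/TLS transport and the capability exchange are assumed and not shown, so the round trip runs in-process.

```python
import re
import xml.etree.ElementTree as ET

# NETCONF base namespace (RFC 6241) and a hypothetical SD-WAN policy YANG module namespace.
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
SP_NS = "urn:example:sdwan-policy"  # assumption: not a real YANG module
ET.register_namespace("nc", NC_NS)
ET.register_namespace("sp", SP_NS)


class NetconfError(ValueError):
    """Raised on the device side; the message is the NETCONF error-tag."""


def chunk_frame(msg: str) -> bytes:
    """RFC 6242 chunked framing (:base:1.1 over SSH): '\\n#<len>\\n' + data + '\\n##\\n'."""
    data = msg.encode()
    return b"\n#%d\n" % len(data) + data + b"\n##\n"


def chunk_unframe(buf: bytes) -> str:
    """Reassemble one chunk-framed message; a message may be split over several chunks."""
    out, pos = bytearray(), 0
    while True:
        m = re.match(rb"\n#(\d+|#)\n", buf[pos:])
        if m is None:
            raise ValueError("malformed chunk header")
        pos += m.end()
        if m.group(1) == b"#":          # end-of-chunks marker
            return out.decode()
        n = int(m.group(1))
        out += buf[pos:pos + n]
        pos += n


def build_edit_config(message_id, app, max_latency_ms, link) -> str:
    """Controller (client) side: an <edit-config> carrying one app-policy entry (hypothetical model)."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": str(message_id)})
    ec = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(ec, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}candidate")
    pol = ET.SubElement(ET.SubElement(ec, f"{{{NC_NS}}}config"), f"{{{SP_NS}}}app-policy")
    ET.SubElement(pol, f"{{{SP_NS}}}application").text = app
    ET.SubElement(pol, f"{{{SP_NS}}}max-latency-ms").text = str(max_latency_ms)
    ET.SubElement(pol, f"{{{SP_NS}}}preferred-link").text = link
    return ET.tostring(rpc, encoding="unicode")


def validate_policy(pol) -> None:
    """Stand-in for the device's YANG validation: mandatory leaves, an enum and a range check."""
    app = pol.findtext(f"{{{SP_NS}}}application")
    lat = pol.findtext(f"{{{SP_NS}}}max-latency-ms")
    link = pol.findtext(f"{{{SP_NS}}}preferred-link")
    if not app or lat is None or link is None:
        raise NetconfError("missing-element")
    if link not in ("mpls", "internet", "any") or not lat.isdigit() or not 1 <= int(lat) <= 10000:
        raise NetconfError("invalid-value")


def handle_rpc(frame: bytes) -> bytes:
    """Device (server) side: unframe, validate, then reply with <ok/> or <rpc-error>."""
    rpc = ET.fromstring(chunk_unframe(frame))
    reply = ET.Element(f"{{{NC_NS}}}rpc-reply", {"message-id": rpc.get("message-id", "")})
    try:
        pol = rpc.find(f"./{{{NC_NS}}}edit-config/{{{NC_NS}}}config/{{{SP_NS}}}app-policy")
        if pol is None:
            raise NetconfError("unknown-element")
        validate_policy(pol)
        ET.SubElement(reply, f"{{{NC_NS}}}ok")   # a real CPE would now write the candidate datastore
    except NetconfError as e:
        err = ET.SubElement(reply, f"{{{NC_NS}}}rpc-error")
        ET.SubElement(err, f"{{{NC_NS}}}error-type").text = "application"
        ET.SubElement(err, f"{{{NC_NS}}}error-tag").text = str(e)
        ET.SubElement(err, f"{{{NC_NS}}}error-severity").text = "error"
    return chunk_frame(ET.tostring(reply, encoding="unicode"))


def push_policy(app, max_latency_ms, link, message_id=101):
    """Full client/server round trip in-process; returns (accepted, error_tag)."""
    request = chunk_frame(build_edit_config(message_id, app, max_latency_ms, link))
    reply = ET.fromstring(chunk_unframe(handle_rpc(request)))
    if reply.find(f"{{{NC_NS}}}ok") is not None:
        return True, None
    return False, reply.findtext(f"./{{{NC_NS}}}rpc-error/{{{NC_NS}}}error-tag")


if __name__ == "__main__":
    print(push_policy("video-A", 20, "mpls"))   # (True, None)
    print(push_policy("video-A", 0, "mpls"))    # (False, 'invalid-value')
```

The point of the server-side check is that the device never turns an RPC into configuration before it has passed model validation; in a real CPE the validation is driven by the YANG model itself, and the transport adds mutual authentication (SSH host key or TLS certificate for the Controller, key or certificate for the CPE) that this in-process example leaves out.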

2. Deep application recognition

The premise of application-oriented networking is the ability to recognize applications. Traditional 5-tuple flow classification and routing policies are too rigid: matching applications one by one requires a large number of rules, and the interface is unfriendly. In the SD-WAN scenario the device must perform deep inspection and classify applications, either through local identification or through a cloud identification service, and then schedule traffic dynamically and guarantee key services according to the Controller policy.

3. Link quality detection

Traditional route-based traffic scheduling is static: the network environment changes in real time, but routing cannot adjust dynamically to changes in link quality. In the SD-WAN scenario the device must measure the quality of multiple leased lines or Internet links and steer traffic dynamically according to the service classification and the control policy.
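Link quality detection and the policy-driven link selection described under "Traditional device manufacturers" (the 20 ms video policy and the 10 Mbit/s data policy) are two halves of one loop, so one added example covers both; it is not code from the original article or from any vendor. Probe timestamps, remaining bandwidth figures and the policy field names are constructed for the example. It also shows the failure mode mentioned above: when no link meets the SLA the selector returns None, and the CPE has to fall back to its default route.

```python
from statistics import mean

INF = float("inf")

# Constructed probe samples per link: (sent_ms, received_ms or None when the probe was lost).
PROBES = {
    "mpls":     [(0, 14), (100, 115), (200, 216), (300, 315), (400, 414)],
    "internet": [(0, 30), (100, 145), (200, None), (300, 325), (400, 460)],
}
# Constructed remaining bandwidth per link in Mbit/s (assumed to come from interface counters).
FREE_MBPS = {"mpls": 4, "internet": 50}

# Policies as the Controller would issue them (hypothetical field names).
POLICIES = {
    "video-A": {"max_latency_ms": 20, "prefer": ["mpls", "internet"]},
    "data-B":  {"min_free_mbps": 10, "max_loss": 0.3, "prefer": ["internet", "mpls"]},
    "voice-C": {"max_latency_ms": 20, "min_free_mbps": 10, "prefer": ["mpls", "internet"]},
    "bulk-D":  {"max_loss": 0.5, "prefer": ["mpls", "internet"]},
}


def link_metrics(probes):
    """Round-trip latency, jitter (mean absolute change between consecutive RTTs) and loss ratio."""
    rtts = [recv - sent for sent, recv in probes if recv is not None]
    loss = 1.0 - len(rtts) / len(probes) if probes else 1.0
    if not rtts:
        return {"latency_ms": INF, "jitter_ms": INF, "loss": loss}
    jitter = mean(abs(b - a) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0
    return {"latency_ms": mean(rtts), "jitter_ms": jitter, "loss": loss}


def meets_sla(policy, metrics, free_mbps) -> bool:
    """Every constraint the policy names must hold; absent constraints are unbounded."""
    return (metrics["latency_ms"] <= policy.get("max_latency_ms", INF)
            and metrics["jitter_ms"] <= policy.get("max_jitter_ms", INF)
            and metrics["loss"] <= policy.get("max_loss", 1.0)
            and free_mbps >= policy.get("min_free_mbps", 0))


def select_link(policy, links, current=None):
    """First link in preference order that meets the SLA. A current link that still qualifies is
    kept, so a marginal improvement elsewhere does not flap the flow. None: no link qualifies."""
    order = list(policy["prefer"])
    if current in order:
        order.remove(current)
        order.insert(0, current)
    for name in order:
        if name in links and meets_sla(policy, links[name]["metrics"], links[name]["free_mbps"]):
            return name
    return None


def schedule(policies=POLICIES, probes=PROBES, free_mbps=FREE_MBPS, current=None):
    """One scheduling round: measure every link, then pick a link per application."""
    links = {n: {"metrics": link_metrics(p), "free_mbps": free_mbps[n]} for n, p in probes.items()}
    current = current or {}
    return {app: select_link(pol, links, current.get(app)) for app, pol in policies.items()}


if __name__ == "__main__":
    for app, link in schedule().items():
        print(f"{app:8s} -> {link or 'no link meets SLA, fall back to default route'}")
```

In the constructed data the MPLS link is clean but nearly full and the Internet link is fast enough for bulk data but too slow and lossy for voice, so video goes to MPLS, data to the Internet, and voice gets no qualifying link at all; the "keep the current link while it still qualifies" rule is the minimal dampening needed to stop flows bouncing between links on every probe round.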

4. Firewall functions

Letting a branch access the Internet directly, offloading leased-line traffic, and reaching the public cloud from the nearest exit gives a better user experience, but it also introduces security issues. The branch CPE must provide security gateway functions to define the security boundary, filter illegitimate traffic, and prevent intrusion. Firewall functions can be performed locally or by a virtualized firewall in the cloud.

5. Encrypted VPN connections

Enterprise data must travel over a secure channel to prevent leakage while it is uploaded and transmitted across the Internet. The CPE must be able to establish end-to-end IPsec tunnels with the public cloud, the headquarters, or other VPN gateways, and business traffic is encrypted inside those tunnels.

6. NAT functions

Internet traffic that does not require encryption must be NAT-translated before it leaves for the Internet; this works around the scarcity of Internet addresses and also hides internal addresses.

7. Authentication and audit

Traditionally all network exits were at the headquarters, so authentication and audit functions could be deployed at that single point. Under SD-WAN, authentication and audit become distributed: each branch CPE must provide these functions itself, and its logs must be sent back to the center and synchronized periodically.

SD-WAN can be implemented with dedicated hardware or with VNF orchestration; as long as the ideas of centralized control, automatic scaling, and dynamic programmability are included, it falls within the scope of software definition. SD-WAN is not merely a concept. It is the inevitable result of rethinking the network with a software mindset, and a technology capable of reconstructing the network to solve users' most frequent pain points.
