The Bigger Picture (of WAN and Branch Networks)
November 7, 2015
If you’ve been reading IT trade publications lately, you may have seen a new networking sector called software-defined WAN (SD-WAN).
SD-WAN provides several value propositions for the enterprise in the form of lower connectivity costs by adding broadband/Internet options to your MPLS WAN, improved application performance through “app-aware” routing, and reduced complexity and operational delays by centrally managing branch appliances with zero-touch provisioning.
But it doesn’t take a hardened network manager (or IT purchasing department analyst) to conclude that while SD-WAN improves connectivity, key branch services like security and WAN optimization are not part of the solution. Hence, even after SD-WAN is installed, branch architectures are still very complex and appliance-ridden, with multiple configuration and monitoring systems that don’t talk to each other. Clearly, branch architectures need to be viewed holistically across connectivity and services.
But there is a bigger networking challenge facing enterprises, and the carriers that build and sell managed services to many of them – the fundamental way branch networks are designed needs to move into the 21st century. Let’s take a look at how most branch networks are built today (and have been since the mid-1990s):
As we can see, both the branch office and head-end (either provider PoP/CO or enterprise data center) are sprawling with network and security hardware: proprietary devices like routers, firewalls, WAN optimization boxes and advanced security appliances. Several major analyst firms put the total cost of branch office network/security infrastructure at $10,000 to over $50,000, depending on the size of office, bandwidth and level of security/compliance required.
And Capex is just the start of the issues. Other major challenges will continue to exist with or without SD-WANs: operational complexity (with connectivity and services each having their own configuration, monitoring and event correlation consoles), inflexible architectures for where functions are located (branch vs. head-end), and, for service providers, a business model in which it is still challenging to create profitable and easily operable managed service offerings.
Enterprise IT departments and Internet providers faced this challenge for many years with computing and storage – using rigid hardware resources, having to over-purchase and over-provision them, and lacking resource agility. Yet the answer came over the last 10 years – server and storage virtualization in the data center, and cloud computing models: basically, virtualizing and de-coupling computing and storage functions from their underlying hardware, as well as from their location.
With the recent innovations in virtualized network functions (VNF), it is time to apply the same principles to WANs and branch networks – de-coupling higher level network and security functions from proprietary hardware appliances, and running them on commodity x86 white box appliances and servers. Just like virtualized computing, the agility and flexibility of software-based network functions increase dramatically, as do scalability and cost efficiency.
Another key benefit that comes with software-based network and security functions: the ability to create far more flexible branch and WAN architectures, as well as more targeted managed service offerings. Instead of forcing specific functions to reside in the branch office – or not applying them to the branch to avoid complexity or cost – virtualized functions can be placed wherever best meets IT and business needs, as well as budgets. VNFs should support a flexible set of deployment models, including white box appliances, bare metal servers, VMs and containers, as well as be centrally provisioned, monitored and managed.
Here are some examples of different branch architectures that can be created using VNFs:
As you can see, virtualizing network and security functions can lead to very innovative new branch network architectures, and resulting WAN designs as well.
So while SD-WAN is an incremental step forward in WAN innovation, it’s still a small subset of the bigger picture that service providers and enterprises will create by transforming their network and security resources from hardware- to software-based – and the new branch architectures this will enable – to create next-generation WANs and branch networks.