SD-WAN and value added services: One size does not fit all

null

SD-WAN (Software Defined Wide Area Network) extends the concept of SDN to enterprise branch connectivity, offering a way of replacing or augmenting traditional enterprise VPN service (such as MPLS or VPLS) with a secure automated connectivity model that can work on any access network (MPLS, Internet, 3G/LTE etc.). With SD-WAN, the policy and network state are programmed into standardised end devices (x86 based CPEs) by a cloud based management and policy plane, to create site to site network overlays. The use cases for SD-WAN include Hybrid WAN (ability to use multiple access networks simultaneously), seamless interconnect to public cloud, Offnet extension services (ability to connect “external” branch sites over internet to “internal” branch locations bonded by L2/L3 VPN) etc.

WAN connectivity is one part of the enterprise networking puzzle. Modern enterprise sites require a range of networking value added services in addition to WAN connectivity. These include security functions such as Firewall, ACL, URL filtering, Intrusion detection/prevention, NAT), traffic optimisation services, DPI/Analytics, VOIP gateways, IOT agents, Wireless LAN controllers etc. These functions are typically delivered as standalone appliances (physical or virtual) with no unified cloud based management or control, requiring rigid/manual traffic steering to the function itself and without any direct tie-in with DC services. Overall, the enterprise value added services are limited by lack of flexibility, easy lock-in and high operational expense.

However, there is an alternative approach. SD-WAN can be used as a platform for delivering enterprise value added services. The technological advantages of such a consolidation come from a centralised & unified policy/control for all services, seamless extension into the DC, unified interfaces to orchestration, ease of traffic selection & chaining from and to the service functions. The business benefit to the telcos comes in the form of the ability to offer on-demand, programmable value added services alongside connectivity with SD-WAN. The enterprise benefits from a dev-ops style agility of service deployment, resource allocation and cost.

There are 3 primary architectural models for delivering value added services with SD-WAN:

  • Embedded on-board services
  • Service chained (including cloud hosted services)
  • Hosted on premise services (aka Branch in a Box)

Embedded on-board services: Utilisation of commodity (x86) CPE hardware and software based forwarding in a modified general purpose OS (mainly Linux), implies that a range of value added service functions can be embedded within the SD-WAN CPE software itself. These functions are typically the ones where choice of specialised vendors are not a requirement and lock-in is not an issue. Examples of embedded valued added services include NAT, ACL, DHCP, application aware steering, analytics, Layer 7 ACLs, URL filtering etc. The management and policy constructs for these functions are built into the SD-WAN management/policy layers.

Service chained (including cloud hosted services): Value added service functions can be hosted in a Datacentre – a centralised DC or a distributed telco site (POP or a CO). SD-WAN control & policy layer can chain branch traffic flows of interest to the service functions in the DC. The key requirement here is to ensure that the SD-WAN platform works across the WAN & DC domains, thereby offering seamless connectivity between the two without requiring manual intervention at a Provider Edge router or a DC gateway for tunnel termination. The single WAN+DC SDN platform also allows for single hop redirect of traffic from a CPE source in the branch to a VM target hosting the function in the DC. For SD-WAN use cases such as SaaS traffic offload to internet from branch, several enterprises prefer using cloud hosted security scrubbing services such as Zscaler. The SD-WAN solution should be capable of chaining to these services as well.

Hosted on premise services (aka Branch in a Box): Branch in a box is the most self-contained of the models for delivering VAS with SD-WAN. The idea here is to provide all functionality needed to operate a branch in a single box with unified/secure policy, control as well as life cycle management of the additional functions. Branch in a box involves the hosting of value added service as a virtual appliance on the CPE.

In this model, the centralised cloud based SD-WAN management and control plane is responsible for:

  • VAS function repository (including image library) and (lightweight) lifecycle management of the virtual appliance functions in the branch (including create, bootstrap, upgrade and delete functions)
  • Providing initial startup configuration and assigning local resources (CPU, memory, storage) for the VAS appliance.
  • Policy logic for local traffic re-direction into and out of the function
  • Providing APIs to (optional) northbound service orchestration system

On the other hand, the branch CPE is responsible for:

  • Hosting of virtual appliance using a hypervisor such as KVM or container framework such as docker. Resource assignment for the appliance, while defined in the cloud policy plane, is enforced at the CPE
  • Local service chaining i.e. implementing forwarding rules to get specific traffic flows into and across multiple VAS functions
  • Health checks on VAS appliance to provide assurance and performance checks

Branch in a Box is similar to Fat CPE or Universal CPE models prevalent in the industry but distinguishes itself with:

  • Openness: Ability to host 3rd party value added appliances via an open ecosystem and not be restricted to a specific vendor’s functions. This is an important differentiator for SD-WAN hosted VAS. The VAS functions must include both virtual machines and containers.
  • Self-contained VNF management: Lightweight life cycle management (LCM) of appliances is part of the basic functionality of branch in a box and does not require additional management/orchestration systems. Complex LCM schemes can co-exist and be implemented outside of the SD-WAN system. This self-contained approach also ensures that any integration with a higher level orchestration system is simplified and shields the orchestration from device by device (site by site) management.
  • Secure and Tamper proof operation: SD-WAN solutions include a secure, authenticated message channel between cloud policy plane and branch device. It is used for device bootstrapping, pushing policy/forwarding updates and extracting SD-WAN analytics data. Branch in a box utilises the same channel for VAS appliance bootstrapping and lifecycle management, ensuring fully secure, tamperproof and encrypted operation.
  • Traffic monitoring and insight: In order to get full benefit from SDN based automation for VAS, it is essential that the system provide pan-network flow/traffic analytics which are easy to consume via APIs and in built visualisation. The flow data can be used to create automatic policy based on real time traffic, thereby dictating service chaining, mirroring, shaping for VAS traffic. For example, a flow can be automatically redirected or mirrored to an intrusion detection function in a DC based on real time pattern detected by SD-WAN platform.

In summary, the ability of a SD-WAN platform to deliver value added services for the branch extends the reach of SD-WAN beyond connectivity and enables a cloud based, on-demand, flexible model for enterprise value added functions. The 3 models for VAS with SD-WAN include embedded functions within the SD-WAN software, service chained functions from branch to DC or SaaS providers and hosted VM/container functions (branch in a box). There is no one size fits all. A small branch site may require embedded FW (firewall) functions that provide basic functionality, a mid size site with low speed connections may need hosted container based TCP optimised function, another site may choose service chaining to intrusion detection functions hosted in a service provider DC or in HQ site, while another location may need a fully functional branded FW VM hosted locally for internet breakout. It is important to select a SD-WAN platform that offers all 3 models (with an open 3rd party VAS ecosystem) without relying on complex integrations with other management or orchestration systems.

Saurabh Sandhir is VP of Product Management team at Nuage Networks
Image Credit: Nuage Networks