Click to open module...
It is common knowledge that the “SD” in SD-WAN stands for “software defined.” What does that mean, exactly? And how is a software defined WAN different from a traditional one? Today’s blog post explores these questions.
The concept of Software Defined Networking (SDN) is not new; the first standards-based SDN was born nearly a decade ago. Enabled by a vendor-agnostic protocol called OpenFlow, SDN effectively separates the configuration and control of switches and routers from their packet forwarding engines; the former is referred to as the control plane and the latter as the data plane. By making this separation, configuration and control functions can be centralized and accessed via APIs, empowering applications to configure network topologies and traffic flows per their requirements. This capability plays a significant and essential role in modern IaaS cloud computing, where IP subnets and VLANs are created upon demand as virtual servers and storage resources are spun up.
The notion of software-based control of switches and routers makes sense in the data center, but it breaks down in the wide area, where service provider networks become involved: these 3rd party networks may employ SDN internally, but they don’t expose that functionality to their customers. If 3rd party networks can’t be software controlled by their customers, can a WAN really be software defined? It can if it’s a virtual WAN.
Virtual Private Networks (VPNs) have been a part of the IP networking landscape since the 1990s. The idea is simple enough: a pair of hosts or routers connected to a public network exchange packets whose payloads are encapsulated private packets, thereby establishing a private tunnel across the public network. There may be many switches and routers between the two ends of a VPN tunnel, but these are invisible to the virtual private network.
SD-WAN leverages this idea by establishing VPN tunnels between its endpoints at the network edge, thereby creating a virtual private WAN atop one or more public or private IP networks. It is this virtual WAN that is software defined, with the data plane implemented in the endpoint hardware and the control plane as a distributed software application managed via a centralized orchestration server. In today’s nascent SD-WAN market there is no open standard like OpenFlow facilitating configuration and control of the virtual WAN; each SD-WAN vendor uses their own proprietary scheme.
Routing decisions in the software defined virtual WAN translate into tunnel selections. And unlike traditional routed IP WAN’s, these selections need not be based solely on the destination address. This frees SD-WAN to apply different routing logic to the applications using the network. For example, RTP traffic from voice or video calling might be routed site-to-site in a full mesh configuration to minimize latency, while general-purpose Web and Email traffic might be routed hub-and-spoke through regional data centers for security inspection purposes.
This notion of tailored routing from a security perspective is the basis of the Secure Access Service Edge (SASE), the next stage in the evolution of SD-WAN. SASE is the convergence of SD-WAN with cloud-based security, where the flexibility of software defined routing enables efficient integration with advanced security services.
GTT connects people across organizations, around the world, and to every application in the cloud. Our clients benefit from an outstanding service experience built on our core values of simplicity, speed, and agility. GTT owns and operates a global Tier 1 internet network and provides a comprehensive suite of cloud networking services. We also offer a complementary portfolio of managed services, including managed SD-WAN from leading technology vendors.