What Is SD-WAN?

SD-WAN in Industry Standards

Different SD-WAN vendors provide different definitions for SD-WAN. The following provides typical SD-WAN definitions in the industry.

What Are the Benefits of SD-WAN?

Enterprise networks are facing issues such as closed WAN architecture, difficult service experience assurance, slow service deployment, and difficult O&M. To address these issues, Huawei SD-WAN Solution implements all-scenario and on-demand interconnection between enterprise branches and between enterprise branches and data centers. This solution stands out with the application-based intelligent traffic steering and acceleration as well as intelligent O&M features to deliver better service experience and reshape the full-process service outcomes of enterprise WAN interconnections. Huawei SD-WAN Solution provides the following benefits:

• 5G ultra-broadband on-demand interconnection: Enterprise branches can connect to the headquarters and clouds via 5G and wired uplinks anytime and anywhere. Large-scale flexible networking enables reliable and scalable interconnection between enterprise branches.
• Intelligent traffic steering and smart experience: Application-based intelligent traffic steering and optimization ensures user experience of mission-critical local and cloud applications of branches at any place such as office and production branches.
• Unified management and control and intelligent O&M: Unified cloud-based LAN and WAN management simplifies service deployment and O&M for a large number of branches.

What Is the SD-WAN Architecture? How Does SD-WAN Work?

From the perspectives of logical layers and functions, the SD-WAN logical architecture consists of the service presentation layer, management layer, control layer, and network layer. Each layer provides different functions and consists of several core components, as shown in the following figure.

1. Service presentation layer

   The service presentation layer connects to a network controller in the southbound direction and implements SD-WAN service presentation and provisioning through service portals. The service presentation layer provides:

   • Self-developed portal: The SD-WAN solution provider provides a portal for customers to perform end-to-end SD-WAN service configuration and processing.
   • Third-party BSS/OSS: Based on service functions and GUI layout requirements, a third party can invoke northbound open APIs of the network controller to integrate the SD-WAN Solution and flexibly customize the GUI.
2. Management layer

   The network controller is the core component of the management layer and the "smart brain" of the entire SD-WAN Solution. The SD-WAN network controller provides network orchestration and management functions.

   • Network orchestration: The network controller abstracts service-oriented SD-WAN network models, orchestrates services related to enterprise WAN networking and network policies, and automatically provisions service configurations. The network controller abstracts and defines the network model of enterprise WANs, and shields technical details about SD-WAN deployment and implementation, and implements simplified and flexible WAN network configuration and service provisioning.
   • Network management: The management component of the network controller implements network management and O&M functions for enterprise WANs, including but not limited to the following: collection of fault information such as alarms and logs of SD-WAN NEs; collection, statistics, and analysis of performance data based on links, applications, and networks; collection and display of multi-dimensional O&M information such as network topologies, alarms, and performance data.
3. Control layer

   The route reflector (RR) is a core component at the control layer and is responsible for network control.

   The RR distributes and filters VPN routes of SD-WAN tenants, creates and modifies VPN topologies, and creates and maintains overlay tunnels between sites. Compared with the distributed control mode of traditional networks, this centralized control mode separates the control plane from the forwarding plane of enterprise WANs. This simplifies network O&M operations, reduces network configuration errors, and improves the O&M efficiency of enterprise WANs.

4. Network layer

   From the service perspective, enterprise sites include enterprise branches, headquarters, data centers, and IT infrastructures deployed on the cloud. Network devices used for WAN interconnection at different enterprise sites and the intermediate WAN constitute the SD-WAN network layer.

   SD-WAN network devices include edge devices and gateways.

   • Edge devices

     Edge devices refer to egress CPEs at enterprise headquarters, branch, data center, or cloud sites. They are start or end points of SD-WAN tunnels and also border sites of an SD-WAN network. Overlay tunnels between edge devices can be built on any wired or wireless underlay WAN links, and generally use a data encryption technology (such as IPsec) to ensure the data transmission security of enterprise WANs.

     Typically, both traditional hardware CPEs or universal (uCPEs) and virtual CPEs (vCPEs) can be used as edge devices in the SD-WAN Solution.

     • CPE: traditional hardware CPE. Initially, a CPE is a hardware device deployed at a site. From the hardware perspective, a CPE generally consists of a switching and routing unit (SRU), interface cards, multi-core CPUs, and various hardware components. From the software perspective, a CPE provides Layer 2 switching and Layer 3 routing functions to connect the internal and external networks of sites. Generally, such type of CPE is called traditional CPE.
     • uCPE: With the development of cloud computing and Network Functions Virtualization (NFV) technologies, cloudification and virtualization become irresistible trends. Functions provided by traditional dedicated hardware devices can be implemented through software instead. For example, functions such as security, WAN acceleration, and load balancing can be provided through virtual network functions (VNFs). Integrating these functions into CPEs can reduce the device cost and power consumption and implement flexible and fast service provisioning.
     • vCPE: When network functions of traditional CPEs are implemented through software instead of hardware devices, the software is decoupled from the hardware. These CPEs are called vCPEs. vCPEs can be deployed instead of dedicated hardware devices to implement functions of traditional CPEs through software. This facilitates fast service deployment, enhances service scalability and flexibility, and reduces deployment and operation costs.
   • Gateway

     An SD-WAN gateway is an intermediate device that connects new SD-WAN sites and legacy VPN sites of an enterprise. Due to the existence of legacy non-SD-WAN sites, gateways are deployed to implement interconnection between SD-WAN networks and legacy branch networks of enterprises.

How Is SD-WAN Related to MPLS VPNs?

In a traditional WAN topology, MPLS VPNs are used for branch interconnection, which ensures the bandwidth and reduces the transmission delay of data packets. SD-WAN is evolved from the MPLS technology. SD-WAN implements interconnection of WAN branches through flexible combinations of MPLS, Internet, LTE, and 5G links.

MPLS and SD-WAN technologies are compared as follows:

• Cost: MPLS VPNs are more expensive. SD-WAN supports flexible combinations of MPLS, Internet, LTE, and 5G links, reducing overall link costs.
• Security: MPLS provides secure and reliable connections and is applicable to applications that require high security. In the SD-WAN Solution, MPLS links are preferentially used to ensure connection security.
• Performance: Internet links have lower performance than MPLS links with the same bandwidth. SD-WAN can aggregate multiple Internet links into one logical link, which ensures performance.
• Stability: For key services that are sensitive to the network delay and packet loss rate and have high link quality requirements, MPLS does not provide a mechanism to differentiate priorities. In contrast, the SD-WAN Solution provides the policy management and intelligent traffic steering capabilities, which enable traffic of higher-priority applications to be preferentially processed upon congestion. That is, traffic of key services is transmitted over MPLS links, and traffic of other services is transmitted over high-bandwidth Internet links.
• Deployment efficiency: MPLS deployment may take 1 to 6 months, while SD-WAN deployment takes only a few hours.
• Support for mobile applications such as cloud computing and software as a service (SaaS) applications: It is difficult to apply cloud computing and SaaS applications on MPLS networks on a large scale. To support faster access to cloud applications, the SD-WAN Solution allows users to configure traffic diversion rules to enable traffic of cloud applications to be transmitted over Internet links. Cloud traffic is transmitted directly from branches to the Internet, instead of being diverted through the headquarters. Some SD-WAN operators also allow traffic to be directly transmitted to cloud data centers (such as AWS or Microsoft Azure) from their gateways to improve the performance and reliability of applications on these clouds.

SD-WAN makes it easier to build hybrid WANs, maintains a balance among the cost, reliability, and performance, and enables traffic of various applications to be transmitted over hybrid links.

How Is SD-WAN Security Ensured?

The SD-WAN security can be ensured from two aspects: system security and service security. System security is a mandatory, basic security capability of the SD-WAN Solution. After system initialization, the SD-WAN Solution should have capabilities to ensure secure and reliable system running. Service security is ensured by separately deploying flexible security functions based on the service security requirements of enterprises.

• System security

  System security covers communication security between components in the SD-WAN solution, multi-tenant security, and component security. The SD-WAN Solution consists of multiple components. The components and the communication between them may encounter security threats. Security measures must be taken to ensure the security and reliability of the SD-WAN Solution.

  These measures include identity authentication, data encryption, data verification, and permission control, which prevent security issues such as unauthorized access, information leakage, and data tampering. Especially in CPE access scenarios, the SD-WAN Solution strictly verifies CPE identity information based on the Zero-Trust concept. This approach ensures that only authorized and trusted CPEs can access the network, preventing CPE identity spoofing.

• Service security

  Service security involves the security of services carried by the SD-WAN Solution. Based on the service model of an enterprise, service security covers the security of the inter-site access, Internet access, and cloud access services.

  To meet service security requirements, proper security measures must be taken for the services. For example, for the inter-site access service, data must be encrypted for secure transmission on the Internet. For the Internet access service, CPEs or uCPEs provide security functions such as ACL-based packet filtering, firewall, intrusion prevention system (IPS), URL filtering, and VAS advanced security functions, preventing various attacks and intrusions. These security functions can be configured for each VPN. That is, differentiated service security measures can be taken for different departments of a tenant.

  In addition, the SD-WAN Solution can connect to a third-party cloud security gateway to protect SaaS service traffic and traffic for accessing public clouds.

How Is SD-WAN Related to Clouds?

In the cloud era, a growing number of enterprises are migrating their IT systems to public clouds. Enterprise WANs also require flexible access to various cloud resources, including infrastructure as a service (IaaS) cloud services and SaaS cloud applications.

vCPEs can be deployed as edge nodes at public cloud sites to provide software-based security, WAN acceleration, and load balancing functions through VNFs. Integrating these functions into CPEs can reduce the device cost and power consumption and implement flexible and fast service provisioning.

Multiple paths to SaaS cloud applications may be available to ensure access efficiency. Leveraging the intelligent traffic steering function, the SD-WAN Solution detects the Service Level Agreements (SLA) of each available path in real time. With the help of a centralized network control system, the SD-WAN Solution can adjust and select optimal paths for accessing SaaS cloud applications in real time.