My Journey with SD-WAN
by Wasiu Olaleye
A lot of network engineers feel that SD-WAN/SDN’s advent would result in playing down their expertise as the traditional way of routing and forwarding packets through CLI (command-line interface) placed so much value on their expertise. At first, I felt the same way too and a lot of us would definitely feel the same way but SD-WAN technology is a reality as an overlay VPN for enterprise businesses.
A few years back, cloud computing seemed completely impossible but it is a reality today and cloud skills are mandatory requirements for most IT professionals. The popularity of cloud-based services has necessitated the need for a simplified and highly scalable WAN solution and SD-WAN is the answer. As I have repeatedly emphasized that our knowledge is important and valued as it will always serve as the fundamentals.
Let’s look at the basic definition of SDN as a separation or decoupling of control plane (routes storage) from the data plane (packet forwarding) in a virtualized manner and traditionally these components (control, data, and management planes) are usually embedded on a single device. SDN has transformed traditional telecom and service providers to deliver their services on-demand and SD-WAN, on the other hand, is also based on the same methodology of decoupling of the control plane from data plane with different approach.
Let me dive a bit into their differences — SDN is to LAN or carrier’s core network while SD-WAN is used for connecting geographically dispersed sites and remote users. So the point is, it takes one with a good understanding of how those planes work to design and implement good SDN/SD-WAN solutions. Let’s now take a deep dive into some of the basic features of SD-WAN while its enhancements and other features will be discussed in future posts.
• Dynamic Connection Establishment: This is an extremely important function of the vendor specific SD-WAN architecture deployed in your organization as it is either automated or self-managed. Cisco SD-WAN for instance uses OMP(Overlay Management Protocol) for WAN routing while Versa uses traditional BGP routing concept for control planes. It is not news that more routing is required at the LAN side which has been defined at the data plane as routing stack — BGP route reflector as an option to alleviate iBGP fully meshed iBGP topology is highly emphasized at this plane. So this explains the testimony to the fact that good understanding of packet routing/forwarding is so required to set up SD-WAN
• Virtualized overlay VPN deployment: Of course a good understanding of traditional underlay and overlay VPNs will place most network engineers at the edge to better understand how SD-WAN virtualized overlay VPN works.
• Security ( IPsec Specifically): Cisco SD-WAN may have taken a fundamentally different approach basing its core security design around key exchange to be fully automated , however the core three security components — authentication, encryption and integrity are extremely factored in security the Cisco SD-WAN overlay network infrastructure. Fortinet SD-WAN security concept is fully automated but good understanding of security key exchange concept is required to fine tune to get better throughput and security. Strong knowledge of IKE phases (1&2) plays a vital role in troubleshooting or dive seep in setting up an overlay VPN between the endpoint devices.
• NAT: It is important to know that an integral part of SD-WAN architecture is local internet breakout at the remote sites which leverages NAT deployment to allow direct access to the cloud based applications such as Microsoft Azure, Google Cloud, AWS, Salesforce and others. Fortinet integrated NGFW, for instance, provides a key feature that provides ability to NAT inbound and outbound traffic with either source and destination NAT. Cisco SD-WAN also provides capability to implement destination NAT between multiple vEdges (endpoints). It is not news that there have been compatibility issues with IPsec and NAT in certain encryption types such as AH (authentication header) and the issue still exists in SD-WAN architecture. It requires a good understanding of NAT to have it set up accordingly without running into troubles.
• Better Prioritization, Flexible Bandwidth Allocation: A good understanding of traditional QoS algorithms are helpful setting up policies for prioritization and bandwidth allocation. QOS (Quality of Service) is essentially a technology often deployed to prioritize or manage data traffic by slowing less important data packets down while critical data packets are assigned with utmost priority to pass through first. The QOS tags have varying levels of importance, from high to medium to low or critical, then important or best effort. QOS is extremely important when implementing VOIP as parameters such as latency, jitter, packet loss and business of loss and jitter are to be seriously considered in course of the QOS design and implementation.
• Redundancy/High availability: As network engineers, we must have had a great understanding of technologies such as VRRP, HSRP, and GLBP plus a good knowledge of load balancing algorithm like Round Robin, Weighted Round Robin, Random, Source IP, URL hash, Least connections(weighted Least connections), Least traffic and weighted Least traffic, Least latency and finally UTM/NGFW high availability. These play vital roles in deploying SD-WAN’s auto-failover and high availability.
Having unpacked above a few out of many reasons why our expertise as network engineers is extremely needed. It is imperative for us as network professionals to accept the reality that network changes and deployment are mostly being done or executed via network automation tools such as Ansible, Chef, Git, Jenkins, Python, Cisco NSO and few others while few deployments are done via CLI. It is high time we started learning these new skills such as network automation, scripting, virtualization and cloud skills to set up highly resilient, simplified, scalable, flexible and changeable networks for enterprise businesses.
inq. is a pan-African cloud-based digital service provider with points of contact in 16 African cities, providing innovative, business-relevant services in Edge AI, SDN/NFV, Cloud Based solutions and Intelligent Connectivity.
Visit www.inq.inc for more information.
Wasiu Olaleye is an IP Design and 3rd Level Network Support Specialist at inq. Nigeria.