International businesses face a serious challenge: delivering cloud application performance, reduced complexity, security policies, monitoring, delivery and maximum uptime via redundant circuits.
What are the basics of procuring Global SD WAN?
There are a number of challenges associated with procuring Global SD WAN services. IT Managers and their teams must focus on creating an architecture which encompasses user cloud access and security, while at the same time ensuring traffic performance is acceptable both within national reach and across international connectivity. IT Managers must consider the architecture of Global WAN services across network performance, business continuity and support.
To meet this challenge, global software-defined WAN capability is required to offer benefits which include WAN optimization, granular next generation security policies, reporting analytics, network monitoring, and global path selection.
Perhaps one of the key data points to understand is that SD WAN is not simply an Internet VPN technology.
If we believe the massive amount of hype, software networking allows you to leverage any low cost ISP connectivity, confident that your SD WAN device (virtualised or otherwise) will sort out any performance issues. In many cases the technology will certainly assist with degraded circuits, but we need to remember that deploying cheap Internet between core Enterprise business offices is probably not the best idea unless you are buying from a single public IP backbone provider.
MPLS, VPLS and VLL services represent a great option as part of the overall global WAN architecture mix. With Cisco Meraki and Viptela, businesses are able to leverage the right circuits across Internet, MPLS and VPLS with an acceptable SLA.
What is the state of international SD WAN services in 2020? Is MPLS really dead?
In 2019, most large enterprises are aware of SD WAN and many have migrated all or select portions of their global WAN to an SD WAN platform. While each SD WAN vendor introduces features as a point of differentiation, most mature platforms have settled around a core set of common features, though these may be implemented slightly differently by each vendor.
The most common feature touted by nearly all SD WAN platforms is the ability to use two or more secure flexible WAN connections simultaneously, as opposed to the previous common paradigm of active/standby links. The hype surrounding SD WAN is propagated by claims of the ability to use simple commodity broadband circuits and even wireless 4G/5G connections for all of your connectivity needs with the promise of drastically lowering your monthly WAN operating costs. This claim is touted by all major SD WAN vendors, but circuit costs and performance in the real world are not so black and white. The major variables are network application requirements, the types of connectivity available at your locations, and the cost to deliver that connectivity to you with a secure feature-set.
Some network applications require a lot of bandwidth, like large file transfers. Some have a low tolerance for delay across the WAN, such as VoIP telephony. Still, other applications require both high bandwidth and low latency, like video conferencing for example. This is why Service Level Agreement (SLA)-backed private WAN circuits such as MPLS, Virtual Leased Lines (VLLs), and multipoint VPLS remain very popular in 2019. In many cases, these private circuits are still the only way to guarantee the performance you need for your applications.
Why is SD WAN here to stay?
Just five years ago the concept of SD WAN was fairly new and the various vendor platforms were still up and coming. Today, SD WAN vendors have rich, flexible, scalable, mature platforms that take advantage of previous years of operational experience and exposure to customers’ live production networks. Many vendors now include capabilities within their platform beyond just utilizing multiple links simultaneously, such as WAN optimization and Forward Error Correction (FEC), that enable your locations to get the very best performance possible across all of your connections.
SD WAN represents a new way to utilize and manage your WAN infrastructure. When you couple the WAN optimization capabilities with general platform orchestration and zero-touch provisioning (ZTP), these are the reasons why SD WAN is here to stay. Many people equate SD WAN with a simple VPN over the Internet, but this is not true. SD WAN platforms like Cisco Meraki and Cisco Viptela are transport agnostic and can use whatever kinds of connectivity you provide, whether it is through the public Internet or through private services like MPLS. In each case, Meraki and Viptela will utilize all of the available features of the underlying connectivity, such as Quality of Service (QoS) if the connection supports it.
How to design SD WAN architecture for your Global Enterprise?
Large enterprise networks with a global reach have different requirements from those that only have a regional presence. When you require global connectivity, it is critical for your overall SD WAN architecture to account for the time it takes for your packets to go around the world (propagation delay). This is why most large global enterprises still use SLA-backed private connectivity in their backbone network.
While SD WAN will make the most of what is available, you still have far less control and no guarantees when you use the public Internet for your transport. ISPs may reroute their public Internet traffic on a whim to suit their needs which can introduce new levels of latency. This is not as critical for regional networks but can be greatly compounded as you add more public Internet hops and distance in the overall path. With private circuits, you are guaranteed a specific maximum amount of latency across the entire path, regardless of the number of hops the traffic passes through. Using private circuits with SD WAN across your global backbone ensures you get the performance quality guarantees along with the added-value features of the SD WAN platform.
Figure above: Global SD WAN design example using MPLS.
What does SD WAN offer in 2019?
SD WAN can work well for your core transport depending on your specific needs, but where it really proves its value is at the network edge. For example, if you have many smaller branch offices, Cisco has product offerings from both Meraki and Viptela that enable “branch in a box” functionality where a single device provides routing, switching, and WiFi access without the need for individual devices.
When coupled with zero-touch provisioning, it becomes possible to roll out new SD WAN connectivity to your locations without requiring advanced technical expertise with each subsequent installation. The orchestration features of SD WAN ensure each of your devices maintains a current and consistent configuration that is centrally-managed. Centralized management is an important part of how SD WAN provides value to your organization. Cisco Meraki and Viptela both offer dashboard portals that provide up-to-date statistics and insights about the performance of your WAN.
You can quickly obtain both a global overview and drill down to individual sites and devices as necessary. The dashboard can show you how many wireless clients are connected at each site, how much bandwidth is being utilized, whether you are having performance issues with your circuits, and much more. This trending data is built into the SD WAN platform and can let you know in advance when it might be time to upgrade your bandwidth capacity.
Are large telcos still relevant with SD WAN?
Large telcos still have a major role to play despite transport independence being a fundamental tenet of SD WAN. For instance, most large service providers offer multiple kinds of connectivity. For each of your locations, you could provision a more expensive private circuit to take advantage of its performance along with a less expensive broadband solution for backup or additional bandwidth. WAN pricing is important, and the detail behind it is critical to understand.
Both of these can usually be provided by the same telco along with the SD WAN service itself which gives you the advantage of a single point of billing and support. When it comes to network support, a large telco is more likely to have a higher number of expert-level staff employed who can handle the deepest of technical issues. The other major advantage of using a large telco for your SD WAN service when you have a global enterprise is that large carriers often have their own global reach and strategic partnerships as well. This has the dual advantage of higher-performing circuits within the carrier’s network as well as a potential for faster resolutions when network issues arise since the telco will have visibility into their own global network whereas a public Internet solution may pass through many different independently-owned networks.
How to consider your own global enterprise challenges?
With a global enterprise, your migration to a new service will happen in multiple stages. SD WAN’s transport independence makes it easier to migrate from one provider to another. Even if you purchase your new SD WAN service through a single carrier, there are multiple ways to migrate to the new carrier even if some of your sites are still under contract with the old provider. One of the options is to maintain multiple separate VPN environments. As sites are transitioned to the new service, they can communicate with the locations that have not yet been migrated through centralized meeting points.
For example, you could use BGP as a method of distributing your sites’ routes between the existing environment and the new SD WAN service. This ensures global policy-based connectivity as you transition. Another option is to connect the existing infrastructure directly into the new SD WAN service as a secondary or tertiary connection during migration and until the old contract expires. If your existing circuits are Ethernet-based, this is usually a very simple procedure. When using older serial technologies like E1/E3 circuits, your existing terminating equipment may need to be reconfigured to provide an Ethernet handoff to the new SD WAN routers.
How is SD WAN an enabler of security and cloud?
SD WAN has the potential to provide a new operational paradigm with regard to enterprise-wide network security. SD WAN edge appliances, whether physical or virtual, are points of network policy in addition to traditional network transport. Each appliance can serve as a firewall itself or integrate with other security solutions. With SD WAN it is easy to centrally control and manage security policies across your global enterprise. This has the advantage of ensuring your policies are consistent across all security zones.
This improves ROI and TCO because less time will be spent troubleshooting policies across individual devices. Cisco Meraki and Viptela also both offer cloud service integration and optimization. Virtual Meraki and Viptela appliances are available that run in Amazon AWS and Microsoft Azure. These virtual appliances allow you to extend your private WAN into the public cloud environment just like any other physical location. Meraki and Viptela also offer integrations with AWS Direct Connect and Azure ExpressRoute, which are high-performance private connectivity options for the respective public cloud environments. As more enterprise workloads are placed into the cloud, having tight integrations with the largest cloud players like AWS and Azure ensures SD WAN solutions like Meraki and Viptela make the transition easier.
How to design an SD WAN for the larger global enterprise business?
The biggest challenge large global enterprises face is distributed access to various resources through the global WAN. There is always a balance between cost and performance. SD WAN helps in this regard with routing to regionalized resources. For example, if you have multiple file stores sharing the same content, you can easily establish policy within the WAN platform to automatically select the closest region. Security and traffic performance can also be improved by maintaining regional boundaries. For example, through policy, you could dictate that access to certain resources must always traverse private MPLS connections and not use the Internet.
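The application-aware path selection described above (latency and bandwidth thresholds per application class, ISP reroutes degrading a public path, and a policy forcing certain resources onto private MPLS only) as a small Python model. This is an added example, not Meraki or Viptela code; the link names, application classes and latency figures are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Link:
    name: str
    private: bool       # SLA-backed private circuit (MPLS/VLL/VPLS) or public Internet
    latency_ms: float   # measured one-way latency on this path
    free_mbps: float    # bandwidth currently available on the link

@dataclass(frozen=True)
class AppClass:
    name: str
    max_latency_ms: float       # tolerated one-way delay for this application
    min_mbps: float             # bandwidth a flow of this class needs
    private_only: bool = False  # policy: must never traverse the public Internet

# Constructed sample data: one intercontinental site pair with three uplinks.
LINKS: List[Link] = [
    Link("mpls", private=True, latency_ms=90, free_mbps=20),
    Link("broadband", private=False, latency_ms=130, free_mbps=100),
    Link("lte", private=False, latency_ms=200, free_mbps=30),
]
VOIP = AppClass("voip", max_latency_ms=150, min_mbps=0.1)
FILE_XFER = AppClass("file-transfer", max_latency_ms=300, min_mbps=50)
PAYROLL = AppClass("payroll-db", max_latency_ms=200, min_mbps=1, private_only=True)

def select_path(app: AppClass, links: List[Link]) -> Tuple[Optional[str], str]:
    """Pick the uplink for one application class.
    Policy order: private_only removes Internet links entirely; links that miss
    the latency or bandwidth thresholds are dropped; among the survivors the
    lowest-latency link wins, private preferred on a tie. If nothing meets the
    thresholds, fall back to the fastest allowed link and flag it 'degraded' so
    monitoring can alert; 'blocked' means policy forbids every available link."""
    allowed = [l for l in links if l.private or not app.private_only]
    meets_sla = [l for l in allowed
                 if l.latency_ms <= app.max_latency_ms and l.free_mbps >= app.min_mbps]
    if meets_sla:
        best = min(meets_sla, key=lambda l: (l.latency_ms, not l.private))
        return best.name, "ok"
    if allowed:
        return min(allowed, key=lambda l: l.latency_ms).name, "degraded"
    return None, "blocked"

def isp_reroute(links: List[Link], name: str, new_latency_ms: float) -> List[Link]:
    """Model the failure mode in the text: an ISP reroutes and a public path's latency jumps."""
    return [replace(l, latency_ms=new_latency_ms) if l.name == name else l for l in links]
```

With the sample data, VoIP and the payroll database land on MPLS, the bulk file transfer uses broadband because MPLS lacks spare bandwidth, and a broadband latency spike pushes the file transfer onto MPLS in a degraded state rather than silently onto an unsuitable link.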
Managing device network access across a global enterprise can also be a major challenge. Both Meraki and Viptela feature 802.1X and AAA integrations which can be used to allow or deny connectivity to individuals across the entire network. These integrations become critical as more companies are implementing Bring Your Own Device (BYOD) policies that allow employees to utilize their own computers, smartphones and tablets to access protected company resources.
An example comparison - Cisco Meraki or Viptela for Global SD WAN?
Cisco offers SD WAN solutions under the Meraki and Viptela platforms. There is an overlap of functionality between the two, and while both can be used with global enterprises, they do have two somewhat distinct operational considerations. Meraki was designed from the beginning to have operational simplicity. It is fairly easy to design and implement a global SD WAN infrastructure with Meraki which allows the solution to be supported by less knowledgeable IT staff. The trade-off is that there are some more advanced features and deployment scenarios that Meraki does not support.
The Cisco Viptela solution bridges the gap between simple SD WAN and very advanced deployment scenarios. Viptela supports more SD WAN uplinks than Meraki, along with IPv6 and multicast routing across the SD WAN fabric. These are all more advanced networking features that require support staff with a higher level of expertise to design and operate. The Viptela SD WAN software also runs on some of Cisco’s more advanced hardware platforms that are capable of higher levels of performance than the Meraki product line, which may be critical depending on the size of your datacentres and your WAN needs. However, just like in the migration scenario, there is nothing preventing you from operating both a Meraki and a Viptela environment simultaneously. With a global SD WAN environment, one possible approach is to use Viptela in your network backbone and larger sites and Meraki across smaller locations where IT support staff may be limited. This approach gives you the best of both including the advanced features of Viptela with the true operational simplicity of Meraki.
Figure above: Cisco Viptela Global SD WAN Diagram. An example Global SD WAN design using Cisco Viptela.
Should you choose DIY or Managed SD WAN for global business?
Enterprises that have a global presence are typically large enough to require employing IT staff with advanced technical knowledge. Frequently, large enterprise networks have specific requirements that are difficult to manage with outside support personnel who are not dedicated solely to your organization, as they may not be familiar with the more intimate details of your company’s network. However, SD WAN makes general network operations much simpler through centralized policy management, which can make outsourcing your WAN operations more enticing: you simply purchase connectivity along with the SD WAN service, and the managed SD WAN provider takes care of the details and maintenance, which allows you to reduce your operational technical headcount.
One of the considerations of a managed service is that the managed services provider (MSP) will have the advanced technical staffing to handle your needs, but any changes that you need in the network may take additional time as compared to having your own technical staff. Ultimately, deploying SD WAN across a large global enterprise is similar to any other major project where you must determine your goals, requirements, and desired outcome. There are many ways to approach the deployment and with platforms like Meraki and Viptela, you can achieve exactly what you’re looking for in the network design.