When it comes to designing and building a modern wide area network (WAN) architecture, several new and traditional technologies are available to build the most appropriate and cost-effective solution for your organisation. Today, SD WAN often serves as a focal point of connectivity, but other traditional technologies like MPLS, VPLS, and private circuits still hold value and can provide services that Internet-only SD WAN cannot, such as true quality of service (QoS) and multicast. Continuous improvements in wireless technology such as 5G enable more flexible connectivity options, and potentially quicker start-up times as you might no longer need to rely on wireline services, depending on your location circumstances.
Hybrid SD WAN
The technologies that enable SD WAN serve as the cornerstone for today’s hybrid WAN. SD WAN lets several WAN links be used at the same time, with traffic steered between them per flow, and adds features such as Forward Error Correction (FEC) and platform automation and orchestration. SD WAN is considered a “transport agnostic” technology: it makes the most of whatever kinds of connections you use, and most platforms can also exploit features of the underlying circuit, such as QoS marking, where the carrier honours them.
Many traditional WAN configurations rely on either single connections or bonded links, and bonded links must additionally be identical in nature (speed, type, etc.). SD WAN lets you aggregate multiple circuits simultaneously, whether or not they use the same underlying technology. Packets or flows are automatically steered down the most appropriate link based on business policy and on the measured condition of each link. For example, voice over IP (VoIP) traffic will usually traverse the link with the lowest latency and lowest error rate, even if it is not the fastest link. Similarly, bulk file transfers may use a link that is faster, even if it has higher latency than the other connections.
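The steering decision described above can be modelled in a few lines. The following is an added illustration, not the code of any SD WAN vendor: the link measurements, the two application policies and the fail-open behaviour when no link meets an application's thresholds are all assumptions chosen to show the mechanism.

```python
"""Policy-based link steering as an SD WAN edge might apply it.
Illustrative model only; link metrics and policies below are constructed."""
from dataclasses import dataclass, replace


@dataclass
class Link:
    name: str
    bandwidth_mbps: float   # available capacity
    latency_ms: float       # one-way latency from path probes
    loss_pct: float         # packet loss from path probes
    up: bool = True


# Constructed measurements for a branch with three transports.
LINKS = [
    Link("mpls", bandwidth_mbps=20, latency_ms=18, loss_pct=0.0),
    Link("broadband", bandwidth_mbps=500, latency_ms=35, loss_pct=0.3),
    Link("lte", bandwidth_mbps=40, latency_ms=60, loss_pct=1.5),
]

# Assumed business policies: thresholds are what the application tolerates,
# 'prefer' orders the links that satisfy them.
POLICIES = {
    "voip": {"max_latency_ms": 40, "max_loss_pct": 0.5, "prefer": "latency"},
    "bulk": {"max_latency_ms": None, "max_loss_pct": 2.0, "prefer": "bandwidth"},
}


def eligible(link, policy):
    """True if the link is up and within the policy's latency/loss limits."""
    if not link.up:
        return False
    if policy["max_latency_ms"] is not None and link.latency_ms > policy["max_latency_ms"]:
        return False
    if policy["max_loss_pct"] is not None and link.loss_pct > policy["max_loss_pct"]:
        return False
    return True


def choose_link(app, links=LINKS, policies=POLICIES):
    """Return the name of the link this application's traffic is steered to."""
    policy = policies[app]
    candidates = [l for l in links if eligible(l, policy)]
    if not candidates:
        # Fail open: no link meets the SLA, so use the least-lossy link that is up
        # rather than blackholing the application.
        up = [l for l in links if l.up]
        if not up:
            return None
        return min(up, key=lambda l: (l.loss_pct, l.latency_ms)).name
    if policy["prefer"] == "latency":
        return min(candidates, key=lambda l: (l.latency_ms, l.loss_pct)).name
    return max(candidates, key=lambda l: l.bandwidth_mbps).name


def with_link_down(links, name):
    """Copy of the link list with one transport marked failed (for what-if checks)."""
    return [replace(l, up=False) if l.name == name else l for l in links]


if __name__ == "__main__":
    for app in POLICIES:
        print(app, "->", choose_link(app))
    print("voip with mpls down ->", choose_link("voip", with_link_down(LINKS, "mpls")))
```

With the constructed metrics, VoIP lands on the MPLS link (lowest latency among links under its loss ceiling), bulk transfer lands on broadband (highest capacity under its loss ceiling), and if MPLS fails VoIP moves to broadband; LTE is only used for VoIP when nothing better is up, and then as a conscious best-effort fallback rather than silently.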
FEC refers to the SD WAN’s ability to make the most of your connections by remediating errors encountered on lower-performing circuits. Vendors often group two mechanisms under this name. The first is packet duplication: the same packet is sent across multiple links at the same time (or several times down the same link), and the copy that arrives first and intact is the one forwarded onward while the rest are discarded. The second is FEC in the strict sense: extra parity information is sent alongside a group of packets so that a packet lost or corrupted in transit can be rebuilt at the far end without a retransmission. Both cost extra bandwidth, so they are normally enabled by policy for specific applications rather than for all traffic, and are most useful on connections whose end-to-end performance changes constantly, such as wireless 4G/LTE/5G and general Internet links.
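To make the parity mechanism concrete, here is an added example of single-parity FEC over a simulated lossy link. It is not any vendor's implementation: the fixed 64-byte block size, the group size of four data packets plus one parity packet (25% overhead), the sample packets and the loss pattern are all constructed for the illustration. Losing any one packet in a group, including the parity packet itself, is recoverable; losing two is not, which is why the group size is a tuning knob.

```python
"""Single-parity forward error correction: k data packets + 1 XOR parity packet.
Added illustration with constructed packets; not vendor code."""
import struct

BLOCK = 64   # assumed fixed block size on the wire (bytes)
K = 4        # assumed group size: 4 data blocks + 1 parity block


def _pad(payload: bytes) -> bytes:
    """Length-prefix and zero-pad so every block XORs cleanly; the prefix lets
    the receiver strip the padding after recovery."""
    assert len(payload) <= BLOCK - 2, "payload too large for one block"
    return struct.pack("!H", len(payload)) + payload.ljust(BLOCK - 2, b"\0")


def _unpad(block: bytes) -> bytes:
    (n,) = struct.unpack("!H", block[:2])
    return block[2:2 + n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_group(payloads):
    """Return the K data blocks followed by one parity block (index K)."""
    assert len(payloads) == K
    blocks = [_pad(p) for p in payloads]
    parity = bytes(BLOCK)
    for b in blocks:
        parity = _xor(parity, b)
    return blocks + [parity]


def transmit(blocks, drop):
    """Simulate a lossy link: 'drop' is the set of block indexes lost in transit.
    Returns what arrived as {index: block}."""
    return {i: b for i, b in enumerate(blocks) if i not in drop}


def decode_group(received, k=K):
    """Rebuild the k payloads from whatever arrived.
    Returns the payload list, or None if more than one block of the group was lost
    (single parity can only repair a single loss)."""
    missing = [i for i in range(k + 1) if i not in received]
    if len(missing) > 1:
        return None
    if missing:
        # XOR of every surviving block (data and parity) equals the missing block.
        recovered = bytes(BLOCK)
        for b in received.values():
            recovered = _xor(recovered, b)
        received = {**received, missing[0]: recovered}
    return [_unpad(received[i]) for i in range(k)]


# Constructed sample traffic: four small voice-like packets.
SAMPLE = [b"RTP pkt 1", b"RTP pkt 2", b"RTP pkt 3", b"RTP pkt 4"]

if __name__ == "__main__":
    wire = encode_group(SAMPLE)
    print("one data packet lost:", decode_group(transmit(wire, {2})))
    print("parity packet lost:  ", decode_group(transmit(wire, {4})))
    print("two packets lost:    ", decode_group(transmit(wire, {1, 3})))
```

Real SD WAN implementations use larger groups, interleaving and sometimes multi-parity codes, but the trade-off is the same one shown here: more parity per group tolerates more loss at the cost of bandwidth, and the receiver must buffer a whole group before it can repair anything, which adds delay.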
Another very attractive aspect of SD WAN as part of your hybrid WAN strategy is the automation and orchestration of your chosen platform. The two terms are sometimes used interchangeably, but automation refers to performing individual tasks, while orchestration provides the workflow and determines the order in which the automated tasks are performed. A common example is a business policy change, such as specifying that a newly deployed application should receive preferential treatment across your network. With SD WAN, you make the policy change once in your orchestration platform, and the change is propagated automatically to all of the SD WAN edge devices. In the past, you would have had to configure each router independently, or build your own tooling such as custom scripts. These features are simply built in to the SD WAN platform.
MPLS Layer 3 VPN is a service that supports different kinds of network topologies, the most common being any-to-any, where each site has direct access to every other site within the VPN. With an MPLS L3VPN service, your routers peer with the service provider, usually over BGP (OSPF and static routing are also common), so that the carrier knows where each of your IP subnets is and can route traffic appropriately across its backbone network.
Hub and spoke topologies are also possible and are frequently used in a “centralised services” model where all sites need to access the services of a central location, such as a main file server, but do not necessarily need to communicate directly with each other. Your service provider may also offer additional centralised services of its own, such as firewalled Internet access or SIP-based telephony. An increasingly common and popular centralised service is private interconnection with public cloud offerings like Amazon AWS, Microsoft Azure and Google GCP, which carriers can terminate directly into an MPLS L3VPN.
MPLS L3VPN is still a very popular service and remains an important part of a hybrid WAN strategy. With MPLS, the carrier can offer service-level guarantees and support additional end-to-end features like QoS and multicast. While some SD WAN platforms can emulate QoS and multicast across Internet links, they cannot be as reliable as a single carrier that controls the path through its own backbone. If you have applications that rely on multicast or are considered mission-critical, MPLS L3VPN is still a popular component of SD WAN deployments, as the edge appliances can take advantage of the additional features of the MPLS link. One caveat: the separation an L3VPN provides is logical, not cryptographic. The carrier does not encrypt your traffic, so most SD WAN deployments run their IPsec overlay across the MPLS link exactly as they do across the Internet, and you should not treat an MPLS circuit as a reason to send sensitive traffic in the clear.
Virtual Private LAN Service (VPLS) uses the same underlying MPLS technology as L3VPN but operates at Layer 2 instead. With VPLS, the carrier’s backbone network appears as a single virtual switch, and each site has direct access to every other site at Layer 2. Instead of exchanging routes with the service provider, you establish your own routing adjacencies directly between your equipment at the different locations. VPLS is one form of Layer 2 VPN, or L2VPN, service.
VPLS, like MPLS L3VPN, frequently has a service-level agreement (SLA) attached to guarantee performance. VPLS is an appropriate component of a hybrid WAN when you have multiple sites to connect, you need SLA guarantees, and you wish to define your own routing structure without involving the carrier. Because it extends one Layer 2 domain across every site, a loop or broadcast storm at one location can affect the others, so the usual Layer 2 hygiene (storm control, a deliberate spanning-tree design, or routing at each site edge rather than bridging) applies across the WAN.
A simpler, point-to-point relative of VPLS is the pseudowire, or virtual leased line (VLL), sometimes sold as VPWS or Ethernet over MPLS. A pseudowire connects exactly two locations at Layer 2 and uses the same underlying MPLS technology as L3VPN and VPLS. While MPLS services carry service-level guarantees, they still run over a shared backbone that is statistically multiplexed with other customers’ traffic.
Hybrid Private Circuits
Private circuits can be delivered in various forms, but they are generally point-to-point in nature and designed to connect exactly two endpoints together, with the exception of Metro Ethernet which can either be point-to-point or multipoint. Private circuits are often used for high-performance datacentre interconnects (DCIs). Unlike MPLS and VPLS, the available bandwidth of private circuits is almost always dedicated exclusively to the customer.
In the recent past, private circuits were commonly delivered over SDH and serial technologies like E1/E3. Increasingly, private circuits are delivered over fibre. This could be fibre dedicated entirely to you as a customer, or a multiplexed wavelength service where your traffic traverses the same backbone fibre as other customers but is kept separate on its own optical wavelength. Unlike with MPLS, you are physically guaranteed the entire bandwidth of the wavelength, even when the carrier’s network is congested elsewhere. Note that this separation is physical isolation, not encryption; if the link carries sensitive data, encrypt it at Layer 2 (for example with MACsec) or at Layer 3 rather than relying on the wavelength alone.
Fibre-based private circuits may be appropriate for you as a DCI if you need very low latency or you need to transport non-Ethernet traffic such as Fibre Channel for your SAN. With an optical wavelength service, your carrier may or may not support your required data framing, but you may have the option to lease dark fibre. With dark fibre, you provide the termination equipment at both ends, but you then have full control over what goes across the link, including how data is framed and whether the fibre is dedicated to a single communications channel or muxed with coarse or dense wave division multiplexing (CWDM / DWDM).
Hybrid Internet VPN
Increasingly, IPsec VPN over the Internet is becoming the common denominator in a hybrid WAN environment. Frequently coupled with SD WAN, Internet access is ubiquitous and considered a commodity, which makes its pricing attractive for business customers. Using the Internet for VPN connectivity offers performance that is good enough for most situations and can be a decent primary or backup connection, depending on your needs.
One consideration for Internet VPNs is that there is overhead involved, as every packet must be encrypted and tunnelled. The extra headers reduce the effective MTU of the tunnel, so unless you lower the inner MTU or clamp TCP MSS at the tunnel endpoints, full-size packets will be fragmented or dropped. Likewise, all Internet traffic is “best effort”: you have no control over how your traffic is handled once it leaves your network. If you have demanding workloads, such as those that require very high throughput or specific latency guarantees, you will probably be served better by MPLS, VPLS or private circuits, where there is more control over how the traffic is routed along with service-level guarantees.
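The overhead and MTU points above can be quantified. The following added example (not from the original page or any VPN vendor) computes the per-packet cost of an ESP tunnel from the field sizes in RFC 4303 (ESP header and trailer) and RFC 4106 (AES-GCM IV and ICV). The two cipher profiles, the choice of IPv4 or IPv6 outer header and the NAT-traversal option are assumptions; the VoIP packet size used for illustration is constructed.

```python
"""Per-packet overhead of an IPsec ESP tunnel and the largest inner packet that
fits a given path MTU without fragmentation. Field sizes per RFC 4303 / RFC 4106;
the cipher profiles below are assumptions for illustration."""

PROFILES = {
    # iv: bytes of per-packet IV on the wire; icv: integrity tag bytes;
    # align: boundary the payload+trailer must be padded to (RFC 4303 requires 4,
    # a CBC cipher additionally requires its block size).
    "aes-gcm": {"iv": 8, "icv": 16, "align": 4},
    "aes-cbc-sha256": {"iv": 16, "icv": 16, "align": 16},
}


def esp_overhead(inner_len, profile="aes-gcm", outer_ipv6=False, nat_t=False):
    """Bytes added to an inner IP packet of inner_len bytes by ESP tunnel mode."""
    p = PROFILES[profile]
    outer_ip = 40 if outer_ipv6 else 20
    udp = 8 if nat_t else 0      # NAT traversal wraps ESP in a UDP/4500 header
    esp_header = 8               # SPI + sequence number
    trailer = 2                  # pad length + next header
    pad = (-(inner_len + trailer)) % p["align"]
    return outer_ip + udp + esp_header + p["iv"] + pad + trailer + p["icv"]


def tunnel_frame_len(inner_len, **kw):
    """Size of the encapsulated packet as it leaves the tunnel endpoint."""
    return inner_len + esp_overhead(inner_len, **kw)


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner packet that is not fragmented by the tunnel (what to set
    the tunnel interface MTU to, or derive a TCP MSS clamp from)."""
    n = path_mtu
    while tunnel_frame_len(n, **kw) > path_mtu:
        n -= 1
    return n


def goodput_ratio(inner_len, **kw):
    """Fraction of wire bytes that are the original packet."""
    return inner_len / tunnel_frame_len(inner_len, **kw)


if __name__ == "__main__":
    # Constructed: a G.711 voice packet is 20 IP + 8 UDP + 12 RTP + 160 payload = 200 bytes
    voip = 200
    print("VoIP 200B over AES-GCM:", tunnel_frame_len(voip), "bytes on the wire,",
          f"{goodput_ratio(voip):.0%} goodput")
    print("inner MTU, AES-GCM, IPv4 outer:", max_inner_mtu())
    print("inner MTU, AES-GCM, NAT-T:     ", max_inner_mtu(nat_t=True))
    print("inner MTU, AES-CBC/SHA256:     ", max_inner_mtu(profile="aes-cbc-sha256"))
```

Two things the numbers make obvious: small packets such as voice pay a far larger proportional cost than bulk transfers (roughly a fifth of every voice frame is tunnel overhead), and the usable inner MTU drops below 1500 by a cipher-dependent amount, so the value you configure on the tunnel interface should come from a calculation like this rather than a guess.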
There are many different types of circuits available to deliver connectivity to your locations as part of your hybrid WAN. The broad categories include copper, fibre, and wireless. The types of circuits you can get depend highly on both your location and your service provider. Regardless of the underlying technology, almost all circuits today are delivered with a standard Ethernet handoff toward the customer premises equipment (CPE).
When it comes to WAN connectivity, copper circuits are usually delivered as serial connections like E1 and E3, or as broadband like DSL and cable. Serial connections are quickly falling out of favour in favour of technologies such as cable modems, whose speeds and capabilities have continued to evolve; many locations can now receive near-gigabit download speeds over cable. While DSL and cable are usually delivered with a standard RJ45 Ethernet handoff, serial connections typically require additional equipment to terminate the circuit and produce an Ethernet handoff for use with SD WAN appliances.
Fibre connectivity has traditionally been faster, more reliable and more expensive, but less widely available depending on your location. For many years, fibre has formed the backbone of the major carriers through point-to-point links, SDH rings and Metro Ethernet in highly populated regions. As the need for fast, reliable WAN connectivity has grown, fibre has been deployed in more places and is easier to acquire now through technologies such as gigabit passive optical network (GPON), where fibre is distributed to entire neighbourhoods.
Wireless connectivity includes both cellular-based 4G/LTE/5G and 802.11-based WiFi. In a hybrid WAN, 4G/LTE/5G connections are frequently used as secondary links that carry traffic only if the primary link fails. This is because cellular services are typically slower, less predictable and more costly, as business customers are normally charged by data volume. However, as the 5G standards continue to evolve, both speeds and reliability continue to improve, and carrier pricing models may change accordingly.
WiFi connectivity, when delivered as a WAN service, is typically done with point-to-point or point-to-multipoint links using small parabolic dish antennas. These are called “Line of Sight” (LoS) connections. They are highly dependent on the site’s geography, and the dishes are commonly mounted on poles or towers to improve signal strength, as trees and other foliage attenuate the signal. A properly designed WiFi link can provide an excellent alternative to a traditional wireline service at lower cost than cellular. Because the radio path can be received by anyone within range, treat such a link as untrusted transport: enable the strongest link-layer encryption the radios support and carry the traffic inside the SD WAN or IPsec overlay as you would over the Internet.
What Hybrid WAN options are right for your business?
The first step in any WAN design is to evaluate your application traffic patterns and needs. You don’t want to overprovision heavily, as that is costly and wasteful, but you must also understand your applications’ requirements, such as their tolerance for latency and jitter. Choosing which connectivity types are appropriate and most cost-effective is easier than ever thanks to SD WAN.
With SD WAN as your central WAN routing service, you can add and remove different kinds of links as appropriate without changing your overall architecture. For example, if you decide to deploy a new application that has tighter network bandwidth and delay tolerances, you can choose an MPLS, VPLS, or private circuit that will support QoS. You can seamlessly add the new link to the SD WAN and adjust your traffic policy so that the application traffic prefers the higher-quality link. Likewise, SD WAN makes adding capacity to your WAN a simple and non-disruptive process.
Finally, wireless options are increasing in popularity as the technologies become faster and more stable. Locations can typically use wireless as a secondary failover circuit if the primary circuit is having issues, and smaller sites might even be able to use wireless as their primary means of connectivity.
Visit the Netify SASE Cybersecurity and SD WAN marketplace.