What is SD-WAN and will it Replace MPLS?



I've noticed quite a lot of confusion in the networking realm over the last few years, even among experienced networking professionals, as to what exactly SD-WAN is and for which use cases one might consider it. Well, here's my take on hopefully clearing some things up.

First things first...

How SD-WAN compares to traditional MPLS L3VPN

They're both managed VPN services; the difference is mostly who performs the encapsulation and does the management. SD-WAN offers true CE-to-CE flow encryption, whereas MPLS isn't encrypted at all and performs encap/decap on the upstream PE routers for each site. SD-WAN needs this encryption because it relies on the Internet as its backbone, whereas MPLS traffic is contained in a service provider's VRF.

Bottom line: Carriers are maddeningly slow and expensive, and the SD-WAN market wouldn't have been created at all if it weren't to give a giant middle finger to that.

SD-WAN technology isn't standardized; it's a marketing name like "Cloud"

Amazon's AWS and Google's GCP are to "Cloud", and OpenFlow and VXLAN are to "SDN", what Viptela and VeloCloud (two popular SD-WAN providers) are to "SD-WAN". The market was created to revolutionize the costly and slow-moving world of carrier-provided services, such as the insanely popular L3VPN. It's caught fire, though, and some even predict it taking over.

Each vendor implements its value-added features completely independently of the others. There's no RFC anywhere telling this crowded market how exactly certain features need to work, or that there needs to be interoperability between vendors...yet.

SD-WAN is still a nebulous term, which can cause problems, but it is generally accepted as meaning "smart VPN".

It may not actually make your job easier

SD-WAN has the potential to erase complexity: instead of asking your carrier, weeks ahead of time, to drop links to their upstream PE LSRs at your sites, you can instead make use of fast, natively diverse (a la the Internet) DIA/transit links from any ISP, typically provisioned much, much faster. This fact alone can sell people on making the transition.

Another way it simplifies things is that most SD-WAN CPEs are smart enough to seamlessly multi-path across, and transition between, multiple Internet links in the event of link failures (cable Internet, LTE backup links, etc.), and they should be easily programmable to allow direct spoke-to-spoke communication flows. Remember DMVPN? Under the hood it's much like that, but more valuable to businesses since it doesn't require Cisco experts to deploy and manage.

One of the ways it arguably makes things less simple is that SD-WAN gives you more control over routing, at the cost of your CPE handling encap/decap. This stands in contrast to your MPLS provider shielding that complexity from you at the PE level and up (such as an L3VPN cloud). This means that you're now the one responsible for steering traffic between sites, but that could be valuable to you if A.) you really want that, or B.) you want hardware control of end-to-end encryption.

Also, in the world of SD-WAN, if you needed faster links at remote sites it'd be more of a CPE hardware investment versus a port upgrade.

Providers are now offering MPLS and SD-WAN managed services

And why wouldn't they be? They're rightly trying to capitalize on this trend. What SD-WAN means as an offering to somebody like AT&T, though, from what I've found, is mostly self-service for their existing services. For example, instead of calling your provider to provision/modify upstream BGP policies or establish a new peering, a lot of these capabilities have been moved to online portals for you to do yourself, including things like cloud interconnects. While nice, in this case it's still just MPLS, with long overdue self-service functionality. Otherwise, SD-WAN offerings from a carrier should really be an end-to-end, out-of-the-box solution using just their DIA links everywhere, a model I have a hard time seeing them making much money on.

Is SD-WAN here to stay?

Time will tell. I can say that the hardware requirements for high-speed IPsec encryption are rapidly becoming less costly, and affordable, high-speed Internet links are proliferating, so the platform for SD-WAN is only getting larger. Companies like Cisco and VMware are making very large bets, too.

My personal opinion is that the biggest threat to SD-WAN taking over the world is the removal of network neutrality protections here in the US. This could allow ISPs to prioritize their own flavors of the service and eventually let them go back to being their slow, unchallenged selves once more.

If nothing else, though, I'm very happy to see a disruptive market like SD-WAN make the incumbents wake up, modernize their MPLS service features, shorten their provisioning times and get their costs under control.
