Reducing WAN Complexity with SD-WAN Segmentation


There are a lot of reasons why IT is so excited about SD-WAN solutions these days. Of course, the potential cost savings of being able to leverage broadband internet connections securely and with high reliability are particularly compelling. But the true value of an SD-WAN encompasses many more benefits including agility, security and application Quality of Service (QoS).

As Zeus Kerravala accurately frames in his recent SD-WAN Makes An Excellent Segmentation Tool WANSpeak blog published on September 27th, “most SD-WAN solutions operate as an overlay to the underlying physical topology, which makes it ideal to extend the concept of segmentation out of the data center and across the WAN and into branch offices”. Like NSX (or other virtualization technologies) in the data center, SD-WAN virtual overlays abstract the physical underlying transport services from the control and application layers.

However, unlike NSX, which can create thousands of microsegments to potentially segment every user-to-application session, Silver Peak SD-WAN customers typically configure a handful of segments – or virtual WAN overlays – to keep the administration complexity from becoming unwieldy.

Simplifying WAN Administration

It’s beneficial to think of virtual WAN overlays in the context of security and QoS policy templates or profiles. Each Silver Peak SD-WAN overlay consists of a set of 256-bit encrypted tunnels. Each overlay is defined uniquely, with different parameters, to connect users to applications based on business intent. And each overlay may be defined to use any combination of underlying transport resources.

For example, one overlay might be created and assigned for VoIP and video communications traffic. This communication overlay or “segment” would typically be configured as a full mesh topology to interconnect all sites, fully leveraging both MPLS and broadband connections simultaneously using path conditioning to ensure high availability, and with stringent brown-out thresholds to intelligently and dynamically minimize latency and jitter.

Another segment might be defined for business-critical applications. This virtual WAN overlay would be configured as a dual hub-and-spoke topology with QoS parameters programmed to deliver high throughput and perhaps even optional WAN optimization for application acceleration. Another segment might be created for guest Wi-Fi traffic, defined for “best efforts” internet access that only utilizes the inexpensive broadband underlay, reserving MPLS services for the more critical applications described above.

Finally, a fourth overlay could be defined solely for financial applications or healthcare records applications. This overlay would also have QoS parameters defined, but its main purpose would be to securely isolate specific types of application traffic for the highest levels of security, helping an enterprise maintain compliance with regulatory mandates.
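To make the overlay-as-policy-template idea concrete, here is an added example (not Silver Peak code and not its Orchestrator configuration schema) that models the four segments above in Python: each overlay names the underlays it may use and the brown-out thresholds a path must meet, so a guest Wi-Fi flow can never land on MPLS and a voice flow leaves a jittery broadband path while still staying inside its own segment. All overlay names, thresholds and link metrics are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the four overlays described above. Thresholds are
# illustrative assumptions, not vendor defaults.
@dataclass(frozen=True)
class Overlay:
    name: str
    transports: frozenset   # underlays this segment is allowed to use
    max_latency_ms: float   # brown-out thresholds: a path that breaches
    max_jitter_ms: float    # any of these is dropped from the segment
    max_loss_pct: float     # until it recovers

OVERLAYS = {
    # voice/video: full use of MPLS and broadband, tight latency/jitter
    "voice":    Overlay("voice",    frozenset({"mpls", "broadband"}), 150, 30, 1.0),
    # business-critical apps: both underlays, throughput over latency
    "critical": Overlay("critical", frozenset({"mpls", "broadband"}), 300, 100, 2.0),
    # guest Wi-Fi: broadband only, best effort
    "guest":    Overlay("guest",    frozenset({"broadband"}), 1000, 500, 10.0),
    # finance/healthcare: isolated on MPLS only
    "finance":  Overlay("finance",  frozenset({"mpls"}), 300, 100, 1.0),
}

# Application-to-overlay mapping: defined once centrally, pushed to every site.
APP_MAP = {"sip": "voice", "rtp": "voice", "erp": "critical",
           "guest-web": "guest", "ledger": "finance", "ehr": "finance"}

def usable_paths(overlay: Overlay, link_metrics: dict) -> list:
    """Return the underlays this overlay may carry traffic on right now.

    link_metrics maps underlay -> (latency_ms, jitter_ms, loss_pct) as measured
    for one site pair. Underlays outside overlay.transports are never
    considered (that is the segmentation); underlays inside it are skipped
    only while they breach the overlay's brown-out thresholds."""
    ok = []
    for link in sorted(overlay.transports):
        lat, jit, loss = link_metrics[link]
        if (lat <= overlay.max_latency_ms and jit <= overlay.max_jitter_ms
                and loss <= overlay.max_loss_pct):
            ok.append(link)
    return ok

def route(app: str, link_metrics: dict):
    """Map an application to its segment, then pick the paths for it.
    Returns (overlay_name, usable_underlays); an unmapped app gets no path."""
    name = APP_MAP.get(app)
    if name is None:
        return None, []
    return name, usable_paths(OVERLAYS[name], link_metrics)
```

With broadband in brown-out for voice (jitter above 30 ms) but still fine for the critical segment, `route("sip", ...)` returns only `mpls` while `route("erp", ...)` returns both underlays.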

Zeus also mentions the management efficiencies and consistency of policies across the SD-WAN that centralized control enables. Because a Silver Peak SD-WAN solution is managed by a central Orchestrator, any new applications that must be mapped to an overlay, or any changes to the parameters defining the QoS and security policies for a virtual WAN overlay, are programmed once and then pushed to hundreds or even thousands of locations across the WAN. This reduces operational complexity, cost and the potential for human error.

About the author
Derek Granath
Derek has more than 20 years of technology product marketing, product management and business development experience with a focus on high-performance enterprise and service provider networking systems. At Silver Peak, he leads product positioning and messaging for service provider and enterprise SD-WAN offerings. Before joining Silver Peak, Derek held a number of senior management positions in marketing and product management at networking companies including Extreme Networks, ConSentry Networks, Woven Systems, Brocade, and Cisco Systems via the Stratacom acquisition. Derek holds a BSEE from Stanford University and an MBA from Santa Clara University.