There isn’t much doubt that SD-WAN is leading the way to mainstream adoption of SDx technologies in enterprise networks. The WAN has traditionally been a portion of our network where required complexity has been prevalent. Disparate types of service, different levels of quality, links with low/no utilization, and complex routing protocol interactions are common. Add layer 3 tricks like PBR and GRE at any scale and the maintenance of the WAN becomes something only a top tier network engineer can coordinate without messing it up.
That’s where SD-WAN comes in. SD-WAN, for the most part, isn’t doing anything we haven’t been able to do in our networks previously. What SD-WAN providers are building are platforms that abstract the physical WAN links and routing technologies into highly orchestrated, policy driven architectures. By abstracting these complex WAN technologies, SD-WAN providers are attempting to make technologies available to everyone that were previously only attempted by larger organizations with senior level networking resources on hand.
While in New York for the 2015 ONUG Fall conference, I was able to attend an event organized by the Packet Pushers and Viptela, where customers who had deployed Viptela SD-WAN technology in production were talking about their experiences rolling out the solution. While there are many features of the Viptela platform highlighted by the engineers that were involved with the podcast*, the one that stood out the most to me was end-to-end network segmentation over a shared WAN backbone.
What is end-to-end network segmentation? It really is nothing new. In our current generation networks it would be called MPLS L3VPN. Service providers have been using this type of technology for over a decade in order to carry traffic over their backbone while maintaining isolation between their customers. Enterprises have been known to deploy it as well, but not as commonly as seen in service provider networks.
Why would an enterprise network want end-to-end network segmentation? I would argue that there certainly is a need for this type of technology in a lot of enterprise scenarios. Off the top of my head we see the need for this style of segmentation in multi-tenancy, guest wireless networks, kiosk style machines, and highly regulated network environments (think PCI/HIPAA) just to name a few.
With this kind of use case why isn’t it more common? The answer is pretty simple. Complexity. With the technologies available today, you would need expertise in MPLS/LDP, MP-BGP, VRFs as well as standard underlay routing technologies to accomplish the end goal. A lot of organizations simply don’t have the expertise on hand to manage these types of protocols effectively.
How does SD-WAN make a difference? Well, this is where controller based networks and automated deployment come into play. The reason it is difficult now is that network architects need to anticipate how the network is going to behave and then configure many independent routers to act in a coordinated fashion. Independent being the key word in the previous sentence. In today’s networks, routers make their own decisions. Of course their decisions can be influenced by their neighbors, but implementing a network wide policy on many independent devices can become a very complicated task.
Controller based networking is looking to fix that. Better put, controllers are looking to abstract that complexity to the point that engineers do not need to look at their network on a router by router basis. By maintaining operational knowledge of the entire network, controllers should be able to dynamically build the individual node configurations in such a way that they act in a coordinated fashion.
If that is a little confusing, let me put it a different way. The controller is going to become your network architect. The controller knows all of the nuances of protocols such as MPLS/LDP, MP-BGP, VRFs, and underlying routing protocols. Much like a manager would provide a set of requirements to a network architect, engineers on a controller based network dictate the requirements to the controller. The controller is then responsible for building out the configurations that enable the policy to be coordinated amongst many independent devices.
That is how SD-WAN is promising to deliver complicated network architectures to the masses, end-to-end network segmentation being just one feature.
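The controller model described above, as an added sketch (not Viptela's or any vendor's code): one network-wide segmentation policy is compiled into per-router VRF intent with consistent route targets, and an audit flags any VRF that imports another segment's route target without the policy allowing it. The segment and site names, the ASN and the data layout are all constructed for illustration.

```python
# Added sketch: a toy "controller" that compiles one segmentation policy into
# per-router VRF intent. All names, the ASN and the layout are constructed.
ASN = 65000  # assumed private ASN

POLICY = {
    "segments": {"corp": 10, "guest": 20, "pci": 30},   # segment -> id
    "sites": {                                           # router -> segments present
        "nyc-edge": ["corp", "guest", "pci"],
        "bos-edge": ["corp", "guest"],
        "kiosk-01": ["pci"],
    },
    "allow": [],  # permitted (importer, exporter) leaks; empty = full isolation
}

def compile_policy(policy, asn=ASN):
    """Return {router: {segment: vrf}} with route targets consistent network-wide."""
    rt = {seg: f"{asn}:{sid}" for seg, sid in policy["segments"].items()}
    configs = {}
    for idx, (router, segs) in enumerate(sorted(policy["sites"].items()), start=1):
        configs[router] = {}
        for seg in segs:
            extra = {rt[exp] for imp, exp in policy["allow"] if imp == seg}
            configs[router][seg] = {
                "rd": f"{asn}:{idx * 1000 + policy['segments'][seg]}",  # unique per router
                "export": {rt[seg]},
                "import": {rt[seg]} | extra,
            }
    return configs

def audit_isolation(configs, policy):
    """Return sorted (router, importer, exporter) tuples for imports the policy does not allow."""
    allowed = {tuple(pair) for pair in policy["allow"]}
    exported_by = {}  # route target -> segments that export it anywhere
    for vrfs in configs.values():
        for seg, vrf in vrfs.items():
            for target in vrf["export"]:
                exported_by.setdefault(target, set()).add(seg)
    leaks = set()
    for router, vrfs in configs.items():
        for seg, vrf in vrfs.items():
            for target in vrf["import"]:
                for src in exported_by.get(target, ()):
                    if src != seg and (seg, src) not in allowed:
                        leaks.add((router, seg, src))
    return sorted(leaks)

if __name__ == "__main__":
    cfg = compile_policy(POLICY)
    print(audit_isolation(cfg, POLICY))               # clean compile
    cfg["bos-edge"]["guest"]["import"].add("65000:30")  # constructed hand-edit drift
    print(audit_isolation(cfg, POLICY))
```

Running the audit against the compiled intent and again against what is actually deployed is the useful part: a single hand-edited import on one router is enough to break segmentation that the policy says is in place.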
Orchestrated controller based networks really shine when it comes to WAN technology and that is why it is no surprise that they are at the front end of enterprise adoption. That being said, the SD-WAN space is currently oversaturated with vendors trying to convince buyers that they are the one true option when it comes to an orchestrated WAN. Features like end-to-end network segmentation, when implemented correctly, have the ability to be a key differentiator in this very crowded market in addition to being a useful feature of the product. In the end, consumers are getting choice and new features in a segment of the network that has been stagnant for some time and that is a good thing.
* At the time of this writing, the podcast that was recorded live in NYC had not been publicly released. A link to the podcast will be added as soon as it is posted online.
Original Link: http://gestaltit.com/all/tech/networking/bcjordo/end-to-end-network-segmentation-on-sd-wan-networks/