Wanted to share some of my thoughts on the topic in simple words and being a bit more technical than the average on the internet.

What it is

Basically SD-WAN is a new way to build enterprise WAN infrastructure by employing some of the principles coming from SDN. Each SD-WAN vendor has its own view but what all the solutions have in common is

  • centralized control and management and
  • some form of Zero-Touch Provisioning for branch devices.

Besides branch devices (appliances or virtual machines) that plays the role similar to that of a customer-edge router typical SD-WAN solution has a Controller that ties together all the branches, some peace of software that manages configurations for both controller and branches and some monitoring/analytics software.

Central components may be composed in a different manner, for example Controller may also do the configuration management, or configuration management software do the monitoring as well but the functional blocks remain the same.

How it works

Branches interconnection

Controller and branch devices form an overlay network and provide at least hub-and-spoke connectivity for the whole enterprise. In most cases direct spoke-spoke tunneling is also possible which is important if you have significant VoIP and Videoconferencing traffic between branches. This is something similar to Cisco DMVPN. What most SD-WAN vendors try to add to this is multipath over redundant underlay WAN-circuits and greater control over traffic paths.

Traffic path control

In a traditional WAN architecture it was common to use some expensive WAN-circuit with guaranteed SLA as primary and then have some backup possibly over the Internet. SD-WAN solutions give you an opportunity to use primary and backup circuits in an active-active manner. They normally have some built-in mechanisms that monitor quality of each link and are able to distribute traffic between links dynamically as these links degrade and recover. In some solutions you can define SLA levels for each type of traffic you have, defining it by application signature or just L4/L3 information and the infrastructure will make sure it is always sent via circuits that satisfy these SLA at any given moment at the same time make sure not to use expensive bandwidth for non-sensitive traffic. In some cases this may mean that customer may cease to use MPLS circuits and move to 2 or 3 good internet connections from different service providers. The latter won’t have guaranteed SLA but branch and SD-WAN controller will be able to figure out where to send sensitive traffic to provide the best possible experience for end-users.

All this is typically implemented with some extensions to open-standard routing and monitoring protocols and functions. An interesting thing to note here is that some vendors completely hide this from system administrator providing him or her with a simple interface with sliders and boxes while others let you go deep and highly customize the operation.

Zero-Touch Provisioning and Configuration Management

All the SD-WAN solutions have some way to simplify new branches deployment as these has always been a huge burden on people who support WAN-infrastructures. The best analogy here would probably be a centralized Wi-Fi architecture. Just as in Wi-Fi you have a controller where you configure everything you need,  plug your AP into switch port pointing it somehow to the controller with SD-WAN you do the same with the box you install in your branch. Again every SD-WAN vendor is different but normally you create the configuration in your Management Software, deliver the box on site where someone connects it to the WAN, the box somehow finds the Controller and Management Software, gets the configuration and starts doing its job. “Somehow” here may mean for example querying some predefined DNS-record or running a script with some parameters.

Same Wi-Fi analogy works with Configuration/Policy Management. One of the main benefits of SD-WAN is that an administrator no longer has the need to implement changes on each device when implementing a new application across the enterprise. All the changes are made centrally in the Management Software, typically based on predefined templates and pushed to all or selected the branch devices.

Direct Internet Access

Even though branch devices are centrally managed and the WAN traffic is typically tunnelled to a central site or some other branch location they are still able to do at least basic NAT to provide internet access locally. This is becoming essential as there are more and more cloud services being used by the enterprises. Some SD-WAN vendors provide Firewall and UTM functionality at the branch, so there is no need to backhaul all the traffic to your Datacenter for inspection and policy enforcement.

Other features

LTE support – several vendors already have it, some boxes may even support more than one SIM-card. Some vendors have in roadmap. Having LTE support makes it easier to acquire backup channel and allows to use boxes in vehicles.

Whiteboxing – yes, there are vendors that allow you to make CPE by installing their software on an x86 hardware from third-party vendors. Normally this hardware still has to be tested and approved by SD-WAN vendor but you have a better choice and lower price because hardware vendors competing with each other.

NFV – some vendors allow you to run/integrate 3rd party virtualized network services into their solutions.

As for CPE hardware an interesting moment might be that some vendors offer rugged appliances.


SD-WAN solution becomes the more attractive the more sites an enterprise have. There is already a bunch of successful implementation stories in retail, banking and insurance sector. More and more service providers sell SD-WAN as managed services. On the other hand there is a lot of diversity in understanding of what SD-WAN is among vendors, so you need to study particular solutions very well from the technical point of view in order to make sure it suits your needs.



One thought on “SD-WAN

Comments are closed.