
SD-WAN has to evolve, says Cisco exec

SD-WAN is in for some big changes, at least according to a panel of executives from Cisco, Itential, and Volterra, who discussed the future of the WAN during this week’s Open Network User Group (ONUG) Virtual Live conference.

“There are so many changes going on in the network, SD-WAN has to evolve,” said Steven Wood, Cisco’s principal engineer of enterprise architectures and SD-WAN.

Wood, alongside Itential co-founder Chris Wade and Volterra VP of Technology Nuno Ferreira, discussed a wide variety of forces working to shape the evolution of SD-WAN during Thursday’s panel discussion.

SD-WAN Plays Leapfrog

Kicking off the discussion, Wood made the case for expanding beyond the traditional single-hop overlay to one that, based on routing metrics, hop counts, and policy, chooses the best route to the edge.

“We will see, I think, consideration of breaking these tunnels up so that we can aim the first tunnel at the right point at the edge constellation, pick the best performing edge, the least loaded edge, or multiple edges that might be available,” Wood said.

Alongside a transition to multi-hop overlays, Wood anticipates that the underlay network — the physical network upon which the traffic is carried — will see even greater degrees of programmability.

“In traditional SD-WAN, what we’ve told you is, hey, go ahead build your underlay and then we’ll just throw the overlay overtop,” he said. The problem, he explained, is that while SD-WAN may be easy to use and manage, the process of building out the underlay remains quite complex.

It’s here where API-driven software-defined cloud interconnects have a role to play, Wood said.

“The potential for some of these programmable underlay providers or software-defined cloud interconnect providers is to reduce the time to getting that service up and running,” he said. “With the APIs that they’re providing, we can do API-driven enablement of the underlay from the SD-WAN controller itself.”

The result is a WAN that essentially builds itself.

Along with smarter underlays, Wood said there is also an opportunity to take advantage of segment routing, essentially breaking the underlay into several segments like lanes on a highway. On each of these segments, service providers can apply different service level agreements (SLA), like speed limits or HOV lanes on a freeway.

“You could think of those as separate access networks, but in fact they’re just different segments in the [service provider] network,” he said.

The Challenges of a Mobile Workforce

Pivoting back to SD-WAN overlays, Ferreira touched on several issues facing enterprises as their workforces become increasingly mobile. It’s an issue that has become all too real as the COVID-19 virus has forced millions of employees to work from home.

According to Ferreira, this sudden and unexpected transition revealed numerous bottlenecks in existing SD-WAN offerings.

“Typical hub-and-spoke technologies such as centralized VPN concentrators to give routed access to the corporate resources have now completely clogged,” he said. “User experiences and even simple user connectivity suffered.”

As a result, many corporations found themselves having to adjust schedules and even limit the time spent connected to corporate resources, Ferreira said.

“SD-WAN clients are going to start prevailing because the user needs to have access from his location, his home environment or mobile,” he said. The trick is that the termination point also has to be at the edge, Ferreira explained, noting, “If you don’t distribute the termination point we haven’t solved the problem.”

5G’s Part to Play in SD-WAN

And when it comes to latency and performance, Wade says 5G is more than just another “G” with higher throughput.

“With 5G and the rise of edge compute it’s now possible to put users less than 10 milliseconds from the applications they rely on,” he said.

And this kind of performance effectively eliminates the need for a heavy footprint branch office, Wade claimed.

“From a pure SD-WAN concept perspective, it’s really … about how do we provide the ability to place these in these certain locations while taking advantage of new underlay technologies and the push toward the cloud,” he said.

The Security Problem

The culmination of these capabilities presents a new problem: a vastly expanded security perimeter.

As enterprises increasingly rely on the cloud, more data, users, applications, and services are being used outside the data center and this means the traditional security perimeter is no longer a location, Ferreira said. “It’s a set of edge capabilities. And these edge capabilities are going to be delivered as a service whenever they are needed,” he explained.

Because of this shift toward the edge, enterprises are forced to rethink how they approach connectivity, security, and risk management.

At the same time, Ferreira says this added complexity can also reduce visibility. “So the SD-WAN fabric needs to extend closer to where the users are; very close to the location where applications and services are deployed,” he said.

One solution to this challenge is what Wood refers to as underlay telemetry sharing.

“We generally don’t have any visibility in SDN other than at the endpoints,” Wood explained. “As vendors continue to integrate with the underlay providers through telemetry sharing APIs, there is the potential for visibility across the middle mile.”

But while middle-mile visibility will help, it still doesn’t address the security challenges. For this reason, Ferreira says enterprises need an SD-WAN platform that can apply policy based on identity rather than location.

“It’s no longer just the user that is connected and trying to access applications,” Wood said, injecting a bit of humor into an already highly technical discussion. “For example, I’m working from home and my fridge, which is connected and might want to order some milk, so identity will drive policy because my fridge doesn’t really need to talk to my corporate file share.”

And once you are able to assign identities to specific users you can start to implement features like zero-touch provisioning and zero-trust security, even at the edge of the perimeter, Wood said.

―SDX Central


Copyright © 2024 Communications Today
