- Successfully deploying SD-WAN means moving from rigid, static policies to dynamic enforcement of your intentions.
- Static rules should be a thing of the past and alternative equivalent controls should be evaluated for any lingering static requirements.
Few technologies make me sit up and say, “I want that!” when I see them, but SD-WAN is a game-changing technology for organizations that have more than a handful of remote offices and want a better, more efficient way of interconnecting branches and a better, more efficient way to manage them. Regardless of the product you choose (and I discuss them in “SD-WAN H1 2016 Market Update: Vendor Snapshots Show a Crowded, Competitive Field Attempting to Diversify”), the benefits of SD-WAN will seem remarkable, fantastical even, until you see them in action. Implementing routing, firewalling, VPN, link load balancing, application performance, failover, failback, and cost management with traditional branch office equipment is very complex, and it is even more complex to change, including when adding new sites.
Many companies simply hobble along with a very limited set of capabilities out at the branch and waste money on unused capacity, poor application performance, and inefficient operations as a result. If you haven’t taken the time to look at some of the demos SD-WAN vendors have produced, spend an hour or two watching the videos or take a test run if available. Forget who the vendor is you’re watching for the moment (that will come later), just focus on the capabilities.
However, getting all the benefit SD-WAN vendors collectively promise takes a very different approach to network management – one that most IT professionals aren’t used to. SD-WAN relies heavily on automation within the system to work its magic, and that means letting go of processes and mindsets that are static and immutable. The world is a dynamic place, and that includes what is occurring at and between branch locations.
Branch locations are set up with rules governing how network traffic is to be handled, and IT has taken great pains to simplify branch deployments by standardizing on models like hub-and-spoke as well as standardizing rule sets. The focus is on strictly deterministic behavior: traditionally, IT looks at all the competing application requirements and sets up forwarding, QoS, and access rules in an effort to balance traffic over multiple links based on predicted load. With SD-WAN, you should instead adopt an intent-based management framework, defining your application access and performance requirements in general terms and letting the SD-WAN automation system figure out the implementation details.
However, network conditions change unpredictably, leading to times of congestion or unused capacity. But, if IT states its requirements as intentions, the SD-WAN can react as network performance characteristics change – sometimes on a per-flow or per-packet basis – to ensure its intentions are carried out. Using intentions decouples IT from manually reacting (or not) to changes, and it will reduce operational overhead and result in a more performant WAN strategy.
But what about the sensitive traffic that the company thinks must traverse an MPLS network due to security or governance requirements? You can address those requirements with static policies, but they should be the rare exception and not the rule. I’d also encourage IT to examine whether those requirements are actual requirements or artifacts of history. Ask “Can I satisfy these security and governance requirements without using static rules?” If the answer is “Yes, we can use an IPsec VPN,” for example, then the traffic can be sent over any available network, and that’s better than maintaining static rules.
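To make the contrast between a static “MPLS only” rule and an equivalent intent concrete, here is a small added simulation of intent-driven link selection. It is illustrative code written for this post, not code from any SD-WAN product; the class and function names (`Link`, `Intent`, `select_link`, `plan`), the transport categories (`private`, `confidential`, `any`), and the per-link latency, loss and cost figures are all constructed assumptions. The point it shows is the one made above: a sensitive application pinned to MPLS by a static rule never benefits from cheaper links, while the same application expressed as an intent (“must be encrypted or on a private link, within these latency and loss bounds”) automatically uses the cheapest link that satisfies it and fails back to MPLS only when the internet link degrades.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of a branch with three WAN links. The numbers are
# invented for illustration, not measurements from any real deployment.


@dataclass
class Link:
    name: str
    kind: str            # "mpls" (private carrier network) or "internet"
    latency_ms: float    # currently measured one-way latency
    loss_pct: float      # currently measured packet loss
    cost_per_gb: float   # relative transport cost used for tie-breaking
    ipsec: bool          # an IPsec tunnel to the hub is up on this link


@dataclass
class Intent:
    app: str
    max_latency_ms: float
    max_loss_pct: float
    transport: str  # "private": static MPLS-only rule
                    # "confidential": MPLS or any IPsec-protected link
                    # "any": no confidentiality requirement


def eligible(intent: Intent, link: Link) -> bool:
    """Return True if the link satisfies every constraint in the intent."""
    if intent.transport == "private" and link.kind != "mpls":
        return False
    if intent.transport == "confidential" and not (link.kind == "mpls" or link.ipsec):
        return False
    if link.latency_ms > intent.max_latency_ms:
        return False
    if link.loss_pct > intent.max_loss_pct:
        return False
    return True


def select_link(intent: Intent, links: List[Link]) -> Optional[str]:
    """Pick the cheapest link meeting the intent, lowest latency as tie-break.

    Returns None when no link currently satisfies the intent, which a real
    controller would surface as an alert rather than silently violate.
    """
    candidates = [l for l in links if eligible(intent, l)]
    if not candidates:
        return None
    best = min(candidates, key=lambda l: (l.cost_per_gb, l.latency_ms))
    return best.name


def plan(intents: List[Intent], links: List[Link]) -> Dict[str, Optional[str]]:
    """Re-evaluate every intent against the current link state."""
    return {i.app: select_link(i, links) for i in intents}


# Constructed link state at two points in time: healthy, then with the
# primary internet link congested (latency and loss both above ERP bounds).
LINKS_HEALTHY = [
    Link("mpls1", "mpls", 30.0, 0.0, 8.0, True),
    Link("inet1", "internet", 45.0, 0.1, 1.0, True),
    Link("lte1", "internet", 90.0, 0.5, 6.0, False),  # no IPsec tunnel built
]
LINKS_DEGRADED = [
    Link("mpls1", "mpls", 30.0, 0.0, 8.0, True),
    Link("inet1", "internet", 120.0, 3.0, 1.0, True),
    Link("lte1", "internet", 90.0, 0.5, 6.0, False),
]

# The same ERP application expressed first as a static rule, then as an intent.
ERP_STATIC = Intent("erp", 100.0, 1.0, "private")
ERP_INTENT = Intent("erp", 100.0, 1.0, "confidential")
VOIP = Intent("voip", 80.0, 1.0, "any")
BACKUP = Intent("backup", 500.0, 5.0, "any")


if __name__ == "__main__":
    for label, links in (("healthy", LINKS_HEALTHY), ("degraded", LINKS_DEGRADED)):
        print(f"--- {label} ---")
        print("static rule :", plan([ERP_STATIC], links))
        print("intent-based:", plan([ERP_INTENT, VOIP, BACKUP], links))
```

Running the block shows the static rule keeping ERP on `mpls1` in both states, while the intent places ERP on the cheap IPsec-protected `inet1` when it is healthy and moves it back to `mpls1` when `inet1` exceeds the latency and loss bounds. `lte1` is never chosen for ERP because it carries no IPsec tunnel, which is exactly the confidentiality requirement the intent encodes. Voice and backup traffic, which carry no confidentiality requirement, are placed purely on performance and cost.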
Let automation take over the details of enforcing policy and free your time for more productive work.