Software is taking over the world, and the software-defined paradigm is reaching into every part of networking, changing how we think about, configure, and deploy networks.
In the wide area network, fixed circuits gave way to SD-WAN, which gives companies multiple choices for connecting distributed sites to headquarters, to each other, and to cloud computing infrastructure. SD-WAN provides more network flexibility, lowers cost, and puts the company more in control of its WAN connectivity than was possible with MPLS alone. The capital expense of a site's network systems might not decline significantly, but you should find reductions in operational expenses.
From SD-WAN to SD-Branch
The next step was to extend that control and monitoring into the branch networks. The same improvements in visibility and control that SD-WAN offered to the wide-area network have extended into the branch LAN.
SD-Branch provides a common interface for the configuration, monitoring, and troubleshooting of multiple functions (routing, switching, Wi-Fi, network security, micro-segmentation, and application support). It eliminates the need for a different user interface per function, which was the norm when each function was implemented by a separate appliance, even when the products came from the same vendor.
With SD-Branch, the typical suite of network devices is replaced with a simpler hardware platform on which virtual appliances are installed. Maintenance becomes simpler. Need new firewall functionality? Update the firewall virtual instance. Don't need BGP in the router? Install the image that doesn't contain BGP. New features and functionality now arrive as software, where they would once have required a hardware platform replacement. Because of that, the image repository and update channel become part of your software supply chain: verify image signatures before installation and restrict who can publish images to the platform.
But Isn’t SD-Branch Just Automation?
You might be wondering how SD-Branch compares with using automation to achieve the same result. SD-Branch is the more comprehensive approach: it offers a single user interface for monitoring, management, and troubleshooting, and although it may use multiple components under the hood, it hides that implementation detail. SD-Branch, like SD-WAN, allows you to define policies that govern connectivity, quality of service, and the security of endpoints and applications. For example, an SD-Branch product could be used to define a new VLAN, provision it across the router, switch, and Wi-Fi infrastructure, and attach the application and security policies in one step.
Automation, by contrast, is focused on lower-level configuration and control of the network, typically for one function at a time. To replicate what SD-Branch does, you would need to build and maintain an automation process for each of the infrastructure's functional elements and keep them consistent with each other. The distinguishing capability of SD-Branch is that it translates a policy definition into coordinated action across all of those elements.
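To make the policy-to-action distinction concrete, here is an added example (not code from the original article or from any vendor's SD-Branch product) of a toy intent translator: one declarative segment policy goes in, and a configuration fragment for each branch function (router, switch, Wi-Fi controller, firewall) comes out. The policy schema, the device roles, and the vendor-neutral CLI syntax are all hypothetical and exist only to show the shape of the translation; the ordering rule in the firewall renderer (deny private address space before any permit-to-any) is the security-relevant detail that per-function automation scripts tend to get wrong independently of each other.

```python
"""Added example: translate one segment intent into per-function branch config.

All names and syntax are assumptions made for illustration; they do not
correspond to a real SD-Branch product's schema or CLI.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple

# Private ranges a branch segment must never reach directly. They are denied
# BEFORE any "permit ... any" rule so an egress allowance cannot double as
# lateral access into other sites or the data center.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class SegmentPolicy:
    """One branch-wide intent: a segment, where it lives, and what it may reach."""
    name: str
    vlan_id: int
    subnet: str                          # e.g. "10.40.0.0/24"
    ssid: Optional[str] = None           # None: wired-only segment
    allowed_egress: Tuple[Tuple[str, int], ...] = ()   # (protocol, port) toward the WAN
    isolate_clients: bool = True         # block client-to-client traffic inside the segment


def gateway_of(subnet: str) -> str:
    """Convention assumed here: the first usable host of the subnet is the gateway."""
    return str(next(ip_network(subnet).hosts()))


def render_router(p: SegmentPolicy) -> list:
    net = ip_network(p.subnet)
    return [
        f"interface vlan{p.vlan_id}",
        f" description {p.name}",
        f" ip address {gateway_of(p.subnet)}/{net.prefixlen}",
        f" ip access-group {p.name}-egress in",   # enforce the segment policy at its gateway
    ]


def render_switch(p: SegmentPolicy, access_ports: list, uplink: str = "Gi1/0/1") -> list:
    lines = [f"vlan {p.vlan_id}", f" name {p.name}",
             f"interface {uplink}", f" switchport trunk allowed vlan add {p.vlan_id}"]
    for port in access_ports:
        lines += [f"interface {port}", f" switchport access vlan {p.vlan_id}"]
        if p.isolate_clients:
            lines.append(" switchport protected")   # no intra-VLAN forwarding between ports
    return lines


def render_wlan(p: SegmentPolicy) -> list:
    if p.ssid is None:
        return []
    lines = [f"wlan {p.ssid}", f" vlan {p.vlan_id}"]
    if p.isolate_clients:
        lines.append(" client-isolation enable")
    return lines


def render_firewall(p: SegmentPolicy) -> list:
    rules = [f"ip access-list extended {p.name}-egress"]
    rules += [f" deny ip {p.subnet} {r}" for r in PRIVATE_RANGES]            # lateral movement first
    rules += [f" permit {proto} {p.subnet} any eq {port}" for proto, port in p.allowed_egress]
    rules.append(f" deny ip {p.subnet} any")                                   # default deny last
    return rules


def provision(p: SegmentPolicy, access_ports: list) -> dict:
    """One intent in, one config fragment per branch function out."""
    return {
        "router": render_router(p),
        "switch": render_switch(p, access_ports),
        "wlan": render_wlan(p),
        "firewall": render_firewall(p),
    }


if __name__ == "__main__":
    # Constructed sample intent: an IoT segment that may only do DNS, NTP and HTTPS to the WAN.
    iot = SegmentPolicy("iot", 40, "10.40.0.0/24", ssid="Branch-IoT",
                        allowed_egress=(("udp", 53), ("udp", 123), ("tcp", 443)))
    for role, lines in provision(iot, ["Gi1/0/10", "Gi1/0/11"]).items():
        print(f"--- {role} ---")
        print("\n".join(lines))
```

Each renderer is what a per-function automation script would own; `provision` is the piece SD-Branch adds, applying one intent to all of them at once so the segment cannot exist on the switch without its firewall policy existing on the router.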
Advantages of SD-Branch
The centralized point of control makes it easier to manage multiple sites. You'll need consistency across all branches to make this work to your advantage, and consistency extends to using the same interface naming and roles for the same function at every site. The section on disadvantages below explains further.
Improved IT security is a big advantage of SD-Branch. Standardizing security policy removes the chance that one site carries a slightly different configuration that opens your network to intruders. With staff and endpoints now distributed, a big border firewall at the data center DMZ no longer covers the attack surface. Centralized control of security policy lets you better protect IoT devices from compromise and makes it easier to roll out newer practices such as secure access service edge (SASE) and zero-trust network access (ZTNA). Security needs to be pervasive and consistent, and SD-Branch is a big step toward making that happen. The flip side of centralization is that the controller now has administrative reach into every branch, so treat its management plane as a crown jewel: require multi-factor authentication and role-based access for it, keep an audit log of policy changes, and review who is able to push a policy to all sites at once.
Because SD-WAN is an integral part of SD-Branch, you can define policies that steer application traffic over the link or links that best match the application's requirements. The characteristics of each path (latency, jitter, loss) are monitored continuously, and application traffic is forwarded on the link that best matches the policy defined for that application. For example, voice traffic that needs low latency and low jitter would be routed over whichever link currently exhibits those characteristics, and moved if that link degrades.
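The path-selection logic described above, as an added example that is not code from the original article or from any SD-WAN product: per-application ceilings on latency, jitter and loss, a preference order and cost as tie-breakers among compliant links, and explicit handling of the failure mode the paragraph does not spell out, namely what to do when no link meets the policy. The probe values, link names and SLA numbers are constructed for the demonstration; a real controller would feed `select_path` from its own path monitoring.

```python
"""Added example: SLA-driven WAN path selection with a flagged fallback.

Link statistics and SLA thresholds below are constructed sample values, not
measurements from a real deployment.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class PathStats:
    """Latest probe results for one WAN link."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float      # tie-breaker among links that all meet the SLA


@dataclass(frozen=True)
class AppSla:
    """Per-application policy: hard ceilings (all must be > 0) plus an optional link preference order."""
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: Tuple[str, ...] = ()


def meets_sla(path: PathStats, sla: AppSla) -> bool:
    return (path.latency_ms <= sla.max_latency_ms
            and path.jitter_ms <= sla.max_jitter_ms
            and path.loss_pct <= sla.max_loss_pct)


def violation_score(path: PathStats, sla: AppSla) -> float:
    """Worst metric relative to its ceiling; 1.0 or below means the link is compliant."""
    return max(path.latency_ms / sla.max_latency_ms,
               path.jitter_ms / sla.max_jitter_ms,
               path.loss_pct / sla.max_loss_pct)


def select_path(sla: AppSla, paths: Sequence[PathStats]) -> Optional[PathStats]:
    """Pick a compliant link, honouring the preference list, then the cheapest; None if nothing complies."""
    compliant = [p for p in paths if meets_sla(p, sla)]
    if not compliant:
        return None

    def rank(p: PathStats):
        pref = sla.preferred.index(p.name) if p.name in sla.preferred else len(sla.preferred)
        return (pref, p.cost_per_gb)

    return min(compliant, key=rank)


def select_path_or_fallback(sla: AppSla, paths: Sequence[PathStats]) -> Tuple[PathStats, bool]:
    """Return (link, degraded). When no link meets the policy, forward on the least-bad
    one and flag it so the controller alerts instead of silently blackholing the app."""
    chosen = select_path(sla, paths)
    if chosen is not None:
        return chosen, False
    return min(paths, key=lambda p: violation_score(p, sla)), True


VOICE = AppSla("voice", max_latency_ms=100, max_jitter_ms=10, max_loss_pct=0.5, preferred=("mpls",))
BACKUP = AppSla("backup", max_latency_ms=300, max_jitter_ms=100, max_loss_pct=3.0)

# Constructed probe snapshots: normal operation, MPLS degraded, everything degraded.
NORMAL = (PathStats("mpls", 30, 2, 0.1, 0.50),
          PathStats("broadband", 45, 8, 0.2, 0.05),
          PathStats("lte", 90, 25, 1.5, 1.00))
MPLS_DEGRADED = (PathStats("mpls", 200, 40, 0.1, 0.50),) + NORMAL[1:]
ALL_DEGRADED = (MPLS_DEGRADED[0], PathStats("broadband", 120, 8, 0.2, 0.05), NORMAL[2])


if __name__ == "__main__":
    for label, snapshot in (("normal", NORMAL), ("mpls degraded", MPLS_DEGRADED), ("all degraded", ALL_DEGRADED)):
        for sla in (VOICE, BACKUP):
            link, degraded = select_path_or_fallback(sla, snapshot)
            print(f"{label:14} {sla.app:7} -> {link.name:10} degraded={degraded}")
```

Two design points worth noting: the preference list only breaks ties among links that already meet the SLA, so a preferred MPLS circuit is abandoned the moment it stops complying, and the fallback path returns a flag rather than a silent choice, because "best of a bad set" is exactly the state an operator needs to see on the dashboard.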
The centralized control extends to the LAN configuration. Network monitoring and troubleshooting are easier when VLAN configurations are consistent. When a change is needed, it becomes a simple task to apply it to all branches.
Disadvantages of SD-Branch
It's a new field, and vendors don't yet have interoperability standards. You have to pick the one vendor whose products best match your requirements, which may mean accepting sub-optimal functionality in some aspects of branch visibility and control. Maybe one product does a better job of visibility and troubleshooting, while another best matches your needs for defining and applying security policies; you cannot currently mix the two.
If a number of your branch sites use unique designs, often called snowflake networks, the SD-Branch approach will be less advantageous. Simple differences, such as interface naming or port roles, make the creation of standard policies more challenging, and you don't want to maintain a set of policies that are similar but slightly different for each site. Standardizing the sites first is the best approach and reduces operational costs over the long term.
Applying SD-Branch
You may need to change some of the procedures used to configure, monitor, and manage branch networks. For example, even a simple change should be validated on a subset of branches: start with a test branch, expand to a few sites, then to all sites. At each step, a comprehensive set of pre-change and post-change tests should verify that the starting and ending network state is what you expected, and a failure at any step should stop the rollout before it reaches the remaining sites. Once these processes are in place, operational streamlining becomes a significant advantage.
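The staged rollout above, and the "one site with a slightly different configuration" risk raised in the advantages section, both come down to comparing a site's rendered policy against a golden standard. Here is an added example (not code from the original article or any vendor's product) that does both: `policy_drift` reports any extra, missing or re-ordered firewall rules at a site, and `staged_rollout` pushes a change stage by stage, running that comparison as the pre-check and post-check and halting before the next stage on the first failure. The golden policy, the site inventory (including the deliberately drifted `br02`) and the change itself are constructed for the demonstration; a real controller would pull the site policies from the devices.

```python
"""Added example: golden-policy drift detection plus a halt-on-failure staged rollout.

GOLDEN, the site inventory and the change are constructed sample data, not a
real deployment.
"""
import copy
from typing import Callable, Dict, List

Policy = Dict[str, List[str]]   # ACL name -> ordered rule list, as rendered on the device

GOLDEN: Policy = {
    "iot-egress": [
        "deny ip 10.40.0.0/24 10.0.0.0/8",
        "deny ip 10.40.0.0/24 172.16.0.0/12",
        "deny ip 10.40.0.0/24 192.168.0.0/16",
        "permit udp 10.40.0.0/24 any eq 53",
        "permit tcp 10.40.0.0/24 any eq 443",
        "deny ip 10.40.0.0/24 any",
    ]
}


def policy_drift(golden: Policy, site: Policy) -> List[str]:
    """Human-readable findings; empty list means the site matches the standard.
    Comparison is order-sensitive because ACL rule order is security-relevant."""
    findings: List[str] = []
    for acl, rules in golden.items():
        if acl not in site:
            findings.append(f"missing ACL {acl}")
            continue
        if site[acl] != rules:
            extra = [r for r in site[acl] if r not in rules]
            missing = [r for r in rules if r not in site[acl]]
            findings += [f"{acl}: unexpected rule '{r}'" for r in extra]
            findings += [f"{acl}: missing rule '{r}'" for r in missing]
            if not extra and not missing:
                findings.append(f"{acl}: rules present but in a different order")
    findings += [f"unexpected ACL {acl}" for acl in site if acl not in golden]
    return findings


def build_sites() -> Dict[str, Policy]:
    """Constructed inventory: three compliant sites and one snowflake."""
    sites = {name: copy.deepcopy(GOLDEN) for name in ("lab", "br01", "br02", "br03")}
    # br02 was once "fixed" locally by permitting everything ahead of the real rules.
    sites["br02"]["iot-egress"].insert(0, "permit ip 10.40.0.0/24 any")
    return sites


def add_ntp_egress(policy: Policy) -> Policy:
    """The change being rolled out: allow NTP, inserted so the final deny stays last."""
    new = copy.deepcopy(policy)
    rules = new["iot-egress"]
    rules.insert(len(rules) - 1, "permit udp 10.40.0.0/24 any eq 123")
    return new


def staged_rollout(sites: Dict[str, Policy], stages: List[List[str]],
                   change: Callable[[Policy], Policy], golden: Policy) -> dict:
    """Apply `change` stage by stage. Pre-check: site matches golden. Post-check: site
    matches golden-with-change. Any failure rolls that site back and halts the rollout."""
    expected = change(golden)
    report = {"completed_stages": 0, "halted_at": None, "results": {}}
    for stage in stages:
        for name in stage:
            pre = policy_drift(golden, sites[name])
            if pre:
                report["results"][name] = ("pre-check failed", pre)
                report["halted_at"] = name
                return report
            before = sites[name]
            sites[name] = change(sites[name])
            post = policy_drift(expected, sites[name])
            if post:
                sites[name] = before          # roll back the site that failed validation
                report["results"][name] = ("post-check failed", post)
                report["halted_at"] = name
                return report
            report["results"][name] = ("ok", [])
        report["completed_stages"] += 1
    return report


if __name__ == "__main__":
    inventory = build_sites()
    plan = [["lab"], ["br01"], ["br02", "br03"]]     # canary, pilot, everything else
    result = staged_rollout(inventory, plan, add_ntp_egress, GOLDEN)
    for site, (status, findings) in result["results"].items():
        print(f"{site}: {status}", *findings, sep="\n  ")
    print(f"stages completed: {result['completed_stages']}, halted at: {result['halted_at']}")
```

The pre-check is what turns the snowflake from a latent hole into a visible finding: `br02` is caught before the change touches it, and `br03`, which is fine, is left untouched until someone has looked at `br02`. The order-sensitive comparison matters too; a site whose rules are all present but reversed has `deny ip ... any` first and would silently drop the traffic the policy is meant to allow.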
What Does the Future Hold?
The software-defined movement will continue to expand. Network devices will become more standardized and easier to manage. We may even see the demise of the command-line interface in favor of programmatic interfaces that are driven by centralized control systems that combine a comprehensive view of the entire network with group policies to simplify network operations.