One of the biggest headaches for networking teams is supporting the rollout of new enterprise applications. Initially, the challenges were associated with data-center complexity, but increasingly they have shifted to the WAN.
That’s because the exploding use of the cloud for applications such as ERP and CRM is placing new and greater demands on the WAN, which isn't well suited to support many of those applications in its current incarnation. Ever since the WAN was transformed into an MPLS Layer 3 VPN infrastructure more than a decade ago, not much has changed. It generally lacks the flexible connectivity needed to keep up with growing cloud bandwidth requirements, which makes it costly and difficult to provision new applications.
One of the biggest challenges to deploying new applications is lack of control over WAN services. In the current model, enterprises must rely on carriers to implement infrastructure changes for new applications and locations, which can take weeks or months. In addition, because there’s no way to instantiate VPNs independent of the underlying transport, implementing different service levels for individual applications is difficult, if not impossible.
Instead of relying exclusively on MPLS for transport, what enterprises need to make application rollouts easier is a hybrid WAN. For example, a single enterprise VPN infrastructure could encompass MPLS, carrier Ethernet, and the Internet for transport, while providing coherent connectivity for all required applications. Since the Internet is ubiquitously available, it can serve as the core of the enterprise WAN and include branches of other types of transport, thus forming a complete infrastructure. This would allow enterprises to acquire services with different SLAs, based on application use and location.
To make hybrid WANs a reality, we need connectivity that is based on service topology and can be centrally managed using policies. Currently, WAN connectivity is based on network topology and managed using a peer-to-peer model.
This means routing relationships are established by multiple control planes that operate independently of each other. Routing protocols like OSPF and BGP are used to establish site VPN routes, and IPsec is used to secure each location. These routing and security control planes run independently of each other and have their own scaling, convergence and policies. Since most control planes are set up on a peer-to-peer basis, each requires its own policy and configuration. As a result, when a configuration change is required in the network, it has to be provisioned and propagated across all the control plane peers, creating an operational nightmare.
To transition from network to service-oriented WANs, the control plane must be decoupled from the physical topology. Today, control intelligence is discovered and processed independently by each and every network element. By decoupling the control plane from networking nodes we gain key benefits:
- Most computationally intensive calculations, such as best path, alternate paths, policies, and configurations are centralized
- The control plane can be provisioned as a virtual machine that can reside in either the data center or in the public or private cloud such as Amazon or Azure.
- Deploy any type of data plane topology with limited control plane connections
- New site bring-ups only need to authenticate with a few controllers to get their connection policies rather than the extensive peer-by-peer adjacencies currently required
- Security services such as IPS, firewalls, and IDS no longer need to be in physical paths and can be on virtual paths
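The following is an added toy model, not code from the article or from any SD-WAN vendor, that illustrates the service-oriented model described above: a central controller holds per-application SLA policy and per-site transport metrics, picks the transport for each application at each site, flags which selections ride an unencrypted transport and therefore need an IPsec overlay, and compares how many devices must be touched for one policy change under the peer-to-peer model versus the controller model. All sites, transports, latency/loss figures, costs and SLA thresholds are constructed values chosen for illustration.

```python
"""Toy controller for a hybrid WAN (constructed example, not vendor code).

Policy is expressed in terms of application SLA, not network topology: the
controller, not each router, decides which transport (MPLS, Internet, LTE)
carries each application from each site.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transport:
    name: str
    latency_ms: float
    loss_pct: float
    cost: int          # relative cost per Mbps (constructed units)
    private: bool      # True for a private circuit such as MPLS; False needs IPsec


@dataclass(frozen=True)
class AppPolicy:
    app: str
    max_latency_ms: float
    max_loss_pct: float
    prefer_low_cost: bool   # True: cheapest eligible; False: lowest latency eligible


# Constructed site inventory: each site has a different mix of transports.
SITES: Dict[str, List[Transport]] = {
    "hq":      [Transport("mpls", 20, 0.01, 10, True),
                Transport("internet", 35, 0.5, 1, False)],
    "branch1": [Transport("mpls", 40, 0.05, 10, True),
                Transport("internet", 60, 1.0, 1, False)],
    "branch2": [Transport("internet", 45, 0.8, 1, False),
                Transport("lte", 90, 2.0, 3, False)],
}

# Constructed per-application SLA policy, held once at the controller.
POLICIES: List[AppPolicy] = [
    AppPolicy("erp", max_latency_ms=50, max_loss_pct=0.1, prefer_low_cost=False),
    AppPolicy("crm", max_latency_ms=80, max_loss_pct=1.0, prefer_low_cost=True),
    AppPolicy("backup", max_latency_ms=200, max_loss_pct=5.0, prefer_low_cost=True),
]


def select_transport(policy: AppPolicy, transports: List[Transport]) -> Optional[Transport]:
    """Return the transport that meets the SLA, or None if no transport qualifies."""
    eligible = [t for t in transports
                if t.latency_ms <= policy.max_latency_ms and t.loss_pct <= policy.max_loss_pct]
    if not eligible:
        return None
    if policy.prefer_low_cost:
        return min(eligible, key=lambda t: (t.cost, t.latency_ms))
    return min(eligible, key=lambda t: (t.latency_ms, t.cost))


def compute_forwarding_table(sites: Dict[str, List[Transport]],
                             policies: List[AppPolicy]) -> Dict[Tuple[str, str], Optional[Transport]]:
    """Central best-path computation: (site, app) -> chosen transport (or None)."""
    table: Dict[Tuple[str, str], Optional[Transport]] = {}
    for site, transports in sites.items():
        for policy in policies:
            table[(site, policy.app)] = select_transport(policy, transports)
    return table


def ipsec_required(table: Dict[Tuple[str, str], Optional[Transport]]) -> List[Tuple[str, str]]:
    """(site, app) pairs whose chosen transport is not a private circuit and so needs IPsec."""
    return sorted(key for key, t in table.items() if t is not None and not t.private)


def config_touchpoints(num_sites: int, peer_to_peer: bool) -> int:
    """Devices to reconfigure for one policy change.

    Peer-to-peer full mesh: every site holds an adjacency to every other site,
    so each of the n*(n-1) adjacency endpoints carries its own configuration.
    Controller model: the policy changes once at the controller; sites pull it.
    """
    if peer_to_peer:
        return num_sites * (num_sites - 1)
    return 1


if __name__ == "__main__":
    table = compute_forwarding_table(SITES, POLICIES)
    for (site, app), transport in sorted(table.items()):
        print(f"{site:8} {app:7} -> {transport.name if transport else 'NO SLA MATCH'}")
    print("needs IPsec overlay:", ipsec_required(table))
    for n in (10, 50):
        print(f"{n} sites: peer-to-peer touchpoints={config_touchpoints(n, True)}, "
              f"controller touchpoints={config_touchpoints(n, False)}")
```

Note that branch2, which has no MPLS circuit, gets no transport for ERP under the constructed SLA; in practice the controller would surface that as a policy violation for that site rather than silently routing the application over a transport that misses its SLA.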
The cloud is evolving into the largest VPN ever built. To support applications on this new infrastructure, we need a network that is capable of providing security at Internet scale, can support segmentation for lines of business, and is decoupled from physical circuit-based topologies.