One of the biggest headaches for networking teams is supporting the rollout of new enterprise applications. A hybrid WAN can ease application deployment, but to make it a reality, we need to switch from a network topology to a service topology. Modern WAN requirements command a new corporate connectivity model.

Initially, data center complexity hindered the rollout of new applications. Increasingly, however, application rollout challenges have shifted to the WAN. That’s because the exploding use of the cloud for applications such as ERP and CRM is placing new and greater demands on the corporate WAN, which isn’t well-suited to support many of those applications. Ever since the WAN was transformed into an MPLS Layer 3 VPN infrastructure more than a decade ago, not much has changed. It lacks the flexible connectivity to keep up with growing cloud bandwidth requirements, making it costly and difficult to provision new applications.

One of the biggest challenges to deploying new applications is a lack of control over WAN services. With the current model, enterprises must rely on carriers to implement infrastructure changes for new applications and locations. This can take weeks or months. And because there’s no way to instantiate VPNs independent of the underlying transport, implementing different service levels for individual applications is difficult, if not impossible.

Hybrid WAN: Flexible, Service-Oriented Connectivity

Instead of relying exclusively on MPLS for transport, enterprises need a hybrid WAN to make application rollouts easier. For example, a single enterprise VPN infrastructure could encompass MPLS, carrier Ethernet, and the Internet for transport while it provides connectivity for all required applications. Since the Internet is ubiquitously available, it can serve as the core of the corporate WAN, with other types of transport attached to it to form a complete infrastructure. This would allow enterprises to acquire services with different SLAs, based on application use and location.

In addition to providing flexible transport, hybrid WANs need connectivity that is based on service topology and centrally managed usage policies.

Currently, WAN connectivity is based on network topology and managed using a peer-to-peer model. This means routing relationships are established by multiple control planes that operate independently of each other. Routing protocols like OSPF and BGP are used to establish site VPN routes, and IPsec is used to secure traffic between sites. These routing and security control planes run independently of each other, each with its own scaling, convergence behavior, and policies. Since most control planes are set up on a peer-to-peer basis, each requires its own policy and configuration. As a result, when a configuration change is required, it has to be provisioned and propagated across all the control plane peers, creating an operational nightmare.

To transition from network- to service-oriented hybrid WANs, the control plane must be decoupled from the physical topology. Today, control intelligence is discovered and processed independently by each and every network element. By decoupling the control plane from networking nodes, we gain the following key benefits:

  • Most computationally intensive calculations, such as best path, alternate paths, policies, and configurations, are centralized.
  • The control plane can be provisioned as a virtual machine that can reside in either the data center or the public or private cloud, such as Amazon or Azure.
  • Any data plane topology can be deployed with only a limited number of control plane connections.
  • New site bring-ups only need to authenticate with a few controllers to get their connection policies, instead of the extensive peer-by-peer adjacencies that are currently required.
  • Security services, such as IPS, firewalls, and IDS, no longer need to be in physical paths and can be on virtual paths.
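The service-topology model described above (a central policy store that renders per-site, per-application transport selection, with Internet paths carried over IPsec and each application placed in its line-of-business segment) can be sketched as a small Python model. This is an added illustration, not code from the original article or from any vendor's controller; the site names, transport metrics, SLA thresholds and segment names are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Transport:
    """One underlay available at a site, with its currently measured quality."""
    name: str
    latency_ms: float
    loss_pct: float
    private: bool  # True for MPLS/carrier Ethernet; False means an IPsec overlay is required


@dataclass
class AppPolicy:
    """Central, application-level intent: SLA bounds, transport preference, segment."""
    app: str
    max_latency_ms: float
    max_loss_pct: float
    preferred: list      # transport names in order of preference
    segment: str         # line-of-business segment (e.g. a VRF name)


@dataclass
class Site:
    name: str
    transports: dict     # transport name -> Transport


class Controller:
    """Holds the single copy of policy and renders each site's forwarding config."""

    def __init__(self, policies):
        self.policies = {p.app: p for p in policies}
        self.sites = {}

    def register(self, site):
        # A new site only needs a session to the controller, not to every peer.
        self.sites[site.name] = site

    def select_path(self, site_name, app):
        """Pick the first preferred transport at the site that meets the app's SLA."""
        policy = self.policies[app]
        site = self.sites[site_name]
        for tname in policy.preferred:
            t = site.transports.get(tname)
            if t is None:
                continue  # this site has no such circuit
            if t.latency_ms <= policy.max_latency_ms and t.loss_pct <= policy.max_loss_pct:
                return {"transport": tname, "segment": policy.segment, "ipsec": not t.private}
        return None  # nothing meets the SLA: surface it, do not silently downgrade

    def render_site_config(self, site_name):
        return {app: self.select_path(site_name, app) for app in self.policies}

    def update_policy(self, policy):
        """One change at the controller re-renders every site; no per-peer edits."""
        self.policies[policy.app] = policy
        return {name: self.render_site_config(name) for name in self.sites}


def control_sessions(n_sites, n_controllers=2):
    """Full-mesh peer adjacencies versus site-to-controller sessions for n sites."""
    return {"peer_mesh": n_sites * (n_sites - 1) // 2,
            "controller": n_sites * n_controllers}


# Constructed sample policy: ERP is latency-sensitive and prefers MPLS,
# CRM tolerates more and prefers the cheaper Internet path.
POLICIES = [
    AppPolicy("erp", max_latency_ms=30, max_loss_pct=0.2,
              preferred=["mpls", "internet"], segment="finance"),
    AppPolicy("crm", max_latency_ms=100, max_loss_pct=1.0,
              preferred=["internet", "mpls"], segment="sales"),
]


def build_demo():
    """Two constructed sites: HQ is dual-homed, the branch is Internet-only."""
    ctrl = Controller(POLICIES)
    ctrl.register(Site("hq", {
        "mpls": Transport("mpls", 20, 0.1, private=True),
        "internet": Transport("internet", 45, 0.5, private=False),
    }))
    ctrl.register(Site("branch", {
        "internet": Transport("internet", 25, 0.1, private=False),
    }))
    return ctrl


if __name__ == "__main__":
    ctrl = build_demo()
    for name in ctrl.sites:
        print(name, ctrl.render_site_config(name))
    # Tightening one SLA at the controller changes every site's rendered config.
    print(ctrl.update_policy(AppPolicy("erp", 10, 0.2, ["mpls", "internet"], "finance")))
    print(control_sessions(50))
```

The point of the model is that the policy lives in exactly one place: a site reports its measured transport quality and receives a rendered configuration, and an SLA change is made once and re-rendered for every site rather than being re-provisioned peer by peer. A `None` result is returned deliberately so that an unmet SLA is visible to operations instead of being quietly routed over a non-compliant path.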

The cloud is evolving into the largest VPN ever built, ushering in an era of modern WAN requirements. To support applications on this new infrastructure, we need a network that is capable of providing security at Internet scale, can support segmentation for lines of business, and is decoupled from physical circuit-based topologies.