SDDC Gone Global with Software Defined WAN

2015 VMworld USA - David Klebanov @DavidKlebanov

As many organizations are reaping significant benefits from the Software Defined Data Center approach, the focus now turns to the new field of Software Defined WAN. Carrier and organizational Wide Area Networks remained relatively stale for well over a decade, but that is changing. Software Defined WAN goes hand in hand with Software Defined Data Center to deliver an end-to-end secure, agile and scalable solution, which benefits carriers and organizations of all sizes. In this session we will review the principles behind SDWAN and see how SDWAN can be leveraged to securely extend SDDC service delivery between multiple Data Centers or between Data Centers and remote branches.


David Klebanov Viptela

Director of Technical Marketing, Viptela. Senior infrastructure technologies professional with over 15 years of extensive experience in designing and deploying complex multidisciplinary networking environments.


My name is David Klebanov. I am a Director of Technical Marketing with Viptela. You can see here my contact information, my Twitter handle if you would like to get in touch with me in this way, or you can send me an e-mail.

Today we’re going to talk about a pretty interesting topic. We’re going to talk about how the software defined data center extends its reach into remote locations, be those remote data centers or be those remote branch offices or campuses. Our agenda is going to be: I’m going to talk to you a little bit about Viptela. Viptela is a relatively new company – it is three years old – so we’re going to give you a little bit of information about Viptela. We’re going to talk about the state of affairs in the WAN market. We’re going to look at the transformations that are happening in the WAN market through the software-defined wide-area network. Then we’re going to look at how Viptela addresses the software defined data center market, and eventually, we’re going to look at how Viptela’s technology integrates and extends the software defined data center approach available from VMware and other infrastructure virtualization companies.

So what is Viptela? Viptela was founded about three-and-a-half years ago by ex-employees of Cisco, Juniper, some from Alcatel. We have been funded by Sequoia Capital exclusively in two rounds, raised $33.5 million, which gives us enough to develop our product in the three-and-a-half years we’ve been around. We actually started shipping our product about a year and a half ago. We’ve been deployed in numerous Fortune 500 and 100 customers. We have very significant traction with a service-provider community that views our solution as a managed-service offering to their customers. We’ve been recognized by the industry through several publications, several industry awards, and we are tracking a continuous and increased customer traction, be those businesses, enterprises, or service providers.

What are the current things that matter and that are not working quite well in the wide-area network? There are a few things I wanted to touch upon, namely four.

One is the non-scalable economics. The circuit costs and the cost to bring up and operationalize new WAN connectivity methods have become non-economical, and that’s not something that most of the organizations can cope with, especially when the need for the bandwidth to cater to the communication of the applications is ever-increasing.

The extended service turnup is also a very significant concern for the organizations, because everybody’s trying to be agile. Everybody’s trying to turn up services as quickly as possible, and the provisioning time that it takes for a traditional, say, MPLS circuit is something in the matter of weeks and most likely months. That’s not something that the traditional organizations can live happily with.

Security policy: Security is very important, especially when you’re talking about diverse transports. You’re talking about an MPLS, which is private, secure, SLA-driven, side-by-side with the Internet, which has no privacy, no SLA guarantees. So how do you deliver that ubiquitous experience as far as security is concerned across both?

And at the end of the day, it’s all about application performance, be those applications in your private cloud, public cloud – all of that must be factored in, and the WANs of today are not doing a particularly good job in addressing those things. So that’s when the world is gravitating toward something new. How can we change things? How can we do things better?

So software defined wide area network is a relatively new approach that was born several years ago, and it’s pioneered by several companies in the market. Viptela is definitely one of the most significant players for that. There are a few groundbreaking rules that exist for a software defined wide area network to be successful, and this is the transformation that I mentioned earlier.

First and foremost is the hybrid connectivity. As your transport becomes diversified, you have the MPLS circuit, you have the Internet circuits, you have the 4G LTE circuits. The solution has to cater to all of those and ubiquitously provide service across all of them.

Zero-touch authenticated edge: Not only do you need connectivity, you also have to make sure that the devices that participate in your connectivity are fully authenticated and fully authorized to actually take part in this WAN environment. Things like privacy, data privacy, data secrecy as it’s being transported through different means of communication are also very important. As I mentioned earlier, MPLS transports are inherently secured because they are private by nature, while the Internet is not private and not encrypted. How do you make this ubiquitously available through the private services of an MPLS and the sort of public, unencrypted services of the Internet?

How do you carve different topologies out of what you’ve just constructed? Constructing a software defined wide area network is one thing, but having segregated connectivity across that ubiquitous infrastructure is a different thing, and it caters a lot to things like compliance that many organizations have a very strong need for. Different topologies are constructed across your wide area network, because different applications have different connectivity needs – be those full mesh connectivity needs, partial mesh, star topologies, hub-and-spoke topologies, all of those have to be factored in. At the end of the day, it is also things like layer four through layer seven service insertion that contribute overall to building robust and secure infrastructure elements. So these are the groundbreaking rules for deploying a solid solution that is leveraging a software defined WAN approach.

Now once you have this thing delivered, that’s when things become very interesting. Now you can deliver differentiated services on top of it. So what are examples of some of those differentiated services? You can deliver intelligent WAN path control services, where you decide which of all the available paths are used for a specific application to comply with the service level agreement that that application actually requires. Things like network-wide security and network-wide quality of service – click of a button, I want to make sure that I deploy ubiquitous security and apply quality of service control throughout my entire wide area network. Things like application visibility and policies are extremely important, because at the end of the day, as I mentioned earlier, it’s about running applications, so you want to make sure that the policies that you have defined on top of your software defined WAN are something that can benefit applications, have deep-level visibility into the application characteristics, and make sure that the SLAs that those applications are requiring are actually respected by the underlying fabric. At the end it’s also about automation, orchestration, management. These are the things that are required to better operationalize this technology and make sure that it’s better integrated with the organizational toolset.

So how can Viptela solve this puzzle? Viptela has several components that exist in our solution. A fundamental component is the vEdge router, which is a full-featured router that runs standard routing protocols such as OSPF and BGP. It also supports static routing and can be integrated into any existing network and environment, no matter how complex it is. Those vEdge routers also perform security functions such as IPsec encryption, SSL, public infrastructure certificates. So there are quite a lot of things that go into those vEdges. But is it important? Well, not really, because for us, vEdge is just a hardware platform to deliver software innovation on top. We need the vEdge as a hardware footprint so we can provide connectivity, so we can provide fingerprinting of each one of those devices, so that we know that whatever communicates on the network is totally allowed to do that. But at the end of the day, as I mentioned, it’s a platform to do encryption for applications running on top.

The other component is the vSmart controllers, which are the controllers where the policy is being enforced and pushed to the vEdge routers so vEdge routers can actually act on that policy and enforce that policy on the common traffic, and this fabric is established through a secure channel, which at the end results in an actual data path, which is IPsec-encrypted traffic with AES 256-bit that runs across.

In order to manage this environment, the vManage component is something that is talking to other elements of the solution to make sure that we have the operation, administration, and management elements of the solution baked in. It also produces a set of RESTful APIs, so you can integrate this solution with the higher-level orchestrators.

Now let’s look for a second at what are the use cases behind using Viptela technology as a software defined WAN technology coupled with a software defined data center. So we are going to look at three different use cases.

The first use case is the extension of the software defined data center into the remote branch facilities. So as the software defined data center takes care of segmenting or micro-segmenting the types of traffic in the data center environment, it does not currently extensively extend into the wide area. So what we are talking about here is the interfaces, which are standard routed interfaces or bridged interfaces that go from the edge of the software defined data center into the edge of the software defined WAN, which is identified by the vEdge routers that I mentioned earlier. Once those are received on the vEdge router, they are mapped into the respective virtual private topologies, and at the end, they are transported securely and in a segmented way across the entire wide area network to the destination. In this case, the destination is the branch office, where they are handed off to an existing environment – be that a bridged or routed environment – where the actual user population connects. What it gives you is, it gives you seamless end-to-end segmentation that is carried all the way from the software defined data center through the segmented WAN fabric all the way to the remote branch, where it is handed off in a segregated fashion towards the users.

The other case is pretty much an extension of the previous case, where you have a situation where the remote branches actually have some of the compute power that is needed to provide services, application services, for local users. In that case, you can think about this as sort of distributed computing, where you have some computing resources in a data center, some computing resources are located in the branch office, and you want to make sure when those compute resources communicate between the data center and their own branch, that traffic is segmented across the WAN environment as it traverses between the data center and the WAN. Again, as in the previous case, you have the segmentation that is taken care of by the software defined data center on the data center side, you have the segmentation that is taken care of by either a software defined data center element in the branch office or by vSphere, which is a more traditional virtual machine networking stack. But either way, the segmentation on either side of the connection exists through an existing tool, and then you have the wide area network that enforces that segmentation across the WAN as the traffic traverses.

The last case is the segmentation or the extension of the micro-segmentation across multiple data centers. Again, this is the case where you have distributed applications that are positioned in each one of the data centers. So these are full compute stacks on each one of the sides, and they also have the micro-segmentation as the networking stack. Those things take care of segmenting the traffic inside those respective environments. Once the traffic hits the wide area network, the segmentation needs to be carried through. Otherwise, if you don’t uphold the segmentation in this case, you can’t really guarantee that the traffic segregation is maintained end to end.

We are present at the event, so if you are here, if you are still here at VMworld in San Francisco, come see us. We are in the New Innovators area, booth 1637. We’d love to host you there, love to give you more information. Come and learn more about the software defined data center transformation and how Viptela helps transition your business through cost reductions, enhanced security, enhanced application performance in a private or public cloud, and how you turn up services in no time.

Thank you very much for listening.