SD-WAN has been around for seven years now. Many companies sell SD-WAN and many companies use it, so by rights its principles and advantages should be common knowledge. Yet even as a long-time telecom engineer with more than two years of exposure to SD-WAN, I could only name two advantages: intelligent path selection and lower cost.
Later I read the introductions published by the leading SD-WAN vendors, only to find myself buried again in marketing terms and circular phrasing: SD-Branch, SEE, SASE, AI SD-WAN.
To help everyone understand SD-WAN without getting lost in the hype, I will try here to deconstruct SD-WAN the way one would in a research study and see what SD-WAN actually brings.

## 1 What is SD-WAN

SD-WAN is software-defined WAN; everyone knows that. For a concrete understanding, look at how the vendors define it.

Cisco:

SD-WAN is a software-defined approach to managing the WAN.
Key advantages include:
- Reducing costs with transport independence across MPLS, 4G/5G LTE, and other connection types.
- Improving application performance and increasing agility.
- Optimizing user experience and efficiency for software-as-a-service (SaaS) and public-cloud applications.
- Simplifying operations with automation and cloud-based management

Fortinet:

SD-WAN is a software-defined approach to transforming the WAN that helps accelerate the adoption of cloud-based applications and other digital transformation initiatives. SD-WAN creates overlay tunnels that can handle a variety of connections and dynamically move traffic over the best transport available. It can provide both redundancy and much more capacity using lower-cost links.

From these we extract the keywords:
- Reducing costs
- lower-cost
- dynamically
- agility
- cloud-based applications
What network technology has fundamentally pursued all along is:

The keywords above suggest that SD-WAN's areas of focus should be (from highest to lowest priority):

In the end, SD-WAN was introduced to lower the price: use cheaper Internet access in place of conventional leased lines or MPLS VPN (MPLS VPN can be seen as the lower-priced historical evolution of the leased line). The lower price drove bandwidth up, and software was then brought in to make management easier. So the S in SD-WAN is not the reason SD-WAN appeared. Progress in the software industry did make SD-WAN possible, but the improvement in consumer broadband (100M, then 500M, then gigabit) probably counts for more. The state has invested enormous sums here: speed-up and fee-reduction programs, mandatory fibre in new buildings, and so on. The worldwide embrace of fibre matches China's fibre policy as well; the US federal government has put large sums into supporting fibre construction in the states.

## 2 SD-WAN use cases

So how does SD-WAN lower the price? Simply: divert part of the traffic onto Internet (broadband) links that cost far less than leased lines, as shown in the figure below:
SD-WAN's innovation lies mainly in this traffic-splitting technique: from the traditional split on destination IP, destination port and protocol to a split based on application.
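To make the application-based split concrete, here is an added example (my own code, not from the post or any vendor) of the steering logic an SD-WAN CPE applies: a flow is classified to an application, the application's SLA thresholds are checked against each WAN link's probe results, and the cheapest link that meets the SLA carries the flow, with failover to the healthiest live link when none qualifies. The link names, ports, thresholds and probe values are constructed sample data; the port-to-application table stands in for a real DPI engine.

```python
# Added example: application-aware, SLA-based path steering (constructed data).
# Not the post's or any vendor's code; PORT_TO_APP stands in for DPI signatures.
from dataclasses import dataclass

@dataclass
class LinkStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_rank: int        # lower is cheaper: broadband 0, DIA 1, MPLS 2
    up: bool = True

# Per-application SLA: a link qualifies only if it meets all three thresholds.
SLA = {
    "voip": {"latency_ms": 100, "jitter_ms": 20, "loss_pct": 1.0},
    "erp":  {"latency_ms": 200, "jitter_ms": 50, "loss_pct": 2.0},
    "web":  {"latency_ms": 500, "jitter_ms": 100, "loss_pct": 5.0},
}
# The SD-WAN change: classify by application instead of the raw 5-tuple.
PORT_TO_APP = {5060: "voip", 8443: "erp", 443: "web"}   # constructed stand-in

def classify(dst_port):
    return PORT_TO_APP.get(dst_port, "web")   # unknown traffic is treated as web

def meets_sla(link, sla):
    return (link.up and link.latency_ms <= sla["latency_ms"]
            and link.jitter_ms <= sla["jitter_ms"]
            and link.loss_pct <= sla["loss_pct"])

def choose_link(app, links):
    """Cheapest link meeting the app SLA; else best live link by loss, then latency."""
    sla = SLA.get(app, SLA["web"])
    ok = [l for l in links if meets_sla(l, sla)]
    if ok:
        return min(ok, key=lambda l: l.cost_rank).name
    alive = [l for l in links if l.up]
    if not alive:
        return None                           # site is cut off, nothing to steer
    return min(alive, key=lambda l: (l.loss_pct, l.latency_ms)).name

def steer(dst_port, links):
    """Return (application, chosen link name) for a flow to dst_port."""
    app = classify(dst_port)
    return app, choose_link(app, links)

# Constructed probe snapshot: broadband is cheap but jittery, DIA clean, MPLS best.
SAMPLE_LINKS = [
    LinkStats("broadband", 45, 25, 0.5, 0),
    LinkStats("dia", 30, 5, 0.1, 1),
    LinkStats("mpls", 20, 2, 0.0, 2),
]
```

With this snapshot VoIP avoids the jittery broadband link and lands on DIA, while web traffic takes broadband; MPLS is only used when the cheaper links fail their SLA.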
At this point you may feel that, apart from intelligent path selection, SD-WAN has no original technical innovation, and wonder whether it deserves such fanfare from the industry. Hold that question for now and look at how SD-WAN is actually used.

### 2.1 Deploying SD-WAN at branch offices

We think branch-office SD-WAN deployments fall into two cases:

The main difference between the two: people move around and are not permanently behind one network device, whereas devices stay comparatively fixed.

#### 2.1.1 Remote device access

This scenario usually involves strong control over the network. Common cases are:
In this scenario the devices are normally always online: they access the company's internal systems or connect to business systems in a public or private cloud, with no need for general Internet access. There are also the following requirements:

This is in fact a very good fit for SD-WAN deployment:
- Large number of sites, suited to SD-WAN's automated deployment
- Emphasis on security: the security features built into the SD-WAN device (IPsec, URL filtering, etc.) can be used directly
- Emphasis on reliability: SD-WAN's multi-link backup provides very good reliability
#### 2.1.2 Remote user access requirements

For a mid-sized company, typical employee needs are:
- Internet access: looking up public information, talking to customers on WeChat
- SaaS applications: Feishu, DingTalk
- Internal systems: OA, ERP, CRM and the like
An SSL VPN generally covers these needs; SD-WAN, and especially SD-WAN layered on IPsec, is usually not needed here.

## 3 SD-WAN's breakthrough technology

From the use-case analysis above we can see:
- SD-WAN's main function in practice is still traffic splitting
- SD-WAN's use cases lean toward connecting devices (IoT)

Beyond a large reduction in leased-line cost, there is no real innovation.

### 3.1 Cost reduction

Reference: https://www.idcbest.com/idcnews/11006222.html
What is a leased line:
Consumer broadband has asymmetric upload and download speeds, shared bandwidth and no fixed IP.
A leased line is defined relative to consumer broadband: symmetric upload and download, and dedicated bandwidth (it does not get squeezed when many users are online).
What is MPLS:
A leased line only gives dedicated bandwidth on the access side, whereas MPLS gives dedicated bandwidth end to end, which is why it costs more. In the figure below, leased-line prices are on the left and MPLS prices on the right, so the common approach is SD-WAN plus leased line as a replacement for MPLS.
See also the user described in 5.1, who likewise replaced MPLS with DIA (Dedicated Internet Access).
### 3.2 Improved reliability

By lowering the price, SD-WAN makes it affordable to connect two links (leased line / consumer broadband / LTE / 5G), which does improve site reliability.
Reliability matters a great deal to a business: if the network is down when you need it, you effectively have no network.

## 4 SD-WAN's integrated technologies

So why are the big equipment vendors still pushing it so hard? My understanding is that SD-WAN can serve as the carrier for many technologies. An SD-WAN CPE can act as:
- IPsec gateway
- NGFW
- Edge-computing device
- WAN-acceleration device

Consolidating these technologies into one box simplifies the customer's equipment deployment and management, enables real-time monitoring, and gives the network visibility.

### 4.1 WAN acceleration

Reference: https://www.fortinet.com/blog/business-and-technology/fortinets-advanced-sdwan-capabilities-help-achieve-max-performance

#### 4.1.1 WAN Path Remediation

With FEC, packet loss can be detected and retransmissions reduced. Forward error correction (FEC) is a digital signal processing technique used to enhance data reliability. It does this by introducing redundant data, called error correcting code, prior to data transmission or storage.
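To show what "redundant data" buys on a lossy WAN path, here is an added example (my own code, not from the post or from Fortinet's product) of the simplest packet-level FEC: every group of k data packets is sent with one XOR parity packet, so a single loss within the group is rebuilt at the receiver without waiting for a retransmission. It also computes the bandwidth overhead, which is the reason the user in section 5.1.1 wants FEC targeted per application. The packets and group size are constructed sample data.

```python
# Added example: packet-level XOR parity FEC with recovery of one loss per group.
# Not the post's or Fortinet's code; packets below are constructed sample data.

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_group(packets):
    """Pad the group to equal length and append one XOR parity packet.
    Returns (padded packets, parity, original lengths); the lengths ride along
    so the receiver can trim the padding after recovery."""
    n = max(len(p) for p in packets)
    padded = [p.ljust(n, b"\0") for p in packets]
    parity = bytes(n)
    for p in padded:
        parity = xor_bytes(parity, p)
    return padded, parity, [len(p) for p in packets]

def decode_group(received, parity, lengths):
    """received holds the padded packets, with None where a packet was lost,
    and parity is None if the parity packet itself was lost. One data loss is
    repaired from the parity; anything beyond that returns None so the caller
    falls back to retransmission."""
    missing = [i for i, p in enumerate(received) if p is None]
    if len(missing) > 1 or (missing and parity is None):
        return None
    out = list(received)
    if missing:
        acc = parity                      # parity XOR all surviving packets
        for j, p in enumerate(received):
            if j != missing[0]:
                acc = xor_bytes(acc, p)
        out[missing[0]] = acc
    return [p[:n] for p, n in zip(out, lengths)]

def overhead_pct(k):
    """Extra bandwidth of one parity packet per k data packets.
    k=2 costs 50%, k=10 costs 10%: applying FEC to everything is wasteful."""
    return 100.0 / k

# Constructed sample group of three voice packets of unequal length.
SAMPLE_PACKETS = [b"voice-seq-1", b"voice-seq-22", b"voice-seq-333"]
```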
#### 4.1.2 SD-WAN Aggregation

Besides intelligent path selection, link aggregation is another of SD-WAN's killer features.
#### 4.1.3 Tunnel QoS

QoS priority can be ranked separately for each IPsec tunnel.

## 5 User feedback

Here I collect real usage scenarios and user feedback (excluding emotional venting and people who have not really used it in depth). DIA: dedicated internet access, similar to a domestic leased line: symmetric upload and download bandwidth.

### 5.1 Users in favour

#### 5.1.1 User one

Source link

Why the user chose SD-WAN:

If I can replace a $3000 a month MPLS connection and get the same or better reliability with a $1000 DIA connection and 2 x $200 business grade connections from different providers why wouldn't I? Multiply that by a few dozen/hundred/thousand sites and you can easily see how compelling that is to any business.

Technologies the user cares about (almost all are functions layered on top of the SD-WAN CPE):
- dynamic path steering based on SLA's
- dynamic packet duplication and/or Forward Error Correction based on SLA performance
- ideally with granular targeting of app's/ports to lower the overhead of dupe's (FEC control must be fine-grained enough; otherwise FEC data is added to traffic nobody cares about and bandwidth is wasted)
- zero touch provisioning (ZTP)
- rich monitoring and traffic insights to the level of Netflow/IPFIX

#### 5.1.2 User two

This one is more advanced, using Starlink, but it also shows the benefit of SD-WAN's flexibility: connect over any transport.

Company saved $50k/month by changing MPLS links to dual DIA, remote sites with shit infrastructure get reliable access by merging two DSL connections or DSL and Starlink, less fiddly to get going than an IPSEC DMVPN. It's been a good switch for us.
#### 5.1.3 User three

We got roughly 10x the bandwidth at 80% of the cost of dropping MPLS for DIA+DOCSIS
Let me just say this… if you are ONLY looking at sdwan as a multi to multi transport, you really missed the boat. The application optimization is so key and more so the value add than IPsec management. If you didn't get that part, you may need to read up.

### 5.2 Users against

#### 5.2.1 User one: wrong deployment approach

When SD-WAN was rolled out, saving money was the only goal: a leased line with a higher SLA was replaced by a cheaper one with a much lower SLA.
Because circuit cost only fell by 10%, the savings could not fund an additional circuit, while system complexity went up, so the user experience got much worse.

We ran into this. We had a high level person come in and decide leased circuits are out sdwan is in. We saved 10% in circuit budget and our KPIs were in the toilet with downtime. That circuit with 24/7 repair response and 99.99 sla was gone and replaced with you better hope it goes down before 12 or it was nbd before a repair tech was dispatched. It was 100% sold as cost savings, so to add a second link from a different carrier or even cell backup would have destroyed that. It lasted 6 months and we were converting sites back. Had it been sold as redundancy and not cost savings it would have made sense with multiple carriers at each site. Although you have to make sure they don't use the same fiber from the local telco to come in the site.

#### 5.2.2 User two

We use SD-WAN at my organization being pushed from the corporate level, forcing us to move away from our MPLS network locally. Our director is old school and has fought it, but..
I don't think it's inherently bad, and I like the upsides of it, I personally am just not a fan of how it's being implemented in our org. Dealing with two third parties and extremely long lead times to get sites up. One company we deal with for technical issues and they contact another party for dealing with the ISP. We have no contact with ISP at all.
We have had far less reliability with SD-WAN compared to our MPLS as well.