Simplifying the Branch Network
By: Lee Doyle, Principal Analyst at Doyle Research
Sponsored by Aruba, a Hewlett Packard Enterprise company
Executive Summary
A majority of IT organizations are experiencing significant changes that impact the requirements for their distributed branch networks. Mobility, cloud-based applications, and Internet of Things (IoT) are altering traffic flows and increasing bandwidth requirements. Employees and guests expect Internet connectivity, which means that employee-facing and IoT devices need reliable, low latency access to their data and applications, and must be securely on-boarded as they interact with centralized services. IT organizations do not have the level of control they once did with traditional architectures, and now face increasing pressure to support these new initiatives even as budget and resources remain lean.
IT is looking to Software-defined WAN (SD-WAN) to satisfy price-performance benefits of using the Internet, deeper application visibility into WAN traffic, simpler transport across multiple uplinks, and greater flexibility to connect with cloud service. This means that new WAN architecture can improve Total Cost of Ownership (TCO) with simpler operations, reduced hardware costs, and more efficient bandwidth utilization.
As IT organizations take these learnings and apply software-defined architecture across all branch network elements, they can deliver greater CAPEX and OPEX savings. Those elements include:
- Wireless and Wired access for employee and guest users
- Policy and security services for onboarding endpoints
- Quality of Service for application traffic end-to-end
- Closer integration with third-party applications and services
This expanded approach to networking delivers a Software-defined Branch (or SD-Branch) solution to converge all network elements onto a single, easy-to-manage platform. This unified approach provides cloud management and policy enforcement to simplify WAN, WLAN, and LAN, introduces role-based context awareness to the WAN, and integrates multiple services to eliminate onsite appliances. SD-Branch simplifies branch design, reduces Capital Expenses (CAPEX), and optimizes WAN utilization for greater savings than SD-WAN alone.
Challenges of Building and Operating Branch Networks
Leading IT trends, including the migration of key applications to the cloud, use of a wide range of mobile devices (BYOD), and the increased deployment of numerous IoT end-points, pose new challenges for operators of distributed branch networks. Increased cloud and Software-as-a-Service (SaaS) utilization has resulted in profound changes in traffic flows (towards the Internet and away from the corporate data center) that increase demands on branch performance. The increased number and variety of devices (personal and IoT) mandates real-time application performance and security monitoring to ensure user experience. Forecasts from leading analyst firms highlight the challenges:
• Growing IoT: There will be over 25 billion IoT devices by 2020
• Increased Branch security threats: 30% of advanced attacks enter via the branch (Gartner)
• Changing traffic flows: According to IDC, 40-60% of enterprise data traffic is migrating from WANs to the Internet
Leading IT organizations realize that the inevitable challenges for managing current branch networks include ease of deployment and operations, application identification and prioritization to ensure Quality of Service (QoS), and real-time security/network health metrics. Capital and operational costs are also key concerns as it is expensive to deploy and manage a complex assortment of hardware and software at remote branch locations. See Figure 1.
[Figure 1: New Requirements for Cloud, Mobile, and IoT (users and devices; apps and data; WAN)]
Simplifying Branch Network Operations
To meet the challenges of evolving branch network requirements, IT organizations are deploying new software and cloud-based tools to optimize WAN, WLAN, and LAN. By applying SDN and SD-WAN methodology, existing network context information about users, devices, and applications can be used to dynamically improve Quality of Service (QoS), policy, and configuration. This information provides SD-WAN functionality with deeper network and application insights even as hybrid WAN architectures leverage commodity Internet bandwidth to augment traditional MPLS networks.
Centralized management provides for rapid (zero-touch) provisioning, pre-staging configurations, and real-time changes at remote branch locations. Cloud-based intelligence provides for improved visibility into traffic flows with its ability to identify potential security threats. Centralized policy management allows the policy to follow the client/user and eliminates security risks associated with time-consuming, manual management tasks for various network overlays and functions. With centralized management consoles, IT can leverage established branch and headend rules to reduce the complexity of setting up secure VPN tunnels and establishing the virtual WAN topology. New security services can easily be service chained with existing branch network software. See Figure 2.
Figure 2: SD-WAN Architecture
Further benefits accrue when organizations collapse an array of WAN, Wireless Local Area Networks (WLAN), and LAN services onto a single branch gateway platform. Under this model, complete branch network functionality is combined into a unified and centralized management framework. This functionality includes:
• Wireless LAN (Wi-Fi)
• Ethernet switching
• SD-WAN and WAN optimization
• Routing and VPN
• Firewall and network security
The platform provides wireless and wired access for employees, guests, mobile devices, and IoT devices. All policy management is centralized, thus requiring little or no intervention at the branch location. See Figure 3.
Figure 3: Branch Network Element Consolidation [diagram labels: WLAN, LAN, WAN Opt, Firewall, VoIP, Cloud-based Apps, Centralized Services, Branch-in-a-Box]
Benefits of the Software Defined Branch Network
Intelligent software provides a number of significant benefits for branch network deployment and ongoing operations. SD-Branch provides context awareness to optimize QoS for critical applications in the access layer and improve SD-WAN routing functionality. The consolidation of network functions to software on a common platform reduces initial hardware costs (CAPEX) and ongoing maintenance fees. Cloud-based management speeds deployment and reduces complexity – thus providing operational (OPEX) benefits. Services can be deployed via a subscription-based model that reduces equipment costs and allows IT to easily deploy new services.
Reduce Bandwidth Costs
As a critical element of SD-Branch, SD-WAN provides organizations the ability to build hybrid WAN networks that leverage multiple WAN connections (e.g. MPLS and Internet) to efficiently deliver bandwidth to branch locations. Its context aware routing identifies applications and steers traffic to the appropriate network with the correct quality of service. This allows organizations to benefit from the “Internet economics” where circuits (ethernet, DSL, cable, etc.) typically are 1/3 the cost of comparable speed MPLS links. Internet services also have the advantage of wide availability and rapid provisioning times as compared to MPLS. SD-WAN also provides the ability for organizations to leverage multiple Internet service providers with the benefits of cost competition and diversity of circuits for high reliability.
CAPEX
SD-Branch allows organizations to selectively consolidate WAN services including routing, Wi-Fi, ethernet, firewalls, VPNs, and application visibility into a single platform. This consolidation provides the potential for a significant reduction in the hardware costs associated with the multiple box solutions. Consolidation of hardware also reduces ongoing maintenance costs (typically 15% of the initial purchase fee) for each box at each branch location.
OPEX
OPEX provides a measure of ongoing operational benefits provided by SD-Branch solutions. OPEX benefits accrue across a number of categories including agility, scale, management, and security.
Agility: SD-Branch provides a reduction in the time to deploy network resources to new or existing branches. The ability to quickly make adjustments to the network to support the business and optimize the application experience improves the value of the network.
Scale: Many organizations are challenged to deploy and manage networks to hundreds or thousands of branch networks. SD-Branch enables zero-touch provisioning, centralized management, and customizable logs to enable rapid remediation of networking issues at branch locations.
Management: SD-Branch solutions are cloud-based to enable IT to centrally control a large number of branch networks. Pre-configuration in the cloud provides for ease of installation and ability to improve network functionality via software updates.
Security: SD-Branch provides unified network security with UTM, firewall, and VPN capabilities. One security console with enhanced context aware visibility can identify anomalous traffic and speed resolution of security threats. It provides virtual WAN topology that reduces the complexity of setting up secure VPN tunnels.
Aruba TCO models indicate significant savings by moving to a converged branch solution leveraging SD-WAN to augment or replace MPLS links. A typical organization with 100 distributed branch locations can save $millions over 3 years. See Table 1.
Table 1: Cost Savings as Compared to Unconverted MPLS Only Solution
MPLS + Internet: 31%
Internet Only: 76%
Aruba’s value proposition for Branch Networks
Aruba 7000 series Branch Gateways offer integrated wireless, switching, and hybrid WAN services for distributed enterprises, all managed by cloud-based Aruba Central. They are optimized for cloud services and hybrid WAN connections, and are designed to deliver the performance, reliability and security required to support the number of IoT devices. Built-in WAN optimization and granular control over applications ensure appropriate QoS for business critical applications. Aruba collapses the complicated patchwork of branch appliances and access servers into a single, compact cloud services platform. The Aruba 7000 series Branch Gateways eliminate the time, cost and complexity of managing disparate single-purpose point products in the branch. Key features of the Branch Gateway include:
• Zero-Touch Provisioning – Reduces the time, cost and complexity of installing branch office networks.
• Programmable Policy Enforcement Firewall – Delivers context-aware control to a variety of branch networking requirements.
• Cloud-based Application QoS – WAN optimization and application visibility and control improve the performance of business-critical apps in the cloud.
• Advanced Routing – Implements context-based routing across dual Ethernet WAN and LTE WAN links to preserve bandwidth for prioritized, business-critical traffic.
Aruba’s SD-Branch solution takes advantage of the cloud to manage and monitor WAN, Wi-Fi, and ethernet links. Monitoring, reporting and deployment is handled centrally with Aruba Central. In addition, Aruba offers integration with Palo Alto Networks firewalls and enhanced performance for Microsoft UC customers.
[Figure 4: Aruba SD-Branch Solution. Diagram labels: Branch Gateway (7000 Series), Headend Gateway (7200 Series), Aruba SD-WAN fabric, Dynamic Path Selection, Access Point, Access Switch, Branch Offices, Internet, Cellular Failover, Data Center, 3rd Party Apps. Key: Internet Traffic, Corporate Traffic, Voice Traffic. Callouts: Centralized Cloud Management; Branch-wide Network Health and Configuration; User-centric Policies with Role-based Awareness; UCC metrics and QoS for 2,600+ Applications; Dynamic Segmentation with Tunneled Node.]
Conclusion and Recommendations for CXOs
The emphasis of mobility and cloud-based applications is changing the requirements for distributed branches. IT organizations continue to be challenged to provide high quality, cost-effective services to distributed users. The advent of pervasive IoT deployments at the edge of the network will further stress existing branch WAN connectivity. IT organizations are challenged to update and manage the disparate elements of the remote branch – i.e. routers, firewalls, Wi-Fi, switching, etc. These new WAN requirements (e.g. changes in traffic flows) will require a transformation of the way branch networks are built and operated.
New software-based networking technologies such as SD-WAN significantly reduce operations and capital costs while improving quality of service for critical applications. With intelligent network software, IT organizations can consolidate a host of network functions onto a single platform. The SD-Branch is a converged branch network that unifies Wi-Fi and ethernet connections, identifies traffic types and routes them to the appropriate link, and provides enhanced security. Cloud-based policy management allows centrally based IT staff to efficiently troubleshoot network issues at remote branch locations.
SD-Branch architectures provide compelling benefits via efficient bandwidth utilization, improved application QoS, and increased security. Its SD-WAN features enable the use of highly efficient (and lower cost) Internet bandwidth. SD-Branch leverages virtual software to replace dedicated hardware (e.g. network security, routers, Wi-Fi, ethernet, SD-WAN) with an all-in-one platform – thus considerably reducing branch hardware and associated maintenance costs. Its cloud-based management system provides for rapid provisioning and network upgrades – positively impacting IT agility and improving operations.
Aruba delivers network access and hybrid WAN solutions to remote locations that need simplified enterprise-class connectivity and secure access to corporate resources. By combining intelligent wired, wireless, and WAN into one platform, the 7000 Series delivers a single solution for LAN and WAN connectivity. IT leaders should consider the benefits of branch network consolidation, including reduced hardware and maintenance costs, improved operations agility, and superior application QoS.
Meet the Author
Lee Doyle is Principal Analyst at Doyle Research, providing client focused targeted analysis on the Evolution of Intelligent Networks. He has over 25 years’ experience analyzing the IT, network, and telecom markets. Lee has written extensively on such topics as SDN, NFV, enterprise adoption of networking technologies, and IT-Telecom convergence. Before founding Doyle Research, Lee was Group VP for Network, Telecom, and Security research at IDC. Lee contributes to such industry periodicals as Network World, Light Reading, and TechTarget. Lee holds a B.A. in Economics from Williams College.