White Paper SD-LAN

Evolving technology that will change the way customers monetize their enterprise networks.


Introduction

SD-LAN or software-defined local area networking is an emerging technological concept that aims to extend the principles behind SDN and NFV to the “access” or “edge” layer of the enterprise network. The access layer is where users, guests, devices and machines connect to a company’s secure corporate network. Traditionally, the access layer of a network infrastructure includes the following main components: LAN switches, wireless LAN (WLAN) access points and WLAN controllers. For medium-sized to large campus networks with multiple branch locations, there are also high capacity distribution and core switches used by the customer or its service provider to gather these multiple LAN networks together and connect them to the WAN (wide area network). Unlike SD-WAN, however, SD-LAN is still a developing service concept. As can be observed further in our discussion, there is no single definition yet for SD-LAN, and vendors and service providers qualify SD-LAN differently. On one hand, some players consider current offers in the market as “pre-SD-LAN” and hold that there is no full-fledged SD-LAN offer yet in the market. On the other hand, some players consider existing vendor solutions as already SD-LAN. We will attempt in the next sections to highlight the main features of SD-LAN based on discussions with vendors, service providers and enterprise customers.

Definitions

A previous white paper on SD-WAN described that “with SDN, the network design and management reside in central controllers (based on mass-produced high performing servers or located in the cloud) that distribute instructions to many low-cost and “dumb” network nodes (such as mass-produced routers, switches, access points, etc.)”. Likewise, the concept of SD-LAN is to change the management from a device- and command-centric approach to a “network-wide”, policy-based approach with the capabilities of a feedback mechanism to automatically react to certain conditions. The distribution of these policies is done by a controller that could be deployed either on-premise or in the cloud.

Traditional vs. cloud-managed vs. SD-LAN: what are the differences?

SD-LAN is often used synonymously with cloud-managed LAN/WLAN technology (also called cloud-based or cloud-controlled), but the two are distinct: cloud-managed LAN/WLAN has fewer customization features and mainly targets customers with simpler networking needs. SD-LANs, on the other hand, offer more enhanced network management and are best for customers that have higher security requirements and more complex network designs. A cloud-managed LAN/WLAN network already has many aspects of a software-defined solution, such that instead of being seen as a precursor of SD-LAN, cloud-managed networks are typically equated with it. What may add to the confusion is that in a traditional on-premise and fully managed LAN/WLAN environment, network configuration and management is already done from a central site, so in a sense it also has some software-defined aspects. From a network solutions architecture point of view, the idea behind SD-LAN is actually nothing new, as there are already existing ways to achieve this using the available infrastructure and IT solutions. This begs the question: how different is SD-LAN from existing network deployments?

Traditional LAN/WLAN network operations and monitoring are typically done on a per-device basis. This means that it requires effort to ensure that changes, compliance settings etc. are applied on all impacted devices or, generally speaking, it requires effort to make sure that corporate policies are current across all devices.

white paper sd-lan

3

Fig. 2a: Simple network diagram showing traditional on-premise LAN/WLAN (management data via MPLS link; customer portal based on a 3rd-party solution; WAN router, security firewall, WLAN controller, WLAN router; core, distribution and access layers with switches and access points).

Fig. 2b: Simple network diagram showing cloud-managed LAN/WLAN (management data via IPSec VPN; cloud-based vendor dashboard; WAN router, security firewall, WLAN controller, WLAN router; core, distribution and access layers with switches and access points).

Fig. 2c: Simple network diagram showing the SD-LAN network concept (management data via IPSec VPN; cloud-based or hosted vendor central orchestration platform; universal CPE, security firewall, router; core, distribution and access layers with switches and access points).

Some vendor portals ease this burden, but looking into the various vendor portals of cloud-managed solutions, the availability of configurable features and the possibility to make changes vary a lot. In addition, the availability of northbound APIs (application programming interfaces) differs.

On the other hand, both cloud-managed LAN/WLAN and SD-LAN are similar in terms of the intention to reduce provisioning time and to centralize the management of the network. However, SD-LAN takes it further by enabling greater control of the enterprise network down to the application layer and providing deeper insight into the network’s performance and use. The features of SD-LAN will be discussed further in the next section, but based on these similarities, some industry experts refer to cloud-managed LAN/WLAN as “pre-SD-LAN”. In fact, since 2017, a couple of vendors have even started to market their product portfolio as SDN or even SD-LAN. However, we think that such a simple transposition of meaning between SD-LAN and cloud-managed LAN/WLAN can be confusing for enterprise customers and minimizes what SD-LAN aims to achieve in the area of next generation enterprise network management.


SD-LAN: creating agile and scalable networks

Since SD-LAN is still an evolving technology and service concept, the definition of SD-LAN is still rather fluid. Interviewing different experts on the topic from both the vendor and service provider side (e.g. product managers, system engineers, network architects and technical marketing executives), we observed that each group has its own emphasis regarding what SD-LAN is or what it should be. In this section, we will discuss the characteristics of this technology and the pre-requisite features to be called “SD-LAN” as well as the perceived benefits of this service concept. The points below significantly consider the customer perspective and may not always fit exactly with the marketing communications of a vendor or a service provider, but these are what we perceive as critical points for an enterprise customer.

Pre-requisite features of SD-LAN as a virtualized controller environment

Based on these discussions, we arrive at the following common threads about seven features that SD-LAN should have:

1. Zero-touch provisioning
This primarily involves technical features such as auto-discovery of devices (switches, access points, cameras, etc.) and auto-provisioning from templated configurations based on customer-defined segments (VLANs, subnets, SSID policy, etc.). This also includes automatic or scheduled firmware updates with no network downtime and fast on-boarding of additional network equipment.

2. Centralized network management
This refers to the centralized orchestration platform that provides dashboard features for network planning, monitoring, configuration management, change management, access management, guest access and reporting. Apart from providing visibility, the advanced features of an SD-LAN solution enable the configuration of network policies from a centralized platform for mass distribution of these changes across all equipment in the enterprise network or only for specific parts of the network (i.e. only one site, one device family …). One major advantage of SD-LAN as far as network management is concerned is that LAN and WLAN can now be managed under a single platform, whereas traditionally, LAN and WLAN are managed separately with LAN having more configuration possibilities than WLAN. However, this single management possibility is part of a closed vendor solution or has limitations in regard to a multi-vendor network. Thus, today multi-vendor networks require a further abstraction layer that consolidates the vendor-specific orchestrators.

3. Application awareness
Using deep packet inspection technology, SD-LAN enables visibility up to the application layer for traffic prioritization and bandwidth management. Customers can implement security-device-type features to control which applications or which websites are allowed for certain segments, prioritize traffic of mission critical applications or user groups, set bandwidth control for certain applications and define routing rules for specific application groups (e.g. collaboration tools via the MPLS network, browser traffic via the broadband Internet network, etc.). With the analytic tools provided by some vendors, this helps network administrators to identify whether a user-reported problem is caused by the network or by an application. In case of a security policy violation identified in the SD-LAN, some vendors either offer automatic remediation or alert the administrator to take action, providing insight on the violation. In both described cases, the orchestrator can assist in the root cause analysis. Looking at industry trends, support from AI or machine learning is possible to further help the administrator in identifying or even solving the issue.

4. Role-based authentication
Using principles behind identity and access management solutions, SD-LAN’s role-based authentication enables network administrators to segment the network and define the access of different users based on their roles (e.g. staff, guests, BYOD devices and IoT machines). This makes access to the corporate network policy-driven, thereby increasing the security of the entire network and expanding security beyond existing authentication protocols (port-based authentication, 802.1X). This is enabled via the integration of SD-LAN with user databases such as Active Directory or LDAP and adding further segmentation mechanisms (micro-segmentation), or through an internal database system that can perform access management and authentication with the switches and access points acting as RADIUS servers. It must be noted that the access management features of SD-LAN pertain only to access to the corporate network, but not necessarily to the corporate applications themselves. For this, additional security layers such as Network Access Control solutions, Single Sign On (SSO) or Unified Endpoint Management (UEM) solutions are required in addition.

5. Deep dive performance reporting
With SD-LAN, the reporting features of the network are expanded beyond the usual operational and utilization indicators. SD-LAN aims to provide richer and more granular reporting of network performance and traffic use by location, segments, departments, SSIDs, users, devices and application and content usage. Customers can get reports on device health, clients, rogue devices, alarms and events for management analysis. SD-LAN should also have open APIs to integrate analytics applications for big data, location-based and user/device behavior analyses. Traditionally, advanced technical or operational reports for LAN and WLAN require a monthly subscription to premium reporting packages realized through third party solutions. With SD-LAN, network visibility and reporting are already possible with the same license.

6. Self-healing and self-optimizing networks
SD-LAN-ready equipment comes with software-defined radios, power controls and Bluetooth low energy features which can be managed using the central orchestration platform in order to optimize the network. This has an impact on repair time because SD-LAN enables auto-detection and automatic notification of faults or device/network failure. This is further enhanced with configuration capabilities that can automate features such as failover, best path forwarding, station load balancing, dynamic mesh routing, predictive stateful roaming and RF management (thus, “self-healing” networks).

7. Full policy integration between the LAN and the WAN
Finally, some service providers and even independent industry experts contend that SD-LAN is not specific to local area network management alone. Under an SDN architecture, SD-LAN should have integration with the WAN under a single piece of equipment (universal CPE) and/or a single orchestration platform. The goal is to have full policy integration between both the local area and the wide area networks in order to truly streamline the network structure and processes and build agile networks. An example of full policy integration is application-aware traffic prioritization. With SD-LAN, network administrators should be able to set policy permissions, bandwidth limits and routing rules for applications from the LAN to the WAN, thus controlling the movement and flow of traffic from end to end and ensuring high quality application performance in an optimized enterprise network.

To summarize, SD-LAN technology combines the existing functions of a managed LAN/WLAN network with features coming from four other IT solutions: identity and access management (IAM), network performance monitoring (NPM), application performance management (APM) and big data analytics.
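The role-based segmentation (feature 4), the per-segment application rules (feature 3) and the policy-driven access benefit discussed later all come down to one policy decision made by the orchestrator. The following is an added, constructed model of that decision, not any vendor's API; the roles, VLAN ids, application names and the rule that MAC-only authentication is accepted only for the IoT segment are assumptions:

```python
"""Illustrative SD-LAN access policy engine (constructed example, not a vendor API).

Two decisions are modelled: which segment (VLAN) an authenticated identity is
placed in, and which application flows are allowed and how they are prioritized
from that segment. Roles, VLAN ids and application names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

QUARANTINE = 999  # assumed VLAN for anything the policy cannot place confidently


@dataclass(frozen=True)
class Identity:
    user: Optional[str]   # None for devices that authenticate without a user (IoT)
    role: str             # "staff", "guest", "byod", "iot", or anything unknown
    auth_method: str      # "8021x", "captive_portal" or "mab" (MAC auth bypass)
    device_type: str      # "laptop", "phone", "camera", "pos", ...


@dataclass
class SegmentPolicy:
    vlan: int
    allowed_apps: frozenset                       # apps permitted from the segment
    priority: Dict[str, str] = field(default_factory=dict)  # app -> high/normal/low
    allowed_device_types: Optional[frozenset] = None        # None means any type


# Customer-defined segments (assumed values).
POLICIES: Dict[str, SegmentPolicy] = {
    "staff": SegmentPolicy(10, frozenset({"collab", "erp", "web", "email"}), {"collab": "high"}),
    "guest": SegmentPolicy(20, frozenset({"web"}), {"web": "low"}),
    "byod": SegmentPolicy(30, frozenset({"web", "email", "collab"}), {"collab": "normal"}),
    "iot": SegmentPolicy(40, frozenset({"telemetry"}), {}, frozenset({"camera", "pos", "sensor"})),
}

# East-west traffic between segments is denied unless listed here (assumed: staff may
# reach the IoT segment for management; nothing else crosses segment boundaries).
EAST_WEST_ALLOW = {(10, 40)}


def assign_segment(ident: Identity) -> Tuple[int, str]:
    """Return (vlan, reason). Unknown roles, weak authentication for privileged
    roles and device types that do not belong in a segment go to quarantine."""
    policy = POLICIES.get(ident.role)
    if policy is None:
        return QUARANTINE, "unknown role"
    # The corporate segment requires port-based 802.1X, never MAC-only auth.
    if ident.role == "staff" and ident.auth_method != "8021x":
        return QUARANTINE, "staff role requires 802.1X"
    # MAC auth bypass is only acceptable for headless IoT devices.
    if ident.auth_method == "mab" and ident.role != "iot":
        return QUARANTINE, "MAC auth bypass only permitted for iot"
    if policy.allowed_device_types and ident.device_type not in policy.allowed_device_types:
        return QUARANTINE, f"device type {ident.device_type} not allowed in {ident.role}"
    return policy.vlan, f"role {ident.role}"


def evaluate_flow(vlan: int, app: str) -> Tuple[str, str]:
    """Decide an application flow sourced from a segment: (verdict, priority).
    Quarantine and unknown segments are default-deny."""
    for policy in POLICIES.values():
        if policy.vlan == vlan:
            if app in policy.allowed_apps:
                return "allow", policy.priority.get(app, "normal")
            return "deny", "n/a"
    return "deny", "n/a"


def allow_east_west(src_vlan: int, dst_vlan: int) -> bool:
    """Segment-to-segment traffic is only allowed inside a segment or when
    explicitly listed; this is what limits lateral movement between segments."""
    if src_vlan == dst_vlan:
        return True
    return (src_vlan, dst_vlan) in EAST_WEST_ALLOW


if __name__ == "__main__":
    for ident in (Identity("alice", "staff", "8021x", "laptop"),
                  Identity(None, "iot", "mab", "camera"),
                  Identity(None, "iot", "mab", "laptop")):
        vlan, why = assign_segment(ident)
        print(f"{ident.role:5s} {ident.device_type:7s} -> VLAN {vlan} ({why})")
```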

Benefits of SD-LAN: simplified, flexible and end-to-end management

With the above features defined, the benefits of SD-LAN should be towards creating simplified, flexible, agile and scalable networks. From a service provider or network administrator perspective, SD-LAN should lead to overall improvements in service provisioning and network maintenance in order to better meet customer demands.

Reduced provisioning lead time
With zero-touch provisioning, network administrators or service providers hope to reduce provisioning lead time since devices no longer need to be pre-configured before installation. It may also lessen one-time costs by shipping the devices to the different office locations of a customer and letting the customer’s own team install the devices themselves, since the equipment is basically plug and play. Enterprise customers nowadays want to fast-track the deployment of networks through automated scripts that define network configurations. This is to shorten the time-to-market for their products and business offerings. With automated network planning and deployment, instead of waiting two to three months from service order to service activation including equipment staging, the lead time can be shortened significantly.
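Feature 1 (zero-touch provisioning) and the lead-time benefit above describe a flow where a device that is plugged in is discovered, matched against the order, given a configuration rendered from the customer-defined segments and brought to the target firmware. The following is an added, constructed model of that flow, not any vendor's implementation; the device models, serials, sites, firmware versions and the config line format are assumptions, and the inventory check that rejects devices not in the order is the defender's caveat such a flow needs:

```python
"""Illustrative zero-touch provisioning flow for SD-LAN (constructed example).

A newly discovered device reports its serial, model and running firmware. The
controller admits it only if the serial matches the expected inventory for the
order, renders its configuration from the customer-defined segments and flags a
firmware update when the running version is below target. All values assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int
    subnet: str
    ssid: Optional[str] = None  # only wireless segments carry an SSID


# Customer-defined segments (assumed).
SEGMENTS: List[Segment] = [
    Segment("corp", 10, "10.10.0.0/24", "Corp-Secure"),
    Segment("guest", 20, "10.20.0.0/24", "Guest"),
    Segment("iot", 40, "10.40.0.0/24"),
]

# Expected inventory shipped for the order: serial -> (model, site, role). Assumed.
INVENTORY: Dict[str, Tuple[str, str, str]] = {
    "SN-AP-0001": ("ap-wifi6", "berlin-branch", "ap"),
    "SN-SW-0001": ("sw-48p", "berlin-branch", "switch"),
}

# Target firmware per model (assumed).
TARGET_FIRMWARE: Dict[str, Tuple[int, ...]] = {"ap-wifi6": (4, 2, 1), "sw-48p": (9, 0, 3)}


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.1.0' -> (4, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def render_config(serial: str, role: str, site: str, segments: List[Segment]) -> str:
    """Render a device configuration from the segment template (assumed syntax)."""
    lines = [f"hostname {site}-{role}-{serial[-4:].lower()}"]
    for seg in segments:
        lines.append(f"vlan {seg.vlan} name {seg.name}")
        if role == "ap" and seg.ssid:
            lines.append(f"ssid {seg.ssid} vlan {seg.vlan}")
        if role == "switch":
            lines.append(f"interface vlan {seg.vlan} ip-subnet {seg.subnet}")
    return "\n".join(lines)


def onboard(serial: str, model: str, firmware: str) -> Dict[str, object]:
    """Provisioning decision for a device that just called home.

    A device whose serial or model does not match the order gets no configuration
    at all: the template contains segment layout that must not be handed to an
    unexpected device, and a mismatch is itself a signal worth alerting on.
    """
    entry = INVENTORY.get(serial)
    if entry is None:
        return {"status": "rejected", "reason": "serial not in inventory"}
    expected_model, site, role = entry
    if expected_model != model:
        return {"status": "rejected", "reason": f"model mismatch: expected {expected_model}"}
    target = TARGET_FIRMWARE[model]
    needs_update = parse_version(firmware) < target
    return {
        "status": "provisioned",
        "site": site,
        "role": role,
        "firmware_update": ".".join(map(str, target)) if needs_update else None,
        "config": render_config(serial, role, site, SEGMENTS),
    }


if __name__ == "__main__":
    for call_home in (("SN-AP-0001", "ap-wifi6", "4.1.0"), ("SN-XX-9999", "ap-wifi6", "4.2.1")):
        result = onboard(*call_home)
        print(call_home[0], result["status"], result.get("reason") or result.get("firmware_update"))
```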

Automated network configuration
Creating agile networks is one of the buzzwords around SD-LAN, and with the above features the goal is to be able to quickly onboard, activate/deactivate, configure, change or update the network settings with minimal manual work and little to no network downtime. This means that networks can more easily adapt to the business needs of the customers rather than the other way around.

Shorter repair times
SD-LAN’s self-healing and self-optimizing functions can lead to shorter repair times and consequently lower costs to maintain and manage networks. At present, customers who manage their own enterprise networks spend a lot on IT resources in order to keep the network up and running at all business times. Those who have outsourced their networks to local system houses or service providers pay monthly recurring costs to proactively maintain their networks. With SD-LAN, network administrators and service providers can realize cost efficiencies since fewer resources are required to maintain the network. Instead, they can focus more on making the enterprise network more adaptive and flexible to the business needs of the company.


Policy-driven access
With SD-LAN’s application level visibility and role-based authentication features, enterprise customers can strengthen the integrity of their networks and protect themselves better from unauthorized breaches through better segmentation of networks and by controlling the data traffic flows to these segments. According to some security experts, the currently “flat” design of networks with large domains has made them more vulnerable to ransomware and lateral movement attacks. Segmenting the networks into smaller domains and assigning policies to each of these segments will allow enterprise customers to shield their corporate networks more effectively from such malicious code.

Scalable
Finally, one key benefit of SD-LAN is to enable the expansion of the network in a scalable manner so that companies can build their networks as they grow, instead of making huge one-time investments or incurring high monthly operating costs. The scalable nature of SD-LAN will also help to manage around the different lifecycles of the existing network in order to transition more gradually into a fully software-defined environment.

Some conclusions and what to expect in the future

Based on the above objectives for SD-LAN, some of the conclusions that we can arrive at present are:

SD-LAN is not necessarily cloud-based. Cloud-based is only one possible deployment model. A customer with higher security requirements may opt for a virtualized/hosted deployment in a more dedicated environment (e.g. on-premise or at a data center). Thus, it would be myopic to view SD-LAN simply as a cloud-based solution.

Cloud-managed LAN/WLAN is clearly not SD-LAN because cloud-managed vendor platforms can still be limited in terms of key features such as advanced authentication, deep dive network visibility and application-aware traffic prioritization. According to some MSPs, current cloud-managed solutions are not capable of further customization of the network, especially for large campus deployments. Thus, third-party IT solutions are still required in order to enable some services such as security, monitoring, reporting and optimization. To differentiate cloud-managed LAN/WLAN from SD-LAN, some vendors have started to offer different licensing models. For instance, Aerohive and Aruba offer two licensing models:

1) a basic one (Aerohive HiveManager NG Connect and Aruba Central Device Management) which includes mainly connectivity and centralized network monitoring and

2) a full feature set (Aerohive HiveManager NG Select and Aruba Central Service) which has more advanced features and is closer to the definition of SD-LAN.

SD-LAN is still an evolving technology, so a final definition cannot be made. The prerequisite features identified are a conglomeration of different aspects highlighted during vendor and service provider discussions. At the end of the day, each player has its own emphasis and thus its own communication of its SDN or SD-LAN strategy. A global managed service provider, for instance, may emphasize the need for full policy integration between LAN and WAN as their managed LAN/WLAN customers are also typically their WAN customers. Thus, to maximize the full benefits of an SDN environment, they would emphasize the need to manage the entire network from end to end, from LAN to WAN, in the best case based on the same software-defined platform. A LAN/WLAN solution vendor, on the other hand, may highlight its current platform as a complete SD-LAN solution with the focus only on managing the local area network. Either way, the developments in the market are pointing towards eventual LAN-WAN integration, with developments from Cisco Software Defined Access, Cisco Routers and Viptela under the Cisco DNA Center and the Riverbed-Xirrus integration under SteelConnect, as well as integration of branch gateways and LAN/WLAN networks from vendors such as Cisco Meraki, Aerohive and LANCOM.

Finally, as LAN-WAN integration for SD-LAN is not yet fully realized in the market, different MSPs have attempted to achieve a form of SD-LAN through the following intermediate network management models:

1) using separate software-defined platforms for LAN and WAN,

2) using a third-party IT service management platform like ServiceNow or SolarWinds, Cisco Network Service Orchestrator or Aruba AirWave and

3) implementing a simple LAN-WAN integration using WAN, LAN and WLAN devices from the same vendor, such as LANCOM, Aerohive and Riverbed, which also have their own lines of cloud-enabled routers and gateways even if the software integration is not full yet. These implementations will be discussed further in the next section.


The following are some of the emerging trends that we are seeing regarding SD-LAN that may have an impact on future software upgrades of these systems:

Big data analytics
Product and customer experience managers whose job it is to analyze user or customer behavior seek to capitalize on the visibility offered by SD-LAN by integrating big data applications via the API environments provided by current vendor solutions. This will transform switches and access points into data collectors that analysts can use in order to mine market insights. These applications are ideal for customers in the retail, hospital and education industries that have to deal with high density traffic, multiple device use and multiple OS environments. Vendors like Cisco Meraki and Aerohive already have these advanced analytics APIs to analyze location-based statistics, consumer behavior and time and attendance management of employees. Riverbed has recently launched the integration of SteelConnect with Aternity to enhance its network monitoring and analysis capabilities.

Advanced guest access
Current vendor solutions already include guest access and captive portal customization features. Some developments are in the works to further strengthen the functionalities for guest access settings, including self-service, targeted location-based marketing, advanced user analytics and Network Access Control for stronger authentication. Cisco already has its Identity Services Engine, while Aruba is offering ClearPass. To join the fray, Aerohive has recently launched its own Network Access Control (NAC) solution called A3, which is an additional license option for enterprise customers that want full control and management of access to their network.

IoT machine authentication
We expect to see further developments in the area of authentication for IoT machines (e.g. cameras, PoS machines, smart office furniture, lighting and temperature controls, etc.) that will further define and control the scope and access of these IoT machines in the context of data privacy regulations. These authentication features are likely to be part of NAC licenses as an expansion of current vendor solutions.

Multi-vendor support
Finally, multi-vendor support is one critical element that MSPs see as a differentiating factor for SD-LAN. Greenfield deployments are ideal scenarios, but the reality for multi-national companies is that the transition from a traditional to a virtualized enterprise network is a prolonged and phased migration because of various considerations such as heterogeneous networks, varying device lifecycles, SLA expectations and complex application environments. Most MSPs that work with multi-national customers are dealing with the effects of mergers and acquisitions on the physical and IT networks of the acquired company, such that they often have to deal with a multi-vendor environment that they have to gradually migrate into a homogeneous network. SD-LAN, thus, should ideally be able to support multi-vendor environments in order to fit more closely the use case scenarios of very large enterprises. Current vendor solutions are still closed environments in that their network management platform can manage only their own branded equipment. One tangential vendor example is Aruba’s AirWave, which is a vendor-agnostic network management solution. It is a management overlay that can provide advanced visibility and reporting tools in a multi-vendor environment; however, it is not an SD-LAN solution because it does not possess advanced configuration, application-aware and self-optimizing functions. There are plans, however, from some vendors to expand their orchestration platforms to support multi-vendor environments.


Current solutions are still considered pre-SD-LAN, but integration with the WAN is already on the roadmap. We talked to the different enterprise network vendors in the market and studied their portfolios to evaluate where they are in SD-LAN development. Based on the current solutions and the characteristics of SD-LAN that were discussed in the previous section, none of the current vendors is offering what we can call a full-fledged SD-LAN solution—one which has an end-to-end integration with SD-WAN to form a complete SDN architecture. Thus, current offerings are often considered by some as pre-SD-LAN offerings.

There are three types of vendors that we are currently seeing in the market. First, there are vendors that have started to offer a form of SD-LAN and SD-WAN integration realized in different ways. Under this type are vendors like Cisco Meraki, Aerohive, LANCOM and Riverbed. One implementation is the use of an appliance like a security firewall in order to combine security, optimization and LAN/WLAN management with a software upgrade. Another example would be LAN/WLAN vendors that also offer virtual VPN gateways and routers to realize secure IPSec VPN connections. These virtual and physical components, along with the LAN/WLAN equipment, are then managed under the same central orchestration platform where some end-to-end policy integration can be implemented (e.g. application-aware traffic prioritization and routing rules). However, these devices are more suitable for customers with smaller networks or enterprise customers with simpler network design requirements for their branch offices and/or telecommuters (e.g. used in home offices). They cannot yet be implemented in a headquarters setting or for large and complex deployments. Finally, another attempt at LAN-WAN integration is achieved at the central orchestration level, where both LAN/WLAN management and other functions like optimization can be accessed, but end-to-end policy integration is not possible yet. A second type of vendors are those whose current SD-LAN solution offering is focused on the management of the local area network only. Aruba and Cisco Software Defined Access (SDA) are examples under this category. Finally, a third type of vendors are those that have a fairly market-competitive cloud-based network management platform, but where advanced features for authentication, application-aware traffic prioritization and deep dive network visibility and reporting are still in development. Under this type are vendors like Huawei and Ruckus, who are popular brands in certain areas like the Asia Pacific market or in the hospitality and retail industries. We can actually still refer to the offerings of this third vendor category simply as cloud-managed LAN/WLAN solutions rather than SD-LAN.

Based on the available pre-SD-LAN solutions in the market, some of the challenges encountered in actual implementations are:

Challenges in implementing the available solutions in large campus and complex environments due to limited design customization or network configuration options

Traffic prioritization that has to be implemented at the WAN level and LAN level separately because routing rules cannot yet be implemented from end to end

Having to use separate management platforms for WAN and LAN

Still requiring the use of a physical appliance such as a firewall to access advanced management features

WAN components can only be used for branch or telecommuting networks, but are not powerful enough to be implemented at the head office or data center. Thus, a separate vendor solution has to be put in place.

Vendor solutions


A note on Cisco Meraki and Cisco Software Defined Access and the overemphasis on WLAN
Cisco Meraki is Cisco’s first foray into the software-defined LAN area with a purely cloud-managed and subscription-based solution. Last year, Cisco launched its Software Defined Access (SDA) portfolio, primarily targeting large enterprise customers. Heretofore, MSPs have largely built their offerings around solutions from Cisco Meraki, Aruba or Aerohive. Thus, questions have arisen as to the difference between Meraki and SDA.

To identify some differences: Cisco SDA is mainly an on-premise solution. It is an alternative for large enterprise customers that have more complex network configuration and security requirements and are basically not comfortable putting their network management platform on the public cloud. SDA currently requires an on-premise appliance to manage the network, but it can also be accessed via a private cloud through MPLS or site-to-site IPSec VPN. It is expected to manage the latest models of Cisco’s legacy products such as Catalyst, Nexus and Aironet. So far, mainly data center equipment is compatible with SDA, but access layer infrastructure is expected to be integrated in the near future. The solution is fairly new, but there have already been major implementations involving multi-national customers who manage their own networks. Moreover, discussions with global MSPs have started in order to integrate SDA into their service offerings.

Cisco’s latest financial results indicate a growing positive impact of SDA on their revenues, which would indicate the market response to this portfolio and a growing openness to software-defined technology especially among the large enterprise customers. Cisco’s financial results have also indicated a gradual shift towards software-based/subscription-based revenues such as those earned from purchase and renewal of subscription licenses from solutions like SDA and Meraki.

One advantage of SDA over Meraki is the investment protection aspect. Meraki’s products depend on Meraki licenses to be able to function. On the other hand, Cisco SDA-compatible products can continue to function even without the central orchestration license, making it a more viable option for long-term use.

Cisco SDA is ideal for large enterprise customers that are still more oriented towards wired local area networks rather than wireless. This is interesting because contrary to what most literature says, our observation as far as the large enterprise segment is concerned is that there will be no significant migration from LAN to WLAN yet in the next couple of years and that WLAN will continue to be an extension of the corporate network rather than its main access technology.

Meanwhile, Cisco Meraki, Aerohive, Aruba, LANCOM and other vendor offerings are more WLAN-oriented. While these vendors also have a line of access switches, the options are much more limited than for WLAN, and these are mainly layer 2 switches that are better suited for branch implementations rather than for headquarters or large campus requirements with high density specifications and data throughput requirements that are already in the industrial-level range of 10 to 400 Gigabit.

Because of its on-premise setup, Cisco SDA is similar to traditional LAN/WLAN network management. But it is considered an SDN offering because it also separates and centralizes network management using software-defined technology. Cisco SDA’s orchestration platform is based on Cisco’s Digital Network Architecture (DNA) Center. Its features are similar to those of Meraki, but according to Cisco experts, it provides more complex configuration, especially for LAN environments. Cisco SDA is still mainly focused on LAN/WLAN, but there are plans to eventually integrate SDA and Cisco’s SD-WAN offering using Viptela under the DNA Center.

Final Points

How will SD-LAN impact the market for managed LAN/WLAN services? In this section we discuss the prevalent customer expectations in the market regarding SD-LAN.

Will SD-LAN make managed network services cost less?

One of the most compelling arguments often communicated for SD-LAN is cost efficiency from reduced provisioning lead time and simplified network management. Indeed, vendor experts often underline the savings that can be generated because fewer technical people and man-hours will be required to deploy the infrastructure and activate it. Furthermore, fewer IT resources will be required to manage the network and multiple IT solutions because of the integrated features within SD-LAN. Does this mean managed LAN and WLAN networks will cost less? We think this is not necessarily the case, and that it is a pie-in-the-sky assumption to make, because large enterprise networks are more complex than that.

First of all, unless the company is completely greenfield, enterprises will likely need network consultants and migration support in order to implement their SDN strategy. Moreover, as far as large enterprise networks are concerned, there are really no true greenfield environments. Secondly, enterprise networks with complex user access, security policies and application environments will need to integrate all of this know-how into the new system, thus requiring specialized IT skills to facilitate the process. Third, enterprise networks have complex plans, so site surveys and a minimum of technical engineering are still required in order to specify which switches or access points will be deployed at each location and where they will be positioned. Thus, unless it is a company with only one or two switches/access points deployed per branch office, zero-touch provisioning does not automatically translate into reduced costs. Thankfully, the promise of SD-LAN technology is that as soon as these pieces of equipment have been plugged in, the platform will run auto-discovery and the configurations will be pushed to the equipment en masse with no further work to be done.

Once the network is in place, SD-LAN technology does indeed promise to simplify the workflow of IT resources (whether in-house or outsourced) and provide greater visibility and control of the network. As network management comprises a huge portion of the cost of having an enterprise LAN/WLAN network, cost efficiencies may indeed be realized here. However, with more advanced features come more licensing costs, and with more data comes a greater need to generate and translate it into meaningful, actionable points for management.

All in all, the total cost of ownership of the infrastructure may possibly become lower; however, we think that the cost of provisioning and managing the network (the Professional Services and technical know-how needed to run and monetize it, e.g. big data analysts) may just offset the cost savings generated from reduced provisioning and network administration man-hours.

Will it strengthen the customer’s network security?

SD-LAN’s advanced authentication and firewall-like features, such as content filtering, application/content restrictions, role-based application access and time and bandwidth controls, are some of its major value propositions. Especially when combined with the possibility to segment the entire network and quickly manage access across multiple locations from a central platform, SD-LAN can indeed strengthen the security of an enterprise customer’s network in a few simple steps. For security experts this is especially important, as enterprises need to manage not only the access of their own staff, but also that of guests as well as different devices (BYOD) and machines (IoT).

However, SD-LAN is more of a very strong gatekeeper to the entire network with enhanced authentication processes than a fool-proof security solution. In order to fully protect against malicious attacks and prevent data loss, enterprise customers still need to augment the security of their network with firewalls, Unified Threat Management (UTM) devices or Unified Endpoint Management (UEM) solutions. To this end, the overall discussion of SDN/NFV and universal CPEs (uCPEs) is relevant, as it aims to integrate routing, optimization, security and LAN/WLAN management under a single orchestration platform. With this, a “true” end-to-end security management may be achieved.
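The gatekeeper behaviour described above (role-based segmentation, time windows, application restrictions and bandwidth caps decided centrally and applied at the edge) can be illustrated with a small policy evaluator. The following is an added example written for this paper, not code from any vendor’s controller; the role names, segment names, application categories and limits are constructed sample values, and the authentication step that yields the role (e.g. 802.1X or a captive portal) is assumed to have already happened. Note what the evaluator does not do: it never looks at payload, which is exactly why the paper still calls for firewalls or UTM devices behind it.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Constructed policy set for a hypothetical central controller.  In a real
# SD-LAN deployment the controller would push these policies to every site;
# only the per-request decision logic is shown here.


@dataclass(frozen=True)
class Policy:
    segment: str                          # network segment (VLAN/virtual network) for the role
    allowed_apps: frozenset               # permitted application categories; empty = unrestricted
    window: Optional[Tuple[time, time]]   # (start, end) local time; None = any time of day
    bandwidth_kbps: Optional[int]         # per-client cap; None = no cap


@dataclass(frozen=True)
class Decision:
    allowed: bool             # whether this flow is permitted
    segment: str              # segment the client is placed in (quarantine if not admitted)
    bandwidth_kbps: Optional[int]
    reason: str


QUARANTINE = "quarantine-vn"   # hypothetical holding segment for rejected clients

# Hypothetical roles; a real policy set would come from the controller's policy store.
POLICIES = {
    "employee":    Policy("corp-vn",  frozenset(),                 None,                       None),
    "guest":       Policy("guest-vn", frozenset({"web", "mail"}),  (time(8, 0), time(20, 0)),  5000),
    "night-shift": Policy("ops-vn",   frozenset(),                 (time(22, 0), time(6, 0)),  None),
    "iot-sensor":  Policy("iot-vn",   frozenset({"telemetry"}),    None,                       512),
}


def in_window(now: time, window: Optional[Tuple[time, time]]) -> bool:
    """True if `now` falls inside the window; handles windows that cross midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end   # e.g. 22:00 -> 06:00


def evaluate(role: str, app: str, now: time) -> Decision:
    """Decide segment, cap and flow permission for an authenticated role."""
    policy = POLICIES.get(role)
    if policy is None:
        # Unknown identity: park it where it can do the least harm.
        return Decision(False, QUARANTINE, None, "unknown role")
    if not in_window(now, policy.window):
        return Decision(False, QUARANTINE, None, "outside permitted time window")
    if policy.allowed_apps and app not in policy.allowed_apps:
        # Client stays on its segment; only this application flow is refused.
        return Decision(False, policy.segment, policy.bandwidth_kbps,
                        f"application {app!r} not permitted for role {role!r}")
    return Decision(True, policy.segment, policy.bandwidth_kbps, "allowed")


if __name__ == "__main__":
    # Constructed sample requests a controller might see in one day.
    requests = [
        ("guest", "web", time(10, 0)),
        ("guest", "file-share", time(10, 0)),
        ("guest", "web", time(23, 0)),
        ("night-shift", "ssh", time(2, 0)),
        ("iot-sensor", "telemetry", time(3, 30)),
        ("contractor", "web", time(10, 0)),
    ]
    for role, app, now in requests:
        d = evaluate(role, app, now)
        print(f"{role:12} {app:10} {now.strftime('%H:%M')} -> "
              f"allowed={d.allowed} segment={d.segment} cap={d.bandwidth_kbps} ({d.reason})")
```

The evaluator makes the division of labour visible: the SD-LAN layer answers “who is this, where may it be, when, and how much”, while anything about the content of the traffic (malware, exfiltration) is outside its model and must be covered by the firewall/UTM/UEM layer the paper mentions.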

Will it optimize the customer’s network and application performance?

SD-LAN’s application-aware traffic prioritization gives enterprises the ability to optimize their network resources by assigning higher priority to selected applications and by setting bandwidth and time limits and/or routing rules for non-mission-critical applications. However, without full policy integration with the WAN, there is still more network management work to do and the customer still does not have complete control of the highway. Consequently, one cannot yet fully assure consistent application performance and quality of experience end-to-end. This question is further complicated for enterprise customers with hybrid networks, or with branch offices in remote locations that have no MPLS access and where the quality of the Internet connection is not consistent. With this in mind, SD-LAN without any WAN integration delivers only half of its promise.

Will this push customers towards DIY networks?

“DIY networks” is one of the buzzwords for SDN and also for SD-LAN. There is an open question whether SD-LAN will indeed drive a tendency towards unmanaged networks (i.e. DIY networks). We think that this discussion will persist while SD-LAN is still in its developmental phase. On one hand, some experts believe that SD-LAN’s more powerful orchestration platform can enable enterprise customers to manage their networks themselves. They also see that it can create more business for smaller system houses that manage the networks of local customers. On the other hand, large enterprise customers, especially multinational companies, prefer to focus their resources on their core businesses rather than on managing their infrastructure. The crux of the matter thus lies in the size of the company, the industry, its business objectives and the complexity of the network requirements.

Thus, SD-LAN may indeed be a customer-enabler in terms of managing in-house networks. It will also potentially bring more business to local system houses that manage such networks. However, we see this happening only in the small to mid-sized enterprise market segments (e.g. companies with 3,000 employees or fewer). In the large enterprise and especially MNC market, we do not expect a significant decline in existing fully managed networks, as enterprises still prefer to focus on their core businesses. However, we do see the relevance and importance of co-managed network models emerging as a result of SD-LAN.

Future Outlook and Recommendations

SD-LAN Will Give Rise to New Service and Cost Models

Based on the feedback from implementation experts and various customer use cases, we think that an SD-LAN portfolio should consider the following:

Service offerings based on customer type/use case

The existing cloud-managed LAN/WLAN offers (basic features) can be positioned towards the small to mid-sized market, in particular customers with simpler network requirements and budget constraints. This paves the way for a future SDN transition without creating a financial obstacle to adoption. SD-LAN, on the other hand, should initially be positioned more towards large enterprise customers, customers with multiple branch offices and customers with higher security requirements.

New equipment cost models

Aside from the usual purchase or lease options (CAPEX vs. OPEX), we think that SD-LAN will give rise to new cost models as far as infrastructure ownership is concerned. Vendors are advocating pay-as-you-grow models where customers can scale their infrastructure in line with their company’s growth. Other cost models that can be explored are on-demand, port-based pricing models. These will be relevant for enterprises with peak and off-peak seasons, such as in the manufacturing industry. In this sense, it is like a pay-as-you-use model for network services, where service providers can activate or deactivate switch ports or access points based on the customer’s business demand.

New software licensing models

Also depending on the customer’s use case, an ideal SD-LAN portfolio should offer at least three licensing options. The first option addresses customers with simple connectivity needs: a basic license with network access and basic dashboard features will suffice. The second option is for customers that want more advanced features, such as the current full-feature-set licensing model that some vendors provide. This gives the customer full access to all the visibility, reporting, authentication and traffic controls. Additional licensing options can be offered for API integration for analytics or location-based services. Finally, a third licensing option offers the premium solution of SD-LAN with WAN integration, i.e. a full SDN suite where both LAN and WAN are managed under a single pane of glass.

New managed services models

At this early stage of SD-LAN evolution, we think that Professional Services, in particular networking consultation, lifecycle assessment, network readiness, migration support and management takeover of existing infrastructure, will be critical offerings to enable an enterprise customer’s migration to an SDN environment. We also think that a future SD-LAN portfolio should offer three service options for the customer: 1) solution resale and provisioning, 2) co-managed services with provisioning, reactive monitoring and incident management, and 3) fully managed services with provisioning and proactive management of the enterprise network.

In summary, the concept of SD-LAN provides enterprise customers and service providers greater visibility and flexibility in managing huge enterprise networks in a more seamless manner. With this, SD-LAN will give rise to new service and cost models to address the different use cases of enterprise customers.

However, SD-LAN is not for customers whose goal is to generate savings from the IT infrastructure. Rather, SD-LAN is for customers that want to have granular control of their entire network, optimize their network resources and monetize the big data that can be gathered in the process.

CONTACT

T-Systems International GmbH
Uli Kunesch
Market Intelligence
Fasanenweg 5
70771 [email protected]

T-Systems International GmbH
Peter Plehp
Marketing TC Division
Hohestr. 80
44139 [email protected]

PUBLISHER

T-Systems International GmbH
Hahnstraße 43d
60528 Frankfurt am Main

http://www.t-systems.de

As of: September 2018