Lippis Report 124: Re-thinking Wide Area Network Design
There are multiple business and technology trends that are now interacting and forcing IT planners to rethink their wide area network (WAN) design. The macroeconomic downturn has proven once and for all that business and its processes are global. With economic globalization and the current turbulence, people are required to collaborate more closely, more frequently and across greater distances than at any other point in time. At the same time, IT leaders have been consolidating IT service delivery into data centers as well as consolidating their number of data centers. Data center consolidation offers large economic efficiency but places greater distance between data, applications and end-users, putting great strain on application performance. Corporate green initiatives have driven up the number of home and mobile workers to the point that 15% of traffic flows to and from mobile workers and data centers. Adding more pressure, WANs have historically been designed in a piecemeal fashion with little to no regard for delivering consistent WAN Services among sites.
Add heightened security plus compliance requirements to new applications such as Web 2.0, video conferencing, mobility, etc., and the result is unprecedented demands on the WAN to keep a corporation productive. At a time when WAN performance needs to be optimized and tuned as carefully as Local Area Network (LAN) performance, it is unfortunately more difficult than ever to accomplish. These trends, if not addressed, will invariably have a negative impact on application performance and corporate productivity, especially among WAN-connected branch offices, larger corporate sites and data centers, as 41% of network traffic now flows to and from branch offices.
Cisco’s WAN Advantage
Increased traffic load, application load, collaboration, distance, separation of data and applications, and security/compliance requirements are all dynamics that are completely altering the design requirements for the WAN. To address these dynamics, IT leaders need to deploy consistent WAN Services so that tuning, controlling and optimizing of WAN Services and applications is performed uniformly across all sites connected via the WAN, saving both time and money while increasing corporate value. Having consistency in application optimization, collaboration, and security allows WAN Services among corporate sites, large and small, to combine to form a WAN Advantage that enables business and IT leaders to boost collaboration throughout their business, strengthen security, speed access to data and ideas, optimize application performance end-to-end, and ultimately cut operating costs. In this Research Note we focus on the WAN Edge that connects branches to larger sites and data centers; however, the concepts and subsequent principles can be applied to other corporate WAN areas.
WANs Slow To Keep Pace
Wide area bandwidth has not kept pace with the rapid advance of LAN bandwidth and application demand: wide area connections are often at least one to two orders of magnitude (10 to 100 times) slower than the LANs they connect. This bandwidth mismatch is the root cause of slow application response time and poor voice and video user experience. In addition to WAN bandwidth, WAN Service delivery has also been slow to keep pace. To defend against security breaches, optimize application performance and gain the benefits of unified communications and collaboration, IT leaders have been forced to deploy a series of appliances in each branch office, thanks to a lack of common WAN Service delivery options. Deficits in WAN bandwidth and service delivery increase complexity, which drives up life-cycle management cost and makes IT service delivery difficult.
Nowhere is the deficit in WAN bandwidth and services more acute than in connecting branch offices to larger corporate sites and data centers, as the complexity it creates is magnified. This magnification is due to the fact that branches are widely distributed over large geographic areas, resulting in a lack of WAN bandwidth consistency: some branch offices may connect at broadband speeds while others use frame relay, and still others use MPLS or private lines, etc., while WAN Service appliances pile up in each branch. While IT leaders have limited control over WAN bandwidth provisioned by telecom service providers, they do have total control over WAN Service delivery, which in turn exploits and manages WAN bandwidth. In short, WAN Service management is the key to complexity reduction and the basis for new thinking in WAN design.
WAN Advantage: New Thinking in Branch Office and WAN Edge Design plus Services
Essential WAN Services
WAN design thinking is focusing on a set of common WAN Services available in both branch office and WAN aggregation routers, which are typically located within data center and larger corporate sites. This consistency in the WAN Services phase is akin to LAN evolution, maturity and value.
Thanks to WAN Services, WAN performance can approach that of LANs. There may not be a single WAN physical service such as Ethernet any time soon, but just as multi-protocol routing simplified LANs, so too will WAN Services simplify WANs, as they manage and mask the inconsistencies in different wide area facilities and inject value. In short, WAN Services provide a set of logical components that rationalize a messy WAN world and replace it with user experience consistency and uniform IT management and security.
To bring the discussion down to product level, it’s Cisco’s ISR and ASR 1000, 3Com’s 5000 and 6000, Juniper’s J and M Series, HP ProCurve’s 7000dl Series and others which offer the promise of consistent WAN Services. Of the above list, only a few offer routers that deliver consistent WAN Services at the branch office and the Enterprise WAN edge/aggregation respectively, thanks to a shared common software code enabling these routers to collaborate via protocol exchanges across the wide area. Part of this common WAN Services software code is based upon standards such as IPsec, SSL, MPLS, SIP (Session Initiation Protocol), Real-time Transport Protocol (RTP), etc., while other aspects are company specific, such as Cisco’s GET-VPN, which simplifies the provisioning and management of VPNs.
While there are a growing number of WAN Services, we’ll focus on the three most important or essential ones that support the above WAN requirements: security, unified communications and WAN optimization.
Network/IT Security: To readily adapt to new business requirements, reduce qualification time for new deployments, proactively monitor and provide pervasive integrated security services, and meet and comply with federal or industry regulations requiring confidential communications, the ASR 1000, for example, can be deployed as a Secure WAN Aggregation router with integrated firewall, IPsec encryption and a wide range of VPN termination options.
Unified Communications, Video and Telepresence: The WAN must support increased collaboration frequency over larger distances to deliver unified communications (UC), video and telepresence services. There are specific WAN Services that ensure the user UC and video experience remains excellent even while other applications compete for WAN resources and/or during network disruption such as backhoe fade, etc.
WAN Optimization: WAN optimization is a WAN Service that is embedded as a series of application optimization features/functions within branch and WAN aggregation routers that strive to deliver local drive response time to applications that are delivered over the WAN. WAN optimization services include WAN optimization and traffic classification.
There are more WAN Services, such as mobility and others, to come over the next business cycle. The value WAN Services deliver is rooted in the fact that they are logical components embedded into the wide area, simplifying IT operations, accelerating the absorption of innovation and delivering end-user performance consistently, independent of the user’s physical location.
The New WAN Advantage
Old World WAN
Traditionally, connecting branch offices to larger corporate facilities and data centers has been implemented in a piecemeal fashion, meaning that most IT organizations have not architected or designed the WAN Edge as a holistic solution. For these firms, branch office WAN connections are a mixture of disparate transport services, and their routers have little to no WAN Service consistency with headquarters and data center aggregation routers, while the branch offices are populated with special purpose WAN Services appliances. This lack of planning results in much higher IT capital and operational spend. More troubling still, poor business performance results, thanks to inconsistent application performance and the difficulty of branch IT delivery, especially of new collaboration services and tools.
New World WAN Advantage
The new approach to WAN design is based upon business initiatives and user experience expectations independent of geographic location. This shift from piecemeal to end-to-end design considers secure access to corporate data, applications, people, ideas, etc., from anywhere. This approach requires a comprehensive, cohesive WAN design with end-to-end support for services because, after all, a network delivers applications, and application performance governs a user’s experience and productivity.
The new WAN delivers a consistent user experience in the same way as LANs do, where switches and routers offer a common set of LAN services. For the new WAN, considerations of WAN bandwidth plus a common set of WAN Services between branch and aggregation routers delivered end-to-end can result in consistent user experience. This is primarily achieved through a common set of tools that give network operations access to tune, tweak, optimize and configure WAN Services throughout branch offices and aggregation sites so that a user’s experience is the same, independent of location, LAN and/or WAN. With well over 6 million Cisco ISRs in production and most firms running sophisticated applications and services in the branch, it’s only logical that these ISRs be terminated at an aggregation router over the WAN equipped with common WAN Services to achieve a WAN Advantage.
Recommendations
The following recommendations focus specifically on WAN Services at the WAN Edge:
- Nonstop Forwarding To Boost Redundancy/Availability: Consider redundancy and fail-over capability across switching, routing, tunneling, WAN access, etc. With new services such as UC and video being massively adopted, convergence, or recovery from a WAN transport outage, needs to occur within tens of milliseconds.
- Consistent WAN Optimization and Performance Routing: Consider the consistent implementation of WAN optimization and performance routing between branch and aggregation routing.
- VPN and WAN Scalability: Consider scale when designing a WAN that connects a large number of branch offices into a set of aggregation routers. Scale such as bandwidth and VPN support can be limiting factors. Aggregation router VPN service in particular should scale up toward 20,000 tunnels to support multiple VPNs per branch as well as mobile users.
- Consider Integrated Management: Consider network management that integrates WAN Services configuration, troubleshooting, fault isolation as well as security management including threat reporting and compliance reporting. Management that provides constant audits to ensure QoS should be considered as well, as a means to monitor application performance.
- Consistent Application of QoS/Encryption/Security Across Routers and Tunnels: Consider consistency of services across different branches especially with QoS, security, routing and switching. Ensure that security policy enforcement is the same at headquarters, data centers and branch levels.
- Confidentiality And Integrity: As aggregation routers support widely geographically distributed branch offices and mobile users, confidentiality and integrity are important security attributes to be considered as part of the WAN security service. Confidentiality ensures that only authorized individuals, processes, or systems have access to information. Identification, authentication, and authorization through access controls maintain information confidentiality. Encrypting information also supports confidentiality by limiting information usability in the event it is viewed while encrypted. Integrity means that information should be protected from intentional, unauthorized, or accidental changes.




