SD-WAN

TL;DR: SD-WAN maps applications to links based on performance and security requirements.
IPSec tunnels secure traffic over public internet links but are a supporting feature, not the primary focus of SD-WAN.

  • Viptela
  • Fortigate
  • Palo Alto Prisma
  • Juniper-Mist-A
  • HP Aruba SilverPeak
  • NSX/VMware (Broadcom)

SD-WAN Overview

At its core, SD-WAN manages traffic across different WAN connections (like multiple ISPs or MPLS circuits) to optimize performance, security, and cost. The key idea is application-aware routing: you define which applications use which connections based on policies you set.

For example:

  • ISP-1 for critical apps like video conferencing,
  • ISP-2 for regular web browsing,
  • ISP-3 for backup or non-critical traffic.

Normally, SD-WAN requires at least two edge devices, one at each site. The SD-WAN device (physical or virtual) at each site monitors the quality of each link (latency, jitter, packet loss, etc.) and dynamically switches traffic between links based on real-time performance or failover scenarios. So, yes, applications can be mapped to paths exactly as in the example above.

How IPSec Tunnels Help in SD-WAN

IPSec tunnels securely connect different sites over the public internet or other untrusted networks. Because SD-WAN often uses public internet links from different ISPs, IPSec supplies the encryption, integrity, and authentication needed to protect the traffic carried over them.

Key Differences from Legacy Tech Like DMVPN

Yes, IPSec tunneling was available in older technologies like DMVPN (Dynamic Multipoint VPN) and MPLS VPNs, but SD-WAN manages traffic and integrates IPSec with broader network intelligence in ways that differ from traditional methods.

  • Dynamic Path Selection:
    1. In DMVPN, tunnels were static or dynamic but lacked flexibility in choosing traffic paths.
    2. SD-WAN uses a dynamic overlay network. The SD-WAN controller monitors WAN link performance and reroutes traffic based on link conditions. For instance, if ISP-1 experiences packet loss, SD-WAN quickly shifts traffic to ISP-2 without manual intervention.
  • Application-Aware Routing:
    1. DMVPN couldn’t inspect traffic based on applications. Routing was based on IP or protocol.
    2. SD-WAN uses deep packet inspection (DPI) to classify applications, allowing policies to direct traffic over the best-performing link. It adjusts routes dynamically if performance degrades.
  • Centralized Management and Automation:
    1. DMVPN required manual configuration at each site. Managing policies and changes across many sites was time-consuming.
    2. SD-WAN offers centralized policy management via a controller. Global or per-site policies are applied automatically to all edge devices, reducing the admin burden.
  • Simplified Overlay Management:
    1. DMVPN used static or dynamic IPSec VPNs, but the overlay networks were rigid.
    2. SD-WAN builds a flexible overlay network on top of any combination of transport links (MPLS, Internet, LTE) with automated encryption and dynamic routing. The SD-WAN controller abstracts these tunnels for seamless failover and link optimization.
  • Better Analytics and Performance Monitoring:
    1. DMVPN offered limited monitoring (e.g., up/down status, latency). Proactive tuning wasn’t possible.
    2. SD-WAN provides real-time analytics and performance monitoring, tracking jitter, latency, packet loss, and bandwidth. It uses these insights to dynamically adjust traffic paths and can trigger alerts or automated responses to network issues.
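The dynamic path selection and application-aware routing described above can be modelled as a small policy engine: each application carries an SLA and an ordered list of preferred links, each link reports probe results, and the selector first honours the preference, then falls back to any link that still meets the SLA, and only then to the least-bad link so traffic is degraded rather than dropped. This is an added illustration, not code from this page or from any vendor's product; the link names, SLA thresholds and measurements are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass
class LinkStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True

@dataclass
class AppPolicy:
    app: str
    preferred: list          # ordered link preference, e.g. ["ISP-1"]
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

def meets_sla(link, pol):
    return (link.up and link.latency_ms <= pol.max_latency_ms
            and link.jitter_ms <= pol.max_jitter_ms
            and link.loss_pct <= pol.max_loss_pct)

def select_path(pol, links):
    """Link the app should use right now, or None if every link is down."""
    # 1. First preferred link whose current measurements satisfy the SLA.
    for name in pol.preferred:
        if name in links and meets_sla(links[name], pol):
            return name
    # 2. Else any link meeting the SLA: lowest loss, then lowest latency.
    ok = [l for l in links.values() if meets_sla(l, pol)]
    if ok:
        return min(ok, key=lambda l: (l.loss_pct, l.latency_ms)).name
    # 3. Nothing meets the SLA: least-bad up link rather than dropping traffic.
    up = [l for l in links.values() if l.up]
    return min(up, key=lambda l: (l.loss_pct, l.latency_ms)).name if up else None

# Constructed policies: thresholds are illustrative, not vendor defaults.
POLICIES = [AppPolicy("video-conf", ["ISP-1"], 150, 30, 1.0),
            AppPolicy("web", ["ISP-2", "ISP-1"], 400, 100, 5.0),
            AppPolicy("backup", ["ISP-3"], 1000, 500, 10.0)]

def plan(links):
    """Map every application to a link for the given measurements."""
    return {p.app: select_path(p, links) for p in POLICIES}

def demo():
    healthy = {"ISP-1": LinkStats("ISP-1", 20, 4, 0.0), "ISP-2": LinkStats("ISP-2", 35, 8, 0.2),
               "ISP-3": LinkStats("ISP-3", 90, 20, 0.5)}
    degraded = {**healthy, "ISP-1": LinkStats("ISP-1", 22, 5, 3.0)}  # ISP-1 starts losing 3%
    return plan(healthy), plan(degraded)
```

With the constructed measurements, video-conf sits on ISP-1 while it is healthy and shifts to ISP-2 as soon as ISP-1 exceeds the 1% loss threshold, while web and backup traffic stay where they are.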

Other SD-WAN Modes

  • Active/Active Mode: All WAN links are used simultaneously to balance traffic and improve redundancy.
  • Active/Standby Mode: One link is primary, another is backup. The backup link only takes over if the primary fails.
  • Failover Mode: Traffic switches to a backup link if the primary fails, without load balancing.

SD-WAN also supports:

  • Traffic Shaping and QoS: Ensures important applications (e.g., VoIP) get necessary bandwidth and low latency.
  • Zero Touch Provisioning (ZTP): New SD-WAN devices can be deployed and configured remotely, without manual setup.

How SD-WAN Relates to SASE and ZTNA

  • SASE (Secure Access Service Edge):
    1. SASE integrates SD-WAN with cloud-based security services like firewalls, secure web gateways, CASB (Cloud Access Security Broker), etc. SD-WAN handles intelligent traffic routing, while SASE adds security in the cloud.
    2. SD-WAN is the network foundation of SASE, which embeds security directly into the network at all edges (on-prem or in the cloud).
  • ZTNA (Zero Trust Network Access):
    1. ZTNA verifies users every time they access a resource, enforcing strict identity checks, even inside the network. It treats all requests as untrusted, ensuring each interaction is authenticated and authorized.
    2. In a SASE framework, ZTNA works alongside SD-WAN to ensure appropriate access controls, so no implicit trust is given based on network location.

Key Takeaways

  • SD-WAN uses IPSec tunnels like DMVPN but manages them dynamically, making smarter routing decisions based on real-time performance and application needs. It also integrates centralized control and application awareness.
  • IPSec tunnels in SD-WAN offer security, but they’re part of a broader system where dynamic path selection, application-based routing, and centralized policy management take precedence.
  • DMVPN provided static or semi-dynamic IPSec VPNs, while SD-WAN turns those tunnels into an intelligent, software-defined overlay that adapts to network conditions and application requirements.
  • SASE adds cloud-based security services on top of SD-WAN, while ZTNA enforces strict user access controls within that framework.
network_stuff/sd-wan.1728238036.txt.gz · Last modified: by jotasandoku