dokucama

At its core, SD-WAN manages traffic across different WAN connections (like multiple ISPs or MPLS circuits) to optimize performance, security, and cost. The key idea is application-aware routing—you can define which applications use which connections based on policies you set.

For example:

• ISP-1 for critical apps like video conferencing,
• ISP-2 for regular web browsing,
• ISP-3 for backup or non-critical traffic.

Normally, SD-WAN requires two 'edge' devices. The SD-WAN device (either physical or virtual) at each site monitors the quality of each link (latency, jitter, packet loss, etc.) and dynamically switches traffic between them based on real-time performance or failover scenarios. So, yes, you can map applications to paths based on your example.

IPSec tunnels in SD-WAN secure traffic over public internet links through encryption and authentication. While IPSec was used in older technologies like DMVPN, SD-WAN offers dynamic path selection, rerouting traffic based on real-time link conditions.

SD-WAN also supports:

• Application-aware routing using DPI,
• Centralized management via a controller for simplified configuration,
• Flexible overlay management over multiple transport links,
• Real-time performance monitoring to adjust traffic dynamically based on link quality.

• Active/Active Mode: All WAN links are used simultaneously to balance traffic and improve redundancy. Example Active-Active fortigate https://www.youtube.com/watch?v=7OoFk0KvLzY
• Active/Standby Mode: One link is primary, another is backup. The backup link only takes over if the primary fails.
• Failover Mode: Traffic switches to a backup link if the primary fails, without load balancing.

SD-WAN also supports:

• Traffic Shaping and QoS: Ensures important applications (e.g., VoIP) get necessary bandwidth and low latency.
• Zero Touch Provisioning (ZTP): New SD-WAN devices can be deployed and configured remotely, without manual setup.

• SASE (Secure Access Service Edge):
  1. SASE integrates SD-WAN with cloud-based security services like firewalls, secure web gateways, CASB (Cloud Access Security Broker), etc. SD-WAN handles intelligent traffic routing, while SASE adds security in the cloud.
  2. SD-WAN is the network foundation of SASE, which embeds security directly into the network at all edges (on-prem or in the cloud).

• ZTNA (Zero Trust Network Access):
  1. ZTNA verifies users every time they access a resource, enforcing strict identity checks, even inside the network. It treats all requests as untrusted, ensuring each interaction is authenticated and authorized.
  2. In a SASE framework, ZTNA works alongside SD-WAN to ensure appropriate access controls, so no implicit trust is given based on network location.

• SD-WAN uses IPSec tunnels like DMVPN but manages them dynamically, making smarter routing decisions based on real-time performance and application needs. It also integrates centralized control and application awareness.
• IPSec tunnels in SD-WAN offer security, but they’re part of a broader system where dynamic path selection, application-based routing, and centralized policy management take precedence.
• DMVPN provided static or semi-dynamic IPSec VPNs, while SD-WAN turns those tunnels into an intelligent, software-defined overlay that adapts to network conditions and application requirements.
• SASE adds cloud-based security services on top of SD-WAN, while ZTNA enforces strict user access controls within that framework.