Using SD-WAN Templates for Simplicity, Scale, and Cost Effectiveness

Changing market dynamics require businesses to embrace digital transformation and to adopt new technologies that improve productivity and customer experience and reduce costs. Enterprises are rapidly adopting cloud services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as Service (PaaS) across multiple clouds. As a result, network administrators are struggling with never-ending changes to networks and with constant mergers and acquisitions, it’s difficult to integrate new networks into a single network.

When implementing complex network changes, it is always useful to rely on a set of guided templates. An SD-WAN template is a framework to create or modify a specific device’s configuration for global and local deployments. Using templates, network administrators can group branches with similar business roles together. And, they can avoid the need to repeat common configurations across multiple branch offices and data centers.

SD-WAN templates also help create standardisation, thereby avoiding mistakes in network deployments. Templates solve problems of scale, cost, and agility and also provide role-based access control to different administrators. For example, a highly-skilled IT administrator can design templates used for complex deployments that a commissioning engineer can deploy at a branch office. SD-WAN templates can help IT teams:

• Build in scale
• Reduce network deployment and management costs
• Avoid configuration errors
• Reduce complexity

SteelConnect EX Templates

Riverbed’s enterprise-grade SD-WAN solution, SteelConnect EX, offers both device and service templates.

Device Templates

Using device templates, network administrators can automate most of the device-specific configurations for branch devices. This feature helps to configure WAN and LAN interfaces (Static or DHCP), Routing, NAT, DHCP, and other device-specific parameters. Each branch type can have multiple device templates such as:

• MPLS and Internet WAN uplinks
• Dual Internet WAN
• DHCP LAN
• Cloud services, such as AWS or Azure

There are two types of device templates: staging and post staging. Staging templates require minimum set-up for the branch to reach the SD-WAN controller. When staging is done at a different location (DC or NOC), the device is shipped with pre-configured information.

Select type SDWAN Staging, give the template a name, and select parent organization

Create a new WAN Network

Name the WAN Network and select a transport domain

Select Interface Addressing type

Post staging templates are typically used to create final branch configurations. Organisation details, bandwidth subscription, Routing, NAT (Network Address Translation), DIA (Direct Internet Access), DHCP, NTP and other management details are entered. 

Create template, select controllers, organization, bandwidth

Assign LAN and WAN ports

Configure BGP, OSPF and static routes

DIA (Direct Internet Access) configurations

NAT, DHCP, Relay configuration and management details

Network administrators can then can add a Device Group and associate a staging or post staging template.

Select Devices/Device Groups

Service Templates

Service templates help configure services such as:

• Stateful Firewall
• NextGen Firewall
• Quality of Service (QOS)
• General
• Application
• Service Chain

Service Template Types

Let’s use the NextGen Firewall service template as an example. It defines various policies and profiles that enforce rules with appropriate actions for:

• DDOS
• Authentication
• Decryption
• Security

DDOS attacks the machine and the network becomes inaccessible by flooding the target with a huge rate of traffic. With service templates, network administrators can configure profiles and set thresholds for various events as described in the graphic below:

Configure DDOS profile

Kerberos Authentication profile, LDAP Authentication profile, or the SAML Authentication profile can be used. Authentication timeout based on IP or Cache modes can also be configured as shown in the graphic below:

Authentication profile

SSL decryption profiles can be defined based on configuration for each of the server certificates as shown below. Network administrators can decrypt the content with minimum key length supported. Various actions can be set for expired certificates or untrusted certificates to allow packets, drop packet, drop session, reject and alert. Similar actions for unsupported Cipher and Key Lengths can be configured.

SSL profile setting for the branch

The following graphic shows the configurations of various security aspects such as URL filtering, IP Filtering, Anti-Virus, and predefined vulnerabilities profiles.

Security profile

SteelConnect EX Workflows

The configuration of Controllers, Organization, Templates, and Device creation can be simplified by the use of workflows. To create a branch device, workflows need to create templates (staging/post staging), device groups, and bind device data.

To Onboard Branch/DC devices using a workflow, enter branch-specific information for the templates used by this branch. An existing Device Group is selected or created. Device groups contain information about which templates to use for this branch. Hence, automation and deployment sites or groups of sites are easier, enabling scale at lower costs.

Add a device

What Have We Learned?

Overall, SteelConnect EX templates offer an advantage to managing complex network deployments so network administrators can adapt networks to changing business dynamics with minimal costs.