CV_Playbook_14

(SVR). SVR attaches metadata, including the applicable tenant and policies, to the first ingressed packet in a conversation to build a session between two routers. The metadata is issued to establish the session on the next router, allowing for path symmetry and efficient distribution of necessary session tables, explained Juniper. The ingress router reads this metadata and selects a path for the session based on service level agreements. The metadata is sent only once to each participating hop, and that session can traverse non-session-smart routers in the network, which forward packets in a session to the IP address of the next session-smart router.

On egress at each hop, the source and destination addresses are rewritten to allow for complete mobility of the original packet, regardless of the number of intermediate routers required to reach the destination. When the packet reaches the final hop, the original addresses are restored, and the first return packet in the conversation begins the process of sending metadata in reverse, said a Juniper whitepaper. “Effectively, this allows for full distribution of metadata once per session, unless path selection intervenes,” said the whitepaper.

The elimination of IPsec tunnels brings a host of benefits to scalability and efficiency, argued Peronkov. Traditional SD-WANs create a mesh of tunnels. But they cannot be pre-configured to enable any-to-any networking in large networks, where interconnection between 100 sites might require 10,000 simultaneous tunnels or between 1,000 sites would need around a million tunnels, “hence large SD-WANs are constructed in hub and spoke architectures – driving up costs and driving down performance,” said Peronkov. Tunnels also can be inefficient for “short packet” applications such as voice, where the tunnel overhead can often double the bandwidth needed for the same end-user experience, he said.
Tunnels also encrypt everything, regardless of whether the traffic they are carrying is already suitably encrypted, Peronkov continued. “Managing tunnels is processor hungry, leading to larger and more expensive boxes at each site. Furthermore, with growing use of infrastructure-as-a-service, cloud-based offerings such as AWS and Azure, not only does processing power cost, but traffic-out is charged by the bit so tunnels to the cloud drive up costs big time.”

And perhaps surprisingly, routing by session can make the central management and control interfaces easier and more intuitive, said Peronkov. At set-up, the network manager informs the central controller as to which end users (IP addresses) are allowed to access which applications and where these applications are hosted. This information is then distributed and held at each router. The session-smart routers then act on the first packet of every new session to determine whether it is allowed to be set up and its best path through the network of routers. “Requests that initiate new application access which is not allowed are just ignored – traffic is in effect black-holed – creating a deny-by-default/zero trust routing architecture,” Peronkov explained.

“Abstracting the setting of policies to the real-world terminology of end users and applications (referred to as tenants and services) makes policy determination, set-up, and management far simpler than the design of a meshed tunnel network and deployment of routing rules by application type to this network.”

Perhaps most important, suggests Peronkov, is the fact that this technology involves the routing, managing, and optimizing performance of what really matters to end users – their sessions. It’s also another example of a technology which enables a competitive internet-based WAN offering to compete with traditional MPLS and complement SD-WAN.

[Figure: Juniper Session Smart SD-WAN Solution. Source: Juniper Networks]

34 THE CHANNEL MANAGER’S PLAYBOOK
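A toy model of the behaviour the article describes, namely first-packet classification against a tenant/service policy, a session table built from metadata that travels only on the first packet, address rewriting between session-smart routers with restoration at the last hop, and black-holing of disallowed sessions. This is an added example written for this page; it is not Juniper's SVR code, wire format or product behaviour. The router addresses, tenant and service definitions, metadata field names and the two-site topology are assumptions constructed for the illustration, and the reverse direction (metadata on the first return packet) and SLA-based path selection are not modelled.

```python
"""Toy model of first-packet session routing with deny-by-default policy (hypothetical, not Juniper's code)."""
from dataclasses import dataclass, field, replace
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    metadata: Optional[dict] = None   # present only on the first packet of a session (assumed field)


@dataclass
class SessionRouter:
    address: str     # waypoint address that other session routers send to
    tenants: dict    # tenant name -> source prefix of its end users
    services: dict   # service name -> (destination prefix, port)
    policy: set      # allowed (tenant, service) pairs; everything else is dropped
    next_hop: dict   # service -> next session router's address; absent = served locally
    sessions: dict = field(default_factory=dict)   # 4-tuple -> session state
    dropped: int = 0
    metadata_sent: int = 0

    def tenant_of(self, src):
        ip = ipaddress.ip_address(src)
        return next((t for t, p in self.tenants.items()
                     if ip in ipaddress.ip_network(p)), None)

    def service_of(self, dst, dport):
        ip = ipaddress.ip_address(dst)
        return next((s for s, (p, port) in self.services.items()
                     if ip in ipaddress.ip_network(p) and port == dport), None)

    def forward(self, pkt):
        """Return the packet to emit toward the next hop, or None if black-holed."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.sessions.get(key)
        first = entry is None
        if first:
            if pkt.metadata is not None:
                # Downstream hop: policy was decided at ingress; install the session from the metadata.
                entry = dict(pkt.metadata)
            else:
                # Ingress hop: classify the first packet and consult policy.
                tenant = self.tenant_of(pkt.src)
                service = self.service_of(pkt.dst, pkt.dport)
                if (tenant, service) not in self.policy:
                    self.dropped += 1      # deny by default: no session, no reply
                    return None
                entry = {"tenant": tenant, "service": service,
                         "orig_src": pkt.src, "orig_dst": pkt.dst}
            entry["hop"] = self.next_hop.get(entry["service"])
            self.sessions[key] = entry
        if entry["hop"] is None:
            # Final hop: restore the original addresses and deliver to the service.
            return replace(pkt, src=entry["orig_src"], dst=entry["orig_dst"], metadata=None)
        # Between session routers the packet travels on waypoint addresses, so plain IP routers
        # in between need no session state. Metadata goes out once, on the first packet only.
        # (Source port is kept as-is here; a real implementation must avoid collisions after rewriting.)
        meta = None
        if first:
            meta = {k: entry[k] for k in ("tenant", "service", "orig_src", "orig_dst")}
            self.metadata_sent += 1
        return replace(pkt, src=self.address, dst=entry["hop"], metadata=meta)


def send(path, pkt):
    """Push a packet through the session routers on a path; None means black-holed."""
    for router in path:
        pkt = router.forward(pkt)
        if pkt is None:
            return None
    return pkt


def build_topology():
    """Constructed two-site topology: a branch router and a data-centre router."""
    services = {"crm": ("192.168.50.0/24", 443), "mgmt-ssh": ("192.168.50.0/24", 22)}
    branch = SessionRouter(
        address="203.0.113.1", tenants={"branch-users": "10.1.0.0/24"}, services=services,
        policy={("branch-users", "crm")},            # SSH into the data centre is not allowed
        next_hop={"crm": "198.51.100.1", "mgmt-ssh": "198.51.100.1"},
    )
    datacentre = SessionRouter(                      # both services are hosted here
        address="198.51.100.1", tenants={}, services=services, policy=set(), next_hop={},
    )
    return branch, datacentre


if __name__ == "__main__":
    branch, dc = build_topology()
    flow = Packet("10.1.0.5", 40001, "192.168.50.10", 443)
    print(send([branch, dc], flow), send([branch, dc], flow))   # second packet carries no metadata
    print(send([branch, dc], Packet("10.1.0.5", 40002, "192.168.50.10", 22)), branch.dropped)
```

Running it shows the three properties worth checking in any session-based design: the branch router emits metadata exactly once per session and later packets are forwarded purely from its session table, the data-centre router restores the client's original addresses so the service never sees the waypoint addresses, and a first packet that matches no (tenant, service) policy pair creates no session and gets no reply, so a scanner probing port 22 learns nothing from the network.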
