A feature of modern SD-WAN technology is the ability for branch locations to build dynamic tunnels to each other, so traffic takes the shortest WAN path instead of transiting a central hub. This optimizes VoIP and data transfer between branches for the duration of the session; the tunnels are then torn down automatically to save processing resources. SD-WAN vendors often price their hardware and software licensing on tiered models based on the number of tunnels the environment needs to process. Because of this, it is important to choose the most cost-effective model for the needs of the particular hub/branch locations. Though many perform due diligence to size and license correctly, there are variables that can throw a wrench in the works.
When planning the transition from traditional MPLS or static hub/spoke VPN topologies, the behavior of endpoint software on the network can be overlooked, specifically software that participates in peer-to-peer communications across the WAN. A good example of this is the Delivery Optimization for Windows 10 Updates (WUDO) protocol. It is a peer-to-peer protocol that fetches chunks of Windows software updates from other Windows 10 clients on the local or non-local network to reduce bandwidth usage. It can be thought of as similar to BitTorrent: there are “seeds” that hold full copies of Windows Updates and share the data they have with other machines that need a copy. Many organizations have been surprised, after upgrading to Windows 10, to see this new type of traffic flowing across the network.
Phantom Site to Site Traffic
In a domain controller environment, certain group policy settings can allow Windows 10 clients to be aware of all other Windows 10 clients in the same domain (across the WAN). In this scenario on an SD-WAN network, if the dynamic branch-to-branch feature is enabled, tunnels can automatically be built between multiple branches, potentially forming a full mesh. This can lead to performance issues as branch SD-WAN hardware is constantly building and tearing down tunnels for the peer-to-peer traffic. There is also the possibility that tunnels which normally are not up stay up, resulting in resource exhaustion on the SD-WAN endpoint. On some platforms there are licensing issues as well, because only so many tunnels can be supported.
Truly Understanding Traffic Flows
In summary, it is important to be aware of software and endpoint devices on the network that engage in peer-to-peer activity in order to keep the SD-WAN network secure and efficient. We recommend customers evaluate traffic patterns and flows across the network after SD-WAN is installed. This helps identify issues like the ones detailed here so they can be handled in a timely fashion. Some applications could be using the network far more than you expect and wasting precious resources. This type of situation can be a silent issue that one day hits a breaking point, taking down critical infrastructure.
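The flow review recommended above, and the "phantom" branch-to-branch mesh described in the previous section, can be checked from exported flow records. The following is an added example and not code from the original article or any SD-WAN vendor: it takes a site-to-subnet map and a list of flow summaries (both constructed here; a real deployment would load them from NetFlow/IPFIX export), isolates Delivery Optimization peer traffic on TCP 7680 (the listening port Microsoft documents for DO peers), and reports how many distinct branch pairs, and therefore dynamic tunnels, that traffic implies relative to a full mesh, plus which hosts are acting as seeds for remote sites. The site names, subnets and flow values are assumptions for illustration.

```python
"""Estimate branch-to-branch tunnel demand created by peer-to-peer traffic,
using exported flow records and a site-to-subnet map.

Windows Delivery Optimization peers serve update chunks on TCP 7680; every
distinct pair of branches seen talking on that port is a dynamic SD-WAN tunnel
that will be built on demand.
"""
import ipaddress
from collections import defaultdict

# Hypothetical site addressing plan: one /24 per site, "hub" is the data center.
SITE_SUBNETS = {
    "hub": ipaddress.ip_network("10.0.0.0/24"),
    "branch-a": ipaddress.ip_network("10.1.0.0/24"),
    "branch-b": ipaddress.ip_network("10.2.0.0/24"),
    "branch-c": ipaddress.ip_network("10.3.0.0/24"),
    "branch-d": ipaddress.ip_network("10.4.0.0/24"),
}
HUB_SITE = "hub"

# TCP port on which Delivery Optimization listens for peer requests.
DO_PEER_PORT = 7680

# Constructed sample flow records: (src_ip, dst_ip, protocol, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.1.0.10", "10.2.0.20", "tcp", 7680, 5_000_000),   # branch-a -> branch-b, DO peer
    ("10.2.0.20", "10.1.0.10", "tcp", 7680, 3_000_000),   # same pair, reverse direction
    ("10.3.0.5",  "10.1.0.10", "tcp", 7680, 2_000_000),   # branch-c -> branch-a, DO peer
    ("10.2.0.21", "10.4.0.7",  "tcp", 7680, 1_500_000),   # branch-b -> branch-d, DO peer
    ("10.1.0.11", "10.1.0.10", "tcp", 7680, 8_000_000),   # same site: stays on the LAN
    ("10.1.0.10", "10.0.0.50", "tcp",  445, 10_000_000),  # branch -> hub file share
    ("10.4.0.7",  "10.0.0.50", "tcp",  443, 1_000_000),   # branch -> hub HTTPS
    ("10.3.0.5",  "10.3.0.6",  "udp",   53, 500),         # same-site DNS
]


def site_of(ip, subnets=SITE_SUBNETS):
    """Return the site name whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in subnets.items():
        if addr in net:
            return name
    return None


def branch_peer_pairs(flows, subnets=SITE_SUBNETS, peer_port=DO_PEER_PORT, hub=HUB_SITE):
    """Sum peer-port bytes per unordered pair of distinct branches.

    Hub-bound and same-site flows are skipped: only branch-to-branch flows
    imply a dynamic tunnel.
    """
    totals = defaultdict(int)
    for src, dst, proto, dport, nbytes in flows:
        if proto != "tcp" or dport != peer_port:
            continue
        s, d = site_of(src, subnets), site_of(dst, subnets)
        if s is None or d is None or s == d or hub in (s, d):
            continue
        totals[tuple(sorted((s, d)))] += nbytes
    return dict(totals)


def full_mesh_pair_count(subnets=SITE_SUBNETS, hub=HUB_SITE):
    """Tunnels a full branch mesh would need: n * (n - 1) / 2 for n branches."""
    n = sum(1 for name in subnets if name != hub)
    return n * (n - 1) // 2


def seeding_hosts(flows, subnets=SITE_SUBNETS, peer_port=DO_PEER_PORT):
    """Map each host accepting peer-port connections to the remote sites it serves."""
    seeds = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        if proto != "tcp" or dport != peer_port:
            continue
        s, d = site_of(src, subnets), site_of(dst, subnets)
        if s is not None and d is not None and s != d:
            seeds[dst].add(s)
    return dict(seeds)


def summarize(flows, subnets=SITE_SUBNETS, hub=HUB_SITE):
    """Combine the checks into one report a WAN team can act on."""
    pairs = branch_peer_pairs(flows, subnets, hub=hub)
    possible = full_mesh_pair_count(subnets, hub)
    return {
        "tunnels_implied": len(pairs),
        "full_mesh_pairs": possible,
        "mesh_fraction": len(pairs) / possible if possible else 0.0,
        "bytes_by_pair": pairs,
        "seeds": seeding_hosts(flows, subnets),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print(f"dynamic tunnels implied by peer traffic: "
          f"{report['tunnels_implied']} of {report['full_mesh_pairs']} possible "
          f"({report['mesh_fraction']:.0%} of a full mesh)")
    for pair, nbytes in sorted(report["bytes_by_pair"].items(), key=lambda kv: -kv[1]):
        print(f"  {pair[0]} <-> {pair[1]}: {nbytes / 1e6:.1f} MB")
    for host, sites in report["seeds"].items():
        print(f"  seed {host} serves remote sites: {', '.join(sorted(sites))}")
```

The `mesh_fraction` figure is the one to compare against the tunnel tier the SD-WAN licence was bought for; a value creeping toward 1.0 on a hub/spoke design means the peer-to-peer software, not user traffic, is driving the tunnel count. The `seeds` map points at the handful of hosts holding full update copies, which is where a policy change (restricting peering to the local LAN or to a site group) removes the cross-branch flows at the source.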