SD-WAN: Policy Unification

Software-Defined Wide Area Networking (SD-WAN) is a new approach to the deployment, management and operation of WANs. In this 5-part series, the key benefits of the technology are explored.

In a previous post, the benefits of centralized orchestration were discussed. Centralized orchestration creates an effective platform for policy unification. There are two aspects to policy unification:

  1. Unified SD-WAN

When multiple SD-WAN routers are managed via a centralized platform, it makes sense to configure those devices under a single, unified policy. Within this policy, a template can be used that stipulates the essential components a branch requires – DHCP properties, NAT rules, VLAN settings etc. With a template associated with a policy, the same policy, and therefore the same configuration, can be assigned to multiple routers with a few clicks. Not only does this greatly reduce the complexity of deploying a router to a new branch, it removes the copy-and-paste errors that creep in when the same elements are hand-replicated across multiple devices. The benefit is only as good as the enforcement, though: a device whose running configuration has been edited outside the policy has silently drifted from it, so the platform should be expected to report such drift rather than simply assume the pushed configuration is still in place.

Unified SD-WAN policies greatly reduce maintenance and downtime. If a change needs to be made to multiple routers and locations, a single modification can be applied to the associated policy. As a result, a blanket update can be pushed to the entire WAN with little effort. These updates can usually be scheduled to occur out-of-hours to further reduce user impact.

VPN-specific elements can also form part of an SD-WAN policy, such as gateway/concentrator settings. Combining routing and tunneling under a single policy further simplifies the administration of a complex WAN that comprises multi-site VPNs.

  2. Unified Full-Stack

Users connecting to a network have a set of expectations and demands around performance, responsiveness and security. To effectively meet these requirements, an administrator has to consider the end-to-end connection. There is no point in having a super-fast LAN if the internet line or VPN is terrible, and vice versa.

An access network policy can define Wi-Fi access, switch port properties, RADIUS authentication, application rate-limits and more. Ideally, the same policy should be applied to all users, regardless of how they access the network. Unfortunately, organizations commonly take a disjointed approach to this. While users may have one experience at HQ, it often changes (usually for the worse) at a remote site or over the corporate VPN. This degrades the user experience and creates yet another administrative burden. It is also a security gap rather than merely an inconvenience: whichever access path carries the weakest policy (a remote site without RADIUS authentication, a VPN path without the rate limits applied on the LAN) is the path an attacker will prefer.

Full-stack management addresses this. Security and performance profiles applied to the access network (LAN) can be honored and carried over to the WAN, so the user has a consistent experience regardless of how they access the network. Merging SD-LAN and SD-WAN under a single policy further reduces configuration complexity, streamlines network maintenance and provides edge-to-core security enforcement, provided the WAN-side devices actually enforce the carried-over profile rather than merely receiving it. Combined with the traffic optimization capabilities of SD-WAN (more on this in a future post), users can also expect to see end-to-end performance gains.
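The following is an added example, not code from this post or from Aerohive, that models in Python what the two halves of policy unification amount to in practice: one template deep-merged with per-site overrides to produce each branch's configuration, an access-network profile (RADIUS, rate limit) that is carried into every site's config including the VPN-connected one, and a drift check that flags where a device's running configuration has departed from the rendered policy. The template keys, site names, hostnames and the hand-edited running configuration are all constructed for the example and do not correspond to any vendor's schema.

```python
"""Unified policy: render one template into per-site configs and detect drift.

Added illustration (not Aerohive's code). All keys, names and addresses
below are constructed for the example.
"""
from copy import deepcopy

# Constructed template: the shared policy every branch inherits.
POLICY_TEMPLATE = {
    "dhcp": {"lease_seconds": 86400, "dns": ["10.0.0.53"]},
    "nat": {"mode": "masquerade", "outbound_interface": "wan0"},
    "vlans": {"10": "users", "20": "voice", "99": "mgmt"},
    "vpn": {"concentrator": "hq-vpn.example.internal", "ike_version": 2},
    # Access-network (LAN) profile that must also hold on the WAN/VPN path.
    "access": {"radius": "radius.example.internal", "rate_limit_kbps": 5000},
}

# Constructed per-site values that legitimately differ; everything else is inherited.
SITE_OVERRIDES = {
    "hq": {"vlans": {"30": "guests"}},
    "branch1": {"dhcp": {"dns": ["10.1.0.53"]}},
    "branch2": {},
}

# Constructed "running config" pulled from branch2, where someone hand-edited
# the NAT interface and dropped RADIUS from the access profile.
RUNNING_CONFIGS = {
    "branch2": {
        "dhcp": {"lease_seconds": 86400, "dns": ["10.0.0.53"]},
        "nat": {"mode": "masquerade", "outbound_interface": "wan1"},
        "vlans": {"10": "users", "20": "voice", "99": "mgmt"},
        "vpn": {"concentrator": "hq-vpn.example.internal", "ike_version": 2},
        "access": {"rate_limit_kbps": 5000},
    },
}


def render(template, overrides):
    """Deep-merge site overrides onto the template: nested dicts merge,
    leaf values in the overrides replace the template's."""
    out = deepcopy(template)
    for key, value in overrides.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = render(out[key], value)
        else:
            out[key] = deepcopy(value)
    return out


def render_all(template, site_overrides):
    """One template change here propagates to every site that does not override it."""
    return {site: render(template, ov) for site, ov in site_overrides.items()}


def flatten(config, prefix=""):
    """Turn a nested config into {dotted.path: leaf} so two configs can be diffed."""
    items = {}
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            items.update(flatten(value, path + "."))
        else:
            items[path] = value
    return items


def drift(expected, actual):
    """Return (kind, dotted.path) pairs where the device's running config
    differs from the rendered policy: missing keys, extra keys, changed values."""
    exp, act = flatten(expected), flatten(actual)
    return sorted(
        [("missing", p) for p in exp if p not in act]
        + [("extra", p) for p in act if p not in exp]
        + [("changed", p) for p in exp if p in act and exp[p] != act[p]]
    )


def audit(template, site_overrides, running_configs):
    """Drift report for every site we have a running config for."""
    rendered = render_all(template, site_overrides)
    return {site: drift(rendered[site], cfg) for site, cfg in running_configs.items()}


if __name__ == "__main__":
    for site, findings in audit(POLICY_TEMPLATE, SITE_OVERRIDES, RUNNING_CONFIGS).items():
        for kind, path in findings:
            print(f"{site}: {kind} {path}")
```

Running the audit reports branch2's hand-edited NAT interface and its missing RADIUS setting, which is exactly the remote-site gap the full-stack section describes. To apply the "single modification, blanket update" case from the unified SD-WAN section, change a value in POLICY_TEMPLATE and call render_all again: every site picks it up except those whose overrides set that same key.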

Ultimately, policy unification greatly improves both the end-user and administrative experience.

Policy unification is only one piece of the puzzle that makes SD-WAN worth the attention it is getting.

In this series, the following is explored:

SD-WAN Series – Part 1: Centralized Orchestration

SD-WAN Series – Part 2: Policy Unification

SD-WAN Series – Part 3: Link-State Monitoring & Dynamic Path Selection

SD-WAN Series – Part 4: Application & Identity-Driven Policies

SD-WAN Series – Part 5: Zero-Touch Provisioning & Auto-VPN


Nathaniel Moore (CWNE #222) is a Product Marketing Manager for Aerohive Networks with experience as a Systems Engineer in computer networking and wireless systems across multi-vendor solutions.
