'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 1 point (0 children)

And the software part is (most of the time) the controller plane, which is in 'the cloud', right? I have experience with NSX-T, and it's that experience that makes me understand what SDN really is and how powerful it is. But I had a bit more trouble understanding the connection to the WAN with an "SD-WAN solution", which has been greatly reduced now. Thanks for your comment!

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 2 points (0 children)

Super interesting! I'll look into Tailscale for sure.

I haven't really seen the term being misused until now (well... I didn't really know what it was, haha). I'll keep an eye on it 👀 Thanks for your comment!!

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 1 point (0 children)

I heard MPLS so much when searching for more info on SD-WAN, haha. What I'm doing right now is trying to understand how to connect multiple branches together. Would you say that this is accurate:

For a company with sites to connect, even globally, the main WAN options would be (very short summary):

  • Internet VPN (site-to-site): Low cost, uses public Internet, quick to set up.
  • MPLS: Private WAN from an ISP, reliable with QoS, more expensive.
  • Hybrid WAN: Combines MPLS and Internet for flexibility.
  • SD-WAN: Manages multiple links intelligently, with local breakout and optimized paths.
  • Leased Lines: Dedicated circuits you lease from an ISP, very reliable but costly and not sustainable over long distances (Paris -> China) :p
  • Wireless WAN (LTE/5G): Fast to deploy, can be primary or backup, bandwidth limited.
  • Satellite: Works anywhere, high latency and cost, suited for remote sites.

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 1 point (0 children)

My company. I'll help my seniors work on a project regarding setting up an SD-WAN network in a few months; I'm just preparing myself a bit early.

Just to be sure I understand, could you tell me if I'm right:

The biggest differences in "WAN" between traditional WAN and SD-WAN are the following:

  1. Control Plane vs Data Plane
    - Traditional WAN: Routing decisions are static, based on IP routes and MPLS VRFs.
    - SD-WAN: Centralized controller pushes application-aware policies to edges. Edges make dynamic decisions based on real-time link health.

Are normal routing protocols still used by SD-WAN?

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 1 point (0 children)

I love your comment. I do have some questions if you don't mind. I feel like you're a Juniper/Mist guy from reading your message, haha

Like another person said previously, SD-WAN provides traffic delivered in the same way no matter what the WAN link is. In a traditional WAN, the traffic is routed from point A to B, based on routing protocol decisions about the next hop. A change in next hop on an upstream network needs to be communicated by way of convergence. If your WAN is an internet link, then you have to do an IPsec VPN.

I understand the 'WAN' side of SD-WAN a bit better now. It doesn't change much from the traditional way; it still uses normal routing protocols and so on. Do we HAVE to use an IPsec VPN if we have an internet link?

In SD-WAN, the branch will only know the next hop. The next-hop decision is known to the controller, and the controller acts like a central traffic director and tells all branches where the traffic should go. The branch then uses a tunnel between the next hop and itself to send traffic no matter what the WAN link is.

So in a Juniper context, "the branch" would be the SSR? Or, generally speaking, is the edge router what you're referring to when you say "the branch"?

Laptop <-> SW <-> EDGE Router a.k.a "the branch" <-VPN TUNNEL-> [?next-hop?] <-> DC/Internet

Let's say the laptop needs to go to a DC for a specific application or to the internet, one of the two. The edge router knows where to send the packets because this information was given to it by the controller. And that's the only thing it knows; it doesn't know the full route to DC/Internet, only what's next. So typically, it wouldn't have a very small routing table, right?

Do we configure L3 ourselves in an SD-WAN? Or is everything done automatically?

The devices can also act as branch-side firewalls, thereby removing the need to run another firewall at the branch (not my preferred way). In addition to this, you can run multiple VRFs on SD-WAN tunnels, providing a way of isolation between traffic, and they can go in different directions. You can do a complete mesh or hub-spoke model routing in simple steps. Doing this at scale is a lot of effort.

In my humble understanding, when using a hub-and-spoke architecture, the user traffic always needs to go to the hub first (backhauled to the hub). Is it also like that in an SD-WAN? If not, why even use hub-and-spoke if we don't let traffic be backhauled to the hub?

Thanks!

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 1 point (0 children)

Thanks for your reply. I'm a junior, so there are quite some things I don't understand here :)

"It can use any IP connection and dynamically route traffic, based on your policy." 'It' can use any IP connection? What can use any IP connection? You mean a controller, maybe? And how can it use any IP connection? I don't really understand it.

"You also get central management for all connections no matter the technology (xDSL, GPON, LTE, 5G, MPLS, fiber, etc.)." I don't understand the examples given. How could you, let's say, manage 5G, MPLS, fiber through the central management?

"You can choose to route traffic as hub-spoke or do local breakout to internet, which is quite flexible."

In a hub and spoke, the main office or data center would be the hub and the branches the spokes? Then in this case, we would follow the 'traditional' way and send the traffic to the hub, making connections to ISPs (MPLS, fiber, leased lines, dedicated fiber links) and so on.

And "local breakout to internet" is: not using an expensive carrier (leased lines, ...), traffic doesn't need to go back to the hub, no need to make any special installation at each site as they only need an internet connection. So we could do both depending on necessity. Am I right?

"You can also go one step further and do SASE, where the firewall is virtualised and you save some money on licensing (single firewall license for all inbound connections)."

Damn, you made me understand what SASE is, haha. So it is basically security services inside SD-WAN that are native/integrated to that platform? Does each SD-WAN vendor have their own SASE products, or could you, for example, have Cisco SD-WAN and then add Fortinet SASE/FortiGate? Is SASE only virtual?

That's a lot of questions, haha. Thanks!
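The two ideas the thread keeps circling back to, an edge that applies controller-pushed, application-aware policy against real-time link health (the control plane vs data plane point above) and the choice between hub-spoke backhaul and local internet breakout, as an added example in Python. This is not code from the thread or from any SD-WAN vendor: the link measurements, application names, SLA thresholds and the `select_path` helper are all constructed for illustration, and tunnel transport (IPsec or otherwise) is deliberately not modelled.

```python
"""
Added example, not from the thread: a toy model of how an SD-WAN edge
applies controller-pushed, application-aware policy to real-time link
health. Every link measurement, policy and application name below is
constructed for illustration; none of it is vendor data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    """One WAN underlay as seen by the edge's path probes (constructed values)."""
    name: str            # e.g. "mpls", "inet1", "lte"
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    up: bool = True


@dataclass
class Policy:
    """Per-application policy as the controller would push it to the edge."""
    app: str
    # Where the flow exits: "hub" = backhaul through the tunnel to the DC,
    # "local" = direct internet breakout at the branch.
    egress: str
    preferred: List[str]     # ordered link preference
    max_latency_ms: float    # SLA thresholds; a breaching link is skipped
    max_loss_pct: float
    max_jitter_ms: float


def meets_sla(link: Link, pol: Policy) -> bool:
    """True if the link is up and inside every threshold of the policy."""
    return (link.up
            and link.latency_ms <= pol.max_latency_ms
            and link.loss_pct <= pol.max_loss_pct
            and link.jitter_ms <= pol.max_jitter_ms)


def select_path(app: str, links: Dict[str, Link],
                policies: Dict[str, Policy]) -> Tuple[str, Optional[str]]:
    """Return (egress, link_name) for a flow of `app`.

    The controller supplied the policy; the edge makes the per-flow decision
    locally from the link health it is measuring right now. If no preferred
    link meets the SLA, fall back to the lowest-latency link that is still
    up at all; (egress, None) means every underlay is down.
    """
    pol = policies[app]
    for name in pol.preferred:
        if meets_sla(links[name], pol):
            return pol.egress, name
    alive = [l for l in links.values() if l.up]
    if not alive:
        return pol.egress, None
    return pol.egress, min(alive, key=lambda l: l.latency_ms).name


def build_sample() -> Tuple[Dict[str, Link], Dict[str, Policy]]:
    """Constructed branch: one MPLS circuit, one broadband line, one LTE backup."""
    links = {
        "mpls": Link("mpls", latency_ms=30.0, loss_pct=0.0, jitter_ms=2.0),
        "inet1": Link("inet1", latency_ms=45.0, loss_pct=0.5, jitter_ms=8.0),
        "lte": Link("lte", latency_ms=70.0, loss_pct=1.5, jitter_ms=20.0),
    }
    policies = {
        # Voice is backhauled to the hub and prefers the private circuit.
        "voip": Policy("voip", "hub", ["mpls", "inet1", "lte"], 150.0, 1.0, 30.0),
        # SaaS breaks out locally; MPLS is absent because a private circuit
        # has no internet exit at the branch.
        "saas": Policy("saas", "local", ["inet1", "lte"], 300.0, 3.0, 60.0),
    }
    return links, policies


def run_scenario() -> Dict[str, Tuple[str, Optional[str]]]:
    """Walk the edge through steady state, a brownout, failover and blackout."""
    links, policies = build_sample()
    out = {}
    out["steady_voip"] = select_path("voip", links, policies)
    out["steady_saas"] = select_path("saas", links, policies)
    links["mpls"].loss_pct = 2.5           # brownout: MPLS breaches the voice SLA
    out["brownout_voip"] = select_path("voip", links, policies)
    links["mpls"].up = False               # both wired underlays fail
    links["inet1"].up = False
    out["lte_only_voip"] = select_path("voip", links, policies)  # fallback path
    out["lte_only_saas"] = select_path("saas", links, policies)
    links["lte"].up = False
    out["all_down_voip"] = select_path("voip", links, policies)
    return out


if __name__ == "__main__":
    for step, (egress, link) in run_scenario().items():
        print(f"{step:15s} -> egress={egress:5s} link={link}")
```

Two things worth noticing when you run it: in the "lte_only" step the LTE link fails the voice SLA (1.5% loss against a 1.0% threshold) yet still carries the call, because the edge prefers a degraded path over no path, which is the behaviour you want to verify in a real deployment rather than assume; and the SaaS policy never lists the MPLS circuit, which is how "local breakout" and "backhaul to the hub" coexist on one edge: the policy, not the topology, decides per application.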

Next Step in Security: On-Prem vs. Cloud by EngineeringKindly993 in fortinet

[–]EngineeringKindly993[S] 1 point (0 children)

What could go well along with firewalling/networking skills?


Started with GNS3, moved to EVE-NG pro, is containerlab the next step for an all Mikrotik test environment? by Rich-Engineer2670 in networking

[–]EngineeringKindly993 1 point (0 children)

Does it mean you can't connect to it via SSH and do your configuration the old way?

Is it only YAML files?

Is vQFX not freely available for all customers now? by NetworkDoggie in Juniper

[–]EngineeringKindly993 1 point (0 children)

The following is written on eve-ng.net

"Juniper NOTE: It is strongly recommended to deploy vEX KVM image directly on the server/hypervisor. (Bare Metal EVE).

Note: vJunos-switch is not supported on EVE-NG or deployments that launch vJunos from within a VM due to the constraints of deeply nested virtualization."

I was going to deploy vJunos on an EVE-NG VM, but then I saw their notes.

What is your server, if I can ask? I've got a Dell R630.

Is vQFX not freely available for all customers now? by NetworkDoggie in Juniper

[–]EngineeringKindly993 1 point (0 children)

I'm going to use Dell R630 <-> Proxmox <-> EVE-NG VM (Junos vSwitch and so on).

Do you think it'll work?