Tech Reads Series

By Kunal Thakkar

Head of Network Engineering at Apcela

While most infrastructure engineers with some exposure to SD-WAN are familiar with its core value proposition, not all are taking advantage of the full feature set that the technology has to offer.  Below are three of my favorite innovations in SD-WAN that have made a world of difference in removing the complexity in how we manage networks.  

1. Zero Touch Provisioning (ZTP)

Almost all mature SD-WAN products support what is referred to as Zero Touch Provisioning. As the name suggests, ZTP configures an out-of-the-box device without anyone touching a console or opening a management session to it. All the device needs is a path to the Internet and the ability to reach the controllers over standard protocols such as TLS and DTLS. Because the device will accept its entire configuration from whatever it reaches, that first connection has to be mutually authenticated: the device presents its factory-installed identity certificate and validates the controller's certificate, and the controller only serves devices that were registered in advance (typically by serial number). An unregistered or unverified device should get nothing.

With ZTP, when the device phones home for the first time it is assigned a 'staging template' containing the common, shared configuration attributes for the deployment (org name, AAA settings, DNS/DHCP, NTP and so on). It then receives a fuller, site-specific template chosen from the site's specification: number of transports, function of the site, business unit, etc.
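As an added example, not part of the original post and not any vendor's ZTP implementation, the following Python models the controller side of that flow: the phone-home is gated on a registered serial and a matching identity-certificate fingerprint, and only then is the staging template layered with the site-class template. The serials, certificate bytes, site specifications and template contents are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Everything below is constructed for illustration: serials, "certificate"
# bytes, site specs and template contents are made up, and the layering
# models the staging-then-site flow described in the text, not a vendor's
# ZTP protocol.

# Factory identity material the device presents when it phones home.
# Real devices present an X.509 certificate; a byte string stands in here.
DEVICE_CERTS = {
    "SN-0001": b"constructed-identity-cert-for-SN-0001",
    "SN-0002": b"constructed-identity-cert-for-SN-0002",
}

# Controller-side allowlist: only pre-registered serials, with the expected
# certificate fingerprint, are ever handed a configuration.
ALLOWLIST = {
    "SN-0001": {"cert_sha256": hashlib.sha256(DEVICE_CERTS["SN-0001"]).hexdigest(),
                "site": "branch-nyc"},
    "SN-0002": {"cert_sha256": hashlib.sha256(DEVICE_CERTS["SN-0002"]).hexdigest(),
                "site": "dc-east"},
}

SITE_SPECS = {
    "branch-nyc": {"transports": 2, "function": "branch", "business_unit": "retail"},
    "dc-east": {"transports": 3, "function": "hub", "business_unit": "corporate"},
}

# Stage 1: shared attributes every device in the deployment receives.
STAGING_TEMPLATE = {
    "org_name": "example-org",
    "aaa": {"server": "10.0.0.5", "protocol": "tacacs+"},
    "dns": ["10.0.0.53"],
    "ntp": ["10.0.0.123"],
}

# Stage 2: site-class templates keyed by (function, transport count).
SITE_TEMPLATES = {
    ("branch", 2): {"transports": ["mpls", "internet"], "routing": "spoke"},
    ("hub", 3): {"transports": ["mpls", "internet", "lte"], "routing": "hub"},
}


def authenticate_device(serial, presented_cert):
    """Return the allowlist entry for a device, or None if it must be refused."""
    entry = ALLOWLIST.get(serial)
    if entry is None:
        return None
    fingerprint = hashlib.sha256(presented_cert).hexdigest()
    if not hmac.compare_digest(fingerprint, entry["cert_sha256"]):
        return None
    return entry


def build_config(entry):
    """Layer the staging template, then the site template, then per-site values."""
    config = json.loads(json.dumps(STAGING_TEMPLATE))  # deep copy; never mutate the template
    spec = SITE_SPECS[entry["site"]]
    config.update(SITE_TEMPLATES[(spec["function"], spec["transports"])])
    config["site"] = entry["site"]
    config["business_unit"] = spec["business_unit"]
    return config


def handle_phone_home(serial, presented_cert):
    """Controller-side ZTP handler: ('ok', config) or ('rejected', reason)."""
    entry = authenticate_device(serial, presented_cert)
    if entry is None:
        # Give the device nothing; log the attempt on the controller.
        return ("rejected", f"device {serial} is not registered or failed its identity check")
    return ("ok", build_config(entry))


if __name__ == "__main__":
    print(handle_phone_home("SN-0001", DEVICE_CERTS["SN-0001"]))
    print(handle_phone_home("SN-0001", b"wrong-cert"))
    print(handle_phone_home("SN-9999", b"anything"))
```

The order of the two checks matters: an unknown serial and a known serial with the wrong certificate are both refused before any template is touched, and the staging template is copied rather than mutated so one site's values never leak into the next device's configuration.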

2. Frequent Key Rotation

For most SD-WAN platforms, encryption keys providing data plane protection are refreshed as often as every hour (3600 seconds) by default. Timers can be tweaked to make the key rotation more or less frequent; however, most SD-WAN vendors enforce an upper limit on the number of hours after which the keys have to be rotated.  For example, for Cisco SD-WAN, the upper limit is 14 days. 

The key rotation happens without any interruption to the data plane traffic: the new key is installed and in use before the old one is retired. Compare this with conventional (non SD-WAN) IPsec VPNs. IKE does rekey the session keys on a timer, but the long-lived authentication material, typically a pre-shared key per peer, often goes months or years without rotation unless a compliance policy demands it and automation enforces it. Rotating those credentials means coordinated changes on both ends, significant planning and usually a maintenance window, whereas with SD-WAN the controller distributes fresh keys and the tunnels never go down.
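The make-before-break rotation described above, as an added example that is not part of the original post and not any vendor's implementation: a small Python model of a data-plane key ring in which every packet carries the ID of the key that protected it, a new key becomes current before the old one is retired, and the old key stays acceptable for a short grace window so in-flight packets are not dropped. HMAC-SHA256 integrity tags stand in for the real AEAD, a single KeyRing shared by both ends stands in for controller-distributed keys, and the grace window, key IDs and timeline are constructed; the 14-day ceiling is the Cisco SD-WAN limit quoted in the text.

```python
import hashlib
import hmac
import os
import struct

# Added illustration, not a vendor's implementation. HMAC-SHA256 tags stand
# in for the real AEAD, and one KeyRing used by both sender and receiver
# stands in for keys distributed by the controller.

MAX_REKEY_SECONDS = 14 * 24 * 3600   # upper limit cited in the text for Cisco SD-WAN
DEFAULT_REKEY_SECONDS = 3600         # hourly default mentioned in the text
GRACE_SECONDS = 60                   # assumed overlap window; the real value is vendor-specific
KEY_ID_LEN = 4
TAG_LEN = 32


def validate_rekey_interval(seconds):
    """Reject intervals outside the range the platform would accept."""
    if not 1 <= seconds <= MAX_REKEY_SECONDS:
        raise ValueError(f"rekey interval must be 1..{MAX_REKEY_SECONDS} seconds")
    return seconds


class KeyRing:
    """Data-plane keys indexed by key ID, rotated make-before-break."""

    def __init__(self, rekey_seconds=DEFAULT_REKEY_SECONDS, now=0):
        self.rekey_seconds = validate_rekey_interval(rekey_seconds)
        self.keys = {}            # key_id -> [key bytes, retire_at or None]
        self.current_id = 0
        self.next_rekey_at = now + self.rekey_seconds
        self._install_new_key()

    def _install_new_key(self):
        self.current_id += 1
        self.keys[self.current_id] = [os.urandom(32), None]

    def tick(self, now):
        """Rotate when due, keeping the previous key alive for the grace window."""
        if now >= self.next_rekey_at:
            old_id = self.current_id
            self._install_new_key()                       # make: new key is current
            self.keys[old_id][1] = now + GRACE_SECONDS    # break later: old key retires
            self.next_rekey_at = now + self.rekey_seconds
        for key_id, (_, retire_at) in list(self.keys.items()):
            if retire_at is not None and now >= retire_at:
                del self.keys[key_id]                     # retired keys are unusable

    def protect(self, payload, now):
        """Sender: tag the payload under the current key and prefix the key ID."""
        self.tick(now)
        header = struct.pack(">I", self.current_id)
        tag = hmac.new(self.keys[self.current_id][0], header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def verify(self, packet, now):
        """Receiver: payload, or None if the key is unknown/retired or the tag fails."""
        self.tick(now)
        if len(packet) < KEY_ID_LEN + TAG_LEN:
            return None
        key_id = struct.unpack(">I", packet[:KEY_ID_LEN])[0]
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        entry = self.keys.get(key_id)
        if entry is None:
            return None
        expected = hmac.new(entry[0], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return body[KEY_ID_LEN:]


def demo():
    """Constructed timeline: packet under key 1, rotation at t=3600, checks after."""
    ring = KeyRing(rekey_seconds=3600, now=0)
    before = ring.protect(b"hello", now=10)        # protected with key 1
    after = ring.protect(b"hello", now=3600)       # rotation fires here; key 2
    tampered = before[:-1] + bytes([before[-1] ^ 0x01])
    return {
        "old_key_in_grace": ring.verify(before, now=3630),     # still accepted
        "new_key": ring.verify(after, now=3630),
        "tampered": ring.verify(tampered, now=3630),           # rejected
        "old_key_after_grace": ring.verify(before, now=3700),  # key 1 purged
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point to check in any real platform is the same as in the toy: there is a window in which two keys are valid at once, and that window is the only reason traffic survives the rotation, so it has to be long enough to cover propagation of the new key to every edge and short enough that a retired key cannot be replayed indefinitely.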

3. Number of VRFs/VPNs

Depending on the licensing available, SD-WAN allows multiple VPNs or VRFs to be multiplexed over a single overlay: each packet carries a VPN label (or equivalent), so one set of tunnels serves every segment. With SD-WAN predecessors such as DMVPN and GETVPN the same result took either a separate overlay per VRF or MPLS carried over DMVPN, and it rarely scaled cleanly. The feature gives logical segmentation of traffic between business or functional units of an organization with minimal added complexity. Note that this is routing-table isolation, not an air gap: nothing crosses between VPNs unless a route-leak or inter-VPN policy is configured on an edge, so those policies deserve the same review as any firewall rule.
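As an added example, not part of the original post and not any vendor's code, here is a Python model of how several VPNs share one overlay tunnel: the sending edge tags each inner packet with its VPN label, the receiving edge looks the destination up only in that VPN's own routing table, and a destination that exists solely in another VPN is dropped, which is the isolation the text describes. The header layout (2-byte label, 4-byte source, 4-byte destination), the labels, prefixes and packets are all constructed and do not match any vendor's wire format.

```python
import ipaddress
import struct

# Added illustration of label-based segmentation over one overlay. The
# 2-byte label + 4-byte src + 4-byte dst header is constructed and is not
# any vendor's wire format.

LABEL_LEN = 2
ADDR_LEN = 4


def encapsulate(vpn_label, src, dst, payload):
    """Sending edge: tag the inner packet with its VPN before it enters the shared tunnel."""
    return (struct.pack(">H", vpn_label)
            + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + payload)


class ReceivingEdge:
    """One edge router holding a separate routing table per VPN label."""

    def __init__(self):
        self.tables = {}   # vpn_label -> list of (network, next_hop)

    def add_route(self, vpn_label, prefix, next_hop):
        self.tables.setdefault(vpn_label, []).append((ipaddress.ip_network(prefix), next_hop))

    def deliver(self, overlay_packet):
        """Decapsulate and forward using only the routing table of the packet's own VPN."""
        vpn_label = struct.unpack(">H", overlay_packet[:LABEL_LEN])[0]
        dst_start = LABEL_LEN + ADDR_LEN
        dst = ipaddress.IPv4Address(overlay_packet[dst_start:dst_start + ADDR_LEN])
        payload = overlay_packet[dst_start + ADDR_LEN:]
        table = self.tables.get(vpn_label)
        if table is None:
            return ("drop", f"no such VPN {vpn_label}")
        best = None
        for network, next_hop in table:   # longest-prefix match inside this VPN only
            if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = (network, next_hop)
        if best is None:
            return ("drop", f"{dst} has no route in VPN {vpn_label}")
        return ("forward", best[1], payload)


def demo():
    """Constructed topology: two business units on one overlay, overlapping LAN space."""
    edge = ReceivingEdge()
    # VPN 10 (retail) and VPN 20 (corporate) even reuse 192.168.1.0/24
    # without conflict, because each label has its own table.
    edge.add_route(10, "192.168.1.0/24", "retail-lan")
    edge.add_route(10, "10.10.0.0/16", "retail-pos")
    edge.add_route(20, "192.168.1.0/24", "corp-lan")
    edge.add_route(20, "10.20.0.0/16", "corp-servers")
    return {
        "retail_to_retail": edge.deliver(encapsulate(10, "10.10.5.5", "192.168.1.10", b"sale")),
        "corp_to_corp": edge.deliver(encapsulate(20, "10.20.5.5", "192.168.1.10", b"payroll")),
        "retail_to_corp": edge.deliver(encapsulate(10, "10.10.5.5", "10.20.1.1", b"probe")),
        "unknown_vpn": edge.deliver(encapsulate(30, "10.0.0.1", "10.20.1.1", b"probe")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same destination address forwards to two different next hops depending only on the label, and the probe from VPN 10 toward VPN 20's server range is dropped for lack of a route rather than by a filter. That is why a route leaked between tables, deliberately or by mistake, is the thing to audit in a segmented SD-WAN.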

SD-WAN: What’s next? 

The evolution of SD-WAN over even the last 2 years has been pretty remarkable.  What do you think is next?  We would love to hear your thoughts and learn about some of your favorite SD-WAN features. Pop us a note at  

For more information, check out our on-demand webinar “MPLS in the Age of Software-Defined WAN.”

How can we help? 

We love talking about software-defined networks and the cloud! Let us know if we can help by filling out the form. Cheers!