How SD-WANs Can Help Prevent User Misconfigurations

A few years ago, when I ran SD-WAN Experts’ predecessor MPLS Experts, a customer approached me to help solve an MPLS issue. This customer had noticed packets with unknown IPs on its carrier-managed private network. As it turned out, one of the carrier techs had misconfigured the VRF/VFI identifiers, connecting a third party – one of the carrier’s other customers – to this customer’s private network.

Outages happen all the time in the enterprise network, but it’s made worse when the culprit is a simple configuration error. Unfortunately, people make mistakes. Fishing trawlers and seismic events can cut underwater cables. And construction workers sometimes take out local access loops. Things happen, but you need to be prepared for when they do. Here are some of the ways SD-WANs can help:

No more snowflakes

I live in the Northeast,  so I like snow as much as anyone, but “snowflake” configurations where there are slight inconsistencies between locations, is another matter. It’s those little configurations that add up to big problems. With SD-WAN’s,  use of application performance policies and node configuration policies you can eliminate much of the high-touch, site-by-site configuration that causes snowflake installations and configuration drift.

Management sweetness

When it comes to human errors, the management interface plays a significant role in an engineer’s chance of causing a network outage. For this reason, vendors invest in their management interfaces. SilverPeak’s Unity Orchestrator, for example, is a good example of an easy-to-use SD-WAN interface for large enterprises. SMEs might need to all of the detail Orchestrator provides. Other vendors, such as Viptela, do good job augmenting their GUIs with iOS-type CLIs, perfect for those Cisco hands on site.

Notification are sweet

When using SD-WANs, the platform should notify you when there are configuration errors or conflicts. Otherwise, you may end up eliminating a service chain, a misconfigured traffic policy or some other nasty that can disrupt your backbone.

Different strokes for different folks

You also need to ensure your SD-WAN platform allows different levels of access. These levels will allow those in charge to push a policy across your entire SD-WAN network, but prevent less authorized users from negatively impacting your connectivity. The lower levels of access may be able to deploy policies in smaller locations, but they should not have access to the larger network.

Plan for configuration errors

To avoid or at least recover from errors like that, your SD-WAN interface should log all configuration changes and allow you to roll back configurations for applications, individual locations, network, and groups of users, if relevant. Time-stamping these rollbacks means you’ll have an easier time reverting to the last functional iteration.


Share this post