SD-WAN Architecture: Overlay, Underlay, ZTP, Application-Aware Routing
SD-WAN (Software-Defined Wide Area Network) moves the WAN from a hardware-centric design to a software-defined approach. The overlay network builds encrypted tunnels over underlay transports (MPLS, internet, LTE), ZTP (Zero Touch Provisioning) lets a branch site be deployed within minutes, and Application-Aware Routing picks the best path for each application from real-time performance metrics.
A traditional WAN relies on MPLS, which is expensive, bandwidth-limited and slow to provision (weeks to months). SD-WAN adds internet broadband and LTE, 5-10× cheaper, as transports alongside MPLS, which increases bandwidth, lowers cost, speeds up deployment and improves application performance through intelligent routing.
SD-WAN Components
| Component | Role | Details |
|---|---|---|
| vEdge / Edge Device | Branch CPE | SD-WAN appliance at the branch (physical or virtual) |
| Controller / Orchestrator | Central management | Defines policies, manages the fabric, monitors performance |
| vSmart / Head-end | Control plane | Distributes routing and policy information to the edges |
| vManage / Dashboard | Management plane | Web UI for configuration, monitoring and troubleshooting |
| vBond / Authentication | Orchestration | Authenticates and onboards new edge devices (ZTP) |
Overlay vs Underlay
| Feature | Underlay | Overlay |
|---|---|---|
| What it is | Physical transport (MPLS, internet, LTE, 5G) | Virtual tunnels built on top of the underlay |
| Encryption | Depends on the transport (MPLS: none, internet: required) | IPsec-encrypted tunnels (always encrypted) |
| Routing | ISP/carrier routing | SD-WAN routing (application-aware) |
| Visibility | Limited (the ISP controls it) | Full visibility (the SD-WAN controller sees every tunnel) |
| Flexibility | Fixed by the ISP contract | Dynamic (add/remove tunnels, change policies) |
Transport Options
| Transport | Cost | Performance | Use Case |
|---|---|---|---|
| MPLS | High | Best (SLA guaranteed) | Critical apps (voice, video, ERP) |
| Internet Broadband | Low | Variable (best-effort) | Bulk data, web browsing, backup path |
| DIA (Dedicated Internet) | Medium | Good (symmetric, SLA) | SaaS access, cloud workloads |
| LTE/5G | Medium-High | Variable (wireless) | Backup, temporary sites, mobile |
| Starlink/LEO Satellite | Medium | Moderate (higher latency) | Remote/rural sites |
Application-Aware Routing
| Feature | Details |
|---|---|
| DPI (Deep Packet Inspection) | Identifies applications (Zoom, Teams, SAP, Salesforce) by inspecting packets |
| SLA Metrics | Monitors each tunnel in real time: latency, jitter, packet loss |
| Policy-based Routing | Voice → MPLS (low latency), Web → Internet (cheap), Backup → LTE |
| Dynamic Path Selection | If MPLS latency exceeds the threshold, voice is switched to DIA automatically |
| FEC (Forward Error Correction) | Adds redundant packets so lost packets can be recovered without retransmission |
| Packet Duplication | Sends each packet over both paths and uses whichever copy arrives first (critical apps) |
| QoS | Per-application QoS marking and scheduling (prioritizes critical traffic) |
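The SLA-driven path selection the table describes, as an added example that is not code from the original page or from any SD-WAN vendor: each application class carries thresholds and a transport preference order, the edge re-evaluates every class against the latest probe snapshot, and a tunnel that falls out of SLA (here MPLS latency for voice) causes an automatic move to the next compliant transport. The SLA classes, preference orders and probe values are constructed.

```python
# Added example (not from the original page): application-aware path selection
# driven by per-tunnel SLA probes, as a branch edge would run it. The SLA
# classes, preference orders and probe values below are constructed.
from dataclasses import dataclass


@dataclass
class TunnelStats:
    transport: str      # "mpls", "dia", "internet" or "lte"
    latency_ms: float   # measured by probe packets across the tunnel
    jitter_ms: float
    loss_pct: float


# Per-application SLA class: thresholds plus preferred transports in order.
SLA_CLASSES = {
    "voice":  {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0,
               "prefer": ["mpls", "dia", "internet", "lte"]},
    "web":    {"latency_ms": 400, "jitter_ms": 100, "loss_pct": 5.0,
               "prefer": ["internet", "dia", "lte", "mpls"]},
    "backup": {"latency_ms": 1000, "jitter_ms": 500, "loss_pct": 10.0,
               "prefer": ["lte", "internet", "dia", "mpls"]},
}


def meets_sla(stats, sla):
    return (stats.latency_ms <= sla["latency_ms"]
            and stats.jitter_ms <= sla["jitter_ms"]
            and stats.loss_pct <= sla["loss_pct"])


def select_path(app, tunnels):
    """Pick the transport for `app` from the current probe snapshot.

    The first transport in the class's preference order that meets the SLA
    wins. If no tunnel meets it, traffic is not dropped: the least-bad tunnel
    (lowest loss, then lowest latency) is used so the app keeps flowing.
    """
    sla = SLA_CLASSES[app]
    by_name = {t.transport: t for t in tunnels}
    for name in sla["prefer"]:
        if name in by_name and meets_sla(by_name[name], sla):
            return name
    fallback = min(tunnels, key=lambda t: (t.loss_pct, t.latency_ms))
    return fallback.transport


def path_changes(apps, before, after):
    """Report apps whose selected path moved between two probe snapshots."""
    return {a: (select_path(a, before), select_path(a, after))
            for a in apps
            if select_path(a, before) != select_path(a, after)}
```

`path_changes` is the piece worth wiring to monitoring: a burst of path moves across many sites is the first visible sign of a degraded or tampered underlay link.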
ZTP (Zero Touch Provisioning)
| Step | Action |
|---|---|
| 1. Ship device to site | The SD-WAN appliance is shipped to the branch (pre-staged with its serial number) |
| 2. Power on + connect WAN | On-site staff only plug in power and the WAN cable |
| 3. Auto-discover | The device contacts the orchestrator (vBond) via DHCP/DNS |
| 4. Authenticate | The orchestrator validates the serial number and certificate |
| 5. Download config | The device downloads its configuration and policies from the controller |
| 6. Join fabric | The device builds tunnels to the other sites and becomes operational |
| 7. Total time | ~15-30 minutes (vs weeks for a traditional WAN) |
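Step 4 is the control point that keeps an unexpected box from joining the fabric, so here is the orchestrator-side admission decision as an added example (not code from the original page or from any vendor's orchestrator). The organization name, the authorized serial list and the signing secret are constructed, and HMAC-SHA256 stands in for the X.509 certificate signature verification a real orchestrator performs.

```python
# Added example (not from the original page): the orchestrator-side admission
# decision in step 4 of the ZTP flow. The organization name, the authorized
# serial list and the "CA" secret are constructed; HMAC-SHA256 stands in for
# the X.509 certificate signature check a real orchestrator performs.
import hashlib
import hmac
import json

ORG_NAME = "example-org"                 # org name the fabric is bound to
CA_SECRET = b"constructed-ca-secret"     # stand-in for the device CA's key
AUTHORIZED_SERIALS = {                   # allowlist uploaded by the admin
    "EDGE-0001": {"site": 101, "status": "valid"},
    "EDGE-0002": {"site": 102, "status": "invalid"},   # decommissioned device
}


def sign_identity(identity):
    """Stand-in for the factory CA signing the device's identity fields."""
    payload = json.dumps(identity, sort_keys=True).encode()
    return hmac.new(CA_SECRET, payload, hashlib.sha256).hexdigest()


def admit_device(identity, signature, now):
    """Return (admitted, reason) for a device presenting `identity`.

    Every check fails closed: a bad signature, an unknown or invalidated
    serial, a foreign organization name or an expired certificate all keep
    the device out of the fabric, and the reason is what the controller logs.
    """
    if not hmac.compare_digest(sign_identity(identity), signature):
        return False, "certificate signature invalid"
    serial = identity.get("serial")
    entry = AUTHORIZED_SERIALS.get(serial)
    if entry is None:
        return False, "serial %s not in authorized list" % serial
    if entry["status"] != "valid":
        return False, "serial %s has been invalidated" % serial
    if identity.get("org") != ORG_NAME:
        return False, "organization name mismatch"
    if not identity["not_before"] <= now <= identity["not_after"]:
        return False, "certificate outside its validity period"
    return True, "admitted to site %d" % entry["site"]
```

The signature is checked before the allowlist lookup so that an unauthenticated request learns nothing about which serials are authorized.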
SD-WAN Vendors
| Vendor | Product | Highlights |
|---|---|---|
| Cisco | Catalyst SD-WAN (Viptela) | Largest market share, Cisco ecosystem integration |
| Fortinet | FortiGate SD-WAN | Built-in NGFW (security + SD-WAN in one), good price |
| VMware | VeloCloud | Cloud-first, strong SaaS optimization, acquired by Broadcom |
| Palo Alto | Prisma SD-WAN (CloudGenix) | AI-driven, integrated with Prisma SASE |
| HPE/Aruba | EdgeConnect (Silver Peak) | Strong WAN optimization heritage, Unity Orchestrator |
| Versa Networks | Versa SASE | Integrated SASE (SD-WAN + security), flexible deployment |
SD-WAN vs Traditional WAN
| Feature | Traditional WAN | SD-WAN |
|---|---|---|
| Transport | MPLS only | MPLS + Internet + LTE (any transport) |
| Cost | High (MPLS is expensive) | 40-60% lower (uses cheaper transports) |
| Deployment | Weeks to months | Minutes to hours (ZTP) |
| Application Routing | Destination-based (L3) | Application-aware (L7) |
| Cloud Access | Backhaul to DC → cloud | Direct internet breakout at the branch |
| Visibility | Limited (per-device CLI) | Centralized dashboard (all sites) |
| Failover | Manual or slow (IGP convergence) | Sub-second (real-time SLA monitoring) |
SASE (Secure Access Service Edge)
| Feature | Details |
|---|---|
| What it is | SD-WAN + cloud-delivered security (CASB, SWG, ZTNA, FWaaS) |
| Benefit | A single vendor for networking + security (converged) |
| Components | SD-WAN + ZTNA + SWG + CASB + FWaaS + DLP |
| Trend | SD-WAN is evolving into SASE (all major vendors offer SASE) |
In closing: SD-WAN = Intelligent, Cost-Effective WAN
SD-WAN Architecture
- Overlay: encrypted tunnels over any underlay (MPLS + internet + LTE)
- ZTP: ship device → power on → auto-join fabric (~15-30 minutes)
- App-Aware: DPI identifies apps → policy routes per app → dynamic path selection
- SLA: real-time monitoring (latency, jitter, loss) → sub-second auto-failover
- Cost: 40-60% reduction vs an MPLS-only WAN
- SASE: SD-WAN + cloud security (ZTNA, SWG, CASB) = converged networking + security
Read more about VPN Technologies: IPsec and WireGuard and MPLS Fundamentals: Traffic Engineering at siamlancard.com, or at icafeforex.com and siam2r.com.