The terms SD-WAN ( Software-Defined WAN), uCPE ( Universal Customer Premises Equipment) and vCPE ( Virtual CPE) are used a lot these days, yet there is very little information on what are the differences and similarities between them i.e what is SD-WAN vs uCPE vs vCPE
So it is not uncommon that a vendor may mean virtual CPE but a customer understands it as a universal CPE and vice versa. And a vendor may present uCPE and the customer understands it as vCPE.
So this blog is an attempt to clarify and position these technologies in a simple way, so you can pick and choose the right one.
But this is not the only purpose. I will explain it in a way that you will understand the “WHY” behind each of these technologies. i.e. the motivation on why the industry adopted them in the first place.
We do it step by step starting with a traditional CPE and finally moving to the SD-WAN and uCPE. I recommend to follow the sequence in this way in order to have a clear understanding of SD-WAN vs uCPE vs vCPE
Traditional CPE, as you already know, is a physical box at the customer site. This CPE is usually a dedicated box like a router, a PBX, an IPS, etc. In the example below, there are three CPEs that are interconnected together so that packets are processed one after the other going through each box one by one.
Now as you probably have guessed that this is not a very efficient way for a customer to run his CPEs as he needs to manage multiple physical boxes that needs power and space. It is costly, CAPEX and OPEX wise and not a recommended solution today.
vCPE ( Virtual CPE)
Virtual CPE is an answer to the issues presented by physical CPE. vCPE does not need to sit at customer premises. Thanks to NFV, CPE can run in the cloud today ( Reference: ETSI). Any CPE function like routing, firewall, IPS for a customer can be hosted at a data center on NFVI ( NFV Infrastructure). The customer can access the functions remotely through a simple layer 2 switch. Therefore, these functions do not need to run at customer premises. See the diagram below.
Now, this is both a win-win situation for a customer and Service provider. From a customer perspective, he does not need to host anything at his branch office ( power and space savings). From a service provider perspective, he can get economies of scale by utilizing x86 servers as a pool to provide CPE services to its customers.
There are two models for running virtual CPE. In the first model, the virtual CPE is hosted at the service providers Data Center ( DC) as shown below.
Comparing it with the traditional CPE, the exact same functions are shifted now to the NFVI DC of a service provider, while a layer 2 switch just provides a simple transport for the customer traffic to reach the NFVI PoP for processing purpose. What on-premises CPE was doing before is done by the off-premises CPE in DC.
However virtual CPE is not limited to service provider’s DC. In a second model, virtual CPE can also be run at the customer’s own data center/NFVI as shown below ( insider customer’s HQ). In this model, the SP can offer the management of the NFVI but the NFVI itself runs on customer’s premises.
SD-WAN ( Software Defined WAN)
Before moving to uCPE concepts, it makes sense to understand SD-WAN first.
SD-WAN provides an overlay ( a separate network connecting CPEs whose characteristics do not depend on the underlay which is the actual transport like MPLS). This is a new type of connectivity that can use any transport network like MPLS and/or the internet etc. It provides seamless connectivity between customer sites using both MPLS and the internet. It does so by creating an overlay network over the underlay network ( MPLS or internet)
As you know that applications are moving to the cloud and more and more enterprises want to access their applications in the cloud ( also called SAAS). Therefore, let’s take the example of the previous customer topology and introduce a new “requirement” as shown in the diagram below. Before proceeding, consider that the current connectivity between the customer branch on the left and the customer HQ on the right uses an MPLS link from the service provider.
Here is the description of the requirement:
- The customer has decided to use Microsoft 365 that is hosted on Microsoft servers at a remote location as a SAAS application.
- The company wants to divert the social traffic ( like youtube, facebook) away from MPLS so as to offload some traffic from MPLS so backhaul cost can be reduced.
- The customer wants to use the internet as backup transport for the MPLS link.
The traditional way to solve this problem would be as shown below. ( Although a partial solution)
To access the SAAS application, the branch will send the traffic through MPLS and which in turn will route the traffic through the internet to the SAAS cloud. There are two issues.
- Expensive MPLS links are utilized to backhaul traffic to HQ for SAAS and social traffic, which increases the cost as more and more applications move to the cloud.
- We have not been able to solve the requirement of using the internet as a backup to the MPLS link from the Service provider. ( which means, we may end up buying another MPLS from another SP, to be a backup for this MPLS link)
Welcome to the world of SD-WAN. SD-WAN solves exactly these issues. See below.
By adding SD-WAN physical CPE at the branch and HQ and creating SD-WAN overlay seamlessly on MPLS and the internet, we get the following benefits.
- “Internet breakout” is achieved by providing a short path for the SAAS application to route through the internet ( The Green link) This is because the SD-WAN CPE is intelligent, so it can identify the application flows and knows which flows should be forwarded to HQ and which should be forwarded to the internet.
- The social traffic is also offloaded from the MPLS link so it can use the internet breakout path thus reducing MPLS costs. ( Again the green link)
- SD-WAN can seamlessly create a backup for the MPLS link over the internet path. ( Red dotted link)
We have killed multiple birds with a single stone, isn’t it? and this is the motivation for the SD-WAN today that it can provide an efficient way to route traffic directly over internet paths to applications that can reside outside the customer data centers.
uCPE -Universal CPE
OK, so where does uCPE come into the picture then?
While the SD-WAN concept became popular, someone thought, why the heck one should have dedicated physical CPE for the SD-WAN. As SD-WAN can also be a virtual function. Why not just put it on a server or a white box.
And if I can put SD-WAN as one application on the server, why not put more functions. At this point in time, the concept of uCPE was born. The same server that runs SD-WAN can now host more functions, with the result that it is called now universal CPE and it sits essentially at the customer premises.
So we started with the physical CPE at the customer site and we returned to a uCPE which is also at the customer site. However bottom line is that applications can run anywhere, so it makes sense to have a flexible way to run it whether at a data center ( virtual CPE) or whether at the customer premises (uCPE)
So universal CPE is nothing but a server or a white box that can run multiple virtual functions. It can be SD-WAN or it can be other functions like routing, filtering.
Welcome to the new age. There is no place where applications should sit. Applications are not just in Datacenter of the service provider, they are in public cloud, SAAS cloud, private cloud. Therefore having CPE that can have both SD-WAN functionality and other functions does make sense.
So here are the key points
- The focus of SD-WAN is on connectivity ( between customer sites and to the cloud) while the focus of virtual CPE is mainly on “virtual functions” like IPS, filtering, firewall, routing, etc..
- SD-WAN can also be run as a virtual function.
- When SD-WAN is run as a virtual function, it makes sense to be a part of uCPE in addition to other functions on the same box.
- virtual CPE runs at the data center while uCPE runs at customer premises ( Both on servers)
Leave a comment below if you agree or otherwise to this explanation of SD-WAN vs uCPE vs vCPE
55 thoughts on “SD-WAN vs uCPE vs vCPE- The Simple Guide”
Well explained Faisal.
Thanks for your useful blogs!
Thanks Imran for visiting and liking the blogs
Good summary Faisal. If you can expand, with market offerings and a very simple comparison or pointers to research would help a lot.
That seems like good suggestion….thanks Komatineni
Explained very nicely the concepts and brought out the difference.
One aspect i wanted to check, what were the main reason behind bringing the function to Cloud(vCPE) and to put it back to customer premise will that still be a problem.
One of the benefit i see with uCPE is that a single box for all functions that is really good.
May be if you can share some insight on the challenges and benefits will be easier to assess the use cases.
Thanks again for wonderful article and keep sharing
Great one Fisal. Just a small comment;
1. SD-WAN Edge or Gateway could be a VNF in uCPE. (They could also be VNFs anywhere, depending on the case)
2. vCPE could be a VNF in uCPE. (it could also be a VNF anywhere, depending on the case)
Well said Anuradha and thanks for commenting
Interesting read !!
Virtual CPE is providing functions of routing, IPS, firewall virtually at the box placed in “customer premises” , while iCPE does the same in a server at a “Data Center”.
Is my understanding correct?
A small typo in 2nd line of 2nd paragraph it should be:
“And a vendor may present vCPE and customer understands it as uCPE.”
Thanks Aamir, it is now corrected. vCPE is at data center, uCPE is at customer site.
very informative Thanks Faisal.
Thanks Javed, Nice to find you once again on the blog
Very nicely explained Faisal
One question – Can we not use virtual CPE for SD WAN use case?
Mukesh, SD-WAN is one application and it can run as VNF on any virtual CPE. Does this make sense ?
Thanks Faisal. It is informative and well presented
Thanks Praveen, Glad that you liked it
Very clear and concise! Informative! Thank you.
Thanks Tony for stopping by to read the blog
Very well explained Faisal…
I find very interesting and informative content. Thanks Faisal sir.
uCPE can host routing, security and IPs services with SDWAN. Shall we use uCPE without SDWAN as well?
Sure Sultan ! you an
Very clear and concise! Thank you very much!
Gald that you liked it Rafik!
Thanks Faisal for the excellent article. Previously when ever i tried to decode these concepts after sometime, i had a feeling of everything looks same. But now i got the difference through your article..
Can yo explain bit more on overlay network?
Thanks iyappan, I plan to write something to explain overlay….as it is important concept
Good one…indeed. In layman terms..
Very well explained. Thanks
@Hamza, glad that you liked it, thanks
very informative Thanks ,
Is there a way to do a lab on it?
Thanks aimane, that you found useful, Did not get your question very well. can you tell here more ?
Fantastic explanation! Very useful!
Thanks Fernando for taking time to visit
Like it very much. Very useful for me to understand those concepts!!! Thanks!!!
the reason why I like your blogs, is because these are small reads and also retention is easy.
Thanks Syed, Great that you liked it
Glad that you liked it
Now I know why do people log in to comment,
Really a fantastic blog.
Hope you ain’t phaijal khan from ‘Gangs of wasseypur’.
HAHA….of course not form “Gangs of wasseypur”
Glad that you liked it, Sarkar Ji !
How does vCPE connects to SD WAN cloud over internet ?
Hi Nimit, I am not sure if I understood your question well!
After a long time, I am back to your informative and very-well articulated conceptual blogs about networking. This blog too is the same. Thanks a lot!
Thanks for the feedback Rajesh ! and welcome back
Really nice blogs Faisal. I always refer to your blogs to have a very clear understading of SDN and NFV concepts. One thing which I am not very clear is the role of SDN Gateways in SD WAN landsacpe. Can you please provide details on the same with some good example as you always do.. 🙂 or if there is already an article on this please provide that link.
Thanks in Advance.
Hi Vaibhav, thanks, Can you clarify the “SDN Gateways”, I did not hear them in SD-WAN context
Well explained as always Faisal. Your explanations are straight to the point. Thank you very much!
Glad that you liked it ! Venkatesh !
Good explanation, Faisal. I just found your website, and have bookmarked it to read through your blogs.
One question regarding vCPE…
Your diagram shows a simple L2 connection from the customer premise to the vCPE in the cloud. While it makes sense from a resource and management perspective, doesn’t it make for a potential security issue because the presumption of traffic from the L2 switch to the vCPE being ‘open’ (not encrypted), and vulnerable to interception, sniffing, MITM, etc.
If the CPE was on-prem, the WAN connectivity from the SD-WAN device is typically carried over encrypted overlay tunnels, so it would be safe while traversing the Internet.
Thank you Ron B, The traffic can be encrypted at all layers ( L1, L2, L3) as customer wishes, Both approaches have benefits. The central DC allows to pool the recourses, the distributed option provides better latency and easy to install.
Hi Faisal, the topic was explained really well. Thank you so much.
As an extension to Ron’s question: “by removing L3 CPE at customer premises and moving all the functions to vCPE on the cloud (may be even the SD WAN functionality) and only have the L2 CPE at the customer premises, “Is there any any drawback or L3 functionality being missed”?
Hey Murali, thank you so much for comment and very sorry for late reply. No there is no drawback here. We are just shifting the L3 to the cloud, we are not removing L3 altogether.
Thank You for insightful information
Thank you Reema, for visiting my blog