The Role of vCPE in Branch Offices

by Sorell Slaymaker

Virtual Customer Premise Equipment (vCPE) provides network routing, security, and other functions in software rather than on dedicated hardware devices. While most enterprises have a virtualization strategy for their data center, few have one for the branch office. This needs to change!

Ask any CIO what their virtualization strategy is for the branch office, and they will tell you that all applications are moving to the cloud (private, public, or hybrid), and that they do not need one. Ask them about routing, security, wireless LAN, printing, and other services that still reside in the local office, and their answer will still be the cloud.

The value of vCPE is to ensure delivery of services from the cloud to users in a fast, efficient, and secure way. By providing a vCPE close to enterprise users in the branch office, one gets the following advantages:

  • Demarcation point – Finger pointing is common in networking: the problem is not on my network, so it must be on yours. As networks become more virtualized and software driven, creating and managing demarcation becomes more difficult, yet it is as critical as ever. T1 Channel Service Units (CSUs) are the best known demarcation point and came about once Ma Bell no longer provided the network within an enterprise. In VoIP, Session Border Controllers are another good example of demarcation of voice services between networks.
  • Stop Backhauling – Most enterprises backhaul their Internet, WLAN, and mobile data traffic to their data centers, where it goes through a security stack and then out to the Internet or cloud service provider. This is expensive and degrades application performance. SD-WANs are addressing this market pain point, but most SD-WAN implementations to date use appliances from the SD-WAN provider, which limits what other services the enterprise can run at the branch.
  • Zero Trust Security – No enterprise network is 100% secure. Because of this fact, enterprises need to change their security model to zero trust and provide security all the way to the very edge of the network. In a world with cloud applications and mobile users, who are on different networks, data in motion needs to be encrypted as well as data at rest.
  • Performance – While the network intelligence and applications can be centralized, there will always be some functions that are based locally, such as routing, caching training videos and large files, printing, and security.

If you talk with the large Network Service Providers (NSPs) such as AT&T and Verizon, they would like to put the vCPE device within their central office. Their value proposition is that an enterprise does not need to put any technology in a remote office, and that this can lead to greater enterprise agility. The fallacy in this, besides being locked into a single vendor that will charge one too much, is that the last mile is the bane of most networks. Plus, while the NSPs will offer Network Function Virtualization (NFV) including security, their SLA penalties will only offset the cost of their services, not the business impact from a network outage or security breach.