RAD is a global leader for telecom access solutions. As an industry pioneer for over 40 years, RAD reliably supplies worldwide communications service providers and critical infrastructure operators with best-of-breed Ethernet access devices, industrial IoT gateways, 5G xHaul, and Operational WAN solutions. Offering always-on connectivity from anywhere, along with data-driven, AI-powered actionable insights, RAD is distinguished for its supply-chain stability, which outsteps the market in delivery times. Founded in 1981, RAD serves as the anchor of the $1.6 billion RAD Group, an umbrella of independent companies that develop diverse networking and data communications solutions.


vCPE and the Intelligent Edge

The CSP Guide to NFV, Disaggregation and Automation

Virtual customer premises equipment (vCPE) has matured over the years to become a pivotal tool in helping communications service providers (CSPs) address major shifts in the market. Chief among these shifts is the acceleration in enterprises’ digital transformation, which drives major changes in telcos’ business customer needs. By the end of 2021, 80% of enterprises will be on the way to cloud-centric infrastructure and applications.¹ From SMEs relying on SaaS, to enterprises moving to XaaS, and all the way to “Born in the Cloud” organizations, these changes drive the transformation of the network and CSP offerings.

In addition to businesses transitioning to the (multi) cloud, other trends are challenging the CSP landscape, including the rise of the mobile worker and the work from home (WFH) boom – especially as COVID-19 work patterns have become the New Normal.  Pre-pandemic IP VPN topologies and business network services no longer fit the new “work from anywhere” paradigm. And as if that isn’t enough of a challenge, over the top (OTT) SD-WAN and secure access service edge (SASE) players are cannibalizing traditional telcos’ market share.

As emerging services and applications pose special requirements in terms of performance, latency, resiliency, and local storage, compute infrastructure is increasingly getting closer to the edge. As a result, CSPs are extending compute services and storage closer to users to avoid transmitting large amounts of data to remote data centers and to enable new applications: IoT, software defined branch (SD-Branch), autonomous systems, client/server, device/cloud applications, and more. 

This is where vCPE comes into play, allowing CSPs to move their business customers from legacy VPNs to cloud access services, connect new locations and IoT devices, deliver business class networking for WFH employees, and host value added services (VAS) either at the CSP edge or at the customer edge. 

¹ IDC top 2021 predictions, Dec 2020



What is vCPE 

vCPE is a major example of network disaggregation, i.e., the separation of software from the hardware appliance it runs on. Instead of the inflexible hardware appliances with pre-determined functionalities of days past, virtualized CPE separates the components of the CSP-operated service delivery platform: hardware, operating system (which includes the virtualization infrastructure) and software-based virtual functions.

Network disaggregation, network functions virtualization (NFV) and software defined networking (SDN) allow CSPs to choose best-of-breed products and solutions to meet their operational and business needs. They can make their technology validation and procurement cycles more agile and introduce new services faster. This, in turn, makes them less dependent on their traditional network equipment providers and frees them from vendor lock-in. 

Such flexibility is also appealing as it allows providers to launch new services, such as a combination of networking, security and IT services, which, in many cases, they were not able to offer before. These can be specifically customized for various market segments and verticals such as hospitality, retail and supply chain management.

The new breed of networks described above follows a model of Disaggregation, Automation and Virtualization

vCPE deployments for businesses are among the most important revenue-generating segments of virtual network functions (VNFs) and are expected to triple the VNF market by 2025, generating more than US$15 billion in revenue globally.²

² ABI Research, April 2021

uCPE and pCPE

There are various types of vCPE hardware that serve as the basis of an intelligent edge platform in which VNFs are hosted. These are the major types: 

uCPE – The Thick CPE

A universal customer premises equipment, or uCPE, allows CSPs to tailor a multi-function vCPE with a single device hosting virtual machines (VMs) and/or VNFs. This helps users not only to avoid the use of multiple concatenated devices at their premises, but also to augment edge functionality on-demand by remotely downloading new functions onto their vCPEs. uCPE vendors typically design their platforms based on an x86 server.

pCPE – The Thin CPE

The pCPE is a thin, economical and disaggregated CPE in which value-added services are hosted as containers. Thin CPE can run on a range of hardware boxes, from a two-core ARM device to off-the-shelf x86 hardware. Ideally, the pCPE includes an embedded router and firewall.

IoT Gateway

The IoT Gateway is a pCPE that is packaged in a ruggedized device to address extreme temperatures and dust. It can also host third-party containers.

RAD’s business edge portfolio features a range of hardware devices catering to the requirements of business sites, all featuring an embedded virtual router and a next-generation virtual firewall. These include a disaggregated uCPE (Thick CPE) hosting VMs/VNFs over an x86 NFVI; a disaggregated pCPE (Thin CPE) – a cost-effective ARM-based platform hosting value-added services as containers; and an IoT Gateway that is ruggedized for business sites with harsh environmental conditions, and hosts value-added services as containers.

Disaggregated vCPE Operating System 

In addition to white boxes and VNFs, NFV architecture also requires an operating system that serves as the virtualization infrastructure (NFVI). It is an important part of the WAN edge infrastructure in any intelligent edge network and needs to integrate with the SDN controllers, orchestrators and operations/business support systems (OSS/BSS) that are used in the NFV network.

Most vCPE offerings today include a vendor-locked operating system that is typically tied to the specific uCPE or pCPE in use. 

RAD’s vCPE-OS is an open, disaggregated operating system for network edge virtualization. The Linux-based, carrier-class vCPE-OS runs on any white box server and is pre-loaded in RAD’s vCPE platforms, whether x86 or ARM-based. It combines powerful networking capabilities with virtualization for hosting value-added VNFs from any vendor. The lightweight vCPE-OS features a powerful embedded virtual router, virtual firewall and virtualization resources manager. It runs on a fraction of a CPU core, requires extremely low memory and provides market-leading throughput. It is interoperable with open source management platforms, and easily integrates with standards-based SDN controllers, orchestrators and OSS/BSS from major providers.

vRouter & vFirewall

Among the various VNF applications required in any NFV network, the virtual router and virtual firewall are probably the most popular, as these functionalities are staples for business services. Until recently, a typical deployment of a virtual firewall appliance and a disaggregated router required separate vRouter and vFirewall VNFs that had to be licensed separately from their respective vendors, hosted on the vCPE platform and managed separately. There’s also the issue of performance. In their VNF form, Provider Edge virtual routers and firewalls vary greatly in their performance and demand quite a lot in terms of CPU resources and network throughput capacity.

RAD’s vCPE-OS includes a feature-rich embedded virtual WAN router and next-generation virtual firewall that eliminate the expense of licensing and hosting third-party vRouter and vFirewall VNFs. This allows flexible deployment options, as well as unified management for both the operating system and the virtual router and firewall appliances. Advanced functionalities include:

  • Dynamic routing with OSPF, BGP, VRF and secure VPN using IPsec, DMVPN and NAT for flexible connectivity
  • Cyber security suite: 802.1X, IPsec encryption with automated PKI, stateful firewall

All of these are delivered at high performance while requiring low CPU resources.

SD-WAN Connectivity and Multi-Cloud Access

Over the last few years, software defined wide area networking (SD-WAN) has had huge success as a cheaper alternative to costly IP/MPLS VPNs. SD-WAN connectivity has migrated from a WAN product sold by vendors directly to enterprises to a legitimate element in the CSP service mix. Despite growing adoption and a very crowded market, there are still several key challenges that SD-WAN poses to service providers. First, most current SD-WAN architecture is built for legacy systems and traffic patterns, where branch offices must connect to HQ to access applications and data that are stored in a handful of private cloud locations. However, today’s landscape looks very different, with the explosion in public cloud adoption resulting in a pivotal shift in topologies from mesh to hub & spoke or direct branch-cloud connectivity. SD-WAN services have, in many cases, fallen behind.

Then there’s the issue of the role of the CSP. As an over-the-top (OTT) solution, current SD-WAN offerings relegate service providers to the role of resellers, as they can’t use their own network edge assets to add value to their business customers beyond simple connectivity.

In other words, CSPs need to find ways to build their SD-WAN architecture with cloud traffic in mind, as well as move up the value chain when it comes to SD-Branch service offerings.

RAD’s SD-CloudAccess is a service provider-native solution that helps CSPs deliver intelligent multi-link cloud access services for cloud-centric business customers. It’s an economical SD-WAN solution, allowing application-aware traffic distribution across multiple links with SLA-guaranteed access to public, private and telco cloud services.

  • Enables CSPs to offer differentiated VAS using their own edge assets
  • Advanced traffic distribution policies 
  • Cost-optimized pCPE and centralized DPI; eliminates the need to set up multiple overlay tunnels
  • High security over any transport link

SD-CloudAccess is a book-ended solution featuring a client that is either embedded in vCPE-OS or available as a uCPE-hosted VNF, and a hub software running as a VM in a cloud gateway.

The main differences between SD-CloudAccess and OTT SD-WAN offerings are summarized in the table below:


The difference between SD-CloudAccess and OTT SD-WAN offerings

NFV Orchestration

The final element in any NFV network is the orchestration layer. An NFV orchestrator (NFVO) is needed to manage NFVI resources and their virtualized infrastructure managers (VIMs), coordinate resource allocation to meet requests from VNF managers and handle policy enforcement issues. In addition, NFV orchestrators are required for the lifecycle management of network services, including VNF service instantiation.


The RADview Domain Orchestrator offers full life cycle management for vCPE-OS and hosted VMs/VNFs, VNF onboarding and chaining and VNF management. It enables automation with zero-touch provisioning, firewall configuration, fault management and reporting, bulk software upgrade, and database management, as well as SDN/NETCONF support and automatic setup of network tunnels.


Here are the various elements coming into play in service lifecycle management:

Comprehensive Life-cycle Management

vCPE Services

vCPE enables a variety of business connectivity services ranging from VPN to cloud access services. With the right vCPE solution in place, different businesses and even different sites are free to choose their preferred connectivity option based on their current requirements and upgrade it later in time as their needs evolve. Various sites of the same organization may deploy different business edge vCPE options and have them stitched together into a single business VPN.

Key vCPE-based services where CSPs can add value include multi-cloud access, smart branch connectivity/SD-Branch and even VPNs:

Managed Business Router / Customer Edge Replacement
A disaggregated vCPE is an ideal fresh alternative for legacy business routers that are due to be replaced. This would typically include a managed business router that provides MPLS VPN access and can be used to host multiple functions that otherwise may have been implemented using several boxes.

The disaggregated vCPE releases the service provider from vendor lock-in, allowing the hosting of best-of-breed functions and the use of off-the-shelf hardware.



Overlay VPN over Fixed/Mobile Broadband Network
With VPN over broadband, business sites are not bound to MPLS access links and can instead connect to the organization’s VPN over fixed or mobile broadband access links, either as the primary link or as backup to the MPLS ones. This allows the CSP to expand its L3 VPN services to unserved sites, as well as offer its enterprise customers the ability to connect pop-up business sites to the corporate VPN.

Such connectivity services use a secure overlay either over the service provider’s own broadband access links or over third-party provider networks.



SD-CloudAccess is designed for “cloud-first” enterprises, or business customers that are transforming to the cloud. CSPs can introduce application-aware traffic steering across multiple links, so that businesses can benefit from SLA guarantees for their cloud access services.

Business traffic is forwarded in overlay tunnels, ideally over a single set of overlay tunnels that are terminated at a virtual cloud gateway, typically deployed at the service provider’s edge. By landing all traffic at their network’s edge, service providers can use their own footprint to host value-added cloud and cloud on-ramp services, such as hosted SASE. For a local internet breakout, predefined application traffic is forwarded directly to the internet and excluded from the traffic sent towards the cloud gateway. This requires a next-generation firewall to protect against malicious attacks from the internet.




Policy-Based Traffic Distribution


The Essential vCPE Checklist

Carrier-grade NFV/vCPE implementation requires a holistic view that takes into account every phase within the service lifecycle. Below is a list of best practices and agile tools to accelerate the adoption of NFV and vCPE:

Operating System:
Must provide true openness to prevent vendor lock-in and ensure high performance of all vCPE aspects, including third-party VNF hosting, yet remain slim and agile.

High Availability:
Backup and redundancy of the network, connections, vCPE system uptime, NFV infrastructure (NFVI) stability and VNF performance, including service chained VNFs.

A range of security measures, from TPM to secure tunneling/VPN and management channels over public networks to allow direct and secure connection to data centers.

Zero-touch provisioning, VNF onboarding, instantiation and chaining, as well as maintenance, updates, rollback/reconfiguration, and tear down.

WAN Connectivity:
Ubiquitous service look & feel over PON, Carrier Ethernet, xDSL, LTE, and even TDM access. Such a variety of WAN connections and interfaces enables a unified global deployment for any NFV VAS.

RAD’s Intelligent Edge vCPE Solutions

The vCPE edge portfolio includes everything CSPs need to deploy virtualization services today:

  • Slim, high performance disaggregated operating system
  • A range of thin and thick CPEs hosting VMs or containers
  • A domain orchestrator to remotely manage virtualization functionalities and automate operations


It is designed to help service providers leverage their “real estate” – that is, the network and customer edge – in introducing VAS beyond simple connectivity. These include hosted zero-trust secured access (Secure Access Service Edge services – SASE), latency-sensitive applications and more.


Why RAD?

  • Freedom to choose any vCPE hardware, per branch site requirements, with a common operating system in all vCPEs to minimize integration efforts and reduce costs.
  • Host value-added VMs and containers on premises or in data center/cloud as needed
  • Rapid transition from branch-HQ connectivity to branch-cloud connectivity
  • Open, lightweight vCPE-OS with a powerful embedded router, firewall and virtualization resources manager. It runs on a fraction of a CPU core, requires extremely low memory and provides market-leading throughput
  • Support “Cloud-First” business customers with SD-CloudAccess
