SD WAN vendors ship different feature sets, and those features differ in stability and code maturity. This article examines controller architectures, VPN routing and tunnel capacity, link monitoring and failover, integration with an existing network, and miscellaneous features across the Cisco Meraki, Cisco Viptela, Silver Peak, Aryaka and Citrix SD WAN solutions, to show how they compare and to help you decide which platform may be right for your organisation.
What to consider when comparing SD WAN vendors?
1. Controller architecture.
2. VPN routing and tunnel capacity.
3. Link monitoring and failover.
4. Existing site integration.
5. Miscellaneous features.
Controller architecture
One of the keys to nearly all SD WAN platforms, and indeed what makes them "software defined", is a centralised controller of some form. All of the SD WAN edges, whether they are hardware appliances or software routers running on a hypervisor (network functions virtualisation, or NFV), receive their configuration and traffic-forwarding instructions from that controller rather than being configured one by one.
Controller architectures vary by platform. With some platforms the vendor always retains full responsibility for the controller itself, which is usually cloud-based, while you (or a trusted third party) supply the configuration relevant to your environment, such as IP subnets and the way you want traffic routed across the VPN overlay. With other platforms you host the controller software yourself, typically in one or more centralised datacentres where you can provide high availability and redundancy. Self-hosting gives you full control over every aspect of the platform. Whichever model you choose, the controller is the trust anchor of the overlay: it pushes configuration to every edge and orchestrates the tunnels between them, so its availability and the security of its administrative access determine the security of the whole WAN.
- Cisco Meraki differs from the other platforms in that it has been controller-based from the very beginning, even before Cisco started offering SD WAN services. All Meraki devices connect over the Internet to the centralised cloud controller, with no option to run your own controller locally. Like all of the platforms covered here, if a local device cannot reach the controller it continues to operate with the last configuration it received. If your company already has an investment in Meraki MX appliances, you receive SD WAN capabilities as part of your existing licence subscription.
- Cisco Viptela has three different models available for their controller architecture. The controller can be hosted by Cisco, by a third-party, or you can host it yourself for the greatest flexibility. Cisco has also announced that the Viptela software is now integrated into their IOS-XE operating system, and certain Cisco devices that run this operating system can gain SD WAN capabilities with a software upgrade.
- Silver Peak, like Viptela, supports a cloud-based controller hosted by Silver Peak themselves, a third-party-hosted model, and a self-hosted model.
- Aryaka's controller architecture is similar to Meraki in that it is completely hosted and managed by Aryaka themselves.
- Citrix NetScaler SD WAN uses a self-hosted controller and represents a do-it-yourself model where you maintain full control over the environment and all of the settings.
VPN routing and tunnel capacity
One of the fundamental tenets of SD WAN is transport agnosticism. Each SD WAN edge communicates with the centralised controller, which orchestrates the establishment of VPN tunnels between locations, typically with some flavour of IPsec. This lets an edge use any kind of connection as long as the controller can be reached over it. Through tunnel orchestration, different routing architectures are possible: any-to-any (full mesh), hub-and-spoke, and hybrid designs where each edge connects to its nearest SD WAN gateway and the gateways then connect to each other in a full mesh.
The choice of VPN overlay routing architecture matters because each has different implications for latency and for the tunnel capacity required of each SD WAN edge. If your business has hundreds of sites, an any-to-any model in which every site establishes direct tunnels to every other site can overwhelm the tunnel capacity of less expensive edge hardware. Conversely, a strict hub-and-spoke model may add too much latency for some applications (such as VoIP) if your hub sites are far from your spokes. In that case a hybrid design with regional SD WAN gateways may be the best option.
- Meraki supports a maximum of two active VPN uplinks and can perform per-flow path selection based on different criteria such as latency and packet loss. Meraki is also configurable for different topologies such as mesh and hub-and-spoke, where the latter can help overcome MX appliance tunnel capacity limitations.
- Viptela offers a great deal of flexibility in VPN routing and supports more than two simultaneous transport interfaces. The greatest flexibility comes from hosting the controller yourself, which lets you design VPN connectivity to fit your specific needs.
- Silver Peak supports many interfaces, along with flexible VPN routing architectures including a very high tunnel capacity for each EdgeConnect appliance.
- Aryaka offers a solution where they route all traffic to their nearest Point of Presence (PoP), and then backhaul the traffic across their private internal network, which improves latency and reduces VPN tunnel counts. They partner with different cloud companies and Software as a Service (SaaS) providers which have a direct connection into their private network to further improve performance if you use these services.
- Citrix NetScaler SD WAN is similar to Viptela with its flexibility in VPN overlay routing architectures. Tunnel capacity is based on hardware appliance models and software licensing.
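The tunnel-count trade-off above is easy to misjudge by hand, so here is a small capacity estimator as an added example (not any vendor's software). It assumes one IPsec tunnel per transport pair between two edges, so two edges with two uplinks each hold four tunnels to one another, which is how most overlays build redundant paths; the estate, regions and the per-appliance limit of 50 are constructed figures, and `transports` should be set to match how your platform pairs links.

```python
"""Tunnel-count estimates for SD WAN overlay topologies (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Site:
    name: str
    region: str
    transports: int = 2      # active WAN uplinks on this edge
    gateway: bool = False    # True for hub / regional gateway sites


def _pair_tunnels(a: Site, b: Site) -> int:
    """Tunnels between two edges: every uplink on a peers with every uplink on b."""
    return a.transports * b.transports


def tunnel_matrix(sites: list[Site], topology: str) -> dict[str, int]:
    """Tunnels each edge must hold for 'mesh', 'hub_spoke' or 'hybrid'.

    mesh:      every site peers with every other site
    hub_spoke: spokes peer only with gateways; gateways peer with everything
    hybrid:    spokes peer only with gateways in their own region;
               gateways peer with every other gateway (mesh of gateways)
    """
    counts = {s.name: 0 for s in sites}
    for a, b in combinations(sites, 2):
        if topology == "mesh":
            peer = True
        elif topology == "hub_spoke":
            peer = a.gateway or b.gateway
        elif topology == "hybrid":
            if a.gateway and b.gateway:
                peer = True
            elif a.gateway != b.gateway:
                spoke, gw = (a, b) if b.gateway else (b, a)
                peer = spoke.region == gw.region
            else:
                peer = False
        else:
            raise ValueError(f"unknown topology {topology!r}")
        if peer:
            t = _pair_tunnels(a, b)
            counts[a.name] += t
            counts[b.name] += t
    return counts


def overlay_total(counts: dict[str, int]) -> int:
    """Each tunnel is counted once at each end, so halve the sum."""
    return sum(counts.values()) // 2


def check_capacity(counts: dict[str, int], limit: int) -> list[str]:
    """Edges whose tunnel count exceeds the appliance limit (sorted by name)."""
    return sorted(n for n, c in counts.items() if c > limit)


def demo_sites(spokes_per_region: int = 50, regions: int = 3) -> list[Site]:
    """Constructed estate: one gateway and N spokes per region, 2 uplinks each."""
    sites: list[Site] = []
    for r in range(regions):
        sites.append(Site(f"gw-{r}", f"region-{r}", gateway=True))
        sites.extend(Site(f"site-{r}-{i}", f"region-{r}")
                     for i in range(spokes_per_region))
    return sites


if __name__ == "__main__":
    estate = demo_sites()
    limit = 50  # constructed tunnel limit for a small branch appliance
    for topo in ("mesh", "hub_spoke", "hybrid"):
        counts = tunnel_matrix(estate, topo)
        print(f"{topo:10s} total={overlay_total(counts):6d} "
              f"max/edge={max(counts.values()):4d} "
              f"spoke={counts['site-0-0']:4d} "
              f"over_limit={len(check_capacity(counts, limit))}")
```

For the constructed 153-site estate, full mesh needs 608 tunnels on every edge, hub-and-spoke keeps spokes at 12 but loads each of the three hubs with 608, and the hybrid design drops spokes to 4 and gateways to 208, so only the gateways need the larger appliance. Run the same matrix with your own site list, uplink counts and the vendor's published tunnel limits before choosing edge models.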
Link monitoring and failover
One of the largest and most immediate benefits of many SD WAN platforms is increased visibility into individual link performance metrics. While separate network management and monitoring platforms have existed for decades, SD WAN often brings new visibility baked directly into the platform with a graphical display of link performance history.
Another benefit of SD WAN is the ability to use multiple independent links simultaneously. Many platforms even support per-packet load distribution to make better use of all available transports. Having multiple links in active use enables very rapid failover when one of them starts to degrade. Platforms differ in how mature this logic is, both in how quickly they detect degradation and in how stably they move traffic once they have.
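To make the failover behaviour concrete, the following is an added example (not any vendor's implementation) of per-flow path selection driven by probe metrics. Each transport keeps a rolling window of latency, jitter and loss samples, the window is scored against an application SLA, and a flow is moved only after its current path has failed the SLA for `hold` consecutive intervals, so a single noisy sample does not bounce flows between links; a hard reachability failure (what BFD or an upstream ping would report) moves flows immediately. The link names, probe values and SLA thresholds are constructed, and the MOS figure uses the common simplified E-model approximation, which is an assumption here rather than any vendor's exact formula.

```python
"""Per-flow path selection with SLA thresholds and hysteresis (added example)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class Probe:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def mos_estimate(latency_ms: float, jitter_ms: float, loss_pct: float) -> float:
    """Simplified E-model MOS approximation (assumed formula), roughly 1.0..4.5."""
    eff = latency_ms + 2 * jitter_ms + 10.0
    r = 93.2 - eff / 40.0 if eff < 160 else 93.2 - (eff - 120.0) / 10.0
    r = max(0.0, min(100.0, r - 2.5 * loss_pct))
    return round(1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r), 2)


@dataclass
class Link:
    name: str
    window: int = 5                      # probe samples averaged per decision
    samples: deque = field(default_factory=deque)
    reachable: bool = True               # cleared by BFD/ping on hard failure

    def observe(self, p: Probe) -> None:
        self.samples.append(p)
        if len(self.samples) > self.window:
            self.samples.popleft()

    def stats(self) -> Probe:
        return Probe(mean(s.latency_ms for s in self.samples),
                     mean(s.jitter_ms for s in self.samples),
                     mean(s.loss_pct for s in self.samples))

    def meets(self, sla: Sla) -> bool:
        if not self.reachable or not self.samples:
            return False
        s = self.stats()
        return (s.latency_ms <= sla.max_latency_ms and s.jitter_ms <= sla.max_jitter_ms
                and s.loss_pct <= sla.max_loss_pct)


class PathSelector:
    def __init__(self, links: list[Link], sla: Sla, hold: int = 2):
        self.links = {l.name: l for l in links}
        self.sla, self.hold = sla, hold
        self.current: dict[str, str | None] = {}   # flow -> link carrying it
        self.strikes: dict[str, int] = {}          # consecutive SLA misses

    def best_link(self) -> str | None:
        """Highest-MOS link that meets the SLA; any reachable link if none does."""
        ok = [l for l in self.links.values() if l.meets(self.sla)]
        if not ok:
            ok = [l for l in self.links.values() if l.reachable and l.samples]
        if not ok:
            return None
        return max(ok, key=lambda l: (mos_estimate(l.stats().latency_ms,
                                                   l.stats().jitter_ms,
                                                   l.stats().loss_pct),
                                      -l.stats().latency_ms)).name

    def place(self, flow: str) -> str | None:
        """Called every probe interval; returns the link now carrying the flow."""
        cur = self.current.get(flow)
        if cur is None or not self.links[cur].reachable:
            self.current[flow] = self.best_link()      # new flow or hard failure
            self.strikes[flow] = 0
            return self.current[flow]
        if self.links[cur].meets(self.sla):
            self.strikes[flow] = 0
            return cur
        self.strikes[flow] = self.strikes.get(flow, 0) + 1
        if self.strikes[flow] >= self.hold:            # hysteresis: hold N misses
            new = self.best_link()
            if new != cur:
                self.current[flow], self.strikes[flow] = new, 0
                return new
        return cur


def scenario() -> list[str | None]:
    """Constructed timeline: MPLS takes loss for two ticks, recovers, then the
    broadband uplink fails hard. Returns the link carrying the VoIP flow per tick."""
    mpls, bb = Link("mpls", window=3), Link("broadband", window=3)
    sel = PathSelector([mpls, bb], Sla(150, 30, 1.0), hold=2)
    mpls_probes = [Probe(20, 2, 0)] * 3 + [Probe(20, 2, 6)] * 2 + [Probe(20, 2, 0)] * 3
    placed = []
    for tick, p in enumerate(mpls_probes):
        mpls.observe(p)
        bb.observe(Probe(40, 8, 0.5))
        if tick == 7:
            bb.reachable = False                       # BFD declares the uplink dead
        placed.append(sel.place("voip"))
    return placed


if __name__ == "__main__":
    print(scenario())
```

In the constructed timeline the flow starts on MPLS (higher MOS), survives the first bad window, moves to broadband on the second consecutive miss, stays there rather than flapping back as soon as MPLS recovers, and returns to MPLS only when broadband is declared unreachable. The `window` and `hold` values are the knobs a platform exposes as probe interval and SLA violation thresholds; shorter values fail over faster but react to transient noise.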
Each of the vendor solutions discussed in this article has a graphical dashboard displaying individual link status and history, including latency, jitter and packet loss. Some dashboards also provide Mean Opinion Score (MOS) and Quality of Experience (QoE) values, which are useful for gauging general performance. Failover can be as simple as switching to another link when an upstream ping test fails, or more advanced, such as using Bidirectional Forwarding Detection (BFD) to detect failed uplinks within a fraction of a second.
Above: SD WAN supporting failover including MPLS primary connectivity.
Existing site integration
SD WAN most often arrives as a replacement for, or an addition to, your existing routers, so you need to ensure the chosen platform can integrate into your network by supporting the protocols you rely on. Not all platforms support all protocols, and the support that exists can have differing levels of code maturity. For example, nearly all SD WAN platforms support OSPF as an interior gateway protocol, but only Cisco IOS-XE devices support EIGRP. Likewise, BGP, multicast and IPv6 support may be a present or future requirement for your network.
- Meraki supports OSPF and BGP. Limited support is available for IPv6 and multicast, though these features continue to be developed over time.
- Viptela, as mentioned, supports the widest range of network protocols of all the presented solutions due to being integrated now with IOS-XE which has a long history of extensive protocol support.
- Silver Peak also supports OSPF and BGP, along with full support for IPv6. Multicast support is still a work in progress as of this writing.
- Aryaka claims complete integration with your existing network but does not publicly specify details such as routing protocol support nor IPv6 and multicast capabilities.
- Citrix NetScaler SD WAN includes rich protocol support, including OSPF, BGP, IPv6 and multicast.
Miscellaneous features
Many SD WAN platforms offer edge devices with additional features that may matter in your environment. Although most platforms have built-in management and monitoring, most companies already run a monitoring platform they want integrated with the SD WAN environment. Most vendors support this through APIs and traditional SNMP.
Another common feature is WAN acceleration. Some SD WAN vendors, such as Silver Peak, were known for their WAN acceleration products before they entered the SD WAN market. WAN acceleration optimises application traffic for transport over lower-quality links, which fits naturally into an SD WAN that uses broadband and wireless 3G/4G (and soon 5G) links. Note that techniques such as deduplication and compression only help with traffic the edge can see in the clear; application traffic that is already encrypted end to end gains little from them.
High availability (HA) features may be important for larger campus and datacentre edges. When you have a lot of clients depending on constant connectivity, SD WAN platforms can support HA at the edge in various ways. For example, you can have hardware-level redundancy by having two edges synchronised with each other such that they appear as a single device. When a single edge in the HA cluster fails, the remaining edge takes over as if nothing happened.
Most SD WAN platforms include firewall capabilities, and some offer local Internet breakout, where whitelisted Internet-bound traffic uses the directly connected Internet link instead of being backhauled through the VPN to a centralised location. Breakout exposes the branch edge directly to the Internet, so the quality of the edge firewall and of the whitelist matters as much as the bandwidth saving.
Finally, most SD WAN vendors with physical hardware appliances offer models that integrate multiple discrete components into one. SD WAN edges often function as router replacements, but some also have integrated WiFi and multi-port switches, giving so-called "branch in a box" capability. Instead of a separate router, wireless access point and network switch, you can install a single appliance at smaller branch offices, which makes connectivity and troubleshooting much easier.
- Meraki supports both SNMP and API access. Meraki used to support WAN acceleration, but that functionality was phased out of the product line. HA is achieved between two MX appliances in an active/standby arrangement using the Virtual Router Redundancy Protocol (VRRP): all traffic passes through the primary MX unless it goes offline, at which point the secondary MX takes over all traffic. VRRP-based active/standby has the disadvantage of several seconds of delay and lost traffic before the standby takes over; with VRRP's default one-second advertisement interval, the standby waits for roughly three missed advertisements before assuming the role. The MX was originally designed as a security appliance and therefore supports many firewall features, including local Internet breakout. Meraki also has several MX models that function as a branch in a box.
- Viptela with IOS-XE supports a wide range of miscellaneous features including SNMP/API access, several different modes of HA, firewalling and local Internet breakout capabilities, and branch-in-a-box depending on the appliance used. Viptela also supports WAN acceleration through TCP optimisation.
- Silver Peak has full SNMP and API access and, as mentioned, full WAN acceleration through its "Unity Boost" integration. Silver Peak also offers security integration with third-party products such as Zscaler. One particularly interesting feature is their auto-RMA process, where a device that detects a component failure can automatically send RMA details to Silver Peak. Silver Peak does not currently offer an all-in-one branch-in-a-box appliance. HA is supported in both active/active and active/standby modes: active/active uses an interconnect link between the two appliances, and active/standby uses VRRP.
- Aryaka offers its solution as fully-managed, which is sometimes referred to as “SD WAN as a Service”. Aryaka provides and manages all of the SD WAN hardware and software so there is no CAPEX involved and you pay based on an OPEX model. They also offer both their own SD WAN security solution as well as integration with third parties. WAN acceleration capabilities are built into the platform. Aryaka does not publicly provide the details of SNMP/API access nor HA capabilities.
- Citrix, like Silver Peak, began as a WAN acceleration solution. Citrix also includes built-in firewalling and security features with support for local Internet breakout, along with SNMP/API access and integration with existing network monitoring platforms through flow monitoring protocols like NetFlow and IPFIX. HA is achieved between a pair of appliances with a dedicated network interface between the two for heartbeat monitoring.
Questions to ask
As we have seen, major SD WAN vendors have different capabilities and feature maturities in their SD WAN product lines. You need to be aware of the features that are important to your organisation’s network when evaluating SD WAN platforms.
- Most platforms rely on a centralised controller, but do you need to host the controller yourself, or can you trust your vendor’s cloud offering to service your needs?
- Will the platform support your desired routing architecture in order to minimise latency and tunnel count?
- Will the vendor’s platform integrate with your existing network monitoring systems, or will you be relying on the features present in the SD WAN software?
- Does the platform support the protocols you need, along with features you may desire such as HA?
These are all important questions to consider when deciding on a single SD WAN platform.