SD-WAN products are, by design, supposed to provide highly available network connections by automatically failing over from one link to another.
Cato Networks is extending that availability to other components of its SD-WAN offering with a new appliance and features that aim to keep packets moving regardless of device failure, network changes, or even the loss of Cato’s private network.
Making The Swap
Cato Networks offers an SD-WAN platform based on a global private network. Branch and remote offices connect to that network via appliances that use last-mile broadband, MPLS or LTE connections to reach the nearest Cato Point of Presence (PoP).
The traffic then goes across the Cato network (which it calls the Cato Cloud), exits at the PoP closest to the destination, and terminates at the local branch appliance. Cato has more than 40 PoPs around the world.
Recently Cato added a new appliance to its product family, the X1700. This is a 1RU device that includes hot-swappable power supplies and storage. The X1700 joins the X1500 appliance, which only has a single power supply.
Both the X1700 and the X1500 appliances can be clustered in active-active and active-passive pairs for high availability, but Cato positions the X1700 as extending its HA profile with the hot-swappable components; for example, a power supply failure in the X1700 won’t take down the box.
Cato’s SD-WAN offering includes the option to deploy next-gen firewalls. The company has updated its management capabilities so that security policies on these Cato firewalls will automatically update to match network changes.
The goal is to prevent users from being accidentally blocked from accessing applications and resources when network changes occur.
For example, if a VM hosting a business application typically runs in a data center in Chicago, but gets v-motioned to a data center in Dallas, firewall policies at the Dallas data center will automatically update so that branch offices that used to connect to the VM in Chicago via the SD-WAN will be able to reach that VM in its new location, without an administrator having to make any changes.
Note that this capability only works with Cato’s firewall service; it’s not available for third-party firewalls.
Cato has also added features that let its appliances continue operating if a PoP goes offline, or even if Cato’s private backbone goes down.
In the first case, if a branch office’s nearest PoP is in, say, Florida, and that PoP goes down because of a natural disaster, the appliance at the branch will rehome to the next nearest location where Cato has a PoP.
In the second, if Cato’s entire private network goes down (which the company would like to reassure you is unlikely because it runs its network across multiple Tier-1 carriers), the Cato appliances at each branch will find one another and essentially create peer-to-peer networks among the devices.
The appliances use Datagram Transport Layer Security (DTLS) to authenticate one another and set up encrypted tunnels to create this ad-hoc network. Note that performance is likely to be impacted in this scenario, but packets will still flow.
Availability As Differentiation
Given the congestion in the SD-WAN market, vendors are looking to create competitive differentiation. Cato’s focus on availability at multiple tiers of its offering is one such effort to set itself apart from its peers.
Of course, on a slide deck availability is always high and failovers are always seamless. If availability is a priority for your SD-WAN plans, Cato may be worth a look, but be sure to test these claims.