The big idea for SD-WAN is that multiple physical WAN links of any sort can be used to carry traffic without the network engineer having to do much engineering. Rather, the SD-WAN solution runs an overlay (tunneling) on top of the physical infrastructure, abstracting the actual links away.
SD-WAN forwarders (somewhat analogous to routers) monitor the performance of each physical link, and forward individual flows to remote SD-WAN forwarders across the link best able to handle that flow’s SLA requirements. Where did it get the SLA requirements? A network operator defined them in a central controller, which distributed that policy to all of the SD-WAN forwarders.
The practical upshot of all this? A company can reduce spending on private WAN links by adding cheaper broadband links to the WAN mix.
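The path-selection logic those two paragraphs describe, reduced to running code as an added example (this is not any vendor's code; the link metrics, costs and SLA thresholds are constructed sample values, and the "5-tuple" flow key is an assumption about how flows are identified). The point it makes that the prose does not: a forwarder pins a flow to a link and only re-selects when that link stops meeting the flow's own class SLA, so a jitter spike that breaks the voice SLA can move voice to MPLS while bulk traffic stays on cheap broadband.

```python
from dataclasses import dataclass


@dataclass
class Link:
    """One physical WAN circuit with its most recent measured metrics."""
    name: str
    cost: int          # relative monthly cost, lower is cheaper (assumed scale)
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Sla:
    """What a traffic class is allowed to tolerate."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


# The "controller" policy pushed to every forwarder: class -> SLA.
# Values are constructed for the example, not taken from any vendor.
POLICY = {
    "voice": Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0),
    "bulk": Sla(max_latency_ms=400, max_jitter_ms=100, max_loss_pct=3.0),
}


def meets_sla(link, sla):
    return (link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms
            and link.loss_pct <= sla.max_loss_pct)


def select_link(traffic_class, links, policy=POLICY):
    """Cheapest link that satisfies the class's SLA; if none does, the
    lowest-latency link, so the flow is degraded rather than dropped."""
    sla = policy[traffic_class]
    candidates = [l for l in links if meets_sla(l, sla)]
    if candidates:
        return min(candidates, key=lambda l: l.cost).name
    return min(links, key=lambda l: l.latency_ms).name


class Forwarder:
    """Pins each flow to a link and only re-selects when the pinned link
    stops meeting that flow's SLA, so sessions are not bounced between
    paths on every metric wobble."""

    def __init__(self, links, policy=POLICY):
        self.links = {l.name: l for l in links}
        self.policy = policy
        self.pinned = {}   # flow key (assumed: a 5-tuple) -> link name

    def update_metrics(self, name, **metrics):
        """Apply a fresh probe result for one link (e.g. jitter_ms=80)."""
        for k, v in metrics.items():
            setattr(self.links[name], k, v)

    def forward(self, flow_key, traffic_class):
        sla = self.policy[traffic_class]
        current = self.pinned.get(flow_key)
        if current is not None and meets_sla(self.links[current], sla):
            return current
        choice = select_link(traffic_class, list(self.links.values()), self.policy)
        self.pinned[flow_key] = choice
        return choice


# Constructed sample circuits: expensive MPLS, cheap broadband, LTE backup.
SAMPLE_LINKS = [
    Link("mpls", cost=10, latency_ms=40, jitter_ms=5, loss_pct=0.1),
    Link("broadband", cost=2, latency_ms=60, jitter_ms=12, loss_pct=0.3),
    Link("lte", cost=5, latency_ms=120, jitter_ms=45, loss_pct=1.5),
]

if __name__ == "__main__":
    fwd = Forwarder(SAMPLE_LINKS)
    voice = ("10.1.1.5", "203.0.113.9", 5060)
    print(fwd.forward(voice, "voice"))                       # broadband
    fwd.update_metrics("broadband", jitter_ms=80)            # broadband degrades
    print(fwd.forward(voice, "voice"))                       # mpls
    print(fwd.forward(("10.1.1.7", "198.51.100.2", 443), "bulk"))  # broadband
```

Note the deliberate asymmetry: a degraded link is abandoned as soon as it breaks the SLA, but a recovered link is not re-adopted until the pinned link itself fails the SLA. That keeps sessions stable and is the behaviour most forwarders approximate; a real product adds a dampening timer on top.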
The Packet Pushers have heard from the following list of companies. Some of these vendors are Packet Pushers sponsors or podcast guests, meaning you can search our site to find more detailed information about their products and services.
Last updated 10-April-2019.
128 Technology (128T) makes routing software that runs on x86 and, eventually, ARM platforms. The software scales linearly with cores assigned, assuming DPDK capable hardware. A dual- or quad-core Intel Atom platform typically sees ~1Gbps, while a 22-core Intel Xeon will see ~100Gbps of throughput.
A 128T network forwards at each routing node independently, but is managed centrally via their Conductor controller. 128T routing technology forwards traffic based on sessions. Each node tracks session state, forwarding packets that are a part of a known session in accordance with policy defined on the Conductor.
128T routers can peer with each other for enhanced forwarding capabilities or with non-128T routers using standard routing protocols like BGP and OSPF. 128T nodes can forward to each other, allowing for sophisticated traffic engineered, per-session paths.
A 128T network creates a dynamic, session-oriented service fabric with a number of use cases. One of these use cases is SD-WAN. In an SD-WAN scenario, paths are engineered to forward specific traffic classes over specific links, or over links with specific latency, jitter, and loss characteristics measured in real time, matching a centrally defined SLA.
The 128T pricing model is unique and potentially cost-effective, billing for aggregate traffic flowing through the network each month, as opposed to a static per-device, per-port, or throughput-limited model.
Adaptiv Networks hardware and software create a virtual network overlay across the Internet. An Adaptiv Networks box connects to the Adaptiv Networks core, where traffic is optimized across the Internet backbone between the Adaptiv Networks cloud gateways. Note that the Adaptiv Networks core is managed and encrypted, but it is not a private WAN, because it runs over the public Internet.
Adaptiv Networks technology translates to an SD-WAN offering as well as an SD-Internet offering.
Adaptiv Networks caters to the reseller market, partnering closely with firms who wish to offer SD-WAN to their customers. The Adaptiv Networks solution scales, but Adaptiv Networks considers small installs to be a good fit for their technology as well.
Aryaka’s global SD-WAN is used by 500+ global enterprises to replace their legacy MPLS-based connectivity worldwide.
The core of Aryaka’s global SD-WAN is a private network with 26 points of presence (POPs) across six continents, which Aryaka says are less than 30 milliseconds from 95% of the world’s business users. These POPs are interconnected by a backbone of private circuits from top-tier service providers. Enterprises use the Internet for last-mile connectivity to the nearest POP, while Aryaka’s backbone carries traffic between POPs with, in Aryaka’s telling, transport quality beyond what the Internet or MPLS offers, plus built-in cloud and SaaS connectivity. On top of this network, Aryaka layers SD-WAN, WAN optimization, content delivery network (CDN) functionality, mobile application acceleration, and connectivity to cloud platforms.
Aryaka’s global SD-WAN is delivered as a service. Aryaka claims cost reductions of more than 50% compared to legacy solutions like MPLS, and that deployment at a customer site takes hours rather than the months typically needed to provision MPLS.
Barracuda makes various networking-related appliances aimed primarily at the mid-market. Their NextGen Firewall F-Series is a feature-rich firewall that includes some SD-WAN functionality.
According to Barracuda, the F-Series shares load across multiple WAN connections simultaneously, distributes encrypted VPN tunnels across those connections, and increases effective bandwidth with built-in compression, caching, and WAN optimization. The pitch is cost savings from simplified management and a reduced need for high-quality lines. Barracuda also claims the F-Series is the only firewall combining full, built-in next-generation security with SD-WAN capabilities, a claim worth weighing against the Fortinet and Meraki MX entries below, which describe the same combination.
The Packet Pushers haven’t had a chance to talk to BigLeaf in detail yet. Here’s a summary of their offering in their own words…
Bigleaf is an SD-WAN provider improving connectivity to the cloud. We don’t do site-to-site connectivity, which gives us an amazing security story since we don’t breach the security perimeter of the LAN, and our install is plug-n-play easy. Our Same-IP failover is a great BGP replacement, we intelligently load-balance all traffic in real-time based on ISP conditions, and our patent-pending Dynamic QoS system is core to our strength in optimizing real-time VoIP and other cloud traffic.
Cato Networks is a startup that’s aggressively competing against MPLS providers by offering its own cloud-based WAN backbone. Like other SD-WAN vendors, Cato provides a branch device that lets customers use multiple link types–broadband, LTE, and MPLS (or Cato’s own WAN instead of MPLS)–and provides application-based policy options to direct traffic over specific links. In addition, Cato offers a series of cloud-based security services including firewalling and malware detection. The company targets small and medium enterprises. Shlomo Kramer, who also helped launch Check Point Software, is a co-founder.
Note: The understanding of the Packet Pushers from the Cisco folks is that over time, IWAN will be deprecated in favor of Cisco’s acquired Viptela SD-WAN offering. We leave this entry here because there is still a lot of IWAN information to be found on the Internet.
Intelligent WAN (IWAN) runs on Cisco routers with the appropriate licensing. IWAN is a collection of Cisco technologies that work together to make dynamic path forwarding decisions: DMVPN provides the overlay, PfRv3 monitors path quality, policy is distributed through a hierarchical arrangement of policy distribution routers, and NBAR/NetFlow provide limited application recognition. Network operators manage the system via the APIC-EM controller, which had not yet reached general availability when this entry was written.
The Cisco Meraki MX is primarily a branch security platform, providing full next-gen firewalling, DPI, malware prevention, etc. However, Meraki has extended the MX platform to offer not only security services but also WAN connectivity, including an SD-WAN capability. To Meraki’s way of thinking, all branch WAN security providers will eventually need to offer SD-WAN services to remain competitive. From that point of view, it’s easy to infer Meraki’s target market with the MX: businesses that want to keep branch operations as simple as possible.
Meraki’s SD-WAN solution supports dual-connected WAN interfaces. Typical customer deployments are broadband + MPLS, broadband + 4G, and dual broadband circuits. Over these physical circuits, Meraki uses their Auto VPN IPsec technology, standing up all possible tunnels in the defined topology, either hub-and-spoke or mesh, with customers defining which sites are able to talk to which others.
Path quality testing runs at one-second intervals, with results kept as a 30-second rolling average. When that rolling average exceeds a customer-defined threshold for loss, latency, and/or jitter, traffic is switched to the better-performing path. Tracked metrics include MOS, which governs the path selected for VoIP, a traffic class Meraki has predefined.
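The measurement side of that description, one probe per second averaged over a 30-second window and a switch only when the average breaches a threshold, as an added example (not Meraki's code). The MOS estimate uses the widely circulated simplified E-model approximation (effective latency to R-factor, then the ITU-T G.107 R-to-MOS conversion); that formula and the threshold values are assumptions, since the page does not say how Meraki computes MOS. The worked scenario shows why a rolling average matters: a single bad probe does not flip the path, but sustained loss does.

```python
from collections import deque


def mos_estimate(latency_ms, jitter_ms, loss_pct):
    """Estimate a voice MOS score from path metrics.

    Simplified E-model approximation (assumed here, not Meraki's formula):
    effective latency -> R-factor, then the G.107 conversion to MOS.
    """
    effective = latency_ms + 2.0 * jitter_ms + 10.0
    if effective < 160.0:
        r = 93.2 - effective / 40.0
    else:
        r = 93.2 - (effective - 120.0) / 10.0
    r -= 2.5 * loss_pct
    r = max(0.0, min(100.0, r))
    return 1.0 + 0.035 * r + 7e-6 * r * (r - 60.0) * (100.0 - r)


class PathMonitor:
    WINDOW = 30   # one probe per second, averaged over 30 seconds

    def __init__(self, thresholds):
        # thresholds: metric name -> maximum acceptable rolling average.
        # The values used below are constructed, not Meraki defaults.
        self.thresholds = thresholds
        self.samples = {}  # path name -> deque of (latency, jitter, loss)

    def record(self, path, latency_ms, jitter_ms, loss_pct):
        """Store one probe result; the deque silently drops the oldest."""
        q = self.samples.setdefault(path, deque(maxlen=self.WINDOW))
        q.append((latency_ms, jitter_ms, loss_pct))

    def rolling(self, path):
        q = self.samples[path]
        n = len(q)
        return {
            "latency_ms": sum(s[0] for s in q) / n,
            "jitter_ms": sum(s[1] for s in q) / n,
            "loss_pct": sum(s[2] for s in q) / n,
        }

    def breached(self, path):
        avg = self.rolling(path)
        return any(avg[m] > limit for m, limit in self.thresholds.items())

    def choose(self, active, candidates):
        """Stay on the active path until its 30 s average breaches a
        threshold, then move to the candidate with the best estimated MOS."""
        if not self.breached(active):
            return active
        return max(candidates, key=lambda p: mos_estimate(**self.rolling(p)))


if __name__ == "__main__":
    mon = PathMonitor({"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0})
    for _ in range(30):                       # 30 s of clean probes on both paths
        mon.record("broadband", 60, 12, 0.3)
        mon.record("mpls", 40, 5, 0.1)
    mon.record("broadband", 60, 12, 10.0)     # one bad second: no switch
    print(mon.choose("broadband", ["broadband", "mpls"]))   # broadband
    for _ in range(20):                       # sustained 10% loss: switch
        mon.record("broadband", 60, 12, 10.0)
    print(mon.choose("broadband", ["broadband", "mpls"]))   # mpls
```

A 30-second average also means a failover takes up to tens of seconds to trigger after a circuit goes bad; that lag is the price of not flapping on transient loss, and it is the figure to compare against the sub-2-second failover Fortinet quotes further down.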
As typical for Meraki, MX platform management is via a cloud-based controller. MX appliances report to the cloud controller, and receive instructions from it. To the best of our knowledge, customers do not have an option for a locally deployed controller.
In Q2 2017, Meraki expects to add SD-WAN templates and L7 application identification to the MX, providing centralized SD-WAN management and granular policy-based routing to the platform. Currently, policy can only impact flows up to L4. BGP is also coming to the MX for integration with complex branch and HQ routing scenarios. OSPF is already available, where an MX will announce to a site what subnets are reachable via that MX.
Viptela works with a central policy controller and SD-WAN forwarders. Viptela’s early differentiators have been high scalability and easy integration with traditional routing systems. The Gap (a retail clothing store) is a notable customer, with a Viptela install in excess of 1,000 locations.
In May 2017, Cisco announced that it was acquiring Viptela for $610 million.
NetScaler SD-WAN is an SD-WAN solution focused on optimizing traffic flows between a local office and cloud-hosted applications. Appliances are deployed at each remote location and the corporate data center. The appliance logically bonds multiple connections–including MPLS, broadband, mobile and satellite–into a single, virtual link. Connections between appliances can be encrypted using IPSec.
NetScaler SD-WAN (formerly CloudBridge) measures each packet to monitor link performance. If performance on one link degrades, the appliance can shift the flow to a different link. The appliance also includes WAN optimization features, including TCP termination, data compression and deduplication, and caching for streaming video.
A controller manages the network, updates the software, and lets administrators set policies. Customers can prioritize applications based on business requirements; for example, VoIP calls can get the highest priority while Web surfing gets best effort. Administrators can also prioritize link types; for example, 3G can be set to be used only as a backup if other connections go down.
CloudGenix offers a full SD-WAN solution complete with forwarders, a policy controller, and a traffic analytics engine. It’s conceivable to replace traditional WAN routers with CloudGenix forwarders, which CloudGenix calls ION Elements, over time. CloudGenix prides itself on application and sub-application identification, an important capability when mapping application flows to specific WAN links for transport.
Whitepaper: CloudGenix SD-WAN Whitepaper By Packet Pushers
Historically, Ecessa made appliances that could aggregate multiple DSL circuits to act as a single logical WAN circuit. Over time, they added functions like special treatment for SIP and voice traffic as well as enhanced security features. Ecessa can still do all of these things, but now in an SD-WAN model that caters to smaller companies with 10-50 sites, although Ecessa has customers with fewer than 10 sites and others with 200 or more.
Key architectural features of Ecessa include automatic failover, load balancing, traffic routing and seamless connectivity — table stakes for SD-WAN products these days. An Ecessa purchase comes with Ecessa engineering – a turnkey service where Ecessa helps the customer bring the appliances online, maps traffic patterns, and stands up site-to-site tunnels in a hub-and-spoke, partial mesh, or full mesh topology after determining the best fit.
Ecessa is quick to point out that they offer multiple SD-WAN products in a “good, better, best” tiering structure. Why? Ecessa does not believe that one size fits all. Not all of their customers will require full SD-WAN. Some customers might only need a few basic features to improve their WAN performance and uptime.
Ecessa claims a 100% retention rate over roughly 250 different customers. That’s an interesting commentary on how their clientele feels about their product after it’s been installed.
Historically an Internet link load-balancing vendor, Elfiq has expanded its offering with SD-WAN capabilities. An engagement with Elfiq will likely involve their engineering services to get the system up and running initially, since endpoints must be programmed to talk to one another. Once built, the endpoints keep their configuration synchronized with one another, so that when a new endpoint is added, every endpoint in the system learns the new destination.
Elfiq offers the core SD-WAN value proposition of secure transport over the Internet. Elfiq also offers an array of closely related products such as hybrid WAN and deep packet inspection that work together for a more complete WAN offering.
In October 2017, Elfiq announced branding of their SD-WAN platform as ATLAS. More details of the solution are yet to come according to their website, but the focus seems to be “SDWAN-as-a-Service.” ATLAS can be run on a hardware product called CORE, a box aimed at MSPs and HQ locations announced in April 2018. CORE complements Elfiq’s familiar EDGE appliance.
Elfiq joined Martello in January 2018 as a subsidiary organization.
FatPipe® holds multiple patents in software-defined wide area networking dating back to the late 1990s and has been shipping products since 2001. Its MPVPN product description aligns most closely with what I’d expect from an SD-WAN forwarding appliance. Coupled with its Symphony orchestration platform, I believe it adds up to what I think of as a typical SD-WAN architecture.
flexiWAN is an open source SD-WAN, but that’s only part of the story. The project is also building a virtual router and other infrastructure functions, such as security. As with many OSS projects, there will be a commercial variant.
On top of flexiWAN, you can, if you like, roll your own SD-WAN solution catered to your individual requirements. Ergo, the “flexi” in flexiWAN means the platform is customizable. There is an interface to write code, which you could leverage to handle in a unique way your own applications. For example, perhaps you’re a VoIP provider, and want to make decisions at the SD-WAN router level based on your VoIP system telemetry. FlexiWAN allows you to do this, something they claim is lacking in any other SD-WAN solution.
The big win for flexiWAN users is that they can construct a differentiated SD-WAN service offering. Another selling point is that it lets you integrate cutting-edge technologies of any sort as services, and the set of applications you can make forwarding decisions on is not fixed by the vendor.
If the customization of flexiWAN isn’t that interesting to you, be aware that flexiWAN delivers SD-WAN out of the box, too. You aren’t required to create a customized SD-WAN solution to use flexiWAN.
Fortinet is a security vendor that has added SD-WAN functionality to their next-generation firewall appliances. This is similar to the “branch-in-a-box” move we’ve seen several vendors make, catering to customers who wish to consolidate their branch operations and physical appliances under one vendor flag in one single device.
As a branch-in-a-box play, Fortinet is not a pure-play SD-WAN connectivity tool. That said, it feels like Fortinet is playing to their strengths by leveraging their existing, scalable platform and management tooling and adding smarter routing. Perhaps security has been their historical focus, but adding SD-WAN forwarding capabilities sure feels like it dovetails in nicely. It’s hard to say whether this approach will win Fortinet new customers or merely keep existing customers from checking out the market.
Let’s review some speeds and feeds.
SD-WAN links are monitored for jitter, packet loss and latency using several different techniques, including ping, HTTP and TWAMP (Two-Way Active Measurement Protocol). When a WAN link moves to a degraded state, Fortinet expects failover to take less than 2 seconds.
Fortinet can support sizable clients, with solid scaling ability and multi-tenancy. One of their largest deployments of FortiGate appliances exceeds 13K sites, with typical deployments ranging from hundreds to thousands of sites.
Tunneling architecture between branches can be whatever you like. Fortinet supports hub and spoke, partial mesh, full mesh, and on demand VPN. Up to 4,000 tenants (administrative domains and virtual domains in Fortinet-speak) are supported.
FortiGate appliances come in several form factors with throughput ranging from 200Mbps to 20Gbps, depending on the features being deployed. These appliances can completely replace a WAN router; in fact, Fortinet claims that this is the typical deployment for their customers. Physical ports supported include RJ45 copper, SFP, SFP+, ADSL/DSL/ADSL+, LTE and wireless 802.11a/b/g/n. Routing protocol support includes static, BGP, OSPF, RIP and IS-IS. The appliances support HA as well as clustering.
Centralized management, monitoring, and reporting are available with the FortiManager and FortiAnalyzer products.
Brief: FortiGate Solution Brief
Demo: Fortinet SD-WAN Demo
Formerly Glue Networks, Gluware launched their Gluware 2.x orchestration system in early 2016. Gluware’s initial use case was orchestration of Cisco’s IWAN, but the system has grown into a toolset for broader network engineering configuration needs. SD-WAN remains one Gluware use case, although they have expanded the offering to automate any aspect of any network, with support for twelve vendors and sixteen network operating systems as of April 2018.
Gluware is based around the idea of models used to push complex changes to a variety of devices. The system is not “dumb,” in that it doesn’t blindly push code out to devices. Rather, Gluware knows the current state of a device as well as the intended state, and pushes only the required changes as well as removing extraneous, out-of-standard code. Therefore, the system is intelligent, with logic checks that occur before, during, and after deployment task execution.
The system is impressively powerful and readily intuitive to network engineers used to writing code stanzas at the CLI to configure Cisco devices, Juniper devices, etc. Gluware maps well to existing operational practices, with customers making Gluware part of their change control approval process and deployment workflows.
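The current-state-versus-intended-state behaviour described above, as an added example (this is not Gluware's code, and the IOS-like stanza syntax is only a stand-in; both sample configs are constructed). It parses a running config and a model into stanzas, then emits only the lines needed to move one to the other, including the removal of an out-of-standard line, which is exactly the drift a blind "push the template" tool would leave in place.

```python
"""Declarative reconcile: current device config -> intended model."""

# Constructed sample configs in an IOS-like syntax (a stand-in, not a
# real device's output). Indented lines belong to the preceding stanza.
SAMPLE_CURRENT = """interface GigabitEthernet0/0
 description old
 ip address 10.0.0.1 255.255.255.0
 no shutdown
ip http server
"""

SAMPLE_INTENDED = """interface GigabitEthernet0/0
 description WAN uplink
 ip address 10.0.0.1 255.255.255.0
 no shutdown
ip ssh version 2
"""


def parse_stanzas(text):
    """Map each top-level line to the set of its indented child lines.
    A top-level line with no children (e.g. 'ip ssh version 2') maps to
    an empty set."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            stanzas[current].add(raw.strip())
        else:
            current = raw.strip()
            stanzas.setdefault(current, set())
    return stanzas


def reconcile(current_text, intended_text):
    """Return the ordered CLI lines that move current -> intended.

    Lines present on the device but absent from the model are negated
    with 'no ...' (assumed convention); lines in the model but not on
    the device are added. Identical stanzas produce no commands at all.
    """
    cur, want = parse_stanzas(current_text), parse_stanzas(intended_text)
    cmds = []
    for parent in sorted(set(cur) | set(want)):
        c, w = cur.get(parent), want.get(parent)
        if w is None:                       # whole stanza is out of standard
            cmds.append(f"no {parent}")
            continue
        if c is None:                       # stanza missing entirely
            cmds.append(parent)
            cmds.extend(f" {line}" for line in sorted(w))
            continue
        removes, adds = sorted(c - w), sorted(w - c)
        if removes or adds:
            cmds.append(parent)
            cmds.extend(f" no {line}" for line in removes)
            cmds.extend(f" {line}" for line in adds)
    return cmds


if __name__ == "__main__":
    for line in reconcile(SAMPLE_CURRENT, SAMPLE_INTENDED):
        print(line)
```

Two properties make this safe to wire into a change-control workflow: running it against an already-compliant device yields an empty change set (so a scheduled run is a no-op, not a reload), and the change set itself is reviewable text that can be attached to the approval before anything is pushed.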
Based in Canada, Multapplied Networks is a provider of SD-WAN technology primarily to service providers and managed service providers. SPs and MSPs use Multapplied technology to create their own service offerings for their customers, placing Multapplied in a similar space to TELoIP, VMware’s VeloCloud, and a few others.
Multapplied is not in the hardware business, although they have a series of x86-based CPE boxes they test. Test results are published to help Multapplied buyers make informed decisions about what hardware they should choose to obtain the performance from Multapplied software they require. This approach underscores Multapplied’s focus on enabling SPs & MSPs to build whatever branded service they wish to offer their customers.
Multapplied, like most SD-WAN offerings, is physical-layer agnostic, aggregating WAN services over a mix of DOCSIS, LTE, MPLS, and so on. The technology delivers IP over whatever the physical layers happen to be, enabling a carrier- and circuit-diversity design intended to keep applications available when any single circuit fails.
Multapplied capabilities also include multiple tiers of encryption that can be leveraged on an application-by-application basis, a claimed 90%-95% circuit utilization efficiency, single flow distribution across multiple physical circuits at a time, and hitless real-time transfer of flows away from circuits that begin to underperform.
Multapplied licenses based on circuits in use, truing up on a monthly basis. This gives customers low startup costs and flexibility, enabling a slow business ramp up as they sort out their service offerings.
We were briefed on Mushroom Networks by Cahit “call him Jay” Lad, CEO. Like Talari, mentioned below, Mushroom has been around for a while. It got its start making broadband bonding appliances, maximizing traffic throughput by making multiple physical links, of whatever type, behave as one single link. Some of you might think of MLPPP; Mushroom offered a more comprehensive solution than that.
With that heritage, Mushroom has moved into the SD-WAN space. Mushroom can still tie all links together, and push a single flow across all links. For those of you who shuddered at this notion, thinking of “per packet load balancing” in ECMP scenarios, consider that Mushroom deals with re-ordering of packets when needed, etc. for you — and it’s old hat to them. Other vendors such as Silver Peak and Talari can perform this exact same feat.
Mushroom can also manage sensitive traffic such as VoIP or video with its Armor products that specialize in these sorts of traffic flows.
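What "deals with re-ordering of packets for you" amounts to on the receiving end, as an added example (not Mushroom's, Silver Peak's or Talari's code). The sender is assumed to stamp each packet of a flow with a sequence number before striping it across links; the receiver holds out-of-order arrivals until the gap ahead of them fills, and gives up on a gap once too many packets are queued behind it so that one lost packet on one link cannot stall the flow forever. The simulation stripes a stream round-robin over two links with different delays, which is the case that makes naive per-packet ECMP reorder badly.

```python
import heapq


class ReorderBuffer:
    """Receiver side of a flow striped packet-by-packet across links.

    Packets carry a sender-assigned sequence number (assumed format).
    Out-of-order arrivals wait in a min-heap until the gap in front of
    them is filled; to bound head-of-line blocking, a gap with more than
    max_hold packets queued behind it is declared lost and skipped.
    """

    def __init__(self, max_hold=8):
        self.expected = 0
        self.heap = []          # (seq, payload) waiting on an earlier seq
        self.pending = set()    # seqs currently in the heap (dedupe)
        self.max_hold = max_hold
        self.delivered = []     # everything released, in order
        self.lost = []          # sequence numbers given up on

    def _drain(self, out):
        while self.heap and self.heap[0][0] == self.expected:
            seq, payload = heapq.heappop(self.heap)
            self.pending.discard(seq)
            out.append(payload)
            self.expected += 1

    def receive(self, seq, payload):
        """Feed one packet as it arrives from any link; returns the packets
        that can now be released to the application, in order."""
        out = []
        if seq < self.expected or seq in self.pending:
            return out          # duplicate, or a late copy of a skipped packet
        heapq.heappush(self.heap, (seq, payload))
        self.pending.add(seq)
        self._drain(out)
        if len(self.heap) > self.max_hold:
            self.lost.extend(range(self.expected, self.heap[0][0]))
            self.expected = self.heap[0][0]
            self._drain(out)
        self.delivered.extend(out)
        return out


def simulate(payloads, link_delays_ms, interval_ms=1.0):
    """Stripe packets round-robin over links with different one-way delays
    (constructed), derive the arrival order, and run the stream through
    the buffer. Returns (delivered payloads, lost sequence numbers)."""
    arrivals = []
    for seq, payload in enumerate(payloads):
        delay = link_delays_ms[seq % len(link_delays_ms)]
        arrivals.append((seq * interval_ms + delay, seq, payload))
    arrivals.sort()
    rb = ReorderBuffer()
    for _, seq, payload in arrivals:
        rb.receive(seq, payload)
    return rb.delivered, rb.lost


if __name__ == "__main__":
    stream = [f"p{i}" for i in range(10)]
    delivered, lost = simulate(stream, link_delays_ms=[5, 20])
    print(delivered == stream, lost)     # True []
```

The buffer depth is the real design knob: too shallow and the slow link's packets are declared lost while still in flight, too deep and latency-sensitive traffic waits on a genuinely lost packet. Products that stripe single flows size this from the measured delay difference between links, which is one more reason they probe every path continuously.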
Nuage’s SDN solution has found traction as a network virtualization platform and in cloud operations. Nuage abstracts the physical network away and automates virtual network services. The functionality is rich enough that Nuage has a play in the SD-WAN space as well, although that has not been its hallmark. If you’ve not heard of Nuage, you should put them in the same mental bucket as Cisco ACI and VMware NSX.
Open Systems is focused on SD-WAN with integrated security functions, including a managed SOC. Edge appliances have NFV capability with routing, SD-WAN, application firewalling and more. The security focus is accompanied by analytics and visibility into network performance. SD-WAN itself isn’t that hard; adding security is the more complex undertaking.
In December 2015, Cradlepoint announced that it was acquiring Pertino to integrate SD-WAN capabilities into Cradlepoint’s devices. The acquisition price was not disclosed.
Long the WAN acceleration king, Riverbed is adding SD-WAN capabilities to its strengths in traffic analysis and knowledge of WAN environments. Riverbed could be criticized for being a little slow to the SD-WAN party, but customers who are already using the venerable Steelhead products for WAN acceleration should be poking their reps about SD-WAN capabilities.
This is especially true for those enterprises consuming applications in the cloud, as Riverbed partners with cloud providers to position what we think of as “Steelheads in the sky.” The right license key gives you access to this functionality.
Riverbed purchased Ocedo in January 2016.
Historically a WAN optimization player like Riverbed, Silver Peak has released an SD-WAN product called Unity, including the Unity Edge appliance that can terminate WAN circuits. Silver Peak has always been good at application identification; it brings that capability, along with its policy controller, into a full SD-WAN solution. Silver Peak also offers a step-up called Unity Boost that adds WAN optimization capability to the SD-WAN platform.
Sonus manages application flows across a WAN infrastructure with its NaaS IQ product, conceptually similar to some of the other solutions mentioned. Where Sonus is unique is in how it directs traffic. Sonus manages WAN edge switches using OpenFlow, although it de-emphasizes OpenFlow specifically, pointing out that how it directs flows is less important than the fact that it does direct flows.
Talari is another SD-WAN firm with appliances as well as a controller. Its value proposition is for you to mix and match your WAN links while guaranteeing a particular user experience you define. Talari is notable in that the company has been around for a while, offering an SD-WAN solution before SD-WAN was a trendy buzzword. Even if you’ve never heard of Talari before, it isn’t a startup.
Talari was acquired by Oracle in 2018.
VeloCloud’s SD-WAN focuses on optimizing user experience as they consume cloud applications. VeloCloud has appliances located globally, and makes certain that your LAN-to-cloud traffic traverses the optimal Internet path. VeloCloud also offers a brandable solution for managed service providers, and will be growing into the enterprise WAN space as well. At a couple of events, I’ve seen a fascinating demonstration where VeloCloud simulates a troubled link and pushes a video stream through it, both with and without VeloCloud impacting the flow.
A 2015 entrant to the SD-WAN market formed by ex-Juniper staff. Key features are:
- Focus on service injection/NFV in the edge node
- Scaled deployment model through the use of BGP for configuration state
- Targeting carrier and managed service providers
- NETCONF APIs for configuration and operational management
- Strong focus on multi-tenancy in the data plane and controller platform
- Many carrier features for SD-WAN
Virtela was acquired by NTT Communications in January 2014. While Virtela doesn’t market itself as SD-WAN, the company does offer functionality similar to SD-WAN with their global cloud product offerings. In short, Virtela abstracts away a variety of carriers, offering global service guarantees for different traffic classes from one end of the planet to the other. This core service is offered as a component of a variety of products, including IP VPN, Cloud-Based Application Acceleration, and Virtualized Overlay Networking.
Enterprises consuming these services connect to their own endpoints, or to endpoints in public clouds. The end user experience is optimized by Virtela’s platform, meaning that Virtela sorts out the best way across the global Internet for a given application beyond what comparatively simple BGP routing is able to achieve.
Aside from vendors making SD-WAN products, there are resellers specializing in SD-WAN solutions who can help you choose the platform that makes sense for your traffic mix, application deployment model, and business requirements.
MPLS-Experts is a WAN consultancy with SD-WAN expertise. Their approach is to perform detailed WAN traffic analysis at customer sites, then design a solution to best meet the needs indicated by the application mix. MPLS-Experts has no loyalty to any single SD-WAN solution, positioning the best technology to meet the organization’s needs.
Podcast: How To Shop for SD-WAN
WAN Dynamics is an SD-WAN VAR and integrator, reselling SD-WAN products from VeloCloud, BigLeaf, and Talari under the DynaWAN product name. WAN Dynamics’ calling card is no outsourcing. They do all their own work in-house.