Top SD-WAN Vendors

Top SD-WAN Vendors in 2020 & How to Select One for Your Enterprise

When you look at the vast landscape of SD-WAN vendors, there is a plethora of features and differentiators that each vendor touts as part of its marketing pitch. It’s extremely challenging for the IT department to navigate claims and counterclaims by SD-WAN vendors while keeping an eye firmly on the business needs.

In this blog, we cut through the noise to give you an unbiased insight into the specific capabilities of top SD-WAN providers that we believe have demonstrated solution maturity, implementation success and scale.

This article aims to highlight the key elements of each vendor platform and their differentiators. For simplicity, we categorized SD-WAN vendors into two categories:

  1. SD-WAN Complete Branch
  2. SD-WAN Edge Only

In addition to vendor comparison, we have created a handy checklist that you can download and use as a template for evaluating SD-WAN solutions for your enterprise.

SD-WAN Vendor Categories Included in This Evaluation

1. SD-WAN – Complete Branch

This category of SD-WAN platform includes solutions with a unified architecture that offers:

  • SD-WAN orchestration and traffic control
  • Native Next-Generation Firewall (NGFW) capabilities
  • Single vendor branch infrastructure (Switching and wireless access points (WAPs) controlled via a common orchestration platform)

The main benefit of these platforms is a much lower total cost of ownership (TCO) when compared to an edge only solution combined with a separate cloud security solution. TCO is lower not only because the SD-WAN and NGFW functions are bundled, but also because the licensing is typically less expensive and is not throughput based.

2. SD-WAN – Edge Only

This category includes solutions that are purpose-built to perform edge SD-WAN functions. Their main features include:

  • SD-WAN orchestration and traffic control
  • Application performance monitoring

Edge Only platforms are focused on application delivery and reliability as their main function. Some of the edge only SD-WAN platforms offer network administrators a sophisticated application monitoring and analytics capability to help identify root causes of performance problems.

Edge Only platforms typically have a higher TCO than complete branch solutions.

Top Vendors SD-WAN – Complete Branch

There are two main players in the SD-WAN complete branch category, Fortinet and Cisco Meraki.

Fortinet

Founded in 2000, Fortinet has been building security products for 20 years. Their flagship product is an enterprise firewall platform called “FortiGate”. SD-WAN features have been added to the flagship products and are available in the latest firmware revisions. As an SD-WAN solution, Fortinet has ascended to the top right corner of the Gartner Magic Quadrant for WAN Edge Infrastructure. This benefits clients already using the platform, as enabling best-in-class SD-WAN may be as simple as upgrading to a later revision of FortiOS, assuming the existing devices support it.

Fortinet also has a wide range of switches and wireless access points, allowing for a homogeneous branch infrastructure.

| Evaluation Factors | Observations |
| --- | --- |
| Initial Configuration and Deployment | Achieved through FortiDeploy and FortiManager. Templates/policy packages are created in FortiManager and are either pushed to the device during enrollment or can be automatically associated with the FortiManager by using FortiDeploy. |
| Speed and Reliability | Per-session and per-packet steering are available. Users can define SLAs and the configuration of prioritization is very granular. Supports SSL decryption and steering based on user identity, which is a plus when network administrators want complete control over how applications and users are treated. |
| Network Visibility and Control | Achieved through FortiAnalyzer. Provides real-time and historical statistics not only on network availability, but also on security functions such as compromised endpoints, IPS/IDS events, and blocked URLs, to name a few. |

Pros

  • First Packet Identification
  • Active Steering
  • SD-WAN edge, switching, and WAPs controlled through single pane of glass
  • Best of breed security
  • No SD-WAN throughput licensing
  • Deep, granular control over application SLA and steering
  • SSL decryption
  • Easy configuration of remote VPN users using FortiClient

Cons

  • Orchestration and visibility require separate licenses
  • Limited application performance monitoring.

Summary: Fortinet is a platform for businesses that need best of breed security and the flexibility to support non-standard and standard designs alike. It is not overly difficult to configure but will work best when configured and administered by experienced network engineers.

Cisco Meraki

Meraki was founded in 2006 as a wireless access point platform and added switching and edge routing to the technology stack as the company grew. After being acquired by Cisco in 2012, Meraki has grown substantially and has operated largely as an independent platform and as a lower cost alternative to Cisco native products. Meraki added SD-WAN to their marketing materials as the demand grew. Similar to Fortinet, Meraki has a wide variety of switching and wireless access points.

| Evaluation Factors | Observations |
| --- | --- |
| Initial Configuration and Deployment | Achieved through the Meraki controller. Organizations and networks are configured, and templates are established for device profiles. Configuration variables are applied to the Meraki devices when they are added to an organization and templates applied. |
| Speed and Reliability | Per-session steering is available. However, per-packet steering or duplication is not available. Has DPI and SSL decryption. SLAs for steering can be user defined, although custom applications are not currently supported. |
| Network Visibility and Control | Achieved through the Meraki controller. Provides real-time and historical statistics on network availability. Ease of use for configuration is a high point for the Meraki controller at the expense of some granularity and flexibility. |

Pros

  • SD-WAN edge, switching, and WAPs controlled through single pane of glass
  • Advanced security license includes important security features
  • No SD-WAN throughput licensing
  • Meraki Controller included in license
  • Ease of use and configuration
  • SSL decryption

Cons

  • Organization scale becomes an issue for larger clients, sometimes requiring multiple organizations for a single customer WAN
  • Limited application performance monitoring
  • No forward error correction
  • No dynamic bandwidth detection
  • No identity-based steering

Summary: Meraki is a platform for businesses that have a straightforward network design with limited security considerations, do not need the SD-WAN dynamic path selection bells and whistles that other platforms have, and need a network stack that is easy to configure and support.

Top Vendors SD-WAN – Edge Only

We evaluate five market leaders in the SD-WAN Edge Only category in this section.

VMware VeloCloud

VeloCloud was founded in 2012 with a vision to use cloud and virtualization to reinvent the WAN. Their fundamental differentiator early on was their ability to virtually bond multiple underlay circuits on a single virtual overlay link as well as enhance the user experience on a single connection using forward error correction and other proprietary mechanisms.

Their unique delivery model that included cloud gateways and a strong marketing strategy helped VeloCloud to grow rapidly until it was acquired by VMware in 2017.

| Evaluation Factors | Observations |
| --- | --- |
| Initial Configuration and Deployment | Achieved through the VeloCloud Orchestrator (VCO). VCO templates are built and applied to VeloCloud Edges (VCE) upon activation. |
| Speed and Reliability | VeloCloud has deployed VeloCloud Gateways (VCG) in large data centers distributed globally and can provide on-demand link steering for cloud applications without passing through a customer data center. Per-packet steering, per-session steering, and packet duplication are available but SLAs are pre-defined, so the user selects from one of the available traffic classes to assign priority for each policy. |
| Network Visibility and Control | Achieved through the VCO, ease of use is a big plus for VeloCloud. Menus are easy to navigate and configuration changes are easy to deploy. Has network performance as well as application performance monitoring. |

Pros

  • Easy to configure
  • Cloud hosted gateways allow for easy implementation of multi-path session survivability
  • Application performance monitoring
  • First packet identification

Cons

  • No SSL decryption
  • Canned application SLA configuration
  • No NGFW capabilities

Summary: Early entrant with a mature and stable platform. Ease of configuration and management at the expense of some flexibility. A good platform for customers with straightforward network requirements that are considering a DIY SD-WAN solution.

Silver Peak

Silver Peak Systems was founded in 2004. Their first product was an NX-series hardware appliance, and their focus until launching an SD-WAN platform was WAN optimization. In 2015, Silver Peak launched the EdgeConnect platform for SD-WAN. As of this writing, HPE has announced its intent to acquire Silver Peak.

| Evaluation Factors | Observations |
| --- | --- |
| Initial Configuration and Deployment | Silver Peak uses the Unity Orchestrator for template management. Templates are created based on business intent and applied to EdgeConnect devices with location-specific variables. |
| Speed and Reliability | Per-session steering, per-packet steering, and packet duplication are available. Users can define SLAs and the number of applications for steering is extensive (industry leading as of this writing). Does not support SSL decryption or steering based on user identity. Also has a license add-on for boost, which enables WAN optimization functions like TCP optimization and de-duplication. |
| Network Visibility and Control | Network statistics and health can be obtained through Unity Orchestrator. Has application monitoring using Mean Opinion Score (MOS). |

Pros

  • Granular control over application SLA and prioritization
  • Application performance monitoring (Mean Opinion Score)
  • First packet identification
  • Full featured SD-WAN path control including duplication

Cons

  • No SSL decryption
  • No NGFW capabilities
  • MOS monitoring but no MOS steering
  • Requires deep knowledge of platform to properly configure

Summary: Silver Peak is an SD-WAN platform with all the path selection bells and whistles you would expect in an industry-leading solution with a high level of configurability for those that want to be able to turn knobs and levers to fine tune performance. Option for WAN Optimization is beneficial for businesses that will benefit from it. However, the high level of configuration variables requires a high level of expertise to successfully implement this solution.

Cisco Viptela

Viptela was founded in 2012 as an SD-WAN edge company. Viptela’s orchestration platform (vManage) was built to be a comprehensive but easy to use tool and provides more familiar functions (Command Line interface, granular configuration, and SLA control) to network engineers when compared to some other early entrants to the SD-WAN market.

Viptela was acquired by Cisco in 2017 and Cisco has undergone a process of supporting the Viptela software on their ISR platform. As of this writing Cisco still offers Viptela native hardware.

| Evaluation Factors | Observations |
| --- | --- |
| Initial Configuration and Deployment | Templates are built in vManage and provisioned using vBond. vSmart is used to authenticate vEdges (Viptela hardware + software) for provisioning or now cEdges (Cisco ISRs running Viptela software). Requires network engineering expertise and/or assistance from Cisco engineers for set-up. Very flexible but not as simple as some other platforms that are GUI only. |
| Speed and Reliability | Viptela uses traditional routing protocols rather than proprietary software and has session-based steering but no per-packet steering. Packet duplication is available. vSmart controller functions as the routing engine and SLAs can be user defined. Viptela has extensive applications for steering, although the vEdge supports more applications than cEdge/ISR. |
| Network Visibility and Control | Network statistics and health provided through vManage (vAnalytics) and has an extensive knowledge base on the Cisco website. |

Pros

  • Granular control over SLA
  • Familiar tools for network engineers (CLI, common routing protocols)
  • Single dashboard for visibility and control
  • Packet duplication
  • Software can be loaded on existing supporting ISRs
  • NGFW (Available when deployed on ISR)

Cons

  • No SSL decryption
  • No NGFW on vEdge platform
  • No custom applications or application monitoring

Summary: A platform for die-hard Cisco fans that want SD-WAN features but also want functions that are familiar like a command line interface and routing protocols like BGP/OSPF/VRRP for SLA management.

Palo Alto CloudGenix

CloudGenix was founded in 2013 and has built what they call a “Gen 2” SD-WAN platform. The solution is focused on application-level visibility and performance management rather than traditional transport layer prioritization that some other platforms use. CloudGenix was acquired by Palo Alto Networks in 2020 to help round out the company’s SASE strategy.

| Evaluation Factors | Observations |
| --- | --- |
| Initial Configuration and Deployment | CloudGenix’s orchestration platform allows you to configure templates and deploy devices (IONs) based on standard configuration rules. |
| Speed and Reliability | Per-session steering is available; per-packet steering and duplication are not. Allows customization of SLAs and applications. Does not support SSL decryption but does have identity-based steering. |
| Network Visibility and Control | Visibility and analytics (Clarity platform) is the biggest differentiator of the CloudGenix platform. While the SD-WAN path control may not be as advanced as some of the other platforms, the ability to measure application performance and make path selection decisions based on it (like MOS-based steering) is a differentiator. |

Pros

  • Active and passive performance monitoring provides extensive analytics on application flows
  • CloudBlades platform allows easy deployment of approved 3rd party branch infrastructure services like cloud firewall and UCaaS
  • Granular control over SLA and custom applications
  • Application-performance based steering

Cons

  • No packet level steering or duplication
  • No SSL decryption
  • No first packet identification
  • No NGFW
  • PAN (Palo Alto Panorama) integration is still a separate license and orchestration platform

Summary: A flexible SD-WAN platform geared towards customers that need a tool allowing visualization and analytics around application performance.

Versa

Founded in 2012, Versa has offered an SD-WAN solution with built-in security since inception. Several carriers chose Versa as their go-to SD-WAN solution for enterprise clients before they moved to offering alternative solutions.

| Evaluation Factors | Observations |
| --- | --- |
| Initial Configuration and Deployment | Versa uses Versa Director for template and lifecycle management. Device templates are configured, and service templates are used for steering, security, and Quality of Service (QoS). Both are applied to appliances during activation. |
| Speed and Reliability | Versa has per-session and per-packet steering, as well as packet duplication. SLAs and applications are customizable, providing a high degree of flexibility in configuring policies for maximum network performance. SSL decryption is supported but user identity-based steering and first packet identification are not. |
| Network Visibility and Control | Versa has Versa Director and Versa Analytics, providing a view into real-time network and application performance as well as analytics with actionable insights on network security and application performance. |

Pros

  • All of the SD-WAN path selection features with a high degree of flexibility
  • NGFW included
  • MOS based steering
  • SSL Decryption
  • Application performance monitoring

Cons

  • No identity-based steering
  • No first packet identification

Summary: Versa works well for companies that need all the traffic steering functionality that SD-WAN offers and want to administer security and SD-WAN in a single pane of glass.

Checklist for Evaluating SD-WAN Solutions

When evaluating SD-WAN solutions, there are three critical criteria that enterprises should consider:

  1. Initial and ongoing configuration aka orchestration
  2. Path selection and steering
  3. Security

Here is a checklist that’s designed for mapping SD-WAN feature sets offered by vendors to business needs.

| Category | Item | Consideration |
| --- | --- | --- |
| Cost & Licensing | Determine Overall Budget Goals | Do you have the budget for active/active or active/passive connectivity? Would you be using DIA/Broadband? What are your connectivity options – wired/wireless? Do you have aging/unmanaged switches and/or WAPs? If so, consider replacing them at the same time as the WAN edge. |
| Cost & Licensing | Bandwidth Sizing | Determine the throughput requirements and ensure proper sizing is factored into TCO. |
| Path Selection & Steering | Custom Applications | Do you have in-house applications that require prioritization? If yes, ensure the SD-WAN platform can identify that traffic. |
| Path Selection & Steering | Active Steering/Session Survivability | If required, look for solutions that either have packet based steering or duplication. |
| Path Selection & Steering | Custom SLAs or Category SLA | Determine if you need the ability to define SLAs rather than using canned priority classes. |
| Path Selection & Steering | Identity Based Steering | Do you need to steer traffic based on a user identity? |
| Security | NGFW Capabilities | Do you prefer to have security enforced at the WAN perimeter or do you prefer to send all traffic to the cloud for inspection? |
| Security | SSL Decryption | Do you require SSL inspection? |
| Configuration & Maintenance | Deployment / Configuration | If using an SD-WAN integrator, ensure they’re familiar with your existing architecture for a smooth transition. If deploying using internal resources, ensure you have the level of expertise required to configure and implement the solution. |
| Configuration & Maintenance | Visibility | Do you need to continually measure application performance and modify business policies to use the best path? |
| Configuration & Maintenance | SLA Management | Do you need the ability to measure SLAs to provide reports to carriers to request SLA credits? |
| Configuration & Maintenance | Alerting | If using an SD-WAN integrator, ensure their monitoring and management includes everything required to maintain the SD-WAN edge, including connectivity. If self managed, ensure you have the tools and personnel to deal with last mile issues. |

The SD-WAN market continues to mature and is now a mainstream component of network refresh projects.

When looking at SD-WAN vendors, there is a large amount of feature parity and a majority of the differences are nuanced, for example, where to go in the Orchestrator to create a business policy. That being said, understanding whether or not you can tolerate a dropped session when a primary connection fails or whether or not you need the ability to add custom applications are just a few examples of the decision criteria you should use when comparing SD-WAN vendors.

2020-10-05T22:23:38+00:00 | September 30th, 2020 | Networking, SD-WAN

About the Author:

Steve Womer has experience designing and deploying WAN/LAN infrastructure for distributed enterprise clients since 2008 and has served in various engineering, sales engineering, and operational roles for industry leading managed services providers.
