Cutting through the Noise
When you look at the vast landscape of SD-WAN vendors, there are a plethora of features and differentiators each vendor touts as part of their marketing pitch. It’s extremely challenging for the IT department to navigate claims and counterclaims by SD-WAN vendors while keeping an eye firmly on the business needs.
In this blog, we cut through the noise to give you an unbiased insight into the specific capabilities of top SD-WAN providers that we believe have demonstrated solution maturity, implementation success and scale.
This article aims to highlight the key elements of each vendor platform and their differentiators. For the purpose of simplicity, we categorized SD-WAN vendors into two:
- SD-WAN Complete Branch
- SD-WAN Edge Only
In addition to vendor comparison, we have created a handy checklist that you can download and use as a template for evaluating SD-WAN solutions for your enterprise.
SD-WAN Vendor Categories Included in This Evaluation
1. SD-WAN – Complete Branch
This category of SD-WAN platform includes solutions with a unified architecture that offers:
- SD-WAN orchestration and traffic control
- Native Next-Generation Firewall (NGFW) capabilities
- Single vendor branch infrastructure (Switching and wireless access points (WAPs) controlled via a common orchestration platform)
The main benefit of these platforms is a much lower total cost of ownership (TCO) compared to an edge only solution paired with a separate cloud security solution. This comes not only from bundling the SD-WAN and NGFW functions; licensing is also typically less expensive and is not throughput based.
2. SD-WAN – Edge Only
This category includes solutions that are purpose-built to perform edge SD-WAN functions. Their main features include:
- SD-WAN orchestration and traffic control
- Application performance monitoring
Edge Only platforms are focused on application delivery and reliability as their main function. Some of the edge only SD-WAN platforms offer network administrators a sophisticated application monitoring and analytics capability to help identify root causes of performance problems.
Edge Only platforms typically have a higher TCO than complete branch solutions.
Top Vendors SD-WAN – Complete Branch
There are two main players in the SD-WAN complete branch category, Fortinet and Cisco Meraki.
Fortinet
Founded in 2000, Fortinet has been building security products for 20 years. Its flagship product is an enterprise firewall platform called the FortiGate. SD-WAN features have been added to the flagship products and are available in the latest firmware revisions. As an SD-WAN solution, Fortinet has ascended to the top right corner of the Gartner Magic Quadrant for WAN Edge Infrastructure. This benefits clients already running the platform, since enabling best in class SD-WAN may be as simple as upgrading to a later revision of FortiOS, assuming the existing devices support it.
Fortinet also has a wide range of switches and wireless access points, allowing for a homogeneous branch infrastructure.
Templates and policy packages are created in FortiManager and are either pushed to the device during enrollment or automatically associated with FortiManager by using FortiDeploy.
Users can define SLAs and the configuration of prioritization is very granular.
Fortinet supports SSL decryption and steering based on user identity, a plus when network administrators want complete control over how applications and users are treated.
Pros
- First Packet Identification
- Active Steering
- SD-WAN edge, switching, and WAPs controlled through single pane of glass
- Best of breed security
- No SD-WAN throughput licensing
- Deep, granular control over application SLA and steering
- SSL decryption
- Easy configuration of remote VPN users using Forticlient
Cons
- Orchestration and visibility require separate licenses
- Limited application performance monitoring.
Summary: Fortinet is a platform for businesses that need best of breed security and the flexibility to support standard and non-standard designs alike. It is not overly difficult to configure but works best when configured and administered by experienced network engineers.
Cisco Meraki
Meraki was founded in 2006 as a wireless access point platform and added switching and edge routing to the technology stack as the company grew. After being acquired by Cisco in 2012, Meraki has grown substantially and has operated largely as an independent platform and as a lower cost alternative to Cisco native products. Meraki added SD-WAN to their marketing materials as the demand grew. Similar to Fortinet, Meraki has a wide variety of switching and wireless access points.
Organizations and networks are configured, and templates are established for device profiles.
Configuration variables are applied to Meraki devices when they are added to an organization and templates are applied.
Meraki has DPI and SSL decryption.
SLAs for steering can be user defined, although custom applications are not currently supported.
Provides real time and historical statistics on network availability.
Ease of use for configuration is a high point for the Meraki controller at the expense of some granularity and flexibility.
Pros
- SD-WAN edge, switching, and WAPs controlled through single pane of glass
- Advanced security license includes important security features
- No SD-WAN throughput licensing
- Meraki Controller included in license
- Ease of use and configuration
- SSL decryption
Cons
- Organization scale becomes an issue for larger clients, sometimes requiring multiple organizations for a single customer WAN
- Limited application performance monitoring
- No forward error correction
- No dynamic bandwidth detection
- No identity-based steering
Summary: Meraki is a platform for businesses that have a straightforward network design with limited security considerations, do not need the SD-WAN dynamic path selection bells and whistles that other platforms have, and need a network stack that is easy to configure and support.
Top Vendors SD-WAN – Edge Only
The SD-WAN edge only category covered here includes VMware VeloCloud, Silver Peak, Cisco Viptela, Palo Alto CloudGenix, and Versa.
VMware VeloCloud
VeloCloud was founded in 2012 with a vision to use cloud and virtualization to reinvent the WAN. Their fundamental differentiator early on was their ability to virtually bond multiple underlay circuits on a single virtual overlay link as well as enhance the user experience on a single connection using forward error correction and other proprietary mechanisms.
Their unique delivery model that included cloud gateways and a strong marketing strategy helped VeloCloud to grow rapidly until it was acquired by VMware in 2017.
Per packet steering, per session steering, and packet duplication are available but SLAs are pre-defined, so the user selects from one of the available traffic classes to assign priority for each policy.
Menus are easy to navigate and configuration changes are easy to deploy.
VeloCloud has network performance as well as application performance monitoring.
Pros
- Easy to configure
- Cloud hosted gateways allow for easy implementation of multi-path session survivability
- Application performance monitoring
- First packet identification
Cons
- No SSL decryption
- Canned application SLA configuration
- No NGFW capabilities
Summary: An early entrant with a mature and stable platform. Ease of configuration and management comes at the expense of some flexibility. A good platform for customers with straightforward network requirements that are considering a DIY SD-WAN solution.
Silver Peak
Silver Peak Systems was founded in 2004. Its first product was the NX-series hardware appliance, and its focus until launching an SD-WAN platform was WAN Optimization. In 2015 Silver Peak launched the Edge Connect platform for SD-WAN. As of this writing HPE has announced its intent to acquire Silver Peak.
Templates are created based on business intent and applied to Edge Connect devices with location specific variables.
Users can define SLAs and the number of applications for steering is extensive (industry leading as of this writing).
Does not support SSL decryption or steering based on user identity.
Also has a license add-on, Boost, which enables WAN Optimization functions like TCP optimization and de-duplication.
Pros
- Granular control over application SLA and prioritization
- Application performance monitoring (Mean Opinion Score)
- First packet identification
- Full featured SD-WAN path control including duplication
Cons
- No SSL decryption
- No NGFW capabilities
- MOS monitoring but no MOS steering
- Requires deep knowledge of platform to properly configure
Summary: Silver Peak is an SD-WAN platform with all the path selection bells and whistles you would expect in an industry-leading solution, and a high level of configurability for those that want to turn knobs and levers to fine tune performance. The WAN Optimization option is valuable for businesses whose traffic can take advantage of it. However, the large number of configuration variables requires a high level of expertise to implement this solution successfully.
Cisco Viptela
Viptela was founded in 2012 as an SD-WAN edge company. Viptela’s orchestration platform (vManage) was built to be a comprehensive but easy to use tool, and it provides network engineers with more familiar functions (command line interface, granular configuration, and SLA control) than some other early entrants to the SD-WAN market.
Viptela was acquired by Cisco in 2017, and Cisco has been working to support the Viptela software on its ISR platform. As of this writing Cisco still offers Viptela native hardware.
vSmart is used to authenticate vEdges (Viptela hardware plus software) for provisioning, or now cEdges (Cisco ISRs running Viptela software).
Requires network engineering expertise and/or assistance from Cisco engineers for set-up.
Very flexible, but not as simple as some other platforms that are GUI only.
Packet duplication is available.
vSmart controller functions as the routing engine and SLAs can be user defined.
Viptela has extensive applications for steering, although the vEdge supports more applications than cEdge/ISR.
Pros
- Granular control over SLA
- Familiar tools for network engineers (CLI, common routing protocols)
- Single dashboard for visibility and control
- Packet duplication
- Software can be loaded on existing supporting ISRs
- NGFW (Available when deployed on ISR)
Cons
- No SSL decryption
- No NGFW on vEdge platform
- No custom applications or application monitoring
Summary: A platform for die-hard Cisco fans that want SD-WAN features but also want familiar functions like a command line interface and routing protocols like BGP/OSPF/VRRP for SLA management.
Palo Alto CloudGenix
CloudGenix was founded in 2013 and has built what they call a “Gen 2” SD-WAN platform. The solution is focused on application-level visibility and performance management rather than traditional transport layer prioritization that some other platforms use. CloudGenix was acquired by Palo Alto Networks in 2020 to help round out the company’s SASE strategy.
Allows customization of SLAs and applications.
Does not support SSL decryption but does have identity-based steering.
While the SD-WAN path control may not be as advanced as some of the other platforms, the ability to measure application performance and make path selection decisions based on it (like MOS based steering) is a differentiator.
Pros
- Active and passive performance monitoring provides extensive analytics on application flows
- Cloudblades platform allows easy deployment of approved 3rd party branch infrastructure services like cloud firewall and UCaaS
- Granular control over SLA and custom applications
- Application-performance based steering
Cons
- No packet level steering or duplication
- No SSL decryption
- No first packet identification
- No NGFW
- PAN (Palo Alto Panorama) integration is still a separate license and orchestration platform
Summary: A flexible SD-WAN platform geared towards customers that need a tool allowing visualization and analytics around application performance.
Versa
Founded in 2012, Versa has offered an SD-WAN solution with built-in security since inception. Several carriers chose Versa as their go-to SD-WAN solution for enterprise clients before they moved to offering alternative solutions.
Device templates are configured, and service templates are used for steering, security, and Quality of Service (QoS).
Both are applied to appliances during activation.
SLAs and applications are customizable, providing a high degree of flexibility in configuring policies for maximum network performance.
SSL decryption is supported but user identity-based steering and first packet identification are not.
Pros
- All of the SD-WAN path selection features with a high degree of flexibility
- NGFW included
- MOS based steering
- SSL Decryption
- Application performance monitoring
Cons
- No identity-based steering
- No first packet identification
Summary: Versa works well for companies that need all the traffic steering functionality that SD-WAN offers and want to administer security and SD-WAN in a single pane of glass.
Checklist for Evaluating SD-WAN Solutions
When evaluating SD-WAN solutions, there are three critical criteria that enterprises should consider:
- Initial and ongoing configuration aka orchestration
- Path selection and steering
- Security
Here is a checklist that’s designed for mapping SD-WAN feature sets offered by vendors to business needs.
Cost & Licensing
- Would you be using DIA/Broadband?
- What are your connectivity options (wired/wireless)?
Path Selection & Steering
Security
Configuration & Maintenance
- If deploying using internal resources, ensure you have the level of expertise required to configure and implement the solution.
- If self managed, ensure you have the tools and personnel to deal with last mile issues.
The SD-WAN market continues to mature and is now a mainstream component of network refresh projects.
When looking at SD-WAN vendors, there is a large amount of feature parity, and most of the differences are nuanced, for example where to go in the orchestrator to create a business policy.
That being said, understanding whether you can tolerate a dropped session when a primary connection fails, or whether you need the ability to add custom applications, are just two examples of the decision criteria you should use when comparing SD-WAN vendors.