Comparing SD-WAN Appliances? Here’s What You Need to Know
If you’re in the market for an SD-WAN solution, you’re painfully aware of the lack of consistency in features and capabilities from one appliance to another.
While the appliance you favor might have site-to-site VPN capabilities, it might not offer the active load balancing capabilities you need to support your network uptime standards.
In short - not all SD-WAN provider appliances are created equal, which makes SD-WAN procurement all the more complicated.
This post walks through what you should consider when comparing SD-WAN appliances.
Do you need site-to-site VPNs?
If your network has ultra-low latency requirements, you’ll want to make sure that your SD-WAN appliance is able to facilitate inter-office virtual private networks (VPNs); however, not every SD-WAN appliance has these capabilities.
Without site-to-site VPNs, your traffic moves from office to office in a hub and spoke model rather than an any-to-any topology (i.e. directly to its destination). The downside of hub and spoke is the inevitable latency that comes with your traffic having to make more “hops” to reach its destination.
So, if your network requires ultra-low latency, you want to look for an SD-WAN appliance that can facilitate at least the number of VPN tunnels that you require in your current state (and ideally more for future network expansion). When scoping out appliances, look for the “maximum tunnel scale” - that’s the number of tunnels your appliance can support.
See page 6 of this VMware document for an example of how VPN capabilities (aka maximum tunnel scale) are noted.
Why doesn’t every SD-WAN appliance support site-to-site VPNs?
In order for an appliance to run site-to-site VPNs, it must learn routes and track metrics for each of the sites, which takes significant computing power. Just as a computer is limited by its CPU and RAM, your SD-WAN appliance has a maximum processing capacity that you run up against when facilitating VPN tunnels.
Do you need active load balancing?
Given the “smart traffic queuing” that is a staple for all SD-WAN solutions, you’d be surprised to learn that not all SD-WAN appliances offer active load balancing. Active load balancing is when traffic is spread (i.e. balanced) across network nodes or circuits to avoid a traffic jam of data.
For example, suppose you have a 500Mbps (fixed bandwidth), dedicated primary circuit (Circuit A) and a 100Mbps, best effort secondary circuit (Circuit B) in your office, both running through your SD-WAN appliance. At average daily peak utilization, your office uses ~400Mbps of capacity on Circuit A. However, you observe that traffic spikes ~50Mbps on average during the “busy season”. If your SD-WAN appliance supports active load balancing, you can configure it to shift lower-priority traffic from Circuit A to Circuit B during the busy season. You can manage this through traffic prioritization queues and user profiles. If your SD-WAN appliance does not allow active load balancing, you are running dangerously close to maxing out your bandwidth capacity during the busy season, which will result in lower network quality and lost productivity among your workforce.
If you require active load balancing capabilities, make this known up front in your procurement process to avoid wasting time vetting a provider that does not have this capability. Meraki is an example of a provider that does not support active load balancing; they only support failover. The name “failover” is quite literal; in our example, failover would be Circuit B taking over in the event that Circuit A experiences an outage or “completely fails”.
It’s worth noting that not every enterprise even needs or wants active load balancing.
Instead of a best effort broadband connection, let’s say your Circuit B is a cellular, wireless internet connection. Cellular connections tend to be slower and much more expensive per megabit than your regular wired circuits. This is an example of where you might not want to employ active load balancing from Circuit A to Circuit B due to the cost implications; you would only want to utilize Circuit B when absolutely necessary (e.g. an outage at Circuit A).
What type of routing do you require?
Different SD-WAN appliances are able to facilitate different types of routing; some can only do packet based routing while others can only do flow based routing.
Packet based routing means that your SD-WAN appliance can analyze, route, prioritize, and load balance your traffic across multiple circuits on a packet-by-packet basis. In other words, every set of data that you want to move across your network (say, a video call) is chopped up and prioritized on an individual packet basis.
For example, suppose your branch office network is running SD-WAN over both a primary circuit (Circuit A) and a secondary circuit (Circuit B) with packet based routing. You are mid-sentence on an important video call with the boss at headquarters when Circuit A experiences an outage. In real time, your SD-WAN will detect the outage on Circuit A and load balance your traffic over to Circuit B. As this is done on a packet-by-packet basis, your call will not drop and you will likely only experience minor latency on the video call. VeloCloud is an example of an SD-WAN appliance with these capabilities.
Flow based routing means that your SD-WAN appliance can analyze, route, prioritize, and load balance your traffic across multiple circuits on an aggregated basis. In other words, every set of data that you want to move across your network (say, a video call) is transferred as an aggregated lump of data that cannot be broken down and moved from circuit to circuit.
For example, suppose your branch office network is running SD-WAN over both Circuit A and Circuit B with flow based routing. You are mid-sentence on an important video call with the boss at headquarters when your primary circuit experiences an outage. Your call will drop because that entire flow of video call data was running on your primary circuit, which is now down. Flow based routing is very common among SD-WAN providers.
How many interfaces do you require?
For each location in your network, you’ll need to determine how many interfaces or “ports” you require on your appliance.
Historically, SD-WAN appliances would have predefined wide area network (WAN) and local area network (LAN) ports. Nowadays, SD-WAN appliances come with all purpose interfaces where you can mix-and-match WAN and LAN ports.
There are a few things to consider when calculating the number of ports you require on your appliances: WAN interfaces, LAN segments, High Availability configuration, and directly connected devices (such as switches, firewalls, and peripherals).
When scoping SD-WAN appliances, make sure that they come with adequate interfaces or ports for the needs at all of your locations (some locations might require more ports than others).
What are your network security needs?
Security is a commonly noted disadvantage of SD-WAN, but this shouldn’t keep you from exploring the technology.
SD-WAN appliances come with varying levels of security capabilities. Some SD-WAN appliances come with security capabilities built in. Other SD-WAN appliances do not come with security capabilities but have room to install a separate firewall on top.
If you already utilize a separate security solution that you'd like to integrate with your SD-WAN, make this known up front during the procurement process as not all SD-WAN appliances offer such integrations.
Do you need your appliance to also serve as your Wireless Access Point (WAP)?
Do you also need your SD-WAN appliance to serve as the network’s wireless access point (WAP)?
This typically isn’t advised, given that SD-WAN appliances often reside in an IT closet, which WiFi signals cannot propagate out of. However, in some use cases, it is desirable to have the SD-WAN appliance also serve as your WAP.
If you need the SD-WAN appliance to also serve as your WAP, add this to the list of features you need to scope out prior to choosing an appliance.
How will remote users access the network?
Historically, enterprises have offered network access to remote employees through a VPN or remote desktop environment. While these have largely worked, the pandemic has put an increased focus on optimization for remote users.
To this end, many SD-WAN providers offer small appliances for offices of one, and/or offer software that runs on a remote user's laptop. Both allow remote users not only to securely access the WAN, but also to gain access to preferred routes over a middle mile network. You can even enable traffic prioritization for remote workers with SD-WAN (i.e. prioritizing their file transfer data over their YouTube streaming data).
As expected, if you require these remote worker capabilities with your SD-WAN, you need to make sure you’re procuring from a provider who offers these solutions.
Do you like the Graphical User Interface (GUI)?
Every SD-WAN appliance has its own, unique GUI for network reporting, troubleshooting and alerts. There’s no standardization in GUI across SD-WAN providers.
This is mainly important when procuring SD-WAN appliances to be self managed by your IT team as you want them to feel comfortable with the interface.
What is the bandwidth of the underlay network that the appliance is supporting?
SD-WAN appliances have bandwidth restrictions, meaning they can only manage X amount of SD-WAN underlay network bandwidth. SD-WAN providers offer tiers of appliances and licenses that correspond to the amount of underlay bandwidth they support.
It’s important to note that your SD-WAN appliance bandwidth capabilities need to take into consideration both the download and upload speeds of all underlying circuits.
If you are running a 500 Mbps / 500 Mbps DIA primary circuit and a 100 Mbps / 10 Mbps best effort secondary circuit, the SD-WAN appliance will need to be capable of transporting 1,110 Mbps of throughput (500 + 500 + 100 + 10).
So you’ve scoped your SD-WAN appliance needs, what next?
We hope this post was helpful in understanding all of the different features and capabilities you need to vet when selecting an SD-WAN appliance.
If the concept of transitioning to SD-WAN wasn’t daunting enough already, all of these appliance considerations might have your head spinning… if that’s how you’re feeling right about now, Lightyear can help.
Our team of telecom experts has led countless SD-WAN procurement and implementation projects, and we’ve built a product that has automated the process while guaranteeing money and time savings.
If you’d like to learn more, or just want to kick the tires on your SD-WAN deployment, reach out to us here.