August 27, 2015

Who Has the Best WAN Solution?

Until recently, there hadn't been a fundamentally new WAN technology or service introduced into the market for over a decade. Driven by the lack of viable alternatives, over the last ten years the vast majority of network organizations implemented a branch office WAN based on each branch office having either a T1 link or a set of bonded T1 links that provide access to a service provider's MPLS network and having one or more higher speed links at each data center. In this design, it is common to have a variety of dedicated appliances in each branch office and to also backhaul all or some of a company's Internet traffic over the MPLS network to a data center before handing it off to the Internet.

I recently published The 2015 Guide to WAN Architecture and Design, which I encourage each of you to read. In that WAN report I described a hypothetical company called NeedToChange (NTC) which runs a traditional WAN and I had the sponsors of the report describe how NTC should evolve its WAN. As the responses from the sponsors indicate, network organizations today are facing a large and growing set of WAN architectural alternatives that they need to evaluate and determine which makes the most sense for them.

What I am now going to do is to start a 6 week long discussion of WAN architectures with the sponsors of the WAN architecture report. More specifically, I will post a series of three question to the sponsors and give them two weeks to respond to each question.

Readers are encouraged to join the discussion below by clicking on the "Reply" link at the end of any comment.  For background, please see The 2015 Guide to WAN Architecture and Design.


Ok, let’s get started.
The first question is: What are the key features of your company’s WAN solution?

Today's WANs are complex to operate and are both time consuming and cumbersome to augment. With our SD-WAN solution Virtualized Network Services (VNS) we set out to completely change the way businesses deploy and manage their wide area environment.

Before I run through some of the key features of VNS I’d like to highlight four of the key pain points with todays WAN environments we identified.

• Maintaining a real time view of the running configuration, routes used, addresses/subnets/VLAN tags consumed and the firewall/ACL rules deployed; think about the many Excel spreadsheets the network team maintains…

• The management and monitoring of the ACL’s and firewalls at the branches, HQ and data centers and the care and feeding of the mix of in-router features and dedicated appliances that protect the business traffic and enforce security framework.

• The cyclic pressure to rip and replace the existing branch hardware when bandwidth is increased or new features are deployed.

• The day-to-day pressures to squeeze every last drop of the scarce bandwidth resources and deliver a consistent network experience to an ever changing IT application environment.

To address these issues we based VNS on a three tier SDN based solution set. There is a central policy manager where we store templates and policies for the network, a set of SDN controllers that manage the control plane of the WAN, and lastly the branch software that performs the data plane functions issued by the SDN controllers.

This solution architecture then addresses the pain points from above by:

• Site additions are automated by VNS via its centralized policy manager. All you do to set up a new site is to complete some basic information on the location and branch type, select the functionality to be deployed from your template of networking and security polices and ship the branch hardware to the site. As the information is stored centrally the network team has full visibility in to the running configuration (routing topology, L2 and L3 addresses in use and the security policies deployed).

• VNS provides a different model that increases the micro-segmentation of the security within and across the whole WAN environment. With its comprehensive policy framework, data and location security are centrally controlled and pushed to the branch as a core function of the WAN service. If sites require encryption, you simply enable it on the VNS policy manager and instantly the traffic to and from the site is encrypted. The same applies to firewall rules; if a new rule is required due to business policy change or a new application rollout, via the central manager you select the new rule, the sites to deploy and push the button.

• The branch hardware used with VNS is based on open compute. That’s the same x86 architectures you use in your data centers today, and you know the investment advantage you got from moving to open compute there. With VNS we bring the same investment flexibility to the branch. Since its based on standard off the shelf hardware you have the choice, use Nuage Networks branch hardware or deploy the software at the branch on any suitable x86 based compute you have on hand.

• With VNS you get the choice to augment that bandwidth with any connectivity available at the location. With our intelligent traffic steering you can set the branch (via our centralized policy manager) to send your business critical traffic via your premium circuit and to securely offload the more bursty non-critical traffic to another link including the Internet or even mobile broadband. Another area where VNS can utilize alternative bandwidth options at the branch is to improve the availability of your branches. As VNS can utilize any available access technology you can augment your primary branch connection with alternatives. In the event of a failure of the primary connection VNS will automatically invoke the backup circuit and reroute your branch back into the corporate network.

This is a limited view of the complete feature set of VNS but we think that resolving the key pain points of today's WAN including; adding sites, maintaining real-time documentation, enforcing security, and opening up alternative bandwidth options goes a long way to changing the way WAN’s are deployed and managed.

Viptela's SD-WAN solution is used by Mid to Large Enterprises and Global Top-10 Service Providers. The important features are:

  1. The ability to build Unified Hybrid WAN over MPLS, Broadband and 4G/LTE, so all WAN infrastructure can be consolidated and managed using one centralized controller

  2. A secure, encrypted fabric with Zero-trust Authentication so there is a consistently high security framework irrespective of whether its a public or private network

  3. End-to-end network-segmentation with discreet topologies per segment. So enterprises can be different logical topologies per requirement, e.g.: full-mesh for video collaboration and voice, Regional exit for Guest WiFI, Hub-and-spoke for PCI or Financial transactions etc.

  4. Real-time WAN Path Control for Application SLA, so important applications like PCI, Voice, ERP etc. will always be steered on high-quality links based on real-time brownouts or blackouts.

  5. Centralized administration, visibility and troubleshooting with zero-touch, automated provisioning, so Operations is greatly simplified and there is consistent policy across all WAN types.

See a short demo on Seamless Bandwidth Augmentation.

Cisco’s Intelligent WAN (IWAN) solution is designed to deliver an uncompromised user experience over any connection. IWAN is managed by a centralized controller APIC-EM (Application Policy Infrastructure Controller with Enterprise Module) which provides centralized automation and orchestration of your WAN using the following key features:

  1. Transport independence allows provider flexibility and distribution of branch-office traffic over multiple transport options to lower costs.
  2. Intelligent path control maximizes WAN usage based on policy and real-time path status and improves network availability.
  3. Application optimization gives IT full visibility and control of network traffic, tunes the network for business-critical services, and quickly resolves network problems.
  4. Secure connectivity enables IT to simplify VPN connections across all sites to deliver high performance with high security. It can also enable direct Internet access for better SaaS application performance, while protecting all branch-office endpoints and maintaining a centralized infosec policy management paradigm.

These key features help organizations optimize their WAN investments with consistency as the volume of content and applications traveling across networks grows exponentially. All of this is done without compromising performance, reliability, or security, while freeing up resources for new and innovative business services.

To learn more about Cisco IWAN, go to

Silver Peak Unity EdgeConnect enables enterprises to dramatically reduce the cost and complexity of building a WAN by leveraging broadband to connect users to applications. By empowering customers to use broadband connections to augment or replace their current MPLS networks, Silver Peak improves customer responsiveness, increases application performance, and significantly reduces capital and operational expenses.

A technical overview of our SD-WAN solution--including zero-touch provisioning, packet-based dynamic path control, and business intent overlays--was presented at our 2015 Tech Field Day.

The Unity EdgeConnect solution consist of three components:

Unity EdgeConnect physical or virtual appliances (supporting any common hypervisor) deployed in branch offices to create a secure, virtual network overlay. This enables customers to move to a broadband WAN at their own pace, whether site-by-site or via a hybrid WAN approach that leverages MPLS and broadband Internet connectivity.

Unity Orchestrator is included with Unity EdgeConnect appliance deployments and provides unprecedented levels of visibility into both legacy and cloud applications, and the unique ability to centrally assign business intent policies to secure and control all WAN traffic. Policy automation speeds and simplifies the deployment of multiple branch offices.

Unity Boost is an optional performance pack that accelerates application performance as needed. The Boost component is unique to Unity EdgeConnect and allows companies to improve the performance of specific applications or locations.

The key features of Unity EdgeConnect are:

• Business Intent Overlays – globally defined policies folded into discretely managed virtual topologies. Using the key tenets of SDN and virtualization, these overlays ensure proper end-to-end handling of WAN traffic according to its business intent.

Zero Touch Provisioning – A plug-and-play deployment model enables Unity EdgeConnect to be deployed at a branch office in seconds, automatically connecting with other Silver Peak instances in the data center, other branches, or in cloud Infrastructure as a Service (IaaS) with the likes of Amazon, Microsoft Azure and VMware’s vCloud Air. Once connected, the EdgeConnect instances register with Unity Orchestrator. Upon registration, local profiles are mapped to the global business intent overlays. This ensures a highly-visible, tightly-controlled, secure, and high-performing enterprise WAN.

Dynamic Path Control (DPC) – real-time traffic steering over any broadband or MPLS link based on administratively-defined route policies. There may be multiple paths to and from any corporate location, and DPC monitors and adjusts the usage of these paths based on link quality (loss, latency and jitter are measured at the packet level) and any applied policies (associated with an application or group of applications). In the event of an outage or brownout, DPC automatically fails over to a secondary connection in about one second.

• WAN Hardening – With Unity, all data is secured edge-to-edge via 256-bit AES encrypted tunnels. No unauthorized outside traffic is allowed to enter any branch. WAN hardening secures branch offices without the appliance sprawl and operating costs of deploying and managing dedicated firewalls. There are no middle elements encrypting or decrypting traffic.

• Path Conditioning - overcomes the adverse effects of dropped and out-of-order packets that are common with broadband Internet and MPLS connections. Path Conditioning provides private-line-like performance over the public Internet.

• Cloud Intelligence – tracks and delivers SaaS application data to enable real-time updates on the best performing path to reach hundreds of applications, ensuring users connect to their applications in the fastest, most intelligent way available.

Thank you for developing the guide and giving each of us the opportunity to respond.

I think that generalised solution features are being described and they sound good in principle, but if the service providers are not involved in the decision making then I'm not sure that business case will fly to do these dynamic changes. In some countries broadband costs are prohibitive compared to standard leased line connectivity which may be cheaper in other countries. Also upgrades etc. may not honoured if the solution is not prearranged or automated with the relevant the service povider. What I am trying to highlight is the fact that this (IWAN) and anything of a similar nature will need to be integrated with the relevant services providers network technically and commercially to really make the solution intelligent.

Thanks for your comment.

I have to admit that I normally work in countries where the cost of Internet is much less than the cost of MPLS. Would you kindly educate me relative to a few countries in which the cost of Internet is much more than the cost of MPLS?

Also, can you help me understand what coordination has to occur, both technically and commercially, with the relevant service providers if an enterprise wants to implement a SD-WAN that is above and beyond the coordination that has to occur if the enterprise wants to use MPLS and the Internet in a more traditional fashion?

The aspect of managing a WAN in-house is seen in the US, but seldom outside. In other words most of the world uses their carriers for such solutions. Having said that, the largest SD-WAN deployment to date is happening with a US retailer using their in-house IT teams where we are replacing all WAN gear at 1400-sites with Viptela SD-WAN. Currently 200 sites are complete and we are rolling out 20/night. Next, two of the top-10 carriers in the world, Verizon and Singtel, announced SD-WAN offering using Viptela SD-WAN (both with production customers).

Note the cost arbitrage between broadband and MPLS plays a factor but not always the driving force (otherwise the Carrier's wouldn't deploy it). The big benefits come from getting a unified WAN offering on any transport (Broadband, MPLS, and LTE) and even on other carriers transports i.e. you can manage the customer any part of the world even where the carrier doesn't have a footprint. Next is agility, the ability to operate the WAN centrally with zero-touch bring up and policy changes.

Thanks for bringing up a very important point, Shaun.

Leave a comment

Search Webtorials

Get E-News and Notices via Email




I accept Webtorials' Terms and Conditions.

Trending Discussions

See more discussions...

Featured Sponsor Microsites



Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.