Trend Report
11/10/2016
SD-WAN Trends
Disclaimer This document has been prepared solely for Trace3's internal research purposes without any
commitment or responsibility on our part. Trace3 accepts no liability for any direct or consequential loss arising
from the transmission of this information to third parties. This report is current at the date of writing only and
Trace3 will not be responsible for informing of any future changes in circumstances which may affect the accuracy
of the information contained in this report. Trace3 does not offer or hold itself out as offering any advice relating to
investment, future performance or market acceptance.
Report Scope
This trend report looks at how today's solutions are reshaping traditional WANs and was conducted from the customer's
point of view, gathering feedback from actual users, field engineers, published material and direct product
demonstrations. It analyzes each solution's ability to deliver the 26 use cases found to be most critical to customer
purchasing decisions [8]. These use cases can be categorized into four groups based upon how the solution reshapes:
The Remote/Branch Office
WAN Management
WAN Security
The WAN Itself
This study selected six of the leading SD-WAN solutions on the market today and the accompanying comparison matrix
presents each product's capabilities to support these key use cases. This report also makes predictions of future trending
and recommendations based on these predictions. This report does not delve into remote office onsite networking issues
such as ROBO wireless solutions.
A special note on Cisco's WAN solutions: No discussion on SD-WAN would be complete without a section on the WAN
market leader, Cisco. Their IWAN suite combines transport-independent design, intelligent path control, application
optimization, and secure encrypted communications between branch locations [7]. IWAN provides a highly configurable
series of networking components (e.g. DMVPN, LAN/WAN/DMVPN routing schemes, PFR traffic classifications and
policies, Frontend VRF and WAAS) from which to build complex network topologies requiring substantial manual
customization. They also offer APIC-EM for lighter weight implementations. As such, IWAN and its components fall
outside the primary evaluation feature set and will not be explored within the scope of this report. Cisco also recently
introduced Meraki MX for a more turnkey solution, but due to its newness to the market it is not covered in this report. For
organizations looking to implement bespoke WAN configurations, it is recommended that the Cisco suite be considered.
By the end of 2019, 30% of enterprises will use SD-WAN products in all their branches, up from <1% today. [2]
Redundant telecommunications links connecting remote sites date back to the 1970s, with X.25 links used for remote
mainframe terminal access.
The term SD-WAN started showing up in networking publications as early as 2014. [4]
Some of today's SD-WAN solutions also provide advanced "nice-to-have" features such as:
Remote office/branch office (ROBO) device reduction or elimination
Service chaining or service insertion (e.g., integration with Zscaler)
Cost-based/quality-based/performance-based connection selection
Traffic steering
Typically, these features are provided by an appliance installed at each remote location that is managed and configured
by a secure centralized cloud-based management console that sets access, routing and configuration policies for the
entire enterprise WAN across all media types. For this study, six leading SD-WAN products were selected based on
feature set and market presence: CloudGenix, Riverbed SteelConnect, Talari, Velocloud, Versa and Viptela. Of course,
there are many other companies, including 128 Technology, Aryaka, Bigleaf, Cato Networks, Citrix, Cradlepoint, Ecessa,
Elfiq, Fatpipe, Glue Networks, Mushroom Networks, Nuage Networks, Silver Peak and Sonus Networks, who offer
solutions in the SD-WAN market and adjacent, but related, WAN spaces such as WAN security, WAN Optimization and
Hybrid WAN. However, due to the constraints of this study, they are not covered here.
Traditionally networked remote offices typically include a plethora of network devices such as firewalls, routers and
switches, each of which requires periodic configuration, maintenance and tech refreshing. Many of today's SD-WAN
solutions pack a stack of functionality into their appliances, allowing for the removal of many remote network devices and
Customers consistently request that an SD-WAN delivers six key features for their remote offices:
Zero-Touch Install - Remote devices only require a local untrained staff member to connect power and network(s) to
complete a branch install.
Remote Device Elimination - The solution provides enough capability to eliminate other remote devices such as
routers and firewalls.
Service Chaining/Insertion - The solution provides a mechanism to chain or insert other services.
Automated IP Address Discovery - The solution can detect a DHCP server, address itself and update the address
table without human intervention.
Brown-Out Resiliency - The solution can maintain connectivity in the event of a transient drop in voltage.
MOS Scoring - The solution collects metrics that measure changes or degradation in the quality of video and voice
connections.
Edge Device - Describes the remote office deployment form factor
SD-WAN solutions also help to dispel the common misconception that MPLS is completely secure while every other
medium is rife with risk. However, MPLS, at its core, is also a shared medium and subject to some of the same security
concerns as networking over other media. Nonetheless, many enterprises are still worried about leakage of highly
sensitive data and employ a hybrid strategy of MPLS plus another less expensive alternative and use SD-WAN to
segregate sensitive traffic to MPLS in normal operations.
Customers consistently request SD-WAN solutions deliver four key security features:
Built-in FW Capabilities - The solution provides basic firewall rule functionality.
Built-in IPS Capabilities - The solution provides basic Intrusion Prevention System functionality.
AES-128 Encryption - The solution provides the Advanced Encryption Standard with a 128-bit key length.
AES-256 Encryption - The solution provides the Advanced Encryption Standard with a 256-bit key length.
FIPS 140-2 Certified - U.S. Government computer security standard used to accredit cryptographic modules.
Customers consistently request this new WAN topology deliver six key features:
MPLS Replacement - Solution allows for the replacement of one or more MPLS point-to-point connections to and
between remote offices.
Centralized Configuration - The solution makes WAN configuration changes from a centralized management console
instead of on each remote device.
2. Network service providers are taking advantage of emerging SD-WAN technologies to provide the MPLS alternatives
their customers demand. It is inevitable all carriers will need an SD-WAN solution and it is unlikely they will be able to
develop internal solutions that can compare in cost, features or agility of the products already on the market. As such,
Trace3 sees and expects to continue to see carriers abandon their own internal SD-WAN development projects and form
partnerships with the SD-WAN providers already on the market. The economics of the larger telecommunications
companies will also compel them to acquire SD-WAN product vendors.
3. SD-WAN killed the Optimization Star? In the past, technologies like traffic shaping, packet prioritization and other WAN
optimization solutions have been developed to overcome the runaway cost of MPLS connectivity as bandwidth demands
skyrocket. SD-WAN products are also targeting this very pain point and developing features to obviate this need for WAN
optimization or deliver these features "out of the box". However, Trace3 does not predict that SD-WAN solutions will
replace the need for WAN optimization, but they will certainly change the perception of WAN optimization as an advanced
standalone product into a table-stakes feature of a larger WAN platform. Some WAN optimization vendors, like Riverbed,
recognize this and are attempting to get ahead of this trend by developing and acquiring SD-WAN solutions and
integrating their optimization solution into a new larger SD-WAN platform - a tricky proposition to be sure, but Trace3
expects this trend to continue.
4. Looking longer term, Trace3 expects to see SD-WAN solutions continue to evolve into more of an on-demand
connectivity model much like other consumer products on the market today.
2. MPLS replacement should not be the sole driver for transitioning from a traditional WAN topology to an SD-WAN
implementation. Although the cost savings from MPLS replacement can be compelling, in the long term, savings in
remote office infrastructure, centralized management and security efficiency will approach MPLS savings.
3. Professional services costs are often overlooked when pricing SD-WAN solutions, which can hide the true TCO of a
solution requiring manual configuration as opposed to those that provide "out-of-the-box" implementation.
4. Failing to solidify your WAN underlay before rolling out an SD-WAN solution can become a showstopper during
deployment. A full WAN assessment and remediation is highly recommended.
5. Traditional WAN solutions are typically architected so that all remote internet bound traffic runs over the WAN back to
the corporate data center and out to the internet - a technique commonly dubbed 'data center backhauling'. Today's WAN
must handle an increasing amount of uncompressible, un-deduplicatable, and prioritized communications such as voice
and video, and so, the option to send this traffic directly from the remote site to the Internet is a very compelling
alternative to backhauling. Therefore, quantifying the amount of backhaul elimination is critical.
6. Conversely, while backhaul elimination is a boon for network simplification, it can present a larger attack surface that
must be protected. Many advanced security tools are housed in the corporate data center. Thus, it may make sense from
a security operations, management and cost perspective to have internet bound traffic flow back through the data center.
A close evaluation of corporate security policies and restrictions can help determine if backhaul elimination is desirable or
even possible.
7. There are three recommended methods to secure the Internet-connected branch office:
a). Service chaining additional security appliance features. However, if these virtual appliances do not incorporate a
strong central management strategy, this can be costly and arduous to manage.
b). Service insertion of cloud-based security features. This removes the need for an appliance to be managed in the
branch by providing centralized management.
c). Integration of a hybrid approach. This provides a combination of virtual appliances and cloud-based solutions in
which the onsite SD-WAN appliance provides local services but is managed by a central cloud-based solution service.
8. Finally, an SD-WAN solution should be viewed as a component of an overall WAN ecosystem that also includes WAN
Optimization, WAN Security, Analytics, Networking Infrastructure and even other IT operations use cases like DR, backup
and restore and copy data management.
Software-defined WAN (SD-WAN) is an approach to designing and deploying an enterprise wide area network (WAN)
that uses software-defined networking (SDN) to determine the most effective way to route traffic to remote locations.
Sources
1 - IDC - IDC Forecasts Strong Growth for Software-Defined WAN As Enterprises Seek to Optimize Their Cloud Strategies - 2016
2 - Gartner - Market Guide for Software Defined WAN - 2015
3 - Forrester - The Future of The WAN is Software-Defined - 2016
4 - Network Computing - Software-Defined WAN: A Primer - 2014
5 - Fierce Telecom - Level 3: We don't want to release a me-too SD-WAN product - 2016
6 - QOS Consulting - Debunking Common SD-WAN Misconceptions - 2016
7 - Cisco - Intelligent WAN Technology Design Guide - 2016
8 - Open Networking Users Group - SD-WAN Working Group - 2016
(end of report)