When comparing MPLS VPN and SD-WAN solutions, people often fail to mention the one true complication with SD-WAN: finding the right product for your business.
Why choosing an SD-WAN solution is more complicated than the legacy MPLS option
When looking at an MPLS VPN solution, it’s simple: you get virtual routing and forwarding (VRF) on a service provider core, link your branches through encrypted, logical point-to-point links, and configure quality of service (QoS).
The basis is the same for all businesses, regardless of your individual requirements or the service provider (SP) providing it. With MPLS, your differentiators are limited to service provider performance, costs and value-added services.
On the other hand, SD-WAN comes in many flavours. Each vendor has their own vision guiding their product offering. The few aspects that seem to be consistent are central orchestration, zero-touch deployment (ZTD) and a method for private, inter-branch communication.
Some vendors focus on security, some on simplification, some on integration of all security, local area network (LAN) and wide area network (WAN) infrastructure, and some on WAN traffic management, optimising user experience. All the different products have mostly the same features embedded in their offering; however, they normally excel in one or two of these features.
How to know which SD-WAN deployment will be the best for your business
The key is to understand your environment, map the flow of traffic and identify security checkpoints and risks. Then decide on your preferred end-state in conjunction with “best practice” infrastructure service availability, business continuity and security practices. With this mapped out, comparing products to best suit your business is straightforward.
Don’t be afraid to segment your services: separating WAN connectivity, WAN traffic management, internet security, endpoint protection, application (DC) security, LAN infrastructure and LAN access control across different vendors and service providers allows you to choose best-fit services. This modular approach also lets you replace a service with a future best-in-class service without impacting any of the other services in use.
Whilst there are a number of options available to organisations, this transition creates an opportunity to work with an SD-WAN Managed Service Provider (MSP) like Intelys Telecom as opposed to your incumbent ISP or network provider.
Managed Service Providers are generally niche and focused, and typically deliver SD-WAN as a service. The engagement would typically start with a network assessment, where we get a view of your current estate as well as your future technical and business requirements. These are then mapped to the solution most suitable for delivering on your requirements.
10 Notable SD-WAN features to consider when choosing the right solution for your business:
1. VPN: With SD-WAN the virtual private network (VPN) aspect of the solution is delivered through multiple means: standard GRE/IPsec tunnelling, proprietary tunnelling protocols and per-session encryption options, each with their own pros and cons. AES-128 encryption should be a minimum requirement, and the ability to support AES-256 is even better.
2. Transport: Using User Datagram Protocol (UDP) tunnels (with sequence indexing to ensure packet delivery) will boost throughput thanks to reduced packet overhead and a larger data frame size per packet when traversing high-latency internet services. This circumvents the inherent flaw of TCP/IP treating latency the same way as congestion, which reduces the data frame size carried in each packet.
3. Traffic Management: Traffic is managed either “per session” or “per packet”, the latter providing more control over your traffic. This includes failover in milliseconds without interrupting sessions, real-time packet duplication over multiple WAN links, and instantaneous route changes based on link load and performance. “Per session” options are fine when using stable, SLA-backed WAN connectivity and when load or user experience is not an issue.
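The sequence indexing in item 2 and the per-packet duplication in item 3 work together as sketched in this added Python simulation (not code from the article or from any SD-WAN vendor): the sending edge stamps every packet with a sequence index and copies it onto two links with different latency and a constructed loss pattern; the receiving edge drops the second copy of anything already seen, re-sequences what arrives, and reports any index lost on both links. Link latencies and loss patterns are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelPacket:
    seq: int        # sequence index stamped on each packet by the sending edge
    payload: bytes

@dataclass
class WanLink:
    latency_ms: int
    drops: frozenset  # constructed loss pattern: the seqs this link loses
    def transmit(self, pkts):
        # packet i leaves at t=i ms; it arrives at send time + link latency
        return [(i + self.latency_ms, p) for i, p in enumerate(pkts)
                if p.seq not in self.drops]

def duplicate_over_links(pkts, links):
    # per-packet duplication: every packet goes out on every link
    arrivals = [a for link in links for a in link.transmit(pkts)]
    arrivals.sort(key=lambda a: a[0])       # receiver sees copies by arrival time
    return [p for _, p in arrivals]

class TunnelReceiver:
    """Drops duplicate copies by seq, re-sequences, and reports gaps."""
    def __init__(self):
        self.seen, self.pending, self.delivered, self.next_seq = set(), {}, [], 0

    def receive(self, pkt):
        if pkt.seq in self.seen:
            return                          # later copy from the slower link
        self.seen.add(pkt.seq)
        self.pending[pkt.seq] = pkt
        while self.next_seq in self.pending:  # release in sequence
            self.delivered.append(self.pending.pop(self.next_seq))
            self.next_seq += 1

    def flush(self):
        # reorder timer expired: skip the gap and release what is buffered
        for seq in sorted(self.pending):
            self.delivered.append(self.pending.pop(seq))

    def missing(self, total):
        return sorted(set(range(total)) - self.seen)

def run_tunnel(n, links):
    pkts = [TunnelPacket(i, f"data{i}".encode()) for i in range(n)]
    rx = TunnelReceiver()
    for p in duplicate_over_links(pkts, links):
        rx.receive(p)
    rx.flush()
    return rx
```

Running the same packet train over a single link shows the loss that duplication hides; only an index dropped on every link ends up in `missing()`.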
4. Quality of Service (QoS): Quality of Service will be applied at an application level for most, if not all SD-WAN services. Some products have advanced QoS engines allowing for more intelligent and dynamic management of traffic than the standard bandwidth assignment for your traffic priority groups. This flexibility will allow maximum utilisation of bandwidth without compromising business critical service delivery.
5. Segmentation: Proper segmentation of the data plane helps to contain threats and data leaks. Having the ability to create virtual routing layers across your overlay, with the ability to utilise the same underlying infrastructure and applying QoS across your virtual routing and forwarding layers, would be ideal.
6. Optimisation: The optimisation stack is becoming less relevant. Utilising an SD-WAN solution that uses UDP tunnels will largely nullify the need for TCP/IP or protocol acceleration. Deduplication, compression and caching capabilities are hard to justify when the licensing costs and hardware requirements are compared with the cost of bandwidth. That said, long-range communications paired with severe bandwidth restrictions may still make them worthwhile.
7. Security: The integrated security of most SD-WAN products consists of at least a stateful packet inspection (SPI) layer 7 firewall. When looking at combining unified threat management (UTM) features with SD-WAN in a single product, you will probably lose a lot of WAN traffic management functionality. Separating these services will come at a cost, but will provide you with the best of both worlds.
Moving your internet security as well as your application security to a cloud service is also a very good option. This allows for an “always-on” service, consumed through an “as a service” model, while reducing the on-site hardware footprint.
8. Simplicity: SD-WAN services simplify configuration and management of your WAN infrastructure, or at least they should. When migrating from an MPLS VPN solution, you can expect significantly more configuration than when migrating from an internet-based service. The more automation in the configuration process, the easier integration, future changes and site moves will be. Have a look at the orchestration and configuration processes for each of the options on the table: having central orchestration does not necessarily mean the service is simple to implement.
9. Monitoring: Monitoring your solution performance is included with all SD-WAN products and most allow for Simple Network Management Protocol (SNMP) access to hook up to your own or service provider’s monitoring tool. You should be able to monitor both the underlay and overlay to independently rate performance. The ability to monitor application performance is a key differentiator to look out for.
10. Support: As with any service, having tried, tested and highly rated support from your service provider is essential. Another important requirement is local vendor support and stock availability. There is no sense in using a product that requires you to import replacement hardware, leaving your site open to attacks or without connectivity.
Our advice is to see as many service providers as possible; do not settle for high level designs; go into granular detail regarding capability, configuration, transition and support, and proof of concept (PoC) your preferred options.
We live in an age of options, and you don’t need to adjust your vision to complement the available technology; the technology is available to complement your vision.
One option is to work with a niche, focused SD-WAN Managed Service Provider like Intelys Telecom, which has a tried and tested approach.
This article was published in partnership with Intelys.