Understanding the capabilities of SD WAN

SD WAN is an integral part of overall network architectures as companies continue to expect new features and better, more reliable ways to interconnect sites together. We compare Cisco Meraki, Viptela, Silver Peak (HPE Aruba), Aryaka and Citrix. We've also written a comprehensive comparison of SD WAN providers & vendors for further perspective.

SD WAN vendors have various sets of features that all have diverse levels of stability and code maturity. We will examine controller architectures, VPN routing, link monitoring, site integration, and miscellaneous features across the Cisco Meraki, Viptela, HPE Aruba (Silver Peak), Aryaka and Citrix SD WAN solutions to see how they compare and help determine which platform may be right for your organisation.

What to consider when comparing SD WAN vendors?

1. Controller architecture.

2. VPN routing and tunnel capacity.

3. Link monitoring and failover.

4. Miscellaneous features.

Controller architecture

One of the keys to nearly all SD WAN providers, and indeed what makes them “software defined”, is a centralized controller of some form. The software defined aspect comes from the fact that all of the SD WAN edges, whether they are hardware appliances or software routers running on a hypervisor (otherwise known as network functions virtualisation or NFV), receive their configurations and traffic forwarding instructions from the centralized controller.

Controller architectures vary by platform. With some platforms, the vendor always maintains full responsibility over the controller itself, which is usually cloud-based, though you (or a trusted third-party) provide the configurations that are relevant to your SD WAN environment, such as IP subnets and the way you want your traffic to be routed across the VPN overlay. With other platforms, you host the controller software yourself, typically in one or more centralized datacentres where you can support high availability and redundancy. This approach gives you full control over every aspect of the SD WAN platform.

  • Cisco Meraki differs from the other platforms in that it has been controller-based from the very beginning, even before Cisco started offering SD WAN services. All Meraki devices connect over the Internet to the centralized cloud controller, with no option to run your own controller locally. As with all the platforms mentioned, if the local device cannot reach the controller, it continues to operate with the last configuration it received. If your company already has an investment in Meraki MX appliances, you automatically receive SD WAN capabilities as part of your license subscription.
  • Cisco Viptela has three different models available for their controller architecture. The controller can be hosted by Cisco, by a third-party, or you can host it yourself for the greatest flexibility. Cisco has also announced that the Viptela software is now integrated into their IOS-XE operating system, and certain Cisco devices that run this operating system can gain SD WAN capabilities with a software upgrade.
  • HPE Aruba, like Viptela, supports three controller deployment models: cloud-based and hosted by HPE Aruba themselves, third-party hosted, and self-hosted.
  • Aryaka’s controller architecture is similar to Meraki in that it is completely hosted and managed by Aryaka themselves.
  • Citrix NetScaler SD WAN uses a self-hosted controller and represents a do-it-yourself model where you maintain full control over the environment and all of the settings.

VPN routing and tunnel capacity

One of the fundamental tenets of SD WAN is transport agnosticism. This is achieved by each SD WAN edge communicating with the centralized controller which then orchestrates the establishment of VPN tunnels between locations, typically with some flavor of IPsec. This permits the SD WAN edge to use any kind of connection so long as the controller can be reached. Through tunnel orchestration, different routing architectures are possible including any-to-any, hub-and-spoke and hybrid designs where the edges connect to their nearest SD WAN gateway and the gateways then connect to each other in a full mesh.

The different VPN overlay routing architectures are important to consider because each has different implications for both latency and the tunnel capacity requirements of the SD WAN edge. For example, if your business has hundreds of sites that need to connect over the SD WAN service, an any-to-any model where each site can establish direct VPN tunnels to every other site could overwhelm the tunnel capacity of less expensive SD WAN edge hardware. Likewise, a strict hub-and-spoke model may introduce too much latency for some of your applications (such as VoIP) if your hub sites are very distant from your spoke sites. In this case, a hybrid approach of having regional SD WAN gateways may be your best option.

  • Meraki supports a maximum of two active VPN uplinks and can perform per-flow path selection based on different criteria such as latency and packet loss. Meraki is also configurable for different topologies such as mesh and hub-and-spoke, where the latter can help overcome MX appliance tunnel capacity limitations.
  • Viptela offers tremendous flexibility with VPN routing and supports more than two simultaneous interfaces. Flexibility is achieved by hosting the controller yourself which lets you design VPN connectivity to fit your specific needs.
  • HPE Aruba supports many interfaces, along with flexible VPN routing architectures including a very high tunnel capacity for each EdgeConnect appliance.
  • Aryaka offers a solution where they route all traffic to their nearest Point of Presence (PoP) and then backhaul the traffic across their private internal network, which improves latency and reduces VPN tunnel counts. They partner with different cloud companies and Software as a Service (SaaS) providers which have a direct connection into their private network to further improve performance if you use these services.
  • Citrix NetScaler SD WAN is similar to Viptela with its flexibility in VPN overlay routing architectures. Tunnel capacity is based on hardware appliance models and software licensing.
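
The tunnel-capacity trade-off between any-to-any, hub-and-spoke and regional-gateway designs described above can be worked through for a concrete estate. The following is an added example, not taken from any vendor's tooling: the 300-site estate, the site names and both capacity limits are constructed, and hubs are assumed to be meshed with each other.

```python
# Added example: VPN tunnel counts per SD WAN edge under three overlay designs.
# Site names, regions and capacity limits are constructed, not vendor figures.

def tunnel_counts(sites, topology, hubs=()):
    """sites: {name: region}; hubs: hub/gateway names. Returns {name: tunnels}."""
    hubs = [h for h in hubs if h in sites]
    spokes = [s for s in sites if s not in hubs]
    if topology == "mesh":                    # any-to-any: a tunnel to every peer
        return {s: len(sites) - 1 for s in sites}
    if topology == "hub_and_spoke":           # every spoke tunnels to every hub
        counts = {s: len(hubs) for s in spokes}
        # assumption: hubs also keep a tunnel to each other hub
        counts.update({h: len(spokes) + len(hubs) - 1 for h in hubs})
        return counts
    if topology == "regional":                # spoke -> gateway of its own region
        gateway_for = {sites[h]: h for h in hubs}
        counts = {h: len(hubs) - 1 for h in hubs}   # gateways form a full mesh
        for s in spokes:
            counts[s] = 1
            counts[gateway_for[sites[s]]] += 1
        return counts
    raise ValueError(f"unknown topology: {topology}")

def total_tunnels(counts):
    return sum(counts.values()) // 2          # each tunnel has two endpoints

def over_capacity(counts, hubs, branch_limit, hub_limit):
    """Devices whose tunnel count exceeds the limit for their role."""
    hubs = set(hubs)
    return sorted(d for d, n in counts.items()
                  if n > (hub_limit if d in hubs else branch_limit))

# Constructed estate: 3 regions x 100 sites, first site per region is the hub.
REGIONS = ("amer", "emea", "apac")
SITES = {f"{r}-{i:03d}": r for r in REGIONS for i in range(100)}
HUBS = [f"{r}-000" for r in REGIONS]

def compare(branch_limit=50, hub_limit=250):  # hypothetical appliance limits
    report = {}
    for topo in ("mesh", "hub_and_spoke", "regional"):
        counts = tunnel_counts(SITES, topo, HUBS)
        report[topo] = {
            "total": total_tunnels(counts),
            "max_per_device": max(counts.values()),
            "over_capacity": len(over_capacity(counts, HUBS, branch_limit, hub_limit)),
        }
    return report

if __name__ == "__main__":
    for topo, row in compare().items():
        print(f"{topo:14} {row}")
```

With these constructed limits, the full mesh overloads every device, strict hub-and-spoke overloads only the hubs, and the regional design fits everywhere.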

Link monitoring and failover

One of the largest and most immediate benefits of many SD WAN platforms is increased visibility into individual link performance metrics. While separate network management and monitoring platforms have existed for decades, SD WAN often brings new visibility baked directly into the platform with a graphical display of link performance history.

Another benefit of SD WAN is the ability to use multiple independent links simultaneously. Many platforms even support per-packet load distribution to better utilize all available transports. Having multiple links used actively enables extremely rapid failover when one of the links begins having performance issues. Some of the SD WAN platforms have more maturity in handling these kinds of issues.

Each of the vendor solutions discussed in this article has graphical dashboards displaying individual link status and history, including latency, jitter and packet loss. Some of the dashboards also provide Mean Opinion Score (MOS) and Quality of Experience (QoE) values which are beneficial for gauging general performance. Failover can be as simple as switching to another link if the upstream ping test fails, or more advanced such as using Bidirectional Forwarding Detection (BFD) to ensure rapid detection of failed uplinks.

When considering deploying SD WAN, it most often comes in the form of existing router replacement or augmentation. You need to ensure your chosen SD WAN platform can integrate into your existing network by supporting the protocols you need. Not all platforms support all protocols and protocol support can have differing levels of code maturity. For example, nearly all SD WAN platforms support OSPF for an interior gateway routing protocol, but only Cisco IOS-XE devices support the EIGRP protocol. Likewise, BGP, multicast and IPv6 support might be a present or future consideration for your network.

Above: SD WAN supporting failover including MPLS primary connectivity.

  • Meraki supports OSPF and BGP. Limited support is available for IPv6 and multicast, though these features continue to be developed over time.
  • Viptela, as mentioned, supports the widest range of network protocols of all the presented solutions because it is now integrated with IOS-XE, which has a long history of extensive protocol support.
  • HPE Aruba also supports OSPF and BGP, along with full support for IPv6. Multicast support is still a work in progress as of this writing.
  • Aryaka claims complete integration with your existing network but does not publicly specify details such as routing protocol support nor IPv6 and multicast capabilities.
  • Citrix NetScaler SD WAN includes rich protocol support, including OSPF, BGP, IPv6 and multicast.

Miscellaneous features

Many SD WAN platforms offer edge devices containing additional features which may be important to your network environment. Though most SD WAN platforms have built-in management and monitoring capabilities, most companies have their own pre-existing monitoring platforms they would like to have integrated into the SD WAN environment. Most SD WAN vendors support these kinds of integrations through APIs and even traditional SNMP.

Another common feature is WAN acceleration. Some SD WAN vendors, such as HPE Aruba, were previously known for their WAN acceleration products before they entered the SD WAN market. WAN acceleration is the process of optimizing different application traffic for transport over lower-quality links, which is a perfect fit for integration into an SD WAN environment that uses broadband and wireless 3G/4G/5G links.

High Availability (HA) features may be important for larger campus and datacentre edges. When you have a lot of clients depending on constant connectivity, SD WAN platforms can support HA at the edge in various ways. For example, you can have hardware-level redundancy by having two edges synchronized with each other such that they appear as a single device. When a single edge in the HA cluster fails, the remaining edge takes over as if nothing happened.

Most SD WAN platforms include firewall capabilities and some offer the ability to perform local Internet breakout where whitelisted Internet-bound traffic uses the directly-connected Internet link instead of being backhauled through the VPN to a more centralized location.

Finally, most SD WAN vendors that have physical hardware appliances offer models that integrate multiple discrete components into one. SD WAN edges often function as router replacements, but some also have integrated WiFi and multi-port switches, which enable so-called “branch in a box” capability. Instead of having a separate router, wireless access point and network switch, you can install a single hardware appliance at smaller branch offices, which makes connectivity and troubleshooting much easier.

  • Meraki supports both SNMP and API access. Meraki used to support WAN acceleration features, but this functionality was phased out of the product line. HA is achieved between two MX appliances in an active/standby fashion using Virtual Router Redundancy Protocol (VRRP). This means all traffic passes through the primary MX appliance unless it goes offline, in which case the secondary MX will assume all traffic. Active/standby based on VRRP has the disadvantage of requiring several seconds of delay and lost traffic before the standby takes over. The MX was originally designed as a security appliance, and therefore supports many firewall features including local Internet breakout. Meraki also has several MX appliances that function as a branch-in-a-box.
  • Viptela with IOS-XE supports a wide range of miscellaneous features including SNMP/API access, several different modes of HA, firewalling and local Internet breakout capabilities and branch-in-a-box depending on the appliance used. Viptela also supports WAN acceleration through TCP optimization.
  • HPE Aruba has full SNMP and API access and, as mentioned, full WAN acceleration capabilities through its “Unity Boost” integration. HPE Aruba also offers security integration with third-party products like Zscaler. One particularly interesting feature of HPE Aruba is their auto-RMA process where a device can automatically provide RMA details to HPE Aruba if it detects component failure. HPE Aruba does not currently offer any all-in-one branch-in-a-box solutions. HA is supported in both active/active and active/standby modes. Active/active HA uses an interconnect link between the two appliances, and active/standby uses VRRP.
  • Aryaka offers its solution as fully-managed, which is sometimes referred to as “SD WAN as a Service”. Aryaka provides and manages all of the SD WAN hardware and software so there is no CAPEX involved and you pay based on an OPEX model. They also offer both their own SD WAN security solution as well as integration with third parties. WAN acceleration capabilities are built into the platform. Aryaka does not publicly provide the details of SNMP/API access nor HA capabilities.
  • Citrix, like HPE Aruba, began as a WAN acceleration solution. Citrix also includes built-in firewalling and security features with support for local Internet breakout, along with SNMP/API access and integration with existing network monitoring platforms through flow monitoring protocols like NetFlow and IPFIX. HA is achieved between a pair of appliances with a dedicated network interface between the two for heartbeat monitoring.

Questions to ask

As we have seen, major SD WAN vendors have different capabilities and feature maturities in their SD WAN product lines. You need to be aware of the features that are important to your organisation’s network when evaluating SD WAN platforms.

  • Most platforms rely on a centralized controller, but do you need to host the controller yourself, or can you trust your vendor’s cloud offering to service your needs?
  • Will the platform support your desired routing architecture in order to minimize latency and tunnel count?
  • Will the vendor’s platform integrate with your existing network monitoring systems, or will you be relying on the features present in the SD WAN software?
  • Does the platform support the protocols you need, along with features you may desire such as HA?

These are all important questions to consider when deciding on a single SD WAN platform.
