SD-WAN is certainly a popular tech buzzword nowadays, with a huge marketing effort and R&D dollars behind it. With all the buzz, the excitement can outweigh rational thought and produce projects that are poorly planned and end in disappointment. This article will help identify the keys to a successful project and provide a starting place for planning and selecting an SD-WAN solution that is right for your company.
In the right situation, SD-WAN can have a significant impact on your organization, whether you are a single-site business or one with many locations to manage and connect. When it comes to multi-site organizations with an existing MPLS network, the advantages can be tremendous. A well-designed SD-WAN solution will improve access to your applications, dramatically improve bandwidth, and reduce cost. This all sounds groovy, but these solutions also come with significant risk related to network security, poor design, and unexpected costs. Our hope is that by understanding these 4 keys to success, you will improve your chances of a successful project and avoid the headaches that can be involved.
1st Key: Know Your Network
The first step in any SD-WAN evaluation or deployment is a deep understanding of your data network, both LAN and WAN. Documenting your network routes and firewall solutions/settings, and understanding how you are prioritizing packets and controlling Quality of Service, is a good place to start. This knowledge will be critical for selecting and later deploying your chosen solution. If you are like most of our clients, your network has likely been managed and deployed by many hands throughout the years, so documentation, change management, and general understanding beyond the surface level is a real challenge. A network audit by an experienced partner can help you get on track if you don’t feel you have the internal knowledge. The SD-WAN solution you choose can have a major impact on the way your network operates; therefore, a lack of knowledge can lead to frustration, or worse yet, a failed project.
The S in SD-WAN does NOT stand for security! Most SD-WAN solutions are going to change your security strategy in a fundamental way, leaving your business exposed if you don’t prepare for it. 95% of SD-WAN solutions, known as premise or hybrid SD-WAN products, are also NAT routers, replacing a primary role of the existing firewall and requiring a change in thought process. With this change, it is critical that we adjust our strategies to backhaul unknown traffic to a premise or cloud-based firewall solution. Another option for those using hybrid or premise-based solutions is implementing a DNS-based solution such as Cisco’s Umbrella product. If your company has a strong networking team and wishes to maintain the existing or new firewall solutions, a cloud-only SD-WAN solution might be your best bet, allowing your firewalls to maintain IPsec tunnels and providing traditional perimeter security. Understanding the flavors of SD-WAN and the impact on security will help you choose the right solution for your environment. To learn more about the various types of SD-WAN, please read our article SD-WAN Explained: The 3 Flavors of Software Defined WAN.
Author’s Note: Firewall vendors have begun offering “SD-WAN” in their next-gen appliances. Be aware this is a PREMISE ONLY solution that is only a moderate improvement on the existing firewall failover solutions. SD-WAN is a broad, rather undefined term that is used at times to drive new sales instead of solving the big problems. Don’t think that just “turning on SD-WAN” on your existing firewalls will necessarily prepare you for MPLS replacement.
Networks are here for one primary purpose today: connecting us to the applications we depend on. In the past this was relatively simple for IT teams, as nearly all applications lived in a datacenter or in closets on premise. Today’s cloud-based world is a bit more complex, with application adoption happening rapidly, sometimes at a departmental level with very little IT oversight. MPLS solutions do little to nothing to support this adoption in comparison to a hybrid or cloud-only SD-WAN solution that "automagically" optimizes this Internet traffic, controlling the flow and path and then prioritizing the critical applications for you. Knowing where ALL your applications live ensures you choose a solution that matches the current and expected course of your IT strategy, so that all your apps, whether in the cloud, closet or colo, will be highly available at speeds that exceed end-users’ expectations.
2nd Key: Understanding Your MPLS Contract
Traditional MPLS contracts are written in a way that protects the carrier in two substantial areas: evergreen contracts and termination liability. Evergreen contracts include an automated clause that will renew the existing contract if it is not cancelled in the correct way within the defined time period (traditionally between 30-90 days prior to contract end dates). Termination liability penalizes the customer for leaving the contract before completing the term. Once you have identified the specific terms of your contract and know your end date, you will want to communicate with your carrier that you wish to move your contract to a month-to-month status at the end of the term. This gives you the flexibility to turn down services as you roll out your SD-WAN solution without the stress of meeting a fixed date for losing services from the existing carrier. The move to month-to-month can include a price hike with some carriers but is a vast improvement over downtime due to poor timing or issues with delivery of your replacement circuit. In some situations, it can make sense to maintain all or part of an existing MPLS solution in tandem with your new SD-WAN deployment. The reasons for this could be a desire to have a private connection between key locations, or that the timing of the current contract doesn’t match your target dates for project completion. In this situation, it can be helpful to have a partner who will negotiate a buyout or a spend shift within the contract. A spend shift would be accomplished by sourcing circuits from the carrier equal to the displaced contract but with public internet, or a combination of public and private links. Carrier contracts are designed to be complicated; talk to an expert if there is confusion around your options going forward.
3rd Key: Understanding Public Internet Fundamentals
The circuits you choose to implement with your SD-WAN solution can have a huge impact on the reliability and overall cost savings. To achieve maximum uptime, the circuits should be sourced from different carriers, protecting against carrier backbone failures. It is also best practice to source different mediums for delivery, pairing some combination of fiber, coaxial, DSL and wireless. This ensures that a physical disruption, like a cut to a shared fiber entry into a building, doesn’t result in complete loss of service. When possible we even suggest separate entry to the building, further protecting against possible disruptions. The use of wireless LTE as a secondary or tertiary circuit is becoming a powerful solution. 4G service offers decent speed for smaller branch locations in the event of an outage, and with SD-WAN optimizing the traffic, critical applications will be prioritized. As 5G hits the market, LTE may be poised to play a larger role in connectivity, serving as a primary point of access in strategic locations. The advantages of blending your Internet delivery are huge, protecting against outages and eliminating one big headache from your day.
Once you have selected the Internet delivery medium, work with the underlying carrier or your partner to provide an SLA on the connection. Private circuits often include SLAs by default; when you transition to public internet, you will need to request, and at times pay more for, an SLA. When choosing speeds for your Internet circuits, consider that upgrading is relatively simple and a minor cost increase, while very few providers will allow you to downgrade a circuit and reduce spend. After your new SD-WAN solution is in place, you will have great visibility into the usage of these circuits and can upgrade them as needed. Generally, SD-WAN solutions do not need static IPs on circuits, as they have a mesh VPN built in. This can be another area of cost savings, unless you plan to NAT public services through the SD-WAN solution.
Again: use an Expert!
SD-WAN is a new technology with a broad range of offerings and varying designs. The industry is also further complicated by the number of players involved, many of whom won’t survive. Knowing who the strongest players are financially can save significant headaches down the road. It is critical that those in charge of an SD-WAN evaluation include a resource with broad experience with the available deployment models and the specifics of each underlying company being evaluated.
4th Key: Understand Your Options for Where to get SD-WAN
Technically, anyone with access to Google can procure SD-WAN with minimal effort. However, as we have determined in this article, it is vitally important to engage an expert in your decision-making and implementation process. Experts can generally be broken into three distinct categories: carrier service providers, consultants, or ITSP/VAR/MSP.
Carrier or Aggregator
This would be your traditional type of ISP – think CenturyLink, Windstream, AT&T and the like.
- Pros – The carrier has control of both the circuit and your SD-WAN solution, allowing visibility into some of the backend that others may not have. They can also take advantage of the fact that they own the data circuits coming into the building, providing financial incentive for clients by discounting the overall project.
- Cons – Although carrier services are core to any deployment, working with a carrier limits you to what they happen to offer in relation to SD-WAN (usually one solution) and often positions you to be highly dependent on one carrier’s backbone, a definite downside when considering overall reliability. Reliability is also limited by the design: with all the SD-WAN core equipment located on the chosen carrier’s network, an outage of that network could take down all sites regardless of whether you deploy a secondary Internet circuit from a different ISP. Although these carriers have experience with WAN connectivity, they often come up short when it comes to security and general network design compatibility. We strongly advise against using a carrier as your SD-WAN provider.
Consultant
This would be an individual or group who has vast experience with these types of deployments but does not offer an SD-WAN or carrier service to sell the client.
- Pros – An honest consultant is working directly with you, reducing the probability they are going to suggest a solution for their own financial gain. Using a consultant can provide insight and honesty that might be missing from engagements where the end game is to provide you a billable service. In other words, a consultant is acting as an employee on your behalf. Good consultants spend enormous amounts of time researching, testing, and evaluating a variety of solutions ensuring you have a strong picture of the overall market.
- Cons – Not all consultants maintain a distance from the providers, meaning they might be receiving some sort of kickback from a carrier or SD-WAN player for referring business. Many consultants lack a team of engineering talent that can truly understand and evaluate your internal network or security practices. Consultants add significant cost to a project, as they are not (or should not be) compensated directly by the solution provider you select; in many ways it is more like hiring a part-time employee specifically for the project. Depending on your business, goals, financial flexibility and the consultant’s unique capabilities, this can be an excellent way to ensure success.
IT Service Provider, Value Added Reseller, or MSP
This grouping generally resells the services you are requesting and then will assist with deployment and long-term support.
- Pros – This group includes many of the advantages of a consultant: experience in the industry, the ability to be agnostic when selecting a solution, and being highly educated on the offerings on the market. In addition to this overlap, the reseller should have a deep bench of network engineers who can evaluate, design, configure, test, and support the SD-WAN solution you select, tuning it for your specific environment and avoiding cookie-cutter solutions. The likelihood this group steers you into a bad product is slim. Unlike the consultant, they must deliver the solution in the end and won’t be compensated if it doesn’t work or the underlying provider fails. In many ways, this gives you the advantage of a consultant’s knowledge without the hefty price tag.
- Cons – Most resellers will have a short list of SD-WAN players and carriers they prefer to work with. Although this is not as restrictive as a carrier, it means some solutions that might be a better fit won’t be included in the process. Resellers vary greatly in skills and experience, some offering an SD-WAN product they barely know. Understanding the primary qualifications of the reseller is critical before a choice is made. An experienced and trusted reseller makes an excellent partner for an SD-WAN deployment.
The advantages of SD-WAN aren’t difficult to understand but can be challenging to achieve without a solid understanding and a well-thought-out plan. Through preparation, patience, and the help of an expert, our clients have seen a tremendous increase in bandwidth, unmatched reliability and visibility. SD-WAN is clearly the future of the Wide Area Network. The first step will always be understanding your network and how an SD-WAN solution can fit, ensuring you get the correct technical fit. After you have identified your preferred technical direction, make sure you understand your existing contracts and the impact they will have on timing and cost. Source diverse circuits that optimize the value of SD-WAN by allowing it to steer across the best network at the moment, without depending on one carrier or delivery mode. Most importantly, make sure the expert you engage has your best interest at heart, understands your desired outcome, and has the technical chops to understand how the available solutions will help you drive to the finish line and beyond!
Follow-up Article: Managing Multiple Locations? SD-WAN & VPN FTW!
Author: Kyle Holmes