Nemertes Research Group Inc. www.nemertes.com 1-888-241-2685

Faster, Better, and Cheaper? Building the SD-WAN Business Case

Embracing Less Expensive Connectivity Makes SD-WAN a Powerful Engine of WAN Savings

Mixing less expensive connectivity into the WAN can not just slow the growth of WAN spending but actually reduce it—while improving performance and uptime.

Winter 16
By John Burke
CIO and Principal Research Analyst
Nemertes Research

Compass Direction Points:
• SD-WAN can save money on connectivity. Growth in MPLS spending can be eliminated, and annual spend actually reduced by substituting Internet links for MPLS some or all of the time.
• SD-WAN can improve uptime. Nemertes research data show a 92% reduction in WAN outages at SD-WAN sites.
• SD-WAN can reduce IT WAN management costs. Nemertes research data show a 95% reduction in WAN trouble tickets.
© Nemertes Research 2016 | www.nemertes.com | 888-241-2685 | DN5687

Table of Contents

Compass Direction Points
Table of Figures
Executive Summary
The Issue
What Is SD-WAN?
Types of SD-WAN
    Overlay SD-WAN
    In-Net SD-WAN
The Nemertes SD-WAN Cost Model
    Cost Component: Connectivity
    Cost Component: Capital Equipment
    Cost Component: Troubleshooting and Problem Resolution
Customizing the Model: Making It Work for You
    Size and Conversion Percentage
    Carrier Service Options
    Capital Equipment Shifts
    SD-WAN Appliance Type
    Site Types
Model Outputs
    SD-WAN vs Classical WAN
    Overlay vs In-Net SD-WAN Savings
SD-WAN Use Cases
    Use Case 1: Resilience and Growth with Hybrid SD-WAN
        More Bandwidth
        More Resilience
        Easier Branch Activation for Business Agility
    Use Case 2: Hybrid Infrastructure and Cloud Optimization
        Improving Uptime and Accountability
    Use Case 3: Better Security and Lower Operating Costs
Conclusion and Recommendations

Table of Figures

Figure 1: SD-WAN with Mesh and Hub/Spoke Virtual WANs
Figure 2: SD-WAN Model Variables
Figure 3: Modeling Connectivity to Typical Sites
Figure 4: Model Outputs
Figure 5: Reducing Dependence on MPLS

Executive Summary

SD-WAN is a potential game-changer for wide area networking—on the same level as server virtualization, which transformed data centers over the last 10 years. SD-WAN combines the use of multiple active branch links, intelligent direction of traffic across those links, and centralized, policy-driven management of the WAN as a whole. The ability to leverage multiple lower-cost services (including Internet and 4G wireless) as well as traditional services like MPLS holds the promise of transforming IT’s relationship to the WAN and the WAN’s relationship to the business.

Transformational potential is not enough. IT has to build a compelling business case for making the transition. The base of the case must be cost. Nemertes has developed and validated an SD-WAN cost model that enables enterprise users to build that business case. The short version? SD-WAN deployments can cut millions from large WAN service bills. But connectivity is not the only avenue by which SD-WAN can drive savings; by providing cheaper and more transparent and automatic failover when WAN links fail, SD-WAN can reduce branch WAN outages and troubleshooting costs by 90%.

For IT and networking professionals the message is clear: now is the time to take a close look at your WAN architecture, with the aim of identifying locations that could benefit from higher bandwidth, lower rates, increased reliability, or all three. Model the cost of sticking with the current architecture and compare that against at least two SD-WAN solutions. If the SD-WAN numbers show significant potential savings over time, build a business case based on them, as well as other operational savings and any business value assigned by the business lines to faster branch turn-up.

The Issue

In the classic engineer’s formulation, “You can have it cheaper, faster, or better…pick two.” From time to time new technology comes along and, by changing the basic assumptions underlying existing solutions, manages to be cheaper and faster and better all at once. SD-WAN promises to hit the trifecta. By changing the underlying assumptions about how you connect a branch to the WAN (and, indeed, what constitutes a branch) it offers the chance of improving agility (i.e. being faster) and performance and reliability (i.e. being better) while also reducing costs. Building a business case for deploying SD-WAN invokes all three benefits but rests mostly on the strength of savings, whether in the form of expected cost increases avoided, or as actual cost decreases.

What is SD-WAN?

Let’s start first with definitions. Software-Defined WAN, or SD-WAN, incorporates several key concepts:
• Abstraction of edge connectivity: Making all the connections into a location useful as a single pool of capacity available to all services.
• Virtualization of the WAN: Overlaying one or more logical WANs on the pool of connectivity, with behavior and topology for each overlay WAN defined to suit the needs of specific types of network services, locations, or users.
• Policy-driven, centralized management: Key to an SD-WAN is the ability to define behaviors for an overlay WAN and have them implemented across the entire infrastructure without requiring device-by-device configuration.
• Flexible traffic management for performance and security: SD-WANs can optimize traffic in many ways; foremost, they can selectively route traffic across links based on criteria such as link performance.

[Figure 1: SD-WAN with Mesh and Hub/Spoke Virtual WANs. Diagram labels: data center (DC), branch routers, SD-WAN appliances, Internet, MPLS carrier core, mesh WAN, hub-and-spoke WAN.]

Types of SD-WAN

There are two key ways to provide these services in a WAN. Nemertes calls these overlay and in-net SD-WAN.

Overlay SD-WAN

In an overlay SD-WAN, the new SD-WAN appliances are deployed on an existing routed network, either behind the routers or replacing them as the branch connection to the WAN. SD-WAN appliances can also collapse the typical branch stack by replacing other branch WAN appliances such as optimizers and firewalls.

More than a dozen companies sell SD-WAN appliances, both physical and virtual (which allow extension of the SD-WAN into public cloud spaces such as Amazon EC2 or Google Compute Engine). Some are intended to replace routers, some to ride behind them, others can fill either role, and enterprise IT staff need to carefully evaluate each against their specific needs. For example, those with an aging router plant but mostly MPLS and Carrier Ethernet or broadband links may find router replacement very attractive. Those with a lot of older T1 or T3 connections that can’t or won’t be replaced with Ethernet may want to keep their existing routers in place, to terminate the older connectivity, while using the SD-WAN solution to supplement it with wired or 3G/4G broadband.

In the overlay scenario, SD-WAN appliances comprise a layer of enterprise infrastructure distinct from the WAN connectivity they manage, allowing IT to easily add and remove network service providers and link types. This gives the enterprise maximum flexibility on connectivity services, but incurs the burden of managing the solution itself. This is typically less trouble to manage than the old-school router plant, and can even help make router management easier where routers stay in the picture, but is still a significant operational responsibility for IT.

In-Net SD-WAN

In contrast, in-net SD-WAN ties the SD-WAN functionality to the connectivity services. These functions may all be provided in the service provider’s edge and core infrastructure, with the branch using a traditional router to connect to the provider’s nearest point of presence. Or, some or all functions may be provided on-premises via physical or virtual appliances under service provider management; this pushes work out of the service provider’s infrastructure and also allows optimization of last-mile connectivity.

In-net SD-WAN is often tied to Network Functions Virtualization (NFV), with the various functions of the SD-WAN solution provided by separate, cooperating Virtual Network Functions (VNFs) dynamically downloaded to the on-premises device (where there is one) or chained into the traffic path in the carrier infrastructure. This opens the possibility of the on-premises device being white-box generic rather than bespoke for the service, decreasing vendor lock-in somewhat.

The trade-off for handing off the management burden for the SD-WAN is the loss of autonomy with respect to connectivity. In the in-net scenario, you can’t necessarily mix and match links from different vendors freely. The new level of WAN functionality is tied to the in-net SD-WAN provider, after all. If you have trouble getting connectivity to all your sites from a single provider, that becomes an issue. Likewise if you want to have provider diversity for your branch connectivity, as well as path and link-type diversity: that is, you want to have each branch have a link from at least two different providers, e.g. one for MPLS and a different one for Internet. The in-net SD-WAN provider has to allow for (and potentially partner with) the other providers you want to use in order for you to fold in links from those other vendors. This sharply limits enterprise choice in the matter.

The Nemertes SD-WAN Cost Model

The Nemertes model incorporates three key cost components of the WAN and of SD-WAN solutions: connectivity, capital, and operations. It is built to support multiple decision points in regards to each.

Cost Component: Connectivity

In assessing costs for any WAN architecture, circuit and service costs represent the lion’s share of costs overall. And, as noted, the largest piece of cost savings from SD-WAN comes from changes in circuit and service costs. Whether overlay or in-net, the fundamental concept behind SD-WAN is to use any available network routes that deliver an application’s required quality of service; where big cheap Internet links are available, a lot of traffic will shift onto them off more expensive MPLS links, which can shrink or go away.

This provides IT with a range of options for adding bandwidth, and lets network professionals take advantage of the full range of options to meet the needs of their particular mix of services, site types, and use cases. Depending on the organization and its applications, that may mean:
• Routing unified communications and other real-time traffic over MPLS while shifting other application traffic, file transfers, and other latency-insensitive applications to business or consumer Internet services (which cost up to 10 times less than comparable MPLS services).
• Routing all applications across MPLS where available, and using 4G wireless as backup or for overflow traffic.
• Shifting all applications from MPLS to business or consumer Internet services to maximize cost savings, with a couple of providers per branch so the solution can still take advantage of differences in performance in reaching various services across the vendors’ respective networks.

So at the core of our cost model is the “circuit costs” component, which includes all services that an enterprise has in the “before SD-WAN” state and those it will have after deploying SD-WAN, including:
• MPLS circuits: Traditional MPLS services with SLA and possibly multiple levels of QoS
• Business Internet: Internet services provided with an SLA and symmetrical service, i.e. the same bandwidth up to the Internet and down from it
• Consumer Internet: Consumer-grade Internet services (although also typically provided for smaller branch offices) which don’t have an SLA and may, if based on cable or DSL, be asymmetrical, with lower bandwidth for traffic going up to the Internet than for traffic coming down from it
• 4G or LTE wireless: Broadband wireless services usually used as initial connectivity in a new branch, or as backup or overflow capacity for an established branch with other connectivity available

Cost Component: Capital Equipment

Given how large, comparatively, the spend on connectivity is, with a long enough replacement cycle (5 to 7 years, although costs are usually amortized over 3 to 5 years) the cost of capital equipment can seem insignificant. Even as the branch stack has grown from just a router to include also optimization and firewalls, this can still look true. That is, it can seem insignificant if you have easy access to capital funds.

However, many organizations find capital funds increasingly pinched. That, coupled with an accelerating pace of technology change makes a big upfront investment in a long replacement cycle untenable, for now. So, the impetus is to reduce capital spend by consolidating the stack into a single box; or to shift costs from capital to operating expenses.

SD-WAN appliances, especially the newest generation ones used by carriers and service providers in their in-net solutions, are intended to be able to replace routers and firewalls and some functions of WAN optimizers, whether via integral functions of a unified appliance, or, in the NFV scenario, via router, firewall, or optimization VNFs run alongside the core SD-WAN VNF. In other words, an apples-to-apples before-and-after comparison of capital equipment might include:

Before:
• Hardware router
• Hardware WAN optimizer
• No firewall
• No SD-WAN appliance

After:
• Software router (VM)
• Software WAN optimizer
• Software firewall (VM)
• SD-WAN appliance

Or many other combinations. The model accommodates selecting how many sites have a separate firewall before the transition, and how many after; likewise WAN optimizers. We bundle both software licensing costs and amortized hardware into a single line item.

Cost Component: Troubleshooting and Problem Resolution

Although they feel keenly the fact that they have too much to do and too little time in which to do it, network professionals usually don’t know exactly how much time they (and their teams) spend in troubleshooting and resolving WAN problems. That’s because teams typically wear multiple hats, and outages and issues occur relatively infrequently in most WANs. Over the course of a year, a network engineer might estimate she spends 75% of her time on upgrades and new installations; 10% of her time doing architecture and planning; and the remainder on troubleshooting. But unless the company she works for is exceptionally obsessive about time-tracking, there’s no way she knows this. And when sites do experience significant connectivity issues, solving the problem is paramount and time-tracking what goes into it is not; resolution pushes aside normal work and often involves after-hours and weekend work that is rarely tracked and accounted for accurately.

What we found in research for the cost model, as well as in the Nemertes 2016 Cloud and Data Center Benchmark research, is that regardless of how much time network engineers invest in troubleshooting and problem resolution, that number decreased by roughly 90% with deployment of SD-WAN. That may seem counter-intuitive, given that with SD-WAN network architects are in theory putting less-reliable Internet links in the role of primary connectivity beside (or in place of) more reliable MPLS links. However, in practice, most use cases involve moving from single MPLS connections to pools consisting of MPLS-plus-Internet or multiple-Internet connections—and a consequence of moving to multiple connections with transparent failover is to reduce or eliminate the impact of any single link having problems. The SD-WAN technology happily reroutes traffic over the good link(s), and simply resumes using the link that went down as soon as it is back up.

When there’s a service outage with a single MPLS circuit, network engineers need to drop everything and deal with the outage until the site is back up. But when a circuit goes down and other circuits take its place, it’s not really an outage, it’s merely a service degradation, and not an emergency. And given that such outages are usually temporary and self-correcting, often no action by IT is required.

Customizing the Model: Making It Work For You

Size and Conversion Percentage

For a cost model to apply to any given environment, users need to be able to customize it to reflect their current environment and planned changes. This ability is key to conducting “what-if” analyses: determining which options make the most sense for a given deployment scenario. To enable customization, Nemertes focused on a few key variables. (Please see Figure 2.) First and foremost: the WAN size (number of sites) and the percentage of the WAN converted to SD-WAN, because SD-WAN doesn’t have to be all or nothing. Users can input both, and see how the results change.

Figure 2: SD-WAN Model Variables

Carrier Service Options

The next most important variable in the cost equation is, as noted above, the cost of connectivity services. This comprises multiple, separate variables: Which provider is delivering services, and which services—MPLS, business Internet, consumer Internet, and LTE—are in use, and at how many sites. The model allows users to select “before” and “after” options for service types, and to define connectivity profiles for a few common branch scenarios (see below). The cost for those services will draw from one of three sources:
• Specific carrier costs. Network professionals who work with a specific carrier, or who are considering selecting that carrier, can select that provider’s costs for the options.
• Specific enterprise costs. Network professionals who know their own costs for services can plug those in, and have the model compare configurations based on the actual costs paid for services.
• Generic costs. Network professionals who don’t know their own costs and aren’t focusing on a specific carrier can leverage an average of benchmark and survey data collected by Nemertes. These are paid costs, not list prices, so they provide a realistic sense of actual market costs.

Capital Equipment Shifts

We also enable users to indicate before and after scenarios for capital equipment. These include:
• Router replacement. As indicated above, some solutions allow (and even encourage) router replacement. At least one may require it (i.e. for in-router SD-WAN requiring a new enough router to support it). Removing a branch router reduces capital, management, and maintenance costs.
• Branch firewalls, pre- and post-transition. A significant appeal of SD-WAN is the ability to send cloud-bound traffic directly to the cloud rather than routing it back through a data center; deploying more Direct Internet Access (DIA) in branches means deploying more firewalls to secure those connection points. Some SD-WAN solutions provide strong firewall functionality, others don’t, and in some cases IT will want to deploy a standalone firewall no matter what, as a matter of policy.
• WAN optimizers, pre- and post-transition. Between increases in usable bandwidth (with consequent decrease in contention for capacity) and the ability of SD-WAN appliances to supply crucial WAN optimization functions such as prioritization and route optimization, enterprises often have no ongoing need for a separate optimization appliance in an SD-WAN site.

SD-WAN Appliance Type

Although the type of SD-WAN appliance doesn’t affect the cost of a deployment dramatically, we let users select the SD-WAN appliances they are considering as part of the modeling. This is a particularly useful capability when it comes to comparing overlay SD-WAN (for which users must purchase their own SD-WAN appliances) with in-net SD-WAN (in which providers deliver, and manage, the appliance as part of the service).

Site Types

Lastly, the Nemertes tool allows the user to describe the organization’s most common site types in terms of their current connectivity profile and the profile they would like to shift to via SD-WAN. (Please see Figure 3.) Site types can range from a large headquarters or data center to typical midsize branch offices to small branches or even kiosks or other unstaffed network sites (e.g. an ATM or a RedBox or similar network-connected vending machine).

Figure 3: Modeling Connectivity to Typical Sites

Per-Site Variables
                                    Site Type 1 (15%)   Site Type 2 (30%)   Site Type 3 (50%)   Site Type 4 (5%)
Links per typical site (CURRENT)    Number   Mbps       Number   Mbps       Number   Mbps       Number   Mbps
  MPLS                              1        50         1        10         1        5          2        100
  Business Internet                 1        50         1        10         1        5          2        100
  Commodity Internet
  LTE
Links per typical site (AFTER)      Number   Mbps       Number   Mbps       Number   Mbps       Number   Mbps
  MPLS
  Business Internet
  Commodity Internet
  LTE

Model Outputs

The model’s goal is to determine not only whether SD-WAN can deliver cost benefits, but particularly what sort of SD-WAN is optimal: overlay or in-net.

SD-WAN vs Classical WAN

As outputs, the model compares current costs with SD-WAN costs, modeling both an overlay and an in-net transition. (Please see Figure 4.)

Figure 4: Model Outputs

This provides network professionals with the opportunity to gain two pieces of insight. First, how much (if any) will converting to SD-WAN save? And second, which type of SD-WAN—overlay or in-net—saves most?

Overlay vs In-Net SD-WAN Savings

Which solution generates greater savings depends on the transition scenarios envisioned. Currently, users will be most likely to see in-net SD-WAN generating greater savings in scenarios where MPLS connectivity is left intact and no consumer broadband is added to the mix. When consumer services come into play and MPLS use is scaled back, overlay usually takes the lead.

It is important, though, to keep in mind that the attraction of outsourcing a big part of SD-WAN management via an in-net solution may outweigh small differences in savings. Some organizations would think the prospect of saving 20% over current spending levels and offloading management more attractive than saving 30% and keeping it; offloading the work frees staff up to add value in other ways.

SD-WAN Use Cases

Use Case 1: Resilience and Growth with Hybrid SD-WAN

More Bandwidth

Most WAN-connected branches of significant importance have a primary link, typically MPLS, and a backup link, usually an IP-VPN running across an Internet link. Under normal circumstances, they use only the primary link. If, and only if, that primary link fails will they use the backup link, and they will use that only until service on the primary is restored. Usually, the failover between primary and secondary is slow enough to break all network sessions currently running to or from the branch, booting people out of conferences and hanging up voice or video calls, terminating sessions on core applications. In all too many cases, it will be manual and require WAN staff time to execute. The whole drama is replayed when the primary comes back up and services are moved back to it, unless the WAN staff wait until “after hours” to make the swap back—typically still penalizing staff with poorer WAN performance in the meantime (and penalizing themselves with after-hours work).

The presence of those unused backup links is one of the chief avenues by which SD-WAN solutions can provide value quickly. Using Nemertes’ SD-WAN TCO Tool to model various scenarios, it is easy to see that even someone making the most conservative choices about connectivity can realize significant savings. SD-WAN, by making active/active use of all existing links, can offset big spending increases associated with big bandwidth increases.

For example, consider a 200-site WAN spending $2.59M a year on MPLS and Internet failover links. Doubling speeds but sticking with the same architecture results in a 40% cost increase, to $3.64M. Switching to hot/hot use of all original links via SD-WAN instead, upping effective bandwidth without actually increasing link speeds, avoids that huge added cost. Decreasing MPLS port speeds and counts and shifting some smaller locations off it entirely can, while retaining MPLS as a core technology, easily decrease connectivity costs by 30%, to $1.82M. (Please see Figure 5.) More radical (and consequently riskier) shifts off MPLS can drive significantly deeper savings.

Figure 5: Reducing Dependence on MPLS

More Resilience

Note that in this scenario, half of all sites (captured as Site Type 3), which had previously had no backup connectivity at all, now have redundant links! Many small and midsize branches have only a single MPLS link and no backup, or a single Internet VPN link. For such branches, the cost of a second link that is useful only when the first fails is seen as unjustifiable when compared to the cost of downtime. But by fully exploiting a second link as soon as it is available, SD-WAN makes investing in the second link part of a growth and performance strategy at the same time that it provides business continuity. SD-WAN lowers the barriers to investing in redundancy and improves enterprise uptime even further as a result.

And of course, when a branch has multiple active links and intelligence in how they are used, difficulties on any one link have less impact. Branches experience less downtime, about a 90% reduction in Nemertes’ 2016 Cloud and Data Center Benchmark data. This can represent enormous improvements in productivity for branches with poor connectivity currently. Such improvements, which most businesses acknowledge exist even though they have a hard time quantifying them, should be mentioned as ancillary benefits in any SD-WAN business case, even though they are generally not enough to drive approval of a deployment in and of themselves.

Similarly, an SD-WAN business case should mention IT time savings, as well. When link problems don’t have discernible impact on users, the urgency of troubleshooting the issues decreases. Given that most such problems are transitory, IT currently engages in a lot of troubleshooting on WAN issues that eventually just resolve themselves. By making most link issues non-events for the users and the business, as well as by providing intelligence on the exact nature and timing of the problems, SD-WAN can drive as much as 90% reduction in WAN troubleshooting time, according to 2016 Cloud and Data Center Benchmark data.

Easier Branch Activation for Business Agility

SD-WAN powers business agility, by decreasing branch lead time, the length of time it takes to light up a new site on the network. For MPLS networks, IT executives bemoan lengthening lead times, which for many of them have crept up from 30 to 60 to 90 to 120 days. By contrast they can often provision wired Internet service in a week or two; LTE, in a day or two. With business agility on many minds, this is no small improvement.

Aside from masking the complexity of working with multiple links of different types, most SD-WAN solutions also have either low-touch or zero-touch deployment options, reducing the burden on the IT staff of bringing new sites up and mitigating another potential source of delay: contention for scarce staff resources. When long-term connectivity ultimately gets lit up, in whatever mix of media and provider is preferred, whoever is on site can plug it into the SD-WAN without affecting users (no downtime), with minimal IT staff time (and probably all remote) rather than most of a week the old way. Then, whatever was brought in to allow rapid start-up on the site can be kept or not.

IT can’t build the business case for deploying SD-WAN solely on grounds of business agility, usually, but every business case should mention it. And, if there is an explicit corporate strategy built around a nimbler branch strategy, the business may have done the work of quantifying the value of each day shaved off the lead time for lighting up a new branch, and IT should lean heavily on that in building its SD-WAN business case.

Use Case 2: Hybrid Infrastructure and Cloud Optimization

With more than 97% of companies now using SaaS and 75% using IaaS and 45% using PaaS, and nearly half integrating SaaS or IaaS applications with in-house applications, the availability and performance of cloud services has become mission critical for most organizations. As this reliance has grown, so the traditional model of routing all traffic to or from the Internet through a data center has become a steadily poorer fit.

SD-WAN creates new opportunities for the enterprise to easily and securely embrace alternative options: directing traffic straight to the Internet from the branches, or creating and utilizing regional Internet hubs. SD-WAN can allow every location, or each hub location, to pass select traffic to or from sanctioned services directly. In so doing, it can vastly reduce latencies and mitigate variability in performance on those services, as well as offloading traffic from WAN links.

SD-WAN also allows optimized use of links based on their characteristics, and this can be especially helpful for cloud services. Specifically, it can selectively direct real-time communications traffic down lowest-latency/lowest-loss links whenever possible, while shunting more forgiving traffic to lower-quality connectivity. So for example, in a branch with both business and commodity Internet links, the SD-WAN might have policies defined allowing traffic to or from GoToMeeting or WebEx to pass directly between branch and Internet, using the business link as long as it is delivering lower loss and jitter than the commodity link and pushing less demanding traffic more to the commodity link to make room for the conferencing traffic. Again, performance for cloud services improves.

Improving Uptime and Accountability

A nice side benefit of using SD-WAN and direct-to-Internet policies is that it creates a self-healing mesh of access, routing traffic automatically around outages on any one provider at a site, or provider slowdowns, but then restoring expected local link use when it resumes acceptable performance. And, whether it is possible or not (for link or policy reasons) to maintain connectivity to a cloud service with solid performance, SD-WAN tools can tell IT exactly where the problem occurred, what it looked like, and how long it lasted, establishing a clear picture of accountability.

Use Case 3: Better Security and Lower Operating Costs

In order to support secure direct Internet access at branches, an SD-WAN solution must at a minimum implement a stateful firewall and allow tight control via policy of which kinds of Internet traffic are allowed in and out at a branch. Ideally, it will also allow for chaining in on-premises or cloud-based security services, again based on policy and with fine granularity. For example, if a national law firm was looking to pass all its Slack traffic through a DLP appliance, it could do so by creating a policy that defined a multi-star topology for Slack, with the hub of each star being a branch with an appliance, and all other branches automatically directing their relevant traffic to the nearest hub.

SD-WAN should support other security efforts as well, ranging from segmentation of traffic by application to robust encryption of traffic at both a link and virtual-overlay level. Ideally it would also support encryption offload for other systems.

And, by making it easier to manage and maintain the WAN infrastructure, SD-WAN improves security, by making it easier and cheaper both to keep policies in line with current requirements and restrictions, and to keep the gear up to date on security patching. It is a sad fact that many organizations, in an attempt to not disturb their routers, refuse to apply software and firmware patches for weeks or months or years, and try to avoid changing configurations as much as possible. The operating premise is, “Don’t monkey with the buzzsaw while it’s cutting wood!”

With an SD-WAN solution, that changes. Policy changes can be pushed out to hundreds or thousands of sites—and rolled back from them in the event of trouble—with mere minutes of administrator time, from a central console, in a single operation. Contrast that with the staff-weeks involved in doing a similar rollout conventionally, by serially updating each device and site individually and usually forcing the site offline while changes are made.
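
The policies described in Use Cases 2 and 3 (conferencing traffic sent direct to the Internet on the better link, Slack steered through the nearest DLP hub) can be pictured as one central policy compiled into per-branch forwarding decisions. The sketch below is an added example, not code from this paper or from any SD-WAN product. Branch names, link metrics, latencies, the backhaul default for unlisted applications and the fail-closed drop when no DLP hub is reachable are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Link:
    name: str          # "business" or "commodity" Internet link
    up: bool
    loss_pct: float    # measured packet loss
    jitter_ms: float   # measured jitter


@dataclass(frozen=True)
class Branch:
    name: str
    links: tuple
    has_dlp: bool = False   # True if the branch hosts a DLP appliance (star hub)


# Central policy, defined once for the whole WAN (hypothetical app labels).
POLICY = {"webex": "direct", "gotomeeting": "direct", "slack": "chain-dlp"}
REALTIME = {"webex", "gotomeeting"}
DEFAULT_ACTION = "backhaul"   # assumption: unlisted apps go via the data center


def _links(b_loss, b_jit, c_loss, c_jit):
    return (Link("business", True, b_loss, b_jit),
            Link("commodity", True, c_loss, c_jit))


# Constructed sample topology and measurements.
BRANCHES = (
    Branch("nyc", _links(0.1, 2, 0.5, 8), has_dlp=True),
    Branch("chicago", _links(0.1, 3, 0.6, 9), has_dlp=True),
    Branch("boston", _links(2.0, 30, 0.3, 6)),   # business link degraded
    Branch("denver", _links(0.1, 3, 0.4, 9)),
)
SITE = {b.name: b for b in BRANCHES}
LATENCY_MS = {("boston", "chicago"): 25, ("boston", "nyc"): 8,
              ("chicago", "denver"): 22, ("denver", "nyc"): 45}


def take_down(branch):
    """Copy of a branch with every link marked down (simulated outage)."""
    return replace(branch, links=tuple(replace(l, up=False) for l in branch.links))


def pick_link(branch, realtime):
    """Real-time traffic gets the business link while it is no worse on loss
    and jitter than every other live link; forgiving traffic takes a spare."""
    up = [l for l in branch.links if l.up]
    if not up:
        return None
    biz = next((l for l in up if l.name == "business"), None)
    rest = [l for l in up if l is not biz]
    if biz and all(biz.loss_pct <= o.loss_pct and biz.jitter_ms <= o.jitter_ms
                   for o in rest):
        best = biz
    else:
        best = min(rest, key=lambda l: (l.loss_pct, l.jitter_ms))
    if realtime:
        return best
    spare = [l for l in up if l is not best]
    return spare[0] if spare else best


def nearest_dlp_hub(branch, branches):
    """Multi-star topology: each branch homes to its lowest-latency live hub."""
    hubs = [b for b in branches if b.has_dlp and any(l.up for l in b.links)]
    if not hubs:
        return None
    if branch in hubs:
        return branch
    return min(hubs, key=lambda h: LATENCY_MS[tuple(sorted((branch.name, h.name)))])


def decide(app, branch, branches=BRANCHES):
    """Return (action, next_hop, link_name) for one application at one branch."""
    link = pick_link(branch, app in REALTIME)
    if link is None:
        return ("drop", None, None)          # branch has no working link
    action = POLICY.get(app, DEFAULT_ACTION)
    if action == "direct":
        return ("direct", "internet", link.name)
    if action == "chain-dlp":
        hub = nearest_dlp_hub(branch, branches)
        if hub is None:
            return ("drop", None, None)      # fail closed: never bypass DLP
        return ("chain-dlp", hub.name, link.name)
    return ("backhaul", "datacenter", link.name)


if __name__ == "__main__":
    for b in BRANCHES:
        for app in ("webex", "slack", "dropbox"):
            print(f"{b.name:8} {app:8} -> {decide(app, b)}")
```

When reviewing a real deployment, the two outcomes to confirm are the ones the drop branches model here: what happens to inspected traffic when every inspection hub is unreachable, and whether applications missing from the policy get direct Internet access by default.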

Conclusion and Recommendations

SD-WAN combines active use of multiple branch links, intelligent direction of traffic across those links to provide better performance, security, and reliability, and centralized, policy-driven management of the WAN as a whole. It holds the promise of transforming IT’s relationship to the WAN by simplifying management of complex behaviors, promoting resilience and continuity of service, empowering more nimble branch strategies, and radically decreasing the cost of meeting rising bandwidth and performance needs.

As always, IT has to build a compelling business case for making a transition like this, especially where an up-front investment will be required. The base of the case must be cost, and, based on Nemertes’ SD-WAN cost model, savings should be easy to come by. The biggest cost component in the enterprise WAN is the connectivity, and SD-WAN can drive major savings on connectivity in a couple ways: preventing the major cost increases associated with major bandwidth increases, by making all links to a site usable simultaneously; and allowing actual spending reductions by means of substituting less-expensive Internet bandwidth for some or all of an enterprise’s more-expensive MPLS.

Note, though, that connectivity is not the only avenue by which SD-WAN can drive savings. By making redundant live links cheaper to deploy and making failover among links transparent to end users, SD-WAN can reduce both WAN outages and WAN troubleshooting costs by 90%.

IT staff should:
• Assess the amount of backup bandwidth you are paying for now—the links only available as failover connectivity in the event an MPLS link fails.
• Assess your demand curve for WAN and Internet bandwidth: determine how the connectivity profile for typical locations is likely to evolve in the next few years based on existing IT strategies and roadmaps for UC, collaboration, and other application or service rollouts.
• Model the cost of sticking with the current architecture, going out at least three years.
• Evaluate at least two SD-WAN solutions, overlay or service based, and model the cost of switching to them.
• If the SD-WAN numbers show significant potential savings over time, build a business case on them—but don’t leave out any other operational improvements you expect to realize.
• Look for quantification of the business value of agility in starting new branches; business circuits may have built a significant portion of the business case for you.

About Nemertes Research: Nemertes Research is a research-advisory and consulting firm that specializes in analyzing and quantifying the business value of emerging technologies. You can learn more about Nemertes Research at our Web site, www.nemertes.com.