Tuesday, October 16, 2018

SD WAN too expensive + still local Branch Firewalls required?

Short facts:

  • 150 Locations in 36 Countries
  • 3 HUBS & Datacenters
  • 8000 Employees

Currently we are planning to switch our low-bandwidth sites (2 to 20 Mbit) from MPLS (NTT, Level 3 etc.) to SD WAN: mainly appliance-based HA clusters on each site with two broadband connections or, depending on the location, one broadband and one 4G connection (active/active), plus local internet breakout and application detection if possible.

There is a proof of concept running with VeloCloud / Cato Networks, and we are comparing it with on-premise / self-configured NetScalers, aka Citrix SD-WAN (successor to CloudBridge).

I have been very open-minded and optimistic towards the project start; the technical part will be my job and I will be part of the decision after the proofs of concept. But after we got our first offers I have to say: wtf, that's expensive!

Maybe it's because I am still used to European public sector & science network prices from my last employer, which are quite affordable for companies even if you need something like 10 Gbit/s bandwidth over WAN (~5k/month?).

Now we have got our first offers for managed SD WAN connections + Zscaler or Cato NGFW / URL filtering / faster peering to AWS / MS / Google (so traffic goes through grey tunnels to their datacenter, with local breakout for internet surfing etc.).
And it's more expensive than I thought, sometimes even more expensive than a hosted 10-30 Mbit managed MPLS, at least in Europe. Even if we take bandwidth as low as 25 or 30 Mbit per site (which isn't much if you take into account that you don't have guaranteed bandwidth on your last mile (only best effort) after switching away from MPLS contracts).

Just one example: we took about 70 sites around the world for sample prices and would have to pay about 500k in total recurring costs, even though we took mostly 20-30 Mbit connections, with about ten 100 Mbit connections at bigger locations. That's almost as much as we pay for managed MPLS (with some discount for the number of connections).

Coming from a company where we used to connect every small branch with 1 Gbit/s and the big locations with 2x 10 Gbit, that's not fast at all. If people are going to be allowed to use Office 365 / OneDrive or other clouds like AWS / Google etc., 20-30 Mbit isn't really fast, even less so if it is best effort.

But if you chose 100 Mbit+ per remote site (5-50+ people per site, with some 500+ people sites) the price would skyrocket to 7 figures, which is quite a lot for a recurring payment, even if we are a big company.

There is one additional downside: Europe is kind of cloud-sceptical, so 98% of our applications are on-premise / self-hosted, and we still have quite big data centers of our own which still have plenty of redundant free space (without own peering though). So most of our stuff is self-hosted and most traffic will still go to our hubs / data centers, even if we buy managed SD WAN with fast peerings into the cloud world. So I am not even sure if we will feel the advantage compared with simple self-made VPN tunnels, maybe together with local internet breakouts for traffic-intensive non-secure applications / web surfing over local firewalls.

Another downside is: SD WAN appliances still have very limited firewall functionality, so we will still have to replace the old Cisco ASA 5505s for internal network separation (between production and office, for example). We kind of hoped to avoid Cisco's Firepower mess / keep the old ASA 5505s for now until full EOL 2020/21 and do the network separation with the SD WAN appliances after we migrated from MPLS to SD WAN (a 2-3 year project, due to the high number of locations and contract terms with existing MPLS providers). But we are not impressed by the configuration depth of the SD WAN appliances. Basically we will still need to replace our old ASAs with newer ASA + Firepower models or other vendors.

There are other firewall vendors which offer "SD WAN" functionality within their firewall devices (Fortinet/FortiGate?), but you have to put in quite some effort to separate marketing from real technical possibilities. It's no SD WAN device for me if it has no active/active WAN connections and relies on simple ICMP for measuring the connection quality or uses simple round robin to split the packets across the WAN interfaces. It should at least measure jitter / latencies and copy the voice packets onto both WAN connections for good quality and faster failover on bad / congested or disrupted connections (especially on 4G / LTE secondary WAN connections).
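Added example (not the post's nor any vendor's code): a Python sketch of the path-selection logic the paragraph describes. It scores each WAN link from probe samples on latency, jitter and loss instead of bare ICMP reachability, duplicates voice packets onto the two best healthy links, and fails over when a link degrades even while it still answers pings. Path names, class thresholds, score weights and probe values are all constructed.

```python
"""Quality-based WAN path selection (added example, not vendor code).

Measures latency, jitter and loss per WAN link from a window of probe
samples, picks paths per traffic class, duplicates voice onto two healthy
links, and fails over on a degraded link even when it still answers a ping.
All paths, thresholds and probe samples below are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class WanPath:
    name: str
    rtts_ms: List[Optional[float]]  # probe RTT in ms; None = probe lost


@dataclass
class Decision:
    paths: List[str]  # link(s) chosen for the flow
    degraded: bool    # True when no link met the class policy


# Hypothetical per-class policy (constructed values)
CLASS_POLICY: Dict[str, dict] = {
    "voice": {"max_latency_ms": 150, "max_jitter_ms": 30,
              "max_loss": 0.01, "duplicate": True},
    "bulk": {"max_latency_ms": 500, "max_jitter_ms": 100,
             "max_loss": 0.05, "duplicate": False},
}


def summarize(path: WanPath) -> Dict[str, float]:
    """Derive latency, jitter and loss from the probe window."""
    received = [r for r in path.rtts_ms if r is not None]
    loss = 1.0 - len(received) / len(path.rtts_ms) if path.rtts_ms else 1.0
    latency = mean(received) if received else float("inf")
    # jitter as mean absolute difference between consecutive RTTs
    diffs = [abs(a - b) for a, b in zip(received, received[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return {"latency_ms": latency, "jitter_ms": jitter, "loss": loss}


def reachable(path: WanPath) -> bool:
    """What a ping-only health check sees: 'up' if any probe answered."""
    return any(r is not None for r in path.rtts_ms)


def score(stats: Dict[str, float]) -> float:
    """Lower is better; loss is weighted heavily (constructed weights)."""
    return stats["latency_ms"] + 2 * stats["jitter_ms"] + 1000 * stats["loss"]


def meets_policy(stats: Dict[str, float], policy: dict) -> bool:
    return (stats["latency_ms"] <= policy["max_latency_ms"]
            and stats["jitter_ms"] <= policy["max_jitter_ms"]
            and stats["loss"] <= policy["max_loss"])


def select_paths(paths: List[WanPath], traffic_class: str) -> Decision:
    """Rank links by score, keep those meeting the class policy, decide."""
    if not paths:
        raise ValueError("no WAN paths configured")
    policy = CLASS_POLICY[traffic_class]
    ranked = sorted(paths, key=lambda p: score(summarize(p)))
    usable = [p for p in ranked if meets_policy(summarize(p), policy)]
    if not usable:
        # Nothing meets policy: keep traffic flowing on the least-bad link
        return Decision([ranked[0].name], degraded=True)
    if policy["duplicate"] and len(usable) >= 2:
        # Voice: send every packet over the two best healthy links
        return Decision([p.name for p in usable[:2]], degraded=False)
    return Decision([usable[0].name], degraded=False)


# Constructed probe windows (10 probes each)
BROADBAND = WanPath("broadband", [19, 21, 20, 20, 22, 19, 20, 21, 20, 20])
DSL = WanPath("dsl", [30, 32, 31, 33, 30, 31, 32, 31, 30, 32])
LTE = WanPath("lte", [45, 90, 60, None, 130, 55, 110, None, 70, 95])
# Still answers some pings, but unusable for voice
BROADBAND_FLAPPING = WanPath(
    "broadband", [20, None, None, 400, None, 20, None, 350, None, None])

if __name__ == "__main__":
    cases = [("voice", [BROADBAND, DSL]), ("voice", [BROADBAND, LTE]),
             ("voice", [BROADBAND_FLAPPING, DSL]), ("bulk", [BROADBAND, LTE])]
    for cls, links in cases:
        d = select_paths(links, cls)
        print(cls, [l.name for l in links], "->", d.paths,
              "(degraded)" if d.degraded else "")
```

The flapping broadband case is the point of the example: a reachability-only check still reports the link up because some probes answer, while the quality score moves voice to the DSL link immediately. Shortening the probe window trades faster failover against more flapping on a noisy LTE link.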

Maybe NetScaler is our answer; at least quite a bit of network separation is possible there. And we already have plenty of Citrix users and two machines within the company. They don't offer cheap HA devices for little branch sites with 10-50 Mbit though (did I miss it?); only the expensive 19" devices support HA clustering, which are overkill for a 10-people site.
Maybe it would work with single 210 SD-WAN devices with 2x WAN / LTE if we manage to get an SLA on fast replacement though (like 4 hours or at most next business day), but that won't be easy around the globe :) It kind of sucks to have a single point of failure on your WAN device if you roll out SD WAN... so far some locations only have 1 MPLS router too, but it's the MPLS provider's problem if the device goes down, not ours, so far.

Any experience with on-premise SD WAN or with quite big VeloCloud + Zscaler installations here?
Do you pay comparable prices or is it cheaper in America?


