Tuesday, December 17, 2019

SD-WAN Opinions please. Cloudgenix vs VeloCloud

Hi All,

Yet another SD-WAN bake-off post. We are in the process of evaluating the final two SD-WAN vendors, Cloudgenix and VeloCloud. Yes, we considered and looked at other vendors, but at the end of the day, this is the either-or decision.

Our problem to solve / what SD-WAN does for us: simplify the network (remove DMVPN and other complex routing rules), replace aging Cisco equipment (hardware refresh), cost ($$ MPLS -> internet), breakout for SaaS (currently backhauled to the datacenters), and hopefully a better end-user experience, or at least no change (user experience is generally good).

Current environment is ~13 branch sites and 2 DCs. Palo Alto in the DCs, MPLS to the sites, backhauling internet to the DCs. Most sites have either MPLS or, in some cases, internet, and we run DMVPN over the entire network (MPLS + internet sites). There is also some funky routing for the DC subnets (NSX cross-vCenter, which is another story...). We do NOT have PANs at most sites, as we backhaul.

We have a current POC of both solutions, and from a pure SD-WAN nuts-and-bolts standpoint both work fine: able to aggregate traffic across multiple links, hold a VoIP call while dropping links, etc.
Cloudgenix, I think, does a better job with L7 monitoring and has an overall better/simpler UI. Velo is a little light on details in its UI, but is more feature-rich for networking, and I like that it supports OSPF (no need to buy a BGP license for the datacenter).

Of our branch sites, some are international, including Argentina, Saudi Arabia, and Dubai. Dubai specifically has issues in that IKE traffic is sometimes filtered on the internet connection, causing basic IPsec to fail to establish. Both Velo and Cloudgenix use non-standard tunnel formation, so this shouldn't be an issue for either.
I like the idea of the Velo cloud POPs for the international sites, although I don't have any real-world experience with either solution in those countries.

The cost for both solutions is close enough to not be a deciding factor.

Regarding the security posture of the two solutions, we are looking at these options:

Velo: only looking at the 520v and 840v devices, which allow hosting a VM-50 or VM-100 Palo Alto firewall on the box. This means all branch traffic will hit the VM-Series PAN first, then the Velo engine, before hitting the internet / cloud POP, etc. We have Panorama already, so this would be an easy add-in for administration, and it gives full visibility of traffic flows to Panorama / Cortex XDR / SIEM-SOC. Overall a nice solution. Caveats are the bandwidth throughput limitations of the VM-Series, although not really an issue for smaller sites. It also doesn't support HA (one larger site would be an HA pair), and overall it adds some complexity to the solution.

Cloudgenix: would pair with Palo Alto Prisma; very neat and tidy API tie-in from Cloudgenix. Traffic would flow first to the Cloudgenix appliance, and SD-WAN policy would push generic internet to Prisma for egress. Can also potentially utilize Prisma for backhaul between sites (it can act like a Velo cloud POP). The +/- from a security perspective: if you choose to let any traffic go direct to the internet (not via Prisma), PAN never sees those traffic flows, and you potentially have a lesser security posture. But if you send ALL traffic to Prisma, you lose some of the benefits of the SD-WAN, as it's basically just forwarding all traffic to the cloud POP anyway. And Prisma is generally more expensive than the VM-Series firewalls on Velo.

Note: I am aware Palo Alto has an SD-WAN subscription. We did look at it. It uses standard IKE/IPsec protocols to create its tunnels, which would get broken in Dubai.

So to all the other folks out there, please share your thoughts.

Which way would you go?
Is anyone out there running either solution in Dubai? What has your experience been like?
Support experiences in North America vs. international?
If you have deployed either solution, what has your experience been like, positive and negative?

Thanks!
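An added check for the Dubai IKE-filtering point raised in the post (example code written for this page, not from the original post or from either vendor): a small Python probe that sends a minimal, well-formed IKEv2 IKE_SA_INIT toward a responder you already know answers IKE (for example the DC firewall, which you can also reach over the MPLS side as a control), first on UDP/500 and then on UDP/4500 with the NAT-T non-ESP marker, and reports whether the request was answered, rejected with an ICMP error, or silently dropped. Run it from the branch's internet link before committing to a product that relies on standard IKE. The responder address, the single AES-256/SHA-256/DH-14 proposal and the sample response bytes in the self-check are assumptions; the DH public value is random filler because the exchange is deliberately never completed.

```python
"""Probe whether IKEv2 (UDP/500) and NAT-T (UDP/4500) reach a known responder.

Added example for this page; not vendor code. The responder is assumed to be a
host you control that is known to answer IKE_SA_INIT (e.g. the DC firewall).
"""
import os
import socket
import struct
from dataclasses import dataclass

IKE_SA_INIT = 34          # exchange type
IKEV2_VERSION = 0x20      # major 2, minor 0
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE = 0, 33, 34, 40


def _payload(next_payload, body):
    """Generic IKEv2 payload header: next payload, critical/reserved, total length."""
    return struct.pack(">BBH", next_payload, 0, 4 + len(body)) + body


def _transform(more, ttype, tid, attr=b""):
    """One transform substructure; 'more' sets the last/more flag (3 = more, 0 = last)."""
    body = struct.pack(">BBH", ttype, 0, tid) + attr
    return struct.pack(">BBH", 3 if more else 0, 0, 4 + len(body)) + body


def build_sa_payload(next_payload):
    """SA payload with a single proposal: AES-CBC-256, PRF/AUTH HMAC-SHA256, DH group 14.

    The proposal set is an assumption; widen it if the responder is known to use others.
    """
    keylen = struct.pack(">HH", 0x800E, 256)   # TV attribute 14 (key length) = 256
    transforms = (
        _transform(True, 1, 12, keylen)   # ENCR_AES_CBC with 256-bit key
        + _transform(True, 2, 5)          # PRF_HMAC_SHA2_256
        + _transform(True, 3, 12)         # AUTH_HMAC_SHA2_256_128
        + _transform(False, 4, 14)        # DH group 14 (2048-bit MODP)
    )
    # proposal: last(0), reserved, length, proposal #1, protocol IKE(1), SPI size 0, 4 transforms
    proposal = struct.pack(">BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    return _payload(next_payload, proposal)


def build_ike_sa_init(spi_i, ke_data, nonce):
    """Full IKE_SA_INIT request: header + SA + KE(group 14) + Ni.

    ke_data is never used to finish the exchange, so random filler is acceptable here.
    """
    body = (
        build_sa_payload(PAYLOAD_KE)
        + _payload(PAYLOAD_NONCE, struct.pack(">HH", 14, 0) + ke_data)
        + _payload(PAYLOAD_NONE, nonce)
    )
    header = struct.pack(">8s8sBBBBII", spi_i, b"\x00" * 8, PAYLOAD_SA,
                         IKEV2_VERSION, IKE_SA_INIT, FLAG_INITIATOR, 0, 28 + len(body))
    return header + body


@dataclass
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    next_payload: int
    version: int
    exchange: int
    flags: int
    message_id: int
    length: int


def parse_ike_header(data):
    """Decode the fixed 28-byte IKEv2 header; raises ValueError on short input."""
    if len(data) < 28:
        raise ValueError("short IKE header")
    return IkeHeader(*struct.unpack(">8s8sBBBBII", data[:28]))


def is_sa_init_response(data, spi_i):
    """True if data is an IKE_SA_INIT response that echoes our initiator SPI."""
    try:
        h = parse_ike_header(data)
    except ValueError:
        return False
    return bool(h.spi_i == spi_i and h.exchange == IKE_SA_INIT
                and h.flags & FLAG_RESPONSE and h.version == IKEV2_VERSION)


def probe(responder, port, timeout=3.0):
    """Return 'answered', 'unreachable', 'silent' or 'unexpected' for one UDP port."""
    spi_i = os.urandom(8)
    msg = build_ike_sa_init(spi_i, os.urandom(256), os.urandom(32))
    if port == 4500:
        msg = b"\x00\x00\x00\x00" + msg     # NAT-T: non-ESP marker precedes the IKE header
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (responder, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "silent"                 # filtered upstream, or nothing listening
        except OSError:
            return "unreachable"            # ICMP port/admin unreachable delivered to the socket
    if port == 4500:
        data = data[4:]
    return "answered" if is_sa_init_response(data, spi_i) else "unexpected"


if __name__ == "__main__":
    import sys
    target = sys.argv[1]   # assumed: IP of a responder known to answer IKE, e.g. the DC firewall
    for p in (500, 4500):
        print(f"udp/{p}: {probe(target, p)}")
```

A "silent" result on the internet link for a responder that is "answered" over MPLS from the same site is the signature of the filtering described in the post; "unreachable" points at an ICMP-announcing filter or a closed port rather than a silent drop. Because the DH value is filler, the responder's reply is discarded and no SA is ever created.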
