Saturday, December 14, 2019

Why do I "need" SD-WAN?

Hello, everyone!

I am looking to get some feedback from those of you who have gone down the path of SD-WAN and get your opinions on whether it makes sense for my current environment. I don't think my company is in need of SD-WAN, but I have been tasked with working with vendors to select a service. My boss seems pretty sold that we should go down this road. I don't. I want to make sure I am not missing something. Let me lay it out for you.

Current Environment:

- There are 2 of us responsible for building and maintaining the current infrastructure

- I have over 100 locations that all need to connect to Azure

- Current connectivity to Azure is an IPsec tunnel to a VM firewall in Azure w/ split tunnel

- I would say that less than 2% of our combined time involves troubleshooting the VPNs

- Cradlepoint routers are the edge devices at the remote locations

- We have a DIA and LTE connectivity for each site with LTE acting as failover only

- Failover times are in the 2-packet-loss range and less than 10 seconds in total to bring LTE and the VPN up

SD-WAN "Requirements":

- Improved WAN Management

- Automated or Reduced time building/maintaining tunnels

- Metrics overview

- Decreased costs over current solution

- Automated PCI compliance

- Increased uptime for POS (Currently at 99.99% or better for things in my control)

So far we have looked at SD-WAN solutions with 3 different ISPs and Fortinet. Two of the ISP packaged solutions use Velocloud and the third uses Nuage. I brought Fortinet in as I believe it will allow me to retain the most control over my networks and is already a system I am fairly familiar with. From all of the calls/meetings we have had with the ISP solutions, I honestly feel like I am handing everything over to a third party and will lose most of the control I have over my systems. Based on what I have seen, if I need to make changes or troubleshoot issues, I will have to call in, hope and pray I get a competent tech, and go from there. There are only two things I have seen from these solutions that we could benefit from having: a metrics/reporting dashboard and packet persistence. The thing with those, though, is that for the metrics I am sacrificing overall control. And packet persistence requires the ability to duplicate the packets and send them through both WAN interfaces at the remote site. This is just simply not cost effective for us on a pay-per-GB data plan! I also feel like the solutions presented by these ISPs are very new to them and that this is all being built on the fly to capitalize on the latest buzzword.

Another reason I am not too keen on these ISP bundled solutions is that we previously tried an MPLS solution with NBS. It. Was. Awful! I can't tell you how many hours I spent on the phone trying to diagnose why certain traffic was failing at the NBS address, being told by the provider "nothing is wrong", then magically everything works again with a closed ticket saying "came clear while testing". This would happen at least once a month and sometimes even more frequently. With that, I would rather be handed a DIA circuit and be the one responsible for the routing/firewalling from there.

The Fortinet solution is great as far as I can tell and allows me to have my cake and eat it too, for the most part. The only issue I have here is that I still need LTE failover capability, meaning I will still need a Cradlepoint or other LTE modem device, thus essentially doubling my cost per location on hardware/licensing.

Am I missing something?
