Don’t Fall Victim to the SD-WAN Shell Game

Watch carefully. Three shells before you, one with a ball. I’m going to move them around like so. Select the shell with the ball and you win; select wrong and you lose. Are you ready? Here we go: one, two, and three.

Sometimes selecting an SD-WAN can feel an awful lot like playing a shell game on the street corner, as I recently saw with two of my clients. SD-WAN RFP responses can suck you in with their slick brochures and claims of new features, wrapped up with prices that sure seem awfully competitive. And like a shell game, selecting the right SD-WAN proposal can be, well, tricky to say the least. Proposals that sound great on paper omit key features, which are only activated for a hefty premium.

So before you settle on that SD-WAN because of its great WAN optimization module or its built-in security, ask yourself this: Are you really getting the SD-WAN experience you expect? 


The Channel Impacts Far More Than Service and Support

Now, it’s no surprise that a vendor’s channel partner profoundly impacts the deployment experience of the SD-WAN. I’ve spoken about how one of my customers was about to ditch their Velocloud SD-WAN because of what they thought were the complexities of configuring Velocloud appliances. As I looked into the issue, I found that their problems had very little to do with Velocloud and far more to do with the ignorance of the VAR delivering and servicing the Velocloud platform. A few calls, a change in provider, and, voila! The customer was in love once more with their Velocloud SD-WAN.

But what I’m speaking about here are the actual capabilities of the underlying SD-WAN appliance. All too often, the SD-WAN channel partner will deactivate key features of the SD-WAN platform in their bids. Sometimes it’s because of vendor limitations. At other times, it’s the MSP’s own lack of knowledge. At yet other times, it is to low-ball a bid by quoting a CPE that can’t handle the additional feature.

Catching such channel twists and turns isn’t always easy. It requires being intimately familiar with the nuances of the vendor platform. But for anyone who studies SD-WAN as closely as we do here at SASE Experts, it’s a well-known phenomenon. Over the hundreds of RFPs that I’ve run, invariably there’s at least one proposal in each round containing deactivated features that were never mentioned.

Detecting those “gaps” is important for several reasons. For one, they often reveal the true limitations of the vendor platforms, as seen by the people outside the organization who know them best: the resellers. What’s more, failing to recognize these deactivated features can lead to unfounded assumptions about your SD-WAN solution, which will impact your design.

Never Run Security In An SD-WAN Appliance On A Tight Budget

Case in point is SD-WAN appliances with advanced security. In the past month alone, I’ve had two bids where the carriers offering an SD-WAN platform did not quote the bundled NGFW that the underlying technology advertised. In one case, Vodafone didn’t activate anything more than the stateful firewall in a Juniper Contrail proposal. In another case, Tata Communications didn’t activate the NGFW in a Versa Networks appliance, quoting Zscaler instead.

Wow. I was shocked. In both cases, we wanted an SD-WAN with integrated security to simplify branch deployments and protect against malware spreading east-west within a site. The latter isn’t something that Zscaler helps with, but it is something that the security capabilities of Juniper and Versa would have accomplished.

But including the converged NGFW would have put both carriers in a difficult position. An NGFW requires significant horsepower, which would have required them to quote higher-end, more expensive appliances. What’s more, over time those appliances would likely have to be further upgraded as traffic increased or additional security features were enabled. Rather than trying to make that argument, both carriers chose to avoid the issue, and failed to meet customer requirements in the process.

There are solutions, mind you, to the appliance problem. The compute limitations of branch appliances led Fortinet to develop a custom ASIC, extending the longevity of its branch appliances. SASE MSP Open Systems includes free appliance upgrades as part of its managed service. And finally, another SASE provider, Cato Networks, moves security processing into the cloud, avoiding the problem altogether.

Check The Features Activated In Your SD-WAN Software 

But advanced security processing isn’t the only case where you might not get what you’re looking for in an SD-WAN appliance. Vendors will often only activate certain features depending on the payment tier. It’s an approach that allows them (and their partners) to advertise both low prices and high-end features, even though the two can’t be had together.


Take Cisco Viptela, for example. On a single Cisco Viptela platform, you can get SD-WAN capabilities, scaling beyond 50 sites, URL filtering, and Cisco Umbrella, Cisco’s integrated cloud-delivered security solution. 

Cisco Viptela’s software, Cisco DNA Essentials, will cost you $4,399 (list price) (assuming a 100 Mbits/s license). Pretty good, right? But here’s the thing. If you want more than 50 devices, URL filtering, or any of a dozen other features (see diagram), expect to purchase the DNA Advantage package, not the DNA Essentials package.

The difference between the two packages is very significant. Cisco DNA Advantage is more than twice the list price at $11,999. And to take advantage of Cisco Umbrella you’ll need double the Cisco DNA Essentials cost and go with DNA-Premier (not shown here) at $24,000.

Don’t Fall For The SD-WAN Shell Game

So when you go out to bid for an SD-WAN solution, be sure to bone up on what’s possible and what’s available. Read between the lines of any SD-WAN proposal. Understand which features are advertised and which are actually included. And, of course, if we can help, you know where to find me.
