

Viptela vs. Cisco: Comparing SD-WAN vendors' platforms

In a software-defined WAN showdown, network pro Will Murrell compares platforms from two top SD-WAN companies -- Cisco's Intelligent WAN and Viptela's Secure Extensible Network.

SDN is changing the face of the networking world, and nowhere is its influence more apparent than in the wide area network. There are quite a few players in the pool of software-defined WAN vendors, but one of them -- startup Viptela -- is making a bigger splash than most. With the largest worldwide deployment of SD-WAN appliances, Viptela is looking to go even bigger. The company recently penned a deal with Verizon to deploy its Secure Extensible Network (SEN) SD-WAN technology on the Verizon network. Compare its accomplishments to Cisco -- the largest networking vendor in the world -- which has been bringing SD-WAN to its devices in the form of Intelligent WAN. IWAN is a suite of products that forms a powerful approach for companies looking to make branch deployments easier. In this Viptela vs. Cisco showdown, let's see how the two SD-WAN vendors' offerings stack up.

Viptela vs. Cisco devices

Viptela: In comparing Viptela vs. Cisco, you'll find Viptela's SEN platform uses three hardware offerings -- the vEdge-100, 1000 and 2000 -- capable of throughputs of 100 Mbps, 1 Gbps and 10 Gbps, respectively. You can also deploy a virtual router, with throughput controlled by a license.

The devices have onboard Trusted Platform Modules that hold each device's identity in hardware, so a vEdge can prove to the controllers that it is the device it claims to be; this adds a security layer the network can rely on before any configuration is handed out. Port options range from Ethernet ports on the vEdge-100 to both Ethernet and SFP ports on the larger vEdges.

While not as feature-extensible as Cisco's offerings, Viptela's vEdge 100 is more than enough for small branch offices that rely on external services located offsite. The larger vEdges can be easily integrated into the data center or larger enterprise offices that already have a more robust services infrastructure deployed.

Cisco: Currently, Cisco IWAN is only compatible with the new Integrated Services Router (ISR) 4000 series at the branch office, with the Aggregation Services Router (ASR) 1000 series acting as the hub.

While the ASR 1000 series has been in service for quite a few years, the ISR 4000 series is new and a massive upgrade from the Integrated Service Routers Generation 2 models. It has a completely redesigned physical architecture, reminiscent of the ASR series, and uses IOS XE instead of the traditional Internetwork Operating System.

Each of the models in the series is capable of various throughput speeds. These are controlled by a software license, which enables an organization to add processor cores as its bandwidth needs increase. Connectivity options range from standard Ethernet ports to SFP ports on some models.

The ISR 4000 series is a very attractive option for branches that want or need to consolidate additional services or devices down into a smaller package. Their architecture enables them to actually run a virtual machine (VM) on the router itself. That means that if you utilized Cisco Wide Area Application Services or a wireless LAN controller onsite, you could actually run an instance on the router as a VM, as opposed to deploying or keeping the stand-alone device. Additional modules allow for additional functionality, as has been the case with prior ISR series routers.

Comparing Viptela vs. Cisco design

Viptela: Viptela's approach aims for a flat network. As in the case of IWAN -- as well as offerings from many other SD-WAN vendors -- the vEdges make use of any WAN connectivity available, private or public.

The vEdge devices incorporate security mechanisms to protect the edge, reducing the need for additional hardware. The platform also includes the vBond orchestrator, which authenticates the vEdge routers and the controllers to one another and brokers their initial connections; configuration and management then come from the controller components described below.

The overlay itself is a Layer 3 virtual private network (VPN), which can be fully meshed between sites or restricted so that only certain sites can reach others. The control plane and data plane are separated: the vEdge routers talk to the controllers using a proprietary protocol carried over a Datagram Transport Layer Security connection, while site-to-site data plane traffic travels over Internet Protocol Security.

The vSmart controller is a VM appliance that provides the security, route and policy management instructions to the vEdge routers. The final component is the vManage VM appliance. It is the centralized component for configuration management and monitoring of the solution. The only purchasable component is the vEdge router; both vSmart and vManage are offered free as part of the platform.

Cisco: Cisco IWAN can make use of any WAN access available, be it private line or public Internet. If utilizing public Internet, the Cisco Validated Design calls for a firewall between the connection and the router. The firewall is not required to bring the design up, and it adds hardware and complexity to the overall design, but it also puts an additional layer of protection in front of the router's Internet-facing interface.

Cisco IWAN creates a Dynamic Multipoint Virtual Private Network (DMVPN) overlay. The branch office ISR 4000s connect back to a central hub, the ASR 1000. Both the control plane and data plane traffic are transported via the overlay. In addition to the standard hub-spoke model, IWAN can create spoke-spoke VPN connections as needed, and tear them down once done.

Figure: Cisco IWAN creates a DMVPN hub-and-spoke overlay.

The system requires the deployment of the Application Policy Infrastructure Controller-Enterprise Module (APIC-EM) controller, which can be deployed on a VM or installed on a physical machine. APIC-EM determines the overall configuration and policies of edge devices; to add additional management features, additional licenses are required. To achieve full network monitoring, reporting and data visualization capabilities, Cisco also recommends the deployment of its LiveAction suite. Overall, the purchase of all components and applicable licenses is required to achieve the full vision of Cisco IWAN.

Deploying Viptela vs. Cisco devices

Viptela: Comparing deployment with Viptela vs. Cisco, the former is truly Zero Touch Provisioning (ZTP) -- the device just needs power and external network access. Once it has them, the vEdge router calls into Viptela's cloud-based ZTP service. Using the device's unique identity, the cloud service determines which customer the device belongs to and returns the address of that customer's vBond orchestrator to the vEdge router. Viptela's cloud service holds no other customer information beyond that address.

From there, the device authenticates to the orchestrator and controllers over a secure connection, downloads any software update it needs, and then pulls its configuration and policy profiles via NETCONF over Secure Shell, bringing it online and meshing it with the rest of the network.
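The onboarding flow in the two paragraphs above, as an added illustration (my own Python model, not Viptela's protocol or code): a device presents a factory-provisioned identity, a directory that knows nothing but ownership and an orchestrator address redirects it, and the orchestrator admits only devices the customer has listed, after mutual authentication. HMAC challenge-response stands in for the TPM-held device certificate and the controller certificate chain; the serials, organization name, addresses and keys are constructed. The redirect step is shown without its own authentication for brevity; in practice the device authenticates the cloud service as well.

```python
"""Constructed model of zero-touch onboarding (added example, not Viptela code).
HMAC over a nonce stands in for certificate-based proof of identity."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


# Vendor side (constructed). Identity keys provisioned at manufacture;
# stand-in for the TPM-protected device cert chained to the vendor root CA.
VENDOR_DEVICE_KEYS = {
    "VE1K-0001": bytes.fromhex("11" * 32),
    "VE1K-0002": bytes.fromhex("22" * 32),
    "VE1K-0003": bytes.fromhex("33" * 32),
}
# Redirect directory: only who owns a serial and where their orchestrator is.
ZTP_DIRECTORY = {
    "VE1K-0001": ("acme", "vbond.acme.example:12346"),
    "VE1K-0002": ("acme", "vbond.acme.example:12346"),
    "VE1K-0003": ("acme", "vbond.acme.example:12346"),
}
# What the device trusts when checking the orchestrator (stand-in for the
# controller certificate chain the router validates).
TRUSTED_ORG_KEYS = {"acme": bytes.fromhex("aa" * 32)}


def ztp_lookup(serial):
    """Cloud redirect step: (org, orchestrator address) or None if unknown."""
    return ZTP_DIRECTORY.get(serial)


def vendor_verify(serial, nonce, org, proof):
    """Stand-in for validating the device identity against the vendor root."""
    key = VENDOR_DEVICE_KEYS.get(serial)
    return key is not None and hmac.compare_digest(
        proof, _mac(key, nonce, serial.encode(), org.encode()))


@dataclass
class Orchestrator:
    org: str
    org_key: bytes        # proves the orchestrator's identity to devices
    authorized: set       # serials the customer uploaded; nothing else joins
    controllers: tuple    # released only after admission
    _pending: set = field(default_factory=set)

    def challenge(self, device_nonce):
        """Answer the device's nonce with our proof and issue our own nonce."""
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce, _mac(self.org_key, device_nonce, self.org.encode())

    def admit(self, serial, nonce, proof):
        if nonce not in self._pending:            # replayed or never issued
            raise PermissionError("stale challenge")
        self._pending.discard(nonce)
        if serial not in self.authorized:         # unlisted or stolen unit
            raise PermissionError(f"{serial} is not on the {self.org} device list")
        if not vendor_verify(serial, nonce, self.org, proof):
            raise PermissionError(f"{serial} failed identity proof")
        return self.controllers


ACME = Orchestrator("acme", TRUSTED_ORG_KEYS["acme"],
                    authorized={"VE1K-0001", "VE1K-0002"},   # 0003 never listed
                    controllers=("vmanage.acme.example:443", "vsmart.acme.example:12346"))
ORCHESTRATORS = {"vbond.acme.example:12346": ACME}


def onboard(serial, device_key):
    """Device-side flow: returns controller addresses or raises PermissionError."""
    hit = ztp_lookup(serial)
    if hit is None:
        raise PermissionError("ZTP: unknown device identity")
    org, addr = hit
    orch = ORCHESTRATORS[addr]
    device_nonce = secrets.token_bytes(16)
    orch_nonce, orch_proof = orch.challenge(device_nonce)
    # Device verifies the orchestrator first, then proves itself over its nonce.
    if not hmac.compare_digest(orch_proof, _mac(TRUSTED_ORG_KEYS[org], device_nonce, org.encode())):
        raise PermissionError("orchestrator failed authentication")
    proof = _mac(device_key, orch_nonce, serial.encode(), org.encode())
    return orch.admit(serial, orch_nonce, proof)


def outcome(serial, device_key):
    """'admitted', or the reason the flow stopped."""
    try:
        onboard(serial, device_key)
        return "admitted"
    except PermissionError as exc:
        return str(exc)
```

The three failure cases worth checking are the ones the article's design implies: a serial the directory has never seen is turned away before learning anything about any customer; a cloned serial without the matching hardware key fails the identity proof even though it is on the customer's list; and a genuine device the customer has not listed is refused by the orchestrator despite a valid vendor identity.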

Cisco: Some SD-WAN vendors -- such as Versa Networks and Cisco-owned Meraki -- boast ZTP capabilities. While Cisco hopes to eventually achieve ZTP for IWAN utilizing the Cisco Cloud, the platform currently relies on a Minimal Touch Deployment model. Deployment of branch routers requires the use of a plug and play configuration file on a USB memory stick to give the router the address of the APIC-EM controller.

Other than this component, the router only needs to be plugged into the network and powered on. Once it receives the address of the controller, it calls in to the controller and registers itself. A check is done on the IOS XE version on the router, and if it needs to be upgraded, the proper version is pushed and the router rebooted.

Once it comes up the second time, or if it didn't need to be upgraded, the controller sends a security certificate to the router. It then establishes a secure connection between the devices and begins the configuration process using a combination of Simple Network Management Protocol and command-line interface commands. The controller then pushes all policies to the router, allowing it to be part of the DMVPN network.

Scalability of Viptela vs. Cisco offerings

Viptela: Viptela's SEN is only constrained by the number of controllers you have on the network. Like the APIC-EM, an individual vSmart controller handles up to 2,000 devices. But since the connection model of the network is determined by the Viptela customer, it is much simpler to add sites to the network without worrying about device sizing requirements.

Cisco: In comparing Viptela vs. Cisco, you'll find that each offering has different scalability limitations for deployments.

Cisco's Intelligent WAN can be scaled to meet deployments of almost any size, with a few caveats. The APIC-EM only supports up to 2,000 devices, so you have to make sure you deploy enough controllers to accommodate the total number of sites in your wide area network.

Additionally -- due to the bandwidth and hardware constraints of the DMVPN hub-and-spoke model -- your hub router and its WAN connection need to be sized for the aggregate traffic of all spokes, which sometimes requires deploying additional hub routers.

Comparing Viptela vs. Cisco security

Viptela: Viptela's Trusted Platform Modules offer an additional layer of security on each individual device, so a vEdge forms tunnels only with peers that carry a valid Viptela identity. On top of that, it uses AES-256 encryption for the IPsec tunnels built across the network. Viptela also uses public key infrastructure (PKI) for control-plane communications and supports re-keying the IPsec tunnel keys across the whole network at the press of a button.

Cisco: Cisco makes use of standard IPsec tunnels to send data back to the hub router, offering a proven and trusted security approach. In addition, the APIC-EM utilizes PKI to secure communications from the server to users and devices.

Viptela vs. Cisco analytics

Viptela: Viptela uses Bidirectional Forwarding Detection and application-aware routing to analyze link performance metrics -- such as jitter, state, delay and packet loss -- and to make routing decisions based on the user's policies. The vManage server provides the overall single-pane-of-glass view, and is used to generate reports and visualize analytics data.

Cisco: Cisco utilizes its proprietary Performance Routing version 3 to make decisions about packet routing. It analyzes application type, performance and path status. Using this information in conjunction with customer-defined policies, it load balances and routes each application over the best-performing path. These decisions are made at the master controller, after the border routers forward their measurements to it.

While you can monitor link status and get basic metrics and visualizations from the APIC-EM, deploying Cisco's LiveAction gives you the best insight into the network and the most options for reporting and visualizations.
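Both platforms make the same kind of decision from probe measurements: reduce a window of probes per tunnel to loss, delay and jitter, test each tunnel against the application's SLA, and steer the application to a preferred path only while that path complies. The following is an added example covering the Viptela and Cisco analytics paragraphs above; it is my own Python model, not Viptela's or Cisco's code, and the SLA thresholds, tunnel names and probe samples are constructed.

```python
"""Added model of application-aware path selection from probe data
(not Viptela's or Cisco's code; SLA classes and probe samples constructed)."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SlaClass:
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


def tunnel_metrics(samples):
    """Reduce one probe window to loss %, mean latency and jitter.

    samples: per-probe round-trip time in ms, or None where the probe
    got no reply within its timeout (counted as loss).
    """
    answered = [s for s in samples if s is not None]
    loss = 100.0 * (len(samples) - len(answered)) / len(samples)
    latency = mean(answered) if answered else float("inf")
    # Jitter as mean variation between consecutive round-trip times.
    jitter = (mean(abs(a - b) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return {"loss": loss, "latency": latency, "jitter": jitter}


def meets_sla(m, sla):
    return (m["loss"] <= sla.max_loss_pct
            and m["latency"] <= sla.max_latency_ms
            and m["jitter"] <= sla.max_jitter_ms)


def select_path(probes, sla, preferred=()):
    """Pick the tunnel for an application class.

    1. Honour the policy's preferred tunnels, in order, if one meets the SLA.
    2. Otherwise take any compliant tunnel, lowest latency first.
    3. If nothing meets the SLA, degrade to the least-bad tunnel (lowest
       loss, then lowest latency) rather than blackholing the traffic.
    """
    metrics = {name: tunnel_metrics(s) for name, s in probes.items()}
    compliant = [n for n, m in metrics.items() if meets_sla(m, sla)]
    for name in preferred:
        if name in compliant:
            return name
    if compliant:
        return min(compliant, key=lambda n: (metrics[n]["latency"], metrics[n]["loss"]))
    return min(metrics, key=lambda n: (metrics[n]["loss"], metrics[n]["latency"]))


# Constructed probe windows: 20 probes per tunnel in ms, None = lost probe.
# The MPLS path is fast but dropping probes; LTE is lossless but jittery.
PROBES = {
    "mpls": [12, 13, 12, None, 14, 12, 13, 12, 13, None,
             12, 13, 12, 14, 12, 13, 12, 13, 12, 13],
    "internet": [44, 46, 45, 47, 44, 45, 46, 44, 45, 47,
                 44, 46, 45, 44, 46, 45, 47, 44, 45, 46],
    "lte": [80, 130, 75, 140, 90, 120, 70, 150, 85, 125,
            78, 135, 82, 128, 74, 145, 88, 118, 76, 132],
}

# Constructed SLA classes; a real deployment tunes these per application.
VOICE = SlaClass("voice", max_loss_pct=2, max_latency_ms=150, max_jitter_ms=30)
BULK = SlaClass("bulk", max_loss_pct=15, max_latency_ms=300, max_jitter_ms=100)

if __name__ == "__main__":
    for name, samples in PROBES.items():
        print(name, tunnel_metrics(samples))
    print("voice ->", select_path(PROBES, VOICE, preferred=("mpls", "internet")))
    print("bulk  ->", select_path(PROBES, BULK, preferred=("mpls", "internet")))
```

With these samples the voice class leaves the preferred MPLS tunnel because 10% probe loss breaches its 2% ceiling and lands on the Internet tunnel, while bulk traffic, whose SLA tolerates the loss, stays on MPLS. The practitioner's caveat is the fallback branch: when no tunnel meets an SLA the policy has to say what happens, and silently dropping is rarely the right answer.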


Viptela vs. Cisco face-off conclusions

So, in the Viptela vs. Cisco faceoff, which SD-WAN offering wins? Ultimately, as when making all such decisions, your organization has to first determine its own particular needs.

If you want full-featured routers that can offer additional modules and functionality, IWAN is an excellent choice. Cisco's routers offer power and performance, and can be used to deploy virtual machines on-site that can declutter the network closet at a branch location. The obvious downside: There is a lot more cost in regards to equipment, licensing and software.

Viptela's SEN, while not as feature-rich as Cisco IWAN, offers proven and easily deployable functionality at the branch at a lower cost and with less complexity. Gap Inc. reportedly made the decision to switch from Cisco IWAN to Viptela, based solely on how difficult it was to get IWAN up and running. Both options provide for a robust hybrid network model, each with its own strengths and drawbacks.


This was last published in March 2016
