SD-WAN FAQ from Network Field Day 9

By Steve Woo
Co-Founder and Vice President of Products, VeloCloud
February 23, 2015

VeloCloud recently participated in the Network Field Day 9 to discuss our Cloud-Delivered SD-WAN solution with a group of networking experts. We wish to thank all the delegates for their participation and informative discussions. Many questions were raised and discussed, including those from the blogs of Ethan Banks – “Questions I’m Asking Myself About SD-WAN Solutions”, Lindsay Hill – “NFD9 Prep: SD-WAN”, Peter Welcher – “Network Field Day 9: Wednesday 2/11/2015” and during the NFD9 event. For a description of this event and the full list of delegates, please see In addition to the recordings of the live presentation, demo and engaging discussions, we thought it would be useful to follow up on some common questions.

Network Field Day Q&A

How would I go about deploying an SD-WAN solution? Do I have to rip & replace everything, or can it integrate with existing networks?

A key characteristic of VeloCloud’s SD-WAN architecture is the ability to coexist with the installed network, as well as deploy in phased stages. VeloCloud’s unique cloud network of distributed gateways offered as a service further enables incremental integration into existing networks. For example, datacenters can be connected without installing nor replacing any equipment in the datacenter via secure tunnels from existing routers to the cloud network.

Does it supplement or replace my WAN or Internet edge router?

VeloCloud’s Edge can coexist with or replace the branch edge router. Connectivity to datacenters can solely use an existing router or supplement with an on-premise Edge typically deployed off path.

How does the SD-WAN solution get traffic into the system? Do the SD-WAN endpoints interact with the underlay routing system with BGP or OSPF or are they placed inline?

VeloCloud Edges may be placed inline, for example at small branch sites, to directly receive traffic and forward via various tunnels depending on business policies as well as application performance objectives. Edges may also be deployed off-path, using routing protocols (e.g. OSPF) to interact with the underlay routing system to attract selected traffic.

What about traffic I don’t want to go through the overlay fabric? How do I exempt it?

Traffic can be exempted from the overlay either via LAN routing of only select traffic to a VeloCloud Edge, or by business policy at the Edge exempting select traffic from traversing the overlay tunnels/paths. The Edge supports application category and granular application and sub-application control of traffic.

Does it do load balancing? How about QoS in the form of local policy for priority traffic and bandwidth allocation? And QoS in the form of SLA support and traffic shifting between links?

VeloCloud’s SD-WAN delivers holistic application “quality of experience” with local prioritization and bandwidth allocation as well as steering between links and remediation of link quality issues. Granular application recognition, simple business prioritization policies and continuous monitoring of available link capacity and quality drive VeloCloud’s dynamic multi-path optimization. Application flows can be shifted on a per-packet basis, mid-session, between different links or split across links. This ability, combined with on-demand remediation including error correction and jitter buffering, enables use of broadband Internet as an integral part of an enterprise-grade WAN. Priority or network-sensitive traffic, e.g. VoIP, video conferencing, etc., no longer requires, nor is limited to, private/MPLS circuits to meet SLA objectives.

What are the hardware requirements & price-points? VM options?

VeloCloud offers both hardware and virtual appliances for branch deployments. Hardware appliances are optimized for zero touch deployment and multi-WAN connectivity. For datacenter deployments, in addition to these on-premise hardware and virtual appliances, connectivity is available via secure tunnels from existing third party routers to cloud hosted gateways.

What’s the impact to hosts on virtual machine based endpoints, i.e. how much CPU does an SD-WAN VM eat for solutions that use VMs?

VeloCloud’s portfolio of x86 based appliances cost effectively deliver WAN network service levels from 50Mbps to 1Gbps. Guidelines for VeloCloud’s Virtual Edge appliance deployment draw from these hardware specifications with allowance for virtual machine overhead.

Most SD-WAN models have some form of controller – can I run this in my own DC, or is it always managed by the vendor?

VeloCloud’s Orchestrator is available as a service, or for large enterprises for single tenant, enterprise managed operations.

How much latency does the SD-WAN controller introduce, and under what circumstances?

No latency is introduced. Our SD-WAN design has all forwarding decisions made locally, for all circumstances including blackouts and application performance brownouts, based on local path and performance metrics monitoring. The endpoints that are in the data path add less than 1msec of latency.

When WAN-based SD-WAN tunnel endpoints are inevitably separated from the controller due to a network fault, what happens?

The data plane with all tunnel endpoints will continue full functioning even when separated from the control plane, as a principle of our SD-WAN design. Only policy and configuration updates from our Orchestrator will be temporarily unavailable.

How does the SD-WAN infrastructure track tunnel availability, and how quickly does the controller react when a tunnel is down?

The tunnel endpoints, independently of the controller, track availability of multiple tunnels as well as application performance, and preserve application sessions with sub-second steering around tunnel down or degraded application performance conditions. Monitoring and steering around underlying individual link failures or application performance brownouts is also independent of the controller.

What happens to in-flight traffic when a tunnel dies?

VeloCloud Edges (tunnel endpoints) leverage both multiple links as well as diverse tunnel/paths. In-flight application traffic is steered both on the best link and best available tunnel/path without any flow disruption.

What happens if a cloud gateway fails?

VeloCloud’s network delivers the expected benefits of cloud scaling, redundancy and pay-as-you-go flexibility. Edge endpoints monitor gateway availability, as well as path performance metrics, and immediately switch to alternate gateways independently of the controller.

Double-encryption is often a bad thing for application performance. Can certain traffic flows be exempted from encryption?

Yes. Traffic such as encrypted SaaS application flows is, by smart default, tunneled without being encrypted a second time.

Is the encapsulation type standard or proprietary?

Encryption is standard IPsec with AES128 and optionally AES256 encryption, and supports interoperable IPsec connections to non-VeloCloud VPN devices including Cisco ISR, Cisco ASA, Palo Alto Networks as well as Amazon VPC and others. An additional proprietary header between VeloCloud tunnel endpoints provides the “Dynamic Multi-Path Optimization” for per-packet application steering and on-demand remediation while maintaining application sessions. However, for encrypted traffic this header can be carried entirely within standard IPsec transport.

Assuming unique keys per tunnel? How are these keys managed and by whom?

Yes, each tunnel has a unique session key that is periodically refreshed and negotiated using standard IKEv2 protocol.

Is path symmetry important and maintained when traversing an SD-WAN infrastructure?

Path symmetry is an important design goal achieved with VeloCloud’s SD-WAN design. Path symmetry is maintained throughout the overlay from tunnel entry to exit points. The dynamic multi-path optimization maintains application sessions/flows while uniquely steering per-packet within a single flow based on link performance and load, by buffering and re-sequencing at tunnel endpoints.

Selectively forcing certain flows to traverse firewalls or other security devices is part of the SD-WAN unicorn. How is services chaining achieved?

VeloCloud SD-WAN can insert services via a virtual switch within the on-premise Edges or cloud deployed Gateways. Our business policy framework simplifies tunnel or proxy based forwarding of traffic to cloud based services (e.g. Zscaler) or enterprise regional hub based services.

Just how granularly can I identify applications, considering progressively more applications are encrypted as they traverse the wire?

VeloCloud’s deep application recognition identifies applications and sub-applications via protocol data signatures, pattern matching, session negotiation correlation and certificate identification, even for encrypted application flows without requiring decryption.
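The answer above names certificate identification as one way to recognise encrypted applications without decrypting them, and the earlier answer on double encryption describes skipping the second encryption for known SaaS flows. The added example below (illustrative code, not VeloCloud's implementation) shows the related, simpler technique of reading the Server Name Indication from a TLS ClientHello and feeding it into that policy decision; the signature table, the constructed ClientHello builder and the choice to keep unknown flows encrypted are all assumptions of the example.

```python
import struct
# Constructed SNI-suffix signature table; a real Edge ships its own signature database.
APP_SIGNATURES = {
    "office365.com": ("Office 365", "business_saas"),
    "salesforce.com": ("Salesforce", "business_saas"),
    "zoom.us": ("Zoom", "real_time"),
}

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension (constructed test input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type=host_name, length, name
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"                       # version, fixed random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"          # one cipher suite, null compression
    body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                    # handshake record carrying client_hello
            return None
        pos = 5 + 4 + 2 + 32                                          # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                                        # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]           # cipher_suites
        pos += 1 + record[pos]                                        # compression_methods
        ext_len = struct.unpack_from("!H", record, pos)[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            if etype == 0x0000:                                       # server_name extension
                name_len = struct.unpack_from("!H", record, pos + 7)[0]   # past ext hdr(4), list_len(2), name_type(1)
                return record[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def classify_flow(record: bytes):
    """Map a flow's first TLS record to (application, category, encrypt_again_in_overlay).
    SNI is client-asserted and unauthenticated, so unknown flows stay encrypted in the tunnel."""
    sni = extract_sni(record)
    if sni is None:
        return ("unknown", "unclassified", True)
    for suffix, (app, category) in APP_SIGNATURES.items():
        if sni == suffix or sni.endswith("." + suffix):
            return (app, category, False)                             # known TLS SaaS: skip second encryption
    return ("unknown-tls", "encrypted_other", True)
```

Note that the SNI is sent in the clear only in classic TLS; with TLS 1.3 Encrypted Client Hello it is hidden, which is one reason certificate and behavioural signatures remain useful alongside it.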

How can I extract data – e.g. application performance data?

VeloCloud’s architecture includes REST APIs available for both integration as well as data access.

Do they simplify connections to major cloud providers – e.g. AWS VPC VPN connections?

VeloCloud simplifies connections to major cloud providers via its cloud gateways. Branch moves/adds/changes are automatically connected to the secure cloud VPN overlay that has existing connections to cloud datacenters, eliminating tedious branch by branch configuration of VPN tunnels to cloud datacenters.

How do the pricing models work? Am I paying per device, per month? If I decide I don’t like Vendor <X>, am I stuck?

VeloCloud’s all-inclusive annual subscription service includes the on-premise appliances or software as well as the hosted cloud gateway services and cloud orchestrator, which enables incremental, cost-effective WAN migrations. There is no large, upfront investment that needs to be amortized over tens to thousands of branches over many years.

