The upsides and downsides enterprises should expect when Cisco is running SD-WAN on your routers.

Cisco’s announcement earlier this month that it will add the Viptela SD-WAN technology to the IOS XE software running the ISR/ASR routers will be a mixed blessing for enterprises. On the one hand, it brings SD-WAN migration closer to Cisco customers. On the other hand, two preliminary indicators — one-on-one conversations and Cisco’s refusal to participate in an SD-WAN test — suggest enterprises should expect reduced throughput if they enable the SD-WAN capabilities on their routers.

Cisco’s easy migration to SD-WAN

By including the SD-WAN code with IOS XE, Cisco will provide a migration path for the more than one million ISR/ASR edge routers in the field. There’s been a lot of conversation as to whether or not SD-WAN is going to kill the router performance. Delivering SD-WAN code on the ISRs is Cisco’s answer: routers are here to stay but they’ll morph into SD-WAN appliances.

With Cisco IOS XE, companies have an “instant upgrade path” to SD-WAN, notes Anand Oswal, senior vice president of network engineering, in a blog post. Moving SD-WAN onto the routing platform appliance will provide users with a “…secure virtual IP fabric by combining routing, segmentation, security, policy, and orchestration. It eliminates backhauling from branches to headquarters to access SaaS applications, improving application performance and experience for a distributed and mobile workforce.”

Cisco will also be including support for vManage, Viptela’s dashboard for deploying SD-WAN resources, reports Network World’s Michael Cooney. Earlier this year Cisco added Viptela’s vAnalytics technology to its SD-WAN software to help enterprises identify the stress points and necessary policy or bandwidth changes that might be needed across an SD-WAN.

More is not necessarily better

The Cisco move reflects the shift towards appliance consolidation.
Once a standalone appliance, SD-WAN has increasingly become part of a much larger network appliance offering. Security vendors, like Fortinet, have added SD-WAN capabilities to their firewalls. The traditional WAN optimization vendors, such as Riverbed and Silver Peak, have done the same with their solutions. Of course, VeloCloud’s acquisition by VMware has given us a very different kind of integration, one merging SD-WAN with the hypervisor environment.

All of which has been well received by many of the enterprises I advise. Appliance consolidation enables a leaner footprint in the branch, making new offices easier to spin up. There are fewer boxes to configure, install and maintain.

The problem with appliances

What’s less clear is how the new SD-WAN-imbued routers will hold up in the field. If the history of appliances has taught us anything, it’s that more is not necessarily better. Too many features and finite horsepower make for products that might look good on the features table but in the long term are deficient in the field.

Case in point are Unified Threat Management (UTM) appliances. All too many enterprises have seen how, when traffic loads increase or more features are enabled, the security appliances ultimately run short on processing power. IT is invariably faced with disabling some functions on some of the traffic or, more likely, being pushed into an upgrade. And even when they add all of these functions into a single hardware platform, enterprises are still left with the upgrade, patching, sizing, and management of each software function — a significant operational cost.

What I worry about is this: Are we heading down the same road by loading SD-WAN code onto our ISRs/ASRs? Remember the ISRs/ASRs are far more than just routing platforms. Over the years, Cisco has added switching, optimization, security, VoIP (namely CallManager Express) and more. With so many functions on one platform it’s inevitable that you’ll need to upgrade the hardware.
Adding SD-WAN to the mix will only increase that load, ultimately undermining the performance of their routers. (If we can still call them that given all of their functions.)

ISR/ASR: a cause for concern?

Up until earlier this week, this had been a theoretical conversation, but then in the course of running a proof of concept (POC) for one of my clients, we considered the Viptela solution. We didn’t progress to the evaluation phase for reasons unrelated to the specific technology, but it did open a conversation with one of the Cisco engineers who I’ve worked with over the years. I aired my scalability concerns about running the Viptela code on the customer’s ISRs. He confirmed my suspicions, telling me that customers should not expect their ISRs to reach the aggregate throughput specified by Cisco.

One engineer’s answer isn’t definitive, of course. I wanted to see the device under test. NSS Labs did recently try to test Cisco as part of its evaluation of SD-WAN appliances but Cisco reportedly refused to activate the Viptela software-defined WAN product NSS Labs had purchased for testing. “Cisco did not provide a reason for refusing to activate the product NSS Labs had purchased for between $30,000 and $40,000,” Antone Gonsalves quoted NSS Labs CEO Vikram Phatak as saying. Perhaps, Cisco too was concerned about us seeing the scaling impact on the router publicly published.

One platform but still plenty of operational costs

Cisco’s always been in the upgrades and maintenance business. Yes, it’s sold the routers, switches and the rest of the hardware boxes that have made networking possible for so many businesses. But the appliances themselves were often heavily discounted, knowing that customers would end up paying far more in upgrades, SmartNet maintenance renewals and service contracts. This announcement is really no different.
Organizations should expect that by deploying SD-WAN on already taxed routers they’ll be looking at upgrades, at the very least within the ISR/ASR family. They should also expect to still go through the operational cost of deploying and maintaining an SD-WAN even with a consolidated platform. How much that performance hit will deter enterprises with ISR/ASR from adopting Cisco’s approach to SD-WAN remains to be seen.