This article is written to help senior IT management understand the high-level differences between a DMVPN-based network and an SD-WAN-based network.
DMVPN was the buzzword in data networking a few years ago; SD-WAN is the buzzword today. Many enterprises with a DMVPN-based network have started to evaluate whether they should replace it with SD-WAN.
DMVPN is a technology used by network devices to create secure, encrypted connections over the internet (also known as an overlay) between enterprise sites, using both persistent (site-to-hub) and dynamic (site-to-site) tunnels.
When Cisco launched DMVPN in 2002, it offered significant network benefits, such as the ability for two remote sites to create a dynamic direct tunnel between them without having to create a full mesh of N*(N-1) persistent tunnels between all sites.
DMVPN is still used in many networks. It requires the network administrator to understand and configure IPsec and a dynamic routing protocol such as EIGRP. Creating and managing this configuration can be challenging for a junior network administrator, especially if the recommended PKI certificate-based authentication is used. For this reason, a lot of DMVPN deployments use the simpler but less secure pre-shared-key-based authentication.
In summary, DMVPN enables a secure, on-demand, direct network communication path for enterprise site-to-site traffic while reducing configuration complexity compared to building a network of persistent, fully meshed tunnels. This was very important at the time because many enterprises were looking for a cheaper alternative to MPLS while retaining its inherent fully meshed benefits, and DMVPN offered that alternative using cheaper internet circuits. However, to put things in today's perspective, DMVPN configuration is significantly more complex than an SD-WAN solution.
Despite its benefits, DMVPN could not easily meet the enterprise requirement for a lower-latency, high-performance network path for real-time, latency-sensitive business applications such as VoIP. This made DMVPN less attractive for enterprises running these applications. Many of these enterprises continue to use MPLS even today, mostly for this reason; they either don't use DMVPN at all or use it only as a backup network to MPLS.
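To make the configuration burden described above concrete, the following is an added example of a minimal Cisco IOS DMVPN spoke configuration; it is not from the original article or from Cisco documentation. It shows the three pieces the text names (IPsec, the multipoint GRE tunnel with NHRP for dynamic spoke-to-spoke tunnels, and EIGRP) together with the certificate-based IKE authentication the article recommends, and the pre-shared-key variant commented out for comparison. All addresses, trustpoint, key and interface names are assumed placeholder values.

```text
! Added example, not from the article: minimal DMVPN (Phase 3) spoke on Cisco IOS.
! Every address, name and key below is an assumed placeholder.
!
! 1. Identity: enrol the router with the enterprise CA so IKE can use certificates.
crypto pki trustpoint ENTERPRISE-CA
 enrollment url http://ca.example.internal:80
 subject-name CN=spoke1.example.internal
 revocation-check crl
 rsakeypair SPOKE1-KEY
!
! 2. IKE (ISAKMP) policy: certificate-based authentication, the option the article recommends.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Pre-shared-key alternative (simpler, weaker): replace "authentication rsa-sig"
! with "authentication pre-share" and add a wildcard key line such as the one below.
! A wildcard key means one secret is shared by every peer in the overlay.
! crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
! 3. IPsec: transport mode is enough because GRE already carries the inner packet.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! 4. The overlay: one multipoint GRE tunnel, NHRP to find other spokes, IPsec on top.
interface Tunnel0
 description DMVPN overlay (mGRE over IPsec)
 ip address 10.255.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY1
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! 5. Routing over the overlay so the hub learns this site's LAN.
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.11.0 0.0.0.255
 passive-interface GigabitEthernet0/0
```

The persistent spoke-to-hub tunnel is the static NHRP mapping to the hub; the dynamic spoke-to-spoke tunnels are what `ip nhrp shortcut` enables once the hub (which additionally needs `ip nhrp map multicast dynamic`, `ip nhrp redirect` and `no ip split-horizon eigrp 100` on its tunnel) redirects traffic. Every site must carry a consistent copy of the crypto, NHRP and routing sections, and the certificate path adds the CA enrolment and revocation-check lifecycle on top of that, which is the operational cost that pushes many deployments toward the single shared pre-shared key. Newer IOS releases also support IKEv2 profiles in the same role.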
Sample DMVPN Topology:
image source: cisco.com
SD-WAN is much more than a technology that offers secure network connectivity. In 2014, SD-WAN started to gain momentum because it offered simplified network configuration, enabled one-click secure VPN, and optimized private and cloud traffic flows and network performance, all while using one or more cost-effective internet-based connections.
In simple words, SD-WAN seamlessly packaged many network functions and performance benefits in a single solution while offering a cost-effective alternative to MPLS. There are multiple SD-WAN solutions available today, and the key difference between them is how well they package and seamlessly integrate these multiple network functions and features into a single solution.
Driven by its focus on maximizing network performance, SD-WAN has become a viable alternative for many enterprises, including those running business-critical real-time applications. This is something DMVPN could not solve without additional feature licenses and significant network configuration complexity.
SD-WAN offers most of the benefits of DMVPN plus many more in a single package. However, it is important to note that only a few SD-WAN vendors support dynamic tunnels for remote site-to-site communication. The majority of SD-WAN vendors support easy-to-configure but persistent (not dynamic) fully meshed tunnels. This is fine from a traffic flow perspective, but it can have an impact on hardware scalability in a large deployment.
Sample SD-WAN Topology:
image source: velocloud.com
DMVPN or SD-WAN?
Specifically, as a senior IT manager of an enterprise using DMVPN, you should consider evaluating SD-WAN if any of the following applies:
- The hardware running DMVPN is end of support or end of life
- You are still using MPLS as the primary path and have done only a limited deployment of DMVPN (e.g. as a backup) because you did not feel comfortable putting business-critical traffic on DMVPN
- You are using DMVPN for business critical traffic but are experiencing poor and inconsistent network performance
- Your network configuration is complex, making it difficult and time consuming to implement any network changes or add new sites
- Your network is unstable or you are not comfortable with making any network changes because of the configuration complexity
- You are experiencing challenges in scaling up network bandwidth quickly because adding a second network circuit to a site requires complex network configuration changes
- Making any traffic flow changes such as sending some specific cloud traffic via a different network path is proving to be challenging
- You have very limited or no visibility into how your network and DMVPN tunnels are performing
- Your network takes a few minutes to recover automatically after a recoverable failure (brown-out) condition, which impacts business operations because real-time applications such as VoIP experience an outage
- You don't have a senior network engineer resource to manage and make complex changes to the existing network configuration
For enterprise clients that don't have any of the above triggers or challenges, their existing DMVPN deployment should be sufficient for their business requirements.
#SDWAN #DMVPN #NETWORK #MPLS #WAN