Comparing the SD-WAN Licensing Needs of Major Vendors
With more enterprises adopting SD-WAN technology, SD-WAN vendor support can be a key to success. We break down the licensing of five major SD-WAN vendors.
As Megaport launches and expands our global SD-WAN coverage with Megaport Virtual Edge (MVE), SD-WAN vendor support is a key requirement and understanding the relevant licensing needs per vendor and per customer use case becomes very important to fully realizing the benefits of MVE, which can include better network performance and security, reduced operating costs, and simplified network management.
Let’s review the licensing approaches of each of Megaport’s partner SD-WAN vendors:
Cisco DNA Software for SD-WAN is composed of Cisco DNA Essentials, DNA Advantage, and DNA Premier all with varying levels of SD-WAN features available.
The only supported Software-Defined Cloud Interconnect (SDCI) license types (a.k.a. Cisco SD-WAN for MVE) are Cisco DNA Advantage and Cisco DNA Premier. These licenses support the Catalyst 8000V image which is needed for MVE.
Existing Cisco customers would utilize their current DNA Advantage or DNA Premier licenses for installation of the Megaport Virtual Edge service.
The terms for DNA Advantage are three, five, or seven years while for DNA Premier it is a three or five year subscription option.
In addition, the bandwidth selection process for the Catalyst 8000V has been simplified where the choices are now simply Tier 2 and Tier 3 bandwidth options.
Tier 2: Up to 1 Gbps (Suitable for Small and Medium MVE instances)
Tier 3: Up to 10 Gbps (Suitable for Large MVE instances)
For reference, the Catalyst 8000V license tiers and bandwidth options are detailed below:
|DNA Cat 8K License Tier||Bandwidth|
|DNA-C8KV-T2-A-SDCI||Up to 1 Gbps|
|DNA-C8KV-T3-A-SDCI||> 1 Gbps|
As a summary, if you wish to provision Cisco SD-WAN using Megaport, you simply choose the bandwidth needed, the term of the license and what feature set is required between DNA Advantage and Premium.
For further information please refer to:
Cisco DNA Software SD-WAN and Routing Matrices
Cisco Catalyst 8000V Edge Software Ordering Guide
The Fortinet approach to FortiGate-VM licensing is simply based on the number of virtual CPU’s configured in the applicable MVE service. The SD-WAN components of FortiGate and FortiOS do not need any additional licensing or bundles (it is still advised to procure the SD-WAN orchestrator license for easy deployment and management of edge devices).
The RAM/memory restriction no longer applies for FortiOS 6.2.2 and later versions, Megaport supports FortiOS 6.4.4, so there are no additional RAM/memory licensing requirements for the MVE service.
As a reminder, the MVE vCPU options are as follows:
Small: Two (2) vCPUs
Medium: Four (4) vCPUs
Large: Eight (8) vCPUs
FortiGate-VM offers a perpetual licensing option (normal series and V-series) as well as an annual subscription option (S-series).
Normal and V-series licenses are perpetual. You’ll need to contract separately for support services.
The annual S-series license contains the Fortinet-VM base package and a FortiCare service bundle with the support service options as follows:
- Only FortiCare
- Unified Threat Management (UTM)
- 360 protection
You can read the full details here.
For example, for a small MVE with 2 vCPUs, your options would be FG-VM02, FG-VM02V, or FG-VM02S.
The “V” suffix means no virtual domains (VDOMs) by default and the “S” suffix is a subscription-based license. If a license has no letter at the end, it means it’s a perpetual license.
For the perpetual or “V” license option,you would then choose the applicable additional security features like Intrusion Protection System (IPS), antivirus, sandboxing, and others if required.
Versa Secure SD-WAN
Versa offers licenses based on feature set requirements as well as the bandwidth that the specific device is allowed to consume. Each Versa Operating System (VOS) device that you deploy as a customer-premises equipment (CPE) is associated with a license.
Like all vendors, the feature set on offer depends on the specific solution tier with more features increasing the cost of the license.
The breakdown is as follows, with each tier being cumulative:
- Pro Net: Basic and advanced routing features which are Layer 2 bridging, carrier-class Layer 3 routing, bridging, Layer 4 security, universal customer-premises equipment (uCPE), and zero-touch provisioning (ZTP)
- Prime SD-WAN: All Pro Net tier features plus SD-WAN connectivity, application identification (App ID), application policy-based forwarding, and traffic engineering
- Prime Secure SD-WAN: All Prime SD-WAN tier features plus next-generation firewall (NGFW), which provides Layer 7 security, Secure Socket Layer (SSL) proxy (for captive portal), and application delivery controller (ADC) and traffic load balancer (TLB) (for reverse proxy)
- Premier Secure SD-WAN: All Prime Secure SD-WAN tier features plus application performance optimization for best application experience
- Premier Elite SD-WAN: All Premier Secure SD-WAN tier features plus unified threat management (UTM) and transmission control protocol (TCP) optimization.
In addition to the features needed, each VOS device has a limit on traffic. For SD-WAN deployments, this is measured across the WAN interfaces. The VOS device tracks the 95th percentile for both receive (RX) and transmit (TX) traffic on the WAN interfaces. It then uses the higher of the two values to calculate the amount of bandwidth used by each WAN interface.
VMware’s SD-WAN Edge licensing consists of 4 components, namely:
- Edge software edition (feature set)
- Gateway regional geolocation
Each component is summarized below:
|Bandwidth||10M, 30M, 50M, 100M, 200M, 500M, 1G, 2G, 5G, 10G|
|Editions||Standard, Enterprise, Premium|
|Region||North America, Europe Middle East and Africa, Latin America, Asia Pacific|
|Term||1 Year, 3 Years, 5 Years|
Edge Licensing allows a customer to link a software subscription to a specific Edge device.
Here are the VMware SD-WAN Edition types:
|Feature||Standard Subscription||Enterprise Subscription||Premium Subscription|
|VMware SD-WAN Orchestrator||✅||✅||✅|
|Dynamic Multi-Path Optimization (DMPO)||✅||✅||✅|
|Number of Edges supported||Unlimited||Unlimited||Unlimited|
|Maximum number of Data Segments||4||128||128|
|Maximum number of profiles||4||Unlimited||Unlimited|
|Partner Gateway Support||✅||✅||✅|
|Virtual services orchestration for NGFW deployment on Edges||✅||✅||✅|
|Routing support||BGP, OSPF||BGP, OSPF||BGP, OSPF|
|Cloud Gateway to SaaS and Cloud Security Service (without tunneling)||❌||❌||✅|
|Cloud Gateway to legacy DCs, IaaS, or Cloud Security Service via tunnels (non-SD-WAN destinations)||Add-on||Add-on||✅|
|Direct Edge to Internet/Cloud Security Service (BGP over IPsec*)||✅||✅||✅|
|Automated tunnel setup via API to IaaS or third-party Cloud Security Service||❌||From Edge||From Edge or Gateway|
|Gateways as Cloud VPN Hub||❌||❌||✅|
|Auto VPN setup||Hub to Spoke||Hub to spoke plus dynamic B2B||Hub to spoke plus dynamic B2B|
|Customizable business and security policy||✅||✅||✅|
|Path visibility||Last-mile||Last-mile plus site-to-site||Last-mile plus site-to-site|
|Wired/wireless/LAN/WAN analytics with ENI||Add-on||Includes 1 node, additional nodes available as add-on||Includes 2 node, additional nodes available as add-on|
For example, if you are provisioning an MVE to act as a private on-ramp to a Cloud Provider like Azure, AWS, or GCP, then the minimum subscription needed would be Standard. Alternatively, an enterprise-wide design using both Cloud Gateways and MVE may require a mix of Enterprise and Premium licensing to optimize resiliency and traffic shaping policies. If you are provisioning an MVE to act as an IPSEC gateway to a private network via a 1Gb, 10Gb or 100Gb Megaport only then you can also use the Standard subscription.
VMware provides the option for either POC or Production Deployments.
If a customer wants to runs a Proof of Concept, a POC license is available for this purpose with the following attributes:
|Region||North America, Europe, Middle East, Africa, Latin America, Asia Pacific|
When an Edge is deployed in a production environment, the license type assigned should align with the software subscription purchased. For example, if the subscription SKU “NB-VC100M-PRE-HO-HG-L34S312P-C” was purchased for use with the Edge being configured, the correct license type attributes as highlighted would be as follows:
Term: 1 Year
(HO: Hosted Orchestrator)
Aruba EdgeConnect SD-WAN
Aruba has a simple licensing approach which is valid for EdgeConnect Physical, Virtual, and Cloud based deployments.
Every EdgeConnect SD-WAN License supports all features except for WAN Optimization and is based on bandwidth tiers as detailed below:
- Unlimited bandwidth
- 2Gbps (full duplex)
- 1Gbps (full duplex)
- 500Mbps (full duplex)
- 200Mbps (full duplex)
- 100Mbps (full duplex)
- 50 Mbps (full duplex)
- 20 Mbps (full duplex)
All licenses are fully upgradable.
The WAN Boost license is optional (unique per customer) and priced per 100Mbps and is shared across the SDWAN Matrix.
Rarely does a one-size-fits-all approach work for a customer when it comes to deploying an SD-WAN solution. Many have different bandwidth, performance, features, and support requirements driven by various use cases as well as business needs. We hope this primer on the differences in licensing between major SD-WAN vendors will help you better understand the packages you’ll need to select to deploy Megaport Virtual Edge within your SD-WAN solutions and begin optimizing and modernizing your WAN, reducing operating costs, and improving network performance and security.