BOMwiki the bill-of-materials encyclopedia

SD-WAN Edge Appliance Product

Overview

An SD-WAN (Software-Defined WAN) edge appliance is a branch router that intelligently aggregates multiple WAN connections and steers traffic dynamically based on application performance metrics. Rather than routing all traffic over a single MPLS circuit (expensive and rigid), SD-WAN appliances bond broadband, LTE, MPLS, and even WiFi links into a unified fabric. The control plane continuously monitors latency, jitter, and packet loss on each link; the data plane then selects the optimal path per-flow.

The appliance runs a Linux kernel with OpenVPN or proprietary IPsec overlay tunnels to the central controller and other branches. End-to-end encryption protects all traffic; branch-to-branch communications occur without backhaul through headquarters, reducing latency for collaborative applications.

How it works

The Compute and Control Plane subsystem runs a real-time Linux kernel with the SD-WAN agent. On initialization, the appliance boots from the M.2 NVMe SSD, establishes control-plane connectivity to the SD-WAN controller (typically in the cloud), and downloads policies and tunnel configurations.

Data path flow begins at the LAN side: packets arrive on any of the 8 Gigabit ports connected to the switch ASIC. The switch performs MAC learning and VLAN bridging; traffic destined for the WAN is forwarded to the CPU via a dedicated "management" queue. The SD-WAN forwarding engine examines packet headers—IP 5-tuple (src IP, dst IP, protocol, src port, dst port)—and classifies the flow into a QoS class (e.g., voice, video, best-effort).

Once classified, the engine measures the performance of each WAN uplink: latency via probing, jitter via packet-spacing analysis, and packet loss via SACK or explicit feedback from remote branches. For real-time applications (VoIP, video), the engine selects the link with the lowest latency; for bulk file transfer, it may select the link with the highest capacity. This selection is updated every few seconds as conditions change.

The packet is then wrapped in an IPsec tunnel, encrypted by the IPsec Encryption Accelerator, and transmitted via the chosen WAN uplink (broadband modem, LTE modem, or MPLS handoff). The Security and Encryption subsystem computes a SHA-256 HMAC for integrity; the crypto ASIC applies AES-256 encryption at packet rate without burdening the CPU.

Return-path traffic follows the reverse: encrypted packets arrive on a WAN interface (broadband, LTE, or MPLS), are decrypted by the crypto ASIC, and are then forwarded based on the decrypted inner headers. The appliance maintains per-tunnel statistics (bytes, errors, latency) and reports them to the central controller for analytics.

Multi-WAN Bonding and Failover

Unlike legacy gateway routers that support one primary WAN and one backup, SD-WAN appliances actively load-balance across multiple WAN links simultaneously. A branch with broadband (10 Mbps), LTE (20 Mbps), and MPLS (50 Mbps) can aggregate 80 Mbps WAN capacity. Traffic splits dynamically: latency-sensitive flows (VoIP) prefer the MPLS link (lowest latency), bulk downloads balance across broadband and LTE, and mission-critical applications (ERP) use the MPLS uplink exclusively.

Failover is granular and flow-specific. If the broadband link fails, existing broadband-routed flows move to alternate uplinks, and new flows avoid the failed link. This avoids the hard-drop behavior of traditional backup circuits, where all traffic suddenly reroutes and may experience packet loss for 5–10 seconds.
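The per-class path selection from "How it works" and the flow-granular failover just described, as an added illustration that is not part of the original article or of any vendor's agent. The Uplink and SteeringEngine classes, the loss/jitter gates and the 10/20/50 Mbps branch are all assumptions constructed for the example; a real engine would refresh the link metrics from its probes every few seconds.

```python
from dataclasses import dataclass, field

@dataclass
class Uplink:
    name: str              # "mpls" is treated as the private circuit, others as internet
    capacity_mbps: float
    latency_ms: float      # from probing
    jitter_ms: float       # from packet-spacing analysis
    loss_pct: float        # from SACK / remote feedback
    up: bool = True

@dataclass
class SteeringEngine:
    links: dict                                 # name -> Uplink
    flows: dict = field(default_factory=dict)   # 5-tuple -> (qos_class, link name)

    def select(self, qos_class):
        """Pick an uplink for a new flow; None means no acceptable path exists."""
        cand = [l for l in self.links.values() if l.up]
        if qos_class == "critical":              # ERP: MPLS only, never spills to internet
            return "mpls" if any(l.name == "mpls" for l in cand) else None
        if not cand:
            return None
        if qos_class in ("voice", "video"):      # real-time: lowest latency among clean links
            ok = [l for l in cand if l.loss_pct <= 1.0 and l.jitter_ms <= 30] or cand
            return min(ok, key=lambda l: l.latency_ms).name
        load = lambda n: sum(1 for _, l in self.flows.values() if l == n)  # pinned flows
        pool = [l for l in cand if l.name != "mpls"] or cand  # bulk: balance internet links
        return min(pool, key=lambda l: (load(l.name) / l.capacity_mbps, -l.capacity_mbps)).name

    def new_flow(self, five_tuple, qos_class):
        link = self.select(qos_class)
        if link is not None:
            self.flows[five_tuple] = (qos_class, link)
        return link

    def link_down(self, name):
        """Flow-granular failover: only flows pinned to the failed link are re-steered."""
        self.links[name].up = False
        moved = {}
        for ft, (cls, link) in list(self.flows.items()):
            if link == name:
                del self.flows[ft]               # unpin first so load counts stay accurate
                moved[ft] = self.new_flow(ft, cls)
        return moved

# Constructed branch with the 10/20/50 Mbps uplinks from the text; metrics are illustrative.
def demo_engine():
    metrics = {"broadband": (10, 30, 5, 0.2), "lte": (20, 60, 20, 0.5), "mpls": (50, 10, 2, 0.0)}
    return SteeringEngine({n: Uplink(n, *m) for n, m in metrics.items()})
```

A critical-class flow that loses MPLS is dropped rather than spilled onto an internet link, which is the behaviour the "MPLS exclusively" policy above implies.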

Integration with Cloud and Controllers

The appliance maintains a persistent IPsec tunnel to the SD-WAN orchestrator (usually a cloud service), which pushes policies, approves new tunnel requests, and collects analytics. The controller assigns a unique site identity and maintains a global map of all branches and their uplink IPs. When a new tunnel is needed (e.g., between branch A and branch B), both appliances contact the controller, which orchestrates tunnel establishment without manual configuration.

Cellular Failover via LTE/5G

The LTE/5G Cellular Module provides genuine broadband-independent backup. The LTE modem maintains a persistent data connection via the carrier's LTE network; the appliance can select it as primary during a broadband outage or use it for specific traffic classes (critical applications, real-time).

Dual SIM capability allows two carriers: a primary SIM on one carrier (e.g., AT&T) and a secondary SIM on another (e.g., Verizon). If the AT&T network becomes congested or unavailable, traffic automatically switches to Verizon. This is more reliable than relying on two broadband ISPs in the same area, since mobile networks provide nationwide coverage.

QoS and Traffic Steering

The Ethernet Switching and Ports subsystem supports 8 per-port priority queues with weighted round-robin scheduling. High-priority traffic (VoIP, video conferencing) is queued separately and transmitted first, ensuring low jitter. Lower-priority traffic (backup, web browsing) fills the remaining link capacity. Marking is done via DSCP (Differentiated Services Code Point) in the IP header, which is standardized across vendors.
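The DSCP-driven queueing above, as an added example that is not part of the original article or of any switch ASIC's firmware: it extracts the DSCP and 5-tuple from a raw IPv4 header, maps the marking to one of eight priority queues and drains them with weighted round-robin. The DSCP-to-queue table, the weights, the helper names and the constructed packets are all assumptions for illustration.

```python
import struct
from collections import deque

# DSCP (top 6 bits of the IPv4 TOS byte) -> priority queue 0..7, queue 0 served first.
# Assumed policy: EF (46) voice, AF41 (34) video, AF31 (26) / AF21 (18) / AF11 (10)
# interactive data, CS1 (8) scavenger, everything else best effort (queue 6).
DSCP_TO_QUEUE = {46: 0, 34: 1, 26: 2, 18: 3, 10: 4, 0: 6, 8: 7}
WEIGHTS = [8, 6, 4, 3, 2, 2, 1, 1]  # assumed WRR weights, packets per round per queue

def parse_ipv4(pkt):
    """Return (dscp, src, dst, proto, sport, dport) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    tos, proto = pkt[1], pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:  # TCP/UDP ports follow the IP header
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return tos >> 2, src, dst, proto, sport, dport

class WrrScheduler:
    def __init__(self):
        self.queues = [deque() for _ in range(8)]

    def enqueue(self, pkt):
        """Classify by DSCP and place the packet in its queue; returns the queue index."""
        dscp = parse_ipv4(pkt)[0]
        q = DSCP_TO_QUEUE.get(dscp, 6)   # unknown markings fall into best effort
        self.queues[q].append(pkt)
        return q

    def drain(self):
        """Serve queues in WRR rounds until empty; returns packets in transmit order."""
        out = []
        while any(self.queues):
            for q, w in enumerate(WEIGHTS):
                for _ in range(w):
                    if self.queues[q]:
                        out.append(self.queues[q].popleft())
        return out

def make_pkt(dscp, sport, dport, proto=17):
    """Constructed minimal IPv4 + L4 header for testing (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 9, 0, 1]))
    return hdr + struct.pack("!HH", sport, dport) + b"\0\0\0\0"
```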

The Firewall State SRAM maintains per-flow state for stateful filtering: established connections are fast-tracked, while new connections are subject to policy rules. Connection rate-limiting (to prevent SYN floods) and geo-blocking (rejecting traffic from specific countries) can be enforced per-interface or per-application.

Deep Packet Inspection and Threat Prevention

The Deep Packet Inspection Engine coprocessor inspects packet payloads beyond the headers. It identifies web traffic (ports 80 and 443) and applies URL filtering (blocking known malware sites), identifies P2P traffic and can throttle it, and detects patterns indicative of ransomware command-and-control callbacks. DPI is CPU-intensive; offloading it to hardware keeps the main processor free for routing decisions.

Deployment Scenarios

Small branches with a single broadband line deploy the appliance as a simple router replacement, enabling a cloud-first architecture (all traffic goes to the cloud first, then is routed to the branch). Medium branches with broadband and LTE bond both for resilience. Enterprise regional hubs with multiple MPLS and broadband circuits aggregate them for optimal utilization and disaster recovery. Campuses with multiple buildings deploy small appliances at each floor or building, with the campus core running a higher-capacity model.

Integration with Headquarters and Applications

The appliance integrates with application-aware networking via SD-WAN cloud gateways. For SaaS applications (Salesforce, Office 365), the appliance routes traffic directly to the nearest cloud POP, bypassing corporate HQ. For legacy on-premises systems, traffic is encrypted and tunneled back to HQ. This hybrid model reduces WAN cost and latency while maintaining security.

Bill of materials

7 top-level lines · 41 rows shown · 59 parts total · indented to 3 levels
| # | Item / sub-assembly | Part no. | Qty/assy | Ext. qty | Parts | Type |
|---|---|---|---|---|---|---|
| 1 | Compute and Control Plane | sd-wan-appliance-compute-subsystem | 1 | 9 | 6 | assembly |
| 1.1 | x86 Processor | sd-wan-appliance-cpu | 1 | | | part |
| 1.2 | DDR4 SODIMM Memory | sd-wan-appliance-ddr4-memory | 2 | | | part |
| 1.3 | M.2 NVMe SSD | sd-wan-appliance-ssd-storage | 1 | | | part |
| 1.4 | BIOS Flash ROM | sd-wan-appliance-bios-flash | 1 | | | part |
| 1.5 | Bare PCB | pcb-bare | 1 | | | part |
| 1.6 | SMD Passive (R/C/L) | smd-passives | 3 | | | part |
| 2 | Ethernet Switching and Ports | sd-wan-appliance-ethernet-subsystem | 1 | 18 | 5 | assembly |
| 2.1 | Gigabit Switch ASIC | sd-wan-appliance-switch-asic | 1 | | | part |
| 2.2 | Gigabit PHY Transceiver | sd-wan-appliance-phy-ic-x6 | 6 | | | part |
| 2.3 | RJ45 with Integrated Magnetics | sd-wan-appliance-rj45-magjack | 8 | | | part |
| 2.4 | Connector | connector | 1 | | | part |
| 2.5 | SMD Passive (R/C/L) | smd-passives | 2 | | | part |
| 3 | LTE/5G Cellular Module | sd-wan-appliance-cellular-subsystem | 1 | 7 | 5 | assembly |
| 3.1 | LTE Cat-6 Cellular Module | sd-wan-appliance-lte-modem | 1 | | | part |
| 3.2 | Dual SIM Card Reader | sd-wan-appliance-dual-sim-slot | 1 | | | part |
| 3.3 | LTE MIMO Antenna | sd-wan-appliance-cellular-antenna-x2 | 2 | | | part |
| 3.4 | SMA Antenna Connector | sd-wan-appliance-lte-connector | 1 | | | part |
| 3.5 | SMD Passive (R/C/L) | smd-passives | 2 | | | part |
| 4 | Security and Encryption | sd-wan-appliance-security-subsystem | 1 | 5 | 4 | assembly |
| 4.1 | IPsec Encryption Accelerator | sd-wan-appliance-crypto-asic | 1 | | | part |
| 4.2 | Deep Packet Inspection Engine | sd-wan-appliance-dpi-engine | 1 | | | part |
| 4.3 | Firewall State SRAM | sd-wan-appliance-firewall-sram | 1 | | | part |
| 4.4 | SMD Passive (R/C/L) | smd-passives | 2 | | | part |
| 5 | Power Conversion and Distribution | sd-wan-appliance-power-subsystem | 1 | 8 | 5 | assembly |
| 5.1 | Power Supply | power-supply | 1 | | | part |
| 5.2 | 12V to 5V Converter | sd-wan-appliance-dcdc-12v-5v | 1 | | | part |
| 5.3 | 5V to 3.3V LDO | sd-wan-appliance-dcdc-5v-3v3 | 1 | | | part |
| 5.4 | Auxiliary 1.8V Buck | sd-wan-appliance-dcdc-aux | 1 | | | part |
| 5.5 | SMD Passive (R/C/L) | smd-passives | 4 | | | part |
| 6 | Thermal Management | sd-wan-appliance-thermal-subsystem | 1 | 6 | 4 | assembly |
| 6.1 | CPU Passive Heatsink | sd-wan-appliance-cpu-heatsink | 1 | | | part |
| 6.2 | ASIC Mini Heatsink | sd-wan-appliance-asic-heatsink | 1 | | | part |
| 6.3 | Graphite Thermal Pads | sd-wan-appliance-thermal-pads | 3 | | | part |
| 6.4 | 40 mm Cooling Fan | sd-wan-appliance-fan-optional | 1 | | | part |
| 7 | Chassis and I/O Panel | sd-wan-appliance-chassis-subsystem | 1 | 6 | 5 | assembly |
| 7.1 | Rackmount Chassis Frame | sd-wan-appliance-metal-chassis | 1 | | | part |
| 7.2 | I/O Backplane PCB | sd-wan-appliance-io-backplane | 1 | | | part |
| 7.3 | Front Aluminum Faceplate | sd-wan-appliance-front-panel | 1 | | | part |
| 7.4 | Serial Console Header | sd-wan-appliance-console-uart | 1 | | | part |
| 7.5 | Fastener Set | fastener-set | 2 | | | part |

Sourcing — likely vendors

Companies that make this · indicative price $30–$50k · MOQ and lead times are typical values

| Vendor | Website | HQ | Specialty | MOQ | Lead time |
|---|---|---|---|---|---|
| Cisco | cisco.com | San Jose, US | Networking | 500 units | 8–14 wks |
| Juniper | juniper.net | Sunnyvale, US | Networking | 500 units | 8–14 wks |
| Arista | arista.com | Santa Clara, US | Networking | 500 units | 8–14 wks |
| Nokia | nokia.com | Espoo, FI | Telecom equipment | 500 units | 8–14 wks |
| Huawei | huawei.com | Shenzhen, CN | Networking & telecom | 500 units | 8–14 wks |