Hardware and software requirements

Kaspersky SD-WAN has the following hardware and software requirements:

Hardware requirements depend on the number of CPE devices being managed (see the recommended deployment scenarios below). If you need to calculate hardware requirements for a specific deployment scheme more precisely, we recommend contacting Kaspersky Technical Support.

1. Recommended computing resources for solution components version 2.4 and higher.

The following are supported specifications for instances of Kaspersky SD-WAN Orchestrator (ORC), Kaspersky SD-WAN Controller (CTL), the monitoring component (MON), and the Kaspersky Deployment Toolkit (KDT) utility; these are valid as long as identical components and software versions are used.

1.1. SD-WAN Orchestrator

Table 1. ORC instance type definitions


Instance type	Number of CPE devices	Specifications (approximate)
Instance type	Number of CPE devices	CPU*	RAM	Storage size**	Storage IOPS**	Network adapter
Small ORC	1000	16 cores	32 GB	256 GB	3,000	2 x 1 Gbps
Medium ORC	5,000	24 cores	64 GB	512 GB	5,000	2 x 1 Gbps
Large ORC	10,000	16 cores	128 GB	1 TB	10,000	2 x 10 Gbps

* CPU without Hyper-Threading. Recommendations:

Xeon Silver 4314 for Small ORC instances
Xeon Gold 5318Y, Xeon Gold 5418Y, or higher for Medium ORC instances
Xeon Gold 6414U, Xeon Gold 6438Y+, or higher for Large ORC instances

** SSD

1.2. SD-WAN Controller

Table 2. CTL instance type definitions


Instance type	Number of CPE devices	Specifications (approximate)
Instance type	Number of CPE devices	CPU*	RAM	Storage size**	Storage IOPS**	Network adapter
Small CTL	250	16 cores	32 GB	64 GB	3,000	2 x 1 Gbps
Medium CTL	500	24 cores	48 GB	128 GB	5,000	2 x 1 Gbps
Large CTL	1000	32 cores	64 GB	256 GB	10,000	2 x 10 Gbps

* CPU without Hyper-Threading. Recommendations:

Xeon Silver 4314 for Small CTL instances
Xeon Gold 5318Y, Xeon Gold 5418Y, or higher for Medium CTL instances
Xeon Gold 6414U, Xeon Gold 6438Y+, or higher for Large CTL instances

** SSD

1.3. SD-WAN monitoring component

Table 3. MON instance type definitions


Instance type	Number of CPE devices	Specifications (approximate)
Instance type	Number of CPE devices	CPU*	RAM	Storage size**	Storage IOPS**	Network adapter
Small MON	1,000	8 cores	16 GB	1 TB	3,000	2 x 1 Gbps
Medium MON	5,000	24 cores	64 GB	5 TB	5,000	2 x 1 Gbps
Large MON	10,000	16 cores	96 GB	10 TB	10,000	2 x 10 Gbps

* CPU without Hyper-Threading. Recommendations:

Xeon Silver 4309Y for Small MON instances
Xeon Gold 5318Y, Xeon Gold 5418Y, or higher for Medium MON instances
Xeon Gold 6414U, Xeon Gold 6438Y+, or higher for Large MON instances

**SSD, RAID 10

1.4. SD-WAN All-in-One

An SD-WAN All-in-One (AIO) instance includes the following administration components: Kaspersky SD-WAN Orchestrator (ORC), Kaspersky SD-WAN Controller (CTL), and Kaspersky SD-WAN monitoring component (MON). The following instance specifications are supported:

Table 4. AIO instance type definitions


Instance type	Number of CPE devices	Specifications (approximate)
Instance type	Number of CPE devices	CPU*	RAM	Storage size**	Storage IOPS**	Network adapter
Small AIO	50	16 cores	32 GB	256 GB	3,000	1 Gbps
Medium AIO	100	24 cores	48 GB	512 GB	5,000	2 x 1 Gbps
Large AIO	250	32 cores	64 GB	1024 GB	10,000	2 x 10 Gbps

1.5. Host for SD-WAN deployment

To deploy and update the management components of the solution in High Availability and Distributed Deployment scenarios, you need a dedicated host with the Kaspersky Deployment Toolkit (KDT).

Table 5. KDT instance type definitions


Deployment scenario	Specifications (approximate)
Deployment scenario	CPU*	RAM	Storage size**	Storage IOPS**	Network adapter
High Availability and Distributed Deployment	8 cores	16 GB	512 GB	5,000	1 Gbps

* CPU without Hyper-Threading. Recommendations:

Xeon Silver 4309Y for KDT instances

** SSD

2. Administration system deployment scenarios

2.1. Standalone deployment

The standalone deployment scenario of the Kaspersky SD-WAN administration system is intended for demonstration purposes only and is not recommended for a production environment.

2.2. High Availability deployment

Deploying the Kaspersky SD-WAN administration system in a High Availability (HA) scenario requires three AIO instances (HA3). The hardware requirements of the instances are specified in Table 4. The following table lists sizing recommendations for HA3 deployment.

Table 6. Requirements of instances for HA3 deployment

Number of CPE devices	HA3 instance
50	3 x Small AIO
100	3 x Medium AIO
250	3 x Large AIO

2.3. Distributed Deployment

Deploying the Kaspersky SD-WAN administration system in a Distributed Deployment scenario requires three dedicated ORC instances, three dedicated CTL instances, three dedicated MON instances, and one KDT host.

Table 7. Requirements of instances for deployment

Number of CPE devices	ORC	CTL	MON	KDT
250	3 x Small ORC	3 x Small CTL	3 x Small MON	1 x KDT
500	3 x Small ORC	3 x Medium CTL	3 x Small MON	1 x KDT
1,000	3 x Small ORC	3 x Large CTL	3 x Small MON	1 x KDT
2,500	3 x Small ORC	15 x Medium CTL	3 x Small MON	1 x KDT
5,000	3 x Medium ORC	30 x Medium CTL	3 x Medium MON	1 x KDT
7,500	3 x Medium ORC	45 x Medium CTL	3 x Medium MON	1 x KDT
10,000	3 x Large ORC	60 x Medium CTL	3 x Large MON	1 x KDT
20,000	6 x Large ORC	120 x Medium CTL	6 x Large MON	1 x KDT
25,000	9 x Large ORC	150 x Medium CTL	9 x Large MON	1 x KDT

3. Third-party solution requirements

The following third-party solutions are required to deploy Kaspersky SD-WAN:

The Zabbix monitoring system versions 5.0.26 or 6.0.0. For details, please refer to the official documentation of the Zabbix solution.
The Docker cloud platform version 1.5 or later for deploying Docker containers of solution components. For details, please refer to the official documentation of the Docker cloud platform.
The OpenStreetMap service for viewing the transport service topology overlaid on a map. If the infrastructure of your organization does not provide for an Internet connection, you can use offline maps. Offline maps take up additional disk space:
- The offline map (central-fed-district-latest.osm.pbf) takes up approximately 100 GB.
- Geocoding data takes up approximately 10 GB.
For detailed information, please refer to the official documentation of the OpenStreetMap service.

Operating system requirements

The following 64-bit operating systems are supported:

Ubuntu 22.04 LTS.
Astra Linux 1.7 (security level: "Orel").
RED OS 7.3 "MUROM".

Requirements for links between nodes of solution components

When deploying Kaspersky SD-WAN, you can deploy multiple nodes of solution components. The following requirements apply to links between nodes of solution components:

Requirements for links between controller nodes:
- Bandwidth: 1 Gbps
- RTT (Round Trip Time): 200 ms or less
- Packet loss: 0%
Requirements for links between MongoDB database nodes:
- Bandwidth: 1 Gbps
- RTT: 50 ms or less
- Packet loss: 0%
Requirements for links between Redis database nodes:
- Bandwidth: 1 Mbps
- RTT: 50 ms or less
- Packet loss: 0%

Browser requirements

The following browsers are supported for managing the orchestrator web interface:

Google Chrome 100 or later
Firefox 100 or later
Microsoft Edge 100 or later
Opera 90 or later
Safari 15 or later

CPE device requirements

The following CPE device models are supported:

KESR-M1-R-5G-2L-W
KESR-M2-K-5G-1L-W
KESR-M2-K-5G-1S
KESR-M3-K-4G-4S
KESR-M4-K-2X-1CPU
KESR-M4-K-8G-4X-1CPU
KESR-M5-K-8G-4X-2CPU
KESR-M5-K-8X-2CPU

CPE devices of the KESR model are based on x86 (Intel 80x86) and MIPS (Microprocessor without Interlocked Pipeline Stages) processor architectures.

KESR M3–M5 CPE devices have Intel network adapters that are compatible with Intel SFP transceivers. For details about supported SFP transceivers, you can use the Intel Product Compatibility Tool

https://compatibleproducts.intel.com/ProductDetails?activeModule=Intel%C2%AE%20Ethernet#

(in the territory of the Russian Federation, the link is accessible only via VPN). When using the Intel Product Compatibility Tool, you need to select one of the following product categories:

500 Series to view SFP transceivers that are compatible with KESR M3 CPE devices.
700 Series to view SFP transceivers that are compatible with KESR M4–M5 CPE devices.

Kaspersky experts carried out tests to confirm the functionality of CPE devices when providing the L3 VPN service (see the table below). DPI (Deep Packet Inspection) was not used on the tested devices, and traffic encryption was disabled.

Model	Packet size (bytes)	Bandwidth (Mbps)
KESR-M1	IMIX (417)	30
KESR-M1	Large (1300)	115
KESR-M2	IMIX (417)	165
KESR-M2	Large (1300)	241
KESR-M3	IMIX (417)	805
KESR-M3	Large (1300)	1150
KESR-M4	IMIX (417)	1430
KESR-M4	Large (1300)	2870

For detailed information about the characteristics of CPE devices, please refer to the official page of the solution.

You can deploy uCPE devices on servers with x86 (Intel 80x86) or ARM64 processor architectures.

vCPE device requirements

The distribution kit includes the following firmware for deploying vCPE devices:

vKESR-M1
vKESR-M2
vKESR-M3
vKESR-M4

The following virtualization environments are supported for vCPE devices:

VMware 7.0 or later
KVM with kernel version 5.15 or later
Only the original KVM virtualization environment without additional orchestration tools is supported.

The following table lists the virtual resource requirements for deploying vCPE devices.

Firmware	CPU	RAM, GB	Disk, GB
vKESR-M1	2	0.5	1
vKESR-M2	4	8	1
vKESR-M3	12	16	1
vKESR-M4	24	32	1

When upgrading Kaspersky SD-WAN from version 2.2 to 2.3, you need to make sure that your previously deployed vCPE devices satisfy the requirements of the new version, after which you can update your vCPE devices using the vKESR-M1-5 firmware.

Page top