SD-WAN Vendors Comparison Chart

How Cisco stacks up to the SD-WAN competition

See how Cisco outperforms VMware, Palo Alto Networks, Fortinet, and others. With innovations in software-defined networking, NFV, and integrated security, Cisco offers a more extensive solution and provides a foundation for intent-based networking. 

 

SD-WAN

Cisco

VMware

Fortinet

Silver Peak

Versa

Palo Alto Networks (Prisma SD-WAN)

Palo Alto Networks (PAN-OS NGFW)

Networking

Supports traditional routing & SD-WAN on the same platform

  •   Cisco: Comprehensive traditional routing services. Smooth migration with features relevant to SD-WAN on the same platform. Unified image common across traditional routing and SD-WAN.
  •   VMware: No investment protection for smoother migration in relation to SD-WAN on same platform. Limited traditional routing feature set.
  •   Fortinet: Enabling SD-WAN does not require adding to, or changing, existing infrastructure.
  •   Silver Peak: No investment protection for smoother migration in relation to SD-WAN on same platform. Limited traditional routing feature set.
  •   Versa: Requires adding new hardware to use SD-WAN.
  •   Palo Alto Networks (Prisma SD-WAN): Enabling SD-WAN does not require adding to, or changing, existing infrastructure. Limited traditional routing feature set.
  •   Palo Alto Networks (PAN-OS NGFW): Smooth migration to SD-WAN on the same platform. Complete traditional routing services available.

Core, edge, and cloud SD-WAN

  •   Cisco: Appliances built to service core, edge, and cloud locations. Wide range of form factors with physical and virtual offerings.
  •   VMware: Appliances built to service core, edge, and cloud locations.
  •   Fortinet: Appliances built to service core, edge, and cloud locations.
  •   Silver Peak: Appliances built to service core, edge, and cloud locations.
  •   Versa: Appliances built to service core, edge, and cloud locations.
  •   Palo Alto Networks (Prisma SD-WAN): Appliances built to service core, edge, and cloud locations.
  •   Palo Alto Networks (PAN-OS NGFW): Appliances built to service core, edge, and cloud locations.

Purpose-built SD-WAN Architecture

  •   Cisco: Dedicated control, data, and management plane components for scalability and performance, offering an SDN-compliant architecture. Flexibility of matching architecture to business Intent. Cloud-hosted deployment managed by Cisco Cloud Ops team.
  •   VMware: Integrated control and data plane components limit flexibility.
  •   Fortinet: Legacy firewall-based architecture.
  •   Silver Peak: Legacy combined control and data plane architecture.
  •   Versa: Dedicated control, data, and management plane components.
  •   Palo Alto Networks (Prisma SD-WAN): Integrated control and data plane components limit flexibility.
  •   Palo Alto Networks (PAN-OS NGFW): Integrated control and data plane components limit flexibility.

True zero-touch provisioning

  •   Cisco: Mutually authenticated, multi-factor authentication with zero-touch provisioning for all components. One touch provisioning for air-gapped networks and MSPs.
  •   VMware: Requires additional authentication steps to provision.
  •   Fortinet: Multiple touch points to enable ZTP process. As it is based on Firewall enabling SD-WAN, it requires manual policy configurations.
  •   Silver Peak: EdgeConnect devices are preconfigured, however requires additional authentication steps to provision.
  •   Versa: Multiple touch points.
  •   Palo Alto Networks (Prisma SD-WAN): The ION devices are pre-configured to authenticate to the portal and support zero-touch provisioning and deployment.
  •   Palo Alto Networks (PAN-OS NGFW): Requires additional authentication steps to provision.

Active-active dual router SD-WAN topology

  •   Cisco: Allows for active-active networking to provide higher throughput and greater reliability. Capability to horizontally scale with easy-to-use features.
  •   VMware: Does not support active-active connections.
  •   Fortinet: Additional WAN switch required, which creates dependencies.
  •   Silver Peak: Allows for active-active networking but requires an additional switch, which creates dependencies.
  •   Versa: Does not support active-active connections.
  •   Palo Alto Networks (Prisma SD-WAN): Does not support active-active connections.
  •   Palo Alto Networks (PAN-OS NGFW): Supports active-active connections.

Advanced routing protocols for brownfield integrations

  •   Cisco: Extends advanced routing intelligence, such as EIGRP, OSPF, RIP, and BGP, into cloud environments, allowing for faster, more reliable connectivity to cloud workloads. Supported with dual stack. Capability to also do underlay/overlay routing. Flexible policy and attribute support for easy routing manipulation.
  •   VMware: Advanced routing protocols such as BGP, OSPF supported but does not provide the most efficient path selection.
  •   Fortinet: Advanced routing protocols such as BGP, OSPF supported but does not provide the most efficient path selection.
  •   Silver Peak: Supports advanced routing protocols like BGP but lacks advanced routing support for protocols such as OSPF.
  •   Versa: Supports advanced routing protocols, including BGP and OSPF.
  •   Palo Alto Networks (Prisma SD-WAN): Supports advanced routing protocols, such as BGP, but lacks support for protocols such as OSPF.
  •   Palo Alto Networks (PAN-OS NGFW): Supports advanced routing protocols, including BGP and OSPF, but does not provide the most efficient path selection.

Extensible Policy Framework

  •   Cisco: Dynamic path selection automatically steers critical applications around network problems. Microsegmentation and identity-based policy management drive consistent multidomain policy enforcement for a uniform user experience.
  •   VMware: Policy could be passed in the form of per-device profiles but would be limited in terms of traffic engineering for data plane.
  •   Fortinet: Policies for SD-WAN and firewall are managed separately, creating complexities in terms of traffic engineering and passing down centralized control and data plane policies.
  •   Silver Peak: Policies can be created and reused from business intent perspective, but limitations exist in microsegmentation and multidomain policy enforcement.
  •   Versa: Has the ability to traffic-engineer based on application-aware policy, but limitations exist in multidomain policy enforcement.
  •   Palo Alto Networks (Prisma SD-WAN): Has the ability to traffic-engineer based on application-aware policy, but limitations exist in microsegmentation capabilities and multidomain policy enforcement.
  •   Palo Alto Networks (PAN-OS NGFW): Has the ability to traffic-engineer based on routing attributes, security policy, and application policy, but limitations exist in multidomain policy enforcement.

Complete SD-WAN/SASE Integration

  •   Cisco: Automated registration and creation for IPsec tunnels to Umbrella Secure Internet Gateway (SIG) with guided workflows on vManage. Complete integration with Cisco AnyConnect, Cisco Duo, etc.
  •   VMware: Workflows to SIG vendors with native SIG offering still a work in progress.
  •   Fortinet: No guided workflows for SIG integrations.
  •   Silver Peak: No support for autoregistration or creation of IPsec tunnels for SASE, because they rely on third-party integrations.
  •   Versa: Support for complete SASE integration.
  •   Palo Alto Networks (Prisma SD-WAN): Support for complete SASE integration with Prisma SD-WAN and Prisma Access. Complexities in API-based CloudBlades integration. No guided workflows for SIG integration.
  •   Palo Alto Networks (PAN-OS NGFW): Support for complete SASE integration with SD-WAN-enabled PAN-OS NGFW and Prisma Access. No guided workflows for SIG integration.

WAN optimization

  •   Cisco: Provides WAN optimization services including TCP optimization, data redundancy elimination, FEC, and packet duplication.
  •   VMware: Provides limited WAN optimization services, including FEC.
  •   Fortinet: Provides limited WAN optimization services, including FEC.
  •   Silver Peak: Provides WAN optimization services including TCP optimization, data redundancy elimination, and FEC.
  •   Versa: Provides limited WAN optimization services, including FEC.
  •   Palo Alto Networks (Prisma SD-WAN): Does not provide WAN optimization services.
  •   Palo Alto Networks (PAN-OS NGFW): Provides limited WAN optimization services, including TCP optimization, packet duplication, and FEC.

Security

Remote Office Branch Office On-prem security services

  •   Cisco: Fully integrated UTM security capabilities in vManage, including enterprise firewall with application awareness, Snort IPS, URL filtering, AMP File Analysis, threat grid sandboxing, Cisco Umbrella DNS security, SSL and Talos threat intelligence.
  •   VMware: Basic stateful firewall.
  •   Fortinet: Integrated NGFW features with IPS/IDS/ApplicationControl/AMP capabilities.
  •   Silver Peak: Lacks security integrations in the SD-WAN console.
  •   Versa: Integrated NGFW features with IPS/IDS/ApplicationControl/AMP capabilities.
  •   Palo Alto Networks (Prisma SD-WAN): Only offers basic zone-based firewall. No integrated security features such as IPS/IDS/AMP/URL filtering.
  •   Palo Alto Networks (PAN-OS NGFW): Integrated NGFW features with IPS/IDS/application control/AMP/URL filtering/DNS Security capabilities. Requires additional licensing.

Custom Silicon

  •   Cisco: Custom silicon root of trust in hardware provides embedded defense against foundational attacks and back doors. The Cisco vEdge Routers have a factory-installed Trusted Platform Module (TPM) chip with a signed certificate. This built-in security helps ensure automated, foolproof authentication of any new Cisco vEdge Routers joining the network and is a major advantage when deploying tens of thousands of endpoints.
  •   VMware: Commercial off-the-shelf hardware with embedded defense unknown.
  •   Fortinet: Custom silicon with embedded defense unknown.
  •   Silver Peak: Commercial off-the-shelf hardware with trustworthy solution unknown.
  •   Versa: Commercial off-the-shelf hardware with trustworthy solution unknown.
  •   Palo Alto Networks (Prisma SD-WAN): Commercial off-the-shelf hardware with trustworthy solution unknown.
  •   Palo Alto Networks (PAN-OS NGFW): Commercial off-the-shelf hardware with trustworthy solution unknown.

Segmentation

  •   Cisco: Proven, scalable MPLS/VRF-like end-to-end segmentation with support for multi-segment topologies and multi-tenancy support.
  •   VMware: VRF-based segmentation supported with no dynamic and flexible multi-segment topologies creation.
  •   Fortinet: Limited segmentation capabilities with complex VDOMs configurations with no dynamic and flexible multi-segment topologies creation.
  •   Silver Peak: VRF-style segmentation, but with routing limitations in OSPF and Peer Priority.
  •   Versa: Proven, scalable MPLS/VRF-like segmentation from Layer 2 to Layer 7.
  •   Palo Alto Networks (Prisma SD-WAN): Limited segmentation capabilities.
  •   Palo Alto Networks (PAN-OS NGFW): Provides scalable VRF-like segmentation but no flexible multi-segment topologies creation.

Encrypted traffic analysis

  •   Cisco: Can detect malware by matching encrypted SHA patterns without decryption.
  •   VMware: Cannot detect encrypted malware.
  •   Fortinet: Not a robust ETA solution across network infrastructure/devices.
  •   Silver Peak: Cannot detect encrypted malware.
  •   Versa: Provides TLS/SSL traffic encryption.
  •   Palo Alto Networks (Prisma SD-WAN): Cannot detect encrypted malware.
  •   Palo Alto Networks (PAN-OS NGFW): Can detect malware by decrypting, inspecting, and controlling inbound and outbound SSL and SSH connections.

Threat intelligence

  •   Cisco: Globally recognized threat intelligence (TALOS) with the ability to deploy incident response services.
  •   VMware: No threat intelligence.
  •   Fortinet: Provides threat intelligence capabilities.
  •   Silver Peak: No threat intelligence.
  •   Versa: Provides threat intelligence and monitoring.
  •   Palo Alto Networks (Prisma SD-WAN): No threat intelligence.
  •   Palo Alto Networks (PAN-OS NGFW): Provides threat intelligence capabilities as an add-on.

Cloud

SaaS Connectivity

  •   Cisco: Transport independence provides intelligent path selection to leading SaaS applications based on performance metrics and best path selection, such as Office 365, SIG, load-balancing, Cisco Webex, etc.
  •   VMware: SaaS optimization based on manual application rule creation through DIA broadband paths to colocations.
  •   Fortinet: Basic SaaS optimization with manual SLA creation for every application.
  •   Silver Peak: Transport independence provides intelligent path selection to leading SaaS applications based on performance metrics and best path selection.
  •   Versa: Basic SaaS optimization with manual SLA creation for every application.
  •   Palo Alto Networks (Prisma SD-WAN): Basic SaaS optimization with manual application rule creation for every application.
  •   Palo Alto Networks (PAN-OS NGFW): Basic SaaS optimization with manual SLA creation for every application. Needs additional SaaS security platform for advanced SaaS optimization.

IaaS Connectivity

  •   Cisco: Guided workflows for automated deployment of Cisco SD-WAN Cloud OnRamp for IaaS connectivity.
  •   VMware: Either manual gateways or shared resources. Automation only with Microsoft Azure vWAN.
  •   Fortinet: Manual gateway configuration.
  •   Silver Peak: Either manual gateways or shared resources.
  •   Versa: Either manual gateways or shared resources.
  •   Palo Alto Networks (Prisma SD-WAN): Manual gateways, shared resources, or complex API integration through CloudBlades.
  •   Palo Alto Networks (PAN-OS NGFW): Either manual gateways or shared resources.

Colocation-cloud gateways

  •   Cisco: Simplified network management with traffic aggregation through colocation hubs to cloud workloads, with guided workflows for automated deployment.
  •   VMware: Limited colocated aggregation.
  •   Fortinet: Limited colocated aggregation.
  •   Silver Peak: Limited colocated aggregation.
  •   Versa: Limited colocated aggregation.
  •   Palo Alto Networks (Prisma SD-WAN): Limited colocated aggregation.
  •   Palo Alto Networks (PAN-OS NGFW): Limited colocated aggregation.

Multi-Cloud connectivity

  •   Cisco: Guided workflows for automated deployment across various cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
  •   VMware: Partnership with Microsoft Azure vWAN. Guided workflows.
  •   Fortinet: Limited workflows for multicloud connectivity.
  •   Silver Peak: Manual deployment across various CSPs.
  •   Versa: Manual deployment across various CSPs.
  •   Palo Alto Networks (Prisma SD-WAN): Manual deployment across various CSPs or through complex CloudBlades API integration.
  •   Palo Alto Networks (PAN-OS NGFW): Manual deployment across various CSPs.

Edge

Storage

  •   Cisco: Provides IoT/OT automation with integrated branch storage and compute. Supported by Cisco Catalyst 8200 Series.
  •   VMware: VNFs can be deployed on VMware SD-WAN Edge appliances.
  •   Fortinet: No edge VNF hosting capabilities.
  •   Silver Peak: No edge VNF hosting capabilities.
  •   Versa: VNFs can be deployed on Versa SD-WAN Edge appliances.
  •   Palo Alto Networks (Prisma SD-WAN): No edge application-hosting capabilities.
  •   Palo Alto Networks (PAN-OS NGFW): No edge application-hosting capabilities.

Multi-Cloud Visibility

  •   Cisco: Visibility across the internet, the cloud, and SaaS with the native integration of Cisco ThousandEyes on compatible Cisco Catalyst 8200 Series and Cisco Catalyst 8300 Series Edge Platforms.
  •   VMware: No edge application-hosting capabilities. VNFs can be deployed on VMware SD-WAN Edge appliances.
  •   Fortinet: No edge application-hosting capabilities.
  •   Silver Peak: No edge application-hosting capabilities.
  •   Versa: No edge application-hosting capabilities. VNFs can be deployed on Versa SD-WAN Edge appliances.
  •   Palo Alto Networks (Prisma SD-WAN): Visibility across the internet, the cloud, and SaaS with the native integration of Prisma Access ADEM.
  •   Palo Alto Networks (PAN-OS NGFW): Needs integration with Prisma Access for visibility across the internet, the cloud, and SaaS through ADEM, which makes integration highly complex.

Voice integration

  •   Cisco: Cisco Catalyst 8000 Edge Platforms offer rich voice services in SD-WAN and traditional IOS XE software feature stacks. Cisco is the only SD-WAN vendor to natively integrate analog/digital IP directly into single CPE. In SD-WAN mode, the Cisco Catalyst 8300 Series also prevents internal and external outages using SRST. The series also continues to support a long list of traditional IOS XE voice use cases.
  •   VMware: No edge application-hosting capabilities. VNFs can be deployed on VMware SD-WAN Edge appliances.
  •   Fortinet: No edge application-hosting capabilities.
  •   Silver Peak: No native voice integration.
  •   Versa: No native voice integration.
  •   Palo Alto Networks (Prisma SD-WAN): No native voice integration.
  •   Palo Alto Networks (PAN-OS NGFW): No native voice integration.

Advanced LTE Solutions

  •   Cisco: Advanced cellular capabilities as a transport link supported with deployment flexibility of built-in module, card or external gateway on Cisco Catalyst 8000 Series.
  •   VMware: Cellular capabilities as a transport link.
  •   Fortinet: Cellular capabilities as a transport link.
  •   Silver Peak: No significant cellular support.
  •   Versa: No significant cellular support. Cellular support on limited model (CSG1000).
  •   Palo Alto Networks (Prisma SD-WAN): Cellular support on limited model (one ION 1200 model).
  •   Palo Alto Networks (PAN-OS NGFW): Supports cellular capabilities in 5G-based NGFW.

Industrial SD-WAN

  •   Cisco: Ruggedized SD-WAN options, for adverse and industrial environments.
  •   VMware: No ruggedized SD-WAN options.
  •   Fortinet: Ruggedized SD-WAN options.
  •   Silver Peak: No ruggedized SD-WAN options.
  •   Versa: No ruggedized SD-WAN options.
  •   Palo Alto Networks (Prisma SD-WAN): No ruggedized SD-WAN options.
  •   Palo Alto Networks (PAN-OS NGFW): Ruggedized SD-WAN options.

Wi-Fi/5G-ready

  •   Cisco: Uses advanced wireless frequency and protocol technology.
  •   VMware: Uses advanced wireless frequency and protocol technology.
  •   Fortinet: Uses advanced wireless frequency and protocol technology.
  •   Silver Peak: No advanced wireless capabilities.
  •   Versa: Uses advanced wireless frequency and protocol technology.
  •   Palo Alto Networks (Prisma SD-WAN): No advanced wireless capabilities. Dependence on third parties to enable features.
  •   Palo Alto Networks (PAN-OS NGFW): No advanced wireless capabilities. Dependence on third parties to enable features. Does have 5G-ready NGFW hardware.

Data center integration (Common policies across domains)

  •   Cisco: Cross-domain integrations, common QoS policies between Cisco ACI and SD-WAN. Extend TrustSec security group tags (SGTs)/metadata from WAN to campus to data center.
  •   VMware: Unifies data center policies with edge needs.
  •   Fortinet: No data center integration.
  •   Silver Peak: No data center integration.
  •   Versa: No data center integration.
  •   Palo Alto Networks (Prisma SD-WAN): No cross-domain integration.
  •   Palo Alto Networks (PAN-OS NGFW): No cross-domain integration.

Micro-segmentation

  •   Cisco: Supports microsegmentation and policy enforcement through scalable group tags for user groups.
  •   VMware: Minimal Layer 2 microsegmentation and policy enforcement.
  •   Fortinet: Minimal Layer 2 microsegmentation and policy enforcement.
  •   Silver Peak: Supports microsegmentation and policy enforcement through scalable zones.
  •   Versa: Supports microsegmentation and policy enforcement through scalable zones.
  •   Palo Alto Networks (Prisma SD-WAN): No microsegmentation and policy enforcement.
  •   Palo Alto Networks (PAN-OS NGFW): Supports microsegmentation and policy enforcement through scalable zones.

Updated November 2021, based on public information.

Routers

Cisco

HPE

Huawei

SD-WAN Vendors

User Experience

Application-aware WAN

  •   Cisco: Monitor more than 1400 applications and network performance. Troubleshoot issues quickly. Deploy business-intent policies across the entire network with no probes or additional hardware.
  •   HPE (Limited): Limited router and network performance monitoring, primarily with sFlow tools.
  •   Huawei (Limited): Application monitoring through NetStream supports the NetFlow v9 export format. NetStream is sampled Layer 4 (flow-based) and not true deep-packet-inspection technology.
  •   SD-WAN Vendors (Limited): Support varies between basic and advanced application visibility and performance monitoring.

Application high availability
  •   Monitor path performance and apply what is learned to select the best network path for a given application. Effectively load-balance across paths while delivering ideal application-level SLAs.
  •   Limited: Supports basic routing metrics and load balancing.
  •   Limited: Huawei offers basic policy-based routing, which is static routing policy per application. The technology is not based on an application-level SLA.
  •   Limited: Support varies from basic link monitoring to more advanced, per-application class-level monitoring.
Enhanced application experience
  •   Cisco’s software- and hardware-integrated solution offers bandwidth optimization, application acceleration, and intelligent caching.
  •   Limited: Supports TCP Fast Open and Data Redundancy Elimination and LZ compression for general TCP optimization only. Lacks granular application.
  •   Limited: Requires extra hardware. Does not support intelligent caching or WAN acceleration.
  •   Limited: Requires third-party integration for most SD-WAN vendors.
Seamless cloud extension
  •   Extend the WAN to any private and public cloud. Get broad hypervisor and cloud support, seamless network extension and mobility, and advanced cloud security features.
  •   Supported by most vendors but not all.
Last-mile network resiliency
  •   Provide primary connectivity or backup communications. Cisco Advanced LTE Category 6 support offers network resiliency for business continuity up to 150 times faster and with far lower latency than 3G links offer.

Agility

SDN controller and apps
Single enterprise network SDN controller for policy-based automation for access; WAN; and campus switching, routing, and wireless.
  •   Get software-defined networking for the enterprise branch, campus, and WAN. A simple user interface and plug-and-play protocols automate policy-based application profiles.
  •   Limited
Open and programmable
  •   Cisco offers NETCONF and YANG support across branch, WAN, and cloud platforms.
  •   Limited: Certain router models do not support NETCONF/YANG.
Pay-as-you-grow services
  •   Performance license upgrades add dedicated compute and storage resources for additional services.
  •   Limited: Basic VM capability in high-end routers but no advanced network services. Huawei offers basic VoIP modules and content caching. Huawei routers support modular software upgrades but do not offer systemwide in-service upgrades.
  •   Limited: Most vendors require third-party integrations.
Software licensing packages
  •   Cisco ONE Software suites make software buying simple. Instead of choosing from hundreds of separately priced software features, you purchase one software product, for predictable OpEx.
  •   Ties software licensing to the chassis. HPE offers no portability or investment protection with access to ongoing innovation.
  •   Offers perpetual software licenses for basic and advanced feature sets, and on a per-device basis. Huawei does not offer license portability.
  •   Most SD-WAN vendors offer subscription-based services with high recurring costs.

Advanced Security

Advanced branch threat defense
  •   Cisco’s converged branch platform integrates real-time contextual awareness, security automation, and industry-leading threat prevention, malware protection, EAL4-certified perimeter defense, and web security.
  •   Limited: Offers access-control lists, stateful firewall, and Network Address Translation only.
  •   Only supports basic access-control lists for filtering and encryption capability. AR routers lack sophisticated security protection such as web security, threat prevention, or malware protection.
  •   Limited: Usually require third-party integration.
End-to-end secure architecture
  •   Site-to-site and remote-access VPN technologies, DMVPN, GET VPN, FlexVPN, and SSL VPN help protect sensitive enterprise communications. NIST-approved, line-rate encryption secures data in motion.
  •   Limited
  •   Limited: When an AR-series router uses encryption, it incurs a massive performance impact. Huawei does not publish its secure development lifecycle and trustworthy system.
  •   Limited: All offer IPsec VPN but are not U.S. government FIPS 140-2 certified.
Real-time threat intelligence
  •   Cloud-delivered, integrated security service for Cisco branch routers, providing protection against malware, botnets, phishing, and targeted online attacks at the DNS layer.
  •   Limited
Network as sensor and enforcer
  •   Comprehensive network visibility with behavioral-based analytics enables faster anomaly detection and deeper forensics of internal and external threats.
  •   Offers sample-based network application visibility through sFlow, which is not sufficient as a security network sensor.
  •   Offers sample-based network application visibility, which is not sufficient as a security network sensor. Does not offer a security enforcer tool based on the NetStream flow information.
Trustworthy systems
  •   Secure development lifecycle is published and verifiable. Products have trust anchors, secure boot, and runtime prevention. Software is digitally signed.

Virtualization

Enterprise Network Functions Virtualization
  •   Simplify operations and deployment of virtual routing, security, and application services.
  •   Limited: Huawei offers up to 8 VMs or VNFs, but it uses basic supervisor hardware. Its capability is limited to the chassis.
  •   Most vendors support VNF only. Some also support NFVIS or VNF hosting.
Native application hosting
  •   Automate workflows, configuration, and operation of lightweight network functions or third-party tools natively on our IOS XE operating system.
  •   Open application platform.
  •   Limited: The router OS, called VRP, does not offer native integration with a third-party tool or application unless it uses another VM.
  •   Limited: Some vendors support integrated, third-party VNF support.
Integrated compute and storage
  •   Includes local compute and storage resources for applications, network functions or services, data backup, and analytics.
  •   Limited: Local compute and storage resources are offered in a main supervisor module, which is not replaceable or upgradable.

Updated January 2019, based on public information.
