Cisco Software-Defined WAN (SD-WAN) FAQ

Updated: November 2, 2021

Overview

Q.  What is the Cisco® SD-WAN solution?
A.  Traditional Wide-Area Networks (WANs), where the majority of branch office traffic flows within an enterprise’s intranet boundary, have been designed using Multiprotocol Label Switching (MPLS) for connectivity. However, new cloud applications such as Microsoft Office 365 and Salesforce.com, and public cloud services such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure are changing traffic patterns. Today, the majority of enterprise traffic flows to public clouds and the internet. This change creates new requirements for security, application performance, cloud connectivity, WAN management, and operations.
Cisco SD-WAN is a cloud-delivered overlay WAN architecture connecting branches to data center and multicloud environments through a single fabric. Cisco SD-WAN helps ensure a predictable user experience for applications; optimizes Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) connections; and offers integrated security either on-premises or in the cloud. Its analytics capabilities deliver the visibility and insights necessary to isolate and resolve issues promptly and deliver intelligent data analysis for planning and what-if scenarios. Above all, Cisco SD-WAN is simple to operate.

      Predictable application experience: Increase user productivity by optimizing cloud and on-premises application performance with real-time analytics, visibility, and control.

      Right security, right place: Protect users, devices, and applications by deploying a cloud-delivered Secure Access Service Edge (SASE) or on-premises model, depending on the business requirements and compliance needs of the enterprise.

      Simplicity at enterprise scale: Centralize cloud management to make it easy to deploy SD-WAN and security while maintaining policy across thousands of sites.

Q.  What problems does the Cisco SD-WAN solution help solve?
A.  The Cisco SD-WAN solution solves many critical enterprise IT problems, including:

      Establishing a transport-independent WAN for lower cost and higher diversity.

      Meeting Service-Level Agreements (SLAs) for business-critical and real-time applications on-premises and in the cloud.

      Providing complete security from branch to SaaS and internet.

      Enabling secure multicloud transformation for enterprises.

      Providing centralized management, analytics, and policy across the global WAN.

      Providing multitenancy for flexibility, security, and platform efficiency.

Q.  Who has deployed the Cisco SD-WAN solution?
A.  Cisco has one of the most widely deployed enterprise-grade SD-WAN solutions in the industry, with large deployments in many sectors in both enterprise and managed service provider infrastructures. The solution is deployed across Fortune 2000 companies and 70% of Fortune 100 enterprises, with thousands of production sites in every major industry, including healthcare, manufacturing, retail, energy, oil and gas, insurance, finance, government, logistics, distribution, and more.

Deploy and manage

Q.  How do you manage and operate Cisco SD-WAN?
A.  Cisco SD-WAN is a centrally managed, orchestrated, and operated solution with a cloud-hosted Cisco GUI management console and provisioning platform, SD-WAN controller, and orchestration layer at the heart of the solution.
Cisco SD-WAN controllers are the centralized brain of the solution; they implement policies and connectivity between SD-WAN branches. The centralized policy engine in Cisco controllers provides policy constructs to manipulate routing information, access control, segmentation, extranets, and service chaining.
The entire solution is managed with Cisco vManage. vManage lets IT managers and network operators centrally automate the configuration, management, and operation of the entire SD-WAN fabric, all in a highly visualized and intuitive user experience.
vManage offers an enhanced visualized experience that lets network operators quickly deploy, manage, and automate the network and devices across the entire SD-WAN fabric:

      Highly visualized and intuitive interface for easy consumption.

      Pre-configured templates automate and expedite the deployment of most common use cases.

      Guided step-by-step configuration designed to intelligently expedite onboarding of new devices.

      Consistent user experience across Cisco solutions (Cisco DNA).

Q.  How is Cisco SD-WAN deployed at branch offices and data center networks or regional hubs?
A.  Branch office and regional data center hub sites can be deployed and connected using either virtual or physical secure routers.
Enterprise customers and service providers can gain rich services such as WAN optimization and firewall or basic WAN connectivity for physical or virtual platforms across the branch, WAN, or cloud as follows:
Physical

      Branch: Cisco IOS® XE and Viptela OS-based devices.

      Branch: Cisco Catalyst® 8300 Series Edge Platforms and Cisco 1000, 1100, or 4000 Series Integrated Services Routers (ISR).

      Branch, regional hub, or data center: Cisco Catalyst 8500 Series Edge Platforms and Cisco ASR 1000 Series Aggregation Services Routers (ASR).

Virtual

      SD-Branch: Cisco 5000 Series Enterprise Network Compute System (ENCS) and Integrated Services Virtual Router (ISRv).

      Network hub, colocation facility, or data center: Cisco Cloud Services Platform 5000, Catalyst 8000V Edge Software, and Cloud Services Router (CSR) 1000V Series.

Public cloud (IaaS)

      Amazon Web Services.

      Microsoft Azure.

      Google Cloud Platform.

Security

Q.  What are the SD-WAN security features?
A.  Cisco SD-WAN builds on the Secure Access Service Edge (SASE) architecture. WAN security and features today must be distributed, cloud-based, flexible, and agile. Cisco SD-WAN is the industry’s first fully integrated SASE offering that combines best-in-class SD-WAN with the cloud-based Cisco Umbrella® or on-premises security portfolio. Both security architectures provide full protection for enterprises connecting to cloud and internet applications. These security features are:

      Enterprise firewall: Granular policy and control of thousands of applications.

      Secure web gateway: Full protection against all kinds of web-based attacks, including SSL inspection.

      DNS layer security and URL filtering: Stops threats at the earliest point, significantly reducing incidents.

      Intrusion Prevention System (IPS): A built-in IPS within an on-premises enterprise firewall based on Snort® and powered by Talos®.

      Cloud Access Security Broker (CASB): Protection against account compromises, breaches, and other major risks in the cloud application ecosystem.

      Malware protection: An extended security feature across both on-premises and cloud security that uses Cisco AMP and Secure Malware Analytics to prevent and detect malicious files with sandboxing.

To learn more about SASE, see the What Is SASE? page.
Q.  How is Cisco SD-WAN integrated with Cisco Umbrella cloud security?
A.  Cisco SD-WAN provides complete integration with Cisco Umbrella cloud security. Using Cisco vManage, automatic registration and setup of tunnels to the Cisco Umbrella cloud can be executed within a few minutes, so that the enterprise is completely protected.
Q.  Why does device and firmware security matter in Cisco SD-WAN?
A.  Firmware attacks on infrastructure have increased in frequency, severity, and costs, not just for public entities but also for enterprises and small businesses. These attacks are quiet, pervasive, and devastating, like many of the latest and most notable hacks. Cisco SD-WAN edge platforms and routers provide an extra layer of security via an advanced Trust Anchor, so that you can remotely activate, change, and control your SD-WAN platforms while remaining secure.
Q.  Does the Cisco SD-WAN solution support network segmentation, and what are the benefits?
A.  Yes, the Cisco SD-WAN solution supports network micro-segmentation and identity-based policy management across Cisco Software-Defined Access (SD-Access) and non-SD-Access branches. Micro-segmentation provides secure logical isolation on the SD-WAN network, where each segment is defined as a separate VPN and controlled centrally by access control policies. Some of the benefits of segmentation include:

      Security is increased by isolating your network from outside attackers and creating secure separation within multiple application segments.

      Acquisitions can be integrated on the parent network and yet kept separate. Policies control what applications the acquired company can access.

      Guest Wi-Fi can be maintained on a separate, low-priority segment and offloaded onto the internet at the closest exit points.

      Business partners can each be defined in a separate segment or in a collective business-partner network segment. Policies control business partners’ access to data center applications.

      A single pane of glass helps organizations to avoid complex configurations and frequent policy changes that lead to an uneven user experience, thereby increasing overall network efficiency and reliability.

For more information, see the Segmentation (VPN) Overview.
Q.  What are the SD-WAN security capabilities, and which platforms support SD-WAN security?
A.  Cisco SD-WAN security capabilities include an application-aware enterprise firewall, intrusion prevention, DNS layer enforcement (Cisco Umbrella), and URL filtering. Cisco SD-WAN reduces complexity by having a single management interface (vManage) for both the network and security.
Platform support for SD-WAN security is as follows:

Table 1. SD-WAN security highlights

| Platform | Enterprise firewall | Enterprise firewall application awareness | IPS | URL filtering | AMP and Secure Malware Analytics | Full cloud security with Cisco Umbrella |
|---|---|---|---|---|---|---|
| Cisco 1000 Series ISRs | Yes | Deep Packet Inspection (DPI) using Qosmos | X | X | N/A | Yes |
| Cisco CSR 1000V | Yes | Yes | Yes | Yes | Yes | Yes |
| Catalyst 8000V Edge Software | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco ISRv, 5000 Series ENCS | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco Catalyst 8300 | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco 4000 ISRs | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco 1111X-8P ISR | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco 1111-4P, 1111-8P, 1116-4P, and 1117-4P ISRs (ISR 1000) | Yes | Yes | X | X | X | Yes |
| Cisco Catalyst 8500 | Yes | Yes | X | X | X | Yes |
| Cisco ASR 1000 Series | Yes | Yes | X | X | X | Yes |

Q.  Can the Cisco SD-WAN solution provide insight into threats in encrypted traffic, without the need for decryption?
A.  Encrypted Traffic Analytics (ETA) for the Cisco SD-WAN solution is not currently supported but is planned to be introduced in the future. For more information on ETA, see https://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-networksecurity/eta.html.

Application visibility

Q.  How does a lack of application visibility impact overall IT operations?
A.  Applications and users are more distributed than ever, and the internet has effectively become the new enterprise WAN. As organizations continue to embrace internet, cloud, and SaaS, network and IT teams are challenged to deliver consistent and reliable connectivity and application performance over networks and services they don’t own or directly control.
Network teams often carry the burden of proving the network innocent when something goes wrong. Application issues might manifest as network issues. Finger pointing and wasted cycles searching for the source issues can lead to prolonged service disruptions that ultimately damage the revenue and reputation of the business.
Q.  How does Cisco SD-WAN deliver greater application visibility?
A.  Cisco SD-WAN is fully integrated with Cisco ThousandEyes in a turnkey solution that enables greater visibility for IT operators to drive optimal digital experience across the internet, cloud, and SaaS. With this turnkey solution, you can:

      Gain hop-by-hop visibility into network underlay, including detailed path and performance metrics.

      Measure and proactively monitor SD-WAN overlay performance and routing policy validation.

      Determine the reachability and performance of SaaS and internally owned applications.

      Establish network and application performance baselines across global regions before, during, and after deployment of SD-WAN to mitigate risk and establish/validate Key Performance Indicators (KPIs).

Q.  What are the benefits of this expanded visibility?
A.  With Cisco SD-WAN and ThousandEyes, IT managers can rapidly pinpoint the root cause of application and network disruptions, provide actionable insights, and accelerate resolution time.

      Lower Mean Time To Identification (MTTI) of issues: Fast root cause isolation and intuitive, easy-to-understand visualization of the entire service delivery chain.

      Eliminate wasteful finger-pointing: Correlated visibility across the application, hop-by-hop network path, underlay and overlay performance and internet routing to immediately isolate issues to the right problem domain (network or application) and responsible party (internal team or external service).

      Enable effective escalation: Concrete proof to successfully escalate issues to providers and effectively manage Operational Level Agreements (OLAs) and SLAs.

Q.  What is Cisco ThousandEyes?
A.  Cisco ThousandEyes enables enterprises that are increasingly dependent on internet, cloud, and SaaS to see, understand, and improve digital experiences for customers and employees. Its end-to-end visibility from any user to any application over any network enables enterprises to quickly pinpoint the source of issues, get to resolution faster, and measure and manage the performance of what matters.
ThousandEyes collects multilayer telemetry data from vantage points distributed throughout the internet, as well as in enterprise data centers and cloud, branch, and campus environments, providing detailed metrics on conditions between those vantage points and applications and services distributed throughout the globe. The result is insight into application experience and every underlying dependency, whether network, service, or application related.
For more information, see https://www.thousandeyes.com.
Q.  How is Cisco SD-WAN integrated with ThousandEyes?
A.  Cisco SD-WAN is the only SD-WAN solution with turnkey ThousandEyes vantage points. This solution supports eligible routers from the Cisco Catalyst 8200 and 8300 Series along with 4000 Series ISRs. Existing customers can expedite the deployment of ThousandEyes agents with the vManage integration and enable faster time to value for their IT operators.
Q.  How is ThousandEyes ordered?
A.  Customers can leverage an existing ThousandEyes subscription with eligible Cisco Catalyst 8200 and 8300 Series platforms and 4000 Series ISRs.

      Existing ThousandEyes customers can use their available ThousandEyes license and units toward new tests.

      New ThousandEyes customers will need to purchase a ThousandEyes license to activate the ThousandEyes agents.

Multicloud

Q.  Can the Cisco SD-WAN solution provide automated connectivity and optimization for IaaS and SaaS platforms such as AWS, Microsoft Azure and Office 365, Google Cloud, Salesforce.com, Cisco Webex®, etc.?
A.  The Cisco SD-WAN fabric connects users at the branch through internet, through interconnect providers, or even via colocation environments to applications in the cloud in a seamless, secure, and automated fashion. Cisco delivers this comprehensive capability for IaaS and SaaS applications with Cisco SD-WAN Cloud OnRamp, which is currently available with Cisco IOS XE SD-WAN or Viptela OS platform SD-WAN solutions.
With Cloud OnRamp, the Cisco SD-WAN fabric continuously measures the performance of a designated application through all permissible paths from a branch (MPLS, internet, 4G LTE, etc.). The SD-WAN fabric automatically makes real-time decisions to choose the best-performing path between the end users at a remote branch and the cloud application. Enterprises and service providers have the flexibility to deploy this capability in multiple ways and according to business needs and security requirements.

Positioning

Q.  What is the difference between Cisco SD-WAN and Cisco Meraki® SD-WAN?
A.  Cisco SD-WAN can help your business no matter its size with a variety of deployment options. For lean IT operations, Cisco SD-WAN powered by Meraki is preferred, and for full-featured, sophisticated deployments, Cisco SD-WAN powered by Viptela is preferred.

      Lean IT: Deploy Cisco SD-WAN powered by the Meraki MX unified threat management hardware, and enjoy a unified, secure SD-WAN for businesses with lean IT teams.

      Branches and campuses: With both physical and virtual options, you can deploy Cisco SD-WAN on Cisco vEdge, Catalyst 8000V, CSR 1000V, Catalyst 8300 Series, 1000 and 4000 Series ISRs, or with Network Functions Virtualization (NFV) using Cisco SD-Branch with the ISRv on the 5000 Series ENCS and Cisco UCS® E-Series platforms.

      Headquarters, data center, and colocation: With physical or virtual options, deploy Cisco SD-WAN on Catalyst 8500 Series, ASR 1000 Series, or with NFV and network hub solutions on the Cloud Services Platform 5000.

Ordering and licensing

Q.  How is the Cisco SD-WAN solution ordered?
A.  Cisco SD-WAN software is included with each vEdge routing device and platform and can be enabled on some Cisco 1000 and 4000 Series ISRs, Catalyst 8300 and 8500 Series, ASR 1000 Series, the ISRv on the 5000 Series ENCS, and the Catalyst 8000V or CSR 1000V on the Cloud Services Platform 5000 Series with the latest Cisco IOS XE software. For a list of SD-WAN-capable Cisco IOS XE platforms, see the SD-WAN Release Notes.
Each device requires a subscription license (3 or 5 years) for Cisco SD-WAN software. The license fee is charged per branch device and is dependent on service bandwidth and feature content, with a single set of software licenses that includes security and access to ongoing innovation and the latest threat intelligence. License bundles include:

      Cisco DNA Essentials: Includes basic connectivity, security, and application visibility.

      Cisco DNA Advantage: Includes everything in Cisco DNA Essentials plus application optimization, multicloud, on-premises security, etc.

      Cisco DNA Premier (replaces Cisco ONE®): Includes everything in Cisco DNA Essentials and Cisco DNA Advantage plus the Cisco Umbrella SIG Essentials package.

The subscription price of SD-WAN software includes cloud-hosted vManage, vSmart, and vBond devices, 24-hour daily Cisco SD-WAN support, next-day hardware replacement for Cisco SD-WAN platforms, software upgrades on all components, and the cost of hosting Cisco SD-WAN controllers in the Cisco SD-WAN cloud.
Q.  Are the Cisco DNA subscription licenses portable and able to be moved to another hardware platform?
A.  Yes, the Cisco DNA software licenses can be moved across routing platforms, including 1000 and 4000 Series ISRs, Catalyst 8300 and 8500 Series, ASR 1000 Series, 5000 Series ENCS, and Cisco vEdge routers. With software portability you have investment protection for your licenses, regardless of which Cisco routing platform you choose now or upgrade to in the future.

Multitenancy

Q.  Does the Cisco SD-WAN solution support multitenancy?
A.  Yes, a service provider can manage multiple customers, called tenants, from vManage running in multitenant mode. All tenants share a single vBond orchestrator. All tenants share the service provider’s domain name, with each tenant having a subdomain name to identify the tenant. For example, the service provider fruit.com might manage the tenants mango (mango.fruit.com) and plum (plum.fruit.com). For each tenant, you configure one or more vSmart controllers and edge platforms in the same way that you configure these devices on a single-tenant vManage Network Management System (NMS). Enterprise customers may also choose to implement multitenancy to ensure separation and security of organizations and their data.

Programmability

Q.  Is Cisco’s SD-WAN solution programmable, and does it support APIs?
A.  Yes, the Cisco SD-WAN solution is open and programmable, with open APIs. Cisco SD-WAN provides service providers and partners the opportunity to create new and unique services, including operational and business support systems. With Cisco SD-WAN you can access the available Representational State Transfer (REST) APIs, create API calls, obtain device and interface information using code, pass parameters and write applications, and work on innovative solutions.
As part of the SD-WAN developer resources and learning content, there are two additional resources that are great value-added services for developers:
DevNet Ecosystem Exchange makes it easy to find and share an application or solution built for Cisco platforms. Business leaders and developers alike can use this online portal to discover partner solutions that span all Cisco platforms and products. Currently, this central repository for developers contains over 1300 solutions.
DevNet Code Exchange gives developers a place to access and share software to quickly build next-generation applications and workflow integrations. It offers a curated list of sample code, adapters, tools, and SDKs available on GitHub and written by Cisco and the DevNet community. Code Exchange spans Cisco’s entire portfolio and is organized according to Cisco platform and product areas.
For more information, see the SD-WAN Developer Center at https://developer.cisco.com/sdwan.

Services and resources

Q.  Are any services available to support my SD-WAN solution?
A.  Regardless of where you are in your journey, Cisco Services offers a full lifecycle of services to support your transition. Our portfolio allows you to create a roadmap for success, speed deployment, and maximize network performance, security, uptime, and efficiency. Cisco experts will help you build your in-house IT expertise and effectively migrate and manage your SD-WAN solution to achieve high service levels at lower costs.
Q.  Where can I find more information on Cisco SD-WAN?
A.  For more information about Cisco SD-WAN, visit https://www.cisco.com/go/sdwan.
Q.  What voice and application optimization features does Cisco SD-WAN support?
A.   

      Cisco has the only SD-WAN solution with fully integrated unified communications support.

      On voice optimization, Cisco SD-WAN supports Forward Error Correction (FEC) and packet duplication.

      On internet optimization, Cisco SD-WAN supports TCP optimization.

      For on-premises applications, Cisco SD-WAN supports SLA-based dynamic routing based on real-time network telemetry.

      For SaaS applications, Cisco provides dynamic routing based on cloud and internet telemetry.