SD-WAN Vendors Comparison Chart

How Cisco stacks up to the SD-WAN competition

See how Cisco outperforms VMware, Palo Alto Networks, Fortinet, and others. With innovations in software-defined networking, NFV, and integrated security, Cisco offers a more extensive solution and provides a foundation for intent-based networking. 

SD-WAN

Cisco

VMware

Fortinet

Silver Peak

Versa

Palo Alto Networks (Prisma SD-WAN)

Palo Alto Networks (PAN-OS NGFW)

Expand all

Networking

Supports traditional routing & SD-WAN on the same platformComprehensive traditional routing services. Smooth migration with features relevant to SD-WAN on the same platform. Unified image common across traditional routing and SD-WAN.No investment protection for smoother migration in relation to SD-WAN on same platform. Limited traditional routing feature set.Enabling SD-WAN does not require adding to, or changing, existing infrastructure.No investment protection for smoother migration in relation to SD-WAN on same platform. Limited traditional routing feature set.Requires adding new hardware to use SD-WAN.Enabling SD-WAN does not require adding to, or changing, existing infrastructure. Limited traditional routing feature set.Smooth migration to SD-WAN on the same platform. Complete traditional routing services available.
Comprehensive traditional routing services. Smooth migration with features relevant to SD-WAN on the same platform. Unified image common across traditional routing and SD-WAN.No investment protection for smoother migration in relation to SD-WAN on same platform. Limited traditional routing feature set.Enabling SD-WAN does not require adding to, or changing, existing infrastructure.No investment protection for smoother migration in relation to SD-WAN on same platform. Limited traditional routing feature set.Requires adding new hardware to use SD-WAN.Enabling SD-WAN does not require adding to, or changing, existing infrastructure. Limited traditional routing feature set.Smooth migration to SD-WAN on the same platform. Complete traditional routing services available.
Core, edge, and cloud SD-WANAppliances built to service core, edge, and cloud locations. Wide range of form factors with physical and virtual offerings. Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.
Appliances built to service core, edge, and cloud locations. Wide range of form factors with physical and virtual offerings. Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.Appliances built to service core, edge, and cloud locations.
Purpose-built SD-WAN ArchitectureDedicated control, data, and management plane components for scalability and performance, offering an SDN-compliant architecture. Flexibility of matching architecture to business Intent. Cloud-hosted deployment managed by Cisco Cloud Ops team.Integrated control and data plane components limit flexibility.Legacy firewall-based architecture.Legacy combined control and data plane architecture.Dedicated control, data, and management plane components.Integrated control and data plane components limit flexibility.Integrated control and data plane components limit flexibility.
Dedicated control, data, and management plane components for scalability and performance, offering an SDN-compliant architecture. Flexibility of matching architecture to business Intent. Cloud-hosted deployment managed by Cisco Cloud Ops team.Integrated control and data plane components limit flexibility.Legacy firewall-based architecture.Legacy combined control and data plane architecture.Dedicated control, data, and management plane components.Integrated control and data plane components limit flexibility.Integrated control and data plane components limit flexibility.
True zero-touch provisioningMutually authenticated, multi-factor authentication with zero-touch provisioning for all components. One touch provisioning for air-gapped networks and MSPs.Requires additional authentication steps to provision.Multiple touch points to enable ZTP process. As it is based on Firewall enabling SD-WAN, it requires manual policy configurations.EdgeConnect devices are preconfigured, however requires additional authentication steps to provision.Multiple touch points.The ION devices are pre-configured to authenticate to the portal and support zero-touch provisioning and deployment.Requires additional authentication steps to provision.
Mutually authenticated, multi-factor authentication with zero-touch provisioning for all components. One touch provisioning for air-gapped networks and MSPs.Requires additional authentication steps to provision.Multiple touch points to enable ZTP process. As it is based on Firewall enabling SD-WAN, it requires manual policy configurations.EdgeConnect devices are preconfigured, however requires additional authentication steps to provision.Multiple touch points.The ION devices are pre-configured to authenticate to the portal and support zero-touch provisioning and deployment.Requires additional authentication steps to provision.
Active-active dual router SD-WAN topologyAllows for active-active networking to provide higher throughput and greater reliability. Capability to horizontally scale with easy-to-use features.Does not support active-active connections.Additional WAN switch required, which creates dependencies.Allows for active-active networking but requires an additional switch, which creates dependencies.Does not support active-active connections.Does not support active-active connections.Supports active-active connections.
Allows for active-active networking to provide higher throughput and greater reliability. Capability to horizontally scale with easy-to-use features.Does not support active-active connections.Additional WAN switch required, which creates dependencies.Allows for active-active networking but requires an additional switch, which creates dependencies.Does not support active-active connections.Does not support active-active connections.Supports active-active connections.
Advanced routing protocols for brownfield integrationsExtends advanced routing intelligence, such as EIGRP, OSPF, RIP, and BGP, into cloud environments, allowing for faster, more reliable connectivity to cloud workloads. Supported with dual stack. Capability to also do underlay/overlay routing. Flexible policy and attribute support for easy routing manipulation.Advanced routing protocols such as BGP, OSPF supported but does not provide the most efficient path selection. Advanced routing protocols such as BGP, OSPF supported but does not provide the most efficient path selection. Supports advanced routing protocols like BGP but lacks advanced routing support for protocols such as OSPF.Supports advanced routing protocols, including BGP and OSPF.Supports advanced routing protocols, such as BGP, but lacks support for protocols such as OSPF.Supports advanced routing protocols, including BGP and OSPF, but does not provide the most efficient path selection.
Extends advanced routing intelligence, such as EIGRP, OSPF, RIP, and BGP, into cloud environments, allowing for faster, more reliable connectivity to cloud workloads. Supported with dual stack. Capability to also do underlay/overlay routing. Flexible policy and attribute support for easy routing manipulation.Advanced routing protocols such as BGP, OSPF supported but does not provide the most efficient path selection. Advanced routing protocols such as BGP, OSPF supported but does not provide the most efficient path selection. Supports advanced routing protocols like BGP but lacks advanced routing support for protocols such as OSPF.Supports advanced routing protocols, including BGP and OSPF.Supports advanced routing protocols, such as BGP, but lacks support for protocols such as OSPF.Supports advanced routing protocols, including BGP and OSPF, but does not provide the most efficient path selection.
Extensible Policy FrameworkDynamic path selection automatically steers critical applications around network problems. Microsegmentation and identity-based policy management drive consistent multidomain policy enforcement for a uniform user experience.Policy could be passed in the form of per-device profiles but would be limited in terms of traffic engineering for data plane.Policies for SD-WAN and firewall are managed separately, creating complexities in terms of traffic engineering and passing down centralized control and data plane policies.Policies can be created and reused from business intent perspective, but limitations exist in microsegmentation and multidomain policy enforcement.Has the ability to traffic-engineer based on application-aware policy, but limitations exist in multidomain policy enforcement.Has the ability to traffic-engineer based on application-aware policy, but limitations exist in microsegmentation capabilities and multidomain policy enforcement.Has the ability to traffic-engineer based on routing attributes, security policy, and application policy, but limitations exist in multidomain policy enforcement.
Dynamic path selection automatically steers critical applications around network problems. Microsegmentation and identity-based policy management drive consistent multidomain policy enforcement for a uniform user experience.Policy could be passed in the form of per-device profiles but would be limited in terms of traffic engineering for data plane.Policies for SD-WAN and firewall are managed separately, creating complexities in terms of traffic engineering and passing down centralized control and data plane policies.Policies can be created and reused from business intent perspective, but limitations exist in microsegmentation and multidomain policy enforcement.Has the ability to traffic-engineer based on application-aware policy, but limitations exist in multidomain policy enforcement.Has the ability to traffic-engineer based on application-aware policy, but limitations exist in microsegmentation capabilities and multidomain policy enforcement.Has the ability to traffic-engineer based on routing attributes, security policy, and application policy, but limitations exist in multidomain policy enforcement.
Complete SD-WAN/SASE IntegrationAutomated registration and creation for IPsec tunnels to Umbrella Secure Internet Gateway (SIG) with guided workflows on vManage. Complete integration with Cisco AnyConnect, Cisco Duo, etc.Workflows to SIG vendors with native SIG offering still a work in progress.No guided workflows for SIG integrations.No support for autoregistration or creation of IPsec tunnels for SASE, because they rely on third-party integrations.Support for complete SASE integration.Support for complete SASE integration with Prisma SD-WAN and Prisma Access. Complexities in API-based CloudBlades integration. No guided workflows for SIG integration.Support for complete SASE integration with SD-WAN-enabled PAN-OS NGFW and Prisma Access. No guided workflows for SIG integration.
Automated registration and creation for IPsec tunnels to Umbrella Secure Internet Gateway (SIG) with guided workflows on vManage. Complete integration with Cisco AnyConnect, Cisco Duo, etc.Workflows to SIG vendors with native SIG offering still a work in progress.No guided workflows for SIG integrations.No support for autoregistration or creation of IPsec tunnels for SASE, because they rely on third-party integrations.Support for complete SASE integration.Support for complete SASE integration with Prisma SD-WAN and Prisma Access. Complexities in API-based CloudBlades integration. No guided workflows for SIG integration.Support for complete SASE integration with SD-WAN-enabled PAN-OS NGFW and Prisma Access. No guided workflows for SIG integration.
WAN optimizationProvides WAN optimization services including TCP optimization, data redundancy elimination, FEC, and packet duplication.Provides limited WAN optimization services, including FEC. Provides limited WAN optimization services, including FEC. Provides WAN optimization services including TCP optimization, data redundancy elimination, and FEC.Provides limited WAN optimization services, including FEC. Does not provide WAN optimization services. Provides limited WAN optimization services, including TCP optimization, packet duplication, and FEC.
Provides WAN optimization services including TCP optimization, data redundancy elimination, FEC, and packet duplication.Provides limited WAN optimization services, including FEC. Provides limited WAN optimization services, including FEC. Provides WAN optimization services including TCP optimization, data redundancy elimination, and FEC.Provides limited WAN optimization services, including FEC. Does not provide WAN optimization services. Provides limited WAN optimization services, including TCP optimization, packet duplication, and FEC.

Security

Remote Office Branch Office On-prem security servicesFully integrated UTM security capabilities in vManage, including enterprise firewall with application awareness, Snort IPS, URL filtering, AMP File Analysis, threat grid sandboxing, Cisco Umbrella DNS security, SSL and Talos threat intelligence.Basic stateful firewall.Integrated NGFW features with IPS/IDS/ApplicationControl/AMP capabilities.Lacks security integrations in the SD-WAN console.Integrated NGFW features with IPS/IDS/ApplicationControl/AMP capabilities.Only offers basic zone-based firewall. No integrated security features such as IPS/IDS/AMP/URL filtering.Integrated NGFW features with IPS/IDS/application control/AMP/URL filtering/DNS Security capabilities. Requires additional licensing.
Fully integrated UTM security capabilities in vManage, including enterprise firewall with application awareness, Snort IPS, URL filtering, AMP File Analysis, threat grid sandboxing, Cisco Umbrella DNS security, SSL and Talos threat intelligence.Basic stateful firewall.Integrated NGFW features with IPS/IDS/ApplicationControl/AMP capabilities.Lacks security integrations in the SD-WAN console.Integrated NGFW features with IPS/IDS/ApplicationControl/AMP capabilities.Only offers basic zone-based firewall. No integrated security features such as IPS/IDS/AMP/URL filtering.Integrated NGFW features with IPS/IDS/application control/AMP/URL filtering/DNS Security capabilities. Requires additional licensing.
Custom SiliconCustom silicon root of trust in hardware provides embedded defense against foundational attacks and back doors. The Cisco vEdge Routers have a factory-installed Trusted Platform Module (TPM) chip with a signed certificate. This built-in security helps ensure automated, foolproof authentication of any new Cisco vEdge Routers joining the network and is a major advantage when deploying tens of thousands of endpoints. Commercial off-the-shelf hardware with embedded defense unknown.Custom silicon with embedded defense unknown.Commercial off-the-shelf hardware with trustworthy solution unknown.Commercial off-the-shelf hardware with trustworthy solution unknown.Commercial off-the-shelf hardware with trustworthy solution unknown.Commercial off-the-shelf hardware with trustworthy solution unknown.
Custom silicon root of trust in hardware provides embedded defense against foundational attacks and back doors. The Cisco vEdge Routers have a factory-installed Trusted Platform Module (TPM) chip with a signed certificate. This built-in security helps ensure automated, foolproof authentication of any new Cisco vEdge Routers joining the network and is a major advantage when deploying tens of thousands of endpoints. Commercial off-the-shelf hardware with embedded defense unknown.Custom silicon with embedded defense unknown.Commercial off-the-shelf hardware with trustworthy solution unknown.Commercial off-the-shelf hardware with trustworthy solution unknown.Commercial off-the-shelf hardware with trustworthy solution unknown.Commercial off-the-shelf hardware with trustworthy solution unknown.
SegmentationProven, scalable MPLS/VRF-like end-to-end segmentation with support for multi-segment topologies and multi-tenancy support.VRF-based segmentation supported with no dynamic and flexible multi-segment topologies creation.Limited segmentation capabilities with complex VDOMs configurations with no dynamic and flexible multi-segment topologies creation.VRF-style segmentation, but with routing limitations in OSPF and Peer Priority.Proven, scalable MPLS/VRF-like segmentation from Layer 2 to Layer 7.Limited segmentation capabilities.Provides scalable VRF-like segmentation but no flexible multi-segment topologies creation.
Proven, scalable MPLS/VRF-like end-to-end segmentation with support for multi-segment topologies and multi-tenancy support.VRF-based segmentation supported with no dynamic and flexible multi-segment topologies creation.Limited segmentation capabilities with complex VDOMs configurations with no dynamic and flexible multi-segment topologies creation.VRF-style segmentation, but with routing limitations in OSPF and Peer Priority.Proven, scalable MPLS/VRF-like segmentation from Layer 2 to Layer 7.Limited segmentation capabilities.Provides scalable VRF-like segmentation but no flexible multi-segment topologies creation.
Encrypted traffic analysisCan detect malware by matching encrypted SHA patterns without decryption.Cannot detect encrypted malware.Not a robust ETA solution across network infrastructure/devices.Cannot detect encrypted malware.Provides TLS/SSL traffic encryption.Cannot detect encrypted malware.Can detect malware by decrypting, inspecting, and controlling inbound and outbound SSL and SSH connections.
Can detect malware by matching encrypted SHA patterns without decryption.Cannot detect encrypted malware.Not a robust ETA solution across network infrastructure/devices.Cannot detect encrypted malware.Provides TLS/SSL traffic encryption.Cannot detect encrypted malware.Can detect malware by decrypting, inspecting, and controlling inbound and outbound SSL and SSH connections.
Threat intelligenceGlobally recognized threat intelligence (TALOS) with the ability to deploy incident response services.No threat intelligence.Provides threat intelligence capabilities.No threat intelligence.Provides threat intelligence and monitoring.No threat intelligence.Provides threat intelligence capabilities as an add-on.
Globally recognized threat intelligence (TALOS) with the ability to deploy incident response services.No threat intelligence.Provides threat intelligence capabilities.No threat intelligence.Provides threat intelligence and monitoring.No threat intelligence.Provides threat intelligence capabilities as an add-on.

Cloud

SaaS ConnectivityTransport independence provides intelligent path selection to leading SaaS applications based on performance metrics and best path selection, such as Office 365, SIG, load-balancing, Cisco Webex, etc. SaaS optimization based on manual application rule creation through DIA broadband paths to colocations.Basic SaaS optimization with manual SLA creation for every application.Transport independence provides intelligent path selection to leading SaaS applications based on performance metrics and best path selection.Basic SaaS optimization with manual SLA creation for every application.Basic SaaS optimization with manual application rule creation for every application.Basic SaaS optimization with manual SLA creation for every application. Needs additional SaaS security platform for advanced SaaS optimization.
Transport independence provides intelligent path selection to leading SaaS applications based on performance metrics and best path selection, such as Office 365, SIG, load-balancing, Cisco Webex, etc. SaaS optimization based on manual application rule creation through DIA broadband paths to colocations.Basic SaaS optimization with manual SLA creation for every application.Transport independence provides intelligent path selection to leading SaaS applications based on performance metrics and best path selection.Basic SaaS optimization with manual SLA creation for every application.Basic SaaS optimization with manual application rule creation for every application.Basic SaaS optimization with manual SLA creation for every application. Needs additional SaaS security platform for advanced SaaS optimization.
IaaS ConnectivityGuided workflows for automated deployment of Cisco SD-WAN Cloud OnRamp for IaaS connectivity.Either manual gateways or shared resources. Automation only with Microsoft Azure vWAN.Manual gateway configuration.Either manual gateways or shared resources.Either manual gateways or shared resources.Manual gateways, shared resources, or complex API integration through CloudBlades.Either manual gateways or shared resources.
Guided workflows for automated deployment of Cisco SD-WAN Cloud OnRamp for IaaS connectivity.Either manual gateways or shared resources. Automation only with Microsoft Azure vWAN.Manual gateway configuration.Either manual gateways or shared resources.Either manual gateways or shared resources.Manual gateways, shared resources, or complex API integration through CloudBlades.Either manual gateways or shared resources.
Colocation-cloud gatewaysSimplified network management with traffic aggregation through colocation hubs to cloud workloads, with guided workflows for automated deployment.Limited colocated aggregation.Limited colocated aggregation.Limited colocated aggregation.Limited colocated aggregation.Limited colocated aggregation.Limited colocated aggregation.
Simplified network management with traffic aggregation through colocation hubs to cloud workloads, with guided workflows for automated deployment.Limited colocated aggregation.Limited colocated aggregation.Limited colocated aggregation.Limited colocated aggregation.Limited colocated aggregation.Limited colocated aggregation.
Multi-Cloud connectivityGuided workflows for automated deployment across various cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).Partnership with Microsoft Azure vWAN. Guided workflows.Limited workflows for multicloud connectivity.Manual deployment across various CSPs.Manual deployment across various CSPs.Manual deployment across various CSPs or through complex CloudBlades API integration.Manual deployment across various CSPs.
Guided workflows for automated deployment across various cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).Partnership with Microsoft Azure vWAN. Guided workflows.Limited workflows for multicloud connectivity.Manual deployment across various CSPs.Manual deployment across various CSPs.Manual deployment across various CSPs or through complex CloudBlades API integration.Manual deployment across various CSPs.

Edge

StorageProvides IoT/OT automation with integrated branch storage and compute. Supported by Cisco Catalyst 8200 Series.VNFs can be deployed on VMware SD-WAN Edge appliances.No edge VNF hosting capabilities.No edge VNF hosting capabilities.VNFs can be deployed on Versa SD-WAN Edge appliances.No edge application-hosting capabilities.No edge application-hosting capabilities.
Provides IoT/OT automation with integrated branch storage and compute. Supported by Cisco Catalyst 8200 Series.VNFs can be deployed on VMware SD-WAN Edge appliances.No edge VNF hosting capabilities.No edge VNF hosting capabilities.VNFs can be deployed on Versa SD-WAN Edge appliances.No edge application-hosting capabilities.No edge application-hosting capabilities.
Multi-Cloud VisibilityVisibility across the internet, the cloud, and SaaS with the native integration of Cisco ThousandEyes on compatible Cisco Catalyst 8200 Series and Cisco Catalyst 8300 Series Edge Platforms.No edge application-hosting capabilities. VNFs can be deployed on VMware SD-WAN Edge appliances.No edge application-hosting capabilities.No edge application-hosting capabilities.No edge application-hosting capabilities. VNFs can be deployed on Versa SD-WAN Edge appliances.Visibility across the internet, the cloud, and SaaS with the native integration of Prisma Access ADEM.Needs integration with Prisma Access for visibility across the internet, the cloud, and SaaS through ADEM, which makes integration highly complex.
Visibility across the internet, the cloud, and SaaS with the native integration of Cisco ThousandEyes on compatible Cisco Catalyst 8200 Series and Cisco Catalyst 8300 Series Edge Platforms.No edge application-hosting capabilities. VNFs can be deployed on VMware SD-WAN Edge appliances.No edge application-hosting capabilities.No edge application-hosting capabilities.No edge application-hosting capabilities. VNFs can be deployed on Versa SD-WAN Edge appliances.Visibility across the internet, the cloud, and SaaS with the native integration of Prisma Access ADEM.Needs integration with Prisma Access for visibility across the internet, the cloud, and SaaS through ADEM, which makes integration highly complex.
Voice integrationCisco Catalyst 8000 Edge Platforms offer rich voice services in SD-WAN and traditional IOS XE software feature stacks. Cisco is the only SD-WAN vendor to natively integrate analog/digital IP directly into single CPE. In SD-WAN mode, the Cisco Catalyst 8300 Series also prevents internal and external outages using SRST. The series also continues to support a long list of traditional IOS XE voice use cases. No edge application-hosting capabilities. VNFs can be deployed on VMware SD-WAN Edge appliances.No edge application-hosting capabilities.No native voice integration.No native voice integration.No native voice integration.No native voice integration.
Cisco Catalyst 8000 Edge Platforms offer rich voice services in SD-WAN and traditional IOS XE software feature stacks. Cisco is the only SD-WAN vendor to natively integrate analog/digital IP directly into single CPE. In SD-WAN mode, the Cisco Catalyst 8300 Series also prevents internal and external outages using SRST. The series also continues to support a long list of traditional IOS XE voice use cases. No edge application-hosting capabilities. VNFs can be deployed on VMware SD-WAN Edge appliances.No edge application-hosting capabilities.No native voice integration.No native voice integration.No native voice integration.No native voice integration.
Advanced LTE SolutionsAdvanced cellular capabilities as a transport link supported with deployment flexibility of built-in module, card or external gateway on Cisco Catalyst 8000 Series.Cellular capabilities as a transport link.Cellular capabilities as a transport link.No significant cellular support.No significant cellular support. Cellular support on limited model (CSG1000).Cellular support on limited model (one ION 1200 model).Supports cellular capabilities in 5G-based NGFW.
Advanced cellular capabilities as a transport link supported with deployment flexibility of built-in module, card or external gateway on Cisco Catalyst 8000 Series.Cellular capabilities as a transport link.Cellular capabilities as a transport link.No significant cellular support.No significant cellular support. Cellular support on limited model (CSG1000).Cellular support on limited model (one ION 1200 model).Supports cellular capabilities in 5G-based NGFW.
Industrial SD-WANRuggedized SD-WAN options, for adverse and industrial environments.No ruggedized SD-WAN options.Ruggedized SD-WAN options.No ruggedized SD-WAN options.No ruggedized SD-WAN options.No ruggedized SD-WAN options.Ruggedized SD-WAN options.
Ruggedized SD-WAN options, for adverse and industrial environments.No ruggedized SD-WAN options.Ruggedized SD-WAN options.No ruggedized SD-WAN options.No ruggedized SD-WAN options.No ruggedized SD-WAN options.Ruggedized SD-WAN options.
Wi-Fi /5G-readyUses advanced wireless frequency and protocol technology.Uses advanced wireless frequency and protocol technology.Uses advanced wireless frequency and protocol technology.No advanced wireless capabilities.Uses advanced wireless frequency and protocol technology.No advanced wireless capabilities. Dependence on third parties to enable features.No advanced wireless capabilities. Dependence on third parties to enable features. Does have 5G-ready NGFW hardware.
Uses advanced wireless frequency and protocol technology.Uses advanced wireless frequency and protocol technology.Uses advanced wireless frequency and protocol technology.No advanced wireless capabilities.Uses advanced wireless frequency and protocol technology.No advanced wireless capabilities. Dependence on third parties to enable features.No advanced wireless capabilities. Dependence on third parties to enable features. Does have 5G-ready NGFW hardware.
Data center integration (Common policies across domains)Cross-domain integrations, common QoS policies between Cisco ACI and SD-WAN. Extend TrustSec security group tags (SGTs)/metadata from WAN to campus to data center.Unifies data center policies with edge needs.No data center integration.No data center integration.No data center integration.No cross-domain integration.No cross-domain integration.
Cross-domain integrations, common QoS policies between Cisco ACI and SD-WAN. Extend TrustSec security group tags (SGTs)/metadata from WAN to campus to data center.Unifies data center policies with edge needs.No data center integration.No data center integration.No data center integration.No cross-domain integration.No cross-domain integration.
Micro-segmentationSupports microsegmentation and policy enforcement through scalable group tags for user groups.Minimal Layer 2 microsegmentation and policy enforcement.Minimal Layer 2 microsegmentation and policy enforcement.Supports microsegmentation and policy enforcement through scalable zones.Supports microsegmentation and policy enforcement through scalable zones.No microsegmentation and policy enforcement.Supports microsegmentation and policy enforcement through scalable zones.
Supports microsegmentation and policy enforcement through scalable group tags for user groups.Minimal Layer 2 microsegmentation and policy enforcement.Minimal Layer 2 microsegmentation and policy enforcement.Supports microsegmentation and policy enforcement through scalable zones.Supports microsegmentation and policy enforcement through scalable zones.No microsegmentation and policy enforcement.Supports microsegmentation and policy enforcement through scalable zones.

Updated November 2021, based on public information.