
The 3 SD-WAN Solutions of Cisco

  • Writer: dale warner
  • Feb 24

Updated: Feb 26

In the days of Frame Relay, the letters 'MPLS' were the future. A time when anyone could connect multiple sites together as long as they had dedicated WAN circuits, and the cash to pay for it. Then came VPN tunnels: GETVPN, DMVPN, and FlexConnect.


Today, in the age of broadband internet, SD-WAN stands tall. A badge of honour for any enterprise that has their own SD-WAN solution. Businesses need simplified solutions and WAN connectivity is no different.


Being a Cisco fan boy, I thought I'd cover the 3 (yes 3!) SD-WAN offerings from Cisco, detailing what is required for each and their differences.


Catalyst SD-WAN

Welcome to the world of vBond, vSmart, vManage, and vEdge. This is the boss of the SD-WAN world. The product was formerly Viptela, until Cisco acquired them back in 2017, and there are now more than 48,000 Catalyst SD-WAN deployments worldwide.


The core components are:

  • vEdge Routers - available in physical and virtual forms, these are deployed at branch locations to provide secure connectivity and establish the SD-WAN overlay network.

  • vSmart Controllers - manage the control plane, handling policy enforcement, route distribution, and network orchestration.

  • vManage - centralized management platform that provides a single pane of glass for configuring, monitoring, and troubleshooting the SD-WAN.

  • vBond Orchestrators - automate the initial authentication of the vEdge routers into the SD-WAN fabric.


In essence, Cisco Catalyst SD-WAN empowers organizations to build agile, secure, and high-performing WANs that can adapt to the evolving demands of modern business. This is a comprehensive solution designed to optimise network performance, enhance security, and simplify WAN management.


Secure Firewall Managed via cdFMC

The four components required for this setup:

1) Cisco Secure Firewall Appliance

2) SCC (CDO) base license

3) Firewall SCC (CDO) license

4) Whatever Firewall license you want (IPS, Malware, URL)


Essentially, you're purchasing a Firewall that is managed from a cloud-delivered SaaS instance of Firewall Management Center (cdFMC). Too wordy? Fine, it's a cloud-managed Firewall.


This should excite anyone familiar with FMC, not only because it's a SaaS solution (so a lot of your maintenance time has just been reduced) but for its ease of use. For anyone who knows their HAGLE parameters, setting up a VPN tunnel in FMC is a doddle, and when you consider the SD-WAN features that keep multiplying in each new software update for FMC and FTD, you could very well be seeing this as the norm for your more security-conscious customers.


To get the most out of the SD-WAN features you do need to understand the basics of VPNing and, as with all security tooling (which this technically is), you should also be looking for what additional integrations you can add to your firewalls. For example, Cisco ISE and FMC is a match made in heaven for sharing contextual information.


SCC is so much more as well! There's enough in SCC (Hypershield, Secure Access, AI Defense, Secure Workload, etc.) to fill 3-4 articles on SASE/SSE and a few hands-on videos by itself, all of which could enhance a simple SD-WAN offering.


Cisco are also offering the incredibly powerful 1000 and 1200 series Firewalls that offer amazing throughput speeds at a reduced price point.


| Model    | Throughput: Threat Defense Software | IPS Throughput | Interfaces |
|----------|-------------------------------------|----------------|------------|
| FPR-1010 | 890 Mbps                            | 900 Mbps       | 8 x RJ45 |
| FPR-1120 | 2.3 Gbps                            | 2.6 Gbps       | 8 x RJ45, 4 x SFP |
| FPR-1140 | 3.3 Gbps                            | 3.5 Gbps       | 8 x RJ45, 4 x SFP |
| FPR-1150 | 5.3 Gbps                            | 6.1 Gbps       | 8 x RJ45, 2 x SFP, 2 x 10G SFP+ |
| 1210CE   | 6.0 Gbps                            | 6.0 Gbps       | 8x 1000BASE-T Gigabit Ethernet (10/100/1000 Mbps) |
| 1220CX   | 9.0 Gbps                            | 9.0 Gbps       | 8x 1000BASE-T Gigabit Ethernet (10/100/1000 Mbps), 2x SFP+ 10Gbps Ethernet |


Meraki SD-WAN

Click, click, select, save.


Oh sorry, I was just setting up a site-to-site SD-WAN connection in Meraki. How does it work you ask?... ummmm... magic.


Okay, yes, I'm being facetious. But the term 'Meraki auto VPN' might as well say "Meraki magic, no muggles allowed".


It's as simple as this: buy a Meraki MX security appliance (it's not a firewall), install it, buy another, install that somewhere else, go to the Meraki dashboard, select the two sites under the VPN setting, press save. Hey presto! You have yourself a VPN tunnel.


There's no need to set or even know the HAGLE parameters. Diffie who-man?


There are limitations to be aware of with Meraki auto VPN. Although it achieves an aim and provides SD-WAN capabilities, its VPN functionality to non-Meraki peers is incredibly limited. You are not given access to a wide range of settings, and that is by design. The Meraki by its very nature is for small to medium enterprises, and adding in too much granularity would soon make the dashboard a confused mess of tick-boxes and drop-downs.


Conclusion

SD-WAN is and should be a bespoke decision for your environment and this article is only intended as a starting point for anyone who currently has or likes Cisco.
