Cisco Steps Up Its SD-WAN Game
Cisco’s reseller event, Partner Summit, kicked off on Tuesday, November 13. The highlight of the event was the new branding that revolves around building a bridge (see “The ‘Bridge to Possible,’ Brought to You by Cisco”). As far as news from the event goes, a close number two would be the updates to its SD-WAN solution. The press release on the news highlights how Cisco has brought together SD-WAN and security to address what it’s calling the new “cloud edge” -- but the features go beyond security.
The Cloud Edge
The new cloud edge, as Cisco is calling it, is a byproduct of the traffic patterns of an SD-WAN. With legacy WANs, there was a branch edge where all the traffic backhauled to the data center or other central hub. The Internet edge was located in the data center, so any traffic going from the branch to the Internet had to traverse the WAN, go through the data center, and then on to the Internet.
With an SD-WAN, traffic headed for the cloud goes directly to it, without having to make a pit stop in the enterprise data center. This greatly improves the performance of multi-media apps such as voice and video, as the number of hops is minimized. The cloud edge extends down to the user instead of being limited to a branch office. One of the great things about SaaS apps is that they can be accessed from anywhere regardless of whether the worker is in a company office location. The Internet has now become the new business network, with the cloud edge being where users, branches, and things sit.
Securing the Cloud Edge
The downside of the cloud edge is that all that expensive security the enterprise placed in the data center won’t see cloud traffic. This leaves the business wide open to attacks that are directed at users through the cloud. Securing the cloud edge can be a difficult task using traditional security tools, as those need to be placed in every location. This can be expensive, complicated, and time-consuming. Another issue is that app performance can be inconsistent. While I said direct cloud connectivity can improve app performance, there’s a higher degree of variability in performance, as the Internet can be unpredictable, and erratic performance can frustrate users.
Cisco’s SD-WAN software addresses these issues through the following enhancements:
- Integrated security -- The software now includes a “full stack” of security tools, including an enterprise firewall, intrusion prevention system (IPS), and URL filtering. The services are powered by Cisco’s Talos threat intelligence service and can be managed through a single dashboard.
- Secure Internet gateway -- Cisco Umbrella is a cloud-based, secure Internet gateway that offers DNS-level security. Users point their DNS gateway at Umbrella, and when a cloud service is accessed, traffic flows through Umbrella. The service then checks the integrity of the site and denies access to anything malicious. For example, a user might click on a spam link that directs them to a fake version of a banking website. Umbrella would know this and block access before a connection is ever established.
- Improved Office 365 experience -- It’s nice when arch rivals team up to do what’s right for the customer. With this enhancement, Cisco has partnered with Microsoft to optimize the performance of Office 365 applications. Cisco SD-WAN continually monitors all available paths to the Office 365 cloud and can direct traffic to the closest cloud over the best-performing path. This can help smooth out the variances seen with over-the-top access to cloud applications.
- DevNet updates -- It’s fair to say that Cisco’s DevNet has come of age. The skunkworks project started by VP Susie Wee in 2014 is now a major part of Cisco’s go-to-market. In one of its recent earnings calls with Wall Street, Chuck Robbins specifically mentioned DevNet growth. From what I understand, we will be seeing more DevNet updates moving forward, including more product launches -- and this announcement is no exception. Cisco has added a number of new learning labs, an SD-WAN sandbox, and code exchange to help developers and network engineers build custom features and applications to drive innovation.
- New SD-WAN hardware -- What would a Cisco announcement be without some shiny new hardware? Cisco already has two new devices to add to its already broad line of SD-WAN infrastructure. The ISR 1111X-8P is a compact form factor, fixed branch platform that includes integrated Wi-Fi and LTE. With a list price of $1,595, it’s ideal for small- to mid-size offices. The ISR 4461 is the new high-end appliance. It’s modular in design, with a number of available modules including storage, compute, and switching. This is meant for high-performance use cases and large offices and has a list price of $24,000. At first glance, the $24K price point may seem way out of whack considering where SD-WAN appliances are selling, but this is the high end of the high end and includes storage and compute power. A small business could use this as a small data center in a box. Given the functionality, the $24K price tag is reasonable.
- Deployment services -- Cisco has created a new quick start service that helps customers accelerate SD-WAN deployments while reducing risk. For a fixed fee, customers have access to remote implementation engineers and knowledge transfer capabilities.
- Simplified licensing -- Cisco has a lot of products, which can make the process of buying them difficult. This is particularly true of the software, as Cisco has different options for buyers to choose from. Cisco has made the procurement task a bit easier by making network and security available as a single license model that can be managed through a single interface. It’s got more work to do here, but this is a good start.
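The DNS-level check described in the Secure Internet gateway item above, as an added example (not Cisco's code and not part of the original article): a generic model of a filtering resolver that decides at lookup time, before any connection exists. The domains, the block-page address and the function names are constructed for illustration; the last function shows that a destination given as an IP address never triggers a lookup, which is traffic the integrated firewall and IPS have to cover instead.

```python
import ipaddress

# Constructed policy data for illustration (not real threat intelligence).
BLOCKED_DOMAINS = {"examp1e-bank.test"}        # look-alike of bank.example
BLOCK_PAGE_IP = "192.0.2.1"                    # documentation range, stands in for a block page
UPSTREAM = {                                   # stand-in for real recursive resolution
    "bank.example": "198.51.100.10",
    "login.examp1e-bank.test": "203.0.113.66",
}


def normalize(name):
    """Lower-case and drop the trailing root dot so equivalent names compare equal."""
    return name.strip().rstrip(".").lower()


def is_blocked(name):
    """True if the name itself or any parent domain is on the block list."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def resolve(name):
    """Policy decision taken at lookup time, before the client opens a connection."""
    if is_blocked(name):
        # The client is never handed the real address of the blocked site.
        return {"action": "block", "answer": BLOCK_PAGE_IP}
    answer = UPSTREAM.get(normalize(name))
    if answer is None:
        return {"action": "nxdomain", "answer": None}
    return {"action": "allow", "answer": answer}


def enforcing_layer(destination):
    """Which control gets to see a request: DNS policy only sees names that are looked up."""
    try:
        ipaddress.ip_address(destination)
    except ValueError:
        return "dns"                           # hostname: the resolver sees the query
    return "firewall/IPS"                      # IP literal: no DNS query is made


if __name__ == "__main__":
    for host in ("bank.example", "Login.Examp1e-Bank.test.", "203.0.113.66"):
        layer = enforcing_layer(host)
        print(host, layer, resolve(host) if layer == "dns" else "no lookup")
```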
This might be Cisco’s biggest SD-WAN update ever; it’s certainly the biggest since it acquired Viptela in mid-2017. The integration of security is well timed, as more and more customers I talk to are shifting their decision away from speeds and feeds and toward security. The cloud edge created by an SD-WAN is a fundamentally different architecture than the traditional branch edge, and security needs to be available everywhere.