Cisco SD-WAN: Introduction and Technical Deep Dive

John M Curran
Systems Engineer
Why SD-WAN

High Customer Demand & Rapid Adoption

By the end of 2019, 30% of enterprises will have deployed SD-WAN technology in their branches, up from less than 1% today. [1]
The overall branch office router market will experience a CAGR of -6.3% and the legacy router segment will experience a -28.1% CAGR by the end of 2020. [2]

Explosive Market Growth & Revenue Opportunity

SD-WAN Technology and Services market poised to reach $6 Billion by 2020. [3]

Disrupt or be Disrupted

[1] Gartner, Predicts 2016: Enterprise Networks and Network Services, Dec 2015
[2] Gartner, Predicts: SD-WAN and Its Impact on Traditional Router and MPLS Services Revenue, Worldwide, 2016-2020, Nov 2016
[3] IDC, Forecasts Strong Growth for Software-Defined WAN As Enterprises Seek to Optimize Their Cloud Strategies, March 2016
Viptela Confidential
Why SD-WAN Matters to Customers
Legacy WAN Architecture Does Not Meet the Needs of the Business

• It costs too much
• It’s complex to install and manage
• It underperforms
• It’s not secure

Customers Need a Better Way

Viptela: The Leader in SD-WAN Innovation

Enterprise class SD-WAN that is Simple to Operate, Secure and is built for the Cloud

• 50% Lower Cost: Reduced CapEx and bandwidth expense. Simplified management. Rapid troubleshooting
• 10X More Bandwidth: No capacity restraints. No choke points. Instantly add bandwidth anytime, anywhere based on application requirements
• 5X Cloud Performance: Cloud Aware architectures and SLA-based traffic steering deliver blazing performance for applications like O365, AWS, SFDC and more

SD-WAN Enterprise Grade Capabilities
Reducing Cost and Complexity for Agile IT
• Separation of management, control, data for scaling
• Redundant management: cloud or on premises
• Zero-touch provisioning in minutes, not days
• Full segmentation support for fast app deployment
• Choice of topologies with point-and-click
• Complete visibility from single pane of glass

Comprehensive and Flexible to Fit Your Business
• PHYSICAL SECURE ROUTERS or VIRTUAL SECURE ROUTERS
• CAPEX WITH ANNUAL SUBSCRIPTION or ENTERPRISE-BASED AGREEMENT
• IN-HOUSE IT or MANAGED SERVICE

Viptela Company Overview

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Viptela At A Glance

• $110M VC funding: Sequoia, Redline, Northgate
• 6 Continents
• 8 Tier-1 Carriers & Global SIs
• 40 Fortune-500 customers
• 35,000 Devices deployed
• 24x7x365 Support; Global Distribution and RMA; Training and Certification

Verticals: Retail, Financial, Healthcare, Manufacturing, Hospitality, Transport, Gov, Tech

Case Studies: GAP, Cloud onRamp, Global Retailer

Case Study: Enabled Cloud-Based Healthcare Apps

CHALLENGES
• Outages at Clinics
• Couldn’t enable SaaS Apps
• Need to add to Office365 and Cloud-based Voice

VIPTELA SOLUTION
• MPLS → MPLS + broadband
• Cloud-based EMR enabled
• Next Phase: Migrate Office 365, Voice to Cloud

BUSINESS OUTCOMES
• Zero Outages
• Adding Bandwidth 120 → 2 days
• 10x Bandwidth
• No wasted engineering hours

Case Study: Global Retailer

40% Reduction in WAN Costs

CHALLENGES
• Reduce OpEx and CapEx costs
• Re-energize customer in-store experience
• Improve mobile application performance

VIPTELA SOLUTION
• Viptela SEN infrastructure
• 1600 stores globally
• MPLS → dual broadband
• 7 Segments – PCI, guest WiFi, security

BUSINESS OUTCOMES
• 26x Bandwidth improvement
• 5x Improvement store conversions
• $20M Saved over 3-years

Case Study: Global Industrial Firm

46 Technology Silos Consolidated

CHALLENGES
• Rapid M&A integration
• 14 different environments, 8 carriers
• Massive migration to O365 & AWS
• Business unit segmentation

VIPTELA SOLUTION
• Viptela SEN infrastructure
• Enable active active → MPLS + internet

BUSINESS OUTCOMES
• 14 to 1 Carrier MPLS VRFs
• Months to weeks rapid M&A onboarding
• 46 Portfolios consolidated

Case Study: Banking – Fortune 500

80% Less time for deploying new branch WAN

CHALLENGES
• High bandwidth apps (HD Video)
• Improve application performance
• Simplify branch IT operations (incl ATMs)

VIPTELA SOLUTION
• Viptela SEN infrastructure
• 3000 locations
• Augment MPLS with broadband

BUSINESS OUTCOMES
• 20x Bandwidth Improvement
• 4x Improvement in app performance
• 50 Sites deployed per night
• 1000 Devices upgraded in 4 hours
• 1.5 Engineering hours plan / site (contrast with 40 hours earlier)

Case Study: Network As a Service

Transformed Customer Experience

CHALLENGES
• Customer Experience Applications
  - Self-service kiosks
  - Video conf with live experts
  - New Retail Bank Apps
• Simplify branch IT operations (incl ATMs)
• Improve Business continuity with Data loss prevention, backups

VIPTELA SOLUTION
• Verizon Managed SD-WAN with Viptela SEN
• 1400 locations
• Augment MPLS with LTE

BUSINESS OUTCOMES
• Video and WiFi inside Branches
• Faster Applications
• Agile Operations
• Business Continuity: Data loss Prevention and Backup

Cisco SD-WAN
Solution Elements and Overview

Cisco SD-WAN Solution Philosophy
Most Comprehensive Solution on the Market

[Diagram: solution layers]
• Application Policies: Application SLA, Traffic Engineering, Per-Segment Topologies, Secure Perimeter, Cloud Path, Cloud Accel, Transport Hub
• Delivery Platform: Routing, Security, Segmentation, QoS, Multicast, Svc Insertion, Survivability
• Transport Independent Fabric: Broadband, MPLS, Cellular
• Alongside all layers: Analytics, Monitoring, Operations

Cisco SD-WAN Architecture
The Power of Abstraction

[Diagram: architecture planes]
• Management Plane: vManage (APIs, 3rd Party Automation, vAnalytics)
• Orchestration Plane: vBond
• Control Plane: vSmart Controllers
• Data Plane: vEdge Routers over MPLS, 4G and INET, at Cloud, Data Center, Campus, Branch and SOHO sites

Cisco SD-WAN Solution Elements
Orchestration Plane

Cisco vBond
• Orchestrates connectivity between management, control and data plane
• First point of authentication
• Requires public IP Address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges

Cisco SD-WAN Solution Elements
Management Plane

Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Simplicity of deploying
• Simplicity of change
• Supports
  • REST API
  • CLI
  • Syslog
  • SNMP
  • NETCONF

Cisco SD-WAN Solution Elements
Control Plane

Cisco vSmart
• Centralized brain of the solution
• Facilitates fabric discovery
• Establishes OMP peering with all vEdges
• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology
• Dramatically reduces complexity of the entire network
• Distributes connectivity information between vEdge
• Orchestrates secure data plane connectivity between vEdges

Cisco SD-WAN Solution Elements
Data Plane (Physical/Virtual)

Cisco vEdge
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor

Cisco vEdge Routers

[Figure: vEdge models by throughput tier and deployment size]
• 100Mb: vEdge 100
• 1Gb: vEdge 1000
• 1/10Gb: vEdge 2000
• vEdge Cloud

Deployment sizes shown: Small Office / Home Office; Branch / Campus; Large Campus / Data Center; Virtualized Branch / Cloud

Controllers
Cloud or On-Premise Delivered

• On-Premise: vBond*, vManage, vSmart, vSmart as VMs on ESXi or KVM, on a Physical Server
• Hosted: vBond, vManage, vSmart, vSmart as VMs on AWS or Azure
• The diagram also labels two vContainer instances

* Can be deployed as physical vEdge appliance


Cisco SD-WAN
Technology Deep Dive

Cisco SD-WAN
Zero Trust Fabric

Cisco vEdge Router Identity

During Manufacturing (TPM Chip, Device Certificate)
• Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in onboard Tamper Proof Module (TPM)
  - Installed during manufacturing process
• Certificate is signed by Avnet root CA
  - Trusted by Control Plane elements

In Viptela Software (Root Chain)
• Symantec root CA chain of trust is used to validate Control Plane elements
• Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP

Cisco vEdge
Zero Touch Provisioning

[Diagram: five numbered steps between the vEdge, the Zero Touch Provisioning Server (ztp.viptela.com) and the Control and Policy Elements, including Full Registration and Configuration]

Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com*

§ Delivered as-a-Service
* Factory default config
Cisco SD-WAN
Fabric Operation

Overlay Management Protocol (OMP)
Unified Control Plane
• Runs on top of TCP, extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Advertises control plane context

[Diagram: vSmart controllers peering with each other and with vEdges]

Note: vEdge routers need no control connections amongst them


Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement detection protocol
  - Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in the topology
  - Inside IPSec tunnels
  - Automatically invoked after each IPSec tunnel establishment
  - Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
  - Fully customizable per-vEdge, per-color

Data Plane Privacy
Traffic Encryption
§ Each vEdge advertises its local IPsec encryption keys through OMP
§ Encryption key is per-transport
§ Keys are rotated frequently

Traffic Encrypted with AES256-GCM

[Diagram: two vEdges and the vSmart Controllers (Control Plane); OMP Update messages carry Local Keys, each vEdge holds Remote Keys; TLOCs on Transport1 and Transport2]
Fabric Operation
Fabric Walk-Through
OMP Update:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies

[Diagram: vSmart and two vEdges; OMP Updates and Policies over DTLS/TLS Tunnel; IPSec Tunnel and BFD between vEdge TLOCs on Transport1 and Transport2; each vEdge has VPN1 and VPN2 with Subnets (A, B, C, D) from BGP, OSPF, Connected, Static]
Cisco SD-WAN
Application Experience and QoS

Application Visibility
Deep Packet Inspection

• App 1, App 2, … App 3,000
✓ App Firewall
✓ Traffic prioritization
✓ Transport selection

[Diagram: vEdge Router at Small Office / Home Office, Branch and Campus sites; Internet, MPLS and 4G/LTE transports; Cloud Data Center and Data Center]

Critical Applications SLA
§ vEdge Routers continuously perform path liveliness and quality measurements

App Aware Routing Policy (vManage)
App A path must have:
  Latency < 150ms
  Loss < 2%
  Jitter < 10ms

Paths between the vEdge Routers:
  Path1 (Internet): 10ms, 0% loss, 5ms jitter
  Path2 (MPLS): 200ms, 3% loss, 10ms jitter
  Path3 (4G LTE): 140ms, 1% loss, 10ms jitter

Device QoS (shaping, policing, queuing, marking)
Optimal Application Throughput
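
The SLA check on this slide, as an added example (not Cisco's code and not the vEdge algorithm): it evaluates the slide's three paths against the App A thresholds. Averaging over the last `multiplier` poll intervals and the `inclusive` switch are assumptions of the example; read literally, "Jitter < 10ms" excludes Path3, whose jitter is exactly 10ms.

```python
from collections import deque
from dataclasses import dataclass
from statistics import mean

METRICS = ("latency_ms", "loss_pct", "jitter_ms")


@dataclass(frozen=True)
class Metrics:
    latency_ms: float
    loss_pct: float
    jitter_ms: float


# SLA class from the slide: latency < 150 ms, loss < 2 %, jitter < 10 ms.
APP_A_SLA = Metrics(latency_ms=150.0, loss_pct=2.0, jitter_ms=10.0)


class PathMonitor:
    """Holds the most recent `multiplier` poll-interval samples for one tunnel.

    The window size and the plain averaging are assumptions of this example.
    """

    def __init__(self, name, multiplier=3):
        self.name = name
        self.samples = deque(maxlen=multiplier)  # oldest sample drops out

    def record(self, latency_ms, loss_pct, jitter_ms):
        self.samples.append(Metrics(latency_ms, loss_pct, jitter_ms))

    def average(self):
        """Mean of the window, or None when no sample exists (tunnel down)."""
        if not self.samples:
            return None
        return Metrics(*(mean(getattr(s, m) for s in self.samples) for m in METRICS))


def violations(measured, sla, inclusive=False):
    """Names of the metrics that break the SLA.

    inclusive=False reads the slide's "<" literally, so a value equal to the
    threshold is a violation; inclusive=True treats the threshold as "<=".
    """
    if measured is None:
        return ["no-measurement"]
    bad = []
    for m in METRICS:
        value, limit = getattr(measured, m), getattr(sla, m)
        ok = value <= limit if inclusive else value < limit
        if not ok:
            bad.append(m)
    return bad


def eligible_paths(monitors, sla, inclusive=False):
    """Paths whose averaged measurements satisfy every SLA metric."""
    return [p.name for p in monitors if not violations(p.average(), sla, inclusive)]


def slide_paths():
    """The three paths with the values shown on the slide (one sample each)."""
    values = {"Path1": (10, 0, 5), "Path2": (200, 3, 10), "Path3": (140, 1, 10)}
    monitors = []
    for name, sample in values.items():
        mon = PathMonitor(name)
        mon.record(*sample)
        monitors.append(mon)
    return monitors


if __name__ == "__main__":
    for inclusive in (False, True):
        print("inclusive" if inclusive else "strict",
              eligible_paths(slide_paths(), APP_A_SLA, inclusive))
    # Constructed degradation: one 300 ms spike is absorbed, a second is not.
    p1 = PathMonitor("Path1")
    for latency in (10, 10, 300, 300):
        p1.record(latency, 0, 5)
        print(latency, violations(p1.average(), APP_A_SLA))
```

When writing SLA classes, a threshold equal to a path's steady-state value makes eligibility depend on the comparison operator, so leave headroom between the two.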
Application Optimization
TCP Performance Optimization

[Diagram: Users, TCP Connections, vEdge, Optimized TCP Connections (Cubic) across the SD-WAN Fabric (High Latency Path), vEdge, TCP Connections, Servers]

• High latency path between users and servers, i.e. geo-distances
• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
• Selective acknowledgements prevent unnecessary retransmit of the successfully received segments
• Hosts using old TCP/IP stacks will see the most benefit
Cisco SD-WAN
Segmentation and Service Insertion

Cisco SD-WAN VPNs
vEdge Router Security Zones

[Diagram: vEdge Router interfaces and sub-interfaces (IF, Sub-IF) in three zones: Service (VPNn), Transport (VPN0; MPLS, INET) and Management (VPN512)]

• VPNs are isolated from each other, each VPN has its own forwarding table
• Reachability within VPN is advertised by the OMP
End-to-End Segmentation
Virtual Private Networks and Mapping
§ Isolated virtual private networks across any transport
§ VPN mapping is based on physical vEdge Router interface, 802.1Q VLAN tag or a mix of both
§ VPN isolation is carried over all transports
  - https://tools.ietf.org/html/rfc4023

[Diagram: vEdge Routers at Site 1 and Site 2 with interfaces (IF) and 802.1q tags mapped to VPN A, VPN B and VPN C; IPSec across the Transports to the Data Center]

Packet layout: IP (20) | UDP (8) | ESP (36) | VPN Label (4) | Data (…)
Application Aware Topologies
Arbitrary VPN Topologies

• VPN1: Full-Mesh, Unified Communications
• VPN2: Hub-and-Spoke, Security Compliance
• VPN3: Partial Mesh, Regional Services
• VPN4: Point-to-Point, Partner Connectivity

• Leverage control policies to influence per-VPN topology


L4-L7 Service Insertion
Regional Secure Perimeter
• Can chain numerous L4-L7 services

[Diagram: vSmart, Policy Advertisement*, L4-L7 Service Advertisement; VPN1 at the Remote Office, the Regional Hub (FW) and the Data Center over MPLS, INET and 4G; legend: Control Plane, Traffic Path]

* For data policy only. Control policy enforced on vSmart.
Application Traffic Security
Regional Secure Perimeter

[Diagram: Small Office / Home Office, Branch and Campus sites on the SD-WAN Fabric; Service Insertion Policy and Service Advertisement; Regional Secure Perimeter and Secure Data Center with Firewalls and IDS/IPS/DLP; Protected Compute Resources in the Data Center and Cloud Data Center]
Cisco SD-WAN
Cloud Adoption

Cloud onRamp for SaaS
SaaS Optimization

[Diagram: two panels showing a Remote Site, Regional Hub and Data Center on the SD-WAN Fabric with ISP1, ISP2 and MPLS paths; Loss/Latency alerts on individual paths]

Application Quality Probing


Cloud onRamp for IaaS

[Diagram: two panels showing IaaS Compute VPCs/VNETs reached through a Gateway VPC/VNET with BGP; Cloud Data Center, Data Center, Campus, Branch and Remote Site on the SD-WAN Fabric; IPSec Tunnel]
Cloud Security
SaaS and Internet Security

[Diagram: Remote Site and Client with ISP1 and ISP2 uplinks to POP1 and POP2; GRE Tunnel and DNS Query; threats labelled Exploits, Malware, ATP, Botnets]

• Eliminates backhaul of traffic destined to Internet and cloud applications


Cisco SD-WAN
High Availability and Redundancy

Site Redundancy - Routed
§ Redundant pair of vEdge routers operate in active/active mode
§ vEdge routers are one or more Layer 3 hops away from the hosts
§ Standard OSPF or BGP routing protocols are running between the redundant pair of vEdge routers and the site router
§ Bi-directional redistribution between OMP and OSPF/BGP and vice versa on the vEdge routers
§ Site router performs equal cost multipathing for remote destinations across SD-WAN Fabric
  - Can manipulate OSPF/BGP to prefer one vEdge router over the other

[Diagram: Host, Site Router, vEdge A and vEdge B (OSPF/BGP), SD-WAN Fabric]

Site Redundancy - Bridged

§ vEdge routers are Layer 2 adjacent to the hosts
  - Default gateway for the hosts
§ Virtual Router Redundancy Protocol (VRRP) runs between the two redundant vEdge routers
  - Active/active when using multigroup
§ VRRP Active vEdge responds to ARP requests for the virtual IP with its physical interface MAC address
§ In case of failover, new VRRP Active vEdge router sends out gratuitous ARP to update ARP table on the hosts and mac address table on the intermediate L2 switches

[Diagram: Host, vEdge A (VRRP Active), vEdge B (VRRP Standby), SD-WAN Fabric]

Transport Redundancy - Meshed

§ vEdge routers are connected to all the transports
§ When transport goes down, vEdge routers detect the condition and bring down the tunnels built across the failed transport
  - BFD times out across tunnels
§ Both vEdge routers still draw the traffic for the prefixes available through the SD-WAN fabric
§ If one of the vEdge routers fails, second vEdge router takes over forwarding the traffic in and out of site
  - Both transports are still available

[Diagram: Site Network, two vEdges, MPLS, Internet]

Transport Redundancy – TLOC Extension

§ vEdge routers are connected only to their respective transports
§ vEdge routers build IPSec tunnels across directly connected transport and across the transport connected to the neighboring vEdge router
  - Neighboring vEdge router acts as an underlay router for tunnels initiated from the other vEdge
§ If one of the vEdge routers fails, second vEdge router takes over forwarding the traffic in and out of site
  - Only transport connected to the remaining vEdge router can be used

[Diagram: Site Network, two vEdges, MPLS, Internet]

High Availability and Redundancy
Connectivity Assurance

[Diagram: four panels: Site Redundancy (VRRP, OSPF/BGP), Transport Redundancy (MPLS, INET), Network/Headend Redundancy (Data Center, Site; MPLS, INET) and Control Redundancy (vSmart Controllers; Control and Data paths)]
Cisco SD-WAN
Analytics

vAnalytics
• Offered as a SaaS Service
• Multi-customer sourced data
• Anonymous data-collection
• Reports for Customers, Partners and Viptela
• Included with Enterprise License tier

[Diagram labels: Visibility, What-If, Recommendations, Forecasting]



vAnalytics Dashboard



vAnalytics Main Characteristics

Network Centric
• Site Availability
• Network Availability
• Site Usage Analysis
  - Top sites by bandwidth consumption
  - Historical bandwidth consumption
• Carrier Performance
  - App-Route stats on a per-carrier basis
  - Carriers health ranking

Application/Flow Centric
• Based on DPI and cflowd
• Bandwidth Usage
  - Top sources, destinations apps
  - Per-Site basis
• Application Performance
• Application to tunnel binding and performance information
• Anomaly Detection
  - Baseline of application usage
  - Anomaly detection based on overall application usage (by application family, by site)



Cisco SD-WAN
Demo

Viptela Integration Plan

Phase 1: At Close (No Integration)
• Deployment Scenarios: vManage Cloud-hosted; vEdge
• Benefits: Support and Scale the current Viptela sales motion
• Details:
  - Platform: As-is
  - Management: vManage as-is

Phase 2 (Platform Integration)
• Deployment Scenarios: vManage Cloud-hosted; NEW ISR4K + vEdge SW; vEdge
• Benefits: SD-WAN on strategic ISR platform
• Details:
  - Platform: vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K)
  - Management: vManage for SD-WAN capabilities on IOS-XE

Phase 3 (Management Integration)
• Deployment Scenarios: NEW vManage + DNA Center Cloud-hosted; ISR4K + vEdge SW; vEdge
• Benefits: Deliver end-to-end experience with full DNA integration
• Details:
  - Management: Cloud hosted DNA Center integrates vManage capabilities
  - Full DNA Center capabilities (SWIM, Assurance, Patch Management, Integrated workflows for SD-Access and SD-WAN)
2-box solution: Possible Deployment Scenarios

[Diagram: vManage-managed ISR and vEdge pairs in two scenario groups, "ISR providing T1/E1/DSL Connectivity" and "ISR providing services" (WaaS, UC); uplinks labelled T1 / E1 / DSL and Ethernet]

Cisco SD-WAN
Pricing and Licensing

Pricing Model
Subscription and Perpetual Elements
1. Subscription* license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE. This cost is dependent on two factors:
• Service bandwidth
• Features

2. Perpetual cost of Cisco SD-WAN CPE** element.

[Diagram boxes]
• Perpetual cost of Cisco SD-WAN CPE hardware
• Subscription cost of Cisco SD-WAN software (Includes SD-WAN controller + CPE software)
• Operational cost of Cisco SD-WAN solution

*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Cisco SD-WAN support, next day hardware replacement for Cisco SD-WAN CPE, software upgrades on all components and the cost of hosting the Cisco SD-WAN controllers in the Cisco SD-WAN cloud.

**Note: CPE can be Cisco SD-WAN owned or in the case of Virtual CPE customer owned. Cost here implies Cisco SD-WAN CPE only.
Features
License Tiers

[Diagram: Plus, Pro and Enterprise tiers, each with SD WAN controllers and Hub/Spoke sites over MPLS and Internet; labels include AAR, Local breakout, Dynamic Routing, E2E Segmentation, SaaS onRamp and Analytics]

Plus
• Routing: Static
• Topology: Hub-n-spoke only
• Internet/Cloud: NAT, Split tunnel
• Policy: Local ACL only, Data policy
• QoS
• SLA: Application aware routing (5 tuple only)
• Visibility: DPI for visibility only

Pro
• Routing: Dynamic routing (OSPF/BGP)
• Topology: Mesh topology
• Internet/Cloud: Cloud onRamp for IaaS
• Policy: Control policy
• Segmentation: 5 VPNs (1+4)
• SLA: Application aware routing (DPI)
• Multicast

Enterprise
• Segmentation: Unlimited
• Internet/Cloud: Cloud onRamp for SaaS
• Analytics: vAnalytics platform
