It’s been 22 months since Cisco rocked the industry by acquiring SD-WAN leader Viptela. To find out the status of the acquisition and learn more about what Cisco has in store for Viptela, I sat down with Anand Oswal, Senior VP, Engineering for the Enterprise Networking Business at Cisco.
The big question on my mind, of course, was where Cisco stood with integrating Viptela’s SD-WAN technology into its router line. Viptela already included its own routing platform, the vEdge routers, in its SD-WAN architecture. I wanted to find out where Cisco’s routers were going to fit in.
In the last two years, Oswal told me, Cisco has spent a lot of time moving the Viptela software into its router, the Cisco ISR. To date, they’ve integrated the control plane code that manages Viptela routing and performance management with the Cisco ISR platform. “Thousands of ISR users wanted to integrate Viptela into their platform. The ISR has the interfaces for everything but now it can all be managed from the cloud platform,” says Oswal.
Where’s the Security?
Next on my agenda was security. The SD-WAN industry has undergone significant changes since Viptela first introduced its SD-WAN solution. It’s increasingly common to hear, and something we’ve been saying for some time, that for SD-WAN to deliver its cost savings, agility enhancements, and cloud performance improvements, local Internet breakout is a must. And once you start talking about connecting sites directly to the Internet, you have to consider how to secure those locations. Bottom line: branch security, once an add-on to SD-WANs, has become an integral element in the SD-WAN selection process.
Viptela, for all its strengths, never fully addressed branch office security needs on its own. Relying on security appliances, though, is also problematic. “Dedicated security in the branch is not scalable nor cost effective in an SD-WAN,” says Oswal. That’s one benefit of the Cisco acquisition. “Application-based firewall, IDS/IPS, are already built in the ISR platform,” he says.
Viptela-Cisco integration was important not only in terms of deploying one less physical appliance but also in terms of security configuration and management. “You can set up the SD-WAN fabric, application optimization, and distributed security, all through one user interface,” says Oswal. “Customers can use the security on the ISR routers or the Cisco Umbrella in the cloud, as well as Cisco’s Stealthwatch anomaly detection.”
Patching and Scaling Appliances
A major challenge with appliance-based security architectures is their operational expense. There’s the staging, testing and deploying of patches. And as traffic loads grow or processor-intensive features are enabled, appliances need to be upgraded. All of which ends up exacting a significant toll in operational overhead.
I asked Oswal about those issues. He pointed out that ISR routers can now all be managed from the vManage cloud, which provides automation, analytics and patching. Devices under vManage can be controlled via APIs with full visibility, and everything is visible in the vAnalytics dashboard. Cisco users can “apply patches to single routers, multiple routers, roll them back and more.”
As for the processing constraints of Cisco appliances running the Viptela software, “The brains come from the cloud, not the processor of the CPE. Viptela services have very little overhead. The overhead is in the cloud.” More specifically, the only overhead on the router is in data-plane throughput: IPsec encryption adds a 5% increase in overhead.
Oswal says that customers who are concerned about scaling can also decide to use GRE tunnels, which have no impact on the router at all. “The ISR has plenty of processing power, so there is no decrease in ISR throughput when using GRE tunnels.” Personally, I find it difficult to imagine that companies will choose to run GRE tunnels, which are unencrypted, across the open Internet.
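The GRE-versus-IPsec point above is the kind of thing worth checking mechanically rather than trusting a dashboard for. The following is an added example (not code from the article, Cisco or Viptela) that walks an IOS-style running config and flags tunnel interfaces that run in GRE mode without an IPsec profile attached. The config text, hostnames, addresses and profile name are constructed for illustration; the `interface TunnelN`, `tunnel mode`, `tunnel source/destination` and `tunnel protection ipsec profile` commands are standard IOS syntax, and the parser assumes IOS’s default tunnel mode of GRE over IPv4 when no `tunnel mode` line is present.

```python
"""Audit an IOS-style running config for GRE tunnels that lack IPsec protection.

Constructed example: the sample config below is invented for illustration;
its addresses, interface names and profile name are assumptions, not taken
from any real deployment.
"""

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tunnel:
    name: str
    mode: str = "gre ip"          # IOS default tunnel mode is GRE over IPv4 (assumption stated in lead-in)
    source: Optional[str] = None
    destination: Optional[str] = None
    ipsec_profile: Optional[str] = None

    @property
    def encrypted(self) -> bool:
        """A tunnel is treated as encrypted only if an IPsec profile is bound to it."""
        return self.ipsec_profile is not None


def parse_tunnels(config: str) -> List[Tunnel]:
    """Collect every 'interface TunnelN' block and its tunnel-related sub-commands."""
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):                 # a top-level command ends any interface block
            m = re.match(r"interface (Tunnel\d+)$", line)
            current = Tunnel(m.group(1)) if m else None
            if current is not None:
                tunnels.append(current)
            continue
        if current is None:                          # indented line outside a tunnel block
            continue
        cmd = line.strip()
        if cmd.startswith("tunnel mode "):
            current.mode = cmd[len("tunnel mode "):]
        elif cmd.startswith("tunnel source "):
            current.source = cmd.split()[-1]
        elif cmd.startswith("tunnel destination "):
            current.destination = cmd.split()[-1]
        elif cmd.startswith("tunnel protection ipsec profile "):
            current.ipsec_profile = cmd.split()[-1]
    return tunnels


def unprotected_gre(config: str) -> List[str]:
    """Names of tunnels that carry traffic in GRE mode with no IPsec profile bound."""
    return [t.name for t in parse_tunnels(config)
            if t.mode.startswith("gre") and not t.encrypted]


# Constructed sample: Tunnel0 is GRE protected by IPsec, Tunnel1 is plain GRE.
SAMPLE_CONFIG = """\
hostname branch-isr
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile SDWAN-PROFILE
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel mode gre ip
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.20
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.2 255.255.255.0
"""

if __name__ == "__main__":
    for name in unprotected_gre(SAMPLE_CONFIG):
        print(f"{name}: GRE tunnel with no IPsec protection")
```

Run against a saved `show running-config`, the check reports `Tunnel1` for the sample above. It deliberately treats the absence of `tunnel protection` as the finding, rather than trying to judge whether the far end happens to be a trusted link, because that is the property a branch audit can actually verify from the device itself.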
Mobility and WiFi
I also asked him about mobility and how the Meraki platform will play in Viptela’s plans. Mobility isn’t something commonly discussed in SD-WAN circles. But with applications moving to the cloud, office users working off-site and on the road, and with teams involving external contractors, the traditional distinctions between WAN and mobile access make less sense. “Cloud security for mobile users is still a work in progress. I’m not ready to talk about it.”
As for Meraki, I was curious what kind of integration would happen between a Viptela and Meraki SD-WAN-WiFi combination. “It’ll remain a separate product, one that’s targeted only toward organizations with minimal IT departments.”
I was glad to hear that Cisco has made integrating Viptela SD-WAN into its ecosystem a priority and, overall, Cisco’s story sounded quite compelling to me.
But then I had similar feelings when Cisco first introduced IWAN — and look where that’s gone. The integration and management of all security functions can be quite challenging, and good chartware and marketing alone don’t disguise that fact.
Deployment at scale is the only way to accurately measure success. Only then can I get an accurate sense of how the integrated solution really works, and what it ultimately costs from a licensing, management and training perspective. If you have done so, I welcome the opportunity to hear your experiences.
Until then I remain cautiously positive.