SD-WAN Capabilities

This chapter describes the SD-WAN capabilities supported in the management center.

Overview of SD-WAN Capabilities

Software-Defined WAN (SD-WAN) solutions replace traditional WAN routers and are agnostic to WAN transport technologies. SD-WAN provides dynamic, policy-based, application path selection across multiple WAN connections and supports service chaining for additional services such as WAN optimization and firewalls.

As organizations expand their operations across multiple branch locations, ensuring secure and streamlined connectivity becomes paramount. Deploying a secure branch network infrastructure involves complex configurations, which can be time-consuming and prone to configuration errors if not handled properly. However, organizations can overcome these challenges by leveraging the Cisco Secure Firewall Management Center (management center) and the Cisco Secure Firewall Threat Defense (threat defense) devices for a simplified and secure branch deployment.

In this guide, we explore the concept of simplifying secure branch deployment using a robust firewall solution. By integrating a secure firewall as a foundational component of the branch network architecture, organizations can establish a strong security baseline while simplifying the deployment process. This approach enables organizations to enforce unified security policies, optimize traffic routing, and ensure resilient connectivity.

Some of the SD-WAN capabilities supported on the Cisco Secure Firewall are:

  • Simplified management:

    • SASE: Umbrella auto tunnel deployment

    • Dynamic VTI (DVTI) hub spoke topology simplification

  • Application awareness:

    • Direct Internet Access (DIA) for public cloud and guest user

    • Policy based routing (PBR) using applications as a match criteria

    • Local tunnel ID support for Umbrella

  • Increased usable bandwidth:

    • ECMP support for load balancing across multiple ISPs and VTIs

    • Application-based load balancing using PBR

  • High availability with near zero network downtime:

    • Dual ISP configuration

    • Optimal path selection based on application-based interface monitoring.

  • Secure Elastic Connectivity:

    • Route-based (VTI) VPN tunnels between headquarters (hub) and branches (spokes)

    • IPv4 and IPv6 BGP, IPv4 and IPv6 OSPF, and IPv4 EIGRP over VTI

    • DVTI hubs that support spokes with static or dynamic IP

Features

The following table lists some commonly used SD-WAN features:

Feature

Introduced in

More Information

Application monitoring using SD-WAN Summary dashboard

Release 7.4.1

SD-WAN Summary Dashboard

SD-WAN Summary Dashboard

Release 7.4

SD-WAN Summary Dashboard

Policy-based routing with user identity and SGTs

Release 7.4

Policy Based Routing

Policy-based routing using HTTP path monitoring

Release 7.4

Policy Based Routing

Loopback interface support for VTIs

Release 7.3

Configure a Loopback Interface
Support for dynamic VTI (DVTI) with site-to-site VPN

Release 7.3

Dynamic VTI

Umbrella auto tunnel

Release 7.3

Deploy a SASE Tunnel on Umbrella

Support for IPv4 and IPv6 BGP, IPv4 and IPv6 OSPF, and IPv4 EIGRP for VTIs

Release 7.3

BGP, OSPF, EIGRP

Route-based site-to-site VPN with hub and spoke topology

Release 7.2

Create a Route-based Site-to-Site VPN

Policy-based routing with path monitoring

Release 7.2

Policy Based Routing

The Site to Site VPN Monitoring Dashboard

Release 7.1

Monitoring the Site-to-Site VPNs

Direct Internet Access/Policy Based Routing

Release 7.1

Policy Based Routing

Equal-Cost-Multi-Path (ECMP) zone with WAN interfaces

Release 7.1

About ECMP

ECMP zone with VTI interfaces

Release 7.1

About ECMP

Backup VTI for route-based site-to-site VPN

Release 7.0

Route Traffic Through a Backup VTI Tunnel

Support for static VTI (SVTI) with site-to-site VPN

Release 6.7

Static VTI