SD-WAN / SASE technology vendor
Cisco
Cisco's sources provide evidence of SD-WAN Cloud OnRamp, Meraki SD-WAN, and SD-WAN + Secure Access SASE integration.
Netify profile
Cisco in depth
Platform and architecture
Cisco offers two SD-WAN families. Catalyst SD-WAN (formerly Viptela) is the enterprise platform: vEdge and Catalyst 8000 routers, separated control and data planes, and vManage (now Catalyst SD-WAN Manager) for orchestration. Meraki is the cloud-managed alternative, with MX appliances configured entirely from the Meraki dashboard. Both integrate with Cisco's wider switching, wireless and identity portfolio, and cloud on-ramps cover AWS, Azure and Google Cloud. The two platforms remain distinct, so buyers should choose a track early.
Security and SASE capability
Cisco's SASE position combines Cisco Secure Access (the successor to Umbrella for SSE), Duo for identity and device trust, and Talos threat intelligence. ZTNA, SWG, CASB and DLP are delivered from Cisco's cloud with single-console ambitions under Secure Access. On-box security on Catalyst and Meraki includes NGFW, IPS and content filtering. The strongest story is for Meraki estates pairing MX SD-WAN with Secure Access in a Cisco-only stack.
Service, support and channel
Cisco sells through the largest partner ecosystem in networking. Most buyers consume Catalyst SD-WAN through managed service providers, including BT, Verizon, Orange and NTT, while Meraki suits in-house teams and MSPs alike. Cisco TAC provides 24x7 follow-the-sun support; named technical account management comes via Cisco CX or the partner. UK channel depth is extensive at every tier.
Commercials and the Netify verdict
Licensing is subscription based: Cisco DNA/Catalyst licences per device tier plus Secure Access per user, with Meraki licences per appliance. List pricing is partially public via partners. The Netify verdict: shortlist Cisco when you already run Cisco switching, wireless or identity, when your operations team knows the tooling, or when you want one vendor across campus and WAN. Expect platform choice (Catalyst vs Meraki) to shape cost and operations more than headline pricing.
Questions
Cisco: common buyer questions
Should I choose Catalyst SD-WAN or Meraki SD-WAN?
Catalyst SD-WAN suits large, complex WANs needing granular routing control, segmentation and scale. Meraki suits lean IT teams and distributed estates that value dashboard simplicity over deep configurability. They are separate platforms with separate management, so pilot the operational model, not just the data sheet.
Does Cisco offer a full single-vendor SASE?
Yes, in portfolio terms: SD-WAN (Catalyst or Meraki) plus Cisco Secure Access for SSE, with Duo identity and Talos intelligence. Policy and console unification has improved but is newer than rivals built single-stack from day one, so validate console workflows in a proof of concept.
How do most UK enterprises buy Cisco SD-WAN?
Through managed service providers and Cisco Gold partners. BT, Verizon, Orange, NTT and many UK MSPs run managed Catalyst and Meraki offers, which suits buyers who want carrier-grade delivery without operating vManage themselves.
Key differentiators
- Broadest platform portfolio in the category, covering Catalyst SD-WAN for enterprise WAN, Meraki MX for cloud-managed branch, and Cisco Secure Access for converged SASE delivery.
- Cloud OnRamp provides automated optimisation paths for Microsoft 365, Salesforce, and major cloud providers, with native integration into the Cisco security stack.
- Large global partner and integrator ecosystem reduces delivery risk for buyers wanting managed or co-managed delivery.
Best fit for
- Enterprises already standardised on Cisco networking who want platform consistency from LAN through WAN to security.
- Multinational organisations needing strong vendor presence across regions and a deep partner channel.
- Buyers prioritising single-vendor risk consolidation across networking and security.
Watch-outs
- Two distinct SD-WAN product lines (Catalyst and Meraki) mean buyers should confirm which fits the target deployment profile and the longer-term roadmap.
- Managed delivery is partner-led rather than first-party, so service quality varies meaningfully by integrator.
- Private global backbone is not part of the platform; cloud transport relies on internet and partner gateways.
40 features, 6 categories
Capability matrix
Each capability is graded against public source evidence. Where evidence is limited, the grade reflects that uncertainty rather than assuming the capability is present.
Service delivery and operating model
| # | Capability | Status | Definition |
|---|---|---|---|
| F01 | Fully managed service | Partner / integrated | Provider designs, deploys, monitors, changes, supports and reports on the service. |
| F02 | DIY / self-managed model | Yes | Customer operates SD-WAN controller, policies, updates and incident response. |
| F03 | Co-managed service | Partner / integrated | Provider runs platform/support while customer retains selected policy or change rights. |
| F04 | Multi-tenant MSP / white-label support | Partner / integrated | Tenant isolation, delegated administration, branded portals, templates and service-provider scale. |
| F05 | Professional services and migration support | Partner / integrated | Discovery, design, pilot, staging, migration runbooks, rollback and training. |
| F06 | Last-mile circuit management | Partner / integrated | Sourcing, monitoring and support for broadband, DIA, LTE/5G, MPLS and cross-connects. |
| F07 | Lifecycle management | Partner / integrated | Hardware replacement, firmware upgrades, patching, renewals and EoL planning. |
| F08 | Flexible commercial model | Yes | Per-site, per-bandwidth, per-user, per-device, consumption, NaaS or bundled pricing. |
Network architecture and transport
| # | Capability | Status | Definition |
|---|---|---|---|
| F09 | Encrypted overlay fabric | Yes | Secure tunnels across broadband, DIA, MPLS, LTE/5G, satellite or private WAN. |
| F10 | Dynamic path selection | Yes | Real-time routing based on latency, jitter, packet loss, brownouts, MOS and policy. |
| F11 | Active-active link utilisation | Yes | Use multiple links concurrently rather than passive backup only. |
| F12 | Application-aware routing | Yes | Identification and routing for SaaS, UCaaS, ERP and custom applications. |
| F13 | QoS and traffic shaping | Yes | Per-application and per-class prioritisation, reservation and policing. |
| F14 | Packet loss remediation | Yes | FEC, packet duplication, jitter buffering, TCP optimisation and WAN optimisation. |
| F15 | Local internet breakout | Yes | Secure direct internet access from branch sites. |
| F16 | MPLS coexistence and migration | Yes | Hybrid MPLS/internet/cellular during transition. |
| F17 | Cellular and 5G support | Partial | Integrated/external modem, SIM management, signal monitoring and failover. |
| F18 | Cloud on-ramp | Yes | Automated/simplified connectivity to AWS, Azure, Google Cloud, Oracle, Equinix, Megaport and SaaS. |
Gateway, PoP and backbone design
| # | Capability | Status | Definition |
|---|---|---|---|
| F19 | Public cloud gateways | Yes | Vendor-operated gateways/PoPs for SaaS optimisation, remote access or security enforcement. |
| F20 | Private PoPs / dedicated PoPs | Unknown | Customer-hosted, dedicated or sovereign PoP options. |
| F21 | Private global backbone | Unknown | Vendor-owned or controlled backbone between PoPs. |
| F22 | Regional breakout and data residency | Yes | Pin traffic to countries, regions or approved inspection locations. |
| F23 | Multi-cloud transit fabric | Yes | Branch-to-cloud, cloud-to-cloud and user-to-cloud connectivity under common policy. |
| F24 | Flexible edge form factors | Yes | Physical, virtual, cloud marketplace, container or uCPE. |
| F25 | High availability design | Yes | Dual appliances, dual circuits, dual power, HA clustering and gateway redundancy. |
| F26 | SLA-backed service fabric | Partner / integrated | SLA for uptime, response, change handling and possibly latency/jitter/loss. |
Security and SASE capability
| # | Capability | Status | Definition |
|---|---|---|---|
| F27 | Integrated next-generation firewall | Yes | Stateful firewall, app control, IPS/IDS, malware inspection and URL filtering. |
| F28 | Full SASE platform | Yes | SD-WAN plus SWG, CASB, ZTNA, FWaaS, DLP, RBI, DNS security and threat prevention. |
| F29 | SSE ecosystem integration | Yes | Interoperation with Zscaler, Netskope, Palo Alto Prisma Access, Cisco Secure Access, Cloudflare etc. |
| F30 | Zero Trust Network Access | Yes | Identity and posture-based access to private applications. |
| F31 | Secure web gateway | Yes | URL filtering, SSL inspection, malware scanning and acceptable-use controls. |
| F32 | CASB capability | Yes | SaaS discovery, sanctioned/unsanctioned app control and SaaS policy enforcement. |
| F33 | Data loss prevention | Partial | Data classification, inspection, blocking, alerting and exception workflow. |
| F34 | Remote user access | Yes | Client or clientless access for remote workers, contractors and mobile users. |
| F35 | SOC/SIEM/SOAR integration | Yes | Syslog, APIs, event export, threat intelligence and workflow integration. |
Operations, assurance and automation
| # | Capability | Status | Definition |
|---|---|---|---|
| F36 | Centralised orchestration | Yes | Templates, intent-based policy, zero-touch provisioning and configuration compliance. |
| F37 | Customer portal and RBAC | Yes | Real-time status, role-based access, reporting, tickets and change requests. |
| F38 | Observability and digital experience monitoring | Yes | App experience, user experience, device health, SaaS telemetry and path analytics. |
| F39 | APIs and automation | Yes | REST APIs, Terraform, webhooks, event streaming and ITSM integration. |
| F40 | Managed service assurance | Partner / integrated | 24/7 NOC/SOC, proactive monitoring, incident ownership, RCA, service reviews and change governance. |
Commercial
Cost model and pricing visibility
Public pricing visibility
Quote-based. No complete public enterprise price was found in reviewed sources.
Cost model
Quote-based subscription/licence + appliance/support; Meraki public SKUs via partners, enterprise pricing varies by platform and term.
Evidence
Primary sources
Every capability grade traces back to one of these sources. Reviewed 2026-05-22.
- https://www.cisco.com/site/us/en/solutions/networking/sdwan/cloud-onramp/index.html
- https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Design_and_Configure/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/Meraki_SD-WAN
- https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/sd-wan/nb-06-sase-sd-wan-secure-access-aag-cte-en.html
Verification notes
Capability matrix sourced from Netify internal vendor research (May 2026). Status grades reflect public source evidence only. Confirm via RFP. Qualitative fields (differentiators, best fit, watch-outs) are Netify editorial synthesis based on the evidence summary and capability profile; review before publishing. Extended dimensions (regions, clouds, AI, resilience, deployment speed, sectors, organisation fit, identity, platforms, support, logging) are indicative desk research grades from June 2026; confirm via RFP.