Securely connecting a branch office to a corporate network and keeping it connected is no easy task. Cisco promises to reduce this from months to minutes with Unified Branch (and new Secure Routers). That’s quite a statement. We wanted to hear more about it.
A branch environment is completely different from that of an organization’s head office. Of course, employees want a fast and, above all, reliable Wi-Fi connection there too. The same applies to the internet connection. Employees also see workloads disappearing to other locations: besides SaaS and public cloud, they are also moving to the company’s central data center. New AI workloads at the branch, like more automated customer services at retail sites, certainly don’t make the branch environment any easier to manage.
Furthermore, there is often little to no support in branch environments. Finally, in terms of security, these environments deserve the same level of protection as the head office. This certainly applies in specific cases such as banks, but nowadays security at any branch should be no weaker than elsewhere. After all, a branch is also an interesting place for attackers to enter.
Unified Branch: full-stack and validated
With the above in mind, Cisco has conceived and developed Unified Branch. We speak to Vikas Butaney, SVP & GM, Secure Routing & Industrial IoT at Cisco, about the importance of this announcement.
According to Butaney, Unified Branch is a “full-service branch platform for partners and customers.” In our words, we would call it a combination of hardware and software. It allows branches to connect to the corporate network simply, securely, and quickly.
Organizations purchase access points, routers with Next-Generation Firewall (NGFW) capability, switches, and software together as a full-stack solution. This means that there are fixed combinations from which customers can choose. It is possible to work in a modular way. For example, if an organization has just invested in access points, it can start with routing and switching.
The whole system is managed from Cisco Meraki, which recently gained an integration with Cisco Catalyst Center. That is the actual platform Butaney is talking about. With the integration of Cisco ThousandEyes into Unified Branch, customers also gain insight into network performance. According to Butaney, the goal of this integration is to “work towards full assurance.” Assurance in networking, meaning the certainty that networks will continue to do what they are supposed to do, is something Cisco has focused on a lot lately, specifically through ThousandEyes.
To ensure that the Unified Branch stack that Cisco offers to customers does what it should do, Cisco has also developed Cisco Validated Designs (CVDs) for this. We are familiar with these from the CVDs for AI PODs and FlexPod (together with NetApp) stacks for ready-made and use-case optimized infrastructure, among other things. These CVD guides allow customers to set up their branch with Cisco’s recommended and validated best practices.
Automation Toolkit for Unified Branch
The CVDs that Cisco offers for Unified Branch undoubtedly reduce the time it takes to provide a branch with a network. In principle, everything should work well together. We assume that Cisco tested this extensively.
However, rolling out a network in a branch environment is not just a matter of finding the right hardware. The setup of the entire stack also plays a very important role. You can find the best hardware, but if the configuration is wrong, its performance will not meet customer expectations and requirements. To address this, Cisco has developed an automation toolkit. Among other things, this includes Branch-as-Code and Cisco Workflows. Branch-as-Code applies Infrastructure as Code principles to set up infrastructure faster and more easily. Cisco Workflows is available in the cloud dashboard. It is intended to help automate routine tasks and guide users through complex operations.
AI Assistant speeds up rollout even further
When it comes to rolling out CVDs for Unified Branch, there is another component worth mentioning: the availability of the AI Assistant. The AI Assistant can start the rollout of a CVD for Unified Branch upon request. It then initiates a workflow. You go through it step by step. You can still enter and adjust a few things yourself, such as VLAN ID and whether RADIUS should be activated on all SSIDs, to name a few options.
Once all this is done, you will be asked to review the workflow. Users can track the step-by-step updates of these workflows either directly through the Cisco AI Assistant or by viewing the visual progress of the workflow on the Automation tab within the dashboard. You can see what has been done in terms of updating SSIDs, firewall rules and other settings.
During our conversation with Butaney, one of his colleagues shows us a demo of how AI Assistant receives a command from the Meraki dashboard to set up a Unified Branch. This is done according to a specific Unified Branch workflow. Of course, it always looks pretty slick in a demo. However, the AI Assistant sets up a fully configured Unified Branch network stack in less than a minute. That’s pretty impressive. Admittedly, the demo only consisted of configuring and rolling out a network of three products, but that doesn’t matter in terms of the total time it takes. According to Butaney: “The workflows are executed in parallel. That means that whether it’s one branch or 1,000 branches, it takes the same amount of time.”
Unified Branch and the workflows associated with it don’t just integrate with the AI Assistant (available today). Cisco has also planned an integration with AI Canvas. This makes sense, because we are basically talking about optimizing IT operations. Since AI Canvas embodies Cisco’s AgenticOps vision, the telemetry from Unified Branch will also be available in AI Canvas. The alpha program for this will start this month.
Below are several screenshots. We took them during a demo of Unified Branch. The three screenshots at the top show several stages of interaction with the AI Assistant. The two at the bottom are part of the review process.





Secure Routers are an important part of Unified Branch
Rapid rollout and proper configuration are undoubtedly important for what Cisco wants to achieve with Unified Branch. However, it is also important to secure the network well. Branches are particularly attractive targets for attackers, precisely because attackers may expect security to be less robust there. Security is, of course, partly a matter of proper configuration, which closes many common gaps.
However, Cisco is also launching the necessary hardware alongside Unified Branch. This should also contribute to the security of this type of network. Specifically, this refers to the Cisco 8000 Series Secure Routers. Cisco launched these at the same time as Unified Branch during Cisco Live earlier this year. All models in this line are now available. The 8100, 8200, and 8300 will be particularly interesting in combination with Unified Branch. Cisco wants to reach small and medium-sized branches with these models. The 8400 is aimed at enterprise networks and large branches. The 8500 focuses on data centers.
What do Cisco 8000 Series Secure Routers add?
The Cisco 8000 Series Secure Routers are interesting for organizations for several reasons, according to Butaney. First of all, the routers have Next-Gen Firewall (NGFW) capabilities with deep packet inspection. In addition, threat protection is built in and organizations have the option of creating policies based on identity. Furthermore, SD-WAN functionality is built in. This allows you to connect the router (and thus the network) to Cisco Secure Access for Secure Access Service Edge (SASE). Third-party Security Service Edge (SSE) solutions can also connect to this. Finally, it is worth mentioning that the routers are ready for Post-Quantum Cryptography (PQC).
From a hardware perspective, we find it particularly interesting that Cisco has incorporated its own network processors into the 8000 Series Secure Routers. This is not particularly surprising, as Cisco has a very active ASIC design department. What is interesting is that this new processor can handle traffic through IPsec tunnels three times faster than previous generations. According to the spec sheets we have reviewed, the maximum IPsec throughput for this series is 63 Gbps. The maximum throughput for SD-WAN is 21 Gbps.
The above values are for the most powerful model, the 8500. It is important to bear in mind that the 8500 (and to a lesser extent the 8400) are significantly more powerful than the other models. For the entry-level model, the 8100, Cisco specifies values of 1.5 Gbps for IPsec and 900 Mbps for SD-WAN. It is therefore important to take this into account when making your choice.
Perhaps even more interesting than the throughput speeds today are the figures for energy consumption. According to Butaney, this is 40% lower than was previously the case. This obviously also improves the price-performance ratio considerably. After all, performance is increasing rapidly, while energy consumption is falling sharply.
Conclusion
All in all, Cisco has thought carefully about the direction it wants to take for branch networks. It is a full-stack approach, so relatively prescriptive. This is undoubtedly also driven by sales considerations. After all, if you can sell a complete stack in one go, including the necessary software (licenses), this will generate more revenue more quickly. At least, that is the idea.
There is nothing wrong with the above, as long as there is something in return. With the new services in Unified Branch, the Automation Toolkit in combination with the AI Assistant and AI Canvas plus the Secure Routers, Cisco is certainly offering something that organizations that fit the profile should consider, especially as the demands of AI at branch sites continue to accelerate. Of course, everything has to perform as promised, but a rollout time for branch networks of minutes, coupled with a high level of security, certainly sounds good.
On a higher level, Unified Branch fits in nicely with Cisco’s overarching full-stack approach to infrastructure lately. Only last week it launched Unified Edge (see link below for full story), a full-stack edge solution that echoes what Unified Branch is about. In fact, the two unified solutions share something. That is, if customers want a Unified Edge solution with a router integrated, that router is an 8200 Secure Router. As we noted before, the full-stack AI PODs it launched last year are more or less cut from the same cloth too.
When it comes to infrastructure, it is clear what Cisco is thinking, as far as we are concerned. Cisco sees the increase of complexity, in large part caused by the advent of AI, as a good reason to go full-stack. We think it has a good point there, even though it is up to the execution whether it will also be beneficial to partners and customers. Especially the promise to go full-stack but also remain open is one we are very eager to see fulfilled.
Also read: Cisco extends data center to the edge with Unified Edge