Skip to content
SASE Platform Decision Guide 2026 | Intelligent Visibility
IVI SASE Platform Decision Guide · 2026

The SASE Decision
Your Network Will Live With

Every vendor calls their platform SASE. The architectures underneath are fundamentally different — and choosing wrong means managing that mismatch for the next five to seven years. This guide explains the three approaches IVI actually deploys and what drives the right choice for each environment.

IVI's position: We design and manage all three architectures — VeloCloud + Zscaler, VeloCloud + Palo Alto Prisma Access, and Cato Networks. Our recommendation is based on your existing investments, team structure, and what you're connecting together — not on which partnership benefits us most. This guide explains our reasoning.
70%

of SD-WAN purchases will be part of a SASE offer by 2028 — up from 25% in 2025 (Gartner)

3

distinct architectures IVI deploys — each with a different operational model and visibility profile

1

key differentiator for the Arista approach: unified visibility from branch WiFi to data center to cloud

5

questions that determine which architecture matches your environment and operating model

Context

SASE Is an Architecture, Not a Product

Gartner coined "Secure Access Service Edge" in 2019 to describe the convergence of WAN networking and network security into a cloud-delivered service. Every vendor now calls their platform SASE. What that actually means varies enormously under the hood.

A complete SASE architecture addresses two functionally distinct layers. Understanding where the boundary is — and which vendor covers what — is the foundation of every platform decision.

SD-WAN / Networking Layer
🔀App-aware WAN routing & DMPO path optimization
🔌Zero-touch branch provisioning
🛡️Edge stateful firewall / IPS / IDS
WAN failover & transport bonding
👁️Campus switching + WiFi management (Arista only)
🏢Data center + cloud routing via CloudEOS (Arista only)
SSE / Security Service Edge Layer
🌐Secure Web Gateway — URL filtering, SSL inspection
🔒ZTNA — identity-based private app access replacing VPN
☁️CASB — SaaS visibility, shadow IT, data controls
🚧FWaaS / DLP / advanced threat prevention
📡Digital Experience Monitoring (DEM / DEX)
The core question: Should these two layers come from a single platform that owns both (simpler operations, less per-layer control) — or from best-of-breed components assembled together (deeper per-layer capability, broader integration surface, richer end-to-end visibility)? The answer depends on your existing investments, team structure, what you're connecting, and what you need to see across your entire network.

The Three Architectures IVI Deploys

Each represents a different answer to that question — with a different operational model, management surface, security depth profile, and observability reach.

Architecture A

VeloCloud + Zscaler

Best-of-breed: SD-WAN + ZIA/ZPA

Arista VeloCloud handles the WAN underlay and edge security. Zscaler ZIA/ZPA delivers cloud SSE via automated IPsec tunnels from the VeloCloud Orchestrator. CloudVision unifies VeloCloud with campus switching and WiFi.

🔀Arista: VeloCloud + Campus + WiFi + CloudEOSNetworking
☁️Zscaler ZIA + ZPASSE
Architecture B

VeloCloud + Prisma Access

Best-of-breed: SD-WAN + Palo Alto SSE

Arista VeloCloud handles the WAN underlay. Palo Alto Prisma Access delivers SSE with App-ID depth and Panorama-unified policy across on-premises NGFWs and cloud-delivered security. CloudVision unifies the full network fabric.

🔀Arista: VeloCloud + Campus + WiFi + CloudEOSNetworking
🛡️Palo Alto Prisma AccessSSE
Architecture C

Cato Networks

Single-platform SASE

Cato's single-pass cloud engine delivers both SD-WAN and the full SSE security stack from one platform, one console, and one private global PoP backbone. Requires a separate campus networking stack for LAN and WiFi.

Cato: SD-WAN + full SSEPlatform
🔲Campus / DC / Cloud: separate stackNot included
Arista Differentiator

The Network Fabric Advantage: CloudVision End to End

The Arista best-of-breed architectures (A and B) offer something Cato cannot: a single unified management and observability plane that spans the entire enterprise network — from branch WiFi through campus switching, across the WAN, through the data center fabric, and into cloud routing. This is the operational case that enterprise infrastructure teams often weight more heavily than the SASE platform comparison itself.

Arista Architecture A or B: Unified Network Fabric
Remote User
VeloCloud Edge Client VeloRAIN path optimization
Branch / Site
Arista WiFi (CloudVision managed) Arista Campus Switching (EOS) VeloCloud Edge (VCE)
WAN
VeloCloud Orchestrator (VCO) DMPO over broadband / LTE / MPLS
Data Center
Arista VXLAN/EVPN fabric (EOS) CloudEOS cloud routing
Cloud
CloudEOS on AWS / Azure Arista AI Networking (GPU clusters)
CloudVision (CVP) manages, monitors, and provides telemetry across ALL LAYERS ABOVE
Cato Architecture C

Cato's SD-WAN and SSE run over its private PoP backbone — but campus switching, WiFi, data center fabric, and cloud routing are outside Cato's platform. Each requires a separate management stack. When a user reports a performance issue, the investigation spans Cato's console, your campus network tools, and your data center monitoring — separately.

What This Means for Mean Time to Innocence

Mean Time to Innocence (MTTI) — the time it takes to determine that the network layer you manage is not the cause of a problem — is where unified observability pays back every day. When a user reports that an application is slow:

Arista Architecture A or B

CloudVision provides a correlated view across every hop: WiFi signal quality at the branch → campus switch port health → VeloCloud path metrics → data center fabric latency → CloudEOS cloud path performance. The entire network path from the user's device to the application is visible in one platform, from one telemetry source.

Result: 1 platform. MTTI measured in minutes.
Cato Architecture C

Cato's console shows the WAN and security layer clearly. But WiFi and campus switching are on a separate platform (Arista, Cisco, or otherwise) with separate telemetry. Data center and cloud routing are outside Cato's view entirely. Correlating the full path requires switching between platforms and manually reconciling timestamps and metrics.

Result: Multiple platforms. MTTI measured in tens of minutes.
CloudEOS specifically: Arista's CloudEOS brings EOS routing into AWS and Azure — the same operating system and CloudVision management that runs your campus switches and VeloCloud WAN. For organizations with significant cloud workloads, this closes the last visibility gap in the path. A performance problem between a branch user and an AWS-hosted application can be traced through every Arista-managed hop end to end.
Decision Framework

Five Questions to Find Your Architecture

Answer honestly — there's no right answer. The result reflects what IVI would recommend based on your environment and operating model.

Question 1 of 5

Do you have existing enterprise security investments with Palo Alto or Zscaler?

Existing NGFWs, licenses, Panorama deployments, or active vendor relationships.

Question 2 of 5

How are your Network and Security teams structured?

This is one of the most predictive factors for SASE architecture fit.

Question 3 of 5

How much of your enterprise network does Arista currently manage?

This determines how much you'd gain from CloudVision's unified observability across the full network path.

Question 4 of 5

What best describes your current WAN situation?

Where you're starting from shapes how much architectural change you're taking on.

Question 5 of 5

Which best describes your most important security depth requirement?

This reflects what the SSE layer needs to deliver for your compliance and security posture.

Architecture Deep-Dives · Comparison Matrix · Vendor Questions

The Full Technical Picture

Enter your email to unlock the complete architecture guides, 15-dimension comparison matrix, and the 15 questions to ask in every SASE vendor conversation.

  • Architecture A: How the VCO-to-Zscaler IPsec tunnel works, management plane split, and when ZPA replaces VPN
  • Architecture B: VeloCloud Non-VeloCloud Site integration, Panorama unified policy across on-prem and cloud
  • Architecture C: Cato's single-pass SPACE engine, private PoP backbone, and the campus stack tradeoff
  • Unified CloudVision fabric: How VeloCloud, campus switching, WiFi, and CloudEOS share a management plane — and what that means for DEM and MTTI
  • 15-dimension comparison matrix across all three architectures
  • 15 questions to ask any SASE vendor that reveal what the platform actually covers

IVI respects your privacy. No spam. Unsubscribe anytime.

Architecture A — Deep Dive

Arista VeloCloud + Zscaler ZIA/ZPA

VeloCloud handles the WAN networking underlay and edge security. Zscaler delivers the cloud SSE layer via automated IPsec tunnels from the VeloCloud Orchestrator. The entire Arista network fabric — VeloCloud, campus switching, WiFi, and CloudEOS data center/cloud routing — is unified under CloudVision for end-to-end observability.

Active Partnership: The Zscaler/Arista joint Business Development Guide (v2.0, January 2026) documents automated simultaneous provisioning of new branches and security services from the VeloCloud Orchestrator. This is a production-validated, commercially supported integration — not a DIY implementation.

How the Architecture Works

Branch User Arista WiFi (CUE) Campus Switch (EOS) VeloCloud Edge (VCE) VeloCloud Gateway (VCG) Zscaler ZIA PoP Internet / SaaS
Remote User Zscaler Client Connector Zscaler ZPA Private App (ZTNA)
Data Center Arista VXLAN/EVPN fabric CloudEOS (AWS / Azure) Cloud workloads
Management CloudVision (VeloCloud + Campus + WiFi + CloudEOS) + Zscaler Admin Console (SSE layer)

VCO automatically provisions redundant IPsec tunnels from the nearest VeloCloud Gateway to the closest Zscaler PoP. Only internet-bound traffic goes to Zscaler; internal routing stays on the VeloCloud DMPO overlay. CloudVision provides telemetry across all Arista-managed infrastructure.

What Each Layer Provides

Arista VeloCloud Provides

  • DMPO — real-time multipath selection across all WAN transports
  • VeloRAIN AI/ML predictive path optimization
  • 4,000+ application awareness and policy routing by app identity
  • Stateful edge firewall / IPS / IDS at every branch
  • Zero-touch provisioning via VCO — branches self-configure on first boot
  • Automated IPsec tunnel provisioning to Zscaler PoPs
  • Service chaining — internet-bound traffic steered to Zscaler inline

Zscaler Provides

  • ZIA — Secure Web Gateway, cloud firewall with IPS, SSL/TLS inspection
  • CASB — SaaS visibility, shadow IT discovery, DLP enforcement
  • Advanced Threat Protection — sandboxing, zero-day malware inspection
  • Zscaler Private Access (ZPA) — ZTNA replacing VPN for all users
  • DNS Security — inline inspection and sinkholing
  • Digital Experience Monitoring (ZDX) — user experience analytics
  • Zscaler Deception — active threat intelligence within ZIA
CloudVision Unified Fabric — Architecture A

Because VeloCloud WAN, Arista campus switching, Arista WiFi (CloudVision UNO / CUE), and CloudEOS data center and cloud routing all run EOS and report to CloudVision, the entire network path from a branch user's laptop through to an AWS workload is visible in one management plane. A user experience complaint becomes a structured investigation — not a multi-platform guessing exercise.

BRANCH
WiFi + Switch + VCE — one telemetry source
WAN + DC
VeloCloud + VXLAN/EVPN fabric — same platform
CLOUD
CloudEOS on AWS/Azure — EOS in the cloud

Ideal For

  • Existing Zscaler investments or ZIA/ZPA enterprise agreements
  • NetOps and SecOps as distinct teams with separate tooling and procurement
  • Organizations where cloud-first Zero Trust and proxy-model SSL inspection is the SSE preference
  • Arista-primary campus/data center environments where CloudVision fabric extension matters
  • Buyers who want maximum SSE vendor choice without Palo Alto commitment

Honest Tradeoffs

  • Two management consoles: VCO for networking, Zscaler Admin for SSE
  • Zscaler's proxy architecture differs from NGFW-model inspection — some protocol implications for legacy apps
  • Policy coordination across platforms requires operational discipline
  • Zscaler DEM (ZDX) and CloudVision DEM are separate tools — not fully correlated
  • Two vendor support relationships and license contracts
Architecture B — Deep Dive

Arista VeloCloud + Palo Alto Prisma Access

VeloCloud handles the WAN networking underlay. Palo Alto Prisma Access delivers SSE with full App-ID enforcement and Panorama-unified policy across on-premises NGFWs and cloud-delivered security. CloudVision unifies the complete Arista fabric for end-to-end observability.

Native Integration: Palo Alto's official documentation includes a dedicated VeloCloud SD-WAN solution guide under Prisma Access integrations. The VeloCloud Orchestrator configures Non-VeloCloud Site (NVS) IPsec tunnels to Prisma Access service IPs — a well-documented, production-supported architecture. IVI's SD-WAN page states explicitly: "Integrate VeloCloud with Zscaler, Prisma Access, and Netskope."

How the Architecture Works

Branch User Arista WiFi (CUE) Campus Switch (EOS) VeloCloud Edge (VCE) Non-VeloCloud Site (NVS) Prisma Access PoP Internet / SaaS
Remote User GlobalProtect Agent Prisma Access ZTNA Private App
Data Center PA-Series NGFW (on-prem) + CloudEOS routing Cloud workloads
Management CloudVision (VeloCloud + Campus + WiFi + CloudEOS) + Panorama / Strata Cloud Manager (all PA-Series + Prisma Access)

VCO creates NVS IPsec tunnels to Prisma Access service IPs. Internet-bound traffic is steered by VeloCloud routing policy through the tunnel for Palo Alto inspection. Panorama provides unified policy across on-premises PA-Series firewalls and Prisma Access — the same App-ID profiles, security policies, and threat prevention configurations apply on-prem and in the cloud.

What Each Layer Provides

Arista VeloCloud Provides

  • Same DMPO, VeloRAIN, app-aware routing, edge firewall as Architecture A
  • NVS tunnel provisioning to Prisma Access service IPs via VCO
  • Application-level policy to steer only internet-bound traffic to Prisma Access
  • CloudVision unified fabric across WiFi, campus, WAN, DC, and cloud
  • Consistent ZTP deployment model regardless of SSE vendor choice

Palo Alto Prisma Access Provides

  • App-ID — application classification consistent with on-premises PA-Series firewalls
  • Full SSL/TLS inspection with Palo Alto threat prevention profiles
  • Wildfire — cloud-based zero-day malware analysis and prevention
  • ZTNA via GlobalProtect — identity + device posture-based private app access
  • CASB / SaaS Security — inline and out-of-band SaaS data protection and DLP
  • Panorama unified policy — on-prem NGFW rules and Prisma Access policy share the same framework
  • Strata Cloud Manager — single management for all Palo Alto assets
The Dual Unified Management Advantage — Architecture B

Architecture B gives enterprises two powerful unified planes operating in complementary roles: CloudVision unifies all Arista network infrastructure (WAN + campus + WiFi + DC + cloud routing) for network operations and DEM. Panorama / Strata Cloud Manager unifies all Palo Alto security infrastructure (on-premises NGFWs + Prisma Access) for security policy and inspection consistency. Both teams get their unified management plane; neither compromises.

Ideal For

  • Existing Palo Alto NGFW investments where consistent security policy on-prem and cloud matters
  • Regulated industries (financial services, healthcare, government) requiring NGFW-model inspection depth
  • SecOps teams who operate Panorama and want Prisma Access under the same policy framework
  • Arista-primary campus/data center environments gaining full CloudVision observability
  • Organizations where App-ID behavioral detection is a compliance requirement

Honest Tradeoffs

  • Two management planes — CloudVision for networking, Strata/Panorama for security
  • Prisma Access licensing is typically higher cost than Zscaler at equivalent feature depth
  • Palo Alto's ZTNA (GlobalProtect) requires agent deployment across the user population
  • Integration testing required when upgrading either VeloCloud or Prisma Access independently
  • Two vendor support relationships and license contracts
Architecture C — Deep Dive

Cato Networks Single-Platform SASE

Cato built SD-WAN and the full SSE security stack on one cloud-native platform from the ground up. One management console, one policy framework, one private PoP backbone, one support contract. The right architecture when operational simplicity matters as much as per-layer security depth — with a clear-eyed understanding of where the management boundary sits.

IVI's honest framing: Cato delivers on its operational simplicity promise. It is genuinely one platform, not two products bolted together. The tradeoff IVI discusses explicitly with every Cato evaluation: Cato covers the WAN and SSE layers — campus switching, WiFi, data center fabric, and cloud routing are outside Cato's platform and require a separate management stack. For IVI customers already on Arista, this creates a visibility seam that the best-of-breed architectures do not have.

How the Architecture Works

Branch Cato Socket (edge appliance) Cato Private Backbone PoP Single-pass SPACE engine Internet / SaaS / private apps
Remote User Cato Client Nearest Cato PoP Unified SSE inspection + ZTNA
Campus LAN Arista / Cisco / Meraki (separate stack) Cato Socket (WAN uplink only)
Data Center Arista / Cisco DC fabric (separate stack) Cato IPsec or vSocket
Management Cato Management Application (WAN + SSE) + Separate tools for campus / DC / cloud

Cato Sockets connect physical locations to the nearest Cato PoP over broadband, LTE, or MPLS. All traffic — SD-WAN routing and security inspection — is processed in a single pass inside the PoP by the SPACE engine. Campus switching and WiFi connect to the Cato Socket at the WAN uplink but are managed separately.

What the Cato Platform Provides

Networking

  • SD-WAN with active/active or active/standby transport
  • Private global backbone — 85+ PoPs, owned fiber
  • WAN optimization and QoS
  • Zero-touch site provisioning via Socket
  • AI-driven path optimization (Cato Neural Edge)

Security (SSE 360)

  • NGFW / FWaaS — stateful inspection with application awareness
  • Secure Web Gateway (SWG)
  • CASB — inline and out-of-band SaaS protection
  • ZTNA / Universal ZTNA — clientless and client-based
  • IPS, DNS security, DLP, RBI, sandboxing

AI / Analytics

  • Single data lake for all networking and security events
  • AI Security — governance for generative AI interactions and AI agents (Aim acquisition, 2025)
  • Unified threat intelligence and detection correlation
  • Terraform provider for IaC-driven management
  • 80+ SIEM/SOAR integrations
The Observability Boundary — Important for Cato Evaluations

Cato provides excellent visibility into what happens between the Cato Socket and the application — the WAN path, security inspection, and application-level performance for Cato-managed traffic. The visibility boundary is the Socket itself.

VISIBLE IN CATO
  • WAN path performance Socket → PoP → destination
  • Security events and policy enforcement
  • Remote user experience via Cato Client
  • SaaS application quality (Cato DEX module)
OUTSIDE CATO'S VIEW
  • Campus switch port and WiFi performance
  • Branch LAN between user device and Socket
  • Data center fabric performance and routing
  • Cloud routing and VPC/VNet networking

Ideal For

  • Organizations replacing both WAN and branch security appliances simultaneously
  • Lean IT teams managing both networking and security where one console is operationally essential
  • Environments where campus networking is already a separate managed service and the WAN/SSE seam is acceptable
  • Organizations without committed Palo Alto or Zscaler investments who want a clean-start SASE
  • Mid-market and high-site-count deployments where Cato's Socket simplicity and NaaS licensing model fits

Honest Tradeoffs

  • Campus switching, WiFi, data center fabric, and cloud routing require a separate management platform — observability seam at the branch LAN edge
  • MTTI for user experience problems that originate in campus or DC layer requires cross-platform investigation
  • Less per-layer control than best-of-breed — Cato's NGFW inspection model is less granular than PA App-ID
  • All-in on one vendor for both networking and security; platform changes require migrating both simultaneously
  • Cato PoP coverage matters — validate against your specific geographies
15-Dimension Comparison

Architecture Comparison Matrix

A direct evaluation across the dimensions that drive SASE platform decisions — scored honestly based on IVI's operational experience with all three.

Dimension A: VeloCloud + Zscaler B: VeloCloud + Palo Alto C: Cato Networks
NETWORKING
WAN path optimization ●●● DMPO + VeloRAIN AI/ML ●●● Same VeloCloud DMPO ●●● Cato private backbone
Zero-touch provisioning ●●● VCO ZTP — branches auto-configure ●●● Same VCO ZTP ●●● Cato Socket plug-in
Edge stateful firewall / IPS ●●● VeloCloud built-in edge security ●●● VeloCloud + PA-Series on-prem ●●● Cato NGFW at PoP
Campus switching + WiFi management ●●● CloudVision (EOS campus + CUE WiFi) ●●● CloudVision (EOS campus + CUE WiFi) ●○○ Requires separate stack
Data center + cloud routing visibility ●●● CloudEOS (AWS/Azure under CloudVision) ●●● CloudEOS + PA-Series in cloud ●○○ Outside Cato's platform
SECURITY SERVICE EDGE (SSE)
Secure Web Gateway ●●● Zscaler ZIA inline proxy ●●● Prisma Access SWG ●●● Cato SWG
ZTNA / VPN replacement ●●● Zscaler ZPA — agentless and agent ●●● Prisma Access + GlobalProtect ●●● Cato Universal ZTNA
CASB / SaaS security depth ●●● Zscaler CASB — inline + SSPM ●●● Palo Alto CASB — deep SaaS control ●●○ Cato CASB — improving rapidly
App-ID / NGFW inspection depth ●●○ Zscaler proxy model — strong URL/DNS ●●● Palo Alto App-ID — full NGFW depth ●●○ Cato NGFW — app-aware, not App-ID
On-prem/cloud policy consistency ●○○ Separate Zscaler and on-prem frameworks ●●● Panorama unifies PA-Series + Prisma Access N/A No on-prem PA equivalent
OPERATIONS & OBSERVABILITY
Management console(s) ●●○ 2 planes: CloudVision + Zscaler Admin ●●○ 2 planes: CloudVision + Strata/Panorama ●●● 1 plane: Cato Management App
End-to-end DEM / path visibility ●●● Full path: WiFi → campus → WAN → DC → cloud in CloudVision ●●● Same as A, plus PA-Series at DC perimeter ●●○ WAN + SSE path visible; campus/DC require separate tools
Mean Time to Innocence (MTTI) ●●● Unified telemetry — correlate any hop instantly ●●● Unified telemetry — correlate any hop instantly ●●○ Good for WAN/SSE; seam at campus and DC
Existing investment leverage ●●● Maximizes Arista + Zscaler spend ●●● Maximizes Arista + Palo Alto spend ●●○ Requires replacing or running alongside campus stack
Operational simplicity ●●○ Best-of-breed requires coordination discipline ●●○ Best-of-breed requires coordination discipline ●●● One platform — lowest operational overhead per WAN+SSE function

●●● = Strong capability    ●●○ = Solid with caveats    ●○○ = Not native to this platform

Vendor Evaluation

15 Questions to Ask in Every SASE Conversation

These questions are designed to reveal the operational reality behind platform marketing claims. They apply across all three architectures — and the quality of the answers tells you as much as the answers themselves.

Networking & WAN

01

Where exactly does the WAN path performance visibility end? Show me where on the network diagram your management plane stops providing telemetry.

02

If a branch user reports an application is slow, how do I determine in your platform whether the problem is the WiFi, the campus switch, the WAN path, the security inspection, the data center, or the cloud application? Walk me through it.

03

What happens to branch sites during a Zscaler or Prisma Access outage? Does VeloCloud's edge firewall maintain policy enforcement, or is there a gap?

04

How are VeloCloud WAN upgrades coordinated with SSE platform upgrades? Who manages the compatibility matrix?

Security Depth

05

For regulated applications — healthcare, financial services, or government workloads — can you show me the inspection audit trail for a specific transaction from branch user to application? What does the compliance evidence look like?

06

Is SSL/TLS inspection enforced inline for all traffic through this architecture, or are there scenarios where inspection is bypassed? What are the policy exceptions?

07

For ZTNA: how is device posture assessed, and what happens when a device fails posture check? Is the fallback to VPN or is access denied?

08

How is security policy maintained for on-premises applications that aren't routed through the SSE layer? Is that traffic visible to the same security platform?

Operations & Integration

09

Show me a demo of a real incident investigation — not a happy path. A user at a branch says Teams is choppy. Walk me through how you identify root cause using this platform in real time.

10

How many separate management consoles does this architecture require for steady-state operations? Include all networking and security layers.

11

What does a policy change workflow look like? From request to enforcement, how many systems are touched, and how is the change documented for audit?

12

How do you handle new application onboarding for ZTNA? Who updates the policy, in which console, and what's the change propagation time?

Commercial & Lifecycle

13

What does the support model look like when a problem spans both the VeloCloud and SSE layers? Who do we call first, and how does joint escalation work between the two vendors?

14

What is the licensing model if we need to add sites, users, or capabilities mid-contract? Are there ratchet clauses, and what's the process for reducing licenses if we divest sites?

15

What is Arista's roadmap for tighter CloudVision integration with VeloCloud — specifically for unified telemetry and policy correlation? What is on the roadmap in the next 12 months?

Getting Started

IVI's SASE Engagement Roadmap

How IVI takes an organization from platform decision to fully managed, optimized SASE — across any of the three architectures.

1

WAN and Security Assessment

We document your current WAN topology, circuit inventory (with contract renewal dates), security stack, MPLS cost model, and observability coverage. We assess network readiness for cloud voice and SSE traffic patterns. Output: current-state documentation, gap analysis, contract renewal schedule, migration readiness scorecard.

2

Architecture Decision Workshop

Based on assessment findings, IVI presents all three architectures with honest tradeoffs — including the CloudVision unified fabric value if you're Arista-primary, the existing SSE vendor leverage if you're on Palo Alto or Zscaler, and the operational simplicity case for Cato. We don't recommend before we understand your environment.

3

Reference Architecture Design

Full architecture design for the selected path: VeloCloud Orchestrator configuration, SSE integration design (tunnel configuration, policy framework, identity integration), CloudVision unified management design (where applicable), and site migration sequence aligned to MPLS contract renewals.

4

Pilot Deployment

Two to three pilot sites — typically headquarters and a representative branch type. Parallel operation with existing WAN and security infrastructure. Performance baseline on both transports. Policy validation. Failover testing. The pilot closes before we commit to the broader rollout.

5

Phased Site Rollout

Site-by-site deployment aligned to your MPLS renewal calendar. Pre-staged hardware shipped to site, auto-configured via ZTP. IVI coordinates field installation. Each site is onboarded and validated against the baseline before proceeding to the next batch. MPLS circuits retired on schedule.

6

Aegis Managed Operations

Post-deployment, your environment transitions to Aegis managed operations: 24/7 monitoring across all management planes, incident response with runbooks calibrated to your environment, configuration management, software lifecycle tracking, and quarterly operational reviews. IVI manages the complexity; you retain full visibility and control.

How IVI Engages

IVI Manages All Three Architectures

We don't recommend a platform and hand you documentation. We design it, deploy it, and operate it through Aegis — with the context of having deployed all three architectures across real enterprise environments.

🔍

Assessment & Platform Selection

Current-state WAN and security assessment, architecture recommendation based on your environment, honest platform comparison with IVI's operational experience on all three.

⚙️

Design & Deployment

Reference architecture design, phased migration execution aligned to MPLS renewals, VeloCloud and SSE integration configuration, CloudVision unified fabric setup where applicable.

📡

Aegis Co-Managed Operations

24/7 monitoring across all management planes, incident response, configuration management, software lifecycle, and quarterly business reviews. Your team governs; Aegis operates.

Quick Reference

Architecture Selection Quick Reference

Use this as a fast-path guide before your first IVI conversation.

Architecture A: VeloCloud + Zscaler

  • Choose when: Active Zscaler investment or agreement
  • Choose when: Separate NetOps and SecOps teams
  • Choose when: Cloud-first Zero Trust is primary SSE goal
  • Benefit: Full CloudVision fabric: WiFi → WAN → DC → Cloud
  • Tradeoff: Two management consoles (VCO + Zscaler Admin)
  • Best industry fit: Tech, retail, multi-site enterprise

Architecture B: VeloCloud + Palo Alto

  • Choose when: Existing Palo Alto NGFW / Panorama
  • Choose when: Regulated industry — PCI, HIPAA, FedRAMP
  • Choose when: App-ID inspection depth is a compliance requirement
  • Benefit: Dual unified planes: CloudVision + Panorama — both teams win
  • Tradeoff: Higher licensing cost than Zscaler; two vendor relationships
  • Best industry fit: Financial services, healthcare, government

Architecture C: Cato Networks

  • Choose when: Lean team managing both net and security
  • Choose when: No committed PA/Zscaler investment to leverage
  • Choose when: Replacing WAN + security appliances together
  • Tradeoff: Campus/DC/cloud visibility seam — plan separately
  • Tradeoff: Less per-layer control than best-of-breed
  • Best fit: Mid-market, high site count, operational simplicity priority
If you're already Arista-primary on campus and data center: The unified CloudVision + VeloCloud + CloudEOS fabric is a significant operational advantage over Cato that the SASE platform comparison alone doesn't capture. The DEM and MTTI benefit of a single visibility platform across your entire network path — branch WiFi through campus switching through WAN through data center through cloud — is the argument that often settles the platform decision for Arista-heavy shops.