Enterprise SD-WAN Deployment: Lessons From the Field

SD-WAN sales pitches do not survive contact with a real enterprise WAN. Here is what works, what does not, and how to deploy without breaking the business.

By Raza Ahmad
Technology Author & IT Infrastructure Specialist

Why SD-WAN exists

Traditional enterprise WANs were built on MPLS — reliable, expensive, and slow to provision. SD-WAN replaces the carrier-managed routing with software-defined overlays on commodity internet links. The promise is lower cost, faster deployment, and application-aware routing.

The promise is real. The execution determines whether you realize it.

The major platforms

Cisco Catalyst SD-WAN (formerly Viptela), VMware VeloCloud, Fortinet Secure SD-WAN, and Versa Networks are the established enterprise platforms. Each has a credible product. The differentiation is in the operational model and the integration with the rest of your security and networking stack.

If you already operate Cisco, Catalyst SD-WAN's integration with the broader Cisco stack is worth the lock-in. If you operate Fortinet firewalls, Secure SD-WAN is the obvious complement. Lead with operational fit, not feature comparison.

Underlay matters more than overlay

SD-WAN does not fix bad internet. A dual-broadband site with 4G failover gives the overlay something to work with; a single asymmetric DSL link does not. Plan the underlay before designing the overlay.

For critical sites, retain at least one MPLS or dedicated circuit alongside the broadband links. The cost saving is real but does not justify outages.
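To make the underlay point concrete, here is an added example (not from the original article or any vendor's product) of SLA-based path selection, the core of application-aware routing, run against constructed probe measurements for a dual-broadband site and a single-DSL site. The SLA thresholds, class names, link names and measurements are illustrative assumptions, not vendor defaults.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True

@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

# Assumed SLA classes; thresholds are illustrative only.
SLA = {
    "voice": Sla(150, 30, 1.0),
    "saas": Sla(250, 60, 2.0),
    "bulk": Sla(500, 100, 5.0),
}

def meets(link, sla):
    """True if a live link satisfies every threshold of the SLA class."""
    return (link.up and link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms
            and link.loss_pct <= sla.max_loss_pct)

def select_path(app_class, links):
    """Return (link_name, sla_met). Prefer SLA-compliant links, ranked by
    loss, then latency, then jitter. If none comply, fall back to the
    least-bad live link and report sla_met=False so the gap is visible."""
    sla = SLA[app_class]
    live = [l for l in links if l.up]
    if not live:
        return (None, False)
    rank = lambda l: (l.loss_pct, l.latency_ms, l.jitter_ms)
    compliant = [l for l in live if meets(l, sla)]
    if compliant:
        return (min(compliant, key=rank).name, True)
    return (min(live, key=rank).name, False)

def site_report(links):
    """Path decision per application class for one site's underlay."""
    return {app: select_path(app, links) for app in SLA}

# Constructed probe measurements for two site designs.
DUAL_SITE = [Link("broadband-a", 35, 8, 0.2), Link("broadband-b", 48, 12, 0.1),
             Link("lte-failover", 90, 40, 1.5)]
DSL_SITE = [Link("adsl", 180, 55, 3.0)]
```

On the single-DSL site the selector still returns a path for voice and SaaS traffic, but with the SLA flag false: the overlay has nothing better to choose, which is the condition to alert on during a pilot.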

Security integration is the hard part

SD-WAN backhauls traffic to a security stack. Where that stack lives — on-prem firewalls, regional hubs, cloud-delivered SSE (Zscaler, Netskope, Cisco Umbrella) — defines the architecture.

Secure Access Service Edge (SASE) is the marketing term for SD-WAN plus cloud-delivered security. For greenfield deployments, SASE is increasingly the default. For brownfield, plan the migration in phases — security policy first, traffic redirection second.

Deployment patterns that work

Pilot on three sites that span the use case range: a large headquarters, a typical branch, and an edge site with constrained connectivity. Run the pilot for at least 90 days. Build the operational runbooks during the pilot, not after.

Phase the broader rollout by region. Carry MPLS in parallel for at least one quarter per region before decommissioning. The cost of parallel running is much less than the cost of a failed cutover.

What kills SD-WAN projects

Underestimating the application discovery work. Application-aware routing requires accurate application categorization, which requires both a good DPI engine and disciplined exception handling.

Treating SD-WAN as a network project when it is a security and application project. The networking team can install the hardware; the broader change requires the security team and the application owners.

Frequently asked questions

Reader questions, answered

Can we drop MPLS entirely?

For most sites, yes — eventually. For critical sites with hard latency requirements, keep one dedicated circuit.

Is SASE the same as SD-WAN?

No. SASE is SD-WAN plus cloud-delivered security (SWG, CASB, ZTNA, FWaaS) as an integrated service.

About the author

Raza Ahmad is a technology author and IT infrastructure specialist based in Melbourne, Australia. He writes practitioner-grade guides on cloud computing (Azure and AWS), cybersecurity, enterprise networking with Cisco platforms, Linux administration, DevOps, and virtualization. His work focuses on translating complex infrastructure topics into clear, accurate guidance that engineers, system administrators, and IT decision makers can put to work in production environments. Every article published under his byline is fact-checked against current vendor documentation, official standards, and Raza's own hands-on experience operating the technologies he covers.