The SD-WAN Playbook: Smarter, secure network for modern enterprises

SD-WAN has held its place as the gold standard in enterprise networking for more than a decade. In 2025 it faces new pressure from AI-heavy applications, cloud-first architectures, and rising traffic volumes. In this environment SD-WAN is evolving while keeping the principles that made it trusted.


Summary


This playbook explains:

  • SD WAN in the modern enterprise
  • What you need to know now
  • How it works with AI and cloud first applications
  • Where MPLS still fits
  • How to blend SD WAN with MPLS
  • How to roll out an SD-WAN network
  • How SASE and platforms such as Cisco Meraki are shaping the next era

1. SD-WAN vs MPLS: The shift in enterprise network connectivity

MPLS: The legacy backbone


For two decades, Multiprotocol Label Switching (MPLS) was the market standard for enterprise WAN connectivity. It offered predictable performance, low latency, and strict service level agreements that carriers were contractually obligated to meet. This made it ideal for applications like voice, video conferencing, ERP systems, and financial transactions where even minor delays or packet loss could cause problems.

MPLS circuits are private links between sites, meaning they do not share bandwidth with the public internet. This isolation is part of what makes them reliable, but it also makes them expensive. Provisioning a new MPLS connection often requires months of lead time.

Organizations are typically locked into multi-year contracts, and increasing bandwidth can be slow and costly. In global networks, these constraints are more pronounced when carriers have limited reach in certain regions, forcing the business to manage multiple provider contracts.

SD-WAN: The new model


Software-Defined Wide Area Networking (SD-WAN) changes the economics and flexibility of WAN design. Instead of relying on a single private underlay like MPLS, SD-WAN creates a secure overlay that can run on any transport such as broadband, dedicated internet access (DIA), 5G, LTE, or satellite.

SD-WAN continuously measures link performance, including latency, jitter, and packet loss, and routes each application flow along the best available path. This can happen in real time without manual intervention. A Teams call can move from a degraded broadband circuit to LTE without the user noticing.

Because SD-WAN is transport-agnostic, organisations can use multiple ISPs and connection types at a site. This reduces reliance on a single carrier and speeds up site activation by allowing the use of whatever connectivity is available immediately.


Why this matters for modern networks


Enterprise traffic patterns have shifted. With cloud platforms like Microsoft 365, Salesforce, AWS, and Azure, a large portion of enterprise traffic now flows directly between branch sites and the internet. Backhauling all this traffic through a central MPLS link adds latency and creates bottlenecks.

SD-WAN enables direct-to-cloud connections while maintaining centralized security and performance policies. MPLS can be kept where it adds value, such as for critical real-time applications, while more general traffic is moved to lower-cost internet paths.


Example in practice


A global retailer with 500 locations using an MPLS-only model waits up to four months for new sites to go live. By deploying SD-WAN, it can open sites in days using broadband and LTE, then add DIA for higher capacity when available. MPLS is retained for payment processing and voice traffic, while other workloads use internet links. The result is faster growth, lower costs, and more resilient connectivity.

[Diagram: MPLS vs SD-WAN for enterprise]

2. What SD-WAN is and how it works in a modern WAN

Defining SD-WAN

Software-Defined Wide Area Networking separates the control of traffic from the physical connections that carry it. Instead of configuring routers and firewalls at each site independently, SD-WAN provides a centralised control plane that manages traffic across the entire WAN.

The control plane communicates with edge devices at branch offices, data centers, and cloud gateways. These devices forward packets while the control plane decides the most efficient route for each flow based on application type, performance requirements, and real-time link conditions.

The overlay and underlay model 

SD-WAN uses an overlay network on top of existing underlay connections. The underlay can be any mix of broadband, DIA, LTE, 5G, satellite, or MPLS. The overlay contains the intelligence that encrypts traffic, makes routing decisions, and optimises performance.

Multiple providers and connection types can be used at the same site. This avoids reliance on a single carrier and creates redundancy and cost control.

Real-time performance management

SD-WAN monitors each link in real time, measuring latency, jitter, and packet loss. If a link drops below a set performance threshold, the system automatically reroutes traffic to a better-performing link. For example, voice traffic can always take the lowest-latency path, while file transfers use the most available bandwidth.

Security built in

All overlay traffic is encrypted. Many SD-WAN platforms integrate with cloud-based security services or on-premises firewalls so that security policies are applied consistently. Network segmentation can be used to separate sensitive traffic from general business applications, which is essential for compliance-heavy industries.

Example in practice

A manufacturer with plants in multiple countries connects sites with local broadband, regional DIA, and LTE backup. The SD-WAN overlay routes traffic based on application priority and link quality. If a plant’s broadband connection develops high jitter, voice and video traffic move to DIA while file downloads stay on the degraded link, all without user intervention.

3. Key Benefits of SD-WAN

SD-WAN improves performance, security, and flexibility by using all available network paths intelligently instead of relying on a single connection type.

  • End to end security: Traffic is encrypted between sites and users. Segmentation keeps sensitive workloads isolated. SD-WAN integrates with existing firewalls and cloud security so one policy covers the whole estate. This reduces configuration drift and simplifies audits.

  • Real time performance optimization: The platform measures latency, jitter, and packet loss every few seconds. If a path degrades, traffic automatically moves to a healthier link. Voice and video stay stable. File transfers keep moving.

  • Cloud application performance: Local breakout avoids hairpinning — the slow detour through a central site — so apps connect over the shortest, best-quality path. Microsoft 365, Salesforce, Webex, AWS and similar apps open faster and calls sound clearer.

  • Consistency for hybrid and remote work: Policies follow the user to any location — branch, home, or hotel. Same controls. Same experience. That means fewer support calls and less troubleshooting across locations.

  • Cost control and flexibility: Keep MPLS for workloads that truly need it. Use DIA, broadband, and LTE for the rest.

  • Resilient link design: Active-active links use all available capacity at once for more bandwidth and instant failover. Active-standby keeps a second link ready for critical sites without doubling spend.

4. When to deploy SD-WAN in your global network

SD-WAN delivers the most value in global networks where performance, security, and agility must be maintained across diverse sites, connections, and application needs.

Multiple sites with inconsistent performance

If branches in different regions experience unstable connections, SD-WAN continuously monitors link quality. When the primary path degrades, it automatically shifts critical traffic — like voice or video — to a backup link so work continues without interruption.

Heavy use of cloud and SaaS applications

For organizations running Microsoft 365, Salesforce, AWS, or similar services, local breakout sends traffic directly to the internet instead of detouring through a central data centre. This improves speed, reduces congestion, and frees data centre bandwidth for workloads that need it.

Unified security across locations

SD-WAN enforces one centralised security policy for every site, whether it is a headquarters, branch, or remote office. This keeps access controls, segmentation, and encryption consistent, reducing configuration errors and simplifying compliance audits.

Mergers, acquisitions, and rapid expansion

When you need to bring new sites online quickly, SD-WAN can be deployed over any available connectivity — DIA, broadband, LTE — while still enforcing corporate security and performance policies. This shortens time-to-service for new locations.

Redundancy without doubling costs

Instead of paying for two premium circuits, SD-WAN uses lower-cost connections as active backups or in active-active mode for extra bandwidth. This provides resilience while keeping spend under control.

5. SD-WAN architecture explained

SD-WAN brings together central control, automation, and real-time traffic decisions to keep the network fast, secure, and easy to manage.

· Control plane

The control plane is the brain of the SD-WAN. It holds the central policy engine that defines how traffic is routed, how quality of service (QoS) is applied, and how security rules are enforced. Hosted in the cloud or a central data centre, it communicates with every site to keep configurations consistent. This centralisation removes the need for manual device-by-device updates.

· Data plane

The data plane lives at the network edge, in physical or virtual SD-WAN devices. It forwards packets, applies encryption, and enforces the policies it receives from the control plane. By processing traffic locally, the data plane ensures minimal latency while keeping sensitive data secure in transit.

· Orchestration

Orchestration automates deployment, provisioning, and policy updates across all sites. It connects the control plane to the data plane, pushing changes instantly without manual intervention. Zero-touch provisioning allows new locations to come online simply by powering up a device, with configuration handled remotely.

· Dynamic path selection

Dynamic path selection works in real time, continuously checking link metrics like latency, jitter, and packet loss. Based on these measurements, it directs each application flow — or even each packet — over the best available path. This keeps voice, video, and critical data flows stable even during network degradation.

How it works together

The control plane defines the rules, orchestration pushes them out, the data plane applies them to live traffic, and dynamic path selection ensures every flow uses the optimal path. Together, they provide a network that is fast, resilient, and easy to manage.
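The threshold-based path selection described in sections 2 and 5 (per-class latency, jitter and loss limits; voice takes the lowest-latency healthy path, bulk transfers take the most free bandwidth; a flow only moves when its current link breaches its SLA) is shown below as an added illustration. This is example code written for this page, not Cisco Meraki's or BCM One's implementation; the link metrics, class policies and the `allowed_transports` pin (which keeps a compliance-bound class such as payment traffic on MPLS rather than spilling it onto internet links, as in the retailer example in section 1) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Link:
    name: str
    transport: str      # constructed labels: "mpls", "dia", "broadband", "lte"
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    free_mbps: float    # bandwidth currently unused on the link

@dataclass(frozen=True)
class ClassPolicy:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer: str                                     # "latency" or "bandwidth"
    allowed_transports: Optional[frozenset] = None  # None means any transport

def meets_sla(link: Link, policy: ClassPolicy) -> bool:
    """A link is healthy for a class when all three metrics are within its thresholds."""
    return (link.latency_ms <= policy.max_latency_ms
            and link.jitter_ms <= policy.max_jitter_ms
            and link.loss_pct <= policy.max_loss_pct)

def _rank_key(policy: ClassPolicy):
    # Voice-style classes want the lowest latency; bulk classes want the most free capacity.
    if policy.prefer == "bandwidth":
        return lambda l: -l.free_mbps
    return lambda l: (l.latency_ms, l.jitter_ms, l.loss_pct)

def select_path(policy: ClassPolicy, links, current: Optional[str] = None):
    """Return (link_name, status) where status is 'ok', 'degraded' or 'no-path'."""
    eligible = [l for l in links
                if policy.allowed_transports is None or l.transport in policy.allowed_transports]
    if not eligible:
        return None, "no-path"          # pinned class with no permitted transport present
    healthy = [l for l in eligible if meets_sla(l, policy)]
    # Stickiness: never move a flow whose current link still meets its SLA (avoids flapping).
    if current is not None and any(l.name == current for l in healthy):
        return current, "ok"
    if healthy:
        return min(healthy, key=_rank_key(policy)).name, "ok"
    # No permitted link meets the SLA: best effort, but still only on permitted transports.
    return min(eligible, key=_rank_key(policy)).name, "degraded"

# Constructed policies and link measurements (not real site data).
VOICE = ClassPolicy("voice", 150, 30, 1.0, "latency")
BULK = ClassPolicy("bulk", 500, 200, 5.0, "bandwidth")
PAYMENT = ClassPolicy("payment", 100, 20, 0.5, "latency", frozenset({"mpls"}))

# Plant site: broadband has developed high jitter (45 ms), DIA and LTE are clean.
PLANT_LINKS = [Link("broadband", "broadband", 25, 45, 0.2, 400),
               Link("dia", "dia", 18, 3, 0.0, 150),
               Link("lte", "lte", 60, 12, 0.5, 40)]

# Store site: MPLS plus broadband, once healthy and once with 2% loss on MPLS.
STORE_LINKS_OK = [Link("mpls", "mpls", 15, 2, 0.0, 20),
                  Link("broadband", "broadband", 20, 5, 0.1, 500)]
STORE_LINKS_MPLS_LOSSY = [Link("mpls", "mpls", 15, 2, 2.0, 20), STORE_LINKS_OK[1]]

def plant_decisions():
    """Voice leaves the jittery broadband link; the bulk download stays on it."""
    return {"voice": select_path(VOICE, PLANT_LINKS, current="broadband"),
            "bulk": select_path(BULK, PLANT_LINKS, current="broadband")}

def store_decisions():
    """Payment traffic stays on MPLS even when MPLS degrades; it never falls to broadband."""
    return {"payment_ok": select_path(PAYMENT, STORE_LINKS_OK),
            "payment_mpls_lossy": select_path(PAYMENT, STORE_LINKS_MPLS_LOSSY),
            "payment_no_mpls": select_path(PAYMENT, STORE_LINKS_OK[1:])}

if __name__ == "__main__":
    print(plant_decisions())
    print(store_decisions())
```

The "degraded" and "no-path" statuses are what an operator would alert on: a pinned class running best-effort, or a site where the required transport is absent, is a policy problem to fix rather than something to route around silently.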

6. Deployment models for Managed SD-WAN services

Choosing the right SD-WAN deployment model depends on how much control you want, the skills and resources in your team, and the compliance or performance demands of your network. Managed Connectivity underpins every SD-WAN deployment model by ensuring the underlying circuits are monitored, supported, and optimized. Whether the platform is fully outsourced, run in-house, cloud-hosted, or appliance-based, Managed Connectivity provides the consistent, carrier-agnostic performance needed for the SD-WAN to work as intended.

Fully Managed

The service provider handles design, deployment, monitoring, and ongoing operation. They source and manage connectivity from multiple carriers, apply security policies, and handle incident resolution. When combined with Managed Connectivity, this model delivers complete visibility and control over both the SD-WAN layer and the underlying circuits, ensuring consistent performance across every site.

Who it’s for:
  • Multi-site, distributed enterprises with networks spanning multiple regions and using several carriers.
  • Businesses who want a single point of accountability with minimal in-house management.


DIY (do it yourself)

The enterprise owns, configures, and manages every aspect of the SD-WAN platform. This includes sourcing circuits, maintaining security policies, updating software, and resolving incidents. Managed Connectivity can still play a role here by consolidating carrier relationships under a single contract while leaving the SD-WAN platform under in-house control.

Who it’s for:
  • Businesses with a skilled in-house network team, established carrier relationships, and 24/7 operational coverage.


Cloud-delivered

The control plane and orchestration tools are hosted by the vendor in their cloud environment. Enterprises connect to the vendor’s points of presence (POPs) for policy management and monitoring. Managed Connectivity ensures the last-mile links to those POPs are monitored and supported, reducing performance gaps caused by circuit issues.

Who it’s for:
  • Businesses who need to deploy quickly, have sites in regions with strong POP coverage, and want minimal on-site infrastructure.


Appliance-based

All control and data plane functions run on physical or virtual appliances at the customer’s premises. Policies are managed locally, and traffic can be kept entirely within the customer network for compliance or security reasons. Paired with Managed Connectivity, this model gives regulated industries such as healthcare, government, and finance end-to-end control over traffic paths and encryption keys while still gaining proactive circuit monitoring and issue resolution.

Who it’s for:
  • Businesses where compliance or data sovereignty rules require local control over traffic paths and encryption keys.

Deployment model | Description | It's for you if...
Fully managed | Provider designs, deploys, monitors, and operates the SD-WAN. Manages connectivity from multiple carriers, applies security policies, and resolves incidents. When combined with Managed Connectivity, delivers end-to-end visibility and performance control across all sites. | Your network spans multiple regions, uses several carriers, and you want a single point of accountability with minimal in-house management.
DIY (Do It Yourself) | Enterprise owns, configures, and manages all aspects of the SD-WAN, including sourcing circuits, maintaining policies, updates, and troubleshooting. Managed Connectivity can simplify carrier management while keeping SD-WAN control in-house. | You have a skilled in-house network team, established carrier relationships, and 24/7 operational coverage.
Cloud-Delivered | Control plane and orchestration tools are hosted by the vendor. Enterprises connect to the vendor’s POPs for policy and monitoring. Managed Connectivity ensures last-mile links are monitored and supported. | You need to deploy quickly, have sites in regions with strong POP coverage, and want minimal on-site infrastructure.
Appliance-Based | All control and data plane functions run on physical or virtual appliances at customer premises. Traffic and policies stay local for maximum control. Managed Connectivity adds proactive circuit monitoring and support. | Compliance or data sovereignty rules require local control over traffic paths and encryption keys.

7. SD-WAN vs MPLS

MPLS isn’t extinct – it’s just no longer the default. In the right situations, it still delivers reliability and control that even the best SD-WAN design can’t replace.

While SD-WAN brings flexibility and cost advantages, MPLS still has a place in certain network designs. It remains a reliable option when performance, regulation, or local infrastructure demands it.

When to keep MPLS:

· Regions with poor broadband or DIA availability – In areas where internet quality is unpredictable, MPLS offers stable, guaranteed performance.

· Regulatory or compliance mandates – Some industries require private, controlled circuits for sensitive workloads, making MPLS the simplest compliance path.

· Ultra-low-latency applications – Trading systems, industrial control, or voice platforms in high-traffic hubs may benefit from MPLS’s predictable routing.

· Hybrid deployments – MPLS can be retained for critical workloads while SD-WAN handles the rest, reducing cost without compromising reliability.

8. SD-WAN and SASE

SD-WAN and SASE aren’t rivals so much as two halves of a bigger picture. One focuses on moving traffic the smartest way possible. The other wraps that traffic in a cloud-first security framework.

SD-WAN is about performance and control. It steers traffic across the best available path, blends different link types, and keeps application experiences consistent. Security is often integrated from existing tools or added as a separate layer.

SASE (Secure Access Service Edge) folds SD-WAN’s routing intelligence into a package that also delivers security services from the cloud — things like secure web gateways, CASB (Cloud Access Security Broker), firewall-as-a-service, and zero-trust network access. The goal is to put both networking and security as close to the user or device as possible.

Key differences:

· Scope: SD-WAN manages performance and traffic steering; SASE adds a full stack of security controls.

· Deployment: SD-WAN can be on-prem, cloud-hosted, or hybrid; SASE is delivered from the cloud by design.

· Security: SD-WAN connects to security tools; SASE builds them in.

· Fit: SD-WAN is ideal for multi-site optimisation and hybrid networks; SASE suits businesses ready to combine networking and security into one cloud service.

9. Planning a successful SD-WAN deployment

A smart SD WAN rollout is not just about swapping boxes or turning up circuits. The right plan avoids downtime, protects critical traffic, and ensures your investment delivers from day one.

Step 1. Discovery

Map the network as it exists today.

  • Inventory every site, circuit, and connection type.
  • Document bandwidth, latency, and usage patterns.
  • List the applications in play — from Microsoft 365 and Salesforce to voice, video, and any specialist workloads.
  • Capture where your security controls sit and where compliance requirements must be met.


Step 2. Design

Translate business priorities into technical policies.

  • Define routing rules for each traffic class.
  • Set QoS so real-time apps get priority.
  • Decide how you will segment traffic for security and compliance.
  • Plan the underlay mix — broadband, DIA, 5G, MPLS — for each site based on performance and availability.
  • Align the SD WAN design with your SASE or cloud security strategy so network and security policy are unified.

Step 3. Pilot

Run the new design in a controlled group of sites.

  • Pick locations with different link types, user counts, and application mixes so you can test across real-world conditions.
  • Monitor performance closely.
  • Validate failover and application steering.
  • Fine-tune routing and QoS before scaling out.


Step 4. Migration

Roll out in phases that match contract end dates, seasonal workloads, or business priorities.

  • Start with lower-risk sites to build confidence, then move to high-traffic or mission-critical locations.
  • Use zero-touch provisioning and pre-staged policies to cut activation time.
  • Keep MPLS or legacy WAN links in place until each site’s cutover is stable.


Step 5. Adoption

Train the teams who will operate and support the SD WAN.

  • Show them the dashboard, alerting, and troubleshooting tools.
  • Create playbooks for common scenarios.
  • Gather feedback from users to catch any application or workflow issues.
  • Refine policies over time to match changing traffic patterns, new apps, or shifts in business priorities.

10. How BCM One Delivers Managed SD-WAN and Connectivity

BCM One delivers SD-WAN as a fully managed service, combining Cisco Meraki’s cloud-managed platform with our global carrier access and 24/7 support.

We design the architecture, pre-stage Meraki hardware, and ship it ready to plug in. All sites are managed through the Meraki dashboard, with traffic steered in real time based on application type and link performance. Our VitalView™ platform monitors the network around the clock, handling issues and ISP escalations before they reach your team.

With reach in over 80 countries, we source and manage connectivity from DIA and broadband to 5G and LTE. Security and segmentation policies are built in, aligned with your compliance needs, and kept consistent across every site. AI-driven analytics predict and prevent performance problems, keeping voice, video, and critical apps stable.

11. Frequently asked questions

What is SD WAN?

SD WAN is a software-defined overlay that runs on top of any mix of connections — broadband, DIA, 5G, LTE, or MPLS. It measures link performance in real time and automatically routes each application along the best path based on centralised policies. The result is a network that adapts instantly to changing conditions without manual intervention.

Is there still a place for MPLS?

Yes. MPLS still delivers predictable, low-latency performance for workloads where milliseconds matter, such as financial trading, industrial control systems, or high-quality voice. It’s also valuable in regions with poor broadband options or where regulatory requirements favour private links.

Can SD WAN and MPLS work together?

Yes. Many enterprises run a hybrid WAN, keeping MPLS for critical real-time traffic while using SD WAN over internet connections for cloud, SaaS, and general workloads. This approach balances performance, resilience, and cost, and allows for a gradual migration from MPLS where it makes sense.

How does SD WAN work with Cisco Meraki?

Cisco Meraki provides the cloud-managed SD WAN platform, with control and policy management handled through a single dashboard. BCM One manages the design, deployment, and ongoing operation, sourcing and managing global connectivity, integrating security policies, and monitoring performance 24/7 to keep the WAN stable and secure.

Will SD WAN improve Teams or Webex performance?

Yes — when designed correctly. With proper QoS settings, SD WAN can prioritise voice and video, route them over the lowest-latency link, and provide direct-to-cloud breakout to avoid unnecessary backhaul. Continuous link monitoring means the system can move a Teams or Webex call to a cleaner path mid-session without the user noticing.

Ready to scale with smarter SD-WAN?

BCM One combines Cisco Meraki’s intelligent SD-WAN platform with global managed connectivity to deliver faster, more secure, and more resilient networks.

Find out how our experts can transform your network.