Carrier-Agnostic SD-WAN Design, Migration, and Day-2 Operations
Multi-CCIE engineers with 25 years in WAN architecture. Fixed-fee SOW — no hourly overruns. We design and migrate SD-WAN fabrics across Cisco Catalyst SD-WAN (formerly Viptela), Cisco Meraki SD-WAN, Fortinet Secure SD-WAN, HPE Aruba EdgeConnect, and Arista VeloCloud SD-WAN — with no vendor bias baked into the recommendation.
25 years of enterprise networking leadership
Multi-CCIE engineering bench
Ekahau Certified Survey Engineer (ECSE)
Minority-owned · Fixed-fee SOW on every project
SD-WAN decouples WAN transport policy from the physical circuit, letting your team swap MPLS for broadband or 5G without rewriting routing logic by hand. WiFi Hotshots engineers design, migrate, and validate enterprise SD-WAN fabrics across Cisco Catalyst SD-WAN and Fortinet SD-WAN platforms — on a fixed-fee SOW, with a multi-CCIE bench behind every engagement. If your branch traffic is failing over to LTE because MPLS latency spiked 40 ms, we find the root cause before the ticket queue does.
Our network security practice runs parallel when DIA breakout exposes new threat surfaces, and our unified communications team ensures UCaaS SLA classes are tuned before the first Webex Calling call hits the overlay.
Controller Plane Architecture
Cisco Catalyst SD-WAN runs a three-controller architecture that separates management, policy, and onboarding into discrete planes. vManage handles device configuration, template push, and REST API access for automation pipelines. vSmart functions as the OMP route reflector — it distributes TLOCs, routes, and policy across the overlay without data-plane participation. vBond handles NAT traversal and zero-touch provisioning, authenticating each new WAN Edge router before it receives a vSmart connection.
Getting these three controllers sized, HA-paired, and reachable across the underlay before you bring up a single branch router is the first place SD-WAN projects fail. Per Cisco Validated Designs, vManage requires dedicated CPU and memory headroom proportional to device count; under-provisioned controllers produce intermittent template push failures that surface as phantom config drift at scale. Fortinet’s equivalent splits management (FortiManager), analytics (FortiAnalyzer), and SD-WAN orchestration into comparable layers with analogous dependencies.
Overlay Transport and TLOC Fundamentals
Every SD-WAN path in the Cisco fabric is identified by a TLOC — a 3-tuple of system-IP, color (transport label: mpls, biz-internet, lte, etc.), and encapsulation (IPsec or GRE). OMP advertises TLOCs across the overlay the same way BGP advertises prefixes; AAR policy then matches application flows to TLOC sets that meet a defined SLA class. The default overlay encapsulation is IPsec ESP-in-UDP using AES-GCM-256, with an effective MTU of 1442 bytes for IPsec tunnels and 1468 bytes for GRE.
Overlay ports default to UDP 12346 with fallbacks at 12366, 12386, 12406, and 12426 for NAT traversal scenarios. A single-transport deployment — MPLS only, for example — eliminates the failover path that makes SD-WAN worth deploying. We always require a minimum of two diverse transports per site before signing off on a design.
BFD Telemetry and SD-WAN AAR SLA Classes
Application-Aware Routing uses real-time BFD telemetry — loss percentage, latency in milliseconds, and jitter in milliseconds — to score each tunnel and redirect flows when a tunnel falls outside its SLA class thresholds. BFD hello-interval is configurable from 100 ms to 310,000 ms; the AAR enhanced multiplier default is 6, meaning a tunnel is declared degraded after 6 missed hellos.
Sub-second path detection is achievable at 100–200 ms intervals with a multiplier of 3, but this configuration requires a stable transport baseline first — running aggressive BFD intervals on a residential broadband circuit with inherent jitter produces false positives and constant path flapping. Real-time traffic classes (voice, interactive video) should use Enhanced AAR with FEC and packet duplication enabled. Flat SLA class design — one class for everything — is the second-most-common configuration mistake we inherit on brownfield migrations, after single-transport deployment.
On Fortinet SD-WAN, the equivalent mechanism is the Performance SLA probe: default probe interval is 500 ms (configurable from 20 ms to 3,600,000 ms), using ICMP, HTTP, DNS, or TCP-echo; per FortiOS documentation, probe failure thresholds and SLA targets map directly to link health monitors that drive policy routing decisions. For independent SLA verification after go-live, our network validation practice runs synthetic traffic tests against each SLA class to confirm AAR is steering as designed.
Cloud OnRamp and Multicloud Path Optimization
Cloud OnRamp operates across three deployment modes. In SaaS mode, the vEdge/WAN Edge router probes multiple paths — direct internet, regional DIA, and backhauled MPLS — to destinations like Microsoft 365, Salesforce, and Webex, then steers each application to the best-performing path in real time. In IaaS/Multicloud mode, a transit VPC or VNet in AWS, Azure, or GCP anchors SD-WAN connectivity into cloud-hosted workloads, extending the overlay into the cloud fabric without a dedicated circuit.
In Colocation mode, regional hubs at Equinix or CoreSite aggregate branch traffic and hand it off to cloud or SaaS providers with optimal peering. DIA breakout through any of these modes without a SASE integration layer leaves PCI, HIPAA, or CIPA-regulated traffic exposed on the open internet. We co-design SASE integration — Cisco Umbrella SIG tunnel, Zscaler ZIA, or Palo Alto Prisma Access — as part of every DIA-enabled SD-WAN deployment, not as an afterthought.
Vertical Fit: Where SD-WAN Engineering Matters Most
Retail chains operating 50 or more stores need PCI DSS segment isolation at every branch, zero-touch provisioning for new-store standup, and Cloud OnRamp SaaS steering for POS cloud back-ends. A flat hub-and-spoke topology beyond approximately 50 sites creates a vSmart policy bottleneck and a single-region failure domain — regional mesh or regional hub design is the correct architecture at that scale.
Multi-site healthcare organizations require EMR application SLA classes with defined latency and loss thresholds, HIPAA-compliant IPsec encryption on every tunnel (AES-GCM-256 at the overlay layer satisfies the technical control), and burst capacity for DICOM imaging transfers that would otherwise saturate a fixed MPLS committed information rate.
Enterprise branch consolidation from MPLS to broadband-plus-LTE requires a UCaaS SLA class specifically tuned for the codec in use — G.711 or Opus — with packet loss tolerance typically below 1% and jitter below 30 ms; our UC migration team validates codec behavior against the overlay SLA before cutover. K-12 districts using E-Rate-funded broadband as primary with LTE backup benefit from SD-WAN’s automatic failover and the ability to route CIPA-mandated SIG tunnel traffic regardless of which uplink is active.
Our campus LAN practice handles the underlay refresh that makes SD-WAN uplink diversity viable when existing switching infrastructure lacks the port density or PoE budget for WAN Edge router deployment.
A site list with circuit types, current bandwidth, and existing router/firewall model per location gives us everything needed to scope the migration. Most engagements are scoped and quoted within two business days.
Frequently asked questions
How does the SD-WAN migration preserve application performance during the cutover from MPLS?
We run MPLS and SD-WAN fabrics in parallel during cutover — typically four to eight weeks for the parallel-run window at small deployments under 10 locations; mid-market deployments of 20-50 sites commonly require 10-16 weeks once underlay circuits are provisioned; large enterprise migrations are phased over multiple quarters. Application-aware routing policies using DPI classification are configured and validated on the SD-WAN overlay before MPLS is decommissioned at each site. For Cisco Catalyst SD-WAN, this means TLOC preference policies pinning latency-sensitive traffic (VoIP marked DSCP EF, video marked DSCP AF41) to MPLS until equivalent SLA thresholds are confirmed on the broadband paths. No site goes live without a documented SLA confirmation test.
What carrier circuits does an SD-WAN design actually support, and does it change the vendor choice?
SD-WAN runs on any IP-routed underlay: DIA broadband, cable, LTE/5G, Starlink for remote sites, and private MPLS. Carrier selection is independent from the SD-WAN platform — we assess existing circuit contracts before recommending a platform, because circuit diversity (at least two diverse underlay paths per site) matters more than the SD-WAN vendor brand. Fortinet Secure SD-WAN and HPE Aruba EdgeConnect both handle asymmetric underlay speeds well; Cisco Catalyst SD-WAN requires IPsec tunnel sizing math against SD-WAN Controller capacity at large site counts (500+ sites) — a multi-controller deployment is typically required at that scale. SASE integration path also factors into platform selection: Cisco Catalyst SD-WAN pairs with Cisco Secure Access (Umbrella); Fortinet with FortiSASE; HPE Aruba EdgeConnect with Axis Security; any platform integrates with Zscaler ZIA as a cloud SSE overlay.
Can SD-WAN replace a traditional DMVPN or MPLS hub-and-spoke design at a regulated site?
Yes, with segmentation controls validated against your compliance framework first. DMVPN Phase 2 and Phase 3 can be replaced by SD-WAN overlay in most enterprise designs — the dynamic IPsec mesh is automated rather than statically provisioned. Environments running EIGRP or multicast over DMVPN require a separate routing migration plan alongside the SD-WAN cutover. For HIPAA, PCI-DSS, or SOX-scoped environments, we design VPN segmentation at the SD-WAN VRF level so regulated and non-regulated traffic traverse separate overlay segments. Cisco Catalyst SD-WAN supports up to 300 VPN segments (VRFs) in the overlay by default; Release 17.13.1a extended this to 2,000 VRFs for large-scale segmentation deployments. Fortinet Secure SD-WAN uses VDOM-based segmentation with per-VPN NGFW policy enforcement, satisfying most PCI DSS Requirement 1 network segmentation audit requirements.