SD-WAN is the marketing umbrella that replaced "we just bought a bunch of MPLS circuits" as the default enterprise WAN answer. The technology underneath is older than the term, the value proposition has shifted three times since 2015, and the vendor landscape is now consolidating. This is the five-minute primer: what SD-WAN actually is, what problem it solves, and how it differs from the MPLS designs it is replacing.
For the deeper dive on the technology and configuration, see the SD-WAN complete guide. For the WAN technology it is displacing, see the MPLS pillar.
What SD-WAN is, in one sentence
SD-WAN is a software-defined overlay network that runs across whatever physical transport you happen to have: a centralized controller pushes policy down to edge devices, and the data plane picks a path per application in real time based on measured link health.
Three words in that sentence carry the weight: overlay, controller and per-application. Each answers one specific shortcoming of the traditional WAN.
What it actually replaces
The branch office WAN of 2010 looked like this:
- One MPLS L3VPN circuit from a carrier, hand-priced per location, 30 to 90 day install lead time
- A backup DSL or LTE link that the router would failover to via static routing or a slow IGP reconvergence
- All internet-bound traffic backhauled to a central data center for filtering, then back out to the cloud
- QoS was the only knob, and tuning it required carrier coordination
The branch office WAN of 2025 looks like this:
- Two or three commodity broadband circuits (cable, fiber, LTE/5G), often from different ISPs
- An SD-WAN edge device (or a cluster of them) that builds IPsec tunnels across all available transports simultaneously, so site-to-site traffic crosses the untrusted broadband underlay encrypted and authenticated
- Per-application path selection that can send Microsoft 365 traffic out the local internet break, voice traffic over the lowest-latency path, and bulk backup over the highest-throughput path, all from the same device
- Central orchestration via a controller, with policy expressed in business terms ("Office 365 gets best-quality path; YouTube gets cheapest path")
The four-plane architecture
Most SD-WAN platforms describe themselves in terms of four planes. The product names differ from vendor to vendor, but they map onto the same four roles, which helps when you read vendor docs.
| Plane | What it does | Cisco Catalyst SD-WAN name | VMware VeloCloud name |
|---|---|---|---|
| Management | The UI you log into. Policy authoring, dashboards, reports. | vManage (now SD-WAN Manager) | VCO (VeloCloud Orchestrator) |
| Control | Learns the overlay topology. Distributes routing and policy to the edges. | vSmart (now SD-WAN Controller) | VCO + Gateways |
| Orchestration | Authenticates edges, manages certificates, brokers the initial control connections. | vBond (now SD-WAN Validator) | VCO |
| Data | The edge devices themselves. They build the tunnels and forward traffic. | cEdge / vEdge | VeloCloud Edge |
Cisco's separation of vSmart (control) from vBond (orchestration) is specific to its architecture; VMware folds both into the VCO. Versa, Fortinet and Palo Alto Prisma each split the planes differently, but the conceptual model is the same. From a security standpoint the orchestration plane is the overlay's trust anchor: whatever authenticates edges and issues their certificates decides who may join the fabric, so it deserves the same protection as any other PKI.
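What "authenticates edges and manages certificates" means in practice is easier to see in code. The following is an added example written for this primer, not code from any vendor's product, and it is an assumed, simplified model of the orchestration plane's first-contact check rather than any vendor's bootstrap protocol: the edge presents a device certificate, and the orchestrator accepts it only if the certificate chains to the organization's root and the chassis serial in its subject is on the list an administrator authorized. The CA, the device certificates and the serials (EDGE-SN-0001 and friends) are all minted in memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed model for the example, not any vendor's bootstrap protocol:
// the edge shows a device certificate; the orchestrator checks (1) that it
// chains to the organization root and (2) that the chassis serial in the
// subject CN is on the administrator's authorized-device list.

var nextSerial int64 = 1 // certificate serial counter for the in-memory CA

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustSign fills in serial and validity, signs tmpl with signer, and parses the result.
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SelfSignedCA mints a throwaway organization root for the example.
func SelfSignedCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustSign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueEdgeCert signs a device certificate whose CN carries the chassis serial.
func IssueEdgeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, chassisSerial string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: chassisSerial},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustSign(tmpl, ca, &key.PublicKey, caKey)
}

// AuthenticateEdge is the orchestrator-side check. Both conditions matter:
// a valid chain alone admits every device the org CA ever signed, and the
// allow-list alone admits anyone who can put that serial into a forged cert.
func AuthenticateEdge(root *x509.Certificate, authorized map[string]bool, edge *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := edge.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("chain rejected: %w", err)
	}
	if !authorized[edge.Subject.CommonName] {
		return fmt.Errorf("serial %q is not on the authorized device list", edge.Subject.CommonName)
	}
	return nil
}

func main() {
	root, rootKey := SelfSignedCA("Example Org SD-WAN Root")
	authorized := map[string]bool{"EDGE-SN-0001": true} // constructed allow-list
	rogue, rogueKey := SelfSignedCA("Rogue Root")
	for _, c := range []struct {
		label string
		cert  *x509.Certificate
	}{
		{"authorized edge", IssueEdgeCert(root, rootKey, "EDGE-SN-0001")},
		{"org-signed but unlisted", IssueEdgeCert(root, rootKey, "EDGE-SN-0002")},
		{"forged by outside CA", IssueEdgeCert(rogue, rogueKey, "EDGE-SN-0001")},
	} {
		fmt.Printf("%-24s -> %v\n", c.label, AuthenticateEdge(root, authorized, c.cert))
	}
}
```

The third case is the one worth remembering: an attacker who controls a transport can present a certificate with the right serial, but without a signature from the organization's root it never gets a control connection. Conversely, a stolen org-signed certificate for an unlisted serial is also refused, which is why the allow-list (and its removal entries for decommissioned hardware) is part of the security boundary, not just inventory.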
The two things that make SD-WAN different from MPLS
1. Transport independence
An MPLS L3VPN is a service contract. The carrier promises a certain bandwidth between a defined set of sites, with QoS classes you negotiate up front, on a circuit they own end-to-end.
An SD-WAN overlay does not care what the underlying transport is. The edge builds IPsec tunnels across whatever IP-reachable transport you give it. Three cable modems from three different ISPs work. A 5G hotspot plus a Starlink link works. Adding a new transport is a software change on the edge, not a carrier truck-roll. The flip side is that nothing in the underlay is trusted: the confidentiality and integrity of site-to-site traffic come entirely from the IPsec tunnels and the edge authentication behind them, not from anything the ISP provides.
2. Application-aware path selection
Traditional routing makes one path decision per destination prefix, based on routing-protocol metrics. SD-WAN makes a path decision per flow, classified by application, and re-evaluates it every few seconds against real-time link telemetry (loss, latency and jitter measured by probes between the edges).
If your fiber link's loss spikes to 2% for the next 30 seconds, the edge notices, marks the path as out-of-policy for voice and video, and shifts those flows to the cable backup, while keeping bulk-backup traffic on the fiber where loss does not hurt. That decision happens at the edge, on its own probe and SLA timers (typically seconds), without a routing convergence event.
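The per-application selection described here, and the business-intent policy from the 2025 branch list above ("voice gets the best-quality path, bulk backup gets the fattest pipe, web gets the cheapest"), reduce to a small algorithm. The block below is an added example written for this primer, not code from any SD-WAN product: the SLA thresholds, the preference rules and the three transports with their telemetry are constructed values. It shows the fiber loss spike from the paragraph above moving voice to cable while backup stays on fiber, and it also handles the case the paragraph leaves implicit, where no path meets the SLA and the edge must still forward something rather than blackhole the flow.

```go
package main

import (
	"fmt"
	"sort"
)

// Path is one IPsec tunnel over one transport plus the latest probe telemetry
// the edge measured on it. Values below are constructed for the example.
type Path struct {
	Name      string
	LossPct   float64 // packet loss over the last probe window, percent
	LatencyMs float64
	JitterMs  float64
	Mbps      float64 // measured available throughput
	CostRank  int     // 0 = cheapest transport; metered LTE ranks highest
}

// SLA is an application class. A zero threshold means "no constraint";
// Prefer breaks ties among paths that meet every threshold.
type SLA struct {
	MaxLossPct, MaxLatencyMs, MaxJitterMs float64
	Prefer                                string // "latency", "throughput" or "cost"
}

// policy is the controller's business-intent table; thresholds are assumed.
var policy = map[string]SLA{
	"voice":  {MaxLossPct: 1, MaxLatencyMs: 150, MaxJitterMs: 30, Prefer: "latency"},
	"video":  {MaxLossPct: 1, MaxLatencyMs: 250, MaxJitterMs: 50, Prefer: "latency"},
	"backup": {Prefer: "throughput"},
	"web":    {Prefer: "cost"},
}

// inSLA reports whether a path currently meets every threshold of the class.
func inSLA(p Path, s SLA) bool {
	return !(s.MaxLossPct > 0 && p.LossPct > s.MaxLossPct) &&
		!(s.MaxLatencyMs > 0 && p.LatencyMs > s.MaxLatencyMs) &&
		!(s.MaxJitterMs > 0 && p.JitterMs > s.MaxJitterMs)
}

// score ranks candidates for a class; lower is better.
func score(p Path, s SLA) float64 {
	switch s.Prefer {
	case "throughput":
		return -p.Mbps
	case "cost":
		return float64(p.CostRank)
	default: // latency-sensitive classes weigh jitter as well as delay
		return p.LatencyMs + p.JitterMs
	}
}

// SelectPath picks the path for one application flow. The bool reports
// whether the SLA was met: when no path qualifies the edge still forwards,
// best effort on the least-bad path, rather than dropping the flow.
func SelectPath(app string, paths []Path) (string, bool) {
	if len(paths) == 0 {
		return "", false
	}
	s, ok := policy[app]
	if !ok {
		s = policy["web"] // unidentified traffic gets the cheapest path
	}
	var candidates []Path
	for _, p := range paths {
		if inSLA(p, s) {
			candidates = append(candidates, p)
		}
	}
	met := len(candidates) > 0
	if !met {
		candidates = append([]Path(nil), paths...)
	}
	sort.SliceStable(candidates, func(i, j int) bool {
		return score(candidates[i], s) < score(candidates[j], s)
	})
	return candidates[0].Name, met
}

// HealthyPaths is a constructed snapshot: fiber, cable and LTE all clean.
func HealthyPaths() []Path {
	return []Path{
		{Name: "fiber", LossPct: 0.1, LatencyMs: 12, JitterMs: 2, Mbps: 900, CostRank: 1},
		{Name: "cable", LossPct: 0.3, LatencyMs: 25, JitterMs: 6, Mbps: 300, CostRank: 0},
		{Name: "lte", LossPct: 0.5, LatencyMs: 45, JitterMs: 15, Mbps: 50, CostRank: 2},
	}
}

// DegradedPaths is the same snapshot during the 2% fiber loss spike from the text.
func DegradedPaths() []Path {
	paths := HealthyPaths()
	paths[0].LossPct = 2.0
	return paths
}

func main() {
	for _, app := range []string{"voice", "backup", "web"} {
		before, _ := SelectPath(app, HealthyPaths())
		after, met := SelectPath(app, DegradedPaths())
		fmt.Printf("%-7s healthy=%-6s during spike=%-6s sla_met=%v\n", app, before, after, met)
	}
}
```

Two design points carry over to real deployments. First, the SLA check and the preference are separate stages: thresholds decide which paths are eligible, the preference only orders the survivors, which is why backup keeps using the lossy fiber (it has no loss threshold) while voice leaves it. Second, the fallback when nothing is in SLA is a policy decision; forwarding on the least-bad path is the usual default, but a class that must never traverse a particular transport (for example, metered LTE) needs an explicit exclusion rather than relying on a cost rank.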
The three deployment styles
| Style | What it looks like | When organizations pick it |
|---|---|---|
| Hybrid (MPLS + broadband) | Keep the MPLS for predictable performance to the data center; add broadband for everything else. | Large enterprises with existing MPLS contracts they cannot exit yet. Transitional architecture. |
| Internet-only | Multiple broadband circuits, no MPLS. SD-WAN does the heavy lifting. | Greenfield branches, retail, healthcare. Cost-driven decision. |
| Cloud on-ramp | SD-WAN edges peer directly with cloud provider points-of-presence (Azure vWAN, AWS Cloud WAN, Google Cloud NCC). | SaaS-heavy organizations where the data center is no longer the gravitational center. |
Where SD-WAN does not help
SD-WAN is not magic. The places it routinely disappoints are predictable.
- You still need underlay bandwidth. SD-WAN cannot synthesize throughput. Three saturated cable links plus SD-WAN is still three saturated cable links.
- Latency-sensitive flows on long-haul links. If your branch is in Singapore and your data center is in Frankfurt, the speed of light is the speed of light. SD-WAN picks the best available path but cannot beat physics.
- Strict regulatory requirements for circuit isolation. Some regulated environments (defense, certain financial) still require dedicated circuits, and SD-WAN's "any IP-reachable transport" model does not pass that audit. Encrypting the overlay does not substitute, because the requirement is about the transport the traffic rides on, not about the payload.
- Branch-of-one without diverse transport. If the branch has exactly one ISP available, SD-WAN reduces to "an edge device with policy controls" with no transport-diversity benefit.
The vendor landscape in 30 seconds
| Vendor / product | Strength | Watch out for |
|---|---|---|
| Cisco Catalyst SD-WAN (Viptela) | Deepest IOS XE integration. Strong cloud on-ramps. Mature CLI. | License complexity. vManage scale ceilings on the largest deployments. |
| VMware VeloCloud (Broadcom, since sold on to Arista) | Easiest controller UX. Strong DMPO (Dynamic Multipath Optimization). | Two ownership changes in two years (VMware to Broadcom to Arista). Roadmap clarity. |
| Fortinet Secure SD-WAN | Best price/performance. Built into FortiGate firewalls so no extra appliance. | Security-vendor mindset; networking features sometimes lag. |
| Palo Alto Prisma SD-WAN (CloudGenix) | Strong app identification. Tight integration with Prisma Access SASE. | Smaller ecosystem. Premium pricing. |
| Versa Networks | Most feature-complete single-vendor SASE story. | Steepest learning curve. Smaller install base. |
Key takeaways
SD-WAN is an overlay that runs on top of any IP transport, picks paths per-application based on real-time link health, and is managed from a central controller. It replaces the static carrier MPLS model with something cheaper and more flexible, at the cost of taking the WAN architecture decision back from the carrier and putting it on your team, including the security of the overlay: its certificates, its edge authentication and its controller now sit in your threat model rather than the carrier's. If you are designing a greenfield branch network in 2026, internet-only SD-WAN is the default; MPLS shows up only when latency or compliance forces it.
For the deeper architecture and configuration walkthroughs, see the SD-WAN pillar.