Frequently Asked Questions

Straight answers to the most common SD-WAN and SASE questions. No sales pitches.

Getting Started

What exactly is SD-WAN?

SD-WAN (Software-Defined Wide Area Network) decouples networking hardware from its control mechanism. It uses software-based controllers to intelligently route traffic across multiple connection types—MPLS, broadband internet, LTE/5G—based on application requirements, network conditions, and business policies.

How does SD-WAN differ from traditional WAN?

Traditional WANs rely on MPLS circuits with backhauled traffic through centralized data centers. SD-WAN provides centralized management, intelligent path selection, direct cloud access, and the ability to use lower-cost internet connections while maintaining enterprise-grade reliability.

Is SD-WAN a replacement for MPLS?

SD-WAN can complement or replace MPLS depending on your requirements. Many organizations adopt a hybrid approach, using MPLS for latency-sensitive traffic while offloading less critical traffic to broadband. Others fully replace MPLS with multiple internet connections.

What are the primary use cases for SD-WAN?

Common use cases include: connecting branch offices to cloud applications, enabling secure work-from-home, supporting M&A integration, improving application performance, reducing WAN costs, and providing business continuity through connection diversity.

Business Case & ROI

What ROI can I expect from SD-WAN?

Most organizations achieve ROI within 12-24 months through: reduced MPLS costs (30-50% savings), elimination of expensive router hardware, reduced IT operational overhead (up to 50% reduction in WAN management time), and improved productivity.

How much does SD-WAN cost?

DIY deployments typically range from $100-500 per site monthly for software licensing, plus hardware ($500-3,000 per appliance). Managed SD-WAN services range from $300-1,500 per site monthly, including management and support.

What are the hidden costs of SD-WAN?

Potential hidden costs include: professional services for deployment, staff training, integration with existing security infrastructure, bandwidth upgrades at branches, ongoing management tools, and potential vendor lock-in costs.

Technical

Does SD-WAN replace my firewall?

Maybe. Most enterprise SD-WAN appliances have a stateful firewall built in, which is fine for basic branch security. However, for compliance-heavy industries (healthcare, finance), you likely need SASE (cloud firewall) or a dedicated next-generation firewall (NGFW).

Can I install SD-WAN myself (DIY)?

Yes, if you are comfortable with routing protocols (BGP/OSPF), IP addressing, and managing IPsec tunnels. The "Zero Touch" marketing is a half-truth: it's "Zero Touch" for the install, but "Heavy Touch" for the design.

How much money will I actually save?

Typically 30-50% on monthly recurring costs (OpEx), after the hardware payoff period (12-18 months). The savings come from firing your MPLS provider and negotiating cheap broadband.

Can SD-WAN support real-time applications like voice and video?

Yes. SD-WAN's intelligent path selection and QoS capabilities make it well-suited for real-time applications. Features like forward error correction, packet duplication, and dynamic path switching ensure optimal performance.

What happens if my SD-WAN controller goes down?

Well-designed SD-WAN solutions continue operating during controller outages. Edge devices maintain local routing intelligence and established tunnels remain active. New policy updates are queued until connectivity is restored.

Does SD-WAN work with cloud providers like AWS and Azure?

Absolutely. Most SD-WAN vendors offer virtual appliances for major cloud platforms. Many also provide direct cloud on-ramps and optimized connectivity to SaaS applications like Microsoft 365 and Salesforce.

Implementation

How long does SD-WAN deployment typically take?

Pilot deployments: 4-8 weeks. Full enterprise rollouts: 6-18 months depending on site count. Zero-touch provisioning can accelerate deployment to 50+ sites per week once processes are established.

Can I migrate gradually or do I need a big-bang approach?

Gradual migration is recommended. Most organizations deploy to 5-10 pilot sites first, then expand in phases. This reduces risk and allows for process refinement.

What skills does my team need for SD-WAN management?

For DIY deployments: networking fundamentals, routing protocols (BGP, OSPF), security concepts, and vendor-specific platform knowledge. Managed service deployments require less technical depth.

What are common implementation pitfalls?

Common pitfalls include: inadequate initial assessment, underestimating bandwidth requirements, insufficient security planning, poor change management, inadequate testing, and failure to establish baseline metrics.

Vendor Selection

How do I choose between SD-WAN vendors?

Evaluate based on: technical capabilities matching your requirements, total cost of ownership, integration with existing infrastructure, security architecture, management interface usability, and customer references in your industry.

Should I be concerned about vendor lock-in?

Yes. Mitigate by: choosing solutions with standard protocols, maintaining documentation, understanding migration costs upfront, and considering multi-vendor strategies for large deployments.

DIY vs. Managed: How do I decide?

Choose DIY if you have strong networking expertise, unique requirements, and want maximum control. Choose managed if you need rapid deployment, have limited internal resources, or prefer predictable costs.


Glossary of Terms

The language of modern networking, decoded.

Application-Aware Routing
The ability to identify an app (e.g., Zoom) by inspecting packets and steering it to the best path based on real-time conditions.
BFD (Bidirectional Forwarding Detection)
A rapid failure detection protocol that can detect link failures in milliseconds, enabling fast failover.
CASB (Cloud Access Security Broker)
Sits between cloud service consumers and providers to enforce security policies, prevent data loss, and provide visibility.
DIA (Direct Internet Access)
A dedicated internet circuit with an SLA. Guaranteed bandwidth and symmetrical speeds vs. shared broadband.
FEC (Forward Error Correction)
Adding parity packets to a stream so the receiver can reconstruct lost packets without retransmission—critical for voice/video.
FWaaS (Firewall as a Service)
A full Layer 7 Next-Gen Firewall delivered from the cloud provider's POP. Scales infinitely, no hardware lifecycle.
Jitter
The variation in latency between packets. High jitter makes voice calls sound robotic and video stutter.
MPLS (Multiprotocol Label Switching)
A private, dedicated WAN technology with guaranteed SLAs. Reliable but expensive per megabit.
NaaS (Network as a Service)
Consuming network infrastructure as an operational expense service rather than owning and managing hardware.
Overlay Network
A virtual network built on top of physical infrastructure. SD-WAN creates encrypted tunnels over any transport.
Packet Duplication
Sending the same packet down multiple paths simultaneously. First to arrive wins—eliminates loss for critical traffic.
PoP (Point of Presence)
A cloud provider's edge location where traffic enters their backbone. More PoPs = lower latency.
SASE (Secure Access Service Edge)
The convergence of SD-WAN networking with cloud-delivered security (SWG, CASB, ZTNA, FWaaS).
SSE (Security Service Edge)
The security half of SASE—cloud-delivered security without the networking component.
SWG (Secure Web Gateway)
URL filtering, malware scanning, and content inspection for web traffic—delivered from the cloud.
Underlay
The physical transport (MPLS, broadband, LTE) that carries the overlay network's encrypted traffic.
VRF (Virtual Routing and Forwarding)
Technology that allows multiple routing tables to coexist on the same router—enables network segmentation.
ZTNA (Zero Trust Network Access)
Replaces VPN with identity-based access. Users connect to specific apps, not the entire network.
ZTP (Zero Touch Provisioning)
Ship a device to a site; it auto-configures by contacting a cloud controller. No on-site engineer needed.
