Owner: Network Engineering · Platform: Cisco Catalyst SD-WAN (formerly Viptela) · Review Cycle: 6 months
The organisation is migrating all branch WAN connectivity to Cisco Catalyst SD-WAN. The platform replaces legacy MPLS-only connectivity with an active/active overlay that combines MPLS and broadband circuits, delivering improved resilience, application performance, and operational simplicity.
Rollout status: 28 of 42 sites live. Target completion: Q3 2026.
```text
            ┌─────────────────────────────────────────────┐
            │          SD-WAN Controllers (DC1)           │
            │                                             │
            │   vManage        vBond          vSmart      │
            │   (Mgmt)         (Auth)       (Policy/OMP)  │
            │   HA pair        HA pair       HA pair      │
            └──────────────────────┬──────────────────────┘
                                   │ DTLS/TLS Control Plane
         ┌─────────────────────────┼─────────────────────────┐
         │                         │                         │
┌────────▼────────┐       ┌────────▼────────┐       ┌────────▼────────┐
│ HQ Site         │       │ Branch Site A   │       │ Branch Site B   │
│ DC1 Hub vEdge   │       │ C1101-8P        │       │ C1101-8P        │
│ (Cisco C8500)   │◄─────►│ MPLS + BB       │       │ Broadband x2    │
│ MPLS + DC Link  │ IPsec └─────────────────┘       └─────────────────┘
└─────────────────┘ Overlay
```
| Component | Function | Deployment |
|---|---|---|
| vManage | Centralised GUI/API management, policy push, monitoring | On-prem VMs, HA pair |
| vBond | Authentication orchestrator for onboarding new devices | On-prem VMs, HA pair |
| vSmart | OMP route controller, policy distributor | On-prem VMs, HA pair |
| Site Type | Device | Transport | Bandwidth / Mode |
|---|---|---|---|
| Hub (DC1/DC2) | Cisco Catalyst 8500-12X4QC | MPLS + DC interconnect | 10Gbps |
| Large Branch (>100 users) | Cisco Catalyst 8300-2N2S | MPLS 100M + Broadband 250M | Active/Active |
| Standard Branch (20-100 users) | Cisco Catalyst 1101-8P | MPLS 50M + Broadband 100M | Active/Active |
| Small Branch (<20 users) | Cisco Catalyst 1101-4P | Broadband x2 | Active/Active |
| Micro / Kiosk | Cisco Meraki MX68 | Broadband | Single transport |
| Colour Label | Transport Type | Priority |
|---|---|---|
| mpls | MPLS private circuit | Primary for sensitive traffic |
| biz-internet | Business broadband (static IP) | Secondary / active load-share |
| lte | 4G/5G failover (on select sites) | Emergency failover only |
Traffic steering is driven by real-time SLA probes. Policies are centralised in vManage and pushed to all vEdge devices.
| Application | Primary Transport | Failover Condition | Failover Transport |
|---|---|---|---|
| Voice (RTP/RTCP) | MPLS | Latency >150ms or loss >1% | Biz-Internet |
| Video Conferencing | MPLS | Latency >200ms or jitter >30ms | Biz-Internet |
| SaaS (O365, Salesforce) | Biz-Internet (DIA) | Loss >2% | MPLS |
| ERP (SAP) | MPLS | Packet loss >0.5% | Biz-Internet |
| General Corporate | MPLS | MPLS down | Biz-Internet |
| Guest / Internet | Biz-Internet (DIA) | Biz-Internet down | MPLS (with restriction policy) |
Microsoft 365 and Salesforce traffic is sent direct-to-internet (DIA) at the branch using the Cloud onRamp for SaaS feature, bypassing the DC backhauling path. This reduces latency for Teams/Exchange by an average of 45ms across measured sites.
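The failover table above, modelled as a stand-alone decision function so the policy can be checked against probe results before it is pushed from vManage. This is an added example, not Cisco or vManage code: `Probe`, `SLA_RULES`, `select_transport` and `site_plan` are names chosen here, the per-colour probe values are constructed, and the rule that `lte` is tried only when both other colours are down is an assumption taken from its "emergency failover only" label.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Probe:
    """Latest SLA probe result for one transport colour (constructed values)."""
    up: bool = True
    latency_ms: float = 0.0
    loss_pct: float = 0.0
    jitter_ms: float = 0.0

# app -> (primary colour, failover colour, predicate that is True when the
# primary colour has breached the SLA in the policy table)
SLA_RULES = {
    "voice":     ("mpls", "biz-internet", lambda p: p.latency_ms > 150 or p.loss_pct > 1),
    "video":     ("mpls", "biz-internet", lambda p: p.latency_ms > 200 or p.jitter_ms > 30),
    "saas":      ("biz-internet", "mpls", lambda p: p.loss_pct > 2),
    "erp":       ("mpls", "biz-internet", lambda p: p.loss_pct > 0.5),
    "corporate": ("mpls", "biz-internet", lambda p: False),  # moves only when MPLS is down
    "guest":     ("biz-internet", "mpls", lambda p: False),  # MPLS only with restriction policy
}

def select_transport(app: str, probes: Dict[str, Probe]) -> Tuple[Optional[str], bool]:
    """Return (colour, restricted). `restricted` is True only when guest traffic
    has been moved onto MPLS and the restriction policy must apply.
    A colour absent from `probes` is treated as down; None means no usable path."""
    primary, failover, breached = SLA_RULES[app]
    down = Probe(up=False)
    p = probes.get(primary, down)
    if p.up and not breached(p):
        return primary, False
    if probes.get(failover, down).up:
        return failover, app == "guest"
    # Assumed: lte is an emergency path, used only when both other colours are down.
    if probes.get("lte", down).up:
        return "lte", False
    return None, False

def site_plan(probes: Dict[str, Probe]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Evaluate every application class for one site's current probe results."""
    return {app: select_transport(app, probes) for app in SLA_RULES}

if __name__ == "__main__":
    # Constructed scenario: MPLS latency at 160 ms moves voice but not video.
    for app, choice in site_plan({"mpls": Probe(latency_ms=160), "biz-internet": Probe()}).items():
        print(f"{app:10s} -> {choice}")
```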
All SD-WAN sites have IPsec encryption enforced on every tunnel (AES-256-GCM). Additionally:
vManage provides real-time dashboards for:
Alerts integrate with ServiceNow for auto-ticket creation and PagerDuty for P1 site-down events.
| Alert | Threshold | Action |
|---|---|---|
| Site unreachable | >5 minutes | P1 — PagerDuty |
| Single transport down | >2 minutes | P2 — ServiceNow ticket |
| SLA breach (voice) | >3 minutes | P2 — ServiceNow ticket |
| WAN utilisation | >80% sustained 1hr | Warning — Capacity review |
https://vmanage.internal