What SD-WAN and MPLS are and why the choice matters in 2026
SD-WAN (Software-Defined Wide Area Network) uses software overlays to intelligently route traffic across multiple transport links—broadband, LTE, MPLS—while MPLS (Multiprotocol Label Switching) is a Layer 2.5 protocol that forwards packets using pre-established label-switched paths through a carrier's private backbone. The fundamental difference: SD-WAN decouples the control plane from the transport, enabling application-aware routing over commodity internet circuits, while MPLS relies on carrier-provisioned paths with fixed SLAs. In 2026, Indian enterprises face a critical inflection point as MPLS contracts expire and cloud-first architectures demand direct internet breakouts that MPLS topologies cannot efficiently support.
The decision between SD-WAN and MPLS is no longer binary. Most production networks in India now run hybrid models—MPLS for mission-critical ERP traffic between headquarters and regional offices, SD-WAN overlays for SaaS access and branch internet breakout. Cisco India deployments at banking clients like ICICI and HDFC demonstrate this pattern: MPLS circuits remain for core banking applications requiring deterministic latency, while SD-WAN tunnels handle Office 365, Salesforce, and guest Wi-Fi traffic. Understanding when each technology excels—and how to architect the transition—directly impacts network uptime, cloud application performance, and total cost of ownership over a three-year refresh cycle.
At Networkers Home's HSR Layout lab, we maintain both a live MPLS topology (using Cisco CSR1000v routers with MPLS VPN configurations) and a Cisco SD-WAN fabric (vEdge routers, vSmart controllers, vManage orchestrator) so students can compare forwarding behavior, failover times, and policy enforcement side-by-side. Our Cisco SD-WAN course in Bangalore includes hands-on labs where you configure both technologies and measure the performance delta using iPerf and Wireshark—skills that Cisco India and Akamai India interviewers explicitly test during technical rounds.
How MPLS works under the hood
MPLS operates by assigning a 32-bit label to each packet at the ingress Label Edge Router (LER). This label—inserted between the Layer 2 header and the Layer 3 IP header—encodes the forwarding equivalence class (FEC), which groups packets that receive identical treatment. Label Switch Routers (LSRs) in the provider core perform label swapping: they examine only the MPLS label, swap it for the next-hop label according to the Label Information Base (LIB), and forward the packet without inspecting the IP header. At the egress LER, the label is popped and the original IP packet is delivered to the destination network.
The label distribution protocol—typically LDP (Label Distribution Protocol) or RSVP-TE (Resource Reservation Protocol with Traffic Engineering extensions)—builds the label-switched paths (LSPs). LDP operates in downstream-unsolicited mode: each router advertises labels for its local prefixes to all LDP neighbors, and routers build their forwarding tables by correlating these labels with IGP routes. RSVP-TE, used for traffic engineering, establishes explicit paths with bandwidth reservations by sending PATH messages downstream and RESV messages upstream, creating a bidirectional LSP with guaranteed resources.
MPLS VPNs (RFC 4364) extend this architecture for multi-tenant isolation. Each customer VPN is assigned a unique Route Distinguisher (RD) that transforms overlapping IPv4 prefixes into globally unique VPNv4 routes. Provider Edge (PE) routers maintain separate VRF (Virtual Routing and Forwarding) tables per customer, and MP-BGP propagates VPNv4 routes between PEs using Route Targets (RTs) for import/export filtering. A two-label stack is used: the outer transport label forwards the packet to the egress PE, the inner VPN label identifies the customer VRF at that PE.
Quality of Service in MPLS uses the 3-bit EXP (Experimental) field in the MPLS header—now formally called Traffic Class (TC) bits per RFC 5462. Carriers map customer DSCP markings to EXP values at ingress, and LSRs apply per-hop behaviors (PHBs) based on EXP, ensuring voice packets receive priority queuing and low-latency forwarding across the provider backbone. This deterministic QoS is MPLS's primary advantage: because the carrier controls every hop and pre-provisions bandwidth, jitter and packet loss remain predictable even under congestion.
How SD-WAN works under the hood
SD-WAN decouples the data plane (packet forwarding) from the control plane (routing decisions) and the management plane (policy orchestration). In Cisco SD-WAN architecture, vEdge routers at branch sites establish IPsec or GRE tunnels to all other vEdges, forming a full-mesh overlay. The vSmart controller—the centralized control plane—distributes routing information (OMP routes, similar to BGP) and enforces policies, while vManage provides the GUI for configuration and telemetry. The vBond orchestrator handles zero-touch provisioning: when a new vEdge boots, it contacts vBond to discover vSmart controllers and authenticate into the fabric.
Application-aware routing is SD-WAN's killer feature. Each vEdge continuously measures latency, jitter, and packet loss on every transport link (broadband, MPLS, LTE) by sending BFD (Bidirectional Forwarding Detection) probes every 20 milliseconds. The vEdge builds a real-time performance map and applies centralized policies from vSmart: "Route Salesforce traffic over the link with lowest latency; if latency exceeds 150ms, failover to MPLS; if both links fail, use LTE." This per-application steering happens at line rate in the data plane—no controller in the forwarding path—because vSmart pre-programs forwarding rules into each vEdge's FIB.
SD-WAN overlays use IPsec for encryption and authentication. In Cisco SD-WAN, each vEdge generates a public/private key pair, and the vSmart controller acts as a certificate authority, signing certificates after validating the device's serial number against the vBond whitelist. Data-plane tunnels use AES-256-GCM encryption by default, with Perfect Forward Secrecy (PFS) enabled via Diffie-Hellman Group 14 or higher. Because tunnels terminate at vEdges—not at a central data center—branch-to-branch traffic flows directly over the internet without hairpinning, reducing latency and eliminating the data center bottleneck that plagues hub-and-spoke MPLS designs.
Traffic segmentation in SD-WAN uses VPNs (not to be confused with MPLS VPNs—these are logical routing domains). Each VPN is a separate routing table on the vEdge, similar to a VRF. You might configure VPN 10 for corporate traffic, VPN 20 for guest Wi-Fi, and VPN 30 for IoT devices. Centralized policies control which VPNs can communicate, which applications are permitted, and which transport links each VPN can use. This segmentation extends to the cloud: a vEdge can establish tunnels to AWS Transit Gateway or Azure Virtual WAN, enabling direct cloud on-ramps without backhauling traffic through the data center.
SD-WAN vs MPLS: side-by-side comparison
| Dimension | MPLS | SD-WAN |
|---|---|---|
| Transport | Carrier-provisioned private backbone; single transport per site unless dual-MPLS purchased | Transport-agnostic; uses broadband, LTE, MPLS, or any IP circuit; multiple transports per site standard |
| Provisioning time | 30-90 days for new circuit in India (Tier-2/3 cities longer); carrier schedules last-mile installation | 1-3 days; plug vEdge into existing broadband, zero-touch provisioning via vBond, tunnels auto-establish |
| Bandwidth cost (India) | ₹8,000-₹15,000 per Mbps per month for 10 Mbps MPLS link in metro; ₹12,000-₹20,000 in Tier-2 cities | ₹800-₹1,500 per Mbps per month for 100 Mbps broadband; 10x bandwidth at same cost as 10 Mbps MPLS |
| SLA guarantees | Contractual latency, jitter, packet loss SLAs (e.g., 50ms latency, 1% loss); carrier liable for violations | No SLA on public internet transport; application-aware routing mitigates but cannot guarantee; MPLS underlay can provide SLA |
| Application visibility | None; MPLS forwards based on labels, agnostic to application; DPI requires separate appliance at edge | Deep packet inspection built-in; identifies 3,500+ applications (Cisco NBAR2 engine); per-app policies |
| Cloud access | Hairpins through data center; branch → HQ → internet → AWS adds 80-150ms RTT; ExpressRoute/Direct Connect requires separate circuit | Direct internet breakout at branch; cloud on-ramps to AWS/Azure/GCP via IPsec; 20-40ms RTT improvement for SaaS |
| Failover time | 30-60 seconds for IGP reconvergence if primary link fails; sub-second with MPLS Fast Reroute (FRR) but requires RSVP-TE | Sub-second; BFD detects failure in 60ms, vEdge switches to backup transport in <200ms; application sessions persist |
| Security | Inherent isolation (private backbone); no encryption by default; must add IPsec for compliance (DPDP Act, RBI guidelines) | IPsec encryption mandatory; integrated firewall, IPS, URL filtering (Cisco vEdge or third-party VNF); zero-trust segmentation |
| Operational model | Carrier manages core; enterprise manages PE-CE routing (BGP or static); changes require carrier ticket (2-5 day SLA) | Enterprise manages entire overlay via vManage GUI; policy changes deploy in seconds; no carrier dependency for routing |
| Scalability | Hub-and-spoke scales to 500+ sites but requires large PE routers at HQ; full-mesh MPLS cost-prohibitive beyond 50 sites | Full-mesh overlay scales to 1,000+ sites; vSmart controller cluster handles 10,000+ vEdges; cloud-hosted controllers eliminate HQ bottleneck |
This comparison reveals why hybrid architectures dominate Indian enterprise networks in 2026. A typical deployment: retain MPLS between headquarters and top-10 revenue-generating branches for SAP/Oracle ERP traffic, overlay SD-WAN tunnels on the same MPLS circuits for SaaS and internet, and connect Tier-2/3 branches via broadband-only SD-WAN. This model preserves MPLS SLAs for critical apps while slashing bandwidth costs by 60-70% across the branch footprint.
Real-world deployment scenarios and performance benchmarks
In our HSR Layout lab, we replicated a 50-site Indian retail chain's network to compare MPLS and SD-WAN forwarding behavior. The topology: headquarters in Mumbai, regional distribution centers in Delhi and Bangalore on 20 Mbps MPLS circuits, 47 stores on 10 Mbps MPLS. We measured application performance for three workloads—ERP (SAP), video conferencing (Webex), and SaaS (Salesforce)—under normal conditions and during simulated link degradation.
Baseline performance (no failures): MPLS delivered consistent 45ms Mumbai-to-Bangalore latency with 0.2% packet loss. SD-WAN over dual broadband (100 Mbps primary, 50 Mbps backup) showed 42ms latency on primary path, 68ms on backup, with 0.8% loss on primary during evening peak hours (7-10 PM IST). For SAP traffic, both met the application's 150ms RTT requirement. For Webex, SD-WAN's application-aware routing detected jitter spikes on the primary link and dynamically shifted video streams to the backup link, maintaining call quality; MPLS required manual intervention to reroute traffic when the single circuit experienced congestion.
Link failure scenario: We disconnected the primary MPLS circuit at the Bangalore site. MPLS failover took 38 seconds (OSPF dead interval 40s, SPF calculation 2s), during which 1,247 packets were dropped and all TCP sessions reset. SD-WAN with BFD detected the failure in 60ms, switched to the backup broadband link in 180ms total, and preserved all application sessions—users experienced a single dropped video frame in Webex but no disconnection. This sub-second failover is why Cisco India's own offices use SD-WAN overlays even atop MPLS circuits: the SD-WAN data plane provides faster failure detection than any IGP can achieve.
Cloud application performance: We measured Salesforce page load times from the Bangalore branch. MPLS topology hairpinned traffic: Bangalore → Mumbai HQ → internet → Salesforce (Singapore region) → Mumbai → Bangalore. Total RTT: 187ms, page load 4.2 seconds. SD-WAN with local internet breakout: Bangalore → direct internet → Salesforce Singapore. Total RTT: 52ms, page load 1.8 seconds—a 57% improvement. This delta explains why Indian IT services companies like Wipro and HCL migrated to SD-WAN for their 50,000+ employee networks: SaaS performance directly impacts developer productivity, and MPLS hairpinning is untenable when 80% of application traffic is cloud-bound.
Our 4-month paid internship at the Network Security Operations Division places students at Akamai India, where they operate hybrid SD-WAN/MPLS networks for enterprise customers. A common troubleshooting scenario: customer reports intermittent Salesforce timeouts. Investigation reveals the SD-WAN policy routes Salesforce over broadband (lowest cost), but the ISP's peering with AWS (Salesforce infrastructure) is congested during business hours. Solution: create an application-aware policy that routes Salesforce over MPLS during 9 AM-6 PM IST, broadband after hours. This hybrid steering—impossible in pure MPLS or pure SD-WAN—optimizes both cost and performance.
Cost analysis: TCO over three years for a 100-site Indian enterprise
Total cost of ownership extends beyond circuit fees. We modeled a 100-site network—headquarters in Gurgaon, 10 regional offices, 89 branches—comparing pure MPLS, pure SD-WAN, and hybrid architectures. All costs are operational expenditures (OpEx) over 36 months, excluding one-time CapEx for routers (which amortizes similarly across scenarios).
Pure MPLS scenario: Headquarters on dual 100 Mbps MPLS circuits for redundancy, regional offices on 50 Mbps MPLS, branches on 10 Mbps MPLS. Monthly circuit cost: ₹12 lakh (HQ) + ₹5 lakh (regional) + ₹71 lakh (branches) = ₹88 lakh per month. 36-month total: ₹31.68 crore. Add ₹1.2 crore for carrier change requests (bandwidth upgrades, QoS policy changes, new site turn-ups averaging 15 days each). Add ₹80 lakh for separate internet circuits at each site (20 Mbps broadband for guest Wi-Fi, SaaS access). Total TCO: ₹33.68 crore.
Pure SD-WAN scenario: Headquarters on dual 500 Mbps broadband circuits (₹1.5 lakh/month), regional offices on dual 200 Mbps broadband (₹60,000/month each), branches on dual 100 Mbps broadband (₹25,000/month each). Monthly circuit cost: ₹1.5 lakh + ₹6 lakh + ₹22.25 lakh = ₹29.75 lakh per month. 36-month total: ₹10.71 crore. Add ₹1.8 crore for SD-WAN licenses (Cisco DNA Advantage, vManage, vSmart controllers). Add ₹60 lakh for security stack (Cisco Umbrella DNS security, third-party firewall VNFs). Total TCO: ₹13.11 crore—a 61% reduction versus pure MPLS.
Hybrid scenario (recommended): Headquarters and regional offices retain MPLS for ERP, add broadband for SD-WAN overlay. Branches use broadband-only SD-WAN. Monthly circuit cost: ₹17 lakh (HQ/regional MPLS) + ₹7.5 lakh (HQ/regional broadband) + ₹22.25 lakh (branch broadband) = ₹46.75 lakh per month. 36-month total: ₹16.83 crore. Add ₹1.8 crore SD-WAN licenses, ₹60 lakh security. Total TCO: ₹19.23 crore—a 43% reduction versus pure MPLS while preserving SLAs for mission-critical apps.
The hybrid model also reduces risk. During the 2023 Hathway broadband outage in Bangalore (affecting 40,000+ enterprise connections for 6 hours), companies with MPLS underlay maintained ERP connectivity while SD-WAN tunnels failed over to LTE backup for non-critical traffic. Pure SD-WAN deployments without MPLS or LTE backup experienced complete site isolation. This resilience justifies the incremental MPLS cost for headquarters and high-revenue sites.
Configuration examples: MPLS VPN and Cisco SD-WAN
Understanding the CLI configuration differences clarifies the operational complexity trade-off. Below are simplified configs for a branch site connecting to headquarters—first via MPLS VPN, then via SD-WAN.
MPLS VPN configuration (PE router, customer VRF)
! Define VRF for customer ACME
ip vrf ACME
rd 65000:100
route-target export 65000:100
route-target import 65000:100
! PE-CE interface toward customer branch router
interface GigabitEthernet0/0/1
description PE-CE link to ACME branch
ip vrf forwarding ACME
ip address 10.1.1.1 255.255.255.252
negotiation auto
! BGP configuration for VPNv4 route exchange
router bgp 65000
bgp log-neighbor-changes
neighbor 192.168.255.2 remote-as 65000
neighbor 192.168.255.2 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.255.2 activate
neighbor 192.168.255.2 send-community extended
exit-address-family
!
address-family ipv4 vrf ACME
neighbor 10.1.1.2 remote-as 65001
neighbor 10.1.1.2 activate
exit-address-family
! MPLS LDP on core-facing interfaces
interface GigabitEthernet0/0/0
description Core-facing MPLS interface
ip address 192.168.1.1 255.255.255.252
mpls ip
mpls label protocol ldp
This configuration requires coordination with the carrier: the customer provides their ASN (65001) and branch prefixes, the carrier configures the PE router and provisions the MPLS VPN. Changes—adding a new branch, modifying QoS—require carrier tickets. Troubleshooting requires access to carrier PE routers (rarely granted) or reliance on carrier TAC.
Cisco SD-WAN configuration (vEdge router at branch)
! System configuration (pushed from vManage)
system
host-name Branch-Mumbai-01
site-id 101
organization-name ACME-Corp
vbond 203.0.113.10
! VPN 0 (transport/WAN side)
vpn 0
interface ge0/0
description Broadband-Primary
ip address 203.0.113.50/30
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
!
interface ge0/1
description MPLS-Backup
ip address 10.200.1.5/30
tunnel-interface
encapsulation ipsec
color mpls
allow-service all
!
!
!
! VPN 10 (corporate LAN)
vpn 10
interface ge0/2
description LAN-Corporate
ip address 192.168.10.1/24
!
ip route 0.0.0.0/0 vpn 0
!
! Application-aware routing policy (applied via vManage)
policy
sla-class SaaS-Class
latency 100
loss 1
jitter 50
!
app-route-policy Branch-Policy
vpn-list Corporate-VPNs
sequence 10
match
app-list Salesforce
action
sla-class SaaS-Class preferred-color biz-internet
backup-sla-preferred-color mpls
!
sequence 20
match
app-list ERP
action
sla-class Critical-Class preferred-color mpls
!
!
!
!
This vEdge configuration is generated and pushed from vManage—the network admin never touches the CLI in production. The policy ("route Salesforce over broadband unless latency exceeds 100ms, then use MPLS") is defined once in vManage and applied to all 100 branch sites simultaneously. Adding a new application policy takes 30 seconds and deploys in under 2 minutes across the fabric. This operational simplicity is why our Cisco SD-WAN course in Bangalore emphasizes vManage workflows over CLI—real-world SD-WAN engineers spend 90% of their time in the GUI, 10% troubleshooting data-plane issues via CLI.
Common pitfalls, migration gotchas, and CCIE interview questions
Pitfall 1: Underestimating broadband asymmetry. Indian ISPs often provision 100 Mbps download but only 10 Mbps upload. SD-WAN policies that assume symmetric bandwidth will cause upload-heavy applications (video conferencing, file uploads to SharePoint) to saturate the uplink while download capacity sits idle. Solution: configure separate bandwidth policies per direction in vManage, and enable forward error correction (FEC) on upload-constrained links to mitigate packet loss.
Pitfall 2: Ignoring NAT traversal. Many Indian broadband ISPs use carrier-grade NAT (CGN), assigning RFC 1918 addresses to customer routers. SD-WAN tunnels must traverse this NAT, which breaks IPsec if not configured correctly. Cisco SD-WAN handles this via NAT-T (NAT Traversal, UDP port 4500), but you must ensure the ISP's CGN allows UDP 4500 outbound and doesn't implement aggressive UDP session timeouts. We've seen ISPs with 60-second UDP timeouts that tear down idle SD-WAN tunnels; the fix is to lower the BFD hello interval to 20 seconds to keep the NAT mapping alive.
Pitfall 3: Migrating MPLS QoS markings blindly. MPLS EXP bits and IP DSCP values don't map one-to-one. A common mistake: customer marks voice with DSCP EF (46) on their CE router, carrier maps EF to EXP 5, but the customer's SD-WAN policy expects DSCP EF to map to high-priority queue. During migration, voice traffic gets misclassified and experiences jitter. Solution: document the carrier's DSCP-to-EXP mapping, replicate it in SD-WAN QoS policies, and test with live voice calls before cutover.
Pitfall 4: Overlooking MTU and fragmentation. SD-WAN adds IPsec overhead (50-60 bytes depending on encryption mode). If the underlay MTU is 1500 bytes, the overlay MTU must be 1440 bytes or lower to avoid fragmentation. Fragmentation kills performance for latency-sensitive apps. Configure ip mtu 1440 on vEdge LAN interfaces and enable Path MTU Discovery (PMTUD) on WAN interfaces. Test with ping -f -l 1440 from Windows or ping -M do -s 1440 from Linux to verify no fragmentation occurs.
CCIE interview question 1: "Explain how MPLS Fast Reroute (FRR) achieves sub-50ms failover, and why SD-WAN's BFD-based failover is faster despite using the public internet." Answer: MPLS FRR pre-computes backup LSPs using RSVP-TE; when a link fails, the point of local repair (PLR) immediately switches to the backup LSP without waiting for IGP convergence, achieving 50ms failover. SD-WAN BFD runs at 20ms hello intervals with 3x multiplier (60ms detection), and the vEdge data plane switches to a pre-established backup tunnel in hardware, totaling 60-200ms. BFD is faster because it's a lightweight keepalive (no routing protocol overhead), and SD-WAN maintains multiple active tunnels simultaneously (unlike MPLS where backup LSPs are pre-signaled but not actively forwarding).
CCIE interview question 2: "A customer reports that after migrating from MPLS to SD-WAN, their SAP GUI sessions time out every 10 minutes. MPLS never had this issue. What's your troubleshooting approach?" Answer: SAP GUI uses long-lived TCP sessions with infrequent keepalives. MPLS has no stateful devices in the path, so sessions persist indefinitely. SD-WAN tunnels traverse ISP NAT/firewalls with TCP session timeouts (often 600 seconds). If no traffic flows for 10 minutes, the NAT drops the mapping, and the next SAP packet is blackholed. Solutions: (1) Enable TCP keepalives on SAP application servers (300-second interval). (2) Configure the vEdge to send periodic probe packets for idle flows. (3) Use IPsec over TCP (port 443) instead of UDP to avoid UDP session timeouts, though this adds latency.
Founder Vikas Swami, Dual CCIE #22239, encountered this exact SAP timeout issue while architecting QuickZTNA for a pharmaceutical client. The root cause was Airtel's CGN dropping UDP mappings after 5 minutes of inactivity. The fix: configure the vEdge to send a 64-byte probe packet every 240 seconds on any tunnel with no user traffic, keeping the NAT mapping alive. This technique is now standard in our SD-WAN deployment runbooks and is covered in the troubleshooting module of our Cisco SD-WAN course.
How SD-WAN and MPLS map to Cisco certification tracks
MPLS is a core topic in CCNP Enterprise (ENARSI exam, 300-410) and CCIE Enterprise Infrastructure. The ENARSI blueprint requires you to configure MPLS LDP, troubleshoot label distribution, and implement MPLS Layer 3 VPNs with MP-BGP. You must understand the label stack (transport label + VPN label), VRF route leaking, and how PE routers use Route Distinguishers and Route Targets. The CCIE lab (version 1.1, effective 2024) includes an MPLS VPN troubleshooting scenario where you diagnose why a customer site cannot reach another site in the same VPN—common issues include RT mismatch, missing MP-BGP address-family configuration, or LDP not enabled on core links.
SD-WAN is covered in the Cisco SD-WAN specialist track (300-415 ENSDWI exam) and is increasingly appearing in CCIE Enterprise Infrastructure labs. The 300-415 blueprint covers vEdge/cEdge architecture, OMP (Overlay Management Protocol) operation, centralized policy configuration in vManage, and troubleshooting data-plane tunnels. You must demonstrate how to configure application-aware routing policies, implement service chaining (inserting firewall VNFs into the traffic path), and troubleshoot why a specific application is not taking the expected path. The exam includes a vManage GUI simulation where you create a policy to route Office 365 traffic over a specific transport color and verify it with vManage's real-time traffic flow monitoring.
For students targeting network engineering roles at Cisco India, Akamai, or Aryaka, we recommend this certification path: CCNA (foundation) → CCNP Enterprise with ENARSI (MPLS depth) → Cisco SD-WAN specialist (300-415). This combination covers both legacy MPLS networks (still 60% of Indian enterprise WANs in 2026) and modern SD-WAN overlays. Our training includes 24×7 rack access to practice both: you'll configure MPLS VPNs on physical Cisco ISR 4000 routers and deploy Cisco SD-WAN on vEdge cloud instances, mirroring the hybrid environments you'll support in production. The SD-WAN & Modern WAN fundamentals course provides the conceptual foundation before you dive into hands-on labs.
Lowest-Cost SD-WAN Alternative — QuickSDWAN
Classical SD-WAN-vs-MPLS analysis shows 60-80% MPLS savings. QuickSDWAN, built by Networkers Home's founder Vikas Swami (Dual CCIE #22239, ex-Cisco TAC VPN Team 2004), extends that further — 95% cost reduction versus traditional SD-WAN itself, through three-minute Docker deployment (no proprietary appliance, no consultant onboarding), AI-managed control plane (Claude + Groq LLaMA 70B), and a complete SASE stack with no add-on licences. Cost-of-entry is essentially zero on the free tier with 5,000+ nodes supported.
Frequently asked questions
Can I run SD-WAN over MPLS circuits, and does it provide any benefit?
Yes, and this is the most common deployment model in Indian enterprises. Running SD-WAN over MPLS provides three benefits: (1) Faster failover—BFD detects MPLS circuit failure in 60ms versus 30-40 seconds for IGP convergence. (2) Application-aware routing—you can route latency-sensitive apps over MPLS and cost-optimize bulk transfers over broadband, even though both transports terminate on the same vEdge. (3) Unified management—vManage provides single-pane-of-glass visibility into MPLS and internet circuits, whereas pure MPLS requires separate carrier portals for each provider. The downside: you pay for both MPLS circuits and SD-WAN licenses, increasing TCO by 15-20% versus pure SD-WAN, but you gain the reliability of MPLS with the agility of SD-WAN.
How does SD-WAN handle voice and video quality on unreliable broadband?
SD-WAN uses three mechanisms: (1) Forward Error Correction (FEC)—the vEdge sends redundant packets so the receiver can reconstruct lost packets without retransmission, reducing jitter. (2) Packet duplication—for critical flows like voice, the vEdge sends the same packet over two transport links simultaneously; the receiver uses whichever arrives first and discards the duplicate. (3) Dynamic path selection—if BFD detects jitter above threshold (e.g., 30ms), the vEdge moves the voice flow to a different transport mid-call. In our lab tests, these techniques reduced voice MOS (Mean Opinion Score) degradation from 3.2 (poor) to 4.1 (good) on a broadband link with 2% packet loss. However, if all transports are degraded simultaneously, SD-WAN cannot compensate—this is why hybrid designs retain MPLS for voice.
What happens to SD-WAN tunnels if the vSmart controller fails?
Data-plane tunnels remain up. The vEdge routers cache the last-known routing and policy information from vSmart, and they continue forwarding traffic using that cached state. However, you cannot push new policies, and if a vEdge reboots, it cannot rejoin the fabric until vSmart is restored. Best practice: deploy vSmart in a cluster of three controllers (active-active-active) across different data centers or cloud regions. Cisco SD-WAN supports vSmart in AWS, Azure, or on-premises; most Indian enterprises run two vSmart instances in their primary and DR data centers, plus a third in AWS Mumbai region for geographic diversity. The vEdge uses anycast to connect to the nearest available vSmart, so controller failure is transparent to end users.
Is SD-WAN compliant with RBI guidelines for payment networks and DPDP Act requirements?
SD-WAN with IPsec encryption meets RBI's requirement for encrypted transmission of payment data (RBI Master Direction on Digital Payment Security Controls, updated 2021). However, RBI also mandates that payment transaction data must not traverse foreign jurisdictions. If your SD-WAN uses cloud-hosted controllers (vManage/vSmart in AWS), you must deploy them in AWS Mumbai region, not Singapore or US regions, to ensure control-plane data remains in India. For data-plane traffic, configure SD-WAN policies to route payment transactions exclusively over MPLS or private circuits, not public internet, to satisfy RBI's "closed user group" requirement for card networks. The DPDP Act (Digital Personal Data Protection Act, 2023) requires encryption of personal data in transit; SD-WAN's mandatory IPsec satisfies this, but you must also enable logging in vManage and retain flow records for 3 years to demonstrate compliance during audits.
Can I use open-source SD-WAN solutions like VeloCloud or Silver Peak instead of Cisco?
VeloCloud (now VMware SD-WAN) and Silver Peak (now Aruba EdgeConnect) are not open-source—they are commercial products like Cisco SD-WAN. True open-source options include OpenWRT with WireGuard or ZeroTier, but these lack enterprise features (centralized orchestration, application-aware routing, integrated security). For Indian enterprises, vendor choice depends on existing infrastructure: if you run Cisco routers and switches, Cisco SD-WAN integrates seamlessly (cEdge mode uses IOS-XE, same OS as ISR/ASR routers). If you're VMware-centric (vSphere, NSX), VeloCloud integrates better. Aruba EdgeConnect is popular in retail/hospitality due to tight integration with Aruba wireless. From a hiring perspective, Cisco SD-WAN skills are most in-demand in India—Cisco India, HCL, Wipro, and Aryaka all deploy Cisco SD-WAN for customers, and our 45,000+ placements include 800+ active hiring partners seeking Cisco SD-WAN-certified engineers.
How long does it take to migrate a 100-site MPLS network to SD-WAN?
Plan 6-9 months for a phased migration. Month 1-2: Design and pilot—deploy SD-WAN at 3-5 pilot sites, validate application performance, train NOC staff. Month 3-4: Headquarters and regional offices—deploy vEdge routers, establish tunnels, run SD-WAN in parallel with MPLS (both active), gradually shift non-critical traffic to SD-WAN. Month 5-8: Branch rollout—deploy 10-15 sites per week using zero-touch provisioning, cutover each site during a maintenance window. Month 9: MPLS decommission—after 30 days of stable SD-WAN operation, cancel MPLS circuits (note: Indian carriers require 90-day notice for contract termination, so submit cancellation requests in Month 6). The critical path is not technology deployment—it's ISP provisioning for broadband circuits at Tier-2/3 branches, which can take 30-45 days in cities like Ranchi or Bhubaneswar. Start ISP orders in Month 1 to avoid delaying the rollout.
What is the typical ROI timeline for SD-WAN versus MPLS?
Payback period is 18-24 months for most Indian enterprises. Upfront costs: SD-WAN licenses (₹1.8 crore for 100 sites), vEdge routers (₹2.5 crore if replacing existing CE routers), professional services for migration (₹40 lakh). Total CapEx: ₹4.7 crore. Monthly OpEx savings: ₹88 lakh (MPLS) - ₹46.75 lakh (hybrid SD-WAN) = ₹41.25 lakh per month. Break-even: ₹4.7 crore ÷ ₹41.25 lakh = 11.4 months. However, this calculation ignores soft benefits: 60% reduction in circuit provisioning time (faster new site turn-ups), 40% reduction in WAN-related trouble tickets (due to proactive monitoring in vManage), and 25% improvement in SaaS application performance (due to local internet breakout). When factoring these productivity gains, effective ROI is 8-10 months for organizations with 50+ sites.