Managing wide-area networking across multiple business locations has historically been one of the most complex, expensive, and frustrating aspects of enterprise IT infrastructure. Traditional approaches — dedicated MPLS circuits connecting each site to a centralised hub, with rigid traffic routing determined by the service provider — served UK businesses adequately when the majority of applications lived in an on-premises data centre. But the reality of modern business networking looks nothing like that model. Applications have migrated to the cloud. Employees work from branch offices, home offices, and client sites. Voice and video traffic compete with business-critical SaaS applications for bandwidth. And the cost of maintaining private MPLS circuits to every location has become increasingly difficult to justify when commodity broadband and dedicated internet access deliver more bandwidth at a fraction of the price.
Software-Defined Wide Area Networking — SD-WAN — was purpose-built to solve these problems. It decouples the network control plane from the underlying transport circuits, creating an intelligent overlay network that can utilise any combination of MPLS, broadband, dedicated internet, 4G, and 5G connections. Traffic is routed dynamically based on application requirements, circuit performance, and business policies rather than static routing tables maintained by a carrier. The result is a network that is more resilient, more intelligent, more cost-effective, and dramatically easier to manage across multiple sites than traditional WAN architectures.
For UK businesses operating across two, ten, or a hundred locations, SD-WAN represents a fundamental shift in how wide-area connectivity is designed, deployed, and operated. This guide explains the architecture, the planning process, the vendor landscape, and the practical steps required to deploy SD-WAN successfully across a multi-site environment.
Understanding SD-WAN Architecture: Overlay vs Underlay
Before planning a multi-site SD-WAN deployment, it is essential to understand the architectural distinction between the overlay and underlay networks. This separation is the foundational concept that makes SD-WAN possible, and misunderstanding it leads to poor design decisions that undermine the entire deployment.
The Underlay Network
The underlay is the physical transport — the actual circuits that carry your data between sites. In a traditional WAN, the underlay and the network are essentially the same thing: you purchase an MPLS circuit from BT, Virgin Media Business, or another provider, and that circuit defines your connectivity. With SD-WAN, the underlay becomes commoditised transport. Each site might connect via a fibre leased line from one provider, a broadband connection from another, a 4G/5G cellular backup, or any combination of these. The underlay does not need to be managed, intelligent, or even particularly reliable on its own — because the SD-WAN overlay handles all of that.
The key principle is transport independence. SD-WAN does not care whether the underlay is MPLS, FTTP broadband, EoFTTC, a dedicated Ethernet leased line, or a mobile connection. It builds encrypted tunnels across whatever transport is available and makes intelligent routing decisions across those tunnels. This transport independence is what enables the dramatic cost savings: instead of paying £1,500 per month for a managed MPLS circuit to a branch office, you can provision two diverse broadband connections for £200–£400 per month combined and achieve equal or better performance and reliability through SD-WAN’s intelligent overlay.
The Overlay Network
The overlay is the software-defined layer that SD-WAN creates on top of the underlay transport. It consists of encrypted tunnels (typically IPsec or a proprietary tunnelling protocol) between SD-WAN appliances at each site, forming a mesh or hub-and-spoke topology depending on your design. The overlay is where the intelligence lives: application identification, path selection, quality of service enforcement, security policy application, and traffic optimisation all operate at the overlay level.
The overlay abstracts the complexity of the underlying transport. From an application perspective, traffic enters the SD-WAN overlay at the source site and exits at the destination site — the path it takes through the underlay, the number of circuits it traverses, and any failover events that occur along the way are invisible to the application. This abstraction is what enables SD-WAN to deliver consistent application performance even when individual underlay circuits experience degradation or failure.
SD-WAN deployments typically use one of two overlay topologies, or a hybrid of both. Hub-and-spoke routes all branch traffic through one or more central hub sites (typically data centres or headquarters), which is simpler to manage and suits organisations that need to centralise security inspection or access on-premises applications. Full mesh establishes direct tunnels between every pair of sites, enabling branch-to-branch communication without traversing the hub — ideal for organisations with significant inter-site collaboration traffic or latency-sensitive applications. Most modern SD-WAN platforms support dynamic full mesh, where direct site-to-site tunnels are established on demand when traffic warrants it, combining the simplicity of hub-and-spoke with the performance benefits of full mesh.
Planning a Multi-Site SD-WAN Deployment
Successful multi-site SD-WAN deployment starts long before any equipment is ordered or any configuration is written. The planning phase determines whether your deployment delivers the promised benefits or creates a new set of problems that rival those it was meant to solve.
Site Classification and Tiering
Not every site in your organisation has the same connectivity requirements. A headquarters location with 200 employees running voice, video, and business-critical ERP applications has fundamentally different needs from a three-person satellite office that primarily accesses cloud email and a CRM system. Classify your sites into tiers based on user count, application requirements, uptime criticality, and existing infrastructure.
A typical three-tier model for UK multi-site deployments works as follows. Tier 1 sites are headquarters and data centres requiring high availability, high bandwidth, and full security stack deployment. Tier 2 sites are major branch offices with 20 or more users, running voice and video, requiring dual diverse circuits and local security enforcement. Tier 3 sites are small branches, retail locations, or home offices with fewer than 20 users, where a single broadband connection with 4G backup and cloud-delivered security is sufficient. This tiering drives every subsequent decision: appliance sizing, circuit provisioning, security architecture, and budget allocation.
Application and Traffic Analysis
Before deploying SD-WAN, you need a clear understanding of what traffic your network carries, where it goes, and what performance characteristics each application requires. Conduct a thorough traffic analysis across your existing WAN, examining bandwidth utilisation by site and time of day, application breakdown (which applications consume the most bandwidth and which are most latency-sensitive), traffic flow patterns (site-to-site, site-to-data centre, site-to-internet, site-to-cloud), and peak versus average utilisation to ensure circuits are sized appropriately.
This analysis is particularly important for the transition from MPLS to SD-WAN. If 70% of your branch office traffic is destined for cloud applications (Microsoft 365, Salesforce, cloud-hosted ERP), that traffic is currently backhauled through your MPLS network to a central internet breakout point — adding latency and consuming expensive MPLS bandwidth unnecessarily. SD-WAN enables local internet breakout at each site, sending cloud-bound traffic directly to the internet whilst routing site-to-site and data centre traffic through the overlay. Understanding your traffic patterns quantifies this opportunity and informs your circuit sizing decisions.
Circuit Diversity and Resilience Planning
Circuit diversity is the single most important factor in SD-WAN reliability. SD-WAN’s ability to failover between circuits in sub-second timeframes is only valuable if the circuits do not fail simultaneously — which they will if they share common infrastructure. True diversity requires different physical paths (not two broadband circuits delivered over the same Openreach copper or fibre), different access technologies (fibre leased line plus broadband, or broadband plus 4G/5G), different last-mile providers where possible (BT Openreach plus Virgin Media, or CityFibre plus a fixed wireless provider), and different exchange or cabinet dependencies (particularly relevant in rural areas).
For Tier 1 sites, specify dual circuits from different providers using different access technologies and different physical paths into the building. For Tier 2 sites, dual circuits from different providers or different technologies (fibre plus broadband, or broadband plus 4G) provide adequate resilience. For Tier 3 sites, a primary broadband connection with 4G failover is typically sufficient and cost-effective.
Many UK businesses believe they have diverse circuits when they do not. Two broadband connections from different ISPs often share the same Openreach local loop, the same street cabinet, and the same exchange — meaning a single fibre cut or exchange failure takes out both circuits simultaneously. Even “diverse” fibre leased lines can share common duct routes for part of their path. Always request diversity surveys from your circuit providers and insist on written confirmation of physical path diversity. Where true terrestrial diversity is impossible (single-exchange areas, for example), 4G/5G provides genuine last-resort diversity because it uses a completely independent physical infrastructure. Factor the cost of diversity surveys (£500–£1,500 per site) into your project budget.
SD-WAN Vendor Comparison: Meraki, Fortinet, and VMware
The SD-WAN vendor market has matured considerably, with dozens of platforms available ranging from purpose-built SD-WAN solutions to integrated networking and security platforms. For UK multi-site businesses, three vendors consistently emerge as leading options based on capability, channel support, and alignment with SME and mid-market requirements.
Cisco Meraki SD-WAN
Meraki’s approach to SD-WAN reflects its broader philosophy: cloud-managed simplicity with enterprise-grade capability. The entire Meraki platform — switches, access points, security appliances, and SD-WAN — is managed through a single cloud dashboard, making it exceptionally straightforward to deploy and operate across dozens or hundreds of sites. Meraki’s SD-WAN capabilities are built into its MX security appliances, meaning each site gets SD-WAN, firewall, content filtering, intrusion prevention, and VPN connectivity in a single device.
For multi-site deployments, Meraki excels at zero-touch provisioning: you configure site templates in the dashboard, ship appliances to each location, and they pull their configuration automatically when connected to any internet connection. A new branch office can be brought online in under fifteen minutes without requiring an engineer on site. Meraki’s Auto VPN technology automatically establishes encrypted tunnels between sites based on your defined topology, and its application-aware traffic shaping prioritises critical applications over recreational traffic without complex QoS configuration.
Meraki’s licensing model is subscription-based, with hardware and software bundled into annual or multi-year licences. For the MX series appliances commonly used in multi-site SD-WAN deployments, expect approximately £1,500–£4,000 per appliance for hardware plus £400–£1,200 per year for licensing, depending on the model and licence tier. The Advanced Security licence includes SD-WAN, firewall, IPS, content filtering, and Cisco AMP malware protection.
Fortinet Secure SD-WAN
Fortinet’s SD-WAN offering is tightly integrated with its FortiGate next-generation firewall platform, making it the natural choice for organisations that prioritise security alongside connectivity. Every FortiGate appliance includes SD-WAN functionality at no additional licence cost — a significant commercial advantage for businesses that already use or plan to deploy FortiGate firewalls. Fortinet’s approach positions SD-WAN as a feature of the security platform rather than a separate product requiring separate management.
FortiGate SD-WAN provides granular application-aware routing with support for over 5,000 application signatures, advanced traffic steering based on real-time path quality metrics (latency, jitter, packet loss, and available bandwidth), and integrated security inspection including SSL/TLS decryption, intrusion prevention, web filtering, and sandboxing. For organisations with stringent security requirements — financial services, healthcare, legal — Fortinet’s ability to apply full security inspection to all SD-WAN traffic without requiring separate security appliances is a compelling advantage.
Fortinet’s FortiManager provides centralised management for multi-site deployments, with template-based provisioning, firmware management, and policy orchestration. FortiAnalyzer provides centralised logging, reporting, and analytics. Pricing for FortiGate appliances suitable for branch SD-WAN (FortiGate 40F through 100F) ranges from approximately £400 to £2,500 for hardware, with annual security subscription bundles (FortiGuard) costing £200–£800 per device depending on the services included.
VMware SD-WAN (formerly VeloCloud)
VMware SD-WAN, acquired through the VeloCloud purchase in 2017 and now part of Broadcom following the VMware acquisition, takes a transport-independent, carrier-neutral approach to SD-WAN. Its architecture centres on a global network of SD-WAN gateways hosted in carrier-neutral data centres and public cloud regions, providing optimised paths for cloud-bound traffic that bypass the congested public internet. This gateway architecture is particularly valuable for businesses with globally distributed cloud applications, as it ensures consistent performance regardless of the local internet quality at each site.
VMware SD-WAN’s Dynamic Multi-Path Optimisation (DMPO) technology continuously monitors all available paths between sites and the gateway network, adjusting traffic distribution in real time based on measured performance. It can compensate for packet loss and jitter on degraded links through forward error correction and packet duplication, maintaining application quality even when individual circuits are experiencing problems. For voice and video traffic, this capability can be the difference between usable and unusable quality during circuit degradation events.
VMware SD-WAN Edge appliances are available in a range of models from small branch (Edge 510 and 520) through large campus and data centre (Edge 3800 and above). Pricing is subscription-based, with per-edge licence fees of approximately £100–£400 per month depending on edge model and bandwidth tier, plus hardware costs of £500–£3,000 per appliance. VMware’s Orchestrator provides centralised cloud-based management for the entire deployment.
| Feature | Cisco Meraki | Fortinet FortiGate | VMware SD-WAN |
|---|---|---|---|
| Best Suited For | Simplicity-first multi-site deployments with moderate security needs | Security-first deployments requiring deep traffic inspection | Performance-critical deployments with global cloud application access |
| Management | Cloud dashboard (single pane for entire Meraki stack) | FortiManager (centralised on-premises or cloud management) | VMware Orchestrator (cloud-based centralised management) |
| Security Integration | Built-in firewall, IPS, content filtering, AMP | Full NGFW with SSL inspection, sandboxing, IPS, web filtering | Basic firewall; integrates with third-party security or VMware SASE |
| Zero-Touch Provisioning | Excellent — industry-leading simplicity | Good — via FortiManager and FortiDeploy | Good — via Orchestrator activation |
| Application-Aware Routing | Yes — with built-in application signatures | Yes — 5,000+ application signatures | Yes — deep application identification with DMPO |
| Path Quality Compensation | Basic failover and load balancing | SLA-based path selection with quality metrics | Advanced DMPO with FEC and packet duplication |
| Typical Branch Appliance Cost | £1,500–£4,000 + £400–£1,200/year licence | £400–£2,500 + £200–£800/year subscriptions | £500–£3,000 + £100–£400/month licence |
| Ideal Site Count | 5–500+ sites (scales exceptionally well) | 5–1,000+ sites (enterprise-proven) | 10–5,000+ sites (carrier and enterprise scale) |
Application-Aware Routing and Quality of Service
The intelligence that distinguishes SD-WAN from a simple dual-WAN router lies in its ability to identify applications in real time and route them across the optimal path based on both the application’s requirements and each path’s current performance characteristics. This capability — application-aware routing combined with quality of service enforcement — is the core value proposition of SD-WAN for multi-site businesses.
How Application-Aware Routing Works
SD-WAN appliances identify applications using a combination of deep packet inspection (DPI), DNS-based identification, IP address and port matching, and cloud-updated application signature databases. When a user at a branch office opens Microsoft Teams, the SD-WAN appliance identifies the traffic as a real-time voice and video application within the first few packets. It then consults its routing policy to determine which transport path should carry that traffic, based on both the policy you have defined and the real-time performance metrics of each available path.
For example, you might define a policy that routes Microsoft Teams voice and video traffic over the fibre leased line (which provides low, consistent latency) whilst routing bulk file transfers and software updates over the broadband connection (which provides higher bandwidth but less consistent performance). If the fibre circuit degrades — latency spikes above 50ms or packet loss exceeds 0.5% — the SD-WAN appliance automatically moves Teams traffic to the broadband connection, provided it currently meets the quality thresholds you have defined. This happens in sub-second timeframes, often without users noticing any disruption.
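The decision just described, as an added Python illustration (not code from any of the vendors discussed): each application class carries an ordered path preference plus latency and loss thresholds, and the selector walks that preference against the current path metrics. The path names, the bulk-transfer thresholds and the least-lossy fallback used when no path is within thresholds are assumptions; the Teams voice limits (50 ms, 0.5%) come from the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PathMetrics:
    """Most recent probe results for one underlay path (constructed values)."""
    name: str
    latency_ms: float
    loss_pct: float
    up: bool = True


@dataclass
class AppPolicy:
    """Per-application-class policy: ordered path preference plus quality thresholds."""
    app_class: str
    preferred: List[str]      # first entry is the primary path, the rest are failover order
    max_latency_ms: float
    max_loss_pct: float


def meets_thresholds(path: PathMetrics, policy: AppPolicy) -> bool:
    """A path is eligible only if it is up and within the class's latency and loss limits."""
    return (path.up and path.latency_ms <= policy.max_latency_ms
            and path.loss_pct <= policy.max_loss_pct)


def select_path(policy: AppPolicy, paths: Dict[str, PathMetrics]) -> Tuple[Optional[str], str]:
    """Return (chosen path, reason) for one application class under the current metrics."""
    for name in policy.preferred:
        path = paths.get(name)
        if path is not None and meets_thresholds(path, policy):
            if name == policy.preferred[0]:
                return name, "primary path within thresholds"
            return name, f"failover: {policy.preferred[0]} breached thresholds"
    # Assumption: when no path is within thresholds, keep traffic flowing on the
    # least-lossy path that is still up (loss hurts real-time traffic more than latency).
    live = [p for p in paths.values() if p.up]
    if not live:
        return None, "no path available"
    best = min(live, key=lambda p: (p.loss_pct, p.latency_ms))
    return best.name, "degraded: no path within thresholds, using least-lossy path"


def route_all(policies: List[AppPolicy], paths: Dict[str, PathMetrics]) -> Dict[str, str]:
    """Map every application class to its chosen path for the current metrics."""
    return {pol.app_class: select_path(pol, paths)[0] for pol in policies}


# Teams voice limits are the 50 ms / 0.5 % figures from the text; bulk limits are assumed.
TEAMS_VOICE = AppPolicy("teams_voice", ["fibre", "broadband"], max_latency_ms=50.0, max_loss_pct=0.5)
BULK = AppPolicy("bulk_transfer", ["broadband", "fibre"], max_latency_ms=500.0, max_loss_pct=5.0)
POLICIES = [TEAMS_VOICE, BULK]


def scenario(fibre_lat: float, fibre_loss: float, bb_lat: float, bb_loss: float) -> Dict[str, PathMetrics]:
    """Build a constructed two-circuit branch: fibre leased line plus broadband."""
    return {"fibre": PathMetrics("fibre", fibre_lat, fibre_loss),
            "broadband": PathMetrics("broadband", bb_lat, bb_loss)}


NORMAL = scenario(12.0, 0.0, 28.0, 0.2)          # both circuits healthy
FIBRE_DEGRADED = scenario(65.0, 0.0, 28.0, 0.2)  # fibre latency spike above 50 ms
BOTH_DEGRADED = scenario(65.0, 0.1, 30.0, 0.8)   # fibre too slow, broadband too lossy

if __name__ == "__main__":
    for label, paths in [("normal", NORMAL), ("fibre degraded", FIBRE_DEGRADED),
                         ("both degraded", BOTH_DEGRADED)]:
        print(label, route_all(POLICIES, paths))
```

Production platforms add dwell timers or hysteresis on top of this so that a path hovering around a threshold does not flap traffic back and forth every probe interval.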
Defining Quality of Service Policies
Effective QoS configuration is critical for multi-site SD-WAN deployments, particularly when voice, video, and business-critical applications share bandwidth with general internet browsing and bulk transfers. A well-structured QoS policy typically defines four to six traffic classes, each with specific bandwidth guarantees, priority levels, and quality thresholds.
| Traffic Class | Applications | Priority | Bandwidth Guarantee | Latency Threshold | Loss Threshold |
|---|---|---|---|---|---|
| Real-Time Voice | VoIP (Teams, Zoom, 3CX, RingCentral) | Highest | 15–20% | <50ms | <0.5% |
| Real-Time Video | Video conferencing, screen sharing | High | 20–30% | <100ms | <1% |
| Business Critical | ERP, CRM, cloud business apps, databases | Medium-High | 25–30% | <150ms | <1% |
| Standard Business | Email, web browsing, file sharing | Medium | 15–20% | <300ms | <2% |
| Bulk / Background | Backups, updates, large downloads | Low | 5–10% | Best effort | Best effort |
| Recreational / Non-Business | Social media, streaming, personal use | Lowest | 0–5% (scavenging only) | Best effort | Best effort |
The bandwidth guarantees ensure that critical traffic classes always have sufficient capacity, whilst lower-priority classes can utilise any bandwidth not consumed by higher-priority traffic. During periods of congestion, the SD-WAN appliance enforces these priorities strictly: voice traffic is never degraded to accommodate a large file download, and business-critical application traffic always takes precedence over recreational browsing.
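The allocation the table implies, as an added worked example in Python (not code from any vendor): guarantees are honoured first, then leftover capacity is handed out in strict priority order, so the scavenger class only ever sees what nobody else wants. Taking each range's lower bound as the guarantee and the demand figures themselves are assumptions.

```python
from typing import Dict, List, Tuple

# Traffic classes in strict priority order with their minimum bandwidth guarantee,
# taken as the lower bound of each range in the table above (assumption). The
# recreational class is a pure scavenger: no guarantee, only leftover capacity.
QOS_CLASSES: List[Tuple[str, float]] = [
    ("real_time_voice", 0.15),
    ("real_time_video", 0.20),
    ("business_critical", 0.25),
    ("standard_business", 0.15),
    ("bulk_background", 0.05),
    ("recreational", 0.00),
]


def allocate(capacity_mbps: float, demand_mbps: Dict[str, float]) -> Dict[str, float]:
    """Share a congested circuit between classes: guarantees first, then strict priority."""
    alloc = {name: 0.0 for name, _ in QOS_CLASSES}
    remaining = capacity_mbps
    # Phase 1: every class receives its guarantee, capped at what it actually asks for,
    # so unused guaranteed bandwidth is not wasted.
    for name, share in QOS_CLASSES:
        give = min(demand_mbps.get(name, 0.0), share * capacity_mbps, remaining)
        alloc[name] += give
        remaining -= give
    # Phase 2: leftover capacity goes out in strict priority order; a lower class only
    # sees bandwidth once every higher class's demand is fully satisfied.
    for name, _ in QOS_CLASSES:
        give = min(demand_mbps.get(name, 0.0) - alloc[name], remaining)
        alloc[name] += give
        remaining -= give
    return alloc


def shortfall(demand_mbps: Dict[str, float], alloc: Dict[str, float]) -> Dict[str, float]:
    """Unserved demand per class: what users of that class experience as congestion."""
    return {name: max(demand_mbps.get(name, 0.0) - got, 0.0) for name, got in alloc.items()}


# Constructed demand on a 100 Mbit/s circuit: 190 Mbit/s requested in total, so the
# appliance must decide who waits. A large backup (bulk) competes with voice and ERP.
CONGESTED_DEMAND = {
    "real_time_voice": 10.0,
    "real_time_video": 30.0,
    "business_critical": 40.0,
    "standard_business": 30.0,
    "bulk_background": 60.0,
    "recreational": 20.0,
}

# Constructed quiet period: total demand well below capacity, so the scavenger class
# gets everything it asks for because nobody above it wants the bandwidth.
QUIET_DEMAND = {"real_time_voice": 5.0, "bulk_background": 10.0, "recreational": 20.0}

if __name__ == "__main__":
    busy = allocate(100.0, CONGESTED_DEMAND)
    print("congested:", busy)
    print("shortfall:", shortfall(CONGESTED_DEMAND, busy))
    print("quiet:", allocate(100.0, QUIET_DEMAND))
```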
SD-WAN Application-Aware Routing Advantages
- Sub-second failover between circuits based on real-time quality metrics
- Per-application path selection ensures optimal routing for every traffic type
- Dynamic rebalancing as circuit conditions change throughout the day
- Forward error correction compensates for packet loss without retransmission
- Centralised policy management applies consistent QoS across all sites
- Cloud application traffic can break out locally, reducing latency significantly
- Detailed per-application analytics inform capacity planning decisions
Traditional WAN Routing Limitations
- Static routing based on destination, not application requirements
- Manual failover or slow convergence times (30+ seconds typical)
- All traffic treated equally unless complex manual QoS is configured per site
- No compensation for degraded circuit quality short of full failover
- QoS must be configured individually on each router at each site
- Cloud traffic backhauled through central site, adding unnecessary latency
- Limited visibility into application-level performance and utilisation
Security Architecture for Multi-Site SD-WAN
Security is a critical consideration in any SD-WAN deployment, and it becomes more complex in multi-site environments where traffic takes multiple paths, local internet breakout exposes each site directly to the internet, and the traditional perimeter security model — where all traffic passes through a central firewall — no longer applies.
Encryption and Tunnel Security
All SD-WAN platforms encrypt overlay traffic using IPsec or equivalent encryption, typically with AES-256 encryption and SHA-256 authentication. This means that traffic traversing broadband or internet circuits between your sites is protected to the same standard as traffic on a dedicated MPLS circuit — arguably better, since MPLS traffic is typically not encrypted at all. Key exchange and certificate management are handled automatically by the SD-WAN controller, eliminating the manual key management burden that made site-to-site VPNs cumbersome at scale.
Distributed Security vs Centralised Security
The shift from centralised internet breakout (all traffic through headquarters) to local internet breakout (each site accesses the internet directly) requires a corresponding shift in security architecture. There are three primary approaches to securing local internet breakout across multiple sites.
On-premises security at every site. Deploy a next-generation firewall at each location — either integrated into the SD-WAN appliance (as with Fortinet and Meraki) or as a separate device. This approach provides the highest level of local security inspection but increases hardware costs and management complexity, particularly for Tier 3 sites where a full NGFW may be disproportionate to the risk.
Cloud-delivered security (SASE). Route internet-bound traffic from each site through a cloud security service — such as Zscaler, Palo Alto Prisma Access, or the cloud security components offered by your SD-WAN vendor — that provides firewall, web filtering, threat prevention, and data loss prevention in the cloud. This approach is particularly attractive for large, distributed deployments where deploying and managing physical security appliances at every site is impractical. The SD-WAN overlay tunnels internet traffic to the nearest cloud security point of presence, where it is inspected before being forwarded to its destination.
Hybrid approach. Deploy full security stacks at Tier 1 and Tier 2 sites, and use cloud-delivered security for Tier 3 sites. This balances security effectiveness with operational complexity and cost, applying comprehensive local security where it matters most and leveraging cloud security for smaller locations where simplicity is the priority.
Micro-Segmentation and Zero Trust
Modern SD-WAN platforms support network segmentation through virtual routing and forwarding (VRF) instances and security zones, enabling you to isolate different types of traffic even when they share the same physical infrastructure. A common segmentation model for multi-site deployments includes a corporate segment for business devices and applications, a guest segment for visitor Wi-Fi traffic that must not access corporate resources, an IoT segment for printers, CCTV cameras, building management systems, and other connected devices, and a PCI segment for payment processing traffic in retail or hospitality environments. SD-WAN extends these segments across the overlay, ensuring that a device on the IoT segment at one site can only communicate with the IoT segment at other sites — not with corporate resources at any location.
Secure Access Service Edge (SASE) represents the convergence of SD-WAN networking and cloud-delivered security into a unified platform. Rather than treating SD-WAN and security as separate concerns with separate products, SASE combines SD-WAN connectivity, cloud firewall (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA) into a single, cloud-delivered service. For UK multi-site businesses planning SD-WAN deployments, it is worth evaluating whether a full SASE approach — rather than SD-WAN plus separate security products — provides a simpler and more effective long-term architecture. Vendors like Fortinet (FortiSASE), Palo Alto Networks (Prisma SASE), and Cisco (Cisco+ Secure Connect) offer integrated SASE platforms that combine SD-WAN and security under a single management console.
Migrating from MPLS to SD-WAN
For many UK multi-site businesses, SD-WAN deployment is not a greenfield project but a migration from an existing MPLS network. This migration requires careful planning to avoid disrupting business operations during the transition, and the approach you take depends on your risk tolerance, timeline, and the complexity of your existing network.
Parallel Running (Recommended)
The lowest-risk migration strategy is to deploy SD-WAN in parallel with your existing MPLS network, validate performance and reliability, and then decommission MPLS circuits once you are confident in the SD-WAN overlay. This approach requires a period of dual running — typically three to six months — where you pay for both MPLS and internet/broadband circuits simultaneously. The additional cost is significant but justified by the risk reduction.
During the parallel running period, configure the SD-WAN overlay to carry non-critical traffic initially (web browsing, email, cloud application access) whilst MPLS continues to carry business-critical and real-time traffic. Gradually shift traffic categories to the SD-WAN overlay as you build confidence in its performance and reliability. Monitor application performance metrics closely throughout the transition, comparing SD-WAN performance against MPLS baseline measurements to ensure that the migration does not degrade the user experience.
Direct Cutover (Higher Risk, Lower Cost)
For organisations with lower complexity or higher risk tolerance, a direct cutover approach replaces MPLS with SD-WAN at each site in a planned migration window. This avoids the cost of dual running but requires thorough pre-migration testing and well-rehearsed rollback procedures. Typically, direct cutover is performed site by site, starting with low-criticality locations and progressing to headquarters and data centre sites last. Each site cutover should be scheduled during a maintenance window with adequate time for testing and rollback if needed.
Hybrid Long-Term (MPLS + SD-WAN)
Some organisations choose to retain MPLS for specific, high-criticality traffic whilst using SD-WAN for everything else. In this model, MPLS becomes one of the underlay transports available to the SD-WAN overlay, typically designated as the preferred path for real-time voice traffic or specific compliance-sensitive applications. This approach is common in financial services and healthcare, where regulatory requirements or extreme latency sensitivity justify the continued cost of MPLS for a subset of traffic. Over time, as SD-WAN platforms mature and broadband quality improves, the business case for retaining MPLS diminishes, and most organisations following this approach eventually decommission their MPLS circuits entirely.
Monitoring, Analytics, and Ongoing Operations
Deploying SD-WAN across multiple sites is not a one-time project but the beginning of an ongoing operational practice. The visibility and analytics that SD-WAN platforms provide are among their greatest advantages over traditional WAN architectures, but only if you use them actively to monitor performance, identify issues, and optimise your network continuously.
Real-Time Monitoring
All three major SD-WAN platforms provide real-time dashboards showing circuit health (latency, jitter, packet loss, bandwidth utilisation) for every path at every site, application performance metrics showing response times and throughput for identified applications, tunnel status and overlay topology health, failover events and path changes with timestamps and reasons, and alert notifications for circuit degradation, device failures, or policy violations. Configure monitoring thresholds that trigger alerts before users notice problems. For example, alert when latency on a voice-designated path exceeds 30ms (well before the 50ms threshold that degrades voice quality), or when bandwidth utilisation on any circuit exceeds 80% during business hours (indicating that capacity expansion may be needed before users experience congestion).
Historical Analytics and Capacity Planning
Beyond real-time monitoring, SD-WAN analytics provide historical trend data that informs capacity planning and cost optimisation decisions. Review monthly reports on bandwidth utilisation trends by site to identify locations approaching capacity limits, application mix changes that might require QoS policy adjustments, circuit reliability statistics to hold providers accountable against their SLAs, and cost-per-megabit metrics across different transport types to optimise your circuit portfolio. For UK businesses on contract broadband and leased line circuits, these analytics are invaluable when negotiating renewals or evaluating alternative providers. If your SD-WAN analytics show that a particular circuit at a particular site has delivered 99.2% uptime against a contracted 99.5% SLA, you have data to support a service credit claim or a decision to switch providers.
Centralised Policy Management
One of SD-WAN’s most significant operational advantages in multi-site deployments is centralised policy management. Rather than configuring QoS, routing, security, and access policies individually on each site’s router — a process that is error-prone, time-consuming, and virtually impossible to keep consistent across dozens of sites — SD-WAN policies are defined centrally and pushed to all sites automatically. A change to your QoS policy, a new application routing rule, or an updated security policy can be deployed across your entire estate in minutes rather than days. This centralisation dramatically reduces the operational overhead of managing a multi-site network and ensures policy consistency that is simply not achievable with traditional per-device configuration.
SD-WAN’s overlay intelligence can mask underlay circuit problems by automatically routing around degradation. Whilst this is excellent for user experience, it can hide chronic circuit issues that should be reported to your ISP and resolved rather than permanently worked around. If your SD-WAN analytics show that a particular broadband circuit at a site is experiencing daily packet loss events that trigger failover, that circuit has a problem that needs investigation — even if users are not noticing the impact. Monitor underlay circuit health independently of overlay performance, and use SD-WAN analytics to build evidence packages for ISP fault reports and SLA claims. A circuit that fails over three times per week is not providing the service you are paying for, regardless of whether users are affected.
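Added example (not from any SD-WAN platform's tooling) that turns the thresholds and evidence described in this section into code: the early-warning alerts under Real-Time Monitoring (30 ms on a voice path, 80% utilisation in business hours), the uptime-versus-SLA comparison under Historical Analytics, and the failovers-per-week count used to argue that an underlay circuit is faulty even when users are unaffected. The circuit names, hourly sampling interval, business-hours window and the four-week log with injected faults are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Thresholds from the text: warn on a voice path above 30 ms (before the 50 ms voice
# limit bites), warn above 80 % utilisation in business hours, SLA target 99.5 %.
VOICE_WARN_LATENCY_MS = 30.0
UTIL_WARN_PCT = 80.0
SLA_TARGET_PCT = 99.5
REALTIME_MAX_LOSS_PCT = 0.5           # loss level that pushes real-time traffic off a path
BUSINESS_HOURS = range(9, 17)         # 09:00-16:59, Monday to Friday (assumption)
SAMPLE_INTERVAL = timedelta(hours=1)  # one probe summary per circuit per hour (assumption)
VOICE_PATHS = {"branch-fibre"}        # circuits designated to carry voice (constructed)


@dataclass
class Sample:
    ts: datetime
    circuit: str
    latency_ms: float
    loss_pct: float
    util_pct: float
    up: bool


def is_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS


def early_warnings(samples: List[Sample]) -> List[Tuple[datetime, str, str]]:
    """Alerts that fire before users notice anything; they do not wait for a failover."""
    alerts = []
    for s in samples:
        if not s.up:
            continue  # an outage is a failover event, counted by sla_evidence()
        if s.circuit in VOICE_PATHS and s.latency_ms > VOICE_WARN_LATENCY_MS:
            alerts.append((s.ts, s.circuit, f"latency {s.latency_ms:.0f} ms on voice path"))
        if s.util_pct > UTIL_WARN_PCT and is_business_hours(s.ts):
            alerts.append((s.ts, s.circuit, f"utilisation {s.util_pct:.0f} % in business hours"))
    return alerts


def sla_evidence(samples: List[Sample], circuit: str) -> Dict[str, object]:
    """Uptime against SLA plus failover-triggering events, from the underlay's own metrics."""
    own = sorted((s for s in samples if s.circuit == circuit), key=lambda s: s.ts)
    uptime = 100.0 * sum(s.up for s in own) / len(own)
    events, bad = 0, False
    for s in own:  # count transitions into 'down, or too lossy for real-time traffic'
        now_bad = (not s.up) or s.loss_pct > REALTIME_MAX_LOSS_PCT
        if now_bad and not bad:
            events += 1
        bad = now_bad
    weeks = ((own[-1].ts - own[0].ts) + SAMPLE_INTERVAL) / timedelta(weeks=1)
    return {"circuit": circuit, "uptime_pct": round(uptime, 2), "sla_target_pct": SLA_TARGET_PCT,
            "sla_breached": uptime < SLA_TARGET_PCT, "failover_events": events,
            "failovers_per_week": round(events / weeks, 1)}


# Constructed four-week hourly log for one branch with a fibre leased line (voice path)
# and a broadband circuit. The hour indexes below are the injected faults.
FIBRE_LATENCY_SPIKES = {14, 38, 62}                  # 14:00 on Mon, Tue, Wed of week 1
BROADBAND_DOWN_HOURS = {50, 51, 200, 420}            # three outages, four hours down in total
BROADBAND_LOSS_HOURS = {30, 75, 120, 165, 260, 305, 350, 500, 600}  # nine loss spikes
BROADBAND_BUSY_HOURS = {10, 11, 34, 130}             # 130 falls on a Saturday: no alert


def build_sample_log() -> List[Sample]:
    start = datetime(2024, 3, 4)  # a Monday
    log = []
    for h in range(28 * 24):
        ts = start + timedelta(hours=h)
        fibre_latency = 38.0 if h in FIBRE_LATENCY_SPIKES else 11.0
        log.append(Sample(ts, "branch-fibre", fibre_latency, 0.0, 45.0, True))
        if h in BROADBAND_DOWN_HOURS:
            log.append(Sample(ts, "branch-broadband", 0.0, 100.0, 0.0, False))
            continue
        loss = 1.2 if h in BROADBAND_LOSS_HOURS else 0.1
        util = 85.0 if h in BROADBAND_BUSY_HOURS else 40.0
        log.append(Sample(ts, "branch-broadband", 24.0, loss, util, True))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for alert in early_warnings(log):
        print(*alert)
    for circuit in ("branch-fibre", "branch-broadband"):
        print(sla_evidence(log, circuit))
```

On this constructed log the broadband circuit shows 99.4% uptime against the 99.5% target and three failover events per week, which is the kind of evidence package the text recommends taking to the ISP, while the overlay would have hidden all of it from users.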
Common Multi-Site SD-WAN Deployment Mistakes
Having supported numerous UK businesses through multi-site SD-WAN deployments, we consistently observe several mistakes that undermine otherwise sound implementations.
Undersizing circuits for local internet breakout. When migrating from centralised internet breakout to local breakout at each site, businesses often underestimate the bandwidth required. Traffic that previously traversed the MPLS to a central internet breakout — and was therefore not visible at the local site — now uses the local broadband connection. Ensure your traffic analysis accounts for this shift, and size local circuits with adequate headroom for cloud application traffic, software updates, and the general growth in internet bandwidth consumption.
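The sizing error above is easiest to see with numbers. The following is an added example for this guide, not code from the page or from any vendor: it takes two constructed series of five-minute throughput samples for one branch, the traffic already visible on the branch's own circuit and the traffic for that branch's address range observed at the central internet breakout, combines them, and sizes the local circuit on the 95th percentile (the figure most providers bill and size on) with headroom and growth applied. The circuit tiers, the 30% headroom, the 20% annual growth and the three-year horizon are assumptions chosen for the illustration.

```python
"""Sizing a branch's local internet breakout from pre-migration traffic."""
import math

# Constructed five-minute throughput samples in Mbps for one branch during a
# busy window (not real measurements). Two series are needed because, before
# local breakout, the branch's internet traffic is only visible at the HQ edge.
SAMPLE_LOCAL_MBPS = [12, 45, 18, 60, 22, 38, 28, 70, 32, 15,
                     48, 40, 65, 25, 50, 35, 55, 20, 42, 30]
SAMPLE_HQ_FOR_BRANCH_MBPS = [40, 95, 50, 130, 60, 85, 70, 150, 75, 35,
                             100, 90, 140, 55, 110, 80, 120, 45, 90, 65]

STANDARD_TIERS_MBPS = (100, 200, 500, 1000)  # assumed product tiers
HEADROOM = 0.30          # assumed: margin above the 95th percentile
ANNUAL_GROWTH = 0.20     # assumed: internet bandwidth growth per year
PLANNING_YEARS = 3       # assumed: contract term to plan for


def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile: the value at position ceil(pct/100 * n)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def post_breakout_series(local, hq_for_branch):
    """Per-sample load the local circuit will carry after migration: what it
    carries today plus the branch's share of the central breakout."""
    return [a + b for a, b in zip(local, hq_for_branch)]


def required_mbps(p95, headroom=HEADROOM, growth=ANNUAL_GROWTH, years=PLANNING_YEARS):
    """Apply headroom and compound growth over the planning horizon."""
    return p95 * (1 + headroom) * (1 + growth) ** years


def recommend_tier(required, tiers=STANDARD_TIERS_MBPS):
    """Smallest standard tier that meets the requirement, or None if none does
    (a bespoke circuit or a second circuit is needed)."""
    for tier in sorted(tiers):
        if tier >= required:
            return tier
    return None


def size_branch(local, hq_for_branch):
    """Compare the sizing that local-only measurements suggest with the sizing
    that accounts for traffic returning from the central breakout."""
    local_p95 = nearest_rank_percentile(local, 95)
    combined = post_breakout_series(local, hq_for_branch)
    combined_p95 = nearest_rank_percentile(combined, 95)
    req = required_mbps(combined_p95)
    return {
        "local_only_p95_mbps": local_p95,
        "post_breakout_p95_mbps": combined_p95,
        "post_breakout_peak_mbps": max(combined),
        "required_mbps": round(req, 1),
        "recommended_tier_mbps": recommend_tier(req),
        "tier_if_sized_on_local_only": recommend_tier(required_mbps(local_p95)),
    }


if __name__ == "__main__":
    for key, value in size_branch(SAMPLE_LOCAL_MBPS, SAMPLE_HQ_FOR_BRANCH_MBPS).items():
        print(f"{key}: {value}")
```

With these samples the branch circuit alone shows a 95th percentile of 65 Mbps, which would justify a 200 Mbps tier; adding the traffic that currently leaves via headquarters lifts the 95th percentile to 205 Mbps and the recommendation to 500 Mbps. Measure the central breakout per branch source range over a representative period, including month-end and patch-release days, before ordering circuits.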
Neglecting DNS and DHCP. SD-WAN controls how traffic is routed, but DNS resolution determines where that traffic is sent in the first place. Cloud platforms and CDNs choose the endpoint they return based on the source address of the resolver that queries them (or, where supported, the client subnet the resolver passes along). If branch sites continue to use a centralised DNS resolver at headquarters, cloud applications like Microsoft 365 will resolve to endpoints optimised for the headquarters location, not the branch, and the branch then sends its traffic to those distant endpoints over its local breakout, negating the latency benefit. Configure local DNS resolution at each site, or use the SD-WAN platform's built-in DNS proxy, so that cloud applications resolve to geographically appropriate endpoints. Whichever you choose, make sure DHCP at the site actually hands out that resolver and that the resolver forwards to the same trusted, filtered upstream that headquarters uses; otherwise local breakout quietly bypasses any DNS-based filtering you rely on centrally.
Failing to plan for Day 2 operations. SD-WAN deployment projects focus heavily on design and implementation but often neglect the operational processes required to manage the network ongoing. Who monitors the dashboards? Who responds to alerts? Who manages firmware updates across the appliance estate? Who handles circuit faults and ISP engagement? Who reviews analytics and makes capacity planning recommendations? Define these responsibilities before go-live, not after.
Ignoring the LAN. SD-WAN optimises traffic between sites, but if the local area network at a branch office is a congested, unmanaged flat network with consumer-grade switches, SD-WAN cannot compensate for local performance problems. Ensure that each site’s LAN infrastructure is adequate to support the traffic patterns and quality requirements of your applications. This is particularly important for voice and video traffic, which is sensitive to local network congestion and jitter.
Choosing a vendor based on price alone. The lowest-cost SD-WAN platform is not the best value if it lacks the security features you need (requiring additional security appliances), the management simplicity your team requires (consuming more operational resource), or the path quality compensation your applications demand (resulting in poor voice and video quality over degraded circuits). Evaluate total cost of ownership including hardware, licensing, security, management, and operational effort — not just the per-appliance price.
Deployment Timeline and Project Phases
A multi-site SD-WAN deployment for a UK business with 10–30 sites typically follows a structured project timeline spanning 12–20 weeks from initiation to full operational handover, depending on the complexity of the existing network, circuit lead times, and the availability of on-site engineering resource.
Circuit procurement is almost always the longest lead-time item in a UK SD-WAN deployment. Fibre leased lines can take 60–90 working days to provision, and even broadband circuits may require 15–30 working days depending on the exchange and whether Openreach infrastructure upgrades are needed. Begin circuit procurement as early as possible in the project — ideally in parallel with the design phase — to avoid circuit delivery becoming the bottleneck that delays the entire deployment. Always order circuits with at least two weeks of buffer before the planned installation date, and have fallback plans (temporary 4G connectivity, for example) for sites where circuit delivery slips.
SD-WAN transforms how UK multi-site businesses approach wide-area connectivity. By decoupling network intelligence from physical transport, it delivers better performance, stronger resilience, tighter security integration, and dramatically lower costs than traditional MPLS architectures. But the technology is only as effective as the planning, design, and operational practices that surround it. A well-planned SD-WAN deployment — with properly diverse circuits, thoughtful application-aware routing policies, appropriate security architecture, and robust monitoring and operational processes — delivers a network that genuinely adapts to the needs of your business rather than constraining them. The UK businesses that invest in getting the design and deployment right are rewarded with a wide-area network that is faster, more reliable, more secure, and substantially more cost-effective than anything the previous generation of WAN technology could achieve.

