Infrastructure › SD-WAN & WAN Edge

Pillar 01 · WAN Edge

Resilient WAN, designed on purpose.

Dual-transport SD-WAN fabrics with application-aware routing and cellular failover. We replace MPLS with architectures that are faster, cheaper, and survive a single-carrier outage without a hiccup.

Talk to an Engineer See Reference Architectures

99.98%

target uptime with dual-transport + 5G cellular failover

SD-WAN platforms we design on — Meraki, Fortinet, Cisco Catalyst

14 wk

reference timeline · 120-site phased rollout with rollback

SD-WAN · Overlay

Fortinet Secure SD-WAN hub-and-spoke reference architecture

The Problem

Every branch is a single point of failure until your WAN is resilient.

Legacy MPLS is expensive, slow to provision, and locks you into a single carrier. Pure-Internet WANs are brittle without active-active failover and application-aware routing. Either way, a fiber cut or a carrier-side outage takes a site off the air — and in retail, healthcare, or manufacturing, that's revenue, compliance, or physical-safety risk.

The modern answer is a dual-transport SD-WAN fabric: fiber + cable + 5G cellular working in parallel, with application-aware path selection that routes VoIP through the low-latency circuit and bulk data through the cheapest pipe — while failing over in under 500ms when a link degrades.

Netcom designs these fabrics on three platforms — Meraki MX for cloud-managed mid-market, Fortinet Secure SD-WAN for security-integrated deployments, and Cisco Catalyst SD-WAN for enterprise-scale topologies. We pick the platform based on your environment and operating model, not what we have a quota on.

Reference Architectures

Three tiers. Specific vendors. Named models.

Each tier is a production-tested architecture with a real BOM. Use the tabs to match your scale.

SMB · 1 HQ + 1–20 branches

Meraki MX with Cradlepoint cellular backup

Cloud-managed SD-WAN with auto-VPN mesh between sites. Verizon 5G cellular failover at every branch via Cradlepoint S700. Single-pane management in Meraki Dashboard; zero-touch provisioning (boxes ship pre-configured, plug in and online). Best fit for organizations that want an opinionated cloud-managed stack without a dedicated network engineer on staff.

Role	Vendor & Model	Notes	License
HQ SD-WAN hub	Cisco Meraki MX250	NGFW · IDS/IPS · AMP · 15 Gbps threat-inspected	Advanced Security
Branch SD-WAN	Cisco Meraki MX67 / MX75	Cloud-managed · auto-VPN mesh · app routing	Advanced Security
Core switch	Meraki MS355-24X2	Stackable · 10G uplinks · mGbE access	Enterprise
Access switch	Meraki MS125-24P	PoE+ · 24-port · supports APs + phones	Enterprise
Wireless	Meraki MR46 · MR36	Wi-Fi 6 · cloud-managed · 3×3 radio · multi-SSID	Enterprise
Cellular failover	Cradlepoint S700	5G modem · dual-SIM · Verizon business primary	NetCloud Essentials

Mid-market Fortinet Secure SD-WAN reference architecture with HA hub, dual transport, and FortiExtender cellular

Mid-Market · HA hub + 20–100 branches

Fortinet Secure SD-WAN — one vendor for firewall + WAN

Fortinet collapses SD-WAN and NGFW into a single appliance — the FortiGate is both the branch router and the firewall, managed centrally from FortiManager with logs streaming to FortiAnalyzer. FortiLink extends the same management to FortiSwitch and FortiAP, so the entire branch stack runs on one policy engine. Best fit for organizations with strict security posture requirements (PCI, regulated industries) and a preference for one-vendor operational simplicity.

Role	Vendor & Model	Notes	License
HQ SD-WAN hub (HA)	Fortinet FortiGate 600F · active-passive	12 Gbps threat-inspected · SD-WAN + NGFW	UTP Bundle
Tier-1 branch	FortiGate 80F + FortiExtender 511F	5G cellular built-in · FortiSwitch 124F uplink	UTP Bundle
Tier-2 branch	FortiGate 60F + FortiExtender 211F	Smaller footprint · FortiSwitch 148F + FortiAP 231G	UTP Bundle
Core switch	FortiSwitch 624F	24× 10G SFP+ · FortiLink zero-touch	N/A (FortiGate-managed)
Wireless	FortiAP 431G / 234F	Wi-Fi 6E · managed via FortiGate (no separate controller)	N/A
Primary-5G branch	Cradlepoint E3000	Pop-up sites · dual-SIM 5G primary · FortiClient agent	NetCloud Advanced
Central mgmt	FortiManager · FortiAnalyzer	Policy orchestration · log aggregation · threat intel	Per-device
Remote workers	FortiClient ZTNA	Identity-aware proxy · replaces VPN	Per-user

Cisco Catalyst SD-WAN

vManage / vBond / vSmart controllers · Catalyst 8300 branch · SD-Access fabric integration · deep QoS with sophisticated policy. Reference architecture diagram in production for enterprise customers — request a private design session to walk through it.

Enterprise · 100+ sites · complex topologies

Cisco Catalyst SD-WAN — for Cisco-estate organizations

Sophisticated policy engine, deep QoS, SD-Access fabric integration. Fits organizations with existing Cisco infrastructure, strict change-management requirements, and the need for centralized telemetry across hundreds of sites. Deployment model choice: on-prem vManage or Cisco-hosted.

Role	Vendor & Model	Notes	License
Controllers	Cisco vManage + vBond + vSmart	Cloud-hosted or on-prem · HA pair each	SD-WAN subscription
Branch edge	Cisco Catalyst 8200 / 8300	SD-WAN + routing + security · up to 10 Gbps	DNA Essentials / Advantage
Cloud-managed branch	Meraki MX (optional)	Where cloud-managed ops preferred over vManage	Meraki Advanced Security
Primary-cellular	Cradlepoint E3000 / E300	5G primary sites · NetCloud Manager integration	NetCloud Advanced
Core switching	Catalyst 9500 / 9500H	StackWise Virtual · VXLAN/EVPN fabric	DNA Advantage
Observability	Cisco ThousandEyes · DNA Center	Path visibility · SaaS performance	Per-agent

Vendor Fit

Which platform for which use case.

The recommendation Netcom makes depends on scale, security posture, operating model, and existing vendor investment. Here's how we think about it.

Use case	Primary	Alternates
Retail chain · 50–500 sites · centralized policy	Meraki MX	Fortinet Secure SD-WAN
Mid-market with strict security posture (PCI, regulated)	Fortinet Secure SD-WAN	Palo Alto Prisma SD-WAN, Cisco Catalyst
Enterprise · complex topology · Cisco estate	Cisco Catalyst SD-WAN	Fortinet for simpler branches
Industrial / IoT branches · ruggedized	Cradlepoint E-Series	Peplink MAX
Mobile / pop-up / events · SpeedFusion bonding	Peplink SpeedFusion	Cradlepoint COR IBR
Healthcare · HIPAA · strict change control	Cisco or Fortinet	Meraki MX with HIPAA BAA
Mission-critical primary-5G cellular	Cradlepoint E3000	Peplink BR2 Pro 5G
Construction · trailer / temporary site	Peplink BR1 Pro 5G	Cradlepoint S700, InHand IR315

What Netcom delivers

SD-WAN architecture design with per-site topology documents
Carrier-diverse circuit procurement (AT&T, Verizon, Lumen, Comcast Business, Spectrum)
Failover SLA target definition and validation testing
BOM + phased rollout plan with rollback at every stage
Staged configuration, pre-shipment to sites, on-site cutover
Cutover windows typically 2–4 hours per site, after-hours
90-day post-deployment optimization + traffic analysis
Optional managed service: 24/7 monitoring via our NOC partner with Netcom as your named engineer, change management, quarterly review

Our design process

30-day discovery: existing WAN audit, circuit inventory, app traffic analysis
Carrier landscape review per site (what's physically available)
Application criticality map — voice, video, SaaS, bulk data
Failover SLA per app class (RTO/RPO)
Security posture requirements (PCI, HIPAA, CMMC, SOC 2)
Platform recommendation with pro/con analysis, peer-reviewed
BOM, deployment sequence, cutover plan, acceptance criteria
Phased rollout with first site as a reference for all subsequent

Time to rethink the WAN?

Send us your existing circuit inventory and a rough site list. Within 10 business days you'll get a design memo with a recommended platform, a phased rollout plan, and directional pricing.

Request an Architecture Review Back to Infrastructure

Resilient WAN, designed on purpose.

Every branch is a single point of failure until your WAN is resilient.

Three tiers. Specific vendors. Named models.

Meraki MX with Cradlepoint cellular backup

Fortinet Secure SD-WAN — one vendor for firewall + WAN

Cisco Catalyst SD-WAN — for Cisco-estate organizations

Which platform for which use case.

What Netcom delivers

Our design process

Where SD-WAN shows up in real deployments.

Retail

Hospitality

Government

Industrial

Time to rethink the WAN?

Resilient WAN, designed on purpose.

Every branch is a single point of failure until your WAN is resilient.

Three tiers. Specific vendors. Named models.

Meraki MX with Cradlepoint cellular backup

Fortinet Secure SD-WAN — one vendor for firewall + WAN

Cisco Catalyst SD-WAN — for Cisco-estate organizations

Which platform for which use case.

What Netcom delivers

Our design process

Where SD-WAN shows up in real deployments.

Retail

Hospitality

Government

Industrial

Pairs naturally with

Security & Firewall

Cellular Networking

Managed Services

Time to rethink the WAN?