From Clean Slate to Brownfield Reality
The first and most significant difference is the starting point. A proof-of-concept (PoC) or lab environment is what engineers call a “greenfield.” You’re working with new hardware, fresh software installs, and a controlled set of applications. It’s a pristine sandbox designed to showcase the technology’s best-case performance. Production, however, is a “brownfield.” It’s a messy, complex ecosystem that has evolved over years. You aren’t replacing everything at once; you’re integrating SD-WAN into a live network that includes legacy routers, long-standing firewall policies, existing carrier contracts, and business-critical applications with quirky dependencies. The challenge isn't just making SD-WAN work; it's making it work with everything *else* without causing an outage. This means painstaking planning, phased rollouts, and navigating political and technical debt that a demo simply ignores.
The Underlay Will Not Be Ignored
In a lab, the “internet” connections that SD-WAN manages—known as the underlay—are perfectly simulated. They have zero packet loss, consistent latency, and no outages. In the real world, the underlay is a chaotic mix of different ISPs, from high-grade fiber to consumer-grade broadband and fickle 4G/5G connections. This is where the theory of SD-WAN meets a harsh reality. While SD-WAN is designed to mitigate underlay problems, it can’t perform miracles. If both of your internet circuits at a branch office are suffering from the same regional fiber cut or ISP congestion, your performance will suffer, SD-WAN or not. Production deployment involves far more time spent on carrier management, testing link diversity (ensuring your two providers don’t rely on the same physical infrastructure), and fine-tuning the SD-WAN policies to handle real-world link “flapping” and brownouts, not just the simple failover shown in a demo.
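To make the flapping point concrete, here is an added illustration (not code from any SD-WAN vendor or from the original article) that compares a demo-style "switch on the first bad probe" failover with a dampened policy that requires several consecutive SLA misses before leaving the primary circuit and several consecutive passes before returning. The SLA thresholds, the hold-down counts and the probe history are constructed assumptions, not measurements.

```python
"""Path selection over two WAN underlays: naive failover vs. a dampened SLA policy.
Added illustration with assumed thresholds and constructed probe samples."""
from dataclasses import dataclass


@dataclass
class Sample:
    loss_pct: float    # packet loss reported by the probe, in percent
    latency_ms: float  # round-trip latency reported by the probe


# Assumed SLA for the primary circuit (constructed values).
MAX_LOSS = 2.0
MAX_LATENCY = 150.0


def meets_sla(s: Sample) -> bool:
    return s.loss_pct <= MAX_LOSS and s.latency_ms <= MAX_LATENCY


def naive_failover(primary: list[Sample]) -> list[str]:
    """Demo-style policy: leave on the first bad probe, return on the first good one."""
    return ["primary" if meets_sla(s) else "backup" for s in primary]


def dampened_policy(primary: list[Sample], fail_after: int = 3, recover_after: int = 5) -> list[str]:
    """Brownout-aware policy: fail_after consecutive misses to leave the primary,
    recover_after consecutive passes to come back, so short spikes do not flap traffic."""
    active, bad, good, path = "primary", 0, 0, []
    for s in primary:
        if meets_sla(s):
            good, bad = good + 1, 0
        else:
            bad, good = bad + 1, 0
        if active == "primary" and bad >= fail_after:
            active = "backup"
        elif active == "backup" and good >= recover_after:
            active = "primary"
        path.append(active)
    return path


def transitions(path: list[str]) -> int:
    """Number of path changes; each one is a disruption users may notice."""
    return sum(1 for a, b in zip(path, path[1:]) if a != b)


# Constructed probe history: alternating loss spikes (flapping), then a sustained brownout, then recovery.
PROBES = [Sample(0.1, 40), Sample(5.0, 60), Sample(0.2, 45), Sample(4.0, 55), Sample(0.1, 42),
          Sample(3.5, 300), Sample(6.0, 350), Sample(8.0, 400), Sample(7.0, 380), Sample(0.3, 41),
          Sample(0.2, 40), Sample(0.1, 43), Sample(0.2, 44), Sample(0.1, 42)]

if __name__ == "__main__":
    print("naive transitions:", transitions(naive_failover(PROBES)))      # 6
    print("dampened transitions:", transitions(dampened_policy(PROBES)))  # 2
```

Real controllers add per-application weighting and measure the backup circuit too; the hold-down counters are the piece that separates brownout handling from the simple failover a demo shows.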
Security: More Integration, Less Magic
Modern SD-WAN vendors often bake in impressive security features, like a next-generation firewall (NGFW) or unified threat management (UTM). In a demo, enabling this is a simple checkbox. In production, it’s a major architectural decision. Most companies already have a significant investment in a security stack from vendors like Palo Alto Networks, Fortinet, or Cisco. Getting a new SD-WAN solution to play nice with your existing security infrastructure is a monumental task. Do you replace your trusted branch firewalls with the SD-WAN’s built-in security? Do you continue to backhaul traffic to a central data center for inspection, partially defeating the purpose of direct internet access? This complexity is driving the move toward a Secure Access Service Edge (SASE) architecture, which tightly integrates networking and cloud-based security. But SASE itself is a strategic journey, not a feature you just turn on. A production rollout forces you to confront these deep architectural questions that a simple PoC conveniently sidesteps.
The Human Element: New Skills and Workflows
Perhaps the most underestimated difference is the operational shift. For decades, network engineers have lived in the command-line interface (CLI) of routers and switches. They understand how to troubleshoot on a device-by-device basis. SD-WAN replaces this with a centralized, software-based controller. While this is powerful, it represents a fundamental change in workflow and requires a new set of skills. Your team needs to learn how to think in terms of policies, templates, and application-level performance rather than IP addresses and routing tables. They need to trust the automation and learn to use the new visibility and analytics tools to troubleshoot. This isn’t trivial. A successful production deployment requires investment in training, redefining team roles, and developing new operational procedures. Without this, you risk having a powerful new system that no one fully understands how to manage or optimize when problems inevitably arise.