Cisco SD-WAN Licensing

How Catalyst and Meraki SD-WAN licensing works per site, the tiers and bandwidth bands that set cost, and the levers that cut an SD-WAN renewal down.

Updated April 2026

Cisco SD-WAN is licensed per site on subscription tiers, with Catalyst SD-WAN running from about 250 dollars per site per year at the Essentials tier to roughly 1,000 dollars per site per year at the Premier tier, and the tier and bandwidth band you choose move the bill more than the site count does. Cisco sells SD-WAN through two architectures, Catalyst SD-WAN for the router-based estate and Meraki MX for the cloud-managed estate, and the licensing model differs enough between them that the first decision is which platform you are actually buying.

Two platforms, two licensing models

Cisco's SD-WAN portfolio runs on two distinct platforms that are licensed differently, and conflating them is the first source of confusion in any renewal. Catalyst SD-WAN, the architecture built on the IOS XE routing platform and managed through the Catalyst SD-WAN controllers, licenses per site on tiered subscriptions tied to a bandwidth band. Meraki MX, the cloud-managed security and SD-WAN appliance line, licenses per device on the Meraki subscription model covered in our Cisco Meraki pricing guide. An organization may run both, with Meraki MX at smaller branches and Catalyst SD-WAN at larger sites, and the licensing for each follows its own rules. The practical consequence is that an SD-WAN renewal often spans two licensing models at once, and the negotiation has to address both rather than treating SD-WAN as a single line.

Catalyst SD-WAN tiers and bandwidth

Catalyst SD-WAN licensing is built on per-site tiers, typically Essentials, Advantage, and Premier, layered on top of a bandwidth band that reflects the throughput each site needs. The tier sets the feature set, from basic connectivity at Essentials to integrated security and advanced routing at Premier, while the bandwidth band sets the per-site rate within the tier. The table below shows representative annual per-site list pricing across the tiers and a midrange bandwidth band.

Tier | Capability | Approx. list per site / year
Essentials | Core SD-WAN connectivity and policy | $250 to $400
Advantage | Adds advanced routing and analytics | $450 to $700
Premier | Adds integrated security and full feature set | $800 to $1,000+

The most common overspend is buying Premier across every site for the integrated security when only the direct-internet-access sites need it, while the sites that backhaul through a regional hub could run Advantage or Essentials. Matching the tier to each site's actual role, rather than standardizing on the top tier for simplicity, is the largest controllable saving in a Catalyst SD-WAN estate.

The bandwidth-band creep: Each per-site license is tied to a bandwidth band, and sites provisioned for peak rather than typical throughput sit in a higher band than their real traffic requires. Bandwidth bands are reviewed at renewal, and a site whose actual utilization runs well below its provisioned band is paying for headroom it never uses. Pulling utilization data per site before the renewal and right-sizing the bands down where the traffic supports it routinely removes 10 to 15 percent from a Catalyst SD-WAN renewal, with no change to service.

Term, DNA, and the on-premises pairing

SD-WAN subscriptions are sold on terms from three to seven years, and as with the rest of the Cisco estate the longer term carries a deeper discount against a shorter one. The SD-WAN license also interacts with the Catalyst on-premises licensing managed through DNA Center, because the routing platform that runs SD-WAN frequently carries its own DNA subscription, and the two should be reconciled so you are not paying twice for overlapping capability. Our guide to Cisco DNA Center pricing covers the on-premises Catalyst model that pairs with SD-WAN, and the broader Cisco licensing guide places SD-WAN within the full Cisco subscription portfolio. Reconciling the SD-WAN and DNA subscriptions across the estate is where buyers find the duplicate coverage that a platform migration left behind.

SD-WAN inside the Enterprise Agreement

For estates of any scale, SD-WAN is a candidate to fold into a Cisco Enterprise Agreement, and the bundle-versus-standalone decision is the same one that runs through the rest of the Cisco portfolio. The EA prices SD-WAN alongside networking, security, and collaboration under a single committed term, which can lower the blended per-site rate and simplify the renewal, at the cost of committing to Cisco across the bundle. Our analysis of Cisco EA pricing and the trade-off in Cisco EA versus a la carte apply to SD-WAN directly, because SD-WAN is often the line that tips a large estate toward an EA. The calculation turns on how many sites you run and whether the EA prices the rest of your Cisco estate competitively enough to justify the commitment.

Controllers and the management layer

Catalyst SD-WAN runs on a control plane of management, orchestration, and validation components that direct the routers in the fabric, and how that control plane is hosted affects both cost and the licensing conversation. Cisco offers the controllers as a cloud-hosted service it operates or as software you host yourself, and the choice carries different cost and operational profiles. The cloud-hosted option folds the control plane into the subscription and removes the burden of running it, while self-hosting gives more control at the cost of operating the infrastructure. For most estates the cloud-hosted controllers are the practical default, but the point for licensing is that the per-site subscription assumes a control plane, so the controller hosting decision is part of the total SD-WAN cost rather than a separate infrastructure line. Reconciling what the subscription includes against what you separately operate prevents paying twice for the management layer.

Migration from legacy WAN and double-running

Most SD-WAN deployments replace an existing MPLS or traditional WAN estate, and the transition period is where cost quietly doubles, because the old circuits and the new SD-WAN licenses run in parallel until every site is cut over. A migration that drifts over many quarters pays for both the legacy WAN and the SD-WAN subscriptions across the overlap, and that double-running cost frequently exceeds the SD-WAN saving for the duration of the transition. The discipline is to compress the migration timeline so the overlap is short, and to negotiate the SD-WAN subscription start dates to align with the cutover rather than the contract signing, so you are not paying for SD-WAN licenses on sites still running on the old WAN. This timing is a real negotiating point, because the vendor would prefer the subscription clock to start at signing while the buyer needs it to start at cutover.

A worked branch estate

Consider a 120-site estate where every site was provisioned at the Premier tier for integrated security, but only the 30 direct-internet-access sites need it and the 90 hub-backhaul sites could run Advantage. The table below shows the tier-rationalization saving.

Site group | Count | Tier | Approx. annual
Direct-internet sites | 30 | Premier (hold) | ~$27,000
Hub-backhaul sites (before) | 90 | Premier | ~$81,000
Hub-backhaul sites (after) | 90 | Advantage | ~$54,000

Moving the 90 backhaul sites from Premier to Advantage recovers roughly 27,000 dollars a year here, a 33 percent cut on that group, drawn entirely from matching the tier to each site's role rather than standardizing on the top tier. Layering the bandwidth-band right-sizing on top of the tier change compounds the saving further, which is why both reviews belong in the same renewal.

Security bundling and the SASE question

Cisco increasingly positions SD-WAN as part of a broader secure-access-service-edge offering that combines the network fabric with cloud-delivered security, and the bundling question materially affects cost. The Premier tier already includes integrated security at the branch, and layering a separate cloud-security subscription on top can mean paying twice for overlapping protection unless the two are reconciled. The SASE framing is attractive because it promises a single integrated platform, but for the buyer it raises the same discipline that runs through the rest of the estate: confirm that each security capability is paid for once, not once at the branch in the SD-WAN tier and again in a cloud-security subscription. Where a genuine SASE consolidation removes standalone security products, it can save money; where it adds a cloud-security layer on top of branch security already bought, it adds cost. Mapping the security capabilities across the SD-WAN tier and any cloud-security subscription is what tells the two apart.

Right-sizing at the hardware refresh

SD-WAN runs on routing hardware that is refreshed on a cycle, and the refresh is the natural moment to right-size both the hardware and the licensing together, because the two are chosen at once. A site whose traffic has grown can move up a bandwidth band, but more often a site provisioned years ago for projected growth that never arrived can move down, and the refresh is when that correction is cheapest to make. Buying the next hardware generation at the band the site actually needs, rather than matching the over-provisioned predecessor by default, prevents carrying forward a sizing mistake for another hardware cycle. Aligning the refresh schedule with the subscription renewal so the hardware and license decisions are made together, rather than on separate clocks, is what lets the estate track real demand instead of accreting headroom. The reconciliation with the on-premises Catalyst licensing in our Cisco DNA Center pricing guide belongs in the same refresh review.

Cutting the SD-WAN renewal

The SD-WAN renewal responds to three levers: tier rationalization by site role, bandwidth-band right-sizing against real utilization, and term commitment for the stable portion of the estate. Because SD-WAN is sold through Cisco partners, partner margin is also in play, and a competitive quote tests it the same way it does for Meraki. The structured approach in our software contract negotiation guide applies to SD-WAN, and a review through our software licensing advisory service models the per-site tiers, the bandwidth bands, and the EA alternative together so the renewal reflects what each site actually needs. An SD-WAN estate renewed at the provisioned tiers and bands pays for capability and headroom it does not use; an estate renewed against real utilization pays for what it runs.

Common questions

Is Catalyst SD-WAN or Meraki MX right for my sites?

Catalyst SD-WAN suits larger, router-based sites that need advanced routing and granular control, while Meraki MX suits smaller branches that benefit from cloud-managed simplicity. Many estates run both, with the platform chosen per site, and the licensing follows whichever platform each site uses.

What sets the per-site cost?

Two variables: the tier, from Essentials through Advantage to Premier, which sets the feature set, and the bandwidth band, which sets the rate within the tier. Matching both to each site's real role and traffic, rather than standardizing on the top tier, is the largest controllable saving.

Can I change tiers mid-term?

Tier and band changes are normally settled at renewal, which is why pulling utilization data before the renewal matters. A site sitting below its provisioned band or above its needed tier is the candidate to right-size when the subscription comes up.
