Updated: June 22, 2026
The campus core gets the architecture diagrams. The data centre gets the budget. The branch gets whatever was left over, and a router picked off a price list. Then the branch turns out to be where the business actually touches the network: the till in an Indore store, the clinic in Coimbatore, the regional sales office in Kanpur that loses a day of orders every time its single broadband line drops.
India runs on branches, and most branch networks were never designed. They accreted, one site at a time, each a little different from the last, until nobody could say with confidence how any given location connects or what happens when its link fails. That is not a hardware problem. It is the absence of a reference architecture: a small set of standard designs you apply by branch size, so every site is predictable, supportable and built the same way on purpose.
This guide sets out three such designs, small, medium and large, built on Cisco Catalyst SD-WAN and the Catalyst 8000 edge family, with the Indian last mile in mind.
A branch reference architecture is a standard, repeatable design for connecting a branch office, defined once and reused across every site of a similar size. Instead of engineering each location from scratch, you classify a branch as small, medium or large, and apply the matching pattern: the router model, the number and type of internet links, the redundancy, the security and how it joins the wider network.
The value is uniformity. When every small branch is built the same way, your team can deploy, troubleshoot and replace any of them without relearning the site. Spares are predictable, documentation is real, and a fault in Nagpur looks like a fault in Surat because the design is identical. The question a reference architecture answers is not "how do we connect this office?" but "which of our three standard branches is this, and have we built it to pattern?"
Because the Indian last mile is the variable that breaks naive designs. A branch in a metro business district can take a fibre leased line; one in a tier-three town may have only consumer broadband and a strong 4G or 5G signal. Link quality varies by street, providers vary by city, and a single connection of any kind is a single point of failure waiting for monsoon season. A design that assumes a clean MPLS circuit everywhere does not survive contact with the country.
Cisco Catalyst SD-WAN exists precisely for this. It builds a secure overlay that runs over any transport, MPLS, internet broadband, leased line or cellular, and treats them as interchangeable paths, so a branch can mix whatever links it can actually get (Cisco Catalyst SD-WAN). The router stops caring whether the path is fibre or 5G; it cares whether the path is healthy. That single idea, transport independence, is what lets one set of designs cover the whole spread of Indian connectivity.
Two pieces make up every design below. The first is the edge router, drawn from the Catalyst 8000 family, which spans from a compact branch box to a regional aggregator:
| Platform | Role | Indicative performance | Typical site |
|---|---|---|---|
| Catalyst 8200 | Compact small-branch edge | Up to ~3.8 Gbps forwarding; IPsec ~0.5–1 Gbps with services | Stores, clinics, small offices |
| Catalyst 8300 | Modular mid-to-large branch / regional headend | Up to ~18.8 Gbps; hardware crypto up to ~8.6 Gbps IPsec | Mid and large branches, regional hubs |
| Catalyst 8500 | High-performance aggregation | 100+ Gbps | Regional and national hub sites |
| Catalyst 8000V | Virtual edge | Scales to instance | Cloud (AWS, Azure, GCP), data centre, colo |
All of them run Cisco IOS XE with Catalyst SD-WAN built in.
The second piece is the SD-WAN control plane, which is the same regardless of branch size. Catalyst SD-WAN Manager (formerly vManage) is the single console where you define policy and watch the network. The Catalyst SD-WAN Controller (formerly vSmart) distributes routing and policy using OMP, Cisco's overlay protocol. The Catalyst SD-WAN Validator (formerly vBond) authenticates each new router and introduces it to the rest. The branch routers inspect traffic up to Layer 7 and steer each application down the best available path. Define a policy once in the Manager, and every branch, small or large, enforces it identically.
For a store, a clinic or a small office, the design is a single Catalyst 8200 with two transports: a broadband or leased line as primary and a 4G or 5G connection as backup. The cellular link is not a luxury here; it is the difference between a site that rides out a last-mile failure and one that goes dark until an engineer is dispatched. SD-WAN moves traffic to the cellular path automatically when the primary degrades, and back when it recovers, without anyone intervening.
The design leans on zero-touch provisioning. A new router can be shipped directly to the site, plugged in by a non-technical person, and configured automatically from the central Manager, which matters when you are opening twenty stores and have no engineer to send to each. The trade-off you accept at this tier is a single router, so a hardware failure means a replacement visit, mitigated by holding a spare 8200 that any site can use because every small branch is built identically. For a low-cost, high-count estate, that is usually the right balance. Does every one of your small sites today have a second path when its line fails? Most do not.
For a larger branch with more users and business-critical applications, the design steps up to a Catalyst 8300 with dual transports of better quality: typically a leased line or MPLS circuit paired with business broadband, and cellular as a third fallback where the site warrants it. The 8300's hardware-based encryption matters here, because at this size you are running encrypted tunnels at a throughput that would tax a smaller box, and you want crypto handled in silicon rather than stealing CPU from forwarding.
This is where application-aware routing earns its place. The branch classifies traffic into voice, video, business applications and bulk data, and steers each down the path that suits it, keeping a video call off the congested link while bulk backups take the cheaper one. The result is that a single pair of ordinary internet circuits delivers the application experience that once needed a premium private line. You can add a second power supply or plan for rapid router replacement depending on how much downtime the site can absorb. The design question at this tier is which applications must never degrade, and the SD-WAN policy is where you answer it.
For a head office, a large branch or a site that aggregates others, the design prioritises resilience over economy. Two routers, a high-end Catalyst 8300 or a Catalyst 8500 at a true aggregation point, run in a high-availability pair so the failure of one does not take the site offline. Transports multiply too: a leased line, two internet circuits from different providers to avoid a shared last-mile failure, and cellular for genuine diversity. Dual power and careful physical separation of links follow from the same logic.
A large branch often hosts more than connectivity. It may run a local security stack, terminate connections from smaller branches in its region, and hold services that those branches depend on, which is why the aggregation-class 8500 exists. Here the architecture starts to resemble a small data-centre edge, and the design decisions, how many tunnels, how much throughput, how to segment tenants or departments, deserve real engineering rather than a template. The smaller tiers are about repeatability. This tier is about getting one important site exactly right.
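As an added example (not part of the original guide, and not Cisco or Proactive tooling), the three tier patterns above can be encoded as a conformance check that answers "have we built it to pattern?" for every site. The inventory format, field names, site names and provider labels are constructed assumptions.

```python
# Added example; inventory format, site names and provider labels are constructed.
from collections import Counter

PATTERNS = {  # minimums per tier, taken from the designs described above
    "small":  {"models": {"8200"}, "routers": 1, "transports": 2},
    "medium": {"models": {"8300"}, "routers": 1, "transports": 2},
    "large":  {"models": {"8300", "8500"}, "routers": 2, "transports": 4},
}

def audit_site(site):
    """Return the deviations of one site from its tier pattern."""
    p = PATTERNS[site["tier"]]
    links = site["transports"]  # list of (kind, provider)
    kinds = Counter(kind for kind, _ in links)
    findings = []
    if not set(site["routers"]) <= p["models"]:
        findings.append("router model outside tier pattern")
    if len(site["routers"]) < p["routers"]:
        findings.append("no high-availability router pair")
    if len(links) < p["transports"]:
        findings.append(f"{len(links)} transport(s), pattern needs {p['transports']}")
    if site["tier"] in ("small", "large") and not kinds["cellular"]:
        findings.append("no cellular path")
    if site["tier"] == "large":
        if not kinds["leased"]:
            findings.append("no leased line")
        isps = {prov for kind, prov in links if kind == "internet"}
        if len(isps) < 2:  # circuits on one provider can share a last-mile failure
            findings.append("fewer than two internet providers")
    return findings

def audit(inventory):
    return {s["name"]: audit_site(s) for s in inventory}

INVENTORY = [  # constructed sample data
    {"name": "store-01", "tier": "small", "routers": ["8200"],
     "transports": [("internet", "ISP-A"), ("cellular", "MNO-A")]},
    {"name": "store-02", "tier": "small", "routers": ["8200"],
     "transports": [("internet", "ISP-A")]},
    {"name": "office-01", "tier": "medium", "routers": ["8200"],
     "transports": [("leased", "ISP-B"), ("internet", "ISP-A")]},
    {"name": "hq-01", "tier": "large", "routers": ["8500", "8500"],
     "transports": [("leased", "ISP-B"), ("internet", "ISP-A"),
                    ("internet", "ISP-A"), ("cellular", "MNO-A")]},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against a real inventory export, the non-empty results are the sites that have drifted from their pattern.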
Through one policy plane over many transports. Every branch in the three designs above, whatever its size, connects to the same Catalyst SD-WAN controllers and obeys the same centrally defined policy. You set application priorities, security rules and path preferences once in the Manager, and they apply consistently from the smallest 8200 store to the 8500 hub. Add a branch and it inherits the policy on bring-up rather than being hand-built.
This is also where security and segmentation live. SD-WAN lets you carry separate segments across the overlay, so guest traffic, point-of-sale systems and corporate users stay apart end to end, which matters both for safety and for the data-protection obligations now in force under the DPDP rules. A branch estate built this way is not a collection of independent sites. It is one network that happens to be distributed, managed from one place and observable as a whole. How long does it take you today to answer "are all our branches healthy?" On this architecture, it is one screen.
Reference architectures are a starting grammar, not a finished sentence. The platforms and patterns above are stable; the right number of transports, the redundancy each site truly needs, the segmentation, the way regional hubs aggregate, all depend on your business, your geography and your tolerance for a site going quiet. That mapping, from a brochure's block diagram to a design that fits a few hundred Indian branches with their messy, real connectivity, is the actual work.
Proactive Data Systems has spent 35 years designing and running networks for Indian enterprises across more than 1,500 customers, as a Cisco Preferred Partner in Networking, Security, Collaboration, Cloud and AI, and Services. We size the Catalyst 8000 platform to each branch tier, design the SD-WAN policy and segmentation around your applications, account for the last mile you actually have rather than the one a diagram assumes, and operate the result from a 24x7 NOC in India with CCIE-led design behind it. Routing across a distributed estate is precisely the expertise that separates a network that works from a set of routers that merely power on.
If your branch network grew by accretion rather than design, ask us to map it to a reference architecture. The exercise alone usually reveals which sites are one bad monsoon from going dark.