matt-taylor.tech
← Back to projects

Work · National food brokerage · 2026 – in flight

Managed SD-WAN / ISP standardization (multi-region)

CommandLink SD-WAN / NaaS Cisco Meraki MX (dual-WAN) AT&T Business Fiber Spectrum / Comcast / Cox Entra Conditional Access

Most of the company's 80+ offices arrived through acquisition with whatever internet service they already had: individually contracted Comcast, Spectrum, AT&T, or Cox accounts, each with its own bill, contract term, and support path, and no common management layer over any of it. This program migrates offices region by region onto CommandLink, a managed SD-WAN / NaaS provider that standardizes the ordering, monitoring, and support layer on top of whatever last-mile carrier serves each address. The first region — 14 offices, 15 circuits on a 3-year term — is the deliberate dry run, with two more regions quoted behind it. First carrier installs began mid-July 2026, phased into early 2027.

Program design

The interesting part is the risk architecture, not the circuits:

  • Overlap-first cutovers Every site's new circuit lands on one WAN port of the existing dual-WAN Meraki MX alongside the old service, gets validated (throughput, static IP, any voice or alarm line), and runs through an overlap window before the old circuit is cancelled. Standing rule: never cancel until the replacement is live and validated. And since new circuits bill from installation rather than cutover, overlap windows stay tight — long enough to validate, short enough to limit double-billing.
  • Contract-aware sequencing Cutovers are timed to old-contract term ends so nothing incurs an early-termination fee; sites sharing a near-term contract deadline are sequenced first, month-to-month sites fill in around them. Priority logic: worst-performing connection first, HQ early as the dual-WAN pilot.
  • A schedule that held The vendor proposed compressing the installs into a two-week window; I kept the deliberately phased multi-month rollout instead, so each site gets a real validation window before its old circuit is touched.
  • Identity-aware IP planning One static IP per site feeding Entra Conditional Access named locations — network access policy and circuit procurement designed together, not separately.
  • LAN re-IP rides each cutover A stalled legacy IP-scheme migration is folded into each site's cutover, since the firewall swap and re-DHCP are happening anyway. One site visit instead of two projects.
  • Life-safety lines handled explicitly Fire-alarm lines get a line provisioned on the new service and validated against the panel before the old circuit carrying them is dropped.
  • Bandwidth bought to the workload When the preferred fiber product came back not serviceable at one site, the fallback was measured, not reflexive: actual upload usage peaked in the single-digit Mbps, so a lower-upload cable product was signed the same week and expensive dedicated fiber was ruled out on cost.
  • Install-day access codified from failure The first out-of-sequence carrier visit — a tech arriving at a telecom closet controlled by the building's property manager, not the company — became a standing pre-install checklist: confirm the carrier's arrival window, who on-site grants access, and the property-manager escort for the demarc closet, ahead of every install date.
  • Bills as the source of truth The cost baseline comes from actual invoices, not from what the asset system claims; the site inventory was reconciled across the ITSM asset database, live Meraki WAN data, and the public office listing.
  • Decommission discipline Per-vendor teardown tracking: every service and account enumerated, each account's actual cancellation terms verified rather than assumed (consumer accounts cancel at bill-cycle close with no notice but no proration; business circuits typically want 30 days written even month-to-month), written notice timed to term end, bill end date confirmed in writing, then the next one or two invoices reconciled to confirm charges actually stopped.
  • Program office as code The whole program runs out of a git-versioned repo: cutover plan with per-site status, order and provisioning tracker, decommission tracker, and a risk/issue log with rolling leadership status.

What it demonstrates

  • Telecom and WAN vendor management at scale SD-WAN/NaaS model evaluation, multi-year term negotiation, and holding a phased schedule under vendor pressure to move faster.
  • Contract lifecycle fluency Early-termination-fee avoidance, notice windows, auto-renew clauses, month-to-month-versus-term verification, invoice reconciliation after every change.
  • Cutover engineering Dual-WAN overlap, validation gates, static-IP and Conditional Access integration, LAN re-addressing bundled into the same maintenance window.
  • Risk management as a working practice A live risk log with severities, owners, and mitigations — not a kickoff formality.
  • Cross-functional coordination Accounting (bills and leases), regional office directors, the alarm vendor, four ISP carriers, and the SD-WAN provider, all sequenced from one plan.