This industry viewpoint was authored by Gilles Geerts, IP Consulting Engineer, Nokia
There is a good deal of buzz around SD-WAN these days. One of its great virtues is its flexibility in delivering secure connectivity over multiple transport technologies. So, for instance, if a service provider wants to extend its VPN business services to areas of its territory where it doesn’t have IP/MPLS technology, it can use SD-WAN over best-effort internet.
However, we shouldn’t overlook that SD-WAN can also be implemented over the underlying layer of the IP/MPLS network that supports predictable QoS capabilities. In other words, instead of offering separate services — MPLS VPNs with QoS and SD-WAN over best effort IP — SD-WAN services can combine the best of both options. This gives the operator a unified service interface despite using multiple underlay technologies. Enterprises get full visibility over all their VPN services, including management of users and permissions and setting security policies, all from one SD-WAN interface.
There are a number of other benefits that flow from having a unified SD-WAN service for business VPN services. Being SDN-based, it provides service intelligence. The SDN controller is able to set up connectivity and enforce service levels, and it can automate operations and provide overall policy management. Integration with the cloud is also easier, allowing connections with cloud resources, whether compute or storage, to be set up and managed in a more automated and secure way.
To deliver SD-WAN services with all these capabilities over a mainly IP-based underlay, VXLAN-EVPN is the ideal choice. Ethernet VPN (EVPN) is an overlay solution for connecting dispersed groups, such as branch offices. Like IP VPNs or VPLS, EVPN provides logical separation between customers using shared network resources. EVPN uses both L2 and L3 connectivity. Virtual extensible LAN (VXLAN) defines a tunneling scheme to overlay L2 networks on top of L3 networks. Unlike VLAN tunneling, VXLAN solves the scaling problem by expanding the address space from 4K to 16 million, making it more suitable for large carrier deployments. It is also the most widely used tunneling protocol in data centers (DCs).
There are a number of advantages to using EVPN as the transport layer. Principal among these is that EVPN uses switching or flow-based forwarding, which is installed by the SDN controller. This is more resource efficient than Layer 3 (L3) routing, where each packet is routed separately. It is also able to connect directly to Layer 2 (L2) devices, such as bare metal servers, as well as through VRF tables to L3 routing.
For branch office connectivity, classic Customer Premises Equipment (CPE) separates L2 and L3 services, with integration being handled through the OSS/BSS. EVPN, in contrast, supports both layers, treating them as a single service type. This allows local subnets to be integrated with the routing context.
Other service intelligence characteristics include the ability of the SDN controller to remotely download and install forwarding information for full mesh branch connectivity. It also allows for centralized policy enforcement and, because EVPN is also L2, this includes domain, security zone, subnet and branch for hierarchical policy schemes. EVPN’s Ethernet segment identifier (ESI) provides an abstraction layer between redirect target and destination, along with supporting multi-homing (A/A). EVPN also supports automatic VNF discovery upon activation.
On the security front, EVPN is no different than IP-VPNs for controlling the data path. It allows for service segregation and also provides isolated MAC (L2) and ARP (L3) awareness. Using MP-BGP, it provides horizontal scaling of SDN controllers with redundancy, standardized and transparent attributes, such as MED and LPREF, as well as policies and other security attributes.
To handle multiple underlay technologies, such as both IP and MPLS (untrusted and trusted), EVPN supports VXLAN using encryption, such as IPsec, for untrusted networks, and various IP transport tunnels, such as VXLAN, MPLSoGRE and MPLSoUDP, for trusted networks.
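As an added example (not code from the article or from Nokia), the snippet below encodes and decodes the RFC 7348 VXLAN header to show where the 24-bit VNI that gives the "16 million" segments (versus the 12-bit, 4K VLAN space) lives, and then applies the underlay rule described above: VXLAN in plain UDP is acceptable over a trusted IP/MPLS underlay, but over an untrusted internet underlay the tunnel must travel inside IPsec ESP. The packet descriptions are constructed inputs, and the policy function is a simplified illustration of the check, not a vendor implementation.

```python
"""Added example: RFC 7348 VXLAN header handling plus a trusted/untrusted
underlay policy check. Packet inputs below are constructed for illustration."""
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
FLAG_VNI_VALID = 0x08        # RFC 7348 "I" flag: the VNI field is valid
IPPROTO_UDP, IPPROTO_ESP = 17, 50

def segment_space(bits):
    """Identifiers addressable with a field of this width (12 for VLAN, 24 for VNI)."""
    return 1 << bits

def build_vxlan_header(vni):
    """8-byte header: flags(1) reserved(3) VNI(3) reserved(1).
    The VNI occupies the upper 24 bits of the final 32-bit word."""
    if not 0 <= vni < segment_space(24):
        raise ValueError("VNI %d does not fit in 24 bits" % vni)
    return struct.pack("!B3xI", FLAG_VNI_VALID, vni << 8)

def parse_vxlan_header(hdr):
    """Return the VNI or raise on a malformed header. Reserved bits are ignored
    on receipt, as RFC 7348 requires, so only the I flag is checked."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", hdr[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag clear; frame must be dropped")
    return word >> 8

def check_underlay_policy(pkt):
    """pkt describes one outer packet: 'trusted' (bool), 'ip_proto' and, for
    UDP, 'udp_dport'. Returns 'allow', 'not-vxlan', or a violation string."""
    if pkt["ip_proto"] == IPPROTO_ESP:
        return "allow"          # IPsec-protected; inner VXLAN is not visible here
    if pkt["ip_proto"] != IPPROTO_UDP or pkt.get("udp_dport") != VXLAN_UDP_PORT:
        return "not-vxlan"
    if pkt["trusted"]:
        return "allow"          # plain VXLAN is acceptable over trusted IP/MPLS
    return "violation: plaintext VXLAN over untrusted underlay"

if __name__ == "__main__":
    print(segment_space(12), segment_space(24))          # 4096 16777216
    hdr = build_vxlan_header(0x123456)
    print(hdr.hex(), hex(parse_vxlan_header(hdr)))       # 0800000012345600 0x123456
    internet_pkt = {"trusted": False, "ip_proto": IPPROTO_UDP, "udp_dport": VXLAN_UDP_PORT}
    print(check_underlay_policy(internet_pkt))
```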
VXLAN and MPLSoUDP can be used, as well, to extend tunnels beyond the border gateway directly into the data center to connect securely with cloud compute and storage resources. In this way, cloud resource access policies and permissions can also be extended, by the SDN controller, to specific security zones or subnets within connected branch offices.
This extension into the cloud is one of the principal benefits of using EVPN as the transport layer for SD-WAN. Secure and policy-driven integration of cloud value-added services into general business services is one of its key differentiators. EVPN supports hardware or software-based VTEP, or VXLAN end-points, within the private data center or, for public clouds, using VXLAN over IPsec.
SD-WAN can also be integrated with legacy services that are using IP-VPNs. There are two possible ways to achieve this interconnectivity. The first uses BGP/VLAN to connect the IP-VPN and EVPN border routers. This method is necessary when there are owner/permission issues for locating the EVPN IRB on the IP-VPN legacy border router. But where these permission issues don’t exist, it is preferable to integrate them by stitching the EVPN in the IP-VPN using EVPN RT-5. This allows for the SD-WAN policy server to create the service dynamically using NETCONF or YANG.
SD-WAN and EVPN complement each other and together enable service offerings that fully support traffic steering, service intelligence and security. The cherry on top is the level of integration they enable with cloud services, which is a key objective for today’s enterprise customers.
Could you please explain the pros and cons of both SD-WAN based IPsec VPN and VXLAN VPN?