What Is SD-WAN EVPN?
Software-defined Wide Area Network (SD-WAN) Ethernet Virtual Private Network (EVPN) is a VPN solution that extends the existing EVPN technology to separate the overlay service network from the underlay transport network. It defines a new BGP route type, the BGP SD-WAN route, to carry tunnel information, and uses EVPN IP prefix routes to advertise service routes. In this way, data channels on the underlay network and service paths on the overlay network are established, improving enterprise network performance.
What Is the Relationship Between SD-WAN and EVPN?
In general, EVPN helps implement SD-WAN.
SD-WAN Overview
SD-WAN is a low-cost, easy-to-deploy, and easy-to-manage WAN solution for small and micro enterprises.
In the past, WANs were typically implemented through private lines and VPNs. A private line is a network transmission line that belongs exclusively to an enterprise. It is expensive and has poor mobility. Furthermore, using VPN technology to establish a VPN on a public network leads to extremely high maintenance costs. As such, existing resources need to be reused as much as possible to eliminate the need for purchasing new hardware, avoid the heavy workload involved in manual deployment, and ultimately achieve low costs. To tackle these problems, SD-WAN introduces controllers and hardware devices with multiple interface types so that the controllers can directly control hardware through the public network, proactively identify services through software capabilities, and deliver the appropriate service quality. For more information, see SD-WAN.
EVPN Overview
A WAN mainly implements cross-region network communication. However, for an enterprise, implementing Layer 2 network communication across regions can be a difficult task. Although the L2VPN technology was used in the past, the learning of remote MAC addresses relies heavily on ARP broadcast, which causes high bandwidth consumption and poor performance. With the emergence of new technologies and scenarios, L2VPN can no longer meet the private line requirements. Therefore, EVPN was proposed in the industry.
EVPN is a VPN solution that extends BGP to transfer MAC addresses on the control plane, overcoming the limitations of MAC address learning on traditional VPNs. For more information, see EVPN. SD-WAN uses EVPN to implement cross-region Layer 2 network connections on the public network.
Why Is SD-WAN EVPN Required?
An enterprise typically adopts a hub-spoke architecture to connect its HQ network and multiple branch networks, enhancing communication security. In most cases, for Internet access, the HQ uses static public IP addresses whereas branches use dynamic public IP addresses. In scenarios where cross-region interconnection is implemented through a carrier network, data needs to be transmitted between customer premises equipment (CPE) devices. The configuration becomes more and more complex as the networking scale increases.
Problems of Traditional Methods
Using IPsec or GRE over IPsec to Construct a VPN
Branches cannot obtain each other's public IP addresses and therefore cannot directly communicate with each other, meaning that data needs to be forwarded by the HQ (hub node). However, forwarding data through the HQ causes the following problems:
- The HQ is heavily burdened, and a significant amount of CPU and memory resources will be consumed.
- Additional encapsulation and decapsulation need to be performed on data, resulting in a longer network delay.
- As the Internet Protocol Security (IPsec) network expands, dynamic routing protocols need to be deployed on the network. Such protocols use multicast and broadcast packets to update routes; however, IPsec does not support the transmission of these packets.
Using DSVPN to Construct a VPN
The Dynamic Smart Virtual Private Network (DSVPN) solution combines the Next Hop Resolution Protocol (NHRP) and multipoint Generic Routing Encapsulation (mGRE) to resolve the preceding problems. However, as the number of enterprise branches continues to increase, DSVPN has many limitations, making it harder to expand the scale of sites.
- There are performance limitations for multi-link and multi-VPN scalability. The number of tunnels between two sites equals the number of links between the two sites multiplied by the number of VPNs between the two sites. In multi-department scenarios, small-capacity devices cannot support full-mesh networking, and the capabilities of a single site are limited. Additionally, Internet Key Exchange (IKE) negotiation, Border Gateway Protocol (BGP), IP flow performance measurement (IP FPM), and mGRE need to run on every tunnel, leading to a high system overhead. As a result, the service performance of the entire network is limited.
- The flexibility of the network topology is limited. The DSVPN solution requires a hub site that implements centralized control of spoke (branch) sites. Therefore, the network topology can only be hub-spoke or full-mesh and does not support hybrid networking. In this topology, the NAT traversal capability is weak, and only 1:1 NAT is supported.
Advantages of SD-WAN EVPN
It solves the problems of high network resource consumption, difficult deployment, and low network quality of traditional VPNs.
- Separates the service network from the transport network, and ensures that data can be transmitted quickly and securely.
- Implements full-mesh tunnels between sites, ensures data transmission on the service network, reduces the configuration workload, reduces the number of links on the network, and improves network performance.
- Enables fast and secure transmission of service traffic, guaranteeing operation services.
It removes the DSVPN limitations on network specifications and topology.
- BGP is introduced so that tunnel establishment does not depend on VPNs. The number of tunnels between two sites is the same as the number of links between two sites, and there is no need for the NHRP protocol. BGP peer relationships are not established based on links, and common sites only need to establish BGP peer relationships with route reflectors (RRs). In addition, keys are distributed in a unified manner, without requiring IKE negotiation.
- The control and data nodes are decoupled, and routing policies are used to control the network topology. Multiple topology modes, such as hub-spoke, full-mesh, and hybrid mode, can be deployed to adapt to more complex scenarios.
Components of SD-WAN EVPN
SD-WAN EVPN is a VPN technology that separates the overlay service network from the underlying transport network and separates service network routing from transport network routing. It is similar to BGP/Multiprotocol Label Switching (MPLS) IP VPN. By extending BGP, SD-WAN EVPN provides reachability information to enable underlying transport networks of different sites to interwork with each other. Leveraging the multi-VPN capability of BGP, SD-WAN EVPN implements uniform control of protocols and advertisement of routes, transferring tunnel encapsulation information between networks of different sites on the control plane instead of the data plane.
The following figure shows the basic application scenario of SD-WAN EVPN. Branches are located in different cities and need to connect to the carrier's network in order to implement WAN interconnection.
SD-WAN EVPN application scenario
The following table lists the key components involved in SD-WAN EVPN.
| Component | Function | Description |
|---|---|---|
| Network controller (Agile Controller) | Orchestrates network services. | Controls the entire SD-WAN network. |
| Regional controller (RR) | Distributes BGP EVPN routes and SD-WAN tunnel information between CPEs. In the current solution, the regional controller typically functions as an RR. | Forwards information about CPEs on the network. |
| CPE | Establishes SD-WAN data channels based on the information delivered by the controller and forwards service traffic. | Establishes tunnels for communication between the local site and other sites based on RR information. |
| TN | Short for transport network. A TN is a WAN. The WANs provided by carriers include the carriers' private line networks and Internet public networks. TNs are the basis for constructing the SD-WAN overlay network. A transport network port (TNP) is a WAN interface used by a CPE to connect to a TN. Key information, including Site ID, Transport Network-ID, Public IP, Private IP, and Tunnel Encapsulation, is delivered by the controller to the CPE. | A carrier network, which is the underlying transport network of SD-WAN EVPN. |
The following table lists the channel types involved in SD-WAN EVPN.
| Channel Type | Function | Description |
|---|---|---|
| Network Configuration Protocol (NETCONF) management channel | NETCONF management channels are established between Agile Controller and RRs and between Agile Controller and CPEs for Agile Controller to deliver system IP addresses to RRs and CPEs and allocate RRs to CPEs. | Used by the network controller to manage components. |
| Datagram Transport Layer Security (DTLS) management channel | DTLS management channels are established between CPEs and RRs to notify each other of their TNP information and SD-WAN tunnel security association (SA) parameters in order to establish SD-WAN tunnels. | Used by RRs to learn information about all CPEs. |
| BGP SD-WAN control channel | BGP SD-WAN control channels are established between RRs and CPEs by exchanging BGP packets through SD-WAN tunnels. A CPE advertises its TNP information, SA parameters of an SD-WAN data channel, and local service routes to an RR through a BGP SD-WAN control channel. The RR reflects the TNP information, SA parameters of the SD-WAN data channel, and service routes sent by the CPE to other CPEs. | Used by a CPE to learn information about other CPEs and the service routes they carry. |
| SD-WAN data channel | SD-WAN data channels are established between CPEs to forward Layer 3 service traffic after the CPEs learn each other's TNP information, SA parameters of the SD-WAN data channels, and service routes through RRs. | Used for communication between CPEs. |
The following figure shows the overall architecture of the SD-WAN EVPN solution.
SD-WAN EVPN solution architecture
How Does SD-WAN EVPN Work?
Working Mechanism of SD-WAN EVPN
- Configuring and onboarding the controller for device management
After Agile Controller is configured and onboarded, a network administrator defines services on its Portal page, and Agile Controller invokes a RESTful API to instruct the orchestration component to orchestrate network services.
- Establishing a NETCONF management channel
An RR goes online and registers with the controller. The controller then allocates a device management IP address to the RR, delivers TNP and IPsec SA information, delivers instructions to the RR to enable the DTLS server function and listening port, and delivers static routes to ensure that the RR and CPEs are reachable to each other.
A CPE goes online and registers with the controller. The controller then allocates a device management IP address to the CPE, allocates an RR to the CPE based on the obtained CPE information, delivers the registration address and port number of the RR to the CPE, delivers TNP and IPsec SA information, and delivers static routes to ensure that the RR and CPE are reachable to each other.
- Establishing a DTLS management channel
The CPE initiates a DTLS connection based on the RR registration address and TNP information delivered by the controller.
DTLS management channel establishment
- Establishing a BGP SD-WAN control channel
The CPE and RR notify each other of their TNP and IPsec SA information through a DTLS connection. A BGP SD-WAN control channel is then established between the CPE and RR.
BGP SD-WAN control channel establishment
- Establishing an SD-WAN data channel
The RR, managed by Agile Controller, establishes a neighbor relationship with the CPE, for example, a multiprotocol BGP (MP-BGP) peer relationship. The RR can receive the TNP information and IPsec SA information of all CPEs, and reflect the information to all CPEs, which then learn the TNP information of each other.
When CPE1 advertises a Local Area Network (LAN)-side route, CPE2 learns the route through the RR. In this manner, an SD-WAN data channel is established between CPE1 and CPE2.
SD-WAN data channel establishment
- Orchestrating services
Agile Controller orchestrates the service-oriented policies defined by the network administrator and notifies the RR of the policies through a NETCONF interface. Based on the policies defined by the network administrator, the RR distributes VPN topology, routing, and tunnel information between sites to implement secure and on-demand interconnection between sites.
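The control-plane sequence above, and the scaling claim made earlier (tunnel count equals link count, BGP sessions only to the RR, no per-VPN tunnels), can be simulated with a small model. The following Python is an added example written for this page; it is not vendor code, and the class names, the `TNP`/`CPE`/`RouteReflector` structures and all addresses (documentation ranges) are constructed assumptions. It models only what the text describes: the controller has delivered TNPs and LAN-side routes to each CPE, each CPE peers with the RR alone, and the RR reflects TNP information and service routes to every other CPE, after which each CPE derives one tunnel per pair of TNPs on the same transport network.

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class TNP:
    """Transport network port: one WAN interface of a CPE (constructed fields,
    mirroring the Site ID / Transport Network-ID / Public IP / Private IP the
    controller delivers)."""
    site_id: str
    tn_id: str         # which transport network (e.g. Internet, MPLS) the port is on
    public_ip: str
    private_ip: str


@dataclass
class CPE:
    site_id: str
    tnps: tuple                                      # local TNPs from the controller
    local_routes: dict                               # vpn -> list of LAN-side prefixes
    peer_tnps: dict = field(default_factory=dict)    # remote site -> tuple of TNPs
    rib: dict = field(default_factory=dict)          # (vpn, prefix) -> next-hop site

    def learn(self, src_site, tnps, routes):
        """Install what the RR reflected from another CPE."""
        self.peer_tnps[src_site] = tnps
        for vpn, prefixes in routes.items():
            for prefix in prefixes:
                self.rib[(vpn, prefix)] = src_site

    def tunnels_to(self, remote_site):
        """One SD-WAN tunnel per local/remote TNP pair on the same transport
        network, independent of how many VPNs ride over it."""
        remote = self.peer_tnps.get(remote_site, ())
        return [(a, b) for a, b in product(self.tnps, remote) if a.tn_id == b.tn_id]


class RouteReflector:
    """Every CPE peers only with the RR; the RR reflects to all other CPEs."""

    def __init__(self):
        self.clients = {}

    def register(self, cpe):
        self.clients[cpe.site_id] = cpe

    def reflect(self):
        for src in self.clients.values():
            for dst in self.clients.values():
                if dst is not src:
                    dst.learn(src.site_id, src.tnps, src.local_routes)

    def sessions(self):
        return len(self.clients)    # BGP sessions are RR-to-CPE, not CPE-to-CPE


def dsvpn_tunnels(links, vpns):
    """DSVPN tunnel count between two sites: links multiplied by VPNs."""
    return links * vpns


def full_mesh_sessions(n):
    """BGP sessions a full mesh of n CPEs would need without an RR."""
    return n * (n - 1) // 2


def build_demo(vpns=("Finance", "RnD", "Sales")):
    """Three sites, each with an Internet and an MPLS link and three VPNs."""
    rr = RouteReflector()
    for n in (1, 2, 3):
        site = f"Site{n}"
        tnps = (TNP(site, "Internet", f"203.0.113.{n}", f"10.{n}.0.1"),
                TNP(site, "MPLS", f"198.51.100.{n}", f"172.16.{n}.1"))
        routes = {vpn: [f"10.{n}.{i}.0/24"] for i, vpn in enumerate(vpns, start=1)}
        rr.register(CPE(site, tnps, routes))
    rr.reflect()
    return rr


if __name__ == "__main__":
    rr = build_demo()
    cpe1 = rr.clients["Site1"]
    print("tunnels Site1->Site2 (EVPN):", len(cpe1.tunnels_to("Site2")))
    print("tunnels Site1->Site2 (DSVPN):", dsvpn_tunnels(2, 3))
    print("BGP sessions with RR:", rr.sessions(), "vs full mesh:", full_mesh_sessions(3))
```

With two links and three VPNs per site, the model yields two SD-WAN tunnels between any pair of sites, where DSVPN would need six; adding a fourth VPN changes nothing for SD-WAN EVPN. The session count grows linearly with sites because each CPE only holds a session to the RR.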
SD-WAN EVPN Data Forwarding
The SD-WAN EVPN data forwarding process is as follows:
- CPE1 receives an ordinary unicast packet from user A, searches the routing table of the SD-WAN EVPN instance, and forwards the packet based on the next-hop site of the matching SD-WAN EVPN route. Before forwarding the packet to CPE2, CPE1 adds GRE information to the packet and encapsulates it with an IPv4 tunnel header.
- CPE2 receives the packet, searches the SD-WAN tunnel decapsulation table based on the IPv4 source address (CPE1) and destination address (CPE2) of the packet, decapsulates the packet, removes the IPv4 header, searches the routing table of the SD-WAN EVPN instance based on the GRE Key value and destination address of the inner packet, and then forwards the packet to user B.
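The two forwarding steps can be traced in code. The following Python is an added example for this page, not vendor code; the `CPEDataPlane` class, its table layouts, the GRE key values and all addresses (documentation ranges) are constructed assumptions. It performs the lookups in the order the text gives: the ingress CPE matches the inner destination in the routing table of the SD-WAN EVPN instance, adds a GRE key identifying that instance and an outer IPv4 header; the egress CPE first checks the outer source/destination pair against its tunnel decapsulation table (so a packet from an endpoint it never learned via the RR is dropped before any inner lookup), selects the instance from the GRE key, and only then looks up the inner destination. IPsec protection of the tunnel is not modelled.

```python
import ipaddress

# GRE key <-> SD-WAN EVPN instance (VPN) mapping. Constructed values.
VPN_TO_KEY = {"Finance": 100, "RnD": 200}
KEY_TO_VPN = {key: vpn for vpn, key in VPN_TO_KEY.items()}


class CPEDataPlane:
    """Minimal CPE data plane: per-VPN routing table, remote TNP table and
    tunnel decapsulation table. Constructed model, not vendor code."""

    def __init__(self, site_id, tnp_ip):
        self.site_id = site_id
        self.tnp_ip = tnp_ip            # public address of this CPE's TNP
        self.rib = {}                   # vpn -> [(network, next_hop_site)]
        self.site_tnp = {}              # remote site -> its TNP public IP
        self.decap_table = set()        # accepted (outer_src, outer_dst) pairs

    def install_route(self, vpn, prefix, next_hop_site):
        self.rib.setdefault(vpn, []).append(
            (ipaddress.ip_network(prefix), next_hop_site))

    def learn_peer(self, site, tnp_ip):
        """State a CPE holds after the RR reflected a peer's TNP information."""
        self.site_tnp[site] = tnp_ip
        self.decap_table.add((tnp_ip, self.tnp_ip))

    def lookup(self, vpn, dst_ip):
        """Longest-prefix match in the routing table of one SD-WAN EVPN instance."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, site in self.rib.get(vpn, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, site)
        return None if best is None else best[1]

    def encapsulate(self, vpn, inner):
        """Ingress: find the next-hop site, add the GRE key, wrap in outer IPv4."""
        site = self.lookup(vpn, inner["dst"])
        if site is None:
            return {"action": "drop", "reason": "no route"}
        if site == self.site_id:
            return {"action": "deliver", "vpn": vpn, "inner": inner}
        return {"action": "tunnel",
                "outer_src": self.tnp_ip,
                "outer_dst": self.site_tnp[site],
                "gre_key": VPN_TO_KEY[vpn],
                "inner": inner}

    def decapsulate(self, pkt):
        """Egress: decap-table check on the outer addresses, VPN selected by the
        GRE key, then a routing lookup on the inner destination."""
        if (pkt["outer_src"], pkt["outer_dst"]) not in self.decap_table:
            return {"action": "drop", "reason": "unknown tunnel endpoint"}
        vpn = KEY_TO_VPN.get(pkt["gre_key"])
        if vpn is None:
            return {"action": "drop", "reason": "unknown GRE key"}
        if self.lookup(vpn, pkt["inner"]["dst"]) != self.site_id:
            return {"action": "drop", "reason": "inner destination not local"}
        return {"action": "deliver", "vpn": vpn, "inner": pkt["inner"]}


def build_sites():
    """CPE1 and CPE2 with state learned via the RR (constructed addresses)."""
    cpe1 = CPEDataPlane("Site1", "203.0.113.1")
    cpe2 = CPEDataPlane("Site2", "203.0.113.2")
    cpe1.learn_peer("Site2", cpe2.tnp_ip)
    cpe2.learn_peer("Site1", cpe1.tnp_ip)
    for cpe in (cpe1, cpe2):
        cpe.install_route("Finance", "10.1.0.0/16", "Site1")
        cpe.install_route("Finance", "10.2.0.0/16", "Site2")
        cpe.install_route("RnD", "10.2.0.0/16", "Site2")   # RnD has no Site1 prefix
    return cpe1, cpe2


def forward(src_cpe, dst_cpe, vpn, inner):
    """Run the two-step process for a packet from user A behind src_cpe."""
    out = src_cpe.encapsulate(vpn, inner)
    if out["action"] != "tunnel":
        return out
    return dst_cpe.decapsulate(out)


if __name__ == "__main__":
    cpe1, cpe2 = build_sites()
    print(forward(cpe1, cpe2, "Finance", {"src": "10.1.0.10", "dst": "10.2.0.20"}))
```

The ordering matters from a defender's view: the outer-address check against the decapsulation table rejects traffic from any endpoint the RR never advertised, and the GRE key keeps a packet inside the instance it was sent in, so a destination that exists in one VPN cannot be reached through another.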
SD-WAN EVPN data forwarding and encapsulation process
- Author: Li Yefan, Meng Xianhai
- Updated on: 2024-04-15