Home Search Center Intelligent Model Selection IP Encyclopedia


Software-defined Wide Area Network (SD-WAN) Ethernet Virtual Private Network (EVPN) is a VPN solution that extends the existing EVPN technology to separate the overlay service network from the underlay transport network. It defines new BGP SD-WAN routes based on BGP and uses EVPN IP prefix routes to advertise service routes. In this way, data channels on the underlay network and service paths on the overlay network are established, improving enterprise network performance.

What Is the Relationship Between SD-WAN and EVPN?

In general, EVPN helps implement SD-WAN.

SD-WAN Overview

SD-WAN is a low-cost, easy-to-deploy, and easy-to-manage WAN solution for small and micro enterprises. For more information, see SD-WAN.

In the past, WANs were typically implemented through private lines and VPNs. A private line is a network transmission line that belongs only to an enterprise. It is expensive and has poor mobility. Establishing a VPN on a public network by using the VPN technology also causes extremely high maintenance costs. As such, to achieve low costs, existing resources need to be reused as much as possible to avoid purchasing new hardware and prevent a heavy workload of manual deployment. To tackle these problems, SD-WAN introduces controllers and hardware devices with multiple interface types so that the controllers can directly control hardware through the public network, proactively identify services through software capabilities, and deliver the appropriate service quality.

EVPN Overview

The WAN mainly implements cross-region network communication. However, for an enterprise, it seems that it is difficult to easily implement Layer 2 network communication across regions. Although the L2VPN technology was used in the past, the learning of remote MAC addresses relies heavily on ARP broadcast, which causes high bandwidth consumption and poor performance. With the emergence of new technologies and scenarios, L2VPN cannot meet the private line requirements. Therefore, EVPN was proposed in the industry.

EVPN is a VPN solution that extends BGP to transfer MAC addresses on the control plane, breaking through the limitations of MAC address learning on traditional VPNs. For more information, see EVPN. SD-WAN uses EVPN to implement cross-region Layer 2 network connections on the public network.

Why Is SD-WAN EVPN Required?

An enterprise typically uses hub-spoke architecture to connect its HQ network and multiple branch networks, enhancing communication security. In most cases, the HQ uses static public IP addresses for Internet access, and branches use dynamic public IP addresses for Internet access. In a scenario where cross-region interconnection is implemented through a carrier network, data needs to be transmitted between customer premises equipment (CPE) devices. When the networking scale is large, the configuration becomes complex.

Problems of Traditional Methods

Using IPsec or GRE over IPsec to Construct a VPN

Branches cannot obtain each other's public IP addresses and so cannot directly communicate with each other. Data needs to be forwarded by the HQ (hub node). Forwarding data through the HQ causes the following problems:

  • The HQ is forced to withstand substantial performance pressure, and a significant amount of CPU and memory resources will be consumed.
  • Additional encapsulation and decapsulation need to be performed on data, resulting in a longer network delay.
  • As the Internet Protocol Security (IPsec) network expands, dynamic routing protocols need to be deployed on the network. Dynamic routing protocols use multicast and broadcast packets to update routes; however, IPsec does not support the transmission of such packets.

Using DSVPN to Construct a VPN

Dynamic Smart Virtual Private Network (DSVPN) solution combines the Next Hop Resolution Protocol (NHRP) and multipoint Generic Routing Encapsulation (mGRE) to resolve the preceding problems. As the number of enterprise branches continues to increase, DSVPN has many limitations, making it harder to expand the scale of sites.

  • There are performance limitations for multi-link and multi-VPN scalability. The number of tunnels between two sites equals the number of links between the two sites multiplied by the number of VPNs between the two sites. In multi-department scenarios, small-capacity devices cannot support full-mesh networking, and the capabilities of a single site are limited. Additionally, Internet Key Exchange (IKE) negotiation, Border Gateway Protocol (BGP), IP flow performance measurement (IP FPM), and mGRE need to run on every tunnel, leading to a high system overhead. As a result, the service performance of the entire network is limited.
  • In the topology networking, the flexibility is limited. The DSVPN solution requires a hub site that implements centralized control of spoke (branch) sites. Therefore, the network topology can only be hub-spoke or full-mesh and does not support hybrid networking. In this topology, the NAT traversal capability is weak, and only 1:1 NAT is supported.

Advantages of SD-WAN EVPN

It solves the problems of high network resource consumption, difficult deployment, and low network quality of traditional VPNs.

  • Separates the service network from the transport network, and ensures that data can be transmitted quickly and securely.
  • Implements full-mesh tunnels between sites, ensures data transmission on the service network, reduces the configuration workload, reduces the number of links on the network, and improves network performance.
  • Enables fast and secure transmission of service traffic, guaranteeing operation services.

It eliminates the DSVPN network specifications and networking restrictions.

  • BGP is introduced to separate the service network from the underlying transport network. Tunnel establishment does not depend on VPNs, and the number of tunnels between two sites equals the number of links between two sites. The NHRP protocol is not required. BGP peer relationships are not established based on links, and common sites only need to establish BGP peer relationships with route reflectors (RRs). Keys are distributed in a unified manner, without requiring IKE negotiation.
  • The control and data nodes are decoupled, and routing policies are used to control the network topology. Multiple topology modes, such as hub-spoke, full-mesh, and hybrid mode, can be deployed to adapt to more complex scenarios.

Components of SD-WAN EVPN

SD-WAN EVPN is a VPN technology that separates the overlay service network from the underlying transport network and separates service network routing from transport network routing. It is similar to BGP/Multiprotocol Label Switching (MPLS) IP VPN. By extending BGP, SD-WAN EVPN provides reachability information to make underlying transport networks of different sites to interwork with each other. Leveraging the multi-VPN capability of BGP, SD-WAN EVPN implements uniform control of protocols and advertisement of routes, transferring tunnel encapsulation information between networks of different sites on the control plane instead of the data plane.

The following figure shows the basic application scenario of SD-WAN EVPN. Branches are located in different cities and need to connect to the carrier's network to implement WAN interconnection.

SD-WAN EVPN application scenario
SD-WAN EVPN application scenario

The following table lists the key components involved in SD-WAN EVPN.

Table 1-1 Key components of SD-WAN EVPN




Network controller (Agile Controller)

Orchestrates network services.

Controls the entire SD-WAN network.

Regional controller (RR)

Distributes BGP EVPN routes and SD-WAN tunnel information between CPEs. In the current solution, the regional controller typically functions as a route reflector (RR).

Forwards information about CPEs on the network.


Establishes SD-WAN data channels based on the information delivered by the controller and forwards service traffic.

Establishes tunnels for communication between the local site and other sites based on RR information.


Is short for transport network (TN). A TN is a WAN. The WANs provided by carriers include the carriers' private line networks and Internet public networks. TNs are the basis for constructing the SD-WAN overlay network. A transport network port (TNP) is a WAN interface used by a CPE to connect to a TN. Key information, including Site ID, Transport Network-ID, Public IP, Private IP, and Tunnel Encapsulation, is delivered by the controller to the CPE.

A carrier network, which is the underlying transport network of SD-WAN EVPN.

The following table lists the channel types involved in SD-WAN EVPN.

Table 1-2 Channel types involved in SD-WAN EVPN

Channel Type



Network Configuration Protocol (NETCONF) management channel

NETCONF management channels are established between Agile Controller and RRs and between Agile Controller and CPE for Agile Controller to deliver system IP addresses to RRs and CPEs and allocate RRs to CPEs.

Used by the network controller to manage components.

Datagram Transport Layer Security (DTLS) management channel

DTLS management channels are established between CPEs and RRs to notify each other of their TNP information and SD-WAN tunnel security association (SA) parameters so as to establish SD-WAN tunnels.

Used by RRs to learn information about all CPEs.

BGP SD-WAN control channel

BGP SD-WAN control channels are established between RRs and CPEs by exchanging BGP packets through SD-WAN tunnels. A CPE advertises its TNP information, SA parameters of an SD-WAN data channel, and local service routes to an RR through a BGP SD-WAN control channel. The RR reflects the TNP information, SA parameters of the SD-WAN data channel, and service routes sent by the CPE to other CPEs.

Used by a CPE to learn information about other CPEs and carried service route information.

SD-WAN data channel

SD-WAN data channels are established between CPEs to forward Layer 3 service traffic after the CPEs learn each other's TNP information, SA parameters of the SD-WAN data channels, and service routes through RRs.

Used for communication between CPEs.

The following figure shows the overall architecture of the SD-WAN EVPN solution.

SD-WAN EVPN solution architecture
SD-WAN EVPN solution architecture

How Does SD-WAN EVPN Work?

Working Mechanism of SD-WAN EVPN

  1. Configuring and onboarding the controller for device management

    After Agile Controller is configured and onboarded, a network administrator defines services on the Portal page of Agile Controller, and Agile Controller invokes a RESTful API to instruct the orchestration component to orchestrate network services.

  2. Establishing a NETCONF management channel

    An RR goes online and registers with the controller. Then the controller allocates a device management IP address to the RR, delivers TNP and IPsec SA information, delivers instructions to the RR to enable the DTLS server function and listening port, and delivers static routes to ensure that the RR and CPEs are reachable to each other.

    A CPE goes online and registers with the controller. Then the controller allocates a device management IP address to the CPE, allocates an RR to the CPE based on the obtained CPE information, delivers the registration address and port number of the RR to the CPE, delivers TNP and IPsec SA information, and delivers static routes to ensure that the RR and CPE are reachable to each other.

  3. Establishing a DTLS management channel

    The CPE initiates a DTLS connection based on the RR registration address and TNP information delivered by the controller.

    DTLS management channel establishment
    DTLS management channel establishment
  4. Establishing a BGP SD-WAN control channel

    The CPE and RR notify their TNP and IPsec SA information to each other through a DTLS connection. Then a BGP SD-WAN control channel will be established between the CPE and RR.

    BGP SD-WAN control channel establishment
    BGP SD-WAN control channel establishment
  5. Establishing an SD-WAN data channel

    Under the management of Agile Controller, the RR establishes a neighbor relationship with the CPE, for example, a multiprotocol BGP (MP-BGP) peer relationship. The RR can receive the TNP information and IPsec SA information of all CPEs, and reflect the information to all CPEs, which then learn the TNP information of each other.

    When CPE1 advertises a Local Area Network (LAN)-side route, CPE2 learns the route through the RR. In this manner, an SD-WAN data channel will be established between CPE1 and CPE2.
    SD-WAN data channel establishment
    SD-WAN data channel establishment
  6. Orchestrating services

    Agile Controller orchestrates the service-oriented policies defined by the network administrator and notifies the RR of the policies through a NETCONF interface. Based on the policies defined by the network administrator, the RR distributes VPN topology, routing, and tunnel information between sites to implement secure and on-demand interconnection between sites.

SD-WAN EVPN Data Forwarding

The SD-WAN EVPN data forwarding process is as follows:

  1. CPE1 receives an ordinary unicast packet from user A, searches the routing table of the SD-WAN EVPN instance, and forwards the packet based on the next-hop site of the matching SD-WAN EVPN route. CPE1 adds GRE information to the packet, encapsulates the packet with an IPv4 tunnel header, and forwards the packet to CPE2.
  2. CPE2 receives the packet, searches the SD-WAN tunnel decapsulation table based on the IPv4 source address (CPE1) and destination address (CPE2) of the packet, decapsulates the packet, removes the IPv4 header, searches the routing table of the SD-WAN EVPN instance based on the GRE Key value and destination address of the inner packet, and then forwards the packet to user B.
SD-WAN EVPN data forwarding and encapsulation process
SD-WAN EVPN data forwarding and encapsulation process
About This Topic
  • Author: Li Yefan, Meng Xianhai
  • Updated on: 2023-06-19
  • Views: 785
  • Average rating:
Share link to