Category: Tags

Software-Defined WAN (SD-WAN) is the second “software-defined” marketing attempt (after the original SDN) to dress a conglomerate of old technologies into shiny new clothes. Even Wikipedia article promotes some of the usual software-defined hype, quoting Network World claim that:

SD-WAN simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism. This concept is similar to how software-defined networking implements virtualization technology to improve data center management and operation.

Is It Real?

Want to know how real those claims are? Start the journey with this series of myth-busting blog posts:

• Software-Defined WAN:Well-Orchestrated Duct Tape? (2015)
• Routing Protocols and SD-WAN: Apples and Furbies (2015)
• Do Enterprises Need MPLS? (2016)
• Lack of Fast Convergence in SD-WAN Products (2018)
• Lock-In and SD-WAN: a Match Made in Heaven (2019)
• Impact of Controller Failures in Software-Defined Networks (2019)
• Fast Failover in SD-WAN Networks (2020)

Does SD-WAN make sense? Sure:

• Business Case for SD-WAN (2015)
• Reliability of SD-WAN and Hybrid WAN Solutions (2015)

Need More Details?

I covered the basics of SD-WAN in Choose the Optimal VPN Service and SDN Use Cases webinars.

Pradosh Mohapatra described the basics of SD-WAN and its typical components and architectures:

• What Is SD-WAN?
• SD-WAN Reference Design
• SD-WAN Backend Architecture
• SD-WAN CPE Architecture
• Security Aspects of SD-WAN

Want to know more about Cisco’s SD-WAN solution (formerly known as Viptela)? Enjoy David Peñaloza Seijas’ deep dive into its architecture and implementation details:

• Going Beneath the Cisco SD-WAN Surface
• Cisco SD-WAN Fundamentals and Definitions
• Cisco SD-WAN Solution Architecture and Components
• Cisco SD-WAN Routing Goodness
• Cisco SD-WAN Onboarding Process
• Cisco SD-WAN Policies and Centralized Magic
• Cisco SD-WAN Policies Review
• Cisco SD-WAN Routing Design
• Cisco SD-WAN Site Design
• Cisco SD-WAN Policy Design

Real-Life SD-WAN

SD-WAN sounds great, but does it work as expected? Maybe not:

• SDN, SD-WAN and FCoE on Gartner Networking Hype Cycle (2015)
• SD-WAN Reality Gap (2019)
• Real-Life SD-WAN Experience (2019)
• Worth Reading: SD-WAN Scalability Challenges (2020)
• Feedback from Another SD-WAN Fan (2020)

Is it secure? Some products seem to be nothing more than a bunch of open-source component glued together with clueless Python code:

• Security Aspects of SD-WAN Solutions (2018)
• SD-WAN Security Under the Hood (2019)
• SD-WAN Security: A Product Liability Insurance Law Would Certainly Help (2020)
• Another SD-WAN Security SNAFU: SQL Injections in Cisco SD-WAN Admin Interface (2021)

Some service providers want to use SD-WAN to offer managed services. Not surprisingly, some people¹ don’t find that a good idea:

• SD-WAN: A Service Provider Perspective (2020)
• Managed SD-WAN Services (2022)
• Challenges of Managed SD-WAN Services (2022)

Then there are some technical details vendors love to gloss over:

• Does Unequal-Cost Multipathing Make Sense? (2021)
• Topology- and Congestion-Driven Load Balancing (2021)

Does it work within a public cloud? Yeah, sort of… with a few challenges:

• Azure Route Server: The Challenge (2021)
• Azure Route Server: Behind the Scenes (2021)

Want Even More?

Love marketing-related rants? Here are a few:

• Some Ridiculous SD-WAN Claims (2015)
• What Is Software-Defined Security? (2016)
• This Is Why I’m Not Doing SD-WAN Webinars (2016)
• The Ever-Increasing Complexity (2017)
• SD-WAN Vendor Landscape (2019)

Last, but definitely not least, you might enjoy these (more esoteric) solutions:

• DLSP – QoS-Aware Routing Protocol on Software Gone Wild (2015)
• Changing Cisco IOS BGP Policies Based on IP SLA Measurements (2019)
• Overlay Networking with Ouroboros on Software Gone Wild (2020)
• Scalable Policy Routing (2021)

Blog Posts I Forgot to Categorize

• Does EVPN/VXLAN over SD-WAN Make Sense?

EIGRP was the best choice for an interior gateway protocol in late 1990s – it was fast, efficient, and easy to deploy. OSPF and IS-IS implementations improved in the intervening 30 years, slowly turning EIGRP into a forgotten technology.

On a more serious note, I wouldn’t deploy EIGRP in new network designs for compatibility reasons (no major networking vendor apart from Cisco implemented it), and I’d use BGP in designs where a single router has to deal with hundreds of adjacent routers (the only scenario where EIGRP still outshines OSPF and IS-IS).

While the ultimate sources of EIGRP wisdom remain the EIGRP Network Design Solutions Cisco Press book and RFC 7868, you might want to read these articles and blog posts describing EIGRP implementation details and deployment guidelines.

The Basics

• Scaling EIGRP Networks with Stub Routers
• EIGRP Myths Debunked
• EIGRP: an MBA-Like Perspective
• EIGRP Loop Prevention Logic
• RFC 7868: The Definitive EIGRP Guide
• Missing Information for the EIGRP Network Design Solutions Cisco Press Book

Implementation Details

• EIGRP Goodbye Message
• EIGRP Load Balancing Based on Interface Load
• Changes in EIGRP Summary Address Are no Longer Disruptive
• EIGRP Neighbor Loss Detection
• EIGRP Load and Reliability Metrics
• EIGRP MTU “metric”
• EIGRP Offset Lists
• Beware of the Pre-Bestpath Cost Extended BGP Community
• EIGRP Third-Party Next Hops

EIGRP Deployment Scenarios

• Using EIGRP in MPLS VPN Networks
• Multihomed EIGRP Sites in MPLS VPN Network
• Leak Map Confusion
• Limitations of VRF Routing Protocols on Cisco IOS
• GRE Keepalives or EIGRP Hellos?
• Recommendations for Keepalive/Hello Timers
• Manipulating EIGRP Metrics
• Multiple EIGRP Autonomous Systems in a VRF
• EIGRP Summarization in DMVPN Phase 2 Networks
• Solution: EIGRP Summarization Breaks Phase 2 DMVPN
• OSPF Meets EIGRP
• IBGP, IGP Metrics, and Administrative Distances
• Does Unequal-Cost Multipathing Make Sense?

DMVPN is an old¹ Cisco-proprietary technology that combines NHRP, IPsec, IKEv2 and multipoint GRE tunnels to build dynamically-provisioned multi-access VPNs.

The easiest way to master DMVPN is to watch the ipSpace.net DMVPN webinars, and every now and then someone still finds them somewhat useful:

• Advanced DMVPN Webinar: Router Configurations
• DMVPN: How to Get from Zero to Hero?
• DMVPN Deployment Success Story
• Feedback: DMVPN Webinars

I also wrote dozens of DMVPN-related blog posts. Hope you’ll enjoy them!

The Basics

DMVPN always relies on a hub-and-spoke topology, but enables direct communication between spokes (Phase-2 DMVPN) and simplified routing with NHRP redirects (Phase-3 DMVPN).

• DMVPN Phase 1 Fundamentals
• DMVPN Phase 2 Fundamentals
• The Fundamental Difference between Phase 2 and Phase 3 DMVPN
• DMVPN Scalability
• Is Anyone Using DMVPN-over-IPv6?

Routing Protocols in DMVPN Networks

Routing protocols face significant challenges in DMVPN networks due to very large number of directly-connected neighbors, with EIGRP faring better than OSPF, and BGP being the only viable solution in deployments with a very large hub-to-spoke ratio.

• EIGRP Summarization in DMVPN Phase 2 Networks
• Solution: EIGRP Summarization Breaks Phase 2 DMVPN
• Can You Run OSPF over DMVPN?
• Using BGP in Phase 1 DMVPN network
• OSPF Configuration in Phase 1 DMVPN Network
• Configuring OSPF in a Phase 2 DMVPN network
• More OSPF-over-DMVPN Questions
• OSPF-over-DMVPN Using Two Hub Routers
• More Private AS Numbers
• BGP Routing in DMVPN Networks
• Scaling BGP-Based DMVPN Networks
• Changes in IBGP Next Hop Processing Drastically Improve BGP-based DMVPN Designs
• Reducing BGP SNMP Traps in DMVPN Networks
• DMVPN Split Default Routing
• Another DMVPN Routing Question

Typical DMVPN Designs

• Sometimes You Need to Step Back and Change Your Design
• VPN Network Design: Selecting the Technology
• DMVPN as a Backup for MPLS/VPN
• Redundant DMVPN designs, Part 1 (The Basics)
• Redundant DMVPN Designs, Part 2 (Multiple Uplinks)
• Regional Internet Exits in Large DMVPN Deployment

DMVPN Deployment Guidelines

• DMVPN: from Concept to Pilot in 36 Hours
• MPLS/VPN-over-GRE-over-IPSec: Does It Really Work?
• Migrating from Phase 1 DMVPN to Phase 2/3 Network
• Combining DMVPN with Existing MPLS/VPN Network
• Real Life BGP Route Origination and BGP Next Hop Intricacies
• Building a DMVPN Test Lab with netlab

Integration with Other Network Technologies

• End-to-End QoS marking in MPLS/VPN-over-DMVPN networks
• Spoke-to-Spoke IP Multicast over DMVPN?
• QoS in Large-Scale DMVPN Networks
• DMVPN: Spoke QoS Challenge
• RSVP over DMVPN
• Inter-VRF NAT in DMVPN Deployments

DMVPN Alternatives

• DMVPN or Firewall-Based VPNs?
• Open-Source DMVPN Alternatives

Quirks and Implementation Details

I wrote numerous blog posts documenting DMVPN quirks while preparing the materials for the DMVPN webinars. Most of these blog posts were written in early 2010s and might no longer be relevant.

• Tunnel Route Selection and DMVPN Tunnel Protection Don’t Work Together
• uRPF Violation Logging Is Not Working on 12.4T
• DMVPN: Non-Unique NHRP Registrations
• DMVPN Spoke NHRP Behavior Changed in IOS Release 15.0M
• NHRP Convergence Issues in Multi-Hub DMVPN Networks
• NHRP Rate Limiting Can Hurt Your DMVPN Network
• The Impact of Changed NHRP Behavior in DMVPN Networks

Other Blog Posts Vaguely Related to DMVPN

• DMVPN: Fishing Rod or Grilled Tuna?
• Where Would You Need GRE?
• Viptela SEN: Hybrid WAN Connectivity with an SDN Twist
• Should I Use L2VPN+MACSEC or L3VPN+GETVPN?
• Use Existing (DMVPN) Device Configurations in netlab