Viptela – Software Defined WAN (SD-WAN)

The source for this blog post is taken from Ivan Pepelnjak’s Software Gone Wild Podcast on Viptela – SEN Network.


Why can’t enterprise networks scale like the Internet? What if you could virtualize the entire network?

Wide Area Network (WAN) connectivity models follow hybrid approach and companies may have multiple types – MPLS and the Internet. Branch A has remote access over the Internet while branch B employs private MPLS connectivity. Internet and MPLS have distinct connectivity models and different types of overlay exist for the Internet and MPLS-based networks. The challenge is to combine these overlays automatically and provide a transport-agnostic overlay network.

The data consumption model in enterprises is shifting. Around 70% of data is; now, Internet-bound and its expensive to trombone traffic from defined DMZ points. Customers are looking for topological flexibility, causing a shift in security parameters. Topological flexibility are forcing us to rethink WAN solutions for tomorrow’s networks.


Solution – Viptela

To address these challenges, Viptela created a new overlay network called Secure Extensible Network (SEN). For the first time, encryption is built into the solution. Security and routing are combined into one solution. Enables you to span environments, anywhere-to-anywhere in a secure deployment. Type of architecture that is not possible with today’s traditional networking methods.

Founded in 2012, Viptela is a Virtual Private Network (VPN) company-utilizing concepts of Software Defined Networking (SDN) to transform end-to-end network infrastructure. Based on San Jose, they are developing a SDN Wide Area Network (WAN) product offering any-to-any connectivity with features such as application-aware routing, service chaining, virtual Demilitarized Zone (DMZ) and weighted Equal Cost Multipath (ECMP) operating on different transports.

The key benefit of Viptela is any-to-any connectivity product offering. Connectivity previously found in Multiprotocol Label Switching (MPLS) networks. They purely work on the connectivity model and not security frameworks. They can, however, influence-traffic path to and from security services.




Ubiquitous Data Plane

MPLS was so attractive because it had a single control plane and ubiquitous data plane. As long as you are in the MPLS network, connection to anyone is possible. Granted you have correct Route Distinguisher (RD) and Route Target (RT) configurations. Why can’t you take this model to Wide Area Network? Invent a technology that can create a similar model and offer ubiquitous connectivity anywhere-to-anywhere regardless of transport type ( Internet, MPLS ).



The business today want different types of connectivity modules. When you map a service to business logic, the network / service topology is already laid out. It’s defined. Services have to follow this topology. Viptela is changing this concept by altering data and control plane connectivity model by using SDN to create an SDN WAN technology.

SDN is all about taking intensive network algorithms out of hardware. Previously, in traditional networks, this was in individual hardware devices using control plane points in data path. As a result, control points may become congested (example – OSPF max neighbors reached). Customers lose capacity on control plane front but not on the data plane. SDN is moving the intensive computation to off the shelf servers. MPLS networks attempting to use the same concepts with Route Reflector (RR) designs. They started to move route reflectors off the data plane to compute the best-path algorithms. Route reflectors can be positioned anywhere in the network and do not have to sit on data path. Controller-based SDN approach, you are not embedding the control plane in the network. The controller is off path. Now, you can scale-out and SDN frameworks centrally provision and push policy down to the data plane.

Viptela can take any type of circuit and provide ubiquitous connectivity that MPLS was providing but now, it’s based on policy with a central controller. Remote sites can have random transport methods. One leg could be the Internet and other could be MPLS. As long as there is an IP path between endpoint A and controller, Viptela can provide the ubiquitous data plane.


Secure Extensible Network (SEN) – Managed Overlay Network

If you look at existing WAN, its two-part: routing and security. Routing connect sites together and security secures transmission. In the current model we have too many security and policy configuration points in the network. SEN allows you to centralize control plane security and routing resulting data path fluidity. The controller takes care of routing and security decisions. It passes the relevant information between endpoints. Endpoints can pop up anywhere in the network. All they have to do is set up control channel to the central controller. This approach does not build excessive control channels as the control channel is set up between the controller and endpoints only. Not from endpoint to endpoint. The data plane can flow based on the policy in the center of the network.






Deployment Considerations

Deployment of separate data plane node at the customer site and this is integrated to existing infrastructure at Layer 2 or Layer 3. You can deploy incrementally and start with one node and end up with thousands. The reasons it is so scalable is because it is based on routed technology. Type of model allows you to deploy, for example, a guest network and then over time integrate further into your network. Internally they use Border Gateway Protocol (BGP). One the data plane they use standard IPSec between endpoints. It also works over Network Address Translation (NAT), meaning its IPSec over UDP.

When an attacker gets access to your network, easy for them to beachhead and hop for one segment to another. Viptela enables per segment encryption so even if they get to one segment they will not be able to jump to another. Key management on a global scale has always been a challenge. Viptela solves this with propitiatory distributed manager based on a priority system. Currently, their key management solution is not open for the industry.


SDN Controller

You have a controller and VPN termination points i.e data plane points. The controller is the central management piece that assigns the policy. Data points are modules that are shipped to customer sites. The controller allows you to dictate different topologies for individual end point segments. Similar to how you influence-routing tables with RT in MPLS.

The control plane is at the controller.


Data Plane Module

Data plane modules are located at customer site. They connect this data plane module, which could be a PE hand-off to the internal side of the network. The data plane module must be in the data plane path on customer site. Internal side, they discover the routing protocols and participate in prefix learning. At Layer 2, they discover the VLANs. Their module can either be the default gateway or perform router neighbor relationship function. WAN side, data plane module register up link IP address to WAN controller / orchestration system. Controller builds encrypted tunnels between the data endpoints. The encrypted control channels are only needed when you build over untrusted third parties.

If the problem occurs with controller connectivity, the on-site module can stop being the default gateway and normally participate in Layer 3 forwarding for existing protocols. It backs off from being the primary router for off net traffic. It’s like creating VRF for different business and different default routes for each VRF with a single peering point to the controller; Policy-Based Routing (PBR) for each VRF for data plane activity. The PBR is based on information coming from the controller. Each control segment can have a separate policy (example – modify next hop). From a configuration point of view, you just need a IP on the data plane module and the remote controller IP. The controller pushes down the rest.


Use Cases

For example, you have a branch office with three distinct segments and you want each endpoint to have its own independent topology. Topology should be service driven and the service should not follow existing defined topology. Each business should depict how they want their business to connect so the network team should not say this is how the topology is and you must obey our topology.

From a carrier’s perspective they can expand their MPLS network to areas, they do not have a physical presence. And bring customers with this secure overlay to their closest pop where they have an MPLS peering. MPLS providers can expand their footprint to areas where they do not have service. If MPLS have customers is region X and they want to connect to the customer in region Y they can use Viptela. Obviously, you should have those extra data plane endpoints go through a security framework before entering MPLS network.

Viptela allows you to steer traffic based on SLA requirements of the application aka Application Aware Routing. For example, if you have two sites with dual connectivity to MPLS and Internet, data plane modules (located at customer sites) nodes can steer traffic over either the MPLS or Internet transport based on end-to-end latency or drops. They do this by maintaining real-time characteristics of loss, latency and, jitter and then apply policies on the centralized controller. Critical traffic is always steered to the most reliable link. This architecture can scale to 1000 of nodes in a full mesh topology.


About Matt Conran

Matt Conran has created 184 entries.

One Comment

  • ajoy

    global SD-WAN, delivered as a service, provides the core benefits of SD-WAN while enabling secure direct internet access, SLA-backed connectivity, and seamless extension of the WAN to cloud datacenters and mobile users.

Leave a Reply