What is new about Software-Defined Access?

Traditional networks had clear physical structures such as routers, switches and cables. With Software-Defined Access (SDA), these structures disappear into a cloud.

Falko is an architect in the Network & Mobility team and he remembers the networks of the past. He asks himself: What is actually new about Software-Defined Access?

Falko: I still have the diagram of my first network hanging above me in my office. There are routers, switches and lots of lines where I can see how the data flows. There are firewalls, a WAN router and dedicated lines to the locations. At some point, these leased lines were replaced by an MPLS provider. Then it was just a cloud. When I look at the network diagrams today, there are only clouds: services, users, mobile devices and, of course, the Internet.

The introduction of SDN

Everything changed with the introduction of Software-Defined Networking (SDN). Like everyone else, I had to forget everything I had learnt about networks and start from scratch. What exactly is Software-Defined Networking? As soon as I set up a VLAN, it’s already software-defined. So let’s take a closer look at the cloud.

There are still gateways in this cloud, which are now called Border. They are responsible for connecting to other clouds and they speak BGP (Border Gateway Protocol, first mentioned in RFC1654, 1994). This is the almighty internet protocol that all providers use to talk to each other and that works well.

But in my cloud there are many routers that have many connections to each other and speak IS-IS (first mentioned in ISO/IEC 10589, 1992). An intelligent routing protocol that always finds the shortest path to my destination. This reminds me of an article by Manay Bhatia, who explains why IS-IS is favoured by service providers over OSPF (Open Shortest Path First).

The data plane is realised with VXLAN (first mentioned in RFC7348, 2014). We turn our network upside down and transport layer 2 via layer 3 (according to the OSI Modell). Of course, all segmentation information is kept.

The role of virtual networks and network access control

But there are so many clients that belong to different groups and need to be separated from each other. I think of my MPLS provider, who of course didn’t build a separate network for us, but simply provided us with a VRF on their MPLS network. This also explains the technology behind the virtual networks, which is now called macro segmentation.

A network access control is still missing to assign the clients to these virtual networks. Such 802.1X projects (IEEE 802.1X, 2001 / first mentioned in RFC2058, 1997) have kept me busy since my first days at work. They also made it possible for me to dial into the Internet with my modem in the 1990s. But today we talk about micro-segmentation and use group tags to always label the packets that go through the network with the identity of the sender. The concept of TrustSec was first proposed by Cisco in 2007. It was so groundbreaking that other manufacturers jumped on board and adapted it.

To sum up, there is still a lot to learn, but in the end I didn’t discover anything new. At most that the individual instruments now play together in an orchestra and in the end it becomes a symphony. But it works and that’s why I can sleep peacefully.