What Software-Defined LAN Means for Campus Virtualization

2022.06.04
What Software-Defined LAN Means for Campus Virtualization

The separation of the logical and data planes supports LAN virtualization in exciting new ways. It's important to remember, though, that this isn't the first time an IT department has virtualized a LAN.

CASB and SASE: What's the difference?

Software-defined LAN, or SD-LAN, is actually the application of software-defined networking principles to non-data center LANs.

These principles include separating the logical control of the network (policy specifications governing what communicates with what) from the actual processing of packets. In practice, this means that the control plane (a management platform running in a virtual machine or cloud) directs network activity or forwards the data plane, mainly physical and virtual switches. Typically, the control plane has APIs that enable automation to programmatically control network policies.

The separation of the logical and data planes supports LAN virtualization in exciting new ways. It's important to remember, though, that this isn't the first time an IT department has virtualized a LAN.

Before SD-LAN: Virtual LAN

Virtual LANs (VLANs) have been around for decades and have traditionally been used primarily in campus LANs. Network engineers have long deployed VLANs to segment networks at Layer 2. For example, systems connected through ports on one VLAN cannot communicate directly with ports on other VLANs, but access them through routers or firewalls.

VLANs create separate network domains covering multiple logical LANs on top of a common physical network. Networking teams can use VLANs to isolate traffic in the following ways:

  • for different departments;
  • For different classes of devices, such as IP telephony VoIP traffic;
  • Alive for different security domains, such as VLANs for network management related traffic.

VLANs paved the way for SD-LANs by breaking the tight coupling between network usage and network infrastructure.

SD-LAN

VLAN is a Layer 2 networking mechanism that is fully embodied in the Ethernet frame header and deployed at the switch port level. SD-LAN goes a step further by not simply relying on Ethernet or other Layer 2 network protocols, but completely virtualizing the LAN, removing policy control from the switch, leaving only enforcement.

A fully implemented SD-LAN system looks at standards beyond the Layer 2 network to make decisions about access and visibility. For example, it should consider user, process, program and device identities. It may also take into account IP address, device location and even time of day. Regardless of which factors are supported by the system, network engineers can use them to define policies that govern access to the data network, as well as the range of activities allowed by network nodes.

Zero Trust, SDP and SD-LAN

The most exciting aspect of SD-LAN right now is its utility - for implementing a Zero Trust Network Access (ZTNA) architecture. With a comprehensive SD-LAN policy, a basic zero-trust approach can be implemented at the campus network level to block everything except explicitly permitted. That is, SD-LAN can serve as the campus side of a software-defined boundary (SDP).

After deploying a zero trust policy, SD-LAN blocks most lateral network traffic by default, such as Laptop A communicating with Laptop B. This, in turn, prevents the spread of malware from infected devices in the environment.

Take the classic scenario now, where an attacker uses a compromised IoT device as a platform to attack a workstation. And SD-LAN blocks the process. Those broken wall clocks or vending machines can only see and communicate with their management workstation, not the entire network segment. If the ports, protocols or traffic involved in the attack violate any access rules for the management connection, they may not even be able to compromise that management station.

Advantages of SD-LAN

SD-LAN has many advantages. On the operational side, the presence of controllers with APIs can help automate wider and more efficient LAN operations.

Improved governance means better ability to discover, map and audit the current state of the network. For example, network teams can track what's on the network, how each entity behaves, and what deviates from policy.

And, as demonstrated by deploying Zero Trust, SD-LAN can significantly improve the underlying security posture of an enterprise network. Significant improvements are possible even if an enterprise does not fully deploy Zero Trust.

Challenges of SD-LAN

SD-LAN also faces many challenges. Some of these challenges include:

  • The ability to deploy SD-LAN using existing infrastructure;
  • The cost of upgrading anything that cannot be properly integrated;
  • As well as giving employees time to redevelop core skills and utilize the full potential of SD-LAN.

And, as with the more general zero-trust strategy, when implementing ZTNA in a campus network, a major challenge for most enterprises is understanding which strategies to deploy—what needs to communicate with what.

SD-LAN will become an increasingly important tool in advancing enterprise goals as enterprises begin a broad shift toward higher network automation and tighter security.