What Software-Defined LAN Means for Campus Virtualization

Software-defined LAN, or SD-LAN, is the application of software-defined networking principles to non-data center LANs.

These principles include separating the logical control of the network (the policy specifications that govern what may communicate with what) from the actual processing of packets. In practice, the control plane (a management platform running in a virtual machine or in the cloud) directs the forwarding data plane, which consists mainly of physical and virtual switches. Typically, the control plane exposes an API so that automation can manage network policies programmatically.

The separation of the logical and data planes supports LAN virtualization in exciting new ways. However, it is important to remember that this is not the first time that IT departments have virtualized LANs.

Before SD-LAN: Virtual LAN

Virtual LANs (VLANs) have been around for decades and have been primarily used in campus LANs. Network engineers have long deployed VLANs to segment networks at Layer 2. For example, systems connected through ports on one VLAN cannot communicate directly with ports on other VLANs, but rather access them through a router or firewall.

VLANs create independent network domains, covering multiple logical LANs on top of a common physical network. Network teams can use VLANs to isolate traffic in the following ways:

  • by department;
  • by device category, such as IP phones and VoIP traffic;
  • by security domain, such as a dedicated VLAN for network management traffic.

VLANs paved the way for SD-LAN by breaking the tight coupling between network usage and network infrastructure.

SD-LAN

VLAN is a Layer 2 network mechanism that is fully reflected in the Ethernet frame header and deployed at the switch port level. SD-LAN goes a step further. It does not rely solely on Ethernet or other Layer 2 network protocols, but completely virtualizes the LAN, thereby removing policy control from the switch and leaving only enforcement.
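To make concrete the point that a VLAN lives entirely in the Ethernet frame header, here is an added example (it is not code from the original article) that parses the 802.1Q tag out of a frame: the 12-bit VLAN ID sits in the Tag Control Information field immediately after the source MAC, and that field is all a switch port consults to decide which broadcast domain a frame belongs to. The frame bytes are constructed here, and the helper names (`parse_ethernet`, `build_tagged_frame`, `same_broadcast_domain`) are my own.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service VLAN tag (802.1ad, "QinQ"); parsed the same way


def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet II frame and any stacked 802.1Q/802.1ad VLAN tags.

    Returns dst/src MACs, the tags outermost-first (each with pcp, dei, vid),
    the final EtherType and the payload that follows it.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    tags = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    # A VLAN tag is 4 bytes: 2-byte TPID (which appears where the EtherType
    # would be) followed by the 2-byte TCI: PCP(3) | DEI(1) | VID(12).
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({
            "tpid": ethertype,
            "pcp": (tci >> 13) & 0x7,
            "dei": (tci >> 12) & 0x1,
            "vid": tci & 0x0FFF,
        })
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    offset += 2  # skip the real EtherType
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_tagged_frame(dst: str, src: str, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build a single-tagged 802.1Q frame (used here to construct sample input)."""
    if not 1 <= vid <= 4094:  # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!HH", TPID_8021Q, tci) + struct.pack("!H", ethertype) + payload)


def vlan_of(frame: bytes):
    """Outermost VLAN ID, or None for an untagged frame."""
    tags = parse_ethernet(frame)["tags"]
    return tags[0]["vid"] if tags else None


def same_broadcast_domain(frame_a: bytes, frame_b: bytes) -> bool:
    """A Layer 2 switch only floods a frame within its own VLAN, so two
    frames with different outermost VIDs never reach each other without
    passing through a router or firewall."""
    return vlan_of(frame_a) == vlan_of(frame_b)


# Constructed sample frames: an ARP request on VLAN 100 and one on VLAN 200.
ARP_ON_VLAN_100 = build_tagged_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                                     100, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01", pcp=5)
ARP_ON_VLAN_200 = build_tagged_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66",
                                     200, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01")

if __name__ == "__main__":
    print(parse_ethernet(ARP_ON_VLAN_100))
    print("same domain:", same_broadcast_domain(ARP_ON_VLAN_100, ARP_ON_VLAN_200))
```

Note that nothing in the tag identifies a user, a device class or a time of day: the switch port sees only a number between 1 and 4094, which is exactly the limitation the next sections describe SD-LAN moving beyond.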

A fully implemented SD-LAN system looks beyond Layer 2 network criteria to make decisions about access and visibility. For example, it should consider user, process, program, and device identity. It might also consider IP address, device location, and even time of day. Whatever factors the system supports, network engineers can use them to define policies that govern access to data networks and the scope of activities allowed for network nodes.

Zero Trust, SDP, and SD-LAN

The most exciting aspect of SD-LAN right now is its utility for implementing a Zero Trust Network Access (ZTNA) architecture. With a comprehensive SD-LAN policy, a basic Zero Trust approach can be implemented at the campus network level to block everything except what is explicitly allowed. In other words, SD-LAN can serve as the campus face of a Software Defined Perimeter (SDP).

With a zero-trust strategy in place, SD-LAN blocks most lateral network traffic by default, such as laptop A communicating with laptop B. This in turn prevents a large amount of malware from spreading through the environment from an infected device.

Take the now classic scenario where an attacker uses a compromised IoT device as a platform to attack a workstation. The SD-LAN prevents that process. Those compromised wall clocks or vending machines can only see and communicate with their management workstation, not the entire network segment. They may not even be able to compromise that management workstation if the ports, protocols, or traffic involved in the attack violate any access rules for the management connection.

Advantages of SD-LAN

There are many advantages to SD-LAN. On the operational side, the presence of controllers with APIs can help automate more extensive and more efficient LAN operations.

Improved management means better ability to discover, map, and audit the current state of the network. For example, network teams can track what is on the network, how each entity is behaving, and what deviates from policy.
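The following is an added example (my own code, not the article's or any vendor's) that ties together three of the passages above: the attribute-based policy of the "SD-LAN" section (user, device identity, IP address, port, protocol and time of day as decision inputs), the default-deny behaviour of the Zero Trust section (laptop-to-laptop traffic and IoT-to-workstation traffic denied, IoT devices allowed to reach only their management workstation on the expected service), and the audit capability described just above (replaying observed flows against the policy to find what deviates from it). The inventory, rules and flow log lines are all constructed, and the names (`Endpoint`, `Rule`, `decide`, `audit`) are my own; a real SD-LAN controller would learn the inventory from the switches and enforce the verdicts there.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    role: str                   # device class the policy keys on
    user: Optional[str] = None  # logged-in user, if any


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    proto: str
    dport: int
    at: time                    # time of day the flow was seen


@dataclass(frozen=True)
class Rule:
    """One allow rule. Anything no rule allows is denied (zero trust default)."""
    name: str
    src_roles: frozenset
    dst_roles: frozenset
    protos: frozenset
    dports: frozenset = frozenset()   # empty means any destination port
    users: frozenset = frozenset()    # empty means no user constraint
    window: Optional[tuple] = None    # (start, end) time of day; None = always

    def matches(self, f: Flow) -> bool:
        if f.src.role not in self.src_roles or f.dst.role not in self.dst_roles:
            return False
        if f.proto not in self.protos:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        if self.users and f.src.user not in self.users:
            return False
        if self.window and not (self.window[0] <= f.at <= self.window[1]):
            return False
        return True


def decide(policy, f: Flow):
    """First matching allow rule wins; with no match the flow is denied."""
    for rule in policy:
        if rule.matches(f):
            return ("allow", rule.name)
    return ("deny", "default-deny")


# Constructed inventory: what the controller knows about each campus node.
INVENTORY = {e.ip: e for e in [
    Endpoint("laptop-a", "10.1.10.11", "laptop", user="alice"),
    Endpoint("laptop-b", "10.1.10.12", "laptop", user="bob"),
    Endpoint("wall-clock-3", "10.1.50.3", "iot-clock"),
    Endpoint("iot-mgmt-1", "10.1.20.5", "mgmt-workstation", user="netops"),
    Endpoint("file-srv-1", "10.1.30.8", "file-server"),
]}

# Constructed policy: only these flows are permitted; everything else is dropped.
POLICY = [
    Rule("iot-to-mgmt", frozenset({"iot-clock"}), frozenset({"mgmt-workstation"}),
         frozenset({"udp"}), dports=frozenset({123})),            # clocks may only sync time
    Rule("mgmt-to-iot", frozenset({"mgmt-workstation"}), frozenset({"iot-clock"}),
         frozenset({"tcp"}), dports=frozenset({22}), users=frozenset({"netops"})),
    Rule("staff-file-share", frozenset({"laptop"}), frozenset({"file-server"}),
         frozenset({"tcp"}), dports=frozenset({445}), window=(time(7, 0), time(20, 0))),
]


def parse_flow_log(line: str) -> Flow:
    """Parse a constructed flow record: '<iso-time> <src-ip> -> <dst-ip> <proto>/<dport>'."""
    ts, src_ip, _, dst_ip, svc = line.split()
    proto, dport = svc.split("/")
    return Flow(INVENTORY[src_ip], INVENTORY[dst_ip], proto, int(dport),
                datetime.fromisoformat(ts).time())


def audit(policy, log_lines):
    """Replay observed flows against the policy and return those it would deny.

    Each hit is a deviation worth investigating: either enforcement is not in
    place on that segment yet, or a legitimate flow is missing a rule."""
    deviations = []
    for line in log_lines:
        verdict, why = decide(policy, parse_flow_log(line))
        if verdict == "deny":
            deviations.append((line, why))
    return deviations


# Constructed flow log, as a pre-enforcement discovery run might collect it.
SAMPLE_LOG = [
    "2024-05-02T09:15:00 10.1.10.11 -> 10.1.30.8 tcp/445",   # laptop to file server, in hours
    "2024-05-02T09:16:00 10.1.10.11 -> 10.1.10.12 tcp/445",  # laptop A to laptop B: lateral
    "2024-05-02T09:17:00 10.1.50.3 -> 10.1.20.5 udp/123",    # clock to its mgmt station, NTP
    "2024-05-02T09:18:00 10.1.50.3 -> 10.1.20.5 tcp/22",     # clock to mgmt station, wrong service
    "2024-05-02T09:19:00 10.1.50.3 -> 10.1.10.11 tcp/445",   # clock to a laptop
    "2024-05-02T23:30:00 10.1.10.12 -> 10.1.30.8 tcp/445",   # file share outside the window
]

if __name__ == "__main__":
    for line, why in audit(POLICY, SAMPLE_LOG):
        print(f"DEVIATION ({why}): {line}")
```

Run against the sample log, only the in-hours file-share access and the clock's NTP query are allowed; the two lateral flows, the clock reaching its management station on a service the rule does not cover, and the out-of-hours file-share access all fall through to the default deny. In practice the audit output is the starting point for the "what needs to communicate with what" question raised under Challenges below: each deviation is either a rule to add or a path to keep blocked.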

And, as the deployment of zero trust demonstrates, SD-LAN can significantly improve the underlying security posture of an enterprise network. Even if an enterprise does not fully deploy zero trust, significant improvements may be achieved.

Challenges of SD-LAN

SD-LAN also faces many challenges. Some of these challenges include:

  • deploying SD-LAN on existing infrastructure;
  • the cost of upgrading anything that does not integrate properly;
  • giving staff the time to redevelop core skills and exploit the full potential of SD-LAN.

And, as with more general zero-trust strategies, the main challenge most enterprises face when implementing ZTNA in campus networks is understanding which policies to deploy—what needs to communicate with what.

As enterprises begin a broad shift toward greater network automation and tighter security, SD-LAN will become an increasingly important tool for advancing corporate goals.
