Software Defined Network (SDN)


First of all, I wanna say thanks to Thomas Nadeau and Ken Gray for making the book (SDN – O’Reilly, 2013)

And now we start with the question…what IS that thing called SDN…the trending topic in early-to-mid 2014

*it's been a long time since I wrote a blog in English….and now…ENGLISH TIMEEEE



The question is…what is SDN? Well, to put it simply, it's like this…

You know NMS (Network Management System), right? Like SolarWinds, Paessler, OpenNMS, or even the infamous Cacti

They share a common behavior…collecting information (by SNMP, of course)

What information? Network data (traffic, device type, etc.), so we know the status of our up-and-running production network, and it helps us (especially IT Managers/NetAdmins) make decisions about our current network (whether to filter traffic, do bandwidth management, policy routing, and so on…you name it)

SDN behaves pretty much like that, but it doesn't only collect information; it also GIVES information/commands to our intermediary devices such as routers, switches, and friends (friends?!?! O_o?!), so those devices can perform best-path selection, like PCE (Path Computation Element, RFC 4655 link or WikiLink) in MPLS, or Quality of Service in the network

Figure 1. Image from the Plixer video about SDN, link

Imagine the possibilities. We've been strangled by legacy protocols; in the past we could only control the network as far as "those" protocols allowed us to, and with SDN…switches only look up the forwarding table/data plane and leave the rest (read: the control plane) to be handled by another device

Well…You’re probably right…

Here’s the definition of SDN from ONF…

see https://www.opennetworking.org/sdn-resources/sdn-definition

That’s SDN…in a nutshell



In the past, in order to run an Operating System (OS), we had to install it on hardware…a different OS, a different piece of hardware; if you wanted to have 5 OSes running (it doesn't matter whether they are the same OS or not), you had to buy 5 pieces of hardware

About 10 years ago, one company invented an interesting technology that allows a host OS (Operating System, e.g. Linux) to run another OS (like Windows, a completely different OS) on the same physical device

And guess what the company's name is…VMware, the company that is almost synonymous with the term virtualization

And at the same time…our beloved network devices were still…(almost) stagnant; the only well-known virtualization features were VLAN and VRF (maybe you can name more…)

No protocol flexibility, very stiff, and function-locked; for example…we cannot add an OSPF LSA feature into EIGRP, right? OSPF is OSPF…EIGRP is EIGRP…period

We cannot add a static route using our own terminology; we can only add a static route with the existing command given to us by the vendor (we often call these things "Vendor/Protocol Locked")

And also the price (yeaaa…now we're talking): none of the devices from these giant enterprise networking companies (Cisco, Juniper, Extreme, etc.) are CHEAPPPSS (a new ISR G2 1941 router with many features enabled costs over $1000…you've gotta be kiddin' me, right!?!?)

Building hardware with proprietary software (e.g. a router with its IOS) or building software only (e.g. IOS only, but able to be placed on any hardware): guess which comes cheaper…So that's why many vendors are turning and moving fast into the next "green field"

Juniper acquired Contrail™ for its SDN controller technology; recently Cisco acquired Tail-f Systems™ (a Swedish SDN startup focused on SDN controllers), VMware bought Nicira™, Brocade bought Vyatta™ (famous for its vRouter technology), BigSwitch has its BNC (Big Network Controller, proprietary) and Floodlight (open standard), F5 Networks has its LineRate Systems™ (vLoad Balancer), and Arista joined the field too (Arista CEO Ullal is an ex-Cisco exec too, lol)


The Separation of Control and Data Plane

At first, the control and data planes are in one device, and the question is…how much further can we separate these two planes?

Centralized Control Plane or Distributed Control Plane?

Figure 2. Taken from virtualnetwork.com, link

Imagine controlling MPLS TE via a controller, or removing STP (Spanning Tree Protocol) via 802.1aq, alias SPB (Shortest Path Bridging), by the IEEE (the IETF itself made an equivalent technology called TRILL – Transparent Interconnection of Lots of Links)

And then the routing table…it has been expanding aggressively over the years and will continue to grow with IPv6 adoption, especially the Internet routing tables that ISPs hold

With current addressing architectures, a device needs a new IP address every time it changes networks. Therefore, if a smartphone user switches connectivity from Wi-Fi to something else (like 3G or 4G), or a virtual machine (VM) is migrated to another physical server in the data center, the device or object requires a new IP address.

In the data center use case, assigning a migrated VM a new IP address means that all other services attached to the VM (firewalls, switches, load balancers, and so forth) won't be able to "find" the VM until an administrator reconfigures them with the new address (Cisco thought of this case and made OTV – Overlay Transport Virtualization – for its DCI – Data Center Interconnect – technology in the Nexus series switches)

This is the right use case for why we must separate the planes. Cisco Systems created a protocol called LISP (Locator/ID Separation Protocol, link), an open-standard routing and addressing architecture developed by Cisco Systems (now handled at the IETF) that takes a role in SDN today.

What LISP does is create 2 kinds of addresses: EIDs (Endpoint Identifiers) and RLOCs (Routing Locators); an EID can be attached to many RLOCs, and the LISP protocol provides the mapping between them

LISP allows a node (devices: Endpoint, Servers, VM, Smartphone, etc.) to keep the same IP address even when its location changes because it keeps its EID while mapping to multiple RLOCs. LISP-enabled edge routers can aggregate EID prefixes with closely aligned RLOCs, making it easier for a core router to quickly determine where to send data.

I'd like to say this is like "Enhanced DNS for IP addressing": you can move wherever you want and your IP stays the same (because that IP is an EID, and the LISP databases provide the mapping from EID to RLOC)

It's like a name such as google.com (EID) mapping to the "" IP address (RLOC) in DNS; you can type "google.com" wherever you are and it still resolves to that IP (and that IP can be anywhere around the globe without you having to worry about it). Here is the link to the LISP configuration in Cisco IOS XE
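To make the EID/RLOC split concrete, here is an added example (not from the post, and not Cisco's LISP implementation): a toy mapping system plus an ingress tunnel router (ITR) with a map-cache, written in Python with the standard library. The VM keeps its EID 10.1.1.5 while it moves from a data center whose xTR has RLOC 203.0.113.1 to one with RLOC 198.51.100.1 (documentation addresses, constructed for the example). The cache TTL is counted in abstract "ticks"; real LISP has explicit mechanisms (Solicit-Map-Request, map-versioning) to flush a stale map-cache after a move, which this toy deliberately leaves out so the stale window is visible.

```python
import ipaddress


class MappingSystem:
    """Map-server/map-resolver in one: the EID-to-RLOC database (constructed, in memory)."""

    def __init__(self):
        self.db = {}

    def map_register(self, eid_prefix, rlocs):
        """An ETR registers the EID prefix it currently hosts; re-registering replaces the RLOCs."""
        self.db[ipaddress.ip_network(eid_prefix)] = list(rlocs)

    def map_request(self, eid):
        """Longest-prefix lookup; returns (prefix, rlocs) or (None, [])."""
        eid = ipaddress.ip_address(eid)
        covering = [p for p in self.db if eid in p]
        if not covering:
            return None, []
        best = max(covering, key=lambda p: p.prefixlen)
        return best, list(self.db[best])


class ITR:
    """Ingress tunnel router: resolves the destination EID to an RLOC, caches the
    answer for 'ttl' ticks, and encapsulates the packet with an outer RLOC header."""

    def __init__(self, mapping_system, my_rloc, ttl=2):
        self.ms, self.rloc, self.ttl = mapping_system, my_rloc, ttl
        self.map_cache = {}      # prefix -> (rlocs, expires_at)

    def resolve(self, dst_eid, now):
        eid = ipaddress.ip_address(dst_eid)
        for prefix, (rlocs, expires_at) in self.map_cache.items():
            if eid in prefix and now < expires_at:
                return rlocs, True                    # map-cache hit
        prefix, rlocs = self.ms.map_request(dst_eid)  # miss: ask the mapping system
        if prefix is not None:
            self.map_cache[prefix] = (rlocs, now + self.ttl)
        return rlocs, False

    def encapsulate(self, src_eid, dst_eid, payload, now):
        rlocs, hit = self.resolve(dst_eid, now)
        if not rlocs:
            return None                               # no mapping at all: drop
        return {"outer": (self.rloc, rlocs[0]),       # RLOC header, routed by the core
                "inner": (src_eid, dst_eid, payload), # the EIDs never change
                "cache_hit": hit}


def migration_demo():
    """VM 10.1.1.5 starts behind DC-A's xTR (RLOC 203.0.113.1) and is migrated
    behind DC-B's xTR (RLOC 198.51.100.1) at tick 1. Returns, per tick, the
    outer destination the ITR used and whether it came from the map-cache."""
    ms = MappingSystem()
    ms.map_register("10.1.1.5/32", ["203.0.113.1"])          # DC-A registers the VM
    itr = ITR(ms, my_rloc="192.0.2.1", ttl=2)
    trace = []
    for tick in range(4):
        if tick == 1:
            ms.map_register("10.1.1.5/32", ["198.51.100.1"])  # VM moved, DC-B re-registers
        pkt = itr.encapsulate("10.2.2.7", "10.1.1.5", b"ping", now=tick)
        trace.append((pkt["outer"][1], pkt["cache_hit"]))
    return trace
```

Running `migration_demo()` shows the point of the post and its catch in one trace: the inner destination is 10.1.1.5 throughout, only the outer RLOC changes, and at tick 1 the ITR still sends to the old locator because its cached mapping has not expired yet.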

Figure 3. Taken from Vina Ermagan and Lori Jakab's PowerPoint presentation (Cisco Systems Summit 2014)

And according to the SDN book (O'Reilly, page 29), MPLS forwarding is one example of the distributed control model

So…SDN is an architectural approach to simplify and optimize network operations by binding the interaction between applications and network devices: a Software-Driven Network


Push the Configuration

So we know we can control the network using a controller; where do we put the controller? Just like VMware does: in a VM. Can we place it on actual hardware? Yes, as long as that hardware (e.g. a router or switch) is capable of it (read: has SDN technology in it); otherwise, it's just a legacy network device

Basic question…how do we control the forwarding devices from the controller? Or how do we push configuration from the controller to those devices? The answer is that we make some kind of "push configuration" software/program

In 1992, there were some people who made network-controlling software, but in the end it was abandoned. Why? Because by then the network had become mission critical, and no one wanted to mess with it (according to Ivan Pepelnjak #1354 in his SDN presentation video @blog.ipspace.net)

The problem is that every vendor has proprietary commands…you can't type the Cisco "show ip interface brief" CLI command on Juniper JunOS, right ("show interface terse")? So why bother making something to push configuration to network devices, when every vendor has different commands?

And the IETF made the open-standard "pushing configuration" protocol called NETCONF (developed and published in 2006, RFC 6241 and RFC 6242)

Figure 4. Taken from the Tail-f website (recently acquired by Cisco; look at the logo in the top left corner)

According to Thomas Nadeau and Ken Gray (the SDN book authors), the origin of pushing configuration can be traced back to when Juniper engineers used an XML-based network management approach to communicate with their network remotely; this style of approach was brought to the IETF table, hence the birth of NETCONF

Figure 5. The 4 layers of NETCONF, taken from the SDN book (O'Reilly, 2013)

Even though NETCONF is the protocol made for this, it's not the only one…

Open-standard software like XMPP, Apache Thrift, Google Protocol Buffers, and JSON (JavaScript Object Notation, XML-based) are somewhat capable of programming the network…and then…OpenStack

Figure 6. Basic configuration of NETCONF, taken from the NETCONF Wikipedia page
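The four NETCONF layers in Figure 5 are easier to see in bytes than in a diagram, so here is an added example (not from the post, the book, or any vendor's NETCONF stack) in Python using only the standard library. It builds a `<get-config>` RPC (operations layer), wraps it in both RFC 6242 framings (the `]]>]]>` end-of-message delimiter of base:1.0 and the chunked framing of base:1.1), and parses a constructed `<rpc-reply>` from an imaginary device; the `urn:example:constructed-config` content namespace and the hostname `PE1` are made up for the example. The transport (SSH) is left out.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"   # NETCONF base namespace (RFC 6241)
ET.register_namespace("nc", NC_NS)
EOM = b"]]>]]>"                                      # base:1.0 end-of-message delimiter (RFC 6242)


def tag(name):
    """Namespace-qualify a NETCONF element name for ElementTree."""
    return "{%s}%s" % (NC_NS, name)


def build_get_config(message_id, datastore="running"):
    """Operations layer: a <get-config> RPC for one datastore, as UTF-8 bytes."""
    rpc = ET.Element(tag("rpc"), {"message-id": str(message_id)})
    source = ET.SubElement(ET.SubElement(rpc, tag("get-config")), tag("source"))
    ET.SubElement(source, tag(datastore))
    return ET.tostring(rpc, encoding="utf-8")


def parse_request(rpc):
    """What a server (or an audit tool on a session log) extracts from an <rpc>:
    (message-id, operation name, source datastore or None)."""
    root = ET.fromstring(rpc)
    if root.tag != tag("rpc") or len(root) != 1:
        raise ValueError("malformed rpc: expected exactly one operation")
    op = root[0]
    source = op.find(tag("source"))
    datastore = source[0].tag.split("}")[1] if source is not None and len(source) else None
    return root.get("message-id"), op.tag.split("}")[1], datastore


def frame_10(msg):
    """base:1.0 framing. It cannot carry a payload containing the delimiter, which is
    one reason base:1.1 switched to chunked framing."""
    if EOM in msg:
        raise ValueError("payload contains the end-of-message delimiter")
    return msg + EOM


def unframe_10(data):
    """Split one base:1.0 message off the front of a receive buffer: (message, rest)."""
    idx = data.find(EOM)
    if idx < 0:
        raise ValueError("incomplete message: no end-of-message delimiter")
    return data[:idx], data[idx + len(EOM):]


def frame_11(msg):
    """base:1.1 chunked framing: '\\n#<len>\\n' + bytes, terminated by '\\n##\\n'."""
    return b"\n#%d\n" % len(msg) + msg + b"\n##\n"


def unframe_11(data):
    """Reassemble one chunked message, rejecting malformed headers and chunk sizes
    outside the range RFC 6242 allows (1 .. 4294967295)."""
    out, pos = bytearray(), 0
    while True:
        if not data.startswith(b"\n#", pos):
            raise ValueError("bad chunk header at offset %d" % pos)
        pos += 2
        end = data.find(b"\n", pos)
        if end < 0:
            raise ValueError("truncated chunk header")
        header, pos = data[pos:end], end + 1
        if header == b"#":                            # end-of-chunks marker
            return bytes(out)
        if not header.isdigit() or not 1 <= int(header) <= 4294967295:
            raise ValueError("invalid chunk size %r" % header)
        size = int(header)
        if pos + size > len(data):
            raise ValueError("chunk runs past end of buffer")
        out += data[pos:pos + size]
        pos += size


def parse_reply(reply):
    """Return (message-id, [error messages], <data> element or None)."""
    root = ET.fromstring(reply)
    if root.tag != tag("rpc-reply"):
        raise ValueError("expected <rpc-reply>, got %s" % root.tag)
    errors = [e.findtext(tag("error-message"), default="") for e in root.iter(tag("rpc-error"))]
    return root.get("message-id"), errors, root.find(tag("data"))


# Constructed replies, shaped like what a device would return for the RPC above.
SAMPLE_REPLY = (
    b'<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
    b'<data><system xmlns="urn:example:constructed-config">'
    b'<hostname>PE1</hostname></system></data></rpc-reply>'
)
SAMPLE_ERROR = (
    b'<rpc-reply message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
    b'<rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag>'
    b'<error-message>permission denied</error-message></rpc-error></rpc-reply>'
)


def hostname_from_reply(reply):
    """Content layer: pull the hostname out of a reply; None on error or absence."""
    _, errors, data = parse_reply(reply)
    if errors or data is None:
        return None
    node = data.find(".//{urn:example:constructed-config}hostname")
    return node.text if node is not None else None
```

The strict checks in `unframe_11` matter for anything that terminates NETCONF sessions on behalf of others (a proxy, a collector, a fuzz harness): a chunk header is attacker-influenced length data, so it is validated before it is used as an index.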

While NETCONF pushes device configuration, there's a new guy on the block that is capable of modifying the FORWARDING TABLE (how cool is that?!?)…OpenFlow (link)

NETCONF is a protocol that allows you to modify networking device's configuration. OpenFlow is a protocol that allows you to modify its forwarding table (Ivan Pepelnjak #1354 @blog.ipspace.net)

Figure 7. Taken from SDN book (O’Reilly, 2013)

OpenFlow is a set of protocols and an API (Application Programming Interface; SDN book, O'Reilly, page 49), not a product or even a single feature of a product. It consists of 2 things

  • Wire protocol: for establishing a control session, defining the message structure for exchanging flow modifications and collecting statistics, and defining the fundamental structure of a switch (ports and tables)
  • Configuration and management protocol: OF-CONFIG (based on NETCONF), to allocate physical switch ports to a particular controller, define high availability (active/standby), and define the behavior when the controller connection fails

Figure 8. Taken from the SDN book (O'Reilly, 2013)
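The "modify the forwarding table" idea from the Pepelnjak quote, and the split between the wire protocol's flow modifications and statistics, can be shown with a small simulation. This is an added example, not from the post and not the OpenFlow specification's message format: a flow table with priorities and wildcard matching, flow-mod add/delete, per-flow counters, a table-miss that punts to the controller as a packet-in, and a reactive learning-switch controller on top. MAC addresses and ports are constructed; the `"output:N"`, `"flood"` and `"drop"` action strings are this example's own notation.

```python
from dataclasses import dataclass


@dataclass
class FlowEntry:
    """One row of a flow table. Fields missing from 'match' are wildcards."""
    priority: int
    match: dict
    actions: list
    packets: int = 0       # counters the controller reads back as flow statistics
    bytes: int = 0


class FlowTable:
    """Data-plane side: the switch only matches packets against installed flows."""

    def __init__(self):
        self.entries = []

    def flow_mod_add(self, priority, match, actions):
        self.entries.append(FlowEntry(priority, dict(match), list(actions)))
        self.entries.sort(key=lambda e: -e.priority)   # highest priority first, stable

    def flow_mod_delete(self, match):
        """Remove entries whose match is exactly the given match (strict delete)."""
        self.entries = [e for e in self.entries if e.match != match]

    def lookup(self, packet):
        for entry in self.entries:
            if all(packet.get(k) == v for k, v in entry.match.items()):
                entry.packets += 1
                entry.bytes += packet.get("len", 0)
                return list(entry.actions)
        return ["controller"]          # table miss: packet-in to the controller

    def stats(self):
        return [(e.priority, dict(e.match), e.packets, e.bytes) for e in self.entries]


class LearningController:
    """Control-plane side: a reactive L2 learning switch. On packet-in it learns
    src MAC -> ingress port, installs a flow once the destination is known,
    and floods otherwise."""

    def __init__(self):
        self.mac_table = {}

    def packet_in(self, table, packet):
        self.mac_table[packet["eth_src"]] = packet["in_port"]
        out_port = self.mac_table.get(packet["eth_dst"])
        if out_port is None:
            return ["flood"]
        actions = ["output:%d" % out_port]
        table.flow_mod_add(10, {"eth_dst": packet["eth_dst"]}, actions)
        return actions


def forward(table, controller, packet):
    """Switch pipeline: table lookup, punt to the controller on a miss."""
    actions = table.lookup(packet)
    if actions == ["controller"]:
        actions = controller.packet_in(table, packet)
    return actions


def demo():
    """Constructed traffic: host A on port 1, host B on port 2, and a host whose
    MAC the controller proactively quarantined with a high-priority drop rule.
    Returns (actions per packet, the flow table afterwards)."""
    A, B, BAD = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:66"
    table, ctrl = FlowTable(), LearningController()
    table.flow_mod_add(100, {"eth_src": BAD}, ["drop"])   # proactive rule beats learned ones
    pkts = [
        {"in_port": 1, "eth_src": A, "eth_dst": B, "len": 64},      # B unknown: flood
        {"in_port": 2, "eth_src": B, "eth_dst": A, "len": 64},      # A known: install flow
        {"in_port": 1, "eth_src": A, "eth_dst": B, "len": 1500},    # B known now: install flow
        {"in_port": 1, "eth_src": A, "eth_dst": B, "len": 1500},    # table hit, no packet-in
        {"in_port": 3, "eth_src": BAD, "eth_dst": B, "len": 64},    # quarantined source
    ]
    return [forward(table, ctrl, p) for p in pkts], table
```

Two things worth noticing when you run `demo()`: the fourth packet never reaches the controller (that is the whole performance argument for flow tables), and the drop rule wins over the learned forwarding flows only because of its priority, so whoever can install higher-priority flows owns the switch.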

And what about OpenStack? This is SDN software for building cloud networks (now you know why Cisco and other vendors moved to this software), software based on OpenFlow; or you can take a look at its rival…CloudStack (link), or its alternative…OpenDaylight (link)

Open here, Open there…Stack here, Stack there…it takes a while for you (and me, of course) to remember these new terms haha :p

But it won't harm you to read this article about CloudStack losing to OpenStack

Figure 9. OpenStack Architecture, taken from OpenStack.org

And with OpenFlow, we can virtualize IP routing, purposely for building a hybrid network; it's called RouteFlow (IGP and BGP on OpenFlow, link)

Figure 10. Taken from RouteFlow Website, http://cpqd.github.io/RouteFlow/

Well…Cisco, Juniper, Level3, and some other companies founded a group under IETF supervision called I2RS (Interface to the Routing System) to research those things (they've made their own NETCONF, if I'm not wrong), while Cisco itself built something called onePK (One Platform Kit), a toolkit for Cisco ONE (Open Network Environment), so developers can build their own OpenFlow/NETCONF

Figure 11. Taken from Ivan Pepelnjak's #1354 SDN PowerPoint slides @blog.ipspace.net

So…how can we deep dive and get our hands on those things *rubs hands*? Can you do programming? C? Python? Or Java, maybe?….

Are you telling me that this requires some sort of programming skill? Yes… 😀

(To be honest…the reason I joined the networking field is that I'm not good at programming, and now that thing is back to haunt me)

And if you know about the Cisco Nexus 1000V, which can be placed in VMware vSphere, that thing is programmable *sweeeet*!! (for inserting firewall capabilities, WAN optimization, or even load balancers, using Cisco ONE though)

And also with VMware NSX, which is capable of vSwitch, vRouter, vFirewall, and so on…, the SDN battle intensifies; even Cisco Systems…a former ally, built ACI (Application Centric Infrastructure) to match VMware NSX

Figure 12. VMware NSX, taken from networkworld.com


Network Function Virtualization

Figure 13. Taken from the SDN book (O'Reilly, 2013)

With the new paradigm, we view the network (infrastructure) as a service, we view the platform as a service (such as a software framework), and we view the application as a service (shared software/applications)

We call these, respectively, IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service)

Figure 14. Network Virtualization, taken from Cisco.com

In the past, there was the router, a router and nothing else (like the Cisco 800 series), and then came the router that could integrate with something else (like the ISR – Integrated Services Router, such as the 1800 or 1900 series): insert an access point module…it becomes a wireless router; insert a switch module…it becomes a router-switch; insert a firewall module…it becomes a firewall router, and so on…and then virtualization came…the beginning of the vRouter (virtual router), the beginning of the vSwitch (like the Cisco N1Kv), the vFirewall…and so on

At Cisco, they've been promoting the Nexus 9000 series with VDC (Virtual Device Context) and vPC (virtual Port Channel) in it, in order to separate network functions using virtualization

Another question may come up…how do we control BGP with SDN? What is the perfect use case for SDN to control MPLS? How does it correlate with NFV?

In the data center, there's a draft that Petr Lapukhov #16379 came up with while at Microsoft…"instead of using a traditional IGP, why not use BGP as a better IGP", and then put a controller in as a route server (route server is the term for a router that centralizes the peerings between BGP speakers, instead of a full mesh), and then the controller inserts BGP routes into individual routers (over iBGP sessions) to influence routing decisions…isn't that sweet?!?

Figure 15. Taken from Ivan Pepelnjak's #1354 PowerPoint slide video @blog.ipspace.net

Figure 16. Route Server as a centralized peering, taken from Quagga (link)

And in MPLS use case…

If we want to set up a 4 Gb LSP from R1 to R5, it would fail. Why? Because the R3-R5 link only has 3 Gb available. However, the sum of the R3-R4-R5 bandwidth is 4 Gb (2+2), but due to the nature of RSVP signaling, one cannot use that available bandwidth

And those smart guys (engineers and academics) came up with PCE (Path Computation Element); PCE allows a network operator to delegate control of MPLS LSPs to an external controller (SDN book, O'Reilly, page 103). There are multiple components in a PCE environment: the server, the client, and the PCE protocol for data exchange between the PCE server and client

In SDN, the PCE server performs something called segment routing. "If all routing uses OSPF (or IS-IS), then all routers have the same LSAs, the same computation, and the same database, so the path that should be taken is the same everywhere, and this Layer 3 computation is used by MPLS…but imagine if each node could choose its own path without depending on the MPLS or IGP computation"…this is what is called Segment Routing – IETF Draft (March 2013) (link)

This picture of a segment routing configuration is taken from Clarence Filsfils' (Cisco Distinguished Engineer) official slides on the Cisco blogs, link

Figure 17. Segment Routing example from IOS-XR
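To see how a PCE-style computation and a segment list fit together, here is an added example (not from the post, the book, or any vendor's PCE): a Python SPF with ECMP awareness, a constrained path computation that prunes links below a requested bandwidth or on an avoid list, and an encoder that turns an explicit path into the shortest list of node SIDs that pins it. The five-router topology, its costs and bandwidths, and the SIDs 16001..16005 are constructed for the example (the post's own R1..R5 figure is not reproduced); the link bandwidths are chosen so that, as in the post, a 4 Gb request from R1 to R5 fails while a detour around R3-R5 can be steered with two segments.

```python
import heapq

# Constructed topology: undirected links -> (IGP cost, bandwidth in Gb)
LINKS = {
    ("R1", "R2"): (1, 10), ("R2", "R3"): (1, 10),
    ("R3", "R5"): (1, 3), ("R3", "R4"): (1, 2), ("R4", "R5"): (1, 2),
}
# Constructed prefix-SIDs (node segments) from a hypothetical label block starting at 16000
NODE_SID = {"R1": 16001, "R2": 16002, "R3": 16003, "R4": 16004, "R5": 16005}


def adjacency(links):
    adj = {}
    for (a, b), attrs in links.items():
        adj.setdefault(a, {})[b] = attrs
        adj.setdefault(b, {})[a] = attrs
    return adj


def dijkstra(adj, src, exclude=frozenset()):
    """SPF from src. Returns distances, the number of equal-cost shortest paths to
    each node (ECMP awareness), and predecessors. 'exclude' holds frozenset links."""
    dist, count, prev = {src: 0}, {src: 1}, {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, (cost, _bw) in adj[u].items():
            if frozenset((u, v)) in exclude:
                continue
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], count[v], prev[v] = nd, count[u], u
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                count[v] += count[u]
    return dist, count, prev


def shortest_path(adj, src, dst, exclude=frozenset()):
    dist, _, prev = dijkstra(adj, src, exclude)
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def constrained_path(adj, src, dst, min_bw=0, avoid=()):
    """PCE-style request: prune links below min_bw or on the avoid list, then run
    SPF on what is left. None means no path satisfies the request."""
    exclude = {frozenset(link) for link in avoid}
    for a in adj:
        for b, (_cost, bw) in adj[a].items():
            if bw < min_bw:
                exclude.add(frozenset((a, b)))
    return shortest_path(adj, src, dst, frozenset(exclude))


def path_cost(adj, path):
    return sum(adj[a][b][0] for a, b in zip(path, path[1:]))


def segment_list(adj, path, sids):
    """Encode an explicit path as the shortest node-SID list that pins it down.
    From the current node, jump to the farthest downstream node whose sub-path is
    the *unique* IGP shortest path; that node's SID steers every hop in between
    with plain IGP forwarding and no per-hop state. A hop that lies on no shortest
    path would need an adjacency SID, which this example does not model."""
    segs, i = [], 0
    while i < len(path) - 1:
        dist, count, _ = dijkstra(adj, path[i])
        best = None
        for j in range(i + 1, len(path)):
            if path_cost(adj, path[i:j + 1]) == dist[path[j]] and count[path[j]] == 1:
                best = j
        if best is None:
            raise ValueError("hop %s->%s needs an adjacency SID" % (path[i], path[i + 1]))
        segs.append(sids[path[best]])
        i = best
    return segs


if __name__ == "__main__":
    adj = adjacency(LINKS)
    igp = shortest_path(adj, "R1", "R5")
    print(igp, segment_list(adj, igp, NODE_SID))             # R1-R2-R3-R5, one segment
    print(constrained_path(adj, "R1", "R5", min_bw=4))       # None: no 4 Gb path exists
    detour = constrained_path(adj, "R1", "R5", avoid=[("R3", "R5")])
    print(detour, segment_list(adj, detour, NODE_SID))       # R1-R2-R3-R4-R5 -> [16004, 16005]
```

The uniqueness check in `segment_list` is the part people get wrong: if two equal-cost paths exist to the segment's endpoint, the node SID alone lets the IGP load-balance across both, so the controller must either accept that or add more segments.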

And I've taken a look at an OpenFlow example from Juniper on an MX80 router running Junos 12.3I0 (note: running this configuration does require the use of the Juniper SDK); take a look at the OpenFlow configuration (at the bottom)



I put a question mark at the end of the word "Conclusion" to emphasize that maybe some of you don't agree with me; feel free to correct me or add some other important information (with a page as long as this, very unlikely :P)

Do we REALLY have to use network programming?? I say this with respect to the open-standard community: the capitalists will rise… (haha), we will use PROPRIETARY SDN (controllers, virtualization, or programming software)

Because of this duo…OPEX and CAPEX, who will risk their business on non-"branded" software? An engineer who can barely write code will benefit much more than a programmer who barely knows the networking world, so cheers ^_^

Things we do well:

  • Destination-only hop-by-hop L3 forwarding

Things we find difficult to do:

  • Large-scale provisioning or Orchestration
  • Sync of Distributed Policies, like security and QoS
  • Optimal traffic engineering, like MPLS TE

Those 3 points are the main pushing factors for why we move from legacy to SDN

And we could go on and on with the list…especially with the emerging software-driven data center, but it would take a long time to explain that

What I can do is just explain some of the beneficial advantages of applying SDN



Nadeau, Thomas D., Gray, Ken (2013). SDN: Software Defined Networks. O’Reilly Media, Inc. *the guys at Juniper Networks

What is SDN video by Plixer – Network Analysis Company @https://www.youtube.com/watch?v=lPL_oQT9tmc

SDN Explained by Ivan Pepelnjak #1354 @http://blog.ipspace.net/2014/01/what-exactly-is-sdn-and-does-it-make.html and the video @http://content.ipspace.net/get/2%20-%20SDN%20Explained.mp4

ONF Founded and Founder @https://www.opennetworking.org

I2RS at IETF @https://datatracker.ietf.org/wg/i2rs/charter/

SDN Controllers definition @https://www.sdxcentral.com/resources/sdn/sdn-controllers/

LISP Definition @http://searchnetworking.techtarget.com/definition/Cisco-LISP-Cisco-Locator-ID-Separation-Protocol or the video https://www.youtube.com/watch?v=AISUwPQPaLs

Route Server definition @http://www.nongnu.org/quagga/docs/docs-multi/Description-of-the-Route-Server-model.html#fig%3aroute%2dserver

What is Segment Routing @http://niau.org/?p=519, IETF Draft @https://tools.ietf.org/html/draft-previdi-isis-segment-routing-extensions-05#section-1, and Cisco SDN Segment Routing Slide @http://www.slideshare.net/getyourbuildon/segment-routing-network-enablement-for-application

RFC 6241 – IETF Standard for NETCONF @https://tools.ietf.org/html/rfc6241

RFC 4655 – PCE (Path Computation Element) @https://tools.ietf.org/html/rfc4655

OpenDaylight @http://www.opendaylight.org/

Project Floodlight @http://www.projectfloodlight.org/floodlight/

Open vSwitch @http://openvswitch.org/ Or BigSwitch Network™ an Enterprise SDN Switch Company @http://www.bigswitch.com/

NFV and SDN terminology by Howard Baldwin@http://www.infoworld.com/article/2841882/networking/network-virtualization-vs-software-defined-networks-what-the-heck-is-the-difference.html

SDN Standards: from OpenFlow to OpenDaylight by Howard Baldwin @http://www.infoworld.com/article/2842423/making-heads-or-tails-of-sdn-standards-from-openflow-to-opendaylight-and-more.html

SDN for Cheaper Networking? By Greg Ferro #6920 @http://www.networkcomputing.com/networking/sdn-doesnt-mean-cheaper-networking/a/d-id/1234444

MPLS Configuration (Part 5 – AToM)


Backbone done…VPN done…Route Leaking done…Backup Route done..

Now what if L2 stuff like Frame Relay, PPP, or Ethernet has to go into MPLS???

Well, MPLS can carry every L2 transport…it's called AToM (Any Transport over MPLS)

Now let's configure it…

There's only 1 important command…xconnect; by typing it we tell the router to encapsulate every protocol into MPLS


VLAN Ethernet

OK…this time we're going to bake a rainbow cake *ahem* I mean make an Ethernet-type L2 connect to the VPN (example above)

Wait…why do I see CE1 and CE2 using IPs in the same subnet?? Looks like the bridging from last time, right?!?

Yuppp…this time it's "bridging" via MPLS

The ingredients we need to bake this cake *ahem* I mean to build an MPLS L2 VPN are:

  1. Router 3725
    (if you use a 3640, the xconnect command for MPLS isn't there…you have to use "pw-class"…so annoying hahaha)
  2. OSPF
  3. MPLS (obviously)
  4. Xconnect

That's it?? No BGP needed?? Nope…unless there are many customers…then you use (MP)-BGP

IP Addressing and MPLS activation per-interface

OSPF Configuration

MPLS AToM Configuration

Now…we go to int fa0/1 on PE1 and PE2 (the interface toward each CE)

So we don't give each Fa0/1 any IP at all; then we type the xconnect command and point it at PE2's loopback IP (from PE1), and vice versa

The full command is xconnect [ip] [vc number] encapsulation [mpls or L3 encapsulation]

The VC number is useful when there are many "bridging" or "tunnel" instances we want to create

Verify it with show mpls l2transport [binding or vc]

let's try a ping from CE1 to CE2




Frame-Relay over MPLS

On the PE just add

frame-relay switching

connect [connection name] serial0/0 [DLCI number from the frame-relay router facing us] l2transport

interface serial0/0/0
  encapsulation frame-relay
  frame-relay intf-type dce
  xconnect …

What about PPP?? Same…just add xconnect


Multilayer Switching with MPLS

vlan [vlan number]
  state active

interface fa0/1
  switchport access vlan [vlan number]
  switchport mode access

interface vlan [vlan number]
  xconnect [ip] [vc number] encapsulation mpls

The only thing that probably needs explaining is "state active"

There are 3 VLAN states…active, shutdown, and suspend

Active = default…the VLAN is up and operational

Shutdown = non-operational mode on that switch only

Suspend = non-operational mode on all switches…

what…does that mean… Yeaaah…this is what VTP uses; it propagates suspend, not shutdown

so when using VTP…if we set suspend for, say, vlan 10 on the VTP Server switch…then on the server and on all the client switches, that vlan 10 becomes inactive


MPLS Trunking

Now, this one needs real hardware…(while waiting for a GNS3 with switches to come out)

the problem is like this…

I want my CE1 office to connect to the ISP with a trunk and arrive at CE2 with a trunk too, no bridging at all…truly Trunk-to-Trunk

The picture looks like this:

On PE1 and PE2:

interface fa0/1
  description ***to CE1 or CE2***
  switchport access vlan 12
  switchport mode dot1q-tunnel
  l2protocol-tunnel cdp
  l2protocol-tunnel vtp

On CE1 and CE2:

interface fa0/1
  description ***to PE***
  switchport trunk encapsulation dot1q
  switchport mode trunk


The keyword is dot1q-tunnel

Because the CE side is made a trunk…and then the VLANs from the CE are "trunked" again at the PE, this MPLS Trunking is usually called Trunk-in-Trunk, or in fancy terms QinQ (dot1q in dot1q)

Now, thanks to this QinQ feature every company can use the same VLAN…company A and company B both use vlan 10, but on the PE interface facing each company the VLAN will be different

How come?? Wouldn't that fail to connect?? That's what dot1q tunnel (tunneling) is for…

company A's vlan 10 gets vlan 12 from the ISP "stuck on" it…company B's vlan 10 gets vlan 13 (for example) from the ISP, so in the ISP core those VLANs are already treated as different…

like the RD/RT of MPLS VPN from the earlier posts…in QinQ it becomes like this = Vlan 10:12 and Vlan 10:13

and even better…look at the keywords l2protocol-tunnel cdp and vtp; this means…the VTP and CDP protocols are delivered from end to end !!

imagine VTP spanning more than just floor-to-floor or building-to-building, but also city-to-city
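What the dot1q-tunnel port actually does to a frame is easiest to see on the wire, so here is an added example (not from the post and not a switch's code): a Python parser for stacked 802.1Q tags, plus the push at the PE ingress and the pop at the PE egress. Company A and company B frames, MAC addresses and payloads are constructed. The outer tag is written with the 802.1ad S-tag TPID 0x88A8; some switches put 0x8100 on the outer tag too, and the parser accepts either (and the legacy 0x9100).

```python
import struct

TPIDS = {0x8100: "802.1Q C-tag", 0x88A8: "802.1ad S-tag", 0x9100: "legacy QinQ"}


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vid, payload, pcp=0):
    """Customer frame carrying a single 802.1Q C-tag, as a trunk port sends it."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return mac(dst) + mac(src) + struct.pack("!HH", 0x8100, tci) + b"\x08\x00" + payload


def parse_frame(frame):
    """Walk the tag stack. Returns (dst, src, tags, ethertype, payload) where each
    tag is (tpid, pcp, dei, vid), outermost first."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in TPIDS:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, ethertype, frame[off + 2:]


def push_tag(frame, vid, tpid=0x88A8, pcp=0):
    """Ingress on the provider's dot1q-tunnel port: insert an outer tag right after
    the MAC addresses, leaving the customer's own tag untouched underneath."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Egress toward the customer: strip the outermost tag only."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] not in TPIDS:
        raise ValueError("frame carries no tag to pop")
    return frame[:12] + frame[16:]


def core_key(frame):
    """How the provider core tells the two customers apart: 'outer:inner' VIDs."""
    _, _, tags, _, _ = parse_frame(frame)
    return ":".join(str(t[3]) for t in tags)


def demo():
    """Constructed traffic: company A and company B both use VLAN 10; the PE wraps
    A in S-VLAN 12 and B in S-VLAN 13. Returns the core keys and whether popping
    the S-tag at the far PE gives company A's original frame back."""
    a = build_frame("00:00:00:00:aa:02", "00:00:00:00:aa:01", 10, b"hello from A")
    b = build_frame("00:00:00:00:bb:02", "00:00:00:00:bb:01", 10, b"hello from B")
    a_core, b_core = push_tag(a, 12), push_tag(b, 13)
    return core_key(a_core), core_key(b_core), pop_tag(a_core) == a
```

The same `parse_frame` is what you want on a capture from an access port that should only ever see untagged or single-tagged frames: two tags there mean either a misconfigured tunnel port or a host crafting double-tagged frames, and `len(tags)` is the check.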


Yup….that's all….time to work on multicast…

Hurray….***\T_T/*** (crying while setting off fireworks)

