Software-Defined Networking Explained

Understand how SDN will change everything in 10 easy steps.

SDN: Embracing change

The very heart of networking is about change. Your current network infrastructure is a platform on which the entire IT portfolio depends for communication and services. Although the network is made of many physical elements, such as routers, switches, and firewalls, it is for all practical purposes a single system. A change in any part of the network can cause a failure of the whole. This wholesale interdependence has led to a fear of change among network operators that prevents new services, new features, and even good operational practices.

SDN is a network architecture that changes how we design, manage, and operate the entire network so that changes to the network become practical and reliable.

Planes of operation

The internal architecture of a network device has three planes of operation. The management plane handles external user interaction and administrative tasks like authentication, logging, and configuration via a Web interface or CLI. The control plane administers the internal device operations, providing the instructions used by the silicon engines to direct the packets. The control plane runs the routing and switching protocols and feeds operational data back to the management plane. The data plane is the engine room that moves packets through the device, using the forwarding table supplied by the control plane to determine the output port. 

Planes of operation, continued

In networking today, the control plane on each device communicates with the control planes on all other devices in the network using protocols like OSPF or Spanning Tree. As a result, networking is a system of distributed computing in which all of the system elements must be coherent for the network to function as a whole. Although network protocols are well proven, networking remains less than perfect because 1) distributed computing systems are limited by "eventual consistency" (for networks, that means outage during reconvergence), and 2) we’re constrained by poor features like destination-based routing (when source/destination would be better). 

Controller networking

The major difference between SDN and traditional networking lies in the concept of controller-based networking. In a software-defined network, a centralized controller has a complete end-to-end view of the entire network, and knowledge of all network paths and device capabilities resides in a single application. As a result, the controller can 1) calculate paths based on both source and destination addresses, 2) use different network paths for different traffic types, and 3) react quickly to changing networking conditions. 

In addition to delivering these features, the controller serves as a single point of configuration. This full programmability of the entire network from a single location, which finally enables network automation, is the most valuable aspect of SDN.

Hypervisor connectivity

The most useful applications of controller-based networking today are being implemented in hypervisors such as VMware vSphere, Microsoft Hyper-V, and the open source KVM project. From a networking perspective, a hypervisor usually hosts several VMs (virtual machines), which are connected to a virtual switch, which in turn is connected to the physical network. Today, the virtual switch is not a network device but a robotic patch panel for connecting a VM to the physical network.

Hypervisors and the network

In today's virtual infrastructures, virtual servers use virtual switches in the host hypervisor to share the physical NIC with other guest VMs. Each virtual switch acts like a smart patch panel to connect to the entire data center network. This succeeds in networking the guest VMs to all other servers in the network. However, because the underlying physical networks are complex and change-resistant, the data between VMs flows across the network on a hop-by-hop basis. 

Tunnel networking

New tunneling protocols like VXLAN and NVGRE allow for new networks -- called "overlay networks" -- to be abstracted from the physical network and configured in the virtual switch. These tunneling protocols encapsulate the Ethernet data inside an IP packet and traverse the physical network, allowing two VMs on different Layer 3 subnets to communicate on the same Layer 2 network. Tunnels do not need to know about the underlying physical network configuration and vice versa. As a result, virtual network connections between hypervisors can be configured without any dependency on the physical network.

Tunnel fabric

A virtual switch, aka "vSwitch," will create tunnels to build a full mesh of connectivity to other vSwitches in the network. In this type of design, the physical network is often known as a tunnel fabric to highlight the relationship between the tunnel mesh and physical network. More generally, the use of tunnels is known as overlay networking.

Today, a modern x86-based server can easily handle the load of tunnel encapsulation at more than 10Gbps, and Intel tests show up to 40Gbps performance (under optimal conditions) with CPU consumption at about 20 percent of a single core. Planned technology from Intel promises higher server-based networking performance in the next three years.
The vSwitch can support multiple tunnels to provide multi-tenancy. As shown here, the creation of tunnels for each tenant in a virtual infrastructure keeps the network traffic isolated at the source of the traffic. Instead of attempting to secure the traffic in the physical network, we can use a hypervisor management tool, such as VMware vCenter, to configure the VM and the tunnel network according to security policy. This reduces the likelihood of operational misconfiguration and makes for a reliable process and simple auditing.

Products like VMware vCloud Director are using overlay networks to enable the use of software-based networking appliances to replace physical firewalls, routers, and load balancers.

Network agents

Software-defined networking will be further enhanced in the next year as the role of the vSwitch is usurped by network agents. Network agents will provide more flexibility in connecting VMs to the physical network or tunnel fabric because they will be able to change network traffic flows according to configuration, in much the same way that routers or switches select the output interface for a given packet or frame. In the near future, a network controller will configure network agents to provide routing, switching, and firewall services.

Network agent as router

A network agent can act as a router simply by selecting the outbound tunnel interface that passes traffic to the destination. In this diagram, VM1 is on a separate VLAN from VM2. To achieve Layer 3 routing between the two VMs, the network agent simply forwards the traffic from VM1 into the tunnel for the VLAN on which VM2 resides. Because the forwarding occurs at the edge of the network in each server, scalability is high. Adding more servers increases routing capacity.
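The following toy model, added here as an illustration and not code from the article or any vendor product, ties together three of the steps above: the VXLAN encapsulation from "Tunnel networking", the per-tenant isolation at the traffic source from "Tunnel fabric", and the destination-based tunnel selection of a network agent described in this step. Only the 8-byte VXLAN header layout follows RFC 7348; the VM placement table, tenant-to-VNI assignment and addresses are constructed for the example.

```python
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08    # "I" bit in the flags byte: the VNI field is valid

# Constructed placement table (not from the article): VM -> (tenant, hypervisor IP).
VM_TABLE = {
    "vm1": ("tenant-a", "10.0.0.11"),
    "vm2": ("tenant-a", "10.0.0.12"),
    "vm3": ("tenant-b", "10.0.0.12"),
}
# Constructed tenant -> VNI assignment: one overlay segment per tenant.
TENANT_VNI = {"tenant-a": 5001, "tenant-b": 5002}

def vxlan_encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header (RFC 7348): flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8) + inner_frame

def vxlan_decap(payload):
    """Return (vni, inner_frame), or None if the header is malformed."""
    if len(payload) < 8:
        return None
    word0, word1 = struct.unpack("!II", payload[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        return None  # VNI not marked valid; reserved bits are ignored on receipt per RFC 7348
    return word1 >> 8, payload[8:]

def agent_forward(src_vm, dst_vm, frame):
    """Source-side agent: choose the tunnel to the destination VM's hypervisor.
    Cross-tenant frames are dropped here, before touching the physical network."""
    src_tenant, _ = VM_TABLE[src_vm]
    dst_tenant, dst_host = VM_TABLE[dst_vm]
    if src_tenant != dst_tenant:
        return None  # isolation enforced at the source of the traffic
    return dst_host, VXLAN_UDP_PORT, vxlan_encap(TENANT_VNI[src_tenant], frame)

def agent_receive(local_vm, payload):
    """Destination-side agent: hand the frame to the VM only if the VNI is its tenant's."""
    decoded = vxlan_decap(payload)
    if decoded is None:
        return None
    vni, inner = decoded
    if vni != TENANT_VNI[VM_TABLE[local_vm][0]]:
        return None  # foreign VNI: drop rather than leak across tenants
    return inner
```

The receive-side VNI check matters because the outer IP header alone does not prove which tenant a frame belongs to; the agent on each hypervisor, not the physical fabric, is what keeps tenants apart.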

The bigger picture

SDN makes networking more dynamic and flexible by creating logical overlay networks in software without impacting the underlying physical network. The abstraction of overlay networks from the underlying physical network provides for relatively risk-free changes. Because the network controller and network agents are software only, they support faster innovation and more frequent updates than traditional networking gear.

Furthermore, the hypervisor manager and the network controller will exchange data about the systems they administer. For the first time, network engineers will have visibility into the servers and applications on their networks, providing for better operation and troubleshooting.