SD-WAN Topologies, Routing and Deployment Modes

Samuel Heinrich

Purpose

This note describes the conceptual structure of overlay/underlay, the available network topology models, VPN isolation, routing protocols, and CPE deployment modes in Huawei SD-WAN.

Overlay vs. Underlay

Underlay Network

The underlay network is the physical network infrastructure on which the overlay is built.

Underlay Network
  • Consists of physical devices: switches, routers, firewalls, load balancers
  • Responsible for IP connectivity between sites (L2 or L3)
  • Underlay routing protocols: OSPF, IS-IS within an AS; BGP between ASes
  • MPLS-based networks also belong to the underlay
  • WAN types in underlay: MPLS, Internet, LTE/5G

Limitations of traditional underlay networks:

  • Hardware-based forwarding strongly tied to transmission paths
  • Configuration changes required when services change
  • No security guarantee for Internet-based communication
  • No on-demand network slicing
  • Complex multi-path forwarding

Overlay Network

The overlay network is a logical network built on top of the underlay.

Overlay Network Topology
  • Devices are connected via logical links, independent of the physical path
  • Tunnels are established between overlay endpoints (e.g., IPsec or GRE over IPsec)
  • The tunnel encapsulates the original IP packet with a new IP header + tunnel header
  • The overlay network is transparent to the underlay

SD-WAN EVPN

EVPN (Ethernet VPN) is the core control-plane technology of the SD-WAN overlay.

  • Extension of BGP for distributing MAC and IP routing information on the control plane (not the data plane)
  • Resolves the limitations of DSVPN, which depended on VPN instances for tunnel establishment
  • NHRP protocol is no longer required
  • BGP peer relationships are based on endpoints, not links
  • Edge sites only need to establish IBGP peer relationships with their RRs — no full-mesh between all edges
  • Keys are distributed centrally (no per-tunnel IKE negotiation required)
  • Control node and data node are decoupled: routing policies control the topology
EVPN advantage over DSVPN Explanation
No NHRP dependency Tunnel establishment via BGP signaling
No per-tunnel IKE negotiation Keys centrally distributed by controller
Scalable Edge sites only communicate with RRs
Flexible topologies Hub-spoke, full-mesh, hybrid configurable via policy
Full Layer-2 reach Cross-region L2 possible via EVPN MAC distribution

Sites and the RR Concept

Site Types

Type Description
Branch Site Branch office — CPE acts as edge gateway
HQ Site Headquarters — often hub site
DC Site Data center — often hub site
Cloud Site Infrastructure on public cloud — vCPE (AR1000V / AR6700V-L)
SD-WAN Site Site using SD-WAN technology, managed by iMaster NCE-Campus
Samuel Heinrich
Senior Network Engineer at Selution AG (Switzerland)
Arbeitet in Raum Basel (Switzerland) als Senior Network Engineer mit über 15 Jahren Erfahrung im Bereich Netzwerk

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre, wie deine Kommentardaten verarbeitet werden.