Kaspersky SD-WAN

Architecture of the solution

Kaspersky SD-WAN includes the following main components:

  • The orchestrator controls the solution infrastructure, functions as an NFV orchestrator (NFVO), and manages network services and distributed VNFMs. You can manage the orchestrator via the web interface or REST API when using external northbound systems.
  • The Controller centrally manages the overlay network:
    • Builds the network topology.
    • Creates transport services.
    • Manages CPE devices using the OpenFlow protocol.
    • Balances traffic between links.
    • Monitors links and automatically switches traffic to a backup link if the primary link fails.

    To deploy the Controller, you need to deploy the physical network function of the Controller, which is contained in the installation archive. The Controller is managed by the orchestrator.

  • CPE devices are installed at remote locations to relay traffic and form an SDN fabric in the form of an overlay network. You can assign the SD-WAN Gateway role or the standard CPE device role to a CPE device. SD-WAN Gateways establish links with all standard CPE devices and other SD-WAN Gateways. Standard CPE devices establish connections only with SD-WAN Gateways. By default, all CPE devices are assigned the standard CPE device role.

    If you want a link to be established between two standard CPEs, you need to assign the same topology tag to these standard CPEs. You can also make a standard CPE device a transit device to allow other CPE devices to make links through that CPE device.

  • The VNFM (Virtual Network Function Manager) manages the lifecycle of virtual network functions using SSH, Ansible playbooks, scripts, and Cloud-init attributes.
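The link rules for CPE devices described above (SD-WAN Gateways link with every device, while standard CPE devices link only with gateways unless two of them share a topology tag) can be checked against a device inventory to spot direct CPE-to-CPE links that nobody approved. This is an added example, not Kaspersky code or a Kaspersky API. The inventory format, device names and tag names are constructed, a device is assumed to be able to carry several tags, and transit devices are not modelled.

```python
from itertools import combinations

GATEWAY = "gateway"
STANDARD = "standard"  # the default role, per the page

# Constructed sample inventory (hypothetical names and tags).
INVENTORY = {
    "gw1": {"role": GATEWAY},
    "gw2": {"role": GATEWAY},
    "branch-a": {"role": STANDARD, "tags": {"retail"}},
    "branch-b": {"tags": {"retail"}},  # role omitted: defaults to standard
    "branch-c": {"role": STANDARD},
}


def expected_links(devices):
    """Return {(name_a, name_b, reason)} for every pair that should link."""
    links = set()
    for a, b in combinations(sorted(devices), 2):
        role_a = devices[a].get("role", STANDARD)
        role_b = devices[b].get("role", STANDARD)
        tags_a = set(devices[a].get("tags", ()))
        tags_b = set(devices[b].get("tags", ()))
        if GATEWAY in (role_a, role_b):
            # Gateways link with all standard CPEs and with other gateways.
            links.add((a, b, "gateway"))
        elif tags_a & tags_b:
            # Two standard CPEs link only when they share a topology tag.
            links.add((a, b, "shared topology tag"))
    return links


def direct_cpe_links(devices):
    """Pairs of standard CPEs that bypass the gateways via a shared tag."""
    return {(a, b) for a, b, why in expected_links(devices) if why != "gateway"}


def unapproved_direct_links(devices, approved):
    """Direct CPE-to-CPE links that are missing from an approved pair list."""
    allowed = {tuple(sorted(pair)) for pair in approved}
    return direct_cpe_links(devices) - allowed


if __name__ == "__main__":
    for a, b, why in sorted(expected_links(INVENTORY)):
        print(f"{a} <-> {b}  ({why})")
    print("unapproved:", unapproved_direct_links(INVENTORY, approved=[]))
```
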

If virtual network functions are used, the architecture includes a Virtual Infrastructure Manager (VIM) that manages compute, network, and storage resources within the NFV infrastructure. A VIM connects VNFs using virtual links, subnets, and ports. The OpenStack cloud platform is used as the VIM.

Kaspersky SD-WAN has a distributed microservice architecture based on Docker containers (see the figure below). A Controller can include one, three, or five nodes. Controller nodes are deployed on separate virtual machines, which you can run on different physical servers for fault tolerance. When deploying the solution, you can specify virtual machines on which you want to deploy Controller nodes.

The figure shows a diagram of the solution: the orchestrator interacts with the controller, VNFM and VIM.

Architecture of Kaspersky SD-WAN