Software Defined Local Area Network

Software Defined Local Area Network (SD-LAN) is a service provided on RUCKUS One that is implemented on RUCKUS Edge devices.

Overview

The SD-LAN service provides centralized forwarding for RUCKUS access points (APs), enabling the APs to tunnel User Equipment (UE) traffic to an Edge device. All intermediate network hops are hidden from the end user’s traffic.

The SD-LAN service works as follows:
  • A Generic Protocol Extension for Virtual Extensible LAN (VxLAN-GPE) tunnel is established between the access point (AP) and the Edge device to facilitate the forwarding of UE traffic.
  • The AP associates the VLAN with the corresponding Virtual Network Identifier (VNI) (both having the same ID). For example, VLAN 10 maps to VNI 10, and vice-versa.
  • Layer 2 (L2) bridging allows UE traffic to be forwarded into the core network.

SD-LAN also provides the capability to forward Captive Portal guest WLAN traffic between a Data Center (DC) Edge and an Edge device located in the DMZ portion of the network. In the context of Wi-Fi networks, the DMZ is a logical network segment that adds an extra layer of security for the Local Area Network (LAN) by providing a safe zone that separates the LAN from untrusted networks (such as the public internet).

Functionality of SD-LAN:
  • Centralized Forwarding: SD-LAN provides centralized forwarding for RUCKUS APs, allowing for efficient management and control of network traffic.
  • VxLAN Tunneling: Supports Virtual Extensible LAN (VxLAN) tunnels between APs and RUCKUS Edge devices to facilitate the forwarding of UE traffic.
  • Guest Traffic Management: Enables the forwarding of guest WLAN traffic from the Data Center RUCKUS Edge to the RUCKUS Edge device located in the DMZ, enhancing security and isolation.
  • Layer 2 (L2) Bridging: Allows UE traffic to be forwarded into the core network, supporting seamless integration of wired and wireless networks.
  • Upstream L2GRE Tunneling: In Active-Active Cluster deployments, L2GRE tunnels are supported between the DC Edge device and upstream devices (including another Edge device) to facilitate the forwarding of UE traffic to the Core network.
  • Access-Core Separation: A network design centered on the RUCKUS Edge cluster, decoupling the Access layer (where APs connect) from the Core layer (where upstream services reside). Decoupling is achieved with the SD-LAN tunnels: a VxLAN-GPE tunnel from the APs to the Edge cluster, and an L2GRE tunnel and a DMZ tunnel from the Edge cluster to upstream devices. The two-leg deployment clearly defines the role of each port:
    • Core port: Connects to the service provider or upstream network via an L2GRE tunnel. The uplink port is responsible for forwarding UE traffic to the upstream network after VxLAN-GPE tunnel termination.
    • Access port: Connects to the local LAN or client devices. This port terminates VxLAN-GPE tunnels from RUCKUS APs and serves as the default gateway for the APs. The Access port also serves as a route to reach RUCKUS One and is used for management access.

    RUCKUS Edge clusters support enabling Core and Access in both Active-Active and Active-Backup deployments. In an Active-Active cluster, interfaces can be configured as either tagged or untagged for both Access and Core roles. In contrast, the Active-Backup cluster supports only untagged interfaces for Access and Core port configuration.

    Geo-redundancy Support for Edge Cluster

    Each Edge cluster node can be configured with Access and Core interfaces, including Sub-interfaces, mapped to different VLANs and IP subnets. However, the cluster communication interface between Edge nodes must reside within the same VLAN and IP subnet to maintain stable and consistent cluster connectivity.

Requirements

The SD-LAN service requires the following:
  • An onboarded Edge device with a LAN port enabled and configured as a Core port.
  • A configured venue with associated APs and a Wi-Fi network.
  • An Edge cluster configured and associated with the venue.
  • APs running firmware version 7.x or later.
  • A Tunnel profile. For more information on creating a tunnel profile, refer to the topic Creating a Tunnel Profile.
  • The Core/Access Ports Separation functionality is supported on RUCKUS Edge devices running release 2.4.0.1 or later.

Limitations

The SD-LAN service has the following limitations:
  • Network types supported:
    • Traffic tunneling between an AP and a Data Center Edge device: Supports all types of WLANs.
    • Traffic tunneling between a Data Center Edge device and a DMZ Edge device: Supports Captive Portal WLANs only.
  • Captive Portal WLAN support:
    • Captive portal terminating to Data Center Edge support: Supports SSID-VLAN and VLAN pooling.
    • Captive portal terminating to DMZ Edge support (redirected through Data Center Edge): Supports only SSID-VLAN.
  • Tunneling support:
    • Tunneling is not available for RUCKUS switches.
    • Tunneling is supported only for RUCKUS AP wireless clients, not for AP wired ports.
  • Path MTU Discovery (PMTUD) is not supported for tunnels between two Edge devices. PMTU should be manually configured for these tunnels.
  • VNI-1 forwarding is not supported for DC or DMZ peer destinations. VLAN-1 is supported only when traffic is forwarded via an L2GRE tunnel.
  • Only one Core port and one Access port can be configured per Edge device.
  • All the Edge devices in the cluster must have both a Core port and an Access port configured to enable SD-LAN services.

Best Practices

When configuring a VxLAN-GPE tunnel profile between a Data Center Edge device and a DMZ Edge device, set the Gateway Path MTU mode to Manual, because automatic Path MTU Discovery (PMTUD) is not supported between two Edge devices, and define the maximum transmission unit (MTU) explicitly (select a value from 576 to 1450 bytes).

When configuring a VxLAN-GPE tunnel profile between an Access Point and a Data Center Edge device, the Gateway Path MTU mode can be configured as Auto or Manual.
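The Limitations and Best Practices above can be checked mechanically before a profile is pushed to the Edge devices. The following Python is an added example, not RUCKUS One or RUCKUS Edge code; the TunnelProfile and EdgeNode data model, its field names and the sample values are assumptions constructed for illustration.

```python
"""Check SD-LAN tunnel profiles and Edge cluster port roles against the
constraints stated on this page (added example; data model is assumed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MTU_MIN, MTU_MAX = 576, 1450  # manual MTU range from Best Practices


@dataclass
class TunnelProfile:
    name: str
    src: str                  # "ap" or "dc_edge"
    dst: str                  # "dc_edge" or "dmz_edge"
    mtu_mode: str             # "auto" or "manual"
    mtu: Optional[int] = None
    wlan_type: str = "standard"      # "standard" or "captive_portal"
    vlans: Tuple[int, ...] = ()      # VLAN IDs carried; VNI == VLAN ID


@dataclass
class EdgeNode:
    name: str
    core_ports: Tuple[str, ...]
    access_ports: Tuple[str, ...]


def validate_tunnel(p: TunnelProfile) -> List[str]:
    """Return the page's limitations that this profile violates."""
    issues = []
    if p.src == "dc_edge" and p.dst == "dmz_edge":
        if p.wlan_type != "captive_portal":
            issues.append(f"{p.name}: DC-to-DMZ tunnel supports Captive Portal WLANs only")
        if p.mtu_mode != "manual":  # PMTUD unsupported between two Edge devices
            issues.append(f"{p.name}: set Gateway Path MTU mode to Manual")
    if 1 in p.vlans:  # VNI-1 not supported toward DC or DMZ peer destinations
        issues.append(f"{p.name}: VNI-1 forwarding not supported to a DC/DMZ peer")
    if p.mtu_mode == "manual" and not (p.mtu and MTU_MIN <= p.mtu <= MTU_MAX):
        issues.append(f"{p.name}: manual MTU must be {MTU_MIN}-{MTU_MAX} bytes")
    return issues


def validate_cluster(nodes: List[EdgeNode]) -> List[str]:
    """Every node needs exactly one Core and one Access port for SD-LAN."""
    return [f"{n.name}: exactly one Core port and one Access port required"
            for n in nodes if len(n.core_ports) != 1 or len(n.access_ports) != 1]


if __name__ == "__main__":  # constructed sample: a mis-set DC-to-DMZ profile
    bad = TunnelProfile("dc-to-dmz", "dc_edge", "dmz_edge", "auto", None, "standard", (1, 20))
    print("\n".join(validate_tunnel(bad)))
```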

Prerequisites

Ensure your RUCKUS One tenant account has the following configurations prior to configuring an SD-LAN service:
  • A configured venue with associated APs and a Wi-Fi network.
  • A configured Edge Cluster associated with the venue.
  • The LAN port must be configured as the Core port on the Edge devices that are associated with the cluster participating in the SD-LAN service.