Kaspersky SD-WAN

About Kaspersky SD-WAN

Kaspersky SD-WAN is used to build Software-Defined Wide Area Networks (SD-WAN) for routing traffic over communication channels using Software Defined Networking (SDN) technology. The main advantage of such networks is the ability to automatically determine the most efficient routes for the traffic.

The SDN technology implies the separation of the control plane and the data plane. The control plane comprises an

and an . The control plane controls the transmission of traffic packets over the network through devices (hereinafter referred to as CPE devices or CPEs) that are installed at client locations and together form the data plane. Alternatively, the network can be controlled via the API.

Network Function Virtualization (NFV) is performed in accordance with the standards set out in the NFV MANO (NFV Management and Network Orchestration) specification of the European Telecommunications Standards Institute (ETSI).

The solution is intended for service providers, as well as organizations with a large branch network, and replaces standard routers in wide area networks. The deployment procedure is independent of particular transport technologies used on your network. The solution also supports sending traffic over multiple links based on application requirements regarding bandwidth and quality of service.

Kaspersky SD-WAN provides the following capabilities:

  • Smart traffic control.
  • Automatic configuration of CPE devices. This functionality makes deployment of devices on location less personnel-intensive.
  • Centralized management of the network infrastructure through the orchestrator web interface. For example, you can use the orchestrator web interface to configure CPE devices and links.
  • Continuous monitoring of the network topology and automatic response to any changes. For example, you can configure the traffic to be switched to a backup link in case the main link fails.
  • Automatic response of the network to changes in the quality of service of communication channels to meet the requirements of various applications used on the network.

The figure below shows a diagram of an SD-WAN network built using the Kaspersky SD-WAN solution.

[Figure: SD-WAN network diagram. The figure shows an SD-WAN network with two remote offices and one central office, as well as a data center and a service provider.]


Distribution kit

To learn more about purchasing the solution, please visit the Kaspersky website (https://www.kaspersky.com) or contact partner companies.

The distribution kit includes the following components:

  • Docker containers for solution deployment:
    • knaas-ctl
    • knaas-orc
    • knaas-www
    • knaas-vnfm
    • knaas-vnfm-proxy
  • Firmware for installing and managing CPE devices.
  • A file with the text of the End User License Agreement, which stipulates the terms and conditions that you must accept to use the solution.
  • Kaspersky SD-WAN Online Help files that let you read documentation without an internet connection.

The content of the distribution kit may differ depending on the region in which the solution is distributed.


Hardware and software requirements

The solution includes the following software modules:

  • Orchestrator, which is part of the backend of the solution.
  • Orchestrator web interface, which is part of the frontend of the solution.
  • Orchestrator database (MongoDB version 5.0.7).
  • .
  • NGINX web server for balancing HTTP and HTTPS requests to VNFMs and providing web proxies to CPE devices and VNFs.
  • Redis 6.2.7 resident database.
  • SD-WAN Controller.

Modules are deployed as Docker containers for stand-alone installation and scaling. If necessary, you can provision additional resources (CPU cores, RAM) to each module and distribute them among multiple servers to increase the overall performance of the solution.

Kaspersky SD-WAN components can be deployed on multiple physical servers or virtual machines (VMs). KVM and VMware virtualization platforms are supported. You must ensure the availability of servers or virtual machines for installing Kaspersky SD-WAN, an external Zabbix 5.0.26 monitoring system, and an SD-WAN Controller.

The controller can be deployed in two ways:

  • As a VNF in the OpenStack cloud platform (Xena release). Controller nodes are hosted on compute nodes.
  • As a on separate virtual machines.

Before deploying Kaspersky SD-WAN, make sure that your network infrastructure meets the following hardware and software requirements.

Hardware requirements

Hardware requirements are listed in the following tables. Note that these requirements depend on the number of managed CPE devices used in the SD-WAN instance. The tables provide typical values, so if you need to calculate the exact requirements for your deployment scheme, please contact Kaspersky technical support.

Hardware requirements for servers or virtual machines for orchestrator deployment

| CPE devices | CPU cores | RAM, GB | Disk space, GB | Network adapters | Virtual machines |
|---|---|---|---|---|---|
| up to 50 | 8 | 8 | 105 | 2 | 3 |
| up to 100 | 8 | 10 | 110 | 2 | 3 |
| up to 250 | 8 | 12 | 125 | 2 | 3 |
| up to 500 | 8 | 16 | 150 | 2 | 3 |
| up to 1,000 | 10 | 24 | 200 | 2 | 3 |
| up to 5,000 | 12 | 32 | 600 | 2 | 3 |
| up to 10,000 | 16 | 64 | 1100 | 2 | 5 |

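Hardware requirements for servers or virtual machines for deployment of other components of the solution

| Component | CPE devices | CPU cores | RAM, GB | Disk space, GB | Network adapters | Containers |
|---|---|---|---|---|---|---|
| SD-WAN Controller | up to 50 | 4 | 8 | 64 | 2 | 3 |
| SD-WAN Controller | up to 100 | 6 | 8 | 64 | 2 | 3 |
| SD-WAN Controller | up to 250 | 8 | 16 | 64 | 2 | 3 |
| SD-WAN Controller | up to 500 | 8 | 16 | 64 | 2 | 6 |
| SD-WAN Controller | up to 1,000 | 8 | 16 | 64 | 2 | 12 |
| SD-WAN Controller | up to 5,000 | 8 | 16 | 64 | 2 | 60 |
| SD-WAN Controller | up to 10,000 | 8 | 16 | 64 | 2 | 120 |
| VNFM | up to 50 | 4 | 8 | 20 | 2 | 3 |
| VNFM | up to 100 | 4 | 8 | 20 | 2 | 3 |
| VNFM | up to 250 | 4 | 8 | 20 | 2 | 3 |
| VNFM | up to 500 | 4 | 8 | 20 | 2 | 3 |
| VNFM | up to 1,000 | 4 | 10 | 20 | 2 | 3 |
| VNFM | up to 5,000 | 4 | 12 | 20 | 2 | 3 |
| VNFM | up to 10,000 | 4 | 16 | 20 | 2 | 3 |
| Zabbix monitoring system | up to 50 | 4 | 8 | 100 | 2 | 3 |
| Zabbix monitoring system | up to 100 | 4 | 10 | 200 | 2 | 3 |
| Zabbix monitoring system | up to 250 | 6 | 12 | 350 | 2 | 3 |
| Zabbix monitoring system | up to 500 | 8 | 24 | 600 | 2 | 3 |
| Zabbix monitoring system | up to 1,000 | 10 | 32 | 1100 | 2 | 3 |
| Zabbix monitoring system | up to 5,000 | 12 | 64 | 5100 | 2 | 3 |
| Zabbix monitoring system | up to 10,000 | 16 | 128 | 10100 | 2 | 3 |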

If you need to connect more than 250 CPE devices, deploy additional SD-WAN Controller clusters.

For detailed information about the hardware requirements of the Zabbix monitoring system, see the official documentation of the Zabbix solution.

When deploying the solution, an offline map is configured. Consider the following disk space requirements:

  • The offline map (central-fed-district-latest.osm.pbf) takes up approximately 100 GB.
  • Geocoding data takes up approximately 10 GB.

We recommend considering the possibility of overcommitment at the resource planning stage for your SD-WAN instance deployment. The maximum overcommitment ratio available when deploying containers is 3. The ratio is determined by the following characteristics of the SD-WAN instance:

  • Number of CPE devices in use
  • Frequency of network state changes
  • Traffic bandwidth
  • Size of transmitted traffic packets

Channel requirements

The following channels are supported:

  • MPLS transport networks
  • Broadband links for connecting to the Internet
  • Leased communication lines
  • Wireless connections including 3G, 4G, LTE, and 5G
  • Satellite communication channels

Software requirements

Docker 1.5 or later is required. The following 64-bit operating systems are supported:

  • Ubuntu 20 LTS or later
  • Astra Linux 1.7 or later (security level: "Orel").

Supported browsers

You can use the following browsers to manage the orchestrator web interface:

  • Google Chrome 100 or later
  • Firefox 100 or later
  • Microsoft Edge 100 or later
  • Opera 90 or later
  • Safari 15 or later

CPE device requirements

Kaspersky SD-WAN supports the following devices:

  • KESR-M1-R-5G-2L-W
  • KESR-M2-K-5G-1L-W
  • KESR-M2-K-5G-1S
  • KESR-M3-K-4G-4S
  • KESR-M4-K-2X-1CPU
  • KESR-M4-K-8G-4X-1CPU
  • KESR-M5-K-8G-4X-2CPU
  • KESR-M5-K-8X-2CPU

Kaspersky experts carried out tests to confirm the functionality of CPE devices when providing the L3 VPN service (see the table below). DPI (Deep Packet Inspection) was not used on the tested devices, and traffic encryption was disabled.

Tested CPE device models (L3 VPN Service)

| Model | Packet size, bytes | Bandwidth (Mbps) |
|---|---|---|
| KESR-M1 | IMIX (417) | 30 |
| KESR-M1 | Large (1300) | 115 |
| KESR-M2 | IMIX (417) | 165 |
| KESR-M2 | Large (1300) | 241 |
| KESR-M3 | IMIX (417) | 805 |
| KESR-M3 | Large (1300) | 1150 |
| KESR-M4 | IMIX (417) | 1430 |
| KESR-M4 | Large (1300) | 2870 |
| KESR-M5 | IMIX (417) | 2875 |
| KESR-M5 | Large (1300) | 5750 |

For more details about the specifications of CPE devices that you can use in Kaspersky SD-WAN, see the website of the solution.


Shared storage requirements

Kaspersky SD-WAN uses shared storage (hereinafter also referred to as storage) to ensure fault tolerance. This storage contains the following directories with data that the orchestrator needs:

  • backups — backup copies of VNF and PNF configurations
  • firmware — CPE device firmware
  • images — VNF images
  • vnf_configs — files that can be used by scripts when configuring VNFs
  • vnf_descriptions — VNF descriptors

We recommend using your own shared storage. The requirements for deploying the shared storage are as follows:

  • Support for simultaneous read and write from multiple hosts.
  • The recommended size depends on the size of the files being stored, but must be at least 40 GB of available protected space, with support for further expansion.
  • Bandwidth of the communication channel between the storage and the orchestrator must be at least 1 Gbps; 10-Gigabit Ethernet or 8-Gigabit FC (Fibre Channel) is recommended.
  • The supported IOPS (input/output operations per second) value must be at least 250; at least 400 IOPS is recommended.
  • Storage type:
    • NFS
    • iSCSI
    • FC
    • CephFS
  • The storage must be mounted.
  • The storage must stay available if the host restarts.
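
A preflight check for the shared storage requirements listed above, added here as an illustration; it is not part of the Kaspersky documentation or product tooling. The function names, the placeholder mount path, the fstab-based persistence check and the world-writable check are assumptions of this example.

```python
import os
import shutil

# Directory names and minimum size come from the requirements list above.
REQUIRED_DIRS = ("backups", "firmware", "images", "vnf_configs", "vnf_descriptions")
MIN_FREE_GB = 40


def fstab_has_mount(mount_point, fstab_text):
    """True if an uncommented fstab entry mounts something at mount_point."""
    target = os.path.normpath(mount_point)
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and os.path.normpath(fields[1]) == target:
            return True
    return False


def check_shared_storage(root, fstab_text=None, min_free_gb=MIN_FREE_GB, require_mount=True):
    """Return a list of problems; an empty list means every check passed."""
    if not os.path.isdir(root):
        return [f"{root}: not a directory"]
    problems = []
    if require_mount and not os.path.ismount(root):
        problems.append(f"{root}: not a mount point")
    # Assumption: persistence across restarts is configured through /etc/fstab.
    if fstab_text is not None and not fstab_has_mount(root, fstab_text):
        problems.append(f"{root}: no fstab entry, mount may not survive a restart")
    free_gb = shutil.disk_usage(root).free / 1024**3
    if free_gb < min_free_gb:
        problems.append(f"{root}: {free_gb:.1f} GB free, need {min_free_gb} GB")
    for name in REQUIRED_DIRS:
        path = os.path.join(root, name)
        if not os.path.isdir(path):
            problems.append(f"{path}: missing directory")
        elif not os.access(path, os.R_OK | os.W_OK | os.X_OK):
            problems.append(f"{path}: not readable and writable from this host")
        elif os.stat(path).st_mode & 0o002:
            # Added hardening check: firmware and VNF images should not be
            # replaceable by arbitrary local accounts.
            problems.append(f"{path}: world-writable")
    return problems


if __name__ == "__main__":
    # "/mnt/sdwan-storage" is a placeholder path, not taken from the product documentation.
    with open("/etc/fstab") as f:
        for problem in check_shared_storage("/mnt/sdwan-storage", f.read()):
            print(problem)
```

Run it on each host that mounts the storage; bandwidth and IOPS are not measured here and need a separate benchmark.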

What's new

Kaspersky SD-WAN 2.1 has the following new and improved functionality:
