Kaspersky SD-WAN

Glossary

April 17, 2024

ID 90

Control plane

The part of the network that controls the transmission of traffic packets through CPE devices. Performs functions such as network discovery, route calculation, traffic prioritisation, and security policy enforcement. The control plane allows centrally managing the network by providing a full-scale view of all performed operations. Consists of an orchestrator and an SD-WAN controller.

Customer Premise Equipment (CPE)

Telecommunication equipment, including virtual machines, located at the client premises. Used to connect the client location to the SD-WAN network, establish tunnels and transfer traffic between client locations. Traffic can be sent to a data center to provide network functions such as routing protocols, intrusion prevention, or anti-virus protection.

Data plane

The part of the network that processes and transmits traffic between different locations and devices. The data plane uses network protocols and algorithms to efficiently route and deliver traffic over the network. Consists of CPE devices.

DSCP values

6-bit values that define the priority of traffic packets and the type of service required. They are used in combination with traffic classes to provide appropriate priority and bandwidth to critical network traffic, such as traffic from audio and video streaming applications.

Orchestrator

Controls the solution infrastructure, functions as an NFV orchestrator (NFVO), and manages network services and distributed VNFMs. Can be managed via the web interface or REST API when using external northbound systems.

Physical Network Function (PNF)

Pre-deployed ready-to-use network functions that are uploaded to the orchestrator web interface. The orchestrator can then handle additional configuration of the PNF.

PNF package

A package, in TAR or ZIP format, that contains the data necessary for deploying and managing the PNF.

Port security

This function improves network security at the level of Ethernet ports of switches and prevents unauthorized access to the network by limiting the number of MAC addresses that can be associated with a single physical port. When enabled, only trusted devices with predefined MAC addresses can connect to the network.

SD-WAN Controller

Centrally manages the overlay network and network devices in accordance with the service chain topology via the OpenFlow protocol. Deployed as a virtual or physical network function.

SD-WAN Gateway

CPE device that has the SD-WAN gateway role. Gateways establish tunnels with all devices on the network, including other gateways, thus providing connectivity between all devices and the SD-WAN Controller. You can install multiple gateways for fault tolerance.

SD-WAN instance

A deployed Kaspersky SD-WAN solution for one of the tenants of your organization. It is an isolated entity and has its own network services, CPE devices, and quality of service parameters.

Software-Defined Networking (SDN)

Technology for building communication networks in which the control plane is separated from the data plane and is implemented in software using a centralized SDN controller.

Software-Defined Wide Area Network (SD-WAN)

Approach to building software-defined networks using a global computer network. SD-WAN networks allow connecting local area networks and users in geographically dispersed locations.

Tenant

A logical entity within which an individual SD-WAN instance is deployed. Solution components such as network service components, users, and CPE devices are assigned to a tenant, and subsequently, tenant administrators can manage the assigned components. For example, you can create a separate tenant for a customer of your organization.

Transport strategy

A transport service encapsulation mechanism that includes the algorithm for adding a stack of traffic packet header tags and the type of these tags. Kaspersky SD-WAN currently supports only one transport strategy, Generic VNI Swapping Transport.

Universal CPE (uCPE)

CPEs with additional support for Virtual Network Function deployment. Note that the device must have sufficient hardware resources to avoid involving the data center or the cloud when providing the VNF.

Virtual Deployment Unit (VDU)

A virtual machine that acts as a VNF host and aggregates virtual computing resources, such as CPU and memory, required to run the VNF software, and also contains certain implementations of the network function, such as routing algorithms or load balancing logic.

Multiple VDUs can be combined into a single VNF to provide scalability and/or high availability. VDUs can be distributed across multiple physical servers; you can still manage them as a single VNF. VDUs interact with each other and other VNFs to perform their functions within a network service.

Virtual Infrastructure Manager (VIM)

Manages computational, networking, and storage resources within the NFV infrastructure. Serves to connect network functions with virtual links, subnets, and ports.

Can be deployed in the data center or on a uCPE device. Deploying the VIM in the data center implies centralized management of the VNF lifecycle, while a VIM deployed on a uCPE device allows delivering VNFs to remote locations and managing these VNFs locally. The deployed VIM must be added in the orchestrator web interface.

The OpenStack cloud platform is used as the VIM.

Virtual Network Function (VNF)

Network functions implemented as virtual machines on Commercial Off The Shelf (COTS) computer platforms.

Virtual Network Function Manager (VNFM)

Manages the lifecycle of virtual network functions using SSH, Ansible playbooks, scripts, and Cloud-init attributes.

VNF Package

A package, in TAR or ZIP format, that contains the data necessary for deploying and managing a VNF.
