EVPN/VXLAN Group Based Policy

How to integrate and distribute security functions in EVPN/VxLAN fabric

Posted by nmodena on Saturday, May 16, 2026

Every year I look forward to ITNOG, as an opportunity to share new ideas and experiences on new technologies, and how I’ve found ways to use them, and this year was no different.

In my presentation “Group Based Policy - How to integrate security functions in EVPN/VxLAN” at ITNOG-10, I demonstrated how to distribute the networking and security (up to layer 4) functions directly into the fabric, transforming the entire EVPN/VxLAN fabric into a single, highly scalable and flexible distributed system that integrates all switching, routing, and security features.

This is possible using a very simple technology and idea: bring security group membership information into the EVPN/VxLAN announcements via Group-Based Policy and combine the fabric’s security policies with those of the firewalls. My starting point was to move beyond the “firewall-centric” model we’re used to, which doesn’t scale and can’t guarantee the continuity of service delivery now required for every service.
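To make the "group membership travels with the encapsulation" idea concrete, here is an added example (not code from the presentation or from any vendor) that encodes and decodes the VXLAN header with the Group Based Policy extension and then applies a group-to-group layer 4 policy on the decapsulating VTEP. The bit layout (G and I bits in byte 0, D and A bits in byte 1, a 16-bit Group Policy ID in bytes 2-3, the 24-bit VNI in bytes 4-6) follows draft-smith-vxlan-group-policy and is an assumption of this example; the group numbers, VNI and rules are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Bit layout of the 8-byte VXLAN header with the Group Based Policy extension
# (draft-smith-vxlan-group-policy). Assumed for this example; verify it against
# the encapsulation your switches actually emit before relying on it.
#
#  byte 0: G . . . I . . .      G = GBP fields present, I = VNI valid
#  byte 1: . D . . A . . .      D = don't learn source, A = policy already applied
#  bytes 2-3: Group Policy ID (16 bits, big endian)
#  bytes 4-6: VNI (24 bits), byte 7: reserved
FLAG_G = 0x80
FLAG_I = 0x08
FLAG_D = 0x40
FLAG_A = 0x08


@dataclass(frozen=True)
class VxlanGbpHeader:
    vni: int
    group_id: Optional[int]   # None when the G bit is clear (untagged frame)
    dont_learn: bool
    policy_applied: bool


def build_vxlan_gbp(vni: int, group_id: Optional[int] = None,
                    dont_learn: bool = False, policy_applied: bool = False) -> bytes:
    """Encode a VXLAN header, filling in the GBP fields when a group_id is given."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    flags0, flags1, gpid = FLAG_I, 0, 0
    if group_id is not None:
        if not 0 <= group_id < 1 << 16:
            raise ValueError("Group Policy ID must fit in 16 bits")
        flags0 |= FLAG_G
        gpid = group_id
        if dont_learn:
            flags1 |= FLAG_D
        if policy_applied:
            flags1 |= FLAG_A
    return struct.pack("!BBH", flags0, flags1, gpid) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_gbp(data: bytes) -> VxlanGbpHeader:
    """Decode the first 8 bytes of a VXLAN payload into its GBP fields."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, gpid = struct.unpack("!BBH", data[:4])
    if not flags0 & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    vni = int.from_bytes(data[4:7], "big")
    if not flags0 & FLAG_G:
        # Without the G bit, bytes 2-3 are reserved and must not be read as a group.
        return VxlanGbpHeader(vni, None, False, False)
    return VxlanGbpHeader(vni, gpid, bool(flags1 & FLAG_D), bool(flags1 & FLAG_A))


# Group-to-group policy: the set of allowed (protocol, destination port) pairs
# for each (source group, destination group). Anything not listed is denied,
# and a frame that carries no group tag is denied rather than given a guessed
# group. Group numbers and rules are constructed for this example.
WEB, DB = 100, 200
POLICY = {
    (WEB, DB): {("tcp", 3306)},   # web tier may reach the database service only
    (DB, WEB): set(),             # nothing initiated from the database tier
}


def evaluate(src: VxlanGbpHeader, dst_group: int, proto: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a decapsulated frame on the egress VTEP."""
    if src.group_id is None:
        return "deny"
    allowed = POLICY.get((src.group_id, dst_group), set())
    return "permit" if (proto, dport) in allowed else "deny"


if __name__ == "__main__":
    web_hdr = parse_vxlan_gbp(build_vxlan_gbp(10100, WEB))
    print(web_hdr, evaluate(web_hdr, DB, "tcp", 3306))
```

The default-deny on untagged frames is the important design choice: once enforcement moves from a central firewall into every VTEP, a frame whose group cannot be established must not inherit a permissive default, otherwise any host that reaches the fabric without a tag bypasses the distributed policy.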

The architecture I’ve arrived at is nothing more than the transposition of what we’re used to building in cloud environments into something that can be implemented in our own datacenter, or better yet, in a single fabric that encompasses the entire infrastructure.

From the many conversations and questions I received, I realized this was the element that most highlighted the solution’s enormous potential.

The presentation is available in my GitHub repository and, ideally, serves as a continuation of last year’s, in which I proposed extending the use of EVPN/VXLAN in campus and WAN environments, available at https://blog.modena.to/2025/05/evpnvxlan-outside-dc

I thank the ITNOG - Italian Network Operators Group staff for allowing me to present again this year at this wonderful event, and my presentation reviewers: Ivan Pepelnjak, Christian Biasibetti, and Alessandro De Prato.