MEF New Standards for SD-WAN Services; SASE Work Program

The Metro Ethernet Forum (MEF) [1.] has published new SD-WAN standards that add critical enhancements, including new service capabilities for underlay connectivity, important application performance metrics, and security zones for service providers deploying SD-WAN managed services.

Note 1. The MEF is an industry forum empowering enterprises to transform digitally with standard services and APIs for network, cloud, and technology providers.  While initially focused on Carrier Ethernet, the MEF scope has broadened to encompass overlay services like SD-WAN.  The ITU-T does not have an active SD-WAN standardization program so the industry must look to the MEF for service definitions and standards for that subject.


The new MEF standards include:

  • MEF 70.1 updates MEF 70, the industry’s first global SD-WAN standard, to include new service attributes for underlay connectivity services, new measurable performance metrics that provide visibility into an application’s performance within the provider network and across multiple service providers, and the infrastructure to support application-based security defined in MEF 88 (see below).
  • MEF 88, MEF’s first security standard, enhances an SD-WAN service to add security functions. These include defining threats, malware protections, security policy terminology and attributes, and describing what actions a policy should take in response to certain threats.
  • MEF 95 provides a unified policy framework for MEF’s SD-WAN (MEF 70.1), Network Slicing (MEF 84), and SASE (MEF W117) and Zero Trust (MEF W118) standards coming in 2022.

“We’re seeing a healthy uptick in SD-WAN deployments driven by work from anywhere, as more users are connecting to the cloud and cloud-based applications. We estimate the global SD-WAN service market will grow from $2.85B in 2020 to $14.5B in 2025 (CAGR of 38%),” said Roopa Honnachari, vice president of research & global program leader – network & edge services, Frost & Sullivan.

“MEF’s work in standardizing and certifying SD-WAN managed services is helping to drive that adoption, and we believe certified services and professionals will continue to play an important role in moving the market forward.”

“MEF develops standards and certifications to provide clarity and assurance and remove complexity for SD-WAN managed services.

The new standards define the service behavior and associated policy language needed to deliver high-performance, secure SD-WAN managed services,” said Pascal Menezes, CTO, MEF.

Source:  MEF


“These standards, and the forthcoming SASE and Zero Trust standards, benefit both customers and providers—customers know what to expect when purchasing SD-WAN managed services from a provider, and providers have the tools needed to deliver secure SD-WAN services that drive customer satisfaction,” Pascal added.

Both service providers and vendors can attain certification for MEF’s SD-WAN standards in the MEF 3.0 SD-WAN certification program which validates compliance with MEF standards for delivering managed SD-WAN services and the underlying technology.  The objective is to eliminate market confusion, and enable faster SD-WAN market adoption.

In 2022, secure SD-WAN requirements will be added to the MEF 3.0 certification program. Currently, 17 companies have achieved MEF 3.0 SD-WAN certification. In addition, the MEF-SDCP Professional Certification training and certification provides an opportunity for the engineers, architects, product managers, and others deploying SD-WAN solutions to demonstrate their expertise in MEF 3.0 service standards.

  • Worldwide, there are over 700 MEF-SDCP professionals employed by more than 120 companies.
  • Over 60 service providers have either the Carrier Ethernet or SD-WAN certification within the MEF 3.0 framework, and a handful have both.
  • AT&T, Verizon, Comcast Business and Windstream are among the service providers with MEF 3.0 SD-WAN Certification.  Those companies also rank within the top five of Vertical Systems Group’s 2020 US Carrier Managed SD-WAN Leaderboard.


MEF will also be releasing SASE (MEF W117) and Zero Trust (MEF W118) standards in 2022. MEF started developing its secure access service edge (SASE) framework last fall to clarify the service attributes and definitions for SASE.

The SD WAN market has already become bogged down by different SASE definitions, which has led to confusion among enterprise customers and frustration for service providers.

MEF defines SASE as a “service connecting users (machine or human) with their applications in the cloud while providing connectivity performance and security assurance determined by policies set by the Subscriber.” The networking and security functions within a SASE service include routing, VPN, path selection, traffic shaping, firewall, threat prevention and more.

Yet finding one vendor that meets all those requirements, and delivers a SASE service that is simple to deploy, is proving challenging for service providers that want to provide SASE as a managed service to enterprise customers.

“The ideal is one vendor, right? That’s the ideal, we all agree with it. But at least for enterprise customers, we’d haven’t found a single vendor solution that meets their needs yet from a SASE perspective,” said Verizon’s Vincent Lee.

MEF Media Contact: Melissa Power [email protected]



MEF Introduces New Standards for High-Performance, Secure SD-WAN Services


2 thoughts on “MEF New Standards for SD-WAN Services; SASE Work Program

  1. SD-WAN provides a secure path from siloed enterprise networks to the public, private and hybrid cloud
    SD-WAN is a reset in thinking about how a Wide Area Network (WAN) should work. It’s a virtual WAN architecture, an overlay that can work with different network transport services, including broadband. SD-WAN enables organizations to centrally manage traffic using the principles of Software Defined Networking (SDN), without the limitations imposed by physical network infrastructure.

    SD-WAN centralizes network control, management, provisioning and security, despite the continued decentralization of data, as businesses move to the cloud. A few companies stand apart from the rest when it comes to offering SD-WAN solutions. Cisco is the market leader, followed by Fortinet and VMware, according to a report from Dell’Oro Group.

    Enterprise spend on SD-WAN has accelerated in recent times. Businesses are upgrading network infrastructure to accommodate changing objectives and shifting workforce demands, as well. Sales of SD-WAN solutions rose 45% year-over-year for the third calendar quarter of 2021, according to Dell’Oro. The research firm noted that Cisco’s quarterly SD-WAN revenue nearly doubled in the quarter, with especially strong growth in North America.

    The State of the WAN
    For years, the literal backbone of enterprise WAN connectivity has been Multi-Protocol Label Switching (MPLS). MPLS is a routing technique which directs data based on short path labels rather than long network addresses. Those paths labels speed network traffic by identifying virtual links between distant network nodes, eliminating routing delays.

    MPLS supports a range of network transport services. And as the acronym implies, it supports multiple networking protocols: Internet Protocol (IP), Asynchronous Transport Mode (ATM) and Frame Relay, for example.

    Regardless of protocol, MPLS connections all have one thing in common: They’re dedicated circuits, and require specialized routing hardware at both ends. This complicates provisioning and limits scale. What’s more, traditional WAN topologies typically backhaul all network traffic for security. This creates bottlenecks and complicates network traffic management.

    A WAN topology that restricts the flow of network traffic to the cloud is at direct odds with enterprise digitalization strategies. Enterprises depend on more cloud-based services than ever to manage essential business functions. SaaS platforms like Customer Relationship Management (CRM) and Enterprise Resource Planning (ERP) are examples. These platforms provide organizations with agility, flexibility, and scale, but being cloud-native demands a new approach when it comes to practical network management.

    SD-WAN modernizes network operations for the cloud
    As enterprises and users turn to the cloud, the difference between data center cloud and public cloud can get nebulous. Increasing public cloud-dependence and adjacency introduces complications to network security and compliance. Data sovereignty, compliance and security is top of mind for every IT professional.

    Many enterprises leaning into to the cloud are implementing Software-Defined Wide Area Networking (SD-WAN) to manage their networks. SD-WAN abstracts the networks’ transport service altogether. It’s a virtual WAN architecture which enables organizations to leverage whatever transport service they need — broadband, MLPS, 4G LTE, 5G.

    By separating the network’s control plane altogether, SD-WAN enables businesses to centralize network management, security, and provisioning. SD-WAN replaces dedicated network hardware with Virtual Network Functions (VNFs) in place of physical networking hardware.

    VNFs specifically replace devices like network routers and firewalls. VNFs are implemented as Virtual Machines (VMs) which run as software in the IT cloud, operating on commercial off-the-shelf (COTS) server hardware. Accompanied by Cloud-native Network Functions (CNFs), they provide IT departments with the ability to scale services instantly to meet demand. As software rather than hardware, VNFs and CNFs can be continuous updated and optimized.

    While VNFs are nothing new to enterprise IT, what’s new here in the SD-WAN equation is how SDN itself helps IT operations manage network operations and data security for branch and remote locations. There are some key differences, too.

    “SDN advocates a central controller to dictate network behaviors. In contrast, SD-WAN generally manages based on central policy control, but decisions may also be made locally while taking into consideration the corporate policies. Or decisions can be made centrally while incorporating knowledge of local conditions reported by remote network nodes,” said VMware.

    SD-WAN in the wild
    SD-WAN has emerged as an opportunity for carriers and hyperscalers, Over-the-Top (OTT) service providers, and edge services. In December, Amazon introduced AWS Cloud WAN as a way to replace what it called a “patchwork” of services needed to handle private network control and management. AWS Cloud WAN connects on-prem data centers, branch offices and cloud resources together on AWS’ global backbone, consolidating management through a central dashboard.

    Verizon features SD-WAN managed by Cisco as an option for its Network as a Service (NaaS). It comprises Cisco Umbrella security framework, manages zero trust application access and provides managed services through Cisco products including Pluggable Interface Modules and Catalyst Cellular Gateways.

  2. SD-WAN technology is a true WAN transformation from conventional inflexible WAN to next gen cloud ready WAN environment which are really easy to deploy, manage and scale in global environment. Dynamically sharing the load across the links adds great advantage to get both the links used in optimum way, not sitting idle as backup though it can be configured based on the need of the customer. SD-WAN has brought huge cost saving opportunity if Internet links are used replacing high cost MPLS services.

    Since Internet is uncontrolled, Business grade premium internet link with good SLA must be considered to get desired application throughput. To balance cost vs technology, combination of Business Grade and Low SLA internet can be used. Redundant infrastructure can be easily deployed with low cost compared to dual MPLS services to ensure business continuity and disaster recovery.

    Internet and O365 or other Cloud specific applications can be securely offloaded locally using Cloud Service brokers to have faster access compared to backhauling or express route in the central office in other region.

    Since the SD-WAN service is cloud ready and majorly over Internet which is not secured enough, Security is always key and high focus from all the layers, management plane, control plane and data plane. Traffic are encrypted as per industry standard with TLS 1.2 or IPSC with higher encryption or proprietary protocols to ensure CIA. Built in basic firewall function can have policy enforcement which is application aware, on top of that Network Based Firewall function can be deployed if stateful packet filter firewall is required with Anti X function.

    Based on the requirement of the customer, segmentation will add value to have completely isolated segment and associated routing in the same box, like business user’s traffic and guest user’s internet traffic can be completely separated and traversed on same internet links.

    Journey begins with this with the key focus how to secure end user’s behavior which may lead to opening up vulnerabilities. SASE solution now being added on top of SD-WAN where security for end to end traffic flow can be ensured. DLP can be integrated with role based access control along with malware protection such that only trusted source will have desired access to designated application and attempt to unauthorized access can be blocked. Same policy can be harmonized across the region for users who can connect from office LAN, Home VPN or Office Wi-Fi segments. SASE POP, gateways will have integration with real time scanning engine, sandboxing to minimize the threat landscape.

    Thank you MEF, Gartner to define SD-WAN and SASE standard that Solution providers are complying to ensure solution is meeting security guideline.

    SD-WAN Architecture Design plays a pivotal role to create a concrete standard solution framework. Number of Hubs (Interconnect point of MPLS and SD-WAN Internet) should be minimum to simplify WAN infrastructure. Combination of MPLS and Internet as underlying transport can create routing complexity of the hybrid site. BGP routing must be managed with right attributes to prevent asymmetric routing or routing loop. Redundancy must be considered based on business requirement, Single router dual link or dual router dual link etc.

    SASE readiness analysis will be interested study for organizations. It will be essential to identify the applications, type of users, connectivity methods and 3rd party support partner’s access requirement to define SASE business policy to provide right security posture across the organize to protect the communication from Internal and External threats.

    Thank you !
    Dr. Sudip Sinha
    MEF SDCP SD-WAN Specialist
    VMWare SD-WAN Master Specialist
    Member IEEE
    [email protected]

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>