Tag: network

  • SURF network continues to innovate: intelligent, independent and flexible

    SURF is building a new generation of the SURF network. We are doing this with a new network architecture and the further development of the network automation stack into an intelligent network. The network is based on open standards and procurement of network equipment goes through an intermediary.

    With this further development of SURF’s network, we can respond more flexibly and faster to technological innovations and reduce dependence on suppliers. With the new network architecture and a smart, flexible replacement strategy, we are also working towards a more sustainable network.

    Digital highway in the Netherlands

    With the SURF network, Dutch education and research have their own autonomous network infrastructure. In line with our public values, we determine accessibility, freedom of choice and privacy on our network ourselves. Since 1988, based on these principles, we have been building this own digital highway, intended for independent and reliable research and knowledge sharing.

    The SURF network has several features that allow students, teachers and researchers to collaborate safely, reliably and at lightning speed worldwide. This is due to the high continuity and reliability of the SURF network, which simply must always be available. The SURF network also has high bandwidth for moving large amounts of data. Low latency ensures minimal travel time between sending and receiving data within the network. Moreover, all network services are integrated with each other, and we are working to ensure proper integration with other SURF services.

    Growth in network traffic

    Ever since SURF was founded, Internet traffic has been growing by around 29% annually. For research projects, this percentage is sometimes even higher. This growth is one of the reasons why network technology continues to evolve so rapidly and why SURF’s network has to be renewed every 5 to 8 years. Equipment is ageing rapidly and the demand for capacity continues to grow rapidly.

    New approach for the SURF network

    In 2024, we started the project to set up a new generation of the network after SURFnet8. In previous generations of the SURF network, from SURFnet1 to SURFnet8, the architecture was strongly determined by the choice of a network equipment supplier. With the latest generation of the network, SURF aims for a supplier-independent architecture. Based on open standards, new technologies can be applied where they are needed and the network can continue to develop indefinitely. Hence this new generation is not called SURFnet9, but SURFnet Infinity.

    Workflow Orchestrator

    The first step for this new network architecture was already taken in 2018. With the Workflow Orchestrator developed by SURF based on open source software, various technology domains within the network can be centrally controlled. The Orchestrator ensures that tasks are performed in the right order and data is passed on correctly so that bottlenecks are prevented and reliability increases. This lays a solid foundation for the next step: further development towards an intelligent network in SURFnet Infinity.

    Purchase of network equipment via intermediary

    The purchase of network equipment is organised via an intermediary. In this way, SURF has greater freedom to make technology choices and can respond more flexibly and efficiently to the network needs of educational and research institutions when purchasing network equipment, without being tied to a single supplier.

    New SURFnet Infinity network architecture

    SURF’s new network architecture has established a clear hierarchy and separation of functions between the transport of network traffic, the provision of services to end users and connectivity to the Internet. This will facilitate capacity management, make the network more predictable, make it easier to detect and solve problems and provide more targeted security. It also moves a significant part of the network core from a commercial data centre to Nikhef’s data centre. The four core locations of SURF’s network are thus located within its own cooperative.

    First equipment purchased

    After an extensive selection process, SURF recently purchased the equipment to build the new core and border functionality. This directly realises the new architecture of the SURF network.

    For the SURFnet Infinity network infrastructure, SURF has chosen the Juniper PTX series, which is even more powerful, compact and energy-efficient than the outdated MX series used by SURF. In addition, SURF is working with Salumanus as an independent supplier of transceivers based on OpenZR+ technology. This combination allows routers to connect directly to DWDM infrastructure, without the use of separate optical equipment. This not only reduces costs and energy consumption, but also increases network flexibility and future-proofing. Moreover, by choosing an independent supplier, the lifetime of the transceivers is not linked to that of the router hardware.

    Start of further development of SURFnet Infinity

    The further development of the SURF network starts with the renewal of the heart of our network: the core and border routers. Together with our management partner Quanza, we started preparations in the summer of 2025.

    At 55 locations throughout the Netherlands, we will replace SURFnet8 equipment with new equipment. Most of the institutions connected to the SURF network will not be affected. For the work, we will contact our contact persons directly. This migration will run until early 2027.

    For international connections, in this phase we also replace the NetherLight equipment and optimise our Cross Border Fiber infrastructure. In the years after 2027, we plan to replace the optical equipment that facilitates high capacity between network components, as well as the access layer to which all institutions are connected.

    Want to know more about SURFnet Infinity?

    Follow this project on this page.
    We also post regular project updates on the network dashboard.
    Are you a network specialist? Then subscribe to the updates on the SURFnetwork Infinity project.

  • Highlights from Internet2 TechEx 2025

    At Internet2 TechEx 2025, global developments in research and education (R&E) network infrastructure were high on the agenda. In a well-attended update, Brenna Meade (International Networks, Indiana University) shared an overview of key steps being taken worldwide to scale capacity, resilience, and automation in federated network services.

    Major capacity upgrades, including transoceanic links

    Meade outlined a broad range of ongoing and planned upgrades across international backbone and exchange infrastructures. This included new 400 Gbps transoceanic links—critical for data-intensive research and collaboration across continents. She also highlighted activity and continued evolution across multiple Global Exchange Points (GXPs), including FUJI-XP, SOE, GOREX, MANLAN, MOXY, NetherLight, and Pacific Wave. Together, these hubs form an important foundation for high-performance global connectivity between R&E networks.

    NSI reaches production readiness

    A key milestone highlighted in the session: NSI (Network Service Interface) has reached production readiness. NSI enables interoperable, automated service provisioning across network domains. In practice, this supports standardized ways for organizations and networks to request, set up, and manage end-to-end services across multiple administrative boundaries.

    For NRENs, this aligns closely with the push toward scalable, federated connectivity: less manual coordination, faster delivery of services, and more reusable interfaces and operational agreements between domains. Reaching production readiness is therefore a concrete step toward more automated and dependable international network service ecosystems.

    Technology—and the community behind it

    Beyond the technical program, TechEx continues to stand out as a strong community meeting point. Informal conversations between sessions, sharing experiences across very different operating contexts, and social traditions such as the 5K fun run all reinforce the trust and relationships that are essential to building and operating resilient infrastructure.

    In summary: TechEx 2025 underscored how global R&E networks are moving forward on both capacity and automation—with NSI marking a notable step toward interoperable, federated service delivery.

  • Education Championship patching

    The first Education Championship patching at the SURF Network and cloud event 2025 was a great success!

    Over ten participants competed for the title of patchmaster. There was serious competition and a finishing time that got tighter and tighter, with Dimitry Schoenmakers from Tilburg University as the eventual winner!

    Dimitry, many congratulations on the challenge cup!

    Are you also a SURF member and would you like to show off your patching skills and run away with the challenge cup next time? Then join the sign community! https://communities.surf.nl/sign/about

    De Beeldredaktie / Sander Koning for SURF, Hilversum, 30.09.2025, SURF Netwerk & Cloud Event 2025 in Gooiland Hilversum. Photo copyright – Sander Koning
  • SURF at the 6th Global Research Platform: Building the Future of International Research Networking

    Chicago, September – At the 6th Global Research Platform (GRP), SURF joined peers from around the world to share progress, exchange insights, and strengthen collaboration in global research networking.

    In my presentation, I highlighted SURF’s next steps:

    • Updates on SURFnet Infinity and NetherLight
    • Terabit trials with CERN and the LUMI supercomputer
    • Explorations in quantum-secure networking and fiber sensing

    A recurring theme at GRP was the importance of the federated approach: each NREN serves its own members, but together we form a global infrastructure that supports research at scale. This balance of local autonomy and international collaboration is vital to the community’s success.

    Many thanks to Joe Mambretti, Maxine Brown, and the GRP community for fostering an open, collaborative environment. SURF looks forward to continuing this work and helping shape the future of international research & education networking.

  • Field trip to visit our colleagues at DFN-Verein

    What an insightful day in Berlin! A big thank you to Stefan Piger and Leonie Schäfer from DFN-Verein for the engaging discussions and valuable learnings. It was a pleasure to exchange ideas and explore opportunities for collaboration together. Looking forward to continuing this conversation!

  • Network dashboard goes electric!

    Last summer, a huge transition was implemented under the hood of the Network Dashboard. At first glance, little seems to have changed, but especially if you click around, you will now notice that it works much faster. The major overhaul of the network dashboard had been on our wish list for a long time, because the complex authorization rules made the Network Dashboard feel like an old diesel at times (or even slower!).

    The architecture of the Network Dashboard has been completely overhauled: instead of collecting all data from the different systems (orchestrator/IPAM/CMDB/CRM/Jira) in real time, we now prepare all static data in advance in a document in the replica set. As a result, we only have to make a few very fast calls instead of 500 separate API calls. Only the traffic graphs and health status of the services are now retrieved live from the influx database.

    How quickly is such a replica set updated?

    The preparation of these documents in the replica set is triggered with every change to a subscription that the Workflow Orchestrator (see workfloworchestrator.org) executes on a service. The replica is also refreshed every night. This allows us to guarantee the data integrity between the orchestrator and the replica set. Only in the case of real-time changes on the network or due to self-service actions will the replica set briefly lag behind the actual state as recorded in the Workflow Orchestrator. For example, adjusting a customer alias is not immediately visible in the network dashboard, but must first be processed in the replica set. Simple changes take ~4 seconds, while larger changes can take many times longer on average. At the moment we are still working on improving the automatic refresh of the pages after self-service actions. Until then, you will have to manually refresh a page after a change to see the latest information.

    SURFdomeinen will be available in the network dashboard early next year. Due to the complex migration of domain names and zones, this will be carried out in phases. The product manager of SURFdomeinen will communicate about this in due time.

    Finally, we have introduced a new look-and-feel with a renewed landing page, on which all network services of the standard network portfolio are clearly presented in one tile.

  • Lightpaths 2.0

    We have been providing SURFlichtpaden for a long time. Up until now, these were always Ethernet services with two endpoints. We had SURFlichtpaden in roughly four flavors: protected or redundant, and on a Single Service Port (SSP, untagged) or Multi Service Port (MSP, tagged). Now, with the new SURF network, we can add new possibilities to the SURFlichtpaden. For example, we now offer a multipoint variant (or L2VPN) and there are more possibilities in the field of redundancy and resiliency. Read here what we have done so far and what we plan to do.

    SURF light paths have always met a need to connect institutions, or separate locations of an institution, with each other. SURF light paths are therefore often used for research purposes or for internal business operations. In recent years, connections with cloud providers of all shapes and sizes have also been added, such as IaaS, SaaS, CaaS, DaaS; in short, *aaS. Business operations with *aaS providers often require a high degree of service availability. That is why light paths have become quite popular for that purpose.

    However, light paths have a number of limitations. Firstly, they are point-to-point. That provides control, but can also become complex if you want to connect many locations or networks with each other, because many individual light paths are required. In addition, it is difficult to extend redundant VLANs to a cloud provider via such light paths. That causes a major risk of Ethernet loops, which can cause network instability. We could not offer a good solution for this in SURFnet7.

    With the migration of SURFnet7 to the new SURF network, we have switched from PBB-TE to EVPN over MPLS. EVPN is a technology that is fully based on IP and Ethernet networks. This also provides new opportunities to evolve our light path services to the current times and needs of the connected institutions.

    So what’s new?

    The migration to the new SURF network is now almost complete. If you have MSPs (Multi Service Ports) that have already migrated to the new SURF network, we can now offer multipoint light paths (L2VPNs) there. Suppose you have a VLAN running over the light path between two locations, you can now easily add a third location. This way you have three locations connected to each other without having to build a whole tangle of light paths. Within the new SURF network, traffic always takes the most optimal route through the network.

    To visualize the whole thing, we show in the example below how we want to connect three networks to each other over a VLAN with the MSPs. Each network (or location) is connected to one MSP. This means that no Ethernet loops can be created, because each location has one connection. But unfortunately there is no redundancy for business-critical applications. In this scenario, a malfunction or maintenance work can isolate one or more locations.

    Figure 1: non-redundant L2VPN

    Ideally, we would of course be able to connect each network/location to 2 MSPs, for more redundancy. But if we just do this, Ethernet loops are guaranteed to occur, resulting in disruptions. See the example below. Ethernet does not have a loop prevention mechanism by itself. As a result, when a loop occurs, packets continue to circulate endlessly until the loop is interrupted. In SURFnet7, we could therefore not offer such a scenario.

    Figure 2: Ethernet loops in a redundant L2VPN

    Within EVPN (the protocol used in the new SURF network for light paths and L2VPNs) there are a number of mechanisms that ensure that Ethernet loops can no longer occur. We can now offer one of these on the new SURF network: ‘Single-Active multihoming’ on a VLAN service. This allows us to configure a VLAN service on multiple MSPs at the same location. These MSPs are grouped in an ESI (Ethernet Segment Identifier) and in this ESI only 1 port is active at any given time. When the active port goes down, the other port immediately becomes active and this new port will forward the traffic. During the setup, MAC learning will ensure that all MAC addresses move to the new active port. This happens in just 1-2 seconds. The figure below shows what that would look like. There you can see that 1 port in an ESI group is always active and there is a loop-free topology.

    Figure 3: Loop prevention using single-active multihoming in L2VPN
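
    The difference between figures 1, 2 and 3 can be reproduced with a small flooding model. This is an added example, not SURF's code: it assumes the whole L2VPN behaves as one bridge called `core`, and the site and port names are constructed.

```python
from collections import deque

CORE = "core"  # assumption: the whole provider L2VPN behaves as one bridge


class Segment:
    """The MSP ports of one location, grouped the way an ESI groups them."""

    def __init__(self, site, ports):
        self.site = site
        self.up = {port: True for port in ports}  # dict order = preference

    def forwarding(self, single_active):
        live = [port for port, ok in self.up.items() if ok]
        # Single-active: only the first live port forwards, the rest stand by.
        return live[:1] if single_active else live


def flood(segments, source, single_active):
    """Flood one broadcast frame from the site named `source`.

    Every bridge copies the frame to all forwarding links except the one it
    arrived on. Returns (sites_reached, looped); looped becomes True as soon
    as a copy would enter a bridge over a link it has already entered by.
    """
    links = [(s.site, p) for s in segments for p in s.forwarding(single_active)]
    seen, reached, looped = set(), set(), False
    queue = deque([(source, None)])
    while queue:
        bridge, arrived_on = queue.popleft()
        if bridge not in (CORE, source):
            reached.add(bridge)
        for link in links:
            if link == arrived_on or (bridge != CORE and link[0] != bridge):
                continue  # skip the ingress link and links of other sites
            peer = link[0] if bridge == CORE else CORE
            if (peer, link) in seen:
                looped = True  # Ethernet has no TTL: this copy circles forever
                continue
            seen.add((peer, link))
            queue.append((peer, link))
    return reached, looped


def three_sites(ports_per_site):
    """Constructed topology: three locations with 1 or 2 MSP ports each."""
    names = ["msp-1", "msp-2"][:ports_per_site]
    return [Segment(s, names) for s in ("site-a", "site-b", "site-c")]


if __name__ == "__main__":
    # Figure 2: both ports of every site forward, so the frame loops.
    print(flood(three_sites(2), "site-a", single_active=False))
    # Figure 3: one active port per ESI, loop-free.
    print(flood(three_sites(2), "site-a", single_active=True))
    # Failover: the active port of site-b goes down, the standby takes over.
    segs = three_sites(2)
    segs[1].up["msp-1"] = False
    print(flood(segs, "site-a", single_active=True))
    # Figure 1: one port per site, so the same failure isolates site-b.
    segs = three_sites(1)
    segs[1].up["msp-1"] = False
    print(flood(segs, "site-a", single_active=True))
```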

    Possible use cases

    The above is quite a technical story. It may come to life more if we explain some possible use cases.

    EduVPN scenario

    eduVPN is a VPN service from SURF to allow employees and students of an institution to work safely at home or remotely. We are currently testing whether we can make the eduVPN service more reliable using multihomed L2VPN, which adds more resilience to the eduVPN service. This scenario looks like this:

    The eduVPN servers run in two data centers in Amsterdam and are connected to the institution with a light path. The eduVPN service can currently only exchange traffic between the institution and eduVPN using static routes. This makes it impossible to create a redundant scenario of this service using traditional light paths. This is possible using the ESI mechanism in the L2VPN.

    Figure 4: Use case eduVPN

    The above scenario shows the eduVPN service at the top. The eduVPN server can be moved between data centers in the event of outages. In the eduVPN setting, resilience is achieved by using VRRP (or a variant of this, such as HSRP).

    Twin data center plus cloud IaaS provider

    When an institution has multiple data centers and also wants to use an IaaS provider, the use of an L2VPN can provide redundancy. This can be used to, for example, migrate services to the cloud provider or to outsource certain matters. This may create the need to be able to extend the VLANs in the data centers to the IaaS provider. This allows systems to be moved without having to be renumbered. Such a scenario could look like this:

    Each data center is doubly connected and has 2 ports in an ESI group. This prevents loops and provides sufficient redundancy. The L2VPN can contain a bundle of VLANs.

    You then get the scenario in figure 3, where one of the locations can be a cloud provider.

    Future

    With this functionality, we believe we have taken a step in the right direction to add functions to our lightpath services that can help institutions.

    EVPN has even more possibilities that we can use to, hopefully, even better meet the needs of institutions.

    Within the lightpath services, we also hope to be able to do link bundling based on LACP over multiple chassis (MC-LAG) in the future. Many institutions already use a form of Virtual Chassis or VSS for redundancy. MC-LAG could tie in nicely with this. This allows both interfaces that form an ESI to be active at the same time.

    Figure 5: Multi-chassis link aggregation

    In addition, we are developing an L3VPN service. L3VPN is a virtual router that can be configured on SN8. This virtual router can be used, for example, to efficiently connect multiple cloud providers (MS Azure or Amazon AWS) to a setup network.

    Figure 6: L3VPN multicloud example

    Do you have any ideas or questions about these new features and functionalities? Or do you have suggestions that can help us further develop the service? Then please contact me!