SD-Branch: Evolution of the Branch & SD-WAN (Stephan Lelleck, CSE)

Posted on 22-May-2020


SD-Branch
Evolution of the Branch & SD-WAN
Stephan Lelleck, CSE, stephan.lelleck@hpe.com

2

Challenges with Current Branch Architectures

WAN Side Challenges

• Limited capacity & long setup times for MPLS

• Lack of control and visibility into WAN traffic

• Complex management of the WAN and routing policy

• More SaaS traffic (O365, Box, SFDC, …) directed over Internet.

• Lack of security measures and control to safeguard the network

LAN Side Challenges

• Complexity caused by increasing number of devices, VLAN proliferation

• End points going mobile

• Poor visibility into clients/devices

• Lack of authentication of clients/devices

• Lack of common policy for users connecting to network via wired or wireless

Operational Challenges

• Multiple management platforms, multiple operating models, multiple vendors; policy is distributed

3

Goal: Solve the Branch problem, not just the WAN

Simple: drive simplicity and fewer boxes in the branch solution

Common Policy and Management for Wired, WLAN and WAN

Transport Independence: own your WAN policy

4

Traditional vs SD-Branch Policy

Traditional: STATIC AND FRAGMENTED, DISAGGREGATED POLICY DEFINITIONS
• WLAN: VLAN, ACL, SUBNET
• LAN: VLAN, ACL, SUBNET
• FIREWALL: ZONE, TRUST, ACL
• ROUTER: VRF, VPN, SUBNET, ACL
• WAN OPT: THROTTLING, COMPRESSION
(diagram: separate VLAN 103 and VLAN 201 segments)

SD-Branch: SOFTWARE DEFINED DESIGN
• UNIFIED POLICY ENFORCEMENT: LAN, WLAN, WAN, SECURITY
• ELIMINATE VLAN SPRAWL
• CENTRALIZED DEFINITIONS FOR EVERY BRANCH
• TUNNELED TRAFFIC

5

Aruba Solution Overview

(diagram) Branch: Aruba 2930F wired switch and wireless APs connect to the Branch Gateway (BG, 7000 series appliance) with role-based profiling on vlan50; two uplinks (uplink1, uplink2) over MPLS and Internet carry a wired tunnel and a wireless tunnel to the Headend Gateway (VPNC, 7200 series appliance) in the Data Center or to a Virtual Gateway in a public/private cloud; Internet destinations are reached directly; the Aruba Central customer portal manages the deployment. Numbered callouts 1 to 4 in the original diagram mark the stages of the path.

6

Aruba Solution Components

Hardware
• Branch Gateways: Aruba 7000 Series
• Headend Gateways: Aruba 7200 Series
• Virtual Gateways: Aruba vGateway

Software
• AOS: Aruba OS
• Aruba Central: centralized cloud managed networking for wireless, wired & WAN (available 2HCY18)

7

Branch Gateways: Aruba 7000 Series

LAN
• L2 services, PoE
• LLDP
• DHCP
• NAT, 1:1 NAT
• AAA survivability

WAN
• Multiple WAN uplinks
• Load balancing
• IPsec VPN tunnels
• LTE fallback
• Policy Aware Application Routing
• Direct Internet Access
• Dynamic Path Selection

Security
• Stateful Firewall
• User based Policies
• Web Content Filtering
• LAN Segmentation
• Zscaler Integration

8

Licenses

9

SD-WAN Solution Capabilities

• Zero Touch: Secure ZTP, Aruba Central
• Overlay Topology: IPsec VPN tunnels, hub-and-spoke
• Application Visibility: DPI/AppRF, WAN links
• WAN Flexibility: Multiple WAN uplinks, QoS
• Gateway Monitoring: Device, WAN, Tunnels, Routes, Alerts, DHCP
• Secure Branch: Stateful Firewall, ClearPass integration, Web CC, Zscaler
• Application Path Steering: Policy aware application routing, Dynamic Path Selection
• Ease of Management: Group based configuration, Central firmware management
• LAN Services: VLANs, DHCP, NAT, QoS

10

Aruba Distributed Architectures

(diagram) Enterprise DC at the hub, with three spoke types: SD-WAN branches, MicroBranch (IAP-VPN), and users on the road (VIA)

11

Onboarding and management

12

ZTP for Secure and Fast Branch Deployments

• Complete Trust: secure onboarding with embedded TPM chip on all Aruba devices
• Zero Touch: ease of use, zero touch to provision remote branches
• Scale: create bulk policy templates to push to branches, plus REST API

13

Mobile Installer App

• Installer selects site and scans devices

• Installer gets status of device onboarding

• Admin gains central visibility into onboarding

• Location awareness seeded into onboarding

14

NOC Dashboard

• Monitoring via two approaches
  • Metrics and stats that are passively collected
  • Metrics and stats that are actively collected from synthetic transactions

• Results delivered in three ways
  • Via APIs and API based notifications
  • Via exportable reports
  • Via the Central dashboards


16

Site Health Dashboard

• System Health Indicators: Devices Disconnected, CPU Utilization, Memory Utilization
• RF Health Indicators: Channel Utilization (5/2.4 GHz), Noise Floor (5/2.4 GHz)
• Client Health Indicators: Client Health Score, Connectivity Health Score
• WAN Health Indicators: Network Latency, Loss, Bandwidth

17

Hierarchical Management

1 Apply configurations on a group basis

2 Overrides on a per-device basis (bulk-edit possible)

3 Monitoring based on labels

18

Routing Policies

19

Setting up the overlay

(diagram) Branch with Subnet A and Subnet B; an IPsec tunnel carries Corp Data Traffic to the headend while Internet Traffic goes out directly; branch subnets are advertised upstream via cfgset (ike ext) and redistributed at the headend; corp routes point to the tunnel

1 Establish VPN tunnels
2 Advertise branch routes
3 Start sending traffic

20

Multiple uplinks

(diagram) Each branch has an xDSL and an MPLS uplink, each with its own tunnel to the Data Center; equal cost routes via both tunnels

21

Hub & Spoke Routing

(diagram) Branch subnets A and B are advertised upstream via cfgset to both DCs; DC A redistributes them into OSPF with cost 10, DC B with cost 20; corp routes to DC A carry cost 10, corp routes to DC B carry cost 20

22

Path Quality Monitoring

23

Path Quality Monitoring: how it looks today…

– ICMP probes measure latency and packet loss
– UDP probes (UDP 4500) measure latency, packet loss and jitter; MOS is derived from these values
– Probes can be sent through the underlay or through the overlay

(diagram) Branch with ADSL and MPLS uplinks, IPsec tunnels, UDP probes and ICMP probes

24

Evolution

(diagram) Branch with ADSL and MPLS uplinks, IPsec tunnels, UDP probes, ICMP probes and HTTPS probes

– Global ICMP responder service in ACP (Aruba Central)
– HTTPS probes to SaaS
– Leverage FW capabilities for passive monitoring

Passive monitoring
• Delay/Latency
• Jitter, MOS

25

Putting it all together…

26

A day in the life of an SD-WAN packet

(diagram) Branch gateway with INET, MPLS and LTE uplinks forming the SD-WAN overlay to the Headend Gateway in the Enterprise DC and to a Virtual Gateway

Path Metric
Link   Latency  Jitter  Loss  Util
MPLS   4ms      5       1%    30%
INET1  30ms     25      4%    60%
LTE    45ms     10      20%   5%

Path Monitoring Policy
Name   Policy
Voice  Latency < 10ms & Jitter < 10 & Loss < 2% & Util < 70%
SAP    Latency < 50ms & Loss < 50% & Util < 90%
Guest  Util < 95%


29

A day in the life of an SD-WAN packet (continued)

(same diagram; the MPLS path has degraded and INET1 has improved)

Path Metric
Link   Latency  Jitter  Loss  Util
MPLS   200ms    5       50%   30%
INET1  10ms     5       4%    60%
LTE    45ms     10      20%   5%

30

Dynamic Path Selection

1 Role + Application: per user role, classify important applications, e.g. Employee Business Critical, Voice, Best-Effort, Guest
2 SLA: configure SLA parameters per user & application category (diagram labels: Basic WAN; Delay, Jitter, Loss)
3 Path Preference: configure path preference and fall-back options per application category (diagram labels: MPLS, Internet, 4G/LTE)
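The three DPS steps above, the probe measurements from the Path Quality Monitoring slides and the two Path Metric tables can be worked through end to end. The following is an added example written for this page, not code from the deck or from Aruba: the SLA thresholds and link metrics are the values on the slides, while the probe samples, the per-application preference order and the "least violation" fallback heuristic are assumptions. It shows the case the second metric table illustrates: once MPLS degrades, no link meets the Voice SLA, so the fallback has to choose the least bad path rather than the first in preference order.

```python
"""Dynamic Path Selection walk-through: path metrics derived from probes,
per-application SLA checks, and preference-ordered path choice with a
fallback when no uplink meets the SLA.

Constructed example. SLA thresholds and link metrics are the slide values;
the preference order and the fallback heuristic are assumptions, not the
vendor's algorithm."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PathMetric:
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    util_pct: float


@dataclass(frozen=True)
class SlaPolicy:
    """Upper bounds per metric; None means the metric is not part of this SLA."""
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    loss_pct: Optional[float] = None
    util_pct: Optional[float] = None


METRIC_NAMES = ("latency_ms", "jitter_ms", "loss_pct", "util_pct")


def metrics_from_probes(rtts_ms: Sequence[Optional[float]], util_pct: float) -> PathMetric:
    """Derive latency, jitter and loss from one series of UDP probe results.

    Each entry is a round-trip time in ms, or None for a probe with no reply.
    Jitter is the mean absolute difference between consecutive answered probes
    (a simplified estimate, not the RFC 3550 filter). Utilization is not a
    probe result and is passed in from the gateway's link counters."""
    answered = [r for r in rtts_ms if r is not None]
    if not answered:
        # Every probe lost: report the path as unusable instead of dividing by zero.
        return PathMetric(float("inf"), float("inf"), 100.0, util_pct)
    deltas = [abs(b - a) for a, b in zip(answered, answered[1:])]
    jitter = mean(deltas) if deltas else 0.0
    loss = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    return PathMetric(mean(answered), jitter, loss, util_pct)


def violations(metric: PathMetric, sla: SlaPolicy) -> Dict[str, float]:
    """Return {metric: measured/bound} for every bound the path breaks.

    Bounds are strict, as written on the slide (Latency < 10ms ...), so a
    link sitting exactly on the threshold is not compliant."""
    broken = {}
    for name in METRIC_NAMES:
        bound = getattr(sla, name)
        measured = getattr(metric, name)
        if bound is not None and not measured < bound:
            broken[name] = measured / bound
    return broken


def select_path(app: str, metrics: Dict[str, PathMetric], policies: Dict[str, SlaPolicy],
                preferences: Dict[str, List[str]]) -> Tuple[str, str]:
    """Pick the first link in the app's preference order that meets its SLA.

    If no link is compliant, fall back to the one whose worst violation ratio
    is smallest (constructed heuristic), so a path at 200 ms / 50 % loss is
    never chosen over one that misses the SLA by a hair. Ties keep the
    preference order. Returns (link, reason)."""
    sla, order = policies[app], preferences[app]
    for link in order:
        if not violations(metrics[link], sla):
            return link, "sla-compliant"
    worst = {link: max(violations(metrics[link], sla).values()) for link in order}
    return min(order, key=worst.__getitem__), "fallback-least-violation"


POLICIES = {  # Path Monitoring Policy table from the slide
    "Voice": SlaPolicy(latency_ms=10, jitter_ms=10, loss_pct=2, util_pct=70),
    "SAP":   SlaPolicy(latency_ms=50, loss_pct=50, util_pct=90),
    "Guest": SlaPolicy(util_pct=95),
}
PREFERENCES = {  # assumed per-application preference order (not on the slide)
    "Voice": ["MPLS", "INET1", "LTE"],
    "SAP":   ["MPLS", "INET1", "LTE"],
    "Guest": ["INET1", "LTE", "MPLS"],
}
STEADY_STATE = {  # first Path Metric table
    "MPLS":  PathMetric(4, 5, 1, 30),
    "INET1": PathMetric(30, 25, 4, 60),
    "LTE":   PathMetric(45, 10, 20, 5),
}
MPLS_DEGRADED = {  # second Path Metric table: MPLS impaired, INET1 improved
    "MPLS":  PathMetric(200, 5, 50, 30),
    "INET1": PathMetric(10, 5, 4, 60),
    "LTE":   PathMetric(45, 10, 20, 5),
}


def main() -> None:
    # Constructed probe series: five answered UDP probes and one lost one.
    print("probe-derived:", metrics_from_probes([4, 5, 3, None, 4, 6], util_pct=30))
    for label, metrics in (("steady state", STEADY_STATE), ("MPLS degraded", MPLS_DEGRADED)):
        print(f"-- {label}")
        for app in POLICIES:
            link, reason = select_path(app, metrics, POLICIES, PREFERENCES)
            print(f"{app:6s} -> {link:6s} ({reason})")


if __name__ == "__main__":
    main()
```

With the first table every application gets its preferred compliant link. With the second, SAP simply moves to INET1, which still meets its looser SLA, but Voice finds no compliant link at all (INET1 is exactly at the 10 ms bound and over the 2 % loss bound), so the result depends entirely on how the fall-back option is defined; that is why the slide treats fall-back as something to configure per application category rather than leaving it implicit.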

31

DPS Monitoring

Is the WAN link compliant to the application SLA?
• View compliance per WAN link
• Highlight violations with specific reasons

Is the policy honoring path preference?
• View session distribution across active links

Is DPS kicking in when there are WAN link SLA violations?
• Quickly identify session movement between WAN links

32

Topology

• Tree and Planetary View
• Health status
• Hover info
• VLAN Overlays

33

Security

34

Security and hardening

• CC EAL4+ Integrated Firewall
• Guest traffic completely isolated from corporate network
• DPI engine with 2500+ applications (plus custom apps)
• WebCC for content and reputation filtering

(diagram) INTERNET and MPLS uplinks; content and reputation filter

35

User Centric Policies

1 Device associates to initial role

2 ClearPass profiles device

3 ClearPass places device in its role

4 Every frame goes through the firewall, including inter-VLAN traffic. Hence, only a single VLAN is needed.
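The four steps above describe a policy model in which segmentation comes from the role, not from the VLAN or the port. The following is an added example for this page, not code from the deck or from Aruba: a minimal role-based firewall for hosts that all sit in one VLAN (vlan50, as in the overview diagram). The role names, the DHCP and AAA attributes that stand in for ClearPass profiling, the firewall rules and the MAC addresses are all constructed assumptions. It shows a device starting in a restricted initial role, being re-roled by profiling, and being denied traffic to a neighbour in the same VLAN because no rule in its role allows it.

```python
"""Role-based policy on a single VLAN: a device lands in an initial role,
profiling assigns its real role, and every frame (same-VLAN traffic included)
is checked against that role's firewall rules.

Constructed example: role names, the profiling attributes standing in for
ClearPass, the rules and the MAC addresses are assumptions, not the vendor's
policy model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

INITIAL_ROLE = "initial"  # where a device sits until profiling completes

# Stand-in for profiling: one observed attribute maps to a role.
PROFILE_RULES: Dict[Tuple[str, str], str] = {
    ("dhcp-vendor-class", "AXIS"): "camera",
    ("dhcp-vendor-class", "Verifone"): "pos",
    ("aaa-user-group", "employees"): "employee",
}


@dataclass(frozen=True)
class Rule:
    dst: str             # destination role or zone ("corp-dc", "internet", "infra", "any")
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None = any port
    action: str          # "permit" or "deny"


# Per-role firewall rules: first match wins, anything unmatched is denied.
# No role has a rule towards another LAN role, so traffic between two hosts
# in the same VLAN falls through to the implicit deny (micro-segmentation).
POLICY: Dict[str, List[Rule]] = {
    INITIAL_ROLE: [Rule("infra", "udp", 67, "permit"),    # DHCP, needed to get profiled
                   Rule("infra", "udp", 53, "permit")],   # DNS
    "camera":   [Rule("corp-dc", "tcp", 554, "permit")],  # RTSP to the recorder only
    "pos":      [Rule("corp-dc", "tcp", 443, "permit")],  # payment backend only
    "employee": [Rule("corp-dc", "any", None, "permit"),
                 Rule("internet", "tcp", 443, "permit")],
}


@dataclass
class Device:
    mac: str
    vlan: int
    role: str = INITIAL_ROLE
    attrs: Dict[str, str] = field(default_factory=dict)


def profile(device: Device) -> str:
    """Steps 2 and 3: derive the role from observed attributes and apply it.
    A device that matches nothing stays in the initial role."""
    for (key, value), role in PROFILE_RULES.items():
        if device.attrs.get(key) == value:
            device.role = role
            break
    return device.role


def evaluate(src: Device, dst: Union[Device, str], proto: str, port: int) -> str:
    """Step 4: decide one frame. The destination is either another LAN device
    (its role is the zone) or a named zone; sharing a VLAN earns no exemption."""
    zone = dst.role if isinstance(dst, Device) else dst
    for rule in POLICY.get(src.role, []):
        if rule.dst in ("any", zone) and rule.proto in ("any", proto) and rule.port in (None, port):
            return rule.action
    return "deny"


def walkthrough() -> Dict[str, str]:
    """Two constructed devices in vlan50; returns the decision at each step."""
    camera = Device("00:11:22:33:44:55", 50, attrs={"dhcp-vendor-class": "AXIS"})
    pos = Device("00:11:22:33:44:66", 50, attrs={"dhcp-vendor-class": "Verifone"})
    out = {}
    out["camera-initial-dhcp"] = evaluate(camera, "infra", "udp", 67)     # step 1: allowed
    out["camera-initial-rtsp"] = evaluate(camera, "corp-dc", "tcp", 554)  # step 1: not yet
    profile(camera)
    profile(pos)
    out["camera-role"] = camera.role
    out["camera-rtsp"] = evaluate(camera, "corp-dc", "tcp", 554)
    out["camera-to-pos"] = evaluate(camera, pos, "tcp", 443)  # same VLAN, still denied
    out["pos-backend"] = evaluate(pos, "corp-dc", "tcp", 443)
    out["pos-internet"] = evaluate(pos, "internet", "tcp", 443)
    return out


if __name__ == "__main__":
    for step, decision in walkthrough().items():
        print(f"{step:22s} {decision}")
```

The point of the walkthrough is the `camera-to-pos` decision: both hosts share vlan50 and would reach each other freely on a traditional access VLAN, but here the frame is evaluated against the camera role, which only permits RTSP to the data centre, and is dropped. Profiling is also what bounds the exposure of an unknown device: until something matches, it stays in the initial role and can only complete DHCP and DNS.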

36

Integration with Cloud Security

(diagram) Branch Gateway with an "Internet Access" role; Enterprise DC Gateway; Customer Portal; Cloud Security vendor / Cloud Gateway reached over the INTERNET

• Tunnel Internet bound traffic to the Cloud Security vendor
• Role-based profiling with stateful firewall on the Branch Gateway; only Internet flows are steered to the Cloud Security vendor
• Selected Internet bound flows, based on configured policy, are tunneled to the Cloud Security provider

37

Role Based Policies for LAN, Security, WAN

(diagram) BRANCH OFFICE: printer, desktop, camera, laptop and smartphone attach via access switch and access point to the Branch Gateway, which has MPLS and Internet uplinks; policy context: users, devices, WAN state, app fingerprinting

• LAN Policies: WLAN and wired switching policies applied per role. E.g.: Guest SSID, QoS for PCI traffic
• Security Policies: Firewall and WebCC policies applied per role. E.g.: WebCC for Guest, PCI traffic isolation
• WAN Policies: Path steering policies applied per role. E.g.: Guest to Internet, PCI traffic to MPLS

38

User / Entity Centric Design Advantages

(diagram: a single vlan50 in the branch)

Role based access vs Traditional access:
• Policy denies intra-vlan communication (micro-segmentation) vs intra-vlan communication is allowed
• Continuous profiling vs VLAN is assigned only once (manually)
• Role assigned based on AAA & Profiling vs VLAN assigned based on physical port
• Faster new services deployment (ZTP) vs new services require new VLAN deployment
• All ports are secured vs ports are default-open, accidental access is possible
• Single DHCP scope per branch vs DHCP scope fragmented per vlan
• WAN policy is centrally defined by user, application and DPS vs WAN policy is defined by distributed routing

39

DYNAMIC SEGMENTATION, BRANCH-WIDE

PORT-BASED (Static)
• Camera port, Printer port, PoS port
• Manual configuration of ACLs, VLANs, QoS
• Hard to scale for device type and quantity across multiple sites

ROLE-BASED (Dynamic)
• Automate configurations with context
• PCI-compliant
• Flatten configurations at high scale based on user, device, app

40

Aruba SD-WAN solution components

Cloud management

Overlay SD-WAN fabric

Dynamic Path Selection

Role-based security and routing

Cloud Security Partners

41

Aruba Solution: Hardware

42

7000 Series Branch Gateways

- L4-L7 Firewall CC EAL4+
- Routing – Dynamic Path Selection
- WAN compression
- Web Filtering
- WAN QoS
- WAN PBR (Policy Based Routing)
- AAA Survivability
- Crypto Engine (IPsec VPN)
- Application visibility and analytics

43

Branch Gateway Portfolio (7005 / 7008 / 7010 / 7024 / 7030)

• Firewall throughput: 2Gbps / 2Gbps / 4Gbps / 4Gbps / 8Gbps
• Encryption throughput: 1.2Gbps / 1.2Gbps / 2.4Gbps / 2.4Gbps / 2.4Gbps
• GE ports: 4 / 8 / 16 / 24 / 8
• PoE support: can be PoE powered / 8 ports can provide PoE / 12 ports can provide PoE / 24 ports can provide PoE / No
• Concurrent IPsec tunnels: 512 / 512 / 1024 / 1024 / 1024
• Active firewall sessions: 16K / 16K / 32K / 32K / 64K

44

Headend / VPN Concentrator Portfolio (7205 / 7210 / 7220 / 7240)

• IPsec tunnels: 4096 / 16384 / 24576 / 32768
• Encryption throughput: 4.5Gbps / 5.9Gbps / 20Gbps / 30Gbps
• Firewall throughput: 12Gbps / 20Gbps / 40Gbps / 40Gbps
• GE ports: 4 (1G Combo) / 2 (1G Combo) / 2 (1G Combo) / 2 (1G Combo)
• SFP/SFP+: 2 10G SFP+ / 4 10G SFP+ / 4 10G SFP+ / 4 10G SFP+
• Redundant Power Supply/Fan: No / Yes / Yes / Yes

45

Thank you