Central 101: Deep Dive into Network Architectures with SD-Branch
Agenda
– SD-WAN 1.2: Solution components (reminder…)
– Public Cloud: Single VPC/VNET, Multi-VPC, Orchestration
– SD-WAN 1.5: Underlay routing, Tunnel Orchestration, Route Orchestration, Transition
SD-Branch Solution components
1. Cloud Management Platform
2. Cloud managed branch infrastructure** (Dynamic Segmentation!!)
3. (optional) Headend gateways
4. (optional) Virtual Gateways (cloud)
5. (optional) ClearPass
6. (optional) Cape Service Assurance
** Subset of network infrastructure is completely supported
Setting up the overlay
1. Establish VPN tunnels: IPsec from the branch to the headend. Corp data traffic is carried over the tunnel; Internet traffic is shown as a separate path.
2. Advertise branch routes: the branch subnets (Subnet A, Subnet B) are advertised as part of the IKE negotiation; the headend redistributes the branch subnets, and the corp routes at the branch point to the tunnel.
3. Start sending traffic.
WAN Policies
1. Specify ‘interesting’ traffic
2. Choose SLA parameters to measure WAN performance
3. Configure path preference parameters
Load Balancing (split-tunnel)
Branch with two uplinks (ADSL and MPLS) to the Data Center: equal-cost routes pointing to both interfaces (same cost).
Full-Tunnel
Branch with two uplinks (ADSL and MPLS) to the Data Center: a next-hop list containing both tunnels (same priority).
Multiple hubs
– DC A redistributes the branch subnets (Subnet A, Subnet B) into OSPF with cost 10; DC B redistributes them with cost 20.
– At the branch, corp routes to DC A carry cost 10 and corp routes to DC B carry cost 20.
– Branch subnets are advertised upstream to both DCs.
SD-Branch Architectures (1.2)
– Transport-Independent WAN
– Secure-first Branch Network
– Cloud-based Management & Services
– Micro-Branch with IAP-VPN
– On the road (VIA)
Branch to Cloud Connectivity: AWS managed VPN service. Why do we need a vGW?
– Restrictive: 10 VPN connections per VGW, one SA per tunnel
– Charged per hour: $72 per month for a pair of tunnels
– Hard to manage at scale, no policy-based routing
– Inconsistent architecture for different types: Direct Connect underlay and overlay-based VPN
Aruba Virtual Gateway with Full Orchestration
[Diagram: branches reach the VPC over Internet and MPLS (SD-WAN), headquarters over Direct Connect; inside the VPC the Aruba Virtual GW sits alongside the VGW and IGW with the VPC subnets behind it]
– Increased VPN scale (1600 tunnels on the VGW-500 SKU)
– Supports Reverse Path Pinning, allowing LB/DPS in the branch
– Dynamic routing: BGP to routers in AWS
– Integrates with RO/TO for SD-WAN communications
Networking with single VPC
– Region: Oregon
– VPC: aruba-sdbranch
– AZ: ¡3 per region
– Internet GW: resource to connect to the Internet
– VPN GW: resource to establish Direct Connect with your DC
– Route table attached to subnets (the same route table can be re-used)
– Elastic IP: maps a public IP address to an internal resource
– …
– NAT GW, peering connections, security groups, encryption keys…
[Diagram: DC and branches reach the VPC (two subnets) over Internet and MPLS]
Networking with multiple VPCs (i)
– Region: Oregon
– Transit VPC: aruba-sdbranch
– Peering with CSRs/VSRs
[Diagram: branches over Internet and MPLS terminate in a Transit VPC, which peers with the other VPCs]
Networking with multiple VPCs (ii)
– Region: Oregon
– Transit Gateway: aruba-sdbranch
– Advertise routes via BGP to the Transit Gateway
[Diagram: branches over Internet and MPLS terminate in an Edge VPC, which attaches to the Transit Gateway serving the other VPCs]
What does the Orchestration App do? New to the SD-WAN product family
Aruba Central Orchestration App:
– Licensing
– Dual Gateway (across AZ)
– Deployment
– Health Monitoring
– ZTP
– Orchestration of Virtual Gateways
Orchestrated vGW bringup
[Diagram: VPC with two subnets, a VPN Gateway and an Internet gateway; the Aruba vGW attaches on Ge 0/0/0, Ge 0/0/1 and Ge 0/0/2 to INET (vlan 4094), VPN (vlan 4093) and LAN (vlan 4092); Central drives the bringup through the AWS API]
Needs:
• 3rd party ARN token
• /24 subnet for interconnects (8 × /27s)
Provides:
• AMI bringup
• 8 × ENIs
• Elastic IP
• Subnet routing table pointing to the vGW
• HA (cont…)
Orchestrated HA
[Diagram: VPC spanning two Availability Zones with subnets in each, an Internet gateway and a VPN Gateway; the orchestration control channel reaches both gateways through the AWS API]
Underlay only branch: BGW as managed Gateway/firewall
Underlay Only!!! Session view coming in 2.4.9 (May/June)
[Diagram: BG running OSPF/BGP toward MPLS and source NAT (SrcNAT) toward the Internet]
SaaS Express: SD-WAN doesn’t necessarily require traffic to be tunneled…
– Best path for dual ISP at branch: the branch office (MPLS, INET and 4G uplinks, ISP1 and ISP2) measures loss/latency on each ISP and uses the best-performing local exit rather than the Regional Hub.
– Best path between local exit and hub exit: the remote site compares its local ISP exits (ISP1, ISP2) against the exit via the Regional Hub over SD-WAN, again on loss/latency, and uses the best-performing one.
Underlay Routing: Headend
Mechanisms
– OSPF
  – Auto-Cost
  – E1/E2 Routes
– BGP (use with caution)
  – Local-Pref
  – Auto-Cost (MED)
  – AS-Path Prepend
  – Route Maps
  – Communities
[Diagram: DC-1, DC-2 and a network “somewhere else” exchanging routes, with BGP options applied at each DC and SD-WAN branches below]
SD-WAN Orchestration
Tunnel Orchestration
Application → Topology Policy → Overlay Tunnel Orchestrator
[Diagram: private circuits ACME_MPLS and TURBO_MPLS at the branches and at DC-1 and DC-2]
Resulting tunnel table (excerpt):
SRC    DST           TYPE   Tag     Cost
BG-1   DC-1-VPNC-1   MPLS   ACME    10
BG-1   DC-1-VPNC-2   MPLS   ACME    20
BG-1   DC-2-VPNC-1   MPLS   TURBO   30
…
Overlay Tunnel Orchestrator: Configuration
– Headend Gateways: configure WAN
– Branch Gateways: set DC preference
Overlay Tunnel Orchestrator: Tunnel Monitoring (i)
Overlay Tunnel Orchestrator: Tunnel Monitoring (ii)
Overlay Route Orchestrator: Building blocks
– Overlay Agent
– Communication (control channel)
– Orchestration Service Architecture
[Diagram: BGP and OSPF domains at the hubs, overlay routing between them and the branches over the control channel]
Route Orchestration
Application → Route Policy → Overlay Route Orchestrator
How does it work?
[Diagram: a DC running OSPF and a Regional DC running BGP, both attached to the overlay; branch gateways below]
Routes known to the orchestrator:
GW      Network
R-DC    10.96.0.0/16
DC-1    10.10.0.0/16
        10.20.0.0/12
        …
C-DC    10.127.0.0/16
BG-1    10.1.1.0/24
        10.1.2.0/24
BG-2    10.2.1.0/24
BG-3    10.3.1.0/24
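The tunnel table on the Tunnel Orchestration slide and the route table above are the outputs of the two orchestrators. The following Python model is an added example, not Aruba code, that reproduces both steps on a constructed topology: a branch uplink and a hub VPNC form a private-circuit tunnel only when both carry the same circuit tag (ACME with ACME, TURBO with TURBO; an assumed rule), tunnel costs are handed out 10, 20, 30 in order of DC preference and VPNC, and the branch installs each overlay prefix via its cheapest live tunnel, re-selecting when a tunnel fails. Gateway names and prefixes are taken from the slides; the wiring between them, and which VPNC advertises which prefix, is constructed.

```python
"""Toy model of the Overlay Tunnel Orchestrator and Overlay Route Orchestrator.

Added example, not Aruba/HPE code. Assumptions (constructed): a branch uplink and
a hub VPNC can form a private-circuit tunnel only when both carry the same circuit
tag; tunnel costs are 10, 20, 30 ... in order of DC preference, then VPNC; the
branch installs each overlay prefix via its cheapest live tunnel.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Tunnel:
    src: str    # branch gateway
    dst: str    # hub VPNC
    type: str   # "MPLS" (private circuit) or "INET"
    tag: str    # private-circuit tag, "" for Internet
    cost: int   # lower is preferred


def orchestrate_tunnels(branch, branch_circuits, dc_preference, hubs):
    """Build the tunnel table for one branch gateway.

    branch_circuits: [(type, tag), ...] uplinks on the branch gateway
    dc_preference:   ordered list of DCs, most preferred first
    hubs:            {dc: {vpnc: [(type, tag), ...]}}
    """
    tunnels = []
    cost = 0
    for dc in dc_preference:
        for vpnc, hub_circuits in hubs[dc].items():
            for btype, btag in branch_circuits:
                for htype, htag in hub_circuits:
                    same_circuit = btype == htype == "MPLS" and btag == htag
                    both_internet = btype == htype == "INET"
                    if same_circuit or both_internet:
                        cost += 10
                        tunnels.append(Tunnel(branch, vpnc, btype, btag, cost))
    return tunnels


def orchestrate_routes(tunnels, advertised, down=frozenset()):
    """Return {prefix: next-hop VPNC}, choosing the cheapest live tunnel per prefix.

    advertised: {vpnc: [prefix, ...]} prefixes each hub VPNC pushes to the branch
    down:       VPNC names whose tunnels are currently failed
    """
    live = sorted((t for t in tunnels if t.dst not in down), key=lambda t: t.cost)
    routes = {}
    for t in live:
        for prefix in advertised.get(t.dst, []):
            routes.setdefault(ip_network(prefix), t.dst)  # first seen = cheapest
    return routes


def next_hop(routes, dst_ip):
    """Longest-prefix match; None means no overlay route (traffic stays in the underlay)."""
    ip = ip_address(dst_ip)
    matches = [p for p in routes if ip in p]
    if not matches:
        return None
    return routes[max(matches, key=lambda p: p.prefixlen)]


# Constructed sample topology; names and prefixes come from the slides, wiring is assumed.
HUBS = {
    "DC-1": {"DC-1-VPNC-1": [("MPLS", "ACME")], "DC-1-VPNC-2": [("MPLS", "ACME")]},
    "DC-2": {"DC-2-VPNC-1": [("MPLS", "TURBO")]},
}
ADVERTISED = {
    "DC-1-VPNC-1": ["10.10.0.0/16"],
    "DC-1-VPNC-2": ["10.10.0.0/16"],
    "DC-2-VPNC-1": ["10.10.0.0/16", "10.127.0.0/16"],   # DC-2 also reaches DC-1's prefix
}
BG1_CIRCUITS = [("MPLS", "ACME"), ("MPLS", "TURBO")]


def demo(down=frozenset()):
    """Run both orchestrators for BG-1; returns (tunnel table, installed routes)."""
    tunnels = orchestrate_tunnels("BG-1", BG1_CIRCUITS, ["DC-1", "DC-2"], HUBS)
    routes = orchestrate_routes(tunnels, ADVERTISED, down)
    return tunnels, routes


if __name__ == "__main__":
    tunnels, routes = demo()
    for t in tunnels:
        print(f"{t.src} -> {t.dst} {t.type} {t.tag} cost {t.cost}")
    print("10.10.5.5 via", next_hop(routes, "10.10.5.5"))
    _, routes = demo(down={"DC-1-VPNC-1", "DC-1-VPNC-2"})
    print("10.10.5.5 via", next_hop(routes, "10.10.5.5"), "(after DC-1 failure)")
```

With the constructed inputs the tunnel table comes out exactly as on the slide (DC-1-VPNC-1 at 10, DC-1-VPNC-2 at 20, DC-2-VPNC-1 at 30), and the route step shows the point of the cost ordering: 10.10.0.0/16 is reached via DC-1-VPNC-1 while that tunnel is up, via DC-1-VPNC-2 when it fails, and only via DC-2 when the whole preferred DC is gone.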
Overlay Route Orchestrator: Configuration
– Redistribute from Overlay
– Redistribute into Overlay
Overlay Route Orchestrator: Route Monitoring (i)
Overlay Route Orchestrator: Route Monitoring (ii)
How to use it?
Multiple Active Hubs: OSPF
1. BG-1 prefers DC-1
2. BG-2 prefers DC-2
3. Auto-Propagate OSPF Cost
[Diagram: DC-1 and DC-2 both redistribute with Cost Auto; the network “somewhere else” sees each branch at cost 10 via the DC that branch prefers and at cost 20 via the other DC]
Multiple Active Hubs: BGP (i)
1. BG-1 prefers DC-1
2. BG-2 prefers DC-2
3. Auto-Propagate cost (MED)
[Diagram: DC-1 and DC-2 both redistribute with Cost Auto; the network “somewhere else” sees each branch with MED 10 via the DC that branch prefers and MED 20 via the other DC]
Multiple Active Hubs: BGP (ii)
1. BG-1 prefers DC-1
2. BG-2 prefers DC-2
3. Route Maps + AS-Path Prepend/MED/Community
[Diagram: BGP options applied at DC-1, DC-2 and the network “somewhere else”, producing the same cost 10 / cost 20 split per branch as the auto-propagate case]
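The three slides above all aim at the same property: the DC a branch prefers outbound is also the DC the rest of the network uses for the return path. The following Python model is an added example, not Aruba code, of why Auto-Propagate cost matters. It assumes (constructed) that each DC redistributes a branch's prefixes with a value mirroring the branch's own DC preference, 10 toward the preferred DC and 20 toward the other; with OSPF that value is the cost, with BGP the MED, and in both cases lower wins. It then checks every branch prefix for asymmetric forward/return paths, once with auto-propagated costs and once with a single static redistribution cost. Branch prefixes are the ones from the deck's route table; the preferences are the ones on the slides.

```python
"""Toy model of 'Auto-Propagate cost' with multiple active hubs.

Added example, not Aruba/HPE code. Assumption (constructed): each DC redistributes
a branch's prefixes with a value that mirrors the branch's DC preference (10 toward
its preferred DC, 20 toward the other). A router 'somewhere else' that learns every
prefix from every DC then returns traffic through the DC the branch uses outbound.
"""

# Constructed sample: prefixes from the deck's route table, preferences from the slides.
BRANCHES = {
    "BG-1": {"prefixes": ["10.1.1.0/24", "10.1.2.0/24"], "dc_preference": ["DC-1", "DC-2"]},
    "BG-2": {"prefixes": ["10.2.1.0/24"], "dc_preference": ["DC-2", "DC-1"]},
}
DCS = ["DC-1", "DC-2"]


def auto_propagated_costs(branches, dcs):
    """{dc: {prefix: cost}} as each DC redistributes with Cost Auto (OSPF cost or BGP MED)."""
    table = {dc: {} for dc in dcs}
    for info in branches.values():
        for rank, dc in enumerate(info["dc_preference"]):
            for prefix in info["prefixes"]:
                table[dc][prefix] = 10 * (rank + 1)   # 10 = preferred DC, 20 = the other
    return table


def static_costs(branches, dcs, cost=10):
    """Same table when every DC redistributes with one fixed cost (no auto-propagate)."""
    prefixes = [p for info in branches.values() for p in info["prefixes"]]
    return {dc: {p: cost for p in prefixes} for dc in dcs}


def upstream_choice(table, prefix):
    """DC picked by a router 'somewhere else'; on a tie the first DC listed wins."""
    candidates = {dc: costs[prefix] for dc, costs in table.items() if prefix in costs}
    return min(candidates, key=candidates.get)


def asymmetric_flows(branches, table):
    """(branch, prefix, outbound DC, return DC) for every prefix whose return path differs."""
    problems = []
    for bg, info in branches.items():
        outbound = info["dc_preference"][0]
        for prefix in info["prefixes"]:
            back = upstream_choice(table, prefix)
            if back != outbound:
                problems.append((bg, prefix, outbound, back))
    return problems


if __name__ == "__main__":
    print("auto-propagate:", asymmetric_flows(BRANCHES, auto_propagated_costs(BRANCHES, DCS)))
    print("static cost:   ", asymmetric_flows(BRANCHES, static_costs(BRANCHES, DCS)))
```

With auto-propagated costs the list of asymmetric flows is empty. With one static cost the upstream tie-break sends BG-2's return traffic through DC-1 while BG-2 sends outbound via DC-2, which is exactly the kind of asymmetric path that a stateful firewall or session-aware gateway at the DC will drop; the same check can be run on a redistribution table exported from a real deployment before cutting a branch over.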
Branch to branch traffic: Hub&Spoke… Which hub?
1. Regional DC primary for its region
2. Aggregate routes in the DC (recommended anyway)
3. Allow branch-to-branch?
[Diagram: a DC running OSPF and a Regional DC running BGP as hubs, BG-1 and BG-2 as spokes]
Transition
Hybrid SD-WAN: Underlay + Overlay
[Diagram: DC with BGP options; BG-1 and BG-2 run OSPF/BGP over both Internet and MPLS while also using the overlay]
• This is NOT a supported architecture.
• You’ll just get into trouble (routing loops). Do not do it.
• If you do it, you’re on your own.
Correct transition
[Diagram: DC with BGP options; BG-1 and BG-2 over Internet and MPLS with OSPF/BGP]
– Migrated branches: Overlay
– Pending branches: Underlay
Summary…
SD-Branch Architectures (1.5)
– Transport-Independent WAN Overlay
– Route/Tunnel Orchestrator
[Diagram: branch profiles, each with an Employee VLAN and a Guest VLAN: Micro Branch (Uplink Backup, VC), Small Branch (two uplinks), Medium Branch (two uplinks), Large Branch (two uplinks, Dynamic Routing); further labels: SD-WAN Overlay, Multiple active hubs; setup per profile labelled Manual / Manual / Manual/Orch / Orch]
Thank you