May 22, 2020
SD-Branch: Evolution of the Branch & SD-WAN
Stephan Lelleck, [email protected]
Challenges with Current Branch Architectures
WAN Side Challenges
• Limited capacity & long setup times for MPLS
• Lack of control and visibility into WAN traffic
• Complex management of the WAN and routing policy
• More SaaS traffic (O365, Box, SFDC, …) directed over Internet.
• Lack of security measures and controls to safeguard the network
LAN Side Challenges
• Complexity caused by increasing number of devices, VLAN proliferation
• End points going mobile
• Poor visibility into clients/devices
• Lack of authentication of clients/devices
• Lack of common policy for users connecting to network via wired or wireless
Operation Challenges
• Multiple management platforms, multiple operating models, multiple vendors; policy is distributed
Goal: Solve the Branch problem, not just the WAN
• Simple: drive simplicity and fewer boxes in the branch solution
• Common Policy and Management for Wired, WLAN and WAN
• Transport Independency: own your WAN policy
Traditional vs SD-Branch Policy

Traditional: static and fragmented, disaggregated policy definitions
• WLAN: VLAN, ACL, SUBNET
• LAN: VLAN, ACL, SUBNET
• FIREWALL: ZONE, TRUST, ACL
• ROUTER: VRF, VPN, SUBNET, ACL
• WAN OPT: THROTTLING, COMPRESSION

SD-Branch: software defined design
• Unified policy enforcement: LAN, WLAN, WAN, security
• Eliminate VLAN sprawl
• Centralized definitions for every branch
• Tunneled traffic
Aruba Solution Overview
Diagram: a branch with an Aruba 2930F switch (wired) and wireless access, a Branch Gateway (BG; 7000 series appliance, role-based profiling, vlan50) with uplink1 and uplink2 over MPLS and the Internet, wireless tunnel and wired tunnel; a Headend Gateway (VPNC; 7200 series appliance) in the Data Center and a Virtual Gateway in a public/private cloud; Customer Portal; Internet destination; steps 1 to 4.
Aruba Solution Components
Hardware
• Branch Gateways: Aruba 7000 Series
• Headend Gateways: Aruba 7200 Series
• Virtual Gateways: Aruba vGateway
Software
• AOS: Aruba OS
• Aruba Central: centralized cloud managed networking for wireless, wired & WAN. Available 2HCY18
Branch Gateways: Aruba 7000 Series
LAN
• L2 services, PoE
• LLDP
• DHCP
• NAT, 1:1 NAT
• AAA survivability
WAN
• Multiple WAN uplinks
• Load balancing
• IPsec VPN tunnels
• LTE fallback
• Policy aware application routing
• Direct Internet Access
• Dynamic Path Selection
Security
• Stateful firewall
• User based policies
• Web content filtering
• LAN segmentation
• Zscaler integration
Licenses
SD-WAN Solution Capabilities
• Zero Touch: Secure ZTP, Aruba Central
• Overlay Topology: IPsec VPN tunnels, hub-and-spoke
• Application Visibility: DPI/AppRF, WAN links
• Gateway Monitoring: device, WAN, tunnels, routes, alerts, DHCP
• Secure Branch: stateful firewall, ClearPass integration, Web CC, Zscaler
• WAN Flexibility: multiple WAN uplinks, QoS
• Application Path Steering: policy aware application routing, Dynamic Path Selection
• Ease of Management: group based configuration, Central firmware management
• LAN Services: VLANs, DHCP, NAT, QoS
Aruba Distributed Architectures
Diagram: Enterprise DC connected to SD-WAN branches, MicroBranch sites (IAP-VPN) and users on the road (VIA).
Onboarding and management
ZTP for Secure and Fast Branch Deployments
• Complete Trust: secure onboarding with embedded TPM chip on all Aruba devices
• Zero Touch: ease of use, zero touch to provision remote branches
• Scale: create bulk policy templates to push to branches, plus REST API
Mobile Installer App
• Installer selects site and scans devices
• Installer gets status of device onboarding
• Admin gains central visibility into onboarding
• Location awareness seeded into onboarding
NOC Dashboard
• Monitoring via two approaches
  • Metrics and stats that are passively collected
  • Metrics and stats that are actively collected from synthetic transactions
• Results delivered in three ways
  • Via APIs and API based notifications
  • Via exportable reports
  • Via the Central dashboards
Site Health Dashboard
• System Health Indicators: devices disconnected, CPU utilization, memory utilization
• RF Health Indicators: channel utilization (5/2.4 GHz), noise floor (5/2.4 GHz)
• Client Health Indicators: client health score, connectivity health score
• WAN Health Indicators: network latency, loss, bandwidth
Hierarchical Management
1. Apply configurations on a group basis
2. Overrides on a per-device basis (bulk-edit possible)
3. Monitoring based on labels
Routing Policies
Setting up the overlay
1. Establish VPN tunnels (IPsec)
2. Advertise branch routes: branch subnets (Subnet A, Subnet B) are advertised upstream via cfgset (IKE ext) and redistributed; corp routes point to the tunnel
3. Start sending traffic: corp data traffic and Internet traffic
Multiple uplinks
Diagram: branches with xDSL and MPLS uplinks to the Data Center; equal cost routes via both tunnels.
Hub & Spoke Routing
• DC A: redistribute into OSPF with cost 10; corp routes to DC A – cost 10
• DC B: redistribute into OSPF with cost 20; corp routes to DC B – cost 20
• Branch subnets (Subnet A, Subnet B) advertised upstream via cfgset to both DCs
Path Quality Monitoring
Path Quality Monitoring: How it looks today…
– ICMP probes measure latency and packet loss
– UDP probes (UDP 4500) measure latency, packet loss and jitter; MOS is derived from these values
– Probes can be sent through the underlay or through the overlay
Diagram: branch with ADSL and MPLS uplinks, IPsec overlay, UDP probes and ICMP probes.
Evolution
– Global ICMP responder service in ACP (Aruba Central)
– HTTPS probes to SaaS
– Leverage FW capabilities for passive monitoring
– Passive monitoring: delay/latency, jitter, MOS
Diagram: branch with ADSL and MPLS uplinks, IPsec overlay, UDP probes, ICMP probes and HTTPS probes.
Putting it all together…
A day in the life of an SD-WAN packet
Diagram: Enterprise DC with Headend Gateway and Virtual Gateway; SD-WAN overlay across MPLS, INET and LTE.

Path Metric
Link    Latency   Jitter   Loss   Util
MPLS    4ms       5        1%     30%
INET1   30ms      25       4%     60%
LTE     45ms      10       20%    5%

Path Mon Policy
Name    Policy
Voice   Latency < 10ms & Jitter < 10 & Loss < 2% & Util < 70%
SAP     Latency < 50ms & Loss < 50% & Util < 90%
Guest   Util < 95%
A day in the life of an SD-WAN packet (continued, link metrics changed)
Diagram: Enterprise DC with Headend Gateway and Virtual Gateway; SD-WAN overlay across MPLS, INET and LTE.

Path Metric
Link    Latency   Jitter   Loss   Util
MPLS    200ms     5        50%    30%
INET1   10ms      5        4%     60%
LTE     45ms      10       20%    5%
Dynamic Path Selection
1. Role + Application: per user role, classify important applications, e.g. Employee Business Critical, Voice, Best-Effort, Guest
2. SLA: configure SLA parameters (delay, jitter, loss) per user & application category
3. Path Preference: configure path preference and fall-back options (MPLS, Internet, 4G/LTE) per application category
Diagram label: Basic WAN
DPS Monitoring
Is the WAN link compliant with the application SLA?
• View compliance per WAN link
• Highlight violations with specific reasons
Is the policy honoring path preference?
• View session distribution across active links
Is DPS kicking in when there are WAN link SLA violations?
• Quickly identify session movement between WAN links
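The path metric and policy tables above, and the DPS monitoring questions, as an added Python example that is not part of the deck: it evaluates each link against the Voice/SAP/Guest SLA thresholds, reports violations with reasons, picks a path, and detects session movement when the link metrics change. The per-category preference order and fall-back links (PREFERENCE, FALLBACK) are assumptions, not values from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkMetrics:
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    util_pct: float


# SLA policies from the slides; every threshold is a strict upper bound ("Latency < 10ms").
POLICIES = {
    "Voice": {"latency_ms": 10, "jitter_ms": 10, "loss_pct": 2, "util_pct": 70},
    "SAP":   {"latency_ms": 50, "loss_pct": 50, "util_pct": 90},
    "Guest": {"util_pct": 95},
}

# Assumed per-category path preference and fall-back link (not given in the deck).
PREFERENCE = {"Voice": ["MPLS", "INET1", "LTE"],
              "SAP":   ["MPLS", "INET1", "LTE"],
              "Guest": ["INET1", "LTE", "MPLS"]}
FALLBACK = {"Voice": "INET1", "SAP": "INET1", "Guest": "LTE"}

# Constructed link metrics mirroring the two table states shown in the slides.
HEALTHY = {"MPLS": LinkMetrics(4, 5, 1, 30), "INET1": LinkMetrics(30, 25, 4, 60),
           "LTE": LinkMetrics(45, 10, 20, 5)}
DEGRADED = {"MPLS": LinkMetrics(200, 5, 50, 30), "INET1": LinkMetrics(10, 5, 4, 60),
            "LTE": LinkMetrics(45, 10, 20, 5)}


def violations(app, m):
    """SLA violation reasons for one link (an empty list means the link is compliant)."""
    return [f"{k}={getattr(m, k)} not < {lim}" for k, lim in POLICIES[app].items()
            if getattr(m, k) >= lim]


def select_path(app, links):
    """First SLA-compliant link in preference order, else the configured fall-back link."""
    for name in PREFERENCE[app]:
        if not violations(app, links[name]):
            return name
    return FALLBACK[app]


def session_moves(before, after):
    """Applications whose sessions move between WAN links after a metric change: {app: (old, new)}."""
    moves = {}
    for app in POLICIES:
        old, new = select_path(app, before), select_path(app, after)
        if old != new:
            moves[app] = (old, new)
    return moves


if __name__ == "__main__":
    for app in POLICIES:
        print(app, "->", select_path(app, HEALTHY), "| after degradation:", select_path(app, DEGRADED))
    print("Voice on degraded INET1:", violations("Voice", DEGRADED["INET1"]))
```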
Topology
• Tree and planetary view
• Health status
• Hover info
• VLAN overlays
Security
Security and hardening
• CC EAL4+ integrated firewall
• Guest traffic completely isolated from corporate network
• DPI engine with 2500+ applications (plus custom apps)
• WebCC for content and reputation filtering
Diagram: Internet and MPLS uplinks with content and reputation filter.
User Centric Policies
1. Device associates to initial role
2. ClearPass profiles device
3. ClearPass places device in its role
4. Every frame goes through the firewall, including inter-VLAN traffic; hence only a single VLAN is needed.
Integration with Cloud Security
• Tunnel Internet bound traffic to the Cloud Security vendor
• Role-based profiling with stateful firewall on the Branch Gateway; only Internet flows are steered to the Cloud Security vendor
• Selected Internet bound flows, based on configured policy, are tunneled to the Cloud Security provider
Diagram: Branch Gateway ("Internet Access"), Enterprise DC Gateway, Cloud Gateway, Customer Portal, Internet.
Role Based Policies for LAN, Security, WAN
Diagram: branch office with printer, desktop, camera, laptop and smartphone connected via access switch and access point to the Branch Gateway, with MPLS and Internet uplinks. Context used for roles: users, devices, WAN state, app fingerprinting.
• LAN Policies: WLAN and wired switching policies applied per role. E.g.: Guest SSID, QoS for PCI traffic
• Security Policies: firewall and WebCC policies applied per role. E.g.: WebCC for Guest, PCI traffic isolation
• WAN Policies: path steering policies applied per role. E.g.: Guest to Internet, PCI traffic to MPLS
User / Entity Centric Design Advantages

Role based access                                            | Traditional access
Policy denies intra-VLAN communication (micro-segmentation)  | Intra-VLAN communication is allowed
Continuous profiling                                         | VLAN is assigned only once (manually)
Role assigned based on AAA & profiling                       | VLAN assigned based on physical port
Faster new services deployment (ZTP)                         | New services require new VLAN deployment
All ports are secured                                        | Ports are default-open, accidental access is possible
Single DHCP scope per branch                                 | DHCP scope fragmented per VLAN
WAN policy is centrally defined by user, application and DPS | WAN policy is defined by distributed routing
DYNAMIC SEGMENTATION, BRANCH-WIDE

Port-based (static)
• Camera port, printer port, PoS port
• Manual configuration of ACLs, VLANs, QoS
• Hard to scale for device type and quantity across multiple sites

Role-based (dynamic)
• Automate configurations with context
• PCI-compliant
• Flatten configurations at high scale based on user, device, app
Aruba SD-WAN solution components
Cloud management
Overlay SD-WAN fabric
Dynamic Path Selection
Role-based security and routing
Cloud Security Partners
Aruba Solution: Hardware
7000 Series Branch Gateways
- L4-L7 Firewall CC EAL4+
- Routing – Dynamic Path Selection
- WAN compression
- Web filtering
- WAN QoS
- WAN PBR (Policy Based Routing)
- AAA survivability
- Crypto engine (IPsec VPN)
- Application visibility and analytics
Branch Gateway Portfolio

Features                   7005                 7008                      7010                       7024                       7030
Firewall throughput        2Gbps                2Gbps                     4Gbps                      4Gbps                      8Gbps
Encryption throughput      1.2Gbps              1.2Gbps                   2.4Gbps                    2.4Gbps                    2.4Gbps
GE ports                   4                    8                         16                         24                         8
PoE support                Can be PoE powered   8 ports can provide PoE   12 ports can provide PoE   24 ports can provide PoE   No
Concurrent IPsec tunnels   512                  512                       1024                       1024                       1024
Active firewall sessions   16K                  16K                       32K                        32K                        64K
Headend / VPN Concentrator Portfolio

Features                     7205           7210           7220           7240
IPsec tunnels                4096           16384          24576          32768
Encryption throughput        4.5Gbps        5.9Gbps        20Gbps         30Gbps
Firewall throughput          12Gbps         20Gbps         40Gbps         40Gbps
GE ports                     4 (1G Combo)   2 (1G Combo)   2 (1G Combo)   2 (1G Combo)
SFP/SFP+                     2 10G SFP+     4 10G SFP+     4 10G SFP+     4 10G SFP+
Redundant power supply/fan   No             Yes            Yes            Yes
Thank you