Link Search Menu Expand Document
calendar_month 07-Mar-24

Reference Customer

To fully illustrate the application of the Aruba ESP architecture, the Validated Solution Guide (VSG) series describes a fictional customer named Orange Widget Logistics (OWL).

This section provides an overview of OWL, the network topologies used within the organization, and how specific business requirements are addressed using the Aruba ESP.

Table of contents


OWL is a supplier of best-in-class widgets and is growing at a break-neck pace. OWL started in Roseville, CA, and has a headquarters campus location there. Attached to this campus is a data center that hosts on-premise applications needed across the organization. OWL has a newer, second campus in the Seattle, WA, area. As widget popularity spread across the US, remote branch locations were opened to serve more customers locally.

The following topology depicts this site plan and connectivity. These sites are referenced throughout the VSG when describing the design and implementation of ESP solutions.

High Level Topology

Note: For illustration purposes, a small subset of branches is shown. Aruba SD-WAN solutions scale to thousands of branch locations.


This section describes OWL’s defined business and technical requirements at the architectural level. More specific engineering level requirements are described in the Design and Deploy volumes of the VSG.

OWL is experiencing 10% annual growth in business, creating the need to continue to expand and innovate the network architecture. Business and technical requirements guiding the decision making process are outlined below.

Business Requirements

  • Reduce WAN costs.
  • Provide secure and efficient access to cloud resources.
  • Increase the pace at which small campuses and branches can be deployed.
  • Extract business insights from the network.
  • Bolster security across the entire network to prevent breaches.
  • Remediate network issues faster to ensure a great customer experience.

Technical Requirements

  • An SD-WAN solution to take advantage of commodity internet circuits and enhance the performance of SaaS and IaaS applications.
  • A zero-touch/one-touch deployment method for LAN, WLAN, and SD-WAN infrastructure that reliably provides “day two” visibility.
  • Robust and granular identity-based network segmentation that provides a Zero Trust solution across the organization.
  • Network management tools providing AI-derived insights to expedite the identification and correlation of operational issues within the network.

High Level Design

This section describes how the business and technical requirements are met by applying the ESP architecture to the OWL network. The Aruba VSG Design volumes provide additional detail regarding these designs.


The ESP campus is built on Aruba AOS-CX switches, AOS-10 APs and Gateways, and Aruba Central to provide a highly available and robust network infrastructure. The ESP Campus Design VSG provides a complete description of the solution.

OWL’s Roseville main headquarters campus is designed as a traditional 3-tier topology with most data traffic carried within VLANs. Select wireless and wired traffic is tunneled within GRE to a gateway cluster for centralized policy enforcement. Most wired traffic and some wireless traffic is bridged locally at the ingress switch port.

This design uses Layer 2 access with routed links between the aggregation and core switches.

VLANs, VRFs and ACLs are used to achieve segmentation of most traffic.

Roseville Campus

Traditional Campus

The Seattle campus is built using Aruba Central NetConductor (ACN), a group of workflow based configuration automation tools running on Aruba Central. ACN builds an all-routed underlay with an EVPN-XVLAN overlay fabric.

Wireless SSIDs are tunneled to a gateway cluster which connects into the fabric using VXLAN. Within the EVPN fabric, Aruba enforces Group Based Policy (GBP) based on a field value in the VXLAN header. This role-based enforcement mechanism enables accurate propagation and enforcement of policy across the campus and over the WAN.

The network configured using ACN enables true “business intent” communication without relying on traditional networking constructs such as manually provisioned VLANs and IP-based ACLs.

Seattle Campus

Modern Campus

Data Center

The OWL on-premise data center is attached to the Roseville headquarters campus. It is designed as a spine-and-leaf topology built using Aruba AOS-CX switches and Aruba Fabric Composer (AFC), an automation tool that configures an EVPN-XVLAN overlay fabric on top of an all Layer 3 underlay.

AFC also provides integrations with host virtualization tools for extended network configuration and visibility.

The OWL data center includes Aruba CX 10000 switches configured by both AFC and the Pensando Policy and Services Manager (PSM) to provide hardware-based firewall services within the data center racks.

For more detail on the data center design, refer to the ESP Data Center Design guide.

Modern Data Center

Branch and WAN

Branch expansion is a key goal for OWL to grow its business. The Aruba EdgeConnect Enterprise solution is composed of EdgeConnect appliances and Aruba Orchestrator to enable business intelligence in the WAN transport layer. The Aruba EdgeConnect SD- Branch solution uses the same Aruba AOS-10 Gateway, AP, and CX switching products used at the OWL headquarters, managed by Aruba Central to provide a consistent user experience from headquarters to the branch.

Details of the Branch and WAN design are covered in the ESP SD-WAN & Branch Design guide.

Edge Connect SD-WAN


To ensure a consistent user experience while preserving the security of digital infrastructure and information, OWL is moving toward a Zero Trust network access model.

Aruba ESP delivers Zero Trust by enabling consistent policy enforcement anywhere in the network. Aruba ClearPass provides sophisticated policy creation and management tools as well as user database integrations to enable streamlined development of consistent policy that aligns with business requirements.

Aruba Gateways, APs, and switches employ advanced policy enforcement capabilities employing multiple layers of authentication, profiling, and additional sources of policy information to provide the same user experience anywhere in the organization.

Role Based Segmentation

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.