EdgeConnect SD-WAN Reference Design
This section of the guide demonstrates how to design an EdgeConnect SD-WAN deployment based on the customer profile.
Table of contents
Component Selection
This section describes the components of a reference architecture using Aruba’s EdgeConnect SD-WAN solution.
Note: This reference architecture is based on the 9.1 release of Aruba Orchestrator and EdgeConnect SD-WAN gateways.
EdgeConnect Gateways
Follow the steps below to determine which gateway is appropriate at each location.
- Determine bandwidth requirements
- If asymmetric circuits are in place, use the higher number for bandwidth calculations.
- Determine fiber port, power supply, and HA requirements.
- Identify if advanced features are required, such as advanced security or Boost.
- Select the appliance that supports the requirements:
| Model | EC-10104 | EC-XS | EC-S-P | EC-M-H | EC-L-H | EC-XL-H |
|---|---|---|---|---|---|---|
| Typical Deployment | Small Branch / Home Office | Small Branch | Large Branch | Head Office/DC Large Hub | Data Center Large Hub | Data Center Large Hub |
| Typical WAN Bandwidth | 2-500 mbps | 2-1000 mbps | 10-3000 mbps | 50-5000 mbps | 2-10 gbps | 2-10 gbps |
| Simultaneous Connections | 256,000 | 256,000 | 256,000 | 2,000,000 | 2,000,000 | 2,000,000 |
| Recommended WAN Boost up to | 200 mbps | 250 mbps | 500 mbps | 1 gbps | 1 gbps | 5 gbps |
| Redundant / FRUs | No | No | SSD and Power (AC or DC) | SSD and Power | SSD and Power | SSD, NVMe, Power |
| Data Path Interfaces | 4 x RJ45 10/100/1000 | 4 x RJ45 10/100/1000 | 8 x RJ45 4 x 1/10G Optical | 8 x RJ45 4 x 1/10G Opitical | 6 x 1/10G Optical | 6 x 1/10/25G Optical |
Note: WAN bandwidth assumes bidirectional traffic (symmetric uplink and downlink). For total WAN throughput (Rx+Tx), multiple these numbers by 2.
Transceivers
EdgeConnect SD-WAN gateways have been certified to operate with the following transceivers. Use the table below to verify selected transceivers support physical connectivity.
| Transceiver SKU | Description |
|---|---|
| EC-SFP-SR | SFP+,1/10G, SR |
| EC-SFP-LR | SFP+,1/10G, LR |
| EC-SFP28-25G-SR | SFR28 Transceiver, 10/25G, SR |
| EC-SFP28-25G-LR | SFR28 Transceiver, 10/25G, LR |
Orchestrator Selection
The table below lists Orchestrator as a Service options.
| Orchestrator License - Term (n) is 1,2,3,4 or 5 years | Supported Number of Nodes |
|---|---|
| EC-ORCH-AAS-S-nY | Up to 50 Nodes |
| EC-ORCH-AAS-M-nY | 25-250 Nodes |
| EC-ORCH-AAS-L-nY | More than 200 Nodes |
Throughput Licensing
Each site must be licensed for the appropriate bandwidth.
To calculate the throughput licenses required for a given gateway, determine the total WAN bandwidth the gateway will use. For example, for a 100 mbps Internet circuit and a 20 mbps MPLS circuit, the total is 120 mbps. For asymmetric circuits, such as a 50 mbps download and 5 mbps upload Internet circuit, use the largest number for this calculation. Since cellular back-up is used as path-of-last-resort only, it is not used for throughput license calculation.
Note: When using EdgeHA or Traditional HA, devices must be licensed for all circuits.
The table below shows bandwidth tiers.
| EdgeConnect License | EdgeConnect Aggregate WAN Provisioned Bandwidth (mbps) | Description: Per EC Instance, Term (n) is 1,2,3,4 or 5 years |
|---|---|---|
| EC-BW-20-nY | 20 mbps | EC BW License, 20 mbps Bandwidth, n Years |
| EC-BW-50-nY | 50 mbps | EC BW License, 50 mbps Bandwidth, n Years |
| EC-BW-100-nY | 100 mbps | EC BW License, 100 mbps Bandwidth, n Years |
| EC-BW-200-nY | 200 mbps | EC BW License, 200 mbps Bandwidth, n Years |
| EC-BW-500-nY | 500 mbps | EC BW License, 500 mbps Bandwidth, n Years |
| EC-BW-1G-nY | 1 Gbps | EC BW License, 1 Gbps Bandwidth, n Years |
| EC-BW-2G-nY | 2 Gbps | EC BW License, 2 Gbps Bandwidth, n Years |
| EC-BW-UL-nY | Unlimited Bandwidth | EC BW License, Unlimited Bandwidth, n Years |
The table below summarizes which bandwidth tiers are supported on each device.
| EC-10104 (500 mbps) | EC-XS (1 gbps) | EC-S (2 gbps) | EC-M (5 gbps) | EC-L (5 gbps) | EC-XL (10 gbps) | EC-V (5 gbps) | |
|---|---|---|---|---|---|---|---|
| 20 mbps | X | X | X | X | X | X | X |
| 50 mbps | X | X | X | X | X | X | X |
| 100 mbps | X | X | X | X | X | X | X |
| 200 mbps | X | X | X | X | X | X | X |
| 500 mbps | X | X | X | X | X | X | X |
| 1 Gbps | X | X | X | X | X | X | |
| 2 Gbps | X | X | X | X | X | ||
| Unlimited | X | X | X | X | |||
| Boost | 200 mbps | 250 mbps | 500 mbps | 1 gbps | 1 gbps | 5 gbps | 1 gbps |
Boost Licensing
Boost, though not currently used in this design, is sold in blocks of 100 mbps and allocated to the gateways in 1kbps increments. To determine the amount of boost licensing required, follow the below steps:
- Determine the applications to accelerate.
- Determine the number of sites needed to accelerate the applications.
- Determine how much bandwidth the specific applications require to work optimally at each site.
- Purchase the total amount of boost to apply at the sites.
Advanced Security Licensing
The advanced security license provides IDS capabilities in EdgeConnect. The example design does not include this feature. To determine the advanced security licensing required, use the guidance below.
| License | (250 mbps) | (1 Gbps) | (2 Gbps) | (5 Gbps) | (5 Gbps) | (10 Gbps) | (5 Gbps) |
|---|---|---|---|---|---|---|---|
| Standard | X | X | X | X | |||
| Unlimited | X | X | X | X | X |
Note: Locations serving as a Data Center, Large Campus, Hub, or Network Gateway that require the Advanced Security License must have an Unlimited license.
Hub Design
The following components are selected to meet the hub requirements. Hubs are purchased in five-year terms.
Hardware
| Quantity | SKU | Consideration |
|---|---|---|
| 4 | EC-L-H (Recommended) | Two per hub. Provides high levels of hardware HA |
| EC-XL-H (Alternative) | Use if high levels of Boost are required or 25G connectivity to the LAN / WAN | |
| EC-M-H (Alternative) | Use if less bandwidth is needed | |
| 1 | EC-ORCH-AAS-L-5Y | Large is required for the future scaling |
| 12 | EC-SFP-SR (Recommended) | Customer currently has SR fiber plant |
| EC-SFP-LR (Alternate) |
Licenses
If planning to replace MPLS circuits with higher-speed internet circuits in the future, consider buying licensing based on future needs or purchasing licenses with shorter terms.
| Quantity | SKU | Consideration |
|---|---|---|
| 4 | EC-BW-100-5Y (Recommended) | Customer bandwidth above 2 Gbps at the hubs |
| EC-BW-2G-5Y (Alternate) | Can be used when customer has lower bandwidth needs | |
| EC-BW-1G-5Y (Alternate) | Can be used when customer has lower bandwidth needs | |
| EC-BW-500-5Y (Alternate) | Can be used when customer has lower bandwidth needs |
The following list summarizes the recommend hub design elements.
- Gateways are placed inline.
- WAN connections plug into the upstream WAN side switch and are then connected to gateways to allow for traditional HA. This requires additional IP space on the WAN transports.
- Gateways connect via L3 to the LAN, into a WAN aggregation block and peer OSPF.
- BGP adjacency is maintained with the MPLS provider to facilitate migration.
- Advertise a hub summary route and default route into the Subnet Sharing.
- All branches will leverage a template with peer priority to select a hub when the same route is presented from multiple hub gateways.
- Set high OSPF metric when redistributing from Subnet Sharing (WAN) to OSPF (LAN).
- Ensure traffic between the data centers uses the Data Center Interconnect (DCI). Adjust OSPF metric as needed to achieve this.
- When redistributing from Subnet Sharing (WAN) to OSPF (LAN), assign one gateway a higher metric to ensure flow symmetry.
Branch Design
Small Site Design
The following components were selected to meet small site requirements, purchased in five-year terms.
Hardware
| Quantity | SKU | Consideration |
|---|---|---|
| 1 | EC-10104 (Recommended) | Cost efficent for low bandwith / user count |
| EC-XS (Alternative) | Use if Advanced Security Featureset is desired or higher bandwidth |
Licenses
If planning to replace MPLS circuits with higher speed internet circuits in the future, consider buying licensing based on future needs or purchasing licenses with shorter terms.
| Quantity | SKU | Consideration |
|---|---|---|
| 1 | EC-BW-100-5Y (Recommended) | Based on customers current needs, with room for growth |
| EC-BW-200-5Y (Alternate) | Can be used when customer has different bandwidth needs | |
| EC-BW-50-5Y (Alternate) | Can be used when customer has different bandwidth needs | |
| EC-BW-20-5Y (Alternate) | Can be used when customer has different bandwidth needs |
The following list summarizes the recommend small site elements.
- Gateway is placed inline.
- Gateway is connected to switch via single L2 connection.
- Gateway acts as default gateway for any subnnets at branch.
Medium Site Design
The following components are selected to meet medium site requirements, purchased in five-year terms.
Hardware
| Quantity | SKU | Consideration |
|---|---|---|
| 2 | EC-10104 (Recommended) | Cost efficent for low bandwith / user count |
| EC-S-P (Alternative) | Use for higher bandwidths and more hardware HA |
Licenses
If planning to replace MPLS circuits with higher speed internet circuits in the future, consider buying licensing based on future needs or purchasing licenses with shorter terms.
| Quantity | SKU | Consideration |
|---|---|---|
| 1 | EC-BW-200-5Y (Recommended) | Based on customers current needs, with room for growth |
| EC-BW-100-5Y (Alternate) | Can be used when customer has different bandwidth needs | |
| EC-BW-500-5Y (Alternate) | Can be used when customer has different bandwidth needs | |
| EC-BW-1G-5Y (Alternate) | Can be used when customer has different bandwidth needs |
The following list summarizes the recommend medium site elements.
- Gateway is placed inline.
- EdgeHA is used for high availability.
- Gateway is connected to collapsed core via L3 link and peer OSPF.
- When redistributing from Subnet Sharing (WAN) to OSPF (LAN), assign one gateway a better metric to ensure flow symmetry.
- When redistributing from OSPF to Subnet Sharing, assign one gateway a better metric to ensure flow symmetry.
Large Site Design
The following components are selected to meet large site requirements, purchased in five-year terms.
Hardware
| Quantity | SKU | Consideration |
|---|---|---|
| 2 | EC-S-P (Recommended) | Cost efficent for low bandwith / user count |
| EC-M-P (Alternative) | Use for higher bandwidths |
Licenses
If planning to replace MPLS circuits with higher speed internet circuits in the future, consider buying licensing based on future needs or purchasing licenses with shorter terms.
| Quantity | SKU | Consideration |
|---|---|---|
| 1 | EC-BW-500-5Y (Recommended) | Based on current needs, with room for growth |
| EC-BW-200-5Y (Alternate) | Can be used when customer has different bandwidth needs | |
| EC-BW-1G-5Y (Alternate) | Can be used when customer has different bandwidth needs | |
| EC-BW-2G-5Y (Alternate) | Can be used when customer has different bandwidth needs |
The following list summarizes the recommend large site elements.
- Gateway is placed inline.
- EdgeHA is used for high availability.
- Gateway is connected to collapsed core via L3 link and peer OSPF.
- When redistributing from Subnet Sharing (WAN) to OSPF (LAN), assign one gateway a better metric to ensure flow symmetry.
- When redistributing from OSPF to Subnet Sharing, assign one gateway a better metric to ensure flow symmetry.
- LTE connection, which requires a third-party device to terminate the LTE with an ethernet handoff, is used as a path-of-last resort, forwarding traffic only if both circuits are down.
Overlay Design
The following list summarizes the recommend overlay design elements.
- Cloud firewall integration are used to tunnel specific to cloud filtering.
- EC-V is deployed in IaaS providers to facilitate better access to services hosted there.
- Zone-Based Firewalling is configured on the gateways to provide basic filtering of Internet traffic when cloud firewalling is not used.
The table below illustrates the BIO design elements. All traffic matches start with the default overlay ACL and are modified as necessary.
| BIO Name | Traffic Match | Topology | Link Bonding | Internet Egress |
|---|---|---|---|---|
| Real Time | Real-time communication applications | Mesh topology provides optimal traffic flows between branches | High Availability link bonding policy to provide 1:1 FEC to ensure no loss of voice / video traffic | Direct-to-net is primary, with hub fallback |
| Critical Apps | Business Critical internal apps, such as the inventory system, and SaaS apps such as Salesforce | Hub and spoke | High Quality | Cloud firewall is primary, with a fallback to the hubs which host a backup security stack |
| BulkApps | Large internal traffic flows, such as FTP and cloud-hosted file repositories | Hub and spoke | High Quality. Within the QOS policy ,this BIO is allowed only a certain percent of WAN bandwidth during times of congestion, ensuring that large flows do not saturate the WAN transports. | Direct-to-net is primary, with hub fallback, as these flows are large and must go direct to their destinations |
| Default | Match all other traffic, including guest | Hub and spoke | High Quality | Direct-to-net with a fallback of the data center, since guest traffic is critical to the business |