EdgeConnect SD-Branch Reference Design
This section of the guide demonstrates how to design an EdgeConnect SD-Branch deployment based on the customer profile.
Component Selection
This section describes how to select the correct devices to use for any deployment. Use this guidance to select devices appropriate for the customer profiles presented below.
Selecting a Hub Device — There are four aspects to consider: maximum number of tunnels, the number of routes to be learned from the data center, interface count, and interface type.
Selecting a Branch Device — There are three aspects to consider when deciding the branch gateway to use: firewall sessions, interface count, and interface type.
See the data sheet for SD-WAN gateway devices and their scale numbers.
Licensing Options
Foundation - This license provides all features required for SD-Branch functionality in branch or headend deployments.
Foundation Base - This license provides all features included in a Foundation License, but can support only up to 75 client devices per branch site.
Foundation with Security - This license provides all features required for SD-WAN functionality in branch or headend deployments with additional security features.
Foundation Base with Security - This license provides all the features included in a Foundation with Security License, but can support only up to 75 client devices per branch.
Advanced - This license provides all the features included in a Foundation License, with additional features related to SaaS Express Net Conductor and AI Insights.
Advanced with Security - This license provides all the features of an Advanced License, with additional security features related to IPS and IDS, security dashboard, and anti-malware.*
Virtual Gateway (VGW) License - This license is available for AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required. The license types available for VGW are VGW-500M, VGW-2G, and VGW-4G.
See the Ordering Guide for more detail.
Overlay Design
For each of the customer profiles below, the following general requirements and considerations apply:
- Improve the experience for users with IaaS (Infrastructure-as-a-Service) and SaaS (Software-as-a-Service) applications as the business migrates to the cloud.
- Protect certain sensitive corporate data going to a SaaS service by traversing IPS/DLP.
- Use Zoom and Microsoft Teams for real-time communications.
- Perform real-time inventory data queries on in-house SQL systems, hosted at data centers.
- Use bulk FTP file transfers to process transactions hosted at data centers throughout the environment.
- Provide optimal Internet egress for SaaS applications such as Salesforce.
To address these requirements:
- A hub-and-spoke overlay is used.
- To improve SaaS performance, SaaS Express is used to break out Salesforce, Zoom, and Teams traffic locally.
- A high-priority DPS policy is used for inventory queries. Other applications use a separate DPS policy.
- To ensure application security, a stateful, application-aware firewall is enabled along with IPS, web content filtering, and IP reputation.
Hub Design
The customer profile includes the following requirements and considerations:
- Accommodate 100 branch sites with an expected 10% growth over five years.
- Improve the experience for users with IaaS (Infrastructure-as-a-Service) and SaaS (Software-as-a-Service) applications as the business migrates to the cloud.
- Decrease reliance on MPLS to reduce operational expense, with the goal to phase it out completely over time.
Design Summary
Model Selection | Max IPsec tunnels | Considerations |
---|---|---|
9012 (Recommended) | 512 | Redundant pair of gateways for 8+ year growth. In a failure scenario, one box can handle all sites. |
9106 (Alternative) | 8k | Redundant pair of gateways for 10+ year growth. In a failure scenario, one box can handle all sites. |
vGW-2G (Future) | 4096 | Future consideration for IaaS/SaaS migration |
The following list summarizes the hub design elements:
- Gateways are placed inline.
- Both WAN transports (INET, MPLS) are connected to each gateway.
- Gateways connect via L3 to the LAN, into a WAN aggregation block and peer OSPF.
- DC routes are summarized when redistributing into the SD-WAN overlay.
Branch Design
Based on the customer profile, there are three different branch site designs, requiring a separate template group for each site size. Medium and large sites are standardized on branch gateways; the small site is standardized on Microbranch.
Large Site
Based on the customer profile, large sites have the following requirements:
- The business has no tolerance for unscheduled downtime.
- Uptime is provided by the gateway HA and cellular backup.
- Certain sensitive corporate data going to a SaaS service by traversing IPS/DLP must be protected.
- The site has up to 200 users.
- The site uses an existing 40 Mbps connection and plans to add 200/50 Mbps commodity Internet circuits with a 5G LTE backup.
To address these requirements:
- Dual gateways will be placed inline.
- MPLS will connect to one gateway, with INET connected to the second gateway.
- WAN Uplink sharing will be enabled.
- LTE connection will be used as a backup.
- Gateways connect via L3 to the LAN and peer OSPF to a collapsed core.
- Branch routes are summarized when redistributing into the SD-WAN overlay.
- Collapsed Core should be in a VSF stack.
- Collapsed Core to access switch connectivity should be LACP trunks.
- Tunneling is enabled for switching (UBT) and wireless.
Model Selection | Firewall Sessions | Considerations |
---|---|---|
9004 LTE (Recommended) | 64k | Redundant pair of gateways; LTE built into gateways; no SFP/SFP+ ports |
6300 (Recommended) | — | Collapsed Core |
6200 (Recommended) | — | Access switch |
6100, 6300 (Alternative) | — | Access switch |
Medium Site
Based on the customer profile, medium sites have the following requirements:
- The business has less tolerance for downtime.
- More uptime is provided by the gateway HA, but with no cellular backup.
- The site has up to 100 users.
- The site uses an existing 30 Mbps MPLS connection and plans to add a 100/10 Mbps commodity Internet circuit.
To address these requirements:
- Dual gateways will be placed inline.
- MPLS will be connected to one gateway, with INET connected to the second gateway.
- WAN uplink sharing will be enabled.
- Gateways connect via L3 to the LAN and peer OSPF to a collapsed core.
- Branch routes are summarized when redistributing into the SD-WAN overlay.
- Collapsed Core should be in a VSF stack.
- Collapsed Core to access switch connectivity should be LACP trunks.
- Tunneling will be enabled for switching (UBT) and wireless.
Model Selection | Firewall Sessions | Considerations |
---|---|---|
9004 (Recommended) | 64k | Redundant pair of gateways; no SFP/SFP+ ports |
6300 (Recommended) | — | Collapsed Core |
6200 (Recommended) | — | Access switch |
6100, 6300 (Alternative) | — | Access switch |
Small Site
Based on the customer profile, the small sites have the following requirements:
- The business can tolerate downtime.
- The site has up to 10 users.
- The site requires only a single gateway, with no device-level HA or cellular backup.
- The site uses an existing 5 Mbps MPLS connection and plans to add a 50/10 Mbps commodity Internet circuit.
To address these requirements:
- A single gateway will be placed inline.
- MPLS and INET will both connect to the gateway.
- The gateway will act as the default gateway for all VLANs.
- The Guest network will use Internet breakout.
- Branch routes will be summarized when redistributing into the SD-WAN overlay.
Model | Firewall Sessions | Considerations |
---|---|---|
9004 (Recommended) | 64k | No SFP/SFP+ Ports |
6100 (Recommended) | — | Extra ports for local devices. |
Alternative Small Site
To address these requirements:
- A single remote access point will be placed inline.
- INET will connect to the AP.
- The AP will act as the default gateway for all SSIDs.
- SSIDs for internal users will be routed at L3.
- The Guest SSID will be NATed at L3.
- Branch routes will be redistributed into the SD-WAN overlay.
Model | Considerations |
---|---|
500H Series (Recommended) | Wi-Fi 6 ready |
303H Series (Alternative) | Will not support next-generation Wi-Fi |
6100 (Recommended) | Extra ports for local devices. |