07-Mar-24

Aruba SD-Branch Network Deployment Overview

This section provides details for the SD-Branch deployment used in subsequent sections.

It is best practice to standardize the branch design for all sites to reap the full benefits of Aruba Central configuration. OWL Corp., however, has a requirement for two branch designs.

A pair of VPNCs (VPN concentrators) is configured to provide connectivity between the campus network and the branch sites using IPsec tunnels and route sharing. The VPNCs summarize the campus subnets into a single 10.0.0.0/13 route and do not advertise point-to-point links to the branches.

Each remote site has redundant branch gateways, and each gateway is connected to a single WAN transport. Switches at the branch provide L2 connectivity for the APs and other client devices. Each branch site is assigned a /21 subnet from the 10.14.0.0/16 superset address space. Within 10.14.0.0/16, 10.14.254.0/24 is reserved for Microbranch system IPs.

Figure: Network Overview

Hub Site Configuration

  • Gateways will be connected to the services aggregation block in the OWL campus network.
  • Gateways will use OSPF to peer with the campus service aggregation.
  • Gateways will have redundant connections to each aggregation block.
  • Gateways will have redundant Internet and MPLS connections.
  • Gateways will use eBGP for MPLS connectivity.
  • The standby EdgeConnect appliance will have a lower metric than the primary to ensure route symmetry.
  • EdgeConnect SD-WAN appliances will summarize campus routes before redistribution into the SD-WAN Fabric.
  • Gateways will use the summary address 10.0.0.0/13 to advertise the campus network to the branch sites.
  • Gateways will summarize all branch sites to 10.14.0.0/16 when advertising to the campus network.
| RSVDC-VPNC1-1 | VLAN | Local IP address | Port | Peer IP address | Peer Device |
|---|---|---|---|---|---|
| OSPF Uplink 1 | 4001 | 172.18.106.22/30 | GE0/0/0 | 172.18.106.21/30 | RSVCP-CR1-SS2-1 |
| OSPF Uplink 2 | 4002 | 172.18.106.30/30 | GE0/0/1 | 172.18.106.29/30 | RSVCP-CR1-SS2-2 |
| MPLS Uplink | 2086 | 100.100.7.6 | GE0/0/2 | 100.100.7.1 | --- |
| Internet Uplink | 2084 | Static IP | GE0/0/3 | --- | --- |
| Microbranch (CL2) | 101 | 10.8.0.2 - VRRP (10.8.0.1) | --- | --- | --- |
| Gateway System IP | 2085 | 10.0.6.111/32 | --- | --- | --- |

| RSVDC-VPNC1-2 | VLAN | Local IP address | Port | Peer IP address | Peer Device |
|---|---|---|---|---|---|
| OSPF Uplink 1 | 4001 | 172.18.106.18/30 | GE0/0/0 | 172.18.106.17/30 | RSVCP-CR1-SS2-1 |
| OSPF Uplink 2 | 4002 | 172.18.106.26/30 | GE0/0/1 | 172.18.106.25/30 | RSVCP-CR1-SS2-2 |
| MPLS Uplink | 2086 | 100.100.7.5 | GE0/0/2 | 100.100.7.1 | --- |
| Internet Uplink | 2084 | Static IP | GE0/0/3 | --- | --- |
| Microbranch (CL2) | 101 | 10.8.0.2 - VRRP (10.8.0.1) | --- | --- | --- |
| Gateway System IP | 2085 | 10.0.6.111/32 | --- | --- | --- |
| Quantity | SKU | Description |
|---|---|---|
| 2 | 9012 | 12 x 10/100/1000BASE-T ports; 6 x PoE+ ports; 1x USB Type A host port; RJ45 console port; Micro USB console port |

Note: The equipment listed may not be the same equipment used in the guide; however, the configuration steps are alike.

Branch Site Requirements

  • Wi-Fi should be the main connection used by employees. Ethernet connections should be available for use as needed. Ensure that enough switch ports are available for all users.
  • Access points should be mounted to the ceiling, not above the ceiling tile in plenum space or behind any barrier that may cause signal reflection or attenuation.
  • Wireless coverage is required.
  • Employees use Office 365 and Microsoft Teams for communications, along with other business productivity apps (Salesforce, SAP, etc.).
  • Sites use IoT devices such as smart thermostats, smart access control, and meeting room kiosk.
  • Sites must be able to upgrade with hitless failover.
  • Sites have a single MPLS connection (10 Mbps download / 5 Mbps upload) and a single Internet connection (100 Mbps download / 25 Mbps upload). Both are RJ-45 drops.
  • Employee and guest SSIDs must be provided.

Low Traffic Site Requirements

OWL’s low-traffic sites have the logical topology shown below.

Low Traffic Site Characteristics

  • 3750 square feet, closed office space
  • Low-traffic sites support up to 30 employees, each with a docking station and a laptop.
  • 10 large workspaces
  • 12 small workspaces
  • 18 open workspaces
  • 4 conference rooms
  • 1 IDF
  • 1 MDF/computer room

Low Traffic Branch Site Configuration

  • Gateway 1 will use port GE0/0/0 for Internet connectivity.
  • Gateway 2 will use port GE0/0/1 and eBGP for MPLS connectivity.
  • Gateways will use GE0/0/2 to trunk the listed VLANs down to the highest-numbered Ethernet ports on the access switches.
  • Gateways will be the default gateway for the site.
  • Gateways will enable RADIUS snooping.
  • Gateways should run version 10.4 or higher.
  • Gateways will use DHCP relay for addressing devices.
  • Access switches will use the standard feature template (MOTD, RADIUS, TACACS, user roles, STP, etc.).
  • The first 12 ports on the access switches will be reserved for the access points.
  • The next 24 ports will be reserved for IoT devices.
  • The last 12 ports (special-case ports) will be reserved for workstations.
  • Access points should have two SSIDs, for Guest and Corporate access.

Required Equipment

| Quantity | SKU | Description |
|---|---|---|
| 2 | 9004 | 4 x 100/1000BASE-T ports; 1 x USB 3.0 port; RJ45 console port; Micro USB console port |
| 2 | 6300F (JL663A) | 48x 10/100/1000BASE-T ports; 4x 1G/10G/25G/50G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; Bluetooth dongle to be used with the CX Mobile App |
| 6 | Aruba 505 (R2H29A) | 1.49 Gbps maximum real-world speed (HE80/HE20); WPA3 and Enhanced Open security; built-in technology that resolves sticky client issues for Wi-Fi 6 and Wi-Fi 5 devices; OFDMA for enhanced multi-user efficiency; IoT-ready Bluetooth 5 and Zigbee support |

Note: The equipment listed may not be the same equipment used in the guide; however, the configuration steps are alike.

Miami Branch Details

| VLAN ID | Description | Network | Default Gateway (VRRP) | MIABR-ECB1-1 IP Address | MIABR-ECB1-2 IP Address |
|---|---|---|---|---|---|
| 100 | MGMT (Gateway System IP) | 10.14.0.0/24 | 10.14.0.1 | 10.14.0.2 | 10.14.0.3 |
| 101 | Employee | 10.14.1.0/24 | 10.14.1.1 | 10.14.1.2 | 10.14.1.3 |
| 102 | Printer | 10.14.2.0/24 | 10.14.2.1 | 10.14.2.2 | 10.14.2.3 |
| 103 | IoT (smart thermostats, smart access control, and meeting room kiosk) | 10.14.3.0/24 | 10.14.3.1 | 10.14.3.2 | 10.14.3.3 |
| 104 | Guest | 10.14.4.0/24 | 10.14.4.1 | 10.14.4.2 | 10.14.4.3 |
| 105 | Reject | 10.14.5.0/24 | 10.14.5.1 | 10.14.5.2 | 10.14.5.3 |
| 106 | Critical | 10.14.6.0/24 | 10.14.6.1 | 10.14.6.2 | 10.14.6.3 |
| 107 | Quarantine | 10.14.7.0/24 | 10.14.7.1 | 10.14.7.2 | 10.14.7.3 |
| Summary | | 10.14.0.0/21 | --- | --- | --- |

| MIABR-ECB1-1 | Local IP address | Port | Peer IP address | Peer Device |
|---|---|---|---|---|
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | --- | MIABR-ECB1-CR1(STK) |
| MPLS Uplink | --- | GE0/0/1 | --- | --- |
| Internet Uplink | DHCP (VLAN 4085) | GE0/0/0 | --- | --- |

| MIABR-ECB1-2 | Local IP address | Port | Peer IP address | Peer Device |
|---|---|---|---|---|
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | --- | MIABR-ECB1-CR1(STK) |
| MPLS Uplink | MPLS (VLAN 4085) | GE0/0/1 | --- | --- |
| Internet Uplink | --- | GE0/0/0 | --- | --- |

| MIABR-ECB1-CR1 | Local IP address | Port | Peer port | Peer Device |
|---|---|---|---|---|
| MGMT VLAN | DHCP | --- | --- | --- |
| Gateway Uplink 1 | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/23 | GE0/0/3 | MIABR-ECB1-1 |
| Gateway Uplink 2 | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/24 | GE0/0/3 | MIABR-ECB1-2 |

Houston Branch Details

| VLAN ID | Description | Network | Default Gateway (VRRP) | HOUBR-ECB1-1 IP Address | HOUBR-ECB1-2 IP Address |
|---|---|---|---|---|---|
| 100 | MGMT (Gateway System IP) | 10.14.8.0/24 | 10.14.8.1 | 10.14.8.2 | 10.14.8.3 |
| 101 | Employee | 10.14.9.0/24 | 10.14.9.1 | 10.14.9.2 | 10.14.9.3 |
| 102 | Printer | 10.14.10.0/24 | 10.14.10.1 | 10.14.10.2 | 10.14.10.3 |
| 103 | IoT (smart thermostats, smart access control, and meeting room kiosk) | 10.14.11.0/24 | 10.14.11.1 | 10.14.11.2 | 10.14.11.3 |
| 104 | Guest | 10.14.12.0/24 | 10.14.12.1 | 10.14.12.2 | 10.14.12.3 |
| 105 | Reject | 10.14.13.0/24 | 10.14.13.1 | 10.14.13.2 | 10.14.13.3 |
| 106 | Critical | 10.14.14.0/24 | 10.14.14.1 | 10.14.14.2 | 10.14.14.3 |
| 107 | Quarantine | 10.14.15.0/24 | 10.14.15.1 | 10.14.15.2 | 10.14.15.3 |
| Summary | | 10.14.8.0/21 | --- | --- | --- |

| HOUBR-ECB1-1 | Local IP address | Port | Peer port | Peer Device |
|---|---|---|---|---|
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 1/1/23 | HOUBR-ECB1-CR1(STK) |
| MPLS Uplink | --- | GE0/0/1 | --- | --- |
| Internet Uplink | DHCP (VLAN 4085) | GE0/0/0 | --- | --- |

| HOUBR-ECB1-2 | Local IP address | Port | Peer port | Peer Device |
|---|---|---|---|---|
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 1/1/24 | HOUBR-ECB1-CR1(STK) |
| MPLS Uplink | MPLS (VLAN 4085) | GE0/0/1 | --- | --- |
| Internet Uplink | --- | GE0/0/0 | --- | --- |

| HOUBR-ECB1-CR1 | Local IP address | Port | Peer port | Peer Device |
|---|---|---|---|---|
| MGMT VLAN | DHCP | --- | --- | --- |
| Gateway Uplink 1 | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/23 | GE0/0/2 | HOUBR-ECB1-1 |
| Gateway Uplink 2 | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/24 | GE0/0/2 | HOUBR-ECB1-2 |

High Traffic Site Requirements

OWL’s high-traffic sites have the logical topology shown below.

High Traffic Branch Site Configuration

  • All network infrastructure should use ZTP for provisioning.
  • Gateway 1 will use the WAN0 port for Internet connectivity.
  • Gateway 2 will use the WAN1 port and eBGP for MPLS connectivity.
  • Gateways will be connected to each other using LAN0 to enable WAN HA.
  • Gateways will use LAN1 to trunk the listed VLANs down to the highest-numbered Ethernet ports on the access switches.
  • Gateways will use VRRP and be the default gateway for the site.
  • Gateways will enable RADIUS snooping.
  • Gateways should run version 9.2 or higher.
  • Gateways will use DHCP relay for addressing devices.
  • Access switches will use the standard feature template (MOTD, RADIUS, TACACS, user roles, STP, etc.).
  • The first 12 ports on the access switches will be reserved for the access points.
  • The next 24 ports will be reserved for IoT devices.
  • The last 12 ports (special-case ports) will be reserved for workstations.
  • Access points should have two SSIDs, for Guest and Corporate access.
| Quantity | SKU | Description |
|---|---|---|
| 2 | 9004 | 4 x 100/1000BASE-T ports; 1 x USB 3.0 port; RJ45 console port; Micro USB console port |
| 2 | 6300F (JL663A) | 48x 10/100/1000BASE-T ports; 4x 1G/10G/25G/50G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; 1x Bluetooth dongle to be used with the CX Mobile App |
| 4 | 6200F (JL725A) | 48x 10/100/1000BASE-T ports; 4x 1G/10G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; 1x Bluetooth dongle to be used with the CX Mobile App |
| 11 | Aruba 505 (R2H29A) | 1.49 Gbps maximum real-world speed (HE80/HE20); WPA3 and Enhanced Open security; built-in technology that resolves sticky client issues for Wi-Fi 6 and Wi-Fi 5 devices; OFDMA for enhanced multi-user efficiency; IoT-ready Bluetooth 5 and Zigbee support |

Note: The equipment listed may not be the same equipment used in the guide; however, the configuration steps are alike.

San Diego Branch Details

| VLAN ID | Description | Network | Default Gateway (VRRP) | SANBR-ECB1-1 IP Address | SANBR-ECB1-2 IP Address |
|---|---|---|---|---|---|
| 100 | MGMT (Gateway System IP) | 10.14.16.0/24 | 10.14.16.1 | 10.14.16.2 | 10.14.16.3 |
| 101 | Employee | 10.14.17.0/24 | 10.14.17.1 | 10.14.17.2 | 10.14.17.3 |
| 102 | Printer | 10.14.18.0/24 | 10.14.18.1 | 10.14.18.2 | 10.14.18.3 |
| 103 | IoT (smart thermostats, smart access control, and meeting room kiosk) | 10.14.19.0/24 | 10.14.19.1 | 10.14.19.2 | 10.14.19.3 |
| 104 | Guest | 10.14.20.0/24 | 10.14.20.1 | 10.14.20.2 | 10.14.20.3 |
| 105 | Reject | 10.14.21.0/24 | 10.14.21.1 | 10.14.21.2 | 10.14.21.3 |
| 106 | Critical | 10.14.22.0/24 | 10.14.22.1 | 10.14.22.2 | 10.14.22.3 |
| 107 | Quarantine | 10.14.23.0/24 | 10.14.23.1 | 10.14.23.2 | 10.14.23.3 |
| Summary | | 10.14.16.0/21 | --- | --- | --- |

| SANBR-ECB1-1 | Local IP address | Port | Peer port | Peer Device |
|---|---|---|---|---|
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 1/1/23 | SANBR-ECB1-CR1(STK) |
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | 1/1/24 | SANBR-ECB1-CR1(STK) |
| MPLS Uplink | --- | WAN1 | --- | --- |
| Internet Uplink | DHCP (VLAN 4085) | WAN0 | --- | --- |

| SANBR-ECB1-2 | Local IP address | Port | Peer port | Peer Device |
|---|---|---|---|---|
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 2/1/23 | SANBR-ECB1-CR1(STK) |
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | 2/1/24 | SANBR-ECB1-CR1(STK) |
| MPLS Uplink | MPLS (VLAN 4085) | WAN1 | --- | --- |
| Internet Uplink | --- | WAN0 | --- | --- |

San Francisco Branch Details

| VLAN ID | Description | Network | Default Gateway (VRRP) | SFOBR-ECB1-1 IP Address | SFOBR-ECB1-2 IP Address |
|---|---|---|---|---|---|
| 100 | MGMT (Gateway System IP) | 10.14.24.0/24 | 10.14.24.1 | 10.14.24.2 | 10.14.24.3 |
| 101 | Employee | 10.14.25.0/24 | 10.14.25.1 | 10.14.25.2 | 10.14.25.3 |
| 102 | Printer | 10.14.26.0/24 | 10.14.26.1 | 10.14.26.2 | 10.14.26.3 |
| 103 | IoT (smart thermostats, smart access control, and meeting room kiosk) | 10.14.27.0/24 | 10.14.27.1 | 10.14.27.2 | 10.14.27.3 |
| 104 | Guest | 10.14.28.0/24 | 10.14.28.1 | 10.14.28.2 | 10.14.28.3 |
| 105 | Reject | 10.14.29.0/24 | 10.14.29.1 | 10.14.29.2 | 10.14.29.3 |
| 106 | Critical | 10.14.30.0/24 | 10.14.30.1 | 10.14.30.2 | 10.14.30.3 |
| 107 | Quarantine | 10.14.31.0/24 | 10.14.31.1 | 10.14.31.2 | 10.14.31.3 |
| Summary | | 10.14.24.0/21 | --- | --- | --- |

| SFOBR-ECB1-1 | Local IP address | Port | Peer port | Peer Device |
|---|---|---|---|---|
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 1/1/23 | SFOBR-ECB1-CR1(STK) |
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | 1/1/24 | SFOBR-ECB1-CR1(STK) |
| MPLS Uplink | --- | WAN1 | --- | --- |
| Internet Uplink | DHCP (VLAN 4085) | WAN0 | --- | --- |

| SFOBR-ECB1-2 | Local IP address | Port | Peer port | Peer Device |
|---|---|---|---|---|
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 2/1/23 | SFOBR-ECB1-CR1(STK) |
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | 2/1/24 | SFOBR-ECB1-CR1(STK) |
| MPLS Uplink | MPLS (VLAN 4085) | WAN1 | --- | --- |
| Internet Uplink | --- | WAN0 | --- | --- |
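The addressing plan laid out in the overview and in the four branch tables above (one /21 per site carved from 10.14.0.0/16, eight consecutive /24 VLANs per site with the VRRP VIP at .1 and the two gateway members at .2 and .3, 10.14.254.0/24 held back for Microbranch system IPs, and the 10.0.0.0/13 campus summary advertised in the other direction) is exactly the kind of plan that drifts when a fifth site is added by hand. The script below is an added example written for this page; it is not part of the HPE guide and is not an Aruba Central feature. It encodes the four sites from the tables and lints them: every VLAN subnet must sit inside its site block and not overlap a sibling, the VIP and both gateway addresses must be inside their subnet and distinct, site blocks must be /21s inside the branch summary that neither overlap each other nor the reserved Microbranch /24, and the two summaries the hub advertises must be disjoint (otherwise a branch could attract campus traffic, or vice versa). The site labels and the `site_plan` helper that expands a /21 into the table's eight rows are this example's own conventions.

```python
"""Lint the OWL SD-Branch addressing plan (added example, standard library only)."""
from ipaddress import ip_network, IPv4Network

# Constants taken from the design text on this page.
CAMPUS_SUMMARY = ip_network("10.0.0.0/13")           # hub advertises this to branches
BRANCH_SUMMARY = ip_network("10.14.0.0/16")          # hub summarizes all branches to campus
MICROBRANCH_RESERVED = ip_network("10.14.254.0/24")  # reserved for Microbranch system IPs
SITE_PREFIX_LEN = 21
# VLAN 100..107 in the order the branch tables list them.
VLAN_NAMES = ["MGMT", "Employee", "Printer", "IoT", "Guest", "Reject", "Critical", "Quarantine"]


def site_plan(name: str, summary: str) -> dict:
    """Expand a site /21 into the eight /24 rows of a branch table.

    Row i is VLAN 100+i on the i-th /24 of the block, with VRRP VIP .1,
    gateway 1 at .2 and gateway 2 at .3, matching the tables above.
    """
    block = ip_network(summary)
    rows = []
    for i, (vlan_name, net) in enumerate(zip(VLAN_NAMES, block.subnets(new_prefix=24))):
        hosts = list(net.hosts())  # .1, .2, .3, ... for a /24
        rows.append({"vlan": 100 + i, "name": vlan_name, "net": net,
                     "vip": hosts[0], "gw1": hosts[1], "gw2": hosts[2]})
    return {"name": name, "summary": block, "vlans": rows}


# The four sites from the branch tables; site labels are this example's own.
OWL_SITES = [
    site_plan("MIABR", "10.14.0.0/21"),
    site_plan("HOUBR", "10.14.8.0/21"),
    site_plan("SANBR", "10.14.16.0/21"),
    site_plan("SFOBR", "10.14.24.0/21"),
]


def lint_site(site: dict) -> list[str]:
    """Per-site checks; returns a list of findings (empty means clean)."""
    findings = []
    block, name = site["summary"], site["name"]
    if block.prefixlen != SITE_PREFIX_LEN:
        findings.append(f"{name}: site block {block} is not a /{SITE_PREFIX_LEN}")
    seen: list[IPv4Network] = []
    for row in site["vlans"]:
        net, vlan = row["net"], row["vlan"]
        if not net.subnet_of(block):
            findings.append(f"{name} VLAN {vlan}: {net} is outside site block {block}")
        for other in seen:
            if net.overlaps(other):
                findings.append(f"{name} VLAN {vlan}: {net} overlaps {other}")
        seen.append(net)
        addrs = (row["vip"], row["gw1"], row["gw2"])
        if any(a not in net for a in addrs):
            findings.append(f"{name} VLAN {vlan}: VIP/gateway address outside {net}")
        if len(set(addrs)) != 3:
            findings.append(f"{name} VLAN {vlan}: VIP and gateway addresses collide")
    return findings


def lint_plan(sites: list[dict]) -> list[str]:
    """Whole-plan checks on top of lint_site(): coverage, overlap, reserved space."""
    findings = []
    for site in sites:
        findings.extend(lint_site(site))
    blocks = [s["summary"] for s in sites]
    for i, block in enumerate(blocks):
        name = sites[i]["name"]
        if not block.subnet_of(BRANCH_SUMMARY):
            findings.append(f"{name}: {block} is not covered by branch summary {BRANCH_SUMMARY}")
        if block.overlaps(MICROBRANCH_RESERVED):
            findings.append(f"{name}: {block} overlaps reserved {MICROBRANCH_RESERVED}")
        for other in blocks[i + 1:]:
            if block.overlaps(other):
                findings.append(f"{name}: {block} overlaps {other}")
    # The hub advertises these two summaries in opposite directions; they must never overlap.
    if CAMPUS_SUMMARY.overlaps(BRANCH_SUMMARY):
        findings.append(f"campus summary {CAMPUS_SUMMARY} overlaps branch summary {BRANCH_SUMMARY}")
    return findings


if __name__ == "__main__":
    for line in lint_plan(OWL_SITES) or ["addressing plan OK"]:
        print(line)
```

Run it as-is and it reports the four documented sites as clean; add a fifth site with `site_plan("NEW", "10.14.248.0/21")` and it flags the overlap with the reserved Microbranch /24, which is the check that is easiest to miss when the next /21 is picked from the top of the range.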


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.