Aruba SD-Branch Network Deployment Overview
This section provides details for the SD-Branch deployment used in subsequent sections.
It is best practice to standardize the branch design for all sites to reap the full benefits of Aruba Central configuration. OWL Corp., however, has a requirement for two branch designs.
A pair of VPNCs (VPN concentrators) is configured to facilitate connectivity between the campus network and branch sites using IPsec tunnels and route sharing. VPNCs summarize the campus subnets to a single route of 10.0.X.X/13 and prevent advertising point-to-point links to the branches.
Each remote site has redundant branch gateways, and each gateway is connected to a single WAN transport. Switches at the branch provide L2 connectivity for the APs and other client devices. Each branch site is assigned a /21 subnet from the superset address space of 10.14.X.X/16. Within the 10.14.X.X/16 address space, the 10.14.254.X/24 subnet is reserved for Microbranch system IPs.
Hub Site Configuration
- Gateways will be connected to the services aggregation block in the OWL campus network.
- Gateways will use OSPF to peer with the campus service aggregation.
- Gateways will have redundant connections to each aggregation block.
- Gateways will have redundant Internet and MPLS connections.
- Gateways will use eBGP for MPLS connectivity.
- The standby EdgeConnect appliance will have a lower metric than the primary to ensure route symmetry.
- EdgeConnect SD-WAN appliances will summarize campus routes before redistribution into the SD-WAN Fabric.
- Gateways will use the summary address 10.0.X.X/13 to advertise the Campus network to branch sites.
- Gateways will summarize all branch sites to 10.14.X.X/16 to advertise to the Campus network.
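The address plan above (campus summary 10.0.X.X/13, branch superset 10.14.X.X/16 carved into /21 blocks, 10.14.254.X/24 reserved for Microbranch) can be checked mechanically before the summaries are pushed to the VPNCs. The following Python is an added example, not part of the guide; it assumes branches are allocated /21 blocks in order (0 = Miami, 1 = Houston, 2 = San Diego, 3 = San Francisco) and that VLANs 100-107 map to consecutive /24s with .1 as VRRP and .2/.3 as the two gateways, as in the branch detail tables below.

```python
import ipaddress

# Address plan from the design: campus summary, branch superset,
# and the /24 inside the superset reserved for Microbranch system IPs.
CAMPUS_SUMMARY = ipaddress.ip_network("10.0.0.0/13")
BRANCH_SUPERSET = ipaddress.ip_network("10.14.0.0/16")
MICROBRANCH_RESERVED = ipaddress.ip_network("10.14.254.0/24")
BRANCH_PREFIXLEN = 21

# VLAN-to-/24 mapping used in the branch detail tables (VLAN 100 -> first /24).
BRANCH_VLANS = {100: "MGMT", 101: "Employee", 102: "Printer", 103: "IoT",
                104: "Guest", 105: "Reject", 106: "Critical", 107: "Quarantine"}


def branch_block(index):
    """Return the /21 for the Nth branch carved from the superset (0 = Miami).
    Assumption: branches are numbered in allocation order."""
    blocks = list(BRANCH_SUPERSET.subnets(new_prefix=BRANCH_PREFIXLEN))
    block = blocks[index]
    # The Microbranch /24 must never be handed out as part of a branch /21.
    if block.overlaps(MICROBRANCH_RESERVED):
        raise ValueError(f"{block} collides with Microbranch range")
    return block


def branch_vlan_plan(index):
    """Build {vlan: (network, vrrp_ip, gw1_ip, gw2_ip)} following the tables' pattern."""
    subnets = list(branch_block(index).subnets(new_prefix=24))
    plan = {}
    for offset, vlan in enumerate(sorted(BRANCH_VLANS)):
        net = subnets[offset]
        hosts = list(net.hosts())  # .1 = VRRP, .2 = gateway 1, .3 = gateway 2
        plan[vlan] = (net, hosts[0], hosts[1], hosts[2])
    return plan


def check_summaries(branch_count):
    """Verify the two summaries the VPNCs advertise do not overlap each other
    and that every allocated branch /21 is covered by the branch summary."""
    if CAMPUS_SUMMARY.overlaps(BRANCH_SUPERSET):
        return False
    return all(branch_block(i).subnet_of(BRANCH_SUPERSET)
               for i in range(branch_count))


def covered_by_campus_summary(ip):
    """True if a host (e.g. the VPNC system IP) is inside the advertised /13."""
    return ipaddress.ip_address(ip) in CAMPUS_SUMMARY
```

Running `branch_vlan_plan(1)` reproduces the Houston table (VLAN 100 = 10.14.8.0/24, gateways 10.14.8.2 and 10.14.8.3), and asking for the last /21 in the superset raises because it would swallow the reserved Microbranch /24.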
RSVDC-VPNC1-1 | VLAN | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|---|
OSPF Uplink 1 | 4001 | 172.18.106.22/30 | GE0/0/0 | 172.18.106.21/30 | RSVCP-CR1-SS2-1 |
OSPF Uplink 2 | 4002 | 172.18.106.30/30 | GE0/0/1 | 172.18.106.29/30 | RSVCP-CR1-SS2-2 |
MPLS Uplink | 2086 | 100.100.7.6 | GE0/0/2 | 100.100.7.1 | ——- |
Internet Uplink | 2084 | Static IP | GE0/0/3 | ——- | ——- |
Microbranch (CL2) | 101 | 10.8.0.2, VRRP 10.8.0.1 | ——- | ——- | ——- |
Gateway System IP | 2085 | 10.0.6.111/32 | ——- | ——- | ——- |
RSVDC-VPNC1-2 | VLAN | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|---|
OSPF Uplink 1 | 4001 | 172.18.106.18/30 | GE0/0/0 | 172.18.106.17/30 | RSVCP-CR1-SS2-1 |
OSPF Uplink 2 | 4002 | 172.18.106.26/30 | GE0/0/1 | 172.18.106.25/30 | RSVCP-CR1-SS2-2 |
MPLS Uplink | 2086 | 100.100.7.5 | GE0/0/2 | 100.100.7.1 | ——- |
Internet Uplink | 2084 | Static IP | GE0/0/3 | ——- | ——- |
Microbranch (CL2) | 101 | 10.8.0.2, VRRP 10.8.0.1 | ——- | ——- | ——- |
Gateway System IP | 2085 | 10.0.6.111/32 | ——- | ——- | ——- |
Quantity | SKU | Description |
---|---|---|
2 | 9012 | 12 x 10/100/1000BASE-T ports, 6 x PoE+ ports, 1 x USB Type A host port, 1 x RJ45 console port, 1 x Micro USB console port |
Note: The equipment listed may not be the same equipment used in the guide; however, the configuration steps are alike.
Branch Site Requirements
- Wi-Fi should be the main connection used by employees. Ethernet connections should be available for use as needed. Ensure that enough switchports are available for all users.
- Access points should be mounted to the ceiling, not above the ceiling tile in plenum space or behind any barrier that may cause signal reflection or attenuation.
- Wireless coverage is required.
- Employees use Office 365 and Microsoft Teams for communications, along with other business productivity apps (Salesforce, SAP, etc.).
- Sites use IoT devices such as smart thermostats, smart access control, and meeting room kiosks.
- Sites must be able to upgrade with hitless failover.
- Sites have a single MPLS connection (10 Mbps download / 5 Mbps upload) and a single Internet connection (100 Mbps download / 25 Mbps upload). Both are RJ-45 drops.
- Employee and guest SSIDs must be provided.
Low Traffic Site Requirements
OWL’s low-traffic sites have the logical topology shown below.
Low Traffic Site Characteristics
- 3750 square feet, closed office space
- Low-traffic sites to support up to 30 employees, each with a docking station and a laptop.
- 10 large workspaces
- 12 small workspaces
- 18 open workspaces
- 4 conference rooms
- 1 IDF
- 1 MDF/Computer Room
Low Traffic Branch Site Configuration
- Gateway 1 will use port GE0/0/0 for INET connectivity.
- Gateway 2 will use port GE0/0/1 with eBGP for MPLS connectivity.
- Gateway will use GE0/0/2 to trunk listed VLANs down to the access switches’ highest ethernet port.
- Gateway will be the default gateway for the site.
- Gateway will enable RADIUS snooping.
- Gateway should be version 10.4 or higher.
- Gateway will use DHCP relay for addressing devices.
- Access switches will use the standard feature template (MOTD, RADIUS, TACACS, User-Roles, STP, etc.).
- The first 12 ports on the access switches will be reserved for the access points.
- The next 24 ports will be reserved for IoT devices.
- The last 12 ports (special case ports) will be reserved for workstations.
- Access points should have two SSIDs for Guest and Corporate access.
Required Equipment
Quantity | SKU | Description |
---|---|---|
2 | 9004 | 4 x 100/1000BASE-T ports, 1 x USB 3.0 port, RJ45 console port, Micro USB console port |
2 | 6300F (JL663A) | 48 x 10/100/1000BASE-T ports, 4 x 1G/10G/25G/50G SFP ports, 1 x USB-C console port, 1 x OOBM port, 1 x USB Type A host port, 1 x Bluetooth dongle to be used with the CX Mobile App |
6 | Aruba 505 (R2H29A) | 1.49 Gbps maximum real-world speed (HE80/HE20); WPA3 and Enhanced Open security; built-in technology that resolves sticky client issues for Wi-Fi 6 and Wi-Fi 5 devices; OFDMA for enhanced multi-user efficiency; IoT-ready Bluetooth 5 and Zigbee support |
Note: The equipment listed may not be the same equipment used in the guide; however, the configuration steps are alike.
Miami Branch Details
VLAN ID | Description | Network | Default Gateway (VRRP) | MIABR-ECB1-1 IP Address | MIABR-ECB1-2 IP Address |
---|---|---|---|---|---|
100 | MGMT (Gateway System IP) | 10.14.0.0/24 | 10.14.0.1 | 10.14.0.2 | 10.14.0.3 |
101 | Employee | 10.14.1.0/24 | 10.14.1.1 | 10.14.1.2 | 10.14.1.3 |
102 | PRINTER | 10.14.2.0/24 | 10.14.2.1 | 10.14.2.2 | 10.14.2.3 |
103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.3.0/24 | 10.14.3.1 | 10.14.3.2 | 10.14.3.3 |
104 | Guest | 10.14.4.0/24 | 10.14.4.1 | 10.14.4.2 | 10.14.4.3 |
105 | Reject | 10.14.5.0/24 | 10.14.5.1 | 10.14.5.2 | 10.14.5.3 |
106 | Critical | 10.14.6.0/24 | 10.14.6.1 | 10.14.6.2 | 10.14.6.3 |
107 | Quarantine | 10.14.7.0/24 | 10.14.7.1 | 10.14.7.2 | 10.14.7.3 |
Summary | ——– | 10.14.0.0/21 | ——– | ——– | ——– |
MIABR-ECB1-1 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | ——– | MIABR-ECB1-CR1(STK) |
MPLS Uplink | ——– | GE0/0/1 | ——– | ——– |
Internet Uplink | DHCP (VLAN 4085) | GE0/0/0 | ——– | ——– |
MIABR-ECB1-2 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | ——– | MIABR-ECB1-CR1(STK) |
MPLS Uplink | MPLS (VLAN 4085) | GE0/0/1 | ——– | ——– |
Internet Uplink | ——– | GE0/0/0 | ——– | ——– |
MIABR-ECB1-CR1 | Local IP address | Port | Peer port | Peer Device |
---|---|---|---|---|
MGMT VLAN | DHCP | ——– | ——– | ——– |
Gateway Uplink 1 | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/23 | GE0/0/3 | MIABR-ECB1-1 |
Gateway Uplink 2 | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/24 | GE0/0/3 | MIABR-ECB1-2 |
Houston Branch Details
VLAN ID | Description | Network | Default Gateway (VRRP) | HOUBR-ECB1-1 IP Address | HOUBR-ECB1-2 IP Address |
---|---|---|---|---|---|
100 | MGMT (Gateway System IP) | 10.14.8.0/24 | 10.14.8.1 | 10.14.8.2 | 10.14.8.3 |
101 | Employee | 10.14.9.0/24 | 10.14.9.1 | 10.14.9.2 | 10.14.9.3 |
102 | Printer | 10.14.10.0/24 | 10.14.10.1 | 10.14.10.2 | 10.14.10.3 |
103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.11.0/24 | 10.14.11.1 | 10.14.11.2 | 10.14.11.3 |
104 | Guest | 10.14.12.0/24 | 10.14.12.1 | 10.14.12.2 | 10.14.12.3 |
105 | Reject | 10.14.13.0/24 | 10.14.13.1 | 10.14.13.2 | 10.14.13.3 |
106 | Critical | 10.14.14.0/24 | 10.14.14.1 | 10.14.14.2 | 10.14.14.3 |
107 | Quarantine | 10.14.15.0/24 | 10.14.15.1 | 10.14.15.2 | 10.14.15.3 |
Summary | ——– | 10.14.8.0/21 | ——– | ——– | ——– |
HOUBR-ECB1-1 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 1/1/23 | HOUBR-ECB1-CR1(STK) |
MPLS Uplink | ——– | GE0/0/1 | ——– | ——– |
Internet Uplink | DHCP (VLAN 4085) | GE0/0/0 | ——– | ——– |
HOUBR-ECB1-2 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 1/1/24 | HOUBR-ECB1-CR1(STK) |
MPLS Uplink | MPLS (VLAN 4085) | GE0/0/1 | ——– | ——– |
Internet Uplink | ——– | GE0/0/0 | ——– | ——– |
HOUBR-ECB1-CR1 | Local IP address | Port | Peer port | Peer Device |
---|---|---|---|---|
MGMT VLAN | DHCP | ——– | ——– | ——– |
Gateway Uplink 1 | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/23 | GE0/0/2 | HOUBR-ECB1-1 |
Gateway Uplink 2 | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/24 | GE0/0/2 | HOUBR-ECB1-2 |
High Traffic Site Requirements
OWL’s high-traffic sites have the logical topology shown below.
High Traffic Branch Site Configuration
- All network infrastructure should use ZTP for provisioning.
- Gateway 1 will use port WAN0 for INET connectivity.
- Gateway 2 will use port WAN1 with eBGP for MPLS connectivity.
- Gateways will be connected using LAN0 to enable WAN HA.
- Gateways will use LAN1 to trunk listed VLANs down to the access switches’ highest ethernet port.
- Gateways will use VRRP and be the default gateway for the site.
- Gateways will enable RADIUS snooping.
- Gateways should be version 9.2 or higher.
- Gateways will use DHCP relay for addressing devices.
- Access switches will use the standard feature template (MOTD, RADIUS, TACACS, User-Roles, STP, etc.).
- The first 12 ports on access switching will be reserved for the access points.
- All IoT devices will be reserved for the next 24 ports.
- Workstations will be reserved for the last 12 ports (special case ports).
- Access points should have two SSIDs for Guest and Corporate access.
Required Equipment
Quantity | SKU | Description |
---|---|---|
2 | 9004 | 4 x 100/1000BASE-T ports, 1 x USB 3.0 port, RJ45 console port, Micro USB console port |
2 | 6300F (JL663A) | 48 x 10/100/1000BASE-T ports, 4 x 1G/10G/25G/50G SFP ports, 1 x USB-C console port, 1 x OOBM port, 1 x USB Type A host port, 1 x Bluetooth dongle to be used with the CX Mobile App |
4 | 6200F (JL725A) | 48 x 10/100/1000BASE-T ports, 4 x 1G/10G SFP ports, 1 x USB-C console port, 1 x OOBM port, 1 x USB Type A host port, 1 x Bluetooth dongle to be used with the CX Mobile App |
11 | Aruba 505 (R2H29A) | 1.49 Gbps maximum real-world speed (HE80/HE20); WPA3 and Enhanced Open security; built-in technology that resolves sticky client issues for Wi-Fi 6 and Wi-Fi 5 devices; OFDMA for enhanced multi-user efficiency; IoT-ready Bluetooth 5 and Zigbee support |
Note: The equipment listed may not be the same equipment used in the guide; however, the configuration steps are alike.
San Diego Branch Details
VLAN ID | Description | Network | Default Gateway (VRRP) | SANBR-ECB1-1 IP Address | SANBR-ECB1-2 IP Address |
---|---|---|---|---|---|
100 | MGMT (Gateway System IP) | 10.14.16.0/24 | 10.14.16.1 | 10.14.16.2 | 10.14.16.3 |
101 | Employee | 10.14.17.0/24 | 10.14.17.1 | 10.14.17.2 | 10.14.17.3 |
102 | PRINTER | 10.14.18.0/24 | 10.14.18.1 | 10.14.18.2 | 10.14.18.3 |
103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.19.0/24 | 10.14.19.1 | 10.14.19.2 | 10.14.19.3 |
104 | Guest | 10.14.20.0/24 | 10.14.20.1 | 10.14.20.2 | 10.14.20.3 |
105 | Reject | 10.14.21.0/24 | 10.14.21.1 | 10.14.21.2 | 10.14.21.3 |
106 | Critical | 10.14.22.0/24 | 10.14.22.1 | 10.14.22.2 | 10.14.22.3 |
107 | Quarantine | 10.14.23.0/24 | 10.14.23.1 | 10.14.23.2 | 10.14.23.3 |
Summary | ——– | 10.14.16.0/21 | ——– | ——– | ——– |
SANBR-ECB1-1 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 1/1/23 | SANBR-ECB1-CR1(STK) |
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | 1/1/24 | SANBR-ECB1-CR1(STK) |
MPLS Uplink | ——– | WAN1 | ——– | ——– |
Internet Uplink | DHCP (VLAN 4085) | WAN0 | ——– | ——– |
SANBR-ECB1-2 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 2/1/23 | SANBR-ECB1-CR1(STK) |
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | 2/1/24 | SANBR-ECB1-CR1(STK) |
MPLS Uplink | MPLS (VLAN 4085) | WAN1 | ——– | ——– |
Internet Uplink | ——– | WAN0 | ——– | ——– |
San Francisco Branch Details
VLAN ID | Description | Network | Default Gateway (VRRP) | SFOBR-ECB1-1 IP Address | SFOBR-ECB1-2 IP Address |
---|---|---|---|---|---|
100 | MGMT (Gateway System IP) | 10.14.24.0/24 | 10.14.24.1 | 10.14.24.2 | 10.14.24.3 |
101 | Employee | 10.14.25.0/24 | 10.14.25.1 | 10.14.25.2 | 10.14.25.3 |
102 | PRINTER | 10.14.26.0/24 | 10.14.26.1 | 10.14.26.2 | 10.14.26.3 |
103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.27.0/24 | 10.14.27.1 | 10.14.27.2 | 10.14.27.3 |
104 | Guest | 10.14.28.0/24 | 10.14.28.1 | 10.14.28.2 | 10.14.28.3 |
105 | Reject | 10.14.29.0/24 | 10.14.29.1 | 10.14.29.2 | 10.14.29.3 |
106 | Critical | 10.14.30.0/24 | 10.14.30.1 | 10.14.30.2 | 10.14.30.3 |
107 | Quarantine | 10.14.31.0/24 | 10.14.31.1 | 10.14.31.2 | 10.14.31.3 |
Summary | ——– | 10.14.24.0/21 | ——– | ——– | ——– |
SFOBR-ECB1-1 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 1/1/23 | SFOBR-ECB1-CR1(STK) |
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | 1/1/24 | SFOBR-ECB1-CR1(STK) |
MPLS Uplink | ——– | WAN1 | ——– | ——– |
Internet Uplink | DHCP (VLAN 4085) | WAN0 | ——– | ——– |
SFOBR-ECB1-2 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/2 | 2/1/23 | SFOBR-ECB1-CR1(STK) |
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | GE0/0/3 | 2/1/24 | SFOBR-ECB1-CR1(STK) |
MPLS Uplink | MPLS (VLAN 4085) | WAN1 | ——– | ——– |
Internet Uplink | ——– | WAN0 | ——– | ——– |