Deployment Plan
After further discussion, reference company OWL revealed additional details about the SD-WAN deployment project. OWL has a requirement for two branch sizes: a high-traffic site and a low-traffic site.
The implementation addresses both site designs and their individual requirements, as listed below.
Branch Requirements:
Wi-Fi should be the main connection used by employees. Ethernet connections should be available for use as needed. Ensure that the switchport count is sufficient for all users.
Access points should be mounted to the ceiling, not above the ceiling tile in plenum space or behind any barrier that may cause signal reflection or attenuation.
Wireless coverage is required.
Employees use Office 365 and Microsoft Teams for communications, along with other business productivity apps (Salesforce, SAP, etc.).
Sites use IoT devices such as smart thermostats, smart access control, and meeting room kiosks.
Sites must be able to upgrade with hitless failover.
Sites have a single MPLS connection (10 Mbps download, 5 Mbps upload) and a single Internet connection (100 Mbps download, 25 Mbps upload). Both are delivered as RJ-45 drops.
Employee and guest SSIDs must be provided.
High Traffic Site Characteristics
- 15,000 square feet, closed office space
- High traffic sites support up to 200 employees, each with a docking station and a laptop.
- 50 large workspaces
- 40 small workspaces
- 30-50 open workspaces
- 13 conference rooms
- 3 IDFs
- 1 MDF/Computer Room
Required Equipment
Quantity | SKU | Description |
---|---|---|
1 | xxxxx | EdgeConnect SD-WAN Cloud Orchestrator |
2 | EC-XS | Bandwidth: 2 - 1000 Mbps; Connections: 256,000; Interfaces: 4 port RJ-45, 10/100/1000 BaseT |
2 | 6300F (JL663A) | 48x 10/100/1000 BaseT ports; 4x 1G/10G/25G/50G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; 1x Bluetooth dongle for use with the CX Mobile App |
4 | 6200F (JL725A) | 48x 10/100/1000 BaseT ports; 4x 1G/10G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; 1x Bluetooth dongle for use with the CX Mobile App |
11 | Aruba 505 (R2H29A) | 1.49 Gbps maximum real-world speed (HE80/HE20); WPA3 and Enhanced Open security; built-in technology that resolves sticky client issues for Wi-Fi 6 and Wi-Fi 5 devices; OFDMA for enhanced multi-user efficiency; IoT-ready Bluetooth 5 and Zigbee support |
Note: Equipment listed may not be the same equipment used in the guide; however, the configuration is similar.
Low Traffic Site Characteristics
- 3750 square feet, closed office space
- Low-traffic sites support up to 30 employees, each with a docking station and a laptop.
- 10 large workspaces
- 12 small workspaces
- 18 open workspaces
- 4 conference rooms
- 1 IDF
- 1 MDF/Computer Room
Required Equipment
Quantity | SKU | Description |
---|---|---|
2 | EC-XS | Bandwidth: 2 - 1000 Mbps; Connections: 256,000; Interfaces: 4 port RJ-45, 10/100/1000 BaseT |
2 | 6300F (JL663A) | 48x 10/100/1000 BaseT ports; 4x 1G/10G/25G/50G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; 1x Bluetooth dongle for use with the CX Mobile App |
6 | Aruba 505 (R2H29A) | 1.49 Gbps maximum real-world speed (HE80/HE20); WPA3 and Enhanced Open security; built-in technology that resolves sticky client issues for Wi-Fi 6 and Wi-Fi 5 devices; OFDMA for enhanced multi-user efficiency; IoT-ready Bluetooth 5 and Zigbee support |
Note: Equipment listed may not be the same equipment used in the guide; however, the configuration is similar.
Hub Required Equipment
Quantity | SKU | Description |
---|---|---|
2 | EC-S | Bandwidth: 2 - 1000 Mbps; Connections: 256,000; Interfaces: 4 port RJ-45, 10/100/1000 BaseT |
Note: Equipment listed may not be the same equipment used in the guide; however, the configuration is similar.
Configuration Standard
The following standards serve as a guide for the deployment of the SD-WAN solution. Different configuration standards are used for the hub and for the branch sites.
Policy Configuration
- A LAN Zone should be created for devices that can communicate with one another. This includes cameras, employee devices, and critical VLANs.
- A Reject Zone should be created for devices that need to attempt onboarding again; devices in this zone should be able to communicate only with onboarding services.
- An IoT Zone should be created to group IoT devices (building management, smart thermostats, and meeting room kiosks). This zone should be able to communicate only with the WAN Zone.
- A quarantine segment for infected devices must use the default zone and allow only WAN access to reach the Internet and the Honeypot network.
- A guest traffic segment must use the default zone and allow access only to onboarding services such as captive portal, DHCP, and DNS.
- Switches use the following Local User Roles: Guest, Employee, Camera, Badge Access, Meeting Room, Thermostat, Reject, Critical Auth, Quarantine.
Note: This deployment does not require additional Business Intent Overlays (BIOs), since they are not required for segmentation.
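The zone rules above, encoded as a default-deny allow-list and run over constructed flow records so the lateral paths the design is meant to block (IoT to employee, guest to employee, quarantine to camera) show up as denials. This is an added example, not the project's configuration; the Onboarding and Honeypot pseudo-zones and the LAN-to-WAN/Onboarding rows are assumptions, and the VLAN ids come from the Chicago table further down.

```python
"""Zone policy for the OWL branch design as a default-deny allow-list (added
example, not the project's configuration). Zone names and VLAN ids come from the
page; the Onboarding/Honeypot pseudo-zones and LAN->WAN/Onboarding are assumed."""
from enum import Enum

class Zone(Enum):
    LAN = "LAN"                 # cameras, employee devices, critical VLANs
    IOT = "IoT"                 # building management, thermostats, kiosks
    REJECT = "Reject"           # devices that must onboard again
    GUEST = "Guest"
    QUARANTINE = "Quarantine"   # infected devices
    WAN = "WAN"
    ONBOARDING = "Onboarding"   # captive portal, DHCP, DNS (assumed pseudo-zone)
    HONEYPOT = "Honeypot"       # assumed pseudo-zone

# VLAN-to-zone mapping taken from the Chicago branch VLAN table.
VLAN_ZONE = {101: Zone.LAN, 102: Zone.LAN, 106: Zone.LAN, 103: Zone.IOT,
             104: Zone.GUEST, 105: Zone.REJECT, 107: Zone.QUARANTINE}

# Allow-list per source zone; anything not listed is denied.
ALLOW = {
    Zone.LAN: {Zone.LAN, Zone.WAN, Zone.ONBOARDING},   # LAN->WAN/Onboarding assumed
    Zone.IOT: {Zone.WAN},
    Zone.REJECT: {Zone.ONBOARDING},
    Zone.GUEST: {Zone.ONBOARDING},
    Zone.QUARANTINE: {Zone.WAN, Zone.HONEYPOT},
}

def permitted(src: Zone, dst: Zone) -> bool:
    """True only when the allow-list names the (src, dst) pair."""
    return dst in ALLOW.get(src, set())

def audit(flow_lines):
    """Return (src_zone, dst_zone) for every flow the policy would deny.
    Each line is 'src_vlan,dst' where dst is a VLAN id or a zone name."""
    denied = []
    for line in flow_lines:
        src_s, dst_s = (f.strip() for f in line.split(","))
        src = VLAN_ZONE[int(src_s)]
        dst = VLAN_ZONE[int(dst_s)] if dst_s.isdigit() else Zone[dst_s.upper()]
        if not permitted(src, dst):
            denied.append((src.value, dst.value))
    return denied

# Constructed sample flows (not taken from the page).
SAMPLE_FLOWS = [
    "101,106",         # employee -> critical: both LAN, allowed
    "103,101",         # thermostat -> employee laptop: lateral move, denied
    "103,WAN",         # thermostat -> cloud service: allowed
    "104,101",         # guest -> employee: denied
    "107,102",         # quarantined host -> camera: denied
    "105,Onboarding",  # rejected device -> captive portal/DHCP/DNS: allowed
]
```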
Hub Site Configuration
- Gateways will be connected to the services aggregation block in the OWL campus network.
- Gateways will use OSPF to peer with the campus service aggregation.
- Gateways will have redundant connections to each aggregation block.
- Gateways will have redundant Internet and MPLS connections.
- Gateways will use eBGP for MPLS connectivity.
- The standby EdgeConnect appliance will have a lower metric than the primary to ensure route symmetry.
- EdgeConnect SD-WAN appliances will summarize campus routes before redistribution into the SD-WAN Fabric.
RSVDC-ECE-1 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
OSPF Uplink 1 | 172.18.106.50/31 | LAN0 | 172.18.106.51/31 | RSVCP-CR1-SS2-1 |
OSPF Uplink 2 | 172.18.106.54/31 | LAN1 | 172.18.106.55/31 | RSVCP-CR1-SS2-2 |
MPLS Uplink | 100.100.7.2/28 (BGP AS 65200) | WAN1 | 100.100.7.1 | (BGP AS 65534) |
Internet Uplink | Static IP | WAN0 | ——- | ——- |
Loopback | 10.14.254.113/32 | ——- | ——- | ——- |
RSVDC-ECE-2 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
OSPF Uplink 1 | 172.18.106.52/31 | LAN0 | 172.18.106.53/31 | RSVCP-CR1-SS2-1 |
OSPF Uplink 2 | 172.18.106.56/31 | LAN1 | 172.18.106.57/31 | RSVCP-CR1-SS2-2 |
MPLS Uplink | 100.100.7.3/28 (BGP AS 65200) | WAN1 | 100.100.7.1 | (BGP AS 65534) |
Internet Uplink | Static IP | WAN0 | ——- | ——- |
Loopback | 10.14.254.114/32 | ——- | ——- | ——- |
Branch Site End-to-End ZTP
High-traffic and low-traffic sites both require end-to-end ZTP for provisioning network devices. The section below describes how to execute this process; the steps are illustrated further in the configuration.
Note: If the collapsed core switches are VSX, basic pre-configuration would need to be applied.
Step 1 Complete cabling between switch stack members.
Step 2 Use auto-stacking to stack switches before onboarding to Central.
Step 3 Interconnect all APs and switches.
Step 4 Connect Gateway 1 to uplinks.
Step 5 Gateway 1 receives DHCP from the INET ISP and reaches out to Orchestrator to receive its configuration.
Step 6 Temporarily connect Gateway 2 to the INET uplink.
Step 7 The gateway receives DHCP from the INET ISP and reaches out to Orchestrator to obtain configuration.
Step 8 After configuration, move Gateway 2 back to MPLS.
Step 9 Ensure that Gateway 1 is reconnected to INET, if needed.
Note: The DHCP server is configured on the MGMT VLAN interface of the SD-WAN gateways, and the LAN ports on the SD-WAN gateways are configured as trunks with a native VLAN serving as the MGMT VLAN.
Step 10 Core 1 and 2 receive DHCP from the Gateway and reach out to Central.
Step 11 Collapsed core switches obtain their configuration. Their uplinks become trunks with the MGMT VLAN as native, and the VSX pair is formed.
Step 12 Access switches and APs onboard. They receive DHCP from the SD-WAN Gateways.
High Traffic Branch Site Configuration
- All network infrastructure should use ZTP for provisioning.
- Gateway 1 will use WAN0 Port for INET connectivity.
- Gateway 2 will use WAN1 eBGP for MPLS connectivity.
- Gateways will be connected using LAN0 to enable WAN HA.
- Gateways will use LAN 1 to trunk listed VLANs down to the access switches’ highest ethernet port.
- Gateways will use VRRP and be the default gateway for the site.
- Gateways will enable RADIUS snooping.
- Gateways should be version 9.2 or higher.
- Gateways will use DHCP relay for addressing devices.
- Access switches will use the standard feature template (MOTD, RADIUS, TACACS, User-Roles, STP, etc.).
- The first 12 ports on access switching will be reserved for the access points.
- All IoT devices will be reserved for the next 24 ports.
- Workstations will be reserved for the last 12 ports (special case ports).
- Access points should have two SSIDs for Guest and Corporate access.
Chicago Branch Details
VLAN ID | Description | Network | Default Gateway (VRRP) | CHIBR-ECE-1 IP Address | CHIBR-ECE-2 IP Address |
---|---|---|---|---|---|
100 | MGMT VLAN | 10.14.32.0/24 | 10.14.32.1 | 10.14.32.2 | 10.14.32.3 |
101 | Employee | 10.14.33.0/24 | 10.14.33.1 | 10.14.33.2 | 10.14.33.3 |
102 | Camera | 10.14.34.0/24 | 10.14.34.1 | 10.14.34.2 | 10.14.34.3 |
103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.35.0/24 | 10.14.35.1 | 10.14.35.2 | 10.14.35.3 |
104 | Guest | 10.14.36.0/24 | 10.14.36.1 | 10.14.36.2 | 10.14.36.3 |
105 | Reject | 10.14.37.0/24 | 10.14.37.1 | 10.14.37.2 | 10.14.37.3 |
106 | Critical | 10.14.38.0/24 | 10.14.38.1 | 10.14.38.2 | 10.14.38.3 |
107 | Quarantine | 10.14.39.0/24 | 10.14.39.1 | 10.14.39.2 | 10.14.39.3 |
Loopback0 | Loopback | 10.14.254.0/24 | ——- | 10.14.254.115 | 10.14.254.116 |
Note: The first 20 IP addresses in each subnet will be reserved.
Site summary address: 10.14.32.0/21
CHI-ECE-1 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
WAN HA | ——- | LAN0 | ——- | CHI-ECE-2 |
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | LAN1 | ——- | CHI-ECE-CR-1 |
MPLS Uplink | ——- | WAN1 | ——- | ——- |
Internet Uplink | DHCP | WAN0 | ——- | ——- |
CHI-ECE-2 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
WAN HA | ——- | LAN0 | ——- | CHI-ECE-1 |
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | LAN1 | ——- | CHI-ECE-CR-2 |
MPLS Uplink | 100.100.7.50/28 (BGP AS 65201) | WAN1 | 100.100.7.51/28 | (BGP AS 65534) |
Internet Uplink | ——- | WAN0 | ——- | ——- |
CHI-ECE-CR-1 | Local IP address | Port | Peer port | Peer Device |
---|---|---|---|---|
MGMT IP | 10.14.32.4 | ——- | ——- | ——- |
Gateway Uplink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/24 | LAN0 | CHI-ECE-CR-1 |
Access downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/21 | 1/1/23 | CHI-CR1-ACC-1 |
Access downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/22 | 1/1/24 | CHI-CR1-ACC-2 |
CHI-ECE-CR-2 | Local IP address | Port | Peer port | Peer Device |
---|---|---|---|---|
MGMT IP | 10.14.32.5 | ——- | ——- | ——- |
Gateway Uplink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/24 | LAN0 | CHI-ECE-CR-2 |
Access downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/21 | 1/1/23 | CHI-CR1-ACC-1 |
Access downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/22 | 1/1/24 | CHI-CR1-ACC-2 |
Low Traffic Branch Site Configuration
- All network infrastructure should use ZTP for provisioning.
- Gateway will use WAN0 Port for INET connectivity.
- Gateway will use WAN1 eBGP for MPLS connectivity.
- Gateway will use LAN 0 to trunk listed VLANs down to the access switches’ highest ethernet port.
- Gateway will be the default gateway for the site.
- Gateway will enable RADIUS snooping.
- Gateway should be version 9.2 or higher.
- Gateway will use DHCP relay for addressing devices.
- Access switches will use the standard feature template (MOTD, RADIUS, TACACS, User-Roles, STP, etc.).
- The first 12 Ports on access switching will be reserved for the access points.
- All IoT devices will be reserved for the next 24 ports.
- Workstations will be reserved for the last 12 ports (special case ports).
- Access points should have two SSIDs for Guest and Corporate access.
Portland Branch Details
VLAN ID | Description | Network | PORBR-ECE-1 IP Address |
---|---|---|---|
100 | MGMT VLAN | 10.14.40.0/24 | 10.14.40.1 |
101 | Employee | 10.14.41.0/24 | 10.14.41.1 |
102 | Camera | 10.14.42.0/24 | 10.14.42.1 |
103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.43.0/24 | 10.14.43.1 |
104 | Guest | 10.14.44.0/24 | 10.14.44.1 |
105 | Reject | 10.14.45.0/24 | 10.14.45.1 |
106 | Critical | 10.14.46.0/24 | 10.14.46.1 |
107 | Quarantine | 10.14.47.0/24 | 10.14.47.1 |
Loopback0 | Loopback | 10.14.254.0/24 | 10.14.254.117 |
Note: The first 20 IP addresses in each subnet will be reserved.
Site summary address: 10.14.40.0/21
PORBR-ECE1 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | LAN0 | Trunk | POR-ACC-1 |
MPLS Uplink | 100.100.7.58/29 (BGP AS 65202) | WAN1 | 100.100.7.58/29 | (BGP AS 65534) |
Internet Uplink | DHCP | WAN0 | ——- | ——- |
Boise Branch Details
VLAN ID | Description | Network | BOIBR-ECE-1 IP Address |
---|---|---|---|
100 | MGMT VLAN | 10.14.48.0/24 | 10.14.48.1 |
101 | Employee | 10.14.49.0/24 | 10.14.49.1 |
102 | Camera | 10.14.50.0/24 | 10.14.50.1 |
103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.51.0/24 | 10.14.51.1 |
104 | Guest | 10.14.52.0/24 | 10.14.52.1 |
105 | Reject | 10.14.53.0/24 | 10.14.53.1 |
106 | Critical | 10.14.54.0/24 | 10.14.54.1 |
107 | Quarantine | 10.14.55.0/24 | 10.14.55.1 |
Loopback0 | Loopback | 10.14.254.0/24 | 10.14.254.118 |
Note: The first 20 IP addresses in each subnet will be reserved.
Site summary address: 10.14.48.0/21
BOI-ECE1 | Local IP address | Port | Peer IP address | Peer Device |
---|---|---|---|---|
Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | LAN0 | Trunk | BOI-ACC-1 |
MPLS Uplink | 100.100.7.66/29 (BGP AS 65203) | WAN1 | 100.100.7.55/29 | (BGP AS 65534) |
Internet Uplink | DHCP | WAN0 | ——- | ——- |
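A consistency check over the Chicago, Portland and Boise address tables above: each VLAN subnet must fall inside the site summary prefix, the static gateway and appliance addresses must sit inside the first 20 reserved addresses of their subnet (so the DHCP relay cannot hand them to a client), the MPLS uplink peer must share the local interface's subnet, and no two site summaries may overlap. This is an added example, not part of the deployment plan; the values are transcribed from the tables and the check rules are the example's own.

```python
"""Address-plan checks for the OWL branch tables (added example, not part of the
plan). Values are transcribed from the page; the check rules are this example's own."""
import ipaddress as ip
RESERVED_HOSTS = 20  # "The first 20 IP addresses in each subnet will be reserved."

# Per site: summary prefix, VLAN subnets with their static addresses, MPLS (local, peer).
SITES = {
    "Chicago": {"summary": "10.14.32.0/21",
                "vlans": {100: ("10.14.32.0/24", ["10.14.32.1", "10.14.32.2", "10.14.32.3"]),
                          107: ("10.14.39.0/24", ["10.14.39.1", "10.14.39.2", "10.14.39.3"])},
                "mpls": ("100.100.7.50/28", "100.100.7.51")},
    "Portland": {"summary": "10.14.40.0/21",
                 "vlans": {100: ("10.14.40.0/24", ["10.14.40.1"])},
                 "mpls": ("100.100.7.58/29", "100.100.7.58")},
    "Boise": {"summary": "10.14.48.0/21",
              "vlans": {100: ("10.14.48.0/24", ["10.14.48.1"])},
              "mpls": ("100.100.7.66/29", "100.100.7.55")},
}

def check_site(name, site):
    """Return findings for one site; an empty list means the plan is consistent."""
    findings = []
    summary = ip.ip_network(site["summary"])
    for vid, (cidr, addrs) in site["vlans"].items():
        net = ip.ip_network(cidr)
        if not net.subnet_of(summary):
            findings.append(f"{name} VLAN {vid}: {cidr} outside summary {summary}")
        for a in addrs:
            addr = ip.ip_address(a)
            # Static addresses must be inside the VLAN subnet and within the
            # reserved block, so DHCP cannot hand the same address to a client.
            if addr not in net:
                findings.append(f"{name} VLAN {vid}: {a} not in {cidr}")
            elif int(addr) - int(net.network_address) > RESERVED_HOSTS:
                findings.append(f"{name} VLAN {vid}: {a} outside reserved range")
    iface, peer_ip = ip.ip_interface(site["mpls"][0]), ip.ip_address(site["mpls"][1])
    if peer_ip == iface.ip:
        findings.append(f"{name} MPLS: peer address equals local address {peer_ip}")
    elif peer_ip not in iface.network:
        findings.append(f"{name} MPLS: peer {peer_ip} outside {iface.network}")
    return findings

def check_all(sites=SITES):
    """Findings for every site plus any pair of site summaries that overlap."""
    findings = [f for n, s in sites.items() for f in check_site(n, s)]
    nets = {n: ip.ip_network(s["summary"]) for n, s in sites.items()}
    names = sorted(nets)
    findings += [f"{a}/{b}: summaries overlap" for i, a in enumerate(names)
                 for b in names[i + 1:] if nets[a].overlaps(nets[b])]
    return findings
```

Run against the tables as printed, the check reports the Portland MPLS row (peer address equal to the local address) and the Boise MPLS row (peer outside the local /29); Chicago passes.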