07-Mar-24

Deployment Plan

After further discussion, reference company OWL revealed additional details about the SD-WAN deployment project. OWL has a requirement for two branch sizes: a high-traffic site and a low-traffic site.


The implementation addresses both site designs and their individual requirements, as listed below.

Branch Requirements:

  • Wi-Fi should be the main connection used by employees. Ethernet connections should be available for use as needed. Ensure that enough switch ports are available for all users.

  • Access points should be mounted to the ceiling, not above the ceiling tile in plenum space or behind any barrier that may cause signal reflection or attenuation.

  • Wireless coverage is required.

  • Employees use Office 365 and Microsoft Teams for communications, along with other business productivity apps (Salesforce, SAP, etc.).

  • Sites use IoT devices such as smart thermostats, smart access control, and meeting room kiosks.

  • Sites must be able to upgrade with hitless failover.

  • Sites have a single MPLS connection (10 Mbps download, 5 Mbps upload) and a single Internet connection (100 Mbps download, 25 Mbps upload). Both are RJ-45 drops.

  • Employee and guest SSIDs must be provided.

High Traffic Site Characteristics

  • 15,000 square feet, closed office space
  • High-traffic sites support up to 200 employees, each with a docking station and a laptop.
  • 50 large workspaces
  • 40 small workspaces
  • 30-50 open workspaces
  • 13 conference rooms
  • 3 IDFs
  • 1 MDF/Computer Room

Required Equipment

| Quantity | SKU | Description |
| --- | --- | --- |
| 1 | xxxxx | EdgeConnect SD-WAN Cloud Orchestrator |
| 2 | EC-XS | Bandwidth: 2 - 1000 Mbps; Connections: 256,000; Interfaces: 4 port RJ-45, 10/100/1000 BaseT |
| 2 | 6300F (JL663A) | 48x 10/100/1000 BaseT ports; 4x 1G/10G/25G/50G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; 1x Bluetooth dongle to be used with the CX Mobile App |
| 4 | 6200F (JL725A) | 48x 10/100/1000 BaseT ports; 4x 1G/10G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; 1x Bluetooth dongle to be used with the CX Mobile App |
| 11 | Aruba 505 (R2H29A) | 1.49 Gbps maximum real-world speed (HE80/HE20); WPA3 and Enhanced Open security; built-in technology that resolves sticky client issues for Wi-Fi 6 and Wi-Fi 5 devices; OFDMA for enhanced multi-user efficiency; IoT-ready Bluetooth 5 and Zigbee support |

Note: Equipment listed may not be the same equipment used in the guide; however, the configuration is similar.

[Figure: Medium_branch]

Low Traffic Site Characteristics

  • 3750 square feet, closed office space
  • Low-traffic sites support up to 30 employees, each with a docking station and a laptop.
  • 10 large workspaces
  • 12 small workspaces
  • 18 open workspaces
  • 4 conference rooms
  • 1 IDF
  • 1 MDF/Computer Room

Required Equipment

| Quantity | SKU | Description |
| --- | --- | --- |
| 2 | EC-XS | Bandwidth: 2 - 1000 Mbps; Connections: 256,000; Interfaces: 4 port RJ-45, 10/100/1000 BaseT |
| 2 | 6300F (JL663A) | 48x 10/100/1000 BaseT ports; 4x 1G/10G/25G/50G SFP ports; 1x USB-C console port; 1x OOBM port; 1x USB Type A host port; 1x Bluetooth dongle to be used with the CX Mobile App |
| 6 | Aruba 505 (R2H29A) | 1.49 Gbps maximum real-world speed (HE80/HE20); WPA3 and Enhanced Open security; built-in technology that resolves sticky client issues for Wi-Fi 6 and Wi-Fi 5 devices; OFDMA for enhanced multi-user efficiency; IoT-ready Bluetooth 5 and Zigbee support |

Note: Equipment listed may not be the same equipment used in the guide; however, the configuration is similar.

[Figure: Small_branch_setup]

Hub Required Equipment

| Quantity | SKU | Description |
| --- | --- | --- |
| 2 | EC-S | Bandwidth: 2 - 1000 Mbps; Connections: 256,000; Interfaces: 4 port RJ-45, 10/100/1000 BaseT |

Note: Equipment listed may not be the same equipment used in the guide; however, the configuration is similar.

[Figure: Full_deployment]

Configuration Standard

The following standards serve as a guide for the deployment of the SD-WAN solution. Different configuration standards are used for the hub and for the branch sites.

Policy Configuration

  • A LAN Zone should be created for devices that can communicate with one another. This includes cameras, employee devices, and critical VLANs.
  • A Reject Zone should be created for devices that need to attempt onboarding again; devices in this zone should be able to communicate only with onboarding services.
  • An IoT Zone should be created to group IoT devices (building management, smart thermostats, and meeting room kiosks). This zone should be able to communicate only with the WAN Zone.
  • A quarantine segment for an infected device must use the default zone and allow only WAN access to the Internet and the Honeypot network.
  • A guest traffic segment must use the default zone and allow access only to onboarding services such as the captive portal, DHCP, and DNS.
  • Switches use the following Local User Roles: Guest, Employee, Camera, Badge Access, Meeting Room, Thermostat, Reject, Critical Auth, Quarantine.

Note: This deployment does not require additional BIOs (Business Intent Overlays), since they are not required for segmentation.
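The zone rules above written out as an explicit allow-list with default deny, so a proposed flow can be checked against the plan before it is pushed. This is an added Python example, not Orchestrator configuration or code from the guide; the zone and service names are labels chosen here, VLAN 100 (MGMT) is left unassigned because the plan does not place it in a zone, and the LAN-to-WAN entry is an assumption the plan does not state.

```python
"""Segmentation rules from the policy configuration as an allow-list; any
(source, destination) pair not listed is denied (default deny)."""
from typing import FrozenSet, Tuple, Union

# Zone membership of the branch VLANs. VLAN 100 (MGMT) is not placed in a
# zone by the plan and is intentionally absent.
ZONE_OF_VLAN = {
    101: "LAN",         # Employee
    102: "LAN",         # Camera
    106: "LAN",         # Critical
    103: "IoT",         # thermostats, access control, meeting room kiosks
    105: "Reject",      # devices that must onboard again
    104: "Guest",       # default zone, guest segment
    107: "Quarantine",  # default zone, infected devices
}
ZONES = frozenset(ZONE_OF_VLAN.values())

# Destinations that are services rather than zones (names chosen here;
# "Onboarding" stands for captive portal, DHCP and DNS).
SERVICES = frozenset({"Onboarding", "WAN", "Honeypot"})

ALLOWED: FrozenSet[Tuple[str, str]] = frozenset({
    ("LAN", "LAN"),              # LAN zone members talk to one another
    ("LAN", "WAN"),              # assumption: employees reach Office 365 etc.
    ("Reject", "Onboarding"),    # Reject zone: onboarding services only
    ("IoT", "WAN"),              # IoT zone: WAN zone only
    ("Quarantine", "WAN"),       # Quarantine: Internet via WAN ...
    ("Quarantine", "Honeypot"),  # ... and the honeypot network
    ("Guest", "Onboarding"),     # Guest: captive portal, DHCP and DNS only
})

Endpoint = Union[int, str]

def zone_of(endpoint: Endpoint) -> str:
    """Resolve a VLAN ID, zone name or service name to its policy label."""
    if isinstance(endpoint, int):
        return ZONE_OF_VLAN[endpoint]  # KeyError for a VLAN with no zone
    if endpoint in ZONES or endpoint in SERVICES:
        return endpoint
    raise ValueError(f"unknown endpoint {endpoint!r}")

def flow_allowed(src: Endpoint, dst: Endpoint) -> bool:
    """True only if the plan explicitly permits src -> dst."""
    return (zone_of(src), zone_of(dst)) in ALLOWED

def denied_flows(flows):
    """Reduce a list of proposed (src, dst) flows to those the plan denies."""
    return [(s, d) for s, d in flows if not flow_allowed(s, d)]
```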

Hub Site Configuration

  • Gateways will be connected to the services aggregation block in the OWL campus network.
  • Gateways will use OSPF to peer with the campus service aggregation.
  • Gateways will have redundant connections to each aggregation block.
  • Gateways will have redundant Internet and MPLS connections.
  • Gateways will use eBGP for MPLS connectivity.
  • The standby EdgeConnect appliance will have a lower metric than the primary to ensure route symmetry.
  • EdgeConnect SD-WAN appliances will summarize campus routes before redistribution into the SD-WAN Fabric.

| RSVDC-ECE-1 | Local IP address | Port | Peer IP address | Peer Device |
| --- | --- | --- | --- | --- |
| OSPF Uplink 1 | 172.18.106.50/31 | LAN0 | 172.18.106.51/31 | RSVCP-CR1-SS2-1 |
| OSPF Uplink 2 | 172.18.106.54/31 | LAN1 | 172.18.106.55/31 | RSVCP-CR1-SS2-2 |
| MPLS Uplink | 100.100.7.2/28 (BGP AS 65200) | WAN1 | 100.100.7.1 (BGP AS 65534) | - |
| Internet Uplink | Static IP | WAN0 | - | - |
| Loopback | 10.14.254.113/32 | - | - | - |

| RSVDC-ECE-2 | Local IP address | Port | Peer IP address | Peer Device |
| --- | --- | --- | --- | --- |
| OSPF Uplink 1 | 172.18.106.52/31 | LAN0 | 172.18.106.53/31 | RSVCP-CR1-SS2-1 |
| OSPF Uplink 2 | 172.18.106.56/31 | LAN1 | 172.18.106.57/31 | RSVCP-CR1-SS2-2 |
| MPLS Uplink | 100.100.7.3/28 (BGP AS 65200) | WAN1 | 100.100.7.1 (BGP AS 65534) | - |
| Internet Uplink | Static IP | WAN0 | - | - |
| Loopback | 10.14.254.114/32 | - | - | - |

Branch Site End-to-End ZTP

High-traffic and low-traffic sites both require end-to-end ZTP for provisioning network devices. The section below describes how to execute this process. These steps are illustrated further in the configuration.

Note: If the collapsed core switches are VSX, basic pre-configuration would need to be applied.

Full Branch ZTP

Step 1 Complete cabling between switch stack members.

Step 2 Use auto-stacking to stack switches before onboarding to Central.

Step 3 Interconnect all APs and switches.

Step 4 Connect Gateway 1 to uplinks.

Step 5 Gateway 1 receives DHCP from the INET ISP and reaches out to Orchestrator to receive its configuration.

Step 6 Temporarily connect Gateway 2 to the INET uplink.

Step 7 The gateway receives DHCP from the INET ISP and reaches out to Orchestrator to obtain configuration.

Step 8 After configuration, move Gateway 2 back to MPLS.

Step 9 Ensure that Gateway 1 is reconnected to INET, if needed.

Note: The DHCP server is configured on the MGMT VLAN interface of the SD-WAN gateways, and the LAN ports on the SD-WAN gateways are configured as trunks with the MGMT VLAN as the native VLAN.

Step 10 Core 1 and Core 2 receive DHCP from the Gateway and reach out to Central.

Step 11 Collapsed core switches obtain their configuration. Their uplinks become trunks with the MGMT VLAN as native, and the VSX pair is formed.

Step 12 Access switches and APs onboard. They receive DHCP from the SD-WAN Gateways.

High Traffic Branch Site Configuration

  • All network infrastructure should use ZTP for provisioning.
  • Gateway 1 will use WAN0 Port for INET connectivity.
  • Gateway 2 will use WAN1 eBGP for MPLS connectivity.
  • Gateways will be connected using LAN0 to enable WAN HA.
  • Gateways will use LAN 1 to trunk the listed VLANs down to the access switches’ highest Ethernet port.
  • Gateways will use VRRP and be the default gateway for the site.
  • Gateways will enable RADIUS snooping.
  • Gateways should be version 9.2 or higher.
  • Gateways will use DHCP relay for addressing devices.
  • Access switches will use the standard feature template (MOTD, RADIUS, TACACS, User-Roles, STP, etc.).
  • The first 12 ports on access switching will be reserved for the access points.
  • The next 24 ports will be reserved for IoT devices.
  • Workstations will be reserved for the last 12 ports (special case ports).
  • Access points should have two SSIDs for Guest and Corporate access.

Chicago Branch Details

| VLAN ID | Description | Network | Default Gateway (VRRP) | CHIBR-ECE-1 IP Address | CHIBR-ECE-2 IP Address |
| --- | --- | --- | --- | --- | --- |
| 100 | MGMT VLAN | 10.14.32.0/24 | 10.14.32.1 | 10.14.32.2 | 10.14.32.3 |
| 101 | Employee | 10.14.33.0/24 | 10.14.33.1 | 10.14.33.2 | 10.14.33.3 |
| 102 | Camera | 10.14.34.0/24 | 10.14.34.1 | 10.14.34.2 | 10.14.34.3 |
| 103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.35.0/24 | 10.14.35.1 | 10.14.35.2 | 10.14.35.3 |
| 104 | Guest | 10.14.36.0/24 | 10.14.36.1 | 10.14.36.2 | 10.14.36.3 |
| 105 | Reject | 10.14.37.0/24 | 10.14.37.1 | 10.14.37.2 | 10.14.37.3 |
| 106 | Critical | 10.14.38.0/24 | 10.14.38.1 | 10.14.38.2 | 10.14.38.3 |
| 107 | Quarantine | 10.14.39.0/24 | 10.14.39.1 | 10.14.39.2 | 10.14.39.3 |
| Loopback0 | Loopback | 10.14.254.0/24 | - | 10.14.254.115 | 10.14.254.116 |

Note: The first 20 IP addresses in each subnet will be reserved.
Site summary address: 10.14.32.0/21
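The addressing convention the Chicago table follows (and the Portland and Boise tables further down, where a single appliance sits at .1), as an added Python check that is not part of the plan: it derives each VLAN's subnet and appliance addresses from the site summary, flags table rows that deviate, and also verifies that a hub OSPF /31 pair really shares one /31. The reserved block is assumed here to mean .1 through .20, and all function names are chosen for this example.

```python
"""Checker for the OWL branch addressing convention: a /21 per site, VLAN 100+n
in the n-th /24, .1 as default gateway (VRRP at dual-gateway sites, where the
appliances take .2 and .3), and the first 20 host addresses reserved."""
import ipaddress

BRANCH_VLANS = (100, 101, 102, 103, 104, 105, 106, 107)  # MGMT .. Quarantine
RESERVED_HOSTS = 20

def branch_plan(summary: str, gateways: int) -> dict:
    """Return {vlan: (network, default_gateway, [appliance addresses])}."""
    site = ipaddress.ip_network(summary)
    if site.prefixlen != 21:
        raise ValueError("site summary must be a /21")
    subnets = list(site.subnets(new_prefix=24))  # eight /24s; VLAN offset = index
    plan = {}
    for vlan in BRANCH_VLANS:
        net = subnets[vlan - 100]
        gw = net.network_address + 1
        # Dual gateway: VRRP owns .1, ECE-1 is .2, ECE-2 is .3.
        # Single gateway: the appliance itself is .1 (as in the Portland table).
        appliances = [gw] if gateways == 1 else [gw + 1 + i for i in range(gateways)]
        plan[vlan] = (net, gw, appliances)
    return plan

def in_reserved_range(ip: str, network: str) -> bool:
    """True when ip is among the first RESERVED_HOSTS usable addresses of network
    (assumed here to mean .1 through .20)."""
    net = ipaddress.ip_network(network)
    first = net.network_address + 1
    return first <= ipaddress.ip_address(ip) < first + RESERVED_HOSTS

def check_row(summary: str, vlan: int, network: str, appliance_ips: list) -> list:
    """Compare one VLAN table row against the derived plan; return mismatches."""
    net, _gw, expected = branch_plan(summary, len(appliance_ips))[vlan]
    problems = []
    if ipaddress.ip_network(network) != net:
        problems.append(f"VLAN {vlan}: network {network} should be {net}")
    for given, want in zip(appliance_ips, expected):
        if ipaddress.ip_address(given) != want:
            problems.append(f"VLAN {vlan}: appliance {given} should be {want}")
        if not in_reserved_range(given, str(net)):
            problems.append(f"VLAN {vlan}: {given} is outside the reserved block")
    return problems

def same_point_to_point(local: str, peer: str) -> bool:
    """Hub OSPF uplinks are /31s: both ends must share one /31 and differ."""
    a, b = ipaddress.ip_interface(local), ipaddress.ip_interface(peer)
    return a.network.prefixlen == 31 and a.network == b.network and a.ip != b.ip
```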

| CHI-ECE-1 | Local IP address | Port | Peer IP address | Peer Device |
| --- | --- | --- | --- | --- |
| WAN HA | - | LAN0 | - | CHI-ECE-2 |
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | LAN1 | - | CHI-ECE1-CR-1 |
| MPLS Uplink | - | WAN1 | - | - |
| Internet Uplink | DHCP | WAN0 | - | - |

| CHI-ECE-2 | Local IP address | Port | Peer IP address | Peer Device |
| --- | --- | --- | --- | --- |
| WAN HA | - | LAN0 | - | CHI-ECE-1 |
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | LAN1 | - | CHI-ECE-CR-2 |
| MPLS Uplink | 100.100.7.50/28 (BGP AS 65201) | WAN1 | 100.100.7.51/28 (BGP AS 65534) | - |
| Internet Uplink | - | WAN0 | - | - |

| CHI-ECE-CR-1 | Local IP address | Port | Peer port | Peer Device |
| --- | --- | --- | --- | --- |
| MGMT IP | 10.14.32.4 | - | - | - |
| Gateway Uplink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/24 | LAN0 | CHI-ECE-CR-1 |
| Access downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/21 | 1/1/23 | CHI-CR1-ACC-1 |
| Access downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/22 | 1/1/24 | CHI-CR1-ACC-2 |

| CHI-ECE-CR-2 | Local IP address | Port | Peer port | Peer Device |
| --- | --- | --- | --- | --- |
| MGMT IP | 10.14.32.5 | - | - | - |
| Gateway Uplink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/24 | LAN0 | CHI-ECE-CR-2 |
| Access downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/21 | 1/1/23 | CHI-CR1-ACC-1 |
| Access downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | 1/1/22 | 1/1/24 | CHI-CR1-ACC-2 |

Low Traffic Branch Site Configuration

  • All network infrastructure should use ZTP for provisioning.
  • Gateway will use WAN0 Port for INET connectivity.
  • Gateway will use WAN1 eBGP for MPLS connectivity.
  • Gateway will use LAN 0 to trunk the listed VLANs down to the access switches’ highest Ethernet port.
  • Gateway will be the default gateway for the site.
  • Gateway will enable RADIUS snooping.
  • Gateway should be version 9.2 or higher.
  • Gateway will use DHCP relay for addressing devices.
  • Access switches will use the standard feature template (MOTD, RADIUS, TACACS, User-Roles, STP, etc.).
  • The first 12 ports on access switching will be reserved for the access points.
  • The next 24 ports will be reserved for IoT devices.
  • Workstations will be reserved for the last 12 ports (special case ports).
  • Access points should have two SSIDs for Guest and Corporate access.

Portland Branch Details

| VLAN ID | Description | Network | PORBR-ECE-1 IP Address |
| --- | --- | --- | --- |
| 100 | MGMT VLAN | 10.14.40.0/24 | 10.14.40.1 |
| 101 | Employee | 10.14.41.0/24 | 10.14.41.1 |
| 102 | Camera | 10.14.42.0/24 | 10.14.42.1 |
| 103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.43.0/24 | 10.14.43.1 |
| 104 | Guest | 10.14.44.0/24 | 10.14.44.1 |
| 105 | Reject | 10.14.45.0/24 | 10.14.45.1 |
| 106 | Critical | 10.14.46.0/24 | 10.14.46.1 |
| 107 | Quarantine | 10.14.47.0/24 | 10.14.47.1 |
| Loopback0 | Loopback | 10.14.254.0/24 | 10.14.254.117 |

Note: The first 20 IP addresses in each subnet will be reserved.
Site summary address: 10.14.40.0/21

| PORBR-ECE1 | Local IP address | Port | Peer IP address | Peer Device |
| --- | --- | --- | --- | --- |
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | LAN0 | Trunk | POR-ACC-1 |
| MPLS Uplink | 100.100.7.58/29 (BGP AS 65202) | WAN1 | 100.100.7.58/29 (BGP AS 65534) | - |
| Internet Uplink | DHCP | WAN0 | - | - |

Boise Branch Details

| VLAN ID | Description | Network | BOIBR-ECE-1 IP Address |
| --- | --- | --- | --- |
| 100 | MGMT VLAN | 10.14.48.0/24 | 10.14.48.1 |
| 101 | Employee | 10.14.49.0/24 | 10.14.49.1 |
| 102 | Camera | 10.14.50.0/24 | 10.14.50.1 |
| 103 | IoT (smart thermostats, smart access control, and meeting room kiosks) | 10.14.51.0/24 | 10.14.51.1 |
| 104 | Guest | 10.14.52.0/24 | 10.14.52.1 |
| 105 | Reject | 10.14.53.0/24 | 10.14.53.1 |
| 106 | Critical | 10.14.54.0/24 | 10.14.54.1 |
| 107 | Quarantine | 10.14.55.0/24 | 10.14.55.1 |
| Loopback0 | Loopback | 10.14.254.0/24 | 10.14.254.118 |

Note: The first 20 IP addresses in each subnet will be reserved.
Site summary address: 10.14.48.0/21

| BOI-ECE1 | Local IP address | Port | Peer IP address | Peer Device |
| --- | --- | --- | --- | --- |
| Access Downlink | Native VLAN: 100, Trunked VLAN: 101,102,103,104,105,106,107 | LAN0 | Trunk | BOI-ACC-1 |
| MPLS Uplink | 100.100.7.66/29 (BGP AS 65203) | WAN1 | 100.100.7.55/29 (BGP AS 65534) | - |
| Internet Uplink | DHCP | WAN0 | - | - |


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.