Link Search Menu Expand Document
calendar_month 07-Mar-24

Reference Architectures

The integration of Aruba SD-WAN and ZIA allows for a wide variety of scenarios. This section describes the most common ones, which are validated by Aruba. As called out above, both IPSec as well as GRE are supported integrations. Different scenarios are supported for IPSec/GRE.

Table of contents

IPsec Based Integration

Headend Gateway (VPNC) to ZIA

Branch traffic is often aggregated at a local hub and then routed to the Internet or to other corporate resources. This case is especially common when using private WAN networks. In such scenarios, Aruba VPNCs can set up tunnels to the nearest ZIA Service Edge to have branch traffic go through additional security validations.

Tunnels to Regional DCs

Branch Gateway or Microbranch connecting to ZIA

Aruba Branch Gateways (BGWs) can establish IPSec tunnels to one (or ideally two) ZIA Public Service Edges nodes from as many as four uplink interfaces to secure user traffic going to public cloud services or to the Internet, thus providing high availability. The solution supports manually setting destination ZIA Public Service Edge for each BGW. It also provides the possibility of having the SD-WAN Orchestrator learn the closest two nodes for each branch location and automatically establish tunnels to them.

An equivalent solution is also available for Microbranch, although in this case only with support for orchestrated tunnels, and with a smaller number of active uplink interefaces.

ZIA Tunnel Orchestration

Branch Gateway Redundancy

When redundancy is required inside the branch, Branch Gateways can share uplink interfaces with their HA pairs. This is done by establishing a virtual uplink through the LAN to share such interfaces. The result, as shown in the image below, is that each Branch Gateway would have “physical” uplinks as well as “virtual” uplinks.

Branch Gateway HA

In a scenario like this, each Branch Gateway establishes tunnels to the ZIA service through all uplink interfaces (physical and virtual). Both BGWs can be defined in ZIA as a single “Location” and use the same VPN credentials, or as two “Locations” with different credentials for each Gateway. Both operating modes are supported.

ZIA tunnels with Uplink Sharing

Redundancy of ZIA Service Edges

As shown in the Branch to ZIA reference drawings, load-balancing and Dynamic Path Selection mechanisms would take care of WAN circuit redundancy. However, that may not be sufficient in the unlikely event that a ZIA Public Service Edge would become unavailable. In order to address that, the SD-Branch or Microbranch integration with ZIA makes use of L7 probes sent to ZIA nod es as well as Dead Peer Detection (DPD) protocol to ensure traffic doesn’t get blackholed.

ZIA Service Edge Redundancy

Moreover, when the orchestration is enabled, Aruba Central constantly monitors the availability of ZIA Service Edges to always have each Gateway or Microbranch connected to the closest nodes.

Note: Tunnels to redundant ZIA nodes are supported for all topologies displayed above; Branch Gateways to ZIA, Microbranch to ZIA, and Headend Gateways to ZIA.

GRE Based Integration

As described above, gateways would establish GRE tunnels to two ZIA Public Service Edges (ideally, for redundancy purposes). GRE tunnels would then be grouped into a GRE Tunnel Group to handle failover automatically.

When a GRE Tunnel group is established, Gateways send traffic over the active tunnel. GRE Tunnel Keepalives are needed to provide failover. Once the GRE tunnels are grouped together, if the active tunnel were to go down, traffic would be seamlessly forwarded through the next tunnel in the group. Aruba Gateways support up to 4 GRE tunnels in a tunnel group, with only one being active at a given time.

GRE Tunnel Group

Aruba Branch Gateways to ZIA

When GRE tunnels are used to integrate with the ZIA service, tunnels would be created to two ZIA Public Service Edges from a maximum of 2 uplink interfaces. This would add up to a total of 4 GRE tunnels inside the Tunnel Group. Once the Tunnel-Group is created, traffic would be selectively redirected to it using PBR policies.

Redirect GRE to Tunnel group

Headend Gateways to ZIA

In the same sense that Branch Gateways can use GRE tunnels to integrate with the ZIA service, VPNCs can also do so. Branch traffic is often aggregated at a local hub before being sent to the Internet, this use-case becomes especially relevant when private WAN circuits are in use.


Gateway Redundancy

To provide redundancy in a given location (branch or hub), Tunnel Groups would have to be created from every gateway. As a recommended best-practice, upstream traffic should only come from a single gateway at a time.

Note: Uplink sharing would require that both BGWs would share the same public IP address, which is not something that can be supported with GRE tunnels. It is therefore mandatory that, when using GRE tunnels, each gateway must be connected to all Internet-facing uplinks, with a unique publicly routable IP address in every uplink.

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.