30-Sep-24

Traffic Forwarding through SSE

Once the IPsec tunnels are established, the next step is to make sure that the relevant traffic is forwarded through these tunnels to be inspected by the SSE. This is done using Policy Based Routing. The configurations to define such PBR policies are the same for fully orchestrated or semi-automated tunnels, but will vary depending on the type of edge device (Branch Gateway, Microbranch AP or VPNC).


Traffic Forwarding with a Branch Gateway

The next step would then be to organize tunnels in a “next-hop-list” so they can be used by WAN and routing policies.

To better understand how routing and WAN policies interact with each other: routing/PBR determines the next hop(s) and provides up to 4 active (best cost/priority) paths to the WAN engine. WAN policies (SaaS/DPS) then determine which of those paths is taken for each traffic flow. The diagram below explains how PBR and global routing coexist with WAN policies defined in DPS or SaaS Express:

PBR policies can be defined using the “advanced” and “basic” configuration workflows. Given the significant difference between these modes, both will be described below.

Advanced Configuration Workflow

Navigate to your Branch Gateway group level config and then Routing>NextHop Configuration. Click the ‘+’ sign under Nexthop table.

Provide a Nexthop-list name and scroll below to click the ‘+’ next to IPsec name map.

Create a new IPsec map with the following parameters and then click OK and later click Save Settings:

Forward Settings: Using Site-to-Site IPSec

Using site-to-site IPSec: Primary IPSec map

Uplink: Select your uplink

Priority: Select a value from 1 to 255. Remember that tunnels to the same SSE node should have the same priority.

Click OK and then Save Settings.

Tunnel Service Level Agreements

Optionally, you can also create/define an SLA (service level agreement) for each IPsec map. Setting an SLA sends either ICMP or HTTPS probes through the tunnel to check whether it is up and responsive.

Next, choose the probing mode of operation: Liveness mode or Performance mode.

Liveness checks will verify that the communication with the Probe Destination is possible through the tunnel.

Performance Mode allows the administrator to manually configure the Delay and Packet Loss thresholds beyond which a tunnel path is considered unacceptable for use. These performance thresholds are designed to steer traffic away from under-performing SSE nodes, not for tunnel failover. The thresholds used should be less aggressive than what you would configure in your Dynamic Path Steering policy.

It is recommended to measure the probe destination through every IPSec map to prevent a tunnel failover to an equal or worse tunnel path.

Repeat this step for each additional IPsec map as required.

Note: IP-SLA Profiles can also be configured under the group configuration in Advanced mode by navigating to Gateway>WAN>Health Check>IP-SLA Profiles.

Policy-Based Routing for Branch Gateway Traffic

Once the NextHop list is created, the next step is to create a policy that will send only web traffic (http and https) through tunnels to the Secure Web Gateway. Everything else should be configured to be forwarded regularly.

Navigate to your device level config and then Routing>Policy-Based Routing and then click ‘+’ under Policies.

Provide a name and click Save.

Click on the newly created policy, scroll towards the bottom and click ‘+’ to add Rules under this policy.

Add the 1st rule as shown below:

Add the 2nd rule as shown below:

Add the 3rd rule as shown below:

Policies and rules should look like this:

Applying the PBR policy to relevant VLANs

The next step is to assign the previously created policies to the relevant VLANs. In the example below, the policy is applied to a user VLAN.

Navigate to your device level config and then Security>Apply Policy >VLANs. Select the previously created ‘axis-sse-pbr’ policy under Route ACL for the user VLAN.
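The following is an added illustration, not Aruba Central code, of how the pieces configured above fit together: a next-hop list whose IPsec maps carry priorities and SLA probe results, and a three-rule PBR policy that sends only HTTP and HTTPS into the SSE tunnels while everything else is forwarded regularly. The tunnel names, the SLA thresholds and the fallback to regular routing when no tunnel is reachable are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class IpsecMap:
    """One tunnel in a next-hop list (constructed model of the GUI fields)."""
    name: str
    priority: int          # 1-255; higher value is preferred, as in the NHL above
    up: bool = True        # result of the liveness probe
    delay_ms: float = 0.0  # results of the performance probe
    loss_pct: float = 0.0


@dataclass
class PerformanceSla:
    max_delay_ms: float
    max_loss_pct: float


def active_paths(nhl, sla=None, max_paths=4):
    """Return up to max_paths usable tunnel names, best first, for the WAN engine.
    A failed liveness probe removes a tunnel (failover); a breached performance
    threshold only demotes it (steering), so a degraded tunnel is still used
    when no healthy one is left."""
    alive = [m for m in nhl if m.up]

    def degraded(m):
        return sla is not None and (m.delay_ms > sla.max_delay_ms
                                    or m.loss_pct > sla.max_loss_pct)

    # Healthy tunnels before degraded ones, then by descending priority.
    ordered = sorted(alive, key=lambda m: (degraded(m), -m.priority))
    return [m.name for m in ordered[:max_paths]]


# Constructed PBR policy mirroring the three rules above:
# (protocol, destination port, action); "nexthop" means use the SSE NHL.
PBR_RULES = [
    ("tcp", 80, "nexthop"),
    ("tcp", 443, "nexthop"),
    ("any", None, "forward-regularly"),
]


def route_flow(proto, dst_port, nhl, sla=None):
    """Evaluate the rules in order and return the chosen next hop for a flow."""
    for rule_proto, rule_port, action in PBR_RULES:
        if rule_proto not in ("any", proto) or rule_port not in (None, dst_port):
            continue
        if action == "nexthop":
            paths = active_paths(nhl, sla)
            # Assumption: with no reachable tunnel, fall back to regular routing.
            return paths[0] if paths else "forward-regularly"
        return action
    return "forward-regularly"
```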

Basic Configuration Workflow

To apply the PBR policy to a user role, use the Basic configuration workflow for simplicity. Navigate to Policies and then select the PBR tab to begin the configuration.

Next, configure the Internet egress. If egressing to the Internet through the Data Center, click the Pencil icon to configure the Primary and optionally, the Secondary Hub. Select the desired head end gateway from the dropdown box. You can also exclude Applications and Application Categories by selecting them from their respective dropdown boxes. Any exclusions that you make will be forwarded normally to the Internet.

When you configure the Internet through DC settings, Central will automatically create both the PBR policy named pbr-full-tunnel-basic and a new nexthop list named nexthop-full-tunnel-basic. This PBR policy and the new NHL will be added to each user role as you enable the internet path for them.

To use the custom HPE Aruba Networking Cloud Security option, click the Pencil icon next to Cloud Security. Here you will select the Cloud Security Partner and then the Cloud Security partner’s account name. You can also exclude Applications and Application Categories by selecting them from their respective dropdown boxes. Any exclusions that you make will be forwarded normally to the Internet.

Please note that you must have already configured and deployed the Group to Cloud Hub Connections for the group in order to select the Custom Cloud Security Partner and Account Name inside the workflow.

When you configure the Cloud Security settings, Central will automatically create both the PBR policy named pbr-cloud-security-basic and a new nexthop list named nexthop-cloud-security-basic. This PBR policy and the new NHL will be added to each user role as you enable the internet path for them.

Traffic Forwarding with a Microbranch AP

The process with Microbranch is similar to the one described above: create a next-hop list grouping the SSE tunnels, use it in a PBR policy, and apply that policy to the corresponding user roles.

Create NextHop List

Navigate to your Microbranch Group config and then go to Tunnels & Routing>NextHop List. Click the ‘+’ sign under Nexthop table.

Microbranch Nexthop List

Provide a Nexthop-list name and select IPsec Map. Then under the IPsec Map dropdown, select your primary SSE tunnel and set the priority to 128.

NextHop Config

Now select the NextHop List again and add the secondary IPsec tunnel with a priority of 100.

NextHop Config

Configure Policy-Based Routing (PBR)

Once the NextHop list is created, the next step is to create a policy that will send only web traffic (HTTP and HTTPS) through the tunnels to the SSE. Everything else should be forwarded regularly.

Navigate to your Microbranch Group config and then Tunnels & Routing>Policy-Based Routing and then click ‘+’ under Policies.

Microbranch PBR

Create a new Policy and name the policy and then click OK. Now click the pencil icon to edit the policy. Click the ‘+ Plus’ sign to create a new policy rule. Create and order your rules as required for your deployment.

Microbranch PBR

Applying the PBR policy to relevant Roles or VLANs

The next step is to assign the previously created policies to the relevant Roles or VLANs. With all AOS 10 WLANs, a default role is created at the same time as the SSID and shares its name. Additional roles and policies can be configured and applied to users. For the sake of simplicity, this document covers only the basic user role assignment and configuration.

To apply the PBR policy to the user role, navigate to the Microbranch group configuration page and then click on Security>Policies & Access Control.

Microbranch Roles & Policies

From the Roles table, select the role that should use the PBR policy. Then, in the Rules table, click the ‘+ Plus’ sign to select the policy to add.

Role configuration

From the dropdown menu under Rule Type, select Policy-Based Routing and then select your Existing Policy ‘axis-mb-pbr’.

Add PBR policy to Role

There is no need to reorder the rules. You can simply save the policy and then proceed to testing it out in action.

Traffic Forwarding with a Headend Gateway (VPNC)

In certain scenarios it may be desirable to forward traffic to the SSE directly from headend gateways or VPNCs. This process is similar to the workflow for Branch Gateways and Microbranch APs. Policies can be applied to Roles and VLANs, as with Branch Gateways. However, VPNCs present an additional use case, where the PBR policy can be applied to traffic coming from the SD-WAN Overlay. This is commonly used to direct traffic that enters the VPNCs over private circuits into the SSE.

The next step would then be to organize tunnels into a “next-hop-list” so they can be used by WAN and routing policies. This can be achieved by navigating to Routing > NextHop Configuration and creating a new Nexthop-List in the device-level configuration. Click the + Plus sign in the Nexthop table to create the new list.

Name the NHL and then assign the IPsec Maps to it. You can also assign SLAs to each IPsec map if desired.

Once the Nexthop-List is created, you can use this together with a PBR policy to direct traffic into the HPE Aruba Networking SSE.

Click on the Policy-Based Routing tab to continue the configuration. Click the + Plus sign to create a new PBR Policy. Below is a sample policy to redirect traffic into the SSE.

Applying the PBR policy

The last step is to assign the previously created policies. From the Group configuration, go to VPN > SD-WAN Overlay > Advanced and select the recently created PBR policy under Route ACL, as in the image below:

Forward Overlay via SSE



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.