07-Mar-24

Traffic Forwarding through Aruba SSE

Once the Branch Gateway tunnels are established, the next step is to make sure that the relevant traffic is forwarded through these tunnels to the SWG service. This is done using Policy-Based Routing, and the PBR policies will vary when forwarding traffic through a Microbranch AP as compared to . This action can be performed at the group and/or overridden

Traffic Forwarding with a Branch Gateway

The next step would then be to organize tunnels in a “next-hop-list” so they can be used by WAN and routing policies.

To understand how routing and WAN policies interact with each other: routing/PBR determines the next hop(s) and provides up to 4 active (best cost/priority) paths to the WAN engine. WAN policies (SaaS/DPS) then determine which of those paths each traffic flow should take. The diagram below explains how PBR and global routing coexist with WAN policies defined in DPS or SaaS Express:

To manually create the nexthop configuration and PBR policies, follow the steps below. To use the simplified workflow, follow the steps here :link to basic config steps:

Navigate to your Branch Gateway group level config and then Routing>NextHop Configuration. Click the ‘+’ sign under Nexthop table.

Provide a Nexthop-list name and scroll below to click the ‘+’ next to IPsec name map.

Create a new IPsec map with the following parameters and then click OK and later click Save Settings:

Forward Settings: Using Site-to-Site IPSec

Using site-to-site IPSec: Primary IPSec map

Uplink: Select your uplink

Priority: 128

Click OK and then Save Settings.

Tunnel Service Level Agreements

Optionally, you can create/define an SLA (service level agreement) for each IPsec map as well. Setting an SLA sends either ICMP or HTTPS probes to the probe destination to check whether the tunnel is up and responsive.

Next, choose which probing mode of operation to use: Liveness mode or Performance mode.

Liveness checks will verify that the communication with the Probe Destination is possible through the tunnel.

Performance mode allows the administrator to manually configure the Delay and Packet Loss thresholds beyond which a tunnel path is considered unacceptable for use. These performance thresholds are designed to steer traffic away from under-performing SSE nodes, not to trigger tunnel failover. The thresholds used should be less aggressive than what you configure in your Dynamic Path Steering policy.

It is recommended to measure the probe destination through every IPSec map to prevent a tunnel failover to an equal or worse tunnel path.

Repeat this step for each additional IPsec map as required.

Note: IP-SLA Profiles can also be configured under the group configuration in Advanced mode by navigating to Gateway>WAN>Health Check>IP-SLA Profiles.

Policy-Based Routing for Branch Gateway Traffic

Once the NextHop list is created, the next step is to create a policy that sends only web traffic (HTTP and HTTPS) through the tunnels to the Secure Web Gateway. Everything else should be forwarded regularly.

Navigate to your device level config and then Routing>Policy-Based Routing and then click ‘+’ under Policies.

Provide a name and click Save.

Click on the newly created policy, scroll towards the bottom and click ‘+’ to add Rules under this policy.

Add the 1st rule as shown below:

Add the 2nd rule as shown below:

Add the 3rd rule as shown below:

Policies and rules should look like this:

Applying the PBR policy to relevant VLANs

The next step is to assign the previously created policy to the relevant VLANs. In the example below, the policy is applied to a user VLAN.

Navigate to your device level config and then Security>Apply Policy >VLANs. Select the previously created ‘axis-sse-pbr’ policy under Route ACL for the user VLAN.
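The interaction described above between the PBR step (web traffic only, up to four best-priority tunnels), the tunnel SLA probes (Liveness versus Performance thresholds) and the WAN/DPS per-flow path choice, written as an added Python model. It is not HPE Aruba code; the tunnel names, probe measurements and thresholds are constructed, and the model assumes a higher priority value is preferred.

```python
from dataclasses import dataclass

WEB_PORTS = {80, 443}  # only HTTP/HTTPS goes to the SWG; all else forwards normally

@dataclass
class IpsecMap:
    name: str
    priority: int          # page uses 128; assumption here: higher value preferred
    alive: bool = True     # Liveness-mode probe result
    delay_ms: float = 0.0  # Performance-mode probe measurements
    loss_pct: float = 0.0

@dataclass
class Thresholds:
    max_delay_ms: float
    max_loss_pct: float

def sla_usable(nhl, sla):
    """Liveness drops unresponsive tunnels; Performance thresholds only steer away
    from slow SSE nodes (not failover), so if all live tunnels breach them, keep them."""
    live = [m for m in nhl if m.alive]
    ok = [m for m in live if m.delay_ms <= sla.max_delay_ms and m.loss_pct <= sla.max_loss_pct]
    return ok or live

def pbr_next_hops(dst_port, nhl, sla, max_active=4):
    """Routing/PBR step: web flows get up to four best-priority tunnels from
    the nexthop list; [] means regular (global routing) forwarding."""
    if dst_port not in WEB_PORTS:
        return []
    ranked = sorted(sla_usable(nhl, sla), key=lambda m: m.priority, reverse=True)
    return [m.name for m in ranked[:max_active]]

def dps_pick(dst_port, nhl, sla):
    """WAN-policy step (DPS-like): pick the lowest-delay PBR candidate per flow;
    None when the flow is not tunnelled at all."""
    names = pbr_next_hops(dst_port, nhl, sla)
    delay = {m.name: m.delay_ms for m in nhl}
    return min(names, key=delay.get) if names else None

def sla_looser_than_dps(sla, dps):
    """Page caveat: tunnel SLA thresholds should be less aggressive than DPS's,
    so DPS steers flows before the SLA declares a tunnel unusable."""
    return sla.max_delay_ms > dps.max_delay_ms and sla.max_loss_pct > dps.max_loss_pct

# Constructed sample: three tunnels to SSE nodes, one degraded, one down.
NHL = [IpsecMap("sse-primary", 128, delay_ms=30, loss_pct=0.1),
       IpsecMap("sse-secondary", 100, delay_ms=250, loss_pct=6.0),
       IpsecMap("sse-tertiary", 90, alive=False)]
SLA = Thresholds(max_delay_ms=200, max_loss_pct=5.0)
DPS = Thresholds(max_delay_ms=150, max_loss_pct=2.0)
```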

Using the Basic configuration workflow for Policy-Based Routing

To apply the PBR policy to a user role, use the Basic configuration workflow for simplicity. Navigate to Policies and then select the PBR tab to begin the configuration.

Next, configure the Internet egress. If egressing to the Internet through the Data Center, click the Pencil icon to configure the Primary and optionally, the Secondary Hub. Select the desired head end gateway from the dropdown box. You can also exclude Applications and Application Categories by selecting them from their respective dropdown boxes. Any exclusions that you make will be forwarded normally to the Internet.

When you configure the Internet through DC settings, Central will automatically create both the PBR policy named pbr-full-tunnel-basic and a new nexthop list named nexthop-full-tunnel-basic. This PBR policy and the new NHL will be added to each user role as you enable the internet path for them.

To use the custom HPE Aruba Networking Cloud Security option, click the Pencil icon next to Cloud Security. Here you will select the Cloud Security Partner and then the Cloud Security partner’s account name. You can also exclude Applications and Application Categories by selecting them from their respective dropdown boxes. Any exclusions that you make will be forwarded normally to the Internet.

Please note that you must have already configured and deployed the Group to Cloud Hub Connections for the group in order to select the Custom Cloud Security Partner and Account Name inside the workflow.

When you configure the Cloud Security settings, Central will automatically create both the PBR policy named pbr-cloud-security-basic and a new nexthop list named nexthop-cloud-security-basic. This PBR policy and the new NHL will be added to each user role as you enable the internet path for them.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.