22-Aug-24

Campus Overlay Fabrics

Centralized Campus Fabrics

User-Based Tunneling (UBT) is a centralized overlay fabric that tunnels some or all user traffic to a central gateway cluster, where policy is enforced using services such as firewalling, deep packet inspection (DPI), application visibility, and bandwidth control. UBT selectively tunnels traffic based on the user or device role. Tunnels may originate from APs, from switches, or from both; policy enforcement then occurs at the gateway cluster.

Centralized Fabric with UBT

A centralized campus fabric is easy to deploy, provides a consistent experience for wired and wireless users, and can implement a wide variety of routing and security functions at the gateways. A centralized fabric using UBT works just like an Aruba WLAN: all client traffic is centralized at the gateway cluster for policy enforcement.

The centralized fabric works best for small- to medium-size branch and campus locations where most traffic is North-South, destined for an external data center or the Internet. It also enables a phased migration to fabrics and role-based segmentation while retaining existing third-party and legacy switch infrastructure at the core and aggregation layers. It is not recommended where there is a high degree of East-West traffic (traffic that originates and terminates between endpoints within the campus), because every such flow must be carried to the gateway cluster, which can become a bottleneck.

All wired and wireless authentication traffic to the NAC service originates from the same gateway cluster, so consider the load placed on the cluster when supporting large WLAN and UBT deployments.

Advanced Central subscriptions are not required for this design.

Distributed Campus Fabrics

Aruba Central NetConductor provides workflows to deploy distributed fabrics, enabling policy enforcement anywhere in the network as an alternative to the centralized approach. The distributed fabric is a standards-based BGP-EVPN VXLAN solution that provisions consistent, loop-free Layer 2 and Layer 3 overlay networks with multiple levels of segmentation: VRF-based and User-Role-based.

A fabric is composed of an underlay network and one or more overlay networks. The underlay network represents the physical network infrastructure of the fabric. In the NetConductor solution, all inter-switch links in the underlay are configured as routed and routes are distributed using an interior gateway protocol enabling Equal Cost Multipath (ECMP) routing. The NetConductor underlay wizard configures point-to-point routed links, using OSPF for the routing protocol. One or more overlay networks, each of which corresponds to a separate VRF, can be layered on top of the underlay network.

BGP EVPN provides a control-plane database spanning the entire campus that advertises MAC addresses, MAC/IP bindings, and IP prefixes, supporting segmentation and seamless roaming across the network. The solution uses symmetric IRB with a distributed anycast gateway, discovers remote fabric devices through the EVPN control plane, and advertises MAC addresses and MAC/IP bindings with EVPN Type 2 routes and IP prefixes with EVPN Type 5 routes. Each advertised address is prepended with a Route Distinguisher (RD), a value unique to the VRF on the advertising device, which is how the campus fabric supports overlapping IP addresses and MAC addresses across different tenants.
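The following Python model is an added illustration of the RD and route-target mechanism described above; it is not NetConductor or AOS-CX code. It builds a toy EVPN Type 5 route table for two tenant VRFs that both advertise 10.10.0.0/24, shows that the (RD, prefix) key keeps the two routes distinct where a prefix-only table would let one overwrite the other, and imports routes into each VRF only when an export route target matches that VRF's import route target. All RD, RT, prefix and VTEP values are constructed for the example.

```python
"""Toy EVPN Type 5 route table: how the Route Distinguisher (RD) keeps
overlapping tenant prefixes distinct and how Route Targets (RTs) control
which VRF imports which route. Added illustration, not Aruba code."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Type5Route:
    rd: str                     # e.g. "192.0.2.1:100", unique per VRF per device
    prefix: IPv4Network         # advertised IP prefix
    next_hop: str               # VTEP that originated the route
    export_rts: frozenset[str]  # RTs attached on export, e.g. "65000:100"


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    import_rts: frozenset[str]
    export_rts: frozenset[str]

    def advertise(self, prefix: str, vtep: str) -> Type5Route:
        """Originate a Type 5 route for a prefix reachable via this VTEP."""
        return Type5Route(self.rd, ip_network(prefix), vtep, self.export_rts)


def bgp_table(routes: list[Type5Route]) -> dict[tuple[str, IPv4Network], Type5Route]:
    """EVPN NLRI is keyed on (RD, prefix): the same prefix under a different
    RD is a second, independent route. Reusing an RD for a different VRF
    would collide, so the table refuses it rather than silently overwriting."""
    table: dict[tuple[str, IPv4Network], Type5Route] = {}
    for r in routes:
        key = (r.rd, r.prefix)
        if key in table:
            raise ValueError(f"duplicate NLRI {key}: RD is not unique")
        table[key] = r
    return table


def prefix_only_table(routes: list[Type5Route]) -> dict[IPv4Network, Type5Route]:
    """What a table without an RD would do: the last tenant to advertise wins."""
    return {r.prefix: r for r in routes}


def import_routes(vrf: Vrf, table: dict[tuple[str, IPv4Network], Type5Route]) -> dict[IPv4Network, str]:
    """Install into the VRF only routes carrying one of its import RTs."""
    return {r.prefix: r.next_hop for r in table.values() if r.export_rts & vrf.import_rts}


def resolve(vrf: Vrf, dest: str, table: dict[tuple[str, IPv4Network], Type5Route]) -> str | None:
    """Return the VTEP a VRF would forward to for an address (longest match)."""
    rib = import_routes(vrf, table)
    addr = ip_address(dest)
    matches = [p for p in rib if addr in p]
    return rib[max(matches, key=lambda p: p.prefixlen)] if matches else None


# Constructed tenants (hypothetical RDs, RTs and VTEP addresses).
TENANT_A = Vrf("tenant-a", rd="192.0.2.1:100",
               import_rts=frozenset({"65000:100"}), export_rts=frozenset({"65000:100"}))
TENANT_B = Vrf("tenant-b", rd="192.0.2.2:200",
               import_rts=frozenset({"65000:200"}), export_rts=frozenset({"65000:200"}))

# Both tenants use the same subnet, advertised from different VTEPs.
ROUTES = [
    TENANT_A.advertise("10.10.0.0/24", vtep="192.0.2.1"),
    TENANT_B.advertise("10.10.0.0/24", vtep="192.0.2.2"),
]


def summary() -> dict[str, object]:
    table = bgp_table(ROUTES)
    # A misconfigured tenant reusing tenant-a's RD must be rejected.
    clash = Vrf("tenant-c", rd=TENANT_A.rd,
                import_rts=frozenset({"65000:300"}), export_rts=frozenset({"65000:300"}))
    try:
        bgp_table(ROUTES + [clash.advertise("10.10.0.0/24", vtep="192.0.2.3")])
        duplicate_rd_rejected = False
    except ValueError:
        duplicate_rd_rejected = True
    return {
        "nlri_with_rd": len(table),                      # 2: one per tenant
        "nlri_without_rd": len(prefix_only_table(ROUTES)),  # 1: tenant-a's route lost
        "tenant_a_next_hop": resolve(TENANT_A, "10.10.0.7", table),
        "tenant_b_next_hop": resolve(TENANT_B, "10.10.0.7", table),
        "duplicate_rd_rejected": duplicate_rd_rejected,
    }


if __name__ == "__main__":
    print(summary())
```

The RD only makes the NLRI unique; the route targets do the actual tenant separation. A VRF that imports a route target it should not (for example a shared-services RT applied too broadly) silently merges address space across tenants, so review import RT lists as part of a segmentation audit, not just the RDs.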

Wireless infrastructure in the distributed campus fabric uses AOS 10 gateways and access points (APs) provisioned with a tunneled WLAN SSID. Wireless client traffic is GRE- or IPsec-encapsulated from the APs to the gateway to accommodate large roaming domains. The gateway then encapsulates the data traffic in VXLAN, inserts the client's role ID into the VXLAN header, and forwards the packet into the EVPN fabric.

VXLAN tunneled SSID

Authentication and role assignment for wireless clients occur on the APs; however, authentication traffic to ClearPass or another authentication provider is proxied by the gateway cluster. Wired client authentication is sourced directly from the switch to which the wired client is attached. ClearPass Policy Manager assigns the User-Role based on the authentication result; that role can drive dynamic VLAN assignment and role-based policy enforcement across wired and wireless infrastructure.

The solution allows enterprise-wide definition of universal user roles and role-based policies that apply to both wired and wireless clients. User Roles and policies are defined once in Aruba Central; there is no need to create separate policies for different types of network devices. Policies are provisioned to fabric devices and enforced at the destination egress point for role-to-role policies and at the source ingress point for all other policies.
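The following Python model is an added illustration of the two preceding points, the role ID carried in the VXLAN header and the egress enforcement of role-to-role policy; it is not Aruba gateway or switch code. It assumes the role ID travels in the 16-bit Group Policy ID field of the VXLAN Group Policy extension (VXLAN-GPO), which the page does not state explicitly. The role table, role IDs and permit list are constructed for the example.

```python
"""Toy model of a role ID carried in a VXLAN-GPO header and checked at the
egress fabric device. Added illustration only; not Aruba/NetConductor code.
Assumption: the role ID occupies the 16-bit Group Policy ID field."""
from __future__ import annotations

import struct
from dataclasses import dataclass

VXLAN_FLAG_G = 0x80  # G bit: Group Policy ID field is valid (VXLAN-GPO draft)
VXLAN_FLAG_I = 0x08  # I bit: VNI field is valid (RFC 7348)


@dataclass(frozen=True)
class VxlanHeader:
    vni: int
    role_id: int | None  # Group Policy ID when the G bit is set, else None


def build_vxlan(vni: int, role_id: int | None = None) -> bytes:
    """Ingress side: build the 8-byte header (flags, reserved, GPID, VNI<<8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    flags, gpid = VXLAN_FLAG_I, 0
    if role_id is not None:
        if not 0 <= role_id <= 0xFFFF:
            raise ValueError("Group Policy ID is a 16-bit field")
        flags |= VXLAN_FLAG_G
        gpid = role_id
    return struct.pack("!BBHI", flags, 0, gpid, vni << 8)


def parse_vxlan(hdr: bytes) -> VxlanHeader:
    """Egress side: recover VNI and, if the G bit is set, the role ID."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, gpid, vni_word = struct.unpack("!BBHI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    role = gpid if flags & VXLAN_FLAG_G else None
    return VxlanHeader(vni=vni_word >> 8, role_id=role)


# Constructed role table and role-to-role permits (hypothetical IDs and roles).
ROLE_ID = {"employee": 100, "contractor": 200, "printer": 300, "camera": 400}
ID_TO_ROLE = {v: k for k, v in ROLE_ID.items()}
PERMIT = {("employee", "employee"), ("employee", "printer"), ("contractor", "printer")}


def egress_decision(hdr: bytes, dst_role: str) -> str:
    """Role-to-role check at the egress point: the destination's role is
    known locally, the source role arrives in the header. Anything not
    explicitly permitted, including untagged or unknown-role traffic, is
    denied rather than mapped to a default role."""
    h = parse_vxlan(hdr)
    if h.role_id is None or h.role_id not in ID_TO_ROLE:
        return "deny"
    return "permit" if (ID_TO_ROLE[h.role_id], dst_role) in PERMIT else "deny"


if __name__ == "__main__":
    pkt = build_vxlan(vni=10100, role_id=ROLE_ID["employee"])
    print(pkt.hex(), parse_vxlan(pkt), egress_decision(pkt, "printer"))
```

The security property this depends on is that only the ingress device that authenticated the client writes the Group Policy ID; the egress device trusts the value it receives. Any device that can inject VXLAN frames into the underlay toward a VTEP can therefore claim a role, so VTEP reachability and underlay access deserve the same scrutiny as the role policy itself.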

A key advantage of the distributed fabric over a centralized fabric is the ability to enforce policy at any point within the campus. User traffic does not need to be forwarded to a centralized cluster for policy enforcement, so inter-VLAN routing can be handled at the aggregation switches for more efficient traffic flows. A distributed fabric also works well with a Layer 3 underlay, giving highly efficient ECMP-based routing with load distribution across links.

All devices in a NetConductor distributed campus fabric require Advanced Central subscriptions.


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.