Multi-Site Design
The Aruba Central NetConductor solution extends the ability to stretch segmentation (VRF, User Roles and policy) across geographically distributed enterprise deployments whose sites are interconnected via any WAN or SD-WAN environment. This allows enterprise-level definition of global User Roles, segmentation and policies, simplifying and standardizing security constructs and their enforcement.
The solution supports Multi-Site deployments interconnected through:
Aruba EdgeConnect SD-Branch fabric
Aruba EdgeConnect SD-WAN fabric
Any third-party WAN or SD-WAN fabric
Aruba EdgeConnect SD-Branch Fabric
Aruba EdgeConnect SD-Branch combines wireless, wired and WAN infrastructure with unified management capabilities that include assurance, orchestration, and security, simplifying the design, deployment, configuration and management of remote branch locations.
Aruba Central provides the “single-pane-of-glass” for management, orchestration, AIOps, and security visibility for wired, wireless and SD-WAN networks. The cloud-based management platform offers Zero-Touch Provisioning (ZTP) to onboard network devices quickly and configure all access infrastructure at remote locations accurately. Aruba Central also hosts the SD-WAN Orchestrator that enables dynamic building and scaling of site-to-site IPsec tunnels and route propagation between SD-Branch Gateways.
The ArubaOS 10 SD-Branch Gateways at each site provide complete SD-LAN functionality. Depending on the size of the branch, an enterprise can deploy a Layer 2 or Layer 3 design to provide network connectivity and use centralized overlays, enabling the SD-Branch Gateway to host the WLAN gateway for wireless clients and user-based tunnel gateway for wired clients. With all traffic centralized at the SD-Branch Gateway, deployments can take advantage of centralized policy and consistent security enforcement for both wired and wireless clients within the site.
Multi-Site Fabric with Centralized EdgeConnect SD-Branch enables role propagation across the WAN. Role propagation between SD-Branch Gateways at different sites is achieved by mapping user-role information to a VXLAN Group-Based Policy (GBP) tag, then encapsulating the tagged VXLAN packet in IPsec before forwarding the traffic across the SD-Branch WAN environment.
ArubaOS 10 SD-Branch Gateways have built-in intelligence to manage fragmentation and reassembly of IPsec-encrypted packets that carry role information. This allows deployments to retain role information across the SD-WAN environment without mandating a higher MTU. The EdgeConnect SD-Branch solution also provides the flexibility to enable role propagation selectively on a per-subnet basis, as needed to meet network requirements.
Aruba EdgeConnect SD-WAN Fabric
Aruba EdgeConnect SD-WAN Edge platform can reside on a physical or virtual appliance deployed in remote branch locations or on any common hypervisors and public clouds, enabling customers to build business intent overlays, incorporate intelligent path conditioning, and provide secure connectivity across all WAN circuits.
Aruba EdgeConnect SD-WAN Fabric solution comprises three core components: EdgeConnect Edge platform, SD-WAN Orchestrator, and WAN optimization. Aruba SD-WAN Orchestrator provides centralized management, configuration and policy provisioning, monitoring, and alerting and reporting capabilities for the SD-WAN Edge platform.
Aruba EdgeConnect SD-WAN fabric integration with the NetConductor solution provides organizations the ability to extend segmentation (VRF and User Roles) and apply global policies within the SD-WAN environment and at different sites across the enterprise.
The SD-WAN Orchestrator, version 9.4.1 and above, supports open standard BGP EVPN VXLAN capabilities, enabling deployments to define VXLAN Layer 3 VNIs, map routing segments to Layer 3 VNIs, roles, and establish BGP EVPN peering with the LAN Fabric.
If the LAN network does not support VXLAN, RADIUS snooping enabled on the EdgeConnect Edge platform can derive the role directly from RADIUS transactions during authentication and authorization, or record the login and logout events from Aruba ClearPass Policy Manager using API integration.
User Roles are learned either from VXLAN data packets or from RADIUS snooping. The EdgeConnect SD-WAN solution can use the roles to define and enforce fine-grained security policy. The EdgeConnect SD-WAN Edge platform inserts the user-role information in the IPsec tunnel, retaining the segmentation information while still providing advanced network and application performance optimization across the SD-WAN environment.
As shown in the diagram above, Aruba CX switches establish iBGP EVPN VXLAN tunnels to stretch segments, provide segmentation, and enforce role-based policies within the LAN environment. Traffic destined for the Internet or a remote site is sent to the border for external routing. Because EdgeConnect supports BGP EVPN VXLAN, border devices can establish eBGP EVPN neighborships with the EdgeConnect SD-WAN Edge platform to extend the segmentation information into the data plane of the SD-WAN environment.
The EdgeConnect device maps the segmentation (VRF) and user-role information learned from VXLAN and carries the information natively in IPsec packets across the SD-WAN fabric to remote sites. Data-plane integration between the Aruba CX switches and EdgeConnect WAN routers enables customers to define global-level segmentation, user roles, and role-based policies at scale across geographical sites. EdgeConnect devices can use the segmentation information to define role-based firewall, SASE, and WAN Optimization policies that optimize the traffic across the SD-WAN fabric.
Third-Party WAN or SD-WAN Fabric
The Centralized Multi-Site Fabric with Aruba SD-Branch deployment enables ArubaOS 10 Gateways to act as WLAN and user-based tunnel gateways and to provide connectivity and role propagation between sites over a WAN or a third-party SD-WAN network.
The ArubaOS 10 gateways serve as the WLAN gateway for wireless clients and as user-based tunnel gateways for wired clients, as well as the centralized policy enforcement point for wired and wireless clients within each site. To enforce role-based policies for traffic traversing the WAN or third-party SD-WAN fabric, the ArubaOS 10 gateways encapsulate the client role information in the VXLAN header and apply IPsec encryption before forwarding the traffic into the WAN environment.
ArubaOS 10 Gateways have built-in intelligence to fragment and reassemble the IPsec-encrypted packets that carry role information. This enables ArubaOS 10 Gateway deployments to retain role information across any WAN environment without mandating a higher MTU, and to enforce consistent, location-independent, role-based policies throughout the environment. Role propagation can be enabled selectively on a per-subnet basis for third-party WAN deployments.
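The two passages on role propagation (the SD-Branch fabric section and the third-party WAN section) describe the same data-plane mechanism: the user role becomes a VXLAN Group-Based Policy tag, the VXLAN packet is wrapped in IPsec, and the gateway fragments the result rather than requiring a larger WAN MTU. The following added Python example, which is not Aruba code and does not reflect how ArubaOS 10 or EdgeConnect implement it internally, builds and parses the VXLAN header with the GBP tag (per the VXLAN-GBP draft layout) and then calculates how large a client frame becomes after VXLAN plus ESP tunnel-mode encapsulation and how many IPv4 fragments are needed for a 1500-byte WAN MTU. The role-to-tag mapping, the ESP IV/ICV sizes and the VNI are constructed assumptions.

```python
import math
import struct

# VXLAN header flag bits: the I bit from RFC 7348 and the G bit from the
# VXLAN Group-Based Policy (GBP) extension (draft-smith-vxlan-group-policy).
VXLAN_FLAG_G = 0x80  # Group Policy ID field is present
VXLAN_FLAG_I = 0x08  # VNI field is valid

# Constructed sample mapping of user roles to 16-bit GBP tags (assumption;
# real deployments assign these values through the management platform).
ROLE_TO_GBP_TAG = {"employee": 100, "contractor": 200, "iot-camera": 300}


def build_vxlan_gbp_header(vni: int, group_policy_id: int) -> bytes:
    """Return the 8-byte VXLAN header carrying a VNI and a GBP tag."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= group_policy_id < (1 << 16):
        raise ValueError("Group Policy ID must fit in 16 bits")
    flags = VXLAN_FLAG_G | VXLAN_FLAG_I
    # flags | policy bits (unused here) | 16-bit Group Policy ID | 24-bit VNI | reserved byte
    return struct.pack("!BBH", flags, 0, group_policy_id) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_gbp_header(header: bytes) -> dict:
    """Decode the VNI and, when the G bit is set, the GBP tag from a VXLAN header."""
    if len(header) < 8:
        raise ValueError("VXLAN header must be 8 bytes")
    flags, _policy_bits, gpid = struct.unpack("!BBH", header[:4])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I bit clear: VNI field is not valid")
    vni = int.from_bytes(header[4:7], "big")
    return {"vni": vni, "group_policy_id": gpid if flags & VXLAN_FLAG_G else None}


# Encapsulation added in front of the client's Ethernet frame before IPsec.
VXLAN_OVERHEAD = 20 + 8 + 8  # outer IPv4 + UDP + VXLAN (outer Ethernet not counted)
OUTER_IPV4 = 20
ESP_SPI_SEQ = 8


def esp_tunnel_size(inner_len: int, iv_len: int = 8, icv_len: int = 16, align: int = 4) -> int:
    """Size of an ESP tunnel-mode packet (outer IPv4 included) wrapping inner_len bytes.

    iv_len, icv_len and align are assumed representative values for an AEAD
    transform; the exact figures depend on the negotiated IPsec proposal.
    """
    # Pad so that payload + pad-length + next-header ends on the alignment boundary.
    padding = (align - (inner_len + 2) % align) % align
    return OUTER_IPV4 + ESP_SPI_SEQ + iv_len + inner_len + padding + 2 + icv_len


def wan_packet_size(client_frame_len: int) -> int:
    """Bytes sent on the WAN (outer Ethernet excluded) for one tagged client frame."""
    return esp_tunnel_size(client_frame_len + VXLAN_OVERHEAD)


def wan_fragments(client_frame_len: int, wan_mtu: int = 1500) -> int:
    """IPv4 fragments the gateway must emit so every piece fits the WAN MTU.

    Each fragment repeats the 20-byte outer IPv4 header and carries a payload
    that is a multiple of 8 bytes (except the last fragment).
    """
    total = wan_packet_size(client_frame_len)
    if total <= wan_mtu:
        return 1
    per_fragment = (wan_mtu - OUTER_IPV4) // 8 * 8
    return math.ceil((total - OUTER_IPV4) / per_fragment)


if __name__ == "__main__":
    hdr = build_vxlan_gbp_header(vni=10010, group_policy_id=ROLE_TO_GBP_TAG["contractor"])
    print(hdr.hex(), parse_vxlan_gbp_header(hdr))
    for size in (500, 1514):  # small frame vs. full 1500-byte client MTU plus Ethernet header
        print(size, wan_packet_size(size), wan_fragments(size))
```

A full-size 1514-byte client frame grows to 1604 bytes on the WAN and therefore needs two fragments, which is exactly the case the gateway handles by fragmenting and reassembling itself instead of asking the WAN to carry jumbo frames. The `padding` calculation is also why the overhead is not a fixed constant per packet.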
Network-Access Policies in Multi-Site Networks
By extending the VRF and User Roles across multiple fabrics, it is possible to implement Global User Roles and consistent Group-Based Policies throughout the entire network for both wired and wireless users and devices with authentication and authorization using the NAC solution.
Group-Based Policies are enforced as follows:
Traffic between wired clients is enforced at the destination egress switch interface.
Traffic between wireless clients is enforced at the Mobility Gateway Cluster within the site.
Traffic between wireless clients across sites is enforced at the destination Mobility Gateway cluster.
Traffic from wired to wireless clients is enforced at the Mobility Gateway cluster within the site.
Traffic from wired to wireless clients at a different site is enforced at the destination Mobility Gateway cluster.
Traffic from wireless to wired clients is enforced at the destination egress switch interface.
Access policies with a non-“User-Role” destination are enforced at the source ingress interface.
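The seven enforcement cases above reduce to a simple rule: a role-to-role policy is enforced where the destination attaches (the destination's egress switch interface for wired clients, the destination site's Mobility Gateway cluster for wireless clients), and a policy whose destination is not a User Role is enforced at the source ingress interface. The following added Python model, written for this page and not part of the Aruba solution, encodes that rule together with a default-deny Group-Based Policy matrix and a per-role destination access list, so a practitioner can check for a given flow both where a decision is made and what the decision is. The role names, the rule matrix and the prefixes are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Enforcement points named in the design text.
DEST_EGRESS_SWITCH = "destination egress switch interface"
SOURCE_INGRESS = "source ingress interface"


def mobility_gateway_cluster(site: str) -> str:
    return f"Mobility Gateway cluster at {site}"


@dataclass(frozen=True)
class Flow:
    src_role: str
    dst_role: Optional[str]  # None when the destination is not a User Role (a host or subnet)
    src_access: str          # "wired" or "wireless"
    dst_access: str
    src_site: str
    dst_site: str
    dst_ip: Optional[str] = None  # only used when dst_role is None


# Constructed Group-Based Policy matrix: (source role, destination role) -> action.
# Roles are global, so the same matrix applies at every site; unlisted pairs are denied.
GBP_RULES = {
    ("employee", "employee"): "permit",
    ("employee", "printer"): "permit",
    ("contractor", "printer"): "permit",
    ("iot-camera", "nvr"): "permit",
}

# Constructed per-role access policies for non-role destinations: first match wins,
# no match means deny.
ROLE_ACCESS_POLICIES = {
    "employee": [("10.0.0.0/8", "permit"), ("0.0.0.0/0", "permit")],
    "contractor": [("10.10.0.0/16", "permit"), ("0.0.0.0/0", "deny")],
    "iot-camera": [("10.50.0.0/24", "permit")],
}


def enforcement_point(flow: Flow) -> str:
    """Where the policy for this flow is enforced, generalising the seven listed cases."""
    if flow.dst_role is None:
        return SOURCE_INGRESS
    if flow.dst_access == "wired":
        return DEST_EGRESS_SWITCH
    if flow.dst_access == "wireless":
        # Same site or a remote site: the destination's own cluster enforces.
        return mobility_gateway_cluster(flow.dst_site)
    raise ValueError(f"unknown access type {flow.dst_access!r}")


def evaluate(flow: Flow, rules=GBP_RULES, access_policies=ROLE_ACCESS_POLICIES):
    """Return (enforcement point, action) for a flow; default-deny throughout."""
    point = enforcement_point(flow)
    if flow.dst_role is not None:
        return point, rules.get((flow.src_role, flow.dst_role), "deny")
    if flow.dst_ip is None:
        raise ValueError("a non-role destination needs dst_ip")
    dst = ipaddress.ip_address(flow.dst_ip)
    for prefix, action in access_policies.get(flow.src_role, []):
        if dst in ipaddress.ip_network(prefix):
            return point, action
    return point, "deny"


if __name__ == "__main__":
    samples = [
        Flow("employee", "printer", "wired", "wired", "site-a", "site-b"),
        Flow("contractor", "employee", "wireless", "wireless", "site-a", "site-b"),
        Flow("employee", "employee", "wired", "wireless", "site-a", "site-a"),
        Flow("contractor", None, "wired", "wired", "site-a", "site-a", dst_ip="10.20.5.7"),
    ]
    for f in samples:
        print(f, "->", evaluate(f))
```

Because the matrix is keyed only on roles, moving a client between sites or between wired and wireless changes where the decision is taken but never what the decision is, which is the property the global User Role design is meant to guarantee.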