22-Aug-24

General Terms

Aruba Central

Aruba Central, delivered as a cloud, on-premises, or as-a-service platform, lets customers deploy, manage, monitor, and optimize WLAN, LAN, VPN and SD-WAN solutions through a unified management process.

Central is a cloud-native, microservices-based platform that provides the scalability and resilience needed for critical environments, along with AI Insights. Compared to an on-premises solution, Central is more adaptive, predictable, and horizontally scalable, with built-in redundancy.

Central provides intelligent workflows to deploy the end-to-end Aruba Central NetConductor solution: a BGP EVPN VXLAN fabric, AI/ML-based endpoint device profiling, and consistent network-wide role-based access policy.

BUM

Shorthand for Broadcast, Unknown Unicast, and Multicast traffic.

Network Access Control (NAC)

Network Access Control (also known as Network Admission Control) is used to authenticate users and devices before granting them access to a network and to control resources they can access when connected. Device and user profiling, as well as health checks, are often integrated into this process.

Aruba NetConductor integrates with Aruba ClearPass Policy Manager, Aruba CloudAuth, and third-party NAC solutions.

Fabric Terminology

Aruba Intelligent Forwarding (FIB Optimization)

In a BGP EVPN VXLAN deployment, host routes are shared across all switch VTEPs within the fabric site. Most hosts never communicate with each other, since traffic flows from a host to the core far more often than from one host to another. To prevent the hardware table from filling up in large enterprise deployments, Aruba Intelligent Forwarding installs only the active EVPN host routes in the data plane; these entries age out periodically when not in use, so the Forwarding Information Base (FIB) stays optimized.
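The distinction this entry draws between the control-plane table (every host route learned over EVPN) and the data-plane FIB (only routes with recent traffic, aged out when idle) is modelled below in an added Python example. It is not Aruba's code or the NetConductor implementation; the host addresses, VTEP names, and the age limit are constructed for illustration, and real hardware uses its own timers and table sizes.

```python
"""
Added model of the behaviour described under Aruba Intelligent Forwarding:
the control plane keeps every host route learned over EVPN, while the
data-plane FIB holds only routes that have carried traffic recently and
ages out idle ones. Hosts, VTEP names and the age limit are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HostRoute:
    ip: str       # /32 host route advertised over EVPN
    vtep: str     # remote VTEP that owns the host


@dataclass
class OptimizedFib:
    control_plane: Dict[str, HostRoute]                 # every route EVPN learned
    age_limit: int                                      # idle ticks before eviction
    fib: Dict[str, int] = field(default_factory=dict)   # ip -> last-used tick
    now: int = 0

    def forward(self, dst_ip: str) -> Optional[str]:
        """Resolve dst_ip; install the FIB entry on first use, refresh it on a hit."""
        route = self.control_plane.get(dst_ip)
        if route is None:
            return None            # unknown host: nothing to install
        self.fib[dst_ip] = self.now
        return route.vtep

    def tick(self) -> List[str]:
        """Advance the clock and evict FIB entries idle for age_limit ticks."""
        self.now += 1
        expired = [ip for ip, last in self.fib.items()
                   if self.now - last >= self.age_limit]
        for ip in expired:
            del self.fib[ip]
        return expired


def run_demo() -> Dict[str, int]:
    """Constructed scenario: three hosts known to the control plane, one stays active."""
    cp = {
        "10.1.1.10": HostRoute("10.1.1.10", "vtep-a"),
        "10.1.1.11": HostRoute("10.1.1.11", "vtep-b"),
        "10.1.2.20": HostRoute("10.1.2.20", "vtep-c"),
    }
    f = OptimizedFib(control_plane=cp, age_limit=3)
    f.forward("10.1.1.10")
    f.forward("10.1.2.20")
    peak = len(f.fib)              # 2 of 3 routes installed in hardware
    for _ in range(2):
        f.tick()
    f.forward("10.1.1.10")         # keep one host active
    f.tick()                       # the idle route ages out on this tick
    return {"control_plane": len(cp), "fib_peak": peak, "fib_now": len(f.fib)}


if __name__ == "__main__":
    print(run_demo())
```

The control-plane table never shrinks, so reachability is preserved; only the hardware footprint is bounded. An operator checking a switch that reports fewer FIB entries than EVPN routes is seeing this optimization, not route loss.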

VLAN Client Presence Detect

This feature is enabled on Fabric Edge devices so that the VNI mapped to a VLAN is active only when a client is detected on the switch. With VLANs configured on all access switches for configuration consistency, BGP EVPN advertises host entries only to fabric devices whose VLAN-to-VNI mapping is present and whose VLAN status is up. Keeping the VLAN down until a client is present also keeps the VNI state down, reducing the number of entries learned on the fabric device.

Border Leader

In a multi-fabric deployment, a full mesh of VXLAN tunnels can be avoided by using a border leader switch. This device establishes eBGP peering with all border switches within the same site or region and eBGP peering with the border leaders of other sites/regions. Border leader and border switches automatically establish VXLAN tunnels with the other border leaders and borders using the BGP EVPN control plane, providing full-mesh tunnel-to-tunnel forwarding for Layer 2/3 traffic. The border leader switch can also function as a border switch for its own fabric, if needed.

Centralized L3 Gateway

A VTEP that provides Layer 3 forwarding for the VXLAN overlay network. This fabric device connects to the external network and to the other VTEPs, which provide Layer 2 functionality.

Centralized Overlay

User-Based Tunneling (UBT) is a centralized overlay that enables administrators to tunnel specified user traffic to a gateway cluster to enforce policy using services such as firewalling, DPI, application visibility, and bandwidth control. UBT selectively tunnels traffic based on a user or device role.

Distributed Overlay

Distributed overlays are built using EVPN-VXLAN on highly available underlays and are tied to full policy-based micro-segmentation, based on global roles, across the entire network infrastructure. Role-based policies abstract policy from the underlying network and enable flexible, simplified policy definition and enforcement.

Distributed L3 Anycast Gateway

A common gateway IP and MAC address is configured on fabric switches to provide optimized Layer 3 forwarding for directly connected hosts. Layer 3 traffic is routed from the edge switch directly to the destination.

Downloadable User Role

The CPPM acts only as a RADIUS authenticator and returns the role name of the client. The switch then downloads the configuration for that role over HTTP from the CPPM HTTP server.

Dynamic Segmentation

Dynamic Segmentation establishes least-privilege access for users and devices by segmenting traffic based on identity and associating consistent role-based access and policies across wired, wireless, and WAN networks.

Dynamic VXLAN Tunnel encapsulation

To enforce role-based policies for traffic destined to sites across an IP network or a third-party SD-WAN fabric, the SD-Branch Gateway encapsulates the client traffic with VXLAN-GBP and IPsec; the VXLAN header carries the source role in the Group Policy ID. The SD-Branch gateways at the source and destination sites natively handle fragmentation and reassembly without changing the MTU on the WAN circuits.

Fabric

A fabric is a BGP EVPN VXLAN overlay network built to provide secure Layer 2 and Layer 3 services with macro-segmentation and role-based segmentation. Distributed fabric sites consist of a control plane (Route Reflector), access switches (Edge), Internet Edge (Border), Mobility Gateways and access points, a Wireless Service-Aggregation switch (Stub), and optional Intermediate switches. The fabric site in the Aruba Central NetConductor solution is an iBGP EVPN deployment across the fabric devices.

Group-Based Policy

The distributed policy architecture implemented in the Aruba Central NetConductor solution provides a method to define and enforce consistent and efficient policy across all network devices.

Policy is enforced at the egress switch. The destination switch reads the source role carried in the VXLAN Group Policy ID, determines the destination role of the client directly connected to it, and then forwards or drops the traffic accordingly.

Local User Role

The roles and policies are configured locally on the switch. The CPPM acts only as a RADIUS authenticator and returns the role name of the client or endpoint.

Role

Users and endpoints are grouped by their network function and assigned a role. The NAC solution ensures that users and endpoints are authenticated before a role is assigned, using the RADIUS Aruba VSA Aruba-User-Role. Source-based roles remain effective even if a device authenticates at a different location or is assigned a different IP address. The role is mapped to a Group Policy ID at the source, on the ingress VTEP.

Static VXLAN

Static VXLAN (also known as unicast VXLAN) is the simplest way to connect two VTEPs. In this method, VXLAN uses a flood-and-learn technique in the VXLAN data plane to learn the hosts' addresses.

VTEP

A VXLAN tunnel endpoint (VTEP) is a VXLAN-capable device that encapsulates and de-encapsulates packets. Switches and gateways can function as a Layer 2 or Layer 3 VXLAN gateway acting as a VTEP.

VXLAN

Virtual eXtensible LAN (VXLAN) is a MAC-in-UDP encapsulation technology that provides Layer 2 connectivity across an IP network. Each 8-byte VXLAN header carries a 24-bit VXLAN ID, called the VXLAN Network Identifier (VNI), that uniquely identifies and segments each Layer 2 subnet in the same manner as a traditional VLAN ID.

VXLAN Network

A VXLAN network using the flood-and-learn method requires full-mesh connectivity between VTEPs to avoid loops. Every VTEP has split horizon enabled by default. The full mesh ensures that BUM traffic is delivered to all VTEPs for a specific bridged VLAN.

VXLAN-GPO

The Virtual eXtensible LAN (VXLAN) Group Policy Option uses a reserved 16-bit identifier in the VXLAN header to carry the Group Identifier alongside the VNI, extending segmentation so that consistent Group-Based Policy can be applied. The Aruba implementation of VXLAN-GPO uses 13-bit tags instead of 16-bit tags, ignoring the upper three bits or setting them to "0" for interoperability.
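The VXLAN header, the Group Policy ID carried by the VXLAN-GPO extension with Aruba's 13-bit masking, and the egress forward-or-drop decision described under Group-Based Policy, worked through as an added Python example. This is not Aruba's code or the NetConductor implementation: the header layout follows RFC 7348 and the IETF VXLAN Group Policy draft, while the role table, policy matrix, and sample VNI/GPID values are constructed for illustration.

```python
"""
Build and parse a VXLAN header carrying the Group Policy Option, then make
the egress forward-or-drop decision an egress VTEP performs. Field layout
follows RFC 7348 (VXLAN) and draft-smith-vxlan-group-policy (GBP). The role
table and policy matrix are constructed sample data, not vendor defaults.
"""
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN UDP port (RFC 7348)
FLAG_G = 0x80                  # Group Policy extension present
FLAG_I = 0x08                  # VNI field is valid
ARUBA_GPID_MASK = 0x1FFF       # Aruba uses the low 13 bits of the 16-bit GPID field


def build_vxlan_gbp_header(vni: int, gpid: int) -> bytes:
    """Return the 8-byte VXLAN header with the G and I flags set."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= gpid < (1 << 16):
        raise ValueError("Group Policy ID must fit in 16 bits")
    # byte 0: flags; byte 1: reserved/GBP D and A bits (left clear); bytes 2-3: GPID
    first_word = struct.pack("!BBH", FLAG_G | FLAG_I, 0x00, gpid)
    # bytes 4-6: 24-bit VNI; byte 7: reserved
    second_word = (vni << 8).to_bytes(4, "big")
    return first_word + second_word


def parse_vxlan_gbp_header(hdr: bytes, aruba_compat: bool = True) -> dict:
    """Decode VNI and Group Policy ID; optionally apply Aruba's 13-bit mask."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, _reserved, gpid = struct.unpack("!BBH", hdr[:4])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    vni = int.from_bytes(hdr[4:7], "big")
    has_gbp = bool(flags & FLAG_G)
    if has_gbp and aruba_compat:
        gpid &= ARUBA_GPID_MASK    # upper three bits ignored for interoperability
    return {"vni": vni, "gpid": gpid if has_gbp else None, "gbp": has_gbp}


# Constructed sample mapping of Group Policy IDs to global roles.
ROLE_BY_GPID = {100: "employee", 200: "printer", 300: "iot-camera"}

# Constructed sample role-to-role policy; any pair not listed is denied.
POLICY = {
    ("employee", "printer"): "permit",
    ("employee", "employee"): "permit",
    ("iot-camera", "employee"): "deny",
}


def egress_decision(hdr: bytes, dest_role: str) -> str:
    """Egress VTEP: source role comes from the header, destination role from the local client."""
    fields = parse_vxlan_gbp_header(hdr)
    if fields["gpid"] is None:
        return "drop"              # no source role carried: fail closed
    src_role = ROLE_BY_GPID.get(fields["gpid"])
    if src_role is None:
        return "drop"              # unknown GPID: fail closed
    verdict = POLICY.get((src_role, dest_role), "deny")
    return "forward" if verdict == "permit" else "drop"


if __name__ == "__main__":
    hdr = build_vxlan_gbp_header(vni=10000, gpid=100)
    print(hdr.hex(), parse_vxlan_gbp_header(hdr), egress_decision(hdr, "printer"))
```

Two points are worth noting for a defender. A header with a GPID whose upper three bits are set decodes to the same role under the 13-bit mask, so a policy audit must compare masked values rather than the raw 16-bit field. And the decision function fails closed whenever no Group Policy ID is present or the ID is not mapped to a role, which is the safe default when an unexpected encapsulation reaches an egress switch.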

Switch Personas

Edge

Access switches that provide BGP EVPN and VXLAN tunnel ingress/egress functionality, with authentication-based role assignment for endpoints and Group-Based Policy enforcement for network access.

Extended Edge

Layer 2 access switches that stitch Static-VXLAN tunnel ingress/egress to an upstream Edge (no BGP EVPN), with authentication-based role assignment for endpoints and Group-Based Policy enforcement for network access. Used to increase available network scale in the Scaled-Edge network design.

Access

A traditional Layer 2 access switch that does not support BGP EVPN, VXLAN, role assignment, or Group-Based Policy enforcement. These switches can still authenticate endpoints and support dynamic VLAN or port-access policies.

Border

Border switches provide connectivity between the fabric and services outside the fabric, including (but not limited to) Internet access.

Route Reflector

Core switches configured as BGP route reflectors to share EVPN reachability information and reduce the number of peering sessions within the fabric.

Stub

Stub switches connect downstream switches to the EVPN-based fabric using static VXLAN tunnels. Stub switches can be used for Service Aggregation, Access-Aggregation, or both.

  • Service Aggregation switch(es) hosting wireless client gateway functionality and extending group-based policy between wireless gateways and wired fabric with Static-VXLAN

  • Access-Aggregation switch(es) hosting gateway functionality for Extended-Edge switches and relaying static-VXLAN to BGP EVPN VXLAN Fabric

Intermediate Switch

Any switch in the data path that does not participate in BGP/EVPN/VXLAN routing. Deployments can use any capable switch or router as an intermediate device. Underlay orchestration supports only AOS-CX switches as intermediate devices; AOS-S, Comware, or third-party switches can be used, but the underlay network must then be configured manually.