Overview

An introduction to AOS 10 components covering deployment environments, hardware, software, licensing, and personas.

HPE GreenLake

The HPE GreenLake edge-to-cloud platform is a secure, cloud-based platform that allows you to view and control your hybrid cloud estate. The platform unifies and simplifies IT operations by providing an intuitive, self-service dashboard where you can deploy and run cloud services used to provision and manage networking, compute, and storage infrastructure and perform day-to-day operations.

The HPE GreenLake platform provides the following:

  • Workspaces – Create, manage, and monitor workspaces that contain devices, applications, and services.

  • User Management – Manage users, roles, and access permissions to workspaces.

  • Applications – Deploy and access applications used to configure, manage, and monitor your infrastructure and operations.

  • Subscriptions – Manage device and service subscriptions for each workspace.

  • Devices – Manage device inventory and subscription assignments.

Aruba Activate and Aruba Central used to be independent cloud services; both are now fully integrated into the HPE GreenLake platform. To support an AOS 10 deployment, each organization requires one workspace with a Central application deployed for its specific region. For large organizations, a workspace can support multiple Central applications, each in a different region, if required.

Figure: HPE GreenLake Platform

APs and Gateways are automatically or manually added to a workspace. When new APs and Gateways are purchased and a workspace for your organization exists, the APs and Gateways will automatically be added to your inventory for your workspace. This is similar to how devices were added to Activate in the past. Each AP and Gateway is assigned to a Central application and a subscription is automatically or manually assigned.

When a new or provisioned AP or Gateway boots, it automatically communicates with device.arubanetworks.com, which redirects the device to the HPE GreenLake platform. Based on the application and subscription assignment, the device is then redirected to the Central application to which it is assigned. Devices with no Central application or subscription assignment will not be managed by Central.

Aruba Central

HPE Aruba Networking Central is an application under the HPE GreenLake platform that simplifies the deployment, management, and optimization of WLAN, LAN, VPN, and SD-WAN. The Central application is deployed within a workspace in the HPE GreenLake platform. Each AOS 10 deployment requires one instance of the Central application to be deployed. Workspaces for larger organizations may include multiple Central applications if required where each Central application instance supports devices deployed within a specific geographical region such as North America and EMEA.

Aruba Central eliminates the time-consuming manual process of moving information from one management platform to another or trying to correlate troubleshooting information across multiple views. The use of integrated AI-based ML, IoT device profiling for security, and Unified Infrastructure management accelerates the edge-to-cloud transformation for today’s Intelligent Edge.

Aruba Central is a cloud-native microservices-based platform that provides the scalability and resilience needed for critical environments. Compared to an on-premises solution, Central is more adaptive, predictable, and horizontally scalable with built-in redundancy. Central also provides seamless access to Aruba ClearPass Device Insight, Aruba User Experience Insight (UXI), and Aruba Meridian, which add AI/ML and location-based services for network visibility and insight.

Aruba Central has the following key features:

  • Cloud-native enterprise campus WLAN software

  • AI Insights for WLAN, switching, and SD-WAN

  • Advanced IPS/IDS threat defense management

  • Mobile application-based network installation

  • Unified management for access and WAN edge

  • Live chat and an AI-based search engine

  • Cloud, on-premises and as-a-Service (aaS) options

ArubaOS 10

ArubaOS 10 (AOS 10) is the distributed network operating system working with Aruba Central that controls Aruba Access Points (APs) and Gateways. With its flexible architecture, network teams can deliver reliable and secure wired and wireless connectivity for small offices, mid-sized branches, campuses, and remote workers. Working in tandem with cloud-native Aruba Central, AOS 10 provides the management and control to deliver greater scalability, enhanced security, AI-powered optimizations for faster problem resolution and unified management of all APs and gateways.

AOS 10 is different from AOS 8 in many ways. As the AOS 10 operating system is now unified, the same firmware version can now be implemented for all AP and Gateway deployment types. IT organizations no longer have to manage and maintain different AOS 8 versions and device modes to support campus, SD-Branch and Microbranch deployments. APs and Gateways running AOS 10 can support multiple personas.

The following is a summary of key architectural differences in AOS 10 from previous AOS releases:

  • The management / control plane for APs and Gateways resides within the cloud platform. APs no longer rely on Controllers for management, configuration, and operation.

  • Gateways for WLAN deployments are completely optional. AOS 10 APs can locally bridge user traffic, or tunnel user traffic to a resilient Gateway cluster based on business and scaling needs.

  • The AOS version and AP mode no longer determine the forwarding architecture. For each WLAN profile, customers can select the forwarding mode.

  • Merges SD-Branch and Microbranch functionality into a single release.

  • APs and Gateways may implement different AOS 10 versions (multi version support).

AOS 10 is designed to support networks of all sizes and can easily scale to accommodate growing network requirements. It helps streamline operations, policy enforcement for devices, users, and applications, and AI-powered troubleshooting and optimization. As part of Aruba’s Edge Services Platform (ESP) architecture, Aruba Central along with AOS 10 delivers cloud-native management and control services across wired LAN, Wireless Local Area Network (WLAN), and WAN through a single console. AOS 10 offers a fully cloud-managed SD-WAN solution. Organizations can adopt the benefits of SD-WAN capabilities, coupled with identity-based and role-based traffic segmentation, enforced with a built-in firewall, and supported by IDS or IPS and other security functions.

Figure: AOS 10 Architecture

Supported Devices

AOS 10 is supported on specific models of APs and Gateways for new deployments or migrations. As the list of supported AP and Gateway models for each AOS 10 release will evolve over time, the current list of supported APs and Gateways can be referenced at the HPE Aruba Networking Documentation Center.

All AP models ship with either AOS 8 or AOS 10 that supports connectivity to the cloud. All models of Gateways currently ship with a version of AOS 8 that can communicate with the cloud platform, with the exception of the 9114 and the 9106 models, which ship with AOS 10. A new Gateway that is deployed using one touch provisioning (OTP), zero touch provisioning (ZTP) or full setup, and that is assigned to a Central instance and is licensed, will be automatically upgraded to an SD-WAN image by the cloud platform. The Gateway can then be automatically upgraded to AOS 10 using the version compliance feature in Central.

Deployments with supported APs and Gateways running AOS 8 can also be migrated to AOS 10. The exact migration procedure that you follow to upgrade your APs and Gateways to AOS 10 will vary by deployment and is covered in the AOS 10 Adoption guide.

Network Roles

APs and Gateways running AOS 10 can adopt network roles based on the Central configuration group to which they are assigned. The network role that is assigned to a configuration group determines the configuration and monitoring options that are exposed for devices within each configuration group. For example, APs assigned to a configuration group with a Campus / Branch network role will have different configuration and monitoring options exposed than APs assigned to a configuration group with a Microbranch network role.

A configuration group can contain APs only, Gateways only or both depending on the assigned network roles. Not all network roles are compatible; incompatible roles require dedicated configuration groups. For example, AP configuration groups with a Microbranch network role do not support Gateways and Gateway configuration groups with a VPN Concentrator network role do not support APs.

AP Network Role    Gateway Network Role    Can be Mixed
Campus / Branch    Mobility                Yes
Campus / Branch    Branch                  Yes
Campus / Branch    VPN Concentrator        No
Microbranch        Mobility                No
Microbranch        Branch                  No
Microbranch        VPN Concentrator        No

Each configuration group can support one network role for APs and one for Gateways. The number of configuration groups you deploy will vary based on your preference for how the configuration is organized, the types of AP and Gateway network roles that are required, and the complexity of your deployment. As a general rule of thumb, a configuration group is required for each group of devices that share the same network role and common configuration.

When a configuration group is created for APs or Gateways, a network role must be selected. The network role cannot be changed once the configuration group has been created and saved. If an AP or Gateway network role needs to be changed, the device must be moved to a new configuration group with the new network role. An example of a network role assignment for APs and Gateways is depicted below.

Existing configuration groups can also be edited, and a new device type assigned. The device type and network role that can be added will be dependent on the AP or Gateway network role configured in the group. For example, you may edit an existing mobility Gateway configuration group and add APs with a campus / branch network role or vice versa.
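A pre-deployment check of a planned group layout against the compatibility table and the fixed-role rule above. This is an added example, not HPE Aruba code or a Central API: the plan format, the function name, and the sample groups are hypothetical.

```python
# Added example: the plan format is hypothetical, not a Central API or export.
AP_ROLES = {"Campus / Branch", "Microbranch"}
GW_ROLES = {"Mobility", "Branch", "VPN Concentrator"}
# (AP role, Gateway role) pairs the table marks "Can be Mixed: Yes".
MIXABLE = {("Campus / Branch", "Mobility"), ("Campus / Branch", "Branch")}


def validate_plan(groups, existing=None):
    """Return findings for planned configuration groups.

    groups:   {name: {"ap_role": str | None, "gw_role": str | None}}
    existing: same shape, for groups that are already created and saved.
    """
    existing = existing or {}
    findings = []
    for name, g in sorted(groups.items()):
        ap, gw = g.get("ap_role"), g.get("gw_role")
        if ap is None and gw is None:
            findings.append(f"{name}: no network role selected")
            continue
        if ap is not None and ap not in AP_ROLES:
            findings.append(f"{name}: unknown AP role {ap!r}")
        if gw is not None and gw not in GW_ROLES:
            findings.append(f"{name}: unknown Gateway role {gw!r}")
        if ap in AP_ROLES and gw in GW_ROLES and (ap, gw) not in MIXABLE:
            findings.append(
                f"{name}: {ap} APs cannot share a group with {gw} Gateways")
        # A saved role cannot be changed; adding the other device type is fine.
        old = existing.get(name, {})
        for key, label in (("ap_role", "AP"), ("gw_role", "Gateway")):
            new = g.get(key)
            if old.get(key) and new and new != old[key]:
                findings.append(f"{name}: {label} role is fixed as {old[key]}; "
                                "move devices to a new group")
    return findings


# Constructed sample data: saved groups and the planned layout.
SAVED = {"hq": {"ap_role": None, "gw_role": "Mobility"},
         "home": {"ap_role": "Microbranch", "gw_role": None}}
PLAN = {"hq": {"ap_role": "Campus / Branch", "gw_role": "Mobility"},
        "home": {"ap_role": "Campus / Branch", "gw_role": None},
        "dc": {"ap_role": "Campus / Branch", "gw_role": "VPN Concentrator"},
        "soho": {"ap_role": "Microbranch", "gw_role": "Branch"}}

if __name__ == "__main__":
    for finding in validate_plan(PLAN, SAVED):
        print(finding)
```

Running such a check before creating groups matters because the role is locked at save time and determines which configuration options, including VPN, WAN and routing settings, are exposed for the devices in the group.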

Access Points

The configuration of AOS 10 APs is determined by the configuration group to which they are assigned. The network role assigned to a configuration group is selected based on how the AP will be used and influences the configuration and monitoring options that are exposed. For example, configuration groups for Microbranch APs include additional configuration and monitoring options that are not applicable or exposed in configuration groups supporting campus / branch APs.

The following network roles can be assigned to a configuration group supporting AOS 10 APs:

  • Campus / Branch – Used to configure groups of APs deployed in a campus or branches that are connected via uplink ports to a local area network. APs can bridge or tunnel user traffic and may also be deployed as Mesh Portals or Mesh Points.

  • Microbranch – Used to configure individual APs deployed in remote small offices or home offices that securely connect to a private network over the public internet. Microbranch APs can support a number of different forwarding modes, support routing and may also connect to multiple Internet services.

Configuration groups with a Campus / Branch network role can include Gateways with a Mobility or Branch network role. Configuration groups with a Microbranch network role cannot include Gateways but may include switches.

Figure: AP Network Roles

Gateways

The configuration of AOS 10 Gateways is determined by the configuration group to which they are assigned. The network role assigned to a configuration group is selected based on how the Gateways will be used and influences the configuration and monitoring options that are exposed. For example, configuration groups for branch Gateways and VPN concentrators include additional VPN, WAN and routing configuration that is not applicable or exposed for configuration groups supporting mobility Gateways.

The following network roles can be assigned to a configuration group supporting AOS 10 Gateways:

  • Mobility – Used to configure Gateways that terminate tunneled user traffic from APs and/or UBT switches in large offices and campuses.

  • Branch – Used to configure Gateways deployed in remote branch offices. Branch Gateways support mobility functions and can terminate tunneled user traffic from APs and/or UBT switches. Branch Gateways also offer advanced routing, WAN connectivity and WAN path optimization and can be deployed at the edge of a branch network in place of a traditional WAN router or firewall.

  • VPN Concentrator – Used to configure Gateways that terminate secure orchestrated overlay tunnels established from branch Gateways and/or microbranch APs.

Configuration groups with a Mobility or Branch network role may include APs with a Campus / Branch network role and optionally switches but not APs with a Microbranch network role. Configuration groups with a VPN Concentrator role cannot include APs but may optionally include switches.

Figure: Gateway Group Network Roles


Last modified: August 15, 2024 (1d1eb16)