Branch Mesh Topology in SD-Branch
Branch Mesh configuration is supported from SD-Branch version ArubaOS 8.7.0.0-2.3.0.0 and later.
The Aruba SD-Branch branch mesh topology lets Branch Gateways establish secure overlay tunnels with other Branch Gateways, whether those gateways belong to the same group or to different groups. When a branch mesh topology is configured between two or more Branch Gateways, a branch mesh link is established that securely transports traffic between them. The branch mesh link is a point-to-point link: traffic flows from one Branch Gateway to another based on the subnets that the destination Branch Gateway advertises to the cloud orchestrator. Note that a destination Branch Gateway in a branch mesh topology never acts as a transit gateway, so a Branch Gateway can reach only the subnets its direct mesh peer advertises, not subnets that sit behind a third gateway.

Branch Gateways need not be in the same group to form a branch mesh tunnel. The Branch Gateways can be part of the same group or of different groups, and each Branch Gateway establishes a point-to-point secure tunnel with every other Branch Gateway that is part of the same branch mesh topology. The branch mesh links are displayed in the SD-WAN overlay map view of the Overlay Tunnel Orchestrator. For more information, see Route and Tunnel pages. The following mechanisms are involved in forming a branch mesh topology:
- The Overlay Tunnel Orchestrator (OTO) provides the tunnel specifications to the selected Branch Gateways based on the topology. When two Branch Gateways are selected, OTO picks one as the tunnel initiator and the other as the tunnel responder and forms an IPsec tunnel between them over their uplinks. The initiator and responder roles depend on the device serial numbers: of the two devices in a pair, the one with the lower serial number is the initiator and the one with the higher serial number is the responder.
- The Overlay Route Orchestrator (ORO) sends the routes to the selected Branch Gateways. ORO advertises each prefix with the originating Branch Gateway as the lowest-cost next hop and the data center VPNC as a higher-cost next hop, so the branch-to-branch path is preferred while the IPsec tunnel between the branches is up and traffic falls back to the VPNC path when it is not.
- To establish branch mesh tunnels between two Branch Gateways, the Branch Gateways at both ends of the tunnel query the STUN server through each of their uplinks to learn that uplink's public IP address and external-facing post-NAT port.

There are multiple ways in which tunnels can be formed between two branches, depending on which uplinks each gateway has.

If both the initiator and the responder are single-gateway branches with one INET-1, one INET-2, and one MPLS port each, then the tunnels can be created as described in the diagram below:
Figure 1 Single-gateway branch, scenario 1
If the initiator has one INET-1 and one MPLS port, while the responder has INET-1, INET-2, and MPLS ports, then the tunnels can be created as described in the diagram below:
Figure 2 Single-gateway branch, scenario 2
If the initiator has one INET-1, one INET-2, and one MPLS port, while the responder has only one INET-1 and one MPLS port, then the tunnels are created as described in the diagram below:
Figure 3 Single-gateway branch, scenario 3
For branches with two gateways each, where the gateways have only INET-1 and INET-2 ports, the tunnels are created as described in the diagram below:
Figure 4 Double-gateway branch
The STUN server's response to each query contains the post-NAT public IP address and port as seen by the STUN server; this mapping can differ on every uplink. Repeated STUN messages from the same source port keep the external-facing post-NAT port open and hold the current mapping in place until the branch mesh tunnels that use this port come up, so that the port mapping does not expire on the NAT devices before the tunnel is established. STUN only discovers the mapping; peer authentication and confidentiality of the branch mesh link come from the IPsec tunnel itself.
The following uplink data for the Branch Gateways is exchanged with OTO through the uplink AMON message so that OTO can bring up branch mesh tunnels:
- Private Uplink IP
- Source Port used by STUN for public IP discovery
- Public IP
- External facing post-NAT port discovered by STUN
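The following Python is an added example, not code from the page or from Aruba's products. It models the STUN Binding exchange described above (RFC 5389): it builds a Binding Request, parses the public IP address and post-NAT port out of a Binding Success Response, and assembles the four uplink fields listed above. The server reply is constructed inline so the example runs offline; the `uplink_record` field names and the `discover` helper are assumptions and do not reflect the actual AMON message format.

```python
"""STUN Binding exchange (RFC 5389) for public IP / post-NAT port discovery.
Added example. make_binding_response exists only to construct a sample server
reply offline; the message layout is the RFC's, the uplink_record field names
are assumptions that mirror the four items listed on the page."""
import ipaddress
import os
import socket
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001        # legacy attribute, address sent in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020    # RFC 5389, XORed so NAT ALGs cannot rewrite it


def build_binding_request(txn_id: bytes) -> bytes:
    """20-byte header and no attributes: type, length, magic cookie, transaction ID."""
    if len(txn_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def parse_binding_response(data: bytes, txn_id: bytes) -> Tuple[str, int]:
    """Return (public_ip, post_nat_port) from a Binding Success Response.

    XOR-MAPPED-ADDRESS is preferred; MAPPED-ADDRESS is the fallback for old servers.
    A reply whose cookie or transaction ID does not match is rejected, so a stray
    or spoofed datagram cannot feed a bogus mapping into the uplink data."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie, rx_txn = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or rx_txn != txn_id:
        raise ValueError("not a response to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN type 0x{msg_type:04x}")
    body = data[20:20 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated STUN body")
    fallback: Optional[Tuple[str, int]] = None
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)          # attributes are padded to 4 bytes
        if attr_type not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
            continue
        if len(value) != 8 or value[1] != 0x01:   # IPv4 only in this example
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            return str(ipaddress.IPv4Address(addr ^ MAGIC_COOKIE)), port ^ (MAGIC_COOKIE >> 16)
        fallback = (str(ipaddress.IPv4Address(addr)), port)
    if fallback is None:
        raise ValueError("no mapped address in response")
    return fallback


def make_binding_response(txn_id: bytes, public_ip: str, public_port: int, xor: bool = True) -> bytes:
    """Constructed server reply, used here only so the example runs offline."""
    addr = int(ipaddress.IPv4Address(public_ip))
    if xor:
        attr_type = ATTR_XOR_MAPPED_ADDRESS
        port, addr = public_port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
    else:
        attr_type, port = ATTR_MAPPED_ADDRESS, public_port
    value = struct.pack("!BBHI", 0, 0x01, port, addr)
    body = struct.pack("!HH", attr_type, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(body), MAGIC_COOKIE, txn_id) + body


def uplink_record(uplink: str, private_ip: str, src_port: int,
                  response: bytes, txn_id: bytes) -> Dict[str, object]:
    """The four per-uplink fields the page lists (field names are assumed)."""
    public_ip, public_port = parse_binding_response(response, txn_id)
    return {"uplink": uplink, "private_ip": private_ip, "stun_src_port": src_port,
            "public_ip": public_ip, "public_port": public_port}


def discover(stun_server: Tuple[str, int], bind_addr: Tuple[str, int],
             timeout: float = 2.0) -> Tuple[str, int]:
    """Live query from a fixed local port, the port the mesh tunnel will later reuse."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind_addr)
        s.settimeout(timeout)
        s.sendto(build_binding_request(txn_id), stun_server)
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txn_id)


if __name__ == "__main__":
    txn = os.urandom(12)
    reply = make_binding_response(txn, "203.0.113.7", 40000)   # constructed sample reply
    print(uplink_record("INET-1", "10.1.1.2", 4500, reply, txn))
```

Binding the query socket to a fixed local port matters: the mapping the NAT creates is per source port, so the gateway must keep using that same port, both for the keepalive queries and for the tunnel, or the public port reported to OTO will not be the one the tunnel traffic actually leaves on.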
When Branch-HA and branch mesh topologies intersect, the Branch Gateway does not treat its Branch-HA peer as a branch mesh peer, and no IPsec tunnels are set up between the Branch-HA peers.
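The following Python is an added example and not Aruba's orchestrator code. It models the OTO and ORO rules described above for a whole topology: it enumerates the point-to-point tunnels, assigns initiator and responder by serial number, skips Branch-HA peers, enforces the 128-gateway limit, and prefers the branch-to-branch path over the VPNC path only when the peer itself advertises the prefix and the tunnel is up, which is what "never acts as a transit gateway" means in practice. The cost values, the string comparison of serial numbers, and the sample topology are assumptions.

```python
"""Mesh tunnel planning and route preference, modelled on the rules on this page.
Added example. Assumptions not taken from the page: serial numbers compare as
strings (fine for same-length Aruba serials), and MESH_COST / VPNC_COST are
illustrative values; only their order matters."""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Set, Tuple

MAX_GATEWAYS_PER_MESH = 128   # limit stated on the page
MESH_COST = 10                # assumed: ORO gives the originating gateway the lowest cost
VPNC_COST = 100               # assumed: the data center VPNC path carries a higher cost


@dataclass
class Gateway:
    name: str
    serial: str
    subnets: Set[str]                 # prefixes this gateway advertises to ORO
    ha_peer: Optional[str] = None     # name of its Branch-HA peer, if any


@dataclass
class MeshTunnel:
    initiator: str
    responder: str
    up: bool = True


def pick_roles(a: Gateway, b: Gateway) -> Tuple[str, str]:
    """Lower serial number initiates, higher serial number responds."""
    if a.serial == b.serial:
        raise ValueError("serial numbers must be unique")
    return (a.name, b.name) if a.serial < b.serial else (b.name, a.name)


def plan_mesh_tunnels(gateways: List[Gateway]) -> List[MeshTunnel]:
    """Enumerate the point-to-point tunnels OTO would specify for one topology."""
    if len(gateways) > MAX_GATEWAYS_PER_MESH:
        raise ValueError(f"at most {MAX_GATEWAYS_PER_MESH} gateways per branch mesh topology")
    tunnels: List[MeshTunnel] = []
    for a, b in combinations(gateways, 2):
        if a.ha_peer == b.name or b.ha_peer == a.name:
            continue   # Branch-HA peers never get a mesh tunnel between them
        init, resp = pick_roles(a, b)
        tunnels.append(MeshTunnel(init, resp))
    return tunnels


def select_path(src: Gateway, dst_subnet: str,
                gateways: List[Gateway], tunnels: List[MeshTunnel]) -> str:
    """Return 'mesh:<peer>' or 'vpnc' for a destination prefix seen from src.

    A mesh tunnel is eligible only when it is up and the peer itself advertises
    the prefix: a mesh peer never transits traffic for a third gateway."""
    by_name = {g.name: g for g in gateways}
    candidates = [("vpnc", VPNC_COST)]
    for t in tunnels:
        if not t.up or src.name not in (t.initiator, t.responder):
            continue
        peer = t.responder if t.initiator == src.name else t.initiator
        if dst_subnet in by_name[peer].subnets:
            candidates.append((f"mesh:{peer}", MESH_COST))
    return min(candidates, key=lambda c: c[1])[0]


if __name__ == "__main__":
    # Constructed sample topology: A and C single gateways, B/B2 a Branch-HA pair.
    gws = [
        Gateway("A", "CN0001", {"10.1.0.0/24"}),
        Gateway("B", "CN0002", {"10.2.0.0/24"}, ha_peer="B2"),
        Gateway("B2", "CN0003", {"10.2.0.0/24"}, ha_peer="B"),
        Gateway("C", "CN0004", {"10.3.0.0/24"}),
    ]
    planned = plan_mesh_tunnels(gws)
    for t in planned:
        print(f"{t.initiator} -> {t.responder}")
    print(select_path(gws[0], "10.3.0.0/24", gws, planned))
    for t in planned:
        if {t.initiator, t.responder} == {"A", "C"}:
            t.up = False
    print(select_path(gws[0], "10.3.0.0/24", gws, planned))
```

With four gateways of which two are an HA pair, the planner produces five tunnels rather than six, A initiates every tunnel it is part of because it has the lowest serial, and the prefix behind C is reached directly while the A-C tunnel is up and via the VPNC once it is down.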
The following figure illustrates a branch mesh topology between two Branch Groups:
Figure 5 Branch Mesh Topology
Configuration Recommendations
The Aruba SD-WAN branch mesh topology requires that the Branch Gateways are managed through Aruba Central.
Important Points to Note
- Branch mesh supports branches with HA and with uplink sharing (virtual uplinks).
- A branch group does not need to be connected to a hub or data center VPNC to establish a branch mesh.
- You can configure up to 128 Branch Gateways in a branch mesh topology.
- You can configure up to 256 branch mesh topologies.
- You can include a Branch Gateway in multiple branch mesh topologies.
For more information, see the following sections: