Configuring the SD-Branch Overlay Network

The Aruba SD-Branch solution supports the hub and spoke topology and uses IPsec tunnels between the branch and the hub sites to build an SD-Branch overlay network. IPsec (Internet Protocol Security) is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. Hub sites are typically the corporate headquarters or data centers that include one or more Gateways operating as VPNCs, while branch sites or spokes include one or more Branch Gateways. The overlay network securely transports traffic forwarded between the hub and branch sites.

An overlay network is a logical network built on top of an existing physical network. The overlay creates a new layer where traffic can be directed through new virtual network routes or paths instead of physical links. This enables administrators to define and manage traffic flows, irrespective of the underlying physical infrastructure.

The SD-Branch deployment includes at least one hub site with one or more VPNCs that terminate IPsec-based VPN tunnels initiated from the Branch Gateways. A VPN (Virtual Private Network) enables secure access to a corporate network from a remote location: a device can send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through dedicated connections, encryption, or a combination of the two. Based on the deployment size and redundancy requirements, you can deploy one or more VPNCs at each hub site.

Overriding the port-based tunnel client VLAN on the controller is supported only for untagged VLANs configured on the port-based tunneling switch port. It is not supported when both untagged and tagged VLANs are configured on the port-based tunneling switch port. (A VLAN, Virtual Local Area Network, is a partition of a single Layer 2 network into multiple distinct broadcast domains that are mutually isolated, so that packets can pass between them only through one or more routers.)

The following figure illustrates the hub and spoke topology with a single hub site:

Figure 1  Hub and Spoke Topology: Single Hub Site

Large deployments may include additional hub sites to provide redundancy in the event of a primary hub site failure. The most common deployment consists of a primary and secondary hub, each with two redundant VPNCs, as shown in the following figure:

Figure 2  Hub and Spoke Topology: Dual Hub Sites

Configuration Recommendations

The Aruba SD-Branch overlay network based on the hub and spoke architecture requires administrators to configure Gateways using the Aruba Central management interface. Administrators can either manually set up the Gateways to establish VPN tunnels or use the tunnel orchestrator service in Aruba Central to enable Gateways to establish VPN tunnels automatically. When the VPN hub is set and the Branch Gateways are configured as spokes, Aruba Gateways authenticate using the certificates held in their built-in TPM and automatically establish an overlay tunnel. A TPM (Trusted Platform Module) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices. Administrators can also upload custom certificates for authentication.

Important Points to Note

Configuring Overlay Tunnels Automatically

The Aruba SD-Branch solution supports the SD-Branch overlay orchestration service that automates the overlay tunnel and route configuration process. SD-WAN (Software-Defined Wide Area Network) applies SDN technology to the WAN connections that link enterprise networks across disparate geographical locations. For more information on the SD-WAN overlay orchestration service, see SD-WAN Overlay Tunnel and Route Orchestration.

Manually Configuring Hub and Spoke VPN

To configure a hub and spoke topology for the SD-Branch overlay network, complete the following steps:

Enabling Automatic Allowlisting of Gateways

In a hub and spoke VPN topology, where remote branches connect to the VPNC, new branches are added in a staggered way. Each time a Branch Gateway is added, the branch information must be populated on the VPNC to allowlist the branch device. In large-scale deployments, this method is error prone and cumbersome. The automatic allowlisting feature automates the process of allowing branch devices to connect to VPNCs and thus eliminates the need to configure each device at the headend.

Using Aruba Central as the single management entity for Gateways, administrators can enable automatic allowlisting and define a passphrase that secures the VPN tunnels. Automatic allowlisting is a global configuration that enables all VPNCs to terminate tunnels initiated by any Branch Gateway provisioned in Aruba Central; a device that is not provisioned in Aruba Central is not admitted by the passphrase alone.

Automatic allowlisting must be configured on both the Branch Gateways and the VPNCs. Ensure that you enable this feature in both the Branch Gateway group and the VPNC group; enabling it on one side only leaves the tunnels unestablished.
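The admission decision that the two paragraphs above describe, modelled as an added Python example that is not Aruba code: the real decision is taken inside the Gateway's IKE/IPsec stack, and the group names, the serial numbers, the inventory set and the nonce-based passphrase proof here are constructed stand-ins. The model keeps the two admission paths side by side: the manual per-VPNC allowlist, and automatic allowlisting, which admits a peer only when the feature is enabled in both groups, the peer is present in the Aruba Central inventory, and the passphrase matches.

```python
"""Model of a VPNC deciding whether to terminate a Branch Gateway tunnel.

Added illustration, not Aruba code. Group settings, serials, the inventory
and the HMAC nonce exchange are constructed for the example; the real
authentication is IKE/IPsec with TPM certificates or a pre-shared key.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
import hashlib
import hmac
import secrets


@dataclass
class VpncGroup:
    """Settings a VPNC group would receive from Aruba Central (modelled)."""
    manual_allowlist: Set[str] = field(default_factory=set)  # branch serials
    auto_allowlist: bool = False
    passphrase: Optional[bytes] = None


@dataclass
class BranchGroup:
    """Settings a Branch Gateway group would receive from Aruba Central (modelled)."""
    auto_allowlist: bool = False
    passphrase: Optional[bytes] = None


def prove_passphrase(passphrase: bytes, serial: str, nonce: bytes) -> bytes:
    """Branch side: proof of knowledge of the passphrase, bound to this
    serial and to the VPNC's nonce, so the passphrase itself never crosses
    the wire and a captured proof cannot be replayed for another device.
    Stand-in for IKE pre-shared-key authentication, not the real exchange."""
    return hmac.new(passphrase, serial.encode() + nonce, hashlib.sha256).digest()


def admit_tunnel(vpnc: VpncGroup, branch: BranchGroup, serial: str,
                 central_inventory: Set[str],
                 nonce: Optional[bytes] = None) -> Tuple[bool, str]:
    """VPNC side: decide whether to terminate a tunnel from `serial`.

    Returns (admitted, reason). The reason names which side or which
    prerequisite is missing, because in practice the feature being enabled
    on only one of the two groups is the common misconfiguration."""
    # Path 1: the branch was entered by hand on this VPNC (legacy method).
    if serial in vpnc.manual_allowlist:
        return True, "manual allowlist"
    # Path 2: automatic allowlisting, which needs both groups enabled ...
    if not vpnc.auto_allowlist:
        return False, "automatic allowlisting disabled on VPNC group"
    if not branch.auto_allowlist:
        return False, "automatic allowlisting disabled on Branch Gateway group"
    # ... the device provisioned in Aruba Central (the passphrase alone is
    # not a credential for unknown hardware) ...
    if serial not in central_inventory:
        return False, "branch not provisioned in Aruba Central"
    # ... and a matching passphrase on both sides.
    if vpnc.passphrase is None or branch.passphrase is None:
        return False, "passphrase missing on one side"
    nonce = nonce or secrets.token_bytes(16)
    proof = prove_passphrase(branch.passphrase, serial, nonce)
    expected = prove_passphrase(vpnc.passphrase, serial, nonce)
    if not hmac.compare_digest(proof, expected):
        return False, "passphrase mismatch"
    return True, "automatic allowlist"


# Constructed inventory: serials that Aruba Central knows about.
CENTRAL_INVENTORY = {"BGW-0001", "BGW-0002"}


def demo() -> dict:
    """Run the common cases and return {scenario: (admitted, reason)}."""
    vpnc = VpncGroup(manual_allowlist={"BGW-0099"}, auto_allowlist=True,
                     passphrase=b"example-passphrase")
    good = BranchGroup(auto_allowlist=True, passphrase=b"example-passphrase")
    one_sided = BranchGroup(auto_allowlist=False, passphrase=b"example-passphrase")
    wrong_pw = BranchGroup(auto_allowlist=True, passphrase=b"typo")
    return {
        "provisioned, both enabled": admit_tunnel(vpnc, good, "BGW-0001", CENTRAL_INVENTORY),
        "manual entry, not provisioned": admit_tunnel(vpnc, good, "BGW-0099", CENTRAL_INVENTORY),
        "unknown serial": admit_tunnel(vpnc, good, "BGW-0003", CENTRAL_INVENTORY),
        "enabled on VPNC only": admit_tunnel(vpnc, one_sided, "BGW-0001", CENTRAL_INVENTORY),
        "wrong passphrase": admit_tunnel(vpnc, wrong_pw, "BGW-0001", CENTRAL_INVENTORY),
        "disabled on VPNC": admit_tunnel(VpncGroup(), good, "BGW-0001", CENTRAL_INVENTORY),
    }


if __name__ == "__main__":
    for scenario, (admitted, reason) in demo().items():
        print(f"{scenario:32s} -> {'ADMIT' if admitted else 'DENY '} ({reason})")
```

The ordering of checks is deliberate: the inventory lookup runs before the passphrase check, so a device that is not provisioned in Aruba Central is denied even if it somehow holds the passphrase, and the returned reason tells the operator which group is missing the setting.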

For more information, see the following sections: