Aruba Central NetConductor

With an ever-growing focus on security and scale, the enterprise network is becoming more and more complex in terms of design, deployment, and operations. There is an increasing reliance on BYOD Bring Your Own Device. BYOD refers to the use of personal mobile devices within an enterprise network infrastructure. (Bring Your Own Device) and IoT Internet of Things. IoT refers to the internetworking of devices that are embedded with electronics, software, sensors, and network connectivity features allowing data exchange over the Internet. (Internet of Things) for business efficiency and digital transformation initiatives. This increases the risk of security threats to the enterprise due to a sharp increase in the unknown or rogue clients and an ever-expanding threat front. Defining policy manually for these clients using the complex policy constructs available today can prove to be a challenging task for security and network administrators. Furthermore, intent-based networking has become an increasingly popular paradigm that many customers are looking to adopt and implement. The goal of intent-based networking is not only to abstract the underlying complexities of network but instead allow users to design, implement, and operate their networks based on their business intents. Automated network provisioning and orchestration has been identified to achieve this level of abstraction by many network vendors. Thus, the focus has shifted to the security, scalability, and simplification of these networks.

Aruba Central NetConductor is an edge-to-cloud network and security framework designed to tackle these problems for the modern enterprise network. It is tied directly to the Aruba ESP Encapsulating Security Payload. The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). (Edge Edge is a device persona that connects endpoints to the fabric. Services Platform) vision of an edge-to-cloud network. Intelligent overlays are built on highly available underlays and are tied to a full policy-based micro-segmentation model, based on global roles, across the entire network infrastructure of the customer. Role-based policies abstract policy from the underlying network and enable flexible and simplified policy definition and enforcement. This is enhanced by the full automation of the underlay, orchestration of the overlay, a single pane of glass for management and monitoring, and a rich array of complementary services. The Aruba Central NetConductor framework has evolved to enhance the policy and orchestration components to deliver true intent-based network evolution and optimization.

The following are the main pillars of Aruba Central NetConductor:

  • Intelligent Overlays—Overlay networks provide the ability to deploy flexible services based on ever-changing demands of the endpoints and applications. Decoupling of overlay network from the physical topology enables on-demand deployment of layer 2 and layer 3 services irrespective of underlay physical topology. Overlay networks also enable the ability to carry endpoint or user role information across the network without requiring all devices in the path to understand or manage the roles. Aruba Central NetConductor provides customers the flexibility to choose between centralized overlays or distributed overlays to address their unique requirements. The centralized overlay provides simplified operations and advanced security features for distributed enterprise and smaller campus deployments. For large enterprise campus deployments, Aruba Central NetConductor provides the ability to use distributed overlays for wired and wireless endpoints. This enables large enterprises to deploy a standards-based and scalable overlay network. Both overlay models support the Colorless Ports feature, which enables automated client on-boarding and access control for ease of operations.

Benefits of Aruba Central NetConductor

The following are some of the key benefits of the Aruba Central NetConductor solution. The objective of this guide is to highlight these capabilities to the customer.

  • Simplified and Consistent Security Policies

    • Simplified policy definition based on customer identity
    • Security policies agnostic of location, network, and devices
    • Policy follows the endpoint, user, or application across wired and wireless networks
    • Consistent policies across Campus, Branch, and Datacenter
    • Increase scale by eliminating the need for enforcement nodes to maintain endpoint to role mappings to enforce polices
  • Flexible Overlays Agnostic of Underlay Architecture

    • Flexible choice of centralized or distributed Aruba Central NetConductor fabrics on any underlay physical network architecture
    • Automated stich-up and tear-down of layer 2 and layer 3 services based on customer on-boarding
    • Address requirements of small, distributed enterprise to a large campus network
  • Simplified Network Deployments and Operations with Intent-Driven Workflows

    • Abstract complexity of the underlying protocols from network architects or operators
    • Enables global orchestration of roles and role-based policies from Aruba Central
    • Unified monitoring and troubleshooting across all device types and network locations
    • Actionable insights enable ease of troubleshooting for network issues

Features for Aruba Central NetConductor

The following features are available in Aruba Central NetConductor:

  1. Global Client Roles
  2. Network Wizard Overview
  3. Fabric Wizard Overview
  4. Static VXLAN Tunnels on ArubaOS 10 Gateways

Aruba Central NetConductor Vocabulary

The following table provides a brief description of the technical terms used in this guide.

Table 1: List of Technical Terms used in this Guide

Term

Description

Border

Border device persona connects the fabric to external networks. For example, connect fabric to WAN or Internet or firewalls Firewall is a network security system used for preventing unauthorized access to or from a private network..

Border Gateway Protocol (BGP Border Gateway Protocol. BGP is a routing protocol for exchanging data and information between different host gateways or autonomous systems on the Internet. )

BGP is a standardized routing method that enables the internet to exchange routing information between autonomous systems (AS Autonomous System An autonomous system is a single network or a collection of networks that is under a single administrative control. The routing devices in an Autonomous System generally use a single interior gateway protocol (IGP) for routing information. Routing between two Autonomous Systems is handled by the Exterior Gateway Protocols like BGP.).

Ethernet Ethernet is a network protocol for data transmission over LAN. VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. (EVPN)

EVPN is an extension of the BGP protocol for layer 2 (bridging) and layer 3 (routing) VPNs.

Edge

Edge is a device persona that connects endpoints to the fabric.

External BGP (eBGP External BGP refers to BGP connection between external peers.)

Refers to BGP connection between external peers.

Fabric Fabric is a group of AOS-CX Switches that are part of the BGP-EVPN VXLAN overlay. The overlay fabric is created by configuring VXLAN tunnels between stub and edge Switches. This is in context to Aruba Central NetConductor.

Fabric is a group of AOS-CX Switches that are part of the BGP-EVPN VXLAN Virtual Extensible LAN creates virtual networks overlaid on a physical network. overlay. The overlay fabric is created by configuring VXLAN tunnels between stub and edge Switches.

Group-based Policy (GBP Group-based Policy is used to segment user traffic in a network by grouping the users into roles based on user authentication at the source or VTEP. Source-based roles will remain effective even if a device authenticates at a different location, or if the device is assigned a different IP address.)

GBP is used to segment user traffic in a network by grouping the users into roles based on user authentication at the source or VTEP VXLAN Tunnel End Point is an entity that originates and/or terminates VXLAN tunnels.. Source-based roles will remain effective even if a device authenticates at a different location, or if the device is assigned a different IP address.

Internal BGP (iBGP)

Refers to BGP connection between internal peers.

Inter-Switch Link (ISL Inter-Switch Link. ISL is a layer 2 interface between two VSX peer switches.)

ISL is a layer 2 interface between two VSX Virtual Switching Extension. VSX is a virtualization technology for aggregation/core switches running the AOS-CX operating system. This solution lets the switches present as one virtualized switch in critical areas. peer Switches. Each VSX Switch must be configured with an ISL link connected to its peer VSX Switch.

Open Shortest Path First (OSPF Open Shortest Path First. OSPF is a link-state routing protocol for IP networks. It uses a link-state routing algorithm and falls into the group of interior routing protocols that operates within a single Autonomous System (AS).)

OSPF refers to an Interior Gateway Protocol (IGP Interior Gateway Protocol. IGP is used for exchanging routing information between gateways within an autonomous system (for example, a system of corporate local area networks). ). OSPF distributes routing information between routers belonging to a single Autonomous System (AS).

Multi-Fabric EVPN Refers to the Multi-Fabric, where by combining multiple EVPN fabrics into a single overlay, allows sharing Layer 2 and Layer 3 reachability between data center pods at the same site as well as more distant data center locations. Multiple data center fabrics and locations can be combined into a single overlay topology.

Policy Identifier

Policy Identifier is a unique identification number mapped to a client role.

Route Reflector

Route Reflector refers to a concept that is specific to BGP which is used to optimize route propagation.

Stub Stub is a device persona that supports both static VXLAN tunnels and EVPN VXLAN tunnels.

Stub is a device persona that supports both static VXLAN tunnels and EVPN VXLAN tunnels.

Switch Virtual Interface (SVI Switch Virtual Interface refers to a logical layer 3 interface on a switch.)

An SVI (also known as VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. interface) refers to a logical layer 3 interface on a Switch.

Virtual Extensible LAN Local Area Network. A LAN is a network of connected devices within a distinct geographic area such as an office or a commercial establishment and share a common communications line or wireless link to a server. (VXLAN)

VXLAN is an Overlay Technology which address the scalability problems associated with large cloud computing deployments.

Virtual Routing and Forwarding (VRF Virtual Routing and Forwarding. VRF is a technology that allows multiple instances of a routing table to co-exist within the same router.)

VRF is a technology that allows multiple instances of a routing table to co-exist within the same router simultaneously in an IP-based computer network.

VXLAN Network Identifier (VNI VXLAN Network Identifier refers to VXLAN network identifier or VXLAN segment ID.)

Refers to VXLAN network identifier or VXLAN segment ID.

VXLAN Tunnel End Point (VTEP)

An entity that originates and/or terminates VXLAN tunnels.