Aruba Central NetConductor Overview

With an ever-growing focus on security and scale, the enterprise network is becoming more and more complex in terms of design, deployment, and operations. There is an increasing reliance on BYOD Bring Your Own Device. BYOD refers to the use of personal mobile devices within an enterprise network infrastructure. (Bring Your Own Device) and IoT Internet of Things. IoT refers to the internetworking of devices that are embedded with electronics, software, sensors, and network connectivity features allowing data exchange over the Internet. (Internet of Things) for business efficiency and digital transformation initiatives. This increases the risk of security threats to the enterprise due to a sharp increase in the unknown or rogue clients and an ever-expanding threat front. Defining policy manually for these clients using the complex policy constructs available today can prove to be a challenging task for security and network administrators. Furthermore, intent-based networking has become an increasingly popular paradigm that many customers are looking to adopt and implement. The goal of intent-based networking is not only to abstract the underlying complexities of network but instead allow users to design, implement, and operate their networks based on their business intents. Automated network provisioning and orchestration has been identified to achieve this level of abstraction by many network vendors. Thus, the focus has shifted to the security, scalability, and simplification of these networks.

Aruba Central NetConductor is a security framework designed to tackle these problems for the modern enterprise network. Intelligent overlays are built on highly available underlays and are tied to a full policy-based micro-segmentation model, based on global roles, across the entire network infrastructure of the customer. Role-based policies abstract policy from the underlying network and enable flexible and simplified policy definition and enforcement. This is enhanced by the full automation of the underlay, orchestration of the overlay, a single pane of glass for management and monitoring, and a rich array of complementary services. The Aruba Central NetConductor framework has evolved to enhance the policy and orchestration components to deliver true intent-based network evolution and optimization.

The following are the main pillars of Aruba Central NetConductor:

  • Role-based SegmentationAruba Central NetConductor provides the ability to deploy a zero-trust enforcement model using role-based segmentation. Traditional policies use location specific entities like IP addresses or subnets Subnet is the logical division of an IP network. to define security policies. Role-based policies abstract policy from the underlying network by assigning roles to endpoints or users and using roles to enforce policies. Role-based policies can be enforced in a distributed manner at different parts of the network. also provides the ability to automate and simplify policy definition for IoT devices with behavior-based profiling using AI or ML based classification. This greatly simplifies policy definition and ensures consistent policy enforcement across wired and wireless campus networks, the datacenter, and across the WAN Wide Area Network. WAN is a telecommunications network or computer network that extends over a large geographical distance..

  • Intelligent Overlays—Overlay networks provide the ability to deploy flexible services based on ever-changing demands of the endpoints and applications. Decoupling of overlay network from the physical topology enables on-demand deployment of layer 2 and layer 3 services irrespective of underlay physical topology. Overlay networks also enable the ability to carry endpoint or user role information across the network without requiring all devices in the path to understand or manage the roles. Aruba Central NetConductor provides customers the flexibility to choose between centralized overlays or distributed overlays to address their unique requirements. The centralized overlay provides simplified operations and advanced security features for distributed enterprise and smaller campus deployments. For large enterprise campus deployments, Aruba Central NetConductor provides the ability to use distributed overlays for wired and wireless endpoints. This enables large enterprises to deploy a standards-based and scalable overlay network. Both overlay models support the Colorless Ports feature, which enables automated client on-boarding and access control for ease of operations.

Benefits of Aruba Central NetConductor

The following are some of the key benefits of the Aruba Central NetConductor solution. The objective of this guide is to highlight these capabilities to the customer.

  • Simplified and Consistent Security Policies

    • Simplified policy definition based on customer identity
    • Security policies agnostic of location, network, and devices
    • Policy follows the endpoint, user, or application across wired and wireless networks
    • Consistent policies across Campus, Branch, and Datacenter
    • Increase scale by eliminating the need for enforcement nodes to maintain endpoint to role mappings to enforce polices
  • Flexible Overlays Agnostic of Underlay Architecture

    • Flexible choice of centralized or distributed Aruba Central NetConductor fabrics on any underlay physical network architecture
    • Automated stich-up and tear-down of layer 2 and layer 3 services based on customer on-boarding
    • Address requirements of small, distributed enterprise to a large campus network
  • Simplified Network Deployments and Operations with Intent-Driven Workflows

    • Abstract complexity of the underlying protocols from network architects or operators
    • Enables global orchestration of roles and role-based policies from Aruba Central On-Premises
    • Unified monitoring and troubleshooting across all device types and network locations
    • Actionable insights enable ease of troubleshooting for network issues

Supported AOS-CX Switch Platforms

Aruba Central NetConductor only supports AOS-CX Switches within Aruba Central On-Premises.

The following table lists the AOS-CX switches, supported software versions, and the supported personas in Aruba Central On-Premises.

Table 1: Supported AOS-CX Switch Series and Software Versions

Switch Platform

Supported Software Versions

Supported Persona

AOS-CX 6300 Switch Series

10.10.1020 or later

Edge

AOS-CX 6400 Switch Series

10.10.1020 or later Edge

AOS-CX 8325 Switch Series

10.10.1020 or later Route Reflector

AOS-CX 8360 Switch Series

10.10.1020 or later

Edge

Stub

Border

Route Reflector

AOS-CX 8400 Switch Series

10.10.1020 or later

Route Reflector

Features for Aruba Central NetConductor

The following features are available as select features in Aruba Central On-Premises.

  1. Global Client Roles
  2. Fabric Provisioning Wizard

Aruba Central NetConductor Vocabulary

The following table provides a brief description of the technical terms used in this guide.

Table 2: List of Technical Terms used in Aruba Central NetConductor

Term

Description

Border

Border device persona connects the fabric to external networks. For example, connect fabric to WAN or Internet or firewalls Firewall is a network security system used for preventing unauthorized access to or from a private network..

Border Gateway Gateway is a network node that allows traffic to flow in and out of the network. Protocol (BGP Border Gateway Protocol. BGP is a routing protocol for exchanging data and information between different host gateways or autonomous systems on the Internet. )

BGP is a standardized routing method that enables the internet to exchange routing information between autonomous systems (AS).

Ethernet Ethernet is a network protocol for data transmission over LAN. VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. (EVPN)

EVPN is an extension of the BGP protocol for layer 2 (bridging) and layer 3 (routing) VPNs.

Edge

Edge is a device persona that connects endpoints to the fabric.

External BGP (eBGP)

Refers to BGP connection between external peers.

Fabric

Fabric is a group of AOS-CX Switches that are part of the BGP-EVPN VXLAN overlay. The overlay fabric is created by configuring VXLAN tunnels between stub and edge Switches.

Group-based Policy (GBP)

GBP is used to segment user traffic in a network by grouping the users into roles based on user authentication at the source or VTEP. Source-based roles will remain effective even if a device authenticates at a different location, or if the device is assigned a different IP address.

Internal BGP (iBGP)

Refers to BGP connection between internal peers.

Inter-Switch Link (ISL)

ISL is a layer 2 interface between two VSX peer Switches. Each VSX Switch must be configured with an ISL link connected to its peer VSX Switch.

Open Shortest Path First (OSPF Open Shortest Path First. OSPF is a link-state routing protocol for IP networks. It uses a link-state routing algorithm and falls into the group of interior routing protocols that operates within a single Autonomous System (AS).)

OSPF refers to an Interior Gateway Protocol (IGP Interior Gateway Protocol. IGP is used for exchanging routing information between gateways within an autonomous system (for example, a system of corporate local area networks). ). OSPF distributes routing information between routers belonging to a single Autonomous System (AS).

Policy Identifier

Policy Identifier is a unique identification number mapped to a client role.

Route Reflector

Route Reflector refers to a concept that is specific to BGP which is used to optimize route propagation.

Stub

Stub is a device persona that supports both static VXLAN tunnels and EVPN VXLAN tunnels.

Switch Virtual Interface (SVI)

An SVI (also known as VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. interface) refers to a logical layer 3 interface on a Switch.

Virtual Extensible LAN Local Area Network. A LAN is a network of connected devices within a distinct geographic area such as an office or a commercial establishment and share a common communications line or wireless link to a server. (VXLAN)

VXLAN is an Overlay Technology which address the scalability problems associated with large cloud computing deployments.

Virtual Routing and Forwarding (VRF VisualRF. VRF is an AirWave Management Platform (AMP) module that provides a real-time, network-wide views of your entire Radio Frequency environment along with floor plan editing capabilities. VRF also includes overlays on client health to help diagnose issues related to clients, floor plan, or a specific location.)

VRF is a technology that allows multiple instances of a routing table to co-exist within the same router simultaneously in an IP-based computer network.

VXLAN Network Identifier (VNI)

Refers to VXLAN network identifier or VXLAN segment ID.

VXLAN Tunnel End Point (VTEP)

An entity that originates and/or terminates VXLAN tunnels.