Overlay Route Orchestrator (ORO)
The Overlay Route Orchestrator (ORO) in HPE Aruba Networking Central enables the distribution of routing information across all sites including the headend and branch locations. The ORO provides route distribution across sites in a dynamic way according to the topology and routing segmentation policy configurations. However, for EdgeConnect gateways there is no control over route filtering or redistribution for inbound and outbound routes. EdgeConnect automatically receives all routes from ORO and advertises all its routes to ORO without route-map filtering.
The main functions of the ORO include:
- Learning routes from hub/branch sites.
- Advertising routes across the SD-WAN network with appropriate costs.
- Redistributing routes into the LAN side with appropriate costs.
Branch and headend devices connect to HPE Aruba Networking Central using the Control Connection — Overlay Agent Protocol (OAP). OAP interacts with the underlay routing stack to obtain route prefixes and advertise them to the Overlay Agent and ISAKMPD (Internet Security Association and Key Management Protocol) daemon services. ORO sends route updates to OAP, which then passes them to the underlay routing stack via a gRPC-based control channel. This channel supports multiple streams over a single TCP connection, allowing different applications to share the connection while maintaining separate streams. This communication is prioritized over the management channel. The ORO dynamically distributes routing information across all sites, enabling seamless interconnection and traffic redistribution across the SD-WAN overlay.
The ORO assigns costs to routes based on DC preference, with the primary VPNC automatically receiving a lower cost (10) than the secondary VPNC (20). These costs apply to subnets redistributed into the overlay and the data center, affecting how routes are advertised between the data center and branch.
EdgeConnect Route Redistribution
The following sections describe route distribution with EdgeConnect gateways and its significance. An EdgeConnect gateway can redistribute all its routes from the SD-WAN Fabric. The following two sections illustrate route propagation for inbound and outbound routes without ORO, while the next two sections illustrate inbound and outbound route propagation with ORO and the involvement of EdgeConnect gateways, SD-Branch/MB, and HPE Aruba Networking Central OAP.
Inbound Route Redistribution Without ORO
The following diagram illustrates how inbound route redistribution is managed within the EdgeConnect gateway. The EdgeConnect box represents the EdgeConnect Forwarding Information Base (FIB) and the Routing Information Base (RIB) where all incoming routes are processed. These routes include OSPF and BGP routes from the SD-Branch or MB gateways.
Inbound Routes (without ORO)
- To OSPF Neighbors: When sending routes to OSPF Neighbors, an EdgeConnect can redistribute routes from its RIB that it learned from BGP, local/static routes, or directly connected routes to its OSPF neighbors. The routes an EdgeConnect redistributes to OSPF neighbors are selected for advertisement via OSPF based on its route redistribution policies.
- To BGP Peers: When sending routes to BGP Peers, an EdgeConnect can redistribute routes from its RIB that it learned from OSPF, local/static routes, or directly connected routes to its BGP peers. The routes an EdgeConnect sends to BGP peers are advertised using BGP based on the configured route maps.
NOTE: Route maps on EC filter the route updates to OSPF or BGP outbound per-peer route map.
EdgeConnect Inbound Route Redistribution
Outbound Route Redistribution Without ORO
The following diagram illustrates how outbound route redistribution is managed within the EdgeConnect gateway. All routes processed through the EdgeConnect FIB/RIB from OSPF, BGP, and local/static sources are redistributed into the SD-WAN fabric based on predefined route maps. The redistribution process ensures only selected routes are advertised by the SD-WAN fabric, enabling optimized routing and policy-based traffic management across the network.
Outbound Routes (without ORO)
- From OSPF Neighbors: Routes coming from OSPF neighbors are learned and received by EdgeConnect. These routes are then added to the EC RIB and can be redistributed into BGP or the SD-WAN fabric based on configured route maps or policies.
- From BGP Peers: Routes coming from BGP peers are learned and received by EdgeConnect and added to the EC RIB. These BGP-learned routes can also be redistributed into OSPF, local/static routes, or directly connected routes to its OSPF neighbors. The routes an EdgeConnect sends to BGP peers are advertised using BGP based on the configured route maps.
EdgeConnect Outbound Route Redistribution
Inbound Route Redistribution With ORO
The following section describes how route redistribution works with ORO and the SD-WAN fabric when EC gateways are configured as VPNCs. There are two inbound routes to the EdgeConnect gateway: the SD-WAN fabric routes (subnet sharing) and the HPE Aruba Networking Central ORO route. The ORO route updates are handled by OAP. The inbound routes from the SD-WAN fabric to the EdgeConnect gateway are propagated through the EdgeConnect external route map. The ORO service in HPE Aruba Networking Central is not part of the route redistribution. All routes are advertised to ORO from the EdgeConnect gateway.
Inbound Routes (with ORO)
- From ORO to the EdgeConnect: EdgeConnect receives all routes from ORO and currently this cannot be filtered. These routes are directly propagated into the EdgeConnect Route Table (RIB) and can be advertised to the LAN side (OSPF or BGP neighbors) optionally.
- From ORO to the SDB/MB: The ORO ignores any default routes (0.0.0.0/0) advertised by EdgeConnect and does not redistribute them to SDB/MB. However, all other routes advertised by EdgeConnect are received by the SDB/MB without any route map or filtering mechanism on the SDB/MB side. The route limits for SDB gateways vary based on the hardware model, while the MB route limit is capped at 500 routes. To avoid exceeding route limits, it is recommended to use the DC Aggregate/Branch Aggregate feature in HPE Aruba Networking Central, which advertises only aggregated routes to SDB/MB.
Inbound (from SD-WAN Fabric) Route Redistribution with ORO
Outbound Route Redistribution With ORO
In the outbound direction, EdgeConnect redistributes all its routes, including static, local, OSPF, BGP, and subnet sharing, to the ORO and the SD-WAN fabric. However, there is no route map or filtering mechanism to control which routes are redistributed to the ORO. The OAP route limit is subject to the ECOS system limits of 60K IPv4 routes and 30K IPv6 routes. EdgeConnect does not directly share routes with SDB/MB; all routes are passed through the ORO before reaching those components.
Outbound Routes (with ORO)
- From EdgeConnect To ORO: EdgeConnect advertises all routes learned from OSPF, BGP, static, or directly connected routes to ORO. No route-map or filter control is applied when sending routes to ORO. This includes routes learned from the LAN side (OSPF or BGP peers) that are now propagated into the SD-WAN fabric through ORO.
- From SDB/MB To ORO: Routes can be controlled using a route map. By default, SDB does not redistribute any routes to the ORO; route redistribution must be explicitly configured. Routes advertised by MB cannot be controlled by route maps. MB automatically advertises its system IP address and any Layer 3 subnets present in its route table.
Outbound (to SD-WAN Fabric) Route Redistribution with ORO
SD-Branch and Microbranch Route Redistribution
In the context of SD-Branch (SDB) and Microbranch (MB) route redistribution to the Overlay Route Orchestrator (ORO), several mechanisms manage how routes are advertised and processed.
When ORO advertises SDB/MB routes to EdgeConnect, the ORO forwards all routes received from SDB/MB to EC. EdgeConnect then installs these OAP routes into its route table with an administrative distance of 25. Each OAP route comes with a DC Preference metric, starting from a value of 10, which indicates the preferred VPNC by the SDB/MB. The preferred (first) VPNC has a metric of 10 and subsequent preferences increment by 10 (e.g., 20 for the second preferred VPNC). This metric helps SDB/MB select the optimal path based on the preferred hub.
Scalability and the Need for Branch Aggregation
Branch aggregation is necessary for scalability because it keeps branch locations from exceeding their route limits. To prevent route overload, use Branch Aggregation and Data Center (DC) Aggregation in HPE Aruba Networking Central to minimize and optimize the number of routes.
- Branch Aggregation: Aggregates multiple branch routes into a single or a few summarized routes, which reduces the number of individual routes that need to be propagated to branch devices, like Microbranch. This is important when the total number of routes exceeds the hardware limits of the branch device.
- DC Aggregation: Aggregates routes advertised by the VPNC hubs (EC), ensuring that the branch devices only receive the summary or aggregated routes from the data center hubs.
For example, if the EdgeConnect hub is connected to multiple subnets and the total number of routes exceeds the 500-route limit for Microbranch devices, DC aggregation can be used to combine the subnets into fewer, larger summarized routes. For instance, if two subnets are used, they can be aggregated, reducing the overall number of routes that need to be advertised to Microbranch.
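The following is an added example, not HPE code: a pre-change audit that counts what an EdgeConnect hub would push toward Microbranch against the 500-route limit, then checks a proposed DC aggregate list for prefixes it misses and for address space it announces that no real subnet backs. The function names, the sample prefixes and the proposed aggregates are assumptions; the script models only the arithmetic, not the behavior of the aggregation feature in HPE Aruba Networking Central.

```python
import ipaddress

MB_ROUTE_LIMIT = 500  # Microbranch route limit stated on this page


def routes_passed_by_oro(prefixes):
    """Hub prefixes ORO forwards to SDB/MB; per the page, 0.0.0.0/0 is ignored."""
    nets = {ipaddress.IPv4Network(p) for p in prefixes}
    return sorted(n for n in nets if n.prefixlen != 0)


def lossless_aggregates(nets):
    """Merge only adjacent or overlapping prefixes, claiming no extra space."""
    return list(ipaddress.collapse_addresses(nets))


def audit(prefixes, proposed_aggregates, limit=MB_ROUTE_LIMIT):
    """Compare the raw hub table with an operator-proposed aggregate list."""
    nets = routes_passed_by_oro(prefixes)
    aggs = [ipaddress.IPv4Network(a) for a in proposed_aggregates]
    covered = [n for n in nets if any(n.subnet_of(a) for a in aggs)]
    uncovered = [str(n) for n in nets if n not in covered]
    real = sum(n.num_addresses for n in lossless_aggregates(covered))
    claimed = sum(a.num_addresses for a in ipaddress.collapse_addresses(aggs))
    return {
        "raw_routes": len(nets),
        "raw_over_limit": len(nets) > limit,
        "lossless_routes": len(lossless_aggregates(nets)),
        "uncovered": uncovered,
        # Addresses the summaries announce that no real subnet backs.
        "extra_addresses_claimed": claimed - real,
    }


# Constructed sample: 512 /24s under 10.20.0.0/15, two stray /24s, a default.
SAMPLE = [str(n) for n in
          ipaddress.IPv4Network("10.20.0.0/15").subnets(new_prefix=24)]
SAMPLE += ["172.16.10.0/24", "172.16.12.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    print(audit(SAMPLE, ["10.20.0.0/15", "172.16.8.0/21"]))
    print(audit(SAMPLE, ["10.20.0.0/15"]))
```

A non-zero `extra_addresses_claimed` means the summary draws branch traffic for space the hub has no specific route for, so review it before applying the aggregate.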
For information on configuring branch aggregate routes, see the Configuring Branch Aggregate Routes and Aggregating Routes from VPNCs in the Data Center sections in the HPE Aruba Networking Central Online Help.
View the Route Metric in Orchestrator
- Log in to EdgeConnect SD-WAN Orchestrator with administrative rights.
- Navigate to Configuration > Networking > Routing > Routes.
- Click SD-WAN Fabric. In the Metric column, you can see the metrics of 10 and 20 that apply to the SDB/MB routes, as shown in the following figure. The metrics are applied to the routes based on the DC Preferences configured for the HPE Aruba Networking Central SDB/MB group.
NOTE: Starting with Orchestrator 9.5, the Routes tab includes a filter for OAP.
- Click OAP to see all routes managed by HPE Aruba Networking Central OAP. In the following figure, the OAP route type is OAP - Direct.
The following table describes the OAP route types that can appear on the Routes tab.
| Name | Description |
| --- | --- |
| OAP<device id>(DIRECT) | Bridge Gateway connected routes that EdgeConnect (EC) learns over ORO. |
| OAP<device id>(STATIC) | BGW static routes that EC learns over ORO. |
| OAP<device id>(OSPF) | BGW OSPF-learned routes that BGW advertises to EC over ORO. |
| OAP<device id>(BGP) | BGW BGP-learned routes that BGW advertises to EC over ORO. |
View the Data Center (DC) Preference in HPE Aruba Networking Central
- In HPE Aruba Networking Central, select the SD Branch group, and then navigate to Devices > Gateways > Config > VPN > SD-WAN Overlay.
- Under DC Preference, select Hubs. In the following figure, the group is SEWAN-EC-Hub and there are two VPNCs. VPNC1 (Andover-EC1) has a cost of 10 and VPNC2 (Andover-EC2) increments by 10 for a cost of 20. The same VPNCs are shown in the previous figures of the Routes tab in Orchestrator.
View the Preferred Routes for SD-Branch
- In HPE Aruba Networking Central, select the SD Branch group, and then navigate to Device > Overview > Routing > Overlay.
- From the Overlay Details menu, select ROUTES LEARNED. In the following figure, the route with the star is preferred, as it has the lowest cost of 10. The cost comes from the DC preference set for the VPNC.
View the Preferred Routes for Microbranch
- In HPE Aruba Networking Central, select the Microbranch group, and then select a device in the Access Point table.
- Go to Routing > Overlay and from the OVERLAY DETAILS menu select ROUTES LEARNED. In the following figure, the route with the star is preferred, as it has the lowest cost of 10. The cost comes from the DC preference set for the VPNC.