EdgeConnect SD-WAN Reference Design
This section of the guide demonstrates how to design an EdgeConnect SD-WAN deployment based on the customer profile.
Table of contents
Component Selection
This section describes the components of a reference architecture using HPE Aruba’s EdgeConnect SD-WAN solution.
Note: This reference architecture is based on the 9.4 release of Aruba Orchestrator and EdgeConnect SD-WAN gateways.
EdgeConnect Gateways
Follow the steps below to determine which gateway is appropriate at each location:
- Determine bandwidth requirements.
- If asymmetric circuits are in place, use the higher number for bandwidth calculations.
- Determine fiber port, power supply, and HA requirements.
- Identify if advanced features are required, such as Dynamic Threat Defense (DTD) or WAN Optimization.
- Select the appliance that supports the requirements:
| EdgeConnect SD-WAN 10104 | EdgeConnect SD-WAN 10106 | EdgeConnect SD-WAN 10108 | EdgeConnect SD-WAN S-P | EdgeConnect SD-WAN M-H | EdgeConnect SD-WAN 10150 | |
|---|---|---|---|---|---|---|
| Model | EC-10104 | EC-10106 | EC-10108 | EC-S-P | EC-M-H | EC-10150 |
| Typical Deployment | Small Branch / Home Office | Small Branch | Medium Branch | Large Branch | Head Office/DC Large Hub | Data Center Large Hub |
| Typical WAN Bandwidth | Up to 500 Mbps | Up to 1000 Mbps | Up to 2000 Mbps | Up to 3000 Mbps | Up to 5000 Mbps | Up to 12 Gbps |
| Simultaneous Connections | 256,000 | 256,000 | 256,000 | 256,000 | 2,000,000 | 2,000,000 |
| Recommended WAN Optimization up to | 200 Mbps | 250 Mbps | 500 Mbps | 500 Mbps | 1 Gbps | 8 Gbps with the EC-10010 Network Memory Drive kit. 1 Gbps without the EC-10010 Network Memory Drive kit. |
| Redundant / FRUs | No | No | No | SSD and Power (AC or DC) | SSD and Power | NVMe Disk for WAN Optimization and Power |
| Data Path Interfaces | 4 x RJ45 10/100/1000 | 2 x RJ45 2 x Combo 2 x 1/10G SFP+ | 2 x 10M/100M/1000M RJ45 ports with POE Support 2 x Combo ports (RJ45 or SFP) 2 x 1G/10G SFP+ Ports | 8 x RJ45 4 x 1/10G Optical | 8 x RJ45 4 x 1/10G Optical | 8x 1/10 Gbps SFP+ or 10/25 Gbps SFP28 2 x 10M/100M/1000M RJ45. |
Note: WAN bandwidth assumes bidirectional traffic (symmetric up-link and down-link). For total WAN throughput (Rx+Tx), multiple these numbers by 2.
For the most up-to-date SKU information, refer to the EdgeConnect SD-WAN SD-WAN Data Sheet.
Virtual Appliances
EdgeConnect SD-WAN appliances can be deployed in a virtual form factor on-prem and in cloud environments. Requirements for virtual deployments can be found here.
Transceivers
EdgeConnect SD-WAN gateways have been certified to operate with the following transceivers. The EC-10xxx series gateways leverage HPE Aruba Networking transceivers, while the earlier models leverage legacy EdgeConnect branded transceivers.
Full transceiver support information can be found in the HPE Aruba Networking EdgeConnect Hardware Reference Guide.
Use the table to verify that the selected transceiver(s) supports physical connectivity.
| SKU | Description | EC-S-P EC-M-H | EC-M-P |
|---|---|---|---|
| EC-SFP-SR | 1/10G SFP+, SR | Yes | Yes |
| EC-SFP-LR | 1/10G SFP+, LR | Yes | Yes |
| EC-SFP28-25G-SR | 10/25 SFP28, SR | No | No |
| EC-SFP28-25G-LR | 10/25 SFP28, LR | No | No |
| EC-SFP-1000BT | 1G SFP, copper 1000BaseT | No | Yes |
| SKU | Description | EC-10106 | EC-10108 | EC-10150 |
|---|---|---|---|---|
| J9150D | Aruba 10G SFP+ LC SR 300m MMF XCVR | Yes | Yes | Yes |
| J9151E | Aruba 10G SFP+ LC LR 10km SMF XCVR | Yes | Yes | Yes |
| J9153D | Aruba 10G SFP+ LC ER 40km SMF XCVR | Yes | No | No |
| J4858D | Aruba 1G SFP LC SX 500m MMF XCVR | Yes | No | No |
| J4859D | Aruba 1G SFP LC LX 10km SMF XCVR | Yes | No | No |
| JL745A | Aruba 1G SFP LC SX 500m MMF TAA XCVR | Yes | No | No |
| JL746A | Aruba 1G SFP LC LX 10km SMF TAA XCVR | Yes | No | No |
| S3R03A | HPE ANW EC 1G SFP RJ45 100m XCVR | Yes | No | No |
| JL563C | Aruba 10G Base-T SFP+ RJ45 30m Cat6A XCV (I Temp) | No | Yes | Yes |
| JL484A | Aruba 25G SFP28 LC SR 100m MMF XCVR | No | Yes | Yes |
| JL486A | Aruba 25G SFP28 LC LR 10km SMF XCVR | No | Yes | Yes |
| JL489A | Aruba 25G SFP28 to SFP28 5m DAC Cable | No | Yes | Yes |
Licensing
Follow these steps to license an EdgeConnect SD-WAN deployment. Licensing is purchased on a per-gateway basis.
Step 1 Select a Term based subscription license in intervals of 1, 3, 5, or 7 years. Choose Foundation, Advanced, or On-Premise. Choose the same tier for all gateways in the environment. More information on tiers is provided below.
Step 2 Choose the EdgeConnect gateway (physical or virtual) software bandwidth. The license is based on the aggregate WAN-side bandwidth of the given node and has options up to 8 bandwidth tiers, depending on the subscription tier. More information on these tiers ir provided below.
Step 3 (Optional) Add WAN Optimization. licensed in units of 100 Mbps and 10Gbps of WAN optimization, can be deployed flexibly to sites that require application acceleration.
Step 4 (Optional) With the Add Dynamic Threat Defense (DTD) license, the EdgeConnect Platform supports IDS/IPS. In the future, additional security-related features may be tied to the DTD License.
Tiered Subscription Licensing Model
HPE Aruba provides three licensing tiers for EdgeConnect SD-WAN deployment: Foundation, Advanced, and On-Premise.
- Foundation provides a value-centric option including essential SD-WAN features and advanced NGFW features. It includes Cloud Orchestrator.
- Advanced provides maximum performance with advanced SD-WAN features and advanced NGFW features. It includes Cloud Orchestrator.
- On-Premise provides maximum performance for on-premise deployment with advanced SD-WAN features and advanced NGFW features.
Advanced is the recommended tier for most customers because it supports all the SD-WAN features and provides the most flexibility,
The table below outlines the differences in the tiers
| Foundation (AAS) | Advanced (AAS) | On-Prem | |
|---|---|---|---|
| Bandwidth Tiers | 3 tiers (100M, 1G, 10G) | 20M/50M/100M/200M/500M/1G/2G/Unlimited | 20M/50M/100M/200M/500M/1G/2G/ Unlimited |
| BIOs | 3 (RealTime, Critical & Default) | 7 | 7 |
| Network Segments/VRF | 2 (auto-enabled, default & guest only) | 64 | 64 |
| Routing | BGP, OSPF, Subnet Sharing | BGP, OSPF, SS | BGP, OSPF, SS |
| Mesh Networking | No | Yes | Yes |
| Multi-region Topology | Max 4 regions, 4 hubs/region | Yes | Yes |
| AppExpress | No (Monitor only) | Yes (Monitor and Steer) | Yes (Monitor and Steer) |
| Orchestrator | Cloud Orchestrator Foundation | Cloud Orchestrator Advanced | On-premises |
| Orchestrator Stats Retention | 24h/7d/1mo (m/h/d) | 72h/14d/3mo | Custom |
Common features in all licensing tiers include:
- Unconstrained site count
- Path Conditioning
- NGFW
- Firewall protection profiles
- AVC/1st packet iQ
- Zero Trust Segmentation (Roles)
- DDOS detection/mitigation
- EC SD-WAN Fabric Orchestration
- Advanced Crypto
- EdgeHA
- ZTP / Templates.
Bandwidth License
Each site must be licensed for the appropriate bandwidth.
To calculate the throughput licenses required for a given gateway, determine the total WAN bandwidth the gateway will use. For example, for a 100 mbps Internet circuit and a 20 mbps MPLS circuit, the total is 120 mbps. For asymmetric circuits, such as a 50 mbps download and 5 mbps upload Internet circuit, use the largest number for the calculation. Since cellular back-up is used as path-of-last-resort only, it is not used for throughput license calculation.
WAN Optimization Licensing
WAN Optimization, though not currently used in this design, is sold in blocks of 100 mbps and allocated to the gateways in 1kbps increments. To determine the amount of WAN Optimization licensing required, follow these steps:
- Determine the applications to accelerate.
- Determine the number of sites needed to accelerate the applications.
- Determine how much bandwidth the specific applications require to work optimally at each site.
- Purchase the total amount of WAN Optimization to apply at the sites.
Dynamic Threat Defense
The advanced security license provides IDS capabilities in EdgeConnect. The example design does not include this feature. To determine the advanced security licensing required, use the guidance below.
Example Hub Design
The illustration below shows an example hub.
Key elements of the design include:
- Gateways are placed inline.
- WAN connections plug into the upstream WAN side switch and are then connected to gateways to allow for traditional high availability. This requires additional IP space on the WAN transports.
- Gateways connect via L3 to the LAN, into a WAN aggregation block and peer OSPF.
- BGP adjacency is maintained with the MPLS provider to facilitate migration.
- A hub summary route and default route are advertised with Subnet Sharing.
- All branches use a template with peer priority to select a hub when the same route is presented from multiple hub gateways.
- High OSPF can be set when redistributing from Subnet Sharing (WAN) to OSPF (LAN).
- The design ensures that traffic between the data centers uses the Data Center Interconnect (DCI). The OSPF can be adjusted as needed.
- When redistributing from Subnet Sharing (WAN) to OSPF (LAN), assign a higher value to one gateway to ensure flow symmetry.
The following components are selected to meet the hub requirements. Hubs are purchased in five-year terms.
Hardware
| Quantity | SKU | Consideration |
|---|---|---|
| 4 | EC 10150 with EC-10010 Network Memory Drive kit (Recommended) | Two per hub. Provides high levels of hardware HA. |
| EC-M-H (Alternative) | Use if lower throughput is acceptable. | |
| 12 | Aruba 10G SFP+ LC SR 300m MMF XCVR (Recommended) | Plan for the correct number of fiber connections based on LAN and WAN connectivity requirements. This example assumes each EC requires two fiber LAN connections and one fiber WAN connection. Ensure the gateway has required number of fiber interfaces. |
| EC-SFP-SR (Alternate) | Use with EC-M-H or non-EC-10xxx models. EC-10xxx gateways require HPE Aruba Networking optics; others use EdgeConnect optics. |
Licenses
If planning to replace MPLS circuits with higher-speed internet circuits in the future, consider buying licensing based on future needs or purchasing licenses with shorter terms.
| Quantity | SKU | Consideration |
|---|---|---|
| 4 | HPE ANW EC Adv UL 5yr Sub SaaS | Customer bandwidth above 2 Gbps at the hubs |
| HPE ANW EC Adv 2Gb 5yr Sub SaaS (Alternate) | Can be used when customer has lower bandwidth needs | |
| HPE ANW EC Adv 1Gb 5yr Sub SaaS (Alternate) | Can be used when customer has lower bandwidth needs | |
| HPE ANW EC Adv 500mb 5yr Sub SaaS (Alternate) | Can be used when customer has lower bandwidth needs |
Example Branch Design
Small Site Design
The illustration below shows an example hub for a small site.
Key elements include:
- The gateway is placed inline.
- The gateway is connected to the switch via a single L2 connection.
- The gateway acts as default gateway for any subnnet at the branch.
The following components were selected to meet small site requirements, purchased in five-year terms.
Hardware
| Quantity | SKU | Consideration |
|---|---|---|
| 1 | EC-10104 (Recommended) | Cost efficent for low bandwidth / user count |
| EC-10106 (Recommended) | Use for higher bandwidth applications or SFP+ is required |
Licenses
If planning to replace MPLS circuits with higher speed internet circuits in the future, consider buying licensing based on future needs or purchasing licenses with shorter terms.
| Quantity | SKU | Consideration |
|---|---|---|
| 1 | HPE ANW EC Adv 500mb 5yr Sub SaaS (Recommended) | Based on customers current needs, with room for growth |
| HPE ANW EC Adv 200mb 5yr Sub SaaS (Alternate) | Can be used when customer has different bandwidth needs | |
| HPE ANW EC Adv 100mb 5yr Sub SaaS (Alternate) | Can be used when customer has different bandwidth needs | |
| HPE ANW EC Adv 50mb 5yr Sub SaaS(Alternate) | Can be used when customer has different bandwidth needs |
Medium Site Design
The illustration below shows an example hub for a medium site.
Key elements include:
- The gateway is placed inline.
- EdgeHA is used for high availability.
- The gateway is connected to a collapsed core using an L3 link and peer OSPF.
- When redistributing from Subnet Sharing (WAN) to OSPF (LAN), assign one gateway a better metric to ensure flow symmetry.
- When redistributing from OSPF to Subnet Sharing, assign one gateway a better metric to ensure flow symmetry.
The following components are selected to meet medium site requirements, purchased in five-year terms.
Hardware
| Quantity | SKU | Consideration |
|---|---|---|
| 2 | EC-10108 (Recommended) | |
| EC-S-P (Alternative) | Use for higher bandwidths and more hardware HA |
Licenses
If planning to replace MPLS circuits with higher speed internet circuits in the future, consider buying licensing based on future needs or purchasing licenses with shorter terms.
| Quantity | SKU | Consideration |
|---|---|---|
| 1 | HPE ANW EC Adv 1gbps 5yr Sub SaaS (Recommended) | Based on customers current needs, with room for growth |
| HPE ANW EC Adv 500mb 5yr Sub SaaS (Recommended) | Can be used when customer has different bandwidth needs | |
| HPE ANW EC Adv 200mb 5yr Sub SaaS (Alternate) | Can be used when customer has different bandwidth needs | |
| HPE ANW EC Adv 100mb 5yr Sub SaaS (Alternate) | Can be used when customer has different bandwidth needs | |
| 1 | HPE ANW EC Adv HA | HA license for the second gateway at the site. Be sure to match tier, bandwidth, and term. |
| 1 | HPE ANW EC DTD 5yr Sub SaaS | Optional DTD license |
| 1 | HPE ANW EC DTD HA 5yr Sub SaaS | Optional DTD HA license |
Large Site Design
The illustration below shows an example hub for a large site.
Key features include:
- The gateway is placed inline.
- EdgeHA is used for high availability.
- The gateway is connected to a collapsed core via L3 link and peer OSPF.
- When redistributing from Subnet Sharing (WAN) to OSPF (LAN), assign one gateway a better metric to ensure flow symmetry.
- When redistributing from OSPF to Subnet Sharing, assign one gateway a better metric to ensure flow symmetry.
- LTE connection, which requires a third-party device to terminate the LTE with an ethernet handoff, is used as a path-of-last resort, forwarding traffic only if both circuits are down.
The following components are selected to meet large site requirements, purchased in five-year terms. The large site has the highest bandwidth, serving a large amount of users, with HA implemented.
Hardware
| Quantity | SKU | Consideration |
|---|---|---|
| 2 | EC-S-P (Recommended) | Cost efficent for low bandwith / user count |
| EC-M-P (Alternative) | Use for higher bandwidths |
Licenses
If planning to replace MPLS circuits with higher speed internet circuits in the future, consider buying licensing based on future needs or purchasing licenses with shorter terms.
| Quantity | SKU | Consideration |
|---|---|---|
| 1 | HPE ANW EC Adv 2gbps 5yr Sub SaaS (Recommended) | Based on current needs, with room for growth |
| HPE ANW EC Adv 1gbps 5yr Sub SaaS (Recommended) | Based on customers current needs, with room for growth | |
| HPE ANW EC Adv 500mb 5yr Sub SaaS (Alternative) | Can be used when customer has different bandwidth needs | |
| 1 | HPE ANW EC Adv HA | HA License for second Gateway at site, ensure to match tier, bandwidth, and term |
| 1 | HPE ANW EC DTD 5yr Sub SaaS | Optional DTD license |
| 1 | HPE ANW EC DTD HA 5yr Sub SaaS | Optional DTD HA license |
Example Overlay Design
The illustration below shows an example overlay.
Features include:
- Cloud firewall integration is used to tunnel specific to-cloud filtering.
- EC-V is deployed in IaaS providers to facilitate better access to the services hosted there.
- Zone-Based Firewalling is configured on the gateways to provide basic filtering of Internet traffic when cloud firewalling is not used.
The table below illustrates the BIO design elements. All traffic matches start with the default overlay ACL and are modified as necessary.
| BIO Name | Traffic Match | Topology | Link Bonding | Internet Egress |
|---|---|---|---|---|
| Real Time | Real-time communication applications | Mesh topology provides optimal traffic flows between branches | The High Availability link bonding policy should provide 1:1 FEC to ensure no loss of voice / video traffic | Direct-to-net is primary, with hub fallback |
| Critical Apps | Business-critical internal apps, such as the inventory system, and SaaS apps such as Salesforce | Hub and spoke | High Quality | Cloud firewall is primary, with a fallback to the hubs which host a backup security stack |
| BulkApps | Large internal traffic flows, such as FTP and cloud-hosted file repositories | Hub and spoke | High Quality. Within the QOS policy ,this BIO is allotted only a certain percent of WAN bandwidth during times of congestion, ensuring that large flows do not saturate the WAN transports. | Direct-to-net is primary, with hub fallback, as these flows are large and must go direct to their destinations |
| Default | Match all other traffic, including guest | Hub and spoke | High Quality | Direct-to-net with a fallback of the data center, since guest traffic is critical to the business |
Note: If the Foundation licenses are used, only three BIOs are possible: real-time, critical, and default.