EdgeConnect SD-Branch Reference Design
This section of the guide demonstrates how to design an EdgeConnect SD-Branch deployment based on the customer profile.
Table of contents
Component Selection
This section provides key scaling values to guide the selection of Branch Gateways, Headend Gateways, and Microbranch platforms for a deployment. Use these values to ensure the selected device meets both current and projected requirements.
Branch Gateway Selection — Expected concurrent firewall sessions, required interface count, and interfact types are the most common criteria used to define Branch Gateway requirements. Additional considerations such as throughput capacity, VLAN scale, or features like PoE output are also included in scenarios where they are relevant to deployment.
Headend Gateway Selection — Maximum SD-WAN or VPN tunnels, routing table scale, and required interface count and types are the most common criteria for Headend Gateway sizing. Additional factors such as encrypted throughput and L2 table size are also included for deployments where these capabilities are important.
Microbranch Selection — Client scale, VLAN and DHCP capacity, ACL and role capacity, and active firewall sessions are the most common criteria when selecting a Microbranch platform. Other platform specifications are provided for cases where specific deployment requirements call for them.
Refer to the HPE Aruba Networking EdgeConnect SD-Branch data sheet (pages 9–11) for supported SD-WAN gateway platforms and associated scale limits. For Microbranch scale information and supported AP models, see pages 6–7 of the HPE Aruba Networking EdgeConnect Microbranch data sheet.
HPE Aruba Networking Branch Gateways
| Features | 9004 | 9012 | 9106 | 9114 | 9240 |
|---|---|---|---|---|---|
| Deployment mode | Small/Medium | Small/Medium | Large | Large | Large |
| Maximum clients | Up to 2048 | Up to 2048 | 8K | 10K | 32K |
| Maximum VLANs | 128 | 128 | 4096 | 4096 | 4096 |
| Firewall throughput | 4 Gbps | 6 Gbps | 10 Gbps | 20 Gbps | 20 Gbps |
| Encrypted throughput (AES-CBC) | 4 Gbps | 4 Gbps | 10 Gbps | 20 Gbps | 20 Gbps |
| Active firewall sessions | 128K | 128K | 2M | 2M | 4M |
| IDS/IPS throughput | Up to 1.1 Gbps | Up to 1.1 Gbps | 2.5 Gbps | 4 Gbps | 6 Gpbs |
| WAN/LAN Interfaces | 4 | 12 | 2 (combo); 2 x 10G SFP+; 2 x 1G (PoE 60W) | 4 (combo); 4 x 10G SFP+ | 4 x 25G SFP28 |
| PoE in/out | No | Out; 120W | No | No | No |
| USB (WAN) | Yes (1); USB 3.0 | Yes (1); USB 3.0 | Yes (1); USB 3.0 | Yes (2); USB 3.0 | Yes (2); USB 3.0 |
| Form factor / footprint | Desktop/1RU | Desktop/1RU | 1RU | 1RU | 1RU |
HPE Aruba Networking Headend Gateways
| Features | 7240XM | 7280 | 9012 | 9106 | 9114 | 9240 | vGW-500M | vGW-2G | vGW-4G |
|---|---|---|---|---|---|---|---|---|---|
| Deployment mode | VPNC | VPNC | VPNC | VPNC | VPNC | VPNC | VPNC | VPNC | VPNC |
| Encrypted throughput (AES-CBC) | 30 Gbps | 45 Gbps | 3.5 Gbps | 10 Gbps | 20 Gbps | 20 Gbps | 500Mbps | 2 Gbps | 4 Gbps |
| Maximum SD-WAN tunnels | 6144 | 8192 | 512 | 8000 | 16,000 | 32,000 | 1600 | 4096 | 8192 |
| Route scale | 32K | 32K | 12K | 12K | 12K | 32K | 2048 | 32K | 32K |
| ARP Table/User limit (L2 mode) | 32K | 32K | 2048 | 16K | 20K | 64K | N/A | N/A | N/A |
| Form factor / footprint | 1RU | 1RU | 1RU | 1RU | 1RU | 1RU | N/A | N/A | N/A |
HPE Aruba Networking Microbranch
Access Points
| Features | 50x Series | 51x Series | 53x/55x Series | 6xx Series |
|---|---|---|---|---|
| Maximum clients | 256 | 512 | 1024 | 1024 |
| Maximum VLANs | 4094 | 4094 | 4094 | 4094 |
| Max DHCP leases | 2048 | 2048 | 2048 | 2048 |
| ARP entries | 4096 | 4096 | 4096 | 4096 |
| MAC table | 16384 | 16384 | 16384 | 16384 |
| Number of roles | 32 | 32 | 32 | 32 |
| Max ACLs/role | 512 | 512 | 512 | 512 |
| Total ACLs | 2048 | 2048 | 2048 | 2048 |
| Active firewall sessions | 32767 | 32767 | 32767 | 32767 |
Headend
This table provides additional scaling information regarding Microbranch deployments and their aggregation points. Values for headend technical specifications per platform are analogous to the values above in the HPE Aruba Networking Headend Gateways chart.
| Designation | Value |
|---|---|
| Max Microbranch APs in a single account | 20,000 |
| Max Microbranch APs in a single cluster (2 nodes) | 8,000 |
| Max Microbranch APs in a single Central group | 1,000 |
| Max VPNCs in Microbranch datacenter | 4 node cluster |
| Max Microbranch to Zscaler | 200 |
| IPMS allocations | 100,000 |
Licensing Options
Foundation - This license provides all features required for SD-Branch functionality in Branch, Microbranch, or Headend deployments.
Foundation Base - This license provides all features included in a Foundation License, but can support only up to 75 client devices per branch site.
Foundation with Security - This license provides all features required for SD-WAN functionality in branch or headend deployments with additional security features.
Foundation Base with Security - This license provides all the features included in a Foundation with Security License, but can support only up to 75 client devices per branch.
Advanced - This license provides all the features included in a Foundation License, with additional features related to SaaS Express Net Conductor and AI Insights. WAN health visibility and Cloud Connect security for cloud inspection (e.g. Zscaler) is also included for Microbranch.
Advanced with Security - This license provides all the features of an Advanced License, with additional security features related to IPS and IDS, security dashboard, and anti-malware.*
Virtual Gateway (VGW) License - This license is available for AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required. The license types available for VGW are VGW-500M, VGW-2G, and VGW-4G.
See the Ordering Guide for more detail.
Overlay Design
For each of the customer profiles below, the following general requirements and considerations apply:
- Improve the experience for users with IaaS (Infrastructure-as-a-Service) and SaaS (Software-as-a-Service) applications as the business migrates to the cloud.
- Protect certain sensitive corporate data going to a SaaS service by traversing IPS/DLP.
- Use Zoom and Microsoft Teams for real-time communications.
- Perform real-time inventory data queries on in-house SQL systems, hosted at data centers.
- Use bulk FTP file transfers to process transactions hosted at data centers throughout the environment.
- Use SaaS applications, such as Sales Force, to provide optimal Internet egress.
To address these requirements:
Hub-and-spoke overlay is used.
To improve SaaS performance, SaaS express is used to break out Sales Force, Zoom and Teams traffic locally.
A high-priority DPS policy is used for inventory queries. Other applications use separate DPS policy.
To ensure application security, stateful application-aware firewall is enabled along with IPS, Web Content filtering, and IP Reputation.
Hub Design
The customer profile includes the following requirements and considerations:
- Accommodate 100 branch sites with an expected 10% growth over five years.
- Improve the experience for users with IaaS (Infrastructure-as-a-Service) and SaaS (Software-as-a-Service) applications as the business migrates to the cloud.
- Decrease reliance on MPLS to reduce operational expense, with the goal to phase it out completely over time.
Design Summary
| Model Selection | Max IP Sec tunnels | Considerations |
|---|---|---|
| 9012 (Recommended) | 512 | Redundant pair of gateways for 8+ year growth. In a failure scenario, one box can handle all sites. |
| 9106 (Alternative) | 8k | Redundant pair of gateways for 10+ year growth. In a failure scenario, one box can handle all sites. |
| vGW-2G (Future) | 4096 | Future consideration for IaaS/SaaS migration |
The following list summarizes the hub design elements:
- Gateways are placed inline.
- Both WAN transports (INET, MPLS) are connected to each gateway.
- Gateways connect via L3 to the LAN, into a WAN aggregation block and peer OSPF.
- DC routes are summarized when redistributing into the SD-WAN overlay.
Branch Design
Based on the customer profile, there are three different branch site designs, requiring three different template groups for each site size. Medium and large sites are standardized at branch gateways; the small site is standardized on Microbranch.
Large Site
Based on the customer profile, large sites have the following requirements:
- The business has no tolerance for unscheduled downtime.
- Uptime is provided by the gateway HA and cellular backup.
- Certain sensitive corporate data going to a SaaS service by traversing IPS/DLP must be protected.
- The site has up to 200 users.
- The site uses an existing 40 mbps connection and plans to add 200/50 mbps commodity Internet circuits with a 5G LTE backup
To address these requirements:
- Dual gateways will be placed inline.
- MPLS will connect to one gateway, with INET connected to the second gateway.
- WAN Uplink sharing will be enabled.
- LTE connection will be used as a backup.
- Gateways connect via L3 to the LAN and peer OSPF to a collapsed core.
- Branch routes are summarized when redistributing into the SD-WAN overlay.
- Collapsed Core should be in a VSF stack.
- Collapsed Core to access switch connectivity should be LACP trunks.
- Tunneling is enabled for switching (UBT) and wireless.
| Model Selection | Firewall Sessions | Considerations |
|---|---|---|
| 9004 LTE (Recommended) | 64k | Redundant pair of gateways, LTE built into gateways No SFP/SFP+ ports |
| 6300 (Recommended) | — | Collapsed Core |
| 6200 (Recommended) | — | Access switch |
| 6100, 6300 (Alternative) | — | Access switch |
Medium Site
Based on the customer profile, medium sites have the following requirements:
- The business has less tolerance for downtime.
- More uptime is provided by the gateway HA, but with no cellular backup.
- The site has up to 100 users.
- The site uses an existing 30 mbps MPLS connection and plans to add a 100/10 commodity internet circuit.
To address these requirements:
- Dual gateways will be placed inline.
- MPLS will be connected to one gateway, with INET connected to the second gateway.
- WAN uplink sharing will be enabled.
- Gateways connect via L3 to the LAN and peer OSPF to a collapsed core.
- Branch routes are summarized when redistributing into the SD-WAN overlay.
- Collapsed Core should be in a VSF stack.
- Collapsed Core to access switch connectivity should be LACP trunks.
- Tunneling will be enabled for switching (UBT) and wireless.
| Model Selection | Firewall Sessions | Considerations |
|---|---|---|
| 9004 (Recommended) | 64K | Redundant pair of gateways No SFP/SFP+ ports |
| 6300 (Recommended) | — | Collapsed Core |
| 6200 (Recommended) | — | Access switch |
| 6100, 6300 (Alternative) | — | Access switch |
Small Site
Based on the customer profile, the small sites have the following requirements:
- The business can tolerate downtime.
- The site has up to 10 users.
- The site requires only a single gateway, with no device-level HA or cellular backup.
- The site uses existing 5 mbps MPLS connections and plans to add 50/10 mbps commodity Internet circuits.
To address these requirements:
- Single gateways will be placed inline.
- MPLS and INET will be connected to gateway.
- Gateway will act as Default gateway for all VLANs.
- The Guest network will use internet breakout.
- Branch routes will be summarized when redistributing into the SD-WAN overlay.
| Model | Firewall Sessions | Considerations |
|---|---|---|
| 9004 (Recommended) | 64k | No SFP/SFP+ Ports |
| 6100 (Recommended) | — | Extra ports for local devices. |
Alternative Small Site
To address these requirements:
- Single remote access point will be placed inline.
- INET will connect to AP.
- AP will act as that default gateway for all SSIDs.
- L3 will be routed for internal users.
- L3 will be NATed SSID for the Guest network.
- Branch routes will be redistributed into the SD-WAN overlay.
| Model | Considerations |
|---|---|
| 500H Series (Recommended) | Wi-Fi 6 ready |
| 303H Series (Alternative) | Will not support next-generation Wi-Fi |
| 6100 (Recommended) | Extra ports for local devices. |