Aruba Branch Gateway Configuration
In this set of procedures, the branch gateway (BGW) is configured in two steps. The first step is the group level configuration, where the bulk of configuration is performed. This includes all common configurations, such as NTP, DNS, and VLANs.
After the group configuration is complete, each BGW’s device-specific configuration, such as hostname and IP addressing, is applied. This is applied before the device comes online with preprovisioning.
Table of contents
- Aruba Branch Gateway Configuration
- Create a Branch Gateway Group and Preprovision Gateways
- Configure the Branch Gateway Group
- Configure Model
- Configure System IP Pool
- Set the System Time Parameters
- Set DNS Servers
- Create a Management User Account
- Configure VLANs
- Configure LAN links
- Configure WAN Uplinks
- Configure the WAN Load Balancing Algorithm
- Configure the Overlay and Set the VPNC Preference
- Enable Overlay Routes
- Enable DPI and Application Visibility
- Configure Policies for Dynamic Path Steering
- Configure Policies for SAAS Express
- Configure Branch Gateway at the Device Level
Create a Branch Gateway Group and Preprovision Gateways
Refer to the “Preparing to Deploy” section to create the branch group and move the gateways to the group.
Configure the Branch Gateway Group
Step 1 In the Global dropdown, search for or select the BR-ECSDB group created in the “Preparing to Deploy” section.
Step 2 In the left navigation pane, in the Manage section, select Devices.
Step 3 Select the Gateways tab, then click the gear icon in the upper right corner.
Step 4 Click Cancel, then click Exit.
Configure Model
Use this procedure to set the gateway model. Each group can contain only a single gateway model.
Step 1 On the Gateways tab, in the System section, select Platform.
Step 2 In the Model dropdown, select the platform you are standardizing on. In this case, A9004 is selected.
Configure System IP Pool
Set the configuration approach to Specify static IP address later. This is done because the management VLAN will be used as the System IP address. Ensuring that the system IP is set to a VLAN that is trunked throughout the environment is critical for high availability and wired/wireless tunneling best practice.
Set the System Time Parameters
Use this procedure to set the network time protocol (NTP) parameters and time zone to keep the BGW clocks synchronized.
Step 1 On the Gateways tab, in the System section, select Time.
Step 2 In the Public NTP Servers table, click the + (plus sign) to add a public NTP server.
Step 3 In the IPv4 Address/FQDN column, enter pool.ntp.org or other NTP server address.
Step 4 Select Burst Mode if this feature is supported by the NTP server. Burst mode provides faster time synchronization.
Step 5 In the Timezone dropdown, select the time zone, then click Save Settings.
Set DNS Servers
Specify the DNS server(s) the BGW uses to communicate with Central.
Step 1 On the Gateways tab, in the System section, select DNS.
Step 2 Select Specify DNS servers.
Step 3 In the Domain name text box, enter a domain name (example: example.local).
Step 4 In the Public DNS Servers table, click the + (plus sign) to assign a public DNS server. For a virtual BGW, leave the default DNS provided by the cloud provider and go to Step 6.
Step 5 In the Provider dropdown, select one of the listed providers, or select Alternate DNS if the desired server is not in the list.
Step 6 Click Save Settings.
Note: The gateway uses this DNS server for its own DNS lookups. Clients do not use this DNS server.
Create a Management User Account
Create a management user account for CLI access to the gateways.
Step 1 On the Gateways tab, in the System section, select Management User.
Step 2 In the Local management users table, click the + (plus sign).
Step 3 In the Add Management User table, assign the following settings, then click Save.
- Name: admin
- Password: password
- Retype Password: password
- Role: Super user role
Note: Create additional users with other roles as needed.
Step 4 Click Save Settings in the bottom left corner.
Configure VLANs
In this section, the data VLANs are configured. This configuration is at the group level, so none of these VLANs have an IP address assigned.
Step 1 On the right side, click Basic Mode.
Step 2 Go to LAN and select VLANs.
Step 3 On the VLANs table, click the + (plus sign).
Step 4 In the New VLAN window, configure each VLAN listed in the table below. Select Enable DHCP relay for VLANs and enter the DHCP server addresses, then click Save Settings.
- 10.2.120.98
- 10.2.120.99
Step 5 Repeat steps 3 and 4 for all VLANs in the table.
VLAN Name | VLAN ID |
---|---|
MGMT | 100 |
Employee | 101 |
Printer | 102 |
Camera | 103 |
Guest | 104 |
Reject | 105 |
Critical | 106 |
Quarantine | 107 |
Configure LAN links
In this section, the LAN links are configured.
Step 1 On the right side, click Basic Mode.
Step 2 Go to LAN and select LAN ports.
Step 3 On the LAN Ports/Port Channels table, click the + (plus sign).
Step 4 Configure the LAN ports with the information in the table below.
Name | Port | Mode | Access VLAN | Native VLAN | Allowed VLANs |
---|---|---|---|---|---|
GE2 Trunk to LAN | GE-0/0/2 | trunk | blank | 100 | blank |
GE3 Trunk to LAN | GE-0/0/3 | trunk | blank | 100 | blank |
Configure WAN Uplinks
In this section, the WAN uplinks are configured. This configuration is at the group level, so none of these uplinks have an IP address assigned. Port 0/0/0 is used for the Internet connection and port 0/0/1 is used for MPLS. The Uplink field is generally the name of the service provider. For MPLS, ensure that the uplink field matches across all devices.
Step 1 On the right side, click Basic Mode.
Step 2 Go to WAN and select WAN Details.
Step 3 On the WAN Uplinks/Ports table, click the + (plus sign).
Step 4 In the New WAN Uplink / Port window, configure the MPLS and INET uplinks with the following settings.
MPLS:
- Uplink: MPLS
- WAN Type: MPLS
- WAN Speed: 10
- Source NAT: Unchecked
- Use as Backup: Unchecked
- IP Addressing Method: Static
- Port: GE 0/0/1
- Secure with ACL: Unchecked
INET:
- Uplink: INET
- WAN Type: INET
- WAN Speed: 20
- Source NAT: Checked
- Use as Backup: Unchecked
- IP Addressing Method: DHCP
- Port: GE 0/0/0
- Secure with ACL: Checked
Configure the WAN Load Balancing Algorithm
Uplink utilization is recommended for use as the load balancing algorithm. This moves traffic from oversaturated links to a less used link if the bandwidth threshold is exceeded.
Step 1 On the configuration Gateways tab in Basic Mode, go to WAN and select Load Balancing.
Step 2 In the Load balancing mode list, select Uplink utilization.
Configure the Overlay and Set the VPNC Preference
Use this procedure to assign data center preferences for tunnel orchestration for the VPN concentrators (VPNCs).
Step 1 In Basic Mode, select Tunnels & Routing, then DC Preference.
Step 2 In the DC Preference table, click the + (plus sign) to add a VPNC hub group.
Step 3 In the Hub Group dropdown, select a VPNC group to assign the preferred data center.
Step 4 In the Primary VPNC dropdown, select the primary VPNC.
Step 5 In the Secondary VPNC dropdown, select the secondary VPNC, then click Save Settings.
Note: VPNCs do not appear unless they have been configured. See the “Configuring VPNC” section to configure the VPNCs.
Step 6 Repeat steps 3 to 5 if a secondary data center is used. Groups higher in the list (with lower numbers) are treated as more preferred VPNC groups.
Note: The procedures in this guide do not use a second DC; this step is shown only as an example.
Enable Overlay Routes
In this procedure, branch subnets are redistributed into the VPN overlay to ensure route reachability with other sites.
Step 1 In Basic mode, select Tunnels & Routing, then Overlay Routes.
Step 2 In Redistribute connected VLANs, select all the user VLANs and the system IP VLAN for overlay redistribution, then click Save Settings.
Enable DPI and Application Visibility
Deep packet inspection and Application Visibility must be enabled for Dynamic Path Steering and SAAS Express to function. This section describes how to enable these features.
Note: This procedure will cause the gateways to reboot to apply the configuration.
Step 1 Verify that the Gateway configuration mode is in Advanced Mode.
Step 2 Select the Security tab, then select Applications.
Step 3 Expand the Application Visibility section.
Step 4 Check the Deep packet inspection checkbox.
Step 5 Check the App performance monitoring checkbox.
Step 6 Click Save Settings.
Note: Deep packet inspection is enabled by default at the device level, but it is best practice to also enable it at the group level.
Configure Policies for Dynamic Path Steering
The dynamic path steering (DPS) feature routes traffic in real time and load balances it across the available uplinks based on the measured performance of each uplink. DPS policies and configurations are unique to each environment, based on the organization’s applications and performance needs. General guidance on developing a DPS policy can be found in the design section of the guide here. This section describes how to configure a DPS policy that selects the optimal WAN path and applies forward error correction (FEC) for voice traffic.
Additional policies should be created based on application requirements.
Note: While this example deployment does not utilize LTE connections, LTE is included in the below policy to facilitate the future addition of LTE uplinks without the need to modify the policy.
Create Policy
Step 1 Verify that the Gateway configuration mode is in Basic Mode.
Step 2 Select the Policies tab, then select DPS.
Step 3 Click the + (plus sign) to create a new DPS policy.
Step 4 In the Create Policy window, assign the following settings and click Save.
- Policy Type: DPS
- Policy Name: Protect-Voice
Identify Traffic
Step 1 Select Protect-Voice.
Step 2 Click the edit (pencil) icon in the Traffic Rules section.
Step 3 Click the + (plus sign) to create a new traffic specification rule.
Step 4 In the Add Rules for Protect-Voice window, assign the following settings and click Save.
- Source: Any
- Destination: Any
- Application/Port: App Categories
- App Categories: unified-communications
Step 5 Click the back arrow.
Set WAN Paths
Step 1 Select Protect-Voice and click the pencil icon next to WAN Path.
Step 2 In the WAN Path for Protect-Voice window, assign the following settings and click Save.
- Primary path: ALL_MPLS
- Secondary path: ALL_INET
- Last resort path: ALL_LTE
Configure SLA
Step 1 Select Protect-Voice and click the edit (pencil) icon next to SLA.
Step 2 In the Select SLA for Protect-Voice window, assign the following settings and click Save.
- SLA: BestforVoice
- Loss Correction (FEC): Checked
- Loss % with FEC: 5
- FEC Ratio: 1:4
Step 3 Review the configuration and click Save Settings.
Configure Policies for SAAS Express
The SAAS Express feature routes traffic through the best Internet egress point, based on the measured performance of each Internet egress point for the given application. SAAS Express policies and configurations are unique to each environment, based on the organization’s applications and performance needs. General guidance on developing a SAAS Express policy can be found in the design section of the guide here. This section describes how to configure a SAAS Express policy to optimize Office 365 traffic.
Note: While this example deployment does not utilize LTE connections, LTE is included in the below policy to facilitate the future addition of LTE uplinks without the need to modify the policy.
Additional policies should be created based on application requirements.
Create Policy
Step 1 Verify that the Gateway configuration mode is in Basic Mode.
Step 2 Select the Policies tab, then select DPS.
Step 3 Click the + (plus sign) to create a new SAAS Express policy.
Step 4 In the Create Policy window, assign the following settings and click Save.
- Policy Type: SAAS
- Application: office365
Configure SLA
Step 1 Select saas_office365_wp and click the edit (pencil) icon beside SLA.
Step 2 In the Select SLA for saas_office365_wp window, select the BestforSaaS SLA.
Step 3 Click Save.
Configure Exit Profile
Step 1 Select saas_office365_wp and click the edit (pencil) icon beside Exit Profile.
Step 2 In the Exit Profile for saas_office365_wp window, select the default profile BestForSaaS and click Save.
Step 3 Review the configuration and click Save Settings.
Configure Branch Gateway at the Device Level
In this section, the primary Miami branch gateway is configured. These gateways can be preconfigured offline and obtain their configuration when they connect to Central. Ensure that the branch gateways are assigned to the group and site as demonstrated in the “Preparing to Deploy” section.
Start the Branch Gateway Configuration
Step 1 On the Aruba Central Account Home page, launch the Network Operations app.
Step 2 In the dropdown, select the branch gateway group containing the devices.
Step 3 In the left navigation pane, in the Manage section, select Devices and select the Gateways tab.
Step 4 In the Gateways table, select the device to configure as the primary branch gateway.
Step 5 In the Guided Setup window, click Cancel, then click Exit.
Assign a Hostname
Step 1 Go to the Gateway configuration and verify that Basic Mode is enabled.
Step 2 Select System and Hostname.
Step 3 Click the basic info dropdown and enter the Hostname.
Assign IP Addresses to the VLAN
Use this procedure to assign LAN VLAN IP addresses. The DHCP relay was preconfigured at the group level.
Step 1 Ensure that the Gateway configuration mode is in Basic Mode.
Step 2 Select the LAN tab and select VLANs.
Step 3 In the VLANs table, select one of the VLANs, and click the edit (pencil) icon.
Step 4 In the VLAN window, assign the following settings, then click Save. (These IP addresses are for the Miami site.)
VLAN ID | Description | Network | Default Gateway (VRRP) | MIABR-ECB1-1 IP Address | MIABR-ECB1-2 IP Address |
---|---|---|---|---|---|
100 | MGMT (Gateway System IP) | 10.14.0.0/24 | 10.14.0.1 | 10.14.0.2 | 10.14.0.3 |
101 | Employee | 10.14.1.0/24 | 10.14.1.1 | 10.14.1.2 | 10.14.1.3 |
102 | PRINTER | 10.14.2.0/24 | 10.14.2.1 | 10.14.2.2 | 10.14.2.3 |
103 | IoT (smart thermostats, smart access control, and meeting room kiosk) | 10.14.3.0/24 | 10.14.3.1 | 10.14.3.2 | 10.14.3.3 |
104 | Guest | 10.14.4.0/24 | 10.14.4.1 | 10.14.4.2 | 10.14.4.3 |
105 | Reject | 10.14.5.0/24 | 10.14.5.1 | 10.14.5.2 | 10.14.5.3 |
106 | Critical | 10.14.6.0/24 | 10.14.6.1 | 10.14.6.2 | 10.14.6.3 |
107 | Quarantine | 10.14.7.0/24 | 10.14.7.1 | 10.14.7.2 | 10.14.7.3 |
Summary | | 10.14.0.0/21 | | | |
Step 5 Repeat steps 3 and 4 for all VLANs in the table above.
Note: Clicking Save Settings after changing each VLAN IP is unnecessary. All VLAN IP changes can be saved at the same time.
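Before typing a site address plan like the one above into Central, it is worth checking it mechanically: every VLAN subnet must sit inside the site summary, subnets must not overlap, and the VRRP gateway, local and peer addresses must be distinct usable hosts in their subnet. The following script is an added example, not part of this guide or of Aruba Central; the Miami plan is re-entered here as constructed data, and the checks use only the Python standard library.

```python
import ipaddress

# Constructed copy of the Miami VLAN plan from the table above:
# (vlan_id, description, network, vrrp_gateway, gateway_1_ip, gateway_2_ip)
MIAMI_VLAN_PLAN = [
    (100, "MGMT", "10.14.0.0/24", "10.14.0.1", "10.14.0.2", "10.14.0.3"),
    (101, "Employee", "10.14.1.0/24", "10.14.1.1", "10.14.1.2", "10.14.1.3"),
    (102, "Printer", "10.14.2.0/24", "10.14.2.1", "10.14.2.2", "10.14.2.3"),
    (103, "IoT", "10.14.3.0/24", "10.14.3.1", "10.14.3.2", "10.14.3.3"),
    (104, "Guest", "10.14.4.0/24", "10.14.4.1", "10.14.4.2", "10.14.4.3"),
    (105, "Reject", "10.14.5.0/24", "10.14.5.1", "10.14.5.2", "10.14.5.3"),
    (106, "Critical", "10.14.6.0/24", "10.14.6.1", "10.14.6.2", "10.14.6.3"),
    (107, "Quarantine", "10.14.7.0/24", "10.14.7.1", "10.14.7.2", "10.14.7.3"),
]
MIAMI_SUMMARY = "10.14.0.0/21"  # site summary route from the table


def validate_vlan_plan(plan, summary):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    summary_net = ipaddress.ip_network(summary)
    seen = []  # (vlan_id, network) already checked, for overlap detection
    for vlan, _desc, net_s, vrrp_s, gw1_s, gw2_s in plan:
        try:
            net = ipaddress.ip_network(net_s)
            vrrp, gw1, gw2 = (ipaddress.ip_address(a) for a in (vrrp_s, gw1_s, gw2_s))
        except ValueError as exc:
            # Catches transcription slips such as a trailing dot or a stray slash.
            problems.append(f"VLAN {vlan}: malformed address ({exc})")
            continue
        if not net.subnet_of(summary_net):
            problems.append(f"VLAN {vlan}: {net} is outside site summary {summary_net}")
        for other_vlan, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"VLAN {vlan}: {net} overlaps VLAN {other_vlan} ({other_net})")
        seen.append((vlan, net))
        for label, addr in (("VRRP gateway", vrrp), ("gateway 1", gw1), ("gateway 2", gw2)):
            # A usable host must be inside the subnet and not its network/broadcast address.
            if addr not in net or addr in (net.network_address, net.broadcast_address):
                problems.append(f"VLAN {vlan}: {label} {addr} is not a usable host in {net}")
        if len({vrrp, gw1, gw2}) != 3:
            problems.append(f"VLAN {vlan}: VRRP, gateway 1 and gateway 2 addresses must differ")
    return problems


if __name__ == "__main__":
    issues = validate_vlan_plan(MIAMI_VLAN_PLAN, MIAMI_SUMMARY)
    print("\n".join(issues) if issues else "address plan is consistent")
```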
Configure the MPLS VLAN
The MPLS VLAN must be configured statically with an IP address and gateway. The DNS server entered here is used for health checks on the interface.
Step 1 Ensure that the Gateway configuration mode is in Basic Mode.
Step 2 Go to WAN and select WAN Details.
Step 3 Scroll and select the MPLS VLAN. (Be sure the local gateway VLAN is selected.)
Step 4 Enter the IPv4 Address, Gateway IP, Netmask, and DNS Servers for the MPLS VLAN.
Step 5 Click Save.
Assign System IP Address
Use this procedure to select the Management VLAN as the system IP address.
Step 1 Ensure that the Gateway configuration mode is in Advanced Mode.
Step 2 In the System section, select General and expand System IP Address.
Step 3 In the dropdown, select VLAN 100.
Step 4 Click Save Settings.
Configure the LAN Redundancy
Step 1 Ensure that the Gateway configuration mode is in Basic Mode.
Step 2 In the Redundancy section, select Preferred Cluster Leader.
Step 3 Set the Preferred Cluster Leader to MIABR-ECB1-1.
Step 4 In the Cluster Virtual Router IPs table, click the + (plus sign).
Step 5 In the VLAN ID dropdown, select a LAN VLAN. The IP Address on Local and IP Address on Peer columns should autopopulate with the IP address values.
Step 6 In Virtual IP column, enter an IP address; for example, 10.14.0.1.
Step 7 Repeat steps 3 and 4 for all user VLANs.
Step 8 Click Save Settings.
Note: Ensure that Automatic Clustering and Auto Site are both enabled at the group level by selecting BR-ECSDB > Advanced Mode > High Availability > Clusters.
Configure WAN Redundancy for Specific Deployments (Optional)
If only one of each WAN transport is available at a site with redundant gateways, WAN transports can be shared over the LAN. For example, the INET circuit terminates on one gateway and the MPLS circuit terminates on another gateway. As long as the gateways are reachable over the LAN, they can share the respective WAN transports. This configuration is not used in this deployment because the sites have redundant connections for both INET and MPLS. In this example, site RS01 is shown, with VLAN 100 used for connectivity between the gateways. Follow these steps to configure WAN redundancy.
Step 1 Verify that the Gateway configuration mode is in Basic Mode.
Step 2 Select the WAN tab, then select WAN Details.
Step 3 Turn on Enable High Availability deployment.
Step 4 In the Peer Gateway section, select the gateway at each site.
Step 5 Ensure that all the WAN transports appear in the WAN Uplinks / Ports table.
Note: As long as both gateways have the same site ID, the peer gateway and site ID are populated automatically and grayed out.