Deployment Scenarios
The following section explains the deployment scenarios of Aruba Central NetConductor:
Distributed Campus-wide Fabric
The Distributed Campus-wide Fabric enables large enterprises to deploy a multi-vendor and scalable overlay across the wired, wireless, and wide area network, and enables role-based policy enforcement at the edge of the fabric. The fabric consists of a standards-based EVPN-VXLAN fabric on the AOS-CX Switches and is extended to the ArubaOS 10 Gateways using a static VXLAN tunnel. This fabric is based on the BGP-EVPN and VXLAN protocols.
Figure 1 Distributed Campus-wide Fabric Deployment
The Distributed Campus-wide Fabric deployment has an IBGP EVPN-VXLAN overlay on the AOS-CX switches, over an OSPF or IBGP underlay network. The underlay routing protocol is enabled to exchange the loopback addresses of all the devices in the fabric. The IBGP fabric is then established by peering all the edge devices in the fabric to the route-reflector, creating a full-mesh VXLAN-EVPN fabric. This fabric is added to the ArubaOS 10 wireless overlay using a static VXLAN tunnel, which enables role propagation from the wireless network to the wired network, and vice versa.
Centralized Multi-site Fabric with Aruba SD-Branch
In the Centralized Multi-site Fabric with Aruba SD-Branch deployment, the ArubaOS 10 Aruba Gateways act as WLAN and user-based tunnel gateways, and enable connectivity and role propagation over the SD-Branch WAN network. The following example explains the Centralized Multi-site Fabric deployment using ArubaOS 10 Aruba Gateways.
Figure 2 Centralized Multi-site Fabric with Aruba SD-Branch Deployment
In the Centralized Multi-site Fabric deployment, customers can propagate role information and enforce role-based policies for client traffic across multiple sites connected by an Aruba SD-Branch fabric. The ArubaOS 10 Gateways act as the WLAN and user-based tunnel Gateways for wired and wireless clients within each site, and act as the policy enforcement point for the clients within the site. To enforce role-based policies for traffic destined to clients across the fabric, the ArubaOS 10 Gateways encapsulate the client traffic with VXLAN-GBP and IPSEC, which contain role information in the GPID field in the VXLAN header. The ArubaOS 10 Gateway in the destination site will then enforce the role-based policies for client traffic. Role propagation can also be selectively enabled on a per-group basis for SD-Branch deployments.
Centralized Multi-site Fabric with Third-Party Networks
In the Centralized Multi-site Fabric deployment with Third-Party SD-WAN, the ArubaOS 10 Aruba Gateways act as WLAN and user-based tunnel gateways and enable role propagation over a third-party SD-WAN network. The following example explains the Centralized Multi-site Fabric deployment using a third-party SD-WAN Gateway.
Figure 3 Centralized Multi-site with Third-Party SD-WAN Fabric Deployment
In the Centralized Multi-site Fabric deployment, customers can propagate role information and enforce role-based policies for client traffic across multiple sites connected by a third-party SD-WAN fabric. The ArubaOS 10 Gateways act as the WLAN and UBT (User-Based Tunneling) Gateways for wired and wireless clients within each site and act as the policy enforcement point for the clients within the site. To enforce role-based policies for traffic destined to sites across the third-party SD-WAN fabric, the ArubaOS 10 Gateways encapsulate the client traffic with VXLAN-GBP (Group-Based Policy) and IPSEC, which contains the source role information in the GPID field in the VXLAN header. The ArubaOS 10 Gateway in the destination site will then enforce the role-to-role policies for the client traffic. Role propagation can also be selectively enabled on a per-subnet basis for third-party WAN deployments.
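The following added example (not HPE Aruba Networking code) illustrates how a destination gateway could read the source role from the GPID field described in both Centralized Multi-site sections and apply a role-to-role policy. The header layout follows the VXLAN Group Policy Option Internet-Draft; the role IDs, the policy table, the sample header bytes, and the fail-closed default are constructed assumptions.

```python
import struct
from typing import NamedTuple, Optional

G_FLAG = 0x80  # byte 0: Group Policy ID field is valid
I_FLAG = 0x08  # byte 0: VNI field is valid
D_FLAG = 0x40  # byte 1: don't learn
A_FLAG = 0x08  # byte 1: policy already applied by an upstream device

class VxlanGbp(NamedTuple):
    vni: int
    gpid: Optional[int]      # None when the G bit is clear
    policy_applied: bool
    dont_learn: bool

def parse_vxlan_gbp(header: bytes) -> VxlanGbp:
    """Decode the 8-byte VXLAN header carrying the Group Policy extension."""
    if len(header) < 8:
        raise ValueError("VXLAN header must be 8 bytes")
    flags0, flags1, gpid, vni_rsvd = struct.unpack("!BBHI", header[:8])
    if not flags0 & I_FLAG:
        raise ValueError("I flag clear: VNI is not valid")
    has_gpid = bool(flags0 & G_FLAG)
    return VxlanGbp(
        vni=vni_rsvd >> 8,                      # upper 24 bits; low byte reserved
        gpid=gpid if has_gpid else None,        # ignore the field unless G is set
        policy_applied=has_gpid and bool(flags1 & A_FLAG),
        dont_learn=has_gpid and bool(flags1 & D_FLAG),
    )

# Constructed role IDs: (source role, destination role) -> action
ROLE_POLICY = {(100, 200): "permit", (300, 200): "deny"}

def enforce(header: bytes, dst_role: int) -> str:
    """Role-to-role decision at the destination site (hypothetical helper)."""
    hdr = parse_vxlan_gbp(header)
    if hdr.gpid is None:
        return "deny"    # assumption: no propagated source role means fail closed
    return ROLE_POLICY.get((hdr.gpid, dst_role), "deny")

def build_header(vni: int, gpid: Optional[int] = None) -> bytes:
    """Build a test header; the G flag is set only when a role is supplied."""
    flags0 = I_FLAG | (G_FLAG if gpid is not None else 0)
    return struct.pack("!BBHI", flags0, 0, gpid or 0, vni << 8)

# Constructed sample: G and I flags set, GPID 100, VNI 5000
SAMPLE = bytes.fromhex("8800006400138800")
```

Because the GPID is only a 16-bit value in the header, the receiving gateway can rely on it only to the extent that the tunnel carrying it is authenticated, which is the role IPSEC plays in the deployments above.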