Configuring the SD-Branch Overlay Network
The HPE Aruba Networking SD-Branch solution supports the hub and spoke topology and uses IPsec tunnels between the branch and the hub sites to build an SD-Branch overlay network. Hub sites are typically the corporate headquarters or data centers that include one or more Gateways operating as VPNCs, while branch sites or spokes include one or more Branch Gateways. The overlay network securely transports traffic forwarded between the hub and branch sites.
An overlay network is a logical network built on top of an existing physical network. The overlay creates a new layer where traffic can be directed through new virtual network routes or paths instead of physical links. This enables administrators to define and manage traffic flows, irrespective of the underlying physical infrastructure.
The SD-Branch deployment includes at least one hub site with one or more VPNCs that terminate IPsec-based VPN tunnels initiated from the Branch Gateways. Based on the deployment size and redundancy requirements, you can deploy one or more VPNCs at each hub site.
Overriding port-based tunnel client VLAN on the controller is supported only for untagged VLANs configured on the port-based tunneling switch port. It is not supported when both untagged and tagged VLANs are configured on the port-based tunneling switch port.
The following figure illustrates the hub and spoke topology with a single hub site:
Figure 1 Hub and Spoke Topology: Single Hub Site
Large deployments may include additional hub sites to provide redundancy in the event of a primary hub site failure. The most common deployment consists of a primary and secondary hub, each with two redundant VPNCs, as shown in the following figure:
Figure 2 Hub and Spoke Topology: Dual Hub Sites
Configuration Recommendations
The HPE Aruba Networking SD-Branch overlay network based on the hub and spoke architecture requires administrators to configure Gateways using the HPE Aruba Networking Central management interface. Administrators can either manually set up the Gateways for establishing VPN tunnels or use the tunnel orchestrator service in HPE Aruba Networking Central to enable Gateways to automatically establish VPN tunnels. When the VPN hub is set and the Branch Gateways are configured as spokes, HPE Aruba Networking Gateways authenticate using the built-in TPM certificates and automatically establish an overlay tunnel. Administrators can also upload custom certificates for authentication.
Important Points to Note
- The overlay IPsec VPN tunnels are initiated by Branch Gateways and terminated on a VPNC in a hub site using NAT traversal. For NAT traversal, UDP port 4500 must be enabled.
- The VPN tunnels over MPLS-based WANs typically terminate on a VPNC using a VLAN interface assigned a private IPv4 address.
- Internet-based WAN services can be terminated directly on a VPNC using either a public IPv4 address or a private IPv4 address assigned to the VLAN interface.
- Using the HPE Aruba Networking Central management interface, you can enable automatic allowlisting of Branch Gateways or manually add the list of hub sites on Branch Gateways.
Configuring Overlay Tunnels Automatically
The HPE Aruba Networking SD-Branch Solution supports the SD-Branch overlay orchestration service that automates the overlay tunnel and route configuration process. For more information on the SD-WAN overlay orchestration service, see SD-WAN Overlay Tunnel and Route Orchestration.
Manually Configuring Hub and Spoke VPN
To configure a hub and spoke topology for the SD-Branch overlay network, complete the following steps:
Enabling Automatic Allowlisting of Gateways
In a hub and spoke VPN topology, where remote branches connect to the VPNC, newer branches are added in a staggered way. Each time a Branch Gateway is added, the branch information needs to be populated in the VPNC to allowlist the branch device. With large-scale deployments, this method can be error prone and cumbersome. The automatic allowlisting feature automates the process of allowing branch devices to connect to VPNCs and thus eliminates the need for configuring each device at the headend.
Using HPE Aruba Networking Central as a single management entity for Gateways, administrators can enable automatic allowlisting and define a passphrase for secure transmission of VPN traffic. The automatic allowlisting serves as a global configuration that enables all VPNCs to terminate tunnels initiated by the Branch Gateways provisioned in HPE Aruba Networking Central.
Automatic allowlisting configuration is required on both Branch Gateways and VPNC. Ensure that you enable this feature on both Branch Gateway and VPNC groups.
For more information, see the following sections: