NetConductor

With an ever-growing focus on security and scale, the enterprise network is becoming more and more complex in terms of design, deployment, and operations. There is an increasing reliance on BYOD (Bring Your Own Device) and IoT (Internet of Things) for business efficiency and digital transformation initiatives. This increases the risk of security threats to the enterprise due to a sharp increase in unknown or rogue clients and an ever-expanding threat front. Defining policy manually for these clients using the complex policy constructs available today can prove to be a challenging task for security and network administrators. Furthermore, intent-based networking has become an increasingly popular paradigm that many customers are looking to adopt and implement. The goal of intent-based networking is not only to abstract the underlying complexities of the network but to allow users to design, implement, and operate their networks based on their business intents. Many network vendors have identified automated network provisioning and orchestration as the way to achieve this level of abstraction. Thus, the focus has shifted to the security, scalability, and simplification of these networks.

NetConductor is an edge-to-cloud network and security framework designed to tackle these problems for the modern enterprise network. It is tied directly to the HPE Aruba Networking ESP (Edge Services Platform) vision of an edge-to-cloud network. Intelligent overlays are built on highly available underlays and are tied to a full policy-based micro-segmentation model, based on global roles, across the customer's entire network infrastructure. Role-based policies abstract policy from the underlying network and enable flexible and simplified policy definition and enforcement. This is enhanced by full automation of the underlay, orchestration of the overlay, a single pane of glass for management and monitoring, and a rich array of complementary services. The NetConductor framework has evolved to enhance the policy and orchestration components to deliver true intent-based network evolution and optimization.

The following are the main pillars of NetConductor:

  • Intelligent Overlays—Overlay networks provide the ability to deploy flexible services based on the ever-changing demands of endpoints and applications. Decoupling the overlay network from the physical topology enables on-demand deployment of layer 2 and layer 3 services irrespective of the underlay physical topology. Overlay networks also make it possible to carry endpoint or user role information across the network without requiring all devices in the path to understand or manage the roles. NetConductor gives customers the flexibility to choose between centralized overlays and distributed overlays to address their unique requirements. The centralized overlay provides simplified operations and advanced security features for distributed enterprise and smaller campus deployments. For large enterprise campus deployments, NetConductor provides the ability to use distributed overlays for wired and wireless endpoints. This enables large enterprises to deploy a standards-based and scalable overlay network. Both overlay models support the Colorless Ports feature, which enables automated client on-boarding and access control for ease of operations.

Benefits of NetConductor

The following are some of the key benefits of the NetConductor solution. The objective of this guide is to highlight these capabilities to the customer.

  • Simplified and Consistent Security Policies

    • Simplified policy definition based on customer identity
    • Security policies agnostic of location, network, and devices
    • Policy follows the endpoint, user, or application across wired and wireless networks
    • Consistent policies across Campus, Branch, and Datacenter
    • Increase scale by eliminating the need for enforcement nodes to maintain endpoint-to-role mappings in order to enforce policies
  • Flexible Overlays Agnostic of Underlay Architecture

    • Flexible choice of centralized or distributed NetConductor fabrics on any underlay physical network architecture
    • Automated stitch-up and tear-down of layer 2 and layer 3 services based on customer on-boarding
    • Address the requirements of anything from a small, distributed enterprise to a large campus network
  • Simplified Network Deployments and Operations with Intent-Driven Workflows

    • Abstract the complexity of the underlying protocols from network architects and operators
    • Enables global orchestration of roles and role-based policies from HPE Aruba Networking Central
    • Unified monitoring and troubleshooting across all device types and network locations
    • Actionable insights enable ease of troubleshooting for network issues

Features for NetConductor

The following features are available in NetConductor:

  1. Global Client Roles
  2. Network Wizard Overview
  3. Fabric Wizard Overview
  4. Static VXLAN Tunnels on AOS-10 Gateways

NetConductor Vocabulary

The following table provides a brief description of the technical terms used in this guide.

Table 1: List of Technical Terms used in this Guide

Border
    Border is a device persona that connects the fabric to external networks, for example to a WAN, the Internet, or firewalls.

Border Gateway Protocol (BGP)
    BGP is a standardized routing method that enables the Internet to exchange routing information between autonomous systems (AS).

Ethernet VPN (EVPN)
    EVPN is an extension of the BGP protocol for layer 2 (bridging) and layer 3 (routing) VPNs.

Edge
    Edge is a device persona that connects endpoints to the fabric.

External BGP (eBGP)
    Refers to a BGP connection between external peers.

Fabric
    Fabric is a group of AOS-CX switches that are part of the BGP-EVPN VXLAN overlay. The overlay fabric is created by configuring VXLAN tunnels between stub and edge switches.

Group-based Policy (GBP)
    GBP is used to segment user traffic in a network by grouping users into roles based on user authentication at the source or VTEP. Source-based roles remain effective even if a device authenticates at a different location, or if the device is assigned a different IP address.

Internal BGP (iBGP)
    Refers to a BGP connection between internal peers.

Inter-Switch Link (ISL)
    ISL is a layer 2 interface between two VSX (Virtual Switching Extension) peer switches. Each VSX switch must be configured with an ISL link connected to its peer VSX switch.

Open Shortest Path First (OSPF)
    OSPF is an Interior Gateway Protocol (IGP). It distributes routing information between routers belonging to a single Autonomous System (AS).

Multi-Fabric EVPN
    Multi-Fabric EVPN combines multiple EVPN fabrics into a single overlay, allowing Layer 2 and Layer 3 reachability to be shared between data center pods at the same site as well as between more distant data center locations. Multiple data center fabrics and locations can be combined into a single overlay topology.

Policy Identifier
    Policy Identifier is a unique identification number mapped to a client role.

Route Reflector
    Route Reflector refers to a concept specific to BGP that is used to optimize route propagation.

Stub
    Stub is a device persona that supports both static VXLAN tunnels and EVPN VXLAN tunnels.

Switch Virtual Interface (SVI)
    An SVI (also known as a VLAN interface) is a logical layer 3 interface on a switch.

Virtual Extensible LAN (VXLAN)
    VXLAN is an overlay technology that addresses the scalability problems associated with large cloud computing deployments.

Virtual Routing and Forwarding (VRF)
    VRF is a technology that allows multiple instances of a routing table to co-exist simultaneously within the same router in an IP-based computer network.

VXLAN Network Identifier (VNI)
    Refers to the VXLAN network identifier or VXLAN segment ID.

VXLAN Tunnel End Point (VTEP)
    An entity that originates and/or terminates VXLAN tunnels.
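As an added example (not code from this guide or from HPE Aruba Networking), the following Python encodes and decodes a VXLAN header that carries a Group-based Policy tag and then applies a role-to-role policy at the destination VTEP using only that tag, which is why a source-based role survives re-authentication at another location or a change of IP address. The header layout is assumed from draft-smith-vxlan-group-policy, the role table and policy matrix are constructed, and whether NetConductor encodes its Policy Identifier exactly this way is not stated on this page.

```python
import struct

# VXLAN-GBP flag bits, assumed from draft-smith-vxlan-group-policy
FLAG_G = 0x80  # byte 0: Group Policy ID field is present
FLAG_I = 0x08  # byte 0: VNI field is valid
FLAG_A = 0x08  # byte 1: policy has already been applied upstream


def build_vxlan_gbp_header(vni: int, policy_id: int, applied: bool = False) -> bytes:
    """Return the 8-byte header: flags(2) | Group Policy ID(2) | VNI(3) | reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= policy_id < 1 << 16:
        raise ValueError("Group Policy ID must fit in 16 bits")
    flags1 = FLAG_A if applied else 0
    return struct.pack("!BBH", FLAG_G | FLAG_I, flags1, policy_id) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_gbp_header(hdr: bytes) -> dict:
    """Decode the VNI, the policy id (None when the G flag is clear) and the A flag."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags0, flags1, policy_id = struct.unpack("!BBH", hdr[:4])
    if not flags0 & FLAG_I:
        raise ValueError("I flag clear: VNI is not valid")
    return {
        "vni": int.from_bytes(hdr[4:7], "big"),
        "policy_id": policy_id if flags0 & FLAG_G else None,
        "applied": bool(flags1 & FLAG_A),
    }


# Constructed sample data: Policy Identifier -> global client role, and a
# role-to-role matrix. Any pair not listed is denied (fail closed).
ROLES = {10: "employee", 20: "iot-camera", 30: "guest"}
POLICY = {
    ("employee", "employee"): "permit",
    ("employee", "iot-camera"): "permit",
    ("guest", "internet"): "permit",
}


def enforce(hdr: bytes, dst_role: str) -> str:
    """Decide on a frame at the destination VTEP from the carried tag only; the
    inner source IP is never consulted, so the result does not depend on it."""
    h = parse_vxlan_gbp_header(hdr)
    if h["applied"]:
        return "permit"  # draft: devices MUST NOT re-apply policy when A is set
    if h["policy_id"] is None:
        return "deny"  # untagged frame carries no role, so no permit rule can match
    src_role = ROLES.get(h["policy_id"], "unknown")
    return POLICY.get((src_role, dst_role), "deny")
```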