![Page 1: SD-Branch Evolution of the Branch & SD-WAN · Evolution of the Branch & SD-WAN Stephan Lelleck, CSE stephan.lelleck@hpe.com. 2 Challenges with Current Branch Architectures. WAN Side](https://reader030.vdocuments.mx/reader030/viewer/2022040410/5ec8d5e8f456ab20750c01e2/html5/thumbnails/1.jpg)
SD-Branch
Evolution of the Branch & SD-WAN
Stephan Lelleck, CSE stephan.lelleck@hpe.com
Challenges with Current Branch Architectures
WAN Side Challenges
• Limited capacity & long setup times for MPLS
• Lack of control and visibility into WAN traffic
• Complex management of the WAN and routing policy
• More SaaS traffic (O365, Box, SFDC, …) directed over Internet.
• Lack of security measures and control to safeguard the network
LAN Side Challenges
• Complexity caused by increasing number of devices, VLAN proliferation
• End points going mobile
• Poor visibility into clients/devices
• Lack of authentication of clients/devices
• Lack of common policy for users connecting to network via wired or wireless
Operation Challenges
• Multiple management platforms, Multiple operating models, Multiple vendors, Policy is distributed
Goal: Solve the Branch problem, not just the WAN
• Simple: Drive simplicity and fewer boxes in branch solution
• Common Policy and Management: for Wired, WLAN and WAN
• Transport Independency: Own your WAN policy
Traditional vs SD-Branch Policy
Traditional: DISAGGREGATED POLICY DEFINITIONS, STATIC AND FRAGMENTED
• WLAN: VLAN, ACL, SUBNET
• LAN: VLAN, ACL, SUBNET
• FIREWALL: ZONE, TRUST, ACL
• ROUTER: VRF, VPN, SUBNET, ACL
• WAN OPT: THROTTLING, COMPRESSION
SD-Branch: SOFTWARE DEFINED DESIGN
• UNIFIED POLICY ENFORCEMENT: LAN, WLAN, WAN, SECURITY
• ELIMINATE VLAN SPRAWL
• CENTRALIZED DEFINITIONS FOR EVERY BRANCH
[Diagram labels: VLAN 103; VLAN 201; TUNNELED TRAFFIC]
Aruba Solution Overview
[Diagram labels: Branch; Aruba 2930F; Wired; Wireless; Branch Gateway (BG); Role-based profiling; vlan50; uplink1; uplink2; MPLS; Internet; Internet Destination; Data Center; Headend Gateway (VPNC); 7200 series Appliance; 7000 series Appliance; Virtual Gateway; Public/Private Cloud; Customer Portal; Wireless Tunnel; Wired Tunnel; callouts 1 to 4]
Aruba Solution Components
Hardware
Software
Branch Gateways: Aruba 7000 Series
Headend Gateways: Aruba 7200 Series
Virtual Gateways: Aruba vGateway
AOS: Aruba OS
Aruba Central
Centralized cloud managed networking for wireless, wired & WAN.
Available 2HCY18
Branch Gateways: Aruba 7000 Series
LAN
• L2 services, PoE
• LLDP
• DHCP
• NAT, 1:1 NAT
• AAA survivability
WAN
• Multiple WAN uplinks
• Load balancing
• IPSec VPN tunnels
• LTE fallback
• Policy Aware Application Routing
• Direct Internet Access
• Dynamic Path Selection
Security
• Stateful Firewall
• User based Policies
• Web Content Filtering
• LAN Segmentation
• Zscaler Integration
Licenses
SD-WAN Solution Capabilities
• Zero Touch: Secure ZTP, Aruba Central
• Overlay Topology: IPsec VPN tunnels, Hub-and-spoke
• Application Visibility: DPI/AppRF, WAN links
• Gateway Monitoring: Device, WAN, Tunnels, Routes, Alerts, DHCP
• Secure Branch: Stateful Firewall, ClearPass integration, Web CC, Zscaler
• WAN Flexibility: Multiple WAN uplinks, QoS
• Application Path Steering: Policy aware application routing, Dynamic Path Selection
• Ease of Management: Group based configuration, Central firmware management
• LAN Services: VLANs, DHCP, NAT, QoS
Aruba Distributed Architectures
[Diagram labels: Enterprise DC; SD-WAN; MicroBranch (IAP-VPN); On the road (VIA)]
Onboarding and management
ZTP for Secure and Fast Branch Deployments
• Complete Trust: Secure Onboarding with embedded TPM chip on all Aruba devices
• Zero Touch: Ease of use, Zero touch to provision remote Branch
• Scale: Create Bulk Policy Template to push to Branches plus REST/API
Mobile Installer App
• Installer selects site and scans devices
• Installer gets status of device onboarding
• Admin gains central visibility into onboarding
• Location awareness seeded into onboarding
NOC Dashboard
• Monitoring via two approaches
  • Metrics and stats that are passively collected
  • Metrics and stats that are actively collected from synthetic transactions
• Results Delivered in Three Ways
  • Via APIs and API based notifications
  • Via exportable reports
  • Via the Central Dashboards
Site Health Dashboard
System Health Indicators
• Devices Disconnected
• CPU Utilization
• Memory Utilization
RF Health Indicators
• Channel Utilization (5/2.4GHz)
• Noise Floor (5/2.4GHz)
Client Health Indicators
• Client Health Score
• Connectivity Health Score
WAN Health Indicators
• Network Latency, Loss
• Bandwidth
Hierarchical Management
1 Apply configurations on a group basis
2 Overrides on a per-device basis (bulk-edit possible)
3 Monitoring based on labels
Routing Policies
Setting up the overlay
1 Establish VPN tunnels
2 Advertise branch routes
3 Start sending traffic
[Diagram labels: IPsec; Corp Data Traffic; Internet Traffic; Branch subnets advertised upstream via cfgset (ike ext); Corp routes pointing to the tunnel; Redistribute branch Subnets; Subnet A; Subnet B]
Multiple uplinks
• Equal cost routes via both tunnels
[Diagram labels: Branch; Data Center; xDSL; MPLS]
Hub & Spoke Routing
• Branch subnets advertised upstream via cfgset to both DCs
• Redistribute into OSPF, Cost 10
• Corp routes to DC A: Cost 10
• Redistribute into OSPF, Cost 20
• Corp routes to DC B: Cost 20
[Diagram labels: Subnet A; Subnet B]
Path Quality Monitoring
Path Quality Monitoring
How it looks today…
– ICMP Probes measure latency and packet loss
– UDP Probes (UDP 4500) measure latency, packet loss and jitter
– MOS is derived from these values
– Probes can be sent through the underlay or through the overlay
[Diagram labels: Branch; ADSL; MPLS; IPsec; UDP Probes; ICMP Probes]
Evolution
– Global ICMP responder service in ACP (Aruba Central)
– HTTPS probes to SaaS
– Leverage FW capabilities for passive monitoring
Passive monitoring
• Delay/Latency
• Jitter, MOS
[Diagram labels: Branch; ADSL; MPLS; IPsec; UDP Probes; ICMP Probes; HTTPS Probes]
Putting it all together…
A day in the life of an SD-WAN packet
[Diagram labels: Enterprise DC; Headend Gateway; Virtual Gateway; SD-WAN Overlay; uplinks INET, MPLS, LTE]

Path Metric

| Link | Latency | Jitter | Loss | Util |
|---|---|---|---|---|
| MPLS | 4ms | 5 | 1% | 30% |
| INET1 | 30ms | 25 | 4% | 60% |
| LTE | 45ms | 10 | 20% | 5% |

Path Mon Policy

| Name | Policy |
|---|---|
| Voice | Latency < 10ms & Jitter < 10 & Loss < 2% & Util < 70% |
| SAP | Latency < 50ms & Loss < 50% & Util < 90% |
| Guest | Util < 95% |
A day in the life of an SD-WAN packet
[Diagram labels: Enterprise DC; Headend Gateway; Virtual Gateway; uplinks INET, MPLS, LTE]

Path Metric

| Link | Latency | Jitter | Loss | Util |
|---|---|---|---|---|
| MPLS | 200ms | 5 | 50% | 30% |
| INET1 | 10ms | 5 | 4% | 60% |
| LTE | 45ms | 10 | 20% | 5% |
Dynamic Path Selection
• Role + Application: Per user role, classify important applications, e.g. Employee Business Critical, Voice, Best-Effort, Guest
• SLA: Configure SLA parameters per user & application category
• Path Preference: Configure path preference and fall-back options per application category
[Diagram labels: Basic WAN; steps 1, 2, 3; Delay, Jitter, Loss; MPLS, Internet, 4G/LTE]
DPS Monitoring
Is the WAN link compliant to the application SLA?
• View compliance per WAN link
• Highlight violations with specific reasons
Is the policy honoring path preference?
• View session distribution across active links
Is DPS kicking in when there are WAN link SLA violations?
• Quickly identify session movement between WAN links
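
The SLA check behind the Dynamic Path Selection and DPS Monitoring slides, as an added Python example (not code from the deck and not Aruba's implementation): it evaluates the deck's three sample policies against both of its path-metric tables and reports per-link violation reasons. The path preference order and the choice to return no path when no link complies are assumptions.

```python
"""SLA compliance per WAN link, using the sample tables from the slides."""

# Path metrics from the deck: latency in ms, jitter (unit not given), loss %, util %.
HEALTHY = {
    "MPLS":  {"latency": 4,  "jitter": 5,  "loss": 1,  "util": 30},
    "INET1": {"latency": 30, "jitter": 25, "loss": 4,  "util": 60},
    "LTE":   {"latency": 45, "jitter": 10, "loss": 20, "util": 5},
}
# Later slide: MPLS degrades while INET1 improves.
DEGRADED = {
    "MPLS":  {"latency": 200, "jitter": 5,  "loss": 50, "util": 30},
    "INET1": {"latency": 10,  "jitter": 5,  "loss": 4,  "util": 60},
    "LTE":   {"latency": 45,  "jitter": 10, "loss": 20, "util": 5},
}

# Policies from the deck: each listed metric must be strictly below its limit.
POLICIES = {
    "Voice": {"latency": 10, "jitter": 10, "loss": 2, "util": 70},
    "SAP":   {"latency": 50, "loss": 50, "util": 90},
    "Guest": {"util": 95},
}

# ASSUMPTION: the deck does not give a preference order; this one is constructed.
PREFERENCE = {
    "Voice": ["MPLS", "INET1", "LTE"],
    "SAP":   ["MPLS", "INET1", "LTE"],
    "Guest": ["INET1", "LTE"],
}


def violations(policy, link_metrics):
    """Return the reasons a link misses the SLA; an empty list means compliant."""
    reasons = []
    for metric, limit in policy.items():
        value = link_metrics.get(metric)
        if value is None:
            # Missing probe data counts as a violation rather than a pass.
            reasons.append(f"{metric}: no measurement")
        elif not value < limit:
            reasons.append(f"{metric} {value} >= {limit}")
    return reasons


def select_path(app, metrics):
    """Pick the first preferred link that meets the SLA, plus a per-link report."""
    report = {
        link: violations(POLICIES[app], metrics.get(link, {}))
        for link in PREFERENCE[app]
    }
    chosen = next((link for link in PREFERENCE[app] if not report[link]), None)
    return chosen, report


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        for app in POLICIES:
            chosen, report = select_path(app, table)
            print(label, app, "->", chosen, report)
```

With the degraded table, SAP moves to INET1, while Voice has no compliant link at all: INET1 sits exactly on the 10 ms latency limit and exceeds the 2% loss limit.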
Topology
• Tree and Planetary View
• Health status
• Hover info
• VLAN Overlays
Security
Security and hardening
• CC EAL4+ Integrated Firewall
• Guest traffic completely isolated from corporate network
• DPI engine with 2500+ applications (plus custom apps)
• WebCC for content and reputation filtering
[Diagram labels: INTERNET; MPLS; Content and reputation filter]
User Centric Policies
1 Device associates to initial role
2 ClearPass profiles device
3 ClearPass places device in its role
4 Every frame goes through the firewall, including inter-VLAN traffic, so only a single VLAN is needed.
Integration with Cloud Security
• Tunnel Internet bound traffic to Cloud Security vendor
• Role-based profiling with stateful Firewall on Branch Gateway. Only Internet flows are steered to Cloud security vendor.
• Select Internet bound flows based on configured policy are tunneled to Cloud Security provider.
[Diagram labels: Branch Gateway; Enterprise DC Gateway; Cloud Gateway; Cloud Security; Customer Portal; “Internet Access”; INTERNET]
Role Based Policies for LAN, Security, WAN
• LAN Policies: WLAN and wired switching policies applied per role. E.g.: Guest SSID, QoS for PCI traffic
• Security Policies: Firewall and WebCC policies applied per role. E.g.: WebCC for Guest, PCI traffic isolation
• WAN Policies: Path steering policies applied per role. E.g.: Guest to Internet, PCI traffic to MPLS
[Diagram labels: BRANCH OFFICE; Printer; Desktop; Camera; Laptop; Smartphone; Access Switch; Access Point; Branch Gateway; MPLS; Internet; Users; Devices; WAN State; App fingerprinting]
User / Entity Centric Design Advantages

| Role based access | Traditional access |
|---|---|
| Policy denies intra-vlan communication (micro-segmentation) | Intra-vlan communication is allowed |
| Continuous profiling | VLAN is assigned only once (manually) |
| Role assigned based on AAA & Profiling | VLAN assigned based on physical port |
| Faster new services deployment (ZTP) | New services requires new VLAN deployment |
| All ports are secured | Ports are default-open, accidental access is possible |
| Single DHCP scope per branch | DHCP scope fragmented per vlan |
| WAN policy is centrally defined by user, application and DPS | WAN policy is defined by distributed routing |

[Diagram label: vlan50]
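
What the first row of this comparison means for lateral reachability, as an added Python example (not from the deck and not an Aruba configuration): it enumerates every peer pair in a single flat VLAN and splits them into pairs that stay open under a default-deny role policy and pairs that the policy closes. The endpoint names, the roles other than Guest and PCI, and the rule set are constructed assumptions.

```python
"""Lateral paths in one flat VLAN: traditional switching vs role-based firewalling."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Endpoint:
    name: str
    role: str  # set by AAA + profiling; "initial" until the device is profiled
    vlan: int


# Constructed sample branch: every device sits in the deck's single vlan50.
BRANCH = [
    Endpoint("cam-1", "camera", 50),
    Endpoint("prn-1", "printer", 50),
    Endpoint("pos-1", "pci", 50),
    Endpoint("emp-1", "employee", 50),
    Endpoint("gst-1", "guest", 50),
    Endpoint("new-1", "initial", 50),
]

# ASSUMPTION: illustrative rule set. Key is (source role, destination), where the
# destination is a peer role or "corp"/"internet"; value is the WAN path, if any.
PERMIT = {
    ("employee", "printer"): None,       # local traffic, no WAN path
    ("employee", "corp"): "MPLS",
    ("employee", "internet"): "Internet",
    ("pci", "corp"): "MPLS",             # deck: PCI traffic to MPLS
    ("camera", "corp"): "MPLS",
    ("guest", "internet"): "Internet",   # deck: Guest to Internet
}


def role_decision(src, dst):
    """Firewall verdict for a new session; anything not listed is denied."""
    key = (src.role, dst.role if isinstance(dst, Endpoint) else dst)
    if key in PERMIT:
        return ("permit", PERMIT[key])
    return ("deny", None)


def vlan_reachable(src, dst):
    """Traditional access: peers in the same VLAN are switched without a firewall."""
    return src.vlan == dst.vlan


def lateral_paths(endpoints):
    """Split ordered peer pairs the VLAN would allow into (still open, closed)."""
    still_open, closed = [], []
    for src, dst in permutations(endpoints, 2):
        if not vlan_reachable(src, dst):
            continue
        verdict, _ = role_decision(src, dst)
        (still_open if verdict == "permit" else closed).append((src.name, dst.name))
    return still_open, closed


if __name__ == "__main__":
    still_open, closed = lateral_paths(BRANCH)
    print("open:", still_open)
    print("closed by role policy:", len(closed))
```

Pairs are counted per session initiator, so the printer's replies to the employee ride the permitted session while a printer-initiated connection is denied.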
DYNAMIC SEGMENTATION, BRANCH-WIDE
PORT-BASED
• Static
• Manual configuration of ACLs, VLANs, QoS
• Hard to scale for device type and quantity across multiple sites
ROLE-BASED
• Dynamic
• Automate configurations with context
• Flatten configurations at high scale based on user, device, app
[Diagram labels: Camera port; Printer port; PoS port; PCI-compliant]
Aruba SD-WAN solution components
Cloud management
Overlay SD-WAN fabric
Dynamic Path Selection
Role-based security and routing
Cloud Security Partners
Aruba Solution
Hardware
7000 Series Branch Gateways
- L4-L7 Firewall CC EAL4+
- Routing – Dynamic Path Selection
- WAN compression
- Web Filtering
- WAN QoS
- WAN PBR (Policy Based Routing)
- AAA Survivability
- Crypto Engine (IPsec VPN)
- Application visibility and analytics
Branch Gateway Portfolio

| Features | 7005 | 7008 | 7010 | 7024 | 7030 |
|---|---|---|---|---|---|
| Firewall throughput | 2Gbps | 2Gbps | 4Gbps | 4Gbps | 8Gbps |
| Encryption throughput | 1.2Gbps | 1.2Gbps | 2.4Gbps | 2.4Gbps | 2.4Gbps |
| GE ports | 4 | 8 | 16 | 24 | 8 |
| PoE support | Can be PoE powered | 8 ports can provide PoE | 12 ports can provide PoE | 24 ports can provide PoE | No |
| Concurrent IPSec Tunnels | 512 | 512 | 1024 | 1024 | 1024 |
| Active Firewall sessions | 16K | 16K | 32K | 32K | 64K |
Headend / VPN Concentrator Portfolio

| Features | 7205 | 7210 | 7220 | 7240 |
|---|---|---|---|---|
| IPSec Tunnels | 4096 | 16384 | 24576 | 32768 |
| Encryption throughput | 4.5Gbps | 5.9Gbps | 20Gbps | 30Gbps |
| Firewall throughput | 12Gbps | 20Gbps | 40Gbps | 40Gbps |
| GE ports | 4 (1G Combo) | 2 (1G Combo) | 2 (1G Combo) | 2 (1G Combo) |
| SFP/SFP+ | 2 10G SFP+ | 4 10G SFP+ | 4 10G SFP+ | 4 10G SFP+ |
| Redundant Power Supply/Fan | No | Yes | Yes | Yes |
Thank you