The secret sauce behind rightsizing your branch network

By ozerdo posted Mar 03, 2015 03:49 AM


"Collapsing a large number of networking appliances into one zero-touch Aruba cloud services controller offers a tremendous cost savings." --- Mark Lussier, Special Projects Manager for Retail Applications, Home Hardware Stores, with 1,100 locations throughout Canada


After reading this quote from Mark Lussier, you are probably wondering what's so special about the Aruba Cloud Services Controller that enables tangible time (hence money) savings for branch networks. I have the answer, but first a small detour. When I say detour, I am talking about the wired network.


There was simply no concept of "context" within the wired network. In fact, there was simply no need for it in order to manage access policy or traffic forwarding. Device type was mostly uniform and the devices themselves were almost always IT issued. Everyone was treated as an employee when connected to the internal wired network - physical security ruled them all. Application categories simply did not exist, since there were no "apps powered by the cloud and the app stores" to speak of. And obviously none of the users or the devices moved... everyone and every device was identified by a port number.


Against these outdated (and also quite boring) network design requirements, we have built campus and branch networks with a similar look and feel. The campus had a router, a switch and a firewall - so we replicated that at the branch, at a smaller scale, perhaps within the confines of a dedicated services router.


The campus is going through a transformation as we speak - we are literally unplugging every cord we can to enable pervasive mobility for any technology we touch at work. Accordingly, campus network designs are being reconsidered, with wireless networks capturing most of the mindshare at half the cost of wired access network infrastructure.


Your branch is no different. Mobility forces branch network designs to change as much as, and in some cases more than, it does in the campus. It demands that you take "context" into consideration when defining access policy and traffic management: Who is going to access what apps and resources on which days using what type and category of mobile devices? Wow. My brain just hurt a little trying to write that sentence.


So your old branch router that was designed for the wired-only access network is not going to cut it anymore. I love VLANs and ACLs as much as you do, but they are just not enough. You need to start moving to a different branch network architecture - one that understands this rich context around users, devices, locations, time of day, wired ports, wireless networks and WAN links... all together, no exceptions.


You will hear many in the networking industry prescribe "software defined WAN". Sounds similar to what we do here with the Aruba Cloud Services Controller but with one very important exception: none of the SD-WAN solutions out there do a good job of understanding the mobility context, and doing something with it. 




The Policy Enforcement Firewall (PEF) integrated within the Aruba Cloud Services Controller comes to the rescue. It is highly programmable, highly adaptive and can enforce policies based on rich context across wired ports, wireless networks and WAN links. Here is an example: 

  • Assume we are both employees of the same company and I am about to visit you at your branch office.
  • You are connected to the branch network with an iPad that's issued by IT and that's under Mobile Device Management (MDM).
  • I show up and connect to the same wireless network with my own personal iPad that is allowed access to the network under the company's BYOD policy and access rules.
  • My firewall access rules are automatically created at the branch location when I show up. I do not have to call IT to give me access or to punch in a separate firewall rule for me. The firewall engine checks in with a centralized Aruba Mobility Controller, sets up my PEF policy within the Cloud Services Controller and voila.

In this example, PEF adapts to the presence of a different context connecting to the same exact network and simply programs a different "path" for the BYOD policy. Sounds magical, doesn't it? Not sure about magic, but PEF definitely is our secret sauce. It is the only thing we have found in the enterprise networking market that can enforce context-based policies on the LAN, WLAN and WAN, at the same time, within the same platform, in an integrated operating system. Now you can enforce a new set of contextual policies, specifically suitable for the branch:

  • Content filtering on networked devices with contextual policies based on web site reputation.
  • Traffic and QoS management on the WAN for Microsoft Lync by automatically integrating with Lync Server 2013 SDN API and fingerprinting hosted Lync Online traffic.
  • Redirect business-critical traffic flows to Palo Alto Firewalls based on context for malware, zero-day attack and APT protection at every branch.
  • WAN compression and WAN bandwidth management for business-critical apps in the cloud.
  • Context-based routing across dual Ethernet WAN and LTE WAN links to preserve bandwidth and reduce risk.
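To make the "same network, different path" idea from the two-iPad scenario concrete, here is a small context-to-policy decision function covering that scenario and the branch policies listed above (reputation-based content filtering, Lync QoS, handing business-critical flows to a separate firewall, and Ethernet/LTE link choice). It is an added illustration, not Aruba's PEF code; the field names, role names and the reputation threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user_role: str        # "employee" or "guest" (assumed role names)
    device_owner: str     # "corporate" or "personal" (BYOD)
    mdm_enrolled: bool    # is the device under MDM?
    app_category: str     # "internal", "lync", "saas" or "web"
    site_reputation: int  # 0 (worst) .. 100 (best); constructed score, not a real feed
    eth_wan_up: bool      # state of the primary Ethernet WAN link
    lte_wan_up: bool      # state of the backup LTE WAN link

@dataclass(frozen=True)
class Decision:
    action: str    # "allow" or "deny"
    role: str      # derived policy role: "corporate", "byod" or "guest"
    path: str      # "direct", "inspect" (hand to a third-party firewall) or "none"
    qos: str       # "voice", "business", "best-effort" or "none"
    wan_link: str  # "ethernet", "lte" or "none"

BUSINESS_CRITICAL = {"internal", "lync", "saas"}
MIN_REPUTATION = 40  # hypothetical threshold for web content filtering

def derive_role(ctx: Context) -> str:
    """Same SSID, different context: the user/device pair selects the role."""
    if ctx.device_owner == "corporate" and ctx.mdm_enrolled:
        return "corporate"
    if ctx.user_role == "employee" and ctx.device_owner == "personal":
        return "byod"
    return "guest"

def decide(ctx: Context) -> Decision:
    role = derive_role(ctx)
    deny = Decision("deny", role, "none", "none", "none")
    if ctx.app_category == "internal" and role != "corporate":
        return deny  # only managed corporate devices reach internal resources
    if role == "guest" and ctx.app_category != "web":
        return deny  # guests get web access only
    if ctx.app_category == "web" and ctx.site_reputation < MIN_REPUTATION:
        return deny  # content filtering on site reputation
    critical = ctx.app_category in BUSINESS_CRITICAL
    # WAN link choice: Ethernet first; LTE only for business-critical flows
    # so that the metered link's bandwidth is preserved.
    if ctx.eth_wan_up:
        link = "ethernet"
    elif ctx.lte_wan_up and critical:
        link = "lte"
    else:
        return deny
    path = "inspect" if critical else "direct"
    qos = "voice" if ctx.app_category == "lync" else ("business" if critical else "best-effort")
    return Decision("allow", role, path, qos, link)
```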

With PEF running inside the Cloud Services Controller, it takes less time to perform tasks: less time to get ready for new mobile users, less time to secure network access for different types of devices, and less time to manage traffic flows for new mobile apps. And less time translates to shorter cycles to light up a branch, which might be quite critical to the success of the overall business, depending on what line of work you are in.


Hope you like what you see with the Cloud Services Controller. We are very excited about the reaction so far and look forward to delivering a new set of capabilities and technology partnerships in short order.


If you have gotten this far (thank you!), I thought you might be wondering how to choose between Aruba's Instant access points for controllerless Wi-Fi deployments and the unified networking options available with the Cloud Services Controller. Here is a quick cheat sheet to help you answer your questions on the topic. If that's not enough, take a look at our solution overview.



Don't be shy and leave me a comment with any questions or feedback you may have.


Until next time... stay mobile Airheads.