I have been reading on NetConductor and trying to understand where the product fits within the ecosystem in comparison to ClearPass.
1) Do I need ClearPass if I have NetConductor
2) Do I need NetConductor to have dynamic segmentation on Aruba EVPN-VXLAN Campus Fabric?
3) What features overlap, what features are unique to each product.
NetConductor - Policy-based automation, network provisioning, configuration management
ClearPass - Device profiling, user authentication, policy enforcement.
They are both quoted on the Aruba design portal.
1) No, but it's recommended.
2) No, but it's recommended.
3) ClearPass and NetConductor complement each other; your summary is pretty accurate of what each component does in the joint solution.
I am particularly interested in your response to the 2nd query above, i.e.
2) Do I need NetConductor to have dynamic segmentation on Aruba EVPN-VXLAN Campus Fabric?
to which the response was "no, but it's recommended". Could you please expand a little on how the segmentation can be achieved without NetConductor? Is it simply that NetConductor automates an implementation that could alternatively be deployed using more manual techniques?
Also, if I may, and if it is not considered to be straying too far from the topic, could I ask the following:
a) Regardless of how it is implemented, is it accurate to state that CX access layer switches are mandatory for dynamic segmentation?
b) In addition, are CX distribution layer switches mandatory, or can the non-CX Aruba 6300M range be used at distribution whilst still achieving dynamic segmentation, provided the access layer is CX?
c) Is VXLAN mandatory for dynamic segmentation, and if so, what options are available if the WAN connecting a multisite environment does not support the 50-byte VXLAN header?
Central and NetConductor automate the setup of the GBP user roles and the EVPN-VXLAN fabric. You can set that up yourself manually as well. So for that reason, I consider it optional, but for such a deployment, having the automation through NetConductor, at least at scale, is clearly a huge benefit.
One point of dynamic segmentation is that it can be multiple things, which include local break-out or tunnel to a gateway (dynamic part, and centralized overlay), as well as sending to a VXLAN fabric (distributed overlay). Note that there may be different views on what exactly is dynamic segmentation, so this (and the following) is my personal view.
The gateway tunnel (centralized overlay) uses GRE between the access switch and the gateway, and anything in between needs to carry the GRE traffic and does not need to be Aruba for that reason. Centralized overlay is easy to set up and works great from small to medium-large networks.
The VXLAN decentralized overlay requires the access-switch and other VTEPs (where the enforcement/segmentation happens) to support VXLAN and GBP, which uses open standards but in practice for convenience is AOS-CX. Decentralized overlay works great in larger campus networks.
a) No, you can configure the centralized overlay (to a gateway) from an ArubaOS-Switch, and either centralized or distributed overlay from an AOS-CX switch.
b) The Aruba 6300M switches are AOS-CX switches, but as long as the access layer can build tunnels and you have a gateway (centralized overlay), it will work. What is in between the access switch and your gateway is less relevant. VXLAN is a UDP protocol and can cross intermediate switches as well (be aware of the MTU/jumbo support).
c) No, centralized overlay does not use VXLAN but GRE. For WAN/multi-site, it's best to work with your Aruba partner or local Aruba SE, as if your WAN does not support large MTU/Jumbo, you may need to change to role-propagation where Central propagates role information between the different sites.
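The MTU point raised in b) and c) above is the one most likely to bite in a multi-site design, so here is an added example (not code from this thread or from Aruba) that works out how much IP MTU each overlay needs on every hop between the access switch and the far end, and whether a given WAN link can carry it. The header sizes are assumptions taken from the standard header formats (outer IPv4 20, UDP 8, VXLAN 8, inner Ethernet 14, and a base 4-byte GRE header without key/sequence options); the VXLAN figure comes to the 50 bytes mentioned in the thread.

```python
"""Encapsulation overhead check for the two dynamic-segmentation overlays:
VXLAN (distributed overlay) and GRE to a gateway (centralized overlay).
Added illustration; header sizes are assumptions from the standard formats."""
from dataclasses import dataclass

IPV4_HEADER = 20
UDP_HEADER = 8
VXLAN_HEADER = 8       # assumption: the GBP fields reuse the 8-byte VXLAN header
GRE_BASE_HEADER = 4    # assumption: base GRE header, no key/sequence fields
ETHERNET_HEADER = 14   # inner Ethernet header carried by both L2 overlays

# Bytes added between the outer IP header and the tunnelled (inner) IP packet.
OVERLAY_OVERHEAD = {
    "vxlan": IPV4_HEADER + UDP_HEADER + VXLAN_HEADER + ETHERNET_HEADER,  # 50
    "gre": IPV4_HEADER + GRE_BASE_HEADER + ETHERNET_HEADER,              # 38
}


def encap_overhead(overlay: str) -> int:
    """Overhead in bytes for a known overlay name (case-insensitive)."""
    try:
        return OVERLAY_OVERHEAD[overlay.lower()]
    except KeyError:
        raise ValueError(f"unknown overlay {overlay!r}") from None


def required_link_mtu(inner_ip_mtu: int, overlay: str) -> int:
    """IP MTU every intermediate hop must carry for inner packets of this size."""
    return inner_ip_mtu + encap_overhead(overlay)


def max_inner_mtu(link_mtu: int, overlay: str) -> int:
    """Largest inner IP packet that crosses the link without fragmentation."""
    return link_mtu - encap_overhead(overlay)


@dataclass
class PathCheck:
    overlay: str
    link_mtu: int
    inner_ip_mtu: int
    fits: bool
    shortfall: int  # bytes the link is short of (0 when the overlay fits)


def check_path(link_mtu: int, inner_ip_mtu: int, overlay: str) -> PathCheck:
    """Decide whether an overlay fits on a link, and by how much it misses."""
    need = required_link_mtu(inner_ip_mtu, overlay)
    shortfall = max(0, need - link_mtu)
    return PathCheck(overlay, link_mtu, inner_ip_mtu, shortfall == 0, shortfall)


def check_all(link_mtu: int, inner_ip_mtu: int = 1500) -> dict:
    """Run the check for every overlay, keyed by overlay name."""
    return {name: check_path(link_mtu, inner_ip_mtu, name) for name in OVERLAY_OVERHEAD}


if __name__ == "__main__":
    # Constructed scenario: a WAN that only offers a standard 1500-byte IP MTU,
    # with end hosts sending 1500-byte IP packets into the overlay.
    for name, result in check_all(link_mtu=1500).items():
        verdict = "fits" if result.fits else f"short by {result.shortfall} bytes"
        print(f"{name:5s}: needs link MTU {required_link_mtu(1500, name)}, {verdict}; "
              f"without jumbo the inner MTU must drop to {max_inner_mtu(1500, name)}")
```

On a 1500-byte WAN neither overlay fits unless the inner MTU is reduced (to 1450 for VXLAN, 1462 for GRE under the assumed header sizes) or the WAN is raised to jumbo frames; that is the situation in which the answer above points to role propagation via Central instead of stretching the overlay across the WAN.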