Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

Switchless branch

  • 1.  Switchless branch

    Posted Feb 07, 2020 02:14 PM

    Hi

     

    I have been doing some reading up on SD-WAN, and currently we use Mobility Master, 7005, 7010 and 7030 controllers alongside ClearPass (hosted in AWS).

     

    We also have Cisco ASA decided and Cisco switches at all sites 

     

    With more and more growth across the world we are seeing problems managing and deploying our networks.  

     

    My question is: if, say, a new office arrived with ten users, is there a way to configure a 7005 as a gateway at the branch and terminate one or two APs here without the need for a switch, and wireless clients only?

     

    Would management of this be over Aruba Central separately initially, with the goal to move everything over eventually?

     

    Do the APs need to be Instant for this model, or can existing campus APs be converted?

     

    Any design ideas at this stage would be welcomed as this is new territory for me.

     

    Thanks 



  • 2.  RE: Switchless branch

    EMPLOYEE
    Posted Feb 09, 2020 01:35 PM

    That is definitely doable and exactly what SD-Branch is all about :-) Converging all connectivity needs (LAN, WLAN, WAN) into a single architecture.

     

    I can recommend you have a look at this guide: https://www.arubanetworks.com/assets/tg/AVD_SD-Branch-Midsize-Design.pdf

     

    Now to summarize and hopefully answer your question, the Aruba SD-Branch architecture allows you to manage Aruba Gateways, Instant APs and Switches (should you still need one) from Aruba Central.

     

    The only difference is that you don't "terminate" APs on the gateway, as you would do in a traditional controller-based wireless architecture. Instead you use the Instant AP capabilities. Unfortunately, you cannot convert CAP models to IAP unless you actually bought IAP and converted them to CAP at some point. Only native IAP or now the newer UAP models can be converted back into Instant.

     

    There is an approach that is often referred to as "Branch in a Box" where you choose a GW model (i.e. the 7008, 7010, etc.) that provides PoE and switching from the same box: https://www.arubanetworks.com/products/networking/gateways-and-controllers/7000-series/

     

    With this approach you can use the gateway to connect and power your IAPs + attach additional wired components without the need for an extra switch. The 7024 for example can give you up to 24 Ports, without the need for an extra switch. The gateway then does all your switching/routing/SD-WAN functionalities all from the same box.

     

    These are just some thoughts to get you started, feel free to post any questions around this here.

     

    Last point, we also have a new SD-WAN board now here on Airheads: https://community.arubanetworks.com/t5/Software-Defined-WAN-SD-WAN/bd-p/SD-WAN



  • 3.  RE: Switchless branch

    Posted Feb 09, 2020 01:48 PM

    Great reply and very informative.  I do have a few questions if you don't mind:

     

    1. We have the 7005 controller in branches at the minute. One of the sites has 7 users and 2 APs. Can we turn the 7005 into the gateway and then plug the 2 Instant APs into the other ports? I take it the DHCP is then handled by the Instant AP mesh?

     

    2. Can we slowly start the migration to Aruba Central, as we have an HQ and multiple mid-sized branch spaces? If we want to test if this would work for us, can we set up one small site as I suggested above and then add on the rest as we go?

     

    3. Does Aruba Central easily integrate with AWS transit gateways? We have a ClearPass instance in AWS, and can we still deploy 802.1X at, say, the small site with authentication through the ClearPass server?

     

    Sorry for all the questions, but I am just gathering info right now as I am really interested in the product.

     

    Thanks again

     



  • 4.  RE: Switchless branch

    Posted Feb 09, 2020 02:03 PM

    1. We have the 7005 controller in branches at the minute. One of the sites has 7 users and 2 APs. Can we turn the 7005 into the gateway and then plug the 2 Instant APs into the other ports? I take it the DHCP is then handled by the Instant AP mesh?

    You can connect the APs to the other ports. However, the 7005 doesn't provide PoE. DHCP can be handled by the 7005 gateway.

     

    2. Can we slowly start the migration to Aruba Central, as we have an HQ and multiple mid-sized branch spaces? If we want to test if this would work for us, can we set up one small site as I suggested above and then add on the rest as we go?

    Sure. Keep in mind that the VPNC will be managed by Central and cannot terminate APs. You can migrate site by site.

     

     

    3. Does Aruba Central easily integrate with AWS transit gateways? We have a ClearPass instance in AWS, and can we still deploy 802.1X at, say, the small site with authentication through the ClearPass server?

    Yes it does. In AWS you can even deploy a VPNC.

    I think these resources are useful.

     

    https://community.arubanetworks.com/t5/Validated-Reference-Design/SD-Branch-Fundamentals-Guide/ta-p/482038

     

     

    youtu.be/uF3Ba72e8WI

     



  • 5.  RE: Switchless branch

    Posted Feb 09, 2020 03:19 PM

    1. We have the 7005 controller in branches at the minute. One of the sites has 7 users and 2 APs. Can we turn the 7005 into the gateway and then plug the 2 Instant APs into the other ports? I take it the DHCP is then handled by the Instant AP mesh?

    You can connect the APs to the other ports. However, the 7005 doesn't provide PoE. DHCP can be handled by the 7005 gateway.

     

    2. Can we slowly start the migration to Aruba Central, as we have an HQ and multiple mid-sized branch spaces? If we want to test if this would work for us, can we set up one small site as I suggested above and then add on the rest as we go?

    Sure. Keep in mind that the VPNC will be managed by Central and cannot terminate APs. You can migrate site by site.

     

     

    3. Does Aruba Central easily integrate with AWS transit gateways? We have a ClearPass instance in AWS, and can we still deploy 802.1X at, say, the small site with authentication through the ClearPass server?

    Yes it does. In AWS you can even deploy a VPNC.

    I think these resources are useful.

     

    https://community.arubanetworks.com/t5/Validated-Reference-Design/SD-Branch-Fundamentals-Guide/ta-p/482038



  • 6.  RE: Switchless branch

    EMPLOYEE
    Posted Feb 10, 2020 02:21 AM

    1. Yes you can convert a 7005 controller into a gateway managed by Central. It is a completely separate SW image though and you need to have the appropriate Central subscriptions to onboard the device.

    Unfortunately, the 7005 doesn't provide PoE, so you would have to use a PoE injector or PSU to power the IAP.
    You could even use the DHCP server on the gateway but this is up to you.

     

    2. Yes you can gradually implement this. The counter piece of the 7005 acting as Branch Gateway (BGW) is usually a Headend Gateway in your DC to terminate the SD-WAN overlay IPSec tunnels coming from the branches. You can use the 7005 as standalone BGW of course if you only need to provide Internet access in your branch and manage the BGW using Central.

     

    3. Yes we integrate very well with AWS. We have just announced the Cloud Connect capability, to integrate directly with AWS for smaller deployments. This will come in an upcoming release of Aruba Central: https://www.arubanetworks.com/assets/tg/DG_Using-Aruba-SD-WAN-with-AWS-Transit-Gateway-Network-Manager.pdf 

    For larger deployments or where you would like to use more of the Aruba-native feature set, we also provide the possibility to deploy Virtual Gateways into AWS/Azure - fully orchestrated from Aruba Central:

    https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/vgw/vgw.htm

    You can then further integrate the Aruba vGW with the Transit GW by means of BGP peering.



  • 7.  RE: Switchless branch

    Posted Feb 10, 2020 06:54 AM

    Thanks for all this info, it is extremely helpful.

     

    So I am now thinking of purchasing an Aruba 7008 and an Aruba AP 515 for a test deployment with potential to then send this out to a new site (small 10 user site).

     

    My question is: to get started, would the Aruba Central 90-day trial have the features required for me to test this? I already have a full ClearPass AWS deployment, so can I integrate this for testing?

     

    Thanks



  • 8.  RE: Switchless branch

    EMPLOYEE
    Posted Feb 10, 2020 09:47 AM

    The Central 90-day trial gives you 10 device subscriptions (for IAP, switches) and two gateway subscriptions: https://help.central.arubanetworks.com/latest/documentation/online_help/content/nms/get-started/start_trial.htm

     

    All features are unlocked for the duration of the 90 days. If you are happy with the progress, you just add paid subscriptions and continue using what you already built.

     

    As mentioned, Cloud Connect is not yet released AFAIK.

     



  • 9.  RE: Switchless branch

    Posted Feb 10, 2020 09:55 AM

    Thanks for this.

    If I was going to look at adding a switch, given that I am used to working with Cisco switches, what would be the recommended model of switch to work alongside the 7008 and the AP 515?

     

    Thanks



  • 10.  RE: Switchless branch

    EMPLOYEE
    Posted Feb 10, 2020 11:55 AM

    Given the requirements in a branch, I would suggest you look at the Aruba 2930F series. They are supported in Aruba Central and have a variety of form-factors, ranging from 8-Port Fanless up to 48-Port:

    https://www.arubanetworks.com/products/networking/switches/2930f-series/



  • 11.  RE: Switchless branch

    Posted Feb 10, 2020 12:29 PM

    Perfect. Given it's a test environment for now, with possible migration to a small wireless branch, I'll maybe go for the 8 port.

     

    Last question as I've lots of info to go on now.

     

    What happens to Aruba campus APs such as the 225 and 325? Does Aruba Central only work with IAP models? I believe before you could not convert a CAP to an IAP; is this still the case?

     



  • 12.  RE: Switchless branch

    EMPLOYEE
    Posted Feb 10, 2020 01:16 PM

    Precisely. CAP SKUs cannot be converted to IAP and are therefore not supported with Aruba Central.



  • 13.  RE: Switchless branch

    Posted Feb 11, 2020 07:46 AM

    After all your info I have gone away and ordered up 1 x Aruba 7008, 1 x Aruba AP 515 and 1 x Aruba 2930F 8G.

     

    Do you think this would be ok to test Aruba Central?

     

    On a personal note, the business currently uses Aruba Mobility Master/Airwave/ClearPass with Cisco ASA and Cisco switches. We as a team manage and deploy sites manually. We have various site-to-sites that link to AWS infrastructure. Do you think a move to Aruba Central, from your own perspective (any other thoughts welcome), would be a good move for future-proofing and helping with the rapid growth and deployment of new sites?


    Thanks 



  • 14.  RE: Switchless branch

    EMPLOYEE
    Posted Feb 12, 2020 03:21 AM

    That is definitely a solid choice, and will allow you to test most SD-Branch scenarios.

    Make sure you have a look at the design guide I shared earlier to get an understanding of how the components are best put together.

     

    I would argue from an Aruba perspective there will be many additional use cases built around Aruba Central (such as Cloud Connect). Especially simplifying branch connectivity with all aspects from LAN/WLAN/SD-WAN will be best possible when you leverage Central.

     

    As with any cloud approach, it will remove the need for a lot of on-prem infrastructure, since you are managing the network components from the cloud instead of your own DC. While I am personally a big fan of the Mobility Master architecture, especially when it is about large-scale wireless networks, with the SD-Branch you can focus on simplification, automation and standardization for an entire branch network.