Re: SD WAN
10-19-2018 10:34 AM
I'm not sure if I'm the best person to answer this (check my LinkedIn for the reasons). But I have indeed implemented this.
Our recently launched SD-WAN (or I should say, SD-Branch) offering gravitates around 3 main ideas:
- Simplify branch deployments. We do that by collapsing several services (firewall, line-load balancer, router, ...) into a single box (Aruba 70xx mobility gateways/controllers). We also do it by providing very streamlined provisioning, management, and generally lifecycle management.
- Provide transport-independency to your branches by leveraging SD-WAN. Our branch gateways set up a secure overlay by automatically bringing up tunnels through every uplink (the very high crypto performance of the 70xx really helps in this case) to ensure reachability regardless of the circuit being used. We then constantly monitor all uplink interfaces and steer traffic (in real time) to the best path for that role/application/destination.
- Provide end-to-end security by leveraging the L3-7 stateful firewall in ArubaOS (with enhancements to streamline the rollout across 100s or 1000s of branches) as well as other key Aruba differentiators such as role-based security policies and dynamic segmentation. We can also integrate with the market leaders (Zscaler, Palo Alto and (soon) Check Point) to augment the service with cloud-based security offerings.
So after this "elevator pitch", how does it work? You'll find several things as soon as you start testing it (get in touch with your local SE to request access):
- As it happens with IAPs or switches, the config lives in Central, so ZTP, hierarchical config (group vs device) are a given. We're working really hard to streamline deployments as much as possible.
- Bringing up tunnels between your branches and your DC or your HQ is now a piece of cake (tunnels can be negotiated using the TPM in every device). WAN configuration is even simpler. Just name your uplinks, set the health check IP/FQDN and start pointing traffic based on roles/apps/destinations to use one or the other circuit.
- Role-based security, dynamic segmentation and so on is no different from what you've already experienced with Aruba. We're just streamlining the config as much as we can (as well as adding integrations with said vendors).
I hope this helps!
ACMP, ACCP, ACDX#100