SD-WAN


Forum to discuss HPE Aruba EdgeConnect SD-WAN and SD-Branch solutions. This includes SD-WAN Orchestration WAN edge network functions - routing, security, zone-based firewall, segmentation and WAN optimization, micro-branch solutions, best practices, and third-party integrations. All things SD-WAN!

SD Branch newbie questions

  • 1.  SD Branch newbie questions

    Posted Dec 15, 2019 12:58 PM
    Hi all,

    Sorry for the newbie questions, but I’m trying to understand the capability of Aruba’s SD Branch.

    I have nearly 1000 x 3810 switches. I have ClearPass doing wired and wireless access control.

    This supplies connections for my main corporate network; but I have hundreds of smaller (dev style) networks running in isolation at the moment. I’d like to link them into this switching so they can share certain services. Importantly though, I don’t want these networks to speak to each other. Important we keep separation.

    Does this software-defined architecture need to be controlled on site? Worst case, I’ll use a cloud-based application to do it, but I would prefer on prem.

    In summary; give all networks (or tenants) access to some shared services, don’t let them talk to each other. Prefer on prem application to do this?


  • 2.  RE: SD Branch newbie questions

    Posted Dec 16, 2019 03:44 PM

    Have you looked at dynamic segmentation?



  • 3.  RE: SD Branch newbie questions

    Posted Dec 16, 2019 04:16 PM
    No I’ve not. Is this a feature of Aruba Central?

    Does it achieve the above requirements and how does it know which tenant you fall into?


  • 4.  RE: SD Branch newbie questions

    Posted Dec 16, 2019 04:22 PM

    Basic idea is to tunnel traffic in a GRE tunnel from a port to Mobility Controller. You don't configure tunnels manually but send VSAs back from ClearPass that trigger the tunneling.


    Then on the mobility controller the easiest way would be to give each devnet the same role called "devnet". Then do rules:

    1. from "devnet" to "devnet" deny
    2. from "devnet" to shared services allow

    And that's about it. That prevents different development networks from talking to each other but allows them to access shared services.



  • 5.  RE: SD Branch newbie questions

    Posted Dec 16, 2019 05:12 PM
    Sounds perfect

    So you manually select a switchport and make that a “devnet” member?

    Can it be done via a dot 1x request? So a certificate signed in a certain devnet would give you access only to that devnet?

    Do I need anything other than Clearpass and some controllers for this?


  • 6.  RE: SD Branch newbie questions
    Best Answer

    Posted Dec 16, 2019 05:21 PM

    You need supported switches which you already have, ClearPass which you have, and the mobility controllers. AP/PEF licenses too for each switch (stack) you have.


    You can choose to create tunnels from a single port manually, or use ClearPass to select which user-role a client gets on a mobility controller. I think you could also do per-port tunneling with ClearPass.


    You return "tunneled-node-server-redirect secondary-role" from ClearPass, and that role can be for example "devnet-site1" or if you put them all in the same role just "devnet". You need to have this role on the controller.


    We're thinking of doing just tunnels from each port (depending on the user role returned from ClearPass) to the mobility controller, and all the traffic between users even in the same switch would traverse the controller. If you want local traffic to stay local, you could probably do some sort of "jump cable" from one VLAN to another and tunnel just that, so the whole site would be considered a single tunneled entity.
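The following is an added example, not Aruba code or configuration: a small Python model of the design in replies 4 and 6, where ClearPass maps a client's certificate issuer to a single "devnet" role and the controller evaluates role-based rules first-match. All issuer names, addresses and the shared-services subnet are constructed placeholders.

```python
"""Illustrative model (added example, not Aruba code) of the segmentation
described above: ClearPass returns a user role for the tunneled port and the
Mobility Controller evaluates role-based rules, first match wins."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed values: one shared-services subnet and a table of tenant CAs
# (certificate issuer CN -> tenant name). All hypothetical.
SHARED_SERVICES = ipaddress.ip_network("10.250.0.0/24")
TENANT_BY_ISSUER = {"CN=devnet-alpha-CA": "alpha", "CN=devnet-beta-CA": "beta"}

# Reply 4's rule set: every tenant gets the same "devnet" role.
RULES: List[Tuple[str, str, str]] = [
    ("devnet", "devnet", "deny"),             # 1. devnet -> devnet deny
    ("devnet", "shared-services", "permit"),  # 2. devnet -> shared services allow
]

def role_from_issuer(issuer_cn: str) -> Optional[str]:
    """Stand-in for the ClearPass enforcement step that returns the secondary
    role: any known tenant CA maps to "devnet"; unknown issuers get no role."""
    return "devnet" if issuer_cn in TENANT_BY_ISSUER else None

def destination_role(dst: str, client_roles: Dict[str, Optional[str]]) -> Optional[str]:
    """Classify the destination: shared-services subnet, a known client's role, or unknown."""
    if ipaddress.ip_address(dst) in SHARED_SERVICES:
        return "shared-services"
    return client_roles.get(dst, "unknown")

def evaluate(src_role: Optional[str], dst_role: Optional[str]) -> str:
    """First matching rule decides; no match falls through to an implicit deny."""
    for s, d, action in RULES:
        if s == src_role and d == dst_role:
            return action
    return "deny"

def decide_flows(clients: Dict[str, str], flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """clients: address -> issuer CN of its EAP-TLS certificate; flows: (src, dst) pairs."""
    roles = {addr: role_from_issuer(cn) for addr, cn in clients.items()}
    return {(s, d): evaluate(roles.get(s), destination_role(d, roles)) for s, d in flows}

if __name__ == "__main__":
    clients = {"10.1.0.10": "CN=devnet-alpha-CA", "10.1.0.11": "CN=devnet-alpha-CA",
               "10.2.0.10": "CN=devnet-beta-CA", "10.9.0.10": "CN=unknown-CA"}
    flows = [("10.1.0.10", "10.2.0.10"), ("10.1.0.10", "10.250.0.5"),
             ("10.1.0.10", "10.1.0.11"), ("10.9.0.10", "10.250.0.5")]
    for flow, action in decide_flows(clients, flows).items():
        print(flow, action)
```

Note that with a single shared role, rule 1 also denies two hosts of the same tenant once their traffic traverses the controller, which is why reply 6 mentions per-site roles such as "devnet-site1" or keeping local traffic local.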



  • 7.  RE: SD Branch newbie questions

    Posted Dec 16, 2019 05:25 PM
    Thanks for your help - that’s great


  • 8.  RE: SD Branch newbie questions

    Posted Dec 16, 2019 05:28 PM

    There's also a playlist for this on the Airheads Broadcasting Channel, check that out:


    https://www.youtube.com/playlist?list=PLsYGHuNuBZcbIABr03oV4Q4EU57VPdkDM



  • 9.  RE: SD Branch newbie questions

    Posted Dec 17, 2019 02:20 AM
    Do you see any benefit in using Aruba Central over the above?

    Does SD networking provide an even more elegant solution?

    Thanks


  • 10.  RE: SD Branch newbie questions

    Posted Dec 17, 2019 02:22 AM

    SD-Branch is good if you have multiple WAN links and need to do smart load balancing etc.



  • 11.  RE: SD Branch newbie questions

    Posted Dec 17, 2019 02:25 AM
    Fair enough, and just to clarify: can I tie tenant membership to a certificate-based service in ClearPass?

    So use different domains to sign each tenant, you plug in your laptop, it dynamically learns from your cert which tenant you belong to and gives you access as required?

    Or, can I set a port to be the external link to shared services / other tenants and do it more manually?

    Just thinking of the best / smoothest way to build this tenant segmentation across hundreds of switches