Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor II

SD for data centre and campus layer with CX range

Hi,

Looking at some work to introduce software-defined networking in the data centre and the campus.

I understand there's a new CX range of switching, but am unclear about how you can implement and manage a multi-tenanted network. What software is used to manage the entire fabric / network of switches?

I've done a lot of reading into the Cisco products: ACI for the data centre, DNA Center for the campus layer, with something like Firepower for policy enforcement and ISE for end-user enforcement.

I understand Aruba has ClearPass and there are controllers that perform similar functions to firewalls?

Could someone help me understand if Aruba is trying to take on this area of the market? Is their solution similar to the previously mentioned Cisco products?

I have hundreds of standalone networks I want to connect up at the campus to a single fabric, and will be building a data centre which I want to micro-segment down for individual tenant access from this new campus fabric.

Pretty broad requirements, I appreciate...

Thanks

Accepted Solutions

Re: SD for data centre and campus layer with CX range

As you mentioned ACI and DNA, we don't have to worry too much about "one nice GUI to handle everything without any CLI stuff", as those Cisco thingies require you to do lots of stuff with the CLI and then lots of stuff between different GUIs to get to that "yes, it's just a single click" level.

The Aruba version of the GUI would be Aruba Central, but as I haven't used that myself I can't say anything about it, except that it's a web thingie to handle all the APs, switches, SD-Branch routers (SD-WAN) etc. Waiting to get some gear to try that out too; it would probably be good for our remote branches.

And I think some Aruba presentation said that they are planning to do an on-prem Central, which would be great for us.

We ended up choosing Aruba's dynamic segmentation and Aruba wireless. Even though there's no "single pane of glass" management and monitoring for enterprise networks, the different management software etc. still amounts to less work than dealing with that "some other vendor".

With Aruba you tunnel everything from the switches to the controllers. Then you assign users to different roles, and it doesn't matter if the user is a wired or wireless client, you still assign the same role. And you do your firewall rules based on those roles. And the firewall rules are stateful, unlike that "some other vendor" that uses just switch ACLs. Also there is upper-level stuff available like web site categorization and VoIP/(Skype/Teams) recognition.

When you tunnel everything to the controller, you can assign every single user (authenticated either based on MAC address or, preferably, with 802.1X) to a role that you can assign firewall rules to. Yes, you tunnel everything and it might eat some bandwidth etc., but in our network most of the traffic is towards the DC anyway. We could do some split tunneling at the remote sites if we decided to. And tunneling everything towards the controller is better than just being able to do ACLs on the switches.

Of course with the new CX series you can do VXLAN tunneling between endpoints at the access layer, controlled by BGP EVPN.

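The accepted answer's core point is that a role assigned at authentication time (802.1X or MAC auth) drives stateful firewall rules at the controller, and that this is safer than stateless switch ACLs. The following is an added illustration, not Aruba code and not from the poster: a toy Python model in which endpoints are mapped to roles, a stateful engine admits return traffic only for sessions the client actually opened, and a stateless ACL is shown letting a server-side host reach a client service just by sourcing from tcp/443. All roles, identities, MACs and addresses are constructed for the example.

```python
"""Role-based stateful policy versus a stateless return-traffic ACL.

Toy model of "authenticate, assign a role, apply stateful firewall rules
to the role" as described in the accepted answer. Hypothetical example
code; roles, identities, MACs and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst_net: str          # destination prefix, e.g. "10.20.0.0/16"
    dport: Optional[int]  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed per-role policies; evaluated top-down, first match wins.
ROLE_POLICY: Dict[str, List[Rule]] = {
    "employee":   [Rule("permit", "tcp", "10.20.0.0/16", 443),
                   Rule("permit", "udp", "10.20.0.53/32", 53),
                   Rule("deny", "any", "0.0.0.0/0", None)],
    "iot-camera": [Rule("permit", "tcp", "10.20.5.10/32", 554),
                   Rule("deny", "any", "0.0.0.0/0", None)],
    "quarantine": [Rule("deny", "any", "0.0.0.0/0", None)],
}


def assign_role(method: str, identity: str) -> str:
    """Map an authenticated endpoint to a role (constructed mapping).

    802.1X yields a user identity; MAC authentication yields only a MAC,
    so MAC-authenticated devices get a narrow device role. Unknown
    endpoints land in quarantine.
    """
    dot1x_roles = {"alice@example.corp": "employee"}
    mab_roles = {"00:11:22:33:44:55": "iot-camera"}
    if method == "dot1x":
        return dot1x_roles.get(identity, "quarantine")
    if method == "mab":
        return mab_roles.get(identity.lower(), "quarantine")
    return "quarantine"


Session = Tuple[str, str, str, int, int]  # src, dst, proto, sport, dport


class StatefulFirewall:
    """Role rules apply to client-initiated flows; replies are admitted
    only when they mirror a session already in the table."""

    def __init__(self) -> None:
        self.sessions: Set[Session] = set()

    def client_to_network(self, role: str, pkt: Packet) -> bool:
        for rule in ROLE_POLICY[role]:
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.sessions.add((pkt.src, pkt.dst, pkt.proto,
                                       pkt.sport, pkt.dport))
                    return True
                return False
        return False  # implicit deny

    def network_to_client(self, pkt: Packet) -> bool:
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        return reverse in self.sessions


def stateless_acl_network_to_client(pkt: Packet) -> bool:
    """What a stateless switch ACL must permit so employee replies get
    back: anything sourced from tcp/443 or udp/53, since the switch has
    no record of whether the client asked for it."""
    return (pkt.proto, pkt.sport) in {("tcp", 443), ("udp", 53)}


def demo() -> Dict[str, bool]:
    fw = StatefulFirewall()
    role = assign_role("dot1x", "alice@example.corp")
    client, server = "10.10.1.25", "10.20.3.7"
    req = Packet(client, server, "tcp", 51000, 443)
    reply = Packet(server, client, "tcp", 443, 51000)
    # A host in the DC sourcing from port 443 toward SSH on the client.
    probe = Packet(server, client, "tcp", 443, 22)
    cam = assign_role("mab", "00:11:22:33:44:55")
    return {
        "employee_role": role == "employee",
        "request_permitted": fw.client_to_network(role, req),
        "reply_permitted_stateful": fw.network_to_client(reply),
        "probe_permitted_stateful": fw.network_to_client(probe),
        "probe_permitted_acl": stateless_acl_network_to_client(probe),
        "camera_to_web_permitted": fw.client_to_network(
            cam, Packet("10.10.2.9", server, "tcp", 40000, 443)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast to look at is `probe_permitted_stateful` (False) against `probe_permitted_acl` (True): the stateless ACL has to trust the source port, the session table does not. The same role table serves wired and wireless clients, which is the "same role regardless of access medium" point made above.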


All Replies
Frequent Contributor II

Re: SD for data centre and campus layer with CX range

Any pre-sales architects want to take a stab at the above? :-)
MVP Guru Elite

Re: SD for data centre and campus layer with CX range

Ask your Local SE...



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
MVP Guru

Re: SD for data centre and campus layer with CX range


@redford1980 wrote: I understand there’s a new CX range of switching; but am unclear about how you can implement and manage a multi tenanted network. What software is used to manage the entire fabric / network of switches?

Hi! I'll just chime in with regards to the switching part (I'm interested too, especially about how to deal with a multi-tenant network where "tenants" should be segmented and segregated at the switch layer; see here a thread about a possible approach with VRF and VRF route leaking using ArubaOS-CX).

If you are planning an ArubaOS-CX-only environment, there is Aruba NetEdit for configuration orchestration, but as NMS you need Aruba AirWave or HPE IMC (just to stay on the same vendor as your network switches). Both AirWave and IMC aren't able to configure (SNMP write) ArubaOS-CX driven switches, but for gathering some data they should be quite good (otherwise you can use other free/non-free NMS with more or fewer drawbacks).

If you instead are planning a mixed environment where ArubaOS-Switch are used along with ArubaOS-CX ones, then probably the couple Aruba AirWave + Aruba NetEdit would be of help; if your network also has 3rd-party switches or 3rd-party WiFi controllers, HPE IMC could support them (check) and would potentially be a better solution (eventually HPE IMC is capable of backing up the ArubaOS-CX running configuration with a minimal customization, see here).

Frequent Contributor II

Re: SD for data centre and campus layer with CX range

Thanks for the response - it is appreciated