Wired Intelligent Edge


SD for data centre and campus layer with CX range

  • 1.  SD for data centre and campus layer with CX range

    Posted Jan 18, 2020 04:22 PM
    Hi,

    Looking at some work to introduce software-defined networking in the data centre and the campus.

    I understand there’s a new CX range of switching; but am unclear about how you can implement and manage a multi tenanted network. What software is used to manage the entire fabric / network of switches?

    I’ve done a lot of reading into the Cisco products - ACI for the data centre, DNA Centre for the campus layer with something like Firepower for policy enforcement and ISE for end user enforcement.

    I understand Aruba has ClearPass and there are controllers that perform similar functions to firewalls?

    Could someone help me understand if Aruba is trying to take on this area of the market? Is their solution similar to the previously mentioned Cisco products?

    I have hundreds of standalone networks I want to connect up at the campus to a single fabric and will be building a data centre which I want to micro-segment down for individual tenant access from this new campus fabric.

    Pretty broad requirements I appreciate ...

    Thanks


  • 2.  RE: SD for data centre and campus layer with CX range

    Posted Jan 21, 2020 02:42 PM
    Any pre-sales architects want to take a stab at the above? :-)


  • 3.  RE: SD for data centre and campus layer with CX range

    MVP GURU
    Posted Jan 22, 2020 06:07 AM

    Ask your Local SE...



  • 4.  RE: SD for data centre and campus layer with CX range

    MVP GURU
    Posted Jan 22, 2020 10:03 AM

    @redford1980 wrote: I understand there’s a new CX range of switching; but am unclear about how you can implement and manage a multi tenanted network. What software is used to manage the entire fabric / network of switches?

    Hi! I'll just chime in with regard to the switching part (I'm interested too, especially in how to deal with a multi-tenant network where "tenants" should be segmented and segregated at the switch layer... see here a thread about a possible approach with VRF and VRF route leaking using ArubaOS-CX).

    If you are planning an ArubaOS-CX-only environment, there is Aruba NetEdit for configuration orchestration, but as an NMS you need Aruba AirWave or HPE IMC (just to stay with the same vendor as your network switches). Neither AirWave nor IMC is able to configure (SNMP write) ArubaOS-CX driven switches, but for gathering some data they should be quite good (otherwise you can use other free/non-free NMS with more or fewer drawbacks).

    If you are instead planning a mixed environment where ArubaOS-Switch devices are used along with ArubaOS-CX ones, then probably the pair Aruba AirWave + Aruba NetEdit would be of help; if your network also has 3rd-party switches or 3rd-party WiFi controllers, HPE IMC could support them (check) and would potentially be a better solution (eventually HPE IMC is capable of backing up the ArubaOS-CX running configuration with minimal customization, see here).



  • 5.  RE: SD for data centre and campus layer with CX range

    Posted Jan 22, 2020 02:20 PM
    Thanks for the response - it is appreciated


  • 6.  RE: SD for data centre and campus layer with CX range
    Best Answer

    Posted Jan 22, 2020 05:43 PM

    As you mentioned ACI and DNA we don't have to worry too much about "one nice GUI to handle everything without any CLI stuff". As those Cisco thingies require you to do lots of stuff with CLI and then lots of stuff between different GUIs to get to that "yes it's just a single click" level.

    The Aruba version of the GUI would be Aruba Central, but as I haven't used that myself I can't say anything about that. Except that it's a web thingie to handle all the APs, switches, SD-branch routers (SD-WAN) etc. Waiting to get some gear to try that out too, would probably be good for our remote branches.

    And I think some Aruba presentation said that they are planning to do on-prem Central, which would be great for us.

    We ended up choosing Aruba's dynamic segmentation and Aruba wireless. Even though there's no "single pane of glass" management and monitoring for enterprise networks, the different management software etc. still amount to less work than what it is to deal with that "some other vendor".

    With Aruba you tunnel everything from the switches to controllers. Then you assign users to different roles, and it doesn't matter if the user is a wired or wireless client, you still assign the same role. And you do your fw rules based on those roles. And the firewall rules are stateful, unlike that "some other vendor" that uses just switch ACLs. Also there is upper-level stuff available like web site categorization and VoIP/(Skype/Teams) recognition.

    When you tunnel everything to the controller, you can assign every single user (authenticated either based on MAC address or preferably with 802.1X) to a role that you can assign fw rules to. Yes, you tunnel everything and it might eat some bandwidth etc. but in our network most of the traffic is towards the DC anyways. We could do some split-tunneling at the remote sites if we decided to. And tunneling everything towards the controller is better than just being able to do ACLs on the switches.

    Of course with the new CX-series you can do VXLAN tunneling between endpoints at the access layer, controlled by BGP EVPN.