Building a Software Defined Branch with Aruba

WAN architectures are complex. A significant amount of engineering time is spent building a WAN configuration that is fast, resilient, and reliable. Traditional WAN architectures addressed the needs of an organization that wanted to connect a few large sites together to share data back and forth for internal operations.

Today’s WAN looks radically different. Cloud adoption is on the rise, with almost 85% of IT organizations committed to delivering some kind of cloud presence by the end of 2018. Part of that cloud strategy is driven by Software-as-a-Service applications like Microsoft Office365. In a traditional WAN architecture, the data path for these cloud-based apps must be sent back through the main hub before going to the Internet, which is very inefficient. In addition, the number of devices being brought online in the branches that fall under the “Internet of Things” (IoT) umbrella keeps growing exponentially, with estimates placing them at close to 20 billion devices by the end of 2020.

With traditional WAN architectures unable to service cloud workloads efficiently and unable to secure the growing category of devices that most users will come to depend on in the future, how can an organization make a safe bet on a technology that will help them evolve their needs?

Defining The Branch

The most common answer to WAN complexity over the last two years has been to adopt SD-WAN as a technology. A dozen startups and traditional networking vendors have adopted a simplified WAN architecture that delivers a lot of the functionality that organizations need. These solutions help with some of the security concerns between sites and have begun to address the multicloud issues that organizations are seeing today.

SD-WAN focuses on replacing the complexity of configuring a traditional WAN with a streamlined approach. It can address the issues with the old WAN architecture, but it was not built for things like IoT security or for a unified management system for devices. And if you throw in policy-driven networking to help simplify all aspects of configuration, you’re going to see a lot of deficits in existing solutions.

Enter Aruba, a Hewlett Packard Enterprise Company. Aruba has been quietly working on an SD-WAN solution for the past two years. While other companies have been focused on solving complexity in the underlay, Aruba has been building their Software Defined Branch solution to solve bigger issues.

Leveraging capabilities found in Aruba ClearPass allows Aruba Software Defined Branch to identify IoT devices as they are connected and provide a security profile for them so they are protected from the moment they begin sending data. ClearPass integration also allows for simple policy assignment to users and non-IoT devices as they connect to ensure that users have safe, secure, and fast connections.

This ability to identify devices and users also extends to applications. With Aruba Software Defined Branch, not only can you identify applications like SalesForce or Office365, but you can also build per-user policies around them to ensure that bandwidth is always available for critical knowledge workers when necessary. You can also ensure that mission-critical application traffic has priority routing over bulk Internet traffic.

Build Versus Buy

How was Aruba able to get their Software Defined Branch solution running so quickly with almost zero experience in SD-WAN? As it turns out, Aruba already had most of the pieces in place. They had built the secure overlay with the help of ClearPass years ago to simplify the way that wireless and wired networking policies can co-exist and make life easier for network administrators.

With the user-facing security pieces in place, it was simply a matter of building a device that can operate with traditional MPLS, broadband, and 4G/LTE connections. That device is the Aruba 7000 Series Cloud Managed Branch Gateway.

The 7000 Series has support for up to 5 different WAN paths, including support for an external 4G/LTE USB modem. The 7000 Series can dynamically select a new path to ensure that applications don’t fail in the branch during the workday, and it has support for active/active high availability. It also has an on-board crypto engine to ensure IPsec tunnels can be created and maintained quickly and easily for secure communications between branches. The 7000 Series can be centrally managed to ensure that policy enforcement across the enterprise is consistent no matter how far apart your offices may be. And with a list price of $1,495 per gateway, it’s a very inexpensive way to start building out your branch offices.

Putting It All Together

I remember having conversations with Keerti Melkote a couple of years ago and hearing him talk about SD-WAN. At the time, I advised him not to build their own solution. But I didn’t have the foresight that he and his team did. They didn’t want to build a more simple underlay network. Instead, they wanted to build on the security and policy enforcement they already developed with ClearPass. The Aruba team has delivered the promise of software defined simplicity in a package that makes sense to businesses that want to support their branch offices. It’s a huge value that has tremendous upside for all kinds of organizations.

About the author

Tom Hollingsworth

Tom Hollingsworth is a networking professional, blogger, and speaker on advanced technology topics. He is also an organizer for networking and wireless for Tech Field Day. His blog can be found at https://networkingnerd.net/

1 Comment

  • As a long-time Aruba customer, we can’t wait to deploy the solution for our branch offices. The unified LAN + Wifi + WAN architecture for the branch will simplify our team’s day-to-day lives severalfold – we have 4 different tools today to manage our branch offices.
