
Page 1: These materials are © 2020 John Wiley & Sons, Inc. …...For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com

These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.


Software-Defined Branch

Aruba Limited Edition

by Lawrence Miller


Software-Defined Branch For Dummies®, Aruba Limited Edition

Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com

Copyright © 2020 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

ISBN 978-1-119-62403-5 (pbk); ISBN 978-1-119-62404-2 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Project Editor: Elizabeth Kuball

Acquisitions Editor: Katie Mohr

Editorial Manager: Rev Mengle

Business Development Representative: Karen Hattan

Production Editor: Siddique Shaik

Special Help: Jeff Olson, Trent Fierro, Mani Ganesan, Ed Chang, Larry Lunetta, Ron Stein, Alan Sardella, Ramanan Subramanian, Kishore Seshadri


Introduction

Software-defined wide area networks (SD-WANs) deliver a secure network with enterprise-level performance over disparate wide area network (WAN) technologies from different service providers. However, SD-WANs only address part of the issue organizations face when dealing with distributed locations.

Organizations often roll out and operate distributed, heterogeneous networks with centralized teams. These distributed networks offer many services besides just WAN connectivity. Branch networks need wired and wireless local area networks (LANs), security and policy enforcement, and, of course, WAN interconnects, among other services.

SD-WAN is essentially just one component of the software-defined branch (SD-Branch); it represents a technology shift toward solutions that extend the concepts beyond SD-WAN to all elements in the branch, delivering a full-stack solution that addresses all the network connectivity needs of the branch.

About This Book

Software-Defined Branch For Dummies consists of eight chapters that explore the following:

» Looking at IT challenges at the branch level (Chapter 1)

» Going beyond SD-WAN to solve challenges at the branch (Chapter 2)

» Maximizing your investment in SD-WAN (Chapter 3)

» Addressing challenges on the local area network (Chapter 4)

» Keeping the branch secure (Chapter 5)

» Understanding the Aruba SD-Branch solution (Chapter 6)

» Exploring SD-Branch use cases (Chapter 7)

» Doing back flips and other really cool stuff with SD-Branch (Chapter 8)


Each chapter is written to stand on its own, so if you see a particular topic that piques your interest feel free to jump ahead to that chapter. You can read this book in any order that suits you (though I don’t recommend upside down or backward).

Foolish Assumptions

It’s been said that most assumptions have outlived their uselessness, but I assume a few things nonetheless!

Mainly, I assume that you’re a network architect or other IT professional working for a company that has multiple offices or locations that are geographically dispersed across a city, state, region, or country — or around the world. As such, I assume that you have a working knowledge of networking fundamentals, including WANs, LANs, and wireless local area networks (WLANs). I also assume you have some knowledge of security, virtualization, and IT operations concepts and technologies. As such, this book is written primarily for technical readers, although I promise not to get too technical and I’ll be sure to explain any acronyms and “techie” stuff.

If any of these assumptions describes you, then this is the book for you! If none of these assumptions describes you, keep reading anyway! It’s a great book and when you finish reading it, you’ll know quite a bit about the software-defined branch.

Icons Used in This Book

Throughout this book, I occasionally use special icons to call attention to important information. Here’s what to expect:

This icon flags important information you should commit to your nonvolatile memory, your gray matter, or your noggin — along with anniversaries and birthdays!

You won’t find a map of the human genome here, but if you seek to attain the seventh level of NERD-vana, perk up! This icon explains the jargon beneath the jargon!


Tips are appreciated, never expected — and I sure hope you’ll appreciate these useful nuggets of information.

These alerts point out the stuff your mother warned you about. Well, probably not — but they do offer practical advice to help you avoid potentially costly or frustrating mistakes.

Beyond the Book

There’s only so much I can cover in 64 short pages, so if you find yourself at the end of this book, thinking, “Gosh, this was an amazing book, where can I learn more?,” just go to www.arubanetworks.com/solutions/sd-branch.


Chapter 1

IN THIS CHAPTER

» Recognizing the impact of cloud services

» Looking at the limitations of traditional network approaches

» Enabling digital transformation everywhere

» Doing more with less — the never-ending IT paradox

Taking Care of Business at the Branch Level

In this chapter, you explore the impact of the cloud on network traffic, modern business and IT challenges, and the need for robust digital services to extend to remote branches across your entire organization to enable successful digital transformation.

Moving to the Cloud

Widespread adoption of cloud services such as Office 365 and the migration of enterprise workloads to public clouds have changed the traditional network traffic flows from the branch. Routing Internet-bound traffic via a central hub location is no longer a cost-effective or performance-friendly option, and traditional wide area network (WAN) and branch approaches to network infrastructure don’t address the complexities, IT challenges, and digital transformation needs of an increasingly cloud-first world.

More and more, traffic is destined for services running on public clouds reachable directly via the Internet, rather than to an organization’s internal private data center. IT organizations must provide direct Internet access from the branch to enable direct user connectivity to cloud services and thereby minimize latency.


Be sure to include networking tools to identify and monitor the Software-as-a-Service (SaaS) applications being used by your business — including any and all “shadow IT” apps that aren’t officially sanctioned by the business. You need to understand the impact of these applications on your network and your service-level agreements (SLAs) to ensure optimal performance and the best possible user experience. At a minimum, you need to have a list of critical applications across sites and the SLAs needed for these applications to ensure a good customer experience. Otherwise, your branch users’ Skype calls and Zoom meetings will be, well, painful.

Recognizing Business Complexities

The modern pace of business demands agility and flexibility across the entire organization. Traditional network approaches designed to extend basic IT services like file and print sharing, email, and Internet access are no longer sufficient to address the needs of fast-growing businesses in a highly competitive market.

Today, businesses require reliable, high-bandwidth connectivity between headquarters offices, campus buildings, branch locations, and public cloud and SaaS providers to enable team collaboration and sharing via voice, video, and core business applications. They require robust, secure, and pervasive wired and wireless access to enable seamless connectivity everywhere for mobile workers and their devices, guest users and customers, and Internet of Things (IoT) devices. And they must also enable secure remote access for employees working from anywhere on any device, accessing services either inside the enterprise data center or running in SaaS and public clouds.

Traditional WAN infrastructure is too complex and costly to support these demands in a distributed business environment. Installing and maintaining hundreds of routers, switches, firewalls, and other specialized network and security equipment across the entire organization with limited IT staff resources is inefficient and slows business growth and innovation. Provisioning dedicated WAN links and procuring, installing, configuring, and maintaining routers with different circuit interfaces can take weeks or months. Sending IT staff to remote branch locations for installation and troubleshooting is also time consuming and expensive. And manually implementing network or security changes across hundreds or thousands of locations is error prone, does not scale, and is unsustainable.


Enabling Digital Transformation

Enabling digital transformation for your organization means enabling digital services everywhere your business operates — from the main office to branch locations and remote workers. Branch employees and remote workers should have access to the same digital services — with the same level of quality and security — as their peers in the main office.

Oftentimes, digital services at the branch are even more critical to the business than at the main office. The retail shopping experience, for example, happens in store locations at shopping centers and malls — not at your corporate offices. And the day-to-day healthcare needs of your patients are increasingly addressed at branch offices, clinics, or even over the phone or Internet. Thus, a robust network infrastructure must extend across your entire organization.

Understanding IT Challenges

Branch network requirements are changing rapidly. Today’s most pressing challenges include an increasing number of mobile and IoT devices, growing bandwidth needs of the business, and today’s users who expect connectivity for work and personal use — all while the teams that run these distributed networks stay the same size or even shrink. New network rollouts must be completed in the blink of an eye to support the ever-accelerating pace of business while IT organizations are expected to improve service levels, reduce costs, and shift spending from long-term capital expenses (CapEx) to short-term operating expenses (OpEx). At the same time, there are broader industry shifts under way, including the following:

» Shifting to the Internet as a business transport medium: Traditional WAN connectivity is expensive. Installations and upgrades require long lead times — it’s even more painful than waiting to renew your driver’s license at the local department of motor vehicles (DMV), uh, branch — and changes to networks are slow to implement. The architecture of the Internet has evolved considerably, with most large SaaS and cloud providers peering at the edges of the Internet, enabling high-bandwidth, low-latency access to their services. In many places, the Internet is good enough to serve as the primary WAN transport, but traditional routing protocols are only able to make routing decisions based on the traffic destination rather than factors like packet loss, latency, jitter, or application identity, making it impossible for legacy solutions to take advantage of enhanced Internet services. Multiple low-cost links are often cheaper than single high-cost links, while offering equivalent bandwidth and SLAs across the links. Organizations need an intelligent way to customize and control traffic over diverse links to take advantage of lower-cost links such as high-speed Internet and highly available (albeit, expensive) cellular backup links.

» Increasing requirements for mobile and IoT devices: Mobile users and devices continue to consume applications such as video, voice, and storage that impact network performance and health. Rapidly growing numbers of IoT devices further expand mobile use cases and signify a shift of technology deployments away from traditional IT controls. This adds management and security pain points on top of visibility challenges.

» Branch policy and security complexity: Branch local area networks (LANs) can be surprisingly complex. With a proliferation of virtual LANs (VLANs) and access control mechanisms scattered across multiple network devices, deploying consistent policies is challenging. The way different network devices name features and are configured can lead to unpredictable or inconsistent results. The need for a variety of services in the branch — routing, switching, wireless LANs (WLANs), caching, web filtering, firewall protection, WAN compression and optimization, and more — has led to a proliferation of stand-alone, single-purpose devices, each with its own management platform and associated learning curve.

» Slow and complex onboarding: Branch locations often have no local technical resources to install hardware and perform troubleshooting. Today’s branch deployment models almost always require a technical installer on the ground, driving up both cost and complexity. Installing and onboarding traditional, large distributed networks with small teams often requires third-party installers, nonskilled installation personnel, and cookie-cutter configurations.


Chapter 2

IN THIS CHAPTER

» Exploring the development of SD-WAN 1.0

» Seeing how cloud and the Internet of Things create new challenges

» Recognizing the characteristics of SD-Branch

SD-Branch Is More than SD-WAN

In this chapter, you learn how software-defined wide area network (SD-WAN) solutions have evolved over their short history, how the rise of cloud and the Internet of Things (IoT) have introduced new challenges in the enterprise WAN, and how software-defined branch (SD-Branch) has emerged as the solution to these challenges.

Early SD-WAN Solutions

The first SD-WAN companies emerged around 2012 when large enterprises were facing the growing cost and challenge of managing hundreds or thousands of routers deployed across large distributed geographic regions. In the traditional enterprise network, these routers had to be individually configured and managed. Configuring typical enterprise-class services like Multiprotocol Label Switching (MPLS) and various routing protocols, like Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), was a complex task often requiring network engineers with advanced skill sets and certifications.


At the same time, enterprise use of Software as a Service (SaaS) and other cloud services was taking off. Broadband bandwidths were on the rise, and SaaS and cloud providers were investing heavily in high-speed peering connections close to the enterprise WAN edge. Direct Internet Access (DIA) services started to emerge as a viable alternative to more expensive MPLS services. Performance and cost were key factors driving the need to supplement or replace MPLS. MPLS was (and still is) typically used to create an enterprise WAN over which branch locations communicate with larger hub sites. Most traffic flowed back to these hub sites to interact with services that ran in the enterprise data center. Traffic destined for the Internet was also backhauled to these hub sites where it was passed through a security layer before being forwarded to the Internet. This form of backhauling Internet-destined traffic to a central site prior to forwarding it is often referred to as hairpinning or tromboning. SD-WAN 1.0 tackled the challenges posed by these types of traditional WANs in the following ways:

» By centralizing the control plane: Instead of configuring and running complex routing protocols on hundreds or thousands of routers, SD-WAN providers built centralized control planes with the “brains” deployed in a central location and simplified gateways deployed in branch locations.

» By using multiple broadband uplinks to collectively offer an enterprise-class service: Fingerprinting application flows, probing Internet paths, and mapping flows to determine the best path allowed SD-WAN providers to offer a lower-cost alternative to MPLS. The solution used multiple lower-quality and cheaper links with intelligent software to create the effect of having a high-quality, enterprise-class network.

Fingerprinting is a technique for identifying application flows by inspecting packet headers and payloads. This form of inspection can help identify thousands of application flows such as Microsoft Skype for Business, Slack, YouTube, Zoom, and others. After a flow is successfully fingerprinted, a policy can be applied, or it can be forwarded along a particular network path.

» By providing well-designed management software: An intuitive user interface with an emphasis on simplicity and ease-of-use enabled remote configuration and management.


As a result of these advantages, SD-WAN solutions were rapidly adopted and triggered a wave of transformations across enterprise networks. However, these networks were still largely topologically similar to traditional WANs, with most flows being routed to hub sites and some flows being directed to the Internet.

The Rise of Cloud and the Internet of Things

Fast-forward seven years after the introduction of SD-WAN, and a lot has changed. Changes in traffic patterns and broad adoption of SaaS applications now require organizations to think beyond just SD-WAN, to include branch local area networks (LANs) as well.

The shift of enterprise workloads to the cloud has greatly accelerated, with many organizations even kicking off ambitious No Data Center (NDC) programs as part of their cloud strategies. In many instances, a significant majority of traffic is now headed for destinations on the Internet. Organizations using Amazon Web Services (AWS) and Microsoft Azure have deployed tens to hundreds of virtual private clouds (VPCs) and virtual networks (VNets), respectively, with the need for complex networking inside their cloud provider environments. The use of Unified Communication as a Service (UCaaS) has accelerated, with most unified communication traffic flowing to cloud destinations. IoT sensors are being rapidly deployed, introducing new types of devices from new vendors with networking stacks of uncertain provenance. Many of these IoT sensors need low-latency paths to cloud services and access to edge compute.

A VPC enables you to deploy resources in a virtual network that you define in AWS. This virtual network closely resembles a traditional network that you’d operate in your own data center. Azure offers a similar construct called a VNet.

The traditional approach of segmenting and isolating these device types on their own virtual LANs (VLANs) with associated access control lists (ACLs) is adding to VLAN sprawl and network complexity. Network administrators use automation to help with this. However, given that network administration teams tend to be relatively small and centralized, branch networks are too often being adapted to fit the automation software, rather than the other way around.

As an example, it is not uncommon for a new device type to be assigned its own VLAN and a fixed portion of the Internet Protocol (IP) subnet space to allow automation software to generate and program ACLs into switches, firewalls, and routers. Although this helps with automation, it leads to challenges with IP address management, VLAN sprawl, and ACL entry bloat.

A Call for SD-Branch

The solution to these requirements for cloud and IoT (discussed in the preceding section) came about in the form of major enhancements to SD-WAN, which effectively created a new class of product: SD-Branch (see Figure 2-1).

An SD-Branch solution has the following characteristics:

» A single-pane-of-glass management solution for wired and wireless LAN, WAN, and security solutions across all branches: It provides the ability to start with a global network view and drill down all the way to application flows belonging to an individual client on the network.

» Fusion of data across wired and wireless LAN, WAN, and security layers to provide new insights and help with rapid troubleshooting: An example of this would be displaying firewall logs with real user identity, role information, and so on, rather than IP addresses. Another example is to use role information learned in the access layer to carry out performance routing in the WAN layer. An administrator could specify that traffic originating on a device belonging to someone from the finance team be routed over a high-performance path to Salesforce while other Salesforce traffic is routed over other paths.

[Figure 2-1 graphic; text labels: “SD-WAN + SD-LAN = SD-BRANCH” and “SECURITY”]

FIGURE 2-1: SD-Branch combines SD-WAN, SD-LAN, and security capabilities in a single solution.

» Tight integration with security: With increasing amounts of traffic headed directly to Internet destinations, flows need to be subject to firewall inspection, Uniform Resource Locator (URL) filtering, intrusion detection system/intrusion prevention system (IDS/IPS), and so on, before forwarding. These security functions may be performed locally in the branch or via cloud security services. Often, the security team imposes strict requirements for how such traffic should be handled. Integration with cloud security services should be simple to enable the solution to work at scale.

» Performance routing to SaaS: With traffic to SaaS applications continuing to increase, it’s critical to support performance routing to SaaS destinations. A growing percentage of enterprise traffic is now destined for SaaS providers.

» Full SD-WAN capabilities plus tight integration with multiple cloud service providers: This includes the ability to orchestrate deployment of virtual gateways in different cloud provider environments, exchange routes, and handle failures in different cloud provider data centers.

» Micro-segmentation and access control: Allow for micro-segmentation of the branch and manage access control for all intra-branch (east–west) traffic, in addition to security for traffic leaving the branch without the need for thousands of static ACLs.

» One place to configure policy both for routing and access control in a single central location and have them be enforced locally at each branch by simply pushing a button: It supports a dynamic “policy follows the endpoint” capability rather than one based on policies tied to ports and hardwired IP addresses.
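As an added illustration of the data fusion and role-based access control listed above (example code written for this edit, not from the book or from Aruba): constructed firewall log lines are joined with an access-layer identity table so each event shows user and role instead of bare IP addresses, and a role-to-role policy is evaluated against them to surface flows the address-based firewall allowed but the role policy would deny. The log format, addresses, users, roles and policy table are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed identity table: what the access layer learned when each endpoint
# authenticated (user, role, device type), keyed by the address the firewall
# sees. Addresses change as endpoints move; roles do not, so policy keys on role.
IDENTITY_TABLE: Dict[str, Dict[str, Optional[str]]] = {
    "10.20.1.15": {"user": "alice", "role": "finance", "device": "laptop"},
    "10.20.1.42": {"user": "bob", "role": "guest", "device": "phone"},
    "10.20.3.7": {"user": None, "role": "iot-camera", "device": "camera"},
    "10.20.5.10": {"user": None, "role": "finance-server", "device": "server"},
}

# Constructed firewall log lines in a made-up format:
# "<timestamp> <src ip>:<port> -> <dst ip>:<port> <proto> <action>"
FW_LOG = """\
2020-05-12T10:00:01 10.20.1.15:51234 -> 10.20.5.10:443 tcp allow
2020-05-12T10:00:05 10.20.3.7:40001 -> 10.20.5.10:22 tcp allow
2020-05-12T10:00:09 10.20.1.42:52000 -> 10.20.1.15:445 tcp allow
2020-05-12T10:00:12 192.0.2.9:60000 -> 10.20.5.10:443 tcp allow
"""
LOG_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+) (\w+)$")

# Role-based east-west policy: (source role, destination role) -> allowed
# destination ports ("*" = any). Pairs not listed are denied. This is the
# "policy follows the endpoint" model: no per-IP ACL entries at all.
ROLE_POLICY: Dict[tuple, set] = {
    ("finance", "finance-server"): {"443"},
    ("finance", "finance"): {"*"},
    ("iot-camera", "iot-camera"): {"*"},
}


@dataclass
class EnrichedEvent:
    ts: str
    src_ip: str
    dst_ip: str
    dport: str
    src_user: Optional[str]
    src_role: str
    dst_role: str
    fw_action: str       # what the firewall actually did
    policy_verdict: str  # what the role policy says should have happened


def role_verdict(src_role: str, dst_role: str, dport: str) -> str:
    """Evaluate the role-based policy for one flow."""
    allowed = ROLE_POLICY.get((src_role, dst_role), set())
    return "allow" if ("*" in allowed or dport in allowed) else "deny"


def enrich_line(line: str) -> Optional[EnrichedEvent]:
    """Join one firewall log line with access-layer identity data."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a flow record (blank line, unrelated message, ...)
    ts, src_ip, _sport, dst_ip, dport, _proto, action = m.groups()
    src = IDENTITY_TABLE.get(src_ip, {"user": None, "role": "unknown"})
    dst = IDENTITY_TABLE.get(dst_ip, {"user": None, "role": "unknown"})
    return EnrichedEvent(
        ts=ts, src_ip=src_ip, dst_ip=dst_ip, dport=dport,
        src_user=src["user"], src_role=src["role"], dst_role=dst["role"],
        fw_action=action,
        policy_verdict=role_verdict(src["role"], dst["role"], dport),
    )


def enrich_log(log: str) -> List[EnrichedEvent]:
    return [e for e in (enrich_line(l) for l in log.splitlines()) if e]


def render(e: EnrichedEvent) -> str:
    """Identity-first view of the event, as an operator would want to read it."""
    who = f"{e.src_user} ({e.src_role})" if e.src_user else e.src_role
    return (f"{e.ts} {who} -> {e.dst_role}:{e.dport} "
            f"fw={e.fw_action} policy={e.policy_verdict}")


def find_policy_gaps(log: str) -> List[EnrichedEvent]:
    """Flows the firewall allowed that the role policy would deny: either an
    address-based ACL that drifted, or an endpoint the access layer never saw."""
    return [e for e in enrich_log(log)
            if e.fw_action == "allow" and e.policy_verdict == "deny"]


if __name__ == "__main__":
    for event in enrich_log(FW_LOG):
        print(render(event))
    print("policy gaps:", len(find_policy_gaps(FW_LOG)))
```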

Ultimately, SD-Branch gives network managers the simplicity they need, with the teams they have, without compromising end-user experience or security. For too long, network management tools have been rigid and siloed, and organizations have commonly built their networks to best fit their management tools. Complexity, rigidity, and brittleness have ensued. Network managers are wary of making changes to the network, because of the cascading consequences if something goes wrong. SD-Branch changes this paradigm by expanding SD-WAN into a more powerful and comprehensive solution.

What started out as a WAN transformation with SD-WAN has now evolved to become a complete branch transformation. SD-WAN is just one piece of the bigger enterprise networking puzzle, but its benefits stop at the WAN edge. A larger problem is to simplify and secure the branch network while automating many of the functions that are implemented using multiple management platforms and manual processes. The industry needed a comprehensive treatment of the many branch problems in a simple and elegant manner. SD-Branch is this solution.


Chapter 3

IN THIS CHAPTER

» Identifying the required features and capabilities of SD-WAN

» Leveraging automation and orchestration

» Optimizing network performance

» Going beyond SD-WAN

Getting Everything You Can out of SD-WAN

Software-defined wide area network (SD-WAN) is a major component of a software-defined branch (SD-Branch) solution. In this chapter, you learn how an SD-WAN allows an organization to implement the most cost-effective and performance-optimal option at each branch location by providing alternatives and additions to traditional private WAN offerings. Remember: This is the WAN component of SD-Branch.

Reviewing SD-WAN Basics

WANs provide connectivity between data centers, cloud services, Software-as-a-Service (SaaS) applications, and branch locations. As applications have moved to centralized data centers and cloud-based providers, businesses have become increasingly dependent on WAN connectivity.

Many enterprises are turning to SD-WAN to reduce costs, augment bandwidth, and increase flexibility in their large, distributed networks. SD-WAN enables enterprises to lower costs because they can use less costly broadband Internet, metro Ethernet, and 4G Long-Term Evolution (LTE) — as well as 5G in the near future — to increase WAN capacity while reducing reliance on expensive, inflexible WAN connectivity methods like Multiprotocol Label Switching (MPLS). They can augment existing MPLS bandwidth at branches by adding broadband connections and using policy-based routing (PBR) to map application flows to the best suited paths. These broadband paths also help with performance by directing Internet-destined application flows directly to the Internet rather than by “hairpinning” or “tromboning” these flows via centralized hub sites.

Many SD-WAN customers report savings of up to 40 percent by switching from traditional MPLS connections to broadband connections while at the same time increasing asynchronous bandwidth by up to 400 percent.

The software-defined approach centralizes all the routing and enables the use of simpler gateways at each location. To use a simple analogy, centralized routing constitutes the “brains” of the network, with the gateways at each site being the “muscle.” SD-WANs’ use of PBR over multiple, less-costly broadband connections can provide enterprise-class performance and reliability at a lower cost. SD-WAN solutions support sending Internet-destined traffic directly to those destinations over broadband links rather than routing back via a central data center (“hairpinning” or “tromboning”). Most SD-WAN solutions have also been built from the ground up with good user interfaces and an overarching goal of operational simplicity to replace the cumbersome command-line interface (CLI)–driven management paradigm of traditional WANs.

Key capabilities and features of SD-WAN include

» Transport flexibility: A flexible transport design uses secure virtual private network (VPN) overlays to simplify the WAN deployment. The VPN overlay tunnels (usually Internet Protocol Security [IPsec]) for public and private WAN connections reduce complexity for your routing and security, regardless of the underlying networks. Overlay topologies abstract away the complexities of the underlay and allow for creation of simple topologies. The tunnels also provide flexibility by allowing an organization to choose different service provider options based on availability and cost for each location, while maintaining a common overlay network and the ability to change topology and policy as needed without service provider intervention. The customers’ WAN topology is maintained as a simple overlay abstraction with the complex, service-provider underlay being completely hidden away. Security is provided by cloud authentication of all gateways and encryption of all traffic, regardless of underlay provider, with IPsec.

» Virtual private networks (VPNs): VPN tunnels are established between branch and hub gateways to create the overlay network. In some instances, tunnels can also be established between branch gateways and/or hub gateways (often referred to as meshing). The overlay network is used to securely transport traffic between sites that are connected by various underlay network technologies. Because such an overlay could involve thousands of tunnels with the associated key management, tunnel establishment, and so on, an orchestration solution is needed to simplify management.

Orchestration is built to create flexible VPN topologies to support multiple hub sites, as traffic flows between hubs, between branches and hubs, and between branches. Hub sites are typically corporate headquarters or data centers that include one or more hub gateways (sometimes referred to as VPN concentrators [VPNCs]), while branch sites are remote locations that include one or more branch gateways (BGWs). Increasingly common are enterprises that have relocated their data centers to cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. These cloud environments look similar to physical data centers in that there are multiple virtual gateways deployed in place of physical VPN concentrators, but they involve additional nuances around availability zones, application programming interface (API)–driven cutovers in the event of a failure, transit virtual private clouds (VPCs) in AWS, Azure Virtual Networks (VNets), and so on. Larger deployments may include additional hub sites, providing redundancy in the event of a primary hub site failure.

» Dynamic path selection (DPS): DPS policies determine the WAN uplinks that are selected for specific users, applications, and destinations. Using health monitoring information, derived both from synthetic probes and from passive inspection of traffic, DPS can intelligently route traffic based on policy, ensuring that applications are sent over the paths most appropriate to their needs. DPS allows branch and headend gateways to select the best path for an application to take across the WAN based on administrator-defined criteria. The network administrator can define service-level agreements (SLAs) for an application based on values such as latency, jitter, packet loss, and uplink utilization, and the gateway will make a path selection based on which available link meets the SLA criteria. The selected forwarding path can be a single WAN uplink, or traffic can be load-balanced across a group of WAN uplinks. The destination IP address of the traffic in combination with policy will determine if the traffic is steered toward a VPN tunnel or forwarded directly to the Internet at the branch location (overlay versus underlay, in more technical terms). The DPS policy selects an uplink, and the gateway’s routing table or PBR rules determine the IP next-hop.

» SaaS prioritization: As more businesses are adopting SaaS applications such as Office 365, Box, and Slack as business-critical applications, SD-WAN business solutions must ensure that the users at a branch site can seamlessly and securely connect to their applications in the cloud via the most performant (meaning functioning well or as expected) path. These SaaS applications are deployed in the cloud and have servers and data centers across different geographical locations, so SD-WAN devices must have the capability to discover servers that are geographically or topologically closer, continuously monitor the health of these servers and application performance, and dynamically steer traffic to the best available servers. Vendors have different names for this capability (Aruba calls this feature SaaS Express).

» Load balancing: When DPS selects a group of WAN uplinks, the gateway performs a load-balancing action. The load-balancing algorithm determines how sessions are distributed between the active WAN uplinks in the group. BGWs typically support the following load-balancing algorithms (see Figure 3-1):

• Round robin: Sequentially distributes outbound traffic between each active WAN uplink. This is the simplest algorithm to configure and implement but may result in uneven traffic distribution over time.


• Session count: Distributes outbound traffic between active WAN uplinks based on the number of sessions managed by each link. This algorithm attempts to ensure that the session count on each active WAN uplink is approximately the same as the other active WAN uplinks.

• Uplink utilization: Distributes traffic between active WAN uplinks based on each uplink’s utilization percentage. Uplink utilization considers the link speed to calculate the utilization for a given link and allows a maximum bandwidth percentage threshold to be defined. After the bandwidth threshold percentage has been exceeded, that WAN uplink is no longer considered available.

» WAN health checks: Health checks determine the path availability of each WAN uplink and overlay tunnel. When health checks are enabled, the gateway sends User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) probes to the IP address or fully qualified domain name (FQDN) of a host to determine if the underlay paths are available to accommodate traffic. The BGW also sends probes to all VPN concentrators to determine if the overlay paths are available for traffic. The primary use case for health checks is to verify the WAN underlay and overlay networks are operational, which prevents black-holing of branch traffic. Probes are also used to build performance profiles of the different paths out of a branch, with throughput, loss, latency, and jitter being commonly tracked metrics.

FIGURE 3-1: Load-balancing algorithms.


Black-holing refers to sending traffic down paths where the traffic is dropped along the path or at the far end of the path.

» Policy-based routing (PBR): SD-WAN deployments leverage routing tables to forward underlay and overlay traffic. Some advanced deployments may require PBR to override destination-based routes when traffic must be forwarded over a specific WAN path. If needed, PBR policies override the routing table for both underlay and overlay traffic. For example, if you want all traffic from your corporate users to go through the hub site location, you apply a PBR rule pointing to the overlay tunnels. The gateway can use multiple paths by setting the same priority in a next-hop list and applying the PBR policy to the relevant user roles. If more than one active path is available, the selection is done using a combination of DPS and load balancing. Here are some common use cases where PBR policies are implemented:

• All employee Internet traffic must be routed to the hub site location to provide additional policy checks.

• Traffic from a specific subset of clients needs to be forwarded out a specific WAN path.

• Integration with third-party SaaS or unified threat management providers where certain traffic needs to be steered through an on-premises appliance.

» Reverse path pinning: When a path selection is made for sessions destined for the corporate network through a VPN tunnel, the reverse traffic must take the same WAN path to prevent connectivity problems that can arise from asymmetric routing (routing traffic along different paths in each direction). Reverse path pinning allows the hub gateway to choose the same WAN path for each active session to and from the branch. This is important because the BGW selects paths based on performance and SLAs. Reverse path pinning is performed for corporate sessions originating from the branch destined to the data center, as well as sessions originating from the hub toward the branches.

» Route and tunnel orchestration: Even moderate-sized networks can end up with a large number of overlay tunnels. Configuring, establishing, and maintaining these tunnels can involve a lot of work. Sophisticated SD-WAN offerings automate all of these processes and make managing these tunnels a simple push-button operation. Similarly, distributing routes across hundreds or thousands of sites, interacting with external routers, and configuring routing policy (for example, Branch A should not be allowed to talk to Branch B) can be complex and time-consuming. Route orchestration allows for all this work to be automated and simplified. Good tunnel and route orchestration solutions are built to be horizontally scalable with no manual intervention required as the number of network endpoints grows.
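To make the interplay of health checks, DPS and the three load-balancing algorithms above concrete, here is an added Python example; it is not code from the book or from Aruba's products, and the uplink names, SLA thresholds and probe metrics are constructed sample values.

```python
"""Added example, not from the book or from Aruba's software: a simplified model
of SD-WAN dynamic path selection (DPS) feeding the three load-balancing algorithms
of Figure 3-1, gated by health checks. All uplinks, SLAs and metrics are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Uplink:
    name: str
    speed_mbps: float    # provisioned link speed, used for utilization
    latency_ms: float    # performance profile built from probes and
    jitter_ms: float     # passive inspection of live traffic
    loss_pct: float
    tx_mbps: float       # current offered load on the uplink
    up: bool = True      # UDP/ICMP health-check verdict for the path
    sessions: int = 0    # sessions currently steered onto this uplink

    @property
    def utilization_pct(self) -> float:
        return 100.0 * self.tx_mbps / self.speed_mbps


@dataclass(frozen=True)
class SLA:
    """Administrator-defined thresholds for one application class."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    max_utilization_pct: float


def dps_select(uplinks: List[Uplink], sla: SLA) -> List[Uplink]:
    """DPS step: keep every uplink that passed its health check and meets the
    SLA. Excluding failed links first is what stops traffic being black-holed."""
    return [u for u in uplinks if u.up
            and u.latency_ms <= sla.max_latency_ms
            and u.jitter_ms <= sla.max_jitter_ms
            and u.loss_pct <= sla.max_loss_pct
            and u.utilization_pct <= sla.max_utilization_pct]


class LoadBalancer:
    """Spreads new sessions over the uplink group that DPS returned."""

    def __init__(self, algorithm: str, bw_threshold_pct: float = 80.0) -> None:
        if algorithm not in ("round_robin", "session_count", "uplink_utilization"):
            raise ValueError(f"unknown algorithm: {algorithm}")
        self.algorithm = algorithm
        self.bw_threshold_pct = bw_threshold_pct  # uplink_utilization only
        self._rr_next = 0

    def pick(self, group: List[Uplink]) -> Optional[Uplink]:
        if not group:
            return None
        if self.algorithm == "round_robin":
            # Sequential; simplest, but sessions differ in size so load skews.
            chosen = group[self._rr_next % len(group)]
            self._rr_next += 1
        elif self.algorithm == "session_count":
            # Keep the per-uplink session count roughly equal.
            chosen = min(group, key=lambda u: u.sessions)
        else:
            # Past the bandwidth threshold a link is no longer considered available.
            eligible = [u for u in group if u.utilization_pct <= self.bw_threshold_pct]
            if not eligible:
                return None
            chosen = min(eligible, key=lambda u: u.utilization_pct)
        chosen.sessions += 1
        return chosen


def steer_session(uplinks: List[Uplink], sla: SLA, lb: LoadBalancer) -> Optional[str]:
    """One new session: DPS narrows to SLA-compliant uplinks, load balancing picks
    among them. None means no compliant path; the gateway's fallback (routing
    table or PBR next-hop list) then has to decide."""
    chosen = lb.pick(dps_select(uplinks, sla))
    return chosen.name if chosen else None


def sample_uplinks() -> List[Uplink]:
    """Constructed branch with four uplinks; 'dsl' has failed its health check."""
    return [
        Uplink("mpls", 20, latency_ms=30, jitter_ms=2, loss_pct=0.1, tx_mbps=10),
        Uplink("broadband", 100, latency_ms=40, jitter_ms=5, loss_pct=0.5, tx_mbps=85),
        Uplink("lte", 50, latency_ms=120, jitter_ms=20, loss_pct=2.0, tx_mbps=5),
        Uplink("dsl", 30, latency_ms=25, jitter_ms=1, loss_pct=0.0, tx_mbps=3, up=False),
    ]


VOICE_SLA = SLA(max_latency_ms=100, max_jitter_ms=10, max_loss_pct=1.0, max_utilization_pct=90)
BULK_SLA = SLA(max_latency_ms=500, max_jitter_ms=100, max_loss_pct=10.0, max_utilization_pct=100)

if __name__ == "__main__":
    links, rr = sample_uplinks(), LoadBalancer("round_robin")
    print("voice / round robin:", [steer_session(links, VOICE_SLA, rr) for _ in range(3)])
    print("voice / utilization:", steer_session(sample_uplinks(), VOICE_SLA, LoadBalancer("uplink_utilization")))
```

Note how the broadband link meets the voice SLA yet is skipped by the utilization algorithm once it is past the 80 percent threshold, and how the down `dsl` link is never chosen even when it would be the best performer on paper.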

Configuring the correct SLAs and DPS policies across hundreds or thousands of sites with multiple service providers and across many geographical regions can be very challenging. This is an area where machine learning (ML) techniques come into play and can be used to crunch data across a large set of customers and make recommendations based on the applications that are critical to a specific customer. These recommendations can further be automated to “close the loop” and have the artificial intelligence (AI) engine continuously set and refine policies. There are other such problems in the SD-WAN area that lend themselves to the use of AI/ML techniques.

Recognizing That Orchestration Is Critical

Some aspects of an SD-WAN can be very work-intensive. For example, many steps are involved in configuring, establishing, and maintaining secure tunnels between hundreds or thousands of sites, and in distributing routing information across these sites. Plus, as cloud data centers become more prevalent, many steps are involved in deploying and maintaining virtual gateways inside AWS and Azure. A good SD-WAN solution must provide comprehensive orchestration and life-cycle management for routes, tunnels, and virtual gateways. This is an area where many SD-WAN vendors fall short.

The route orchestrator in an SD-WAN solution automates the route distribution across branches, data centers, and public cloud endpoints based on centralized policy. It eliminates distributed “sources of truth” for routing from the network and any manual configuration of route policies from individual gateways. Every node in the fabric automatically advertises its routes to an SD-WAN orchestrator, which in turn computes the routes for the nodes based on the routing policies configured centrally. The key functions of an SD-WAN route orchestrator are

» Establishing a secure control channel with every node

» Auto-learning of routes from the nodes

» Computing overlay paths based on centralized policy

» Distributing routes to every node in the fabric

» Monitoring availability of links, nodes, and routes

» Withdrawing and triggering failover for routes in case of route, link, or node failure

» Providing centralized visibility and control for all routing prefixes in the fabric in a logical fashion

The tunnel orchestrator in an SD-WAN solution automates the creation of the entire SD-WAN fabric by provisioning the IPsec VPN overlay connections between the BGWs, VPN concentrators, and virtual gateways running in a public cloud data center. It eliminates the need for manual VPN configuration of individual nodes and ongoing management of tunnels. The key functions of a tunnel orchestrator are

» Establishing a secure control channel with every node

» Auto-discovery of WAN uplinks

» Setting up tunnels based on centralized policy

» Centralized key management and rotation

» Monitoring real-time health of the tunnels

» Orchestrating tunnel failover across multiple sites and links

» Providing centralized visibility and control for all tunnels in the fabric in a logical fashion

Network administrators are unable to perform all the functions of the route and tunnel orchestrator manually because they would quickly get overwhelmed, even for a moderate-size network. Building horizontally scalable tunnel and route orchestration is a significant technical challenge that is currently met only by a small subset of SD-WAN vendors.


To tap the full potential of automation and orchestration, enterprises should seriously consider a proven, reputable vendor that can provide end-to-end solutions from the orchestration layer all the way to the network and can support it in a reliable, scalable manner.

Ensuring an Optimized Experience Every Time

In traditional branch solutions, traffic is routed using information in the routing table. Traditional branches use a single active WAN path, and other paths are backup links that are only used when the active link becomes unavailable. SD-WAN sends traffic simultaneously over multiple active WAN paths. The paths can be different types with unequal bandwidths, and they can also span a second gateway device.

To further enhance SD-WAN, routing is manipulated using SLAs to ensure compliance with defined thresholds and preferred WAN paths are chosen on a dynamic basis. Here, for example, are the three subsystems in which path selection decisions are made in an Aruba SD-WAN gateway:

» Routing table: If special treatment is not required, traffic is forwarded from the routing table.

» DPS: If SLAs are required and the preferred paths are in the routing table, DPS dynamically selects the best available WAN path.

» PBR: If the preferred WAN paths are not available in the routing table or you want to specify a path for traffic, PBR overrides the available WAN paths using next-hop lists.

If the traffic has a simple path without specific requirements, it can follow the routing table. However, most SD-WAN customers want to use SLAs to provide a better user experience for their real-time traffic while pushing their background traffic to lower-performing WAN paths. If SLAs are needed and the preferred WAN paths are available in the routing table, a DPS policy is required. If the preferred WAN paths are not in the routing table or you want to steer to a specific equal cost path, a PBR policy with a next-hop list is required.


Extending SD-WAN to the “Full Stack”

SD-WAN offerings have matured considerably over the last few years, but there is significant variability both in capabilities and maturity from one vendor to the next. At a high level, SD-WAN enables businesses to reduce costs by using the Internet to transport data and reduce their reliance on traditional WAN links like MPLS. But as discussed in Chapter 2, the WAN is only one piece of the enterprise network and the benefits of SD-WAN stop at the WAN entrance to the enterprise network. The same software-defined approach can be extended to address a number of critical problems in the entire branch network. This is sometimes referred to as a full-stack solution.

The full stack here refers to the entire “stack” of wired and wireless networks, WANs, and the security solution(s) that span the gamut of connectivity and security services in the branch. A full-stack solution provides a single-pane-of-glass solution to problems encompassing the WAN, the wired network, the wireless network, and the security infrastructure needed to secure a branch.

The information gathered in the access layer of a branch network (client identity, device type, user or device role, location, application identity, reputation of the destination, and so on) can be used not only to make WAN forwarding decisions, but also to regulate east–west (inside the branch) access control for traffic inside the branch. I loosely use the term software-defined local area network (SD-LAN) to describe this component of an SD-Branch solution.


Chapter 4

IN THIS CHAPTER

» Addressing branch challenges

» Recognizing the need for a new dynamic policy association model

» Leveraging role-based access in the branch

» Defining Quality of Service and SD-WAN policies with roles

Solving Local Area Network Challenges with SD-LAN

In Chapter 3, I explain the software-defined wide area network (SD-WAN) aspect of the software-defined branch (SD-Branch) in depth. In this chapter, I address the local area network (LAN) aspect of SD-Branch. I loosely label the set of capabilities associated with the LAN side of the branch network as software-defined LAN (SD-LAN). These capabilities include solutions for addressing problems of fine-grained access control, micro-segmentation, dynamic policies, and in-branch security.

Branch LAN Challenges

In addition to challenges with the WAN, enterprise network administrators have to deal with a broad set of challenges in the LAN and security domains. The number and types of devices in the LAN is steadily increasing, making the challenges in the LAN ever more intimidating.


In many instances, the rise in the number and type of devices on the LAN is being driven by the Internet of Things (IoT). IoT devices tend to be headless (that is, not associated with a human user), come from a variety of vendors, and, in some instances, come with immature network stacks of uncertain provenance. Network administrators tend to not trust these devices and prefer to isolate them on separate virtual LANs (VLANs) and subnets. Furthermore, network administrators place Access Control Lists (ACLs) on switches, routers, and firewalls to ensure that these IoT devices are only allowed to talk to a selected set of hosts. In general, ACLs tend to be broadly applicable tools that control inter-VLAN access between groups of endpoints. They’re not meant to regulate fine-grained access between any two hosts in the branch network. They’re also static in that they use hard-wired IP addresses to create rules. Plus, many administrators recognize the risks in modifying rules created by another administrator. This makes the network and security infrastructure very brittle.

Enterprise network teams are also getting smaller or the same team is being asked to manage much larger networks, with a greater emphasis on the use of automation. These teams tend to be centralized and often have to manage large distributed networks across wide geographies. They tend to make heavy use of automation to manage these networks. With the rollout of IoT devices and associated subnets, VLANs, and ACLs, automation scripts are often built to assume a static mapping between device types and IP subnet ranges (for instance, printers are assigned the same IP subnet range at each site). In an ironic reversal, the network is built to adapt to the automation scripts. The proliferation of VLANs and the consequent fragmentation of the IP address space within the branch has resulted in a significant bloat in ACL entries on routers and firewalls and, in some cases, the exhaustion of private IP address space.

Finally, security teams are getting more rigorous about ensuring branch security. SD-WAN is enabling direct Internet access for many application flows, which means that securing the branch network is as important as securing campus networks. In many networks, an attacker who gains physical access to an Ethernet port in a branch (often much easier than gaining access to the network in a main campus) gains full access to the network. Campus networks often implement Network Access Control (NAC) with a comprehensive authentication framework, but this is not yet widely implemented as best practice in the branch. This is a loophole that fails security audits and is important to close.

A New Paradigm for Dynamic Policy Association

In the networks described in the previous section, policy is configured in hundreds or thousands of devices and takes the form of ACLs or firewall rules tied to static IP address ranges. Imagine, for example, discovering a new case of malware on a particular brand of security camera deployed across all your branches. Attempting to isolate these devices or modify the destinations to which they can communicate (say, to get a firmware upgrade only) would require configuration modifications on hundreds or thousands of devices. Policy in this instance is static and tied to a specific port on a specific device. What is needed is a new paradigm where policy is dynamic and follows the endpoint, regardless of its means of network access.

Introducing Role-Based Access

It has long been best practice in the wireless LAN (WLAN) world to authenticate all devices joining the network and to assign them roles. For instance, employees who join the network are assigned an employee role, guest users are assigned a guest role, and similarly, devices such as cameras are assigned camera roles. Wi-Fi tends to be the most common way to join the network today, but a large number of devices and users are still connected to the wired network. A similar approach is required to authenticate and assign roles to wired clients. When all entities joining the network are authenticated and assigned a role, the role becomes the common policy construct to provide unified treatment regardless of the means of access.

In order to achieve this goal, it helps to treat the access switch as conceptually similar to a WLAN access point (AP) and tunnel traffic from each access port of the switch to one or more gateways located at the branch. Effectively, both wired and wireless traffic flows are tunneled to the gateway, which becomes the central policy enforcement point at the branch. The gateway learns the role assigned to the endpoint (that can be connected to the wired or wireless network) during the authentication process. After a role has been assigned to an endpoint and the gateway learns the role, all policies can be centrally configured in simple terms (essentially along the lines of “role camera can talk to role security team”) and enforced in every branch instantly. This approach is called role-based access.

With role-based access, there are no hard-coded IP addresses in an ACL, and the policy is not tied to a specific port on a switch or to an AP. In fact, a client that attaches using a wireless AP can later join the network on a wired port on an access switch and be subject to the same policy. In effect, policy follows the client/endpoint. This model eliminates the need to segment a branch network into many VLANs. Every device is effectively micro-segmented into a segment of one (or the smallest desired policy domain), with role-based access rules dictating who can talk to whom. Role-based access dramatically simplifies the branch network by reducing VLAN sprawl, eliminating multiple points of policy configuration, and providing a simple way to enforce fine-grained access control. Figure 4-1 compares the traditional access model and role-based access in the SD-LAN model.

Traditional access:

» Segment using VLANs and hardwired IP addresses

» Little to no visibility of client devices

» VLAN assigned based on physical port

» Ports are default-open, accidental access is possible

Role-based access (enforced at the gateway):

» Micro-segmentation without VLANs and hardwired IP addresses

» Deep visibility with continuous profiling

» Role assigned based on AAA and Profiling

» All ports are secured

FIGURE 4-1: The SD-LAN model.


Extending Roles to SD-WAN

After the association between the endpoint and the role is learned by the gateway, roles can also subsequently be used to define SD-WAN and Quality of Service (QoS) policies. Most SD-WAN vendors offer application-centric policies, but not all application traffic is equal. The traffic from employees, guests, and contractors needs different treatment. YouTube traffic used for employee training may need to be treated very differently from YouTube traffic to guest devices. Even among employees, you may want to offer different treatment to your finance, marketing, engineering, human resources, and sales teams based on the applications they tend to access (for instance, prioritizing Salesforce access for sales, business intelligence apps for finance, Workday for human resources, and so on).

By using roles and applications to classify traffic, you have the power to provide differentiated treatment in the selection of WAN paths, setting QoS precedence, selecting different SD-WAN service-level agreement (SLA) policies, and segmenting the traffic into different business overlays — all this in addition to regulating intra-branch access.
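The role-based access rules from the SD-LAN discussion and the role-plus-application WAN treatment described above, as a small added example (this is illustrative code, not Aruba's): the gateway learns a role from a constructed AAA table at authentication time and decides east-west access and WAN path from roles only, so a device keeps its policy whether it attaches through an AP or a wired switch port. Role names, applications, MAC and IP addresses are all constructed for the example.

```python
"""Role-based access and role-aware WAN policy, modelled on the SD-LAN /
SD-Branch approach: policy keys on the role learned at authentication,
never on a switch port or an IP address.

Added illustration, not Aruba code. The AAA table, role names, applications
and addresses are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    mac: str
    role: str
    attachment: str   # "ap/<name>" or "switch/<port>"; informational only
    ip: str           # changes between attachments; never consulted by policy


# Constructed stand-in for the role the gateway learns from the AAA server
# (ClearPass in the book's design) during authentication.
AAA_ROLES = {
    "aa:bb:cc:00:00:01": "camera",
    "aa:bb:cc:00:00:02": "security-team",
    "aa:bb:cc:00:00:03": "guest",
    "aa:bb:cc:00:00:04": "sales",
}
UNAUTHENTICATED = "unauthenticated"

# East-west rules in "role X can talk to role Y" form, exactly as the text
# phrases them. Anything not listed is denied, so each device is a segment
# of one unless a rule opens it. (A stateful firewall would still admit the
# return half of an established camera -> security-team session.)
ROLE_ACCESS = {
    ("camera", "security-team"),
    ("sales", "sales"),
}

# WAN treatment keyed by (role, application): (path, QoS class).
# Same application, different role, different treatment.
WAN_POLICY = {
    ("sales", "salesforce"): ("mpls", "high"),
    ("sales", "youtube"): ("broadband", "medium"),   # employee training video
    ("guest", "youtube"): ("broadband", "low"),
}
DEFAULT_WAN = ("broadband", "low")


def attach(mac: str, attachment: str, ip: str) -> Endpoint:
    """Admit an endpoint on any port or AP; the role comes from AAA, not from
    where the device plugged in. Unknown devices get no role."""
    role = AAA_ROLES.get(mac, UNAUTHENTICATED)
    return Endpoint(mac=mac, role=role, attachment=attachment, ip=ip)


def east_west_allowed(src: Endpoint, dst: Endpoint) -> bool:
    """Intra-branch access decided purely by the (source role, dest role) pair."""
    if UNAUTHENTICATED in (src.role, dst.role):
        return False
    return (src.role, dst.role) in ROLE_ACCESS


def wan_treatment(ep: Endpoint, app: str) -> Optional[Tuple[str, str]]:
    """Path and QoS class for a WAN-bound flow, classified by role and app.
    Unauthenticated devices get no WAN path at all."""
    if ep.role == UNAUTHENTICATED:
        return None
    return WAN_POLICY.get((ep.role, app), DEFAULT_WAN)


def policy_follows_endpoint(mac: str) -> bool:
    """Same device first on an AP, then on a wired port with a new IP: the
    role, and therefore every decision, must come out identical."""
    on_wifi = attach(mac, "ap/lobby-1", "10.1.20.57")
    on_wire = attach(mac, "switch/1/0/7", "10.1.30.12")
    camera = attach("aa:bb:cc:00:00:01", "switch/1/0/3", "10.1.30.4")
    return (
        on_wifi.role == on_wire.role
        and east_west_allowed(camera, on_wifi) == east_west_allowed(camera, on_wire)
        and wan_treatment(on_wifi, "salesforce") == wan_treatment(on_wire, "salesforce")
    )


if __name__ == "__main__":
    cam = attach("aa:bb:cc:00:00:01", "switch/1/0/3", "10.1.30.4")
    sec = attach("aa:bb:cc:00:00:02", "ap/lobby-1", "10.1.20.8")
    guest = attach("aa:bb:cc:00:00:03", "ap/lobby-1", "10.1.20.99")
    print("camera -> security-team:", east_west_allowed(cam, sec))
    print("guest -> camera:", east_west_allowed(guest, cam))
    print("guest youtube:", wan_treatment(guest, "youtube"))
    print("policy follows security-team:", policy_follows_endpoint(sec.mac))
```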

SD-LAN is a key component of SD-Branch. The problems in the branch now extend beyond the WAN. The complexity of branch networks is growing while networking teams are shrinking and being asked to do more with automation and fewer people. In addition to providing a single pane of glass for WAN, LAN, and security, an SD-Branch solution has to address these critical LAN-side problems.

CHAPTER 5 Securing Software-Defined Branch 31

Chapter 5

IN THIS CHAPTER

» Identifying inside-out and outside-in security capabilities

» Ensuring visibility at the branch level

» Leveraging machine learning to identify anomalous behavior

» Exploring important SD-Branch security capabilities

Securing Software-Defined Branch

Chapters 3 and 4 cover the wide area network (WAN) and local area network (LAN) components, respectively, of a software-defined branch (SD-Branch) solution. In this chapter, I examine security, which is a critical component of an SD-Branch solution for both the WAN and the LAN. This chapter explores modern security challenges in distributed enterprise networks and how SD-Branch enables robust security with visibility, context, and centralized management capabilities.

Reexamining Security at the Branch

To protect today’s distributed enterprise, security teams need to take a multipronged approach that broadly considers both inside-out security and outside-in security. Inside-out security includes capabilities such as

» Network authentication (required for all devices)

» Intelligent segmentation (balancing operational simplicity with security)


» Profiling (mapping users and their roles to network policies)

» Anomaly detection (rules to identify known misbehavior on the network)

» Uniform Resource Locator (URL) filtering (classifying and filtering employee access to selected websites)

» Outbound Layer 4 (Transport) to Layer 7 (Application) firewall policies (setting session access rules to selected applications)

Outside-in security includes capabilities such as

» Intrusion detection system/intrusion prevention system (IDS/IPS; identifying and protecting from outside attacks)

» Anti-malware (guarding against specific host attacks)

» Sandboxing (quarantining compromised users or devices)

» Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption (handling communications security from the Internet or WAN to inside hosts)

Not all places in the network and not all flows are secured in the same manner. Some flows originating in the branch may be subject to a lower level of scrutiny than others. For example, employee traffic may be inspected less strictly than guest traffic. Others may need many layers of checks. Some security functions may be carried out in the branch gateway, others in a central location or regional colocation facility, and yet others in a cloud-hosted security service.

The fact that many security devices and cloud services charge on a per-flow basis is also a factor in considering which flows to route through which security services or devices. Internet of Things (IoT) devices may be subject to strict access control and may also be good candidates for anomalous behavior analysis. Administrators will find their jobs to be significantly easier with the use of unified tools that enable centralized policy control and real-time enforcement for a closed-loop approach to securing their networks.

Chapter 4 explains the need to segment and isolate certain devices in the branch network, as well as the need to strictly regulate east–west (intra-branch) traffic at a fine level of granularity. The SD-Branch solution you choose must

» Support a rich set of security capabilities in the gateway, such as a stateful firewall, web content filter, and IDS/IPS solutions. Because an increasing amount of traffic involves direct interaction with Internet-hosted services, it’s important that these flows be subject to a sound level of scrutiny.

» Allow for securing east–west (intra-branch) communication flows through the use of centralized policy and plain-language rules for managing access control.

» Include the processing horsepower to inspect and secure both intra-branch flows as well as flows to destinations external to the branch.

» Integrate simply with a centralized policy engine.

» Provide simple integration with cloud-hosted security services for those flows that may need SSL decryption, sandboxing, and so on.

» Be capable of fusing information across layers of the network to provide security insights. This is a key benefit of a single-pane-of-glass solution.

» Provide efficient key management and key rotation for the Internet Protocol Security (IPsec) virtual private network (VPN) fabric.

Knowing (and Controlling) What’s on Your Network

Enterprise security teams need granular access control and visibility that extends from the corporate headquarters and data center to branch offices and remote users. Combined with automated attack detection, this provides for a more proactive and timely security approach that enables

» Complete visibility of all connected devices on the network, regardless of type of device or whether it’s a wired or wireless connection

Page 36: These materials are © 2020 John Wiley & Sons, Inc. …...For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com

34 Software-Defined Branch For Dummies, Aruba Limited Edition

These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

» Control to ensure only authenticated or authorized devices access the enterprise and that their access is restricted to only those assets needed for their business need

Gaining full visibility is easier said than done. Administrators need to institute a policy of requiring all devices that attach to their network to authenticate, regardless of how simple the means of authentication.

Profiling tools in the past were not very accurate and needed care and feeding. Fortunately, these tools have improved significantly over the last few years, and the use of machine learning (ML) techniques helps to improve profiling accuracy. When you know what is actually attaching to your network, you’ve taken the first and most significant step to controlling what those devices can do on your network.

Understanding What Your Users Are Doing on Your Network

Sadly, insider threats are becoming more common today. Whether it’s a disgruntled employee intentionally stealing sensitive information, or an honest employee who accidentally shares data with an external party, unwittingly accesses a malicious website, or is compromised through an email phishing campaign, the insider threat is real.

It’s no longer enough to simply ensure that your users safeguard their network credentials. You need to actively monitor network activity to understand what a user or an attacker using stolen user credentials is doing on the network. Of course, manually monitoring and analyzing user behavior isn’t practical.

ML-based behavior analytics tools use a combination of supervised and unsupervised ML to automatically baseline user and device behavior while actively looking for anomalous activity that may indicate a threat. An ML-based solution should be


» Multidimensional: It should apply a range of ML models to a broad cross section of IT activity sources — from the network to logs to alerts — to bridge the gap between “anomalous” behavior and “malicious” intent.

» Scalable: It should model many behavior patterns simultaneously, enhancing detection accuracy and visibility into different data sets. An effective ML-based solution needs to process potentially billions of individual data points to automatically detect real threats.

» Human-driven, machine-assisted: A behavioral analytics solution also must integrate human and machine intelligence. Although more and more ML-based smarts are being utilized to solve challenging security problems, human intelligence — including knowledge of both local context and security heuristics — is still a very crucial component that determines the overall effectiveness of a solution.

Even if you’re only deploying SD-WAN initially, look for a future-proof solution that will enable you to eventually address the entire SD-Branch — a solution that collects network, device, and user data across your wired and wireless user and device connections, regardless of location, and integrates with an ML-based solution to provide visibility and context across your entire network.

Leveraging Managed Firewall Capabilities

SD-Branch extends security functionality to branch locations with embedded security functions in the gateway that replace specialized equipment such as firewalls, web content filters, virtual private network (VPN) gateways, and other devices. Administrators typically have had to deploy multiple devices in the branch to support these functions. In addition to the costs of a multiple-box solution, what makes the administrator’s life truly difficult is having to deal with multiple management platforms for each of these layers of security. Correlating data from across these different management platforms is a near impossibility. The lack of correlated data across layers in the network to provide insights is a huge limitation of non-SD-Branch solutions.


SD-Branch enables centralized management of network and security functions via a unified management console. Important SD-Branch security capabilities include

» Internet Protocol Security (IPsec) VPN: Support for high-performance IPsec VPN connectivity between branch and headend gateways for secure overlay networking across the Internet or other untrusted networks.

» Client VPN: Support for VPN termination from client endpoints directly to branch (and headend) gateways. In a branch, this enables employees or contractors to access internal systems, such as security cameras or IoT sensors, based on their allowed role.

» Wired device micro-segmentation: Tunnel connections to the branch gateway and apply consistent policy to the user or device the same way you apply policy to wireless users. Dynamically segment traffic to individual users and devices based on centrally managed policies.

» Common access policy for wired, wireless, and WAN connections: Centrally define and manage policies and leverage a common policy framework based on user roles. Dynamically push role and security policies to the branch gateway to be applied to users or devices, enforce firewall rules, and integrate with other network access control (NAC) solutions.

» Stateful application-aware firewall: Control what users and devices are permitted to do, enabling application-layer security and providing separation between user roles. This gives network administrators insight into the applications running on the network and who is using them.

» IDS/IPS: Inspects traffic, looking for malicious signatures and patterns based on curated threat feeds. Inspection is policy-based and provides security dashboards with drill-down capabilities. IDS detects suspicious behaviors such as policy violations or malware, and IPS attempts to prevent threats by blocking or dropping suspicious traffic.

» Web content classification and reputation: Classify websites for content-based filtering; monitor the reputation of all public Internet Protocol (IP) address space to detect and block threats such as spam, exploits, botnets, phishing, proxies, and mobile threats; and use geolocation information to block IP ranges based on country.

» Cloud security integration: When embedded security capabilities are not enough, the ability to route select traffic that is bound for the Internet to third-party cloud security services allows organizations with specific use cases that require cloud security services to have the same policy applied to user groups in the branch or at headquarters.

» Application fingerprinting: Identify applications and apply policy to block, permit, rate limit, and apply quality of service (QoS) based on application, user, and role to make sure business traffic is routed using the best available path and that low-priority applications are rate limited or blocked.

If you think network teams have limited resources, take a look at your security team! IT security skills are in short supply and high demand. To protect today’s distributed enterprise, security teams need unified tools that enable centralized policy control and real-time enforcement for a closed-loop approach to securing user and IoT access, regardless of device or location. Built-in automation delivers device identification and inspection, dynamic segmentation, and reduced IT interaction for continuous and multilayered security.

CHAPTER 6 Exploring the Aruba Software-Defined Branch Solution 39

Chapter 6

IN THIS CHAPTER

» Understanding the individual components of SD-Branch

» Realizing the benefits of SD-Branch

Exploring the Aruba Software-Defined Branch Solution

Earlier in this book, we discuss the wide area network (WAN), local area network (LAN), and security facets of software-defined branch (SD-Branch). In this chapter, we look at how Aruba’s SD-Branch portfolio provides a comprehensive solution across all aspects of WAN and LAN performance and branch security.

Looking at the Components of the Aruba Solution

Using an architectural approach that simplifies the delivery of branch requirements, Aruba SD-Branch helps unify networks and services that were traditionally managed and designed as distinct operational silos. This solution solves problems on several fronts, beginning with the following:

» Wide area network (WAN): Enables the use of SD-WAN technology to support the use of the Internet to replace or augment Multiprotocol Label Switching (MPLS) services.

» Local area network (LAN): Flattens the branch with wired and wireless role-based policies and eliminates dependence on static IP addressing schemes and hardwired access control lists (ACLs) across multiple devices.

» Security: Built-in integrated security provides stateful firewall, intrusion detection and prevention, deep packet inspection (DPI), web content filtering, and other policy-based security, privacy, and compliance controls.

The Aruba SD-Branch design consists of the following elements:

» Cloud management: Aruba Central is a cloud-based life-cycle orchestration and assurance platform that provides flexible management, configuration, control, and monitoring capabilities, allowing an organization to simplify network operations. Supported zero-touch provisioning and customizable templates quickly help deploy headend gateways, branch gateways (BGWs), switches, and access points (APs). Aruba Central can be used to automatically configure the SD-WAN overlay virtual private network (VPN) and provide topology views of the network. It also supports centralized historical data reports, Payment Card Industry Data Security Standards (PCI DSS) compliance monitoring, and regional and global location troubleshooting. The aggregation and correlation of diverse sets of information also provide key insights into network health, operations, and optimization to help IT determine the best link to send traffic to corporate data centers or to the Internet based on per-user, per-device, or per-application policies.

» Policy management: Aruba ClearPass allows network security policies to be automatically assigned based on user or device roles from a central location. This capability ensures that policies are consistent, eliminating the chance of devices using old policy or access privileges and minimizing human-introduced errors. The solution helps identify, authenticate, and grant trust based on a user’s and/or device’s role.

» Headend gateway: The headend gateway acts as a VPN concentrator in hub-and-spoke and multi hub-and-spoke topologies, terminating IP security (IPsec) VPN tunnels and participating in the data center and campus routing. The headend gateway also participates in the SD-WAN fabric overlay topology. The headend gateway is a software function that runs on the Aruba 7200 and 9004 series appliances. The Aruba 9004 Series, Aruba 7200 Series, and certain Aruba 7000 Series platforms can act as headend gateways, or VPN concentrators (VPNCs), for SD-Branch designs. BGWs establish VPN tunnels to one or more VPNCs over trusted and untrusted networks. High-availability options support multiple VPNCs deployed at a single site or deployed in pairs at multiple sites for the highest availability. The VPNC supports active/standby or active/active uplinks from the branch locations.

» Branch gateways: Aruba appliances (such as the 7200 Series and 7000 Series) can operate as BGWs to optimize and control WAN, LAN, and cloud security services. The BGW provides routing, firewall, intrusion detection and prevention, web filtering, and WAN optimization. With support for multiple WAN connection types, the BGW routes traffic over the most efficient link based on availability, application, user, and link health. This enables organizations to take advantage of high-speed, low-cost broadband links to supplement or replace traditional WAN links such as MPLS.

» Virtual gateways: The Aruba virtual gateway software is used to extend the WAN to public cloud environments such as Amazon Web Services (AWS), Azure, and others. On-premises deployments are also supported running on VMware ESXi, Kernel-based Virtual Machine (KVM), and Hyper-V hypervisors.

» Access switches: The Aruba 2930F, 2930M, 3810M, and 5400R family of switches connect wired devices to the branch network, such as APs, workstations, multifunction printers, and other devices that don’t support Wi-Fi or that need higher performance than a wireless connection can provide. The access layer also provides Power over Ethernet (PoE) to devices such as APs, IP phones, and IP cameras. You can use the switches in stand-alone or a stacked configuration, depending on the number of ports needed at each location.

» Access points: Aruba APs are available in Wi-Fi 5 (802.11ac) and Wi-Fi 6 (802.11ax) options that support different throughput and client loads. With Aruba’s APs in controllerless mode (called Instant), there is no physical, central controller, as the controller functions are distributed among the APs. Instant is typically used in smaller offices or branch sites and scales up to 128 APs per cluster. Using this design, you normally see fewer than 50 APs per cluster at each remote site.

» Network access control (NAC): ClearPass provides role- and device-based network access control for employees, contractors, and guests across any multivendor wired, wireless, and VPN infrastructure. ClearPass includes a built-in context-based policy engine, Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS+), non-RADIUS enforcement options, device profiling, posture assessment, onboarding, and guest access options.

» User Experience Insight: The Aruba User Experience Insight product (optional) uses analytics from a user’s perspective to proactively identify mission-critical application and network service issues before they impact users or the business. An on-premises sensor connects to multivendor APs, performs configured tests, and highlights issues that can be viewed via a simple-to-use web dashboard. User Experience Insight supports internal and external tests to measure app and server responsiveness over Wi-Fi, wired, and WAN connections.

Figure 6-1 illustrates the overall SD-Branch design.


The overall goal is to create a simple, scalable network design that is easy to replicate across all sites. The solution components are limited to a specific set of products to help with operations and maintenance. Here are the key features addressed by Aruba SD-Branch:

» Secure WAN connectivity: Enable SD-WAN technology to support the use of the Internet to replace or augment private WAN services. Elements of the solution include path quality monitoring (PQM) to track the available paths, stateful firewall with application fingerprinting to identify traffic flows, dynamic path selection (DPS) to use the optimal path, and centralized routing to offload the BGWs from participating in the routing decisions. You can also use end-user identity information when selecting the available WAN paths.

» LAN automation with dynamic segmentation: Most branch wired and wireless networks are needlessly complex because designs are based on a proliferation of VLANs, complex IP addressing schemes, ACLs, and architectures that are tailored to the needs of automation software. The SD-Branch architecture with dynamic segmentation seeks to flatten the branch into fewer subnets, eliminating the dependence on static IP addressing schemes and hardwired ACLs across multiple devices. This is achieved by consolidating all policy enforcement into a single device in the branch.

FIGURE 6-1: SD-Branch design.


» Branch onboarding and life-cycle management: Aruba developed its architecture with zero-touch provisioning (ZTP), making it possible to bring up hundreds of locations quickly. ZTP is coupled with a scalable, cloud-based management platform, which allows an organization to set up, modify, and maintain networks in an agile and flexible manner.

» Less expensive and easier to deploy: ZTP at branch locations saves travel costs for your IT employees and contractor costs for hiring third-party companies to perform the work.

Differentiating the Aruba Solution

The SD-Branch extends the software-defined aspect to all elements of the branch, delivering a full-stack solution, including key features such as:

» Simplicity with automation

• Cloud management: Aruba Central provides centralized management, monitoring, and troubleshooting of Aruba gateways, instant access points, and wired switches, and it enables seamless integration with third-party, cloud-based security providers. Extensive use of templates allows for simple branch provisioning, and a dedicated Install Manager enables simple mobile-app-based onboarding for network devices.

• Real-time health monitoring: Cloud-managed sensors at each branch site monitor application performance from a centralized location, 24/7/365.

• Zero-touch provisioning (ZTP): All Aruba branch devices can be provisioned using the Aruba installer available on iPhone or Android, including the gateway, APs, and switches. The ZTP installer app leverages the hierarchical group policies defined within Aruba Central to automate the rollout of new branch locations. Scale-out cloud management enables rapid growth in the number of branch sites.


• Automatic VPN setup: The Aruba solution takes away the complexity of setting up secure VPN tunnels by automatically establishing the overlay topology and advertising routes available over the overlay.

» Security

• IPsec VPN: Aruba BGWs and headend gateways support high-performance IPsec VPN for secure overlay networking across the Internet or other untrusted networks.

• Client VPN: Aruba BGWs and headend gateways support VPN termination from client endpoints directly. In a branch, this enables employees or contractors to access internal systems, such as security cameras or Internet of Things (IoT) sensors, based on their allowed role.

• Zero-trust model: A zero-trust model for security removes policy from a physical port-based model to onsite device authentication and firewalling. Advanced security services are delivered by leveraging industry-leading Security-as-a-Service (SECaaS) offerings.

• Dynamic segmentation: You can tunnel connections on Aruba wired switch ports to the BGW and apply consistent policy to the user or device the same way you apply policy to wireless users.

• Stateful firewall: The Aruba Policy Enforcement Firewall (PEF) is a full, stateful firewall able to tightly control what users and devices are permitted to do, enabling application-layer security and providing separation between user roles. This gives network administrators insight into the applications running on the network and who is using them.

• Web content classification and reputation: The Aruba BGW uses Webroot cloud-based machine learning classification technology. Websites are classified for content-based filtering. The reputation of all public IP address space is monitored to detect and block threats such as spam, exploits, botnets, phishing, proxies, and mobile threats. Geolocation information allows you to block IP ranges based on country.

• Cloud security integration: If your security team has standardized secure web gateway requirements for specific use cases that cannot be met with the built-in Aruba branch gateway security capabilities, you can use the branch gateway as a single control point to route select traffic that is bound for the Internet to cloud security services such as Zscaler or Palo Alto Networks GlobalProtect. This allows organizations that use cloud security services to have the same policy applied to user groups in the branch or at headquarters.

» Role-based policy

• Common policy for wired, wireless, and WAN: The Aruba solution provides a common policy framework for traffic segmentation, isolation, and path selection based on user role for wired and wireless LAN, WAN, and security policies. Aruba ClearPass can dynamically push role and security policies to the branch gateway to be applied to users or devices. Other network access control (NAC) solutions can be used as well.

• Application fingerprinting: The Aruba BGW can identify approximately 3,100 applications and apply policy to block, permit, rate limit, and apply quality of service (QoS) based on application, user, and role to make sure business traffic is routed using the best available path and that low-priority applications are rate-limited or blocked.

• Policy-based routing: You can route traffic based on roles (application or user), application and fully qualified domain name (FQDN), or IP destination. For example, you could route guest traffic directly to the Internet and employee traffic over the MPLS network.

» SD-WAN

• Visibility and control: SD-WAN and wireless LAN (WLAN)/LAN visibility and control through cloud-managed Software-as-a-Service (SaaS).

• Path quality monitoring: To reduce the load on WAN links and better gauge the performance of real applications, the BGW can actively and passively monitor connections for latency, jitter, packet loss, and throughput.

• Dynamic path selection (DPS): Link conditions change over time. Using health monitoring information, DPS can intelligently route traffic based on policy so that applications are routed over the best available path. For example, you can route real-time voice and video on the path with the lowest latency and jitter while you route bulk traffic on the path with the most bandwidth.

• Routing: Static and dynamic routing support allows the BGW to fully replace a traditional router for networks with MPLS by allowing the BGW to exchange IP routes with the service provider’s MPLS router.

• Compression: To improve throughput, the BGWs can compress IP traffic on the VPN overlay.

• Bandwidth contracts: This allows you to control the amount of bandwidth an application or group of applications can use. The limits can be enforced based on user role or interface in the upstream and downstream directions. For example, if you don’t want to block access to an application for a user group, but you don’t want the application to negatively affect business-related traffic, you can limit the application’s network bandwidth.
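The path quality monitoring and DPS bullets above describe the decision a branch gateway makes: derive latency, jitter and loss from probes, discard paths that miss a traffic class’s SLA, then send real-time traffic down the lowest latency/jitter path and bulk traffic down the highest-bandwidth path. The following is an added illustration of that logic, not Aruba code; the probe windows, throughput figures, SLA thresholds and path names are constructed for the example.

```python
"""Dynamic path selection over monitored WAN links (illustrative only)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Optional, Sequence, Tuple


@dataclass
class PathHealth:
    """One health sample for a WAN path, as a monitor would report it."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    throughput_mbps: float

    @property
    def up(self) -> bool:
        # A probe window with total loss means the path is unusable.
        return self.loss_pct < 100.0


def health_from_probes(name: str, rtts_ms: Sequence[Optional[float]],
                       throughput_mbps: float) -> PathHealth:
    """Turn a window of active probe results into a health sample.

    Each entry is a round-trip time in ms, or None for a lost probe.
    Jitter is the mean absolute difference between consecutive answered
    probes (a simplification of the RFC 3550 estimator).
    """
    answered = [r for r in rtts_ms if r is not None]
    loss_pct = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    if not answered:
        return PathHealth(name, float("inf"), float("inf"), loss_pct, 0.0)
    deltas = [abs(b - a) for a, b in zip(answered, answered[1:])]
    jitter = mean(deltas) if deltas else 0.0
    return PathHealth(name, mean(answered), jitter, loss_pct, throughput_mbps)


@dataclass
class TrafficClass:
    """SLA and path preference for one class of application traffic."""
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer: str  # "latency" for real-time traffic, "bandwidth" for bulk


def meets_sla(p: PathHealth, tc: TrafficClass) -> bool:
    return (p.up and p.latency_ms <= tc.max_latency_ms
            and p.jitter_ms <= tc.max_jitter_ms
            and p.loss_pct <= tc.max_loss_pct)


def select_path(paths: Sequence[PathHealth], tc: TrafficClass) -> Optional[str]:
    """Pick the best path name for a traffic class, or None if all are down.

    Paths failing the SLA are excluded first. If nothing meets the SLA the
    selector degrades gracefully: it applies the same preference to every
    path that is still up rather than blackholing the traffic.
    """
    candidates = [p for p in paths if meets_sla(p, tc)]
    if not candidates:
        candidates = [p for p in paths if p.up]
        if not candidates:
            return None
    if tc.prefer == "latency":
        best = min(candidates, key=lambda p: p.latency_ms + p.jitter_ms)
    else:
        best = max(candidates, key=lambda p: p.throughput_mbps)
    return best.name


# Constructed probe windows (RTT in ms, None = lost probe) and measured
# throughput for three hypothetical branch uplinks.
PROBES: Dict[str, Tuple[Sequence[Optional[float]], float]] = {
    "mpls":      ([22.0, 23.0, 21.0, 24.0, 22.0], 50.0),    # steady, small pipe
    "broadband": ([35.0, 60.0, 38.0, 39.0, 41.0], 300.0),   # jittery, big pipe
    "lte":       ([70.0, 95.0, None, None, 80.0], 40.0),    # lossy backup
}

# Constructed policy: voice/video is latency-sensitive, backups want bandwidth.
POLICIES = [
    TrafficClass("voice-video", 100.0, 10.0, 1.0, prefer="latency"),
    TrafficClass("bulk-backup", 300.0, 50.0, 5.0, prefer="bandwidth"),
]


def route_table(probes=PROBES, policies=POLICIES) -> Dict[str, Optional[str]]:
    """Evaluate every traffic class against the current path health."""
    paths = [health_from_probes(n, rtts, tp) for n, (rtts, tp) in probes.items()]
    return {tc.name: select_path(paths, tc) for tc in policies}


if __name__ == "__main__":
    for klass, path in route_table().items():
        print(f"{klass:12s} -> {path}")
```

With the constructed inputs, voice and video land on the MPLS link (the broadband link exceeds the 10 ms jitter ceiling) while backups use the 300 Mbps broadband link, and the lossy LTE link is excluded from both.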

The Aruba SD-Branch solution enables organizations to address many of the problems they’re facing today in the branch. The SD-WAN component of the solution includes a branch gateway (BGW) that combines the functions of many discrete devices such as firewall, WAN router, deep packet inspection (DPI) engine, and WAN optimization into a single device, reducing the number of devices to deploy and maintain.

Enabling more cost-effective WAN connection types and transport independence is the goal of SD-WAN. The Aruba SD-WAN feature allows you to use a combination of traditional WAN links and Internet links together with all links actively carrying traffic, instead of using some for backup purposes only. Combined with key components of SD-Branch, the solution delivers simple but powerful routing based on user role, device type, application, and path quality across a variety of WAN topologies.

The move away from a physical security model based on where a device connects to the network to a role-based model enables many benefits for branch operations. A policy follows the user model, allowing an administrator to configure policies that are access- and location-agnostic, delivering a single policy framework for wired, wireless, and WAN. Wired switches can act as “wired APs” tunneling all user traffic to the branch gateway so a single consistent policy can be applied. Organizations get end-to-end segmentation of traffic enforced at the branch and maintained across the entire network.

The Aruba 7000 series BGW is an enterprise-class product with a small form factor and high performance. The Aruba 7005 provides 2 gigabits per second (Gbps) of firewall throughput and 1.2 Gbps and up of IPsec VPN throughput, and the Aruba 7030 provides 8 Gbps of firewall throughput and 2.4 Gbps of IPsec VPN throughput in a 1U appliance.

The Aruba 7200 series head-end gateway delivers 12 Gbps of firewall throughput and 4.5 Gbps of IPsec VPN throughput on the 7205 model, and up to 40 Gbps of firewall throughput and 30 Gbps of IPsec VPN throughput on the high-end 7280 model.

For customers seeking extended security (including intrusion detection and prevention) and built-in LTE support, the 9004 BGW is a preferred option.

Over the longer term, SD-Branch extends the campus experience across the distributed enterprise with rich SD-WAN capabilities, security that extends from users and devices to applications and WAN state, and management and onboarding with cloud scale. These features extend to locations, large and small, to improve deployment flexibility.

Aruba’s SD-Branch solution delivers a simple way to centrally automate the deployment, management, and operation of your wireless, wired, and WAN infrastructure. Extending SD-WAN, SD-Branch addresses the entire remote branch experience from SD-LAN to cloud to core, with strong security and performance benefits.


Chapter 7

IN THIS CHAPTER

» Checking out branch requirements in retail

» Serving up SD-Branch in the hospitality industry

» Taking care of healthcare industry needs

Looking at Software-Defined Branch Use Cases

Even if you have a deeper understanding of Aruba’s software-defined branch (SD-Branch) solution, you probably want to see some proof. So, in this chapter, we provide key examples of customers using Aruba SD-Branch for a simplified, secure, high-performing distributed network.

Retail

Move over Millennials, Gen Z is here and will soon represent the largest group of consumers worldwide. They’re true digital natives, having never known a world without the Internet and having grown up with a smartphone in their hands. They shop with a sharp eye and are redefining the retail experience.

For Gen Z, shopping is social. They model their new jackets in a smart mirror and share via Snapchat, and post selfies with their new handbags on Instagram. They’re brand conscious but also socially conscious. They have the time and wherewithal to hunt for the best prices. They prefer to shop in stores, but the experience must be fun and easy. Gen Z likes convenience, too. They want the ability to self-checkout from their phones or to order food ahead from a mobile app.

Their expectations are changing the nature of retail. Stores are becoming showrooms. Gen Z may be fans of a brand long before they make their first purchase. Apple revolutionized the in-store experience, and Samsung is now taking it to the next level. Teens may drop by the Samsung store on a Friday night, and bask in “The Wall,” Samsung’s new MicroLED TV with an amazing 146-inch picture, or mess around with Samsung Gear VR (virtual reality) with their friends. Whether it’s cool technology or a fashionable scarf, fandom is aspirational for this generation.

The whole experience of the store is changing. At Bonobos, a “guide” (not a sales associate, of course) walks shoppers through their clothing choices, makes sure they get the right fit, and then the customer walks out empty-handed. The guide places the order, and the new clothes arrive at the customer’s home or office. Shopping is becoming frictionless.

Many retailers have already beefed up their networks to meet the expectations of Millennial shoppers and for smoother store operations, but for Gen Z it’s a whole new ballgame. For Gen Z, technology is infused in the shopping experience, and the network must be up to the job. Whether it’s an outlet, mall, kiosk, or popup store or other property, retailers need an ultra-fast, highly scalable network that will support retail experiences like smart mirrors, shoppable windows, and augmented reality. They need Bluetooth location beacons to execute on personalized marketing and wayfinding, and guest Wi-Fi needs to be easy for the shoppers — without creating tech support issues for store associates.

Retailers can engage shoppers in the store or via a mobile app. Shoppers can opt in for personalized incentives and notifications. They can use the retailer’s app to find the products they’re looking for, with a direct path to the department or location. Proximity-based notifications can be used for incentives and offers as shoppers walk through the store or a mall.

The network can reveal business insight as well. Presence analytics and heat maps can reveal information about how people move through the store, which can be used to optimize the store layout.


To support the next generation of shoppers, the retail branch network must

» Enable seamless and immersive, omni-channel shopper experiences, which is critical to attracting and retaining customers in this modern, mobile-first era.

» Be quick and easy to deploy, install, operate, and maintain with minimal or no on-site technical expertise, thereby eliminating the need for truck rolls to perform these functions.

» Optimize costs. Despite consumer expectations for innovative and immersive shopping experiences, they still want the best bargain for their dollars. Retailers must still operate on razor-thin margins and optimize costs to maximize profits. Retailers can eliminate the need for expensive Multiprotocol Label Switching (MPLS) wide area network (WAN) connections and replace them with more cost-effective, direct Internet connections that can be provisioned and installed more quickly to get new stores up and running faster.

» Perform reliably and consistently in challenging environments, including structural barriers (malls have lots of concrete), limited Internet connectivity options, harsh operating conditions (it’s not uncommon to find an access point jammed above a ceiling tile with lots of dust and heat, and limited ventilation), network congestion, and intermittent periods of peak or surge demand.

» Confidently secure users and Internet of Things (IoT) devices with robust, easy-to-manage policies and controls that support security and privacy requirements and regulations such as the Payment Card Industry Data Security Standards (PCI DSS) and California Consumer Privacy Act (CCPA).

Even with advanced capabilities, retailers need a network that’s easy to set up and centrally manage across stores — and with strong security and privacy. Ironically, although Gen Z shoppers share everything, they’re hypersensitive about the security and privacy of their personal information.

Hospitality

Whether traveling for business or leisure, today’s hotel guests are more spontaneous and demanding than ever before. They typically book reservations days, rather than weeks or months, in advance and expect the flexibility to cancel or change their plans at the last minute. They expect a personalized and seamless no-frills check-in and check-out process, and they expect secure, reliable, fast and easy Wi-Fi access for their laptops and mobile devices.

In much the same way that Gen Z (discussed in the preceding section) is redefining the retail shopping experience, both Millennials and Gen Z constitute a growing majority of travelers, and they’re demanding more personalized, memorable experiences when they’re away from home. They expect frictionless experiences and personalized service — when they want it and where they want it. For hotels, this means smartly designed guest rooms, reimagined public spaces, and creative updates around food and beverage. It means a mobile app that handles check-in and room access. It means streaming their favorite Netflix series to the in-room TV and being able to use their smartphones to unlock the door and control the temperature, lights, and shades in their rooms.

To support the modern traveler, the hospitality branch network must

» Enable amazing guest experiences with seamless, pervasive, reliable, and fast Wi-Fi network connectivity.

» Be quick and easy to deploy, install, operate, and centrally manage with little or no on-site IT staff.

» Reduce costs by eliminating the need for expensive MPLS WAN connections and replacing them with more cost-effective, direct Internet connections that can be provisioned and installed more quickly to get new properties up and running faster or add network capacity to existing properties.

» Provide local breakout of Software-as-a-Service (SaaS) traffic from hotel properties, instead of backhauling this traffic to a corporate hub location over costly MPLS links.

» Enable proactive management of the network, applications, and IoT devices before issues occur or are reported by guests.

Wi-Fi is more important today than a comfortable bed or a hot shower. Eight out of ten guests take the time to publicly share their bad Wi-Fi experiences. Don’t let bad Wi-Fi hurt your business.

Considering that most hotels have designed their guest experience around what older generations, such as Baby Boomers, wanted — familiarity, safety, and comfort — providing the same old experience just won’t cut it for today’s travelers. For Millennials and Gen Z, trips are great opportunities to generate social media likes and shares, and hotels and travel companies need to create experiences worth sharing on social. Remember: If it’s not on Instagram or Snapchat, it didn’t happen.

Today’s travelers need great connectivity. As more devices — from smartphones, tablets, and laptops to streaming media sticks and wearables — show up in guest rooms, ever-increasing performance demands are placed on hotel network and Internet access. Proper traffic prioritization with granular controls to provide optimal performance while balancing costs from Wi-Fi to switch to wide area network (WAN) is essential to providing great guest experiences.

Today, hotel brands are judged by the quality of the experience across a broad variety of touchpoints. Brands need to infuse on-demand personalization and authenticity into these channels to attract and retain tech-savvy, discerning guests — and to generate the positive reviews, social media buzz, and word-of-mouth recommendations that are so important today.

Personalize the guest experience through applications like wayfinding to guest rooms, restaurants, and other points of interest. Give them the ability to order food and drink to where they are. And leverage push notifications based on their location and preferences to let them know about offers and upcoming events.

Delivering frictionless guest experiences requires a strong technology foundation. Understanding how your WAN links are performing, as well as utilizing context about users and devices, is critical. An SD-Branch built on wireless, wired, and branch gateways with integrated software-defined WAN (SD-WAN) leverages context from the LAN and automatically enforces WAN changes via the gateway to enhance the experience for users and devices.

Healthcare

As the push toward personalized healthcare grows increasingly reliant on mobile devices and apps, clinics and hospitals are being forced to examine the health of their network infrastructure.


Old legacy infrastructures were not designed to handle the influx of mobile devices used by healthcare constituents — physicians, nurses, administrative staff, lab technicians, patients, and their families. Nor were they designed to handle high volumes of traffic or accommodate services that today’s mobile apps deliver.

Today’s mobility infrastructures can grant network access to anyone. The real challenge is ensuring that your mobility infrastructure is always on, enforces the highest level of security and patient privacy, and provides self-service workflows for guests and staff.

This is especially critical as the industry embraces a tougher competitive model of managed care where providers focus on the quality of patient care and preventive health maintenance to increase revenue and reduce costs.

One of the most effective ways to keep a population healthy is to provide convenient places for people to receive care. We are all used to the large hospital with emergency rooms, intensive care units, labor and delivery, and other specialties all housed in one building or campus. But large hospitals can be inconvenient to get to and difficult to navigate, and they generally consume a lot of resources for routine health procedures such as a flu shot or physical exam.

As a result, there has been a dramatic increase in the number of urgent-care centers and retail health clinics over the past several years. These are small operations, typically managed by a small staff that provides many routine services at reasonable costs. They solve a lot of issues around cost, convenience, and time savings for many people.

An SD-Branch solution enables smaller clinics and urgent-care centers to cost-effectively provide patient care and access to medical records and equipment — improving the health and experience of patients and staff alike.

To address the healthcare needs of patients today and in the future, the healthcare branch network must

» Provide pervasive, reliable, and secure high-quality Wi-Fi throughout the hospital campus


» Improve patient satisfaction with seamless Wi-Fi access in waiting areas and fast, reliable access to healthcare services (such as patient portals)

» Enable secure, real-time access to electronic healthcare records (EHRs) and electronic medical records (EMRs) for doctors, nurses, and other staff constantly moving from room to room and device to device

» Connect specialized equipment and medical devices to the network securely and reliably to enable quality healthcare services

» Address security, privacy, and compliance requirements with granular visibility and control of the traffic on your network (see Chapter 5)

Downtime is unacceptable on any network, but even more so when lives may be on the line. You need the enterprise-class network capabilities of SD-Branch to ensure a secure, reliable, high-performance experience across your entire network.

Want to read more about how Aruba customers have addressed their own digital transformation challenges with SD-Branch? Go to www.arubanetworks.com/resources/case-studies/ to read their customer success stories.


Chapter 8

IN THIS CHAPTER

» Being proactive

» Looking at the world from the perspective of your end users and customers

» Balancing the load across your network links

» Getting more done with less

» Spending less time traveling to branch locations

» Embracing shadow IT

» Bringing the Internet of Things to your branch offices

» Enabling “work from home” arrangements

Ten (Or So) Really Cool Things You Can Do with Software-Defined Branch

Here are ten — okay, actually only eight — cool things that you can do with software-defined branch (SD-Branch).

Predict the Future

Well, maybe not the winning lottery numbers or next year’s Stanley Cup championship, but SD-Branch does help you proactively foresee and resolve potential issues in your network. With integrated predictive analytics and machine learning, SD-Branch provides deep insights into wide area network (WAN), local area network (LAN), and wireless LAN (WLAN) performance and utilization, empowering you to proactively optimize, troubleshoot, and resolve branch network issues before your users even know there’s a problem.

See How the Other Half Lives

Ever wonder why we refer to the uber-wealthy as both the “other half” and the “1 percent”? Shouldn’t they either be the “other one-one-hundredth” or the “50 percent”? Well, you won’t find the answer here. Anyway, I’m not talking about the 1 percent. I’m talking about the 99 percent — your users.

If you work for a retailer, take a shopping trip to some of your stores to experience the customer experience for yourself. If you work for a healthcare provider, get a physical exam at one of your clinics to check up on the patient care services that SD-Branch enables your healthcare professional to provide. If you work in the hospitality industry, check in on one of your hotel properties.

With advanced SD-Branch capabilities rolled out, you’ll no doubt experience the “wow factor” and you’ll earn the praise of your branch users — at least long enough for them to butter you up while you’re there and ask you to fix anything and everything that plugs into a wall, has a blinking light, or has an on/off switch!

Restore Balance to the Universe

It’s common (and prudent) to install redundant network connections to all your branch locations. Typically, this consists of two different types of connectivity from two different service providers to provide maximum resiliency. For example, you might have a high-speed Multiprotocol Label Switching (MPLS) WAN connection, provided by a national carrier, installed between your headquarters location and your branch offices as your primary connection. A separate broadband or cellular connection, provided by a local Internet service provider (ISP) and configured for virtual private network (VPN) access back to your headquarters, may also be installed as a backup connection. Unfortunately, you have to pay for that backup connection every month — regardless of whether you actually use it.

With software-defined WAN (SD-WAN), you can use all your network connections — regardless of type or provider — and load-balance traffic across them. You can even prioritize certain types of traffic to use one connection over another. For example, you may want all your voice over IP (VoIP) traffic to go across your high-speed MPLS connection and all your Internet traffic to go over your local ISP connection (instead of backhauling it across the corporate network).

Recalibrate Your Scotty Factor

Any successful network architect knows you’ve got to under-promise and over-deliver when it comes to performing engineering miracles for your organization. Connecting a new branch location to the corporate network and setting up network services typically takes several weeks, if not longer. Of course, you always manage to get it done a little faster than that, and everyone’s happy!

With SD-Branch, you can bring up hundreds of locations per week using nontechnical local staff resources to provide any “hands-on” work that’s needed, while you sit back and do the “hard work” of configuring everything with easy-to-use mobile applications and centralized cloud services that enable zero-touch provisioning (ZTP) and a templated cookie-cutter approach for automating the rollout of new branch locations. But you can’t keep telling everyone it’ll take you weeks to set up a new branch location — they’ll soon catch on. So, be sure to update your “Scotty factor” and maybe just promise a few dozen locations per week!

Take the Road Less Traveled — Well, Travel the Road Less

Traveling for work can be fun, but it eventually gets old. So, if you’re ready to turn in your road warrior card, SD-Branch can help. With ZTP and powerful cloud-based management tools, you can configure and troubleshoot network services for your branch locations, all from the comfort of your cubicle. You don’t even need to get your hands dirty! Nontechnical staff in your branch locations can be your hands for anything that requires a device to be plugged in, moved, or reset. In fact, do it in style — treat yourself to a manicure at a local spa as you talk your branch office employees through the physical stuff while you configure everything from your mobile device!

Put Your Users on Cloud Nine

Shadow IT (a trend in which end users bypass their IT department to find, purchase, install, and run the software of their choice for work-related purposes) is a growing challenge for every organization today. But many businesses recognize that shadow IT, under the right conditions, can boost productivity and morale. Instead of attempting to prevent shadow IT with restrictive policies that are difficult, if not impossible, to enforce, these organizations have embraced shadow IT by implementing relatively easy policies and procedures to approve software purchases, thereby ensuring that the organization isn’t unknowingly exposed to security, privacy, or other potential risks and, in some cases, achieving economies of scale (for example, by purchasing a volume license for use by the entire team or department, rather than purchasing individual licenses).

Many Software-as-a-Service (SaaS) applications are popular with end users. Although these applications are generally designed to be easy to install, firewalls, virtual private networks (VPNs), and other specialized corporate network or security equipment can sometimes cause issues installing and/or running certain applications. SD-Branch gives you visibility and control across your entire network, from the corporate office to branch locations and end-user devices, making it easy for you to create standard policies that help your end users install and run their preferred cloud apps — after they’ve been properly approved.

Put a Nest in Your Branch

There’s lots of cool technology on the Internet of Things (IoT), like Nest thermostats, smoke detectors, security systems, smart locks, and more. With SD-Branch, you can install IoT devices in your branch locations to improve security, safety, and energy efficiency, among other things.

Many IoT devices rely on connectivity to the cloud via a Wi-Fi network to do their magic. This means you need to have a secure and reliable Wi-Fi network in your branch locations. After all, you wouldn’t want a malicious foe (maybe, an unscrupulous competitor, a mischievous kid, or worse) cranking up the heat in your store or setting off the smoke alarms.

Put a Branch in Your Nest

Many businesses are now offering employees benefits such as flexible “work from home” arrangements. In addition to boosting employee morale, allowing employees to work from home can reduce costs for your company and your employees, for example, by requiring less office space and reducing or eliminating commuting costs. A home office can enable an employee who might otherwise need to take a sick day to keep working — without risking getting the rest of the office sick. And you can cancel snow days forever!

The key to enabling such arrangements is to ensure your employees can be as productive at home as they are in the office. They should have access to the same applications and services as they do in the office, and your customers should never suspect that they’re talking to an employee in a home office. With SD-WAN, you can extend your corporate VPN to your employees’ home networks to provide the security and access they need to be productive wherever they work.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.