
HPE Aruba Networking Blogs

Unified next-generation SD-LAN and SD-WAN with HPE Aruba Networking EdgeConnect SD-Branch

By Laura Neacșu, Senior Product Manager for Aruba SD-Branch, Microbranch and Campus

Introduction

Did you know that by 2026, over 60% of enterprises are expected to have adopted software-defined wide area networking (SD-WAN), a leap from just 20% in 2020?[1] In this rapidly evolving era of network technology, the transformation brought about by SD-WAN is not just a trend but a fundamental shift in enterprise networking. Unlike traditional WAN architectures, SD-WAN offers unparalleled flexibility, scalability, and control over network resources.

But what's driving this significant change? The answer lies in the increasingly complex demands of today's digital landscape. Consider a global enterprise with branches across multiple continents. In the past, managing network traffic and ensuring security across such a vast expanse was a complex task, often resulting in inefficiencies and vulnerabilities. SD-WAN, with its intelligent path control and centralized management, revolutionizes this scenario. It seamlessly integrates cloud computing, mobile connectivity, and a distributed workforce, creating networks that are not only robust and secure but also agile and adaptable to ever-changing business needs.

However, the enterprise networking landscape is evolving beyond WAN, with the rise of software-defined local area network (SD-LAN), representing an advanced approach to local area network management. This approach offers automated and centralized control over access points (APs), switches, and gateways within the LAN. It facilitates automated user-role assignment across the LAN, ensuring efficient and secure network access, and orchestrates the creation of tunnels from APs and switches to gateways. Doing so streamlines network connectivity and enhances overall network security. This shift reflects the market's trajectory, but it also brings to light a significant challenge: a gap in perception and understanding among potential users about the vital role and benefits of SD-LAN within an integrated network environment.

A contributing factor to this misperception is the way some SD-WAN vendors characterize SD-LAN. SD-LAN is not merely the inclusion of access control lists (ACLs) in LAN policy. It can be a powerful framework for a unified overlay fabric. In the context of the EdgeConnect SD-Branch solution, which features seamless SD-WAN and SD-LAN integration, addressing this disparity is critical. Often, the advantages of SD-LAN, like enhanced local network control and improved security, are overshadowed by the broader focus on network solutions. In the upcoming sections, we will explore how bridging this knowledge gap is crucial for unlocking the full potential of SD-Branch as an integrated networking solution. We will also explore how this aligns with the broader context of SASE (Secure Access Service Edge), enhancing network and security convergence.

The evolution of HPE Aruba Networking EdgeConnect SD-Branch 

The HPE Aruba Networking EdgeConnect SD-Branch solution was born in 2018 to address complexities within traditional network architectures such as inefficient traffic management, inflexible network configurations, and high-security risks across large and diverse environments.

Our vision for SD-Branch was to create a unified, user-centric network solution that seamlessly combines the strengths of both SD-WAN and SD-LAN. This vision was propelled by increasing demands for greater network agility, enhanced security, and simplified management across both WAN and LAN environments.

Since its introduction, EdgeConnect SD-Branch has offered unprecedented benefits by pioneering a new approach to the convergence of SD-WAN and SD-LAN into a single elegant solution. This solution not only improves network performance but also transforms the entire approach to enterprise networking and security: it provides end-to-end network visibility, enables network administrators to monitor and manage the entire network from a single pane of glass, and fully automates network and security management across the entire fabric, from the LAN across the WAN, greatly simplifying IT operations.

Moreover, advanced security features are embedded within the solution, moving beyond the perimeter-based defenses of the past to a more holistic Zero Trust Security model that is critical in the age of cloud computing and hybrid work. With EdgeConnect SD-Branch, every network segment, from the core to the edge, is securely isolated, ensuring that both data and users are protected regardless of their location or device.

Fully Orchestrated Combined SD-LAN and SD-WAN

From its inception, the EdgeConnect SD-Branch solution has been driven by a vision that extends beyond merely simplifying WAN and routing operations. Its core objective is to streamline the entire branch network environment. This goal is realized through the innovative integration of SD-WAN and SD-LAN into a unified platform complementing the SASE model by combining network and security functionality into a single solution. This not only simplifies communications but also significantly enhances security and the user experience.

The SD-Branch Orchestrator, powered by HPE Aruba Networking Central, plays a pivotal role in this integration. It simplifies WAN operations by automatically building an overlay network of IPsec tunnels across various WAN circuits, automating the distribution of routes. Additionally, the Orchestrator extends its efficiency to the LAN within branch locations by creating a network of GRE or IPsec tunnels from APs to gateways. This dual approach ensures seamless communication and operational efficiency across both WAN and LAN spectrums, laying the groundwork for a SASE-based architecture.

With the introduction of HPE Aruba Networking AOS 10 architecture, the SD-Branch Orchestrator, integral to Central, now orchestrates secure IPsec and GRE tunnels, connecting every AP and switch port to the branch gateway within the cluster. This architecture is crucial for achieving high availability in branch deployments, with a pair of branch gateways handling the termination of WAN uplinks. The automatic tunnel orchestration process enhances network resilience, and site-based clustering facilitates the creation of tunnels among devices within each cluster, ensuring seamless connectivity and smooth operation.

Figure: Automatic tunnels to cluster leader

Centralized security with role-based policies

Centralized user management and security enforcement in the AOS 10 architecture involves clustering users within gateway clusters, thereby providing a unified management structure. A gateway cluster is a combination of two HPE Aruba Networking gateways operating as a single entity. This configuration provides high availability and service continuity for both wireless and wired clients in the network. Gateway clusters are essential for ensuring full redundancy to access points and switches and for maintaining consistent service to wireless and wired clients in case of a failover.

HPE Aruba Networking gateways enforce consistent policies for both wired and wireless connections, utilizing dynamic segmentation to ensure comprehensive access control. Moreover, gateways are equipped with an application-aware firewall and threat management capabilities, including IDS/IPS, extending protection to all east-west traffic. This multifaceted security approach creates a network environment that is not only secure but also adaptable to the evolving needs of users.

This setup is about more than just centralization; it enhances user mobility and security. It supports fast roaming capabilities across L3 domains behind the gateway cluster, thereby ensuring that users experience seamless connectivity as they move across the network.

The EdgeConnect SD-Branch solution maintains user-role context across LAN, WLAN, and the SD-Branch gateway, addressing the challenge of implementing user-centric security policies by integrating advanced SD-LAN capabilities that go beyond merely establishing tunnels. This approach involves a sophisticated coordination of authentication processes, ensuring that when a user is authenticated on an AP or Switch, their associated role is automatically learned and enforced by the gateway.

The role assigned to a user upon authentication at the network edge is instantly and reliably propagated to the gateway. This automatic synchronization of user roles across LAN, WLAN, and the SD-Branch gateway contrasts with legacy systems which rely on user-role snooping approaches or API-driven user-role learning that can introduce delays and inconsistencies. The branch gateway cluster acts as a RADIUS proxy server for tunneled SSIDs, a method that not only secures but also streamlines the user experience by maintaining a consistent user-role context throughout the network. This proactive role management is a clear differentiator, offering dynamic, role-based security policies that are applied with the immediacy that modern network environments demand.

By automating this process, EdgeConnect SD-Branch enables a user-centric security model that is both responsive and resilient, ensuring that security measures keep pace with the dynamic nature of user access and network traffic patterns, thereby facilitating a seamless and secure network experience.

Figure: Centralized security

The benefits of the fusion between SD-WAN and SD-LAN

The integration of SD-WAN and SD-LAN within EdgeConnect SD-Branch represents a significant advancement in enterprise networking, exemplifying both technological innovation and a commitment to addressing modern network challenges. This fusion ensures efficient utilization of network resources, delivering consistent, high-quality service and greater agility in network management. By quickly adapting to changing network usage patterns and requirements, and optimizing operations and security, this unified approach allows organizations to manage LAN and WAN networks from a single platform to enable security-first networking. Additionally, EdgeConnect SD-Branch is tightly integrated with HPE Aruba Networking SSE (Security Service Edge) to form a unified SASE platform, adding advanced cloud-delivered security functions such as ZTNA (Zero Trust Network Access), SWG (Secure Web Gateway) and CASB (Cloud Access Security Broker).

Ease of implementation and management

One of the key benefits of EdgeConnect SD-Branch is its simplicity in implementation and management. The solution's design focuses on reducing the complexity traditionally associated with network setups, especially in environments that require both WAN and LAN capabilities. This streamlined approach not only reduces the time and resources needed for deployment but also simplifies ongoing network management. It empowers organizations to manage their networks more effectively, with less reliance on specialized IT skills for everyday operations, and paves the way for the integration of SSE, which further streamlines network security management.

Looking ahead

As we look towards the future of enterprise networking, the challenges and demands will continue to evolve. In this ever-changing landscape, EdgeConnect SD-Branch stands not just as a product of today's innovation, but as a platform equipped for tomorrow's advancements. Our pioneering role in integrating SD-WAN and SD-LAN, coupled with a proven track record in security, underscores our commitment to delivering a common foundation for network and security. The principles of SASE are deeply embedded in our roadmap, ensuring that EdgeConnect SD-Branch will continue to evolve and meet the needs of a secure, cloud-centric networking future.

To learn more about the capabilities and details of SD-Branch orchestration, please refer to the SD-Branch Orchestrator Tech Note. For broader insights into our network architecture and solutions, explore the AOS 10 architecture overview, EdgeConnect SD-Branch web page, and Unified SASE webpage.

[1] Strategic roadmap for enterprise networking, Gartner 2023