Close

HPE Aruba Networking Blogs

Aruba’s Vision Delivers on the WAN Edge

By Ramanan Subramanian, Senior Director of Product Management for Aruba SD-WAN and SD-Branch

This blog is coauthored by Kishore Seshadri, Vice President and General Manager for SD-WAN, SD-Branch and User Experience Insights at Aruba. 

The Gartner 2020 WAN Edge Infrastructure Magic Quadrant was released recently and it is fascinating to see how the WAN Edge market has evolved over the last few years. The WAN market segment, which prior to 2015 was dominated by a single vendor, has changed dramatically over the last few years and the landscape continues to evolve rapidly.

HPE Aruba’s SD-Branch solution was featured for the first time in the Gartner 2019 WAN Edge Infrastructure Magic Quadrant as a Niche solution, and it has since moved into the Visionary Quadrant in the recently published Gartner 2020 WAN Edge Infrastructure Magic Quadrant.

It has been an incredible journey, starting with a launch in July 2018. The Aruba SD-Branch solution is now in production at over 450 customers across 70 countries, including several service providers and Fortune 500 companies. Our largest customers have networks with thousands of sites across tens of countries.

HPE Aruba recently doubled down on our investment in this space with the acquisition of Silver Peak, a Gartner WAN Edge Infrastructure Magic Quadrant Leader in its own right. With good momentum behind both the SD-Branch solution and the Silver Peak solution, this is a good juncture to reflect back on Aruba’s journey, explore the distinctions between Branch transformation and WAN transformation, and look ahead to the shifts in the market due to the COVID-19 pandemic and the entrance of the cloud security vendors into the SD-WAN space.

Early SD-WAN Motivators

We started looking at the SD-WAN market in late 2016. It was still early days for the SD-WAN industry, and while many customers had heard about SD-WAN, there was still anxiety about moving away from a time-tested albeit expensive solution (MPLS), to using the Internet as their primary WAN interconnect with equipment and services from a set of new entrants to the industry. Many customers had also outsourced the management of the WAN to a service provider and were nervous about either taking on the management of the WAN themselves (the DIY, Do It Yourself, model), or buying a new SD-WAN solution from their existing service provider (the managed service model).

Enterprise cited the following reasons as motivations for adopting SD-WAN:

  1. Save transport costs by moving from MPLS to the internet as macro trends indicated the need for increased WAN bandwidth to access SaaS and cloud-hosted services.
  2. Save operational costs by leveraging the automation and simplicity delivered by SD-WAN and move away from complex-to-manage networks with onerous router and service provider support contracts.
  3. Achieve better end-user experiences by utilizing SD-WAN application-based policies to prioritize and perform path conditioning using techniques such as Dynamic Path Steering (DPS) and Forward Error Correction (FEC) for businesses-critical applications.

At the onset of the journey, we spoke with more than 60 customers to understand the challenges they faced with their networks. Many of these customers managed large distributed networks with small centralized teams. Across these conversations, we observed a common set of issues plaguing network administrators.

Common Challenges

What become evident is that while the WAN was a source of concern and SD-WAN was perceived as a potential solution to those concerns, there were other serious challenges that were not being addressed by SD-WAN solutions:

  1. The proliferation of IoT devices, such as cameras, badge readers, HVAC systems, digital signage, and multitude of sensors, was becoming challenging to segment and isolate using VLANs.
  2. There was a proliferation of VLANs, often to deal with the desire to segment IoT devices. Each VLAN came with a tax in the form of ACLs, DHCP scope and firewall rules that resulted in a fragmentation of how policy and security were configured and enforced. This distribution of policy and security across different elements in the network resulting in the network becoming more brittle and breaking in hard-to-diagnose ways.
  3. With additional user devices (BYOD) and increasing adoption of Wi-Fi connectivity, the ability to securely onboard client devices was becoming vital. Although network access control (NAC) solutions were widely deployed in campus locations, this was seldom the case for branch locations.
  4. There was a rapid shift underway to SaaS and cloud. Many customers we talked to used terms like “NDC 2020” (No Data Center by 2020). It became clear that there would be an increasing demand to migrate workloads to public clouds and SaaS with the consequent need to optimize connectivity to these services.
  5. It was also becoming clear that connectivity and security were more tightly coupled and identity-centric (or user-centric) policies would become more important for both east-west and north-south access policies.
  6. The network overall, while often not large in terms of the number of network elements, had become complex and was challenging to troubleshoot across multiple management platforms.
  7. Most customers we talked to have no way of consistently measuring themselves and their teams’ performance with few defined KPIs to measure actual end-user experience.
  8. Last, but not least, with the proliferation of devices from a variety of vendors (best-in-class for wired, wireless and wide area, each with their own management platforms), came the problems of troubleshooting and monitoring across multiple panes of management glass.

Aruba Took a Different  Approach

Rather than take a siloed approach to solving these problems by building separate WAN gateways and security appliances, we decided to build a single gateway that would tightly integrate SD-WAN, security (UTM) and dynamic user-centric access control policies (SD-LAN). We named the solution Software Defined Branch (SD-Branch) and represented it with a simple equation where SD-Branch consists of SD-WAN and SD-LAN in a wrapper of security:

SD-Branch = SD-WAN + SD-LAN + Security

Given the speed at which the industry was transforming, we decided to offer only a cloud-managed solution built on Aruba Central. We recognized that there were customers averse to cloud management and who would prefer an on-premise management solution. However, the fact that the large cloud providers could offer better SLAs, higher levels of security, quicker turnups, elastic scale and richer connectivity heavily influenced our decision.

We were also introducing new technology that would require frequent upgrades and fixes, both of which are simpler to deliver in a cloud-managed model. These factors in addition to the macro shift to cloud convinced us that focusing on a cloud-only solution was the best option both for customers and for Aruba.

Our cloud solution, Aruba Central, allowed us to give our customers a true zero-touch experience for a spectrum of issues: from account sign-up to device onboarding to license management. It also obviated the need for the administrator to spin up VMs and deploy redundant management infrastructure in their data centers. Integrating with cloud providers and cloud hosted security vendors via APIs also allowed us to provide for a much simpler administrator experience while preserving the security model.

With Aruba’s industry leading wireless (Wi-Fi) and wired (switches) portfolio, the introduction of the security gateway enabled customers to manage the full-stack solution (Wired, Wireless, WAN, and Security) from a single pane-of-glass, namely Aruba Central. With such a solution, a network administrator could locate a problem client and trace the packet path from the client to the access element and across the SD-WAN fabric all the way to their workloads in the data center or cloud – an extremely difficult proposition when using multiple traditional management platforms. This allowed for end-to-end monitoring of user experience and for quick remediation of issues.

An added advantage of a cloud-managed solution was that analytics came built in with the solution and administrators could view time-series dashboards, get baseline trends, cluster events in the network and measure application performance across sites. The availability of elastic compute in the cloud combined with the ability to do cross-customer analytics allowed us to train AI/ML tools with large datasets.

Overcoming Scale Challenges

There were significant technology hurdles to overcome to deliver such a solution. The highest hurdle to cross was building a centralized cloud-native control plane. One of our largest customers at the time was looking to deploy over 15,000 gateways in a single network, and there were several others in the scale of thousands of sites. We also had service providers that planned to deploy tens of thousands of gateways across multiple tenants.

To compound the difficulty, an SD-Branch solution required the management platform to store not just WAN gateway state but also AP, switch and client state—two to three orders of magnitude larger than state-of-the-art SD-WAN solutions then prevalent in the industry. This required a completely rearchitecting of IPSec/DMVPN and BGP for the cloud, making these subsystems horizontally scalable and multitenant (for service provider customers) while maintaining the resiliency and leveraging the elasticity offered by the cloud.

The clear goal given to the engineering team was that our customers needed to be able to expand their footprint of gateways to thousands of locations overnight if needed, without any coordination with Aruba, and without worrying about the ability of the control plane to scale to their needs. This could either be a single customer turning up hundreds of sites per night (as a few of our customers did) or it could be hundreds of customers turning up tens of sites concurrently (subtly different engineering problems). It was equally important to make it trivial for someone to configure a WAN topology with a few clicks and realize that topology in their network.

We introduced the cloud control plane in mid-2019 and we haven’t looked back since. Existing customers migrated over and new customers easily adopted it from the start. Since its introduction we have expanded the cloud control plane’s capabilities to build automatic meshes with the necessary dynamic routing constructs with built-in loop prevention. Customers now run SD-WAN across thousands of sites with fully orchestrated tunnels and routes.

Cloud as the Network Center of Gravity

We partnered with the public cloud providers who were adding considerably to their networking capabilities (AWS Transit Gateway, Azure vWAN), and realized that the network inside the public cloud was becoming the network center-of-gravity for many of our customers. The cloud world relied heavily on programable constructs for a high degree of automation.

One example of this is a scenario where a virtual private cloud fails to a second availability zone. In the cloud provider world, such a failure is discovered not by routing protocols but using APIs. Rather than forcing network admins to learn these new public cloud constructs, we decided it was important to hide this complexity by automating the many steps it would require for the network admin to deploy a Virtual Gateway in AWS, Azure or GCP to extend their SD-WAN fabric to their public cloud.

With increasing SaaS adoption, our customers were asking for greater visibility into SaaS traffic performance and the ability to optimize SaaS traffic. With native Microsoft Office 365 API integration and with the ability to perform first-packet classification for key SaaS applications, we sought to provide greater visibility into SaaS traffic performance and improve end-user experiences by optimizing SaaS traffic across multiple WAN paths.

Solving Unique Challenges of SD-Branch

While a lot of heavy lifting was needed to solve the WAN problems, the LAN side of the network posed a unique set of problems that remained to be solved. A key differentiation of the SD-Branch solution is that it allows the administrator to define user-centric polices. This required the gateways to learn the identity and roles assigned to clients on the network.

We took the approach of having the gateways learn the user-role by eavesdropping on RADIUS interactions with NAC policy engine such as the Aruba ClearPass Policy Manager or even Cisco ISE. User-roles such as “employee” or “guest” for real end users, or roles such as “cameras” or “printers” for headless devices can easily be assigned at authentication time to a variety of end points. The roles themselves are derived by the policy engine which authenticates and profiles the devices that join the network. User-roles enable the administrator to define simple user-centric policies in near English language terms, for instance:

  • “Security” role can talk to “Camera” role to allow the physical security team to monitor cameras, but not allow camera malware to access any other part of the network
  • “Employee” role can talk to “Printer” role
  • “Employee” role voice traffic should be prioritized with an SD-WAN application SLA policy
  • “Guest” role traffic should bandwidth limited and split-tunneled directly out to the internet

The policies don’t need the specification of IP addresses or VLANs, but are completely dynamic in that they can simply refer to user-roles and can be defined once with a global network scope. This liberates the IT team from the old-world constraints of specifying static IP addresses, pinning devices to specific VLANs, and defining ACLs and firewall rules that refer to these static attributes. Roles are defined in a single place – the NAC system – and referenced and enforced everywhere near instantaneously. This also eliminates VLANs as the means for accomplishing segmentation and implementing security and policy and can result in a flattening of the network.

This capability results in a magical transformation in the way networks are managed and operated. We are convinced that such user-centric principles are the cornerstone of Zero Trust Networking and are essential in realizing a secure architecture. To further enhance both north-south security and east-west security, we added the IDS/IPS capability into the gateway, combining the telemetry from the IDS/IPS with endpoint identity information, again simplifying network and security operations. Each of these capabilities is managed entirely from Aruba Central.

On the gateway front, we realized that we had to deliver a range of hardware and software gateway appliances for different locations in the enterprise network. The SD-Branch gateway portfolio extends from 40 Gbps appliances, which are generally deployed in data center headends, to 4Gbps appliances with integrated 4G/LTE, that are deployed at branch locations. With internet speeds doubling roughly every three years, it was clear to us that deployed gateways had to have a long lifespan in the network.

Consequently we built even our lowest end branch gateways with 4 Gbps of firewall throughput with all key capabilities enabled (such as application classification and IPSec encryption). For very small sites where cost is a major factor (such as pop-up locations and teleworkers), we built a micro-branch solution that offers an integrated AP + Gateway appliance with virtual gateway capabilities embedded in the access point. These locations while small, still require the same enterprise-class experience by allowing the user to securely connect to the corporate SSID and access applications via a dedicated VPN.

During the pandemic, the micro-branch solution has proven to be crucial for many of our customers who have extensively deployed the solution and effectively transformed the work environment in the home to closely resemble the office environment. We also built a variety of form factors for virtual headends in public clouds with virtual gateways starting at 500 Mbps and extending all the way to 4 Gbps.

Continued WAN Transformation

The WAN Edge market is large and varied. While we have achieved a lot with Aruba SD-Branch in a very short period, we also recognized that it would take us considerable time and effort to meet all the needs of this wide market. While a segment of the market is seeking to transform their entire branch network, there is a significant portion of the customer base who are focused purely on WAN transformation with deep requirements in SD-WAN and WAN optimization. Our recent acquisition of Silver Peak helps meet the needs of such WAN transformation customers and gives us a comprehensive portfolio.

We have made a huge amount of progress in a very short time but feel like we are just getting started on the journey. Our customer conversations today are no longer about “should I do SD-WAN?” but rather about “how should I do SD-WAN?” or “how can I simplify the branch?” With the Silver Peak and SD-Branch solutions in our portfolio, we see many exciting opportunities to cross fertilize the two solutions and deliver exciting new innovations in the years ahead. The Gartner WAN Magic Quadrant placements for Silver Peak and SD-Branch are just a hint of things to come from Aruba!

Go Deeper

For an executive viewpoint on SD-Branch, download Software-Defined Branch for Dummies, published by Wiley.