Aruba Central, Central 2.5.2 SD-WAN Solution User guide

Aruba
SD-WAN Solution
User Guide
Copyright Information
© Copyright 2020 Hewlett Packard Enterprise Development LP.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General
Public License, and/or certain other open source licenses. A complete machine-readable copy of the
source code corresponding to such code is available upon request. This offer is valid to anyone in
receipt of this information and shall expire three years following the date of the final distribution of
this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a
check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company
6280 America Center Drive
San Jose, CA 95002
USA
Contents
About This Document
Intended Audience
Related Documents
Conventions
Terminology Change
Contacting Support
Aruba SD-Branch Solution
Why SD-WAN?
Key Features and Benefits
Understanding SD-WAN
What are the Solution Requirements?
Supported SD-Branch Components
Getting Started
Onboarding Devices to Aruba Central
Assigning Subscriptions to Aruba Gateways
Assigning Gateways to a Group
Assigning Gateways to Sites
Assigning Labels to Gateways
Assigning a Group Role to an Aruba Gateway Group
Connecting Aruba Gateways to Aruba Central
Recovering an Aruba Gateway
Configuring Communication Ports
Certificates
Provisioning Aruba Gateways in Aruba Central
Different Modes of Configuring Gateways and Gateway Groups
Configuring Branch Gateway Groups Using the Guided Setup
Configuring Branch Gateways Using the Guided Setup
Configuring VPN Concentrator Group Using the Guided Setup
Configuring VPN Concentrators Using the Guided Setup
Deploying Aruba Virtual Gateways
Features Supported by Virtual Gateway
Virtual Gateway Redundancy
Software Image for Virtual Gateways
Deploying Aruba Virtual Gateways in AWS
Deploying Aruba Virtual Gateways in Microsoft Azure
Deploying Aruba Virtual Gateways in VMware ESXi (Unmanaged Mode)
Provisioning Virtual Gateways to Groups
Troubleshooting Deployment Issues
High Availability Support for Aruba Virtual Gateways
Monitoring Virtual Gateways
Configuring an SD-Branch Network Using the Advanced Setup
Configuration Checklist
Configuring Address Pools for Aruba Gateways
Uploading Bulk Configuration Template
Configuring System Information on Aruba Gateways
Creating a New User with Certificate Authentication
Enabling Console Block
Configuring Servers for Management User Authentication
Configuring VLANs on Aruba Gateways
Configuring SLB using NAT
Configuring Ports
Configuring Uplinks
Managing 9004-LTE Branch Gateway
Configuring WAN Health Check
Configuring WAN Interface Bandwidth Priorities
Configuring the SD-WAN Overlay Network
Configuring the SD-WAN Hub Mesh Topology
Configuring Site-to-Site VPN
Configuring Site-to-Site VPN with GRE Tunnel
Configuring IKE Policies
Routing
Example of a Prefix List
Example of an OSPF Route Map
Example of a BGP Prefix List
Creating a Route Map
Configuration Example
Aggregating Routes
Configuring Policies for PBR
Configuring Policies for Dynamic Path Steering
SaaS Application Traffic Management with SaaS Express
Configuring Aruba Gateways for Application Visibility and Control
Enforcing a Common Security Policy for Wired and Wireless Users
Configuring Firewall Policies and ACLs
Configuring User Roles for Clients
Configuring Authentication Profiles
Applying Policies to Gateway Interfaces
SD-Branch Redundancy
Configuring Aruba Gateways for Certificate-Based Authentication
Configuring Aruba Gateways for SNMP-Based Reporting
Viewing Gateway Configuration Status
Managing Configuration Overrides
Configuring Aruba Gateways for Syslog Message Collection
SD-WAN Overlay Tunnel and Route Orchestration
Configuring Overlay Network Using SD-WAN Orchestrator
Cloud Survivability
Advertising Overlay Routes
Monitoring SD-WAN Overlay Tunnels and Routes
Aruba SD-Branch Integration with Zscaler Cloud Security Service
Integrating SD-Branch with ZIA
Setting up Tunnels to ZIA
Additional References
Configuring Prisma Access
Aruba SD-Branch Integration with Zscaler through Cloud Connect Service
Additional References
Configuring ZIA for API Access in Zscaler Admin Portal
Onboarding a Cloud Provider Account in Aruba Central
Orchestrating Tunnels to the Nearest ZIA Public Service Edge
Configuring Zscaler Nexthop List
Adding Nexthop List to PBR Policy
Verifying Tunnel Status
Aruba SD-Branch Integration with Prisma Access
Deployment Scenarios
Branch Gateways to Prisma Access
Regional Hub to Prisma Access
Supported IKE and IPsec Cryptographic Profiles
Aruba SD-Branch Integration with Check Point
Supported IKE and IPsec Cryptographic Profiles
Configuration Steps
Configuring Check Point for SD-Branch Integration
Configuring Aruba Gateways for Integration with Check Point
Aruba SD-Branch Integration with Symantec WSS
Integration Overview
Role-Based and Application-Based Routing
Supported IKE and IPsec Cryptographic Profiles
Configuring Symantec WSS
Micro Branch Redundancy Architectures
Supported Topologies
Configuring a Micro Branch with Instant APs
Configuring Support for Aruba VIA Service
Configuring VIA
Configuring VPN IP Pool
Defining IKEv1 Shared Secret
Configuring VIA User Role
Creating VIA Server Group for Authenticating VIA Users
Configuring VIA Authentication Parameters
Loading and Applying VIA Certificates
Configuring and Attaching VIA Connection Profile
Uploading VIA Installer to VPN Concentrator
Provisioning Gateways Using Configuration Templates
Important Points to Note
Configuring Gateways Using a Template
Creating a Template Group
Assigning a Gateway to a Template Group
Creating a Configuration Template for Gateways
Customizing a Template Using Variable Definitions
Sample Template and Variables Files
Verifying Configuration Status
Backing up and Restoring Templates
Monitoring SD-Branch
Monitoring Gateway
BGP Details > Neighbors
BGP Details > Routes
Device Info
WAN Summary
WAN Availability
VPN Availability
Usage
Throughput
Compression
Health Status
WAN Health—Global
WAN Health—Site
Monitoring Sites in the Topology Tab
Before You Begin
Grouping VPNCs
Viewing the Topology Tab
Monitoring SaaS Express
Gateway Alerts
Reports
Maintenance
Troubleshooting Devices
Enabling Gateway Logs
Gateway Diagnostic Tests
Updating Software Images on Aruba Gateways
Configuring Aruba Gateways for Syslog Message Collection
APIs
Chapter 1
About This Document
This user guide describes the Aruba Software-Defined WAN (SD-WAN) Solution and provides detailed
instructions for setting up, configuring, and managing SD-WAN Gateways from Aruba Central.
Intended Audience
This guide is intended for network administrators who manage and monitor branch networks.
Related Documents
In addition to this document, see the following documents for more details on the SD Branch devices and
Aruba Central:
• Aruba Central Help Center
• ArubaOS User Guide
• HPE-ArubaOS Switch Management and Configuration Guide
• Aruba ClearPass Policy Manager User Guide
Conventions
Table 1 lists the typographical conventions used throughout this guide to emphasize important concepts:
Type Style | Description
Italics | This style is used to emphasize important terms and to mark the titles of books.
System items | This fixed-width font depicts the following: sample screen output; system prompts.
Bold | Keys that are pressed; text typed into a GUI element; GUI elements that are clicked or selected.
Table 1: Typographical Conventions
The following informational icons are used throughout this guide:
• Indicates helpful suggestions, pertinent information, and important things to remember.
• Indicates a risk of damage to your hardware or loss of data.
• Indicates a risk of personal injury or death.
Terminology Change
As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling
HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products
and publications may continue to include terminology that seemingly evokes bias against specific groups of
people. Such content is not representative of our HPE culture and moving forward, Aruba will replace
racially insensitive terms and instead use the following new language:
Usage | Old Language | New Language
Campus Access Points + Controllers | Master-Slave | Conductor-Member
Instant Access Points | Master-Slave | Conductor-Member
Switch Stack | Master-Slave | Conductor-Member
Wireless LAN Controller | Mobility Master | Mobility Conductor
Firewall Configuration | Blacklist, Whitelist | Denylist, Allowlist
Types of Hackers | Black Hat, White Hat | Unethical, Ethical
Contacting Support
Main Site | arubanetworks.com
Support Site | support.arubanetworks.com
Airheads Social Forums and Knowledge Base | community.arubanetworks.com
North American Telephone | 1-800-943-4526 (Toll Free); 1-408-754-1200
International Telephone | arubanetworks.com/support-services/contact-support/
Software Licensing Site | lms.arubanetworks.com
End-of-life Information | arubanetworks.com/support-services/end-of-life/
Security Incident Response Team | Site: arubanetworks.com/support-services/security-bulletins/; Email: aruba-sirt@hpe.com
Table 2: Contact Information
Chapter 2
Aruba SD-Branch Solution
The Aruba SD Branch solution offers the best-in-class wireless and wired infrastructure and management
orchestration features with the SD-WAN capabilities. The SD Branch solution extends the SD-WAN concept
to all elements in the branch to deliver a full stack solution that addresses the business challenges of
distributed enterprises. Coupled with Aruba Central, the solution provides a cloud-hosted environment for
simplified operations and improved agility.
Why SD-WAN?
A traditional branch setup supports client connectivity requirements across different geographical locations
for various types of business operations. The sites in remote geographical locations serve as branch offices,
while the headquarters or main office serves as a data center that hosts network resources to store, manage,
and distribute data. The main office also hosts a centralized Virtual Private Network (VPN) management
system to aggregate traffic from the remote branch sites. A Wide Area Network (WAN)—with Multiprotocol
Label Switching (MPLS), T1, T3, Broadband, or Cellular links—is used for connecting multiple local area
networks to a central corporate network or data centers separated by distance.
Due to an increase in the number of client devices at the remote sites and the new bandwidth requirements,
branch office networks are expected to scale rapidly to provide an uninterrupted user experience. A traditional
branch infrastructure with multiple appliances, different operating systems, and management tools only
adds to the cost, involves a maintenance overhead, and demands skilled IT personnel.
The Aruba SD-WANsolution simplifies your branch deployments with a single management interface for
administering, managing, and monitoring your branch networks. It also provides a unified policy
enforcement framework with operational ease.
Key Features and Benefits
The SD-WANsolution comes with the following key capabilities:
nZero Touch Provisioning of devices—Ability to self-provision without operator's intervention.
nCentralized overlay management and control—A single cloud-based network management interface for
managing and monitoring SDBranch devices. Aruba Central, the cloud based network management
system, supports unified management of SDbranch devices with ZTP and hierarchical configuration.
nIPsec based Automatic VPN Tunnels—Support for high-performance and automatic IPsec VPN for secure
overlay networking.
nUnified security policy for wired, wireless, and WAN—Support for a common security policy framework
based on user roles for WAN, WLAN, and LAN users.
nDynamic path selection—Support for dynamically steering traffic or a service request to the best available
path. For example, you can configure a policy to dynamically route the real-time voice and video traffic on
the link with the lowest latency and jitter, and the bulk file traffic on the link with the maximum bandwidth.
nDeep Packet Inspection and Web Content Classification—Support for monitoring and analyzing application
usage by clients.
Aruba SD-WAN Solution | User Guide 9
Aruba SD-Branch Solution | 10
nVisibility, analytics, and troubleshooting—Dashboards for monitoring branch health, device performance,
and client connectivity metrics. Alerts, reports, and audit trails for monitoring and troubleshooting network
performance issues.
nPolicy-based Routing—In addition to the traditional destination-based routing, the SD Branch devices
support routing client traffic based on user role or type of application, For example, traffic generated from
the guest devices can be routed directly to the internet, while traffic from the employees can be routed to
the MPLS network.
For more information about how SD-WAN works, see Understanding SD-WAN.
Understanding SD-WAN
The SD-WAN solution includes a new set of devices called Aruba Gateways that interoperate with Aruba Switches
and Instant APs to provide a full-fledged WAN architecture.
Based on the size of your branch setup, you can choose the device combination that best suits your
requirement:
• Medium to large branches—For branches that require more than 24 ports, you can use a combination of
Branch Gateways and one or more Aruba switches at the branch site, with Aruba Gateways as
VPN Concentrators at the data center.
• Small to medium branches—For branches that require less than 24 ports (including all
WAN and LAN ports), you can deploy Branch Gateways at the branch sites, with Aruba Gateways as
VPN Concentrators at the data center.
• Micro branches—For micro branches, you can deploy an Instant AP cluster at the branch site, with
an Aruba Gateway as the VPN Concentrator at the data center.
See Supported SD-Branch Components for information on Aruba Gateways that can be deployed as
VPNCs.
Figure 1 shows a typical deployment topology of an SD Branch with Branch Gateways and a micro branch
with Instant APs:
Figure 1 SD Branch Topology
Figure 2 illustrates the communication flow between Aruba Central, branch sites, and data center.
Figure 2 Aruba Central and Cloud Communication
Figure 3 shows all elements in an SD Branch and the SD-WAN data flow.
Figure 3 Aruba SD-WAN Data Flow
What are the Solution Requirements?
The Aruba Gateways are the most important components of the Aruba SD-Branch Solution. The SD-WAN
Gateway portfolio includes Aruba Branch Gateways and VPN Concentrators.
At the Branch Site
The following are the components in a branch:
• Branch Gateways: Function at the branch to optimize and control WAN, LAN, and cloud security
services.
• Switches: Function with Branch Gateways to detect and isolate rogue APs, and blacklist rogue devices.
• Instant APs: Function as VPN clients at branch sites. The client data traffic from these APs is aggregated
by the VPN Concentrator located at the data center.
At the Data Center
At the data center, you can deploy Aruba Gateways as VPN Concentrators. For data center redundancy, you
can deploy two VPN Concentrators in the active-standby or active-active mode.
The following are the components operational at the Data Center:
• VPNC: A VPN Concentrator functions as a VPN management system that aggregates data traffic from
the branches and terminates IPsec VPN tunnels.
• Virtual Gateway: The headend gateway at the enterprise data center can be hosted as a virtual
appliance. The virtualized instance of the enterprise data center gateway in a public or private cloud is
referred to as a Virtual Gateway. Aruba Virtual Gateways function as VPN Concentrators.
For a list of supported Gateways, Switches, and APs, see Supported SD-Branch Components.
In the Cloud
A valid Aruba Central subscription is required for cloud-based administration, management,
configuration and monitoring of SD branch components such as Branch Gateways, VPN Concentrators,
Instant APs, and Aruba Switches.
Supported SD-Branch Components
The Aruba SD-WAN Gateway portfolio includes Aruba Gateways that function as Branch Gateways and
VPN Concentrators.
The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as
Branch Gateways:
Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version
Aruba 9004-LTE | ArubaOS 8.5.0.0-2.1.0.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.5.0.0-2.1.0.0
Aruba 9012 | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.5.0.0-2.0.0.4
Aruba 9004 | ArubaOS 8.5.0.0-1.0.7.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.5.0.0-2.0.0.4
Aruba 7210, 7220, and 7240XM | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.5.0.0-2.0.0.4
Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7008 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7005 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Table 3: Supported Aruba Gateways
The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as VPN
Concentrators:
Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version
Aruba 7280 | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7240XM | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7220 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7210 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
vGW-4G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
vGW-2G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
vGW-500M | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4
Table 4: Supported Aruba VPN Concentrators
Aruba Virtual Gateways also function as VPN Concentrators. The minimum supported software version
for Virtual Gateways is ArubaOS 8.1.0.0-1.0.4.1.
Data sheets and technical specifications for the supported Gateways are available at:
https://www.arubanetworks.com/products/networking/gateways-and-controllers/
The following table lists the hardware platforms and ArubaOS software versions for Aruba Switches and
Instant APs that can be deployed in the branch:
SD Branch Component | Hardware Platforms | Minimum Software Version
Aruba Switches | Aruba 3810 Switch Series | KB.16.05.0007 or later
Aruba Switches | Aruba 5400R Switch Series | KB.16.05.0007 or later
Aruba Switches | Aruba 2920 Switch Series | WB.16.05.0007 or later
Aruba Switches | Aruba 2930F Switch Series | WC.16.05.0007 or later
Instant APs | Aruba 310 Series and 300 Series Instant APs | Aruba Instant 6.5.3.x; Aruba Instant 8.3.0.0 or later
Table 5: SD Branch Site Devices
Chapter 3
Getting Started
To start using the SD-WAN solution, ensure that you have a valid Aruba Central subscription and licenses for
the SD-Branch devices.
• If you are an existing Aruba Central customer with a valid subscription key and device licenses, access the
Aruba Central UI and complete the provisioning tasks.
• If you are an existing Aruba customer with valid device licenses, but not an Aruba Central customer, sign up
for Aruba Central. After a successful registration, Aruba sends a verification e-mail with a link to the Aruba
Central portal. For more information, see Aruba Central Help Center.
Aruba Central offers a 90 day evaluation subscription for customers who want to try the Aruba cloud
solution for managing their networks. When you sign up for Aruba Central, an evaluation subscription
is automatically assigned, unless you purchased a subscription. To purchase subscriptions, contact the
Aruba support team.
Gateway Provisioning Tasks
Complete the following provisioning tasks to bring up your devices in the Aruba Central management
interface:
• Onboard Devices
• Assign Subscriptions
• Assign Devices to Sites
• Assign Labels
• Assign Groups
• Assigning a Group Role or Persona
• Provision Gateways
• Open Firewall Ports for Device Communication
Onboarding Devices to Aruba Central
If you are a registered Aruba Central portal user, Aruba Central automatically retrieves the devices associated
with your account and adds them to the device inventory. To verify that the devices are added to Aruba Central's
device inventory, navigate to Global Settings > Device Inventory in the Aruba Central UI.
The users with the evaluation subscription may have to add the devices manually using their Aruba
Activate credentials.
• If the devices are listed in the inventory, proceed to assign devices to groups, labels, and sites.
• If the devices do not show up in the inventory, click Sync Now to synchronize the inventory with the
Activate database.
• If the devices do not show up in the inventory even after the sync operation, manually add these devices.
Manually Adding Devices to Inventory
To manually add the devices, on the Device Inventory page, click one of the device addition options
described in the following table:
Device Addition Method | Description
Add by MAC Address/Serial Number | Allows you to add devices based on MAC address and serial numbers. You can add up to 32 devices.
Add with Cloud Activation Key | Allows you to add multiple devices from a single purchase order by using the cloud activation key. To add devices: 1. Enter the Cloud Activation Key and MAC address of the device. 2. Click Add. Aruba Central retrieves all devices that belong to the same purchase order and displays the list.
Add Using Activate | Allows you to retrieve the devices associated with an Activate user account. To add devices: 1. Enter the username and password of the Activate user account. 2. Click Add. The devices associated with the Activate account are retrieved and added to the list of devices displayed on the Device Inventory page. NOTE: You can use this option only once. After the devices are added, Aruba Central does not allow you to modify or re-import the devices using your Aruba Activate credentials.
Table 6: Adding Devices
Assigning Subscriptions to Aruba Gateways
For Aruba gateways to start functioning, you must onboard them to the device inventory in Aruba Central
and ensure that a valid subscription is assigned to each gateway. A valid subscription allows the gateway to
be managed by Aruba Central.
This section includes the following topics:
• Gateway Subscriptions
• Gateway Subscriptions with Security License
• Virtual Gateway Subscriptions
Gateway Subscriptions
Aruba Central supports the following types of subscriptions for gateways:
• DM Assigned: Displays whether the device management subscription has been assigned.
• Unassigned: Select gateway(s) and select Unassigned from the drop-down list to unassign the
subscription.
• Foundation: This subscription can be assigned to these gateways:
  ◦ Aruba 70xx series
  ◦ Aruba 72xx series
  ◦ Aruba 90xx series
• Foundation-Base: This subscription can be assigned to Aruba 70xx series and Aruba 90xx series
Gateways. Gateway devices with the Foundation-Base capacity subscription can support up to 75 client
devices per branch.
When the client capacity reaches the threshold:
  ◦ Aruba Central triggers the Gateway base license capacity limit exceeded alert.
  ◦ If the notification options for the Gateway base license capacity limit exceeded alert are configured,
Aruba Central sends an email notification with a list of Aruba gateways that exceed the client capacity
threshold. You can also configure alerts to trigger an incident using Webhook.
• Advanced: This subscription is available for all Aruba gateways. It allows users to use advanced features
and services such as SaaS Express. This subscription can be assigned to these gateways:
  ◦ Aruba 70xx series
  ◦ Aruba 72xx series
  ◦ Aruba 90xx series
Gateway Subscriptions with Security License
The following gateway subscriptions are packaged along with security license that includes the Intrusion
Detection and Prevention System (IDPS) feature. These subscriptions can be assigned to Aruba IDPS
supported gateways:
• Foundation with Security—All features of a Foundation subscription along with security license.
• Foundation-Base with Security—All features of a Foundation-Base capacity subscription along with
security license.
• Advanced with Security—All features of an Advanced subscription along with security license.
You can evaluate Aruba IDPS with Advanced with Security subscription for a period of 90 days.
Assigning Subscriptions to Gateways
To assign a subscription to a gateway, complete the following steps:
1. In the Account Home page, under Global Settings, click Subscription Assignment.
The Subscription Management page is displayed.
2. Under Gateway Subscriptions, select the device to which you want to assign a subscription.
3. Expand the drop-down in the Assignment column for the selected device.
4. Select the subscription; for example, Foundation.
5. To assign a subscription to multiple devices:
a. Select the devices in the table.
b. Click Batch Assignment.
c. Select the subscription to assign.
When a subscription assigned to a gateway expires, Aruba Central automatically assigns a valid subscription
from the same subscription category.
When you assign a subscription with security license, the gateways reboot to enable the traffic
inspection engine for the first time. It is recommended that you apply the security license after
business hours, as this might result in a downtime in the network.
When assigning subscriptions, if you change a subscription with security license to a subscription
without a security license, you must reboot the gateway manually to release the CPU resources that
were assigned to the traffic inspection engine. It is recommended to reboot the gateway after
business hours, as this might result in downtime in the network.
Virtual Gateway Subscriptions
Aruba Virtual Gateway is a virtual instance of the headend gateway for SD-WAN. Aruba Central supports
licenses based on the bandwidth capacity for virtual gateways. All license assignments are undertaken by
the virtual gateway orchestration app.
Aruba Central supports VGW licenses that cater to a variety of requirements. The options include one, three,
and five year periods and the bandwidth options are 500 Mbps, 2 Gbps, and 4 Gbps capacity licenses.
The base SKUs available are: VGW-500M, VGW-2G, and VGW-4G. The availability of SKUs is also dependent
on the installation consuming the license.
The account maintains a pool of VGW licenses. Upon license expiry, or if the license pool has no licenses left
(all consumed), the license is unassigned from the account. When deployed without valid or paid licenses,
four evaluation (90 day) licenses of each base SKU are allocated to every customer account.
License consumption can be tracked in the Key Management or Subscription Assignment pages.
The list of licenses available against consumed licenses are also displayed during the deployment of a virtual
gateway.
When the client capacity reaches the threshold:
• Aruba Central triggers the Gateway base license capacity limit exceeded alert.
• If the notification options for the Gateway base license capacity limit exceeded alert are configured,
Aruba Central sends an email notification with a list of Aruba virtual gateways that exceed the client capacity
threshold. You can also configure alerts to trigger an incident using Webhook.
For paid licenses, email notifications are sent out at 30-day intervals starting on the 90th day before
expiration, with the last notification a day before the expiry of the license.
For evaluation licenses, email notifications are sent out on the 30th day before expiration and a day
before the expiry of the license.
Assigning Subscriptions to Virtual Gateways
1. Under Virtual Gateway, select the device to which you want to assign a subscription.
2. Expand the drop-down in the Assignment column for the selected device.
3. Select the subscription SKU. For example, VGW-500MB.
4. To assign a subscription to multiple devices:
Aruba Central automatically assigns a valid subscription to a virtual gateway. When a subscription
expires, Aruba Central automatically assigns a valid subscription from the same subscription
category.
For more information on available SKUs, contact your Aruba Sales Specialist.
Assigning Gateways to a Group
A group in Aruba Central is a primary configuration element that acts like a container. In other words, groups
are a subset of one or several devices that share common configuration settings. Aruba Central supports
assigning devices to groups for the ease of configuration and maintenance. For example, you can create a
common group for Branch Gateways that have similar configuration requirements.
Aruba Gateway Groups for SD-WAN Deployments
The device groups in Aruba Central support the following features:
• Combining Branch Gateways of identical characteristics and configuration requirements under a single
group.
• Creating groups according to your branch requirements.
  ◦ You can create separate groups for the small, medium, and large sized branches.
  ◦ You can also create separate groups for the branch sites in different geographical locations; for example,
East Coast and West Coast branch sites. If these groups have similar characteristics with minor
differences, you can create the first group and then clone it.
  ◦ You can use either a single group for all the devices or deploy devices in multiple groups. For example,
you can deploy 7008 controllers and Aruba 2930F Switch Series with 24 ports in a single group for every
branch.
  ◦ You can also deploy 7005 controller and Aruba 2930F Switch Series with 24 ports in one group and
provision 7008 controller with Aruba 2930F Switch Series with 48 ports in another group.
• Provisioning Branch Gateways and VPN Concentrators in separate groups. As the configuration
requirements for Branch Gateways and VPN Concentrators are different, the Branch Gateways and
VPN Concentrators must be assigned to different groups.
• Combining different types of devices under a group. For example, a group can have Instant APs, switches,
and SD-WAN gateways.
Important Points to Note
• The groups in Aruba Central are not device-specific, so you can provision Branch Gateways, switches, and
Instant APs in a single group. However, VPN Concentrators and Branch Gateways must be assigned to
different groups.
• A device can be part of only one group at any given time.
• After assigning the SD-WAN gateways to groups, you must set the group persona or role as Branch
Gateway or VPN Concentrator.
To assign gateways to a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization > Groups.
The Groups page is displayed.
3. Under Manage Groups, from the devices table on the right, select the gateway that you want to
assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
5. Click Yes in the confirmation dialog box.
If the group is not available in the list, click New Group to create a new group, and then drag and drop
the gateways to the group that you just created.
Assigning Gateways to Sites
A site in Aruba Central refers to a physical location where a set of devices is installed; for example, campus,
branch, or a venue. You can create a branch or campus site; for example, Branch A or Campus A, for a
specific geographical location and assign devices to it. You can use these sites as filters for viewing your
deployment topology and for monitoring network and device health.
To assign gateways to a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization > Sites and Labels.
The Sites and Labels page is displayed. By default, the Sites page is displayed.
3. Under Manage Sites, locate the site to which you want to assign a device.
You can also add a new site by clicking New Site and providing details, such as site name and
address.
4. Click Unassigned to view devices that are not assigned to any site.
5. Select one or several devices from the list of devices.
6. Drag and drop the devices to the site on the left.
7. Click Yes in the confirmation dialog box.
For more information, see Sites in Aruba Central documentation.
Assigning Labels to Gateways
In Aruba Central, labels refer to the tags attached to a device provisioned in the network. You can use labels
for tagging devices to a specific area in a physical location, to an owner or a specific branch, or a business
unit. You can use these labels as filters for monitoring branch and device health, and generating reports.
To assign a label to a gateway, complete the following steps:
1. In the Network Operations app, set the filter to Global.
The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization > Sites and Labels.
The Sites and Labels page is displayed. By default, the Sites page is displayed.
3. Use the toggle switch to access the Labels page.
4. Locate the label to which you want to assign a device. You can also create a new label by clicking
Add Label and providing a label name.
5. In the table that lists the labels, you can perform one of the following actions:
• Click All Devices to view all devices.
• Click Unassigned to view all the devices that are not assigned to any labels.