Aruba’s SD-Branch Part #1: Solution Components

Edit: You should also check out Ed Horley’s excellent take on Aruba’s SD-Branch presentation at


I saw a great presentation about Aruba’s SD-Branch offering as part of being a delegate for Network Field Day #21. I’m going to spend two posts covering SD-Branch as I am not extremely familiar with Aruba’s product line and I suspect I am not alone in that regard. In this first one I’ll go through the parts that form the solution and include a lot of links to help in finding additional information on the topic. In the next one, I’ll cover the needed licensing and some thoughts on the overall offering. For those that prefer graphics to a text-wall here you go:

The Formula for SD-Branch = SD-WAN + SD-LAN

Aruba defined SD-Branch as SD-WAN + SD-LAN – but that simply splits the question into two separate questions. For my understanding, SD-Branch is really about leveraging Aruba Central as a single-pane-of-glass for deployment, configuration, monitoring and troubleshooting. SD-Branch is a sum of bunch of things and customers can consume portions of Aruba’s product line without going “all-in” on SD-Branch…but I don’t see how you are SD-Branch without using Central.

SD-WAN, at this point, has a general working definition and can be recognized when an engineer sees it. The WAN features are implemented using Aruba’s gateway hardware running SD-Branch code/features. The solution uses three of the most common and then adds something new:

It’s this easy!
  • Transport Independence – like all solutions this is achieved via tunnels to form an overlay network and “pave” over the underlay/transport. This provides the ability to handle the features outlined below via routing.
  • Dynamic Path Selection – uses SLAs and monitoring to determine when traffic is seeing degradation and can move the traffic to the next-best, available path. Solution can take into account user specified preferences as well.
  • Policy-Based Routing – ability of the user to specify specific paths with preference to meet business, performance or other needs.
  • Reverse Path Pinning – this is a newer one I’ve not seen touted in other solutions. It ensures all traffic is symmetrically routed between locations.

SD-LAN on the other hand is not a term in common parlance. SD-LAN is defined by Aruba as Identity, Role and Destination Reputation being added into the mix to make forwarding decisions on the LAN side. These same attributes can be leveraged for path selection in the WAN. ClearPass is the product used for much of the underlying SD-LAN logic for security functions and ID. ClearPass is a powerful identity product and commenting too much about it is outside the scope of this particular posting… but I encourage folks to read more on it via Aruba’s site. Finally, much of the detail work in the policies for SD-Branch are configured back in ClearPass and then consumed in Central. This is common theme in using Central – you can pull pre-built pieces of configurations from other parts together but you cannot directly configure them in Central. Using Central plus Arubas’ branch gateways, switches and access points provide the following features:

  • Wired and Wireless Access – this provides standard access along with PoE(+) features to end point devices. Access is permitted, denied or filtered based on policy.
  • Traffic Analysis – the gateways and APs leverage DPI to understand traffic flows and can also use DNS look-ups for additional information. This analysis allows for fine-grained policy controllers and can be directed into third-party solutions for additional capabilities. These 3rd parties include Zscalar, Palo Alto Networks, Checkpoint and UCC applications. This feature is especially nice for DIA with breakout for cloud applications.
  • Internal Segmentation – policy is consumed on the hardware as defined in Central, leveraging ClearPass and features from Central. This allows for segmentation of internal traffic flows between users in the same subnet/vlan and between subnet/vlans. It also allows standard, stateful firewall inspection for flows exiting the branch.

So that covers the major parts of the solution, along with the features/benefits I see as key in the offering. Here are some links to help in finding additional reading on Aruba’s SD-Branch:

  • SD-Branch Midsized Design Guide – This is the best link for engineers looking to understand the components and features of the solution, along with how to deploy it.
  • SD-Branch Overview – Provides a more compact version of the above information and leaves out the deployment and design explanations. Good if you are looking to learn more without diving too deeply.
  • SD-Branch Simplification with Central – YouTube video from NFD21 presentation covering Central.
  • SD-Branch Overview, Video – YouTube video from NFD21 presentation covering the offering at a high-level.
  • SD-WAN Data Sheet – Covers the hardware and virtual parts of the SD-WAN portion and their features. This is a good next read or a standalone if you won’t be deploying all of the SD-Branch features.
  • Aruba Central Data Sheet – Covers Central with a few screenshots and its key features.
  • Dynamic Segmentation – Covers how ClearPass works with the rest of an Aruba stack to provide segmentation and security.
  • Dynamic Segmentation, Video – Demonstration and Overview of Segmentation in SD-LAN.
  • Aruba Saas Express – YouTube video from the NFD21 presentation showing SaaS connectivity/optimization.
  • Cloud Security Overview – YouTube video covering cloud integration and security.
  • Aruba SD-WAN Policies, Video – Demonstration of the features configuration and in action.
  • Orchestration Demo – YouTube video covering the orchestration of features inside the SD-Branch product bundle.

Disclosure: I was invited to participate in NFD21, and my participation is voluntary. Gestalt IT hosts the event and my transportation, accommodations, food and beverage is paid for by Gestalt IT for the duration of NFD21. I am not required to produce this post, and it was not reviewed or edited by Gestalt IT, other delegates or the sponsors of the event. I’ve edited this post a few times for typographic and similar issues and to add more links.