Aruba Networks has announced SD-Branch, a platform that offers SD-WAN capabilities plus the ability to manage branch switches and APs—presuming you have the right gear.
However, to get the platform’s full capability, you need to be all-in on Aruba products, including ClearPass, Aruba Central, Aruba APs, Aruba switches (depending on branch size), and the branch and headend SD-WAN boxes.
Here’s how all the pieces and parts fit together. Let’s start with the SD-WAN features.
SD-Branch has table-stakes features for SD-WAN, including dynamic path selection that supports any combination of MPLS, broadband and LTE links at each branch.
Traffic can be directed to the appropriate link based on business policy, application, user role, device, and even link performance. Aruba says it can identify up to 2,600 applications against which it can enforce policies.
As for performance, administrators can set requirements around delay, jitter and loss. The gateway devices regularly monitor link performance and can, even in mid-flow, shift application traffic from one link to another if performance on one link drops below the application’s assigned threshold.
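The threshold-based steering described above can be modeled in a few lines. This is an added example, not Aruba's code: the link names, threshold values, probe measurements and the stay-while-compliant rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sla:  # per-application thresholds set by the administrator (constructed values)
    max_delay_ms: float
    max_jitter_ms: float
    max_loss_pct: float

@dataclass(frozen=True)
class Probe:  # one link measurement, as periodic gateway monitoring might report it
    delay_ms: float
    jitter_ms: float
    loss_pct: float

def meets(sla, p):
    return (p.delay_ms <= sla.max_delay_ms
            and p.jitter_ms <= sla.max_jitter_ms
            and p.loss_pct <= sla.max_loss_pct)

def steer(sla, preference, current, probes):
    """Pick the link for a flow after one probe round.

    Assumptions of this sketch: stay on the current link while it complies,
    else take the first preferred link that complies, else the least-bad link.
    """
    if current in probes and meets(sla, probes[current]):
        return current
    for link in preference:
        if link in probes and meets(sla, probes[link]):
            return link
    # No compliant link: lowest loss, then lowest delay; keep current if no data.
    return min(probes, key=lambda l: (probes[l].loss_pct, probes[l].delay_ms),
               default=current)

def replay(sla, preference, rounds):
    """Return the link chosen in each round, starting on the most preferred link."""
    current, chosen = preference[0], []
    for probes in rounds:
        current = steer(sla, preference, current, probes)
        chosen.append(current)
    return chosen

VOICE = Sla(max_delay_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
PREFERENCE = ["mpls", "broadband", "lte"]
P = Probe
ROUNDS = [  # constructed measurements, one dict per probe round
    {"mpls": P(20, 2, 0.0), "broadband": P(35, 8, 0.2), "lte": P(60, 15, 0.5)},
    {"mpls": P(20, 2, 3.0), "broadband": P(35, 8, 0.2), "lte": P(60, 15, 0.5)},
    {"mpls": P(20, 2, 0.0), "broadband": P(35, 8, 0.2), "lte": P(60, 15, 0.5)},
    {"mpls": P(20, 2, 0.0), "broadband": P(35, 45, 0.2), "lte": P(60, 15, 0.5)},
    {"mpls": P(20, 2, 5.0), "broadband": P(200, 8, 2.0), "lte": P(180, 15, 2.0)},
]
```

Replaying the five rounds shows the flow leaving MPLS when loss crosses the threshold, staying on broadband after MPLS recovers, and falling back to the least-bad link when nothing complies.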
An IPsec overlay connects branch SD-WAN gateways to a headend gateway at the customer’s main site. The branch gateways also support direct Internet breakout for SaaS applications, eliminating the need to send traffic from a branch to HQ and then to its destination.
The branch gateway includes security capabilities such as firewalling and URL filtering, and can integrate with third-party security devices and Web-based services such as Zscaler.
The branch and headend gateways are managed via Aruba Central, Aruba’s cloud-based portal that’s also used to manage Aruba APs and switches.
Administrators can set and deploy policies in Aruba Central and monitor ongoing operations from the portal.
Aruba’s SD-WAN capabilities align with what’s expected from products in this category. But Aruba knows that it’s coming late to the SD-WAN market, so the company is trying to position SD-Branch as a more comprehensive solution for managing your branch infrastructure.
Aruba highlights three ways it sees SD-Branch as more comprehensive: dynamic segmentation, more unified branch deployments, and reduced branch infrastructure.
1. Dynamic Segmentation
With dynamic segmentation, security and access policies can be managed by device type and role, rather than by ports.
For instance, instead of carving out one VLAN and a set of ACLs for Point of Sale devices, and another VLAN and set of ACLs for IoT devices such as security cameras, you can define roles and policies by device within ClearPass.
You could, for example, define a set of rules and policies for PCI, and a separate set for IoT. Then, when you plug a PoS device into the network, ClearPass will fingerprint the device and add it to the PCI segment, while a security camera is automatically assigned to the IoT segment.
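The difference between port-based and role-based assignment is easiest to see when a device lands on the wrong port. The following is an added conceptual model, not ClearPass configuration or Aruba code: the port names, fingerprint attribute, profiling rules, destinations and the fail-closed `quarantine` role are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    mac: str
    dhcp_vendor_class: str  # one attribute a profiler could observe (constructed)

# Port-based model: the segment follows the switch port, whatever is plugged in.
PORT_SEGMENT = {"gi1/0/1": "pci", "gi1/0/2": "iot"}

# Role-based model: the segment follows the profiled device. First match wins.
PROFILE_RULES = [
    (lambda d: d.dhcp_vendor_class.startswith("pos-terminal"), "pci"),
    (lambda d: d.dhcp_vendor_class.startswith("ipcam"), "iot"),
]

# Per-role allow lists of (destination, port); anything not listed is denied.
ROLE_POLICY = {
    "pci": {("payment-gw", 443)},
    "iot": {("video-recorder", 554)},
    "quarantine": set(),  # assumption: unrecognized devices fail closed
}

def segment_by_port(port):
    return PORT_SEGMENT.get(port, "quarantine")

def segment_by_role(device):
    for matches, role in PROFILE_RULES:
        if matches(device):
            return role
    return "quarantine"

def permitted(role, dst, dst_port):
    return (dst, dst_port) in ROLE_POLICY[role]

# Constructed devices; MACs use the RFC 7042 documentation range.
POS = Device("00:00:5e:00:53:10", "pos-terminal-7")
CAMERA = Device("00:00:5e:00:53:20", "ipcam-dome")
LAPTOP = Device("00:00:5e:00:53:30", "generic-laptop")

def compare(device, port):
    """Return (segment under port-based rules, segment under role-based rules)."""
    return segment_by_port(port), segment_by_role(device)
```

A camera patched into the PoS port ends up in the PCI segment under the port-based model, while the role-based model keeps it in IoT regardless of port.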
2. Unified Branch Deployments
Dynamic segmentation feeds directly into the second benefit, which is a more unified deployment of branches. Aruba is targeting retail and other sectors where it’s crucial to bring branches online as quickly as possible.
By having more centralized mechanisms for policy definition and enforcement, the idea is that customers can template their branch deployments, which should lead to speedier rollouts on day one, and simpler management for day two and onward.
If your branches also use Aruba switches and Aruba APs, you can now manage all of that, as well as SD-WAN, from Aruba Central.
3. Reduced Infrastructure
Aruba also highlights the opportunity to collapse the number of discrete functions (for instance, router, firewall, WAN optimization, Web filter, VPN, etc.) into a single branch gateway.
You might also not need an access switch for the APs, because the branch gateway device can come with up to 24 ports, meaning the gateway also serves as the access switch.
This is a compelling opportunity, but it’s not unique to Aruba. Most SD-WAN vendors go to market with a similar story. For instance, Viptela is happy to serve as your branch’s router and firewall as well as SD-WAN gateway, and Silver Peak offers a WAN optimization option in its gateways.
That said, by collapsing multiple functions into one device, you reduce the number of overall devices you have to configure, manage, update, and power. When you multiply that by x number of branches, the benefits are clear.
The Big Ask
If you’ve already bought into Aruba, particularly ClearPass, then SD-Branch seems like a strong candidate for customers in the market for an SD-WAN option.
However, if you’re just looking for pure-play SD-WAN, I think Aruba is asking a lot of potential customers. That’s because key capabilities such as dynamic segmentation are only possible with ClearPass and Aruba-brand switches.
And while ClearPass can be used to set access policies for third-party switches, those switches can’t be managed from Aruba Central, which is a strike against Aruba’s positioning around unified management.
Aruba says you can buy SD-Branch gateways and get a full-featured SD-WAN with multi-path selection and the like, but if you want the whole enchilada, you’ll need one of everything on Aruba’s menu.