Aruba’s SD-Branch Addresses WAN and Branch Transformation

PRODUCT ANALYSIS: With SD-WANs no longer enough for most modern businesses, Aruba’s SD-Branch solution extends the value proposition being delivered by them to encompass the entire branch environment.


The software-defined wide area network (SD-WAN) market is red hot as most businesses have not rearchitected the WAN in over 30 years. The current hub and spoke model based on MPLS was put in place to handle client/server traffic where the majority of company applications and data lived in the company data center. Today, cloud and mobility have disrupted that model and apps, users and data are scattered everywhere, driving the need for a complete WAN rethink.

SD-WANs Are Necessary but Not Sufficient

SD-WANs have been positioned as a panacea for all WAN problems as they promise a more agile network that’s easier to manage and faster to deploy. While this is certainly true of SD-WAN, it’s not enough for most modern businesses. SD-WANs address network-related issues between the branch and where the workloads reside in the cloud and data center, but the reality is that many network-related issues live inside the branch. More users and internet of things (IoT) devices are connecting at the edge of the network. So IT professionals need to broaden their thinking around SD-WAN, as it’s now more of a feature than a solution, and evolve their branch approach holistically. This is the concept of the software-defined branch (SD-Branch).

The branch discussion is about so much more than just using an SD-WAN to save a few shekels on MPLS. The branch is where business happens. In fact, for most organizations, the branch is the business. It’s also the place where many organizations are driving the growth of the business, demanding a richer digital experience and creating a need for a complete branch experience that considers the user, IoT and IT staff needs from the edge to the cloud to the core—all with strong security, simplified software operations and real-time performance data.

SD-Branch Extends to the LAN and WLAN

With this in mind, Aruba’s SD-Branch solution extends the value proposition being delivered by SD-WAN to encompass the entire branch environment. This includes the value of centrally managed and automated deployment features for the WAN, LAN and WLAN equipment, a single software-defined framework for managing and enforcing user and IoT policies, and providing IT with the needed visibility and orchestration tools to deliver fast and reliable services.

Three Pillars of Aruba’s SD-Branch

There are three pillars of Aruba’s SD-Branch:

1. Centralized management system with full provisioning, monitoring and troubleshooting capabilities for the entire branch—wired, wireless and WAN. IT professionals need a single pane of glass to reduce the complexity and lack of visibility related to using discrete systems to manage the LAN, WAN, WiFi network and security. A single management tool also shortens the learning curve for engineers and makes it easier to shift to a managed services model.

2. Unified policies for LAN and WAN using the role-based firewall capabilities in the Aruba Gateway. Businesses need to simplify the processes of onboarding devices and segmenting their network by traffic type. Aruba’s Dynamic Segmentation feature uses granular user, device and connectivity information to enforce policies on the wired LAN and wireless network for traffic headed to the WAN. Aruba’s differentiator is the combination of the Branch Gateway and ClearPass Policy Manager. Most SD-WAN vendors don’t have control of the LAN and wireless network and are limited to enforcing policy-based rules on the WAN.

Dynamic Segmentation broadens the scope of policy enforcement. As a user connects a smartphone or IoT device at the edge, ClearPass uses context to define privileges and then extends them to the SD-WAN links.

Examples of where this might be useful are:

  • Provide the CEO a specific address within the network and route the traffic that has the highest priority over the WAN.
  • Secure point-of-sale terminals by limiting access to specific software-as-a-service (SaaS) applications and route all traffic over a prioritized link.
  • Isolate HVAC devices to a specific network segment, without going to each switch to configure dedicated ports.
  • Route all guest traffic on the least cost internet route with a simple way to set priority of traffic.

All of these use cases can be implemented without manual configuration of virtual LAN (VLAN) and access control lists (ACLs), and are managed from one place in the network using modern software-defined techniques.

3. The Branch Installer Application streamlines the provisioning of new branch locations or speeds up the expansion of existing environments. The app lets IT professionals centrally see what devices are being installed and their bootup progress across the entire enterprise. Devices are automatically populated into Aruba Central for management as well. This ensures uniform network and security settings across the LAN and WAN for all sites, while eliminating costly on-site visits. This is much more comprehensive than some zero touch provisioning systems that recognize a MAC address and download a configuration for each device. Also, there is no manual mapping of templates to serial numbers, MAC addresses or other identifiers. This allows businesses to cut over hundreds of branches outside of business hours in a single night with scale and uniformity.

SD-WANs are on the rise, and most businesses have started the process of investigating the various solutions. It’s important to understand that the network doesn’t stop at the branch WAN edge. Transforming the network without transforming the branch local area network solves only part of the problem.

Zeus Kerravala is the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.