#ArubaAirheads

Aruba SD-Branch DesignDesign Fundamentals John Schaap, Consulting Systems Engineer, EMEA

September 26, 2019

2#ArubaAirheads

Agenda & Design GoalsAgendaSD-WAN Design• Headend Gateway Configuration• Branch Deployment Models• Branch Gateway Configuration• Dynamic Path Selection• Policy-Based Routing• Quality of Service

SD-LAN Wired Design• Branch Switch Configuration• Template Groups

SD-LAN Wireless Design• Branch Wireless Configuration• Wireless Authentication

3#ArubaAirheads

SD-Branch OverviewCloud-based Services– Aruba Activate for device onboarding– Aruba Central for management

– Hub Site– Headend gateway (VPNC)– WAN aggregation– Internet firewall

– Branch Sites– ZTP to deploy and configure– Single or dual branch gateways (BGW)– Single or dual WAN interfaces on BGW– Single or stacked access switches– Instant APs for employee and guest

Services Aggregation

VPNC

Private

LTE

Single Gateway

Dual Gateway

Dual Gateway 2-INET

WANAggregation

MPLSWAN Paths

INETLTE

Cloud Services

Branch Sites

Hub Site

SwitchAPBGW

Internet

4#ArubaAirheads

Cloud-based Management

– Aruba Central– Global Settings

– Device inventory– Subscription key management– Group management– Site management

– Gateway management– Wired management– Wireless management– Monitoring and reporting– Maintenance

Internet

Private

LTE

Cloud Services

Hub SiteBranch Site

SwitchAPVPNC

Dual Gateway

SD-LANSD-WAN

SD-Branch

BGW

Gateway ManagementWired Management

Wireless Management

5#ArubaAirheads

Aruba Activate and Central Interaction

– Aruba Activate• Devices are added to Activate at the time of purchase

• Activate credentials are added to Central

• Devices use ZTP to contact Activate servers, which redirect to the correct Central account

– Aruba Central• Central device inventory comes from Activate synchronization

• Devices can be manually added to Central with serial number and MAC address

• If devices are added to Central manually, your Activate account is automatically updated with their details

Cloud Services

ZTP

6#ArubaAirheads

Central Groups

– Groups are the primary configuration container for all devices managed in Central

– VPNC Groups• VPNC Gateways

– Branch Gateway Groups• Branch Gateways• Switches (optional)• IAP VCs

– Template Groups• Switches• Switch Stacks

7#ArubaAirheads

SD-WAN Design

8#ArubaAirheads

Headend (Hub) SiteDual-Gateway (VPNCs)– Terminate IPsec tunnels– VRRP for high availability with active/active tunnels– OSPF or BGP routing on LAN– Single interface and VLAN– Separate LAN and WAN interfaces supported– LACP for uplink port redundancy

• Central UI groups (type: VPNC)

– WAN Aggregation– Terminate private cloud– Private IP addressing

– Internet Firewall– Terminate INET cloud– Static NAT for public to private IP addressing

Internet

ServicesAggregation

VPNC-1

PrivateWANAggregation

OSPFArea 0

Hub Site

VPNC-2

VRRP .100

.10

.20

LACP

Private IP Addresses

Static NAT

Core

9#ArubaAirheads

Branch Deployment Models–Private and Internet• Private and Internet transports

• Optional LTE for backup

• IPsec tunnels on all paths

–Dual Internet• Two Internet transports

• Optional LTE for backup

• IPsec tunnels on all paths

–Uplinks Shared • Dual gateways peered to share their WAN

uplinks at a branch

• WAN ports must have different VLANs

• Virtual links forward traffic between themNOTE: Four active uplinks and one backup link are supported per branch

Private

Private

Single Gateway

Dual Gateway

Internet 1

Internet 1

Private and Internet Dual Internet

Internet 2

Internet 2

Internet

Internet

LTELTE

10#ArubaAirheads

Branch Gateway Topology & Configuration

LTE

– Virtual LANs• System IP with VLAN status on (always up)

• Management (infrastructure devices only)

• Employee wired and wireless (employee SSID)

• Guest wireless (guest SSID)

• WAN VLANs for each transport path

– IP Addressing• System IP address assigned from pool

• DHCP server on branch gateway for LAN VLAN

• VRRP w/ dual branch gateways for LAN VLAN

• DHCP client on Public WAN

• Static address w/ default gateway on Private WAN

– Power• External power adapter (7005) to avoid reboots on switch updates• PoE on LAN port for redundancy (7005)

– Central Configuration• UI groups (type: BG)

Management

Wired VLANs

EmployeeGuest Wireless

System IP (Pool)

Sys-IP

VRRP .1.3

Private (Static)

LTE (DHCP)INET (DHCP)

WAN VLANs

DHCP Server

Dual Gateway

Branch Site

VLAN Trunk

Private

Internet.2

Sys-IPDHCP Server

11#ArubaAirheads

Underlay Routing– Hub Site• MPLS: OSPF or BGP Private IP

• INET: OSPF or BGP Default Route

– Branch Site• MPLS: Static default route in underlay

with a cost of 15 (prevent Internet underlay traffic from using MPLS)

• INET: Dynamic default route in underlay with a cost of 10

• LTE: Dynamic default route in underlay with a cost of 50 (do not use unless other default routes are gone)

Internet

MPLS

LTE

INET Route Dynamic: 0.0.0.0/0

Cost: 10

MPLS Route Static: 0.0.0.0/0

Cost: 15

LTE Route Dynamic: 0.0.0.0/0

Cost: 50

Hub Site Branch SiteDual Gateway

INET Route OSPF: 0.0.0.0/0

MPLS Route OSPF: Private IP

WANAggregation

OSPFArea 0

12#ArubaAirheads

VPN Overlay*– Establish VPN Tunnels– MPLS tunnels use private VRRP address– INET and LTE tunnels use public NATed address

– Advertise Select Branch Subnets• Advertise management and employee branch subnets

with route summarization• IKE extension –OR–• SD-WAN Orchestrator

• Redistribute learned subnets into OSPF or BGP for use throughout the network

– Traffic Path• Send traffic destined for corporate into the overlay

tunnels• Reverse Path Pinning locks the return traffic to the same

overlay tunnel • Send traffic destined for Internet into the INET underlay

Advertise select branch subnets

Management

Wired VLANs

EmployeeGuest Wireless

System IP

Redistribute advertised branch routes

Internet

IPsec Tunnel

Corp Traffic

Internet Traffic

Branch SiteDual Gateway

Hub Site

VPNC

OSPFArea 0

* Automated with SD-WAN Orchestrator

13#ArubaAirheads

Overlay Routing*

Internet

MPLS

LTE

Hub Site10.2.0.0/16

Branch Site10.8.4.0/23

– Hub Site• LAN routes: OSPF or BGP• WAN routes

• IKE learned –OR–• SD-WAN Orchestrator

– Branch Site• Corporate summary routes which include all

HQ and branch network ranges• Set the same cost for ALL routes to let DPS

pick the preferred path• Static –OR–• SD-WAN Orchestrator

Learned Routes MPLS: 10.8.4.0/23

MPLS: 10.0.0.0/8Cost: 10

OSPFArea 0

* Automated with SD-WAN Orchestrator

INET: 10.0.0.0/8Cost: 10

LTE: 10.0.0.0/8Cost: 10

INET: 10.8.4.0/23

14#ArubaAirheads

SD–WAN Orchestrator*

* See AB222: Aruba SD-WAN Orchestrator Deep Dive for more information

INET

AcmeMPLS

Headend Gateways

LTE

MPLSInternet LTEMPLS

AcmeMPLS

AcmeMPLS

Turbo MPLS

Turbo MPLS

INET

Turbo MPLS

INET

Branch 1 Branch 2

Hub

GW Network

DC-1 10.0.0.0/8

BG-1 10.1.1.0/24

BG-1 10.1.2.0/24

BG-2 10.2.1.0/24

BG-2 10.3.1.0/24

SD-WAN overlay management using centralized control planeWAN links are auto-discovered and SD-WAN tunnels are orchestrated based on topologyNo legacy routing protocols on overlay SD-WAN FabricRoute distribution is based on centralized policy

Advantages• Centralized key management for tunnels• Centralized routing policies• Scalable and resilient• Supports flexible overlay topologies

15#ArubaAirheads

Dynamic Path Selection– Role and Application• Per user role (employee, guest, etc.)

• Classify important applications (Office, Skype, Salesforce, etc.)

• Voice, Video, Business Critical, Bulk, Best Effort, Scavenger

– Service Level Agreement• Configure SLA parameters per user and application category

– Delay, Jitter and Loss calculations

– Path Preference• Path preference

– MPLS, INET and LTE

• Fallback options per category

• Load balance selections when needed

Role + Application

SLA

Delay, Jitter and Loss

Path Preference

InternetMPLS LTE

Employee Guest

16#ArubaAirheads

Dynamic Path Selection (DPS) vs Policy-Based Routing (PBR)Administrator Decision Tree

WANRoutingTable

WANNext-Hop ListPBR

Add preferred paths to next-hop list

WANRoutingTable

Simple Routing?

Preferred Paths in Routing Table?

Yes

Yes

No

No

DPSChoose preferred paths

from routing table

DPSChoose preferred paths

from next-hop list

PrimarySecondaryTertiary

Preferred Paths

– Simple Routing• If no special treatment is needed,

follow the routing table

– DPS• If special treatment and preferred

paths are in the routing table, use DPS to choose based on SLAs

– PBR (Overrides Routing Table)

• If preferred paths are not in the routing table or if only specific paths are desired

• Add paths to Next-Hop List and allow DPS to choose based on SLAs

17#ArubaAirheads

Dynamic Path SelectionTraffic Flow

DPS Policy

MPLS INET LTE

Load balance equal cost paths

(7005-RS11) #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static, B - Bgw peer uplinkM - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/BranchI - crypto-cfgset, N - not redistributed

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 50S* 0.0.0.0/0 [0/10] via 192.168.2.1*

[0/10] via 192.168.10.1S 10.0.0.0/8 [0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp2_inet

[0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp1_inetI 10.2.255.2/32 [0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp2_inet

[0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp1_inetI 66.60.164.115/32 [0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp2_inet

[0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp1_inetC 10.8.255.200/32 is directly connected, VLAN5C 10.8.40.0/24 is directly connected, VLAN1C 10.8.41.0/24 is directly connected, VLAN20C 192.168.99.0/24 is directly connected, VLAN999C 192.168.10.0/24 is directly connected, VLAN4094C 66.60.164.115/32 is an ipsec map data-vpnc-00:0b:86:bb:bb:a7C 10.2.255.2/32 is an ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp1_inetC 10.2.255.2/32 is an ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp2_inetB 192.168.2.1 is Bgw peer uplink, Tunnel 15

Traffic Rule

Match

No

Yes Yes

No

Path Selection

PrimarySecondary

Tertiary

Routing Table

SLA profiles determine path choices

Uplinks

Dynamic Path Selection

Select equal cost paths from routing table

WAN

Paths

– Is there a DPS Policy?• No: Follow the routing table

• Yes: Check for user role traffic rule match

– Traffic Rule Match• No: Follow the routing table

• Yes: Use SLAs to determine the best path

– Path Selection• Primary, secondary, tertiary

– WAN Uplinks• Load balance equal cost paths

• Round Robin, Session Count, Bandwidth Utilization

• Backup path when all others are not available

18#ArubaAirheads

Policy-Based Routing (Overrides Routing Table)Traffic Flow

No

Yes Traffic Rule

Match

No

Action

Forward Regularly

YesNext Hop

List

DPS

Select equal priority paths from Next Hop List

((7005-RS11) #show ip access-list tunnel-employee

ip access-list route tunnel-employeetunnel-employee---------------Priority Source Destination Service Application DSCP Action NextHopListIpsecMap Tunnel TunnelGroup IPv4/6-------- ------ ----------- ------- ----------- ---- ------ ----------- -------- ------ ----------- ------1 any 10.0.0.0 255.0.0.0 any forward 42 any any any route corp-inet4

(7005-RS11) #show ip nexthop-list corp-inet

Nexthop-List Entries--------------------Name Dest Preemptive Failover Nexthop Nexthop DestNexthop Priority---- ---- ------------------- ------- ------------ ----------------corp-inet 0x4402 Enabled *data-vpnc-00:0b:86:bb:bb:a7-isp1_inet 0x4421 200

*data-vpnc-00:0b:86:bb:bb:a7-isp2_inet 0x4422 200

WAN

(7005-RS11) #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static, B - Bgw peer uplinkM - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/BranchI - crypto-cfgset, N - not redistributed

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 50S* 0.0.0.0/0 [0/10] via 192.168.2.1*

[0/10] via 192.168.10.1S 10.0.0.0/8 [0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp2_inet

[0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp1_inetI 10.2.255.2/32 [0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp2_inet

[0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp1_inetI 66.60.164.115/32 [0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp2_inet

[0/10] ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp1_inetC 10.8.255.200/32 is directly connected, VLAN5C 10.8.40.0/24 is directly connected, VLAN1C 10.8.41.0/24 is directly connected, VLAN20C 192.168.99.0/24 is directly connected, VLAN999C 192.168.10.0/24 is directly connected, VLAN4094C 66.60.164.115/32 is an ipsec map data-vpnc-00:0b:86:bb:bb:a7C 10.2.255.2/32 is an ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp1_inetC 10.2.255.2/32 is an ipsec map data-vpnc-00:0b:86:bb:bb:a7-isp2_inetB 192.168.2.1 is Bgw peer uplink, Tunnel 15

Policy Based Routing

Routing Table

PBR Policy

Next Hop List

PrimarySecondaryTertiary

Preferred Paths

– Is there a PBR Policy?• No: Follow the routing table

• Yes: Check for a user role traffic rule match

– Traffic Rule Match• No: Follow the routing table

• Yes: Choose from list of actions• Forward Regularly: Follow the routing table

• Next-Hop List: Add preferred paths

– Path Selection• Primary, secondary, tertiary

– DPS / WAN• Follow the traffic flow for DPS using Next-Hop

List instead of the routing table

19#ArubaAirheads

Quality of Service– Role-based Marking on Ingress• 802.1p CoS for queuing (0-7)

• Optional: DSCP for SP (0-63)

• Role assigned on incoming LAN VLAN

• DPI engine application categories

– WAN Scheduler on Egress• Four queues based on CoS

• Strict priority for real-time applications like Voice

• Deficit round robin (DRR) with bandwidth percentages for business-critical applications

• Remaining applications get DRR best-effort

– SD-WAN QoS Supplemental Guide http://bit.ly/Aruba-AB221

Application Marking WAN Scheduler

Applications CoS(required)

DSCP (optional)

WAN Scheduler

Interface Queue

Real-time / Voice Apps 5 EF (46) Strict PQ 0

Enterprise Apps 4 AF31 (26) DRR –50%

1

Collaboration Apps 3 AF21 (18) DRR –20%

2

All Remaining Apps 0 DF (0) DRR –30%

3

Gateway Ingress Egress

4-ClassQueuingModel

20#ArubaAirheads

Headend Gateway Platforms (VPNC)

Platform Max tunnels

Max IKE learned routes

Max routes in the routing table (RIB)

Max routes in the forwarding table (FIB)

WAN compression

Crypto throughput

7240XM 6144 30000 131072 32768 10 Gbps 28 Gbps

7220 4096 20000 65536 16384 10 Gbps 21 Gbps

7210 1024 6000 32768 8192 10 Gbps 8 Gbps

7030 512 3000 4096 2048 2.5 Gbps 2.6 Gbps

7010/7024 512 1500 2048 1024 2.5 Gbps 2.6 Gbps

http://help.central.arubanetworks.com/2.4.8/documentation/online_help/content/public_cloud/get_started/supported_gateways.htmCentral Supported Gateways:

21#ArubaAirheads

Branch Gateway Platforms

Platform Client devices

Firewall throughput

Crypto throughput

Active firewall sessions

Firewall sessions per second

Tunneled node ports

7030 4096 8 Gbps 2.6 Gbps 65,536 65K 2048

7010/7024 2048 4 Gbps 2.6 Gbps 32,768 64K 1024

7005/7008 1024 2 Gbps 1.2 Gbps 16,384 63K 512

http://help.central.arubanetworks.com/2.4.8/documentation/online_help/content/public_cloud/get_started/supported_gateways.htmCentral Supported Gateways:

22#ArubaAirheads

SD-LAN Wired Design

23#ArubaAirheads

Wired Design Overview– Access Switches• Single or stacked

• Power over Ethernet

• Employee wired ports

• IoT wired ports

• AP ports for wireless access

• Layer-2 or layer-3 (Orchestrator)

Branch Site

Stack

Dual Gateway

24#ArubaAirheads

Branch Switch Configuration– Virtual LANs• Management (infrastructure devices only)

• Employee LAN and WLAN (employee SSID)

• Guest Wireless (guest SSID)

• VLAN Trunk to branch gateway over single port or LACP

– IP Addressing• DHCP client in Mgmt VLAN on switch

• Employee and guests get DHCP address from BGW

– Central Configuration• Template groups for the most flexibility

• UI groups for basic switch configuration

Branch SiteDual Gateway

Management (DHCP) Wired VLANs

EmployeeGuest Wireless

Employee

Employee

VLAN Trunks

25#ArubaAirheads

Template Groups– Templates• Create “golden” switch template

• Best practice features

• Common configuration across branches

• Create template group and template name• Template group per switch family• Template name per switch type

• Import golden template• Add golden template switch to group

• Import template (creates system variables)

– Variables• Update or add unique variables

• Switch name, static IPs, etc.

interface vlan 5ip address 10.8.255.200 255.255.255.255operstate updescription "System IP"

!

interface vlan 1ip address 10.8.40.2 255.255.255.0ip nat insidedescription "Management"

!

interface vlan 20ip address 10.8.41.2 255.255.255.0ip nat insidedescription "Employee"

!

interface vlan 999ip address 192.168.99.2 255.255.255.0ip nat insidedescription "Guest WiFi"

!!

Golden Template

interface vlan 5ip address 10.8.255.200 255.255.255.255operstate updescription "System IP"

!

interface vlan 1ip address 10.8.40.2 255.255.255.0ip nat insidedescription "Management"

!

interface vlan 20ip address 10.8.41.2 255.255.255.0ip nat insidedescription "Employee"

!

interface vlan 999ip address 192.168.99.2 255.255.255.0ip nat insidedescription "Guest WiFi"

!!

Final Configuration

26#ArubaAirheads

Branch Switch Forwarding

–Access Switches• Operational access in Mgmt VLAN

• Default gateway comes from DHCP for management and user VLANs

• Corporate traffic in overlay tunnels

• Internet traffic in INET underlay

Corp Summary Route

10.0.0.0/8

INET Route 0.0.0.0/0

Default Gateway 0.0.0.0/0

Branch SiteDual Gateway

DHCP Client

Management (DHCP)Wired VLANs

EmployeeGuest Wireless

27#ArubaAirheads

Branch Switch Platforms–Access Switches– 5400R: Modular, redundant management, hot swappable power supplies,

advanced layer-2/3, up to two switches with VSF stacking, up to 96 HP Smart Rate Multi-Gigabit or 288 1-GbE ports with PoE+

– 3810M: Advanced layer-2/3, up to ten switches with backplane stacking, 2-power supply, smart rate multi-GbE, 10 and 40GbE modular uplinks, 24 and 48-ports 10/100/1000 PoE+

– 2930M: Layer-2/3, up to ten switches with backplane stacking, 2-power supply, smart rate multi-GbE, 10 and 40GbE modular uplinks, 24 and 48-ports 10/100/1000 PoE+

– 2930F: Layer-2/3, up to eight switches with VSF stacking, 1 and 10GbE uplinks; 8, 24 and 48-ports 10/100/1000 PoE+

http://help.central.arubanetworks.com/2.4.8/documentation/online_help/content/public_cloud/get_started/supported_switches.htmCentral Supported Switches:

28#ArubaAirheads

SD-LAN Wireless Design

29#ArubaAirheads

Wireless Design Overview– Site Survey*• Recommended for all wireless installations

– Instant (same hardware as campus APs)

• Layer-2 adjacent APs form a cluster

• One AP elected as a virtual controller (VC)

• Some services are distributed, some are run on the VC

• Clusters can scale to 128 APs– We recommend wireless expert help for clusters over 50 APs– If AP models are mixed use highest performance for VC

Branch SiteDual Gateway

Layer-2 IAP Cluster

VC

Stack

*Required by law to mention site surveys

30#ArubaAirheads

Branch Wireless Topology– Physical• Stagger APs into different switches in stack

– Virtual LANs• Management (infrastructure devices only)

• Employee (employee SSID)• Guest (guest SSID)• Dynamic trunk ports to switches with device profiles

– IP Addressing• DHCP client in Mgmt VLAN for APs• DHCP address from BGW for Employee and Guest• Guest Wireless network is isolated in branch and only

used to access HTTP/HTTPS/DNS on Internet

– Central Configuration• UI groups (Type: BG)

ManagementGuestEmployee

Wired VLANs

EmployeeGuest Wireless

Wireless SSIDs

Branch SiteDual Gateway

Employee

Guest

Employee

Guest

Guest

Employee

Dynamic Trunks

Stack

DHCP Client

31#ArubaAirheads

Branch Wireless Platforms

310 Series (AP/IAP-31x)802.11ac 4x4:4SS*, MU-MIMO, VHT160

1x GE, USB, BLE, 802.3af POEBaseline 4x4 11ac W2 platform

300 Series (AP/IAP-30x)802.11ac 3x3:3SS*, MU-MIMO

1x GE, USB, BLE, 802.3af POEEntry-level 3x3 11ac W2 platform

340 Series (AP-34x)802.11ac 4x4:4SS, MU-MIMO, VHT160

1x 2.5GE + 1x 1GE, USB, BLE, dual 5GHz, 802.3at POE11ac W2 Flagship

303 Series (AP-303/303P)Dual radio, 802.11ac 2x2:2SS, MU-MIMO

1xGE, BLE, 802.3af/at/bt POE, PSE*Low-cost 2x2 11ac W2 platform

802.11ac Wave 2 802.11ax Wave 1

510 Series (AP-51x)802.11ax 4x4:4SS / 2x2:2SS

1x 2.5GE + 1x 1GE, USB, BLE / 15.4, 16RU, VHT16011ax Baseline / mid-range, 802.3at POE

530 Series (AP-53x)802.11ax 4x4:4SS / 4x4:4SS

2x 5GE, USB, BLE / 15.4, 37RU, VHT16011ax High-end, 802.3bt POE

AP 555802.11ax 8x8:8SS / 4x4:4SS (Tri-Radio mode)

2x 5GE, USB, BLE / 15.4, 37RU, VHT16011ax Flagship, 802.3bt POE

32#ArubaAirheads

Aruba Validated Designs– Mobile First Campus for Midsize Networks (March 2018)– Design and Deployment Guide– Two-tier wired– Instant AP wireless

– Mobile First Campus for Large Networks (July 2018)– Design and Deployment Guide– Three-tier wired– Controller-based wireless

– SD-Branch for Midsize Networks (March 2019)– Design and Deployment Guide– Cloud-based onboarding and management– Single hub site location– Single and dual gateway deployment models

– SD-WAN Quality of Service (June 2019)

• Supplemental Guide

– https://www.arubanetworks.com/resources/technical-guidance/

– Filter by Type: Aruba Validated Design

http://bit.ly/Aruba-AB221

Thank You