CONFIDENTIAL © Copyright 2012. Aruba Networks, Inc. All rights reserved 1
REMOTE NETWORKING DEPLOYMENTS
Anupam Upadhyaya Aruba Networks March 2012
Agenda
1. Remote Networking Deployments
2. Remote AP deployments
3. Aruba Instant overview
4. Deployment guidelines
Remote Networking Solutions
What is a Remote AP?
• Aruba Access Point (AP) deployed at remote site
• Plugged directly into the LAN side of a router connected to a DSL or cable modem
• Extends secure role-based wired and wireless from corporate network into home
Aruba Mobility Controller Centralized Administration
In the Box:
• Wired and wireless connectivity
• Firewall and VPN
• Application specific QoS
• Per-user access control
In the Data Center:
• Configuration and management
• User-based policies
• Reporting and visibility
[Diagram labels: Branch Office, Internet, Data Center/Private Cloud]
RAP in Tunnel Mode
• All traffic is forwarded through the tunnel to the controller
• In Tunnel Mode, the RAP creates the following to the controller
  – One IPsec tunnel, different GRE (over IPsec) per SSID/PORT (not per client)
• Since the tunnel carries control and data traffic, bandwidth requirements have to be calculated accordingly
[Diagram labels: Home Office, Remote AP, DSL Router, Internet, Internet Services, Firewall/NAT, DMZ, Mobility Controller, Corporate HQ; networks VOICE and CORP]
RAP in Split-Tunnel Mode
• Corporate and control traffic is forwarded through the tunnel
• Local internet traffic is forwarded to the gateway router
• Local traffic is bridged locally for local servers/printers
• In Split-Tunnel Mode, the RAP creates the following to the controller
  – One IPsec-encrypted GRE tunnel shared across all SSIDs and wired ports
[Diagram labels: Home Office, Remote AP, DSL Router, Local Printer, Split Tunnel, Internet, Internet Services, Firewall/NAT, DMZ, Mobility Controller, Corporate HQ; networks VOICE and CORP]
RAP in Bridge Mode
• Only control traffic is forwarded through the tunnel to the controller
• In Bridge Mode, the RAP creates the following to the controller
  – One IPsec tunnel for control traffic shared across all SSIDs and wired ports
• Mainly useful for guest access/SSIDs
• No access to corporate resources
[Diagram labels: Home Office, Remote AP, DSL Router, Local Printer, GUEST, GUEST VLAN, Control Traffic, Internet, Internet Services, Firewall/NAT, DMZ, Mobility Controller, Corporate HQ]
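Added example, not part of the original slides: a simplified Python model of where user traffic goes in the three RAP forwarding modes described above, used to list the destinations that never pass through the controller. The corporate prefix, home LAN subnet, sample flows and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not from the slides).
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # corporate address space
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24") # home LAN behind the DSL router
SAMPLE_FLOWS = [
    "10.20.30.40",   # corporate server
    "192.168.1.50",  # local printer
    "203.0.113.10",  # internet host
]

def forward(mode, dst):
    """Return the path a RAP gives user traffic to `dst` in the given mode."""
    ip = ipaddress.ip_address(dst)
    is_corp = any(ip in net for net in CORP_NETS)
    is_local = ip in LOCAL_LAN
    if mode == "tunnel":
        # All traffic is forwarded through the tunnel to the controller.
        return "tunnel"
    if mode == "split-tunnel":
        if is_corp:
            return "tunnel"  # corporate traffic stays in the tunnel
        # Local traffic is bridged; internet traffic goes to the gateway router.
        return "local-bridge" if is_local else "gateway-router"
    if mode == "bridge":
        # Only control traffic is tunneled; user traffic is never tunneled,
        # so corporate resources are unreachable from this mode.
        return "local-bridge" if is_local else "gateway-router"
    raise ValueError(f"unknown mode: {mode}")

def bypasses_controller(mode, flows):
    """Destinations whose user traffic never reaches the controller."""
    return [dst for dst in flows if forward(mode, dst) != "tunnel"]

if __name__ == "__main__":
    for mode in ("tunnel", "split-tunnel", "bridge"):
        print(mode, bypasses_controller(mode, SAMPLE_FLOWS))
```

Flows listed by `bypasses_controller` are the ones that corporate-side policy enforcement and logging on the controller will not see, which is the trade-off to weigh when choosing split-tunnel or bridge mode.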
ARUBA INSTANT OVERVIEW
WLAN with Instant APs
• Add guest and BYOD services
• Manage multi-site deployments
• Set up in 3 minutes or less
• Integrate with edge access VLANs
• Control access with built-in firewall
• Optimize performance with ARM
[Diagram labels: Wiring Closet, Voice VLAN, Guest VLAN, BYOD VLAN, Handheld VLAN, Wireless VLAN, Data VLAN, Data Center, AAA Services, Instant, Policy Enforcement]
Instant Architecture
• Management Plane (virtual controller or AirWave and slave IAPs): administrative traffic for initial provisioning, monitoring, and image management
• Control Plane (IAPs): discovery process, election process, client information
• Data Plane (IAPs, switches, upstream routers): user data, wired to wireless LAN,
[Diagram labels: VC, Switch, To the wired network, Instant Network Layer 2]
ARUBA INSTANT DISTINGUISHING FEATURES
‘instant’ SSID
[Diagram labels: instant.arubanetworks.com; Instant Network with IAP1, IAP2, IAP3]
Dynamic RADIUS Proxy
• VC static IP address: 10.169.241.150
• RADIUS server for 802.1X, NAS client IP address: 10.169.241.150
• IAP1: 10.169.241.2
• IAP1: 10.169.241.3
• Client: EAP authentication request
• EAP authentication request, Src: 10.169.241.2, Dst: 10.169.241.3
• RADIUS requests, Src: 10.169.241.150, Dst: RADIUS server
Guest Access
• External captive portal is implemented using transparent HTTP proxy
  – Walled Garden support to allow access to limited websites
  – Dynamic whitelist management based on corporate DNS
  – Blacklists to deny access to certain websites
• Internal captive portal or External captive portal
[Diagram labels: Instant Network; IAP1 IP address 10.169.241.2; IAP2 IP address 10.169.241.3; IAP3 IP address 10.169.241.4; VC IP address 10.169.241.150]
Magic VLAN
• No need to create a VLAN for guest users on the wired network
• Virtual controller assigns non-conflicting IP for guests – 192.168.11.x or 172.16.0.x range
• Proxy ARP and DHCP Relay operation per IAP
• All traffic is automatically source-NAT’ed
Instant Mesh
• Mesh can be configured in either of two ways
• Automatically assign roles based on ENET link status – mesh portal or mesh point
• Over-the-wire – configure WLAN network before converting to mesh point
[Diagram panels: "Over-the-wire provisioning" and "Over-the-air provisioning"; labels: Instant Network, Unplug Ethernet, Wired IAPs are Mesh Portals, Mesh Portal, Mesh Point]
IAP IP Assignment
• IAP tries DHCP option during boot-up sequence
• If DHCP is not available, it assigns itself a default IP address in the 169.254.x.x range
• User can configure a static IP on each IAP
[Diagram panels: "IAP IP addresses from DHCP", "User assigns static IP addresses", "IAP assigns default IP addresses"; labels: IAP, VC, Network device, DHCP server]
User Interface
• HTML 5: Works on all devices, no Flash required
• Language customization. Addition of new languages is simple.
• Inline search
• Intuitive help
• Focus on monitoring and alerts
Setting up Aruba Instant
1. Create Network
2. Assign SSID and Usage Type
3. Set Security Level
4. Advanced Access Rules (SSID firewall)
5. Connect to the New Network
Network Management
• SNMP v1, v2c, and v3 are supported for reporting only
• Trap receivers can be added for v1, v2c, or v3
Trap OID : 1.3.6.1.4.1.14823.2.3.3.1.200.2.X
DEPLOYMENT GUIDELINES
Controller vs Instant
Feature: Aruba Instant WLAN / Aruba WLAN with Controller
• Functions without Central Manager: ✓ / ✓
• Scalability: Max APs in network: Unlimited / Unlimited
• Instant Setup & Deployment: ✓ / ✓
  – Can setup without central or cloud manager
  – Can troubleshoot without a central manager
  – Guest Access without VLANs or Tunnels
• Security & Multimedia Services: ✓ / ✓
  – Built-in Wireless Intrusion Detection
  – Support for MS Lync, Apple FaceTime & Citrix
• Advanced Network Services: ✗ / ✓
  – Simple overlay design e.g.: no edge VLANs
  – Roam across buildings/floors without performance impact
  – Same experience for Wired, Wi-Fi & Remote
• Investment Protection: Can add Mobility Controller hardware for scale & security: ✓ / ✓
Challenges with an Edge Anchor Point
1. Device associates with “home” AP
2. User moves across VLAN boundary
3. AP overload due to forwarding traffic for devices unassociated with this AP
4. Network links process the same packet three times due to L3 mobility
[Diagram labels: Wireless VLAN 1, Wireless VLAN 2, Data Center]
Scaling for Layer 3 Mobility
1. Device associates with AP
2. Centralized policy definition and enforcement
3. User moves across VLAN boundary
4. Controller serves as mobility anchor reducing AP and network load
[Diagram labels: Wiring Closet, Campus AP, VLAN Pool, Data Center, Mobility Controller]
Where Is A Mobility Controller Needed?
• Boost WLAN Performance when devices roam across subnets and for policy control. Traffic not forced to route through the “lobby AP”
• Consistent Mobility Experience with common policy enforcement & management across wired, Wi-Fi, branch and VPN
• Simplify Networks by eliminating VLANs at the edge
[Diagram labels: Instant APs (Distributed Crypto); Controller + APs (Centralized Crypto); Central Management]