#ATM16
WLAN Design 101: Fundamentals in the Campus
Introduction to WLAN design
Peter Lane, Director Product Management @ArubaNetworks
Where to Look
Aruba Solutions Exchange
Airheads Community in Q1 16
• New Members: 2645, 103% YoY
• Page Views (Human): 1.45M, 23.5% YoY
• Accepted Solution Views: 335K, 62.6% YoY
• Knowledge Base Views: 275.7K, 124% YoY
• 41,000+ Members
• 10,000+ New Members in 2015
• 7000+ Accepted Solutions
• 30,000+ Kudos Given
• 6000+ Knowledge Base Articles
• 115,000+ Total Forum Posts
• 170+ Countries Represented
Factors to Consider when Choosing a Network Solution
– User Expectations
  – Voice/Roaming
  – Areas to cover (bathrooms, stairwells, elevators, parking lots)
  – Video
  – Uptime
  – Speed
– Policy control
  – Block any traffic?
  – Throttle any traffic?
  – QoS
  – Posture assessment
– Locations
  – How many?
  – How large?
  – How many users?
  – Backhaul to the DC?
– Operational
  – Lifetime of the deployment
  – Cost
  – Replacement/refresh cycle
AP Decision Points
– AP Model
– WiFi Standard
  – 11ac Wave 1 is the baseline
  – Wave 2 is coming, but not many clients support it yet
– Scale (device count)
  – Number of concurrent users
  – Common use cases
– Backhaul
  – 1 Gbps backhaul recommended
  – Dual backhauls to separate switches recommended for areas that need high availability (healthcare)
  – 10 Gbps uplinks from the edge switch
– Placement
  – Typically every 40–50 feet
  – <40 feet requires special RF design work
  – >50 feet may not keep up with client density
Broad Portfolio of WLAN Connectivity
Indoor Access Points
– 103 Series: lower cost, 2x2 11n, 600 Mbps
– 200 Series: lower density, 2x2 11ac, 1.2 Gbps
– 210 Series: carpeted space, 3x3 11ac, 1.9 Gbps
– 220 Series: highest density, 3x3 11ac, 1.9 Gbps, dual uplink
– 320 Series: highest density, 4x4 MU-MIMO 11ac, 2.5 Gbps, dual uplink
Hospitality Access Points
– 103H: 2 ports, 11n dual
– 205H: 3 ports, 11ac dual, PSE
Remote Access Points
– RAP-3: 2 ports, 2.4 GHz, PSE
– RAP-108/109: 1 port, 11n dual radio
– RAP-155: 4 ports, 11n dual radio, PSE
Outdoor Access Points
– 270 Series: outdoor, 3x3 11ac
Hardened Access Points
– 228 Series: industrial grade, 3x3 11ac
Beacons
– Aruba Beacons: Bludot Location
AP Modes
CAP, IAP, RAP
Forwarding Modes and Traffic Processing
Deployment mode is a per-VAP setting; encryption/decryption is also set per VAP.

Campus deployment modes
– Tunnel: 802.11 mgmt frame processing by AP; encryption and decryption by Controller; client traffic forwarding by Controller; firewall policies applied by Controller
– Decrypt-Tunnel: 802.11 mgmt frame processing by AP; encryption and decryption by AP; client traffic forwarding by Controller; firewall policies applied by Controller
– Bridge: 802.11 mgmt frame processing by AP; encryption and decryption by AP; client traffic forwarding by AP; firewall policies applied by AP

Remote deployment modes
– Tunnel: 802.11 mgmt frame processing by AP; encryption and decryption by Controller; client traffic forwarding by Controller; firewall policies applied by Controller
– Decrypt-Tunnel: 802.11 mgmt frame processing by AP; encryption and decryption by AP; client traffic forwarding by Controller; firewall policies applied by Controller
– Split-Tunnel: 802.11 mgmt frame processing by AP; encryption and decryption by AP; client traffic forwarding by AP; firewall policies applied by AP
– Bridge: 802.11 mgmt frame processing by AP; encryption and decryption by AP; client traffic forwarding by AP; firewall policies applied by AP

Note: Decrypt-Tunnel requires CPsec to be turned on

Campus modes compared with Instant
– Tunnel: 802.11 mgmt frame processing by AP; encryption and decryption by Controller; client traffic forwarding by Controller; firewall policies applied by Controller
– Decrypt-Tunnel: 802.11 mgmt frame processing by AP; encryption and decryption by AP; client traffic forwarding by Controller; firewall policies applied by Controller
– Instant Bridge: 802.11 mgmt frame processing by AP; encryption and decryption by AP; client traffic forwarding by AP; firewall policies applied by AP
Radio Modes
WWAS16 | Confidential
Hybrid AP
• Client access
• Scan 2.4 and 5 GHz
• IDS detection
• Rogue detection
• Interference detection
• Interference classification
Dedicated Air Monitor
• Air monitor 2.4 and 5 GHz
• Air monitor 4.9 GHz
• IDS detection
• Rogue detection
• Rogue containment
• Interference detection
Spectrum Monitor
• Air monitor 2.4 and 5 GHz
• IDS detection
• Rogue detection
• Interference detection
• Interference classification
Controller Decision Points
– AP Count
  – Current number of APs
  – Redundancy design (active+active, n+1, none)
  – Leave headroom to grow and evolve (AP count <80% of supported max)
– Client count
  – LPVs may require additional controllers for client support
– Throughput
– Redundancy
– Master/Local domains for large networks
Branch and Campus Controller Portfolio (chart axes: Performance vs. Scale)
Branch/Remote Office
– 7005: 16 APs / 1K devices, 2 Gbps
– 7010: 32 APs / 2K devices, 12 PoE, 4 Gbps
– 7024: 32 APs / 2K devices, 24 PoE, 4 Gbps
– 7030: 64 APs / 4K devices, 8 Gbps
– VMC-TACT: 32 APs / 512 devices, 0.4 Gbps
Campus
– 7205: 256 APs / 8K devices, 12 Gbps
– 7210: 512 APs / 16K devices, 20 Gbps
– 7220: 1024 APs / 24K devices, 40 Gbps
– 7240: 2048 APs / 32K devices, 40 Gbps
Role Based Security Architecture (diagram)
– Virtual-AP 1, SSID: GUEST; Virtual-AP 2, SSID: Corp
– Corporate services: Signage, Voice, Data, PoS
– Guest: Captive Portal, secure tunnel to the DMZ
– ClearPass with RADIUS/LDAP/AD provides Role-Based Access Control (access rights per role)
– Contrast: SSID-Based Access Control, with separate SSIDs for PoS, Data, Voice, Signage and Guest
Controller Roles
– Master Controller's primary responsibilities
  – Global configuration
  – Global monitoring
  – Processing IDS events and alerting
  – Initial AP termination
  – Centralized license server
  – Centralized whitelist
  – CPSec trust anchor
  – Can terminate APs, but not recommended
– Local Controller's primary responsibilities
  – Local config
  – Adaptive Radio Management (ARM)
  – AP termination (GRE tunnel from AP to controller)
  – User traffic
  – Apply firewall rules
  – VLAN tagging
– Branch Office Controller
  – ZTP
  – ARM
  – AP termination
  – User traffic
  – Apply firewall rules (DPI, content filtering)
  – PBR
  – WAN visibility
Large Campus
– Definition
  – Large number of buildings (3 – 500+)
  – Large number of users (2,000+)
  – Good backhaul between buildings: 10 gig or higher depending on building type and device usage
  – Universities, healthcare, global HQs, etc.
– Typical Deployment
  – Centralized controllers
  – Master/Local architecture: up to 15k APs, 150k users in one master/local domain
  – If you need multiple master/local domains, split them along natural RF dead zones
  – DHCP controller discovery
  – AP fast failover: Active:Active
  – VRRP for the LMS IP, for the centralized licensing master/backup and for the master controller master/backup master
CAP/RAP Boot Process
Master Controller Discovery
– Static Assignment (rare)
  – Controller IP address is provisioned and saved in AP flash
– Dynamic Assignment
  – DHCP request (Option 43)
  – AP multicasts Aruba Discovery Protocol (ADP) packets to group 239.0.82.11
  – AP broadcasts ADP packets to L2/L3 recipients
  – AP sends a DNS query: who is "aruba-master.domain.com"?
    – "domain.com" supplied by DHCP
    – "DNS server" supplied by DHCP
AP Controller Discovery Process (flowchart)
1. DHCP: the AP gets an IP address.
2. Option 43 controller? Yes: continue. No: try ADP.
3. ADP? Yes: continue. No: try DNS.
4. DNS? Yes: continue. No: reboot and start again.
5. Firmware match? No: update firmware. Yes: download configuration.
6. Connected to LMS? No: go to LMS. Yes: come up in default group.
Master discovery packet capture (screenshots of the DHCP, ADP and DNS processes; not reproduced)
What is the LMS Controller?
Diagram: one Master Controller with two Local Controllers, 10.10.1.1 and 20.20.1.1. AP Group = California has LMS = 10.10.1.1; AP Group = New York has LMS = 20.20.1.1.
High Availability roles
A controller can be configured in one of 3 HA roles:
– Active – serves APs, but cannot act as the failover standby for any AP other than those it already serves as the active controller.
– Standby – acts as the failover backup controller, but cannot be configured as the primary controller for an AP.
– Dual – supports both roles, i.e. acts as the active controller for one set of APs and as the standby controller for another set of APs.
AP Fast Failover Deployment Models (diagram): three topologies, Active/Active, Active/Standby and N+1, with each controller labelled by its HA role (Dual, Active or Standby; in N+1, Controller 1 and Controller 2 are Active and Controller 3 is Standby). Legend: AP connection to its Active controller; AP connection to its Standby controller.
AP Fast Failover – AOS 6.4
– Inter Controller Heartbeat
– Client state sync
– N+1 Oversubscription
Inter-Controller Heartbeat - Introduction
• Faster detection of Active controller failure
  – Heartbeat from standby to active controller
  – Heartbeat interval: 100 ms (default)
  – Heartbeat threshold: 5 (default)
• Failover time less than 1 sec
• Supported on all controller platforms except 650/620
• Active/Active, Active/Standby and N+1 topologies supported
• A standby can heartbeat a maximum of 7 active controllers at a time
• The AP's own heartbeat mechanism (8 missed heartbeats) is used when the connectivity issue is on the AP side
NOTE: Make sure link latency between the two controllers is less than 100 ms
Inter-Controller Heartbeat Flow (sequence between Active Controller, Standby Controller and AP)
1. The AP connects to its LMS (the active controller); the LMS selects a standby for the AP from the HA group.
2. The LMS notifies the AP of the standby controller IP.
3. The AP sends a Hello message to the standby with the "standby" flag set; the standby replies with a Hello Response and identifies the active controller IP from the Hello message. AP UP.
4. The standby sends a heartbeat to the active controller every 100 ms. Each unanswered heartbeat increments the heartbeat sent count (1, 2, 3, 4, 5); a Heartbeat Response resets the heartbeat sent count to 0.
5. When the count reaches the threshold, the standby sends an AP Failover request message to the AP; the AP deauths all clients and fails over to the standby; the AP Failover response confirms that the AP is Active on Standby.
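As an added example (not from the deck or from ArubaOS), a small Python model of the standby-side heartbeat logic described above: the 100 ms interval and threshold of 5 are the deck's defaults; the assumption that a heartbeat counts as missed when its reply is not back before the next heartbeat is due is mine, and it is what makes the "latency under 100 ms" note bite.

```python
from dataclasses import dataclass

INTERVAL_MS = 100   # heartbeat interval, deck default
THRESHOLD = 5       # consecutive misses before failover, deck default


@dataclass
class HeartbeatResult:
    failover: bool        # standby declared the active controller down
    detected_at_ms: int   # time of the AP Failover request, -1 if none
    max_sent_count: int   # highest "Heartbeat sent count" reached


def run_heartbeat(active_up_until_ms, rtt_ms, duration_ms=3000,
                  interval_ms=INTERVAL_MS, threshold=THRESHOLD):
    """Simulate the standby heartbeating one active controller.

    active_up_until_ms: the active answers heartbeats sent before this time
                        (use a large value for a healthy controller).
    rtt_ms: round-trip latency of the inter-controller link.
    """
    sent_count = 0   # "Heartbeat sent count" from the flow diagram
    max_count = 0
    for t in range(0, duration_ms, interval_ms):
        answered = t < active_up_until_ms
        # Assumption: the reply must arrive before the next heartbeat is due,
        # so a link slower than the interval looks exactly like a dead peer.
        on_time = answered and rtt_ms < interval_ms
        if on_time:
            sent_count = 0                    # "Reset Heartbeat sent count = 0"
            continue
        sent_count += 1
        max_count = max(max_count, sent_count)
        if sent_count >= threshold:
            # Standby sends the AP Failover request; the AP deauths its clients
            # and comes up on the standby ("AP is Active on Standby").
            return HeartbeatResult(True, t + interval_ms, max_count)
    return HeartbeatResult(False, -1, max_count)


def detection_delay_ms(failure_at_ms, rtt_ms):
    """Time from active-controller failure to the failover decision (-1 if never)."""
    r = run_heartbeat(failure_at_ms, rtt_ms)
    return r.detected_at_ms - failure_at_ms if r.failover else -1


if __name__ == "__main__":
    print("20 ms link, active fails at 1000 ms:", detection_delay_ms(1000, 20))
    print("healthy active over a 150 ms link:", run_heartbeat(10**9, 150))
```

With the defaults a real failure is detected 500 ms after it happens (threshold times interval), inside the deck's "less than 1 sec"; a healthy peer behind a 150 ms link is declared dead after the same 500 ms, which is the false failover the latency note warns about.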
Client State Sync - Introduction
• PMKID, Role and VLAN synced between controllers
• Controllers sync keys through an IPsec tunnel
• Supported on 72xx, M3 and 3600 controllers
• Supported on Active:Active, Active:Standby and Master:Standby Master topologies
• NOT supported for the N+1 oversubscription model
Client State Sync – Failover Scenario (Active Controller and Standby Controller connected by an IPsec tunnel)
1. Client successfully authenticates to the dot1x SSID; a PMK-SA is generated
2. PMK-SA sync
3. On failure of the Active controller, the AP deauths the client and fails over to the Standby
4. Client re-associates and performs the 4-way key exchange only
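As an added example (not the deck's or ArubaOS's code), a toy Python model of why step 4 needs only the 4-way handshake: the PMKID is derived as IEEE 802.11 defines it, and the standby can match it only if the PMK-SA was synced in step 2. The controller class, the PMK and the MAC addresses are constructed for the example.

```python
import hashlib
import hmac


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID per IEEE 802.11: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA).
    AA is the authenticator (BSSID) address, SPA the client address."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Controller:
    """Toy controller holding a PMK-SA cache: PMKID -> (PMK, role, VLAN)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.pmksa: dict[bytes, tuple[bytes, str, int]] = {}
        self.sync_peer: "Controller | None" = None   # deck: peer over IPsec tunnel

    def complete_dot1x(self, pmk, bssid, client, role, vlan) -> bytes:
        """Step 1: full 802.1X done, PMK-SA created. Step 2: sync it to the peer."""
        pid = pmkid(pmk, bssid, client)
        self.pmksa[pid] = (pmk, role, vlan)
        if self.sync_peer is not None:
            self.sync_peer.pmksa[pid] = (pmk, role, vlan)   # PMK-SA sync
        return pid

    def reassociate(self, offered_pmkids):
        """Step 4: the association request carries the client's cached PMKIDs.
        A cache hit needs only the 4-way handshake; a miss forces full 802.1X."""
        for pid in offered_pmkids:
            if pid in self.pmksa:
                _, role, vlan = self.pmksa[pid]
                return ("4-way-handshake-only", role, vlan)
        return ("full-802.1x", None, None)


# Constructed sample values (not real keys or addresses).
PMK = bytes(range(32))
BSSID = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")


def failover(sync_enabled: bool):
    """Steps 1-4 of the scenario above; returns what the standby requires of the client."""
    active, standby = Controller("active"), Controller("standby")
    if sync_enabled:
        active.sync_peer = standby
    pid = active.complete_dot1x(PMK, BSSID, CLIENT, "employee", 100)
    # Step 3: the active fails, the AP deauths the client and comes up on the
    # standby with the same BSSID; the client still holds its PMK-SA and PMKID.
    return standby.reassociate([pid])
```

Without sync the standby has no PMK-SA for the offered PMKID, so the client pays for a full 802.1X exchange (and its role and VLAN have to be re-derived) right when the network is already recovering.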
Supported Topologies
– Inter-Controller Heartbeat and Client State Sync are not supported in the Master-Standby Master topology, because the standby controller does not allow AP termination unless its VRRP state becomes active.
N+1 Oversubscription - Introduction
• Allows a backup controller to terminate standby AP tunnels above its platform limit
• Supported for 72xx, M3 and 3600 controllers
  – 72xx allows 4 times oversubscription
  – M3 & 3600 allow 2 times oversubscription
• Centralized licensing is recommended for this feature

Example | Controller 1 (# of APs) | Controller 2 (# of APs) | Standby Controller (# of standby APs), AOS 6.3 | Standby Controller (# of standby APs), AOS 6.4
1       | 7210 (512)              | 7210 (512)              |                                               | 7210 (1024)
N+1 Oversubscription (diagram, two builds): four active 7210 controllers with 512 APs each, backed by a single standby 7210 controller.
N+1 Oversubscription – Standby AP support
Platform | Max # APs | Max GRE Tunnels | Ratio
7005     | 16        | 512             |
7010     | 32        | 1024            |
7024     | 32        | 1024            |
7030     | 64        | 2048            |
3600     | 128       | 8192            | 2:1
M3       | 512       | 16384           | 2:1
7205     | 256       | 8192            | 4:1
7210     | 512       | 16384           | 4:1
7220     | 1024      | 32768           | 4:1
7240     | 2048      | 65535           | 4:1
N+1 Oversubscription – Caveats
• Client state sync is not supported for the N+1 topology
• Only the standby AP limits are extended
  – User-table, station-table and IPsec tunnel limits remain as they are
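As an added example (my code, not from the deck or ArubaOS), a capacity check for the N+1 design discussed in the introduction, the standby AP support table and the caveats above. The platform numbers are the deck's; treating the 7000 series, which lists no ratio, as 1:1, and reading the caveat as "after one active controller fails, the standby still has only its own active-AP limit", are my assumptions.

```python
# Platform table from the "Standby AP support" slide:
# platform -> (max active APs, max GRE tunnels, standby oversubscription ratio).
# Assumption: the 7000 series lists no ratio, so it gets 1 (no oversubscription).
PLATFORMS = {
    "7005": (16, 512, 1),     "7010": (32, 1024, 1),
    "7024": (32, 1024, 1),    "7030": (64, 2048, 1),
    "3600": (128, 8192, 2),   "M3": (512, 16384, 2),
    "7205": (256, 8192, 4),   "7210": (512, 16384, 4),
    "7220": (1024, 32768, 4), "7240": (2048, 65535, 4),
}


def standby_ap_limit(platform: str, aos: str = "6.4") -> int:
    """Standby AP tunnels a backup controller may hold (AOS 6.3: no oversubscription)."""
    max_aps, _, ratio = PLATFORMS[platform]
    return max_aps * (ratio if aos == "6.4" else 1)


def plan_n_plus_1(active, standby_platform: str, aos: str = "6.4") -> dict:
    """Check an N+1 design.

    active: list of (platform, ap_count) for the active controllers.
    Applies the caveat that only the standby AP limit is extended: when one
    active controller fails, its APs become active on the standby, which still
    has only its platform's active-AP (and user/station/IPsec) limits.
    """
    for platform, n in active:
        if n > PLATFORMS[platform][0]:
            raise ValueError(f"{platform} cannot serve {n} active APs")
    standby_aps = sum(n for _, n in active)        # every AP gets a standby tunnel
    limit = standby_ap_limit(standby_platform, aos)
    largest_failure = max(n for _, n in active)    # worst single-controller loss
    standby_active_max = PLATFORMS[standby_platform][0]
    return {
        "standby_aps": standby_aps,
        "standby_limit": limit,
        "fits_standby_limit": standby_aps <= limit,
        "survives_single_failure": largest_failure <= standby_active_max,
    }


if __name__ == "__main__":
    design = [("7210", 512), ("7210", 512)]       # the deck's Example 1
    print("AOS 6.3:", plan_n_plus_1(design, "7210", "6.3"))
    print("AOS 6.4:", plan_n_plus_1(design, "7210", "6.4"))
```

The deck's Example 1 (two 7210s with 512 APs each and a 7210 standby) fails the standby limit on AOS 6.3 and passes on 6.4; the single-failure check is what stops a 7210 from being used as the standby for a fully loaded 7220.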
What about putting a controller in each building?
– Supported deployment
– Rare due to increased controller cost
– Appropriate for large buildings with small backhauls between buildings
K-12 Deployment Types
– Central Controllers
  – Architecture:
    – Master/Local centralized in DC
    – AP Fast Failover: N+1
    – DHCP discovery
  – Common for schools with:
    – Fiber between them
    – Traffic typically heading through the DC
  – Benefits:
    – Leverage low cost, large scale controllers
    – Simple failover solution
    – Single point of config for all controllers
    – Single location for all controllers
– Controllers per school
  – Architecture:
    – Local Controller per school
    – Master controller in DC
    – Optional: Standby Failover controller in DC
    – AP FF Active/Active per school
  – Common for schools with:
    – Weak connections between schools or back to DC
    – Traffic patterns that go straight to the internet
  – Benefits:
    – All controller features
    – Single master configuration point for all schools
– Instant
  – Architecture:
    – IAPs
    – AirWave
  – Common for schools:
    – Aerohive has talked with them
    – Not a fan of controllers
    – Comfortable with configuring VLANs
  – Benefits:
    – ZTP
    – Great redundancy
    – Low cost (not as low as you think)