Juniper Networks Simply Connected Workshop

Agenda
10h00 : Introduction Westcon Juniper Team
10h15 : Juniper WLAN Solution in depth
11h30 : WLAN technical
• Virtual WLAN controller
• 802.11ac Developments
12h30 : Lunch
13h30 : WLAN demo-time
• Ringmaster Demo
• SmartPass Demo
15h00 : Break
15h20 : Simply Connected Concept
16h00 : Q&A
16h15 : Network Drink - Closing Cocktail

Our Company
In France:
• 50 employees
• Founded in 1992, 5 offices
• 80m $
• ATC and support center
Nantes, Paris, Marseille, Toulouse, Lyon

Our Company
• Partnerships with the market leaders in security
• Innovative services:
  • Installation services
  • 24x7 telephone support and hardware support within 4 hours
  • Accredited training center
• We work on issues of:
  • Security (network, web, client workstations, mobile working…)
  • Mobility
  • Application availability and optimization
  • Legal compliance
  • Wifi

Our Company
Products ● Services ● Training
Dedicated teams to support you at every stage of the sales cycle:
• Training
• New customers, new projects
• Sales arguments, architecture
• Commercial offer
• Deployment and support

Juniper Wireless LAN Product Portfolio
• Access Points: Best price performance, Mass deployment ready
• Controller: Scalable, Flexible, Fastest, Highest capacity
• Mobility Mgmt & Services: Unified Infrastructure and services
  • WLAN Life Cycle Mgmt
  • Guest Access
  • Location Awareness
• Mobility System Software: Secure, Reliable, Seamless Mobility Services

Juniper WLC Series controller family
[Figure: WLC Series models plotted by # of AP, grouped as Branch, Campus and Enterprise]
• WLC2: 4 AP
• WLC8: 12 AP
• WLC800: 16 - 128 11n AP
• WLC880: 16 - 256 11n AP
• WLC2800: 64 - 512 11n AP
• New: WLC100 and JunosV WLC; 4 - 32 11n AP
WLC Series Highlights
• Simplest solution in the industry
• Highest reliability in the industry
• Only vendor with in-service upgrades
• Full featured distributed deployment

Juniper WLA Series Access Point: Next Generation Family
[Figure: WLA Series models plotted by functionality, in three groups: Entry level 802.11n, Indoor 11n/11ac, Outdoor 11n/11ac]
• WLA321: Single Radio, Low Cost AP
• WLA322: Dual Radio, Entry-level AP
• WLA532/E: 3 Stream MIMO, Dual Radio, High Performance
• WLA632: 3x3 MIMO, Dual Radio, All Weather
• RAPTOR: 11ac 3x3 MIMO, Dual Radio, Gigabit Performance
• Firefox: 11ac 3x3 MIMO, Dual Radio, All Weather
• NG Indoor: Q2/2014
• NG Outdoor: Q3/2014
WLA Series Highlights
• Highest performance APs in the industry
• Most cost effective APs in the industry
• Full featured
• Intelligent switching
• Spectrum analysis across the portfolio
• Bridging and mesh

WLA532: High Performance, Enterprise-Grade AP
• Interfaces
  • Concurrent 3-stream dual-radio operation
  • Up to 450Mbps link speed on 5GHz
  • Up to 195Mbps link speed on 2.4GHz
  • 10x better performance than 802.11a/g
  • 802.3af PoE power
• Security
  • Encryption at “air” rate: 802.11i, WPA2/AES, WPA/TKIP, WEP
  • No stored configuration, no serial port, special tool lock screw on bracket
  • AP to MX data path encryption
• Performance and Mobility
  • Local switching for low latency, high performance
  • Advanced AP VLAN tunneling
• Management
  • AutoTune Dynamic RF management
• Antenna
  • Six internal cross-polarized antennas with 5 degree down-tilt for best signal strength
• Usability & Ease-of-Installation
  • Versatile mounting options for ceiling, wall mount and wall plugs
• Product Ordering
  • WLA532-US: For US operation
  • WLA532-IL: For Israel operation
  • WLA532-WW: For Worldwide operation except US and IL

Indoor 11n AP Product Portfolio Comparison
Feature | WLA321 | WLA322 | WLA522 | WLA532
MIMO Technology | 2x2 | 2x2 | 2x2 | 3x3
No. of Radios | 1 | 2 | 2 | 2
Peak Antenna Gain (5GHz) | 5dBi | 4.5dBi | 5dBi | 5dBi
Peak Antenna Gain (2.4GHz) | 4dBi | 4.8dBi | 3dBi | 3dBi
Maximum Data Rate | 300Mbps | 300Mbps | 300Mbps | 450Mbps
5GHz Downstream TCP Throughput at 30 feet (w/Atheros Client) | ~100Mbps | ~110Mbps | ~120Mbps | ~200Mbps
5GHz Downstream TCP Throughput at 100 feet (w/Atheros Client) | ~20Mbps | ~30Mbps | ~60Mbps | ~100Mbps
Client Density (clients receiving downstream throughput at approx. 2Mbps per client, <30 feet from AP) | ~40 | ~40 | ~60 | ~100
Simultaneous Spectrum Analysis and Wireless Access Services | Y | Y | Y | Y
HW Accelerated Wired Encrypted Tunnel | N | N | Y | Y
Transmit Beamforming | N | N | N | Y
List Price | $395 | $595 | $725 | $1,095

Juniper WLM Series Life Cycle Management: RingMaster
Plan, Config, Monitor, Troubleshoot, Report
• Planning and deployment
  • 3D predictive planning tool
  • Indoor and outdoor network plan
• Configuration and Verification
  • Complete offline configuration
  • System and service wizards
  • Pushes configuration to WLCs
• Monitoring and reporting
  • By user, radio, AP, WLC, SSID
  • 30 day history aids compliance
  • WIDS/WIPS integration
• Location aware
  • Search by location
  • Roaming history
  • Geo fencing

Juniper WLM Series Guest Management: SmartPass
Centralized Guest Access Database
Web-based access control suite
• Guest access module
  • Ease of use / Bulk user creation
  • API for 3rd party application integration
  • SMS / Email creation of guest coupons with Self-Provisioning
• Accounting database
  • Detailed client accounting history
  • Reporting available via RingMaster
• Access control module
  • RFC 3576 (Dynamic RADIUS)
  • Location awareness for client sessions
    • Allow or deny access based on location
    • Change any AAA attribute based on location
  • Access Rules (location based, time based or a combination of both)

Juniper WLM Series Device Onboarding: SmartPass Connect
Automated, Self-Service Onboarding
• Automatically provision client devices
  • Secure 802.1x or PSK access to the wireless network
  • Secure 802.1x access to the wired network
• Authentication
  • Leverages built-in supplicants in today’s modern OSs
  • Credentials (PEAP, TTLS) or Certificates (TLS)
• Automates certificate enrollment process
  • Self service client certificate deployment from Microsoft CA
• Devices
  • iOS, Android, Windows, Mac

Software Feature Highlights
• Secure Client Mobility
  • Roaming across APs, controllers
  • Identity-based networking
• Controller Virtualization (cluster)
  • 150 msec AP failover for controller outages. No session losses
  • Single point of configuration
  • Many-to-many in-service resiliency
  • Dynamic AP load balancing across controllers
  • In service maintenance - adds, moves, changes, upgrades cluster
• Distributed Forwarding
  • Efficient and flexible data path forwarding
  • AP to WLC, WLC to WLC tunneling
• Voice application awareness
  • Active call management (CAC)
  • SIP inspection / prioritization
  • Call details record, audit trail
• Device Profiling
  • Automatically detects client operating system
  • Option to assign policies, depending on operating system
• AP Load Balancing
  • APs dynamically assigned to least loaded controllers
  • Eliminates management chore of AP-Controller mapping
  • Scale capacity w/ zero config
  • Less waste of AP licenses
• Band Steering & Client Load Balancing
  • Preserves b/g bandwidth
  • Prevents “front door” problem
  • Maximizes per-user bandwidth
• QoS Management
  • L2/L3/L4 classification, bandwidth, QoS controls
  • By user, SSID or application
• Wireless Security
  • WIDS/WIPS
  • AAA, guest services
  • Location Aware WLAN Access
  • Per session, port, VLAN, AP ACLs
  • Dynamic authentication (location, time, bandwidth usage…)

Persistent AP Configuration
• Allows APs to survive reboot
• Enhanced Branch Survivability
• Enables deployments with periodic WLC access
Feature Description
• AP boots without controller
• Service using ‘last-known’ config
• Seamless re-entry to WLC
• Needs APOS on the AP
• Supported on WLA-532/322/321

Remote AP RADIUS Client
Overview
• Enhances Remote AP capabilities
• Extends Branch Survivability
• Enables longer latency WAN links
Feature Description
• 802.1X/RADIUS authentication
• RADIUS MAC authentication
• RADIUS CoA
• Device Fingerprinting
• Failover/back session persistence
[Diagram labels: Campus, EX, WLC, Centralized RADIUS, WAN, Branch, SRX, Local RADIUS]

Controller Clustering: Why order the HA-license?
• The cluster/HA feature is always available
• Why do I need the license?
  • The cluster/HA license adds AP-count redundancy
  • Scenario: redundant setup for 250 APs
    • Without the license:
      – Each controller needs 256 AP licenses
    • With the license:
      – Each controller needs 128 AP licenses + HA license
      – During a failure, the remaining controller will support 256 APs
      – On WLC-880: HA license = $ 3895 // 128 AP licenses = $ 18580

Juniper Wireless: Designed to scale
• VLAN Pooling
  • Ability to set up 32 VLANs per pool and 16 pools per Cluster
  • Users connecting to that pool will be balanced across the member VLANs
  • VLAN assignment is done using a Round Robin mechanism

MICROSOFT LYNC WIFI PARTNER PROGRAM
Set of certifications intended to ensure compatibility between Lync software and WiFi infrastructure networks
3 levels of certification requirements
• Fixed data: IM, web-conference, file-sharing
• Fixed RealTime Multimedia: audio or video conferencing from desk/conference room
• Mobile RealTime Multimedia: audio/video while on the move
Juniper and a few other vendors have completed certification for wired networking products

What is JunosV Wireless LAN Controller?
Juniper is delivering its industry-leading Mobility System Software as a software appliance for deployment in virtualized environments
[Diagram: Virtualized Environment with JunosV WLC running alongside VM1, VM2 and VM3 on a hypervisor on an x86 server platform]

JunosV Wireless LAN Controller Overview
• Virtual WLAN Appliance
  • WLC delivered as a virtual appliance on VMware-based hypervisors
  • Runs on standard x86 hardware
  • Maintains features and functionalities of appliance based WLCs
  • Supports mix-and-match deployment with physical WLCs
• Performance and capacities dependent on host hardware
  • APs, data plane throughput, session counts scale with host resources
• Supports Hypervisor VM functionality
  • vMotion, snapshots, cloning, templates
[Diagram labels: VMware vCenter, VMs, Virtual Distributed Switch, WLC, Hypervisor on x86 HW, JunosV WLC, EX Series, WLA Access Points]

JunosV Wireless LAN Controller Specifications
• Supports up to 256 APs (cluster up to 2048 APs)
• Supports 6400 user sessions
• 100% SW feature parity with Appliance WLC
• Managed via RingMaster or Network Director 1.5
• Requirements:
  • VMware ESXi 5.0 (or higher)
  • Minimum 320 MB RAM
  • Recommended 2G RAM (for 256 APs/6400 user sessions)
  • Minimum 16GB disk space
  • Minimum 1 Ethernet Adapter, recommended 2
    – E1000 Network Adapter

JunosV WLC: JSA Licensing
• 2 license options:
  • Perpetual licenses: one time charge
    – Maintenance must be purchased separately
  • Subscription licenses include maintenance service
    – Renewed annually
• Voice, Mesh and High-Availability included in AP license
  • No separate license required
• You still need a Spectrum Analysis license

JunosV WLC: Implementation
• Single vCPU / VM instance = 630Mbit/s throughput
  • Not enough for .11n / .11ac implementations
  • Your proposal/design should advise local switching
    – Remember you can mix & match local & central switching per SSID
• Practical remark:
  • Don’t set up all the interfaces in the same VLAN
    – The virtual controller doesn’t support STP (unlike physical WLCs)
    – Change the default config before you start your newly installed virtual appliance!

JunosV WLC: Limitations
• No Webview interface in FRS (will return in MR1)
• No support for port groups
• No Spanning Tree
• No LLDP support

JunosV WLC: Why?
• JunosV WLC is another step towards virtualisation of the control plane
• What will be next?
  • Sooner
    – CAPWAP tunnel termination on EX9200
    – New control-plane controller (used with EX9200)
  • Later
    – Tunnel termination on the access layer
    – Embedded WLAN service on the access layer

802.11n Recap: MIMO Antennas

Access Point technology evolution
[Figure: per radio speed over time]
• 802.11b: 11 Mbps
• 802.11g: 54 Mbps
• 802.11n 2 Spatial Streams: 300 Mbps
• 802.11n 3 Spatial Streams: 450 Mbps
• 802.11ac Base: Gigabit
• 802.11ac Multi-user MIMO: Gigabit

802.11ac High Speed WLAN
• Up to 7 Gbps (aggregate)
• Wider channel bandwidth (80 MHz or 160 MHz)
  – Be aware: wider channels leave fewer overlap-free channel sets; we have a max of 18 5 GHz channels
• 5 GHz Band
• High speed modulation (256 QAM)
• Up to 8 spatial streams (= up to 8 antennas)
  – Up to 4 per client

802.11ac data rates with one spatial stream
6.933,6 Mbit/s with 8 Spatial Streams!

Wireless Management & Access Control

WLM – Management and Access Control
• RingMaster (WLM – RMTS)
  • Software Licenses
  • With 8.0: 64 bit SW
  • 5 – 1,000 APs -> 3500
• WLM - Appliance (WLM1200 – RMTS)
  • Optimized Linux Server Platform
  • 250 – 5,000 APs
• SmartPass (WLM – SP)
  • Software Licenses
  • WLAN Access Control
  • Guest Provisioning
Plan - Configure - Monitor - Troubleshoot - Report

RingMaster Architecture
[Diagram: controllers at CAMPUS 1, CAMPUS 2 and CAMPUS 3 connected over LAN / WAN to the RingMaster Server, Guest Server and Unified Management Console]

RingMaster Lifecycle Management
• 3D RF Planning
• Configuration Management
• Monitoring and Troubleshooting
• Reporting

RingMaster 9.0 Demo

Management: Next Step, Juniper Network Director 1.5
• Module for Junos Space
• Common Management for WLAN and LAN
• Configuration and Monitoring for WLAN and LAN devices
• RingMaster feature parity in version 2.0

SmartPass, Controller and RingMaster
[Diagram labels: WLAN Controller, SOAP/XML, Location Appliance, RADIUS, RingMaster, Guest User, REST API for Mgmt Integration]
• Login Page: from Controller or SmartPass
• Capture Function: Controller

BYOD Issues to solve: Provisioning
• How to configure a high number of personal devices for access to a secure SSID? SmartPass Connect
• Automated self-service onboarding of (mobile) devices:
  • Windows, Linux, Mac, iOS, Android
• Vanishing Agent
  • Downloads from web server, performs configuration tasks, then deletes itself
• Java, ActiveX or HTML based
  • Depending on platform and capabilities (SPC server automatically figures out the best vehicle for a given platform)
• Credentials (PEAP) or Certificates (TLS)
• Install Client Certificates & Trusted Root CAs
• Handle Additional Dependencies (Software, Proxies, etc.)
• Cloud based service with local configuration server

How does SmartPass Connect Work?
SPC allows agent-less network provisioning:
1. IT Admin configures network parameters
2. IT Admin deploys the configuration files to local web server
3. User connects to local web server, downloads configuration
4. SPC’s (dissolvable) client runs through configuration on device
5. User device connects to secure network
6. After successfully accessing the network, SPC Client dissolves
[Diagram labels: Admin Console (Cloud Service), Web Server (locally deployed), AAA Server, Open SSID, Secure SSID, Network Management]

Integration module for Microsoft CA
The CA Integration Module allows the Configuration Wizard to request certificates from a MS PKI infrastructure
• Extends TLS (certificate based authentication) to Non-Domain Devices
• Plug & Play Integration with Microsoft Certificate Services
• Module requires that wizard package be installed on Windows IIS server (domain membership required)
• Works with MS CA only
[Diagram labels: Web Server, MS CA, SPC Config Wizard, WLC, Corporate Data Center]

Employee Owned Device On Corporate Network: Employee Self Provisioning
1. Unknown device connects to open captive portal SSID
2. User session is captured and redirected to SmartPass
3. SmartPass web portal presents captive portal and redirects client to provisioning portal
4. Provisioning portal pushes native supplicant config wizard to client device
5. Provisioning portal gets user credentials from wizard; validates against AD; and requests user cert for end user
6. Provisioning wizard gets EAP-TLS configuration profile (and cert) from provisioning portal; agent dissolves
7. User selects secure wireless network and device authenticates to RADIUS without requiring user to enter credentials
[Diagram labels: Wireless User (Tablet/smartphone), AP, EX Series, SmartPass, SmartPass Connect, UAC, AD/Certificate Authority]

SmartPass Connect Demo

Simply Connected: The Concept
Holistic approach to enterprise mobility and BYOD access
• Highly Resilient: Automated, uninterrupted service
• Performance at Scale: Scalability without complicating the network
• Coordinated Security: Safe and simple mobility while protecting assets
Switching, Wireless, Security, Routing

EX With UAC: Enforce Security Policy
Allows automatic and dynamic policy enforcement at the edge of the network including role based dynamic ACLs without any manual intervention
[Diagram labels: 3rd Party Supplicants, Juniper Client, MAG/UAC, EX, Protected Resources]

SRX… With User Role Firewall
Allows different users to have different application policies based on their role and group, simply for IT
[Diagram: Branch SRX and MAG/UAC with roles Marketing Department, Sales Department and CEO (Individual); policy sets shown:]
• No apps blocked; Anti-virus applied; WF profile C
• P2P apps blocked; Youtube allowed; Anti-virus applied; WF profile A
• P2P, Youtube blocked; Anti-virus applied; WF profile B

Security Threat Response Manager (STRM)
• STRM supports SRX Series Intrusion Prevention System (IPS) and AppSecure
• 220+ out-of-the box report templates
• Fully customizable reporting engine: creating, branding and scheduling delivery of reports
• Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA
• Reports based on control frameworks: NIST, ISO and CoBIT

Wireless Device on Corp Network: Application Restrict Done with the SRX
1. Device authenticated on wireless network
2. Smart Pass Connect communicates User and IP information to UAC via IF-MAP
3. UAC pushes role based ACL and FW policies to EX, WLC and SRX
4. SRX enforces user policies allowing user basic access to all servers except finance
5. SRX AppSecure policies block non-work related applications like Hulu and Netflix
SRX AppTrack feature combined with MAG data collects per user application information providing detailed reports in STRM
[Diagram labels: Wireless User (Tablet/smartphone), AP, WLC, EX Series, Smart Pass Connect, UAC, SRX, Internet, Corporate Data Center (Apps, Data, Finance, Video, Active Directory/LDAP)]

End To End Security: Host Checking and Application Restrict
1. Junos Pulse detects device is on corporate network and per user policy disables any active VPN sessions
2. During 802.1x authentication, MAG verifies PC meets company software and security policy requirements
3. Compliance check fails. Antivirus signatures are out of date and user is quarantined to remediation VLAN. Patch server updates signatures. User is now in compliance and granted network access
4. MAG pushes role based FW policies to EX, WLC and SRX
5. SRX enforces user policies allowing user basic access to all servers except finance
6. SRX AppSecure policies block non-work related applications (based on user’s role in UAC)
SRX AppTrack feature combined with MAG data collects per user application information providing detailed reports in STRM
[Diagram labels: Mobile User (virus signatures outdated), WLCs, EX4200 VC, EX4500 VC and EX4200 VC, SRX, MAG Series (UAC), Patch Remediation, Internet, Corporate Data Center (Apps, Data, Finance, Video, Active Directory/LDAP)]

Mobile Device Remote Network Access: Policy and Access Control
1. User needs to access company intranet over non-corporate network using iPad
2. User starts Junos Pulse and initiates a secure VPN session with MAG appliance
3. MAG verifies user login, establishes VPN and the device is allowed on the network.
[Diagram labels: Wireless User (Tablet/smartphone), Internet, MAG with RADIUS, SSL VPN and UAC modules, WLCs, EX4500 VC and EX4200 VCs, SRX with IDP/AppSecure, Corporate Data Center (Apps, Data, Finance, Video, Active Directory/LDAP)]

Juniper Wireless LAN Technical Education
Westcon Academy courses:
Introduction to Juniper Wireless LANs (IJWL)
• 3 days
• Understand the requirements for a secure, Enterprise-grade Wireless LAN system and configure secure services.
• Use RingMaster management to plan, deploy, configure, manage, monitor and report on a WLS.
• Effectively troubleshoot a WLS system deployment and user connectivity
Advanced Juniper Wireless LANs (AJWL)
• 4 days
• Configure secure WLAN services using digital certificate-based authentications and machine authentication.
• Configure voice optimized services
• Deploy and manage remote APs
• Troubleshoot all aspects of a deployed WLS system