wireless lan design fundamentals in the campus

#ATM16

WLAN Design 101: Fundamentals in the CampusIntroduction to WLAN designPeter Lane, Director Product Management @ArubaNetworks |

2#ATM16

Where to Look

3#ATM16

Aruba Solutions Exchange

4#ATM16

Airheads Community in Q1 16

• New Members: 2645, 103% YoY

• Page Views (Human): 1.45M, 23.5% YoY

• Accepted Solution Views: 335K, 62.6% YoY

• Knowledge Base Views: 275.7K, 124% YoY

• 41,000+ Members• 10,000+ New Members in 2015

• 7000+ Accepted Solutions• 30,000+ Kudos Given

• 6000+ Knowledge Base Articles• 115,000+ Total Forum Posts• 170+ Countries Represented

5#ATM16

Factors to Consider when choosing a network solution

– User Expectations– Voice/Roaming– Areas to cover (bathrooms, stairwells,

elevators, parking lots)– Video– Uptime– Speed

– Policy control– Block any traffic?– Throttle any traffic?– QOS– Posture assesment

– Locations– How many?– How large?– How many Users?– Backhaul to the DC?

– Operational– Lifetime of the deployment– Cost– Replacement/refresh cycle

6#ATM16

AP Decision Points

– AP Model– WiFi Standard

– 11ac wave 1 is the baseline– Wave 2 is coming but not many clients yet

– Scale (device count)– Number of concurrent users– Common use cases

– Backhaul– 1 gbps backhaul recommended– Dual backhauls to separate switches recommended for areas that need high availability (healthcare)– 10 gig uplinks from the edge switch

– Placement– Typically every 40-50 feet

– <40 feet requires special RF design work– >50 feet may not keep up with client density

7#ATM16

Broad Portfolio of WLAN Connectivity

Beacons

Hospitality Access Points

Remote Access Points

103H2 ports11n dual

205H3 ports11ac dualPSE

Indoor Access Points

200 SeriesLower density

2x2 11ac 1.2 Gbps

210 SeriesCarpeted space

3x3 11ac 1.9 Gbps

220 SeriesHighest Density

3x3 11ac 1.9 GbpsDual uplink

103 SeriesLower cost

2x2 11n 600 Mbps

320 SeriesHighest Density

4x4 MU-MIMO 11ac2.5 Gbps, Dual uplink

Aruba Beacons

Bludot Location

Outdoor Access Points

270 SeriesOutdoor3x3 11ac

RAP-32 ports, 2.4GHz, PSE

RAP-108/1091 port, 11n dual radio

RAP-1554 ports, 11n dual radio, PSE

Hardened Access Points

228 SeriesIndustrial grade

3x3 11ac

Broad Portfolio of WLAN Connectivity

8#ATM16

AP Modes

CAP IAPRAP

9#ATM16

Forwarding Modes and Traffic Processing

Campus RemoteDeployment Mode (per-VAP setting) Tunnel Decrypt-

Tunnel Bridge Tunnel Decrypt-Tunnel

Split-Tunnel Bridge

802.11 Mgmt Frame Processing AP AP AP AP AP AP AP

Encryption and Decryption (per-VAP setting)

Controller AP AP Controller AP AP AP

Client Traffic Forwarding done by Controller Controller AP Controller Controller AP AP

Firewall policies applied by Controller Controller AP Controller Controller AP AP

Note: Decrypt-Tunnel requires CPsec to be turned on

CampusDeployment Mode (per-VAP setting) Tunnel Decrypt-

TunnelInstantBridge

802.11 Mgmt Frame Processing AP AP AP

Encryption and Decryption (per-VAP setting)

Controller AP AP

Client Traffic Forwarding done by Controller Controller AP

Firewall policies applied by Controller Controller AP

10#ATM16

Radio Modes

WWAS16 | Confidential

Hybrid AP• Client Access• Scan 2.4 and 5 GHz• IDS detection• Rogue detection• Interference detection• Interference classification

Dedicated Air Monitor• Air monitor 2.4 and 5 GHz• Air monitor 4.9 GHz• IDS detection• Rogue detection• Rogue containment• Interference detection

Spectrum Monitor• Air monitor 2.4 and 5 GHz• IDS detection• Rogue detection• Interference detection• Interference classification

11#ATM16

Controller Decision Points

– AP Count– Current number of APs– Redundancy design (active+active, n+1, none)– Leave headroom to grow and evolve (AP count <80% of supported max)

– Client count– LPVs may require additional controllers for client support

– Throughput

– Redundancy

– Master/Local domains for large networks

12#ATM16

Branch and Campus Controller Portfolio

Performance

Scal

e

CAMPUS

BRANCH/REMOTE OFFICE

7005 16 AP/1K Devices, 2 Gbps

7010 32 AP/2K Devices, 12 PoE, 4 Gbps



7205 256 APs/8K Devices, 12 Gbps


7024 32 AP/2K Devices, 24 PoE, 4 Gbps

VMC-TACT 32 AP/512 Devices, 0.4 Gbps


13#ATM16

Role Based Security Architecture

CorporateServices

Signage

Voice

Data

PoS

Virtual-AP 2SSID: Corp

Virtual-AP 1SSID: GUEST

DMZ

ClearPass

GuestCaptive Portal

Role-Based Access Control

Access Rights

Secure TunnelTo DMZ

SSID-Based Access ControlPoS

Data

Voice

Signage

Guest

RADIUSLDAPAD

14#ATM16

Controller Roles– Master Controller’s primary responsibilities

– Global configuration– Global Monitoring– Processing IDS events and alerting– Initial AP Termination– Centralized license Server– Centralized whitelist – CPSec trust anchor– Can terminate APs but not recommended

– Local Controller’s primary responsibilities– Local Config– Adaptive Radio Management (ARM)– AP termination (GRE tunnel from AP to Controller)– User traffic– Apply firewall rules– VLAN tagging

– Branch Office Controller– ZTP– ARM– AP termination– User traffic– Apply Firewall rules (DPI, content

filtering)– PBR– WAN visibility

15#ATM16

Large Campus


– Definition– Large number of buildings (3 – 500+)– Large number of users (2,000+)– Good backhaul between buildings. 10 gig or higher depending on building type and device usage– Universities, Healthcare, Global HQs, etc.

– Typical Deployment– Centralized controllers.– Master/Local Architecture

– . Up to 15k APs, 150k users in one master local domain– If you need to have multiple master/locals, break it based on natural RF dead zones

– DHCP controller discovery– AP fast failover: Acitve:Active– VRRP for LMS IP, centralized licensing master/backup and Master controller Master/backup master

16#ATM16

CAP/RAP Boot Process

17#ATM16

Master Controller Discovery– Static Assignment (rare)

– Controller IP address is provisioned and saved in AP Flash

– Dynamic Assignment– DHCP request (Option 43)– AP multicasts Aruba Discovery Protocol (ADP) packets to group 239.0.82.11– AP broadcasts ADP packets to L2/L3 recipients – AP sends DNS query

– Who is “aruba-master.domain.com”– “domain.com” supplied by DHCP– “DNS server” supplied by DHCP

18#ATM16

AP Controller Discovery Process

DHCP

Gets IP Address

Option 43 ControllerYes

ADPYes

No

DNS

No

YesNo, Reboot and Start again

Firmware Match ?

Download Configuration

Update Firmware

No

Yes

Connected to LMS ?

Come up in Default Group

Yes

Go to LMSNo

19#ATM16

Master discovery packet capture

DHCP Process

ADP Process

DNS Process

20#ATM16

What is LMS Controller?

Master Controller

Local Controller Local ControllerAP Group = New York LMS = 20.20.1.1

10.10.1.1 20.20.1.1

AP Group = California LMS = 10.10.1.1

21#ATM16

High Availability roles A Controller can be configured one of 3 HA roles:-

– Active – Controller that serves APs, but cannot serve as failover standby for an AP except those it serves as a active controller.

– Standby – Controller acts as failover backup controller, but cannot be configured as primary controller for an AP.

– Dual – A dual controller can support both roles i.e. acting as active controller for one set of APs, and a standby controller for other set of APs

22#ATM16

AP Fast Failover Deployment ModelsController 1HA Role Dual

Controller 2HA Role Dual

Controller 1HA Role Active


Controller 2HA Role Active


Controller 3HA Role Standby

Active / Active

Active / Standby

N + 1 AP connection to its Active controllerAP connection to its Standby controller

23#ATM16

AP Fast Failover – AOS 6.4

– Inter Controller Heartbeat

– Client state sync

– N+1 Oversubscription

24#ATM16

Inter Controller Heartbeat - Introduction• Faster detection of Active controller failure

– Heartbeat from standby to active controller– Heartbeat interval - 100ms (Default)– Heartbeat threshold – 5 (Default)

• Failover time less than 1 sec• Supported on all controller platforms except 650/620• Active/ Active, Active/Standby and N+1 topology supported• Standby can heartbeat max 7 active controllers at a time• AP’s heartbeat mechanism (8 missed HB) will be used when there is connectivity issue on AP

side

NOTE: Make sure link latency between two controllers is less than 100 ms

28#ATM16

InterController Heartbeat Flow

Active Controller Standby Controller

LMS selects a Standby for AP from HA group

AP connects to LMS

LMS notifies Standby controller IP

Hello message with “standby” flag set

Hello Response

Heartbeat to controller every 100 ms




Heartbeat to controller every 100 msHeartbeat to controller every 100 ms

Heartbeat Response

AP Failover request message

AP Failover responseAP is Active on Standby

AP deauth all clients and failover to standby

Standby identifies Active controller IP from Hello message

AP UPHeartbeat sent count = 1

Heartbeat sent count = 1Heartbeat sent count = 2Heartbeat sent count = 3Heartbeat sent count = 4Heartbeat sent count = 5

Reset Heartbeat sent count = 0

29#ATM16

AP Fast Failover – AOS 6.4

– Inter Controller Heartbeat



30#ATM16

Client State Sync - Introduction

• PMKID, Role and Vlan synced between controllers • Controllers sync keys through IPSec tunnel• Supported on 72xx, M3 and 3600 controllers• Supported on Active : Active, Active : Standby and Master : Standby Master topology• NOT supported for N+1 over subscription model

31#ATM16

Client State Sync – Failover Scenario

Active Controller Standby Controller IPSEC Tunnel

1. Client successfully authenticates to dot1x ssid; PMK-SA is generated

32#ATM16




2. PMK-SASync

33#ATM16




2. PMK-SASync

3. On failure of Active controller, AP deauths client and failovers to Standby

34#ATM16




2. PMK-SASync

3. On failure of Active controller, AP deauths client and failovers to Standby

4. Client re-assoicates and performs 4-way key exchange only

35#ATM16

Supported Topologies

– Inter Controller Heartbeat and Client State Sync is not supported in Master-Standby Master topology because standby controller does not allow AP termination unless its VRRP state becomes active.

36#ATM16

AP Fast Failover – AOS 6.4– Inter Controller Heartbeat



37#ATM16

N+1 Oversubscription - Introduction

• Allows backup controller to terminate standby AP tunnels above its platform limit • Supported for 72xx, M3 and 3600 controllers

– 72xx allows 4 times oversubscription– M3 & 3600 allows 2 times oversubscription

• Centralized licensing is recommended for this feature

Example Controller 1 (# of APs)

Controller 2 (# of APs)

Standby Controller (# of standby APs)

AOS 6.3

AOS 6.4

1 7210 (512) 7210 (512) 7210 (1024)

38#ATM16

N+1 Oversubscription

Active 7210 Controller Active 7210 Controller Standby 7210 ControllerActive 7210 Controller

512 AP’s 512 AP’s 512 AP’s 512 AP’s

Active 7210 Controller

39#ATM16

N+1 Oversubscription

Active 7210 Controller Active 7210 Controller Standby 7210 ControllerActive 7210 Controller

512 AP’s 512 AP’s 512 AP’s 512 AP’s

Active 7210 Controller

512 AP’s

40#ATM16

N+1 Oversubscription – Standby AP support

Platform Max # APs Max GRE Tunnels Ratio

7005 16 5127010 32 10247024 32 10247030 64 20483600 128 8192 2:1M3 512 16384 2:17205 256 8192 4:17210 512 16384 4:17220 1024 32768 4:17240 2048 65535 4:1

41#ATM16

N+1 Oversubscription – Caveats

• Client state sync is not supported for N+1 topology• Only standby AP limits are being extended

– User-table, station-table, IPSec tunnel limits remain as it is

42#ATM16

Large Campus


– Definition– Large number of buildings (3 – 500+)– Large number of users (2,000+)– Good backhaul between buildings. 10 gig or higher depending on building type and device usage– Universities, Healthcare, Global HQs, etc.

– Typical Deployment– Centralized controllers– Master/Local Architecture

– . Up to 15k APs, 150k users in one master local domain– If you need to have multiple master/locals, break it based on natural RF dead zones

– DHCP controller discovery– AP fast failover: Acitve:Active– VRRP for LMS IP, centralized licensing master/backup and Master controller Master/backup master

43#ATM16

What about putting a controller in each building?

– Supported deployment

– Rare due to increased controller cost

– Appropriate for large buildings with small backhauls between buildings


44#ATM16

K-12 Deployment Types– Central Controllers

– Architecture:– Master/Local centralized in DC– AP Fast Failover: N+1– DHCP discovery

– Common for schools with:– Fiber between them– Traffic typically heading through the

DC

– Benefits: – Leverage low cost large scale

controllers– Simple fail over solution– Single point of config for all

controllers– Single location for all controllers

– Controllers per school

– Architecture:– Local Controller per school– Master controller in DC– Optional

– Standby Failover controller in DC – AP FF Active Active per school

– Common for schools with:– Weak connections between schools

or back to DC– Traffic patterns that go straight to

the internet

– Benefits– All controller features– Single master configuration point for

all schools

– Instant

– Architecture:– IAPs– AirWave

– Common for schools:– Aerohive has talked with them– Not a fan of controllers– Comfortable with configuring

VLANs

– Benefits:– ZTP– Great redundancy– Low Cost (not as low as you

think)


wireless lan design fundamentals in the campus

Technology