2012 ah vegas remote networking fundamentals


REMOTE NETWORKING DEPLOYMENTS

Anupam Upadhyaya Aruba Networks March 2012

3 3 CONFIDENTIAL © Copyright 2012. Aruba Networks, Inc. All rights reserved

Agenda

1.  Remote Networking Deployments 2.  Remote AP deployments 3.  Aruba Instant overview 4.  Deployment guidelines


Remote Networking Solutions


What is a Remote AP?

•  Aruba Access Point (AP) deployed at remote site •  Plugged directly into the LAN side of a router

connected to a DSL or cable modem •  Extends secure role-based wired and wireless

from corporate network into home


Aruba Mobility Controller Centralized Administration

In the Box: •  Wired and wireless connectivity

•  Firewall and VPN

•  Application specific QoS

•  Per-user access control

Branch Office Data Center/Private Cloud

In the Data Center: •  Configuration and management

•  User-based policies

•  Reporting and visibility

Internet


RAP in Tunnel Mode

•  All traffic is forwarded through the tunnel to the controller •  In Tunnel Mode, the RAP creates the following to the controller

•  One IPsec tunnel, different GRE (over IPsec) per SSID/PORT (not per client) •  Since the tunnel carries control and data traffic, bandwidth requirements have

to be calculated accordingly

Home Office Corporate HQ Internet

Services

DSL Router

VOICE

CORP DMZ

Firewall/NAT INTERNET

CORP

VOICE

Remote AP

Mobility Controller


RAP in Split-Tunnel Mode

•  Corporate and control traffic is forwarded through the tunnel •  Local internet traffic is forwarded to the gateway router •  Local traffic is bridged locally for local servers/printers •  Split-‐Tunnel Mode, the RAP creates the following to the controller

•  one IPsec-‐encrypted GRE tunnel shared across all SSIDs and wired ports

Home Office Corporate HQ Internet

Services

DSL Router

VOICE

CORP DMZ


CORP

VOICE

Remote AP

Mobility Controller

Internet Services

Split Tunnel

Local Printer


RAP in Bridge Mode

•  Only control traffic is forwarded through the tunnel to the controller •  In Bridge Mode, the RAP creates the following to the controller

•  One IPsec tunnel for control traffic shared across all SSIDs and wired ports •  Mainly useful for guest access/SSIDs •  No access to corporate resources

Home Office CorporateHQ

Internet Services

DSL Router DMZ


GUEST

Remote AP

Mobility Controller

GUEST VLAN

Control Traffic

Local Printer


ARUBA INSTANT OVERVIEW


Wiring Closet

Voice VLAN

WLAN with Instant APs

W

W G

G B

B H

H W

W

G

G

B

B

H

H

Guest VLAN

BYOD VLAN

Handheld VLAN

D V

D V

Wireless VLAN

Data Center

AAA Services Data VLAN

•  Add guest and BYOD services •  Manage multi-site deployments

•  Setup in 3 minutes or less •  Integrate with edge access VLANs •  Control access with built-in firewall •  Optimize performance with ARM

Instant

Policy Enforcement


Instant Architecture

Instant Architecture

Data Plane

Control Plane

Management Plane Virtual controller or AirWave and slave IAPs

AdministraPve traffic for iniPal provisioning, monitoring, and image management

IAPs Discovery process, ElecPon process, Client informaPon

IAPs, switches, upstream routers

User data, wired to wireless LAN,

To the wired network

VC

Switch

To wired network

Instant Network Layer 2


ARUBA INSTANT DISTINGUISHING FEATURES


‘instant’ SSID

‘instant’ SSID

instant.arubanetworks.com

Instant Network

IAP1

IAP2

IAP3


Dynamic RADIUS Proxy

VC static IP address: 10.169.241.150

RADIUS server for 802.1X

NAS client IP address 10.169.241.150

Client

EAP Authentication request

IAP1 : 10.169.241.2

IAP1 : 10.169.241.3 RADIUS requests

Src: 10.169.241.150

Dst : RADIUS server

EAP Authentication request Src: 10.169.241.2 Dst: 10.169.241.3


VC

Guest Access

•  External captive portal is implemented using transparent HTTP proxy –  Walled Garden support to allow access to limited websites –  Dynamic whitelist management based on corporate DNS –  Blacklists to deny access to certain websites

Instant Network

IAP1 : IP address 10.169.241.2



VC IP address: 10.169.241.150

Internal captive portal or External captive portal


Magic VLAN

•  No need to create a VLAN for guest users on the wired network •  Virtual controller assigns non-conflicting IP for guests –

192.168.11.x or 172.16.0.x range •  Proxy ARP and DHCP Relay operation per IAP •  All traffic is automatically source-NAT’ed


Instant Mesh

•  Mesh can be configured either of the two ways •  Automatically assign roles based on ENET link status

– mesh portal or mesh point •  Over-the-wire – configure WLAN network before

converting to mesh point

Instant Network

Over-the-wire provisioning

Instant Network

Over-the-air provisioning

Unplug Ethernet

Wired IAPs are Mesh Portals

Mesh Portal

Mesh Point

Mesh Point


IAP IP Assignment

•  IAP tries DHCP option during boot-up sequence •  If DHCP is not available, it assigns itself a default IP

address in the 169.254.x.x range •  User can configure a static IP on each IAP

IAP IP addresses from DHCP

IAP

Network device

DHCP server

IAP

User assigns static IP addresses

IAP

Network device

IAP

IAP assigns default IP addresses

IAP

Network device

IAP

VC


User Interface

HTML 5: Works on all devices, no flash required

Language customiza>on. Addi>on of new languages is simple.

Inline search Intui>ve help

Focus on Monitoring and alerts


Setting up Aruba Instant


1. Create Network


2. Assign SSID and Usage Type


3. Set Security Level


4. Advanced Access Rules (SSID firewall)


5. Connect to the New Network


Network Management

•  SNMP v1, v2c, and v3 are supported for reporting only

•  Trap receivers can be added for v1, v2c, or v3

Trap OID : 1.3.6.1.4.1.14823.2.3.3.1.200.2.X


DEPLOYMENT GUIDELINES


Feature Aruba Instant WLAN

Aruba WLAN with Controller

Func7ons without Central Manager ✓ ✓ Scalability: Max APs in network Unlimited Unlimited

Instant Setup & Deployment: •  Can setup without central or cloud manager •  Can troubleshoot without a central manager •  Guest Access without VLANs or Tunnels

✓ ✓

Security & Mul7media Services: •  Built-‐in Wireless Intrusion DetecPon •  Support for MS Lync, Apple FacePme & Citrix

✓ ✓

Advanced Network Services •  Simple overlay design e.g.: no edge VLANs •  Roam across buildings/floors without performance

impact •  Same experience for Wired, Wi-‐Fi & Remote

✗ ✓

Investment Protec7on: Can add Mobility Controller hardware for scale & security ✓ ✓

Controller Vs Instant


Challenges with an Edge Anchor Point

Wireless VLAN 1

Wireless VLAN 2

Data Center

1

2

1 2

1. Device associates with “home” AP

2. User moves across VLAN boundary

4. Network links process the same packet three times due to L3 mobility

3. AP overload due to forwarding traffic for devices unassociated with this AP


Scaling for Layer 3 Mobility

Wiring Closet

Wiring Closet

Campus AP

1

2

1 2

VLAN Pool

1. Device associates with AP

3. User moves across VLAN boundary

2. Centralized policy definition and enforcement

4. Controller serves as mobility anchor reducing AP and network load

Data Center

Mobility Controller


Where Is A Mobility Controller Needed?

Boost WLAN Performance when devices roam across subnets and for policy control. Traffic not forced to route through the “lobby AP”

Instant APs Controller + APs

Distributed Crypto Centralized Crypto

Consistent Mobility Experience with common policy enforcement & management across wired, Wi-Fi, branch and VPN

Simplify Networks by eliminating VLANs at the edge

Central Management

2012 ah vegas remote networking fundamentals

Technology

confidential copyright

rights reserved agenda

aruba instant overview

aruba access point ap

remote ap deployments

remote site

remote networking solutions

byod services