remote & branch networking fundamentals #airheadsconf italy

Remote and Branch Networking Fundamentals June 9-14, 2014

Upload: aruba-networks-an-hp-company

Post on 16-Jul-2015


Remote and Branch Networking Fundamentals

June 9-14, 2014

CONFIDENTIAL

© Copyright 2014. Aruba Networks, Inc. All rights reserved. #AirheadsConf

Agenda

• Challenges of Deploying Remote networks

• Aruba Solution

• Aruba Instant

• Aruba Instant for Private WAN based Deployments

• Aruba Instant-VPN

• Management and Zero-Touch Deployment

Challenges of Deploying Remote Networks


Who should care?

Branch office / Remote teleworker

Retail

Healthcare


Challenges

Aruba Solution


[Diagram labels: Home Office; On The Road; Branch; Datacenter (AirWave, Aruba Mobility Controller, ClearPass Access Management); Internet / WAN; Instant-VPN; Mobility Switch; Instant Cluster (two shown); Virtual Intranet Access (VIA) Client]

Management and Zero-Touch Deployment


Airwave and Aruba Central

• Advanced guest services

• Mobile device onboarding

• Unified wired/wireless policy

[Diagram labels: Internet; Campus Network; Data Center; Aruba Central; Aruba AirWave; Airwave; ClearPass; Mobility Switch]


Aruba Activate: Zero-touch Deployment

Aruba Instant


• Redundancy for internal failure

• Redundancy for external failure

• Organic growth

• Mobility-ready

• RF optimization

• Master AP selection

• Over-the-air provisioning

• WiFi oriented configuration

Simple to deploy

Self-optimizing

Self-healing

Scalable


Aruba Instant Architecture

• Distributed data-plane

– Wireless encryption / decryption, firewall

• Distributed control-plane

– Authentication, DHCP, ARM, WIPS

• Centralized (local) management-plane

– Configuration, firmware management, GUI, SNMP


Automatic RF Management

Infrastructure control

• Automatic RF optimization for coverage & capacity

• Real-time spectrum analysis and interference avoidance

• Load / Application awareness

• Self-healing

[Diagram labels: Channel 1, Channel 6, Channel 11]

Client Control

• Moves clients towards less congested frequency band

• Distributes clients across available spectrum*

• Bandwidth controls


Security tailored for Mobility

Context Aware

On-boarding

Role-based access

Policy Enforcement

• Aruba RFProtect + AirWave RAPIDS

– RF Scanning, Rogue AP detection / containment, Valid-station protection

• Encryption

– Over-the-air AES encryption, IPSec VPN to datacenter (where applicable)

• Role-based Access

– Per-user, per-device access

• Policy Enforcement Firewall

– Segregation of business traffic from guest traffic

• Blacklisting for session violation

• Centralized Monitoring and Alerting


Mobility Services: Real-time Applications

• No need for separate SSID for QoS

• Session based DSCP tagging & prioritization

• Multicast-to-unicast conversion for video

• Media-classification for encrypted voice – Apple Facetime

• AirGroup* to manage Apple AirPlay, AirPrint, etc.

[Diagram labels: ClearPass; IAP (three shown)]


Mobility Services: Guest Access

• Securely Manage Visitor Access

– Streamlined workflow; No IT

• Sponsored-based, Visitor Self-Registration, Pre-registration, Anonymous Guest Access

• 3rd Party Integrations

• APIs for integration with existing applications / CRM tools

– Assignable roles, expiration times, user names, passwords

• Highest Customization

– Skin technology, software plugins, APIs

– Targeted advertising and content delivery

Private WAN based Deployments


Private-WAN based Deployments


Auto-GRE for Guest

[Diagram labels: Branch office (Instant Cluster); MPLS; Datacenter (AirWave, ClearPass, Servers, Guest Anchor, Master Active, Master Standby, VRRP Link); Employee Traffic; Guest Traffic]

Aruba Instant-VPN


Home Office Solution

[Diagram labels: Home Office (Instant), two shown; Internet / WAN; DMZ (Master Active, Master Standby, VRRP Link); Datacenter (AirWave/Aruba Central, Aruba Mobility Controller, ClearPass solution)]


Branch Office Solution

[Diagram labels: Branch office (Instant Cluster), two shown; Internet / WAN; DMZ (Master Active, Master Standby, VRRP Link); Datacenter (AirWave/Aruba Central, Aruba Mobility Controller, ClearPass solution)]


DHCP - How does Distributed L3 work?

[Diagram labels: Data Center (Intranet, Network 10.0.0.0/8, VLANs 10 to 99); Internet / WAN; Active VPN Tunnel; Remote Branch (Master IAP, Member IAP, VLAN 250); Client A and Client B, each browsing to Intranet and browsing to Youtube; DHCP Request]

• IAP-VC is the DHCP Server

• Route on IAP: for the 10.0.0.0/8 network, the next hop is the VPN terminating controller's IP address

• VC SRC NATs traffic using the IAP's local IP

• VC routes the traffic to the tunnel


DHCP - How does Centralized L2 work?

[Diagram labels: Data Center (Intranet, Network 10.0.0.0/8, VLANs 10 to 99, VLAN 50, DHCP Server and Default Gateway); Internet / WAN; Active VPN Tunnel; Remote Branch (Master IAP, Member IAP, VLAN 50); Client A and Client B, each browsing to Intranet and browsing to Youtube; DHCP Request]

• Route on IAP: for the 10.0.0.0/8 network, the next hop is the VPN terminating controller's IP address

• VC SRC NATs traffic using the IAP's local IP

• VC bridges traffic in the tunnel


DHCP - How does Local Subnet work?

[Diagram labels: Data Center (Intranet, Network 10.0.0.0/8, VLANs 10 to 99); Internet / WAN; Active VPN Tunnel; Remote Branch (Master IAP, Slave IAP, VLAN 200); Client A and Client B, each browsing to Intranet and browsing to Youtube; DHCP Request]

• IAP-VC is the DHCP Server

• Route on IAP: for the 10.0.0.0/8 network, the next hop is the VPN terminating controller's IP address

• VC SRC NATs traffic using the IAP's local IP

• VC SRC NATs traffic using inner IP


Recommendations

IAP-VPN Modes: Usage Recommendations

• Distributed L3: Recommended for all deployments.

• Local: Recommended for Guest networks with centralized captive portal servers.

• Centralized L2: Recommended only if Multicast to branch is a requirement. If Multicast to branch networks is not required, use L3 modes.

Aruba Instant-VPN Design Options


Single AP deployments


Multi-AP deployments


Thank You

#AirheadsConf
