SmartZone 3.5 - Feature Review June 2017 © 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION

  • SmartZone 3.5 - Feature Review

    June 2017

  • New Features in 3.5 (1)

    RUCKUS PROPRIETARY AND CONFIDENTIAL

    o New Dashboard: Quickly assess network status, narrow your focus, and resolve problems.

    o Maps: Visually check on your sites and floor plans along with AP health and usage.

    o Connectivity Analysis: Walk through the client's connection flow to find hang-ups and root causes.

    o AP Health: Flag APs, easily find the worst performing APs, and compare with others.

    o Cluster Health: Monitor and flag cluster node status. Keep critical alerts up front and center.

    o Client Health: Check on real-time client performance metrics, connectivity, and traffic.

    o Traffic Analysis: Find your top users, APs, WLANs, apps, and OS types.

    o Topology Health: Assess AP health by domain, zone, or group to assess localized problems.

  • New Features in 3.5 (2)

    o Bonjour Fencing: Prevent unwanted Bonjour service discovery outside the desired range.

    o Role-Based Policy: Assign users to roles, then apply the VLAN, OS, and L3-7 policies you desire.

    o ZD Parity: Adds many more critical features previously available only on ZoneDirector.

    o Isolation Whitelist: Manually control the network destinations that clients can access.

    o ChannelFly: Monitor channel changes and capacity, adapt to client capabilities, and more.

    o Spectrum Analysis: Use the AP's integrated spectrum visibility to troubleshoot RF interference.

    o L7 AppControl: Gain control over usage with policies to deny, limit, or reprioritize apps.

    o ZD-to-SZ Migration: Easily migrate from ZD to SmartZone with built-in step-by-step tools.

  • New Features in 3.5 (3)

    o SmartZone 300: Introducing the newest carrier-grade, high-scale controller appliance

    o MSP: Enhanced management segmentation and object control for MSPs

    o OAM: Improvements to APIs, SNMP, and reporting granularity

    o CALEA: Maintain compliance with lawful intercept functionality for public or govt networks

    o DHCP/NAT in AP: Keep small sites small and low cost with built-in DHCP, NAT in the AP.

    o DPSK Phase2: Improvements to scale, function, and flexibility of our patented Dynamic PSK.

    o vSZ-D Updates: Increased scale and control for your virtual data plane implementation.

  • Added ZoneDirector Features

    o Mark Rogues as Known: View a list of detected rogue APs that are not managed by the controller and manually identify the trusted APs as known

    o Manually Block Client: Monitor connected clients and easily block a specific device if suspicious behavior is detected or a device is stolen

    o Block UE After Repeat Auth Failure: APs will temporarily block client devices that have failed authentication multiple times within a short period of time; this prevents some DoS attacks

    o LDAP over SSL: Allows the SmartZone's connection to use the non-standard LDAPS, which initiates a TLS session before LDAP messages are transferred

    o Test AAA with Role Attribute: Test authentication services, usernames and passwords, and user role assignment, all at the same time

  • Introducing SZ-300

    [Figure: SZ-300 chassis, front and back views with no cover, showing front fans, AC power supplies, and HDD]

    6x Fans, 2x 10 Gbps data cards, 6x 1 GigE ports

  • SZ300 Roadmap

    Roadmap is subject to change

    SZ-300 / Phase-1 (3.5.0): 3.5.0 Beta (End of 2016), 3.5.0 GA (Q1 of 2017)

    o Supported in phase-1: Feature parity with SCG200, Scale parity with SCG200 (same # AP, # Clients etc), 4x Node Cluster supported, Tunneling and Local Breakout support (Core: Local Breakout (VLAN/Q-in-Q), SoftGRE; Access: RuckusGRE, LB), Config Migration from SCG200 to SZ-300.

    o Not supported in phase-1: No RMNO (3GPP-tunneling), No RMAP (MAP-Gateway), No 3rd party AP aggregation, No Mixed cluster with SCG200.

    SZ-300 / Phase-2 (3.6.0): 3.6.0 GA (2H2017)

    o Supported in phase-2: 3GPP tunneling (RMNO), MAP-Gateway (RMAP), 3rd party AP aggregation (RWAG), Scale: 600K Clients, Up to 10 external vDP support, Access: Q-in-Q, SoftGRE, Secure Inter-WAC communications.

    o Not supported in phase-2: No PMIPv6, No Mixed cluster with SCG200.

  • New UI Look and Feel

    Completely redesigned dashboard experience.

    New menu structure with simplified navigation.

    Global filter preserves admin context throughout menus and pages.

    Fresh layout, user interaction, and styling throughout.

  • New UI Contextual Enhancements

    Manage the network hierarchy from most menus.

    Quickly change scope and easily manage profiles.

    Monitor and configuration workflows are fully integrated.

    Simplified and enhanced search functionality.

    Easier creation of profiles while linking into other objects.

  • Multi-Zone Support in Essentials (SZ100/vSZ-E)

    o Multi-zone now supported on Essentials platforms
      - Supports up to 1,024 zones

    o Allows the network to be segmented into independent organizational units

    o Supports different firmware across zones
      - Starting in 3.5 and going forward
      - No backward compatibility, no 3.4 (or earlier) zones

    o Supports different country codes across zones

    o Note that some profiles/objects are global and some are zone-specific. Plan accordingly.

    o Note some differences with High-Scale profile:
      - Default Zone instead of Staging Zone
      - No Domain or Subdomain concept
      - Admin privileges are not segmented by zone
      - No MVNO concept

  • Maps

    o Allows admin to import custom maps and place APs in proper location

    o Quickly check status of APs across floorplan to find online, flagged, offline APs

    o View health/traffic data for each AP to evaluate site performance/load

    o Allows view of all sites and outdoor APs at the same time

    o Sites are indoor maps

    o Outdoor APs are placed by GPS lat/long

    o Quick check of AP status on a site-by-site basis

    o Easily launch point into indoor maps

    [Figure panels: Google Maps, Indoor Maps]

  • Troubleshooting Workflows

    o Easily troubleshoot client connection problems

    o Pinpoint the failure stage and likely cause

    o Assess AP environmental conditions and client RSSI

    o Check on association, authentication, RADIUS, EAP, DHCP, and portal behavior

    o Evaluate the flow for Open, PSK, 802.1X, and WISPr networks

  • Traffic Analysis

    o Quickly find your highest points of AP and WLAN load as well as top network users and devices

    o Check on domain, zone, AP group, WLAN, and AP traffic and client load over time

    o View client OS types and top applications

    o Filter by band (2.4 GHz, 5 GHz, or both) and traffic direction (uplink, downlink, or both)

  • Health Stats

    o Highlight APs with poorest performance, as determined by key performance indicators

    o Flag AP status when APs cross performance/health thresholds

    o Compare an AP with larger groups of APs

    o Review recent KPI history to assess AP health trend

    o Initiate a real-time steady flow of stat collection for an AP or client

  • New Admin and Object Model

    o New partner domain concept
      - Allows admin to create domains that contain profiles used by many zones

    o Adjustments to object hierarchy provide more flexibility for MSPs
      - System, Domain, Zone

    o Simplified approach to Admin RBAC
      - Pre-grouped admin permissions make common roles easier to set up
      - Easier to set Read-Only or Modify permissions
      - Easily add new admins and set permission

  • Tiered Access & Privileges

    2016 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY

    Partner-Owned or MSP-Owned Domains

    o Create, Edit, Delete Zones & AP Groups, Zones

    o Create, Edit, Delete services like AAA, Accounting services, Hotspot, Profiles, Templates

    o Advanced Stats & Reports, Logs & Alarms

    o Create, Edit, Delete WLAN

    o WLAN Attributes management (WLAN Types, Hotspot 2.0)

    o Custom Portals/URLs

    o Statistics & Reports

    o AP Management

    Global (MSP-Owned)

    o AP firmware control

    o Upload AP Firmware

    o Cluster management

    o SZ System Upgrade/Reboot

    o Backups

    o Logs & SNMP management

    o User Management

    o Create users and define roles

    https://jira-wiki.ruckuswireless.com/display/prd/Multi-tenancy+for+3.5

    https://jira-wiki.ruckuswireless.com/display/Team/Managed+Services+(Multi-tenancy)+PRD

  • New System/Domain/Zone Object Hierarchy

    [Figure: objects grouped by hierarchy level. Levels: System (Global); Domain (high-scale) / Global (essentials); Zone (high-scale and essentials)]

    SMTP Node Affinity AP Registration Syslog Critical AP tagging SCI Certificates Event Management SNMP

    WLAN DPSK Guest Access WISPr WebAuth WeChat UA Blacklist OS Policy VLAN Pool L2 ACL Blocked Clients Client Isolation Whitelist Time Schedules Non-Proxy AAA Bonjour Gateway Bonjour Fencing Ethernet Port policies DSCP policies DHCP for APs DHCP Pools

    User Traffic Profile AVC NBI FTP SMS Zone Template WLAN Template Local Users User Roles Guest Pass Guest Pass Template HS 2.0 > Operator HS 2.0 > Identity Provider HS 2.0 > Signup Portal DNS Server SCG Proxy AAA Realm-Based Proxy AAA Core Network Tunnel profiles Tunnel profiles (RuckusGRE, SoftGRE, IPSec) Location Svcs

  • Custom Admin Roles Design Change

    o Prior to 3.5
      - Custom admin roles are assigned by selecting the permission level of each page or operation.
      - This approach is very flexible, but time consuming to configure.
      - The possible number of combinations is very large, creating a huge number of problems in implementation and testing because of interaction between operations/objects.

  • Custom Admin Roles Design Change

    o In 3.5
      - Admin can create custom permission, but objects and operations are divided into 6 functional categories.
      - Each category has 4 permissions (full, modify, read, none).
      - The approach is intuitive to use, provides flexibility, and significantly reduces the development and testing burden of each release.

    Because of these changes, custom roles cannot migrate perfectly. We will reduce permission to preserve security where there is a conflict.

  • Spectrum Analysis

    o On-demand real-time spectrum troubleshooting using AP radio

    o AP radio must stop serving clients during spectrum scan

    o Visualize spectrum by
      - Real-Time Energy
      - Real-Time Utilization
      - Density
      - Waterfall of energy
      - Waterfall of utilization

    https://jira-wiki.ruckuswireless.com/display/Team/Spectrum+Analysis+PRD

  • Client Isolation + Whitelist

    o Adds ZD-like feature to manually identify L2 whitelist

    o Admin can specify MAC destinations that users will be able to reach

    o SZ will still support auto whitelist
      - Admin able to use manual, auto, or both

    https://jira-wiki.ruckuswireless.com/pages/viewpage.action?pageId=38798974

  • Enhanced ZD to SZ Migration

    o User workflow
      - Migrate the configuration from ZD (separate)
      - Enter ZD IP and login credentials
      - Connect to ZD from SZ (note, they must be able to communicate with each other)
      - Select APs to be migrated and click migrate
      - SZ then converts APs and migrates them to SZ, keeping AP connectivity configs (mesh, mgmtVLAN, etc) during reset

    o https://jira-wiki.ruckuswireless.com/display/Team/ZD+to+SZ+migration

  • Enhanced Application Control

    o Users can deny, rate limit, and change QoS of applications

    o Rate Limit Action (new)
      - Throttle uplink and downlink throughput

    o QoS Action (new)
      - Uplink: AP rewrites 802.1p and DSCP settings
      - Downlink: AP uses designated queue for wireless transmission

    o Supported in both Essentials and High-Scale platforms

  • Enhanced Application Reporting

    o Essentials platforms focus on short-term in-product app visibility
      - Top apps
      - Top users per app
      - Top apps per user

    o High-Scale platforms focus on forwarding application data to SCI

    o SCI serves long-term data for Essentials and High-Scale platforms

    o SZ app signatures can be updated without SZ upgrade

  • Role-Based Policies

    o Apply policies to users based on their role
      - Assign roles during authentication
      - Perfect use case for Cloudpath

    o New policy elements
      - Role-based VLAN and VLAN pool
      - Role-based L3/4 policy
      - L3/4 rate limiting
      - Configurable precedence policy

    Supported only with Proxy Authentication (not non-proxy)

    L7 role policy deferred to 3.5.1 or 3.6

  • Bonjour Fencing

    [Figure: AppleTVs with wireless devices and wired devices]

    o Limits discovery range for Bonjour advertisements

    o Prevents unwanted and irrelevant lists of mDNS services

    o Supports wireless or wired Bonjour devices

    o Can limit discovery range to same AP or 1-hop neighbors

  • DPSK Phase-2 Enhancements

    o Group DPSK: Creates a DPSK that can be shared by multiple different devices.

    o User-Specified Passphrase: Allows the user to specify a specific passphrase for a DPSK or Group DPSK.

    o ZD DPSK Migration: Export DPSK list from ZD (10.0) and import CSV into SmartZone

    o Number-Only DPSK: System will auto-generate DPSKs with numbers only

    o Scalability
      - 50K DPSK on High-Scale Platforms (10K / zone)
      - 20K DPSK on Essentials Platforms (10K / zone)

    https://jira-wiki.ruckuswireless.com/display/Team/DPSK+Phase2+PRD

  • DHCP/NAT in AP (3.5)

    [Figure: "3rd Party Router for Campus WAN Services" (campus site, 3rd party router providing WAN routing, NAT, DHCP) compared with "AP as Router for SMB WAN Services" (smaller/remote sites, each AP providing WAN routing, NAT, DHCP), with a centralized control channel]

    o Allows AP to serve as router for remote sites, SMB, and home users

    o APs are still centrally managed by SZ

  • vSZ-D Enhancements

    o Zone Affinity Support

    o Up to 10 instances per vSZ node

    o Up to 40 instances per vSZ cluster

    o Support for northbound tunnels (L2oGRE)

    o DHCP Server and NAT Support

    o CALEA Mirroring Support

    o L3 Roaming using Flexi Ruckus GRE Tunnels

  • vSZ-D Zone Affinity

    [Figure: vSZ-D instances serving schools, hotels, managed enterprises, and stadiums (guest, staff, student, and public access networks; switches; mesh APs; local AD/RADIUS authentication server), connected to a centralized AD/RADIUS authentication server and the Virtual SmartZone controller in the datacenter]
