SmartZone 3.5 - Feature Review - Infinigate Schweiz · troubleshooting using AP radio ... • Throttle uplink and downlink throughput. o QoS Action (new) • Uplink – AP rewrites

SmartZone 3.5 - Feature ReviewJune 2017

© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION

2

New Features in 3.5 … 1

RUCKUS PROPRIETARY AND CONFIDENTIAL

New Dashboard Maps Connectivity

AnalysisAP Health

Quickly assess network status, narrow your focus, and resolve problems.

Visually check on your sites and floor plans along with AP health and usage.

Walk through the client’s connection flow to find hang-ups and root causes.

Flag APs, easily find the worst performing APs, and compare with others.

✔

✗

✔✔✔

Cluster Health

Client Health

Monitor and flag cluster node status. Keep critical alerts up front and center.

Check on real-time client performance metrics, connectivity, and traffic.

✔

✔

✔

Traffic AnalysisFind your top users, APs, WLANs, apps, and OS types.

Topology HealthAssess AP health by domain, zone, or group to assess localized problems.

3



Bonjour FencingPrevent unwanted Bonjour service discovery outside the desired range.

Role-Based PolicyAssign users to roles, then apply the VLAN, OS, and L3-7 policies you desire.

ZD ParityAdds many more critical features previously available only on ZoneDirector.

Isolation WhitelistManually control the network destinations that clients can access.

✓✓✓✓✓✓

ChannelFlyMonitor channel changes and capacity, adapt to client capabilities, and more.

1 6 11

Spectrum Analysis

L7 AppControl

Use the AP’s integrated spectrum visibility to troubleshoot RF interference.

Gain control over usage with policies to deny, limit, or reprioritize apps.

ZD-to-SZ MigrationEasily migrate from ZD to SmartZone with built-in step-by-step tools.

4



SmartZone300

MSP OAM CALEA

Introducing the newest carrier-grade, high-scale controller appliance

Enhanced management segmentation and object control for MSPs

Improvements to APIs, SNMP, and reporting granularity

Maintain compliance with lawful intercept functionality for public or govt networks

DHCP/NAT in APKeep small sites small and low cost with built-in DHCP, NAT in the AP.

DPSK Phase2Improvements to scale, function, and flexibility of our patented Dynamic PSK.

vSZ-D UpdatesIncreased scale and control for your virtual data plane implementation.

5

Added ZoneDirector Features


Mark Rogues as KnownView a list of detected rogue APs that are not managed by the controller and manually identify the trusted APs as “known”

Manually Block ClientMonitor connected clients and easily block a specific device if suspicious behavior is detected or a device is stolen

Block UE After Repeat Auth FailureAPs will temporarily block client devices that have failed authentication multiple times within a short period of time; this prevents some DoSattacks

LDAP over SSL

Allows the SmartZone’sconnection to use the non-standard LDAPS, which initiates a TLS session before LDAP messages are transferred

Test AAA with Role AttributeTest authentication services, usernames and passwords, and user role assignment, all at the same time

Introducing SZ-300

© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION6

Back

Front

Front Fan

AC PS

HDD

No cover

AC PS

6x Fans, 2x 10 Gbps data cards, 6x 1 GigE ports

SZ300 Roadmap

RUCKUS PROPRIETARY AND CONFIDENTIAL7

3.5.0 GA(Q1 of 2017)

3.6.0 GA(2H2017)

Supported in phase-2:• 3GPP tunneling (RMNO),• MAP-Gateway (RMAP),• 3d party AP aggregation (RWAG)• Scale: 600K Clients,• Up to 10 external vDP support,• Access: Q-in-Q, SoftGRE• Secure Inter-WAC communications.

Not supported in phase-2:• No PMIPv6,• No Mixed cluster with SCG200.

Supported in phase-1:• Feature parity with SCG200,• Scale parity with SCG200 (same # AP, # Clients etc),• 4x Node Cluster supported,• Tunneling and Local Breakout support:

Core: Local Breakout (VLAN/Q-in-Q), SoftGREAccess: RuckusGRE, LB,

• Config Migration from SCG200 to SZ-300.

Not supported in phase-1:• No RMNO (3GPP-tunneling),• No RMAP (MAP-Gateway),• No 3d party AP aggregation,• No Mixed cluster with SCG200.

SZ-300 / Phase-1 (3.5.0) SZ-300 / Phase-2 (3.6.0)

Roadmap is subject to change

3.5.0 Beta(End of 2016)

8

New UI – Look and Feel


Completely redesigneddashboard

experience.

New menu structure with

simplified navigation.

Global filter preserves admin context throughout menus and pages

Fresh layout, user interaction, and styling throughout.

9

New UI – Contextual Enhancements


Manage the network

hierarchy from most menus.

Quickly change scope and

easily manage profiles.

Monitor and configuration

workflows are fully integrated.

Simplified and enhanced search functionality.

Easier creation of profiles while linking into other objects.

10

Multi-Zone Support in “Essentials” (SZ100/vSZ-E)


o Multi-zone now supported on “Essentials” platforms• Supports up to 1,024 zones

o Allows the network to be segmented into independent organizational units

o Supports different firmware across zones• Starting in 3.5 and going forward• No backward compatibility, no 3.4 (or earlier) zones

o Supports different country codes across zoneso Note that some profiles/objects are global and some are

zone-specific. Plan accordingly.o Note some differences with “High-Scale” profile:

• Default Zone instead of Staging Zone• No Domain or Subdomain concept• Admin privileges are not segmented by zone• No MVNO concept

11

Maps


o Allows admin to import custom maps and place APs in proper location

o Quickly check status of APs across floorplan to find online, flagged, offline APs

o View health/traffic data for each AP to evaluate site performance/load

o Allows view of all sites and outdoor APs at the same timeo Sites are indoor mapso Outdoor APs are placed by GPS lat/long

o Quick check of AP status on a site-by-site basis

o Easily launch point into indoor maps

Google Maps Indoor Maps

12

Troubleshooting Workflows


o Easily troubleshoot client connection problems

o Pinpoint the failure stage and likely cause

o Assess AP environmental conditions and client RSSI

o Check on association, authentication, RADIUS, EAP, DHCP, and portal behavior

o Evaluate the flow for Open, PSK, 802.1X, and WISPrnetworks

13

Traffic Analysis


o Quickly find your highest points of AP and WLAN load as well as top network users and devices

o Check on domain, zone, APgroup, WLAN, and AP traffic and client load over time

o View client OS types and top applications

o Filter by band (2.4 GHz, 5 GHz, or both) and traffic direction (uplink, downlink, or both)

14

Health Stats


o Highlight APs with poorest performance, as determined by key performance indicators

o Flag AP status when APs cross performance/health thresholds

o Compare an AP with larger groups of APs

o Review recent KPI history to assess AP health trend

o Initiate a real-time steady flow of stat collection for an AP or client

New Admin and Object Model


o New “partner domain” concept• Allows admin to create domains that contain

profiles used by many zones

o Adjustments to object hierarchy provide more flexibility for MSPs• System, Domain, Zone

o Simplified approach to Admin RBAC• Pre-grouped admin permissions make common

roles easier to setup• Easier to set Read-Only or Modify permissions• Easily add new admins and set permission

o Create, Edit, Delete Zones & AP Groups, Zones

o Create, Edit, Delete services likeo AAA, Accounting services,

Hotspot, Profiles, Templates

o Advanced Stats & Reports, Logs & Alarms

o Create, Edit, Delete WLANo WLAN Attributes

management (WLAN Types, Hotspot 2.0)

o Custom Portals/URLso Statistics & Reportso AP Management

o AP firmware control

o Upload AP Firmware o Cluster managemento SZ System Upgrade/Rebooto Backupso Logs & SNMP management o User Management

o Create users and define roles

https://jira-wiki.ruckuswireless.com/display/prd/Multi-tenancy+for+3.5https://jira-wiki.ruckuswireless.com/display/Team/Managed+Services+%28Multi-tenancy%29+PRD>

Tiered Access & Privileges

Partner-Owned or MSP-Owned Domains

Global (MSP-Owned)

© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY 16

https://jira-wiki.ruckuswireless.com/display/prd/Multi-tenancy+for+3.5

https://jira-wiki.ruckuswireless.com/display/Team/Managed+Services+(Multi-tenancy)+PRD

New System/Domain/Zone Object Hierarchy


• SMTP• Node Affinity• AP Registration• Syslog• Critical AP tagging

• SCI• Certificates• Event

Management• SNMP

• WLAN• DPSK• Guest Access• WISPr• WebAuth• WeChat• UA Blacklist• OS Policy• VLAN Pool• L2 ACL• Blocked Clients• Client Isolation

Whitelist

• Time Schedules• Non-Proxy AAA• Bonjour Gateway• Bonjour Fencing• Ethernet Port

policies• DSCP policies• DHCP for APs• DHCP Pools

• User Traffic Profile• AVC• NBI• FTP• SMS• Zone Template• WLAN Template• Local Users• User Roles• Guest Pass• Guest Pass

Template• HS 2.0 > Operator• HS 2.0 > Identity

Provider• HS 2.0 > Signup

Portal• DNS Server• SCG Proxy AAA• Realm-Based

Proxy AAA• Core Network

Tunnel profiles• Tunnel profiles

(RuckusGRE, SoftGRE, IPSec)

• Location Svcs

System (Global) Domain (high-scale)Global (essentials)

Zone (high-scale and essentials)

Custom Admin Roles – Design Change


o Prior to 3.5• Custom admin roles are assigned by

selecting the permission level of each page or operation.

• This approach is very flexible, but time consuming to configure.

• The possible number of combinations is very large, creating a huge number of problems in implementation and testing because of interaction between operations/objects.

Custom Admin Roles – Design Change


o In 3.5• Admin can create custom permission, but

objects and operations are divided into 6 functional categories.

• Each category has 4 permissions (full, modify, read, none).

• The approach is intuitive to use, provides flexibility, and significantly reduces the development and testing burden of each release.

Because of these changes, custom roles cannot migrate perfectly. We will reduce permission to preserve security where there is a conflict.

20

Spectrum Analysis


o On-demand real-time spectrum troubleshooting using AP radio

o AP radio must stop serving clients during spectrum scan

o Visualize spectrum by• Real-Time Energy

• Real-Time Utilization

• Density

• Waterfall of energy

• Waterfall of utilization

https://jira-wiki.ruckuswireless.com/display/Team/Spectrum+Analysis+PRD

https://jira-wiki.ruckuswireless.com/display/Team/Spectrum+Analysis+PRD

Client Isolation + Whitelist


https://jira-wiki.ruckuswireless.com/pages/viewpage.action?pageId=38798974

o Adds ZD-like feature to manually identify L2 whitelist

o Admin can specify MAC destinations that users will be able to reach

o SZ will still support auto whitelist• Admin able to use manual, auto, or

both

https://jira-wiki.ruckuswireless.com/pages/viewpage.action?pageId=38798974

o User workflow• Migrate the configuration from ZD

(separate)• Enter ZD IP and login credentials• Connect to ZD from SZ (note, they

must be able to communicate with each other)

• Select APs to be migrated and click migrate

• SZ then converts APs and migrates them to SZ, keeping AP connectivity configs (mesh, mgmtVLAN, etc) during reset

o https://jira-wiki.ruckuswireless.com/display/Team/ZD+to+SZ+migration

Enhanced ZD to SZ Migration


https://jira-wiki.ruckuswireless.com/display/Team/ZD+to+SZ+migration

23

Enhanced Application Control

o Users can deny, rate limit, and change QoS of applications

o Rate Limit Action (new)• Throttle uplink and downlink

throughputo QoS Action (new)

• Uplink – AP rewrites 802.1p and DSCP settings

• Downlink – AP uses designated queue for wireless transmission

o Supported in both “Essentials” and “High-Scale” platforms


24

Enhanced Application Reporting

o Essentials platforms focus on short-term in-product app visibility• Top apps• Top users per app• Top apps per user

o High-Scale platforms focus on forwarding application data to SCI

o SCI serves long-term data for Essentials and High-Scale platforms

o SZ app signatures can be updated without SZ upgrade


Role-Based Policies


o Apply policies to users based on their role• Assign roles during authentication• Perfect use case for Cloudpath

o New policy elements• Role-based VLAN and VLAN pool• Role-based L3/4 policy• L3/4 rate limiting• Configurable precedence policy

Supported only with Proxy Authentication (not non-proxy)

L7 role policy deferred to 3.5.1 or 3.6

Bonjour Fencing


AppleTV

wireless devices

wired devices

AppleTV

o Limits discovery range for Bonjour advertisements

o Prevents unwanted and irrelevant lists of mDNSservices

o Supports wireless or wired Bonjour devices

o Can limit discovery range to “same AP” or “1-hop neighbors”

o Group DPSK – Creates a DPSK that can be shared by multiple different devices.

o User-Specified Passphrase – Allows the user to specify a specific passphrase for a DPSK or Group DPSK.

o ZD DPSK Migration – Export DPSK list from ZD (10.0) and import CSV into SmartZone

o Number-Only DPSK – System will auto-generate DPSKs with numbers only

o Scalability• 50K DPSK on High-Scale Platforms (10K / zone)• 20K DPSK on Essentials Platforms (10K / zone)

DPSK Phase-2 Enhancements


https://jira-wiki.ruckuswireless.com/display/Team/DPSK+Phase2+PRD

https://jira-wiki.ruckuswireless.com/display/Team/DPSK+Phase2+PRD

28

DHCP/NAT in AP (3.5)


3rd Party Router for Campus WAN Services

Campus Site 3rd Party Router

WAN RoutingNAT

DHCP

AP as Router for SMB WAN Services

Smaller/Remote Sites

WAN RoutingNAT

DHCP

WAN RoutingNAT

DHCP

WAN RoutingNAT

DHCP

WAN RoutingNAT

DHCP

WAN RoutingNAT

DHCP

WAN RoutingNAT

DHCP

o Allows AP to serve as router for remote sites, SMB, and home users

o APs are still centrally managed by SZ

Centralized Control Channel

o Zone Affinity Supporto Upto 10 instances per vSZ nodeo Upto 40 instances per vSZ clustero Support for northbound tunnels (L2oGRE)o DHCP Server and NAT Supporto CALEA Mirroring Supporto L3 Roaming using Flexi Ruckus GRE Tunnels

vSZ-D Enhancements


vSZ-D – Zone Affinity

Schools Hotels Managed Enterprises

StadiumsGuest

Staff

Public Access

Switch

Local AD/RADIUSAuthenticationServer

Mesh APsvSZ-D

vSZ-DvSZ-DvSZ-D vSZ-D

Switch

Switch

Guest

Staff Student

Centralized AD/RADIUSAuthenticationServer

Virtual SmartZoneController

Datacenter

Documents

SmartZone 3.5 - Feature Review - Infinigate Schweiz · troubleshooting using AP radio ... • Throttle uplink and downlink throughput. o QoS Action (new) • Uplink – AP rewrites