CONFIDENTIAL © Copyright 2012. Aruba Networks, Inc. All rights reserved
REMOTE NETWORKING DEPLOYMENTS
Anupam Upadhyaya, Aruba Networks, March 2012
Agenda
1. Remote Networking Deployments
2. Remote AP deployments
3. Aruba Instant overview
4. Deployment guidelines
Remote Networking Solutions
What is a Remote AP?
• An Aruba Access Point (AP) deployed at a remote site
• Plugged directly into the LAN side of a router connected to a DSL or cable modem
• Extends secure, role-based wired and wireless access from the corporate network into the home
Aruba Mobility Controller: Centralized Administration
In the box (branch office):
• Wired and wireless connectivity
• Firewall and VPN
• Application-specific QoS
• Per-user access control
In the data center / private cloud:
• Configuration and management
• User-based policies
• Reporting and visibility
[Diagram: branch office connected across the Internet to the data center/private cloud.]
RAP in Tunnel Mode
• All traffic is forwarded through the tunnel to the controller
• In Tunnel Mode, the RAP creates the following to the controller: one IPsec tunnel, with a different GRE (over IPsec) tunnel per SSID/port (not per client)
• Since the tunnel carries control and data traffic, bandwidth requirements have to be calculated accordingly
[Diagram: home office (DSL router, Remote AP) connected across the Internet to corporate HQ (Firewall/NAT, DMZ, Mobility Controller); the CORP and VOICE SSIDs and Internet services all shown passing through the tunnel to the controller.]
RAP in Split-Tunnel Mode
• Corporate and control traffic is forwarded through the tunnel
• Local Internet traffic is forwarded to the gateway router
• Local traffic is bridged locally for local servers/printers
• In Split-Tunnel Mode, the RAP creates the following to the controller: one IPsec-encrypted GRE tunnel shared across all SSIDs and wired ports
[Diagram: home office (DSL router, Remote AP, local printer) and corporate HQ (Firewall/NAT, DMZ, Mobility Controller); CORP and VOICE traffic crosses the split tunnel to the controller, Internet services are reached via the DSL router, and the local printer is bridged locally.]
RAP in Bridge Mode
• Only control traffic is forwarded through the tunnel to the controller
• In Bridge Mode, the RAP creates the following to the controller: one IPsec tunnel for control traffic, shared across all SSIDs and wired ports
• Mainly useful for guest access/SSIDs
• No access to corporate resources
[Diagram: home office (DSL router, Remote AP, local printer) and corporate HQ (Firewall/NAT, DMZ, Mobility Controller); only control traffic crosses to the controller, while the GUEST SSID is placed in a guest VLAN with access to Internet services and the local printer.]
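The three RAP forwarding modes above, as an added example that is not Aruba code: a Python model that decides, per mode and destination, whether a client packet rides the tunnel to the controller, goes to the home gateway, is bridged on the home LAN, or is unreachable, and what share of the traffic therefore consumes tunnel bandwidth and passes the corporate firewall. The corporate prefixes, the home LAN and the sample flows are constructed for illustration.

```python
"""Added example (not Aruba code): where a Remote AP forwards a client packet
in Tunnel, Split-Tunnel and Bridge mode. Corporate prefixes, the home LAN and
the sample flows are constructed for illustration."""
from enum import Enum
from ipaddress import ip_address, ip_network


class Mode(Enum):
    TUNNEL = "tunnel"
    SPLIT_TUNNEL = "split-tunnel"
    BRIDGE = "bridge"


class Path(Enum):
    TUNNEL_TO_CONTROLLER = "IPsec/GRE tunnel to the controller"
    LOCAL_GATEWAY = "local gateway router (home Internet uplink)"
    LOCAL_BRIDGE = "bridged on the home LAN"
    DROP = "unreachable: no corporate access in this mode"


# Constructed addressing: corporate networks reachable only via the controller,
# and the home LAN the RAP is plugged into.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
HOME_LAN = ip_network("192.168.1.0/24")

# Constructed sample flows: (destination, bytes).
SAMPLE_FLOWS = [("10.1.2.3", 50_000),        # corporate file server
                ("93.184.216.34", 200_000),  # public web site
                ("192.168.1.20", 10_000)]    # home printer


def is_corporate(dst):
    return any(ip_address(dst) in net for net in CORPORATE_NETS)


def is_local(dst):
    return ip_address(dst) in HOME_LAN


def forwarding_path(mode, dst):
    """Return where a client packet addressed to `dst` goes in the given mode."""
    if mode is Mode.TUNNEL:
        # Everything, Internet-bound traffic included, rides the tunnel and is
        # hairpinned out through corporate HQ.
        return Path.TUNNEL_TO_CONTROLLER
    if mode is Mode.SPLIT_TUNNEL:
        if is_corporate(dst):
            return Path.TUNNEL_TO_CONTROLLER
        if is_local(dst):
            return Path.LOCAL_BRIDGE          # local servers/printers
        return Path.LOCAL_GATEWAY             # Internet via the home router
    if mode is Mode.BRIDGE:
        # Only the RAP's own control traffic uses the tunnel; user traffic never
        # does, so corporate destinations cannot be reached.
        if is_corporate(dst):
            return Path.DROP
        return Path.LOCAL_BRIDGE if is_local(dst) else Path.LOCAL_GATEWAY
    raise ValueError(f"unknown mode {mode!r}")


def inspected_by_controller(mode, dst):
    """True when the flow transits the controller and so is subject to the
    corporate firewall policy and logging; Split-Tunnel and Bridge mode give
    this up for Internet-bound traffic."""
    return forwarding_path(mode, dst) is Path.TUNNEL_TO_CONTROLLER


def tunnel_byte_share(mode, flows):
    """Fraction of the bytes in `flows` that consume WAN tunnel bandwidth, the
    figure needed when sizing the controller-side link (Tunnel mode carries
    control and data, so it must be sized for both)."""
    total = sum(size for _, size in flows)
    if total == 0:
        return 0.0
    tunnelled = sum(size for dst, size in flows
                    if forwarding_path(mode, dst) is Path.TUNNEL_TO_CONTROLLER)
    return tunnelled / total


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value)
        for dst, _ in SAMPLE_FLOWS:
            print(f"  {dst:15} -> {forwarding_path(mode, dst).value}")
        print(f"  share of bytes on the tunnel: {tunnel_byte_share(mode, SAMPLE_FLOWS):.2f}")
```

Running the block prints the path for each sample flow in each mode; the useful numbers are that Tunnel mode puts 100% of the bytes on the WAN tunnel, Split-Tunnel mode only the corporate share, and Bridge mode none, which is also the share of user traffic that the corporate firewall ever sees.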
WLAN with Instant APs
[Diagram: a wiring closet carrying the Voice, Data, Guest, BYOD, Handheld and Wireless VLANs to the data center (AAA services), with policy enforcement at the Instant AP.]
• Add guest and BYOD services
• Manage multi-site deployments
• Set up in 3 minutes or less
• Integrate with edge access VLANs
• Control access with the built-in firewall
• Optimize performance with ARM
Instant Architecture

Plane            | Participants                                   | Traffic
Management Plane | Virtual controller or AirWave and slave IAPs   | Administrative traffic for initial provisioning, monitoring, and image management
Control Plane    | IAPs                                           | Discovery process, election process, client information
Data Plane       | IAPs, switches, upstream routers               | User data, wired to wireless LAN, to the wired network

[Diagram: Instant Network at Layer 2, with the VC and IAPs connected through a switch to the wired network.]
ARUBA INSTANT DISTINGUISHING FEATURES
‘instant’ SSID
[Diagram: the ‘instant’ SSID and instant.arubanetworks.com, shown with an Instant Network of IAP1, IAP2 and IAP3.]
Dynamic RADIUS Proxy
[Diagram: VC static IP address 10.169.241.150; IAP1 at 10.169.241.2 and IAP2 at 10.169.241.3. A client's EAP authentication request reaches IAP1 and is carried from IAP1 (Src 10.169.241.2) to 10.169.241.3; the RADIUS requests then leave with Src 10.169.241.150 and Dst the RADIUS server, so the RADIUS server for 802.1X is configured with a single NAS client IP address, 10.169.241.150.]
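The proxy behaviour in the diagram above, as an added example that is not Aruba code: a Python model of the VC re-sourcing each IAP's RADIUS Access-Request from its own static address, tracking identifiers so replies return to the right IAP, and checking the server's Response Authenticator before relaying a result. Packet layout and the authenticator follow RFC 2865; the addresses are the slide's, the shared secret and user names are constructed, and rewriting the NAS-IP-Address attribute (not only the UDP source) is an assumption of this model.

```python
"""Added example, not Aruba code: a model of the Instant virtual controller
(VC) acting as dynamic RADIUS proxy. Addresses are from the slide; the shared
secret and user names are constructed; rewriting NAS-IP-Address is assumed."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

VC_IP = "10.169.241.150"              # static VC address = NAS client IP on the server
IAP_IPS = {"IAP1": "10.169.241.2", "IAP2": "10.169.241.3"}
SECRET = b"constructed-shared-secret"  # one secret on both legs, for brevity

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP = 1, 4


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def sign_response(code, ident, req_auth, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + SECRET).digest() + body


def verify_response(pkt, req_auth):
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + SECRET).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def nas_ip_of(pkt):
    return str(IPv4Address(dict(parse(pkt)[3])[ATTR_NAS_IP]))


class VcRadiusProxy:
    """Re-sources IAP requests, maps identifiers back, and checks the server's
    Response Authenticator before relaying an Accept/Reject to the IAP."""

    def __init__(self, vc_ip=VC_IP):
        self.vc_ip = vc_ip
        self.next_id = 0
        self.pending = {}  # proxied id -> (IAP source IP, IAP's id, request authenticator)

    def forward(self, iap_src, pkt):
        code, ident, req_auth, attrs = parse(pkt)
        if code != ACCESS_REQUEST:
            raise ValueError("only Access-Request is proxied here")
        vc_packed = IPv4Address(self.vc_ip).packed
        attrs = [(t, vc_packed if t == ATTR_NAS_IP else v) for t, v in attrs]
        proxied_id, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[proxied_id] = (iap_src, ident, req_auth)
        # (source IP, datagram) as it leaves the VC toward the RADIUS server
        return self.vc_ip, build(code, proxied_id, req_auth, attrs)

    def receive(self, pkt):
        code, ident, _, attrs = parse(pkt)
        if ident not in self.pending:
            raise ValueError("unsolicited reply")
        iap_src, iap_id, req_auth = self.pending[ident]
        if not verify_response(pkt, req_auth):
            raise ValueError("Response Authenticator mismatch: reply dropped")
        del self.pending[ident]
        # Re-sign for the IAP: same request authenticator, the IAP's own id.
        return iap_src, sign_response(code, iap_id, req_auth, attrs)


def iap_request(iap_ip, user):
    """What an IAP sends: an Access-Request with a fresh random authenticator."""
    return build(ACCESS_REQUEST, 7, os.urandom(16),
                 [(ATTR_USER_NAME, user.encode()),
                  (ATTR_NAS_IP, IPv4Address(iap_ip).packed)])


def server_reply(request_pkt, code=ACCESS_ACCEPT):
    """What the RADIUS server returns for a proxied request."""
    _, ident, req_auth, _ = parse(request_pkt)
    return sign_response(code, ident, req_auth, [])
```

The operational point is in `forward` and `receive`: every request reaching the server carries the VC's address, so one NAS client entry (and one shared secret) covers every IAP, while the VC is the place that must validate the Response Authenticator, because a reply that fails that check is not from a party holding the shared secret and must not turn into an Access-Accept on the IAP.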
Guest Access
• External captive portal is implemented using a transparent HTTP proxy
  – Walled garden support to allow access to limited websites
  – Dynamic whitelist management based on corporate DNS
  – Blacklists to deny access to certain websites
[Diagram: Instant Network of IAP1 (10.169.241.2), IAP2 (10.169.241.3) and IAP3 (10.169.241.4) with the VC at 10.169.241.150, using either an internal captive portal or an external captive portal.]
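The walled-garden decision described above, as an added example that is not Aruba code: a Python model of what a transparent HTTP proxy on the guest SSID decides before a user has passed the external captive portal, covering the three lists named on the slide, a whitelist of names reachable pre-authentication, a dynamic set of addresses learned from corporate DNS answers for those names, and a blacklist that is denied even after authentication. Hostnames and addresses are constructed, and requiring the destination address to match a DNS answer for the Host header is this example's design choice, not a documented product behaviour.

```python
"""Added example, not Aruba code: walled-garden policy for a guest SSID with
an external captive portal. Names and addresses are constructed; tying the
destination IP to a DNS answer for the Host header is this example's choice."""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class WalledGarden:
    portal_host: str                                   # the captive portal itself
    whitelist: set = field(default_factory=set)        # exact names or *.domain patterns
    blacklist: set = field(default_factory=set)        # denied for everyone, always
    dns_learned: dict = field(default_factory=dict)    # dst IP -> name DNS resolved it from

    @staticmethod
    def _norm(host):
        # lower-case, drop any :port and a trailing dot
        return host.strip().lower().split(":")[0].rstrip(".")

    def _matches(self, host, patterns):
        host = self._norm(host)
        return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)

    def learn_dns(self, name, addresses):
        """Record the addresses corporate DNS returned for a walled-garden name
        (dynamic whitelist); answers for other names are ignored. TTL expiry
        is omitted here."""
        name = self._norm(name)
        if name == self.portal_host or self._matches(name, self.whitelist):
            for addr in addresses:
                self.dns_learned[addr] = name
            return True
        return False

    def decide(self, host, dst_ip, authenticated):
        """'allow', 'deny', or 'redirect:<portal>' for one HTTP request."""
        host = self._norm(host)
        if self._matches(host, self.blacklist):
            return "deny"                       # blacklist wins, even post-auth
        if authenticated:
            return "allow"
        in_garden = host == self.portal_host or self._matches(host, self.whitelist)
        # The destination must be an address DNS actually returned for this
        # name, so a whitelisted Host header alone does not open the garden.
        if in_garden and self.dns_learned.get(dst_ip) == host:
            return "allow"
        return "redirect:" + self.portal_host


HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def decide_request(garden, raw_request, dst_ip, authenticated):
    """Apply the garden to a raw HTTP/1.x request as the proxy sees it."""
    match = HOST_RE.search(raw_request)
    if match is None:
        return "redirect:" + garden.portal_host   # no Host header: unknown site
    host = match.group(1).decode("ascii", "replace")
    return garden.decide(host, dst_ip, authenticated)


if __name__ == "__main__":
    # Constructed configuration and traffic.
    garden = WalledGarden("portal.example.net",
                          whitelist={"*.cdn.example.com"},
                          blacklist={"*.badsite.example"})
    garden.learn_dns("portal.example.net", ["203.0.113.10"])
    garden.learn_dns("static.cdn.example.com", ["203.0.113.20"])
    request = b"GET /login HTTP/1.1\r\nHost: portal.example.net\r\n\r\n"
    print(decide_request(garden, request, "203.0.113.10", authenticated=False))
```

The ordering inside `decide` is the part worth copying: the blacklist is evaluated first so it applies to authenticated users too, and the pre-authentication allow requires both a whitelisted name and a destination address that corporate DNS returned for that name.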
Magic VLAN
• No need to create a VLAN for guest users on the wired network
• The virtual controller assigns non-conflicting IP addresses for guests from the 192.168.11.x or 172.16.0.x range
• Proxy ARP and DHCP relay operation per IAP
• All traffic is automatically source-NATed
Instant Mesh
• Mesh can be configured in either of two ways:
  – Automatically: roles are assigned based on Ethernet (ENET) link status, mesh portal or mesh point
  – Over-the-wire: configure the WLAN network before converting an IAP to a mesh point
[Diagram: over-the-wire provisioning and over-the-air provisioning of an Instant Network; wired IAPs are mesh portals, and unplugging Ethernet turns an IAP into a mesh point.]
IAP IP Assignment
• The IAP tries DHCP during its boot-up sequence
• If DHCP is not available, it assigns itself a default IP address in the 169.254.x.x range
• The user can configure a static IP on each IAP
[Diagram: three cases, IAP IP addresses from DHCP (IAPs, network device, DHCP server), user-assigned static IP addresses, and IAP-assigned default IP addresses, with the VC on the network.]
User Interface
• HTML 5: works on all devices, no Flash required
• Language customization; adding new languages is simple
• Inline search and intuitive help
• Focus on monitoring and alerts
Setting up Aruba Instant
2. Assign SSID and Usage Type
4. Advanced Access Rules (SSID firewall)
5. Connect to the New Network
Network Management
• SNMP v1, v2c, and v3 are supported for reporting only
• Trap receivers can be added for v1, v2c, or v3
• Trap OID: 1.3.6.1.4.1.14823.2.3.3.1.200.2.X
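A receiver-side view of the trap family above, as an added example that is not Aruba code: a Python script of the kind snmptrapd invokes through a `traphandle` directive, which reads the sender's hostname, the transport address and the 'OID value' varbind lines from stdin, extracts X from a trap OID under 1.3.6.1.4.1.14823.2.3.3.1.200.2, and records whether the sender is a known VC/IAP address. Numeric OIDs on the varbind lines are assumed (the value formatting depends on snmptrapd's -O options); the sample trap is constructed, X=7 is chosen arbitrarily since the slide does not say what any X means, and 192.0.2.10 is a documentation address standing in for the receiver.

```python
"""Added example, not Aruba code: classify an Instant trap
(1.3.6.1.4.1.14823.2.3.3.1.200.2.X) from snmptrapd traphandle input.
The sample trap is constructed; X=7 is arbitrary."""
import re
import sys

INSTANT_TRAP_PREFIX = "1.3.6.1.4.1.14823.2.3.3.1.200.2."
SNMP_TRAP_OID_VARBIND = "1.3.6.1.6.3.1.1.4.1.0"   # SNMPv2-MIB::snmpTrapOID.0
SYS_UPTIME_VARBIND = "1.3.6.1.2.1.1.3.0"          # SNMPv2-MIB::sysUpTime.0

# Constructed traphandle input: hostname line, transport line, then varbinds.
SAMPLE_TRAP = """vc.example.net
UDP: [10.169.241.150]:53452->[192.0.2.10]:162
1.3.6.1.2.1.1.3.0 1234567
1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.4.1.14823.2.3.3.1.200.2.7
"""


def parse_traphandle_input(text):
    """Split traphandle stdin into (hostname, transport, {oid: value})."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("expected hostname and transport lines")
    varbinds = {}
    for line in lines[2:]:
        line = line.strip()
        if not line:
            continue
        oid, _, value = line.partition(" ")
        varbinds[oid] = value.strip()
    return lines[0].strip(), lines[1].strip(), varbinds


def sender_ip(transport):
    """First bracketed address in 'UDP: [src]:port->[dst]:port' is the sender."""
    match = re.search(r"\[([0-9.]+)\]", transport)
    return match.group(1) if match else None


def instant_trap_index(varbinds):
    """Return X for a trap under the Instant prefix, None for any other trap."""
    trap_oid = varbinds.get(SNMP_TRAP_OID_VARBIND, "")
    if not trap_oid.startswith(INSTANT_TRAP_PREFIX):
        return None
    suffix = trap_oid[len(INSTANT_TRAP_PREFIX):]
    return int(suffix) if suffix.isdigit() else None


def handle(text, trusted_senders):
    """Classify one trap. v1/v2c traps are authenticated only by community
    string, so matching the source against the known VC/IAP addresses is the
    minimum check before acting on one; an SNMPv3 receiver adds real
    authentication."""
    host, transport, varbinds = parse_traphandle_input(text)
    src = sender_ip(transport)
    return {
        "sender_host": host,
        "sender_ip": src,
        "trusted_sender": src in trusted_senders,
        "instant_trap": instant_trap_index(varbinds),
        "uptime": varbinds.get(SYS_UPTIME_VARBIND),
    }


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    # With no stdin (run by hand) fall back to the constructed sample.
    print(handle(data or SAMPLE_TRAP, {"10.169.241.150"}))
```

Hooked up via a `traphandle` line in snmptrapd.conf, the script's dictionary is what a monitoring pipeline would forward; anything with `trusted_sender` false or `instant_trap` None is worth a separate alert rather than silent acceptance.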
Controller vs Instant

Feature | Aruba Instant WLAN | Aruba WLAN with Controller
Functions without Central Manager | ✓ | ✓
Scalability: max APs in network | Unlimited | Unlimited
Instant Setup & Deployment: can set up without a central or cloud manager; can troubleshoot without a central manager; guest access without VLANs or tunnels | ✓ | ✓
Security & Multimedia Services: built-in wireless intrusion detection; support for MS Lync, Apple FaceTime & Citrix | ✓ | ✓
Advanced Network Services: simple overlay design (e.g. no edge VLANs); roam across buildings/floors without performance impact; same experience for wired, Wi-Fi & remote | ✗ | ✓
Investment Protection: can add Mobility Controller hardware for scale & security | ✓ | ✓
Challenges with an Edge Anchor Point
1. Device associates with its “home” AP
2. User moves across a VLAN boundary
3. AP overload due to forwarding traffic for devices not associated with this AP
4. Network links process the same packet three times due to L3 mobility
[Diagram: Wireless VLAN 1, Wireless VLAN 2 and the Data Center, with positions 1 and 2 marked.]
Scaling for Layer 3 Mobility
1. Device associates with an AP
2. Centralized policy definition and enforcement
3. User moves across a VLAN boundary
4. Controller serves as the mobility anchor, reducing AP and network load
[Diagram: campus APs in two wiring closets, a VLAN pool, and the Mobility Controller in the Data Center, with positions 1 and 2 marked.]
Where Is A Mobility Controller Needed?
Instant APs: distributed crypto. Controller + APs: centralized crypto.
• Boost WLAN performance when devices roam across subnets and for policy control; traffic is not forced to route through the “lobby AP”
• Consistent mobility experience with common policy enforcement and management across wired, Wi-Fi, branch and VPN
• Simplify networks by eliminating VLANs at the edge
• Central management