Embed Size (px)
Citation preview
#ATM16
Extending mobility to remote branch networks
@ArubaNetworks |
2#ATM16
Agenda
– Branch Solutions Overview
– Branch Disruptions, Cost Savings
– Centralized WLAN in Branch– Cloud Services Controllers Positioning– Branch AOS Features & New Opportunities– Branch WAN Services
– Decentralized WLAN in Branch– Aruba Instant with VPN
– Choosing the right solution for your business
@ArubaNetworks |
3#ATM16
Branch Solution Overview
@ArubaNetworks |
CSC
IAP RAP
INTERNET
4
Branch Disruptions, Cost Savings
5#ATM16
Disruptive Changes for Branch IT
@ArubaNetworks |
ETHERNET/3G/4G
LEGACY WANCONNECTIVITY
CLOUD APPSLOCAL APP SERVERS
T3T1 E3E1MPLS
By 2016, 30% of the advanced attacks will enter organizations via branch networks.
Public cloud IaaS will grow to over $34B worldwide by 2018.
CLOUD SECURITY ARCHITECTURES
DEDICATED SECURITY APPLIANCES
6#ATM16
New Requirements for the Branch Network
@ArubaNetworks |
Unified role-based policies and network rightsizing
WIRELESS + WIRED
Threat management and secure guest access
SECURITY
WAN optimization, WAN health monitoring, and availability during failures
WAN INTELLIGENCE
Visibility and quality of services for business critical applications
CLOUD PERFORMANCE
7#ATM16
Cost Savings By Rightsizing The Branch
@ArubaNetworks |
Eliminate the need for separate WAN service router, firewall...
One platform for wireless and wired clients with common policy enforcement
Unified wireless architecture across campus and branch
Deliver the all-wireless branch office with unified communications
8
Cloud Services Controller Positioning
9#ATM16
Branch Cloud Services Controller Positioning
@ArubaNetworks |
10#ATM16
Controller Portfolio
@ArubaNetworks |
72402048 APs32K Users
40Gbps FW72201024 APs24K Users
40Gbps FW
CAMPUSBRANCH
703064 APs
4K Users8Gbps FW
702432 APs
2K Users24 POE Ports
4Gbps FW
7210512 APs
16K Users20 Gbps FW
7205256 APs8K Users
12 Gbps FW
700516 APs
1K Users2Gbps FW
701032 APs
2K Users12 POE Ports
4Gbps FW
11
Branch AOS Features & New opportunities
12#ATM16
Cost Savings By Rightsizing The Branch
@ArubaNetworks |
Zero-touch provisioning
WAN optimization
WAN survivability
WAN health checks
Secured ports wired access
Policy-based WAN routing
Context based firewall
(user, app, device, location, content,
reputation)
Architected to dramatically reduce the time it takes to deploy branch networks
13#ATM16
Branch AOS Features & New opportunities
@ArubaNetworks |
Software and Cloud Services driving to Rightsized Branch IT
• Branch device and services consolidation
• Cloud security services. By 2016, 30% of advanced threats will enter via branches (Source – Gartner Branch Office Security)
• Cloud and guest services drive the need for hybrid WAN architectures
Branch Infrastructure Refresh Trends / Opportunities
ARUBA 7005 ARUBA 7010
ARUBA 7024
14
Branch WAN Services
15#ATM16
Intelligent WAN / PBR
– Policy based routing to multiple WAN links (MPLS, Internet, 3G/4G) for cost savings and improved WAN usage, performance
– WAN health check monitors loss and latency on WAN links, Redundancy with multiple next hops on WAN health or performance issues
– Selective traffic routing to Active-Active HQ/DC (DC1, DC2 etc.) IKE IPSEC tunnels (Cellular is Standby)
– Routing inside tunnels, L3 GRE over IPSEC – Corporate (IPSEC) Vs. Guest (L3 GRE)
@ArubaNetworks |
Public Cloud
HQ / DC7240 7240
MAS
Internet`
Aruba 7000 CSC
CSC
16#ATM16
WAN Optimization (Compression)
– WAN compression (hardware enabled) between CSC (70xx) and 72xx Campus Controllers
– 15-25% average payload compression expected on traffic between branch and HQ/DC
– The Master to Branch Cloud Services Controller traffic over IPSEC will be compressed and decompressed, Encrypted traffic has NO compression
@ArubaNetworks |
HQ / DC
7240 7240
MAS
Aruba 7000 CSC
CSC
17#ATM16
Intelligent WAN / Bandwidth Contracts
– Application or App Category bandwidth contracts on WAN Uplinks
– Limit App or App category bandwidth on non-critical applications (E.g. Social Media, Entertainment etc.)
– AppRF / DPI and Advanced QoS to prioritize app/app categories on WAN uplinks
@ArubaNetworks |
Public Cloud
HQ / DC
7240 7240
MAS
Internet`
Aruba 7000 CSC
CSC
Business Low
Business Critical
18#ATM16
Aruba / Palo Alto Integration
Data Center
Aruba CSC w/ PA Global Protect
PA Gateway / Portal
Branch (US)
Aruba CSC w/ PA Global Protect
• Aruba CSC gets cloud provisioned via Activate and downloads configurations (including PA) via ZTP
• Aruba CSC Initiates a HTTPS connection to PA portal and downloads list of PA FW’s and FW priorities.
Branch (Shanghai)
1
1
Aruba CSC w/ PA Global Protect
2
Aruba CSC w/ PA Global Protect
2
2
• Branch offices establish secure IPSEC tunnels to all PA Gateways
• Branch routing policies (PBR) selectively routes traffic to the highest priority Gateway
Private Cloud
On Firewall failure or de-commission, traffic will get re-routed to FW with the next highest priority
3
PA Gateway
Aruba 72xx MC
Internet, SAAS or selective traffic can get inspected via PA Cloud SAAS
Advanced security threats (ATP/APT, Zero Day, DLP etc.) to distributed enterprise enabled via Wild Fire integration
4
SAAS
Pre-Provisioning:-- Install PA certificates at 72xx (MC)- Configure PA portal IP under PAN options in the MC under
Configuration -> Branch -> Smart Config -> WAN
19
Aruba Instant WLAN
20#ATM16
ARUBA INSTANT WI-FI
EASY DEPLOYMENTLess hardware, faster set-up
BUILT-IN RF MANAGEMENT
Adaptive Radio Management™
ClientMatch™
BUILT-IN SECURITY
Firewall/Role-based Access
Intrusion Prevention/Detection
App Visibility, Compliance
BUILT-IN RESILIENCY
Site Survivability
Uplink Redundancy
ENTERPRISE-GRADE &ALL INCLUSIVE
SIMPLE POWERFUL COST EFFECTIVE
21#ATM16
HOW IT WORKS• First AP configured through built-in UI use Activate for zero-
touch provisioning–READY…• It becomes the “master” & performs firewall and controller
functions–SET…• New APs in the same VLAN automatically connect to the
“master” & download config–GO!!• New APs in different locations can also use Activate or import
configuration from the first AP
• Data center connectivity can be established with VPN tunnel between the master AP and Aruba controllers as needed
–EXPAND!!
Instant APs
NO ONSITE IT NEEDED NETWORK SURVIVABILITY
22#ATM16
WI-FI THAT CAN EVOLVE WITH BUSINESS
Internet
Mobility Controller
AD / RADIUS
Enterprise HQ
Instant UI
Instant
Aruba Central Aruba AirwaveMULTIPLE MANAGEMENT OPTIONS - MULTIPLE DEPLOYMENT OPTIONS
23#ATM16
Easily transition from simple…
24#ATM16
… To Complex
25
Choosing the right solution for your business
26#ATM16
Decision Criteria for Wireless in a Branch
Branch Network
Size and complexity of the branch
Type of branch: Greenfield or Brownfield
Backhaul and Wired Infrastructure Choices
Services Requirements
Existing campus Network in place?
27#ATM16
Benefits of a Centralized WLAN in BranchesBranch in a Box
Intelligent WAN - PBR, Bandwidth ContractsWAN Optimization – acceleration, cachingSecure WAN – URL filtering, web reputation, PEFIntegrated wired ports for a greenfield branch with wireless services Architectural parity with Campus NetworkEarlier Access to Advanced services – Lync SDN, Full Palo Alto Firewall Integration, etc
28#ATM16
Benefits of a de-centralized WLAN in a BranchAdd WLAN and VPN to wired inftrastructure
Cost-effective, especially for smaller branches or when wired/backhaul infrastructure is already in place or well- plannedLess redundant hardware required for local WLAN survivabilityEasier to understand and set-up (No master-local architecture required in data center)Great value in the form of AppRF, ClientMatch, Cloud guest, Basic Palo Alto Firewall Integration
29#ATM16
Guidance for a Branch
– Consider Service Requirements– Centralized architecture for branch in a box services
– Decentralized architecture for wireless and VPN services
– Consider Type of branch (Greenfield, Brownfield)– For greenfield branches lead with centralized architecture
– Consider Existing Campus Wireless Architecture – Customers might prefer architectural uniformity, especially if master-local architecture is already present in the data center
– Consider Local WLAN Survivability and Simplicity– Customers that primarily use local branch services with occasional data center access may prefer the simplicity
and local survivability of a de-centralized solution
30#ATM16
Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is.
Share your results with friends and receive a free superpower t-shirt.
www.arubatitans.com
Thank you
