©2017 Extreme Networks, Inc. All rights reserved
Extreme Wireless WiNG
Alexander Palivoda
Systems Engineer, MUK
ExtremeWireless WiNG Portfolio
PRODUCTS
INDOOR / OUTDOOR ACCESS POINTS
SERVICE INTEGRATION PLATFORMS: NX 5500, NX 7500, NX 9600
SOLUTIONS
ADVANCED SECURITY
MANAGEMENT & VISIBILITY
WIRELESS LAN
Network Visibility
Network Assurance
Analytics
Security and Compliance
Network Assurance
Locationing
ExtremeWireless WiNG indoor 802.11ac access points
7622 11ac Wave 1, 1x1:1 dual band
11ac Wave 1, 2x2:2 single band
WIPs/WIPs/LBS/BLE
Lowest cost enterprise 11AC
Retail / Hotels
Cost sensitive markets
7602 11ac Wave 1, 1x1:1 dual band
11ac Wave 1, 2x2:2 single band
WIPs/WIPs/LBS/BLE
Lowest cost enterprise 11AC
Snap-On installation
Lower DC power consumption
Designed for One-AP-Room
TW-522 11ac Wave 1, 2x2:2 dual radio
Auto tuning DSL
Self healing RF
Snap-on installation
Patented line power over phone wire: re-use existing phone wire already in the wall
Hotels
Power over VDSL2
7502 11ac Wave 1, 2x2:2 dual radio
SmartRF on 2.4GHz
Snap-on installation
Smallest enterprise AP 11ac
L2/L3 stateful firewall
Small packet OS optimized
90mm x 95mm
Hotels / Dorms
Global installation
Diagram (AP 8533): 5GHz 4x4:4 MU-MIMO data radio; 2.4GHz 3x3:3 data radio; dedicated dual-band sensor radio (WIPS, RF spectrum analysis); BT / BLE; GE
AP-8533-68SB30-xx $1395 Internal Ant, 2xGE
AP-8533-68SB40-xx $1395 External Antenna, 2xGE
AP 8533 – Triple Sensor Technology
2.4GHz, 3x3:3 | 5GHz, 4x4:4:4; MIMO, MU-MIMO, 80MHz channel,
TurboQAM
Unlocked 2.4GHz / 5GHz fulltime 24x7 Sensor radio
Bluetooth 2.0 or Bluetooth Smart radio with external antenna option
RF Spectrum Analyzer
TxPWR 2.4GHz: 20dBm; 5GHz: 20dBm
256 clients per radio; 500 per AP
Services Integrated Deep Packet Inspection Engine, AirDefense integrated Sensor
Fulltime WIDS/WIPS Sensor, granular WiFi location services
Bluetooth beacon: iBeacon, Eddystone-URL
AP 8533
8.5” x 8.5”
No compromise performance and security
Retail / Enterprise / T&L
Diagram (AP 8432): 5GHz 4x4:4 MU-MIMO radio; 2.4G/5G 3x3:3 unlocked radio ("Borrow Radio 1" usable as a fulltime network sensor); BT / BLE; dual-band WIPS / RF spectrum analysis; GE + full 802.3af PoE out; GE; USB
AP-8432-680B30-xx $1095 Internal Ant, 2xGE, PoE-out
AP 8432
8.5” x 8.5”
AP 8432 – Band Unlocked – IOT Expansion
Radios: Unlocked 2.4GHz/5GHz 3x3:3; 5GHz, 4x4:4:4; MIMO, MU-MIMO, 80MHz channel, TurboQAM
Bluetooth 2.0 or Bluetooth Smart radio, internal antenna
RF Spectrum Analyzer
TxPWR 2.4GHz: 20dBm; 5GHz: 20dBm
200 clients per radio; 400 per AP
Advanced Services: Integrated Deep Packet Inspection Engine, AirDefense integrated Sensor
Fulltime WIDS/WIPS Sensor, granular WiFi location services
Bluetooth beacon: iBeacon, Eddystone-URL
Integrated PoE-out on GE2 for 3rd party IOT devices
Integrated USB port with 5W power
Wave 2 with IOT Expansion
Retail / Enterprise / T&L
AP 8432 – PoE Out
Connect IOT devices or other AP to PoE-Out port
Removes additional cable cost
Easily expand services over existing infrastructure
Diagram: 802.3at PoE switch -> AP 8432 (802.3at in, 802.3af out) -> IP camera / IOT gateway
2.4GHz radio: 3x3, 11n
5GHz radio: 4x4, 11n/11ac, Wave 2
BLE: Beacon, Management
RF spectrum Analysis
Fulltime Sensor: WIPS, Network Assurance
IP Camera
IOT gateway(Another AP, Shelf Label,
Temp sensors, etc)
Borrow Radio 1,
use as Fulltime Sensor
8432: Borrow Radio 1 as Fulltime WIPS sensor. Ideal for larger sites with 4+ APs and extra 2.4GHz coverage
8533: Fulltime WIPS sensor. Ideal for single AP sites
8533: Fulltime WIPS sensor for high capacity networks. Ideal for sites with both high usage/capacity requirements and WIPS
Diagram: each AP shown with its 2.4 & 5GHz data radios plus a dual-band sensor radio (WIPS sensor or NSight sensor^)
^ over time, Nsight will add capabilities to use the third radio e.g. location, network assurance
AP 7602 / 7622: Micro-cell Wireless and Mid-Market Expansion
802.11AC multi-mode: single band (2.4GHz or 5GHz) 2x2 MIMO, or dual band (2.4GHz and 5GHz) 1x1
80MHz, 256QAM, 1024 TurboQAM
TxPWR 2.4GHz: 17dBm; 5GHz: 19dBm
Advanced Services
Client Bridge
WiFi Location Based Services
Bluetooth beacon: iBeacon, Eddystone-URL
SmartRF
WiNG Enterprise OS Highly scalable from 25 Virtual Controller to 10k+ APs per NOC
Distributed Intelligence WiNG OS
Small retail Hospitality SMB
AP 7602: 145mm x 102mm x 29mm
AP 7622: 150mm x 140mm x 39mm
AP-7602-68B30-xx $295 Wallplate wedge AP; 1x1 dual band, 2x2 single band, BLE. 2 x GE
AP-7622-68B30-xx $495 802.11AC AP; 1x1 dual band, 2x2 single band, BLE. 1 x GE
76XX vs 75XX
7532/7522/7562: HIGHER capacity, HIGHER performance, HIGHER PRICE, LOWER MARGIN
7622: LOWER capacity, LOWER performance, LOWER PRICE, HIGHER MARGIN
Diagram (radio layout):
75XX: Radio 1 = 2.4GHz 3x3; Radio 2 = 5GHz 3x3
76XX dual band: one HW radio 2.4/5GHz 2x2 split into vRadio 1 = 2.4GHz 1x1 and vRadio 2 = 5GHz 1x1
76XX single band: one HW radio 2.4/5GHz 2x2 used as vRadio 1 = 2.4GHz OR 5GHz 2x2
AP-7502-67030-xx Internal Ant, 1xGE, 3xFE, Dual radio 11AC Wallplate, PoE-out
AP 7502
90mm x 95mm
Ideal for: Micro-cell WiFi in hospitality; provides 30 – 40dB SNR in each room, or up to 3 rooms; sized for NA/SA, Asia, European telecom wall plates
Specs: 802.11ac wave 1, 2X2:2, 80MHz; 1 x GE; 3 x FE, 1 with PoE out
1 x GE uplink port on backside (GE port accepts 802.3af or 802.3at input power)
1 x passthrough port (passes secondary signals from back side to front side of AP)
12VDC power
1 x FE port with PSE
2 x FE L2 / L3 ports
1 x pass-thru RJ45
WiNG Access Points AP7502 – Micro-Cell 11ac designed for Hotels
AP-7562 Outdoor 11ac
5G Radio
3x3:3
2.4G Radio
3x3:3
TurboQAM
AP 7562
IP67 rated, 3x3
802.11n.AC
2x GE
Network components
Environment: IP67 rated for harsh conditions
Extended Temp Range: -40°C – 60°C
802.3af power profile
Enhanced Features Transmit Beamforming
AirDefense Sensor / Location Aware
MESH Connex Backhaul detect and auto-route
MESH Visualization
MeshConnex ACS
Mobile MeshConnex
Rail MeshConnex
Key Features
RadioShare / Fulltime Sensor
ExtremeWireless WiNG Controllers
NX 5500 (Entry-level): 512 APs; 16,000 Users; 256 WLANs; 6 x GE Interfaces
NX 7500 (Mid-level): 2048 APs; 65,536 Users; 256 WLANs; 6 x GE Interfaces; NMC for 10GBE
NX 9600 (High-End): 10,240 APs; 200,000 Users; 1024 WLANs; 2 x 1GE Interface; 4 x 10GE Interface
VX 9000 (Virtualized): > 10,000 APs; 200,000 Users; 1024 WLANs; support for VMware ESXi, Citrix Xen, MS Hyper-V, Amazon EC2
When and What Controller?
Stand Alone AP's (AP 8432/8533/75xx, AP 65xx/8xxx/7502) as Virtual Controller, must all be the same model: up to 24 AP's or up to 64 AP's depending on model
RFS 4010: up to 144 AP's
NX 5500: up to 512 AP's
NX 7500: up to 2,048 AP's
NX 9600: up to 10,240 AP's
VX 9000: >10,240 AP's
Topologies
Supported Architectures Standalone Site Solutions – Overview
Scaling & Manageability
Single Site / Single Cell (1 x Access Point, PoE switch + AP)
Solution: Independent WiNG 5 AP, Standalone Management
Embedded Services: AAA / DHCP / Captive Portal; Enhanced WIPS; L2/L3 SPI Firewall; DPI
Enhanced Services: ADSP
Single Site / Multi Cell, Virtual Controller (2 – 64 x Access Points, same model, one RF Domain with an RFDM)
Solution: APs managed by a Virtual Controller AP, Single Site Management
Embedded Services: AAA / DHCP / Captive Portal; Enhanced WIPS; L2/L3 SPI Firewall; DPI
Enhanced Services: ADSP; NSight
Single Site / Multi Cell, RFS / NX (2 – 2,048 x Access Points, one RF Domain with an RFDM)
Solution: RFS or NX Controllers, WiNG 5 APs, Single Site Management
Embedded Services: AAA / DHCP / Captive Portal; Basic / Advanced WIPS; L2/L3 SPI Firewall / RBFW; DPI
Enhanced Services: ADSP; NSight
Note: Application requirements (RBFW, Tunneling etc.) will determine if you position a RFS / NX over a Virtual Controller
Supported Architectures Centralized Model – Overview
Centralized Model
Multi Site / Single Cell (≤ 10,240 x Access Points / Cluster; many sites, each an RF Domain with its own RFDM, managed by NX / VX)
Solution: NX or VX Controllers, Independent APs, Centralized Management
Embedded Services: AAA / DHCP / Captive Portal; WIPS; L2/L3 SPI Firewall / RBFW / DPI
Enhanced Services: ADSP; NSight; Proximity / Zoning
Multi Site / Multi Cell (≤ 10,240 x WiNG 5 Devices / Cluster; sites with many APs, some with a local RFS or NX, managed by NX / VX)
Solution: NX or VX Controllers, Independent APs, Centralized Management
Embedded Services: AAA / DHCP / Captive Portal; WIPS; L2/L3 SPI Firewall / RBFW / DPI
Enhanced Services: ADSP; NSight; Proximity / Zoning / Positioning
Distributed Campuses (≤ 10,240 x Access Points / Cluster; RF Domains with an RFDM, managed by VX / NX)
Solution: NX or VX Controllers, WiNG 5 APs, Centralized Management
Embedded Services: AAA / DHCP / Captive Portal; WIPS; L2/L3 SPI Firewall / RBFW / DPI
Enhanced Services: ADSP; NSight; Proximity / Zoning / Positioning
Access Points with a Virtual Controller AP
• No wireless controller needed
• Access points coordinating their actions
• One AP at the site configured as a Virtual Controller
• Virtual Controller performs many of the functions of a wireless controller
Virtual Controller Functions
• Pushes configuration and firmware updates to AP peers
• Collects statistics from AP peers
Diagram: the VC sends firmware and configuration updates to each peer; each peer returns statistics to the VC
Virtual Controller Considerations
• For single-site deployments
• Can only manage APs of the same model type (this will change in 5.9)
• Virtual Controllers manage up to 64 peers for the majority of the portfolio.
• Cannot be deployed in redundant pairs (this will change in 5.9)
• Can manage exactly one RF domain
• Can be deployed in franchise business model as multiple independent networks.
• Service Providers are starting to adore this model
Diagram: an AP 8533 Virtual Controller managing AP 8533 peers 2 – 64; an AP 7522 Virtual Controller managing AP 7522 peers 2 – 64
Virtual Controller Deployment Scenario
AP 7522 as Virtual Controller, 20 AP 7522 under management
CUSTOMER EXAMPLE: SMALL HOTEL
• 10 Room Boutique Hotel/B&B
• In room access only
• Ethernet already in room and in main office
Solution:
• 11 AP7602
– Office AP as VC
• Add 200 Series switch if needed
In Rooms
In Office
Virtual Controller
Remote Access Points with a RF Domain Manager
• WiNG access points
• Centralized wireless controller(s) managing multiple sites
• One AP auto-elected as an RF Domain Manager
• RF Domain Manager is an on-site coordinator
Extension of Corporate WLAN to Home Office
• AP 7532
• Split Tunneling (corp traffic to NOC, internet breaking out locally on the same SSID)
RF Domain Manager Scenario
AP 7532 as RF Domain Manager, 20 AP 7532 devices on site
VX or NX Controller
Medium Branch Office Deployment Scenario
NX5500 Redundant Pair
Voice and data in the network. Hundreds of APs on a site. AP7522 access points.
Headquarters Deployment Scenario
NX 7500
Voice and data in the network. AP7522 access points. Radio Share used for WIPs on all APs
Centrally Managed Mixed Solution Scenario
NX 9500 Services Platform
Diagram: controller-less sites (an AP acts as RF Domain Manager) and a site with a local controller (the controller acts as RF Domain Manager), all connected over the WAN to the NX 9500
WING5 - FOUNDATION FOR DELIVERING OMNI CHANNEL EXPERIENCES
HIGH PERFORMANCE WIFI & LOCATION SERVICES
Wireless Rapid Deployment: WiNG Controller + Nsight + AirDefense
FLEXIBLE DEPLOYMENT MODELS: NOC Controller, Cloud, Virtual Controller, Hierarchical, Local Controller (AP or Controller as Domain Manager, connected over the WAN)
1. UNMATCHED SCALE: 25,000 APs per Controller
2. COMPREHENSIVE LOCATION: 1m – 5m Accuracy
3. LOWEST TCO: 3x Faster Rollout, 6x Faster MTTR
Integrated Capacity Controls; Network Troubleshooting; Gap Free Security
PORTS & YARDS: MeshConnex
AP-7562
Mesh
Data
WIPS
WiNG Controllers
Campus Network / LAN
WiNG5 Features Overview
• Every AP has Stateful Firewall
• Integrated sensor function for Advanced Security
  • Packet Capture
  • AP Test
  • Spectrum Analyzer
• SMART-RF for ease of RF Management
• Load Balancing
• Roaming Assistance
• Profiles
• Zero touch Provisioning
Themes: Rapid Deployment; Capacity Controls; Best in class security; Network Assurance & Troubleshooting
Zero Touch Provisioning
The APs can be directly plugged into the network without the need for any pre-staging
Layer 2 (Multicast) or Layer 3 (DHCP option or DNS) automatic discovery
The controller pushes the right configuration to the Access Points based on the location at which the AP is deployed
WiNG5 provides plug-n-play Access Point adoption using intuitive Auto-Provisioning policies based on:
  IP Address or subnet
  VLAN
  Model Number
  CDP / LLDP Snoop
  DHCP option
  DNS Suffix
  MAC / Serial number
  FQDN Wildcard
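As an added worked example (not Extreme's code and not part of the original deck), here is the auto-provisioning decision above modelled in Python: an ordered set of rules, each keyed on one of the criteria the slide lists, places an adopting AP into an RF domain and profile. The Adoption record, the rule and criterion names, the precedence field and the sample policy are all assumptions for illustration; only the match criteria themselves come from the slide.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass
class Adoption:
    """What the controller knows about an AP at adoption time (constructed fields)."""
    ip: str
    vlan: int
    model: str
    mac: str
    serial: str
    dhcp_option: str = ""     # payload of the adoption DHCP option, if the AP received one
    dns_suffix: str = ""
    lldp_neighbor: str = ""   # upstream switch name learned by CDP/LLDP snooping
    fqdn: str = ""


@dataclass
class Rule:
    """One auto-provisioning rule: criterion, value to match, and the placement it yields."""
    match: str
    value: str
    rf_domain: str
    profile: str
    precedence: int        # lower number is evaluated first


def rule_matches(rule, ap):
    m, v = rule.match, rule.value
    if m == "ip":
        return ipaddress.ip_address(ap.ip) in ipaddress.ip_network(v, strict=False)
    if m == "vlan":
        return ap.vlan == int(v)
    if m == "model":
        return ap.model.upper() == v.upper()
    if m == "mac":
        # exact MAC, or a prefix such as an OUI ("b4:c7:99")
        return ap.mac.lower().startswith(v.lower())
    if m == "serial":
        return ap.serial == v
    if m == "cdp-lldp":
        return v.lower() in ap.lldp_neighbor.lower()
    if m == "dhcp-option":
        return ap.dhcp_option == v
    if m == "dns-suffix":
        return ap.dns_suffix.lower().endswith(v.lower())
    if m == "fqdn":
        return fnmatch.fnmatch(ap.fqdn.lower(), v.lower())
    raise ValueError(f"unknown match criterion: {m}")


def provision(policy, ap):
    """Return (rf_domain, profile) from the first rule that matches in precedence
    order, or None so the caller can decide how to treat an unmatched AP."""
    for rule in sorted(policy, key=lambda r: r.precedence):
        if rule_matches(rule, ap):
            return rule.rf_domain, rule.profile
    return None


# Constructed sample policy; domain, profile and serial values are illustrative only.
POLICY = [
    Rule("serial", "SN-EXAMPLE-0001", "lab", "lab-ap", 10),
    Rule("ip", "10.20.0.0/16", "store-20", "retail-ap", 20),
    Rule("vlan", "300", "warehouse", "wh-ap", 30),
    Rule("model", "AP7602", "hotel", "room-ap", 40),
    Rule("fqdn", "ap-*.branch.example.net", "branch", "branch-ap", 50),
]

if __name__ == "__main__":
    ap = Adoption("10.20.5.7", 300, "AP7532", "b4:c7:99:00:00:01", "SN-EXAMPLE-0042")
    print(provision(POLICY, ap))  # ('store-20', 'retail-ap'): the IP rule wins over the VLAN rule
```

Two points worth keeping in mind when writing such policies: precedence decides the outcome when an AP satisfies several rules, so the most specific rules (serial, MAC) belong first; and IP, VLAN, DNS suffix and LLDP neighbour describe where the AP was plugged in rather than what it is, so an unmatched AP is returned as None here rather than silently given a default placement.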
Wireless LANs Overview
Wireless LAN configuration is done as a separate WLAN object, which is assigned to an individual AP or an AP Profile.
The WLAN policy contains the parameters for client authentication, encryption, QoS, etc.
Each Access Point can support up to 32 WLANs (16 BSSIDs per radio)
Context-sensitive configuration on Virtual Controllers
Not recommended to use more than 4 WLANs per radio due to the management overhead.
The user VLAN (or VLAN pool) is defined for the wireless users
WLAN object: Encryption; Authentication; VLAN; QoS; Client policies
Wireless LAN assignment: to a Profile (group of APs) or to a single AP (Device)
Wireless LANs – Security
The following authentication options are supported: MAC Authentication; Pre Shared Key; 802.1X (EAP); Captive portal
The encryption mechanisms supported are: WEP-64; WEP-128; TKIP-CCMP; WPA2-CCMP
For 802.1X authentication, the RADIUS server can be configured to be either local on the AP or controller or an external RADIUS server:
  Local RADIUS server hosted on the AP
  Controller RADIUS server running on Site or Centralized controller
  External 3rd Party RADIUS Server
Wireless LANs
Authentication - EAP methods
EAP method support depends on the capabilities of the 802.1X supplicant on the wireless client and the back-end RADIUS server
WiNG 5 can support any standard EAP method in pass-through mode

EAP Method   WiNG 5 Onboard RADIUS   Cisco Secure ACS   FreeRADIUS   Microsoft NPS   Steel Belted RADIUS
LEAP         No                      Yes                Yes          No              Yes
EAP-TLS      Yes                     Yes                Yes          Yes             Yes
EAP-PSK      No                      No                 Yes          No              No
EAP-TTLS     Yes                     No                 Yes          No              Yes
EAP-FAST     No                      Yes                Yes          No              No
EAP-SIM      No                      No                 Yes          No              No
EAP-AKA      No                      No                 No           No              No
EAP-GTC      Yes                     Yes                Yes          No              Yes
PEAP         Yes                     Yes                Yes          Yes             Yes
Wireless LANs
VLAN Assignment
Each WLAN can assign users to a single VLAN or pool of VLANs:
Single VLAN – All devices are assigned to a Local or Tunneled VLAN
VLAN Pool – Devices are load-balanced between 2 or more Local or Tunneled VLANs
Dynamic VLAN assignment: The VLAN assignment for 802.1X, MAC and Guest users can be done by the RADIUS server using the standard Tunnel-Private-Group-ID RADIUS return attribute
Diagram: Single VLAN – WLAN -> VLAN 11; VLAN Pool – WLAN load-balanced across VLAN 11, VLAN 12, VLAN 13; Dynamic VLANs – the RADIUS server returns VLAN 11 for Bob, VLAN 13 for Sally and VLAN 12 for Jim
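The three assignment modes above, as an added worked example that is not part of the deck and not Extreme's code. The RADIUS attribute numbers (Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID) are those of RFC 2868 / RFC 3580; the WLAN class, its least-loaded pool balancing, the client bookkeeping and the sample users are assumptions, and the reply parser deliberately takes only numeric VLAN IDs.

```python
from collections import Counter
from typing import Optional

# RADIUS attribute values that signal a VLAN assignment (RFC 2868 / RFC 3580)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6


def vlan_from_radius(attrs) -> Optional[int]:
    """Extract the VLAN from a RADIUS Access-Accept's tunnel attributes.
    Returns None unless all three attributes are present and consistent, so a
    malformed or partial reply falls back to the WLAN's configured VLAN."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_IEEE_802:
        return None
    try:
        vlan = int(attrs.get("Tunnel-Private-Group-ID"))
    except (TypeError, ValueError):
        return None   # VLAN names are also legal in this attribute; this model only takes IDs
    return vlan if 1 <= vlan <= 4094 else None


class WLAN:
    """A WLAN with a single VLAN or a VLAN pool, optionally overridden per user by RADIUS."""

    def __init__(self, ssid, vlans, dynamic_vlan=False):
        if not vlans:
            raise ValueError("a WLAN needs at least one VLAN")
        self.ssid = ssid
        self.vlans = list(vlans)
        self.dynamic_vlan = dynamic_vlan
        self.clients = Counter()   # vlan -> number of clients currently placed there
        self.assignments = {}      # username -> vlan (constructed bookkeeping)

    def _least_loaded(self):
        # Pool load-balancing: least-loaded VLAN wins, ties go to the first in the pool
        return min(self.vlans, key=lambda v: (self.clients[v], self.vlans.index(v)))

    def assign(self, username, radius_attrs=None):
        vlan = None
        if self.dynamic_vlan and radius_attrs is not None:
            vlan = vlan_from_radius(radius_attrs)
        if vlan is None:
            vlan = self._least_loaded()   # single VLAN: the pool has one entry
        self.clients[vlan] += 1
        self.assignments[username] = vlan
        return vlan


def demo():
    """Constructed walk-through of the three modes on the slide."""
    pool = WLAN("staff", [11, 12, 13])
    balanced = [pool.assign(u) for u in ("Bob", "Sally", "Jim", "Ann")]
    corp = WLAN("corp", [11], dynamic_vlan=True)
    accept = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "13"}
    dynamic = corp.assign("Sally", accept)
    partial = corp.assign("Jim", {"Tunnel-Private-Group-ID": "12"})   # incomplete reply
    return balanced, dynamic, partial


if __name__ == "__main__":
    print(demo())   # ([11, 12, 13, 11], 13, 11)
```

The design choice to note is the fallback: a reply that carries Tunnel-Private-Group-ID without the matching Tunnel-Type and Tunnel-Medium-Type is treated as no assignment at all, so the user lands in the WLAN's configured VLAN instead of whatever a partial or mis-typed attribute says.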
Wireless LANs
AAA Policies – RADIUS Server Pools
AAA policy is needed to configure RADIUS parameters for 802.1X, MAC or Captive Portal authentication
Each AAA policy can include up to 6 RADIUS authentication and accounting server definitions:
  Each RADIUS server is assigned a unique ID (1 – 6)
  Each server can be reached using an IP address or hostname
  Each entry supports standard RADIUS configuration parameters such as Secret, Port, Timers, EAP parameters, MAC address formatting and Realms
  The RADIUS servers may be internal (AP or Controller) and/or external
Diagram: Example 1 – users authenticate against a primary and a secondary AAA server; Example 2 – primary, secondary and tertiary AAA servers
Wireless LANs – AAA Policies – Proxy Modes
For flexibility each RADIUS server entry includes a proxy operating mode:
None – RADIUS authentication and accounting requests are forwarded directly from the Access Point to a RADIUS server (requires an IP address to be assigned)
Through-Controller – RADIUS authentication and accounting requests are proxied through the Wireless Controller managing the Access Point to a RADIUS server
Through-RF-Domain-Manager – RADIUS authentication and accounting requests are proxied through the local RF Domain Manager (elected Wireless Controller or Access Point) to a RADIUS server
Diagram: one WLAN / AAA / RADIUS server pool layout per proxy mode (None, Through-RF-Domain-Manager, Through-Controller)
Traffic Forwarding
Local Bridging
The Access Points bridge the traffic locally on their Ethernet ports
The Wireless Controller is completely removed from the data path
The User VLAN should be allowed on the Ethernet port going to the Access Point
The user traffic forwarding has no dependency on the controller
  – The controller may be down or unreachable
The Access Point supports all the features needed to enforce all policies on the user traffic before it is forwarded
Diagram: each AP bridges the user VLAN onto the wired network; only management traffic goes to the controller
Traffic Forwarding
Tunnel Mode
All user traffic is tunneled to the Wireless Controller
The controller will then bridge the traffic on the wired network.
  – Client core traffic is tunneled back to the Controller
  – Client local resources are bridged locally via an AP-to-AP tunnel.
There is no need to assign User VLANs on the Access Point's Ethernet port
  – Easy to manage the wired port assignments
  – Some companies want to route the traffic centrally for security policy
Diagram: each AP tunnels the user VLAN to the controller, which bridges it onto the wired network
Traffic Forwarding
Tunneling over MINT
Wi-Fi user traffic is encapsulated and forwarded to the elected RF Domain Manager (RFDM) within the site using IP or VLAN based Level 1 MINT links
Wi-Fi user traffic is re-encapsulated and forwarded by the RFDM to the Active Centralized Controller in the datacenter using an IP based Level 2 MINT link
Adaptive Forwarding is used at the site
Cluster failover times may be ~ 1-2 minutes
Diagram: Remote Site with AP 1 (RFDM), AP 2, AP 3, AP 4 on a Guest VLAN and a Control VLAN; Level 1 MINT links inside the site, a Level 2 MINT link from the RFDM to the NX 9510 in the Data Center. Encapsulation layers shown: Ethernet encapsulation, 802.11 encapsulation, Level 1 MINT encapsulation, Level 2 MINT encapsulation
Traffic Forwarding
Tunneling using L2TPv3
Wi-Fi user traffic is encapsulated and forwarded to the elected RF Domain Manager (RFDM) within the site using IP or VLAN based Level 1 MINT links
Wi-Fi user traffic is re-encapsulated and forwarded by the RFDM to the Active Centralized Controller in the datacenter using an L2TPv3 tunnel
Tunnel failover can be very fast – <3 seconds with the l2tpv3 fast-failover feature – suitable for Campus deployments
Does not require L2 connectivity between the controllers (user VLANs may not be shared)
Diagram: Remote Site with AP 1 (RFDM), AP 2, AP 3, AP 4 on a Guest VLAN and a Control VLAN; Level 1 MINT links inside the site, an L2TPv3 tunnel (in place of Level 2 MINT) from the RFDM to the NX 9500 / RFS 7000 in the Data Center. Encapsulation layers shown: Ethernet encapsulation, 802.11 encapsulation, Level 1 MINT encapsulation, L2TPv3 encapsulation
Traffic Forwarding Example with L2TPv3 termination at regional POP
Diagram: RF domains STORE-1 … STORE-X, each with an elected RFDM (M), connect over MINT to a Regional POP where an NX9610 active-standby pair terminates L2TPv3; guest traffic reaches the Guest Captive Portal and the Internet from the Regional POP; the Main DC hosts an NX9600 active-standby pair and a Captive Portal
Smart-RF Off-Channel Scanning
1. Radios periodically go off-channel (frequency / duration)
2. They scan a single channel
3. Each channel can be scanned multiple times (sample count)
4. The entire band is only scanned at defined intervals (extended-frequency-scan)
Smart-RF Neighbour Recovery
1. Neighbor radios monitor the air
2. Neighbor radios sense when an Access Point or radio fails
3. Neighboring Access Points raise TX power to compensate
Diagram: before the failure all APs run at Normal power (10 – 17 dB); after it, the neighbors of the failed AP move to Rescue power (15 – 17 dB)
Defends against loss of coverage due to:
  Sudden AP failure
  Access Points with faulty antennas
  Access Points with bad Ethernet connections
  Access Points which are faulty
  Access Points that are not visible anymore due to obstructions
Smart-RF Coverage Hole Recovery
1. Coverage SNR threshold set to 20dB
2. As the client moves away from the AP, SNR will drop
3. If SNR drops below the set threshold of 20dB, the AP raises its TX power
4. If the client SNR is maintained, the AP will reduce its TX power
5. The AP will repeat step 4 until the client SNR is maintained
Diagram: client SNR 30dB close to the AP, falling to 20dB and then 18dB as it moves away
A typical use case for this feature: In a warehouse there was a vacant spot
During business hours new inventory was stacked high (changes the RF)
Mobile Units in the new aisle do not get adequate coverage
Access Points detect the fall in SNR (< threshold value) and raise power
Power returns to normal if no client present (dynamically adjusting to changes)
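The five-step control loop above, carried through as an added simulation that is not part of the deck and not Extreme's implementation. The link-budget model (SNR = TX power - path loss - noise floor), the 12 dBm normal / 20 dBm maximum power, the 1 dB step and the warehouse path-loss sequence are constructed assumptions; the 20 dB threshold and the raise / back-off / return-to-normal behaviour are the slide's.

```python
NOISE_FLOOR_DBM = -95   # constructed receiver noise floor


def client_snr_db(tx_power_dbm, path_loss_db):
    """SNR seen by a client for a given AP power and path loss (link-budget simplification)."""
    return tx_power_dbm - path_loss_db - NOISE_FLOOR_DBM


class CoverageHoleRecovery:
    """One AP radio's control loop for the five steps on the slide."""

    def __init__(self, normal_power_dbm=12, max_power_dbm=20, snr_threshold_db=20, step_db=1):
        self.normal = normal_power_dbm
        self.max = max_power_dbm
        self.threshold = snr_threshold_db
        self.step = step_db
        self.tx_power = normal_power_dbm

    def iterate(self, weakest_client_path_loss_db):
        """Run one control interval. Pass None when no client is associated."""
        if weakest_client_path_loss_db is None:
            self.tx_power = self.normal         # no client present: power returns to normal
            return self.tx_power
        snr = client_snr_db(self.tx_power, weakest_client_path_loss_db)
        if snr < self.threshold:
            # step 3: below threshold, raise power (bounded by the radio's maximum)
            self.tx_power = min(self.tx_power + self.step, self.max)
        elif self.tx_power > self.normal and snr - self.step >= self.threshold:
            # steps 4/5: SNR is maintained, back off one step while the client would still clear the threshold
            self.tx_power -= self.step
        return self.tx_power


def simulate(path_losses, **kwargs):
    """Feed a sequence of path-loss readings (None = no client) and return the TX power after each."""
    ap = CoverageHoleRecovery(**kwargs)
    return [ap.iterate(pl) for pl in path_losses]


if __name__ == "__main__":
    # Constructed warehouse scenario: stock stacked in the aisle raises path loss 85 -> 90 dB,
    # the aisle is cleared again (90 -> 85 dB), then the client leaves (None)
    print(simulate([85, 85, 90, 90, 90, 90, 90, 85, 85, 85, 85, None]))
    # [12, 12, 13, 14, 15, 15, 15, 14, 13, 12, 12, 12]
```

The sequence shows the two bounds a practitioner cares about: power rises only as far as needed to put the weakest client back at the threshold (15 dBm here, not the 20 dBm maximum), and it never drops below the normal level, so the loop cannot talk the radio into a permanent low-power state.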
Smart-RF
Group by Floor or Area
Diagram: Building 1 and Building 2 share one RF-Domain & Smart-RF Policy grouped By Floor (Floor 1, Floor 2, Floor 3); Building 3 and Building 4 share one RF-Domain & Smart-RF Policy grouped By Area
What is a typical use case for these parameters?
By Floor – An office building with different tenants on every floor
By Area – A campus environment with multiple buildings
Smart Band Control
Overview
Smart Band Control detects dual radio clients and will distribute clients in each radio band based on a configurable ratio or percentage
One part of our Client Load Balancing strategy, allowing us to distribute clients:
  Across Access Points
  Across Bands (2.4 or 5 GHz)
  Across Channels in a band
Diagram: 2:1 Ratio between the bands
Fast Roaming
Overview
Typical Authentication sequence during roaming is:
  802.11 Authentication
  802.11 Re-Association
  Higher level authentication (WPA/WPA2 PSK/802.1X)
Diagram (Client <-> AP), PSK Authentication: 802.11 Authentication, 802.11 Association, 4-way Handshake, …Data READY
Diagram (Client <-> AP), EAP/802.1X Authentication: 802.11 Authentication, 802.11 Association, EAP Exchange (802.1X), 4-way Handshake, …Data READY
Timings shown on the diagram: 1 sec and <50 ms
Fast Roaming
Supported Methods - Legacy
Pre-Authentication: The wireless client performs full authentication with multiple APs, so when it roams, it already has the authentication completed
PMK Caching: The Client information is automatically distributed between Access Points. As Wireless Clients roam, they don't need to go through the complete authentication. It works only when the client roams back to the old AP. 4-way handshake needed
OPMK Caching: The Client Credential Cache information is available on the APs which perform authentication. As clients roam amongst multiple Access Points, the RADIUS exchange is skipped, because we use cached keys. Works when the client roams to any AP. 4-way handshake needed
Fast Roaming
802.11r Fast Roaming
Standards Based Roaming
Handshakes are piggybacked with authentication and re-association frames (FT-over-the-Air)
Diagram (Client, AP 1, AP 2): Full Authentication with AP1; …Data Exchange…; Client identifies Roam candidates; 802.11 Authentication Request to AP 2 (includes 802.11R FT exchange 1); 802.11 Authentication Response (includes 802.11R FT exchange 2); Re-Association Request (includes 802.11R FT exchange 3); Re-Association Response (includes 802.11R FT exchange 4); …802.1x SUCCESS, the client can resume data transmission (<10 ms)
Roaming Assist
Overview
WiFi Roaming:
  As mobile devices roam, they move between Access Points
  – The wireless clients select the best AP in the vicinity
  – This ensures seamless connectivity
Sticky Client Problem:
  Some clients do not roam in spite of moving away from the current AP
  This impacts their wireless experience negatively
  And also impacts clients nearby because they are wasting airtime
  – Lower data rates and higher retries
Roaming Assist:
  The Access Points help the clients make better roaming decisions
  The Access Point de-authenticates or performs a BSS transition (802.11v) for clients having poor connectivity
  This forces the clients to connect to a better Access Point close by
Integrated Services Wireless Firewall - Overview
Diagram (Firewall Policy components): Proxy ARP; DHCP Offer Conversion; NAT; Stateful Inspection; Rogue Detection; IP ACLs; MAC ACLs
WiNG provides a Stateful Wireless Firewall.
The Firewall is enabled by default and supported on all the WiNG devices – Controllers and Access Points
The integrated firewall provides:
  Stateful Packet Inspection (L2/L3)
  IP Access Control Lists (ACL)
  MAC Access Control Lists (ACL)
  NAT
  Proxy ARP
Integrated Services Wireless Firewall – SPI
Provides stateful inspection for all IP traffic being switched or routed by a Wireless Controller or Access Point
Layer 2 inspection can be optionally disabled
Supports stateless packet filtering for non-IP traffic such as AppleTalk, IPX
Inspects all 802.11 flows typically not visible to wired firewall appliances including:
  Wired to Wired Traffic
  Wired to WLAN Traffic
  WLAN to WLAN Traffic
Maintains state of TCP, UDP and ICMP flows as they traverse the Wireless Controller or Access Points
Once an IPv4 flow is established, bidirectional communications between hosts can occur (no reverse permit rule is required)
All flows are migrated as Wireless Clients roam between Access Points
Integrated Services Wireless Firewall – IP ACLs
IP Firewall Rules can be assigned to permit, deny or mark selected traffic
Traffic Selection: The traffic can be selected based on source and destination IP addresses, port and protocol number in the IP headers.
Rule Assignment: IP Firewall Rules can be assigned to WLANs, User Roles, Physical Ports and Virtual IP Interfaces:
  WLANs: Assigned per WLAN for inbound and outbound traffic
  Physical Ports: Assigned per Port for inbound traffic
  Virtual IP Interfaces: Assigned to a Virtual IP Interface for inbound traffic
  Role Based Firewall: Assigned to a user Role for inbound and outbound traffic
IP Firewall Rules can be assigned to individual devices or multiple devices using profiles
IP Firewall Rules assigned to individual devices will override IP Firewall Rules inherited from a profile
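As an added worked example (not part of the deck and not Extreme's code), the two slides above reduced to a small stateful packet inspector with an ordered IP ACL: permit, deny and mark rules selected by address, protocol and port, a flow table keyed on the 5-tuple, reverse-direction traffic of an established flow permitted without a reverse rule, and flow state handed over when the client roams. The Packet and Rule records, the ACL syntax, the migrate_flows helper and the guest-WLAN sample ACL are assumptions; the addresses are from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass
class Rule:
    """One IP firewall rule: permit, deny or mark traffic selected by address/protocol/port."""
    action: str                 # "permit", "deny" or "mark"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    dscp: Optional[int] = None  # only used when action == "mark"

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    """Stateful packet inspection over an ordered IP ACL: first match wins, implicit
    deny at the end. The flow table holds forward 5-tuples; a packet whose reversed
    5-tuple is present belongs to an established flow and is permitted without
    consulting the ACL, which is why no reverse permit rule is needed."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    @staticmethod
    def forward_key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def reverse_key(p):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def inspect(self, p):
        """Return (verdict, reason) with verdict 'permit' or 'deny'."""
        if self.reverse_key(p) in self.flows:
            return "permit", "established"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "deny":
                    return "deny", "rule"
                self.flows.add(self.forward_key(p))   # permit and mark both open a flow
                if rule.action == "mark":
                    return "permit", f"mark dscp {rule.dscp}"
                return "permit", "rule"
        return "deny", "implicit"

    def migrate_flows(self, other):
        """Hand all flow state to the AP the client roamed to (constructed helper)."""
        other.flows |= self.flows
        self.flows.clear()


# Constructed guest-WLAN ACL: web out, SIP signalling marked, everything else denied
GUEST_ACL = [
    Rule("permit", src="10.1.0.0/16", proto="tcp", dport=443),
    Rule("permit", src="10.1.0.0/16", proto="tcp", dport=80),
    Rule("mark", src="10.1.0.0/16", proto="udp", dport=5060, dscp=26),
    Rule("deny"),
]


def demo():
    fw = StatefulFirewall(GUEST_ACL)
    out = fw.inspect(Packet("10.1.2.3", "198.51.100.10", "tcp", 51000, 443))
    reply = fw.inspect(Packet("198.51.100.10", "10.1.2.3", "tcp", 443, 51000))
    unsolicited = fw.inspect(Packet("198.51.100.10", "10.1.2.3", "tcp", 443, 51001))
    # the client roams: the new AP inherits the flow, so the reply is still recognised
    ap2 = StatefulFirewall(GUEST_ACL)
    fw.migrate_flows(ap2)
    after_roam = ap2.inspect(Packet("198.51.100.10", "10.1.2.3", "tcp", 443, 51000))
    return out, reply, unsolicited, after_roam


if __name__ == "__main__":
    print(demo())
```

The unsolicited packet is the case that matters for review: it comes from the same server and port as the legitimate reply, but its reversed 5-tuple is not in the flow table, so it falls through to the ACL and is denied. Without the migration step the same reply would also be dropped on the AP the client roamed to, which is the operational reason the slide stresses that flows move with the client.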
Integrated Services
Wireless Firewall – DoS Detection
Each Firewall policy can detect 32 different DoS violations
– Each violation can be individually enabled or disabled, supports an action that can drop and/or log traffic and provides a user defined log level
All events are enabled by default with the default log level
DoS Attacks (checks listed on the slide):
  ASCEND DoS Check
  LAND DoS Attack Check
  TCP Intercept DoS Check
  Broadcast/Multicast ICMP traffic as attack
  IP Option Route DoS Check
  Maximum incomplete TCP connections
  CHARGEN DoS Check
  ICMP Router Advertisement DoS Check
  TCP NULL SCAN DoS Attack Check
  FRAGGLE DoS Check
  ICMP Router Solicit DoS Check
  TCP Post Syn DoS Attack Check
  FTP Bounce DoS Check
  SMURF DoS Attack Check
  TCP XMAS SCAN DoS Attack Check
  Invalid IP Protocol DoS Check
  TCP Header Fragment DoS Attack Check
  TCP IP TTL ZERO DoS Attack Check
  TCP BAD SEQUENCE DoS Attack Check
  TWINGE DoS Attack Check
  IPSPOOF DoS Attack Check
  TCP FIN SCAN DoS Attack Check
  UDP Short Header DoS Attack Check
  SNORK DoS Check
  WINNUKE DoS Attack Check
Integrated Services Wireless Firewall – Storm Control
Storm Controls provide a mechanism to protect the network infrastructure from flooding attacks or high rates of traffic forwarded through Wireless Controllers and Access Points
Storm Controls are defined in firewall policies and may limit:
  Broadcast packets / second forwarded through ports and WLANs
  Multicast packets / second forwarded through ports and WLANs
  Unknown Unicast packets / second forwarded through ports and WLANs
  ARP packets / second forwarded through ports and WLANs
Traffic that exceeds the defined threshold will be dropped by the Wireless Controllers and Access Points and an event log message will be generated
Storm Controls are disabled by default in the default firewall policy or user defined firewall policies
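An added worked example of the storm-control behaviour described above (not part of the deck and not Extreme's code): frames are classified into the four limited classes, counted in a one-second sliding window per interface and class, dropped once the packets-per-second threshold is reached, and the event is logged once per storm. The frame dictionary, the threshold values, the event text, the classification order (ARP before broadcast) and the sample burst are constructed assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806


def classify(frame, known_macs):
    """Storm-control class of a frame, or None for ordinary known-unicast traffic.
    ARP is tested first because ARP requests are also broadcasts and the slide
    lists ARP as a limit of its own."""
    if frame["ethertype"] == ETHERTYPE_ARP:
        return "arp"
    dst = frame["dst"].lower()
    if dst == BROADCAST:
        return "broadcast"
    if int(dst.split(":")[0], 16) & 1:   # I/G bit set: group (multicast) address
        return "multicast"
    if dst not in known_macs:
        return "unknown-unicast"
    return None


class StormControl:
    """Per-interface (port or WLAN) packets-per-second limits with one sliding
    one-second window per (interface, class). Frames over the limit are dropped;
    an event is logged when a storm starts, not for every dropped frame."""

    def __init__(self, thresholds_pps):
        self.thresholds = dict(thresholds_pps)   # class -> pps; an absent class is not limited
        self.windows = defaultdict(deque)        # (interface, class) -> timestamps inside the window
        self.in_storm = set()
        self.events = []

    def forward(self, interface, frame, known_macs, now):
        """Return True if the frame may be forwarded, False if storm control drops it."""
        cls = classify(frame, known_macs)
        limit = self.thresholds.get(cls)
        if cls is None or limit is None:
            return True
        key = (interface, cls)
        win = self.windows[key]
        while win and now - win[0] >= 1.0:
            win.popleft()                        # expire timestamps older than one second
        if len(win) >= limit:
            if key not in self.in_storm:
                self.in_storm.add(key)
                self.events.append(f"{now:.3f} storm-control: {cls} exceeded {limit} pps on {interface}, dropping")
            return False
        self.in_storm.discard(key)
        win.append(now)
        return True


def demo():
    """Constructed burst: 8 broadcast frames in 0.7 s against a 5 pps limit, then one more after the window."""
    sc = StormControl({"broadcast": 5, "multicast": 5, "unknown-unicast": 5, "arp": 10})
    known = {"00:11:22:33:44:55"}
    bcast = {"dst": BROADCAST, "src": "00:11:22:33:44:55", "ethertype": 0x0800}
    results = [sc.forward("wlan-guest", bcast, known, t / 10) for t in range(8)]
    late = sc.forward("wlan-guest", bcast, known, 1.5)
    return results.count(True), results.count(False), late, len(sc.events)


if __name__ == "__main__":
    print(demo())   # (5, 3, True, 1)
```

Keeping the window per interface rather than per device is what makes this a storm control rather than a per-client rate limit: a single guest WLAN flooding broadcasts is capped without touching the other WLANs on the same radio, and the one-per-storm event keeps the log readable during exactly the condition it is meant to report.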
Integrated Services
Role Based Access Control (RBAC)
RBAC allows Firewall Rules to be assigned to Wireless Clients based on their Identity
– For example, employees from the Engineering department can be given separate access compared to the HR employees.
– Supports device fingerprinting for BYOD access control.
Role Definition: Roles can be defined based on one or more match conditions
– The wireless clients are assigned a role if any condition is matched
Access Rules: Access Rules are assigned to User Roles
– The client access will be controlled by the Access Policies attached to the User Role
Role Policy Assignment: The Client Role Policy is assigned to the specific AP, or to profiles to assign it to a group of APs
License: The feature requires an Advanced Security License on each Wireless Controller (VX9000, NX5500, RFS4000 come with a built-in ADSEC license)
Integrated Services
Match conditions: Roles can be defined based on one or more match conditions : – Location – AP or Group of APs the Wireless Client is connected to
– Authentication & Encryption Type
– Group Membership – The local Group the Wireless Client is assigned obtained from AAA
– Client Identity: Based on Device Type, OS, OS Version
– MAC Address (or range) of the Wireless Clients
– SSID – The SSID the Wireless Client is associated to
Access Rules: The User Access can be controlled by attaching one or more of the following to the User Role Policies.
– IP ACL Rule: The user traffic is bound by the IP ACL
– MAC ACL Rule: The user traffic is bound by the MAC ACL
– WEB Filtering: The user traffic is bound by the WEB Filtering rules
– Application Control: The user traffic is subjected to the Application Visibility and Control Policies
Role Based Access Control (RBAC)
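The role assignment described across the two RBAC slides above, as an added example (not WiNG code): a role carries match conditions on the listed attributes (location, authentication type, AAA group, fingerprinted device type, MAC range, SSID) plus its attached access rules, and a client receives the first role with any matching condition, which is the "any condition" semantics the slide states; the first-match ordering, the role names and the rule labels are assumptions.

```python
# Added illustration of a client role policy (constructed, not WiNG's implementation).
from dataclasses import dataclass

@dataclass
class Client:
    mac: str
    ap: str            # AP the client is connected to (the "Location" condition)
    auth: str          # authentication & encryption type, e.g. "eap-ccmp", "psk-ccmp", "open"
    group: str         # local group obtained from AAA, "" if none
    device: str        # device type from fingerprinting
    ssid: str

@dataclass
class Role:
    name: str
    conditions: dict   # attribute -> set of allowed values, or (low, high) for a MAC range
    rules: list        # attached access rules, e.g. "ip-acl:ENG-ALLOW"

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def condition_matches(attr, allowed, client):
    value = getattr(client, "ap" if attr == "location" else attr)
    if attr == "mac":                       # inclusive MAC range
        low, high = allowed
        return mac_to_int(low) <= mac_to_int(value) <= mac_to_int(high)
    return value in allowed

def assign_role(client, roles, default):
    """First role with ANY matching condition wins (assumed ordering); else the default role."""
    for role in roles:
        if any(condition_matches(a, v, client) for a, v in role.conditions.items()):
            return role
    return default

ROLES = [  # constructed policy: most specific role first, since first match wins
    Role("contractor", {"mac": ("00:aa:00:00:00:00", "00:aa:00:00:ff:ff")},
         ["ip-acl:CONTRACTOR", "web-filter:STRICT"]),
    Role("engineering", {"group": {"eng"}, "ssid": {"Corp-Eng"}}, ["ip-acl:ENG-ALLOW"]),
    Role("hr", {"group": {"hr"}}, ["ip-acl:HR-ALLOW", "app-control:NO-P2P"]),
    Role("byod", {"device": {"iPhone", "Android"}}, ["ip-acl:INTERNET-ONLY"]),
]
DEFAULT = Role("guest", {}, ["ip-acl:DENY-INTERNAL"])

def rules_for(client):
    """Access rules that apply to a client under the constructed policy."""
    return assign_role(client, ROLES, DEFAULT).rules
```

Note that with any-condition matching an HR user associated to the Corp-Eng SSID lands in the engineering role, so role order and condition breadth need to be reviewed together.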
Integrated Services – IPSec VPN
Standards based IPsec VPN on Zebra Access Points & Controllers
– Site-to-Site VPN: Connect different sites
– Remote VPN: Connect wireless clients using IPSec
– Auto-tunnel mode: Automatic encryption between AP and Controller
Can be used to secure traffic between remote WiNG devices
Can also be used to secure traffic between WiNG devices and third-party routers, VPN gateways and firewalls
Can be used when Management or user traffic needs to be secured over an IPv4 network
Supports NAT traversal
Integrated Services – Application Visibility & Control
Organizations want to get the best out of their investments by:
– Giving a higher priority to the business apps
– Controlling access to the network by consumer applications
– Detecting and enforcing policies for dynamic apps, e.g. BitTorrent
Application Visibility and Control provides a way to:
– Identify applications with dynamic signatures
– Fine tune the applications’ access to the wireless network
– Create custom application signatures
– Monitor Voice/Video quality
– Monitor application level performance
– Provide service differentiation and network capacity planning
– Enforce the control right at the edge
Captive Portals – Captive Portal Deployment Options
Captive portals are a means of authenticating users on the wireless or wired network, without adding any configuration on the devices
WiNG 5 supports Captive Portal authentication for guest users:
– A Captive Portal can be hosted directly on an Access Point, providing the same Captive Portal functionality that’s available on the Wireless Controller
– A Captive Portal can be hosted on a Wireless Controller deployed in a DMZ or isolated network
[Diagram: Captive Portal Deployment Options – Centralized Hotspot, Distributed Hotspot and Tunneled Hotspot (Captive Portal in the DMZ); each shows where the Captive Portal is hosted relative to AP Adoption]
Captive Portals – Captive Portal Authentication Types
Access can be granted after:
– Authentication based on Vouchers, SMS validation, Email validation or Social Media credentials
– Users agree to the Terms and Conditions (no authentication)
– User registers himself using an HTML Form or Social Media Accounts
Guest User Onboarding: Users can self register themselves the first time they connect to the wireless network
Captive portal can be hosted on the Controllers or the Access Points
Options to host web pages:
– Default: Pages hosted on the Access Points or Controller
– Upload pages: Customized pages can be uploaded
– External: Pages hosted on an external web server
[Diagram: a Captive Portal Policy is applied to a WLAN or VLAN (where the captive portal is enforced) and to a Profile or Device (the device hosting the captive portal)]
Captive Portals – Captive Portal Enforcement Options
The captive portal authentication can be combined with other authentication mechanisms.
Each WLAN supports three Captive Portal enforcement modes:
– Off: Captive Portal is disabled on the WLAN
– On: Captive Portal enforcement is enabled for all Wireless Clients even if primary authentication succeeds
– Fall-Back: Captive Portal is enabled for all Wireless Clients if MAC and/or EAP authentication fails
Captive Portal authentication can be performed after primary authentication or as a fall-back authentication if MAC or EAP authentication fails
[Diagram: Off – optional primary authentication only; On – optional primary authentication followed by the Captive Portal; Fall-Back – EAP / MAC authentication, with the Captive Portal used when it fails]
Captive Portals – Guest Registration
Repeat visitors are authenticated against the MAC database without the need to re-login.
For analytics purposes additional information can be captured about the guest, like email, mobile number, age, address.
Alternatively a Social Media profile can be used to login (OAuth)
Functionality included without any additional licensing.
The following platforms are supported:
Controller Platforms    # Users supported
NX 95X0/NX 96X0         2 Million
VX 9000                 2 Million
NX 7510                 1 Million
Captive Portals – Registration Methods
– Device Registration (No Authentication): The device details are stored after Registration. The guest client doesn’t require authentication on subsequent visits. Additional registration fields have been added
– User Registration with Email or SMS validation: On registration, Captive Portal sends a passcode to validate the user Email or Mobile number. Guest User can use his email or phone number along with the passcode to login on the guest network. He can use them on multiple devices
– Device Registration with One-Time-Password (OTP): On registration, Captive Portal sends an OTP to the client. Guest User will use the unique passcode to register one device
– Device Registration via Social Media Authentication (Facebook / Google+): Self registration via social media profile, like Facebook or Google+. The guest client device doesn’t require authentication on subsequent visits
Captive Portals – Notification Methods
The passcode is sent to the user via email or SMS Notification.
The following notification methods are supported currently:
– Email: Requires integration with the SMTP Server. Configure the SMTP server, credentials, email subject and content
– SMS (via Clickatell API): Requires integration with an SMS gateway; Clickatell is used as the SMS Gateway. Configure Clickatell account details and the SMS message Body
– SMS via SMTP: Some SMS gateways allow the passcode to be sent in an email to the SMS gateway. The SMS gateway then forwards the passcode to the user via SMS. The SMS over SMTP method can be used for customers’ on-premises SMS gateways
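The passcode flow behind the Registration Methods and Notification Methods slides above, as an added example (not WiNG code): registration issues a random passcode, stores only its hash with an expiry, and hands the message to a pluggable notifier standing in for the email, Clickatell SMS or SMS-over-SMTP integration; the Email/SMS method validates the passcode against the email or phone number and may be reused on several devices, while the OTP method binds the first validating device. Passcode length, expiry, the notifier interface and the class names are assumptions.

```python
# Added illustration of guest passcode issue/validate (constructed, not WiNG's implementation).
import hashlib
import hmac
import secrets
import time

PASSCODE_DIGITS = 6          # assumed passcode length
TTL_SECONDS = 600            # assumed validity window for a passcode

def _digest(contact, passcode):
    """Store a hash bound to the contact, never the passcode itself."""
    return hashlib.sha256(f"{contact}:{passcode}".encode()).hexdigest()

class GuestRegistry:
    def __init__(self, notifier, now=time.time):
        self.notifier = notifier       # callable(contact, message): SMTP, Clickatell or SMS-over-SMTP adapter
        self.now = now                 # injectable clock so expiry can be exercised offline
        self.pending = {}              # contact -> (digest, expires_at, method, bound_mac)

    def register(self, contact, method):
        """Issue a passcode to an email address or phone number; method is 'email-sms' or 'otp'."""
        passcode = "".join(secrets.choice("0123456789") for _ in range(PASSCODE_DIGITS))
        self.pending[contact] = (_digest(contact, passcode), self.now() + TTL_SECONDS, method, None)
        self.notifier(contact, f"Your guest network passcode is {passcode}")  # the passcode leaves only via the notifier

    def validate(self, contact, passcode, client_mac):
        """Return True if the device may join: email/SMS allows many devices, OTP binds one."""
        entry = self.pending.get(contact)
        if entry is None:
            return False
        digest, expires_at, method, bound_mac = entry
        if self.now() > expires_at:
            del self.pending[contact]  # expired passcodes are discarded, forcing a new registration
            return False
        if not hmac.compare_digest(digest, _digest(contact, passcode)):
            return False               # constant-time comparison of the hashes
        if method == "otp":
            if bound_mac is not None and bound_mac != client_mac:
                return False           # OTP registers exactly one device
            self.pending[contact] = (digest, expires_at, method, client_mac)
        return True
```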
Captive Portals – Social Media Registration (OAuth)
This functionality allows the guest users to register themselves using their public Facebook or Google+ profiles
The user’s Social Media credentials are used to validate the user
OAUTH 2.0 support is introduced to implement this functionality.
Access Points or Controllers hosting the Captive Portal service act as an intermediary and send OAUTH requests on behalf of the user to either Facebook or Google.
On successful authentication, the user is granted access to the wireless network
Remote Diagnostics – Live Packet Capture
Each WiNG 5 device includes a sophisticated integrated packet capture facility that can capture wired and wireless traffic at any point within the device
Allows administrators to initiate packet captures on one or more remote WiNG 5 devices or RF Domains and centrally view the packet captures in real-time:
– Real-time on a Centralized Controller Console
– Real-time on a host running Wireshark
Allows administrators to initiate packet captures on one or more remote devices or RF Domains and centrally view the packet captures offline:
– Capture file streamed to a centralized FTP server
Provides administrators with full visibility into wired and wireless traffic at a remote site
– Eliminates the need for deploying standalone distributed sniffers to remotely troubleshoot connectivity, wireless client or application issues at a site
WWW.EXTREMENETWORKS.COM
Thank You