Extreme WiNG

Page 1: Extreme WiNG

©2017 Extreme Networks, Inc. All rights reserved

Extreme Wireless WiNG

Паливода Александр

[email protected]

Systems Engineer, MUK

Page 2: Extreme WiNG


Page 3: Extreme WiNG

ExtremeWireless WiNG Portfolio

[Portfolio diagram] Products: Access Points (indoor, outdoor), Service Platforms (NX 5500, NX 7500, NX 9600), Integration. Solutions: Wireless LAN, Management & Visibility, Advanced Security.

Network Visibility, Network Assurance, Analytics, Security and Compliance, Locationing

Page 4: Extreme WiNG

ExtremeWireless WiNG indoor 802.11ac access points

AP 7622: 11ac Wave 1, 1x1:1 dual band or 2x2:2 single band; WIPS/LBS/BLE; lowest cost enterprise 11ac; retail / hotels; cost-sensitive markets.

AP 7602: 11ac Wave 1, 1x1:1 dual band or 2x2:2 single band; WIPS/LBS/BLE; lowest cost enterprise 11ac; snap-on installation; lower DC power consumption; designed for one AP per room.

TW-522: 11ac Wave 1, 2x2:2 dual radio; auto-tuning DSL; self-healing RF; snap-on installation; patented line power over phone wire (Power over VDSL2), re-using the phone wire already in the wall; hotels.

AP 7502: 11ac Wave 1, 2x2:2 dual radio; SmartRF on 2.4 GHz; snap-on installation; smallest enterprise 11ac AP (90 mm x 95 mm); L2/L3 stateful firewall; small-packet-optimized OS; hotels / dorms; global installation.

Page 5: Extreme WiNG

AP 8533 – Triple Sensor Technology

Radios: 2.4 GHz 3x3:3 | 5 GHz 4x4:4:4; MIMO, MU-MIMO, 80 MHz channel, TurboQAM. Unlocked 2.4 GHz / 5 GHz full-time 24x7 sensor radio. Bluetooth 2.0 or Bluetooth Smart radio with external antenna option. RF Spectrum Analyzer. TxPWR 2.4 GHz: 20 dBm; 5 GHz: 20 dBm. 256 clients per radio; 500 per AP.

Services: Integrated Deep Packet Inspection engine, AirDefense integrated sensor, full-time WIDS/WIPS sensor, granular Wi-Fi location services, Bluetooth beacon: iBeacon, Eddystone-URL.

[Diagram labels: BT / BLE, dual band, WIPS, RF SA, GE, dedicated sensors; 5G 4x4:4 MU-MIMO data only; 2.4G 3x3:3 data only]

AP-8533-68SB30-xx $1395 Internal antenna, 2xGE
AP-8533-68SB40-xx $1395 External antenna, 2xGE

AP 8533: 8.5” x 8.5”. No compromise performance and security. Retail, Enterprise, T&L.

Page 6: Extreme WiNG

AP 8432 – Band Unlocked – IoT Expansion

Radios: Unlocked 2.4 GHz / 5 GHz 3x3:3; 5 GHz 4x4:4:4; MIMO, MU-MIMO, 80 MHz channel, TurboQAM. Bluetooth 2.0 or Bluetooth Smart radio, internal antenna. RF Spectrum Analyzer. TxPWR 2.4 GHz: 20 dBm; 5 GHz: 20 dBm. 200 clients per radio; 400 per AP.

Advanced Services: Integrated Deep Packet Inspection engine, AirDefense integrated sensor. Full-time WIDS/WIPS sensor, granular Wi-Fi location services. Bluetooth beacon: iBeacon, Eddystone-URL. Integrated PoE-out on GE2 for 3rd-party IoT devices. Integrated USB port with 5 W power.

[Diagram labels: Borrow Radio 1 (unlocked radio) for full-time network sensor; 5G 4x4:4 MU-MIMO; 2.4G/5G 3x3:3; BT / BLE, dual band, WIPS, RF SA, GE + PoE out, GE, USB, full 802.3af PoE out]

AP-8432-680B30-xx $1095 Internal antenna, 2xGE, PoE-out

AP 8432: 8.5” x 8.5”. Wave 2 with IoT expansion. Retail, Enterprise, T&L.

Page 7: Extreme WiNG

AP 8432 – PoE Out

Connect IoT devices or another AP to the PoE-out port: removes additional cable cost and easily expands services over the existing infrastructure.

[Diagram: 802.3at PoE switch -> AP 8432 (802.3at in, 802.3af out) -> IP camera or IoT gateway (another AP, shelf label, temperature sensors, etc.). Radios: 2.4 GHz 3x3 11n; 5 GHz 4x4 11n/ac Wave 2; BLE beacon and management; RF spectrum analysis; full-time sensor: WIPS, Network Assurance; Borrow Radio 1, use as full-time sensor]

Page 8: Extreme WiNG

8432: Borrow Radio 1 as full-time WIPS sensor. Ideal for larger sites with 4+ APs and extra 2.4 GHz coverage.

8533: Full-time WIPS sensor. Ideal for single-AP sites.

8533: Full-time WIPS sensor for high-capacity networks. Ideal for sites with both high usage/capacity requirements and WIPS.

[Diagram labels: 2.4 & 5 GHz data; 5 GHz data; dual band sensor; dual band WIPS; Nsight sensor^]

^ Over time, Nsight will add capabilities to use the third radio, e.g. location, network assurance.

Page 9: Extreme WiNG

AP 7602 / 7622: Micro-cell Wireless and Mid-Market Expansion

802.11ac multi-mode: single band (2.4 GHz or 5 GHz) 2x2 MIMO; dual band (2.4 GHz and 5 GHz) 1x1. 80 MHz, 256-QAM, 1024 TurboQAM. TxPWR 2.4 GHz: 17 dBm; 5 GHz: 19 dBm.

Advanced Services: Client Bridge, Wi-Fi location-based services, Bluetooth beacon (iBeacon, Eddystone-URL), SmartRF.

WiNG Enterprise OS: highly scalable, from 25 (Virtual Controller) to 10k+ APs per NOC. Distributed-intelligence WiNG OS.

Markets: small retail, hospitality, SMB.

AP 7602: 145 mm x 102 mm x 29 mm. AP 7622: 150 mm x 140 mm x 39 mm.

AP-7602-68B30-xx $295 Wallplate wedge AP; 1x1 dual band, 2x2 single band, BLE; 2 x GE
AP-7622-68B30-xx $495 802.11ac AP; 1x1 dual band, 2x2 single band, BLE; 1 x GE

Page 10: Extreme WiNG

76XX vs 75XX

7532/7522/7562: higher capacity, higher performance, higher price, lower margin.

7622: lower capacity, lower performance, lower price, higher margin.

75XX radios: Radio 1 = 2.4 GHz 3x3; Radio 2 = 5 GHz 3x3.

76XX radios: one hardware radio, 2.4/5 GHz 2x2, presented either as vRadio 1 (2.4 GHz, 1x1) + vRadio 2 (5 GHz, 1x1), or as vRadio 1 (2.4 GHz OR 5 GHz, 2x2).

Page 11: Extreme WiNG

WiNG Access Points AP 7502 – Micro-Cell 11ac designed for Hotels

AP-7502-67030-xx Internal antenna, 1xGE, 3xFE, dual radio 11ac wallplate, PoE-out

AP 7502: 90 mm x 95 mm

Ideal for micro-cell Wi-Fi in hospitality; provides 30 – 40 dB SNR in each room, or up to 3 rooms; sized for NA/SA, Asia and European telecom wall plates.

Specs: 802.11ac Wave 1, 2x2:2, 80 MHz; 1 x GE; 3 x FE, 1 with PoE out.

Ports: 1 x GE uplink port on the back side (accepts 802.3af or 802.3at input power); 1 x pass-through port (passes secondary signals from the back side to the front side of the AP); 12 VDC power; 1 x FE port with PSE; 2 x FE L2/L3 ports; 1 x pass-thru RJ45.

Page 12: Extreme WiNG

AP-7562 Outdoor 11ac

AP 7562: IP67 rated, 3x3, 802.11n/ac, 2x GE. Radios: 5 GHz 3x3:3, 2.4 GHz 3x3:3, TurboQAM.

Environment: IP67 rated for harsh conditions; extended temperature range -40 °C – 60 °C; 802.3af power profile.

Enhanced features: transmit beamforming; AirDefense sensor / location aware; MeshConnex backhaul detect and auto-route; mesh visualization; MeshConnex ACS; Mobile MeshConnex; Rail MeshConnex.

Key features: RadioShare / full-time sensor; network components.

Page 13: Extreme WiNG

ExtremeWireless WiNG Controllers

NX 5500 (entry-level): 512 APs; 16,000 users; 256 WLANs; 6 x GE interfaces.

NX 7500 (mid-level): 2048 APs; 65,536 users; 256 WLANs; 6 x GE interfaces; NMC for 10GbE.

NX 9600 (high-end): 10,240 APs; 200,000 users; 1024 WLANs; 2 x 1GE interface; 4 x 10GE interface.

VX 9000 (virtualized): > 10,000 APs; 200,000 users; 1024 WLANs; support for VMware ESXi, Citrix Xen, MS Hyper-V, Amazon EC2.

Page 14: Extreme WiNG

When and What Controller?

Stand-alone APs (AP 65xx/8xxx/7502) as Virtual Controller: up to 24 APs (must all be the same model)

AP 8432/8533/75xx as Virtual Controller: up to 64 APs (must all be the same model)

RFS 4010: up to 144 APs

NX 5500: up to 512 APs

NX 7500: up to 2,048 APs

NX 9600: up to 10,240 APs

VX 9000: >10,240 APs

Page 15: Extreme WiNG


Topologies

Page 16: Extreme WiNG

Supported Architectures: Standalone Site Solutions – Overview (Scaling & Manageability)

Single Site / Single Cell: 1 x access point behind a PoE switch.
Solution: independent WiNG 5 AP; standalone management.
Embedded services: AAA / DHCP / Captive Portal; Enhanced WIPS; L2/L3 SPI firewall; DPI.
Enhanced services: ADSP.

Single Site / Multi Cell (RFS / NX): 2 – 2,048 x access points, one RF Domain / RFDM.
Solution: RFS or NX controllers; WiNG 5 APs; single site management.
Embedded services: AAA / DHCP / Captive Portal; Basic / Advanced WIPS; L2/L3 SPI firewall / RBFW; DPI.
Enhanced services: ADSP; NSight.

Single Site / Multi Cell (Virtual Controller): 2 – 64 x access points (same model), one of them acting as VC, one RF Domain / RFDM.
Solution: APs managed by a Virtual Controller; single site management.
Embedded services: AAA / DHCP / Captive Portal; Enhanced WIPS; L2/L3 SPI firewall; DPI.
Enhanced services: ADSP; NSight.

Note: Application requirements (RBFW, tunneling, etc.) will determine whether you position an RFS / NX over a Virtual Controller.

Page 17: Extreme WiNG

Supported Architectures: Centralized Model – Overview

[Diagram: NX / VX controllers in the data center; many sites, each an RF Domain with its own RFDM and APs]

Multi Site / Single Cell: ≤ 10,240 x access points / cluster.
Solution: NX or VX controllers; independent APs; centralized management.
Embedded services: AAA / DHCP / Captive Portal; WIPS; L2/L3 SPI firewall / RBFW / DPI.
Enhanced services: ADSP; Nsight; Proximity / Zoning.

Multi Site / Multi Cell: ≤ 10,240 x WiNG 5 devices / cluster (sites with an RFS or NX acting as local RFDM for their APs).
Solution: NX or VX controllers; independent APs; centralized management.
Embedded services: AAA / DHCP / Captive Portal; WIPS; L2/L3 SPI firewall / RBFW / DPI.
Enhanced services: ADSP; NSight; Proximity / Zoning / Positioning.

Distributed Campuses: ≤ 10,240 x access points / cluster.
Solution: NX or VX controllers; WiNG 5 APs; centralized management.
Embedded services: AAA / DHCP / Captive Portal; WIPS; L2/L3 SPI firewall / RBFW / DPI.
Enhanced services: ADSP; NSight; Proximity / Zoning / Positioning.

Page 18: Extreme WiNG


Access Points with a Virtual Controller AP

• No wireless controller needed

• Access points coordinating their actions

• One AP at the site configured as a Virtual Controller

• Virtual Controller performs many of the functions of a wireless controller

Page 19: Extreme WiNG

Virtual Controller Functions

• Pushes configuration and firmware updates to AP peers

• Collects statistics from AP peers

[Diagram: the VC sends firmware and configuration updates to each peer and collects statistics from each peer]

Page 20: Extreme WiNG

Virtual Controller Considerations

• For single-site deployments

• Can only manage APs of the same model type (this will change in 5.9)

• Virtual Controllers manage up to 64 peers for the majority of the portfolio.

• Cannot be deployed in redundant pairs (this will change in 5.9)

• Can manage exactly one RF domain

• Can be deployed in a franchise business model as multiple independent networks.

• Service providers are starting to adore this model

[Diagram: AP 8533 Virtual Controller with AP 8533 peers 2 – 64; AP 7522 Virtual Controller with AP 7522 peers 2 – 64]

Page 21: Extreme WiNG

Virtual Controller Deployment Scenario

AP 7522 as Virtual Controller: 20 AP 7522 under management

Page 22: Extreme WiNG

CUSTOMER EXAMPLE: SMALL HOTEL

• 10-room boutique hotel / B&B

• In-room access only

• Ethernet already in the rooms and in the main office

Solution:

• 11 AP7602 (in the rooms and in the office)

– Office AP as VC (Virtual Controller)

• Add a 200 Series switch if needed

Page 23: Extreme WiNG


Remote Access Points with a RF Domain Manager

• WiNG access points

• Centralized wireless controller(s) managing multiple sites

• One AP auto-elected as an RF Domain Manager

• RF Domain Manager is an on-site coordinator

Page 24: Extreme WiNG

Extension of Corporate WLAN to Home Office

• AP 7532

• Split tunneling (corporate traffic to the NOC, internet breaking out locally on the same SSID)

Page 25: Extreme WiNG

RF Domain Manager Scenario

AP 7532 as RFDM: 20 AP 7532 devices on site; VX or NX controller

Page 26: Extreme WiNG


Medium Branch Office Deployment Scenario

NX5500 Redundant Pair

Voice and data in the network. Hundreds of APs on a site. AP7522 access points.

Page 27: Extreme WiNG


Headquarters Deployment Scenario

NX 7500

Voice and data in the network. AP7522 access points. Radio Share used for WIPs on all APs

Page 28: Extreme WiNG

Centrally Managed Mixed Solution Scenario

NX 9500 Services Platform

[Diagram: controller-less sites (AP as RF Domain Manager) and a local site controller (controller as RF Domain Manager), all reaching the NX 9500 over the WAN]

Page 29: Extreme WiNG

WING5 - FOUNDATION FOR DELIVERING OMNI-CHANNEL EXPERIENCES

HIGH PERFORMANCE WIFI & LOCATION SERVICES: WiNG Controller + Nsight + AirDefense

FLEXIBLE DEPLOYMENT MODELS: NOC controller, cloud, virtual controller, hierarchical local controller (AP or controller as domain manager, over the WAN); wireless rapid deployment

1. UNMATCHED SCALE: 25,000 APs per controller

2. COMPREHENSIVE LOCATION: 1 m – 5 m accuracy

3. LOWEST TCO: 3x faster rollout, 6x faster MTTR

Integrated capacity controls; network troubleshooting; gap-free security

Page 30: Extreme WiNG

PORTS & YARDS: MeshConnex

[Diagram: AP-7562 mesh (data, WIPS) connected to the WiNG controllers on the campus network / LAN]

Page 31: Extreme WiNG

WiNG5 Features Overview

• Every AP has a stateful firewall

• Integrated sensor function for advanced security

• Packet capture

• AP test

• Spectrum analyzer

• SMART-RF for ease of RF management

• Load balancing

• Roaming assistance

• Profiles

• Zero-touch provisioning

Themes: rapid deployment; capacity controls; best-in-class security; network assurance & troubleshooting

Page 32: Extreme WiNG

Zero Touch Provisioning

The APs can be plugged directly into the network without any pre-staging.

Layer 2 (multicast) or Layer 3 (DHCP option or DNS) automatic discovery.

The controller pushes the right configuration to the access points based on the location at which the AP is deployed.

WiNG5 provides plug-and-play access point adoption using intuitive auto-provisioning policies based on:

• IP address or subnet

• VLAN

• Model number

• CDP / LLDP snoop

• DHCP option

• DNS suffix

• MAC / serial number

• FQDN wildcard

Auto-Provisioning Policy
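The following is an added example, not Extreme's code or the WiNG auto-provisioning implementation: a minimal policy matcher of the kind the slide describes. Each rule matches an adopting AP on one of the listed criteria (IP subnet, VLAN, model, CDP/LLDP neighbour, DHCP option, DNS suffix, MAC or serial, FQDN wildcard), rules are tried in precedence order, and the first match decides the profile and RF domain. The rule syntax, field names, hostnames, addresses and serials are constructed for illustration; an AP that matches nothing is left unadopted rather than given a default, which is the safe choice when a policy is meant to keep unknown hardware off the network.

```python
"""Auto-provisioning policy matcher (added example; rule syntax and sample
values are constructed, not WiNG's own configuration grammar)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class ApInfo:
    """What an adopting AP reports (subset; field names are assumptions)."""
    mac: str
    serial: str
    model: str
    ip: str
    vlan: int
    dhcp_option: str = ""      # value of a vendor DHCP option, if offered
    dns_suffix: str = ""       # domain suffix learned from DHCP
    lldp_neighbor: str = ""    # switch system name learned via CDP/LLDP snooping
    fqdn: str = ""


@dataclass
class Rule:
    precedence: int            # lower number is evaluated first
    match_type: str
    value: str
    profile: str
    rf_domain: str


Matcher = Callable[[ApInfo, str], bool]

# One predicate per criterion the slide lists.
MATCHERS: dict[str, Matcher] = {
    "ip": lambda ap, v: ip_address(ap.ip) in ip_network(v, strict=False),
    "vlan": lambda ap, v: ap.vlan == int(v),
    "model": lambda ap, v: ap.model.upper() == v.upper(),
    "cdp-lldp": lambda ap, v: fnmatchcase(ap.lldp_neighbor, v),
    "dhcp-option": lambda ap, v: ap.dhcp_option == v,
    "dns-suffix": lambda ap, v: ap.dns_suffix.lower() == v.lower(),
    "mac": lambda ap, v: ap.mac.lower() == v.lower(),
    "serial": lambda ap, v: ap.serial == v,
    "fqdn": lambda ap, v: fnmatchcase(ap.fqdn.lower(), v.lower()),
}


def adopt(ap: ApInfo, rules: list[Rule]) -> Optional[tuple[str, str]]:
    """Return (profile, rf_domain) from the first matching rule by precedence,
    or None so the caller holds the AP unadopted instead of guessing."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        matcher = MATCHERS.get(rule.match_type)
        if matcher is None:
            raise ValueError(f"unknown match type {rule.match_type!r}")
        try:
            if matcher(ap, rule.value):
                return rule.profile, rule.rf_domain
        except ValueError:
            # Malformed value in the AP report (e.g. bad IP): the rule does not match.
            continue
    return None


# Constructed policy: most specific identifiers first, site-wide rules after.
POLICY = [
    Rule(10, "serial", "SN-EXAMPLE-0001", "lab-profile", "lab"),
    Rule(20, "fqdn", "ap-*.store42.example.net", "store-profile", "store-42"),
    Rule(30, "ip", "10.42.0.0/16", "store-profile", "store-42"),
    Rule(40, "model", "AP7522", "hq-7522-profile", "hq"),
    Rule(50, "dns-suffix", "hq.example.net", "hq-default-profile", "hq"),
]


def demo() -> dict[str, Optional[tuple[str, str]]]:
    """Three constructed APs: one matched by FQDN, one by model, one by nothing."""
    store_ap = ApInfo("00:11:22:33:44:55", "SN-1", "AP7602", "10.42.7.12", 7,
                      fqdn="ap-lobby.store42.example.net")
    hq_ap = ApInfo("00:11:22:33:44:66", "SN-2", "AP7522", "172.16.5.20", 100,
                   dns_suffix="hq.example.net")
    unknown = ApInfo("00:11:22:33:44:77", "SN-3", "AP8533", "192.0.2.9", 1)
    return {"store": adopt(store_ap, POLICY), "hq": adopt(hq_ap, POLICY),
            "unknown": adopt(unknown, POLICY)}


if __name__ == "__main__":
    print(demo())
```

The precedence field matters: the HQ AP above matches both the model rule and the DNS-suffix rule, and only the ordering makes the result deterministic.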

Page 33: Extreme WiNG

Wireless LANs Overview

Wireless LAN configuration is done as a separate WLAN object, which is assigned to an individual AP or to an AP Profile.

The WLAN policy contains the parameters for client authentication, encryption, QoS, etc.

Each access point can support up to 32 WLANs (16 BSSIDs per radio).

Context-sensitive configuration on Virtual Controllers.

It is not recommended to use more than 4 WLANs per radio, due to the management overhead.

The user VLAN (or VLAN pool) is defined for the wireless users.

WLAN contents:

• Encryption

• Authentication

• VLAN

• QoS

• Client policies

[Diagram: Wireless LAN -> Assignment -> Profile (group of APs) or Device (single AP)]

Page 34: Extreme WiNG

Wireless LANs – Security

The following authentication options are supported: MAC Authentication, Pre-Shared Key, 802.1X (EAP), Captive portal.

The encryption mechanisms supported are: WEP-64, WEP-128, TKIP-CCMP, WPA2-CCMP.

For 802.1X authentication, the RADIUS server can be configured to be either local on the AP or controller, or an external RADIUS server:

Local – RADIUS server hosted on the AP

Controller – RADIUS server running on the site or centralized controller

External – 3rd-party RADIUS server

Page 35: Extreme WiNG

Wireless LANs – Authentication – EAP methods

EAP method support depends on the capabilities of the 802.1X supplicant on the wireless client and the back-end RADIUS server.

WiNG 5 can support any standard EAP method in pass-through mode.

EAP Method   WiNG 5 Onboard RADIUS   Cisco Secure ACS   FreeRADIUS   Microsoft NPS   Steel Belted RADIUS
LEAP         No                      Yes                Yes          No              Yes
EAP-TLS      Yes                     Yes                Yes          Yes             Yes
EAP-PSK      No                      No                 Yes          No              No
EAP-TTLS     Yes                     No                 Yes          No              Yes
EAP-FAST     No                      Yes                Yes          No              No
EAP-SIM      No                      No                 Yes          No              No
EAP-AKA      No                      No                 No           No              No
EAP-GTC      Yes                     Yes                Yes          No              Yes
PEAP         Yes                     Yes                Yes          Yes             Yes

Page 36: Extreme WiNG

Wireless LANs – VLAN Assignment

Each WLAN can assign users to a single VLAN or to a pool of VLANs:

Single VLAN – all devices are assigned to a local or tunneled VLAN.

VLAN Pool – devices are load-balanced between 2 or more local or tunneled VLANs.

Dynamic VLAN assignment – the VLAN assignment for 802.1X, MAC and guest users can be done by the RADIUS server using the standard Tunnel-Private-Group-ID RADIUS return attribute.

[Diagram: Single VLAN: WLAN -> VLAN 11. VLAN Pool: WLAN -> VLAN 11, 12, 13, load balanced. Dynamic VLANs: RADIUS server returns Bob -> VLAN 11, Sally -> VLAN 13, Jim -> VLAN 12]
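The two assignment paths above, as an added example that is not part of the original deck or of WiNG: parse_dynamic_vlan() applies the RFC 2868 / RFC 3580 rules a RADIUS client has to follow for Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (tagged-attribute handling, type checks, VLAN range check), and VlanPool distributes clients over a configured pool when the server returns no usable VLAN. The attribute bytes, VLAN numbers and client identifiers are constructed. The security-relevant detail is the fall-back: a malformed or out-of-range attribute must degrade to the WLAN's static VLAN or pool, never to VLAN 0 or to whatever int() happens to produce.

```python
"""Dynamic VLAN (Tunnel-Private-Group-ID) parsing plus VLAN-pool load balancing.
Added example; attribute values and VLAN numbers are constructed."""
from collections import Counter
from typing import Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6      # RFC 3580: Tunnel-Medium-Type "IEEE 802"


def _strip_tag(value: bytes) -> bytes:
    """RFC 2868: a leading octet <= 0x1F is a tag, not part of the string;
    anything larger is the first character of the value itself."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def _tagged_int(value: bytes) -> int:
    """Tunnel-Type / Tunnel-Medium-Type are 4 octets: one tag + 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return int.from_bytes(value[1:], "big")


def parse_dynamic_vlan(attrs: list[tuple[int, bytes]]) -> Optional[int]:
    """Return the VLAN id carried in an Access-Accept, or None when the
    attribute triplet is absent or inconsistent (caller falls back)."""
    by_type = {t: v for t, v in attrs}
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not all(t in by_type for t in needed):
        return None
    try:
        if _tagged_int(by_type[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN:
            return None
        if _tagged_int(by_type[TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_802:
            return None
        vlan = int(_strip_tag(by_type[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return None
    # Reject ids outside the usable range instead of placing the client on 0/4095.
    return vlan if 1 <= vlan <= 4094 else None


class VlanPool:
    """Load-balance clients across two or more VLANs: least-loaded first,
    lowest id on ties; a re-associating client keeps its VLAN."""

    def __init__(self, vlans: list[int]):
        if len(set(vlans)) < 2:
            raise ValueError("a VLAN pool needs two or more VLANs")
        self.vlans = sorted(set(vlans))
        self.load = Counter({v: 0 for v in self.vlans})
        self.members: dict[str, int] = {}

    def assign(self, client_mac: str) -> int:
        if client_mac in self.members:
            return self.members[client_mac]
        vlan = min(self.vlans, key=lambda v: (self.load[v], v))
        self.load[vlan] += 1
        self.members[client_mac] = vlan
        return vlan

    def release(self, client_mac: str) -> None:
        vlan = self.members.pop(client_mac, None)
        if vlan is not None:
            self.load[vlan] -= 1


def assign_vlan(pool: VlanPool, client_mac: str, accept_attrs: list[tuple[int, bytes]]) -> int:
    """RADIUS-supplied VLAN wins; otherwise the WLAN's pool decides."""
    dynamic = parse_dynamic_vlan(accept_attrs)
    return dynamic if dynamic is not None else pool.assign(client_mac)


# Constructed Access-Accept: Tunnel-Type=VLAN, Medium=802, Group-ID "11" with tag 0x00.
ACCEPT_VLAN_11 = [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"\x0011")]
```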

Page 37: Extreme WiNG

Wireless LANs – AAA Policies – RADIUS Server Pools

An AAA policy is needed to configure RADIUS parameters for 802.1X, MAC or Captive Portal authentication.

Each AAA policy can include up to 6 RADIUS authentication and accounting server definitions:

Each RADIUS server is assigned a unique ID (1 – 6).

Each server can be reached using an IP address or hostname.

Each entry supports standard RADIUS configuration parameters such as secret, port, timers, EAP parameters, MAC address formatting and realms.

The RADIUS servers may be internal (AP or controller) and/or external.

[Diagram: Example 1 – users authenticate against a primary and a secondary AAA server; Example 2 – primary, secondary and tertiary AAA servers]

Page 38: Extreme WiNG

Wireless LANs – AAA Policies – Proxy Modes

For flexibility, each RADIUS server entry includes a proxy operating mode:

None – RADIUS authentication and accounting requests are forwarded directly from the access point to a RADIUS server (requires an IP address to be assigned).

Through-Controller – RADIUS authentication and accounting requests are proxied through the wireless controller managing the access point to a RADIUS server.

Through-RF-Domain-Manager – RADIUS authentication and accounting requests are proxied through the local RF Domain Manager (elected wireless controller or access point) to a RADIUS server.

[Diagram: the three proxy modes; each WLAN's AAA requests reach the RADIUS server pool directly, via the RF Domain Manager, or via the controller]

Page 39: Extreme WiNG

Traffic Forwarding – Local Bridging

The access points bridge the traffic locally on their Ethernet ports.

The wireless controller is completely removed from the data path.

The user VLAN should be allowed on the Ethernet port going to the access point.

The user traffic forwarding has no dependency on the controller:

– The controller may be down or unreachable.

The access point supports all the features needed to enforce all policies on the user traffic before it is forwarded.

[Diagram: each AP bridges the user VLANs locally; only management traffic goes to the controller]

Page 40: Extreme WiNG

Traffic Forwarding – Tunnel Mode

All user traffic is tunneled to the wireless controller.

The controller then bridges the traffic onto the wired network.

– Client traffic to the core is tunneled back to the controller.

– Client traffic to local resources is bridged locally via an AP-to-AP tunnel.

There is no need to assign user VLANs on the access point's Ethernet port:

– Easy to manage the wired port assignments.

– Some companies want to route the traffic centrally for security policy.

[Diagram: APs tunnel the user VLANs to the controller, which bridges them]

Page 41: Extreme WiNG

Traffic Forwarding – Tunneling over MINT

Wi-Fi user traffic is encapsulated and forwarded to the elected RF Domain Manager (RFDM) within the site using IP- or VLAN-based Level 1 MINT links.

Wi-Fi user traffic is re-encapsulated and forwarded by the RFDM to the active centralized controller in the data center using an IP-based Level 2 MINT link.

Adaptive forwarding is used at the site.

Cluster failover times may be ~1-2 minutes.

[Diagram: remote site with AP 1 (RFDM), AP 2, AP 3, AP 4 on Level 1 MINT; Level 2 MINT to the NX 9510 in the data center; guest VLAN and control VLAN. Encapsulation stack: 802.11 -> Level 1 MINT -> Level 2 MINT; Ethernet encapsulation on the wire]

Page 42: Extreme WiNG

Traffic Forwarding – Tunneling using L2TPv3

Wi-Fi user traffic is encapsulated and forwarded to the elected RF Domain Manager (RFDM) within the site using IP- or VLAN-based Level 1 MINT links.

Wi-Fi user traffic is re-encapsulated and forwarded by the RFDM to the active centralized controller in the data center using an L2TPv3 tunnel.

Tunnel failover can be very fast (<3 seconds with the L2TPv3 fast-failover feature), which makes it suitable for campus deployments.

Does not require L2 connectivity between the controllers (user VLANs may not be shared).

[Diagram: remote site with AP 1 (RFDM), AP 2, AP 3, AP 4 on Level 1 MINT; L2TPv3 (in place of Level 2 MINT) to the NX 9500 / RFS 7000 in the data center; guest VLAN and control VLAN. Encapsulation stack: 802.11 -> Level 1 MINT -> L2TPv3; Ethernet encapsulation on the wire]

Page 43: Extreme WiNG

Traffic Forwarding Example with L2TPv3 termination at regional POP

[Diagram: RF domains STORE-1 … STORE-X, each with an RFDM, reach a regional POP (NX9610 active-standby, L2TPv3 termination, guest captive portal, local internet breakout) over MINT; the regional POPs connect to the main DC (NX9600 active-standby, captive portal, internet)]

Page 44: Extreme WiNG

Smart-RF Off-Channel Scanning

1. Radios periodically go off-channel (frequency / duration).

2. They scan a single channel.

3. Each channel can be scanned multiple times (sample count).

4. The entire band is only scanned at defined intervals (extended-frequency-scan).

Page 45: Extreme WiNG

Smart-RF Neighbour Recovery

1. Neighbor radios monitor the air.

2. Neighbor radios sense when an access point or radio fails.

3. Neighboring access points raise TX power to compensate.

[Diagram: APs at normal power 10 – 17 dB; after a failure the neighbors switch to rescue mode at 15 – 17 dB]

Defends against loss of coverage due to:

• Sudden AP failure

• Access points with faulty antennas

• Access points with bad Ethernet connections

• Access points which are faulty

• Access points that are not visible anymore due to obstructions

Page 46: Extreme WiNG

Smart-RF Coverage Hole Recovery

1. Coverage SNR threshold set to 20 dB.

2. As the client moves away from the AP, SNR will drop.

3. If SNR drops below the set threshold of 20 dB, the AP raises its TX power.

4. If the client SNR is maintained, the AP will reduce its TX power.

5. The AP will repeat step 4 until the client SNR is maintained.

[Diagram: client SNR 30 dB near the AP, 20 dB at the threshold, 18 dB beyond it]

A typical use case for this feature: in a warehouse there was a vacant spot. During business hours new inventory was stacked high (changing the RF). Mobile units in the new aisle do not get adequate coverage. The access point detects the fall in SNR (< threshold value) and raises power. Power returns to normal if no client is present (dynamically adjusting to changes).
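The five-step loop above as an added simulation, not Extreme's Smart-RF code: client SNR is modelled as tx_power_dbm minus path loss minus a noise floor, the radio raises power in fixed steps while SNR is below the 20 dB threshold, steps back down towards its nominal level while SNR stays above the threshold with margin, and drifts back to nominal when no client is present (the warehouse case). Path-loss values, the 2 dB step, the power bounds and the noise floor are constructed assumptions; the "max-power" state marks the failure mode the slide does not mention, where the hole cannot be closed by power alone and someone should be told.

```python
"""Smart-RF style coverage-hole recovery loop (added simulation; step size,
power bounds, noise floor and path-loss inputs are constructed)."""
from dataclasses import dataclass
from typing import Optional

SNR_THRESHOLD_DB = 20      # the coverage SNR threshold from the slide
NOISE_FLOOR_DBM = -95      # assumed receiver noise floor


@dataclass
class Radio:
    nominal_power_dbm: int = 10   # level Smart-RF assigned before any recovery
    max_power_dbm: int = 20       # regulatory / hardware ceiling (assumed)
    step_db: int = 2              # power change per evaluation (assumed)
    tx_power_dbm: int = 10
    state: str = "normal"         # normal | recovering | max-power


def client_snr(radio: Radio, path_loss_db: int) -> int:
    """Constructed link model: SNR = TX power - path loss - noise floor."""
    return radio.tx_power_dbm - path_loss_db - NOISE_FLOOR_DBM


def adjust(radio: Radio, path_loss_db: int, client_present: bool = True) -> tuple[Optional[int], int, str]:
    """One Smart-RF evaluation. Returns (client SNR or None, TX power, state)."""
    if not client_present:
        # No client to protect: step back towards the nominal level.
        radio.tx_power_dbm = max(radio.nominal_power_dbm, radio.tx_power_dbm - radio.step_db)
        radio.state = "normal"
        return None, radio.tx_power_dbm, radio.state

    snr = client_snr(radio, path_loss_db)
    if snr < SNR_THRESHOLD_DB:
        # Step 3: SNR below threshold -> raise TX power, bounded by the ceiling.
        if radio.tx_power_dbm < radio.max_power_dbm:
            radio.tx_power_dbm = min(radio.max_power_dbm, radio.tx_power_dbm + radio.step_db)
            radio.state = "recovering"
        else:
            radio.state = "max-power"   # hole cannot be closed by power alone
    elif radio.tx_power_dbm > radio.nominal_power_dbm and snr - radio.step_db >= SNR_THRESHOLD_DB:
        # Steps 4-5: SNR maintained with a step of margin -> reduce one step.
        radio.tx_power_dbm -= radio.step_db
        radio.state = "normal"
    else:
        radio.state = "normal"          # at threshold or at nominal: hold
    return snr, radio.tx_power_dbm, radio.state


def run_scenario(path_losses: list[int]) -> list[tuple[Optional[int], int, str]]:
    """Feed a sequence of per-tick path-loss values through one radio."""
    radio = Radio()
    return [adjust(radio, loss) for loss in path_losses]


if __name__ == "__main__":
    # Constructed warehouse: 90 dB path loss while inventory blocks the aisle,
    # 80 dB once it is cleared.
    for tick in run_scenario([90, 90, 90, 90, 80, 80, 80, 80]):
        print(tick)
```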

Page 47: Extreme WiNG

Smart-RF – Group by Floor or Area

[Diagram: Building 1 and Building 2 grouped by floor (Floor 1, 2, 3), one RF domain & Smart-RF policy; Building 3 and Building 4 grouped by area, one RF domain & Smart-RF policy]

What is a typical use case for these parameters?

By Floor – an office building with different tenants on every floor.

By Area – a campus environment with multiple buildings.

Page 48: Extreme WiNG

Smart Band Control – Overview

Smart Band Control detects dual-radio clients and distributes them across the radio bands based on a configurable ratio or percentage (e.g. a 2:1 ratio).

It is one part of our client load-balancing strategy, which distributes clients:

• Across access points

• Across bands (2.4 or 5 GHz)

• Across channels in a band

Page 49: Extreme WiNG

Fast Roaming – Overview

The typical authentication sequence during roaming is:

1. 802.11 Authentication

2. 802.11 Re-Association

3. Higher-level authentication (WPA/WPA2 PSK / 802.1X)

[Diagram: PSK authentication – 802.11 Authentication, 802.11 Association, 4-way handshake, data ready: <50 ms. EAP/802.1X authentication – 802.11 Authentication, 802.11 Association, EAP exchange (802.1X), 4-way handshake, data ready: ~1 sec]

Page 50: Extreme WiNG

Fast Roaming – Supported Methods (Legacy)

Pre-Authentication: the wireless client performs full authentication with multiple APs, so when it roams, it already has the authentication completed.

PMK Caching: the client information is automatically distributed between access points. As wireless clients roam, they don't need to go through the complete authentication. It works only when the client roams back to the old AP. A 4-way handshake is still needed.

OPMK Caching: the client credential cache information is available on the APs which perform authentication. As clients roam amongst multiple access points, the RADIUS exchange is skipped, because cached keys are used. Works when the client roams to any AP. A 4-way handshake is still needed.
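A toy model of the two caching methods above, added here and not taken from the deck or from WiNG: with per-AP PMK caching the cache is keyed by (client, AP), so a hit happens only on roaming back to an AP that already authenticated the client; with opportunistic PMK caching the PMK is keyed by client alone, standing in for distribution across the APs, so any AP hits. In both cases the 4-way handshake still runs, because the cached PMK is reused but a fresh PTK has to be derived for the new association. AP names, the client identifier and the random PMK stand in for real values.

```python
"""PMK caching vs opportunistic PMK caching (added model; names constructed)."""
import os


class RoamingDomain:
    """APs sharing (or not sharing) PMK security associations for their clients."""

    def __init__(self, aps: list[str], opportunistic: bool):
        self.aps = list(aps)
        self.opportunistic = opportunistic
        # per-AP caching: (client, ap) -> PMK;  OPMK: client -> PMK
        self.cache: dict = {}

    def _lookup(self, client: str, ap: str):
        key = client if self.opportunistic else (client, ap)
        return self.cache.get(key)

    def _store(self, client: str, ap: str, pmk: bytes) -> None:
        if self.opportunistic:
            self.cache[client] = pmk          # available to every AP in the domain
        else:
            self.cache[(client, ap)] = pmk    # known only to the AP that did the EAP

    def associate(self, client: str, ap: str) -> tuple[list[str], bytes]:
        """Associate a client to an AP; return the steps taken and the PMK used."""
        if ap not in self.aps:
            raise ValueError(f"unknown AP {ap!r}")
        steps = ["802.11 auth/assoc"]
        pmk = self._lookup(client, ap)
        if pmk is None:
            steps.append("EAP + RADIUS")          # full 802.1X authentication
            pmk = os.urandom(32)                  # stands in for the MSK-derived PMK
            self._store(client, ap, pmk)
        else:
            steps.append("PMK cache hit (RADIUS skipped)")
        steps.append("4-way handshake")           # always: derives the PTK from the PMK
        return steps, pmk


def roam_sequence(opportunistic: bool) -> list[list[str]]:
    """Constructed roam: AP1 -> AP2 -> back to AP1 -> AP3 for one client."""
    domain = RoamingDomain(["AP1", "AP2", "AP3"], opportunistic)
    return [domain.associate("client-A", ap)[0] for ap in ("AP1", "AP2", "AP1", "AP3")]


if __name__ == "__main__":
    for mode in (False, True):
        print("OPMK" if mode else "PMK caching", [s[1] for s in roam_sequence(mode)])
```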

Page 51: Extreme WiNG

Fast Roaming – 802.11r Fast Roaming

Standards-based roaming.

Handshakes are piggybacked on the authentication and re-association frames (FT over the air).

[Diagram: Client, AP 1, AP 2. Full authentication with AP 1; data exchange; the client identifies roam candidates. 802.11 Authentication Request (includes 802.11r FT exchange 1); 802.11 Authentication Response (includes FT exchange 2); Re-Association Request (includes FT exchange 3); Re-Association Response (includes FT exchange 4); 802.1X success, the client can resume data transmission: <10 ms]

Page 52: Extreme WiNG

Roaming Assist – Overview

Wi-Fi roaming:

As mobile devices roam, they move between access points.

– The wireless clients select the best AP in the vicinity.

– This ensures seamless connectivity.

Sticky client problem:

Some clients do not roam in spite of moving away from the current AP.

This impacts their wireless experience negatively, and also impacts clients nearby because they are wasting airtime.

– Lower data rates and higher retries.

Roaming Assist:

The access points help the clients make better roaming decisions.

The access point de-authenticates, or performs a BSS transition (802.11v) for, clients having poor connectivity.

This forces the clients to connect to a better access point close by.

Page 53: Extreme WiNG

Integrated Services – Wireless Firewall – Overview

WiNG provides a stateful wireless firewall.

The firewall is enabled by default and supported on all WiNG devices: controllers and access points.

The integrated firewall provides:

• Stateful packet inspection (L2/L3)

• IP Access Control Lists (ACL)

• MAC Access Control Lists (ACL)

• NAT

• Proxy ARP

[Diagram: firewall policy components – proxy ARP, DHCP offer conversion, NAT, stateful inspection, rogue detection, IP ACLs, MAC ACLs]

Page 54: Extreme WiNG

Integrated Services – Wireless Firewall – SPI

Provides stateful inspection for all IP traffic being switched or routed by a wireless controller or access point.

Layer 2 inspection can be optionally disabled.

Supports stateless packet filtering for non-IP traffic such as AppleTalk and IPX.

Inspects all 802.11 flows typically not visible to wired firewall appliances, including:

• Wired to wired traffic

• Wired to WLAN traffic

• WLAN to WLAN traffic

Maintains state of TCP, UDP and ICMP flows as they traverse the wireless controller or access points.

Once an IPv4 flow is established, bidirectional communication between hosts can occur (no reverse permit rule is required).

All flows are migrated as wireless clients roam between access points.

Page 55: Extreme WiNG

Integrated Services – Wireless Firewall – IP ACLs

IP firewall rules can be assigned to permit, deny or mark selected traffic.

Traffic selection: traffic can be selected based on source and destination IP addresses, port and protocol number in the IP headers.

Rule assignment: IP firewall rules can be assigned to WLANs, user roles, physical ports and virtual IP interfaces:

• WLANs: assigned per WLAN for inbound and outbound traffic

• Physical ports: assigned per port for inbound traffic

• Virtual IP interfaces: assigned to a virtual IP interface for inbound traffic

• Role-based firewall: assigned to a user role for inbound and outbound traffic

IP firewall rules can be assigned to individual devices or to multiple devices using profiles.

IP firewall rules assigned to individual devices override IP firewall rules inherited from a profile.

Page 56: Extreme WiNG

Integrated Services – Wireless Firewall – DoS Detection

Each firewall policy can detect 32 different DoS violations.

– Each violation can be individually enabled or disabled, supports an action that can drop and/or log traffic, and provides a user-defined log level.

All events are enabled by default with the default log level.

DoS attacks detected: ASCEND DoS check; LAND DoS attack check; TCP Intercept DoS check; Broadcast/Multicast ICMP traffic as attack; IP Option Route DoS check; Maximum incomplete TCP connections; CHARGEN DoS check; ICMP Router Advertisement DoS check; TCP NULL SCAN DoS attack check; FRAGGLE DoS check; ICMP Router Solicit DoS check; TCP Post SYN DoS attack check; FTP Bounce DoS check; SMURF DoS attack check; TCP XMAS SCAN DoS attack check; Invalid IP Protocol DoS check; TCP Header Fragment DoS attack check; TCP IP TTL ZERO DoS attack check; TCP BAD SEQUENCE DoS attack check; TWINGE DoS attack check; IPSPOOF DoS attack check; TCP FIN SCAN DoS attack check; UDP Short Header DoS attack check; SNORK DoS check; WINNUKE DoS attack check.

Page 57: Extreme WiNG

Integrated Services Wireless Firewall – Storm Control

Storm Control provides a mechanism to protect the network infrastructure from flooding attacks or high rates of traffic forwarded through Wireless Controllers and Access Points

Storm Controls are defined in firewall policies and may limit:

– Broadcast packets / second forwarded through ports and WLANs

– Multicast packets / second forwarded through ports and WLANs

– Unknown Unicast packets / second forwarded through ports and WLANs

– ARP packets / second forwarded through ports and WLANs

Traffic that exceeds the defined threshold will be dropped by the Wireless Controllers and Access Points and an event log message will be generated

Storm Controls are disabled by default, both in the default firewall policy and in user-defined firewall policies
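An added Python model of the storm-control behaviour above (per-class packets-per-second thresholds per port or WLAN, drop above the threshold, one event log entry rather than one per dropped packet); it is not WiNG code, and the thresholds, interface names and traffic are constructed:

```python
# Added illustration, not WiNG code: a per-second storm-control counter keyed by
# (interface, traffic class). Packets above the configured packets-per-second
# threshold are dropped and a single event log entry is raised per storm second.
from collections import defaultdict
from typing import Dict, List, Tuple
import math

TRAFFIC_CLASSES = ("broadcast", "multicast", "unknown-unicast", "arp")

class StormControl:
    def __init__(self, thresholds: Dict[str, int]):
        # thresholds: class -> packets per second; a class that is absent is
        # not rate limited, mirroring the "disabled by default" behaviour
        for cls in thresholds:
            assert cls in TRAFFIC_CLASSES, f"unknown traffic class {cls}"
        self.thresholds = thresholds
        self.counts: Dict[Tuple, int] = defaultdict(int)   # (iface, cls, second) -> seen
        self.log: List[str] = []                            # constructed event log

    def forward(self, iface: str, cls: str, ts: float) -> bool:
        """Return True if the packet may be forwarded, False if it is dropped."""
        limit = self.thresholds.get(cls)
        if limit is None:
            return True                         # storm control disabled for cls
        key = (iface, cls, math.floor(ts))      # counter resets every second
        self.counts[key] += 1
        if self.counts[key] <= limit:
            return True
        if self.counts[key] == limit + 1:       # log once per storm second, not per packet
            self.log.append(f"storm-control: {cls} on {iface} exceeded {limit} pps, dropping")
        return False

def simulate() -> Tuple[int, int, int, int]:
    # Constructed traffic: 600 broadcasts in one second on ge1 (limit 500),
    # 10 more in a later second, and 50 multicasts on a WLAN with no multicast limit
    sc = StormControl({"broadcast": 500, "arp": 100})
    storm = sum(sc.forward("ge1", "broadcast", 10.0 + i / 600) for i in range(600))
    after = sum(sc.forward("ge1", "broadcast", 11.5) for _ in range(10))
    mcast = sum(sc.forward("wlan-guest", "multicast", 10.2) for _ in range(50))
    return storm, after, mcast, len(sc.log)
```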

Page 58: Extreme WiNG

Integrated Services – Role Based Access Control (RBAC)

RBAC allows Firewall Rules to be assigned to Wireless Clients based on their Identity

– For example, employees from the Engineering department can be given separate access compared to the HR employees.

– Supports device fingerprinting for BYOD access control.

Role Definition: Roles can be defined based on one or more match conditions

– The wireless clients are assigned a role if any condition is matched

Access Rules: Access Rules are assigned to User Roles

– The client access will be controlled by the Access Policies attached to the User Role

Role Policy Assignment: The Client Role Policy is assigned to a specific AP, or to profiles to assign it to a group of APs

License: The feature requires an Advanced Security License on each Wireless Controller (VX9000, NX5500 and RFS4000 come with a built-in ADSEC license)

Page 59: Extreme WiNG

Integrated Services – Role Based Access Control (RBAC)

Match conditions: Roles can be defined based on one or more match conditions:

– Location – AP or Group of APs the Wireless Client is connected to

– Authentication & Encryption Type

– Group Membership – The local Group the Wireless Client is assigned to, obtained from AAA

– Client Identity – Based on Device Type, OS, OS Version

– MAC Address (or range) of the Wireless Clients

– SSID – The SSID the Wireless Client is associated to

Access Rules: User access can be controlled by attaching one or more of the following to the User Role Policies:

– IP ACL Rule: The user traffic is bound by the IP ACL

– MAC ACL Rule: The user traffic is bound by the MAC ACL

– WEB Filtering: The user traffic is bound by the WEB Filtering rules

– Application Control: The user traffic is subjected to the Application Visibility and Control Policies

Page 60: Extreme WiNG

Integrated Services – IPsec VPN

Standards based IPsec VPN on Zebra Access Points & Controllers

– Site-to-Site VPN: Connect different sites

– Remote VPN: Connect wireless clients using IPsec

– Auto-tunnel mode: Automatic encryption between AP and Controller

Can be used to secure traffic between remote WiNG devices

Can also be used to secure traffic between WiNG devices and third-party routers, VPN gateways and firewalls

Can be used when management or user traffic needs to be secured over an IPv4 network

Supports NAT traversal

Page 61: Extreme WiNG

Integrated Services – Application Visibility & Control

Organizations want to get the best out of their investments by:

– Giving a higher priority to the business apps

– Controlling access to the network by consumer applications

– Detecting and enforcing policies for dynamic apps, e.g. BitTorrent

Application Visibility and Control provides a way to:

– Identify applications with dynamic signatures

– Fine tune the applications' access to the wireless network

– Create custom application signatures

– Monitor Voice/Video quality

– Monitor application level performance

– Provide service differentiation and network capacity planning

– Enforce the control right at the edge

Page 62: Extreme WiNG

Captive Portals

Captive portals are a means of authenticating users on the wireless or wired network, without adding any configuration on the devices

WiNG 5 supports Captive Portal authentication for guest users:

– A Captive Portal can be hosted directly on an Access Point, providing the same Captive Portal functionality that's available on the Wireless Controller

– A Captive Portal can be hosted on a Wireless Controller deployed in a DMZ or isolated network

Captive Portal Deployment Options (diagram): Centralized Hotspot (Captive Portal, AP Adoption); Distributed Hotspot (Captive Portal on each Access Point, AP Adoption); Tunneled Hotspot (Captive Portal, AP Adoption, DMZ)

Page 63: Extreme WiNG

Captive Portals – Captive Portal Authentication Types

Access can be granted after:

– Authentication based on Vouchers, SMS validation, Email validation or Social Media credentials

– Users agree to the Terms and Conditions (no authentication)

– User registers himself using an HTML Form or Social Media Accounts

Guest User Onboarding: Users can self register the first time they connect to the wireless network

Captive portal can be hosted on the Controllers or the Access Points

Options to host web pages:

– Default pages – Pages hosted on the Access Points or Controller

– Upload pages – Customized pages can be uploaded

– External – Pages hosted on an external web server

Diagram: a Captive Portal Policy is applied to the WLAN or VLAN on which the captive portal is enforced, and to the Profile or Device hosting the captive portal

Page 64: Extreme WiNG

Captive Portals – Captive Portal Enforcement Options

The captive portal authentication can be combined with other authentication mechanisms.

Each WLAN supports three Captive Portal enforcement modes:

Captive Portal authentication can be performed after primary authentication or as a fall-back authentication if MAC or EAP authentication fails

– Off – Captive Portal is disabled on the WLAN

– On – Captive Portal enforcement is enabled for all Wireless Clients even if primary authentication succeeds

– Fall-Back – Captive Portal is enabled for all Wireless Clients if MAC and/or EAP authentication fails

Diagram: Off – 'optional' primary authentication only; On – 'optional' primary authentication followed by Captive Portal; Fall-Back – EAP / MAC authentication, then Captive Portal

Page 65: Extreme WiNG

Captive Portals – Guest Registration

Repeat visitors are authenticated against the MAC database without the need to re-login.

For analytics purposes additional information can be captured about the guest, like email, mobile number, age, address.

Alternatively a Social Media profile can be used to login (OAuth)

Functionality included without any additional licensing.

The following platforms are supported:

Controller Platforms      # Users supported
NX 95X0/NX 96X0           2 Million
VX 9000                   2 Million
NX 7510                   1 Million

Page 66: Extreme WiNG

Captive Portals – Registration Methods

Device Registration (No Authentication): The device details are stored after Registration. The guest client doesn't require authentication on subsequent visits. Additional registration fields have been added.

User Registration with Email or SMS validation: On registration, Captive Portal sends a passcode to validate the user's Email or Mobile number. The Guest User can use his email or phone number along with the passcode to login on the guest network, and can use them on multiple devices.

Device Registration with One-Time-Password (OTP): On registration, Captive Portal sends an OTP to the client. The Guest User will use the unique passcode to register one device.

Device Registration via Social Media Authentication (Facebook / Google+): Self registration via a social media profile, like Facebook or Google+. The guest client device doesn't require authentication on subsequent visits.

Page 67: Extreme WiNG

Captive Portals – Notification Methods

The passcode is sent to the user via email or SMS Notification.

The following notification methods are supported currently:

– Email: Requires integration with the SMTP Server. Configure the SMTP server, credentials, email subject and content.

– SMS (via Clickatell API): Requires integration with an SMS gateway. Clickatell is used as the SMS Gateway. Configure Clickatell account details and the SMS message body.

– SMS via SMTP: Some SMS gateways allow the passcode to be sent in an email to the SMS gateway. The SMS gateway then forwards the passcode to the user via SMS. The SMS over SMTP method can be used for customers' on-premises SMS gateways.

Page 68: Extreme WiNG

Captive Portals – Social Media Registration (OAuth)

This functionality allows guest users to register themselves using their public Facebook or Google+ profiles

The user's Social Media credentials are used to validate the user

OAuth 2.0 support is introduced to implement this functionality.

Access Points or Controllers hosting the Captive Portal service act as an intermediary and send OAuth requests on behalf of the user to either Facebook or Google.

On successful authentication, the user is granted access to the wireless network

Page 69: Extreme WiNG

Remote Diagnostics – Live Packet Capture

Each WiNG 5 device includes a sophisticated integrated packet capture facility that can capture wired and wireless traffic at any point within the device

Allows administrators to initiate packet captures on one or more remote WiNG 5 devices or RF Domains and centrally view the packet captures in real-time:

– Real-time on a Centralized Controller Console

– Real-time on a host running Wireshark

Allows administrators to initiate packet captures on one or more remote devices or RF Domains and centrally view the packet captures offline:

– Capture file streamed to a centralized FTP server

Provides administrators with full visibility into wired and wireless traffic at a remote site

– Eliminates the need for deploying standalone distributed sniffers to remotely troubleshoot connectivity, wireless client or application issues at a site

Page 70: Extreme WiNG


WWW.EXTREMENETWORKS.COM

Thank You