aruba - remote branch-networking-fundamentals-2014
DESCRIPTION
A clear description of the technical opportunities offered by Aruba ClearPass, AirWave, Activate and Instant. Another "pearl" from the Airheads blog.
TRANSCRIPT
Remote and Branch Networking Fundamentals June 9-14, 2014
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
#AirheadsConf
Agenda
• Challenges of Deploying Remote Networks
• Aruba Solution
• Aruba Instant
• Aruba Instant for Private WAN based Deployments
• Aruba Instant-VPN
• Management and Zero-Touch Deployment
Challenges of Deploying Remote Networks
Who should care?
Branch office / Remote teleworker
Retail
Healthcare
Challenges
Aruba Solution
Aruba Solution
Home Office On The Road Branch
Datacenter
AirWave Aruba Mobility Controller ClearPass Access Management
Instant-VPN
Mobility Switch
Instant Cluster
Virtual Intranet Access (VIA) Client
Internet / WAN
Instant Cluster
Management and Zero-Touch Deployment
Internet
AirWave and Aruba Central
Campus Network
Aruba Central Aruba AirWave
Data Center
• Advanced guest services
• Mobile device onboarding
• Unified wired/wireless policy
Airwave
ClearPass
Mobility Switch
Aruba Activate: Zero-touch Deployment
Aruba Instant
Aruba Instant
• Redundancy for internal failure
• Redundancy for external failure
• Organic growth
• Mobility-ready
• RF optimization
• Master AP selection
• Over-the-air provisioning
• WiFi oriented configuration
Simple to deploy
Self-optimizing
Self-healing
Scalable
Aruba Instant Architecture
• Distributed data-plane – Wireless encryption / decryption, firewall
• Distributed control-plane – Authentication, DHCP, ARM, WIPS
• Centralized (local) management-plane – Configuration, firmware management, GUI, SNMP
Automatic RF Management
Infrastructure control
• Automatic RF optimization for coverage & capacity
• Real-time spectrum analysis and interference avoidance
• Load / Application awareness
• Self-healing
Channel 11
Channel 6
Channel 1
Client Control
• Moves clients towards less congested frequency band
• Distributes clients across available spectrum*
• Bandwidth controls
Security tailored for Mobility
Context Aware
On-boarding
Role-based access
Policy Enforcement
• Aruba RFProtect + AirWave RAPIDS – RF scanning, rogue AP detection / containment, valid-station protection
• Encryption – Over-the-air AES encryption, IPSec VPN to datacenter (where applicable)
• Role-based Access – Per-user, per-device access
• Policy Enforcement Firewall – Segregation of business traffic from guest traffic; blacklisting for session violation
• Centralized Monitoring and Alerting
Mobility Services: Real-time Applications
• No need for separate SSID for QoS
• Session-based DSCP tagging & prioritization
• Multicast-to-unicast conversion for video
• Media classification for encrypted voice – Apple FaceTime
• AirGroup* to manage Apple AirPlay, AirPrint, etc.
ClearPass
IAP
IAP IAP
Mobility Services: Guest Access
• Securely Manage Visitor Access
– Streamlined workflow; No IT
• Sponsored-based, Visitor Self-Registration, Pre-registration, Anonymous Guest Access
• 3rd Party Integrations
• APIs for integration with existing applications / CRM tools
– Assignable roles, expiration times, user names, passwords
• Highest Customization
– Skin technology, software plugins, APIs
– Targeted advertising and content delivery
Private WAN based Deployments
Private-WAN based Deployments
Auto-GRE for Guest
Branch office
Datacenter
AirWave ClearPass
Instant Cluster
VRRP Link
Master Standby
Guest Anchor
Master Active Servers
MPLS
Employee Traffic
Guest Traffic
Aruba Instant-VPN
Datacenter
AirWave/Aruba Central Aruba Mobility Controller ClearPass solution
Internet / WAN
VRRP Link
Master Standby
DMZ
Master Active
Home Office
Instant
Home office Solution
Home Office
Instant
Branch Office Solution
Branch office
Datacenter
AirWave/Aruba Central Aruba Mobility Controller ClearPass solution
Instant Cluster
Internet / WAN
VRRP Link
Master Standby
DMZ
Master Active
Branch office
Instant Cluster
DHCP - How does Distributed L3 work?
Network 10.0.0.0/8 VLANs 10 to 99
Data Center
Remote Branch
Internet / WAN
Active VPN Tunnel
Client A Browsing to Intranet
Browsing to Youtube
Route on IAP – For 10.0.0.0/8 network, next hop is VPN terminating controller’s IP address
Master IAP Member IAP
Client B Browsing to Intranet
Browsing to Youtube
VLAN 250 IAP-VC is the DHCP Server
DHCP Request
VC SRC NATs traffic using IAP's local IP
VC routes the traffic to the tunnel
Intranet
DHCP - How does Centralized L2 work?
Network 10.0.0.0/8 VLANs 10 to 99
Data Center
Remote Branch
Internet / WAN
Active VPN Tunnel
Client A Browsing to Intranet
Browsing to Youtube
Route on IAP – For 10.0.0.0/8 network, next hop is VPN terminating controller’s IP address
Master IAP Member IAP
Client B Browsing to Intranet
Browsing to Youtube
VLAN 50
DHCP Request
VC SRC NATs traffic using IAP's local IP
VC bridges traffic in the tunnel
VLAN 50 DHCP Server and Default Gateway
Intranet
DHCP - How does Local Subnet work?
Intranet
Network 10.0.0.0/8 VLANs 10 to 99
Data Center
Remote Branch
Internet / WAN
Active VPN Tunnel
Client A Browsing to Intranet
Browsing to Youtube
Route on IAP – For 10.0.0.0/8 network, next hop is VPN terminating controller’s IP address
Master IAP Slave IAP
Client B Browsing to Intranet
Browsing to Youtube
VLAN 200 IAP-VC is the DHCP Server
DHCP Request
VC SRC NATs traffic using IAP's local IP
VC SRC NATs traffic using inner IP
Recommendations
IAP-VPN Modes – Usage Recommendations
• Distributed L3 – Recommended for all deployments.
• Local – Recommended for Guest networks with centralized captive portal servers.
• Centralized L2 – Recommended only if Multicast to branch is a requirement. If Multicast to branch networks is not required, use L3 modes.
Branch ID Algorithm
Aruba Instant-VPN Design Options
Single AP deployments
Multi-AP deployments
Thank You
Distributed-L2
Central-L2
Central-L3
Dist-L3
Local Mode