design and deployment best practices
TRANSCRIPT
-
8/4/2019 Design and Deployment Best Practices
1/6
Design and Deployment Best Practices
Wireless LANs are fast becoming popular in the enterprise because of their significant
advantages over wired LANs. According to the latest industry surveys, over 60% of the
enterprises are planning to purchase a wireless LAN solution in 2005.
The reason for this widespread adoption is that wireless LANs bring multiple benefits
to the enterprise:
1. Significant savings in the costs of adding, moving and changing network users
2. Consolidation in number of wired physical ports that must be deployed and
maintained
3. Improved workflow through user mobility
4. Improved productivity through innovative new applications such as location
tracking, point of sale, voice over wireless LAN, etc.
Wireless LANs also secure the air. Low-cost access points brought into the office by
employees to create private wireless networks single-handedly defeat the purpose of
perimeter firewalls and are a stealth threat that must be stopped.
Choosing a WLAN design
Wireless LANs will ultimately be part of any successful enterprise. Secure mobility
provides a definitive competitive edge and the case for ROI is clear.
When an enterprise is starting to deploy wireless LANs, the deployment will typically
be for a select group of users and primarily for data only. At this stage, the traffic is
relatively low and users are not being added or removed everyday so most of the
products available on the market will fit the bill.
However, as new users are added and mission-critical information systems are
connected to wireless LANs, providing always-on connectivity and managing a user's
identity and access rights on the network become very important.
New applications such as Voice over WiFi, providing access to guests and enabling
WiFi for remote offices further stress the WLAN infrastructure.
Therefore, network design and planning are very important and can make the
difference between a successful and a wasted WLAN deployment effort. Successfully
designing the solution and picking a product requires anticipating future needs as well
as satisfying initial requirements. This paper examines previous-generation WLAN
design and contrasts it with the advantages of an overlay design from Aruba.
Copyright 2005 Aruba Wireless Networks. All rights reserved. 1
5) Upgrade OS for inter-VLAN mobility: All distribution switches must be
upgraded to support inter-VLAN mobility as users move about the building
and associate with different APs. The Aruba switch centrally handles these
requests by using proxy DHCP to retain the original IP address of a mobile
node as it moves in the network.
6) New blades for firewall and VPN: Expensive new software and hardware must
be purchased to secure the wireless traffic with former architectures. The
Aruba WLAN switch has an integrated ICSA-certified LAN-speed firewall and
VPN built into the system and applies policies per flow.
7) Third-party IDS and wireless sensors: It is still common practice to deploy yet
another platform for wireless intrusion detection and prevention. These
piecemeal solutions do not provide an integrated defense for detection,
location tracking, blacklisting and containment in both RF and firewalls.
Designing and deploying high performance and secure WLANs
Aruba provides industry-leading QoS, roaming, security and performance for data,
voice and video while reducing complexity, cost and management hassle.
[Figure: Centralized Deployment with Aruba. Core, distribution and access layers
plus the data center; employee (E) and guest (G) APs on floors 1 to 3, labelled
101 to 103 and 201 to 203; GRE tunnels from the APs to an active and a standby
Aruba switch.]
Aruba's recommended design includes:
1) Deploy the APs by plugging them into the existing wired infrastructure and
give them IP addresses in the existing wired VLANs. Wireless users get IP
addresses in wireless VLANs created on the Aruba switch. There is no need
to configure new VLANs on the access switches.
2) In most environments it is easier and cheaper to deploy the APs in user
space where existing Ethernet jacks already exist. Aruba's adaptive RF
management eliminates the need for site surveys while providing optimal
capacity and avoiding interference. See Aruba white papers on the wireless grid
for more information.
3) Avoid SSID and VLAN explosion by utilizing the ICSA-certified stateful
firewall to compartmentalize users and devices. VOWLAN users may have
dedicated handsets or use soft phones on PDAs and laptops. A dedicated
voice SSID and VLAN to provide QoS and security is useless to a device that
does both voice and data. Aruba can detect and prioritize voice traffic present
on the same SSID as data traffic.
4) Rely on Aruba's remote packet capture to enable debugging and
troubleshooting of WLAN connection and performance issues from anywhere.
No need to send IT staff to remote floors and buildings just to sniff the air.
5) Aruba switches/controllers can be deployed wherever appropriate based on
network traffic, but it is most common to deploy them in the data center
attached to the core routers/switches. While 802.1q trunking is possible to
provide connectivity to the wireless VLANs created on the switch, it is also
possible, and recommended, to use a much simpler approach with a single static
route. The wireless VLANs can be super-netted, with the core router given a
static route to the single super-net. This simplifies any routing table updates
and also protects the core routers/switches from maintaining a massive MAC
address table of user traffic they would otherwise see on the trunked VLANs.
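As an added example (not from the paper or Aruba's own tooling), a small Python check for the single-supernet static route in item 5: it summarises constructed wireless VLAN prefixes, emits the IOS-style route the core would need, flags any existing wired prefix the summary would overlap, and lists the spare space left for future wireless VLANs. The VLAN IDs, prefixes and next hop are assumptions.

```python
import ipaddress

# Constructed addressing (not from the paper): wireless VLANs exist only on the
# WLAN switch; the wired prefixes are what the core router already carries.
# Assumption: the core reaches the WLAN switch at NEXT_HOP in the data center.
WIRELESS_VLANS = {101: "10.20.0.0/24",   # employee
                  102: "10.20.1.0/24",   # guest
                  103: "10.20.2.0/24"}   # voice handsets
WIRED_SUBNETS = ["10.10.0.0/16", "10.30.5.0/24"]
NEXT_HOP = "10.10.0.2"


def supernet_for(prefixes):
    """Smallest single prefix covering every wireless VLAN prefix."""
    nets = sorted(map(ipaddress.ip_network, prefixes),
                  key=lambda n: (int(n.network_address), n.prefixlen))
    agg = nets[0]
    for n in nets[1:]:
        while not n.subnet_of(agg):   # widen one bit at a time until n fits
            agg = agg.supernet()
    return agg


def overlapping_wired(summary, wired):
    """Wired prefixes the summary route would shadow: any hit means re-plan."""
    return [w for w in map(ipaddress.ip_network, wired) if summary.overlaps(w)]


def spare_space(summary, prefixes):
    """Blocks inside the summary not yet assigned to a wireless VLAN."""
    spare = [summary]
    for n in map(ipaddress.ip_network, prefixes):
        spare = [s for sp in spare
                 for s in (sp.address_exclude(n) if n.subnet_of(sp) else [sp])]
    return sorted(spare)


def plan_static_route(vlans=WIRELESS_VLANS, wired=WIRED_SUBNETS, next_hop=NEXT_HOP):
    """The one IOS-style static route the core needs, plus design checks."""
    summary = supernet_for(vlans.values())
    return {
        "summary": str(summary),
        "route": f"ip route {summary.network_address} {summary.netmask} {next_hop}",
        "conflicts": [str(c) for c in overlapping_wired(summary, wired)],
        "spare": [str(s) for s in spare_space(summary, vlans.values())],
        "vlans_kept_off_core_trunk": sorted(vlans),
    }
```

A non-empty "conflicts" list means the chosen wireless block cannot be summarised without stealing traffic from an existing wired subnet, so the addressing should be re-planned before the route is installed.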
Keep the wired no-touch zone
Aruba Networks provides a solution that has been proven to be easier to install and
manage, more secure, and less costly than the piecemeal solution required by other
vendors. Customers such as Microsoft, AT&T, Yahoo, NTT DoCoMo, Roland Garros,
Dartmouth College, Alliance Capital, and Sharp Healthcare have all chosen to
partner with Aruba Networks. These and other customers have found that Aruba's
solution is easier to deploy in a Cisco wired network than even Cisco's own wireless
equipment while providing superior functionality, security, and manageability.
The deployment of wireless LAN introduces new concerns about security, mobility,
and support. To adequately address these concerns a new wireless LAN deployment
should:
- Protect highly mobile users, devices, and applications from threats both inside
and outside the network
- Ensure security throughout the network with centralized policy management
and monitoring
- Secure the network from attacks and intruders with a complete intrusion
detection, classification, and containment system
- Automatically optimize the initial and ongoing RF environment
- Provide flexible deployment options with minimal impact on the
configuration, security, and manageability of the wired network
- Ensure high availability using enterprise-class hardware, redundant
components, and monitoring tools built specifically for wireless networks
Deployments based on traditional APs require a collection of third-party point
solutions, resulting in a piecemeal approach that tries to fix the deficiencies in security,
manageability, and support inherent in such a model. The ultimate result of this
approach is more CAPEX, more OPEX, and less security.
- Adding basic security and mobility alone results in an explosion in the number
of VLANs, ongoing IOS upgrades, expensive new blades in switches, and
additional network elements.
- ACLs and other security policies are created and managed in each network
element (each AP and each Ethernet switch), which leads to errors that create
security holes and/or outages and prove difficult to manage.
- Individual configuration and management of APs is time consuming, error
prone, and risky because critical passwords and keys are stored in devices
which can be easily stolen and cracked.
- Expensive RF site surveys are required and cannot take into account the
dynamic nature of wireless networks and the overall RF environment.
- Many of the components are not enterprise-class platforms (often they are
repackaged rack-mountable PCs, including hard disk drives which could be a
single point of failure, non-redundant power supplies, and lack of integration
with network management systems).
- Each platform has separate installation, management, and troubleshooting
interfaces and procedures.
- Individual point solutions cannot work together to help you identify and
prevent attacks and intruders, monitor and manage network availability or
coverage issues, or troubleshoot and solve user connectivity problems; IT
staff must log in to and use each one separately. Some solutions even require
installation of additional client software on all devices.
The Aruba Networks wireless networking solution delivers superior security with
lower CAPEX and OPEX. The customer can realize these benefits by deploying
Aruba Networks because the solution provides:
- Security policies for access control and QoS which are customizable for each
user, group, device, or application, regardless of where a user connects to the
network and everywhere a user roams
- A single point of configuration and monitoring for these security policies that
can automatically protect users from threats inside and outside the
network, including potential attacks from users on the same AP or other parts
of the network who may be infected with computer viruses or worms
- Advanced intrusion detection, classification, and protection, including
automatic rogue AP and ad-hoc containment
- Fewer points of vulnerability, because the APs do not store sensitive data such
as passwords or keys
- Wireless deployment without any changes to the wired network, including
auto-configuration of APs and the addition of new types of users, devices, or
security and QoS policies without requiring the addition of new VLANs
- Flexible deployment options that can utilize existing SSIDs/VLANs if desired
for separation of user data and network performance
- An enterprise-class solution with redundant and field-replaceable modules
- High availability based on a redundant network design and dynamic
RF management
- One interface for managing the entire wireless network, including network and
client health monitoring, intrusion and security monitoring, and client
troubleshooting, while also providing alerts, statistics and audit data to an NMS