Design and Deployment Best Practices

Upload: evelio-sotolongo

Post on 07-Apr-2018


  • 8/4/2019 Design and Deployment Best Practices

    1/6

Design and Deployment Best Practices

Wireless LANs are fast becoming popular in the enterprise because of their significant advantages over wired LANs. According to the latest industry surveys, over 60% of enterprises are planning to purchase a wireless LAN solution in 2005.

The reason for this widespread adoption is that wireless LANs bring multiple benefits to the enterprise:

1. Significant savings in the costs of adding, moving and changing network users

2. Consolidation in the number of wired physical ports that must be deployed and maintained

3. Improved workflow through user mobility

4. Improved productivity through innovative new applications such as location tracking, point of sale, voice over wireless LAN, etc.

An enterprise wireless LAN also secures the air. Low-cost access points that employees bring into the office to create private wireless networks connect the wired LAN directly to the air, single-handedly defeating the purpose of perimeter firewalls; they are a stealth threat that must be detected and stopped.

    Choosing a WLAN design

    Wireless LANs will ultimately be part of any successful enterprise. Secure mobility

    provides a definitive competitive edge and the case for ROI is clear.

When an enterprise starts to deploy wireless LANs, the deployment is typically for a select group of users and primarily for data only. At this stage the traffic is relatively low and users are not being added or removed every day, so most of the products available on the market will fit the bill.

However, as new users are added and mission-critical information systems are connected to wireless LANs, providing always-on connectivity and managing each user's identity and access rights on the network become very important.

New applications such as Voice over WiFi, providing access to guests and enabling WiFi for remote offices further stress the WLAN infrastructure.

Therefore, network design and planning are very important and can make the difference between a successful and a wasted WLAN deployment effort. Successfully designing the solution and picking a product requires anticipating future needs as well as satisfying initial requirements. This paper examines previous-generation WLAN design and contrasts it with the advantages of an overlay design from Aruba.

    Copyright 2005 Aruba Wireless Networks. All rights reserved. 1


5) Upgrade OS for inter-VLAN mobility: With former architectures, all distribution switches must be upgraded to support inter-VLAN mobility as users move about the building and associate with different APs. The Aruba switch handles this centrally, using proxy DHCP to retain the original IP address of a mobile node as it moves through the network.

6) New blades for firewall and VPN: With former architectures, expensive new software and hardware must be purchased to secure the wireless traffic. The Aruba WLAN switch has an integrated, ICSA-certified, LAN-speed firewall and VPN built into the system and applies policies per flow.

7) Third-party IDS and wireless sensors: It is still common practice to deploy yet another platform for wireless intrusion detection and prevention. These piecemeal solutions do not provide an integrated defense for detection, location tracking, blacklisting and containment in both RF and firewalls.


    Designing and deploying high performance and secure WLANs

Aruba provides industry-leading QoS, roaming, security and performance for data, voice and video while reducing complexity, cost and management hassle.

[Figure: Centralized Deployment with Aruba. The diagram shows the core, distribution and access layers and the data center. Employee (E) and guest (G) clients on floors 1, 2 and 3 associate with access-layer APs, which connect through the existing wired infrastructure over GRE tunnels to an active and a standby Aruba switch in the data center, where the wireless VLANs 101-103 and 201-203 are defined.]

Aruba's recommended design includes:

    1) Deploy the APs by plugging them into the existing wired infrastructure and

    give them IP addresses in the existing wired VLANs. Wireless users get IP

    addresses in wireless VLANs created on the Aruba switch. There is no need

    to configure new VLANs on the access switches.

2) In most environments it is easier and cheaper to deploy the APs in user space where existing Ethernet jacks already exist. Aruba's adaptive RF management eliminates the need for site surveys while providing optimal capacity and avoiding interference. See Aruba white papers on the wireless grid for more information.

3) Avoid SSID and VLAN explosion by using the ICSA-certified stateful firewall to compartmentalize users and devices. VoWLAN users may have dedicated handsets or use soft phones on PDAs and laptops. A dedicated voice SSID and VLAN for QoS and security is useless to a device that does both voice and data. Aruba can detect and prioritize voice traffic present on the same SSID as data traffic.

4) Rely on Aruba's remote packet capture to enable debugging and troubleshooting of WLAN connection and performance issues from anywhere. There is no need to send IT staff to remote floors and buildings just to sniff the air.

5) Aruba switches/controllers can be deployed wherever appropriate based on network traffic, but it is most common to deploy them in the data center attached to the core routers/switches. While 802.1q trunking can be used to provide connectivity to the wireless VLANs created on the switch, a much simpler approach is possible and recommended: a single static route. The wireless VLANs are allocated from one supernet, and the core router is given a single static route to that supernet pointing at the Aruba switch. This simplifies routing table updates and also spares the core routers/switches from maintaining a massive MAC address table for the user traffic they would otherwise see on the trunked VLANs.
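The static-route approach in item 5 is easy to get wrong in two ways: the summary can be wider than the VLANs actually need (wasting address space the core will now send to the controller), and it can overlap a subnet already routed on the wired side, in which case wired traffic is pulled toward the controller. The following script is an added example, not code from the Aruba paper; every subnet, VLAN ID and the controller next-hop address in it are constructed. It computes the covering supernet, emits the corresponding IOS-style static route, reports how much address space the summary adds beyond the VLANs, flags any overlap with wired subnets, and, for comparison, shows the minimal set of exact routes that `ipaddress.collapse_addresses` would give when the VLANs are not contiguous.

```python
"""Added example (not from the Aruba paper): plan the single static route the
core router needs for wireless VLANs hosted on the controller.

All subnet values below are constructed for illustration. The next hop is
assumed to be the controller's address on its core-facing link.
"""
import ipaddress

# Constructed: wireless user VLANs created on the controller, keyed by VLAN ID.
WIRELESS_VLANS = {
    101: "10.20.0.0/24",  # employee
    102: "10.20.1.0/24",
    103: "10.20.2.0/24",
    201: "10.20.4.0/24",  # guest
    202: "10.20.5.0/24",
    203: "10.20.6.0/24",
}

# Constructed: subnets already routed on the wired network.
WIRED_SUBNETS = ["10.10.0.0/16", "10.30.0.0/16", "192.168.0.0/24"]

# Assumed address of the controller on the link shared with the core router.
CONTROLLER_NEXT_HOP = "10.0.0.2"


def summary_route(prefixes):
    """Return the smallest single prefix that covers every network given."""
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    candidate = nets[0]
    # Widen one bit at a time until every wireless VLAN sits inside the candidate.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def minimal_routes(prefixes):
    """Alternative when the VLANs are not contiguous: the fewest exact routes
    that cover them without adding any address space."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))


def plan_static_route(wireless, wired, next_hop):
    """Compute the supernet, the IOS-style static route for it, how much
    address space the summary adds beyond the VLANs, and any wired subnet
    the summary would overlap (which would misroute wired traffic to the
    controller)."""
    summary = summary_route(wireless.values())
    allocated = sum(ipaddress.ip_network(p).num_addresses for p in wireless.values())
    conflicts = [str(w) for w in (ipaddress.ip_network(x) for x in wired) if summary.overlaps(w)]
    return {
        "summary": str(summary),
        "route": f"ip route {summary.network_address} {summary.netmask} {next_hop}",
        "unused_addresses": summary.num_addresses - allocated,
        "conflicts": conflicts,
        "ok": not conflicts,
    }


if __name__ == "__main__":
    plan = plan_static_route(WIRELESS_VLANS, WIRED_SUBNETS, CONTROLLER_NEXT_HOP)
    print(plan["route"], "ok" if plan["ok"] else f"CONFLICTS: {plan['conflicts']}")
    print("unused addresses in summary:", plan["unused_addresses"])
    for r in minimal_routes(WIRELESS_VLANS.values()):
        print("exact route:", r)
```

With the constructed VLANs the single summary is a /21, which covers two /24s that no VLAN uses; that is acceptable only because nothing on the wired side lives there, which is exactly what the conflict check confirms before the route is committed. If a later wired subnet is carved out of that space, the check fails and the summary must be narrowed or the VLANs renumbered.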


    Keep the wired no-touch zone

Aruba Networks provides a solution that has been proven to be easier to install and manage, more secure, and less costly than the piecemeal solution required by other vendors. Customers such as Microsoft, AT&T, Yahoo, NTT DoCoMo, Roland Garros, Dartmouth College, Alliance Capital, and Sharp Healthcare have all chosen to partner with Aruba Networks. These and other customers have found that Aruba's solution is easier to deploy in a Cisco wired network than even Cisco's own wireless equipment, while providing superior functionality, security, and manageability.

The deployment of a wireless LAN introduces new concerns about security, mobility, and support. To adequately address these concerns, a new wireless LAN deployment should:

• Protect highly mobile users, devices, and applications from threats both inside and outside the network

• Ensure security throughout the network with centralized policy management and monitoring

• Secure the network from attacks and intruders with a complete intrusion detection, classification, and containment system

• Automatically optimize the initial and ongoing RF environment

• Provide flexible deployment options with minimal impact on the configuration, security, and manageability of the wired network

• Ensure high availability using enterprise-class hardware, redundant components, and monitoring tools built specifically for wireless networks

Deployments based on traditional APs require a collection of third-party point solutions, resulting in a piecemeal approach that tries to fix the deficiencies in security, manageability, and support inherent in such a model. The ultimate result of this approach is more CAPEX, more OPEX, and less security:

• Adding basic security and mobility alone results in an explosion in the number of VLANs, ongoing IOS upgrades, expensive new blades in switches, and additional network elements.

• ACLs and other security policies are created and managed in each network element (each AP and each Ethernet switch), which leads to errors that create security holes and/or outages and prove difficult to manage.

• Individual configuration and management of APs is time consuming, error prone, and risky because critical passwords and keys are stored in devices which can be easily stolen and cracked.

• Expensive RF site surveys are required and cannot take into account the dynamic nature of wireless networks and the overall RF environment.

• Many of the components are not enterprise-class platforms (often they are repackaged rack-mountable PCs, including hard disk drives which could be a single point of failure, non-redundant power supplies, and lack of integration with network management systems).

• Each platform has separate installation, management, and troubleshooting interfaces and procedures.

• Individual point solutions cannot work together to help you identify and prevent attacks and intruders, monitor and manage network availability or coverage issues, or troubleshoot and solve user connectivity problems; IT staff must log in and use each one separately. Some solutions even require installation of additional client software on all devices.

The Aruba Networks wireless networking solution delivers superior security with lower CAPEX and OPEX. The customer can realize these benefits by deploying Aruba Networks because the solution provides:

• Security policies for access control and QoS which are customizable for each user, group, device, or application, regardless of where a user connects to the network and everywhere a user roams

• A single point of configuration and monitoring for these security policies that can automatically protect users from threats inside and outside the network, including potential attacks from users on the same AP or other parts of the network who may be infected with computer viruses or worms

• Advanced intrusion detection, classification, and protection, including automatic rogue AP and ad-hoc containment

• Fewer points of vulnerability because the APs do not store sensitive data such as passwords or keys

• Wireless deployment without any changes to the wired network, including auto-configuration of APs and the addition of new types of users, devices, or security and QoS policies without requiring the addition of new VLANs

• Flexible deployment options that can utilize existing SSIDs/VLANs if desired for separation of user data and network performance

• Enterprise-class solution with redundant and field-replaceable modules

• High availability based on a redundant network design and dynamic RF management

• One interface for managing the entire wireless network, including network and client health monitoring, intrusion and security monitoring, and client troubleshooting, while also providing alerts, statistics and audit data to an NMS
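The paper repeatedly names rogue AP detection, classification and containment (the employee-installed access point in the introduction, the "detection, classification, and containment system" above) without saying how a heard AP is sorted into those classes. The script below is an added example, not code from the paper or from Aruba; all BSSIDs, the scan results and the wired MAC table are constructed. It shows the usual correlation: an AP whose BSSID is on the controller's authorized list is ours; an IBSS beacon is an ad-hoc network; a BSSID that lines up with an entry in a wired switch's MAC table is a rogue that is physically on the enterprise LAN; anything else is merely interfering. The "lines up with" rule is an assumed heuristic (same OUI, low bytes within a small offset), relying on the common practice of consumer APs deriving radio BSSIDs from their wired MAC.

```python
"""Added example (not from the Aruba paper): classify access points heard
over the air as authorized, rogue (attached to our wired LAN), interfering
(heard but not on our wire) or ad-hoc, and derive containment actions.

All observations and the wired MAC table below are constructed. The
wired-correlation rule is a heuristic (assumption): a BSSID whose OUI
matches a MAC in a switch's forwarding table and differs from it only in
the low bits is taken to be a radio of that wired device.
"""

# Constructed: BSSIDs of our own APs, as known to the controller.
AUTHORIZED_BSSIDS = {"00:0b:86:a1:00:10", "00:0b:86:a1:00:20"}

# Constructed air-side scan: (bssid, ssid, channel, rssi_dbm, is_ibss)
AIR_SCAN = [
    ("00:0b:86:a1:00:10", "corp",           36, -45, False),  # our AP
    ("00:1d:7e:3c:55:21", "linksys",         6, -38, False),  # employee's home router
    ("00:1a:70:9f:02:ab", "neighbour-wifi", 11, -82, False),  # next building
    ("02:13:ce:44:11:22", "free-wifi",       1, -60, True),   # ad-hoc network
]

# Constructed wired-side MAC table: mac -> (switch, port)
WIRED_MAC_TABLE = {
    "00:0b:86:a1:00:0f": ("sw-floor1", "Gi1/0/3"),   # wired side of our AP
    "00:1d:7e:3c:55:20": ("sw-floor2", "Gi1/0/14"),  # wired side of the home router
    "00:50:56:aa:bb:cc": ("sw-dc", "Gi1/0/1"),       # a server, unrelated
}

MAX_MAC_DELTA = 8  # assumed tolerance for the BSSID/wired-MAC offset


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def wired_match(bssid, wired_table, max_delta=MAX_MAC_DELTA):
    """Return the wired MAC this BSSID appears to belong to, or None."""
    b = mac_to_int(bssid)
    for mac in wired_table:
        m = mac_to_int(mac)
        same_oui = (b >> 24) == (m >> 24)
        if same_oui and abs(b - m) <= max_delta:
            return mac
    return None


def classify(scan, wired_table, authorized):
    """Map each heard BSSID to (class, wired location or None).
    Authorized APs are checked first: their own wired MAC is in the table
    too, so the offset rule would otherwise flag them as rogues."""
    results = {}
    for bssid, ssid, channel, rssi, is_ibss in scan:
        if bssid in authorized:
            results[bssid] = ("authorized", None)
            continue
        if is_ibss:
            results[bssid] = ("ad-hoc", None)
            continue
        mac = wired_match(bssid, wired_table)
        if mac is not None:
            results[bssid] = ("rogue", wired_table[mac])
        else:
            results[bssid] = ("interfering", None)
    return results


def containment_actions(results):
    """Actions matching the paper's containment in both RF and the wired side:
    a rogue gets its switch port shut and RF containment; an ad-hoc network
    gets RF containment only; interfering APs are only logged."""
    actions = []
    for bssid, (cls, location) in results.items():
        if cls == "rogue":
            switch, port = location
            actions.append(("shutdown_port", switch, port))
            actions.append(("rf_contain", bssid))
        elif cls == "ad-hoc":
            actions.append(("rf_contain", bssid))
        elif cls == "interfering":
            actions.append(("log", bssid))
    return actions


if __name__ == "__main__":
    verdicts = classify(AIR_SCAN, WIRED_MAC_TABLE, AUTHORIZED_BSSIDS)
    for bssid, (cls, loc) in verdicts.items():
        print(f"{bssid}  {cls:<12} {loc or ''}")
    for action in containment_actions(verdicts):
        print("action:", action)
```

The offset rule is only a heuristic: a wired device that happens to share an OUI and a nearby address with a neighbour's AP would be misclassified, so a rogue verdict should trigger confirmation (for example, probing through the suspect AP toward the wired network) before a port is shut or clients are deauthenticated.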
