Breakout - Airheads Macau 2013 - Unified Access: Deploying Mobility Access Switches & Instant

Unified Access: Deploying Mobility Access Switches & Instant

Madani Adjali

November 14th

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved #airheadsconf


Agenda

• Platform Overview

• Software Defined Networking

• Aruba AP Interworking

• Role Based User Access

• ClearPass Policy Manager Integration


Platform Overview


Introducing the Aruba Mobility Access Switch Family

• Security to wired access

– Flexible role-based access

– Policy moves from wireless to wired

• Operational simplicity

– Low-touch installation and configuration

– Dynamic configuration of user policies

– Integration with Aruba APs

• Simplify the network

– Reduce VLANs in the closet

– Extend logical configurations

• 802.11ac Ready

– Scaled to support high-density deployments

– PoE+ on every switch port

– 10GbE uplinks (S2500/S3500)


Mobility Access Switch Capabilities

A. Ethernet Switch

• Layer 2/3 forwarding

• Native role-based policy enforcement

B. Integration with ClearPass

• Downloadable Role/ACL

• Captive Portal

C. Wired Access Point

• Tunneled Node

• Role-based policy enforcement at Mobility Controller

• Single policy for WLAN and LAN

[Diagram: Mobility Access Switch connected to an Access Point, the LAN Core, the Mobility Controller, the AirWave Management Platform and ClearPass Policy Manager; callouts A. L2/L3 Forwarding, B. User-Role Download, C. Wired AP]


S3500 Mobility Access Switch

• Designed for Wired Access

– 24/48 Port Models

– Wire-rate and non-blocking performance

– Role-based access with user visibility

– Per port PoE/PoE+

• ArubaStack

– Stack up to 8 devices

– Up to 384x GbE and 16x 10GbE

– Single management IP address

– Single configuration file

• Flexible Forwarding Options

– Traditional L2/L3 Switching

– Tunnel traffic to Mobility Controller

• Modular Components

– Field replaceable AC power supplies (optional redundant power supply)

– Field replaceable fan tray

– Optional 4-port uplink module (1000BASE/10GBASE-x SFP/SFP+)

PoE budget values are provided for single PSU and dual PSU configurations (single | dual).

SKU          Ports                     PoE Budget (single | dual PSU)
S3500-24F    24x 1000BASE-x            Not Applicable
S3500-24T    24x 10/100/1000BASE-T     Not Applicable
S3500-24P    24x 10/100/1000BASE-T     400W | 689W
S3500-48T    48x 10/100/1000BASE-T     Not Applicable
S3500-48P    48x 10/100/1000BASE-T     400W | 689W
S3500-48PF   48x 10/100/1000BASE-T     850W | 1465W


S3500: Front and Rear Views

• Modular Components

– Power Supplies

– Fan Tray

– Uplink Module

• Management

– Console (RJ45 Serial)

– Out-of-band Ethernet

– USB Storage

– LCD Display

• Dimensions & Airflow

– 1RU

– 1.75˝ (H) x 17.5˝ (W) x 17.5˝ (D)

– Front/Side to Rear Airflow

• Mounting Options

– 2 Post Rack (front & mid-mount)

– 4 Post Rack

– Wall Mount

• Limited Lifetime Warranty

[Figure: S3500 rear view showing the optional uplink module, USB, console, field-replaceable fan tray, hot-swappable power supplies and out-of-band Ethernet; S3500-24F front view with 24x 1000BASE-X SFP ports and LCD; S3500-48P front view with fixed 10/100/1000BASE-T ports and LCD]


S2500 Mobility Access Switch

• Designed for Wired Access

– 24/48 Port 10/100/1000BASE-T

– Wire-rate and non-blocking performance

– Role-based access with user visibility

– Per port PoE/PoE+

• ArubaStack

– Stack up to 8 devices

– Up to 384x GbE and 16x 10GbE

– Single management IP address

– Single configuration file

– Stackable with S3500

• Flexible Forwarding Options

– Traditional L2/L3 Switching

– Tunnel traffic to Mobility Controller

• Integrated Components

– Built in fans for quiet operation

– Fixed 4-port uplinks (1000BASE/10GBASE-x SFP/SFP+)

SKU          Ports                     PoE Budget
S2500-24T    24x 10/100/1000BASE-T     Not Applicable
S2500-24P    24x 10/100/1000BASE-T     400W
S2500-48T    48x 10/100/1000BASE-T     Not Applicable
S2500-48P    48x 10/100/1000BASE-T     400W


S2500: Front and Rear Views

• Fixed Components

– Built-in 4xSFP/SFP+ Uplinks

– Integrated Power Supply

• PoE Budget

– 400W

– PoE Priority Available

• Management

– Console (RJ45 & mUSB Serial)

– Out-of-band Ethernet

– USB Storage

– LCD Display

• Dimensions & Airflow

– 1RU

– 1.75˝ (H) x 17.5˝ (W) x 12˝ (D)

– Side to side airflow

• Mounting Options

– 2 Post Rack (Front)

– Wall & 2-Post Mid Mount

• Limited Lifetime Warranty

[Figure: S2500 front view with LCD display, USB, fixed 10/100/1000BASE-T ports, RJ-45 & Mini-USB console and fixed 4x 1000BASE-x/10GBASE-x (SFP/SFP+) ports; rear view with integrated power supply, out-of-band Ethernet and fixed fans]


S1500 Mobility Access Switch

• Designed for Wired Access

– 12/24/48 Port 10/100/1000BASE-T

– Wire-rate and non-blocking performance

– Role-based access with user visibility

– Per port PoE/PoE+

• ArubaStack

– Stack up to 8 devices

– Single management IP address

– Single configuration file

• Flexible Forwarding Options

– Traditional L2/L3 Switching

– Tunnel traffic to Mobility Controller

• Integrated Components

– Built in fans for quiet operation (24P/48P)

– Fanless (12P)

– Fixed 2-port (12P) & 4-port (24P/48P) uplinks (1000BASE-x SFP)

SKU          Ports                     PoE Budget
S1500-12P    12x 10/100/1000BASE-T     120W
S1500-24P    24x 10/100/1000BASE-T     400W
S1500-48P    48x 10/100/1000BASE-T     400W


S1500-24P/48P: Front and Rear Views

• Fixed Components

– Built-in 4xSFP Uplinks

– Integrated Power Supply

• PoE Budget

– 400W

– PoE Priority Available

• Features & Scaling

– Same features as S2500/S3500

– Reduced scaling vs. S2500/S3500

• Management

– Console (RJ45)

– USB Storage

• Dimensions & Airflow

– 1RU

– 1.75˝ (H) x 17.5˝ (W) x 12˝ (D)

– Side to side airflow

• Mounting Options

– 2 Post Rack (Front)

– Wall & 2-Post Mid Mount

• Limited Lifetime Warranty

[Figure: S1500-48P front view with console, USB, mode LEDs and selector, 48x 10/100/1000 (RJ45) ports and fixed 4x 1000BASE-X (SFP) ports; S1500-24/48P rear view with integrated power supply]


S1500-12P: Front and Rear Views

• Fixed Components

– Built-in 2xSFP Uplinks

– Integrated Power Supply

• PoE Budget

– 8x PoE/PoE+ with 120W Budget

– PoE Priority Available

• Features & Scaling

– Same features as S2500/S3500

– Reduced scaling vs. S2500/S3500

• Management

– Console (RJ45)

– USB Storage

• Dimensions & Airflow

– 1.72˝ (H) x 13˝ (W) x 8.9˝ (D)

– Fanless

• Mounting Options

– Desktop (Rubber feet included)

– Rack & Wall Mount (Included)

– Magnet Mount (Optional)

• Limited Lifetime Warranty

[Figure: S1500-12P front view with USB, RJ-45 console, 12x 10/100/1000Base-T ports (8x with PoE/PoE+), 2x 1000BASE-x (SFP) ports, mode LEDs and selector, and cooling vents on top and bottom for the fanless design; rear view with integrated power supply and security lock slot]


Power over Ethernet Support

• All “P” models support PoE on all ports

– Both IEEE 802.3af (PoE), IEEE 802.3at (PoE+) & Pre-Standard

– Ready for PoE+ devices today (e.g. 11ac APs)

• Share PoE budget across ports

– PoE draw automatically negotiated by connected device

– Minimize design and configuration effort

• Ability to limit PoE output per port

– Helps manage PoE usage with limited PoE budgets

• Prioritize PoE availability during a power loss

– Ensure critical devices remain available

– Ports set to low (default), high or critical

– Aruba APs automatically recognized and set to “high”

• Efficient use by defining PoE time-of-day profiles

– Shut-off PoE during non-use hours and/or days

– Power cost savings and physical security


S1500/S2500 PoE Budget

S1500-12P: 150W PSU with 120W budget. S1500/S2500-24P/48P: 580W PSU with 400W budget.

Class/AP      Max Power at Device (W)   Max Power at Switch (W)   Devices Supported (S1500-12P, 120W)   Devices Supported (S1500/S2500-24P/48P, 400W)
802.3af       12.95                     15.4                      7                                     25
802.3at       25.5                      30                        4                                     13
AP-92/93      8                         8.35                      8                                     47
AP-93H        9                         9.45                      8                                     42
AP-104/105    12.5                      13.4                      8                                     29
AP-114/115    13                        13.98                     8                                     28
AP-124/125    16                        17.5                      6                                     22
AP-134/135    12.5                      13.4                      8                                     29
AP-224/225    15                        16.3                      7                                     24
AP-175        18                        20                        6                                     20


S3500 PoE Budget with 600W P/S

PSU 0 (600W), standalone: 400W budget. PSU 1 (600W), redundant: 400W budget. PSU 1 (600W), load sharing: 689W budget.

Class/AP      Max Power at Device (W)   Max Power at Switch (W)   Devices Supported: Standalone (400W)   Redundant (400W)   Load Sharing (689W)
802.3af       12.95                     15.4                      25                                     25                 44
802.3at       25.5                      30                        13                                     13                 22
AP-92/93      8                         8.35                      47                                     47                 48
AP-93H        9                         9.45                      42                                     42                 48
AP-104/105    12.5                      13.4                      29                                     29                 48
AP-114/115    13                        13.98                     28                                     28                 48
AP-124/125    16                        17.5                      22                                     22                 39
AP-134/135    12.5                      13.4                      29                                     29                 48
AP-224/225    15                        16.3                      24                                     24                 42
AP-175        18                        20                        20                                     20                 34


S3500 PoE Budget with 1050W P/S

PSU 0 (1050W), standalone: 850W budget. PSU 1 (1050W), redundant: 850W budget. PSU 1 (1050W), load sharing: 1465W budget.

Class/AP      Max Power at Device (W)   Max Power at Switch (W)   Devices Supported: Standalone (850W)   Redundant (850W)   Load Sharing (1465W)
802.3af       12.95                     15.4                      48                                     48                 48
802.3at       25.5                      30                        28                                     28                 48
AP-92/93      8                         8.35                      48                                     48                 48
AP-93H        9                         9.45                      48                                     48                 48
AP-104/105    12.5                      13.4                      48                                     48                 48
AP-114/115    13                        13.98                     48                                     48                 48
AP-124/125    16                        17.5                      48                                     48                 48
AP-134/135    12.5                      13.4                      48                                     48                 48
AP-224/225    15                        16.3                      48                                     48                 48
AP-175        18                        20                        42                                     42                 48
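The budget tables above follow one rule: devices supported is the budget divided by the per-device draw at the switch, rounded down and capped at the number of PoE ports. The Power over Ethernet Support slide adds that ports carry a low, high or critical priority so that critical devices keep power when a supply is lost. The following Python is an added example, not Aruba code or anything from the original deck: it reproduces the table arithmetic and simulates what happens to a constructed S3500-48P port map when a load-sharing pair (689W) falls back to a single PSU (400W). The shedding order (low before high before critical, highest port number first within a priority) is an assumption made for this example; the slides state only the three priority levels and that critical devices remain available.

```python
"""PoE budget planning and priority-based load shedding (added illustration, not Aruba code)."""
from dataclasses import dataclass

# Per-device power measured at the switch (W), taken from the slide tables.
SWITCH_POWER_W = {
    "802.3af": 15.4,
    "802.3at": 30.0,
    "AP-92/93": 8.35,
    "AP-224/225": 16.3,
    "AP-175": 20.0,
}

# Slide: ports are low (default), high or critical. Rank drives shedding order (assumption).
PRIORITY_RANK = {"low": 0, "high": 1, "critical": 2}


def devices_supported(budget_w: float, device_w: float, poe_ports: int) -> int:
    """Whole devices the budget can power, never more than the PoE port count."""
    if device_w <= 0:
        raise ValueError("per-device draw must be positive")
    return min(int(budget_w // device_w), poe_ports)


@dataclass(frozen=True)
class PoePort:
    port: int
    device: str             # key into SWITCH_POWER_W
    priority: str = "low"   # low (default), high or critical

    @property
    def watts(self) -> float:
        return SWITCH_POWER_W[self.device]


def total_draw(ports) -> float:
    return sum(p.watts for p in ports)


def shed_to_budget(ports, budget_w: float):
    """Drop the least important ports until the remaining draw fits the budget.
    Returns (powered, shed). Critical ports are shed last, so they keep power
    as long as any lower-priority port is still drawing."""
    powered = list(ports)
    shed = []
    while powered and total_draw(powered) > budget_w:
        victim = min(powered, key=lambda p: (PRIORITY_RANK[p.priority], -p.port))
        powered.remove(victim)
        shed.append(victim)
    return powered, shed


def build_sample_ports():
    """Constructed S3500-48P port map: 5 critical 802.3at devices, 20 Aruba APs
    (auto-recognised and set to high) and 10 low-priority 802.3af devices.
    Total draw is 630W: fits the 689W load-sharing budget, not the 400W single-PSU one."""
    ports = [PoePort(i, "802.3at", "critical") for i in range(1, 6)]
    ports += [PoePort(i, "AP-224/225", "high") for i in range(6, 26)]
    ports += [PoePort(i, "802.3af", "low") for i in range(26, 36)]
    return ports


def psu_failure_summary(budget_before: float = 689.0, budget_after: float = 400.0):
    """(powered count, shed count, every critical port still powered) after the budget drops."""
    ports = build_sample_ports()
    if total_draw(ports) > budget_before:
        raise ValueError("sample port map exceeds the healthy budget")
    powered, shed = shed_to_budget(ports, budget_after)
    critical_ok = all(p in powered for p in ports if p.priority == "critical")
    return len(powered), len(shed), critical_ok


if __name__ == "__main__":
    for budget, poe_ports in ((120, 8), (400, 48), (689, 48), (850, 48), (1465, 48)):
        row = {d: devices_supported(budget, w, poe_ports) for d, w in SWITCH_POWER_W.items()}
        print(f"{budget:5}W budget, {poe_ports} PoE ports: {row}")
    print("single-PSU fallback (powered, shed, critical kept):", psu_failure_summary())
```

Running it reproduces the table cells (for example 400W / 15.4W gives 25 802.3af devices, and 120W on the S1500-12P gives 8 AP-92/93 because only 8 ports supply PoE) and shows that after the fallback the 5 critical devices and 15 of the 20 APs stay up while all 10 low-priority ports and 5 APs are shed.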


Features & Capabilities Overview

Platform / Layer 2 Features

• Spanning Tree

- Multiple Spanning Tree (MSTP)

- Rapid PVST+

• Link Aggregation Group

• Hot Standby Link

• L2 Generic Routing Encapsulation

• Voice VLAN

- LLDP-MED

- CDP Fingerprinting

• Port Security

- DHCP Snooping, DAI & IPSG

• Quality of Service

- Strict Priority Queuing

- 1 Rate Tri-Color Policing

• Ethernet OAM 802.3ah

Routing / Branch Features

• Routed Virtual Interfaces (RVI)

• Static Routing

• OSPFv2

- MD5 Authentication

- Route Filtering

• Policy Based Routing

• Virtual Router Redundancy Protocol

• L3 Generic Routing Encapsulation

• Multicast

- PIM-SM

- IGMP Snooping/MLDv1

• Network Address Translation

• Stateful Firewall

• Site to Site VPN

- Includes OSPF over VPN


Features & Capabilities Overview

Authentication & Security

• Role Based User Access

• User Derived Roles

- MAC Address Variable Match

- DHCP Signature Match

- LLDP/CDP Phone Match

• AAA Authentication

- 802.1x

- MAC Auth

- Captive Portal (Internal/External)

• External Authentication Servers

- Radius

- TACACS+

- LDAP

• Radius Fail-Open

Aruba Portfolio Integration

• Aruba Activate

• Mobility Controller

- Tunneled Node

- AirGroup

- Auto AP PoE Prioritization

- Auto AP QoS Trust

• Instant AP

- Auto AP PoE Prioritization

- Auto AP QoS Trust

- Rogue AP Enforcement

- VLAN Sharing

• ClearPass Policy Manager (CPPM)

- Downloadable Roles & ACLs

- Redirect to ClearPass Guest


ArubaStack

• Supported on All Platforms

– S2500/S3500: includes mixed family ArubaStack support, which creates cost optimized wiring closets

– S1500

• Join Up to 8 Mobility Access Switches

– 10GBase-X or DAC

– 1GBase-X

– Up to 10km Links

• Simplified & Cost Optimized

– Single management IP address

– Single configuration file

• Flexible Access Architecture

– Extend stack across wiring closets & buildings

– Right-size number of uplinks to distribution/core

• Built-in Redundancy

– Automatic insertion/removal

– Optimized traffic forwarding

[Diagram: ArubaStack extends a single managed stack across wiring closets; Closet 1 and Closet 2 linked by 10GBase-SR/LR/LRM]


AirWave Management Platform & Mobility Access Switch

• Hardware Monitoring & User Visibility

– Inventory and Uptime

– Visibility Into Wired Network Usage

– SNMP Trap and Syslog Support

• Software Configuration & Firmware Management

– Configuration Changes

– Configuration Backups

– Firmware Upgrades

• Reporting

– Compliance Reporting

– Report and Track Wired Users


Aruba Activate

Simplify and enable rapid deployment

• Automates Product Installation

• Automates Software Updates

• Inventory Management

Installer steps at the branch location: 1. Connect device 2. Verify LEDs GREEN 3. Move to new location 4. Repeat steps 1-3

Provisioning flow between the Mobility Access Switch (branch location), Aruba Activate and the Airwave Management Platform (headquarters location):

1. Customer enables the service and inputs provisioning rules.

2. Mobility Access Switch first attempts to download a configuration via TFTP.

3. When TFTP fails, the Mobility Access Switch attempts to contact Activate. Mobility Access Switch sends Serial Number and system MAC address.

4. Airwave responds with Airwave IP, Shared Secret, Group Name and Folder Name.

5. Mobility Access Switch contacts Airwave and provides Shared Secret, Group Name and Folder Name.

6. Airwave contacts Mobility Access Switch and pushes down group configuration.

[Diagram: speech bubbles for each step: “TFTP? Are you there?”, “Help me Aruba Activate, you’re my only hope!”, “Hi Mobility Access Switch!”, “Hi Airwave! Configure Me!”, “Hi Mobility Access Switch!”, “Yippie! All Configured!”]


Software Defined Networking


Software Defined Unified Access

[Diagram: SDN Control Plane (Controller, AirWave, ClearPass) monitoring Wi-Fi, Wired, WAN and VPN; for the User: Personalized Experience; for IT: Simplify Network Ops; functions shown: Access, Policy, Mobility, State, Performance, Management, Location, Content, Network Apps, Analytics; Onboard New Apps, BYOD & Guests; Flow Awareness, App Services]


Airgroup Today

Multicast DNS traffic is forwarded via GRE to the Mobility Controller to provide AirPlay/AirPrint services between VLANs and between Wired/Wireless. *New in AOS 7.2

[Diagram: Mobility Controller behind Core/Distribution, with Airwave Management Platform (Optional) and ClearPass Policy Manager (Optional); VLANs shown: Campus-PSK VLAN 100-104, Campus-802.1x VLAN 200-204, VLAN 400, VLAN 500, Guest VLAN 999; AirGroup devices registered to User X and User Y (Role Faculty), User A, User B and User C (Role Student), and Guest]


Flow Steering Tomorrow

• Virtual paths per user/app

• Unified access on multi-vendor network

• Stitching flows across roles

[Diagram: multi-vendor network of switches labelled “OF”]


Aruba AP Interworking


Aruba AP Interworking

• Auto PoE Prioritization (IAP/CAP)

• Auto QoS Trust (IAP/CAP)

• Rogue AP Enforcement (IAP)

• VLAN Sharing (IAP)

[Diagram: speech bubbles between an Aruba AP and the Mobility Access Switch]

– PoE prioritization: AP: “Hi! I’m an Aruba AP!” Switch: “Hi! You’re critical to the network so I’m going to set your PoE priority to high!”

– QoS trust: AP: “Hi! I’m an Aruba AP!” Switch: “Hi! You’re an extension of the access layer so I’m going to trust your QoS markings”

– Rogue AP enforcement: AP: “ALERT! I’ve found a Rogue AP!” Switch: “I’ll shut it down! I’ll block its traffic if I find it on trunk or shutdown the access port”

– VLAN sharing: AP: “I’ve created 3 VLANs!” Switch: “Alright, I’ll automatically add them to our trunk port. Thanks!”


Begin Demo 1


Role Based User Access


Aruba AAA View Of The World

Our Mobility Access Switches see…

• Manufacturers (via MAC OUI)

• Operating Systems (via DHCP fingerprinting)

• IP Phones (via device-type fingerprinting)

And our security enforcement model uses…

• MAC Addresses

• Usernames/Passwords

• User-roles

…provisioned locally or dynamically, which simplifies AAA deployments


What is a User-Role?

A user-role is a container that consists of:

• VLAN ID

• Access Control Lists

• QoS Profile

• Policer Profile

• Captive Portal Settings

• VoIP Profile

…A user-role can be referenced locally or passed down via a Radius Vendor Specific Attribute


How Do I Implement User-Roles? User Derivation Rules

No External Radius Required!

• Manufacturers by Vendor OUI

– Instead of pre-populating a user database or a static MAC bypass list with MAC addresses from the same vendor, create a UDR to match on the vendor’s OUI (first 6 hex digits or 24 bits of the MAC address) and assign a VLAN or user-role.

• Operating Systems by DHCP Fingerprinting

– Operating systems and some classes of devices use unique DHCP messages (e.g. the options they request, the order of the options). A UDR can be created to match on that unique fingerprint or signature and assign a VLAN or user-role.

• IP Phone by Device-Type Fingerprinting

– IP phones and AAA don’t always get along. Device-type fingerprinting lets you match on an IP phone’s LLDP/CDP “phone” capability announcement, so you can create a UDR to assign a VLAN or user-role.
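The three derivation sources above are the same decision in different clothing: look at something the endpoint sends (OUI, DHCP option list, LLDP/CDP capability), find the first configured rule that matches, and hand out that rule's VLAN and user-role. The Python below is an added example, not Aruba code or anything from the deck: it models a UDR table as a small first-match rule engine. The rule fields, the sample OUI 00:11:22, the DHCP option-55 signature and the endpoints are all constructed for this example, and the default role name "logon" is simply the caller's choice. Because OUI and DHCP fingerprints are claimed by the endpoint rather than proven, the derived roles in the sample are kept narrow; broader access belongs with the 802.1x method on the next slide.

```python
"""User Derivation Rules as a first-match rule engine (added illustration, not Aruba code)."""
from dataclasses import dataclass
from typing import Optional

HEX = set("0123456789abcdef")


def hex_only(s: str) -> str:
    """Strip separators so 00:11:22, 00-11-22 and 0011.22 compare equal."""
    return "".join(c for c in s.lower() if c in HEX)


def oui(mac: str) -> str:
    """Vendor OUI: the first 24 bits (6 hex digits) of a 48-bit MAC address."""
    digits = hex_only(mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits[:6]


@dataclass(frozen=True)
class Endpoint:
    mac: str
    dhcp_param_request_list: tuple = ()          # DHCP option 55, in the order sent
    lldp_capabilities: frozenset = frozenset()   # e.g. {"phone"} from LLDP-MED / CDP


@dataclass(frozen=True)
class UDR:
    kind: str                # "oui" | "dhcp" | "phone"  (field names are constructed)
    match: object            # OUI string, option-55 tuple, or None for "phone"
    role: str
    vlan: Optional[int] = None


def matches(rule: UDR, ep: Endpoint) -> bool:
    if rule.kind == "oui":
        return oui(ep.mac) == hex_only(rule.match)
    if rule.kind == "dhcp":
        # The signature is the exact option list; order is part of the fingerprint.
        return tuple(ep.dhcp_param_request_list) == tuple(rule.match)
    if rule.kind == "phone":
        return "phone" in ep.lldp_capabilities
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def derive(rules, ep: Endpoint, default_role: str = "logon"):
    """First matching rule wins, in configured order; no match keeps the default role."""
    for rule in rules:
        if matches(rule, ep):
            return rule.role, rule.vlan
    return default_role, None


# Constructed rule table: phone match first, then a printer vendor OUI, then an OS signature.
SAMPLE_RULES = [
    UDR("phone", None, role="voice", vlan=20),
    UDR("oui", "00:11:22", role="printer", vlan=30),
    UDR("dhcp", (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252),
        role="corp-windows", vlan=10),
]


def sample_endpoints():
    """Constructed endpoints: one per derivation source plus an unknown device."""
    return {
        "phone": Endpoint("00:aa:bb:cc:dd:01", (1, 3, 6), frozenset({"phone"})),
        "printer": Endpoint("00-11-22-33-44-55"),
        "laptop": Endpoint("8c:85:90:00:00:01",
                           (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252)),
        "unknown": Endpoint("de:ad:be:ef:00:01", (1, 3, 6)),
    }


def derive_all(rules=SAMPLE_RULES, endpoints=None):
    endpoints = sample_endpoints() if endpoints is None else endpoints
    return {name: derive(rules, ep) for name, ep in endpoints.items()}


if __name__ == "__main__":
    for name, (role, vlan) in derive_all().items():
        print(f"{name:8s} -> role={role} vlan={vlan}")
```

Rule order matters: a phone whose MAC also falls in a printer OUI gets the voice role only because the phone rule is listed first, which is why the sample puts the most specific evidence (an explicit capability announcement) ahead of the weaker OUI and DHCP matches.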


How Do I Implement User-Roles? Traditional AAA Services

Supported with Internal and External Auth Servers!

• 802.1x

– For clients with 802.1x compatible supplicants, 802.1x provides secure access using usernames/passwords and/or certificates. Authenticated users can be assigned a default user-role or a specific user-role.

• MAC Authentication

– For network assets that do not support 802.1x, MAC authentication can be used to allow access to the network. Authenticated users can be assigned a default user-role or a specific user-role.

• Captive Portal

– For guest clients, a web page can be provided so that they can log in and gain access. Guest users can then be assigned a specific user-role limiting their network access.


Begin Demo 2


ClearPass Policy Manager Integration


ClearPass Policy Manager Integration

[Diagram: 802.11n AP and Mobility Access Switch (Policy Enforcement) connected to the Mobility Controller and to ClearPass (Policy Definition)]

1. User provides their credentials and other context to authenticate. Context: User: Joe Smith; Role: Guest; Device: Apple iPad; Date: M-F, 8am-5pm; Access: Internet

2. ClearPass Policy Manager returns Role & Policy for User/Device

3. Role & Policy pushed to the Mobility Access Switch for Role & Policy Enforcement; Role & Policy pushed to the Mobility Controller for Role & Policy Enforcement**

**Roadmap
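Step 2 above, and the earlier user-role slide's note that a role can be "passed down via a Radius Vendor Specific Attribute", both come down to one RADIUS Access-Accept carrying the role name. The Python below is an added example, not Aruba or ClearPass code and not from the deck: it walks the standard RADIUS attribute layout (RFC 2865: Type, Length, Value, with Vendor-Specific being type 26 and carrying a 4-byte Vendor-Id followed by vendor sub-attributes), extracts the role, and falls back to the default role configured for the authentication method when the server sends none. The Aruba vendor id 14823 and sub-attribute numbers 1 (Aruba-User-Role) and 2 (Aruba-User-Vlan) are the published Aruba RADIUS dictionary values; the packet bytes and the user name are constructed here. The example parses only the attribute list: in a real switch the reply's Response Authenticator must already have been checked against the RADIUS shared secret before any role in it is honoured.

```python
"""Extracting a user-role VSA from a RADIUS Access-Accept (added illustration, not Aruba code)."""
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type
USER_NAME = 1               # RFC 2865 attribute type, used only in the sample packet
ARUBA_VENDOR_ID = 14823     # Aruba RADIUS dictionary
ARUBA_USER_ROLE = 1         # Aruba-User-Role (string)
ARUBA_USER_VLAN = 2         # Aruba-User-Vlan (integer)


def iter_attributes(blob: bytes):
    """Yield (type, value) pairs; refuse inconsistent lengths instead of guessing."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        yield atype, blob[i + 2:i + alen]
        i += alen


def iter_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, data) triples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    rest, i = value[4:], 0
    while i < len(rest):
        if len(rest) - i < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = rest[i], rest[i + 1]   # Vendor-Length includes these two bytes
        if vlen < 2 or i + vlen > len(rest):
            raise ValueError("bad vendor sub-attribute length")
        yield vendor_id, vtype, rest[i + 2:i + vlen]
        i += vlen


def resolve_role(attrs: bytes, default_role: str):
    """Return (role, vlan): the server's Aruba-User-Role wins, otherwise the
    default role for the authentication method; other vendors' VSAs are ignored."""
    role, vlan = default_role, None
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, data in iter_vsa(value):
            if vendor_id != ARUBA_VENDOR_ID:
                continue
            if vtype == ARUBA_USER_ROLE:
                role = data.decode("ascii")
            elif vtype == ARUBA_USER_VLAN and len(data) == 4:
                vlan = struct.unpack("!I", data)[0]
    return role, vlan


def is_malformed(attrs: bytes) -> bool:
    """True when the attribute list cannot be walked consistently; such a reply
    should be dropped rather than partially trusted."""
    try:
        for atype, value in iter_attributes(attrs):
            if atype == VENDOR_SPECIFIC:
                list(iter_vsa(value))
        return False
    except ValueError:
        return True


def build_vsa(vendor_id: int, vtype: int, data: bytes) -> bytes:
    """Encode one vendor sub-attribute inside a Vendor-Specific attribute."""
    sub = bytes([vtype, len(data) + 2]) + data
    value = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(value) + 2]) + value


def sample_accept() -> bytes:
    """Constructed attribute section: User-Name plus Aruba role "guest" and VLAN 999."""
    user = b"joe.smith"
    return (bytes([USER_NAME, len(user) + 2]) + user
            + build_vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, b"guest")
            + build_vsa(ARUBA_VENDOR_ID, ARUBA_USER_VLAN, struct.pack("!I", 999)))


if __name__ == "__main__":
    print(resolve_role(sample_accept(), default_role="authenticated"))
    print(resolve_role(b"", default_role="authenticated"))
```

The VLAN 999 in the constructed packet mirrors the Guest VLAN on the AirGroup slide; with the role present the switch applies it, and with an empty attribute list the method's default role applies, which is the behaviour the traditional AAA slide describes for 802.1x and MAC authentication.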


Begin Demo 3


Thank You
