Juniper Networks Simply Connected Workshop

Juniper NetworksSimply Connected Workshop

Agenda

10h00 : Introduction Westcon Juniper Team10h15 : Juniper WLAN Solution in depth11h30 : WLAN technical

• Virtual WLAN controller• 802.11ac Developments

12h30 : Lunch13h30 : WLAN demo-time

• Ringmaster Demo• SmartPass Demo

15h00 : Break15h20 : Simply Connected Concept16h00 : Q&A16h15 : Network Drink - Closing Cocktail

En France :• 50 collaborateurs• Fondée en 1992, 5 agences• 80m $• ATC et centre de support

Our Company

3

Notre entreprise

Nantes

Paris

Marseille

Toulouse

Lyon

Our Company

4

• Partenariats avec les leaders du marché de la sécurité

• Des services innovants :• Prestations d’installation• Support téléphonique 24x7 et support matériel sous 4h• Centre de formation agréé

• Nous intervenons sur des problématiques de :• Sécurité (réseau, web, postes clients, nomadisme…)• Mobilité• Disponibilité et optimisation des applications• Conformité légale• Wifi

Notre entreprise

Produits ● Services ● Formations

Formations

Nouveaux clients Nouveaux Projets

ArgumentationArchitecture

Offre commerciale

Déploiement et support

Des équipes dédiées pour vous accompagnerà chaque étape du cycle de vente

Agenda






Juniper Wireless LAN Product Portfolio

Access PointsBest price performance, Mass

deployment ready

ControllerScalable, Flexible, Fastest, Highest

capacity

Mobility Mgmt & ServicesUnified Infrastructure and services

Wlan Life Cycle MngtGuest Access

Location Awareness

Mobility System SoftwareSecure, Reliable, Seamless Mobility Services

Juniper WLC Series controller family

4 12 16 32 128 192 256 51264

# of AP

4 AP

WLC2WLC8

12 AP

16 - 128 11n AP

WLC800

16 - 256 11n AP

WLC880

64 - 512 11n AP

WLC2800WLC SeriesHighlights

Simplest solution in the Industry Highest reliability in the industry Only vendor with in-service upgrades Full featured distributed deployment

Bra

nch

Cam

pus

Ente

rpris

e

WLC100

New

JunosV WLC

New4 - 32 11n AP

Juniper WLA Series Access PointNext Generation Family

Entry level 802.11n Indoor 11n/11ac Outdoor 11n/11ac

Single Radio Low Cost AP

Dual Radio Entry-level AP

WLA Series Highlights

Highest performance APs in the industry Most cost effective APs in the industry Full featured Intelligent switching Spectrum analysis across the portfolio Bridging and mesh

3 StreamMIMO

Dual RadioHigh

Performance

WLA532/E

Func

tiona

lity

11ac 3x3 MIMO

Dual RadioAll Weather

Firefox

11ac3x3 MIMO

Dual RadioGigabit

Performance

RAPTORNG Indoor

Q2/ 2014

WLA322

WLA321

NG Outdoor

Q3/ 2014

3x3 MIMODual RadioAll Weather

WLA632

WLA532: High Performance, Enterprise-Grade AP

• Interfaces• Concurrent 3-stream dual-radio operation• Up to 450Mbps link speed on 5GHz• Up to 195Mbps link speed on 2.4GHz• 10x better performance than 802.11a/g • 802.3af PoE power

• Security• Encryption at “air” rate 802.11i, WPA2/AES, WPA/TKIP, WEP• No stored configuration, no serial port, special tool lock screw on bracket•AP to MX data path encryption

Performance and Mobility• Local switching for low latency, high performance• Advanced AP VLAN tunneling

Features Management

AutoTune Dynamic RF management

Antenna Six Internal cross-polarized

antennas with 5 degree down-tilt for best signal strength

Usability & Ease-of-Installation Versatile mounting options for ceiling,

wall mount and wall plugs

Product Ordering WLA532-US: For US operation

WLA532-IL: For Israel operation

WLA532-WW: For Worldwide operation except US and IL

Indoor 11n AP Product Portfolio Comparison

WLA321 WLA322 WLA522 WLA532MIMO Technology 2x2 2x2 2x2 3x3No. of Radios 1 2 2 2Peak Antenna Gain (5GHz) 5dBi 4.5dBi 5dBi 5dBiPeak Antenna Gain (2.4GHz) 4dBi 4.8dBi 3dBi 3dBiMaximum Data Rate 300Mbps 300Mbps 300Mbps 450Mbps5GHz Downstream TCP Throughput at 30feet (w/Atheros Client) ~100Mbps ~110Mbps ~120Mbps ~200Mbps5GHz Downstream TCP Throughput at 100 feet (w/Atheros Client) ~20Mbps ~30Mbps ~60Mbps ~100Mbps

Client Density (Clients receiving downstream throughput at approx. 2Mbps per client, <30 feet from AP) ~40 ~40 ~60 ~100Simultaneous Spectrum Analysis and Wireless Access Services Y Y Y YHW Accelerated Wired Encrypted Tunnel N N Y YTransmit Beamforming N N N YList Price $395 $595 $725 $1,095

Planning and deployment 3D predictive planning tool Indoor and outdoor network plan

Configuration and Verification Complete offline configuration System and service wizards Pushes configuration to WLCs

Monitoring and reporting By user, radio, AP, WLC, SSID 30 day history aids compliance WIDS/WIPS integration

Location aware Search by location Roaming history Geo fencing

RingMaster

Plan

Config

MonitorTroubleshoot

Report

Juniper WLM Series Life Cycle Management

Juniper WLM Series Guest Management

Centralized Guest Access

Database

Web-based access control suite

Guest access module• Ease of use / Bulk user creation• API for 3rd part application integration• SMS / Email creation of guest coupons

with Self-Provisioning

Accounting database • Detailed client accounting history• Reporting available via RingMaster

Access control module • RFC 3576 (Dynamic Radius)• Location awareness for client sessions.

• Allow or deny access based on location

• Change any AAA attribute based on location

• Access Rules (location based, time based or a combination of both)

SmartPass

http://www.google.be/url?sa=i&rct=j&q=smartpass&source=images&cd=&cad=rja&docid=p6iHS8_9vOxS8M&tbnid=UbHEGbKKn0q5aM:&ved=0CAUQjRw&url=http://www.juniper.net/in/en/products-services/software/security/smartpass/&ei=RVJ1UeyUHcPHOcOvgdAJ&bvm=bv.45512109,d.ZWU&psig=AFQjCNHOLujUgCgrRtV0oejG3JwfPw2kig&ust=1366729664925616

Juniper WLM Series Device Onboarding

Automated, Self-Service Onboarding

Automatically provision client devices • Secure 802.1x or PSK access to the

wireless network• Secure 802.1x access to the

wired network

Authentication• Leverages built-in supplicants in

today’s modern OSs• Credentials (PEAP, TTLS) or

Certificates (TLS)

Automates certificate enrollment process• Self service client certificate

deployment from Microsoft CA• Devices

• iOS, Android, Windows, Mac

SmartPass Connect

Software Feature Highlights• Secure Client Mobility

• Roaming across APs, controllers• Identity-based networking

• Controller Virtualization (cluster)• 150 msec AP failover for controller

outages. No session losses• Single point of configuration• Many-to-many in-service resiliency• Dynamic AP load balancing across

controllers• In service maintenance - adds, moves,

changes, upgrades cluster• Distributed Forwarding

• Efficient and flexible data path forwarding

• AP to WLC, WLC to WLC tunneling• Voice application awareness

• Active call management (CAC)• SIP inspection / prioritization• Call details record, audit trail

• Device Profiling• Automatically detects client operation

system• Option to assign policies, depending

on operating system

• AP Load Balancing• APs dynamically assigned to least loaded

controllers• Eliminates management chore of AP-

Controller mapping• Scale capacity w/ zero config• Less waste of AP licenses

• Band Steering & Client Load Balancing• Preserves b/g bandwidth• Prevents “front door” problem• Maximizes per-user bandwidth

• QoS Management• L2/L3/L4 classification, bandwidth, QoS

controls• By user, SSID or application

• Wireless Security• WIDS/WIPS• AAA, guest services• Location Aware WLAN Access• Per session, port, VLAN, AP ACLs• Dynamic authentication (location, time,

bandwidth usage…)

Persistent AP Configuration

• Allows APs to survive reboot• Enhanced Branch Survivability• Enables deployments with periodic

WLC access

Feature Description

• AP boots without controller• Service using ‘last-known’ config • Seamless re-entry to WLC

• Needs APOS on the AP• Supported on WLA-532/322/321

X

Remote AP RADIUS Client

Overview

• Enhances Remote AP capabilities• Extends Branch Survivability• Enables longer latency WAN links

• Feature Description

• 802.1X/RADIUS authentication • RADIUS MAC authentication• RADIUS CoA • Device Fingerprinting• Failover/back session persistence

Campus

EX

WLC

Centralized RADIUS

WAN

Branch

SRX

SRX

Local RADIUS

Controller ClusteringWhy order the HA-license?

• The cluster/HA feature is always available• Why do I need the license?

• The cluster/HA license adds AP-count redundancy:• Scenario: redundant setup for 250 AP’s

• Without the license:– Each controller needs 256 AP licenses

• With the license:– Each controller needs 128 AP licenses + HA license

– During a fail situation, the remaining controller will support 256 AP’s– On WLC-880: HA license = $ 3895 // 128 AP licenses = $ 18580

Juniper WirelessDesinged to scale

• Vlan Pooling• Ability to setup a pool of 32 VLANs per pool and 16 pools per

Cluster• Users connecting to that pool will be balanced across the member

VLANs• Vlan assignment is done using Round Robin mechanism

MICROSOFT LYNC WIFI PARTNER PROGRAM

Set of certifications intended to ensure compatibility between Lync software and WiFi infrastructure networks

3 levels of certification requirements• Fixed data: IM, web-conference, file-sharing• Fixed RealTime Multimedia: audio or video conferencing from desk/conference

room• Mobile RealTime Multimedia: audio/video while on the move

Juniper and a few other vendors have completed certification for wired networking products

Agenda






Virtualized Environment

What is JunosV Wireless LAN Controller?

Hypervisor

VM1 VM2 VM3

JunosV WLC

Juniper is delivering its industry-leading Mobility System Software as a software appliance for deployment in virtualized environments

X86 server platform

JunosV Wireless LAN Controller Overview

Virtual WLAN Appliance WLC delivered as a virtual appliance on

VMware-based hypervisors Runs on standard x86 hardware Maintains features and functionalities of

appliance based WLCs Supports mix-and-match deployment with

physical WLCs

Performance and capacities dependent on host hardware

APs, data plane throughput, session counts scale with host resources

Supports Hypervisor VM functionality vMotion, snapshots, cloning, templates

VMWare vCenter

VM

VM

VM

VM

Virtual Distributed Switch

WLC

Hypervisor on x86 HW

JunosV WLC

EX Series

WLA Access Points

JunosV Wireless LAN Controller Specifications

• Supports up to 256 APs (cluster up to 2048 APs)• Supports 6400 users sessions• 100% SW feature Parity with Appliance WLC• Managed via RingMaster or Network Director 1.5• Requirements:

• VMware ESXi 5.0 (or higher)• Minimum 320 MB RAM• Recommended 2G RAM (for 256 APs/6400 user sessions)• Minimum 16GB disk space• Minimum 1 Ethernet Adapter, recommended 2

– E1000 Network Adapter

JunosV WLCJSA Licensing

• 2 License options:• Perpetual licenses one time charge.

– Maintenance must be purchased separately

• Subscription licensees include maintenance service– Renewed annually

• Voice, Mesh and High-Availability included in AP license• no separate license required

• You still need a Spectrum Analysis license

JunosV WLCImplementation

• Single vCPU / VM instance = 630Mbit/s throughput

• Not enough for .11n / .11ac implementations• Your proposal/design should advise local switching

– Remember you can mix & match local & central switching per SSID

• Practical remark:• Don’t setup all the interfaces in the same vlan

– The virtual controller doesn’t support STP (unlike physical WLC’s)– Change the default config before you start your newly installed

virtual appliance!

JunosV WLCLimitations

• No Webview interface in FRS (will return in MR1)• No support for port groups• No Spanning Tree • No LLDP support

JunosV WLCWhy?

• JunosV WLC is another step towards virtualisation of the control plane

• What will be next?• Sooner

– CAPWAP tunnel termination on EX9200– New control-plane controller (used with EX9200)

• Later – Tunnel termination on the access layer– Embedded WLAN service on the access layer

Agenda






802.11n RecapMIMO Antenna’s

Access Point technology evolution

802.11ac Base

802.11ac Multi-user MIMO

Gigabit Gigabit

802.11n 2 Spatial Streams

802.11n 3 Spatial Streams

450Mbps

300 Mbps

802.11b 802.11g

54 Mbps

11 Mbps

Per R

adio

Spe

ed

Time

802.11ac High Speed WLAN

• Up to 7 gbps (aggregate)• Wider channel bandwidth (80 MHz or 160 MHz)

– Be aware: wider channels leaes less overlapping free channel sets – we have a max of 18 5 GHz channels

• 5 GHz Band• High speed modulation (256 QAM)• Up to 8 spatial streams (= up to 8 Antennas)

– Up to 4 per client

802.11ac Daterates with one spatial stream

6.933,6Mbit/s with 8 Spatial Streams!

Agenda






Wireless Management & Access ControlWLM – Management and Access Control

RingMaster WLM - Appliance SmartPass

WLM – RMTSSoftware Licenses

With 8.0: 64 bit SW5 – 1,000 APs -> 3500

Optimized Linux Server Platform

250 – 5,000 APs

WLM1200 – RMTS WLM – SPSoftware Licenses

WLAN Access Control Guest Provisioning

Plan - Configure - Monitor - Troubleshoot - Report

RingMaster Architecture

Controllers

Controllers

Controller

CAMPUS 2

CAMPUS 1

CAMPUS 3

LAN / WAN

Unified Management

Console

RingMasterServer

Guest Server

3D RF Planning

RingMaster Lifecycle Management

Configuration Management

Monitoring and Troubleshooting

Reporting

RingMaster 9.0Demo

Management: Next StepJuniper Network Director 1.5

• Module for Junos Space• Common Management for WLAN and LAN• Configuration and Monitoring for WLAN and LAN devices• Ringmaster feature parity in version 2.0

SmartPass, Controller and RingMaster

WLAN Controller

SOAP/XML

Location Appliance

RADIUS

RingMaster

Guest User

REST API for Mngt Integration

Login Page: from Controller or SmartPass

Capture Function: Controller

BYOD Issues to solveProvisioning

• How to configure high number of personal devices for access to secure SSID? SmartPass Connect

• Automated self-service onboarding of (mobile) devices:• Windows, Linux, MAC, iOS, Andoid

• Vanishing Agent • downloads from web server, performs configuration tasks, then deletes itself

• Java, ActiveX or html based • depending on platform and capabilities (SPC server automatically figures

out the best vehicle for a given platform)

• Credentials (PEAP) or Certificates (TLS)• Install Client Certificates & Trusted Root CAs• Handle Additional Dependencies (Software, Proxies, etc.)• Cloud based service with local configuration server

IT Admin configures network parameters IT Admin deploys the configuration files to local web server User connects to local web server downloads configuration SPC’s (dissolvable) client runs through configuration on device User device connects to secure network After successfully accessing the network, SPC Client dissolves

How does SmartPass Connect Work?

Admin Console (Cloud Service)

Web Server(locally

deployed=AAA Server

Open SSID Secure SSID

1 2

3 5

4

1

SPC allows agent-less network provisioning:

2

3

4

5

6

6

Network Management

Integration module for Microsoft CAThe CA Integration Module allows the Configuration Wizard to request certificates from a MS PKI infrastructure

• Extends TLS (certificate based authentication) to Non-Domain Devices

• Plug & Play Integration with Microsoft Certificate Services• Module requires that wizard package be installed on Windows

IIS server (domain membership required) • Works with MS CA only

Web Server

MS CASPC Config Wizard

WLC

Corporate Data

Center

Unknown device connects to open captive portal SSID

1

User session is captured and redirected to SmartPass

2

SmartPass web portal presents captive portal and redirects client to provisioning portal

3

Provisioning portal gets user credentials from wizard; validates against AD; and requests user cert for end user

5

Provisioning portal pushes native supplicant config wizard to client device

4

SmartPass

EX SeriesAP

UAC

Employee Owned Device On Corporate Network Employee Self Provisioning

AD/Certificate Authority

User selects secure wireless network and device authenticates to RADIUS without requiring user to enter credentials

7

Wireless UserTablet/smartphone

Provisioning wizard gets EAP-TLS configuration profile (and cert) from provisioning portal; agent dissolves

6

EX Series

SmartPass connect

SmartPass ConnectDemo

Agenda






Simply ConnectedThe Concept

Automated,uninterrupted service

Scalability without complicating the network

Holistic approach to enterprise mobility and BYOD access

HighlyResilient

Safe and simple mobility while protecting assets

Coordinated Security

Performance at Scale

Switching Wireless

Security Routing

EX With UAC Enforce Security Policy

3rd Party Supplicants

Juniper Client

MAG/UAC

Allows automatic and dynamic policy enforcement at the edge of the network including role based dynamic

ACLs without any manual intervention

EX

Protected Resources

SRX… With User Role Firewall

MarketingDepartment

SalesDepartment

CEO(Individual)

No apps blocked Anti-virus applied

WF profile C

P2P apps blocked

Youtube allowed

Anti-virus applied

WF profile A

P2P, Youtube blocked

Anti-virus applied WF profile B

Branch SRX

MAG/UAC

Allows different users to have different applicationpolicies based on their role and group, simply for IT

Security Threat Response Manager (STRM)

STRM supports SRX SeriesIntrusion Prevention System (IPS) and AppSecure220+ out-of-the box report templatesFully customizable reporting engine:

creating, branding and scheduling delivery of reportsCompliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAAReports based on control frameworks: NIST, ISO and CoBIT

Wireless Device on Corp NetworkApplication Restrict Done with the SRX

Device authenticated on wireless network

1Smart Pass Connect

communicates User and IP information to UAC

via IF-MAP

2

UAC pushes role based ACL and FW policies to

EX, WLC and SRX

3SRX AppSecure

Polices block non-work related

applications like Hulu and Netflix

5SRX enforces user

policies allowing user basic access to all

servers except finance

4Apps

Data

Finance

Video

Active Directory /LDAP

Corporate Data Center

WLC


UAC

SRX

AP

Smart Pass Connect

SRX AppTrack feature combined with MAG

data collects per user application information

providing detailed reports in STRM

Internet

EX Series

End To End Security Host Checking and Application Restrict

Mobile User

Corporate Data CenterApps

Data

Finance

Video

Active Directory/LDAP

Patch Remediation

WLCs

Junos Pulse detects device is on corporate network andper user policy disables any active VPN sessions

1During 802.1x authentication. MAG verifies PC meets company software and security policy requirements

2Compliance check fails. Antivirus signatures are out of date and useris quarantined to remediation VLAN. Patch server updates signatures.User is now in compliance and granted network access

3

EX4500 VC and EX4200 VC

SRX

EX4200 VC

SRX AppTrack feature combined with MAG data collects per user application information providing detailed reports in STRM

SRX AppSecure Polices block non-work related applications (based on user’s role in UAC)

6SRX enforces user policies allowing user basic access to all servers except finance

5MAG pushes role based FW policies to EX ,WLC and SRX

4

Virus signatures outdated

Internet

MAG Series(UAC)


Apps

Data

Video

Active Directory/LDAP

MAG with Radius,SSLVPN and UAC

modules

WLCs

User needs to access company intranet overnon-corporate network using iPad

1

User starts Junos Pulse and initiates a secure VPN session with MAG appliance

2

MAG verifies user login, establishes VPN and the device is allowed on the network.

3

EX4500 VC and EX4200 VCs

SRX with IDP/AppSecure

Finance

Mobile Device Remote Network Access Policy and Access Control

Internet

Corporate Data Center

Juniper Wireless LANTechnical Education


Westcon Academy courses:

Introduction to Juniper Wireless LANs (IJWL)• 3 days• Understand the requirements for a secure,

Enterprise-grade Wireless LAN system and configure secure services.

• Use RingMaster management to plan, deploy, configure,manage, monitor and report on a WLS.

• Effectively troubleshoot a WLS system deployment and user connectivity


Westcon Academy courses:

Advanced Juniper Wireless LANs (AJWL)• 4 days• Configure secure WLAN services using digital

certificate-based authentications and machine authentication.

• Configure voice optimized services• Deploy and manage remote APs • Troubleshoot all aspects of a deployed WLS system

Agenda






Juniper Networks Simply Connected Workshop

Documents

Transcript of Juniper Networks Simply Connected Workshop