Aruba Wlans and Advanced Design Fundamentals: #Atm15Anz - @arubaanz

ARUBA WLANS AND ADVANCED
DESIGN FUNDAMENTALS
#ATM15ANZ | @ArubaANZ
Agenda
•  Mobility controller architecture

•  Aruba Instant architecture
•  IAP-VPN
•  Management platforms
–  Aruba Central
–  AirWave
•  Discussion & Questions
#ATM15ANZ | @ArubaANZ 2 CONFIDENTIAL © Copyright 2015. Aruba, a Hewlett Packard Enterprise company. All rights reserved.
Deployment types
•  Mobility Controller: Master-local

•  Mobility Controller: All masters
•  Instant
•  Instant: IAP-VPN
•  Hybrid! (all of the above, mix and match)
Mobility Controller Architecture
Mobility Controller Family
7200 SERIES
256 APs
4,096 IPSec
Transition Content
512 APs
16,384 IPSec
1,024 APs
24,576 IPSec
2,048 APs
32,768 IPSec
#ATM15ANZ | @ ArubaANZ 5 CONFIDENTIAL © Copyright 2015. Aruba, a Hewlett Packard Enterprise company. All rights reserved.
CLOUD SERVICES CONTROLLERS
16 APs
Transition Content
Can be powered via PoE
64 APs
32 APs
10 PoE+
CLOUD SERVICES CONTROLLERS
32 APs, 24 PoE+, 2x10G Transition Content
Campus physical topology
Datacenter Datacenter
Master Master
active backup
Local Controller Local Controller
EDGE EDGE EDGE
Campus logical topology
Master Master
active standby
IPSEC
Local Controller Local Controller
GRE
STANDBY
GRE
PRIMARY
L2 Deployment
MGMT 30 10.200.30.1 ER
IP HELP DNS / DHCP
CORP CLIENTS 31 10.200.31.1

Core/Distribution Switch
BYOD CLIENTS 32 10.200.32.1
GUEST 33 10.200.33.1
Tagged link
30 10.200.30.5
31
Controller
32
33 10.200.33.5
BYOD Client
IP 10.200.32.51
GW 10.200.32.1
L3 Deployment
DNS / DHCP
WAN/Core/Distribution Router
10.200.254.1/30
Transit link
TRANSIT 254 10.200.254.2/30
LOOPBACK lo 10.200.30.1
Controller
CORP CLIENTS 31 10.200.31.1
BYOD CLIENTS 32 10.200.32.1
GUEST 33 10.200.33.1
BYOD Client
IP 10.200.32.51
GW 10.200.32.1
Master controller responsibilities
•  Policy configuration
•  Wireless security (WIPS / RFProtect)
•  AP white lists (CAPs w/ CPsec and RAPs)
•  Initial AP configuration
•  Authentication and roles
Local controller responsibilities
•  AP and session termination

–  Terminates AP tunnels
–  User traffic processed and forwarded
•  RFProtect enforcement and blacklisting
•  ARM
•  Mobility
•  QoS
Controller scaling
•  Controller scaling table (VRD)

•  The important numbers
–  AP capacity
–  User/device capacity << important!
–  Tunnel capacity
•  WMS scaling for master controller
–  Master controller may need to be larger than the locals depending
on the environment
Controller scaling
•  Platform
–  7000 series (7005/7010/7024/7030) should only be used as local
controllers*
–  7200 series should be master for multiple 7000 locals
•  Failover capacity
Campus Forwarding Modes
•  Tunnel
•  Decrypt-tunnel
•  Bridge
•  Configured per virtual-ap

•  Choose based on network topology and requirements
Tunnel
Tunnel-Mode
Mobility
Controller
•  All traffic is tunneled back to controller
•  User VLANs live in controller
•  Wired network is a high-speed overlay
network
GRE Tunnel:
Encrypted •  User traffic passes through stateful
firewall and deep packet inspection
engine (*on 7 series controllers)
Access
Point
Decrypt-tunnel (d-tunnel)
Decrypt-Tunnel-Mode
Mobility
Controller
•  User VLANs live in controller
•  AP decrypts traffic and strips 802.11
headers
•  AP adds 802.3 headers and frame is
GRE Tunnel:
Unencrypted
encapsulated in GRE tunnel to
controller
•  Controller applies firewall policies to
traffic
Access
Point
Bridge
Bridge Mode
Access
Switch
•  User traffic bridged out to local network
•  User VLANs live in edge network
•  Authentication traffic tunneled to
controller
•  Control plane security (cpsec) required
•  Captive portal authentication is not
supported
Access
Point
Campus Redundancy
Master-Local Redundancy
Master Standby
Master Local 1 Local n
Local 2
Fully
Redundant
Master
Local 1 Local n
Local 2
Redundant Aggregation
Master
Local
Hot Standby
Master
Local
No Redundancy
VRRP Failover (L2)
172.16.100.5
VIRTUAL IP
172.16.100.2 172.16.100.3
VRRP MASTER VRRP BACKUP
GRE TUNNEL
SRC-IP <AP>
DST-IP: 172.16.100.5
LMS-IP: 172.16.100.5
VRRP Failover (L2)
172.16.100.5
VIRTUAL IP
172.16.100.3
VRRP MASTER
GRE TUNNEL
SRC-IP <AP>
DST-IP: 172.16.100.5
LMS-IP: 172.16.100.5
AP RE-BOOTSTRAPS
Backup-LMS (L3)
172.16.100.2 10.50.20.2
GRE TUNNEL
SRC-IP <AP>
DST-IP: 172.16.100.2
LMS-IP: 172.16.100.2
BACKUP LMS-IP: 10.50.20.2
Backup-LMS (L3)
172.16.100.2 10.50.20.2
GRE TUNNEL
SRC-IP <AP>
DST-IP: 10.50.20.2
LMS-IP: 172.16.100.2
BACKUP LMS-IP: 10.50.20.2
AP REBOOTS
HA: AP Fast Failover
GRE
GRE STANDBY
ACTIVE
AOS 6.3+
HA: AP Fast Failover
GRE
ACTIVE
AOS 6.3+
AP FF: Controller Roles
•  DUAL: Primary for some APs, standby for others
Transition
•  ACTIVE: Controller does notContent
terminate standby
tunnels for other controllers
•  STANDBY: Controller only terminates standby

tunnels
AP FF: N+1 Oversubscription
Controller Platform Ratio Max GRE tunnels

7000-series
(70-05/10/24/30) Transition
1:1
Content --
7210 4:1 16K

7220 4:1 32K
7240 4:1 64K
M3 & 3600 2:1 16K
AOS 6.4+
Licensing
•  Per-AP
–  AP
–  Policy Enforcement Firewall (PEF)
–  RFProtect
•  Per-Controller
–  Policy Enforcement Firewall VPN (PEFV)
•  For traffic entering through a VPN tunnel
•  Required for VIA
Remote AP (RAP)
Remote AP (RAP)
•  Purpose-built RAPs and campus APs

•  Certificate-based provisioning
Transition
•  Secure wired and wirelessContent
remote access
•  RAPs are Instant out of the box
•  Aruba Activate
Remote AP
INTERNET
Remote AP - Logical
MAC-ETH0 24:DE:C6:CB:4A:F0 SERIAL BZ0030536
ACTIVATE PROVISIONING TYPE IAP TO RAP
Boston-RAP
536
AP GROUP
030
| BZ0
A:F0
CONTROLLER rap.arubanetworks.com
B:4
:D E :C6:C
24
IPSEC TUNNEL INTERNET
rap.arubanetworks.com
RAP Forwarding Modes
•  Tunnel
•  Bridge
•  Decrypt-tunnel
•  Split-tunnel
Split-tunnel
•  Tunnels certain traffic back to controller via IPSec

tunnel (defined in user roles)
•  Allows non-corporate traffic to be bridged out locally
saving bandwidth.
•  RAP handles encryption, decryption and firewall
enforcement locally
Limitations
•  Roaming
•  ARM features
Transition
•  Requires controller Content
licenses
•  Limited visibility
Aruba Instant Architecture
Aruba Instant Overview
•  AP model begins with the letter I

–  IAP-225, IAP-215, IAP-205, etc
•  Instant APs can be converted to controller-based
APs
•  No feature licensing with local management
•  Manage locally, via AirWave, or Aruba Central
(cloud)
•  Dynamic provisioning via Aruba Activate (free)
Aruba Instant Overview - Technical
•  Cooperate locally at L2
•  Multiple uplink options (Ethernet, 4G/LTE, WiFi)
•  ARM, ClientMatch, AppRF, AirGroup, L3 Mobility
•  IAP-VPN for distributed environments
Instant topology
INTERNET
VC
Instant traffic flow
•  Traffic destined for tunnels goes through VC

•  NAT’d traffic (guest) goes through VC
Transition
•  Regular user traffic Content
firewalled, processed and
switched out at AP
Instant traffic flow
INTERNET
VC IP: 172.16.10.5
AP IP: 172.16.10.10 AP IP: 172.16.10.11
[10] 20,30 [10] 20,30
VC
www.google.com Client IP: 172.16.20.10
Instant traffic flow – Guest/NAT
INTERNET
VC IP: 172.16.10.5
AP IP: 172.16.10.10 AP IP: 172.16.10.11
[10] 20,30 [10] 20,30
VC
Internal IAP Guest Network

“Magic VLAN” 3333
172.31.98.x
Src-NAT’d with VC address www.google.com Client IP: 172.31.98.42
IAP-VPN
IAP-VPN Topology
Datacenter 1 Datacenter 2
Master Master Master Master

active backup active backup
INTERNET
Site 1 Site 2 Site 3
VC
VC VC
Benefits
•  Local RF coordination
•  Roaming
Transition
•  Isolated broadcast Content
domains for each cluster
•  Authentication survivability
DHCP modes
•  Local
•  Centralized L2
•  Distributed L2
•  Centralized L3
•  Distributed L3
DHCP modes
DHCP MODE SUBNET DHCP CLIENT GW CORP TRAFFIC LCL/INTERNET

Src-NAT Src-NAT
Local Local Master AP Master AP
IPSec tunnel Master AP IP
Centralized L2 CORP
Transition
Datacenter
Content
Datacenter
Tagged & switched to Src-NAT
datacenter via tunnel Master AP IP
Tagged & switched to Src-NAT
Distributed L2 CORP Master AP Datacenter
datacenter via tunnel Master AP IP
Routed to datacenter Src-NAT
Centralized L3 CORP Datacenter Master AP
inside IPSec tunnel Master AP IP
Routed to datacenter Src-NAT
Distributed L3 CORP Master AP Master AP
inside IPSec tunnel Master AP IP
IAP-VPN licensing
•  For basic VPN connectivity (single role), a

single PEFNG license is required
•  To use different roles for individual
Transition Content IAP
clusters, the PEFV license is required for each
controller
Aruba Activate
Aruba Activate
Transition Content
Aruba Activate
Transition Content
MANAGEMENT
Aruba Central
Aruba Central Overview
•  Cloud management for Instant and MAS

•  ZTP with Aruba Activate
Transition
•  Firmware management Content
•  Reporting
•  Responsive UI (adaptive to any display)
•  AppRF management and visibility
•  Cloud captive portal w/ social
Aruba Central
Aruba Central
Aruba Central
Aruba Central
AirWave
AirWave Overview
•  On-premise solution (VM or physical)

•  Management, monitoring and reporting of Aruba
controllers, Instant clusters,
Transition and MAS
Content
•  Multi-vendor
•  In a hybrid controller-Instant environment,
AirWave recommended
•  Single pane of glass
Single pane of glass
Transition Content
Instant GUI config
Transition Content
Discussion & Questions

Aruba Wlans and Advanced Design Fundamentals: #Atm15Anz - @arubaanz

Uploaded by

Copyright:

Available Formats

Aruba Wlans and Advanced Design Fundamentals: #Atm15Anz - @arubaanz

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aruba Wlans and Advanced Design Fundamentals: #Atm15Anz - @arubaanz

Uploaded by

Copyright:

Available Formats

ARUBA WLANS AND ADVANCED

• Mobility controller architecture

• Mobility Controller: Master-local

32 APs, 24 PoE+, 2x10G Transition Content

Local Controller Local Controller

EDGE EDGE EDGE

Local Controller Local Controller

CORP CLIENTS 31 10.200.31.1

• AP and session termination

• Controller scaling table (VRD)

• Configured per virtual-ap

• DUAL: Primary for some APs, standby for others

• STANDBY: Controller only terminates standby

Controller Platform Ratio Max GRE tunnels

7210 4:1 16K

• Purpose-built RAPs and campus APs

IPSEC TUNNEL INTERNET

• Tunnels certain traffic back to controller via IPSec

• AP model begins with the letter I

• Traffic destined for tunnels goes through VC

www.google.com Client IP: 172.16.20.10

Internal IAP Guest Network

Master Master Master Master

Site 1 Site 2 Site 3

DHCP MODE SUBNET DHCP CLIENT GW CORP TRAFFIC LCL/INTERNET

• For basic VPN connectivity (single role), a

• Cloud management for Instant and MAS

• On-premise solution (VM or physical)

You might also like

•  Mobility controller architecture

•  Mobility Controller: Master-local

•  AP and session termination

•  Controller scaling table (VRD)

•  Configured per virtual-ap

•  DUAL: Primary for some APs, standby for others

•  STANDBY: Controller only terminates standby

•  Purpose-built RAPs and campus APs

•  Tunnels certain traffic back to controller via IPSec

•  AP model begins with the letter I

•  Traffic destined for tunnels goes through VC

•  For basic VPN connectivity (single role), a

•  Cloud management for Instant and MAS

•  On-premise solution (VM or physical)