breakout - airheads macau 2013 - unified access: deploying mobility access switches & instant

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 1 #airheadsconf#airheadsconf

Unified Access: Deploying Mobility Access Switches & Instant

Madani AdjaliNovember 14th

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 2 #airheadsconf

Platform OverviewSoftware Defined NetworkingAruba AP InterworkingRole Based User AccessClearPass Policy Manager Integration

Agenda

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 3 #airheadsconf#airheadsconf3

Platform Overview


Introducing the Aruba Mobility Access Switch Family

• Security to wired access– Flexible role-based access– Policy moves from wireless to wired

• Operational simplicity– Low-touch installation and configuration– Dynamic configuration of user policies– Integration with Aruba APs

• Simplify the network– Reduce VLANs in the closet – Extend logical configurations

• 802.11ac Ready– Scaled to support high-density

deployments– PoE+ on every switch port– 10GbE uplinks (S2500/S3500)


Mobility Access Switch Capabilities

Tunnel from wireless AP

A. Ethernet Switch• Layer 2/3 forwarding• Native Role-based policy

enforcement

B. Integration with ClearPass• Downloadable Role/ACL• Captive Portal

C. Wired Access Point• Tunneled Node • Role-based policy

enforcement at Mobility Controller

• Single policy for WLAN and LAN

A. L2/L3 Forwarding

C. Wired APMobility Access

Switch

Access Point

LAN Core

MobilityController

AirWave Management

Platform

ClearPass Policy Manager

B. User-Role Download


S3500 Mobility Access Switch

• Designed for Wired Access– 24/48 Port Models

– Wire-rate and non-blocking performance

– Role-based access with user visibility

– Per port PoE/PoE+

• ArubaStack– Stack up to 8 devices

– Up to 384x GbE and 16x 10GbE

– Single management IP address

– Single configuration file

• Flexible Forwarding Options– Traditional L2/L3 Switching

– Tunnel traffic to Mobility Controller

• Modular Components– Field replaceable AC power supplies• Optional redundant power supply

– Field replaceable fan tray

– Optional 4-port uplink module• 1000BASE/10GBASE-x SFP/SFP+ PoE budget values are provided for single PSU and dual PSU configurations

SKU Ports PoE Budget

S3500-24F 24x1000BASE-x Not Applicable

S3500-24T 24x10/100/1000BASE-T Not Applicable

S3500-24P 24x10/100/1000BASE-T 400W | 689W

S3500-48T 48x10/100/1000BASE-T Not Applicable

S3500-48P 48x10/100/1000BASE-T 400W | 689W

S3500-48PF

48x10/100/1000BASE-T 850W | 1465W


S3500: Front and Rear Views

• Modular Components– Power Supplies

– Fan Tray

– Uplink Module

• Management– Console (RJ45 Serial)

– Out-of-band Ethernet

– USB Storage

– LCD Display

• Dimensions & Airflow– 1RU

– 1.75˝ (H) x 17.5˝ (W) x 17.5˝ (D)

– Front/Side to Rear Airflow

• Mounting Options– 2 Post Rack (front & mid-

mount)

– 4 Post Rack

– Wall Mount

• Limited Lifetime Warranty

Optional Uplink Module

S3500 Rear View

USB

Console

Field-Replaceable Fan Tray

Hot-Swappable Power Supplies

EthernetOut-of-Band

S3500-24F Front View

24x1000BASE-X SFP Ports

LCD

S3500-48P Front View

Fixed 10/100/1000BASE-T Ports

LCD



• Designed for Wired Access– 24/48 Port 10/100/1000BASE-T





– Up to 384x GbE and 16x 10GbE



– Stackable with S3500



• Integrated Components– Built in fans for quiet operation

– Fixed 4-port uplinks • 1000BASE/10GBASE-x SFP/SFP+


S2500-24T 24x 10/100/1000BASE-T

Not Applicable

S2500-24P 24x 10/100/1000BASE-T

400W

S2500-48T 48x 10/100/1000BASE-T

Not Applicable

S2500-48P 48x 10/100/1000BASE-T

400W


S2500: Front and Rear Views

S2500 Front View

S2500 Rear View

LCD Display

USB Integrated Power Supply

Fixed 10/100/1000BASE-T Ports

EthernetOut-of-Band

RJ-45 & Mini-USBConsole

• Fixed Components– Built-in 4xSFP/SFP+ Uplinks

– Integrated Power Supply

• PoE Budget– 400W

– PoE Priority Available

• Management– Console (RJ45 & mUSB Serial)

– Out-of-band Ethernet

– USB Storage

– LCD Display


– 1.75˝ (H) x 17.5˝ (W) x 12˝ (D)

– Side to side airflow

• Mounting Options– 2 Post Rack (Front)

– Wall & 2-Post Mid Mount


Fixed4x 1000BASE-x/10GBASE-x

(SFP/SFP+) Ports

Fixed Fans



• Designed for Wired Access– 12/24/48 Port 10/100/1000BASE-T









• Integrated Components– Built in fans for quiet operation

(24P/48P)

– Fanless (12P)

– Fixed 2-port (12P) & 4-port (24P/48P) uplinks • 1000BASE-x SFP


S1500-12P 12x 10/100/1000BASE-T

120W

S1500-24P 24x 10/100/1000BASE-T

400W

S1500-48P 48x 10/100/1000BASE-T

400W


S1500-24P/48P: Front and Rear Views

S1500-48P Front View

S1500-24/48P Rear View

Console

USB Integrated Power Supply

Fixed4x 1000BASE-X

(SFP) Ports

48x 10/100/1000 (RJ45) Ports

Mode LEDs and Selector

• Fixed Components– Built-in 4xSFP Uplinks


• PoE Budget– 400W


• Features & Scaling– Same features as S2500/S3500

– Reduced scaling vs. S2500/S3500

• Management– Console (RJ45)

– USB Storage


– 1.75˝ (H) x 17.5˝ (W) x 12˝ (D)

– Side to side airflow

• Mounting Options– 2 Post Rack (Front)

– Wall & 2-Post Mid Mount



S1500-12P: Front and Rear Views

S1500-12P - Front View

USB Console RJ-45

12x 10/100/1000Base-T With 8x PoE/PoE+)

2x 1000BASE-x(SFP)

Mode LEDs and Selector

Cooling Vents on Top and Bottom for

Fanless Design

• Fixed Components– Built-in 2xSFP Uplinks


• PoE Budget– 8x PoE/PoE+ with 120W Budget


• Features & Scaling– Same features as S2500/S3500

– Reduced scaling vs. S2500/S3500

• Management– Console (RJ45)

– USB Storage

• Dimensions & Airflow- 1.72" (H) x 13" (W) x 8.9" (D)

– Fanless

• Mounting Options– Desktop (Rubber feet included)

– Rack & Wall Mount (Included)

– Magnet Mount (Optional)


S1500-12P - Rear View

Integrated Power Supply

Security Lock Slot


• All “P” models support PoE on all ports– Both IEEE 802.3af (PoE), IEEE 802.3at (PoE+) & Pre-Standard

– Ready for PoE+ devices today (e.g. 11ac APs)

• Share PoE budget across ports– PoE draw automatically negotiated by connected device

– Minimize design and configuration effort

• Ability to limit PoE output per port– Helps manage PoE usage with limited PoE budgets

• Prioritize PoE availability during a power loss– Ensure critical devices remain available

– Ports set to low (default), high or critical

– Aruba APs automatically recognized and set to “high”

• Efficient use by defining PoE time-of-day profiles– Shut-off PoE during non-use hours and/or days

– Power cost savings and physical security

Power over Ethernet Support


S1500/S2500 PoE Budget

S1500-12P150W PSU with120W budget

S1500/S2500-24P/48P580W PSU with400W budget

Class/APMax Power at Device

(W)

Max Power at Switch (W)

Number of Devices Supported

Number of Devices Supported

802.3af 12.95 15.4 7 25

802.3at 25.5 30 4 13

AP-92/93 8 8.35 8 47

AP-93H 9 9.45 8 42

AP-104/105

12.5 13.4 8 29

AP-114/115 13 13.98 8 28

AP-124/125

16 17.5 6 22

AP-134/135

12.5 13.4 8 29

AP-224/225

15 16.3 7 24

AP-175 18 20 6 20


S3500 PoE Budget with 600W P/S

PSU 0 (600W)(standalone)400W budget

PSU 1 (600W)(redundant)

400W budget

PSU 1 (600W)(load sharing)689W budget

Class/APMax Power at

Device (W)Max Power

at Switch (W)Number of Devices Supported

802.3af 12.95 15.4 25 25 44

802.3at 25.5 30 13 13 22

AP-92/93 8 8.35 47 47 48

AP-93H 9 9.45 42 42 48

AP-104/105

12.5 13.4 29 29 48

AP-114/115 13 13.98 28 28 48

AP-124/125

16 17.5 22 22 39

AP-134/135

12.5 13.4 29 29 48

AP-224/225

15 16.3 24 24 42

AP-175 18 20 20 20 34


S3500 PoE Budget with 1050W P/S

PSU 0 (1050W)

(standalone)850W budget

PSU 1 (1050W)

(redundant)850W budget

PSU 1 (1050W)

(load sharing)1465W budget

Class/APMax Power at

Device (W)Max Power

at Switch (W)Number of Devices Supported

802.3af 12.95 15.4 48 48 48

802.3at 25.5 30 28 28 48

AP-92/93 8 8.35 48 48 48

AP-93H 9 9.45 48 48 48

AP-104/105

12.5 13.4 48 48 48

AP-114/115 13 13.98 48 48 48

AP-124/125

16 17.5 48 48 48

AP-134/135

12.5 13.4 48 48 48

AP-224/225

15 16.3 48 48 48

AP-175 18 20 42 42 48


Features & Capabilities Overview

• Spanning Tree- Multiple Spanning Tree (MSTP)- Rapid PVST+

• Link Aggregation Group• Hot Standby Link• L2 Generic Router Encapsulation• Voice VLAN- LLDP-MED- CDP Fingerprinting

• Port Security- DHCP Snooping, DAI & IPSG

• Quality of Service- Strict Priority Queuing- 1 Rate Tri-Color Policing

• Ethernet OAM 802.3ah

Platform / Layer 2 Features Routing / Branch Features• Routed Virtual Interfaces (RVI)• Static Routing• OSPFv2- MD5 Authentication- Route Filtering

• Policy Based Routing• Virtual Router Redundancy Protocol• L3 Generic Router Encapsulation• Multicast- PIM-SM- IGMP Snooping/MLDv1

• Network Address Translation• Stateful Firewall• Site to Site VPN- Includes OSPF over VPN


Features & Capabilities Overview

• Role Based User Access• User Derived Roles- MAC Address Variable Match- DHCP Signature Match- LLDP/CDP Phone Match

• AAA Authentication- 802.1x- MAC Auth- Captive Portal (Internal/External)

• External Authentication Servers- Radius- TACACS+- LDAP

• Radius Fail-Open

Authentication & Security Aruba Portfolio Integration• Aruba Activate• Mobility Controller- Tunneled Node- AirGroup- Auto AP PoE Prioritization- Auto AP QoS Trust

• Instant AP- Auto AP PoE Prioritization- Auto AP QoS Trust- Rogue AP Enforcement- VLAN Sharing

• ClearPass Policy Manager (CPPM)- Downloadable Roles & ACLs- Redirect to ClearPass Guest


• Supported on All Platforms– S2500/S3500• Includes mixed family ArubaStack support

which creates cost optimized wiring closets

– S1500

• Join Up to 8 Mobility Access Switches– 10GBase-X or DAC– 1GBase-X– Up to 10km Links

• Simplified & Cost Optimized– Single management IP address– Single configuration file

• Flexible Access Architecture– Extend stack across wiring closets and&

buildings– Right-size number of uplinks to

distribution/core

• Built-in Redundancy– Automatic insertion/removal– Optimized traffic forwarding

ArubaStack

Closet 2

10GBase-SR/LR/LRM

Closet 1 ArubaStack extends a single managed stack across wiring

closets


• Hardware Monitoring & User Visibility – Inventory and Uptime

– Visibility Into Wired Network Usage

– SNMP Trap and Syslog Support

• Software Configuration & Firmware Management– Configuration Changes

– Configuration Backups

– Firmware Upgrades

• Reporting– Compliance Reporting

– Report and Track Wired Users

AirWave Management Platform &Mobility Access Switch


2. Mobility Access Switch first attempts to download a configuration via TFTP

Aruba Activate

Simplify and enable rapid deployment

1. Connect device 2. Verify LEDs GREEN 3. Move to new location 4. Repeat steps 1 3

Branch Location

Mobility Access Switch

Airwave Management Platform

Headquarters Location

3. When TFTP fails, the Mobility Access Switch attempts to contact Activate. Mobility Access Switch sends Serial Number and system MAC address.

4. Airwave responds with Airwave IP, Shared Secret, Group Name and Folder Name.

5. Mobility Access Switch contacts Airwave and provides Shared Secret, Group Name and Folder Name.

6. Airwave contacts Mobility Access Switch and pushes down group configuration

TFTP? Are you there?

Help me Aruba Activate, you’re my only

hope!Hi Airwave! Configure

Me!

• Automates Product Installation

• Automates Software Updates

• Inventory Management

1. Customer Enables Service& Inputs Provisioning Rules

Hi Mobility Access Switch!

Yippie! All Configured!

Hi Mobility Access Switch!

Aruba Activate


Software Defined Networking


Software Defined Unified AccessPe

rson

alize

d Ex

perie

nce

User

Sim

plify

Net

wor

k O

ps

IT

VPN

Access Policy Mobility State Performance

Management Location Content Network AppsAnalytics

Onboard New Apps, BYOD & Guests

Flow Awareness, App Services

Monitor Wi-Fi, Wired & WAN Controller AirWaveClearPass

SDN Control Plane


Airgroup Today

Airwave Management Platform (Optional)

ClearPass Policy Manager (Optional)

Mobility Controller

Core/Distribution

Registered to: User X

Role Faculty

Guest

Registered to: User C

Role Student

Guest

Registered to: User C

Role StudentRegistered to: User Y

Role Faculty

Registered to: User B

Role Student

Registered to: User X

Role Faculty

Campus-PSK VLAN: 100-104

Campus-802.1x VLAN: 200-204VLAN 400VLAN 500

Guest VLAN: 999

GuestRegistered to: User A

Role Student

Multicast DNS traffic is forwarded via GRE to Mobility Controller to provide AirPlay/AirPrint services between VLANs and between Wired/Wireless.

Registered to: User B

Role Student

*New in AOS 7.2


Flow Steering Tomorrow

OF

OFOF

OF

OF

OFOF

OF

OF

OFOF

OF

• Virtual paths per

user/app

• Unified access on

multi-vendor network

• Stitching flows

across roles

Aruba SDN Control Plane

Any Vendor Core

OF


Aruba AP Interworking


Aruba AP Interworking

Auto PoE Prioritization (IAP/CAP)

Auto QoS Trust (IAP/CAP)

Rogue AP Enforcement (IAP)

VLAN Sharing (IAP)

Hi! You’re critical to the network so I’m going to set your PoE priority to high!

Hi! I’m an Aruba AP!

Hi! You’re an extension of the access layer so I’m going to

trust your QoS markings

Hi! I’m an Aruba AP!

I’ll shut it down! I’ll block its traffic if I find it on trunk or shutdown the access port

ALERT! I’ve found a Rogue AP!

Alright, I’ll automatically add them to our trunk port. Thanks!

I’ve created 3 VLANs!


Begin Demo 1


Role Based User Access


Aruba AAA View Of The World

ManufacturersVia MAC OUI

Operating SystemsVia DHCP

Fingerprinting

Our Mobility Access Switches see…

And our security enforcement model uses…

MAC Addresses

Usernames/Passwords

IP PhonesVia Device-Type Fingerprinting

User-roles

…provisioned locally or dynamicallywhich simplifies AAA deployments


A user-role is a container that consists of:

• VLAN ID• Access Control Lists• QoS Profile• Policer Profile• Captive Portal Settings• VoIP Profile

What is User-Role?

…A user-role can be referenced locally or passed down via a Radius Vendor Specific Attribute


•User Derivation Rules

• Manufacturers by Vendor OUI– Instead of pre-populating a user database or a static MAC bypass list with

MAC addresses from the same vendor, create a UDR to match on the Vendor’s OUI (first 6 digits or 24 bits) and assign a VLAN or user-role.

• Operating Systems by DHCP Fingerprinting– Operating systems and some classes of devices utilize unique DHCP

messages (e.g. the options they request, the order of the options). A UDR can be created to match on that unique fingerprint or signature and assign a VLAN or user-role.

• IP Phone by Device-Type Fingerprinting– IP Phones and AAA don’t always get along. Device-Type fingerprinting

allows you to match on an IP Phone’s LLDP/CDP “phone” capability announcement so you can create a UDR to assign a VLAN or user-role.

How Do I Implement User-Roles?

No External Radius Required!


•Traditional AAA Services

• 802.1x– For clients with 802.1x compatible supplicants, 802.1x provides secure

access using usernames/passwords and/or certificates. Authenticated users can be assigned a default user-role or a specific user-role.

• MAC Authentication– For network assets that do not support 802.1x, MAC authentication can

be used to allow access to the network. Authenticated users can be assigned a default user-role or a specific user-role.

• Captive Portal– For guest clients, a web page can be provided so that they can login

and gain access. Guest users can then be assigned a specific user-role limiting their network access.

How Do I Implement User-Roles?

Supported with Internal and External Auth Servers!


Begin Demo 2


ClearPass Policy Manager Integration


802.11n AP ClearPass

ClearPass Policy Manager Integration

Mobility Controller

1. User provides their credentials and other

context to Authenticate

Context• User: Joe Smith• Role: Guest• Device: Apple iPad• Date: M-F, 8am-5pm• Access: Internet

Mobility Access Switch

2. ClearPass Policy Manager returns Role

& Policy for User/Device

3. Role & Policy pushed to the Mobility

Controller for Role & Policy Enforcement**

3. Role & Policy pushed to the Mobility Access

Switch for Role & Policy Enforcement

Policy Enforcement Policy Definition

**Roadmap


Begin Demo 3


MACAO

breakout - airheads macau 2013 - unified access: deploying mobility access switches & instant

Technology

aruba networks

unified access

s3500 mobility access

s2500 mobility access

s1500 mobility access

switch port

port poepoe

aruba aps