design fundamentals for remote and branch access networks

#ATM16

Branch and Remote Access NetworksDesign FundamentalsShiv Mehra, Jone Ostebo and Yan Liu @ArubaNetworks |

2#ATM16

Agenda

Product Portfolio

Zero Touch Provisioning

Deployment Models

@ArubaNetworks |

3#ATM16

Cloud Services Controller Portfolio

@ArubaNetworks |

Scal

e

Performance

CAMPUS – 72xx

BRANCH – 70xx

700516 APs/1K Users2 Gbps Firewall

701032 APs/2K Users

12 POE Ports4 Gbps Firewall


7210512 CAP/512 RAP

16K Users20 Gbps Firewall


72201024 CAP/1024 RAP


72402048 CAP/2048 RAP


702432 APs/2K Users

24 POE Ports4 Gbps Firewall

Christian Gilby

removed new since the 7205 and 7024 are ~6 months old

4

Zero Touch Provisioning (ZTP)How to adopt a factory default IAP or Branch Controller

5#ATM16

Zero Touch Provisioning (ZTP)

–Controller Modes–Controller and IAP Base Architecture–Provision Modes–Branch Configuration?–Branch Networking–Bad Configuration Push

@ArubaNetworks |

6#ATM16

Modes supported by the controllers - Master

@ArubaNetworks |

Master11

7240/7220/7210

7#ATM16

Modes supported by the controllers - Local

@ArubaNetworks |

7005

Master11

7240/7220/7210

Local12

8#ATM16

Modes supported by the controllers - Branch

@ArubaNetworks |

7005

Master11

7240/7220/7210 Local12

Branch13

Only 70xx series support BRANCH mode

9#ATM16

ZTP

–Controller Modes–Controller and IAP Base Architecture–Provision Modes–Branch Config?–Branch Networking–Bad Config Push

@ArubaNetworks |

10#ATM16

Branch Controller Architecture

@ArubaNetworks |

INTERNET

Branch 1

Headquarter

Branch 2 Branch 3

Internet

11#ATM16

Branch Controller Architecture

@ArubaNetworks |

Branch 1

Headquarter

Branch 2 Branch 3

INTERNET

InternetVPN

12#ATM16

Instant AP Architecture

@ArubaNetworks |

INTERNET

HeadquarterInternet

Branch 1

InstantCluster

Branch 2

InstantCluster

Branch 3

InstantCluster

13#ATM16

Instant AP Architecture

@ArubaNetworks |

HeadquarterInternet

Branch 1

InstantCluster

Branch 2

InstantCluster

Branch 3

InstantCluster

INTERNET

VPN

14#ATM16

ZTP

–Controller Modes–Controller and IAP Base Architecture–Provision Modes–Branch Config?–Branch Networking–Bad Config Push

@ArubaNetworks |

15#ATM16

Provision Modes

@ArubaNetworks |

Zero Touch Provisioning (Auto) 11

Semi-Auto (mini-setup)12

Manual (full-setup)13

16#ATM16

Zero Touch Deployment

@ArubaNetworks |

DHCP Options11

Activate12

17#ATM16

Zero Touch Deployment

@ArubaNetworks |

DHCP Options11

Activate12

GE 0/0/3

GE 0/0/15

GE 0/0/7

GE 0/0/23

• Last Port of 70xx is set:• VLAN 4094• DHCP Client

18#ATM16

Zero Touch Provisioning – DHCP Options

@ArubaNetworks |

Brand Office

7005 Mobility Controller

BRANCH OFFICE / TELECOMMUTER

Internet Services

INTERNET

DHCP

DHCP Req with Option 60 set to ArubaMC

19#ATM16


@ArubaNetworks |

Brand Office



Internet Services

INTERNET

DHCP


20#ATM16


@ArubaNetworks |

Brand Office



Internet Services

INTERNET

DHCP


DHCP Resp with Option 43 set to Master controller IP and country code of operation for branch controller

21#ATM16


@ArubaNetworks |

Brand Office



Internet Services

INTERNET

DHCP


DHCP Resp with Option 43 set to Master controller IP and country code of operation for branch contoller

22#ATM16

Zero Touch Provisioning – Activate

@ArubaNetworks |

Brand Office



Aruba Activate

INTERNET

DHCP/DNS


DHCP Resp has no Option 43

Resolve device.arubanetworks.com

23#ATM16


@ArubaNetworks |

Brand Office



Aruba Activate

INTERNET

DHCP/DNS




24#ATM16


@ArubaNetworks |

Brand Office



Aruba Activate

INTERNET

DHCP/DNS




Communicate with Activate on port 443 (HTTPS)

25#ATM16

Semi – Auto (mini-setup)

@ArubaNetworks |

Brand Office



Internet Services

INTERNET

DHCP


DHCP Resp without Option 43

Device not found in activate

26#ATM16

Semi – Auto (mini-setup)

@ArubaNetworks |

Brand Office



Internet Services

INTERNET

DHCP


DHCP Resp without Option 43

Device not found in activateEnter Option (partial string is acceptable): mini-setupEnter Branch Master switch IP address or FQDN: 10.69.129.100

Auto-provisioning is in progress. Choose one of the following options to override or debug... 'enable-debug' : Enable auto-provisioning debug logs 'disable-debug' : Disable auto-provisioning debug logs 'mini-setup' : Stop auto-provisioning and start mini setup dialog for branch role 'full-setup' : Stop auto-provisioning and start full setup dialog for any role

Enter Country Code: US

27#ATM16

Manual (full-setup)

@ArubaNetworks |

Enter Option (partial string is acceptable): full-setup

Auto-provisioning is in progress. Choose one of the following options to override or debug... 'enable-debug' : Enable auto-provisioning debug logs 'disable-debug' : Disable auto-provisioning debug logs 'mini-setup' : Stop auto-provisioning and start mini setup dialog for branch role 'full-setup' : Stop auto-provisioning and start full setup dialog for any role

Are you sure that you want to stop auto-provisioning and start full setup dialog? (yes/no): yesEnter System name [Aruba7005]: branch01-7005Enter Switch Role (master|local|standalone|branch) [master]: branchEnter Branch Master switch IP address or FQDN [172.16.0.254]: 10.69.129.100Enter Branch wired uplink port [GE 0/0/0]: GE 0/0/3Enter Branch wired-vlan Type (pppoe|dhcp|static) [static]: dhcpThis controller is restricted to Country code US for United States, please confirm?: yesEnter Time Zone [PST-8:0]: Enter Time in UTC [00:24:38]: Enter Date (MM/DD/YYYY) [5/5/2015]:

28#ATM16

HTTPS (mac address, serial number, SKU)

IAP - Activate Provisioning

@ArubaNetworks |

Internet

Master IAP/VC Activate

HTTPS (Provisioning settings)

DNS


HTTPS

29#ATM16

IAP – DHCP Provisioning

@ArubaNetworks |

Internet

Master IAP/VC ActivateDHCP

DHCP request with option 60

HTTPS

DHCP response with option 43

30#ATM16

ZTP


@ArubaNetworks |

31#ATM16

How does branch get its configuration?

@ArubaNetworks |

– 6.4.3 Introduces Smart Config Menu

– GUI based configuration ONLY

7240/7220/7210

Branch Config Group Whitelist

00:0b:86:b8:c2:98

00:0b:86:bd:33:44

00:0b:86:b8:ff:cd

MAC Address of Remote Branch Controllers 70xx

32#ATM16

How to configure the Whitelist?

@ArubaNetworks |

7240/7220/7210

Aruba Activate

Automatic via Activate

33#ATM16


@ArubaNetworks |

7240/7220/7210

Aruba Activate

Automatic via Activate

34#ATM16


@ArubaNetworks |

7240/7220/7210

Aruba Activate

Automatic via Activate Manual via User Input

7240/7220/7210

35#ATM16


@ArubaNetworks |

7240/7220/7210

Aruba Activate

Automatic via Activate Manual via User Input

7240/7220/7210

36#ATM16

ZTP


@ArubaNetworks |

37#ATM16

What options does the branch config group have?

@ArubaNetworks |

• System• User/Password• Timezone• Syslogs etc.

• Networking• VLAN’s• Ports

• Routing • Policy Based • Static Routes• DHCP

• VPN• WAN

• Survivability• PAN• Optimization • Bandwidth management

Smart Config Menu

38#ATM16

What options does the branch config group have?

@ArubaNetworks |




• VPN• WAN


Smart Config Menu

39#ATM16

What options does the branch configuration group have?

@ArubaNetworks |




• VPN• WAN


Smart Config Menu

40#ATM16

Branch Side VLANs and Subnets

@ArubaNetworks |

Brand Office



Printer

VLAN 2 VLAN 4094

• Uplink VLAN 4094• In-branch VLAN 2

• Dynamically Assign Subnet • Statically upload subnet info

CSC controller-ip cannot be IP of VLAN 4094

41#ATM16

Branch Side VLANs and Subnets

@ArubaNetworks |

Brand Office



Printer

VLAN 2 VLAN 4094

• Uplink VLAN 4094• In-branch VLAN 2

• Dynamically Assign Subnet • Statically upload subnet info

CSC controller-ip cannot be IP of VLAN 4094

42#ATM16

Dynamically Assign Subnets

@ArubaNetworks |

Headquarters

172.16.0.0 – 172.16.255.255

Create a large subnet (e.g. /16)

43#ATM16


@ArubaNetworks |

Headquarters

Brand Office 1

Brand Office 2

Brand Office 3

Brand Office 4

Brand Office 5

Brand Office 6

Brand Office 256

●

●

●

●

172.16.0.0 – 172.16.255.255

Branch 1 – 172.16.1.0/24

Branch 2 – 172.16.2.0/24

Branch 3 – 172.16.3.0/24

Branch 255 – 172.16.255.0/24

●●●●

Specify the size of branch subnet (e.g. /24 )

Branch 4 – 172.16.4.0/24

Branch 5 – 172.16.5.0/24

Branch 6 – 172.16.6.0/24

44#ATM16


@ArubaNetworks |

Headquarters

Brand Office 1

Brand Office 2

Brand Office 3

Brand Office 4

Brand Office 5

Brand Office 6

Brand Office 255

●

●

●

●

172.16.0.0 – 172.16.255.255

Branch 1 – 172.16.1.0/24

Branch 2 – 172.16.2.0/24

Branch 3 – 172.16.3.0/24

Branch 255 – 172.16.255.0/24

●●●●

Specify the size of branch subnet (e.g. /24 )

Branch 4 – 172.16.4.0/24

Branch 5 – 172.16.5.0/24

Branch 6 – 172.16.6.0/24

45#ATM16

Statically Assign Subnets

@ArubaNetworks |

Create a CSV File with the following parameters

• MAC Address – 00:55:55:55:55:43 • Description – STORE01• Timezone - Pacific• DST - ON• Pool1 - Employee• Domain1 – arubanetworks.com• DNS1 – 10.1.10.10• Vlan1 - 2• Vlan1 IP – 192.168.2.1• Mask1 – 255.255.255.0

• Pool2• Domain2• ……….• Pool3• Domain3• ……..• Pool4• Domain4

46#ATM16

Statically Assign Subnets

@ArubaNetworks |

Create a CSV File with the following parameters

• MAC Address – 00:55:55:55:55:43 • Description – STORE01• Timezone - Pacific• DST - ON• Pool1 - Employee• Domain1 – arubanetworks.com• DNS1 – “10.1.10.10,10.2.10.10”• Vlan1 - 2• Vlan1 IP – 192.168.2.1• Mask1 – 255.255.255.0

• Pool2• Domain2• ……….• Pool3• Domain3• ……..• Pool4• Domain4

47#ATM16

ZTP


@ArubaNetworks |

48#ATM16

What happens if we push a bad configuration?

@ArubaNetworks |

7005

Master pushes wrong VLAN11

7240/7220/7210 Causes Connectivity Loss12

49#ATM16

What happens if we push a bad configuration?

@ArubaNetworks |

7005

Master pushes wrong VLAN11

7240/7220/7210 Causes Connectivity Loss12

BoC Factory Defaults13

Master pushes config14

No push after 10 failures15

50#ATM16

Summary - ZTP

@ArubaNetworks |

New mode called “Branch” introduced (only supported on 70xx)11

70xx ships with last port on 4094 with DHCP Client enabled12

ZTP requires DHCP (Option 43) or Activate configured13

Smart Config Menu on 72xx introduced to manage branch configs14

Ability to push VLANs, IP, DHCP server etc config from Smart Menu15

Ability to recover from bad config or upgrade push16

51

Deployment Models - Branch Controller

52#ATM16

L3 Distributed Architecture – Branch Controller

@ArubaNetworks |

70xx

72xx CSC deployed across Internet11

INTERNET

Corp Network

53#ATM16


@ArubaNetworks |

70xx


Employee Traffic Tunneled12

VPN

Employee

INTERNET

Corp Network

54#ATM16


@ArubaNetworks |

70xx


Employee Traffic Tunneled12

All Guest Traffic NAT’ed 13

VPN

Employee

INTERNET

Corp Network

GuestNAT’ed

DHCP Server Distributed (On CSC) 14

55#ATM16

Configure Activate – Branch Controller

@ArubaNetworks |

Aruba Activate

Create Folders and Provision Rules11

Identify & Configure Master Controller12

Identify & Configure Branch Controller 13

56#ATM16

Enable Redundancy and Centralized Licensing

@ArubaNetworks |

Headquarters

INTERNET

Aruba Activate

Aruba 5400R

Corp NetworkVIP – 10.69.129.100

Centralized Licensing

Christian Gilby

changed from HP to Aruba 5400R

57#ATM16

AP Groups and CSC Smart Configuration

@ArubaNetworks |

Headquarters

INTERNET

Aruba Activate

Aruba 5400R

Corp Network

Create AP Groups (WLANs)11

Create Smart Config Group12

Configure VLAN’s, IP’s, DHCP etc. 13

58#ATM16

Sync Whitelist from Activate

@ArubaNetworks |

Headquarters

INTERNET

Aruba Activate

Aruba 5400R

Corp Network

59#ATM16

Adopt CSC’s

@ArubaNetworks |

Branch 1

Headquarters

Branch 2 Branch 3

INTERNET

Aruba Activate

Aruba 5400R

Corp Network

VLAN 4094DHCP Client



VPN

60#ATM16

Master Pushes Configuration to CSC

@ArubaNetworks |

Branch 1

Headquarters

Branch 2 Branch 3

INTERNET

Aruba Activate

Aruba 5400R

Corp Network




VPN

EmployeeVLAN 2

172.16.0.1/24

GuestVLAN 3

11.11.0.1/24

EmployeeVLAN 2

172.16.1.1/24

GuestVLAN 3

11.11.1.1/24

EmployeeVLAN 2

172.16.2.1/24

GuestVLAN 3

11.11.2.1/24

61#ATM16

Tunnel Employee Traffic to Corp

@ArubaNetworks |

Branch 2Branch 1

Headquarters

Branch 3

INTERNET

Aruba Activate

Aruba 5400R

Corp Network

Employee Employee Employee

VPN

EmployeeVLAN 2

172.16.0.100/24

EmployeeVLAN 2

172.16.1.100/24

EmployeeVLAN 2

172.16.2.100/24

10.0.0.0/8

62#ATM16

Master Advertises Routes to Wired using OSPF

@ArubaNetworks |

Branch 2Branch 1

Headquarters

Branch 3

Aruba Activate

Aruba 5400R

Corp Network


VPN

EmployeeVLAN 2

172.16.0.100/24

EmployeeVLAN 2

172.16.1.100/24

EmployeeVLAN 2

172.16.2.100/24

10.0.0.0/8

OSPF

INTERNET

63#ATM16

Wired Advertises Routes to Master using OSPF

@ArubaNetworks |

Branch 2Branch 1

Headquarters

Branch 3

Aruba Activate

Aruba 5400R

Corp Network


VPN

EmployeeVLAN 2

172.16.0.100/24

EmployeeVLAN 2

172.16.1.100/24

EmployeeVLAN 2

172.16.2.100/24

10.0.0.0/8

OSPF

INTERNET

64#ATM16

Trace Employee Packet Path

@ArubaNetworks |

Branch 1

Headquarters

INTERNET

Aruba 5400R

Employee

VPN

10.1.1.100

172.16.1.100

ping 10.1.1.100

1. Employee to default GW (172.16.1.1)

2. CSC routes to Master-CSC IPSec tunnel

3. Master routes to Wired Switch (OSPF)

4. Wired switch routes to Server

65#ATM16

NAT Guest Traffic via Uplink

@ArubaNetworks |

Branch 2Branch 1

Headquarters

Branch 3

INTERNET

Aruba Activate

Aruba 5400R

Corp Network

VPN

Guest Guest Guest

NAT

66

Deployment Models - Instant AP

67#ATM16

Centralized Layer 3

@ArubaNetworks |

InternetPrimary VPN Backup VPN

Master Master

IAP

SSID

Activate

Master

IAP

SSID

IAP

SSID

MasterMaster

Master

Load balancer Load balancer

Firewall Firewall

DHCP DHCP

68#ATM16

Centralized Layer 3 – Packet FlowInternet

Firewall Load Balancer ControllerIPSec tunnel UDP 4500

802.1x RADIUS

DHCP

DHCP requestDHCP request unicast to DHCP server by IAP using

VLAN IP

DHCP response by DHCP server to IAP’s VLAN IPDHCP response

Client

Corporate traffic

VC is the gateway

69#ATM16

Distributed Layer 3 – Packet Flow

Internet

Client Member IAP Master IAP/VC Controller

Internet Traffic Src NATed with VC’s Local IP

Corp. Traffic forwarded through IPSec tunnel

DHCP Discover

ARP reply

Internet Traffic

Corp. Traffic

DHCP Offer

DHCP Request

DHCP Ack

Gateway ARP

IPSec tunnel UDP port 4500

VC is the GW.

BID allocation process

70#ATM16

Centralized Layer 2 – Packet Flow

Internet

Client Member IAP Master IAP/VC Controller

Internet Traffic Src NATed with VC’s Local IP

Corp. Traffic forwarded through IPSec tunnel via GRE

DHCP Discover

ARP reply

Internet Traffic

Corp. Traffic

DHCP Offer

DHCP Request

DHCP Ack

Gateway ARP

IPSec tunnel UDP port 4500

Forwarded by VC to Controller via GRE

Forwarded by VC to Controller via GRE

Forwarded by VC to Controller via GREGW is in the DC, if WAN is down VC will proxy ARP for GW.

71#ATM16

Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is.

Share your results with friends and receive a free superpower t-shirt.

www.arubatitans.com

Thank you

Month day, year

design fundamentals for remote and branch access networks

Technology