Aruba Bootcamp – Architecture
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Controller capacities (reconstructed from the slide; "4 ports total" refers to the four dual-personality ports):

  Model           LAN-connected APs (max)   Remote APs (max)   Users (max)   Ports
  3200            32                        128                2,048         4 total: 4x Gigabit Ethernet 10/100/1000Base-T* or 4x Gigabit Ethernet 1000Base-X SFP*; console RS-232 (RJ-45)
  3400            64                        256                4,096         4 total, same dual-personality layout
  3600            128                       512                8,192         4 total, same dual-personality layout
  6000 (per M3)   up to 512                 up to 1,024        not given on the slide

  * Dual-personality ports: each of the four is either 10/100/1000Base-T or a pluggable SFP module.
Aruba carries a number of AP types. They can be classified by number of radios (single or dual), deployment type (indoor or outdoor), and antenna type (built-in or external).
Access Points
AP-134 features two 3x3 MIMO dual-band 2.4-GHz/5-GHz radios with external antenna interfaces.
AP-135 features the same two 3x3 MIMO dual-band 2.4-GHz/5-GHz radios with internal antennas.
AP-105 features two 2x2 MIMO dual-band 2.4-GHz/5-GHz radios with two internal omni-directional antennas.
AP-92 features a single 2x2 MIMO dual-band radio (2.4 GHz or 5 GHz) with external antennas.
AP-93 features a single 2x2 MIMO dual-band radio (2.4 GHz or 5 GHz) with internal antennas.
AP-68 features a single 1x1 (one spatial stream) 2.4-GHz radio with internal antennas.
The data center holds the master controllers and most of the other servers (DHCP, DNS, SMTP, SNMP, etc.) used in a typical campus network. The distribution layer consists of the switches and routers of the wired network. The wireless clients and APs are at the edge of the network.
The functionality that the mobility controller provides includes:
1. Acting as a user-based stateful firewall
2. Terminating user-encrypted sessions from wireless devices
3. Performing Layer 2 switching and Layer 3 routing
4. Providing certificate-based IPsec security to protect control channel information
5. Terminating Internet-based remote APs (RAPs)
6. Performing user authentication with 802.1X and captive portal authentication, among others
7. Providing guest access and captive portal services
8. Providing advanced RF services with Adaptive Radio Management (ARM) and spectrum analysis
9. Performing rogue detection and containment
The controller is deployed at the core and the APs at the access layer. The AP communicates with the controller using a proprietary control protocol, PAPI, over UDP port 8211. User traffic is encapsulated by the AP in a GRE (Generic Routing Encapsulation) tunnel; the controller de-capsulates it and switches or routes it. On its own, PAPI control traffic is unencrypted. AOS 6.x introduced Control Plane Security (CPSec), which protects the control channel with certificate-based IPsec between AP and controller. CPSec is enabled by default in a default configuration on current AOS releases, but if CPSec was disabled before a software upgrade it stays disabled after the upgrade, so confirm its state after upgrading rather than assuming the default applies.
The protocols and ports the AP needs to reach the controller must not be blocked by any firewall between them: GRE (IP protocol 47), PAPI (UDP 8211), DHCP, FTP, and ADP (UDP 8200) if ADP discovery is used. If any of these is blocked the AP cannot complete its boot and will not broadcast an SSID. One GRE tunnel is built per SSID per radio: an AP-105 (dual-radio) advertising the same SSID on both radios builds two GRE tunnels to the controller, and with two SSIDs advertised on both radios there are four.
A GRE tunnel is established between the AP and the mobility controller, one per SSID per radio.
When the AP receives a wireless frame, it encapsulates the frame in GRE without decrypting or modifying it and sends it to the mobility controller. The controller decrypts the frame, applies the user's firewall policy, and forwards or drops it as appropriate. Because decryption happens at the controller rather than the AP, the user payload crossing the wired path between them is still 802.11-encrypted; the PAPI control channel on that same path is only protected when CPSec is enabled.
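The following is an added example, not part of the bootcamp material: a small Python audit of flow records between APs and the controller, using the protocols and ports the slides give (PAPI UDP 8211, ADP UDP 8200, GRE as IP protocol 47, FTP) to flag two conditions worth checking after a software upgrade or a firewall change: PAPI seen in cleartext rather than inside IPsec (CPSec not in effect), and an AP with fewer GRE tunnels than its SSID-times-radio count (a tunnel blocked on the path). The Flow record format, the gre_key field used to tell tunnels apart, and the sample flows and addresses are all constructed for this example and are not an Aruba export format.

```python
"""Audit AP <-> controller flows for cleartext control plane and missing GRE tunnels.
Added example; field names, addresses and sample flows are constructed, not Aruba's."""
from collections import defaultdict
from dataclasses import dataclass

PAPI_PORT = 8211                # Aruba PAPI control channel (UDP), per the slides
ADP_PORT = 8200                 # Aruba Discovery Protocol (UDP), per the slides
FTP_PORT = 21                   # image/config fetch, per the slides
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Flow:
    """One observed flow. gre_key is assumed to distinguish one GRE tunnel from another."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    gre_key: int = 0


def classify(flow: Flow, controller_ip: str) -> str:
    """Label a flow by its role in the AP <-> controller exchange."""
    if controller_ip not in (flow.src, flow.dst):
        return "unrelated"
    ports = (flow.sport, flow.dport)
    if flow.proto == IPPROTO_ESP:
        return "ipsec"            # CPSec (or RAP/VIA) traffic: control plane is protected
    if flow.proto == IPPROTO_GRE:
        return "gre_user"         # tunnelled user frames; still carry the client's 802.11 encryption
    if flow.proto == IPPROTO_UDP and PAPI_PORT in ports:
        return "papi_cleartext"   # control plane visible on the wire: CPSec not in effect
    if flow.proto == IPPROTO_UDP and ADP_PORT in ports:
        return "adp"
    if flow.proto == IPPROTO_TCP and FTP_PORT in ports:
        return "ftp"
    return "other"


def peer_of(flow: Flow, controller_ip: str) -> str:
    """The AP side of a controller flow."""
    return flow.dst if flow.src == controller_ip else flow.src


def cleartext_papi_aps(flows, controller_ip):
    """APs whose PAPI traffic is not wrapped in IPsec."""
    return {peer_of(f, controller_ip) for f in flows
            if classify(f, controller_ip) == "papi_cleartext"}


def gre_tunnels_per_ap(flows, controller_ip):
    """Count distinct GRE tunnels each AP has up to the controller."""
    keys = defaultdict(set)
    for f in flows:
        if classify(f, controller_ip) == "gre_user":
            keys[peer_of(f, controller_ip)].add(f.gre_key)
    return {ap: len(k) for ap, k in keys.items()}


def expected_gre_tunnels(ssids: int, radios: int) -> int:
    """One tunnel per SSID per radio, as the slides state."""
    return ssids * radios


def audit(flows, controller_ip, ap_inventory):
    """ap_inventory maps AP IP -> (ssids, radios). Returns (ap, finding) pairs."""
    findings = []
    for ap in sorted(cleartext_papi_aps(flows, controller_ip)):
        findings.append((ap, "PAPI control traffic is not inside IPsec; verify CPSec is enabled"))
    seen = gre_tunnels_per_ap(flows, controller_ip)
    for ap, (ssids, radios) in sorted(ap_inventory.items()):
        want, got = expected_gre_tunnels(ssids, radios), seen.get(ap, 0)
        if got != want:
            findings.append((ap, f"{got} GRE tunnel(s) seen, expected {want}; "
                                 "check that IP protocol 47 is not blocked"))
    return findings


# Constructed sample: AP1 is dual-radio with CPSec on; AP2 is single-radio, cleartext PAPI,
# and only one of its two expected tunnels is visible.
CONTROLLER = "10.0.0.1"
AP_INVENTORY = {"10.1.1.10": (2, 2), "10.1.1.11": (2, 1)}
SAMPLE_FLOWS = [
    Flow("10.1.1.10", CONTROLLER, IPPROTO_ESP),
    *[Flow("10.1.1.10", CONTROLLER, IPPROTO_GRE, gre_key=k) for k in (1, 2, 3, 4)],
    Flow("10.1.1.11", CONTROLLER, IPPROTO_UDP, sport=8211, dport=8211),
    Flow("10.1.1.11", CONTROLLER, IPPROTO_GRE, gre_key=1),
    Flow("10.1.1.11", CONTROLLER, IPPROTO_TCP, sport=40001, dport=21),
    Flow("10.9.9.9", "10.8.8.8", IPPROTO_TCP, sport=55555, dport=443),
]

if __name__ == "__main__":
    for ap, finding in audit(SAMPLE_FLOWS, CONTROLLER, AP_INVENTORY):
        print(ap, finding)
```

The same classification is what you would apply to a capture on the AP-to-controller path: any UDP 8211 that is not inside ESP means the control plane is exposed, regardless of what the configuration default was supposed to be.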
A single controller is deployed in smaller organizations where redundancy is not needed or not cost effective. In the example above the controller has two Wireless LANs (WLANs) configured, each with a different set of parameters for authentication, encryption and access control.
The diagram above shows a large campus with a master controller deployed at the core and access points at the edge of the network. The mid-size branch has a local controller that builds an IPsec tunnel to the master controller; the branch APs terminate their GRE tunnels on that local controller. RAPs located in home offices terminate on another local controller deployed in the DMZ: each RAP builds an IPsec tunnel back to the DMZ controller and carries all of its traffic inside that tunnel.
Campus deployments are extremely common for Aruba solutions. Most deployments involve multiple local mobility controllers with redundancy deployed either in the distribution layer or data center. These deployments also have redundant master mobility controllers.
The Aruba VIA agent, RAPs, site-to-site VPNs, and third-party IPsec clients typically terminate on local mobility controllers in the network DMZ. If this Aruba deployment is the only one in the organization, mobility controllers may be deployed in a master/local cluster in the DMZ
In the distributed enterprise network, branch offices of many sizes exist. When a branch office grows beyond the capabilities of a RAP deployment, a smaller scale mobility controller that can handle multiple APs can be deployed.
In the diagram above a master controller is deployed in the data center in building 1 and a local controller in building 2. The APs in building 2 terminate on the local controller. All configuration changes are made on the master controller, which synchronizes the configuration to the local controller.
This deployment model is typically used in campus networks where an existing Layer 3 switch is already functioning as the default gateway and makes routing decisions for the network. This deployment model is recommended where multicast routing will occur.
The diagram above shows a building with the following network design: the floors are on separate VLANs, with all devices on floor 1 in VLAN 11 and all devices on floor 2 in VLAN 12; the data center server and the controller are in VLAN 14.
Because the previous network configuration placed all wireless users in VLAN 14, we create two AP groups on the controller, each mapped to a separate VLAN. A user is assigned the VLAN of the AP group to which the AP they associate with belongs.
The DHCP packet from the wireless user is encapsulated by the AP in the GRE tunnel.
The controller de-capsulates the packet and checks the AP group. Since AP1 belongs to the AP group "1st floor", the controller places the user's traffic in VLAN 101 and sends the packet to the upstream router, which routes it to the DHCP server.
The DHCP server assigns the IP address based on vlan 101.
The controller strips the 802.3 header from the DHCP reply and replaces it with an 802.11 header, then encapsulates the frame in the GRE tunnel and sends it to the AP. The AP removes the encapsulation and transmits the frame to the client. The client obtains an IP address in VLAN 101.
With roaming enabled on the controller, the controller maintains the vlan 101 for client packets even when the wireless user moves to an AP belonging to AP group 2nd floor.
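The AP-group VLAN assignment and roaming behaviour walked through on the preceding slides, as an added example that is not Aruba's code: a minimal GRE encapsulation and de-capsulation (RFC 2784 header with the RFC 2890 key option, so tunnels can be told apart), a To-DS 802.11 data frame, and a controller model that derives a client's VLAN from the AP group on first association and keeps it when the client roams to an AP in a different group, re-emitting the frame 802.1Q-tagged towards the upstream router. Assumptions made for the example: the GRE protocol-type value, the MAC addresses and the DHCP body are placeholders; the frame is treated as already decrypted, with its body starting right after the 24-byte header (no QoS or encryption header); and the 802.1Q tag with an IP ethertype stands in for whatever the controller actually emits upstream.

```python
"""GRE-tunnelled 802.11 frame -> AP-group VLAN -> tagged 802.3 frame, with sticky VLAN on roam.
Added example; protocol-type value, MACs and payloads are placeholders, not Aruba's."""
import struct

GRE_FLAG_KEY = 0x2000           # RFC 2890 K bit: a 4-byte key follows the base header
PROTO_80211 = 0x8200            # assumed protocol-type value for a tunnelled 802.11 frame
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IP = 0x0800
FC_DATA_TODS = b"\x08\x01"      # frame control: type=data, subtype=0, To-DS=1


def gre_encap(payload: bytes, key: int, proto: int = PROTO_80211) -> bytes:
    """Wrap payload in a GRE header carrying a tunnel key."""
    return struct.pack("!HHI", GRE_FLAG_KEY, proto, key) + payload


def gre_decap(packet: bytes):
    """Return (key, proto, payload); reject anything that is not GRE version 0."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & 0x8000:                        # C bit: checksum + reserved1 present
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & 0x1000:                        # S bit: sequence number present
        offset += 4
    return key, proto, packet[offset:]


def dot11_data_frame(bssid: bytes, client: bytes, dest: bytes, body: bytes) -> bytes:
    """Minimal To-DS 802.11 data frame: addr1=BSSID, addr2=client (SA), addr3=destination (DA)."""
    return FC_DATA_TODS + b"\x00\x00" + bssid + client + dest + b"\x00\x00" + body


def dot11_addrs(frame: bytes):
    """(addr1, addr2, addr3) of a 24-byte-header 802.11 frame."""
    return frame[4:10], frame[10:16], frame[16:22]


def tagged_ethernet(vlan: int, dst: bytes, src: bytes, payload: bytes,
                    ethertype: int = ETHERTYPE_IP) -> bytes:
    """802.3 frame with an 802.1Q tag (PCP=0, DEI=0), as sent towards the upstream router."""
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vlan & 0x0FFF, ethertype) + payload


def vlan_of(tagged: bytes) -> int:
    """VLAN id carried in a tagged 802.3 frame."""
    return struct.unpack("!H", tagged[14:16])[0] & 0x0FFF


class Controller:
    """Assigns a VLAN from the AP group on first sight of a client and keeps it across roams."""

    def __init__(self, group_vlan, ap_group):
        self.group_vlan = dict(group_vlan)    # AP group name -> VLAN id
        self.ap_group = dict(ap_group)        # AP name -> AP group name
        self.sessions = {}                    # client MAC -> VLAN id fixed at first association

    def vlan_for(self, ap: str, client: bytes) -> int:
        if client not in self.sessions:
            self.sessions[client] = self.group_vlan[self.ap_group[ap]]
        return self.sessions[client]

    def from_ap(self, ap: str, gre_packet: bytes) -> bytes:
        """De-capsulate a tunnelled frame and re-emit it tagged for the client's VLAN."""
        _key, proto, frame = gre_decap(gre_packet)
        if proto != PROTO_80211:
            raise ValueError("not an 802.11 payload")
        _bssid, client, dest = dot11_addrs(frame)
        return tagged_ethernet(self.vlan_for(ap, client), dest, client, frame[24:])


# Constructed topology and addresses for the demonstration.
GROUP_VLAN = {"1st floor": 101, "2nd floor": 102}
AP_GROUP = {"AP1": "1st floor", "AP2": "2nd floor"}
BSSID = bytes.fromhex("001a1e000001")
CLIENT = bytes.fromhex("d8cb8a000001")
CLIENT2 = bytes.fromhex("d8cb8a000002")
GATEWAY = bytes.fromhex("000c29000001")


def demo():
    """VLAN seen for: first association on AP1, the same client after roaming to AP2,
    and a different client that first appears on AP2."""
    ctrl = Controller(GROUP_VLAN, AP_GROUP)
    discover = dot11_data_frame(BSSID, CLIENT, GATEWAY, b"DHCPDISCOVER")   # placeholder body
    first = ctrl.from_ap("AP1", gre_encap(discover, key=1))
    roamed = ctrl.from_ap("AP2", gre_encap(discover, key=7))
    other = ctrl.from_ap("AP2", gre_encap(dot11_data_frame(BSSID, CLIENT2, GATEWAY, b"x"), key=7))
    return vlan_of(first), vlan_of(roamed), vlan_of(other)


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the VLAN is a property of the client session, chosen once from the AP group the client first associated through, not of the AP currently carrying its frames; that is why the client keeps VLAN 101 and its address after moving to a "2nd floor" AP.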
This deployment is common for remote networking, where the users receive their IP addressing from the mobility controller
When the controller is deployed as the default gateway, routers in the network need to know how to reach that gateway. The two methods for handling these advertisements are static routes and OSPF. The Aruba Mobility Controller supports running the dynamic routing protocol called Open Shortest Path First (OSPF). The implementation allows the mobility controller to operate in either stub or totally stub mode.
802.11h includes two features, DFS and TPC, which can affect which channels may be used in a given location. Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) were introduced with the 802.11h amendment in 2003. The UNII-2 and UNII-2E bands are shared with radar and satellite systems on the same channels used by 802.11 access points, so wireless devices must be able to detect radar and move to a different channel when it is present. A vendor that does not want to support DFS is not required to, provided it blocks use of the UNII-2 and UNII-2E bands. The following APs support DFS: AP-22x, AP-13x, AP-10x, AP-9x, AP-175, RAP-10x; additional models will gain DFS support in later software releases. With TPC, communicating devices negotiate to keep their transmit power as low as possible while still maintaining communication, minimizing the potential for interference with other devices.