Mod01MBC-Architecture-6.3-v1.3

8/17/2019 Mod01MBC-Architecture-6.3-v1.3

http://slidepdf.com/reader/full/mod01mbc-architecture-63-v13 1/35

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

Aruba Bootcamp – Architecture

1-1





1-2





1-3





1-4





1-5

3600

- LAN-connected APs (max) 128

- Remote Access Points 512

- Users(max) 8,192

- 4 ports Total

4x Gigabit Ethernet (10/100/1000Base-T)*

4x Gigabit Ethernet (1000Base-X) SFP** Dual-personality ports - 10/100/1000Base-T or pluggable module

6000 (per M3)

- LAN-connected access points1 Up to 512

- Remote Access Points1 Up to 1,024

3200 - LAN-connected APs (max) 32- Remote Access Points 128- Users(max) 2,048- Console (RS-232) RJ-45

- 4 ports Total4x Gigabit Ethernet (10/100/1000Base-T)*4x Gigabit Ethernet (1000Base-X) SFP** Dual-personality ports - 10/100/1000Base-T or pluggable module

3400

- LAN-connected APs (max) 64- Remote Access Points 256- Users(max) 4,096- 4 ports Total

4x Gigabit Ethernet (10/100/1000Base-T)*

4x Gigabit Ethernet (1000Base-X) SFP** Dual-personality ports - 10/100/1000Base-T or pluggable module





1-6

Aruba carries a number of AP types. These may be classified based upon the number of radios(single or dual) or deployment type (indoor or outdoor) and antenna type (built-in or external)





1-7

Access Points

AP-134 features two 3!3 MIMO dual-band 2.4-GHz/5-GHz radios with

external antenna interfaces

AP-135 features two 3!3 MIMO dual-band 2.4-GHz/5-GHz radios the same

radios with internal antennas.

AP-105 features two 2!2 MIMO dual-band 2.4-GHz/5-GHz radios with two

internal omni-directional antennas.

AP-92 features a single 2!2 MIMO dual-band 2.4-GHz or 5-GHz radio

with external antennas

AP-93 features a single 2!2 MIMO dual-band 2.4-GHz or 5-GHz radio

with internal antennas

AP-68 features a single 1x1 single spatial stream one 2.4-G Hz radio

with internal antennas





1-8

The data center consists of the master controllers, and most of the other servers like DHCP, DNS,SMTP, SNMP etc used in a typical campus network

The distribution layer consists of the switches and routers in the wired network.

The wireless clients and APs are at the edge of the network





1-9

The functionality that the mobility controller provides includes:

1.Acting as a user-based stateful firewall

2.Terminating user-encrypted sessions from wireless devices

3.Performing Layer 2 switching and Layer 3 routing

4.Providing certificate-based IPsec security to protect control channel information

5.Terminating Internet-based remote APs (RAPs)

6.Performing user authentication with 802.1X and captive portal authentication, among others7. Providing guest access and captive portal services

8.Providing advanced RF services with Adaptive Radio ManagementTM (ARM) and spectrum

analysis

9. Performing rogue detection and containment





1-10

The controller is deployed at the core and AP at the access layer. The AP uses a proprietaryprotocol (PAPI) to communicate with the controller using UDP port 8211. PAPI runs within its’ owntunnel and is encrypted, by default, using CPSec.

The AP encapsulates the user traffic in a GRE (Generic routing encapsulation) tunnel. Thecontroller process the de-capsulates the traffic and switches/routes it.

-This is unencrypted control traffic. AOS 6.x, however, introduces CPSec which encrypts the

control traffic within the tunnel. CPSec is enabled by default on a default config in current AOS. If

CPSec, however, is disabled then the SW is upgraded then CPSec remains disabled.





1-11

It is important that the requisite ports for GRE (47), PAPI (8211), DHCP, FTP, and ADP (8200) if ADP discovery is used are not blocked by a firewall between the AP and the controller. If any of theports are blocked it will prevent the AP from booting up and broadcasting an SSID.

One GRE tunnel is built per SSID per Radio. So, for example, if an AP-105 (dual-radio) isadvertising the same SSID on both radios it will build two GRE tunnels to the controller. With two

SSIDs advertising on both radios there will be a total of four GREs.





1-12

A GRE tunnel is established between the AP and the mobility controller.

When an AP receives a wireless frame, the AP encapsulates the frame into GRE without

decrypting or modifying it.

The AP sends the frame to the mobility controller. When the mobility controller receives the frame,

it performs the decryption operation,

applies the user’s firewall policy, and forwards or filters the frame as appropriate

GRE tunnel is created per ssid and per radio.





1-13

A single controller is deployed in smaller organizations where redundancy is not needed or costeffective.

In the above e.g the controller has 2 Wireless LANs (WLAN) configured each with different set of

parameters for authentication, encrytption and access control





1-14

The above diagram shows a Large campus with a Master controller deployed at the core andsome Access points at the edge of the network.

In Mid-size branch we have a local controller which builds an Ipsec tunnel to the Master controller.

The branch Aps terminate their GRE tunnel to the local controller

There are some RAPs located in different home offices which terminate on another local controller

deployed at the DMZ. The RAPs build an Ipsec tunnel back to the DMZ controller

and tunnel all traffic inside this Ipsec tunnel





1-15





1-16

Campus deployments are extremely common for Aruba solutions. Most deployments involvemultiple local mobility controllers with redundancy deployed either in the distribution layer or datacenter. These deployments also have redundant master mobility controllers.





1-17

The Aruba VIA agent, RAPs, site-to-site VPNs, and third-party IPsec clients typically terminate onlocal mobility controllers in the network DMZ. If this Aruba deployment is the only one in theorganization, mobility controllers may be deployed in a master/local cluster in the DMZ





1-18

In the distributed enterprise network, branch offices of many sizes exist. When a branch officegrows beyond the capabilities of a RAP deployment, a smaller scale mobility controller that canhandle multiple APs can be deployed.





1-19

In the above diagram a Master controller is deployed in the data center in building 1, a localcontroller is deployed in building 2

The APs in building 2 terminate on the local controller. Any changes to configuration is made on

the Master controller which syncs

the config between local controller and itself.





1-20

This deployment model is typically used in campus networks where an existing Layer 3 switch isalready functioning as the default gateway and makes routing decisions for the network.

This deployment model is recommended where multicast routing will occur.





1-21

The above diagram shows a Building with the following network design

The floors are divided into different vlans, all devices in floor 1 are on vlan 11, devices on floor 2

are on vlan 12

The data center server and controller belong to vlan 14





1-22

Since all the wireless users are put in vlan 14 from the previous network configuration, we create 2 AP groups in the controller with 2 separate vlans.

The users will be assigned a vlan based on the AP group, in which the AP that associate to,

belongs.





1-23

The DHCP packet from the wireless user is encapsulated by the AP in the GRE tunnel.





1-24

The controller de-capsulates the packet and checks the AP group. Since AP1 belongs to group 1stfloor . The controller assigns vlan 101 to the user data and sends the packet to the upstream router

The upstream router routes the packet to the DHCP server.





1-25

The DHCP server assigns the IP address based on vlan 101.





1-26

The controller removes the 802.3 header of the DHCP reply and replaces it with 802.11 header.Then it encapsulates the packet in GRE tunnel and sends it to the AP.

The AP removes the encapsulation and transmits the packet to the client. The client gets an IP

address on vlan 101.





1-27

With roaming enabled on the controller, the controller maintains the vlan 101 for client packetseven when the wireless user moves to an AP belonging to AP group 2nd floor.





1-28





1-29





1-30

This deployment is common for remote networking, where the users receive their IP addressingfrom the mobility controller





1-31

When the controller is deployed as the default gateway, routers in the network need to know howto reach that gateway. The two methods for handling these advertisements are static routes andOSPF.

The Aruba Mobility Controller supports running the dynamic routing protocol called Open ShortestPath First (OSPF). The implementation allows the mobility controller to operate in either stub or

totally stub mode.





1-32

802.11h include two features, DFS and TPC. These can effect which channels you can use incertain places. Dynamic Frequency Selection and Transmit Power Control were introduced withthe 802.11h amendment in 2003. The UNII-2 and UNII-2E bands could also be used by radar or

satellite systems on the same channels as 802.11 access points. Wireless devices must be able todetect the radar and change to a different channel if it is present. If a vendor does not want to

support DFS, they do not have to, providing that they block the use of the UNII-2 and UNII-2Ebands

The following APs support DFS: AP-22x, AP-13x, AP-10x, AP-9x, AP-175, RAP-10x. Additional

models will have DFS support added in later SW releases.

Transmit power control was also introduced with the 802.11h amendment. When devices are

communicating, they will negotiate so that they can keep their power level as low as possible. Thiswill still allow communications, while minimizing the potential of interfering with other devices.





1-33





1-34




Mod01MBC-Architecture-6.3-v1.3

Documents