Shanghai Breakout: Aruba Mobility Access Switch Workshop
Download as PPTX, PDF1 like1,132 views
The document describes an Aruba Mobility Access Switch workshop held on December 10th and 12th, 2014. It provides an overview of the Aruba Mobility Access Switch family, including the S3500, S2500, and S1500 series switches. The switches provide role-based access control, policy enforcement, and integration with other Aruba products for unified wired and wireless access. Key features include PoE, stacking, security, and management capabilities.
Shanghai Breakout: Aruba Mobility Access Switch Workshop
- 1. Aruba Mobility Access Switch Workshop Madani Adjali & Vinay Kammar December 10th & 12th 2014
- 2. CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved 2 #AirheadsConf Agenda Platform Overview & Resources Role Based Access Zero Touch Provisioning
- 3. Introducing the Aruba Mobility Access Switch Family • Security to wired access – Flexible role-based access – Policy moves from wireless to wired • Operational simplicity – Low-touch installation and configuration – Dynamic configuration of user policies – Integration with Aruba APs • 802.11ac Ready 3 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf – 802.3at on all PoE models
- 4. 4 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Mobility Access Switch Capabilities A. L2/L3 Forwarding C. Wired AP Mobility Access Switch Access Point LAN Core AirWave Management Platform Mobility Controller ClearPass Policy Manager B. User-Role Download A. Ethernet Switch - Layer 2/3 forwarding - Native Role-based policy enforcement B. Integration with ClearPass - Downloadable Role/ACL - Captive Portal C. Wired Access Point - Role-based policy enforcement at Mobility Controller - Single policy for WLAN and LAN
- 5. S3500 Mobility Access Switch 5 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf • Designed for Wired Access – 24/48 Port Models – Role-based access with user visibility – Per port PoE/PoE+ • ArubaStack – Stack up to 8 devices – Up to 384x GbE and 16x 10GbE • Modular Components – Field replaceable AC power supplies • Optional redundant power supply – Field replaceable fan tray – Optional 4-port uplink module • 1000BASE/10GBASE-x SFP/SFP+ SKU Ports PoE Budget S3500-24F 24x1000BASE-x Not Applicable S3500-24T 24x10/100/1000BASE-T Not Applicable S3500-24P 24x10/100/1000BASE-T 400W | 689W S3500-24PF 24x10/100/1000BASE-T 850W | 1465W S3500-48T 48x10/100/1000BASE-T Not Applicable S3500-48P 48x10/100/1000BASE-T 400W | 689W S3500-48PF 48x10/100/1000BASE-T 850W | 1465W
- 6. 6 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf S3500: Front & Rear Views Optional Uplink Module S3500 Rear View USB Console Field-Replaceable Fan Tray Hot-Swappable Power Supplies Ethernet Out-of-Band S3500-48P Front View Fixed 10/100/1000BASE-T Ports LCD Display • Dimensions & Airflow – 1RU – 1.75˝ (H) x 17.5˝ (W) x 17.5˝ (D) – Front/Side to Rear Airflow • Mounting Options – 2 Post Rack (front & mid-mount) – 4 Post Rack – Wall Mount • Limited Lifetime Warranty
- 7. 7 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf S2500 Mobility Access Switch SKU Ports PoE Budget S2500-24P 24x10/100/1000BASE-T 400W S2500-48T 48x10/100/1000BASE-T Not Applicable S2500-48P 48x10/100/1000BASE-T 400W • Designed for Wired Access – 24/48 Port 10/100/1000BASE-T – Role-based access with user visibility – Per port PoE/PoE+ • ArubaStack – Stack up to 8 devices – Up to 384x GbE and 16x 10GbE • Integrated Components – Built in fans for quiet operation – Fixed 4-port uplinks • 1000BASE/10GBASE-x SFP/SFP+
- 8. 8 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf S2500: Front & Rear Views • Dimensions & Airflow – 1RU – 1.75˝ (H) x 17.5˝ (W) x 12.5˝ (D) – Side to Side Airflow • Mounting Options – 2 Post Rack (Front) – Wall & 2-Post Mid Mount • Limited Lifetime Warranty S2500 Front View LCD Display Fixed 4x 1000BASE-x/10GBASE-x (SFP/SFP+) Ports S2500 Rear View Ethernet Out-of-Band RJ-45 & Mini-USB Console USB Integrated Power Supply Fixed Fans 48x 10/100/1000 (RJ45) Ports
- 9. 9 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf S1500 Mobility Access Switch SKU Ports PoE Budget S1500-12P 24x10/100/1000BASE-T 120W S1500-24P 24x10/100/1000BASE-T 400W S1500-48P 48x10/100/1000BASE-T 400W • Designed for Wired Access – 12/24/48 Port 10/100/1000BASE-T – Role-based access with user visibility – Per port PoE/PoE+ • ArubaStack – Stack up to 8 devices • Integrated Components – Built in fans for quiet operation (24P/48P) – Fanless for public spaces (12P) – Fixed 2-port (12P) & 4-port (24P/48P) uplinks • 1000BASE-x SFP
- 10. Mode LEDs and Selector 10 USB CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf S1500-24P/48P: Front & Rear Views • Features & Scaling - Same features as S2500/S3500 - Reduced scaling vs. S2500/S3500 • Dimensions & Airflow – 1RU – 1.75˝ (H) x 17.5˝ (W) x 12.5˝ (D) – Side to Side Airflow • Mounting Options – 2 Post Rack (Front) – Wall & 2-Post Mid Mount • Limited Lifetime Warranty S1500-24/48P Rear View Console Fixed 4x 1000BASE-X (SFP) Ports 48x 10/100/1000 (RJ45) Ports Integrated Power Supply Fixed Fans S1500-48P Front View
- 11. 11 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf S1500-12P: Front & Rear Views • Features & Scaling - Same features as S2500/S3500 - Reduced scaling vs. S2500/S3500 • Dimensions & Airflow – 1.75˝ (H) x 13˝ (W) x 12.5˝ (D) – Fanless • Mounting Options – Desktop (Rubber feet included) – Rack & Wall & Mount (Included) – Magnet Mount (Optional) • Limited Lifetime Warranty S1500-12P - Front View USB Console RJ-45 12x 10/100/1000Base-T With 8x PoE/PoE+) 2x 1000BASE-x (SFP) Mode LEDs and Selector Vents for Cooling on Top and Bottom for Fanless Design S1500-12P - Rear View Integrated Power Supply Security Lock Slot
- 12. 12 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Platform Comparison Capability / Feature S3500-XXP S3500-XXT S2500-XXP S2500-XXT S1500-XXP S1500-12P Number of Ports 24/48 24/48 24/48 24/48 24/48 12 Uplink Performance 4 x 10G SFP+ 4 x 10G SFP+ 4 x 10G SFP+ 4 x 10G SFP+ 4 x 1G SFP 2 x 1G SFP Uplinks Options Modular Modular Integrated Integrated Integrated Integrated LCD Yes Yes Yes Yes No No Modular Power Yes Yes No No No No Dual Power Yes Yes No No No No PoE Budget (W) 400/689/1465 N/A 400 N/A 400 120 Max Simultaneous PoE/PoE+ 48A/48A N/A 25/13 N/A 25/13 7/4 Modular Fan (FRU) Yes Yes No No No No Depth 17.5”/19.5” A 17.5” <13” <13” <13” <9” Ambient Sound 48dB 48dB 42dB 42dB 42dB 0dB List Price (24/48) $3,995B/$6,995B $3,195B/$5,495B $3,795/$6,795 $2,995/$5,195 $2,495/$4,595 $1,595 Note A: Assumes dual 1050W power supplies | Note B: Single power supply (600W for P SKU and 350W for T SKU) and no uplink module (S3500-4x10G - List $1495)
- 13. Platform / Layer 2 Features Routing Features 13 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Features & Capabilities • Spanning Tree Protocols - MSTP & Rapid PVST+ • Link Aggregation Group • L2 Generic Router Encapsulation • Voice VLAN - LLDP-MED & CDP Fingerprinting • Port Security - DHCP Snooping, DAI & IPSG • Quality of Service - Strict Priority Queuing - 1 Rate Tri-Color Policing • Routed VLAN Interfaces (RVI) • Static Routing • OSPFv2 - Summarization & Route Filtering • Policy Based Routing • Virtual Router Redundancy Protocol • L3 Generic Router Encapsulation • Multicast - PIM-SM & PIM-SSM - IGMPv1/v2/v3 Snooping - MLDv1
- 14. 14 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Features & Capabilities (cont.) Branch Features • Redundant Uplinks - L3 Interface Monitoring (ping-probe) - Route Metrics for DHCP Enabled L3 Interfaces • Dynamic DNS Client • Network Address Translation - Source/Destination NAT via ACL - Interface Based Source NAT - NAT Pools • Stateful Firewall - Session ACLs on RVIs & User-Roles Branch Features (cont.) • Site to Site VPN - Standby VPN Interface - Default Route to VPN - OSPF over VPN • Aruba VPN - Certificate based VPN using Mobility Controller Whitelist • Tunneled Node over Site to Site or Aruba-VPN • DHCP Services - Dynamically distribute DHCP scopes from Mobility Controller
- 15. 15 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Features & Capabilities (cont.) Authentication & Security • Role Based User Access • Deny Inter User Traffic • User Derived Roles - MAC OUI, DHCP Sig. & LLDP/CDP Phone Match • AAA Authentication - 802.1x, MAC Auth & Captive Portal • External Authentication Servers - Radius, TACACS+ & LDAP • Radius Fail-Open Aruba Portfolio Integration • Mobility Controller - Aruba VPN - Tunneled Node - AirGroup • Access Points - Auto AP PoE Prioritization (IAP/CAP) - Auto AP QoS Trust (IAP/CAP) - Auto AP Interface Config. (IAP/CAP) - Rogue AP Containment (IAP) - VLAN Sharing (IAP) • ClearPass Policy Manager - Downloadable Roles & Guest
- 16. 16 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Features & Capabilities (cont.) Management • Command Line Interface • Web UI • Aruba Activate - Cloud Provisioning Service - Direct Mobility Access Switch to Airwave or Controller for VPN • Aruba Central - Cloud Management Service • Airwave Management Platform • Discovery via DHCP • Discovery via Activate Optics & DACs • SFP/SFP+ Optics - 1000BASE-T - 1000BASE-SX - 1000BASE-LX - 1000BASE-EX - 1000BASE-ZX - 10GBASE-SR - 10GBASE-LR - 10GBASE-LRM - 10GBASE-ER - 10GBASE-ZR • Twinax/Direct Attach Copper - 50cm/1m/3m/5m/7m
- 17. Configuration made simple through intelligent wizards. https://ase.arubanetworks.com 17 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf • 27 solutions and growing. • Solutions for Aruba Mobility Controllers, Mobility Access Switches, Instant APs, and CPPM/CPG. • 1900+ users. 75,000 views.
- 18. 18 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Role Based Access
- 19. Usernames/ Passwords 19 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf AAA View of the World Manufacturers Via MAC OUI Operating Systems Via DHCP Fingerprinting Our Mobility Access Switches see… MAC Addresses And our security enforcement model uses… IP Phones Via Device-Type Fingerprinting User-roles …provisioned locally or dynamically which simplifies AAA deployments
- 20. 20 ClearPass Policy Manager Integration CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Context • User: Joe Smith • Role: Guest Policy Enforcement Policy Definition Mobility Controller 1. User provides their credentials and other context to Authenticate 802.11n AP ClearPass Mobility Access Switch 2. ClearPass Policy Manager returns Role & Policy for User/Device 3. Role & Policy pushed to the Mobility Controller for Role & Policy Enforcement 3. Role & Policy pushed to the Mobility Access Switch for Role & Policy Enforcement
- 21. 21 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Role Based Access Demo
- 22. 22 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Zero Touch Provisioning
- 23. 23 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved 1. Customer Enables Service & Inputs Provisioning Rules Argh! No Airwave details Help me Aruba Activate, you’re from DHCP my only either! hope! Mobility Access Switch #AirheadsConf Airwave Discovery using DHCP & Aruba Activate Branch Location 2. Mobility Access Switch first attempts to download a configuration via TFTP Aruba Activate Airwave Management Platform Headquarters Location 3. When TFTP fails, the Mobility Access Switch attempts to contact Airwave using credentials supplied by DHCP. 5. Activate responds with Airwave IP, Shared Secret, Group Name and Folder Name and optional Controller IP for Aruba-VPN 6. Mobility Access Switch contacts Airwave and provides Shared Secret, Group Name and Folder Name. 7. Airwave contacts Mobility Access Switch and pushes down group configuration TFTP? Are you there? Hi Airwave! Configure Me! Hi Mobility Access Switch! Yippie! All Configured! Hi Mobility Access Switch! 4. If no credentials are supplied via DHCP options, the Mobility Access Switch attempts to contact Activate.
- 24. AirWave Management Platform & Mobility Access Switch 24 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf • Hardware Monitoring & User Visibility – Inventory and Uptime – Visibility Into Wired Network Usage – SNMP Trap and Syslog Support • Software Configuration & Firmware Management – Configuration Changes & Backups – Firmware Upgrades • Reporting – Compliance Reporting – Report and Track Wired Users
- 25. 25 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf Zero Touch Provisioning Demo
- 26. Thank You 26 #AirheadsConf CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
- 27. 27