Aruba Mobility Access Switch Workshop
Madani Adjali & Vinay Kammar
December 10th & 12th 2014
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Agenda
• Platform Overview & Resources
• Role Based Access
• Zero Touch Provisioning
Introducing the Aruba Mobility Access Switch Family
• Security to wired access
  – Flexible role-based access
  – Policy moves from wireless to wired
• Operational simplicity
  – Low-touch installation and configuration
  – Dynamic configuration of user policies
  – Integration with Aruba APs
• 802.11ac Ready
  – 802.3at on all PoE models
Mobility Access Switch Capabilities
[Diagram labels: Mobility Access Switch, Access Point, LAN Core, Mobility Controller, AirWave Management Platform, ClearPass Policy Manager; callouts: A. L2/L3 Forwarding, B. User-Role Download, C. Wired AP]
A. Ethernet Switch
  – Layer 2/3 forwarding
  – Native Role-based policy enforcement
B. Integration with ClearPass
  – Downloadable Role/ACL
  – Captive Portal
C. Wired Access Point
  – Role-based policy enforcement at Mobility Controller
  – Single policy for WLAN and LAN
S3500 Mobility Access Switch
• Designed for Wired Access
  – 24/48 Port Models
  – Role-based access with user visibility
  – Per port PoE/PoE+
• ArubaStack
  – Stack up to 8 devices
  – Up to 384x GbE and 16x 10GbE
• Modular Components
  – Field replaceable AC power supplies
    • Optional redundant power supply
  – Field replaceable fan tray
  – Optional 4-port uplink module
    • 1000BASE/10GBASE-x SFP/SFP+

SKU          Ports                   PoE Budget
S3500-24F    24x1000BASE-x           Not Applicable
S3500-24T    24x10/100/1000BASE-T    Not Applicable
S3500-24P    24x10/100/1000BASE-T    400W | 689W
S3500-24PF   24x10/100/1000BASE-T    850W | 1465W
S3500-48T    48x10/100/1000BASE-T    Not Applicable
S3500-48P    48x10/100/1000BASE-T    400W | 689W
S3500-48PF   48x10/100/1000BASE-T    850W | 1465W
S3500: Front & Rear Views
[Figure: S3500-48P Front View and S3500 Rear View. Labels: Optional Uplink Module; USB Console; Field-Replaceable Fan Tray; Hot-Swappable Power Supplies; Ethernet Out-of-Band; Fixed 10/100/1000BASE-T Ports; LCD Display]
• Dimensions & Airflow
  – 1RU
  – 1.75" (H) x 17.5" (W) x 17.5" (D)
  – Front/Side to Rear Airflow
• Mounting Options
  – 2 Post Rack (front & mid-mount)
  – 4 Post Rack
  – Wall Mount
• Limited Lifetime Warranty
S2500 Mobility Access Switch
SKU          Ports                   PoE Budget
S2500-24P    24x10/100/1000BASE-T    400W
S2500-48T    48x10/100/1000BASE-T    Not Applicable
S2500-48P    48x10/100/1000BASE-T    400W

• Designed for Wired Access
  – 24/48 Port 10/100/1000BASE-T
  – Role-based access with user visibility
  – Per port PoE/PoE+
• ArubaStack
  – Stack up to 8 devices
  – Up to 384x GbE and 16x 10GbE
• Integrated Components
  – Built in fans for quiet operation
  – Fixed 4-port uplinks
    • 1000BASE/10GBASE-x SFP/SFP+
S2500: Front & Rear Views
• Dimensions & Airflow
  – 1RU
  – 1.75" (H) x 17.5" (W) x 12.5" (D)
  – Side to Side Airflow
• Mounting Options
  – 2 Post Rack (Front)
  – Wall & 2-Post Mid Mount
• Limited Lifetime Warranty
[Figure: S2500 Front View and S2500 Rear View. Labels: LCD Display; Fixed 4x 1000BASE-x/10GBASE-x (SFP/SFP+) Ports; Ethernet Out-of-Band; RJ-45 & Mini-USB Console; USB; Integrated Power Supply; Fixed Fans; 48x 10/100/1000 (RJ45) Ports]
S1500 Mobility Access Switch
SKU          Ports                   PoE Budget
S1500-12P    24x10/100/1000BASE-T    120W
S1500-24P    24x10/100/1000BASE-T    400W
S1500-48P    48x10/100/1000BASE-T    400W

• Designed for Wired Access
  – 12/24/48 Port 10/100/1000BASE-T
  – Role-based access with user visibility
  – Per port PoE/PoE+
• ArubaStack
  – Stack up to 8 devices
• Integrated Components
  – Built in fans for quiet operation (24P/48P)
  – Fanless for public spaces (12P)
  – Fixed 2-port (12P) & 4-port (24P/48P) uplinks
    • 1000BASE-x SFP
S1500-24P/48P: Front & Rear Views
• Features & Scaling
  – Same features as S2500/S3500
  – Reduced scaling vs. S2500/S3500
• Dimensions & Airflow
  – 1RU
  – 1.75" (H) x 17.5" (W) x 12.5" (D)
  – Side to Side Airflow
• Mounting Options
  – 2 Post Rack (Front)
  – Wall & 2-Post Mid Mount
• Limited Lifetime Warranty
[Figure: S1500-48P Front View and S1500-24/48P Rear View. Labels: Console; USB; Fixed 4x 1000BASE-X (SFP) Ports; 48x 10/100/1000 (RJ45) Ports; Integrated Power Supply; Fixed Fans; Mode LEDs and Selector]
S1500-12P: Front & Rear Views
• Features & Scaling
  – Same features as S2500/S3500
  – Reduced scaling vs. S2500/S3500
• Dimensions & Airflow
  – 1.75" (H) x 13" (W) x 12.5" (D)
  – Fanless
• Mounting Options
  – Desktop (Rubber feet included)
  – Rack & Wall Mount (Included)
  – Magnet Mount (Optional)
• Limited Lifetime Warranty
[Figure: S1500-12P Front View and S1500-12P Rear View. Labels: USB; Console RJ-45; 12x 10/100/1000Base-T (With 8x PoE/PoE+); 2x 1000BASE-x (SFP); Mode LEDs and Selector; Vents for Cooling on Top and Bottom for Fanless Design; Integrated Power Supply; Security Lock Slot]
Platform Comparison
Capability / Feature        S3500-XXP             S3500-XXT             S2500-XXP       S2500-XXT       S1500-XXP       S1500-12P
Number of Ports             24/48                 24/48                 24/48           24/48           24/48           12
Uplink Performance          4 x 10G SFP+          4 x 10G SFP+          4 x 10G SFP+    4 x 10G SFP+    4 x 1G SFP      2 x 1G SFP
Uplinks Options             Modular               Modular               Integrated      Integrated      Integrated      Integrated
LCD                         Yes                   Yes                   Yes             Yes             No              No
Modular Power               Yes                   Yes                   No              No              No              No
Dual Power                  Yes                   Yes                   No              No              No              No
PoE Budget (W)              400/689/1465          N/A                   400             N/A             400             120
Max Simultaneous PoE/PoE+   48[A]/48[A]           N/A                   25/13           N/A             25/13           7/4
Modular Fan (FRU)           Yes                   Yes                   No              No              No              No
Depth                       17.5"/19.5" [A]       17.5"                 <13"            <13"            <13"            <9"
Ambient Sound               48dB                  48dB                  42dB            42dB            42dB            0dB
List Price (24/48)          $3,995[B]/$6,995[B]   $3,195[B]/$5,495[B]   $3,795/$6,795   $2,995/$5,195   $2,495/$4,595   $1,595

Note [A]: Assumes dual 1050W power supplies
Note [B]: Single power supply (600W for P SKU and 350W for T SKU) and no uplink module (S3500-4x10G - List $1495)
Features & Capabilities
Platform / Layer 2 Features
• Spanning Tree Protocols
  – MSTP & Rapid PVST+
• Link Aggregation Group
• L2 Generic Routing Encapsulation
• Voice VLAN
  – LLDP-MED & CDP Fingerprinting
• Port Security
  – DHCP Snooping, DAI & IPSG
• Quality of Service
  – Strict Priority Queuing
  – 1 Rate Tri-Color Policing

Routing Features
• Routed VLAN Interfaces (RVI)
• Static Routing
• OSPFv2
  – Summarization & Route Filtering
• Policy Based Routing
• Virtual Router Redundancy Protocol
• L3 Generic Routing Encapsulation
• Multicast
  – PIM-SM & PIM-SSM
  – IGMPv1/v2/v3 Snooping
  – MLDv1
Features & Capabilities (cont.)
Branch Features
• Redundant Uplinks
  – L3 Interface Monitoring (ping-probe)
  – Route Metrics for DHCP Enabled L3 Interfaces
• Dynamic DNS Client
• Network Address Translation
  – Source/Destination NAT via ACL
  – Interface Based Source NAT
  – NAT Pools
• Stateful Firewall
  – Session ACLs on RVIs & User-Roles

Branch Features (cont.)
• Site to Site VPN
  – Standby VPN Interface
  – Default Route to VPN
  – OSPF over VPN
• Aruba VPN
  – Certificate based VPN using Mobility Controller Whitelist
• Tunneled Node over Site to Site or Aruba-VPN
• DHCP Services
  – Dynamically distribute DHCP scopes from Mobility Controller
Features & Capabilities (cont.)
Authentication & Security
• Role Based User Access
• Deny Inter User Traffic
• User Derived Roles
  – MAC OUI, DHCP Sig. & LLDP/CDP Phone Match
• AAA Authentication
  – 802.1x, MAC Auth & Captive Portal
• External Authentication Servers
  – RADIUS, TACACS+ & LDAP
• RADIUS Fail-Open

Aruba Portfolio Integration
• Mobility Controller
  – Aruba VPN
  – Tunneled Node
  – AirGroup
• Access Points
  – Auto AP PoE Prioritization (IAP/CAP)
  – Auto AP QoS Trust (IAP/CAP)
  – Auto AP Interface Config. (IAP/CAP)
  – Rogue AP Containment (IAP)
  – VLAN Sharing (IAP)
• ClearPass Policy Manager
  – Downloadable Roles & Guest
Features & Capabilities (cont.)
Management
• Command Line Interface
• Web UI
• Aruba Activate
  – Cloud Provisioning Service
  – Direct Mobility Access Switch to AirWave or Controller for VPN
• Aruba Central
  – Cloud Management Service
• AirWave Management Platform
• Discovery via DHCP
• Discovery via Activate

Optics & DACs
• SFP/SFP+ Optics
  – 1000BASE-T
  – 1000BASE-SX
  – 1000BASE-LX
  – 1000BASE-EX
  – 1000BASE-ZX
  – 10GBASE-SR
  – 10GBASE-LR
  – 10GBASE-LRM
  – 10GBASE-ER
  – 10GBASE-ZR
• Twinax/Direct Attach Copper
  – 50cm/1m/3m/5m/7m
Configuration made simple through intelligent wizards.
https://ase.arubanetworks.com
• 27 solutions and growing.
• Solutions for Aruba Mobility Controllers, Mobility Access Switches, Instant APs, and CPPM/CPG.
• 1900+ users. 75,000 views.
Role Based Access
AAA View of the World
Our Mobility Access Switches see…
• Manufacturers: via MAC OUI
• Operating Systems: via DHCP Fingerprinting
• IP Phones: via Device-Type Fingerprinting
And our security enforcement model uses…
• MAC Addresses
• Usernames/Passwords
• User-roles
…provisioned locally or dynamically which simplifies AAA deployments
ClearPass Policy Manager Integration
[Diagram labels: 802.11n AP; Mobility Access Switch; Mobility Controller; ClearPass; Policy Enforcement; Policy Definition]
Context
• User: Joe Smith
• Role: Guest
1. User provides their credentials and other context to Authenticate
2. ClearPass Policy Manager returns Role & Policy for User/Device
3. Role & Policy pushed to the Mobility Controller for Role & Policy Enforcement
3. Role & Policy pushed to the Mobility Access Switch for Role & Policy Enforcement
Role Based Access Demo
Zero Touch Provisioning
AirWave Discovery using DHCP & Aruba Activate
[Diagram labels: Branch Location (Mobility Access Switch); Aruba Activate; Headquarters Location (AirWave Management Platform)]
1. Customer Enables Service & Inputs Provisioning Rules
2. Mobility Access Switch first attempts to download a configuration via TFTP
3. When TFTP fails, the Mobility Access Switch attempts to contact AirWave using credentials supplied by DHCP.
4. If no credentials are supplied via DHCP options, the Mobility Access Switch attempts to contact Activate.
5. Activate responds with AirWave IP, Shared Secret, Group Name and Folder Name and optional Controller IP for Aruba-VPN
6. Mobility Access Switch contacts AirWave and provides Shared Secret, Group Name and Folder Name.
7. AirWave contacts Mobility Access Switch and pushes down group configuration
Diagram callouts: "TFTP? Are you there?"; "Argh! No Airwave details from DHCP either!"; "Help me Aruba Activate, you're my only hope!"; "Hi Mobility Access Switch!"; "Hi Airwave! Configure Me!"; "Hi Mobility Access Switch!"; "Yippie! All Configured!"
AirWave Management Platform & Mobility Access Switch
• Hardware Monitoring & User Visibility
  – Inventory and Uptime
  – Visibility Into Wired Network Usage
  – SNMP Trap and Syslog Support
• Software Configuration & Firmware Management
  – Configuration Changes & Backups
  – Firmware Upgrades
• Reporting
  – Compliance Reporting
  – Report and Track Wired Users
Zero Touch Provisioning Demo
Thank You