2012 ah emea advanced mobility design

Presentation Transcript

    • CONFIDENTIAL © Copyright 2012. Aruba Networks, Inc. All rights reserved. JOIN: community.arubanetworks.com FOLLOW: @arubanetworks DISCUSS: #airheadsconf
    • MOBILE DEVICE FUNDAMENTALS. Keith Mataranglo, Aruba Networks Germany, May 21st, 2012
    • TODAY’S NETWORK
    • MOBILE DEVICE TYPES: Stationary Devices, Somewhat Mobile Devices (SMD), Highly Mobile Devices (HMD). (Diagram: device classes placed along a wireless mobility scale; laptop shown.)
    • Mobile Device Fundamentals Topics
      – Device Characteristics: Portability; 802.11 support; Roaming; Speed and capabilities
      – WLAN Requirements: Applications; Management; QoS and Access Control; Security
      – Aruba Design Pillars: Device Configuration; Airtime Optimization; Roaming Optimization; IP Mobility Configuration; IP Multicast Optimization; Interference Resistance
    • 6 Principles of Optimizing the WLAN
      1. Device Configuration: some device changes require corresponding changes to the WLAN infrastructure, e.g., basic rate support and DTIM.
      2. Airtime Optimization: roaming devices are sensitive to RF congestion and inefficiencies. Improve performance using load balancing across APs and channels.
      3. Roaming Optimization: roaming decisions can be influenced by optimizing data rates, output power and retry thresholds, and by using the Handoff Assist feature.
      4. IP Mobility Configuration: good IP mobility design is critical in these environments. Selection of layer-2 (L2) or layer-3 (L3) roaming requires careful planning.
      5. IP Multicast Optimization: reducing and optimizing multicast traffic over the air and on the wire is vital.
      6. Interference Resistance: devices are likely to encounter and be impacted by adverse RF conditions.
    • Principle #1 – Device Configuration
      – Optimal device settings
      – Shared or dedicated SSIDs
      – Enable 802.11h (DFS/TPC)
      – Maximize battery life
      – End-to-end QoS for voice devices
      – Push-to-talk (PTT)
      – Security and encryption
      – Mobile device management (MDM)
    • Mobile Device RF components: antenna, internal radio and WLAN NIC (diagram)
    • Don’t do this!! (photo)
    • Mounting APs for coverage: ceiling vs. wall (diagram)
    • Principle #2 – Airtime Optimization
      – RF optimizations: band steering; spectrum load balancing; airtime fairness; mode-aware ARM; voice/video-aware ARM; load-aware ARM; PS-aware ARM
      – Reducing broadcasts and multicasts
      – Limiting “chatty” protocols
      – AP capacity planning (voice devices)
    • Principle #3 – Roaming Optimization
      – Ensuring complete Wi-Fi coverage
      – VLAN pooling
      – Fast roaming (802.11r & OKC)
      – Device-specific roaming settings: ARM power adjustments (match client and AP power); retry and failure settings (voice devices)
      – PMK caching results in 4x faster roaming speeds than non-PMK caching.
    • Principle #4 – IP Mobility Configuration
      – Layer 2 mobility: the client maintains its IP address as it roams and is assigned an address from the same IP subnet
      – Layer 3 mobility: the user roams from AP-Subnet A to AP-Subnet B; the layer 3 network address must change to maintain L3 connectivity on Subnet B; Aruba L3 Mobility allows the roaming client to maintain the same IP address
      (Diagrams: L2 Mobility design, L3 Mobility design)
    • Principle #5 – IP Multicast Optimization
      – Effects of multicast: reduce multicast traffic over the air and on the wire to improve channel efficiency
      – IGMP snooping/proxy to eliminate unnecessary data replication and controller processing
      – Multicast rate optimization to increase the lowest base rate
      – Dynamic multicast optimization (DMO) to convert multicast frames to frames with unicast headers
      – Use of ToS/QoS on the controller and wired infrastructure; port-based or user session ACL
      – Block mDNS (if not required) with user roles
      – Use bandwidth contracts to protect unicast traffic
    • Principle #6 – Interference Resistance
      – FHSS and non-802.11 interference
      – Noise immunity
      – Fixed frequency interference
      – 802.11 co-channel (CCI) and adjacent channel interference (ACI)
      – RX sensitivity channel reuse
      – Aruba Spectrum Monitor
    • TOPIC OVERVIEW: Management Tools, Device Profiling, Policy Enforcement
    • MANAGED VS. UNMANAGED DEVICES (Overview). (Diagram: any network; any devices and users, including VPN, iOS, Android and Ultrabooks; any user; security that is reliable & intuitive; simplified management)
    • MANAGED DEVICES (Overview)
      – Primarily Windows laptops
      – Managed using Windows Active Directory policies
      – Client 802.1X supplicant is configured by IT staff to connect securely
      – Applications can be limited by user
      – Machine authentication can be enforced
      – WLAN policies or VPN software can be configured by IT staff
    • UNMANAGED DEVICES (Overview): network services are needed for unmanaged devices to access the WLAN securely. (Diagram: WLAN, WLAN Controller, Network Management, Mobility Access, Policy Management)
    • TOPIC OVERVIEW: Policy Enforcement, Management Tools, Overview
    • DEVICE PROFILING AND ROLE (Device Profiling): based on AOS 6.0.1 or 6.1.1. Type of device allowed on the WLAN; the role determines access: firewall policy; bandwidth constraints; VLAN; QoS
    • OS FINGERPRINTING PURPOSE
      – OS fingerprinting allows the Aruba controller to classify the device type and assign a role (iOS, BlackBerry, etc.)
      – Two methods: monitor the dhcp-option (User Class Option) included in the client’s request; browser HTTP user-agent string identification (watches HTTP traffic from the station looking for the user-agent string)
    • FINGERPRINTING PROCESS: identify the device value of the DHCP option; create a firewall role; write and apply a user derivation rule
    • IDENTIFYING THE DEVICE SIGNATURE
      Enable DHCP debugging:
        # configure terminal
        # logging level debugging network subcat dhcp
      View debug output:
        # show log network all | include Option
        Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936
    • CREATE FIREWALL DERIVATION RULE
      – Inspection and role assignment are enabled through User Derived Rules: new UDR condition “dhcp-option”
      – Note that 37 0103060F77FC means DHCP option 55 (hex 37) and the value is 010306…
        aaa derivation-rules user abc
          set role condition dhcp-option equals 370103060F77FC set role ios
          set role condition dhcp-option starts-with 0c616E64726F69645F set role android
          set role condition dhcp-option equals 3C426C61636B4265727279 set role blackberry
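As an added worked example (not code from the slides or from Aruba), the following Python decodes the Options field of the debug line on the previous slide and re-implements the equals / starts-with matching that the three derivation rules above apply to the option code plus value. The log line is a constructed copy of the one shown; the rule list mirrors the slide's "aaa derivation-rules user abc" block, and the "guest" default role is an assumption.

```python
import re

# Constructed copy of the "show log network all | include Option" line shown on the slide.
SAMPLE_LOG = (
    "Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: "
    "REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 "
    "Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936"
)

# The slide's three rules as (operator, option-code hex + value hex, role); first match wins.
RULES = [
    ("equals", "370103060F77FC", "ios"),
    ("starts-with", "0c616E64726F69645F", "android"),
    ("equals", "3C426C61636B4265727279", "blackberry"),
]

LINE_RE = re.compile(r"REQUEST (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) reqIP=\S+ Options (?P<opts>.*)$")

def parse_options(line):
    """Return (client MAC, {option code: value hex}) for one DHCP REQUEST debug line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a DHCP REQUEST debug line")
    opts = {}
    for token in m.group("opts").split():      # each token looks like "37:0103060f0c"
        code_hex, _, value_hex = token.partition(":")
        opts[int(code_hex, 16)] = value_hex
    return m.group("mac"), opts

def derive_role(opts, rules=RULES, default="guest"):
    """Match "<code><value>" hex against equals / starts-with rules, case-insensitively."""
    for op, pattern, role in rules:
        code = int(pattern[:2], 16)            # first byte of the pattern is the option code
        if code in opts:
            probe = f"{code:02x}{opts[code]}".lower()
            pat = pattern.lower()
            if (op == "equals" and probe == pat) or (op == "starts-with" and probe.startswith(pat)):
                return role
    return default

def describe(opts):
    """Decode the two fingerprint-relevant options: 55 parameter request list, 12 hostname."""
    out = {}
    if 55 in opts:
        out["param_request_list"] = list(bytes.fromhex(opts[55]))
    if 12 in opts:
        out["hostname"] = bytes.fromhex(opts[12]).decode("ascii", "replace")
    return out
```

The sample device requests options 1, 3, 6, 15 and 12 rather than the 1, 3, 6, 15, 119, 252 list the iOS rule expects, so it falls through to the default role. Because every matched value is supplied by the client, a role derived this way classifies the device but does not authenticate it.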
    • CONFIGURATION IN WEB UI (screenshot)
    • TOPIC OVERVIEW: Policy Enforcement, Overview, Device Profiling
    • MOBILE DEVICE ACCESS CONTROL (Management Tools)
      – 802.11n Wi-Fi: device fingerprinting, role-based access; security & BW policies by device; multimedia grade
      – Web login server: self-service device configuration portal; device authorization
      – Management server: device and OS visibility; troubleshooting & capacity planning
    • DEVICE MANAGEMENT VS ACCESS CONTROL (Management Tools)
      – Protect the network: Access Control
      – Restrict usage and bandwidth: Access Control
      – Device-level visibility: Access Control
      – Configure net/sec settings: Access Control and Mobile Device Management (MDM)
      – Remote wipe & remote control: MDM
      – Manage applications and firmware: MDM
    • WHEN TO USE MDAC & MDM (Management Tools). Axes: Email, Intranet vs. Business-specific Apps; Employee Liable vs. Corporate Liable.
      – Use MDAC only: remotely configure network access; protect network; device visibility; cost-effective
      – Use MDAC + MDM: remotely configure network access AND applications; protect network AND device data; device troubleshooting
    • IT POLICY (Management Tools)
      – Tolerated (Employee Liable): employee owned (BYOD); partially secured and controlled; limited to safe interactions
      – Trusted (Corporate Liable): corporate issued; fully controlled and secured; unrestricted
    • MOBILE DEVICE PROVISIONING – Bring Your iPad to Work (Management Tools)
      1. User fingerprinting
      2. Device fingerprinting
      3. iPad self registration
      4. Context aware access control
      ✔ Zero IT touch, context aware access ✔ Auto-identification of user, device, application ✔ Monitoring, reporting per user and per device
      (Diagram components: Active Directory, Amigopod, Mobility Controller, 802.11n AP)
    • TOPIC OVERVIEW: Management Tools, Overview, Device Profiling
    • SECURE NETWORK ACCESS FOR MOBILE DEVICES (Policy Enforcement): 1. Provision device; 2. Invoke a policy; 3. Enforce policy
    • AUTOMATE DEVICE CONFIGURATION (Policy Enforcement): 1. Connects to web portal; 2. Policy Manager server / application installer configures 802.1X, VPN & e-mail and provisions device credentials; 3. Access network. (*Windows only at launch)
    • CONTROL COMPROMISED DEVICES (Policy Enforcement): detect unsecure devices; block access to network resources across wired, wireless & remote; auto-remediate the device; minimal risk to network. (Diagram: Access Network, Policy Manager)
    • AUTOMATE ACCESS (Policy Enforcement): 1. Collect visitor information (new visitor); 2. Sponsor prompted to confirm that the guest is valid; 3. Account enabled, visitor notified via screen, SMS, or email; access network. (Diagram: Policy Manager, Sponsor)
    • ACCESS POLICY (Policy Enforcement)
      – BYOD Policy: allow personal devices into a limited access zone (LAZ)
      – Executive Class Policy: deliver executive traffic with higher priority
      – Multimedia Policy: optimize delivery of Lync traffic over the air
      – Unauthorized Use Policy: disable rogue AP, blacklist user
      – Device Revocation Policy: disable device access, not user access, if stolen/lost
      – Device Quarantine Policy: quarantine unhealthy devices for remediation
      (Diagram: Policy, VPN)
    • New Certification!
    • Aruba Certifications
      – Become one of the few experts on secure mobility.
      – Make a good move for your career, get certified.
      – Product Training: Mobility and Mesh certifications
      – End-to-End, Solutions Based: Aruba Certified Solutions Professional (ACSP) Certification; open to all IT engineers; practical training on RF, secure network access and mobile devices
      (Diagram: ACMA, ACMP, ACSP, CCxx, MCxx, CWxx, ACMX, ACDX)
    • ACSP Training Classes
      – Part 1 (April 2012): Module 1 802.11 RF Fundamentals; Module 2 Wi-Fi Authentication & Encryption; Module 3 Mobile Device Wi-Fi Best Practices
      – Part 2 (August 2012): Module 4 RF Design in Challenging Environments; Module 5 Centralized WLAN Design; Module 6 Mobile Device Management & Security
      – Part 3 (January 2013): Module 7 Advanced Topics in Wi-Fi Design; Module 8 WLAN Security for Compliance; Module 9 Multimedia and UC Services over Wi-Fi