This session will discuss WAN, branch and remote networking, including zero touch deployment, network security, simple and fast convergence for large scale IPSec deployments, seamless integration with cloud-based services, ADVPN, and others.

1. #ATM16
Branch and Remote
Access Networks
Design Fundamentals
Shiv Mehra, Jone Ostebo and Yan Liu @ArubaNetworks |

2. 2#ATM16
Agenda
Product Portfolio
Zero Touch Provisioning
Deployment Models
@ArubaNetworks |

3. 3#ATM16
Cloud Services Controller Portfolio
@ArubaNetworks |
CAMPUS – 72xx
BRANCH – 70xx
7005
16 APs/1K Users
2 Gbps Firewall
7010
32 APs/2K Users
12 POE Ports
4 Gbps Firewall
7030
64 APs/4K Users
8 Gbps Firewall
7210
512 CAP/512 RAP
16K Users
20 Gbps Firewall
7205
256 APs/8K Users
12 Gbps Firewall
7220
1024 CAP/1024 RAP
24K Users
40 Gbps Firewall
7240
2048 CAP/2048 RAP
32K Users
40 Gbps Firewall
7024
32 APs/2K Users
24 POE Ports
4 Gbps Firewall

4. 4
Zero Touch Provisioning (ZTP)
How to adopt a factory default IAP or Branch
Controller

5. 5#ATM16
Zero Touch Provisioning (ZTP)
–Controller Modes
–Controller and IAP Base Architecture
–Provision Modes
–Branch Configuration?
–Branch Networking
–Bad Configuration Push
@ArubaNetworks |

6. 6#ATM16
Modes supported by the controllers - Master
@ArubaNetworks |
Master11
7240/7220/7210

7. 7#ATM16
Modes supported by the controllers - Local
@ArubaNetworks |
7005
Master11
7240/7220/7210
Local12

8. 8#ATM16
Modes supported by the controllers - Branch
@ArubaNetworks |
7005
Master11
7240/7220/7210
Local12
Branch13
Only 70xx series support BRANCH mode

9. 9#ATM16
ZTP
–Controller Modes
–Controller and IAP Base Architecture
–Provision Modes
–Branch Config?
–Branch Networking
–Bad Config Push
@ArubaNetworks |

10. 10#ATM16
Branch Controller Architecture
@ArubaNetworks |
INTERNET
Branch 1
Headquarter
Branch 2 Branch 3
Internet

11. 11#ATM16
Branch Controller Architecture
@ArubaNetworks |
Branch 1
Headquarter
Branch 2 Branch 3
INTERNET
Internet
VPN

12. 12#ATM16
Instant AP Architecture
@ArubaNetworks |
INTERNET
Headquarter
Internet
Branch 1
Instant
Cluster
Branch 2
Instant
Cluster
Branch 3
Instant
Cluster

13. 13#ATM16
Instant AP Architecture
@ArubaNetworks |
Headquarter
Internet
Branch 1
Instant
Cluster
Branch 2
Instant
Cluster
Branch 3
Instant
Cluster
INTERNET
VPN

14. 14#ATM16
ZTP
–Controller Modes
–Controller and IAP Base Architecture
–Provision Modes
–Branch Config?
–Branch Networking
–Bad Config Push
@ArubaNetworks |

15. 15#ATM16
Provision Modes
@ArubaNetworks |
Zero Touch Provisioning (Auto)11
Semi-Auto (mini-setup)12
Manual (full-setup)13

16. 16#ATM16
Zero Touch Deployment
@ArubaNetworks |
DHCP Options11
Activate12

17. 17#ATM16
Zero Touch Deployment
@ArubaNetworks |
DHCP Options11
Activate12
GE 0/0/3
GE 0/0/15
GE 0/0/7
GE 0/0/23
• Last Port of 70xx is set:
• VLAN 4094
• DHCP Client

18. 18#ATM16
Zero Touch Provisioning – DHCP Options
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Internet Services
INTERNET
DHCP
DHCP Req with Option 60 set
to ArubaMC

19. 19#ATM16
Zero Touch Provisioning – DHCP Options
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Internet Services
INTERNET
DHCP
DHCP Req with Option 60 set
to ArubaMC

20. 20#ATM16
Zero Touch Provisioning – DHCP Options
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Internet Services
INTERNET
DHCP
DHCP Req with Option 60 set
to ArubaMC
DHCP Resp with Option 43 set
to Master controller IP and
country code of operation for
branch controller

21. 21#ATM16
Zero Touch Provisioning – DHCP Options
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Internet Services
INTERNET
DHCP
DHCP Req with Option 60 set
to ArubaMC
DHCP Resp with Option 43 set
to Master controller IP and
country code of operation for
branch contoller

22. 22#ATM16
Zero Touch Provisioning – Activate
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Aruba Activate
INTERNET
DHCP/DNS
DHCP Req with Option 60 set
to ArubaMC
DHCP Resp has no Option 43
Resolve
device.arubanetworks.com

23. 23#ATM16
Zero Touch Provisioning – Activate
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Aruba Activate
INTERNET
DHCP/DNS
DHCP Req with Option 60 set
to ArubaMC
DHCP Resp has no Option 43
Resolve
device.arubanetworks.com

24. 24#ATM16
Zero Touch Provisioning – Activate
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Aruba Activate
INTERNET
DHCP/DNS
DHCP Req with Option 60 set
to ArubaMC
DHCP Resp has no Option 43
Resolve
device.arubanetworks.com
Communicate with Activate on
port 443 (HTTPS)

25. 25#ATM16
Semi – Auto (mini-setup)
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Internet Services
INTERNET
DHCP
DHCP Req with Option 60 set
to ArubaMC
DHCP Resp without Option 43
Device not found in activate

26. 26#ATM16
Semi – Auto (mini-setup)
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Internet Services
INTERNET
DHCP
DHCP Req with Option 60 set
to ArubaMC
DHCP Resp without Option 43
Device not found in activateEnter Option (partial string is acceptable): mini-setup
Enter Branch Master switch IP address or FQDN: 10.69.129.100
Auto-provisioning is in progress. Choose one of the following options to override or debug...
'enable-debug' : Enable auto-provisioning debug logs
'disable-debug' : Disable auto-provisioning debug logs
'mini-setup' : Stop auto-provisioning and start mini setup dialog for branch role
'full-setup' : Stop auto-provisioning and start full setup dialog for any role
Enter Country Code: US

27. 27#ATM16
Manual (full-setup)
@ArubaNetworks |
Enter Option (partial string is acceptable): full-setup
Auto-provisioning is in progress. Choose one of the following options to override or debug...
'enable-debug' : Enable auto-provisioning debug logs
'disable-debug' : Disable auto-provisioning debug logs
'mini-setup' : Stop auto-provisioning and start mini setup dialog for branch role
'full-setup' : Stop auto-provisioning and start full setup dialog for any role
Are you sure that you want to stop auto-provisioning and start full setup dialog? (yes/no): yes
Enter System name [Aruba7005]: branch01-7005
Enter Switch Role (master|local|standalone|branch) [master]: branch
Enter Branch Master switch IP address or FQDN [172.16.0.254]: 10.69.129.100
Enter Branch wired uplink port [GE 0/0/0]: GE 0/0/3
Enter Branch wired-vlan Type (pppoe|dhcp|static) [static]: dhcp
This controller is restricted to Country code US for United States, please confirm?: yes
Enter Time Zone [PST-8:0]:
Enter Time in UTC [00:24:38]:
Enter Date (MM/DD/YYYY) [5/5/2015]:

28. 28#ATM16
HTTPS (mac address, serial number, SKU)
IAP - Activate Provisioning
@ArubaNetworks |
Internet
Master IAP/VC Activate
HTTPS (Provisioning settings)
DNS
Resolve device.arubanetworks.com
HTTPS

29. 29#ATM16
IAP – DHCP Provisioning
@ArubaNetworks |
Internet
Master IAP/VC ActivateDHCP
DHCP request with option 60
HTTPS
DHCP response with option 43

30. 30#ATM16
ZTP
–Controller Modes
–Controller and IAP Base Architecture
–Provision Modes
–Branch Configuration?
–Branch Networking
–Bad Configuration Push
@ArubaNetworks |

31. 31#ATM16
How does branch get its configuration?
@ArubaNetworks |
– 6.4.3 Introduces Smart Config Menu
– GUI based configuration ONLY
7240/7220/7210
Branch Config Group Whitelist
00:0b:86:b8:c2:98
00:0b:86:bd:33:44
00:0b:86:b8:ff:cd
MAC Address of Remote
Branch Controllers 70xx

32. 32#ATM16
How to configure the Whitelist?
@ArubaNetworks |
7240/7220/7210
Aruba Activate
Automatic via Activate

33. 33#ATM16
How to configure the Whitelist?
@ArubaNetworks |
7240/7220/7210
Aruba Activate
Automatic via Activate

34. 34#ATM16
How to configure the Whitelist?
@ArubaNetworks |
7240/7220/7210
Aruba Activate
Automatic via Activate Manual via User Input
7240/7220/7210

35. 35#ATM16
How to configure the Whitelist?
@ArubaNetworks |
7240/7220/7210
Aruba Activate
Automatic via Activate Manual via User Input
7240/7220/7210

36. 36#ATM16
ZTP
–Controller Modes
–Controller and IAP Base Architecture
–Provision Modes
–Branch Configuration?
–Branch Networking
–Bad Configuration Push
@ArubaNetworks |

37. 37#ATM16
What options does the branch config group have?
@ArubaNetworks |
• System
• User/Password
• Timezone
• Syslogs etc.
• Networking
• VLAN’s
• Ports
• Routing
• Policy Based
• Static Routes
• DHCP
• VPN
• WAN
• Survivability
• PAN
• Optimization
• Bandwidth management
Smart Config Menu

38. 38#ATM16
What options does the branch config group have?
@ArubaNetworks |
• System
• User/Password
• Timezone
• Syslogs etc.
• Networking
• VLAN’s
• Ports
• Routing
• Policy Based
• Static Routes
• DHCP
• VPN
• WAN
• Survivability
• PAN
• Optimization
• Bandwidth management
Smart Config Menu

39. 39#ATM16
What options does the branch configuration group have?
@ArubaNetworks |
• System
• User/Password
• Timezone
• Syslogs etc.
• Networking
• VLAN’s
• Ports
• Routing
• Policy Based
• Static Routes
• DHCP
• VPN
• WAN
• Survivability
• PAN
• Optimization
• Bandwidth management
Smart Config Menu

40. 40#ATM16
Branch Side VLANs and Subnets
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Printer
VLAN 2 VLAN 4094
• Uplink VLAN 4094
• In-branch VLAN 2
• Dynamically Assign Subnet
• Statically upload subnet info
CSC controller-ip cannot be IP of VLAN
4094

41. 41#ATM16
Branch Side VLANs and Subnets
@ArubaNetworks |
Brand Office
7005 Mobility
Controller
BRANCH OFFICE / TELECOMMUTER
Printer
VLAN 2 VLAN 4094
• Uplink VLAN 4094
• In-branch VLAN 2
• Dynamically Assign Subnet
• Statically upload subnet info
CSC controller-ip cannot be IP of VLAN
4094

42. 42#ATM16
Dynamically Assign Subnets
@ArubaNetworks |
Headquarter
s
172.16.0.0 – 172.16.255.255
Create a large subnet (e.g. /16)

43. 43#ATM16
Dynamically Assign Subnets
@ArubaNetworks |
Headquarter
s
Brand Office 1
Brand Office 2
Brand Office 3
Brand Office 4
Brand Office 5
Brand Office 6
Brand Office 256
●
●
●
●
172.16.0.0 – 172.16.255.255
Branch 1 – 172.16.1.0/24
Branch 2 – 172.16.2.0/24
Branch 3 – 172.16.3.0/24
Branch 255 – 172.16.255.0/24
●
●
●
●
Specify the size of branch subnet (e.g. /24 )
Branch 4 – 172.16.4.0/24
Branch 5 – 172.16.5.0/24
Branch 6 – 172.16.6.0/24

44. 44#ATM16
Dynamically Assign Subnets
@ArubaNetworks |
Headquarter
s
Brand Office 1
Brand Office 2
Brand Office 3
Brand Office 4
Brand Office 5
Brand Office 6
Brand Office 255
●
●
●
●
172.16.0.0 – 172.16.255.255
Branch 1 – 172.16.1.0/24
Branch 2 – 172.16.2.0/24
Branch 3 – 172.16.3.0/24
Branch 255 – 172.16.255.0/24
●
●
●
●
Specify the size of branch subnet (e.g. /24 )
Branch 4 – 172.16.4.0/24
Branch 5 – 172.16.5.0/24
Branch 6 – 172.16.6.0/24

45. 45#ATM16
Statically Assign Subnets
@ArubaNetworks |
Create a CSV File with the following parameters
• MAC Address – 00:55:55:55:55:43
• Description – STORE01
• Timezone - Pacific
• DST - ON
• Pool1 - Employee
• Domain1 – arubanetworks.com
• DNS1 – 10.1.10.10
• Vlan1 - 2
• Vlan1 IP – 192.168.2.1
• Mask1 – 255.255.255.0
• Pool2
• Domain2
• ……….
• Pool3
• Domain3
• ……..
• Pool4
• Domain4

46. 46#ATM16
Statically Assign Subnets
@ArubaNetworks |
Create a CSV File with the following parameters
• MAC Address – 00:55:55:55:55:43
• Description – STORE01
• Timezone - Pacific
• DST - ON
• Pool1 - Employee
• Domain1 – arubanetworks.com
• DNS1 – “10.1.10.10,10.2.10.10”
• Vlan1 - 2
• Vlan1 IP – 192.168.2.1
• Mask1 – 255.255.255.0
• Pool2
• Domain2
• ……….
• Pool3
• Domain3
• ……..
• Pool4
• Domain4

47. 47#ATM16
ZTP
–Controller Modes
–Controller and IAP Base Architecture
–Provision Modes
–Branch Configuration?
–Branch Networking
–Bad Configuration Push
@ArubaNetworks |

48. 48#ATM16
What happens if we push a bad configuration?
@ArubaNetworks |
7005
Master pushes wrong VLAN11
7240/7220/7210
Causes Connectivity Loss12

49. 49#ATM16
What happens if we push a bad configuration?
@ArubaNetworks |
7005
Master pushes wrong VLAN11
7240/7220/7210
Causes Connectivity Loss12
BoC Factory Defaults13
Master pushes config14
No push after 10 failures15

50. 50#ATM16
Summary - ZTP
@ArubaNetworks |
New mode called “Branch” introduced (only supported on 70xx)11
70xx ships with last port on 4094 with DHCP Client enabled12
ZTP requires DHCP (Option 43) or Activate configured13
Smart Config Menu on 72xx introduced to manage branch configs14
Ability to push VLANs, IP, DHCP server etc config from Smart Menu15
Ability to recover from bad config or upgrade push16

51. 51
Deployment Models - Branch Controller

52. 52#ATM16
L3 Distributed Architecture – Branch Controller
@ArubaNetworks |
70xx
72xxCSC deployed across Internet11
INTERNET
Corp Network

53. 53#ATM16
L3 Distributed Architecture – Branch Controller
@ArubaNetworks |
70xx
72xxCSC deployed across Internet11
Employee Traffic Tunneled12
VPN
Employee
INTERNET
Corp Network

54. 54#ATM16
L3 Distributed Architecture – Branch Controller
@ArubaNetworks |
70xx
72xxCSC deployed across Internet11
Employee Traffic Tunneled12
All Guest Traffic NAT’ed13
VPN
Employee
INTERNET
Corp Network
GuestNAT’ed
DHCP Server Distributed (On CSC)14

55. 55#ATM16
Configure Activate – Branch Controller
@ArubaNetworks |
Aruba Activate
Create Folders and Provision Rules11
Identify & Configure Master Controller12
Identify & Configure Branch Controller13

56. 56#ATM16
Enable Redundancy and Centralized Licensing
@ArubaNetworks |
Headquarter
s
INTERNET
Aruba Activate
Aruba 5400R
Corp NetworkVIP – 10.69.129.100
Centralized Licensing

57. 57#ATM16
AP Groups and CSC Smart Configuration
@ArubaNetworks |
Headquarter
s
INTERNET
Aruba Activate
Aruba 5400R
Corp Network
Create AP Groups (WLANs)11
Create Smart Config Group12
Configure VLAN’s, IP’s, DHCP etc.13

58. 58#ATM16
Sync Whitelist from Activate
@ArubaNetworks |
Headquarter
s
INTERNET
Aruba Activate
Aruba 5400R
Corp Network

59. 59#ATM16
Adopt CSC’s
@ArubaNetworks |
Branch 1
Headquarter
s
Branch 2 Branch 3
INTERNET
Aruba Activate
Aruba 5400R
Corp Network
VLAN 4094
DHCP Client
VLAN 4094
DHCP Client
VLAN 4094
DHCP Client
VPN

60. 60#ATM16
Master Pushes Configuration to CSC
@ArubaNetworks |
Branch 1
Headquarter
s
Branch 2 Branch 3
INTERNET
Aruba Activate
Aruba 5400R
Corp Network
VLAN 4094
DHCP Client
VLAN 4094
DHCP Client
VLAN 4094
DHCP Client
VPN
Employee
VLAN 2
172.16.0.1/24
Guest
VLAN 3
11.11.0.1/24
Employee
VLAN 2
172.16.1.1/24
Guest
VLAN 3
11.11.1.1/24
Employee
VLAN 2
172.16.2.1/24
Guest
VLAN 3
11.11.2.1/24

61. 61#ATM16
Tunnel Employee Traffic to Corp
@ArubaNetworks |
Branch 2Branch 1
Headquarter
s
Branch 3
INTERNET
Aruba Activate
Aruba 5400R
Corp Network
Employee Employee Employee
VPN
Employee
VLAN 2
172.16.0.100/24
Employee
VLAN 2
172.16.1.100/24
Employee
VLAN 2
172.16.2.100/24
10.0.0.0/8

62. 62#ATM16
Master Advertises Routes to Wired using OSPF
@ArubaNetworks |
Branch 2Branch 1
Headquarter
s
Branch 3
Aruba Activate
Aruba 5400R
Corp Network
Employee Employee Employee
VPN
Employee
VLAN 2
172.16.0.100/24
Employee
VLAN 2
172.16.1.100/24
Employee
VLAN 2
172.16.2.100/24
10.0.0.0/8
OSPF
INTERNET

63. 63#ATM16
Wired Advertises Routes to Master using OSPF
@ArubaNetworks |
Branch 2Branch 1
Headquarter
s
Branch 3
Aruba Activate
Aruba 5400R
Corp Network
Employee Employee Employee
VPN
Employee
VLAN 2
172.16.0.100/24
Employee
VLAN 2
172.16.1.100/24
Employee
VLAN 2
172.16.2.100/24
10.0.0.0/8
OSPF
INTERNET

64. 64#ATM16
Trace Employee Packet Path
@ArubaNetworks |
Branch 1
Headquarter
s
INTERNET
Aruba 5400R
Employee
VPN
10.1.1.100
172.16.1.100
ping 10.1.1.100
1. Employee to default GW (172.16.1.1)
2. CSC routes to Master-CSC IPSec tunnel
3. Master routes to Wired Switch (OSPF)
4. Wired switch routes to Server

65. 65#ATM16
NAT Guest Traffic via Uplink
@ArubaNetworks |
Branch 2Branch 1
Headquarter
s
Branch 3
INTERNET
Aruba Activate
Aruba 5400R
Corp Network
VPN
Guest Guest Guest
NAT

66. 66
Deployment Models - Instant AP

67. 67#ATM16
Centralized Layer 3
@ArubaNetworks |
Internet
Primary VPN Backup VPN
Master Master
IAP
SSID
Activate
Master
IAP
SSID
IAP
SSID
Master
Master
Master
Load balancer Load balancer
Firewall Firewall
DHCP DHCP

68. 68#ATM16
Centralized Layer 3 – Packet Flow
Internet
Firewall Load Balancer Controller
IPSec tunnel UDP 4500
802.1x RADIUS
DHCP
DHCP request
DHCP request unicast to DHCP server by IAP using
VLAN IP
DHCP response by DHCP server to IAP’s VLAN IP
DHCP response
Client
Corporate traffic
VC is the gateway

69. 69#ATM16
Distributed Layer 3 – Packet Flow
Internet
Client Member IAP Master IAP/VC Controller
Internet Traffic Src NATed with VC’s Local IP
Corp. Traffic forwarded through IPSec tunnel
DHCP Discover
ARP reply
Internet Traffic
Corp. Traffic
DHCP Offer
DHCP Request
DHCP Ack
Gateway ARP
IPSec tunnel UDP port 4500
VC is the GW.
BID allocation process

70. 70#ATM16
Centralized Layer 2 – Packet Flow
Internet
Client Member IAP Master IAP/VC Controller
Internet Traffic Src NATed with VC’s Local IP
Corp. Traffic forwarded through IPSec tunnel via GRE
DHCP Discover
ARP reply
Internet Traffic
Corp. Traffic
DHCP Offer
DHCP Request
DHCP Ack
Gateway ARP
IPSec tunnel UDP port 4500
Forwarded by VC to Controller via GRE
Forwarded by VC to Controller via GRE
Forwarded by VC to Controller via GRE
GW is in the DC, if WAN is down VC will proxy ARP for GW.

71. 71#ATM16
Join Aruba’s Titans of Tomorrow
force in the fight against network
mayhem. Find out what your
IT superpower is.
Share your results with friends
and receive a free superpower
t-shirt.
www.arubatitans.com

72. Thank you

73. Month day, year