The document introduces Aruba's Virtual Branch Network solution which virtualizes complex network operations in the data center and extends services securely to branch offices and teleworkers. This provides dedicated network infrastructure control and experience at a lower cost than traditional solutions. Remote deployments are simplified for IT to manage while supporting a distributed workforce across varying device types from a centralized management system.
This lab setup document emulates the recommended campus and remote access point networks discussed in the Aruba Campus Networks Validated Reference Design and the Aruba Remote Access Point (RAP) Networks Validated Reference Design. All the screenshots and command-line interface (CLI) configurations in the Aruba Campus Networks Validated Reference Design and the Aruba Remote Access Point (RAP) Networks Validated Reference Design are from this setup.
This guide covers Aruba Mobility Controllers and is considered part of the foundation guides within the VRD core technologies series. This guide will help you understand the capabilities and options you have when deploying an Aruba Mobility Controller. This guide describes operating modes for the mobility controller, licensing, forwarding modes, logical and physical deployment, redundancy, and how to select the appropriate mobility controller based on scalability requirements. Version 9 includes information on the 7200 series controller.
This guide details the advanced guest access features available to organizations through the combination of Aruba’s Amigopod and Mobility Controller solutions. This includes details of workflow management, RADIUS configuration, AAA configuration, and testing of the solution. This guide builds on the network defined in the Campus VRD.
To learn more, visit us at http://www.arubanetworks.com/wlan. Join the discussion at https://community.arubanetworks.com
This document describes the process for leveraging the ClearPass Guest captive portal to bypass the Captive Network Assistant (web sheet) that is displayed on iOS devices such as iPhone, iPad, and more recently, OS X machines running Lion (10.7) and above.
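The decision such a portal makes per request, as an added example that is not ClearPass Guest or ArubaOS code: answer Apple's connectivity probe with the page the device expects so the Captive Network Assistant sheet never opens and the guest lands in a full browser, and redirect every other request from an unauthenticated client to the login page. The probe hostnames and User-Agent prefix follow Apple's published behaviour but are assumptions here; the portal URL and the session table are constructed.

```python
"""Captive portal handling of the iOS / OS X Captive Network Assistant probe.

Added example, not ClearPass Guest or ArubaOS code. The probe hostnames and
User-Agent prefix are assumptions based on Apple's published behaviour; the
portal URL and the session table are constructed for illustration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode

PORTAL_URL = "https://guest.example.com/guest/login.php"       # assumption
APPLE_PROBE_HOSTS = {"captive.apple.com", "www.apple.com", "www.appleiphonecell.com",
                     "www.itools.info", "www.ibook.info", "www.airport.us",
                     "www.thinkdifferent.us"}
APPLE_PROBE_UA_PREFIX = "CaptiveNetworkSupport"
APPLE_SUCCESS_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"

# Constructed session table standing in for the controller's user table.
AUTHENTICATED = {"10.0.0.5"}


def is_apple_probe(host: str, user_agent: str) -> bool:
    """True for the connectivity check iOS/OS X issues right after association."""
    hostname = host.split(":")[0].lower()
    return user_agent.startswith(APPLE_PROBE_UA_PREFIX) or hostname in APPLE_PROBE_HOSTS


def portal_response(client_ip, host, path, user_agent, suppress_cna=True):
    """Return (status, headers, body) for one request reaching the portal.

    suppress_cna=True is the bypass: the probe is answered as if the client
    were online. With False the probe is redirected like any other request
    and the device shows the web sheet instead.
    """
    probe = is_apple_probe(host, user_agent)
    if client_ip in AUTHENTICATED:
        if probe:
            return 200, {"Content-Type": "text/html"}, APPLE_SUCCESS_BODY
        return 200, {"Content-Type": "text/plain"}, b"already logged in\n"
    if probe and suppress_cna:
        return 200, {"Content-Type": "text/html", "Cache-Control": "no-store"}, APPLE_SUCCESS_BODY
    # Carry the original URL so the login page can send the guest back after
    # authentication; the login page must validate it (open-redirect risk).
    original = "http://" + host + path
    location = PORTAL_URL + "?" + urlencode({"url": original})
    return 302, {"Location": location, "Cache-Control": "no-store"}, b""


class PortalHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the decision function can be run against a real client."""

    def do_GET(self):
        status, headers, body = portal_response(
            self.client_address[0],
            self.headers.get("Host", ""),
            self.path,
            self.headers.get("User-Agent", ""),
        )
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), PortalHandler).serve_forever()
```

Two caveats worth keeping in mind: answering "Success" tells the device it is online while the controller still blocks it, so the guest has to open Safari by hand, and the `Cache-Control: no-store` header matters because a cached probe answer would survive a role change. The `url` parameter handed to the login page is attacker-controlled and must be validated before the portal redirects back to it.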
This application note focuses on the configuration and operation of guest access solutions on ArubaOS. It covers the native guest access solution, including configuration of the guest access and guest provisioning profiles, guest administration, and captive portal configuration.
This guide covers the deployment of Aruba remote access points (RAP) in fixed telecommuter and micro branch office sites, and it is considered part of the base design guides within the VRD core technologies series. This guide covers the design recommendations for remote network deployment and explains the various configurations needed to implement a secure, high-performance virtual branch network (VBN) solution with Aruba RAPs.
This Solution Guide describes best practices for implementing an Aruba 802.11 wireless network that supports thousands of highly mobile devices (HMDs) such as Wi-Fi phones, handheld scanning terminals, voice badges, and computers mounted to vehicles. It describes the design principles particular to keeping devices that are in constant motion connected to the network as well as best practices for configuring Aruba Networks controllers and the mobile devices. The comprehensive guide addresses six areas of network planning to ensure a high quality of service for roaming data and voice sessions: device configuration, airtime optimization, roaming optimization, IP mobility configuration, IP multicast configuration, and interference resistance. A detailed troubleshooting section covers common issues that arise with these types of WLANs.
The Indoor 802.11n Site Survey and Planning guide covers the design and installation of an Aruba WLAN. It includes information on choosing the right AP, performing a virtual survey, and performing a physical survey. The guide also covers using the Aruba Instant AP for physical site surveys.
Printing and projecting with smartphones and tablets on large scale Wi-Fi networks are not as easy as it sounds. Relying on technologies such as DLNA and Apple Bonjour, these tasks require policy control across many different locations, for different sets of users. For instance, what do you do when your guest user tries to access an Apple TV installed in your meeting room? Join us to answer more of these questions in this session.
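The policy control the session describes, as an added example that is not Aruba AirGroup or ArubaOS code: parse the answer section of an mDNS (Bonjour) response, pull out the PTR records that advertise service instances, and forward to a user only the services the user's role may discover, so a guest sees the lobby printer but not the meeting-room Apple TV. The roles, the policy table and the sample response are constructed for illustration.

```python
"""Role-based filtering of Bonjour (mDNS) service announcements.

Added example, not Aruba AirGroup or ArubaOS code. The roles, the policy
table and the sample response are constructed for illustration.
"""
import struct

TYPE_PTR = 12

# Assumed policy: service type -> roles that may discover it. Anything not
# listed is hidden from everyone (deny by default).
SERVICE_POLICY = {
    "_airplay._tcp.local": {"employee"},          # meeting-room Apple TV: staff only
    "_ipp._tcp.local": {"employee", "guest"},     # printers: guests may print
}


def read_name(packet: bytes, offset: int):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.

    Returns (name, offset just past the name as it appears at the call site).
    Pointers must point backwards, which also stops pointer loops.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(packet):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | packet[offset + 1]
            if target >= offset or hops > 16:
                raise ValueError("bad compression pointer")
            if not jumped:
                end = offset + 2
            jumped, hops, offset = True, hops + 1, target
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_ptr_records(packet: bytes):
    """Return [(service type, instance name)] from the answers of an mDNS response."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    offset = 12
    for _ in range(qdcount):                            # skip questions
        _, offset = read_name(packet, offset)
        offset += 4                                      # qtype + qclass
    found = []
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        if offset + 10 > len(packet):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            instance, _ = read_name(packet, offset)      # rdata may use a pointer
            found.append((name.lower(), instance))
        offset += rdlen
    return found


def visible_services(records, role: str):
    """Keep only the announcements a user in `role` may see."""
    return [(svc, inst) for svc, inst in records if role in SERVICE_POLICY.get(svc, set())]


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def sample_response() -> bytes:
    """Constructed mDNS response: two PTR answers, the first using a compression pointer."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)     # response, 2 answers
    airplay = _encode_name("_airplay._tcp.local")              # sits at offset 12
    inst1 = b"Meeting Room Apple TV"
    rdata1 = bytes([len(inst1)]) + inst1 + struct.pack("!H", 0xC000 | 12)
    rr1 = airplay + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(rdata1)) + rdata1
    rdata2 = _encode_name("Lobby Printer._ipp._tcp.local")
    rr2 = _encode_name("_ipp._tcp.local") + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(rdata2)) + rdata2
    return header + rr1 + rr2


if __name__ == "__main__":
    recs = parse_ptr_records(sample_response())
    for role in ("guest", "employee"):
        print(role, visible_services(recs, role))
```

The parser rejects forward and looping compression pointers, which is the usual way a hand-crafted mDNS packet tries to hang or crash a gateway that relays announcements between VLANs. A deny-by-default policy table means a new service type appearing on the network is invisible until someone decides who may see it.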
This guide covers indoor 802.11n WLANs and is considered part of the foundation guides within the VRD core technologies series. This guide describes 802.11n, differences in 802.11n vs. 802.11a/b/g functionality, and Aruba-specific technologies and access points (APs) that make 802.11n-based WLANs a viable replacement for wired Ethernet in the majority of deployments.
This guide focuses on configuration of DHCP fingerprinting, which is used in conjunction with user roles on the Aruba Mobility Controller. When a user authenticates, their device type is taken into account. Based on that device type, a new role can be assigned to the device, such as restricting access to certain protocols or completely blocking access.
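The mechanism behind that role assignment, as an added example that is not code from the guide or from ArubaOS: parse the options field of a DHCP DISCOVER/REQUEST, match the parameter request list (option 55) against a fingerprint table, and map the pair (authenticated role, device class) to the role the controller would apply. The fingerprint table, the role names and the policy are assumptions for illustration, not Aruba's database.

```python
"""DHCP fingerprinting to a user role.

Added example, not code from the Aruba guide or from ArubaOS. The fingerprint
table, role names and policy below are assumptions for illustration.
"""
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie, bytes 236..239
OPT_PAD, OPT_PRL, OPT_VENDOR_CLASS, OPT_END = 0, 55, 60, 255

# Constructed fingerprint table: option 55 parameter request list -> device class.
# Illustrative signatures only; a real database carries many more per OS version.
FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "ios",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows",
}

# Assumed policy: (authenticated role, device class) -> effective role.
# A None device class is the fallback for that role; no match at all quarantines.
ROLE_POLICY = {
    ("employee", "windows"): "employee-full",
    ("employee", "ios"): "employee-byod",   # e.g. web and mail only, no SMB
    ("guest", None): "guest",
}
DEFAULT_ROLE = "quarantine"


def is_dhcp(packet: bytes) -> bool:
    """Cheap sanity check: fixed BOOTP header followed by the magic cookie."""
    return len(packet) >= 240 and packet[236:240] == DHCP_MAGIC


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option code: value} from the options field.

    The first occurrence of an option wins; a client sending option 55 twice
    with different lists is trying to confuse the fingerprinter and is worth
    logging. Truncated options raise rather than being silently accepted.
    """
    if not is_dhcp(packet):
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.setdefault(code, value)
        i += 2 + length
    return opts


def fingerprint(opts: dict) -> Optional[str]:
    """Map the parameter request list to a device class, or None if unknown."""
    return FINGERPRINTS.get(tuple(opts.get(OPT_PRL, b"")))


def assign_role(auth_role: str, opts: dict) -> str:
    """Pick the effective role for an authenticated user from its DHCP fingerprint."""
    device = fingerprint(opts)
    return (ROLE_POLICY.get((auth_role, device))
            or ROLE_POLICY.get((auth_role, None))
            or DEFAULT_ROLE)


def build_discover(prl: bytes, vendor_class: bytes = b"") -> bytes:
    """Construct a minimal DHCPDISCOVER carrying the given option 55 list (test input)."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6          # BOOTREQUEST, Ethernet, hlen 6
    header[4:8] = (0x1234ABCD).to_bytes(4, "big")       # xid
    header[28:34] = bytes.fromhex("001122334455")       # chaddr (constructed MAC)
    opts = bytes([53, 1, 1])                            # DHCP message type: DISCOVER
    opts += bytes([OPT_PRL, len(prl)]) + prl
    if vendor_class:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    return bytes(header) + DHCP_MAGIC + opts + bytes([OPT_END])


if __name__ == "__main__":
    opts = parse_dhcp_options(build_discover(bytes([1, 3, 6, 15, 119, 252])))
    print(fingerprint(opts), assign_role("employee", opts), assign_role("guest", opts))
```

The fingerprint is whatever the client chooses to send, so it is a classification aid, not an authentication factor: a laptop can copy a phone's option 55 list in one line of configuration. That is why the policy above only ever narrows a role the user already earned through authentication and falls back to quarantine for an employee device it cannot classify.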
This guide explains how to implement an Aruba 802.11n wireless network that must provide high-speed access to an auditorium-style room with 500 or more seats. Aruba Networks refers to such networks as high-density wireless LANs (HD WLANs). Lecture halls, hotel ballrooms, and convention centers are common examples of spaces with this requirement. Because the number of concurrent users an AP can serve is limited, serving so many devices requires access point (AP) densities well in excess of the usual one AP per 2,500–5,000 ft² (225–450 m²). Such coverage areas therefore present many special technical design challenges. This validated reference design provides the design principles, capacity planning methods, and physical installation knowledge needed to deploy HD WLANs successfully.
This guide covers the deployment of Aruba WLAN in a typical campus network, and it is considered part of the base design guides within the VRD core technologies series. This guide covers the design recommendations for a campus deployment and explains the various configurations needed to implement the Aruba secure, high-performance, multimedia-grade WLAN solution in large campuses.
This guide provides a description of the various bandwidth reservation and quality of service (QoS) options for supporting voice traffic in an Aruba remote access point (RAP) telecommuter deployment scenario. The RAP solution is a key component of the Aruba virtual branch network (VBN) architecture. The Aruba RAP deployment model meets the needs of fixed telecommuter and small branch office deployments while maintaining simplicity and ease of deployment. Aruba RAPs extend the corporate LAN to any remote location by enabling seamless wired or wireless data and voice wherever a user finds an Internet-enabled Ethernet port or 3G cellular connection. RAPs are ideally suited for small remote offices, home offices, telecommuters, mobile executives, and for business continuity applications.
The Aruba Mobility Access Switch family of products provides various features including voice VLAN, Link Layer Discovery Protocol – Media Endpoint Discovery (LLDP-MED), and Quality of Service (QoS) to enable successful deployment of VoIP in enterprise networks. This application note addresses traditional techniques and introduces new device-aware support to deploy VoIP phones. This document is intended for all system engineers and network administrators who are deploying a VoIP solution in an enterprise network.
This guide provides an overview of Aruba beacon technology, and describes the different types of Aruba beacons, beacon use cases and deployments, as well as predeployment configuration and testing workflows.
For WLANs to be able to reliably support mission-critical, high-throughput, or time-sensitive applications, RF interference must be continuously monitored. The WLAN must automatically and dynamically adapt to mitigate the effects of any interference in the environment. WLAN infrastructure has to provide the administrators with real-time, historical, and proactive visibility into the air to diagnose and mitigate interference. In this application note we will look at some of the tools that Aruba offers as a part of its WLAN solution that enable administrators to ensure reliable, high performing RF.
The purpose of this guide is to explain the enhancements in the 802.11ac standard and provide guidance on migrating to 802.11ac with respect to network design, deployment, and configuration best practices for campus environments such as offices, university campuses, and dormitories.
This guide covers the following topics in detail:
- Summary of Recommendations
- 802.11ac Features and Benefits
- 802.11ac Planning and Deployment Guidelines
- Best Practice Recommendations for Deploying 802.11ac WLANs
This guide is intended for those who want to learn about the 802.11ac standard and understand the best practices for deploying a high-performing 802.11ac
Social networks and building human capital (solecorbiere)
Building your own social capital is fundamental to having greater opportunities. The ability to create effective contact networks is vital, and online communities can serve us as networking tools in this 2.0 world.
Presentation aimed at students in the 3rd and 4th years of ESO (compulsory secondary education), consumers and users of mobile phones with data plans, as part of my volunteer work with the Youth Department (Concejalía de Juventud) of the Elche City Council. February 2015.
A good presentation on how our choices work from a cognitive point of view, and on how neuromarketing techniques can be applied to advertising and online design.
The Aruba Network Rightsizing Best Practices Guide provides an overview of network rightsizing. Network rightsizing is a network capacity planning and cost optimization strategy based on the principle that wired and wireless LANs should be sized and structured to meet current and future demand. After explaining the principles of network rightsizing and how it can benefit your organization, the methodology for analyzing and planning a rightsized network will be discussed. Finally, you will learn how to implement a rightsized yet scalable Aruba 802.11n network.
This hands on workshop for OpenContrail will be led by Sreelakshmi Sarva & Aniket Daptari.
This is a labs session so we will have hard RSVP limits. Please RSVP only if you are confident that you will be able to attend.
About Sreelakshmi Sarva
Sree currently works on the solution engineering team of Juniper's Contrail group. She is responsible for delivering and managing SDN solutions and partnerships relating to Contrail. She has been with Juniper for the last 13 years, working on various routing, switching, network programmability and virtualization platforms. Prior to Juniper, she worked at Nortel Networks in the Systems Engineering group. Sree received her Master's in Computer Science from the University of Texas at Dallas and her Bachelor's in Computer Science in India.
About Aniket Daptari
Aniket currently works on Juniper Networks' Contrail Cloud Solutions team. He is responsible for delivering SDN solutions and technology partnerships related to Contrail. He has been with Juniper for the last 3 years, working on various network programmability and virtualization platforms. Prior to Juniper, he worked at Cisco Systems in the Internet Systems Business Unit (Catalyst 6500). Aniket received his Master's in Computer Science from the University of Southern California and a graduate certificate in Management Science and Engineering from Stanford University.
Course Abstract
This session will be the first of a series of OpenContrail hands-on tutorials for developers who want to get deep into OpenContrail code.
This “Basic OpenContrail Programming” Hands-on Session will focus on making developers proficient in writing and contributing code for our OpenContrail Project.
The session will cover the following areas:
1) Contrail Overview
· Use cases
· Architecture recap
2) Contrail Hands-on
· Demo + hands-on: configuration, VNs, VMs, network policies, etc.
· DevStack introduction
This Solution Guide is designed to help customers understand the Aruba system architecture and the individual components that are needed to deliver reliable, high-capacity outdoor networks using 802.11n with multiple-in and multiple-out (MIMO) radios. Aruba has extensive experience designing complex outdoor WLAN solutions for applications like stadiums, outdoor transportation terminals, oil and gas facilities, municipalities, and large campus environments. This guide describes the lifecycle of an outdoor MIMO wireless network deployment; typical basic processes and tools that are used in outdoor wireless networking; MIMO antenna selection and placement for maximum capacity; design recommendations for common deployment scenarios; and much more.
Faced with the dual threats of rising operating costs and declining revenues, network service providers are increasingly turning to network functions virtualization (NFV) to help them keep up with constantly changing market conditions.
In a virtualized Telco environment, service providers can deploy and deliver new network functions, services and capacity on demand—reducing normal rollout time from months and weeks to just hours.
Leveraging the principles of cloud computing, network service providers can deliver a level of responsiveness never before available, easily scaling capacity up or down to meet the evolving needs of their subscribers.
The result is a highly agile system that allows new revenue-generating services to be quickly developed, exhaustively tested and selectively rolled out to targeted groups in a fraction of the time and at a much lower cost than previously thought possible.
In this session, the speaker will present what the Juniper Networks solution looks like and how service providers can deploy it to improve their agility in delivering services to their customers.
Point-to-point (PTP) wireless links have many use cases, including linking buildings on a university campus, creating connections between offshore oil rigs, and eliminating the need to pull fiber between buildings on opposite sides of a busy road. This guide will help you select the right hardware platform (including both the AOS-based AP-175 and Aruba's new AirMesh products), choose appropriate antennas and accessories, identify and overcome some of the most common outdoor installation challenges, and set up and configure the Aruba solution.
App to Cloud: Patrick Kerpan's DataCenter Dynamics Converged Keynote (Cohesive Networks)
About the talk:
Customers don’t care where their cloud networks and infrastructure are, they just want apps to work. This session explains how overlay networks can help to do more networking at the IaaS level and how developers can build on top of overlay networking to extend traditional networks to the cloud.
VMworld 2013: vCloud Hybrid Service Jump Start Part Two of Five: vCloud Hybri... (VMworld)
VMworld 2013
Ninad Desai, VMware
Greg Herzog, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Putting the M in MANO: Major new Ensemble release delivers NFV management and... (ADVA)
Our upgraded Ensemble NFV platform now features powerful management and orchestration (MANO) capabilities, enabling service providers to roll out secure virtualized services at scale. These include multi-layer security, simplified management of NFV infrastructure (NFVI) and service chain creation, visibility, monitoring and troubleshooting. Read how we’re putting the M in MANO and providing customers with a uniquely simple and cost-effective path to realizing the opportunities of NFV.
Taxonomy and Terminology: The Crossroad of Controlled Vocabulary (Content Rules, Inc.)
Many people are confused about taxonomy and terminology. And with good reason. Both taxonomy and terminology use words – often the same words. They are both ways of controlling your vocabulary. However, taxonomy and terminology are used for different purposes. In this presentation, we define taxonomy and terminology. We examine how they are different and where they intersect. We also cover some best practices for managing them both.
Taking Your Content to Global Proportions - Global Website Best Practices (Content Rules, Inc.)
This half-day workshop looks at the good, the bad, and the ugly of global websites. Along the way, we discuss best practices, see some stellar examples, and analyze some disasters.
Personas are person-driven stereotypes that we use to create personalized content. However, personas are specific to a culture. If your company sells to a global marketplace, creating personas for every target customer, in every culture, in every language does not scale. This presentation presents Hofstede's cultural dimensions as an alternative framework for creating culture-specific content for the global marketplace.
Got words? I bet you do. This presentation covers managing your terminology - your source terminology, to be specific. It discusses why terminology management is important, what happens if you don't care, the benefits in translation if you do, and how to go about managing your source terminology.
This is the presentation I gave at the first meeting of the San Francisco Content Strategy / Content Marketing Pros Meetup group. In it, I discuss the seven components of a global content strategy. I also cover issues that are likely to arise as you embark on internationalizing your content
Your Brain on XML: Structured Content and Operational Efficiency (Content Rules, Inc.)
If your brain was on XML, it would be organized. You'd be able to access any memory, conversation, and so on. You'd be able to find memories because they'd be semantically tagged.
But alas, only content can be on XML. In this presentation, we talk about how structured content affects operational efficiency and what you can do to your content to make using it more efficient.
WikiProject Medicine: Breaking Down Barriers to Save Lives (Content Rules, Inc.)
Imagine a world in which every single person is given free access to the sum of all medical knowledge. In their own language. That's what we're doing.
UCSF Medical School, WikiMedia Foundation, and Translators without Borders have teamed to make this vision a reality.
But, it takes more than interested people doing good things for the world. It also takes technology to provide the infrastructure and mechanisms to make this happen.
This presentation describes the efforts of hundreds of people and the technologies they are using to overcome various barriers that we face in order to save lives throughout the world.
Are you translating your content? Are you looking for ways to make your translations better, cheaper, and faster? Look no further. What you need is global-ready content.
It's a fact. If you fix your source content one time, prior to translation, your translations will be more accurate. They will also be less expensive. And your in-country reviewers will need to iterate with each translator far fewer times.
This presentation introduces Content Rules and describes our global readiness service and why you should care.
P03 swisher val_developing a global content strategy_swisher (Content Rules, Inc.)
If you want to deliver the right information to the right people, at the right time, in the right format and language, you must start with a content strategy. Attend this full-day workshop to learn how to get started. We will teach attendees the seven components of global content strategy, how to conduct a content inventory and content audit, and we will share a useful mix of global content strategy best practices. Attendees will break off into groups and participate in real-world, hands-on exercises including working on actual website content. They’ll participate in an online global website content inventory and audit (using a web-based tool) and share their recommendations with the group.
Everyone's talking about global content strategy these days. But few actually show you how to do it. In this presentation, you learn about the seven components of a global content strategy.
Using Language to Change the World - Translators Without BordersContent Rules, Inc.
Knowledge is power. It saves lives, lifts people out of poverty, ensures better health and nutrition, creates and maintains economies.
Access to information is critical. Language barriers cost lives. Aid groups working in crisis-situations face a mission-critical challenge in disseminating knowledge in the language of those that who need it.
Translators Without Borders is a humanitarian non-profit. Our mission is to promote the transfer of knowledge from one language to another by creating and managing a community of NGOs who need translations and professional, vetted translators who volunteer their time to help.
Thinking Strategically About Content Destined for Machine TranslationContent Rules, Inc.
Are you treating your content as a strategic asset? If not, you should. This presentation looks at the history of content creation and translation, how we create and translate content today, and how the quality of your source content effects the output of machine translation.
Learn about how to get the most from your content by focusing on the efficient of your terminology. Terminology affects structured authoring, translation, and more. Find out the dirty little secret about corporate style guides. Learn what you need to do to maintain your brand without losing your mind.
It Starts With The Source - Source English Terminology in a Multi-Channel, Gl...Content Rules, Inc.
This presentation covers the effect of source content terminology on three distinct areas of a global content strategy:
- Structured authoring
- Translation
- Global Mobile
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Virtual Branch Networks
Validated Reference Design
Aruba Networks, Inc.

Contents

Chapter 1: Introduction
    About the Aruba Virtual Branch Network
    Aruba Validated Reference Designs
    Design Validation and Testing
    Reference Documents
Chapter 2: Virtual Branch Theory of Operations
    Virtual Branch Network Overview
        The Fixed Telecommuter—A One-Person Branch
        Medium and Small Branch Offices
        The Aruba Virtual Branch Network Solution
    Understanding the Aruba Virtual Branch Network Architecture
        Components of the Architecture
        Operation of the Architecture
    Remote Networks Key Benefits
Chapter 3: The Network Technology Lifecycle
    The Network Technology Lifecycle
Chapter 4: Defining Requirements for Remote Networks
    Step 1 – Quantify Facility Requirements
    Step 2 – Quantify Device Connectivity Requirements
    Step 3 – Define RAP Equipment Requirements
Chapter 5: Design Considerations for Remote Networks
    Physical Design
        Aruba Physical Architecture for Remote Networks
        Remote Site Physical Architectures
        Data Center Physical Architecture
    Required Equipment
        Access Points
        Local Controllers
        Master Controllers
        AirWave Appliance
    Required Licenses
        Local Controllers
        Master Controllers
        AirWave Appliance
    Regulatory Compliance for International Deployments
        Access Point Compliance
        Controller Compliance
    3G Modem Selection
    Wide-Area Network Considerations
        Bandwidth Constraints
        Latency Constraints
        3G Wireless Constraints
        Recommendations for Minimizing Constraints
Chapter 6: Logical Design
    Aruba Logical Architecture for Remote Networks
        Fixed Telecommuter Logical Design
        Branch Office Logical Design
        Data Center Logical Design
    Forwarding Modes
        Split-Tunnel Mode
        Tunnel Mode
        Bridge Mode
        Operating Modes
        Combined Forwarding and Operating Modes
    AP/AM Data and Control Tunnels
        AP Tunnels
        AM Tunnels
        IP Ports Used by Aruba Devices
        Establish a Routable IP Subnet to the Master Controller
    RAP Bootstrapping and Load Balancing
    Controller High Availability
        Master Controller Redundancy
        Local Controller Redundancy (VRRP Layer 2 Method)
        Local Controller Redundancy (LMS-IP Layer 3 Method)
    VLAN Design
        Choosing the Default Router
Chapter 7: Authentication and Security Design
    Authentication Methods (Wired and Wireless)
        Authenticating with 802.1X
        Authenticating with Captive Portal
        MAC Address Authentication
    Authentication Methods (Wireless Only)
        SSIDs for Secure WLANs
        SSIDs
        Role Derivation
    Configuring Roles for Different Users
        Secure Role for Mobile Wireless Data Terminals
        Secure Role for Stationary Wired Devices
        Voice Handset Role
        Guest Access Role
    Putting It All Together: Building an Authentication Design
        What Is A Profile?
        Aggregating Profiles into a Complete Configuration
        Planning AAA and SSID Profiles
        Example 802.1X Profile Configuration
        Best Practices for Profiles
    Wireless Intrusion Detection System Operation and Design
        Detection of Rogue APs
        Classification of Rogue APs
Chapter 8: Deploying Aruba Remote Networks
    Aruba Deployment Process for Remote Networks
        Step 1 – Deploy Data Center
        Step 2 – Install Pilot Sites
        Step 3 – Provision Backhaul Circuits
        Step 4 – Train the Help Desk
        Step 5 – Stage Site Equipment
        Step 6 – Execute Full Deployment
    Recommended Provisioning Methods
        Zero Touch Provisioning
        Pre-Provisioning
    Site Procedure for Zero Touch Method
        Pre-Installation Checklist
        Site Installation
        Provisioning the RAPs
    Site Procedure for Pre-Provisioning Method
        Pre-Installation Checklist
        Provisioning the RAPs
        Site Selection
        Site Installation
    Site Validation Considerations
        Cabling and RAP Validation
        Client Device Validation
Chapter 9: Simplified Design for the Fixed Telecommuter
Chapter 10: Example Configuration for the Fixed Telecommuter Scenario
    Configuring the Aruba Fixed Telecommuter Solution
        Configure the Master Controller
        Configure Local Controllers
        Deploy RAP(s)
Chapter 11: Simplified Design for the Branch Office
Chapter 12: Example Configuration for the Branch Office Scenario
    Configuring the Aruba Branch Office Solution
        Configure the Master Controller
        Configure the Local Controller
        Provision and Deploy RAPs
Reporting and Management
    Remote Management
    Managing Both Legacy and New Network Elements
    Role-Based Management
    Planning and Location Services for Wireless Clients
    Scalability
    Trend Reporting
    Diverse WAN Environments
Troubleshooting Remote Access Points
    Troubleshooting Categories
    Troubleshooting Zero Touch Provisioning Problems
    Troubleshooting Basic Connectivity Problems
        Working from the RAP
        Working from the Controller
        Troubleshooting the IPsec Tunnel
        Checking the IP Address Pool and Usage
    Troubleshooting RAP Bootstrapping Problems
        Checking the VPN Role Policies
        Checking the RAP Role Transition
        Common Problem Symptoms
    Troubleshooting Wired Port Configuration Problems
        Checking for an Enabled Wired Port
        Checking the Port Profile
        Checking the Authentication Profile
    Troubleshooting Split-Tunnel Mode Problems
        Is the RAP Configured in Split-Tunnel Mode?
        Is the Split-Tunnel SSID Active on the AP?
        Does the Split-Tunnel SSID Have a GRE Tunnel with 802.1X?
        Has the Client Succeeded with 802.1X Authentication?
        Has the Client Received a DHCP IP Address from the Local LAN?
        Does Split-Tunneling Work at the Client End?
    Troubleshooting Bridge Mode Problems
        Checking the Configured Mode
        Bridge Mode with Dynamic Encryption
        Troubleshooting Tips
        Bridge Mode with Static Encryption (Pre-Shared Key)
Appendix A: Forwarding Mode Feature Matrix
Appendix B: Provisioning Parameters for Verified USB Modems
Appendix C: Requirements Worksheets
Appendix D: Sample Configuration Files for Fixed Telecommuter Example
    Design Summary
    Annotation Conventions
    Active-Master Configuration
    Active-Local Configuration
Appendix E: Aruba Contact Information
    Contacting Aruba Networks
Chapter 1: Introduction
Aruba Networks delivers secure enterprise networks wherever users work or roam. Our mobility solutions bring the network to you reliably, securely, and cost-effectively, whether you work in a sales area, at home, in a branch office, or in an enterprise office. Aruba Remote Networks products facilitate data center consolidation and virtualization initiatives, providing lower operating costs. Remote Network technology brings the network to fixed or temporary remote work locations with plug-and-play simplicity; all the heavy lifting stays at the data center. Our AirWave multi-vendor management tool allows seamless management of old and new networks from a single console.
About the Aruba Virtual Branch Network
With the wide variety of remote locations, and of devices other than PCs, used by today's users, IT departments find it increasingly difficult and expensive to deliver full-featured and secure network access and services to all the locations where users work. Aruba addresses the complexity, security, compliance, and management challenges of these deployments, enabling IT to cost-effectively support today's highly distributed workforce.
The Aruba Virtual Branch Network solution virtualizes the complex security, configuration, software management, and troubleshooting operations within the data center and then transparently extends those services to each branch office and teleworker. This provides the control and seamless user experience associated with dedicated network infrastructure hardware, but with the security and price point of client VPN. Remote deployments become simple for IT to set up, secure, and manage.
Aruba Validated Reference Designs
An Aruba Validated Reference Design is a package of product selections, network decisions, configuration procedures, and deployment best practices that comprise a reference model for typical customer deployment scenarios. Each Aruba VRD has been constructed in a lab environment and thoroughly tested by Aruba engineers. By using these proven designs, customers can deploy Aruba solutions rapidly, with the assurance that they will perform and scale as expected.
Aruba publishes two types of validated reference designs, Base Designs and Incremental Designs. Figure 1 illustrates the relationship between these two types of documents in the Aruba Validated Reference Design library.
Figure 1: Aruba Validated Reference Design Library. Base Designs: Campus Wireless Networks, Retail Wireless Networks, Virtual Branch Networks. Incremental Designs: Optimizing Aruba WLANs for Roaming Devices, Wired Multiplexer (MUX), High Density Wireless Networks.
A Base Design is a complete, end-to-end reference design for common customer scenarios. Aruba publishes the following Base Design validated reference architectures:

Campus Wireless Networks VRD: This design guide describes the best practices for implementing a large campus wireless LAN (WLAN) serving thousands of users spread across many different buildings joined by SONET, MPLS, or any other high-speed, high-availability backbone.

Retail Wireless Networks VRD: This design guide describes the best practices for implementing retail networks for merchants who want to deploy centrally managed and secure WLANs with wireless intrusion detection capability across distribution centers, warehouses, and hundreds or thousands of stores.

Virtual Branch Networks VRD (this guide): This design guide describes the best practices for implementing small remote networks serving fewer than 100 wired and wireless devices that are centrally managed and secured in a manner that replicates the simplicity and ease of use of a software VPN solution.

An Incremental Design provides an optimization or enhancement that can be applied to any Base Design. Aruba publishes the following Incremental Design validated reference architectures:

Optimizing Aruba WLANs for Roaming Devices VRD: This design guide describes best practices for implementing an Aruba 802.11 wireless network that supports thousands of highly mobile devices (HMDs) such as Wi-Fi phones, handheld scanning terminals, voice badges, and computers mounted to vehicles.

Wired Multiplexer (MUX) VRD: This design guide describes the best practices for implementing a wired network access control system that enables specific wired Ethernet ports on a customer network to benefit from Aruba role-based security features.

High Density Wireless Networks VRD: This design guide describes the best practices for implementing coverage zones with high numbers of wireless clients and access points (APs) in a relatively small geographic area such as classrooms, lecture halls and auditoriums, and in ultra-dense spaces such as financial trading floors.
Design Validation and Testing
The VRD presented in this document provides best-practices architectures for two broad categories of remote network deployments:

Small or medium branch office

"Fixed telecommuter" deployment for customers with hundreds or thousands of remote workers

Test cases for this Virtual Branch Networks VRD were executed against the physical architecture recommended in this guide, using a mix of client devices and interconnect methods. ArubaOS release 3.3.2.11-rn3.0 was used to conduct these tests.
Reference Documents
The following reference documents provide an in-depth review of the key products described in this guide.
Document Title                 | Version
ArubaOS User Guide             | 3.3.2
ArubaOS CLI Guide              | 3.3.2
ArubaOS Release Note           | 3.3.2.x-rn3.0
ArubaOS Quick Start Guide      | 3.3.2
AMP QuickStart Guide           | 6.2
AMP User Guide                 | 6.2
AMP Release Notes              | 6.2
RAP-5 Installation Guide       | n/a
RAP-5WN Installation Guide     | n/a
RAP-2WG Installation Guide     | n/a
Chapter 2: Virtual Branch Theory of Operations
Virtual Branch Network Overview
Enterprises today support the technology needs of two broad categories of remote network users. Remote users are those who work at a location other than an organization's primary headquarters or a large regional office. One remote network category is the small branch office or retail store, typically with up to 100 employees. The other category is the "fixed telecommuter," an individual who works from his or her home 8 hours or more a day during the workweek. A fixed telecommuter may be thought of as a "branch of one."
Traditionally, IT organizations have used very different remote network architectures to serve each of these categories. The small branch typically utilized a branch office router to interconnect an IP subnet at the remote site to the enterprise network core. Telecommuters, who had only a single PC or laptop and limited needs, have been served with a software Virtual Private Network (VPN) client.
These solutions are no longer satisfactory. The complexity of remotely configured and managed branch office router solutions is too high. To reduce operating costs, IT needs the simplicity and centralized management offered by the VPN solution. Meanwhile, the telecommuter increasingly needs a full IT network footprint including an IP phone and wireless service with appropriate security policies. The VPN client does not meet this requirement. The requirements of each of these remote user populations are converging. A completely new remote networking architecture from Aruba Networks offers a single solution that blends the simplicity of a centralized network-based VPN with the flexibility of sophisticated role-based access control for all users at a remote site.
The Fixed Telecommuter—A One-Person Branch
Most telecommuters access the data center through a software VPN client connection via Internet Protocol Security (IPsec)/Secure Sockets Layer (SSL) protocols from remote locations. These locations can include customer offices, employee homes, and wireless LAN hotspots, or anywhere that 3G wireless service is available. In these cases the VPN connection effectively "virtualizes" data center services to wherever the user is located. From the user's perspective, the data and applications appear exactly as they would on their enterprise network. Because they are centrally managed, VPN solutions are well known for their low operating costs.
This access methodology met the requirements of enterprise users when most applications were accessed from a single PC-based device, a desktop or a laptop. The recent explosion of device types and operating systems, such as VoIP phones, video conferencing terminals, and smartphones running enterprise applications, leaves a per-device software VPN client unable to serve the telecommuter, who now needs a full network footprint rather than a single secured PC. In addition to the growth in the number of devices per user, there is also a growing need for distributed, temporary, and mobile business offices. In all of these remote settings, it is more important than ever to equip distributed workers with the same productivity tools as their LAN- or WLAN-connected counterparts.
Medium and Small Branch Offices
Historically, most branch offices have received less-sophisticated and lower-performance network technology and IT services than enterprise core network workers. Paradoxically, the configuration and management costs are much higher as a whole for remote sites. Three reasons for this cost elevation are:
1. The networks servicing these remote environments are tethered to a WAN, which, until recently, has been inherently slower and more latency-prone than local area networks.
2. This slow WAN performance drove a network architecture employing discrete IP subnetworks at each branch office. This architecture in turn created a requirement for a scaled-down site router, firewall, and other network elements, which router manufacturers are only too happy to reinforce.
3. Remote work environments have evolved incrementally during periodic field technology refreshes. As a result, they contain inconsistent equipment and service sets across many locations.
These factors add a layer of complexity for new services deployment, particularly in organizations without IT staff to service remote workers. Evolving business conditions make it necessary to elevate remote workers' network experience to be equivalent to that of employees connected directly to the enterprise core LAN.
Existing network infrastructure vendors have often taken the approach of attempting to retrofit the existing network infrastructure equipment and downscale it for these small branch offices and home offices. This practice leads to an architecture in which a new network is created for every new location and connected back to the enterprise core network. These new networks then replicate, for every remote location, all the network services that have already been created in the core network. This replication tends to include routing, switching, firewalls, and other security services. These remote networks are then interconnected using various WAN technologies, including frame relay, MPLS, and dedicated circuits. Network administrators are faced with the increased costs and complexities of deploying, operating, and maintaining these networks and their complicated interconnections.
The Aruba Virtual Branch Network Solution
The Aruba virtual branch network (VBN) architecture paradigm focuses on maintaining the simplicity and ease of a software VPN solution while delivering full IP network services to multi-device/user offices. This paradigm leverages two technologies for which Aruba is well known:

Secure Data Tunnels: In this architecture, a remote access point (RAP) provides functionality similar to a VPN client, but shares that access among multiple devices through its wired and wireless LAN interfaces. The controller acts analogously to a VPN concentrator. Each RAP communicates with the controller over one or more secure, encrypted IPsec VPN tunnels, which give the devices and users connecting through the RAP access to the enterprise core network and to the applications and services that exist there.

Role-Based Access Control (RBAC): The Aruba controller has an integrated, ICSA-certified stateful firewall capable of up to 20 Gbps (cleartext) or 8 Gbps (encrypted) performance. Each RAP also includes the same firewall functionality. With the firewall, each user is assigned a "role" with associated policies. Policies follow the wired or wireless user and are centrally managed for simplicity. Deep packet inspection ensures that roles are strictly enforced on a per-packet, per-flow basis. Devices violating a policy are automatically blacklisted.
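To make the RBAC behaviour above concrete, here is an added example in Python that models it: a client is mapped to a role after authentication, each new flow is matched top-down against the role's rule list (first match wins, implicit deny at the end), permitted flows are remembered as sessions so the firewall is stateful, and a deny rule flagged for blacklisting drops the offending device and tears down its existing sessions. This is illustration code written for this page, not Aruba software and not the VRD's controller configuration; the role names, address prefixes, MAC addresses and flows are constructed.

```python
"""Role-based, per-flow policy enforcement with automatic blacklisting.

Added example: a Python model of the behaviour this section describes,
not Aruba code and not the VRD's configuration. Role names, prefixes,
MAC addresses and flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One line of a role's session ACL; rules are evaluated top-down, first match wins."""
    dst: str                  # destination prefix, e.g. "10.0.0.0/8"
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # destination port; None matches any port
    action: str               # "permit" or "deny"
    blacklist: bool = False   # on a deny hit, also blacklist the offending client

    def matches(self, flow: "Flow") -> bool:
        return (ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


@dataclass(frozen=True)
class Flow:
    """First packet of a client-originated flow."""
    src: str
    dst: str
    proto: str
    dport: int


class PolicyFirewall:
    """Stateful, role-based enforcement: each client gets the policy of its derived role."""

    def __init__(self, roles: dict, default_role: str):
        self.roles = roles               # role name -> list of Rule
        self.default_role = default_role
        self.user_role: dict = {}        # client MAC -> role derived after authentication
        self.blacklist: set = set()      # MACs that hit a blacklisting deny rule
        self.sessions: set = set()       # (mac, dst, proto, dport) of permitted flows

    def assign_role(self, mac: str, role: str) -> None:
        """Role derivation: called once the client has authenticated (802.1X, MAC, portal)."""
        self.user_role[mac] = role

    def role_of(self, mac: str) -> str:
        return self.user_role.get(mac, self.default_role)

    def check(self, mac: str, flow: Flow) -> str:
        """Evaluate one flow for client `mac`; returns 'permit' or 'deny'."""
        if mac in self.blacklist:
            return "deny"                # a blacklisted device gets no further evaluation
        key = (mac, flow.dst, flow.proto, flow.dport)
        if key in self.sessions:
            return "permit"              # established session: stateful fast path
        for rule in self.roles[self.role_of(mac)]:
            if rule.matches(flow):
                if rule.action == "permit":
                    self.sessions.add(key)
                elif rule.blacklist:
                    self.blacklist.add(mac)
                    # a violation tears down every session the offender already had
                    self.sessions = {s for s in self.sessions if s[0] != mac}
                return rule.action
        return "deny"                    # implicit deny at the end of every role


# Constructed example policy (hypothetical prefixes and roles, not from the VRD).
ENTERPRISE = "10.0.0.0/8"
VOICE_SERVERS = "10.10.0.0/16"
ROLES = {
    "employee": [Rule(ENTERPRISE, "any", None, "permit"),
                 Rule("0.0.0.0/0", "tcp", 443, "permit"),
                 Rule("0.0.0.0/0", "any", None, "deny")],
    "voice":    [Rule(VOICE_SERVERS, "udp", 5060, "permit"),
                 Rule(VOICE_SERVERS, "udp", None, "permit"),
                 Rule("0.0.0.0/0", "any", None, "deny", blacklist=True)],
    "guest":    [Rule(ENTERPRISE, "any", None, "deny", blacklist=True),
                 Rule("0.0.0.0/0", "tcp", 80, "permit"),
                 Rule("0.0.0.0/0", "tcp", 443, "permit")],
}


def demo():
    """Run constructed flows through the policy; returns (decisions, blacklisted MACs)."""
    fw = PolicyFirewall(ROLES, default_role="guest")
    laptop, phone, visitor = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "02:de:ad:be:ef:01"
    fw.assign_role(laptop, "employee")   # 802.1X-authenticated laptop
    fw.assign_role(phone, "voice")       # handset authenticated by MAC address
    decisions = [
        fw.check(laptop, Flow("192.168.1.10", "10.1.2.3", "tcp", 445)),        # permit
        fw.check(visitor, Flow("192.168.1.20", "93.184.216.34", "tcp", 443)),  # permit
        fw.check(visitor, Flow("192.168.1.20", "10.1.2.3", "tcp", 22)),        # deny, blacklisted
        fw.check(visitor, Flow("192.168.1.20", "93.184.216.34", "tcp", 443)),  # deny, still blacklisted
        fw.check(phone, Flow("192.168.1.30", "10.10.5.5", "udp", 5060)),       # permit
        fw.check(phone, Flow("192.168.1.30", "10.1.2.3", "tcp", 80)),          # deny, blacklisted
    ]
    return decisions, sorted(fw.blacklist)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the section stresses: policy is a property of the role, not of the port or SSID the device arrived on, so the same visitor MAC is permitted to the Internet and then cut off entirely the moment it probes the enterprise prefix, and an established session is not re-evaluated on every packet.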
The Aruba secure data tunnel and RBAC technologies work together to deliver the VBN experience, as shown in the logical diagram in Figure 2:
Figure 2: Virtual Branch Network and Role-Based Access Control (diagram labels: Branch Office / Telecommuter Home; Remote Access Point; VLAN A, Enterprise; VLAN B, Voice; VLAN C, Guest/Family, Bridge VLAN; Split Tunnel; Internet or WAN; Firewall/NAT-T; Enterprise Controller; Enterprise LAN; Enterprise Network; Internet Services).
This architecture shatters the cost and complexity barriers that exist today in establishing new remote offices for multiple devices and users, providing businesses with the following advantages:

Greater flexibility and agility in business operations

Lower total cost of ownership to establish new branch offices

Justification for a "branch of one," making "work from home" initiatives viable

Ability to embrace "going green" by supporting initiatives that allow employees to work from home
Understanding the Aruba Virtual Branch Network Architecture
Components of the Architecture
The Aruba Virtual Branch Network architecture consists of the following logical components:
Remote Access Point (RAP): Aruba RAPs serve as on-ramps that aggregate user traffic onto the
enterprise LAN and direct this traffic to Aruba controllers. When provisioned as a RAP, an AP
extends the enterprise LAN to any remote location by enabling seamless wired or wireless data
and voice wherever a user finds an Internet-enabled Ethernet port or 3G cellular connection.
RAPs are ideally suited for small to medium remote offices, home offices, telecommuters,
mobile executives, and business continuity applications. The major modules of the RAP are
shown in Figure 3.
Figure 3
RAP Modules (diagram: Internet and USB modem uplinks; Enterprise Wi-Fi & WIPS and Enterprise Ethernet interfaces; Secured Wired "NAC"; Dynamic Role Assignment; PEF (Per-User Stateful Policy Forwarding); VPN Client to the controller; LAN ports)
VPN client: Included with the RAP software license, this feature provides VPN client capability
to securely communicate with the VPN server located in the local controller on the enterprise
DMZ.
PEF (Policy Enforcement Firewall): Provides a stateful policy enforcement firewall for
restricting access to enterprise core network resources. A role-based access rights policy is
configured on the controller and then applied upon completion of RAP authentication and
establishment of an IPsec connection. This policy contains control traffic protocol, traffic type
within GRE tunnels, the types of traffic permitted from the RAP to the controller (L2TP, TFTP,
FTP, for example), and NTP and syslog protocol and ports.
Wireless LAN interface(s): Provide Wi-Fi enterprise features supporting single and dual radio
802.11 b/g, 802.11 b/g/n, 802.11 a/b/g, and 802.11 a/b/g/n, depending on model selection.
Wired LAN interface(s): Provide Network Access Control (NAC) capable 10/100 Mbps or 100/
1000 Mbps RJ-45 Ethernet ports, depending on model selection.
WAN Interface(s): Provide wide-area connectivity including EVDO/HSDPA 3G USB modems
or Ethernet, depending on model selection.
Controller: Aruba Networks high-performance controllers are built specifically to scale ArubaOS
software module capabilities for enterprise networks of all sizes. All Aruba controllers share a
common hardware architecture that includes a dedicated control processor, a high-performance
programmable network processor unit, and a unique programmable encryption engine.
Controllers aggregate network traffic from APs, process it using Aruba software, and deliver it to
the network.
The controller resides in the data center or the DMZ, depending on the network design. RAPs
connect to the controller using secure tunnels. The data is transmitted from the remote locations
to the enterprise LAN through these secure tunnels. After the controller receives the data, it
processes it and routes the data into the core network. In other words, the controller is the
“gateway to the enterprise LAN” for the remote users and devices connecting to the RAP. The
major modules within the controller are shown in Figure 4.
Figure 4
Controller Modules (diagram: Mobility Controller with a VPN Server facing the RAPs; Authentication and Encryption modules backed by RADIUS / Active Directory / LDAP; Policy Definition and System Management; Central Wireless & WIPS; PEF (Policy Enforcement Firewall); Central Wireless & Wired NAC; Redundancy (VRRP for Controller High Availability); QoS; Rich Networking to integrate with the enterprise network)
VPN server: Included with the RAP software license, this feature provides VPN server
functionality to communicate with RAP VPN clients. The Aruba controller must have VPN
server functionality configured to terminate the secure RAPs. The configuration consists of
authentication protocols, an address pool for RAPs, DNS information, shared secret for
RAPs, and a policy governing the shared secret including priority, encryption, hash algorithm,
authentication, group and life time.
PEF (Policy Enforcement Firewall): Aruba is currently the only vendor to integrate an
ICSA-certified stateful firewall into its wireless LAN, ensuring that parameters such as security,
suitability for a task, default configuration, and logging/audit trails have been validated.
Authentication/Encryption modules: Work with the PEF module to authenticate users and
enforce roles. Provide an internal authentication (AAA) server that is enabled by default on
each controller; external authentication can be configured for enterprise authentication
servers (RADIUS, Active Directory—AD or Lightweight Directory Access Protocol—LDAP).
The encryption module supports WEP, dynamic WEP, TKIP, WPA, WPA-2, DES, 3DES,
AES-CCMP, AES-CBC, EAP, PEAP, TLS, TTLS, LEAP, EAP-FAST, and xSec-L2 AES.
ArubaOS uniquely supports AAA FastConnect™, which allows the encrypted portions of
802.1X authentication exchanges to be terminated on the controller where the Aruba
hardware encryption engine dramatically increases scalability and performance. Supported
for PEAP-MSCHAPv2, PEAP-GTC, and EAP-TLS, AAA FastConnect™ removes the
requirement for external authentication servers to be 802.1X-capable and minimizes
authentication latency, which is advantageous when leveraging centralized AAA
infrastructure for remote network deployments.
Centralized Wired NAC services: Provides centralized secure-jack capability for tunneling of
wired Ethernet traffic.
Redundancy: To scale to large networks where multiple controllers are required, Aruba
supports the concept of a master controller-local controller cluster hierarchy among
controllers. This hierarchy allows the administrators to use the master controller as the central
point of all policy configurations while the local controllers are used to scale the “data plane”
by terminating active connections from RAPs and users.
AirWave Management Platform (AMP): The AMP is a management server that provides highly
scalable and centralized total solution management. This multi-vendor management tool can
monitor some versions of branch office routers, wired switches, and other devices. An AMP
implementation provides IT administrators full visibility into the remote networks—including
users, activity, and helpdesk operations.
Role-Based Security
Aruba customers use a role-based security model that facilitates extending a trusted IP footprint into a
home or branch office.
The Aruba controller authenticates a user or device, rather than the port or VLAN. For wired users,
multiple profiles and roles can be configured for a single port so that user/device security granularity is
provided.
For wireless devices, role-based security generally begins by offering several Service Set Identifiers
(SSIDs) simultaneously from the same AP. Each SSID has its own authentication and encryption
settings based on the capabilities of the clients and the services that each client needs.
A typical fixed telecommuter home has three wireless SSIDs available for association via the RAP
(Figure 5):
Enterprise, for the employee’s PC and data devices
Family, for non-employee users and devices to route directly to the Internet using specific
protocols (for example, HTTP, HTTPS), and to access local family resources such as servers
and printers
Voice, for enterprise voice devices, which receive a restricted role
Figure 5
Fixed Telecommuter SSIDs (diagram: Enterprise SSID, Family/Guest SSID, Voice/Video SSID)
A typical branch office has four SSIDs (Figure 6). The Family SSID is replaced with a Guest SSID,
which can use the Captive Portal feature to direct guests to a log-in page that is user name and/or
password protected. A pre-shared key SSID is added for legacy devices that are not capable of
modern encryption methods.
Figure 6
Branch Office SSIDs (diagram: High Security SSID, Voice/Video SSID, Pre-Shared Key SSID, Guest SSID)
For detailed examples of both the fixed telecommuter scenario and the branch office scenario, refer to
Chapter 6: Logical Design on page 59.
All users connect to the RAP and authenticate with the RADIUS server that already exists in the
network. The stateful firewalls in the controller and RAPs enforce the role and policy associated with
each user and device. Users are only able to access those resources they have permissions for, and
only after they have successfully authenticated to the network.
Operation of the Architecture
To understand the mechanisms employed in branch network virtualization, the following steps explain
how a RAP connects to a controller and then how users and devices connect to the enterprise LAN
through the RAP.
Connection Establishment
In this architecture, the RAP, using any of four standard discovery mechanisms (Aruba Discovery
Protocol (ADP), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), or a
statically configured IP address or host name), initiates an IPsec connection to the controller over any
public or private IP network. This connection is analogous to the VPN connection initiated by a VPN
client on a laptop or desktop to a VPN concentrator. However, in the case of a RAP, there is no single
user to be authenticated. Instead, the RAP itself is authenticated by the controller, either with a
pre-provisioned user name and password on the RAP or with certificates installed on the RAP.
Bootstrap Protocol Between Controller and RAP
A key difference between the Aruba virtual branch network (VBN) solution and branch router networks
is that all configuration is centralized and uploaded to the RAP in real time. No remote configuration is
required. After RAP authentication is completed by the controller and the IPsec tunnel has been
established, all communication between the controller and the RAP occurs through this secure
channel. This encrypted tunnel is now used to upgrade the image on the RAP (if there is an image
mismatch with the controller image version) and then to push the RAP configuration from the controller
to the RAP. This configuration includes all security settings, firewall roles and policies, wired port
policies, and wireless LAN policies. This process is referred to as “bootstrapping” the RAP in this
architecture. For more information about this process, refer to Chapter 6: Logical Design on page 59.
Network Access Control
Once the RAP has successfully bootstrapped to a controller, the RAP applies the configuration it has
received to the wired ports and wireless interfaces. Users and devices can now connect to the wired
ports and wireless SSIDs as provided for in the bootstrapped policies.
Administrators can control the exact access provided to the users and devices through these ports and
SSIDs by using authentication mechanisms such as 802.1X or MAC address authentication. Using
WPA or WPA2 on wireless SSIDs also provides an additional level of security by encrypting all frames
in the wireless medium.
When 802.1X authentication is used to authenticate wired or wireless users, the authentication frames
are sent through the IPsec tunnel to the controller, which then authenticates and authorizes the user/
device credentials by using RADIUS or LDAP protocols to communicate to the existing AAA server
infrastructure. Depending on the result of the authentication the user/device is placed in the
appropriate “user role.” Aruba enforces the principle of least privilege by identifying users or devices,
placing them into separated roles, and permitting or denying access to network resources or protocols
based on those roles. The user role is mapped to a series of firewall policies that define the network
access that the user is provided.
For detailed information about network access control, refer to Chapter 7: Authentication
and Security Design on page 85.
Figure 7
802.1X Authentication Handshake (sequence between station and RAP: 802.11 association (Associate, Associate response); 802.1X authentication (EAP request identity, EAP response, EAP exchange); 4-way handshake (Key1, Key2, Key3, Key4))
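The tail of the exchange in Figure 7, as an added example that is not part of the VRD or of ArubaOS: once the EAP exchange succeeds the AAA server hands the controller a PMK, and the RAP and the station run the WPA2 4-way handshake to turn it into per-session keys. The Python below derives the PTK with the IEEE 802.11i PRF-512, splits it into KCK/KEK/TK, and checks the EAPOL-Key MIC on each message, rejecting a station that does not hold the same PMK. The MAC addresses, nonces and the one-byte frame bodies are constructed stand-ins for real EAPOL-Key frames, and GTK delivery in message 3 is omitted.

```python
"""Added example (not Aruba code): WPA2 4-way handshake key derivation and MIC
checks between a station and a RAP, modelled on IEEE 802.11i. Frame bodies are
simplified stand-ins for EAPOL-Key frames."""
import hashlib
import hmac
import os


def prf_512(key, label, data):
    """IEEE 802.11i PRF-512: HMAC-SHA1 in counter mode over label||0x00||data||i."""
    out = b""
    for i in range(4):  # 4 x 20 bytes covers the 64 bytes needed
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    The min/max ordering lets both sides build the same input regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk):
    """KCK (MIC key), KEK (GTK wrapping key), TK (CCMP data key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck, frame):
    """Key MIC for a CCMP association (descriptor version 2): HMAC-SHA1 over the
    frame with the MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def run_handshake(pmk_rap, pmk_sta,
                  rap_mac=b"\x00\x0b\x86\x00\x00\x01",   # constructed RAP BSSID
                  sta_mac=b"\x00\x24\x6c\x00\x00\x02"):  # constructed station MAC
    """Simulate messages 1-4. Returns (completed, tk_rap, tk_sta).
    pmk_rap is the PMK the controller gave the RAP after 802.1X; pmk_sta is the
    station's own copy (different if the station cheated or the EAP session is stale)."""
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Message 1: RAP -> STA carries ANonce in the clear; the station can now derive its PTK.
    ptk_sta = derive_ptk(pmk_sta, rap_mac, sta_mac, anonce, snonce)
    kck_sta, _, tk_sta = split_ptk(ptk_sta)

    # Message 2: STA -> RAP carries SNonce and a MIC; the RAP derives its PTK and checks the MIC.
    msg2_body = b"\x02" + snonce  # stand-in for the EAPOL-Key frame with the MIC zeroed
    msg2_mic = eapol_mic(kck_sta, msg2_body)
    ptk_rap = derive_ptk(pmk_rap, rap_mac, sta_mac, anonce, snonce)
    kck_rap, _, tk_rap = split_ptk(ptk_rap)
    if not hmac.compare_digest(eapol_mic(kck_rap, msg2_body), msg2_mic):
        return (False, None, None)  # station does not hold the PMK: no keys are installed

    # Message 3: RAP -> STA repeats ANonce with a MIC (the encrypted GTK is omitted here).
    msg3_body = b"\x03" + anonce
    msg3_mic = eapol_mic(kck_rap, msg3_body)
    if not hmac.compare_digest(eapol_mic(kck_sta, msg3_body), msg3_mic):
        return (False, None, None)

    # Message 4: STA -> RAP MIC-only confirmation; both sides then install the TK.
    msg4_body = b"\x04"
    msg4_mic = eapol_mic(kck_sta, msg4_body)
    if not hmac.compare_digest(eapol_mic(kck_rap, msg4_body), msg4_mic):
        return (False, None, None)
    return (True, tk_rap, tk_sta)


if __name__ == "__main__":
    pmk = bytes(range(32))  # constructed PMK standing in for the EAP master key
    print("same PMK:", run_handshake(pmk, pmk)[0])
    print("wrong PMK:", run_handshake(pmk, bytes(32))[0])
```

The point the figure does not show is where the wireless encryption key comes from: the PMK never crosses the air, the nonces do, and the MIC on message 2 is the first proof the RAP gets that the station really finished the EAP exchange with the same key the controller returned.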
IP Routing
The IP address management and routing design for the RAP solution is one of the major differentiators
from a traditional branch office solution. Similar to the manner in which a VPN client is “assigned” an IP
address from an enterprise pool by the VPN concentrator, all enterprise users connecting to a RAP
may be assigned IP addresses from the controller. This mechanism extends the simple IP routing
model of a software VPN solution to the virtual branch network, making the client device connecting to
a RAP a part of the enterprise LAN. Guest or family devices are assigned an IP address from a local
address pool on the RAP.
This design is in contrast to a branch office router model that uses separate IP subnets for every
branch office network and then interconnects these subnets to the enterprise LAN for access to
business applications and data. This traditional model introduces a set of issues that includes:
Complicated VPN routing protocols
Complicated IP address management
Application issues related to going through NAT (for example, VoIP)
Requirement for special protocols for enabling multicast over these connections
The Aruba virtual branch network architecture avoids all these concerns and provides centrally
managed enterprise LAN application functionality, thereby reducing the cost and complexity of
deploying and managing branch and home offices.
Firewall
The firewall service in the RAP provides flexible, policy-based forwarding through access control
lists (ACLs) in split-tunnel forwarding mode. Split-tunnel is the recommended and most flexible mode
for interconnecting RAPs with their local controller. The benefits of split-tunnel mode include:
Enterprise traffic is tunneled to the controller over an encrypted IPsec tunnel.
The IPsec tunnel is trusted and shared by all wireless Virtual APs (VAPs) and wired ports.
All other traffic is source-NATed locally and forwarded on the wired uplink and downlink ports
according to user roles and session ACLs.
The RAP firewall implementation also provides a bridge forwarding mode that keeps local traffic
local while still permitting split-tunnel users access to selected local resources. Access and trunk
modes are supported on RAP wired ports.
For remote voice applications, minimizing latency is critical. A low latency tunnel forwarding mode is
supported where all traffic is tunneled to the enterprise network. For this forwarding mode, wireless
encryption is performed on the wireless client as usual and these encrypted frames are sent directly to
the local controller, where decryption is performed and forwarding policies are applied. This feature is
also of value to customers who have a compliance requirement to see all traffic from their employees.
Refer to Chapter 7: Authentication and Security Design on page 85 for detailed information about
these features.
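The role-based enforcement described under Role-Based Access Control, Network Access Control and in this Firewall section, as an added example that is not code from the VRD or from ArubaOS: a user lands in a role after authentication, the role maps to an ordered list of session ACL rules, and each flow is matched against those rules to decide whether it is denied, tunneled to the controller, or source-NATed and forwarded locally, with a deny rule optionally blacklisting the offending device. The roles, address ranges and flows below are constructed for the example; the three actions mirror the permit / route src-nat / deny choices a split-tunnel policy offers but the code is a model, not the product's firewall.

```python
"""Added example (not Aruba code): a minimal model of the per-role, per-flow
policy enforcement a RAP performs in split-tunnel mode. Roles, ACLs and
addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not from the VRD):
ENTERPRISE_NET = ipaddress.ip_network("10.0.0.0/8")    # reached through the IPsec tunnel
LOCAL_NET = ipaddress.ip_network("192.168.11.0/24")     # RAP-local family/guest pool
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network
    proto: str               # "any" or a protocol name
    dport: int               # 0 matches any destination port
    action: str              # "permit" = tunnel to controller, "src-nat" = forward locally, "deny"
    blacklist: bool = False  # deny + blacklist: drop every later flow from this source

    def matches(self, flow):
        return (ipaddress.ip_address(flow.dst) in self.dst
                and self.proto in ("any", flow.proto)
                and self.dport in (0, flow.dport))


# Role policies: first matching rule wins; no match is an implicit deny.
ROLES = {
    "employee": [
        Rule(ENTERPRISE_NET, "any", 0, "permit"),   # enterprise traffic goes through the tunnel
        Rule(LOCAL_NET, "tcp", 631, "src-nat"),     # one-way access to the home printer (IPP)
        Rule(ANY, "tcp", 80, "src-nat"),            # web traffic goes straight to the Internet
        Rule(ANY, "tcp", 443, "src-nat"),
        Rule(ANY, "udp", 53, "src-nat"),
    ],
    "family": [
        Rule(ENTERPRISE_NET, "any", 0, "deny"),     # family devices never reach the enterprise
        Rule(LOCAL_NET, "any", 0, "src-nat"),       # local printers and servers
        Rule(ANY, "tcp", 80, "src-nat"),
        Rule(ANY, "tcp", 443, "src-nat"),
        Rule(ANY, "udp", 53, "src-nat"),
    ],
    "voice": [
        Rule(ENTERPRISE_NET, "udp", 0, "permit"),         # SIP signalling and RTP media only
        Rule(ANY, "any", 0, "deny", blacklist=True),      # anything else: a misbehaving phone
    ],
}


class RapFirewall:
    """Per-flow enforcement plus the blacklist state a RAP keeps across flows."""

    def __init__(self, roles):
        self.roles = roles
        self.blacklist = set()

    def decide(self, role, flow):
        """Return (verdict, path): verdict is 'permit' or 'deny'; path says where or why."""
        if flow.src in self.blacklist:
            return ("deny", "blacklisted")
        for rule in self.roles[role]:
            if not rule.matches(flow):
                continue
            if rule.action == "deny":
                if rule.blacklist:
                    self.blacklist.add(flow.src)
                return ("deny", "rule")
            return ("permit", "tunnel" if rule.action == "permit" else "local-nat")
        return ("deny", "implicit")


def demo():
    """Run a constructed set of flows through one RAP and return the verdicts in order."""
    fw = RapFirewall(ROLES)
    return [
        fw.decide("employee", Flow("10.20.1.5", "10.1.2.3", "tcp", 445)),      # tunnel
        fw.decide("employee", Flow("10.20.1.5", "203.0.113.10", "tcp", 443)),  # local NAT
        fw.decide("employee", Flow("10.20.1.5", "192.168.11.9", "tcp", 631)),  # printer, local
        fw.decide("family", Flow("192.168.11.20", "10.1.2.3", "tcp", 445)),    # denied
        fw.decide("voice", Flow("10.20.1.7", "10.1.2.3", "tcp", 22)),          # deny + blacklist
        fw.decide("voice", Flow("10.20.1.7", "10.1.2.3", "udp", 5060)),        # now blacklisted
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two flows show the "devices violating a policy are automatically blacklisted" behaviour: the phone's SSH attempt is denied by a blacklisting rule, so its otherwise-permitted SIP traffic is dropped afterwards, which is why blacklisting rules belong only on roles where any violation is a strong signal of compromise.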
Redundancy
The Aruba virtual branch network architecture was designed from the ground up for high availability.
Redundancy may be configured at either the controller or the Remote Access Point or both. Controller
redundancy is achieved through standards-based Virtual Router Redundancy Protocol (VRRP) in
which controllers share a virtual IP address so that planned and unplanned outages are transparent to
remote users. RAP redundancy is achieved by configuring both an active and a standby master
controller IP address during the provisioning process. If for any reason the active master becomes
unreachable, the RAP can automatically failover to the standby master.
These configuration options provide network administrators with significant flexibility to design virtual
branch networks that leverage existing data center and WAN investments while fitting within available
budgets. From simple RAP failover between two standalone controllers at a single data center, to fully
redundant controller pairs at geographically diverse data centers, Aruba enables customers to meet
high service level expectations. Redundancy is considered fully in Chapter 6: Logical Design on
page 59.
Scaling to Multiple Controllers
For RAPs operated as a production IT service that must meet uptime and availability Service Level
Agreements (SLAs), there may be a requirement to deploy more than one controller to accept the RAP
connections. Aruba supports “clustering” controllers using the “master/local” concept.
In a master/local design, one of the controllers is configured to be the “master” controller. This
controller is responsible for providing centralized configuration and coordination for the entire network.
The “local” controller is the aggregation point where RAP tunnels terminate, and where security
policies are applied. All global settings (such as authentication profiles, firewall policies, and WLAN
policies) can be configured on the master controller. These settings are then automatically propagated
to all the local controllers. Aruba supports full 1+1 redundancy via VRRP for both the master and the
local controller levels.
The master controller can be viewed as the “control and management plane” of the network. RAPs
initially connect to the master controller and receive their configuration as described above. The local
controllers can be viewed as the “data plane” of the network, where the policies are actually applied
and all user traffic flows through these controllers.
Designing large-scale networks using these concepts is explained further in Chapter 6: Logical Design
on page 59.
Licensing and Software Updates
One of the ways that Aruba reduces the IT labor requirement associated with managing remote
networks is by centralizing licensing and software updates for all branch locations at the controller. As
we have seen, traditional branch network solutions create mini-enterprise networks at each location
with separate routing, firewall, VPN and other equipment. Many of these devices must have software
licenses installed. Also, their operating software must be kept up to date, which can require careful
planning and consume significant IT resources.
The Aruba virtual branch network architecture eliminates these requirements by overlaying the
enterprise network securely across the WAN, managed by controllers located in the data center.
Software license keys are installed only on the controllers, and the controller automatically upgrades
RAPs any time they authenticate to the network if a code change has taken place. Remote Access
Point licenses can be purchased in increments from 1 through 512, and there is no need to purchase
more than are needed. Additional remote sites can be added at any time. Choosing the right software
licenses is addressed in Chapter 5: Physical Design on page 39.
Deployment
The virtual branch network architecture dramatically reduces deployment costs through its Zero Touch
provisioning capability. Provisioning refers to the process of programming the APs to find their
controller and optionally assigning their physical location on an electronic floor plan in order to show
real-time heat maps on a controller.
The Aruba RAP-5, RAP-5WN, and RAP-2WG products are preloaded with a unique security certificate
at the factory. When combined with the 3000-series standalone controller or the M3-series blade that
also include a factory-installed certificate, a low-cost provisioning model becomes possible. This model
is particularly attractive for telecommuter deployments.
Aruba calls this feature zero touch provisioning, meaning that the IT organization simply pre-programs
the MAC address of each authorized RAP into a white list on the master controller before shipping it to
the end user. The IT professional can do this without having to plug the AP into the controller, and the
AP remains in its packaging untouched. Once received at the site, the end user simply enters the IP
address/hostname of the local controller into the provisioning screen on the RAP. The RAP exchanges
keys automatically with the controller and completes the provisioning process with no further manual
intervention.
For customers who prefer to stage equipment in advance, Aruba supports a pre-provisioning model.
Pre-provisioning refers to the process of staging the APs before they arrive at a site. This staging is
most often done when an IT team or system integrator will be traveling to each location to install or
refresh multiple pieces of equipment, and it is not possible or not desirable for site employees to
perform IT tasks themselves. With pre-provisioning, a staging center is required to prepare equipment
to be delivered to the remote locations. The Aruba RAPs are unpacked, configured, and verified at the
staging center prior to final delivery. The staging center should have secure LAN connectivity to the
data center where the controllers are housed so that RAPs can connect to the controller.
The choice of deployment methodology is generally determined by two factors: the cost to send
installers onsite, and whether the end user can or should be expected to perform a few simple tasks to
activate an Aruba RAP. For detailed information on deploying an Aruba virtual branch network, see
Chapter 8: Deploying Aruba Remote Networks on page 103.
Design Considerations for Remote Networks
The following are general considerations when designing an Aruba virtual branch network for
scenarios discussed in this chapter. Typically in a branch office environment, the majority of devices
will be enterprise owned. These may include:
Employee wireless laptops
Wired and wireless VoIP phones
Employee wired desktops and servers
Handheld scanning terminals
Shared wired and wireless printers
Local application server and network attached storage (NAS)
In the telecommuter home environment, in addition to the employee laptop and desktop and wired and
wireless VoIP phone, there may be:
Wired family desktops
Wireless family laptops
Family multimedia devices (Xbox, Media Center, TiVo, for example)
Shared wired and wireless printers
Shared wired and wireless network attached storage (NAS)
Planning appropriate connectivity and security for these devices is easily accomplished with inventory
design worksheets and example configurations, the details of which are covered in subsequent
chapters.
VLANs and IP Addressing
For both the fixed telecommuter and branch office solutions presented in this VRD, the following IP,
VLAN, and routing configurations are implemented:
A single VLAN can be configured for wired and wireless access.
Separate VLANs are configured for enterprise access and for family and guest access.
A separate VLAN is configured for enterprise voice access.
For enterprise users and devices, IP addresses are obtained from the enterprise DHCP server
regardless of the device type (wired or wireless) or the tunnel forwarding mode configuration.
For family and guest users and devices, IP addresses are obtained from the DHCP service
provided locally by the RAP.
For the fixed telecommuter solution, enterprise users are permitted unidirectional access to local
family devices such as printers via policy settings pushed down to the RAP.
Remote Networks Key Benefits
In summary, the Aruba virtual branch network architecture centralizes access control, authentication,
encryption, and management, thereby simplifying network management and enhancing security while
providing remote workers and their multiple network devices with access to centralized services. Key
features of this architecture include:
Operational simplicity. The RAP provides a similar functionality to a software VPN client but
allows for shared access to multiple devices through standard wired and wireless Ethernet
interfaces. The centralized controller acts in an analogous manner to a VPN concentrator for
multiple RAPs and provides access to the devices/users connecting through the RAPs to the
enterprise network and to the applications and services that exist there.
Flexibility and agility. The unique combination of security mechanisms and Aruba Role-Based
Access Control (RBAC) gives an Aruba Remote Network far greater granularity of control over
wired and wireless user traffic than traditional port-based approaches.
Scalability. The Aruba remote network architecture accommodates the needs of a single
teleworker all the way up to a medium size branch office. This solution offers flexible
configurations and price points that meet the needs of remote networks regardless of size, while
delivering high-performance throughput and transparent enterprise application access.
Low total cost of ownership. The Aruba Remote Network architecture requires just one device
at the remote location to service many remote devices/users, allowing the organization to
reduce the IT footprint and associated management cost for each remote location.
Chapter 3: The Network Technology Lifecycle
Successive generations of wired and wireless voice and data communications systems have been
deployed by a wide variety of organizations over many years. Early generations of Ethernet LANs
used coaxial cable, which subsequently gave way to layer 1 (L1) hubs for aggregating wired ports over
standard inside wiring. The development of Ethernet switches greatly reduced forwarding latency and
the processing load on the network device. Switching also provided the capability for collision domain
segmentation into Virtual LANs (VLANs). VLANs have since become the cure-all for moves, adds, and
changes as well as providing segmentation in an otherwise flat network.
In a similar way, early generations of WLANs used autonomous or “fat” access points (APs) with
Frequency-Hopping Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS) radios.
Until very recently, deployments were based on 802.11a/b/g technology. The current widespread
rollout of the latest 802.11n technology is being driven by its capacity to deliver wire-speed
performance and increased reliability.
With a new generation of remote access points (RAPs) supporting combined wired and wireless
connectivity for small branch offices and employee homes, Aruba is poised once again to deploy a
new wave of technology that promises to reduce costs and improve efficiencies for remote networking
environments.
The Network Technology Lifecycle
The lifecycle of an enterprise network typically moves through four distinct phases over a period of 4 to
5 years. The organization of this guide’s contents follows this lifecycle, beginning with the Define
phase and moving sequentially through the Design, Deploy, and Operate phases.
Figure 8
Network Technology Lifecycle (diagram: Define, Design, Deploy and Operate phases arranged as a repeating cycle)
Each new evolution of the lifecycle begins by defining the objectives, requirements,
and constraints facing the organization. The Define phase may also include pre-deployment
wired/wireless site surveys.
The requirements definition process addresses the broad project-level,
infrastructure-level, and application-level drivers and dependencies for the network. Common
examples (explored in depth in Chapter 4: Defining Requirements for Remote Networks on page 31)
include:
Remote site types, locations, and regulatory domains
WAN backhaul speeds, latencies, and redundancy options
User populations, authentication modes and device types
Quantification of key design or scale parameters
Financial, technical, and scheduling design constraints
Centralized controller-based remote network architectures offer significant security,
self-healing, performance, and flexibility advantages. They also offer vital
automation features that greatly reduce the workload for shorthanded IT
organizations. These capabilities require new types of design and architectural
decisions that are different from legacy branch router or software VPN solutions.
Aruba recommends segmenting the Design phase for a remote network into the following parts, each
of which is described in a separate chapter in this guide:
Physical Network Design. In a RAP architecture, controllers and APs work together as a
system that is overlaid on the existing wired LAN and WAN infrastructure. The network architect
must choose where to physically locate controllers and APs within that infrastructure, identify the
equipment and software licenses required, perform capacity planning for controllers and WAN
links, and make sure that optional AP radios comply with local laws. For more information, see
Chapter 5: Physical Design on page 39.
Logical Network Design. The network architect must determine how the network endpoints will
communicate logically at layer 2 (L2) and layer 3 (L3), choose how to configure controller and
AP redundancy, and complete a VLAN design. For more information, see Chapter 6: Logical
Design on page 59.
Authentication and Security Design. The network architect must determine how to integrate
the centralized controller with the existing Authentication, Authorization, and Accounting (AAA)
infrastructure. He or she must also decide how to detect, classify, and potentially contain
unauthorized or ‘rogue’ devices in both the wired and wireless spaces. For more information,
see Chapter 7: Authentication and Security Design on page 85.
Large organizations face deployment challenges when migrating network
technology and refreshing network software. Hundreds or thousands of locations
must be accommodated, typically in narrow pre-scheduled time windows,
sometimes by remote technicians with limited IT skills, and usually at the lowest
possible cost. Project management and logistics excellence are required.
Aruba offers system administrators a choice of provisioning methods specifically designed to enable
customers to successfully undertake rollouts with thousands of remote locations. The choice of
method is driven by the number of locations, geography, and WAN link characteristics of each site. For
detailed information about deployment methods, refer to Chapter 8: Deploying Aruba
Remote Networks on page 103.
To reduce the workload of network administrators who must manage far-flung
equipment and respond promptly to alerts and notifications, the Aruba controller-based
architecture is able to independently manage all authenticated wired and
wireless devices, user sessions, and roaming states. When the Aruba WIP module
is deployed, the controllers will automatically blacklist rogue devices. If the RAPs
include optional radios, Aruba provides for automated dynamic RF management of settings for
wireless devices and users.
Rapid resolution of remote user and device issues is a basic function of any IT support desk. Support
personnel must obtain actionable information about the health of specific client device connections in
order to resolve problems. Long-term trending is necessary for accurate capacity planning. The Aruba
Remote Networks architecture provides the tools required for supporting short-term troubleshooting
and long-term trend analysis.
Finally, automated operational and compliance reporting is a key requirement for many organizations
because their IT groups must support large numbers of users and devices with very limited personnel.
Remote networking potentially increases site counts by an order of magnitude. The AirWave Wireless
Management Suite offers powerful centralized reporting, management, and forensic tools that enable
customers to support tens of thousands of RAP locations. See Chapter 11: Reporting and
Management on page 177 for a discussion of AirWave capabilities. See Chapter 12: Troubleshooting
Remote Access Points on page 187 for detailed information about troubleshooting a remote network
deployment.
Chapter 4: Defining Requirements for Remote Networks
This chapter presents a three-step process that can be used by organizations to
define the business and technical requirements that drive the design and rollout
of an Aruba remote network solution. The information gathered in the Define
phase will be used in subsequent chapters to successfully design and deploy the
remote network solution.
Step 1 – Quantify Facility Requirements
Begin by determining what kind of remote sites will be served by the deployment. To generate the
equipment bill of materials, you need to know the number, location, and type of facilities that will be
covered.
Remote Network facility types fall roughly into these categories:
Fixed telecommuters
Remote call center agents
Medium branch offices and stores
Small branch offices and stores
Some organizations may have only one type of remote site, while others may have all of these. In
addition, global organizations may vary their site types and distributions on a country-by-country basis.
For each facility type, answer the following questions:
How many of each type of facility exists?
In how many separate country and regulatory domains does this facility type exist?
Is guest access required?
How many wired devices need to be supported at each facility?
What is the minimum and maximum WAN backhaul link speed for each facility type?
What WAN technologies (for example, frame relay, point-to-point, and VSAT) are in use for each
facility type?
What is the associated WAN link latency for each link type?
In addition, you must plan which of two possible provisioning methods will be used—zero touch
provisioning or pre-provisioning. With zero touch provisioning, the MAC address of the RAP is entered
on a whitelist on the controller. The RAP is drop-shipped directly to the user, who installs the RAP and
initiates an automatic provisioning process using the web GUI. With pre-provisioning, the RAP is
connected to a controller at a staging site and programmed with required provisioning parameters. It is
then shipped “ready to go” to the installation site. For more information about selecting a provisioning
method, refer to Recommended Provisioning Methods on page 108. Be sure to plan for anticipated
usage four or five years into the future, and not just for today’s requirements. These requirements
apply both to the number of individual sites and to the number of devices at each one. Construct a
worksheet similar to the following sample to capture the answers to these questions.
Table 1  Facility Inventory Worksheet Example
Columns: Facility Type; Site Count; Usage Requirements (Max Devices per Site, Guests, Family); WAN Link Requirements (Existing or New Link, Type, Speed, Latency); Provisioning Method.

| Facility Type | Site Count | Max Devices per Site | Guests | Family | Existing or New Link | Type | Speed | Latency | Provisioning Method |
|---|---|---|---|---|---|---|---|---|---|
| Fixed Telecommuters, USA | 100 | 20 | n/a | Yes | Existing | Cable | 2 Mbps | < 25 ms | Zero Touch |
| Fixed Telecommuters, Canada | 50 | 20 | n/a | Yes | New | DSL | 1 Mbps | < 25 ms | Zero Touch |
| Fixed Telecommuters, Mexico | 20 | 20 | n/a | No | New | DSL | 768 Kbps | < 25 ms | Zero Touch |
| Remote Call Center Agents, USA | 10 | 2 | n/a | No | New | DSL | 2 Mbps | < 25 ms | Zero Touch |
| Remote Call Center Agents, Canada | 2 | 2 | n/a | No | New | DSL | 1 Mbps | < 25 ms | Zero Touch |
| Remote Call Center Agents, Mexico | 2 | 2 | n/a | No | New | DSL | 768 Kbps | < 25 ms | Zero Touch |
| Small Branch Offices, USA | 302 | 10 | No | n/a | Existing | Frame | 256 Kbps | < 50 ms | Pre-Provision |
| Small Branch Offices, Canada | 47 | 5 | No | n/a | New | Frame | 256 Kbps | < 50 ms | Pre-Provision |
| Small Branch Offices, Mexico | 22 | 5 | No | n/a | New | 3G | 512 Kbps | < 100 ms | Pre-Provision |
| Medium Branch Offices, USA | 56 | 35 | Yes | n/a | Existing | Frame | 768 Kbps | < 25 ms | Pre-Provision |
| Medium Branch Offices, Canada | 21 | 15 | Yes | n/a | Existing | Frame | 768 Kbps | < 25 ms | Pre-Provision |
| Medium Branch Offices, Mexico | 11 | 15 | Yes | n/a | Existing | Frame | 768 Kbps | < 25 ms | Pre-Provision |
This information is used to construct the logical and physical architecture discussed in Chapter 5:
Physical Design on page 39 and in Chapter 6: Logical Design on page 59. This information is also used to plan
the logistics of the deployment covered in Chapter 8: Deploying Aruba Remote Networks on page 103.
Step 2 – Quantify Device Connectivity Requirements
Completing an inventory of present and future applications and the devices on which those
applications run is the second step in the planning process. The inventory assists you in properly
forecasting device populations and RAP hardware capabilities, and in developing the network design.
For each facility or site type, complete a worksheet that captures all current and future networked
application use. Use the following example application summaries as a tool to facilitate planning
meetings between IT, department managers, and executive management.
For each application and device identified, estimate the average number of users in each
location today, as well as several years into the future.
Note whether each device is wired or wireless, along with the relevant interfaces. All RAPs have
the ability to broadcast multiple virtual Service Set Identifiers (SSIDs) from a single physical AP.
Each SSID may have different encryption and traffic flow (forwarding mode) settings. In addition
to wireless devices, Aruba RAPs support wired devices for which specific profiles and user roles
can be created and applied, providing a uniform, managed, and secure remote network solution
for branch offices and fixed telecommuter implementations.
Define the different authentication modes by interface and device type required in the remote
location. Choose the strongest authentication supported by the device class. For wireless
devices, SSIDs can be used to further segment devices based on security requirements:
A high security SSID (WPA2/802.1X) for employees with individual login IDs and devices
such as PDAs. This requires an external AAA server to integrate with the Aruba controller.
A voice SSID (WPA/WPA2 with PSK) to support voice handsets optimized for QoS and
battery conservation.
In branch offices, a guest SSID (captive portal authentication with no encryption) for vendors or
customers to access the Internet. This SSID has explicit firewall access control lists (ACLs)
applied to limit access to unauthorized networks and has bandwidth contracts to limit airtime
usage.
In fixed telecommuter homes, a family SSID (WPA/WPA2 with Pre-shared Key).
The following examples show the user authentication and device type requirements for a generic
medium branch office and a fixed telecommuter site to help you determine your particular
requirements. Aruba recommends completing worksheets separately for each category of branch
office and fixed telecommuter site.
For detailed information about the different forwarding modes and their respective benefits and
limitations, refer to Chapter 6: Logical Design on page 59.
Table 2  Site Template Example—Medium Branch Office
Columns: Description; Forecast (Max Devices Today, Max Devices in 5 Years); Connection Method (Wired or Wireless); Logical & Security Design (Interface, Auth Mode, Forwarding Mode, Operating Mode, DHCP Source).

| Description | Max Devices (Today) | Max Devices (5 Years) | Connection Method | Interface | Auth Mode | Forwarding Mode | Operating Mode | DHCP Source |
|---|---|---|---|---|---|---|---|---|
| Enterprise Devices | | | | | | | | |
| Local Server | 1 | 1 | Wired | fe/2 | MAC | Bridge | Always | RAP |
| Local Printer | 2 | 2 | Wired | fe/1 (L2 switch) | MAC | Bridge | Always | RAP |
| Wired POS* | 5 | 1 | Wired | fe/1 (L2 switch) | MAC | Bridge | Always | RAP |
| Voice Handset | 1 | 5 | Wireless | Voice SSID | MAC | Tunnel | n/a | Enterprise |
| Scan Terminal | 3 | 9 | Wireless | Pre-shared Key SSID | PSK | Bridge | Always | RAP |
| Manager Laptop | 1 | 2 | Wireless | High Security SSID | 802.1X | Split-Tunnel | n/a | Enterprise |
| Guest Devices | | | | | | | | |
| Wired PCs | 2 | 5 | Wired | fe/3 (L2 switch) | Captive Portal | Split-Tunnel | n/a | Enterprise |
| Wireless Laptops | 2 | 10 | Wireless | Guest SSID | Captive Portal | Split-Tunnel | n/a | Enterprise |
| Total Devices | 17 | 35 | | | | | | |

*Over time, wired devices transition to wireless.
The following is an example of an application worksheet for the fixed telecommuter site.
Table 3  Site Template Example—Fixed Telecommuter
Columns: Description; Forecast (Max Devices Today, Max Devices in 5 Years); Connection Method (Wired or Wireless); Logical & Security Design (Interface, Auth Mode, Forwarding Mode, Operating Mode, DHCP Source).

| Description | Max Devices (Today) | Max Devices (5 Years) | Connection Method | Interface | Auth Mode | Forwarding Mode | Operating Mode | DHCP Source |
|---|---|---|---|---|---|---|---|---|
| Enterprise Devices | | | | | | | | |
| Wired PCs* | 1 | 0 | Wired | fe/1 | 802.1X | Split-Tunnel | n/a | Enterprise |
| Wired IP Phone | 1 | 0 | Wired | fe/2 | MAC | Tunnel | n/a | Enterprise |
| Employee Laptop | 0 | 1 | Wireless | Enterprise SSID | 802.1X | Split-Tunnel | n/a | Enterprise |
| Voice Handset | 0 | 1 | Wireless | Voice SSID | MAC | Tunnel | n/a | Enterprise |
| Shared Printers | 1 | 3 | Wired | fe/3 (L2 switch) | Open | Bridge | Always | RAP |
| Family Devices | | | | | | | | |
| Wired Devices | 2 | 5 | Wired | fe/3 (L2 switch) | Open | Bridge | Always | RAP |
| Wireless Devices | 2 | 10 | Wireless | Family SSID | Open | Bridge | Always | RAP |
| Total Devices | 7 | 20 | | | | | | |

*Over time, wired devices transition to wireless.
Step 3 – Define RAP Equipment Requirements
With completed templates for each type of remote facility, the final step is to itemize the hardware and
software requirements for each one. This information is needed in order to select the best RAP model.
In most cases, the same model will be used for all sites in a given category in order to keep
management as simple as possible. Sometimes, it is desirable to deploy different RAP models for
different user classes. For example, if wireless is not supported at a given location, it may be more
economical to deploy APs that do not include radios but support the number of wired ports required.
Construct a table similar to the one in Table 4 on page 37 to capture these items.
In determining the model of AP that is required for each site, consider the following important factors:
Are any wired devices to be supported at the site?
The RAPs can support layer 1 (L1) hubs downstream
The RAPs can support a PC downstream connected to a wired IP phone (802.1Q trunk)
Does the site require support for wireless devices?
Which bands need to be supported (2.4 GHz or 5 GHz or both)?
Follow the decision tree in Figure 9 to select the optimal AP model for each class of remote site.
Figure 9  RAP Selection Decision Tree (diagram; the decision path it shows is summarized here)
Start: Is wireless required?
  No: select the RAP-5, then select its power supply (US or ROW).
  Yes: Is dual-radio required?
    Yes: select the AP-125, then select its power supply (US or ROW).
    No: Is 802.11n required?
      Yes: select the RAP-5WN, then select its power supply (US or ROW).
      No: Over 5 users per AP?
        Yes: select the RAP-5WN, then select its power supply (US or ROW).
        No: select the RAP-2WG, then select its power supply (US, EU or ROW).
Table 4  RAP Requirements Worksheet Example

| Facility Type | Local Wired Ports | USB Required | Wireless Required | Radio Regulatory Domain | AP Model (with Power Supply) | WIPS Required |
|---|---|---|---|---|---|---|
| Medium Branch Offices, USA | 3 | No | Yes | USA | RAP-5WN-US | Yes |
| Medium Branch Offices, Canada | 3 | No | Yes | Canada | RAP-5WN | Yes |
| Medium Branch Offices, Mexico | 3 | No | Yes | Mexico | RAP-5WN | Yes |
| Small Branch Offices, USA | 3 | No | No | n/a | RAP-5-US | No |
| Small Branch Offices, Canada | 3 | No | No | n/a | RAP-5 | No |
| Small Branch Offices, Mexico | 3 | Yes | No | n/a | RAP-5 | No |
| Fixed Telecommuter, USA | 3 | No | Yes | USA | RAP-5WN-US | No |
| Fixed Telecommuter, Canada | 3 | No | Yes | Canada | RAP-5WN | No |
| Fixed Telecommuter, Mexico | 3 | No | Yes | Mexico | RAP-5WN | No |
| Remote Call Center Agents, USA | 1 | No | No | n/a | RAP-2WG-US | No |
| Remote Call Center Agents, Canada | 1 | No | No | n/a | RAP-2WG | No |
| Remote Call Center Agents, Mexico | 1 | No | No | n/a | RAP-2WG | No |
Chapter 5: Physical Design
Aruba remote wireless networks are designed to support users at large numbers
of sites with high reliability and security levels. To enable IT network architects to
successfully plan deployments, Aruba has developed a Virtual Branch Networks
Validated Reference Design (VRD) that leverages the experience of customer
deployments, peer review by Aruba engineers, and extensive laboratory
performance testing. This VRD leverages and extends the familiar enterprise wired core/distribution/
access model so prevalent in most enterprises today.
A complete Aruba VRD base design typically consists of three major elements:
Physical network design
Logical network design
Authentication and security design
In this chapter, we discuss the first element, physical network design. This element encompasses
selecting the appropriate access points (APs) and controllers, choosing software licenses, WAN link
capacity planning, and regulatory compliance for international networks. Aruba recommends the
general architecture shown in this chapter as a best practice for remote networks. This architecture
presents the optimal combination of cost savings, performance, and reliability.
Aruba Physical Architecture for Remote Networks
As we have seen, organizations increasingly deliver IP network services to remote workplaces that do
not have local IT support. It is common for these sites to have private, untrusted WAN connectivity to a
central data center. Remote sites may have varying redundancy requirements, depending on their
size, geography, and whether a local server exists. Therefore, any remote networking physical
architecture must be flexible enough to accommodate multiple site requirement categories.
The diagram shown in Figure 10 depicts a high level view of the physical architecture recommended
by Aruba and embodied in this VRD. This architecture is intended to serve a variety of branch office
and fixed telecommuter scenarios, such as:
Medium branch office (10-50 wired or wireless client devices with wired WAN link)
Small branch office (1-10 wired or wireless client devices with 3G wireless or wired WAN link)
Fixed telecommuter (1-10 enterprise and family devices with a broadband Internet link)
Remote call center agent (one data and one voice device via broadband Internet)
Each remote site communicates over an untrusted WAN link that is directly connected to a remote
access point (RAP). There is no need for an intermediate router or firewall device between the RAP
and the wide-area customer-premises equipment (CPE) device. These links all home to the enterprise
DMZ where redundant Aruba controllers are located.
Figure 10  Aruba Remote Network Physical Architecture (diagram). Data center: AirWave Management Platform, master controllers (active and standby), and application, DHCP/DNS, PBX and RADIUS servers. DMZ: two local controllers, both active, facing the Internet or WAN. Branch office sites (medium branch, small branch) and fixed telecommuter sites (remote call center agent, fixed telecommuter) are served by RAP-5WN, RAP-5 and RAP-2WG access points reached over 3G EVDO/GSM carriers, broadband carriers and cable providers.
The key components of the physical architecture are:
Master Controllers. Two Aruba controllers located at the data center are configured to use
master redundancy. Each controller has redundant gigabit Ethernet links into the data center
distribution switches, and shares a Virtual Router Redundancy Protocol (VRRP) address.
Local Controllers. Local controllers are managed by master controllers. They are installed
inside the data center DMZ. An Aruba recommended best practice is for two local controllers to
run in “active-active” redundancy, with two VRRP addresses shared between them. Very large
RAP deployments may require clusters of local controllers. All Aruba controllers share a
common hardware architecture that includes a dedicated control processor, a high-performance
programmable network processor unit, and a unique programmable encryption engine. Local
controllers aggregate network traffic from APs, process it using Aruba software, and deliver it to
the network based on defined security policies.
Remote Access Points. Aruba APs serve as on-ramps to aggregate user traffic onto the
enterprise network and direct this traffic to Aruba local controllers. APs extend the enterprise
network to any remote location by enabling seamless wired or wireless data and voice wherever
a user finds an Internet-enabled Ethernet port or cellular connection. While all Aruba AP models
support the RAP service, this VRD assumes the exclusive use of Aruba dedicated RAP models.
RAPs are selected based on the required number of wired ports, wireless service band (5 GHz/
2.4 GHz), and 802.11 mode (a/b/g/n).
RAPs operate in “hybrid mode” to provide intrusion detection services. This means that the AP
performs security and air monitoring functions on a part-time basis between serving client traffic.
Hybrid APs are used in the physical design for this Virtual Branch Networks VRD.
AirWave Management Platform. The AirWave console provides a single user interface that
enables administrators, help desk staff, security analysts, and other IT staff to have full visibility
into and control over the wireless network and users. For more information, see Chapter 11:
Reporting and Management on page 177.
Remote Site Physical Architectures
The physical designs of the fixed telecommuter and branch office deployment scenarios have many
similarities. For maximum clarity, we consider them separately in each of the design chapters in this
VRD.
Fixed telecommuter implementations generally fall into one of two categories:
Fixed telecommuter home environment
Fixed telecommuter call center environment
The Fixed Telecommuter Home Environment
The fixed telecommuter home environment includes two facets: the employee accessing enterprise
resources, the Internet, or shared family resources such as printers; and the family accessing personal
resources or the Internet. The following diagram shows an Aruba RAP-5WN AP providing all of these
services.
Figure 11  Fixed Telecommuter Home Network (diagram). A Remote Access Point connects over DSL, MPLS, Frame Relay or 3G WWAN to the Internet or WAN, and through it to the data center (enterprise LAN, enterprise IP address pool with remote DHCP) and to Internet services. Roles: Enterprise, Voice, Guest. SSIDs: Enterprise SSID, Voice SSID, Family SSID (local DHCP IP address pool). Enterprise wired access: IP phone, wired PC. Family wired access: game console/DVR, shared printer, family PC.
To create enterprise and family access from the home environment, customers deploy an Aruba RAP
that is plugged directly into the WAN via a Digital Subscriber Line (DSL) or cable modem. The RAP is
configured to support both secure enterprise access and shared family access using the role-based
access control capability inherent in ArubaOS. Wired devices are connected directly to one or more
secure jacks on the AP and wireless devices associate to one of three secure SSIDs.
Employee PC and laptop devices are assumed to use 802.1X whether wired or wireless, while
enterprise voice devices use the strongest authentication mode that they are capable of using. The
security design will be explored in greater detail in Chapter 7: Authentication and Security Design.
Family wireless users access the family SSID and family wired devices are connected directly to or via
a hub or switch that is uplinked to a secure jack on the RAP that is statically configured for family and
Internet access. The built-in firewall inside the RAP is configured with unidirectional ACLs so that the
family printer can be accessed from the employee devices. Internet access is implemented via split-tunnel for both employee and family devices.
NOTE
In this VRD, it is assumed that each wired port is preconfigured for the specific
device that will be plugged into it. Aruba calls this “Per Port” configuration.
For family devices, a third-party hub (e.g. a layer 1 repeater) or layer 2 switch may be installed on a
wired RAP port to aggregate traffic from multiple devices. Identical authentication methods and roles
must be in use on each of the devices, however, because all users sharing the same wired port will
also share the same role, policies, and VLAN settings.
A layer 2 switch must never be used for enterprise wired devices if 802.1X authentication is in use,
because 802.1X EAPOL frames are processed by the switch rather than forwarded.
NOTE
Do not use a layer 2 switch in front of a RAP wired port if 802.1X
authentication is in use.
The Fixed Telecommuter Call Center Environment
The Aruba remote networking solution offers great flexibility to the enterprise with respect to the
services it wishes to offer to its employees. To illustrate this flexibility, we present as part of the
reference design a remote call center agent with a restricted configuration.
Home-based agents can be implemented as a special case of the home environment with two
important differences:
Very low cost AP with only two wired ports
No family access
The Aruba RAP-2WG is recommended for this scenario. To create wired access to the call center
environment, the RAP is configured so that the IP phone connects to a second secure jack on the AP
via an 802.1Q trunk. The wired PC then connects to the phone. Internet access for the employee PC is
allowed via split-tunnel, as seen in Figure 12. The RAP-2WG includes an 802.11b/g radio that can be
enabled if the organization wishes.
Figure 12  Fixed Telecommuter Call Center Application (diagram). A RAP provides enterprise access to the data center over the Internet or WAN, with the IP phone on an 802.1Q trunk and the wired PC connected behind the phone. Roles: Enterprise, Voice. Internet services are reached directly.
Figure 12 shows how the versatility of the Aruba RAP solution can support various enterprise postures
with respect to providing home Internet connectivity to employees, at low cost to the organization.
The Branch Office Solution
The Aruba remote network solution provides an extension of the enterprise LAN into the branch office
without the complexity of enterprise LAN routing, firewall, and VPN equipment. In this use case, an
Aruba RAP is wire-connected to a Frame Relay, DSL, MPLS, or other service provider premise device
for its WAN uplink. On the downlink side, three devices are connected to the RAP:
Branch office employee wired devices are connected to a hub or switch that is uplinked to a
secure jack configured for enterprise and Internet access
Guest (vendors and customers, for example) wired devices are connected to a second hub or
switch that is uplinked to another secure jack configured for controlled Internet access
A local server is connected to a third secure jack, which allows for convenient traffic control via
locally enforced security policies
This reference design requires an Aruba RAP-5WN access point to provide the number of secure
jacks required for this application. This design is illustrated in the following drawing.
Figure 13  Remote Branch Office Network (diagram). A Remote Access Point connects over DSL, MPLS, Frame Relay or 3G WWAN to the Internet or WAN, and through it to the data center (enterprise LAN, enterprise IP address pool with remote DHCP) and to Internet services. Roles: Enterprise, Voice, Guest. SSIDs: Enterprise SSID, Voice SSID, Guest SSID (local DHCP IP address pool). Enterprise wired access includes an HTTPS application server; guest wired access is separate.
Wireless services can be offered on either the 2.4 GHz or 5 GHz bands for maximum compatibility and
performance; Aruba offers a flavor of the RAP-5 that does not include any radio for wired-only
deployments. Aruba also offers dual-radio access points to meet requirements for simultaneous
802.11 a/b/g/n deployments.
Data Center Physical Architecture
Production remote networking deployments are IT services that are expected to maintain high
availability and performance levels. Therefore, Aruba recommends deploying two master controllers in
the data center. These master controllers are configured in an “active-standby” configuration that
provides 1:1 redundancy. In the Virtual Branch Networks VRD, the master controllers do not terminate
APs. The redundant local controllers are located on the DMZ and terminate the RAPs in the remote
network. The AirWave appliances are also located in the data center.
Colocating Remote Network and Campus Controllers
Aruba offers special-purpose code trains such as Remote Networking (RN) and Federal Information
Processing Standard 140-2 (FIPS) in addition to our mainline releases. This VRD is based on the RN
code train. The RN release is required to manage the RAP-5WN, RAP-5, and RAP-2WG hardware, as
well as to provide many of the remote networking features described in this VRD such as zero touch
provisioning. Controllers running the RN code train are not intended to manage locally-connected, or
“campus” access points. Therefore, separate controller clusters are required for remote network and
campus deployments.
Adding a new Aruba master/local cluster to a data center with an existing master/local cluster serving
campus APs is very simple. Two pairs of master controllers should have redundant connections to the
core network. One pair runs the RN code train, and the other runs mainline ArubaOS.
The local controller pair that manages the remote access points must run the RN code train and
should be located in the DMZ with one-armed connections to DMZ switches. The other pair of local
controllers is typically connected to distribution layer switches via one-armed connections. This
controller pair runs mainline ArubaOS.
Figure 14  Aruba Remote Network Physical Architecture (diagram). Data center with AirWave Management Platform and application, DHCP/DNS, PBX and RADIUS servers. Remote network: a master controller pair (active and standby) and two active RAP local controllers in the DMZ facing the Internet or WAN. Campus network: a second master controller pair (active and standby) and two active campus local controllers at the distribution layer.
During the staging process, RAPs must communicate with a master controller running RN code in
order to be provisioned. Aruba customers that are already using DNS autodiscovery of “aruba-master”
for bootstrapping of campus APs must use DHCP Option 43 for RAPs to discover the proper master
controller. The simplest method is to use a private IT testing subnet with a local DHCP server that is
configured to offer the IP address of the RN master controller. This is only required if you plan to use
the pre-provisioning deployment method described in Chapter 8. By contrast, zero touch provisioning
uses either a static public IP address or an externally-resolvable FQDN that is entered by the remote
user after plugging the RAP into a broadband WAN link.
Required Equipment
To adapt the general physical design shown in Figure 10 on page 40 for your organization, you must
make a series of hardware selections. Aruba recommends that you proceed from the AP level inward
to the local controller and then to the master controller levels. Follow this decision tree as you work
through the process.
Figure 15  Equipment Decision Tree (diagram; its steps are summarized here)
Remote sites, for branch offices and for fixed telecommuters separately:
  1. Select RAP model(s).
  2. Estimate client device count (using Table 2 for branch offices, Table 3 for fixed telecommuters).
  3. Multiply client device count by site count (using Table 1).
DMZ:
  4. Select local controller model equal to 150% of total client device count (each).
Data center:
  5. Select master controller model (using Table 3).
  6. Multiple masters required? If yes, assign all locals to separate master/local clusters.
  7. Select AirWave server appliance equal to 150% of all APs and controllers.
Access Points
This VRD assumes the use of Aruba dedicated RAP models for large-scale, production deployments.
We also assume the use of APs that offer at least two Ethernet ports to provide for a secure wired jack.
This use provides maximum flexibility and allows for local wired bridging applications. As of this
writing, these APs include:
Figure 16  Aruba Dedicated Remote Access Point Product Family
Aruba RAP-5 Remote Access Point: 4 wired ports + 1 uplink port; no wireless radio; up to 256 users/devices; 1 USB port; PoE or 12V DC powered.
Aruba RAP-5WN Remote Access Point: 4 wired ports + 1 uplink port; single 3x3 MIMO radio, 802.11a/b/g/n; up to 256 users/devices; 1 USB port; PoE or 12V DC powered.
Aruba RAP-2WG Remote Access Point: 1 wired port + 1 uplink port; single 802.11b/g radio; up to 5 users/devices; 12V DC powered.
Aruba AP-125 Access Point: 1 wired port + 1 uplink port; dual 3x3 MIMO radios, 802.11a/b/g/n; up to 256 users/devices; PoE or 5V DC powered.
These models include features specifically designed and tested for remote deployments such as
certificate-based zero touch provisioning. These AP models are not intended or supported for local
campus deployments.
NOTE
All Aruba campus AP models can be deployed as a RAP. However, campus
APs such as the AP-70 and AP-120 series do not contain certificates and do
not support zero touch provisioning.
With Aruba Software-Defined Radio (SDR) technology, APs can be used anywhere in the world. It is
not necessary to stock different AP models on a per-country basis for regulatory reasons. Regulatory
compliance on Aruba products is managed at the controller level, as we will discuss later in this
chapter.
Please note that RAPs can be ordered as US and ROW (Rest of World) models based on electrical
requirements. The available SKUs are:
Table 5  RAP-5 and RAP-2 SKUs

| SKU | Description |
|---|---|
| RAP-2WG-US | Aruba Remote Access Point Model 2WG, US power supply |
| RAP-2WG-EU | Aruba Remote Access Point Model 2WG, EU power supply |
| RAP-2WG | Aruba Remote Access Point Model 2WG, International power adapter kit |
| RAP-5WN-US | Aruba Remote Access Point Model 5WN (Wired and Wireless), US power supply |
| RAP-5WN | Aruba Remote Access Point Model 5WN (Wired and Wireless), International power kit |
| RAP-5-US | Aruba Remote Access Point Model 5 (Wired Only), US power supply |
| RAP-5 | Aruba Remote Access Point Model 5 (Wired Only), International power kit |
Local Controllers
To build the Aruba VRD as shown in Figure 10 on page 40, appropriately sized local controllers are
deployed in the enterprise DMZ. Local controllers terminate AP tunnels and serve as an enforcement
point for security policies. The reference design assumes full 1+1 redundancy, which requires a pair of
identically configured local controllers in support of failover.
Figure 17  Aruba Controller Blades for MMC-6000 Chassis

Aruba 3600 Controller
  Up to 512 RAPs (2,048 users)
  4 Gigabit Ethernet (1000Base-T or 1000Base-X SFP)

Aruba M3 Blade
  Up to 2,048 RAPs (8,192 users)
  10 1000Base-X Ethernet ports (SFP)
  2 10GBase-X Ethernet ports (XFP)
  1 1000Base-T Ethernet port (RJ-45)
In order to utilize zero touch provisioning and/or certificate-based authentication, it is necessary to use
either an Aruba 3000-series controller or M3-series blade. Like the RAP-2 and RAP-5 access points,
these controllers include an integrated security certificate.
Controller Sizing
This Virtual Branch Networks VRD assumes that the local controllers residing in the DMZ are sized
according to the number of RAPs they terminate, as well as the total number of client devices on all the
RAPs. As we will discuss later in this chapter, in full 1+1 redundancy deployments, each controller
must be capable of assuming the entire load of APs in the remote sites assigned to it. Therefore,
local controllers should be sized and licensed so that only 50% of the RAP population terminates on each
unit during normal operation, leaving each unit able to carry the full population after a failover.
For large RAP deployments, the VRD assumes the use of either the MMC-3600 standalone controller
or M3-series controller blade in an A6000-series chassis with redundant 400W power supplies. Two
identically configured chassis are installed in the DMZ in a 1+1 redundancy model. Up to 4 M3 blades
can be installed in a single chassis to serve up to 8,192 remote sites and 32,768 users or devices.
NOTE: Certificate-based provisioning and zero touch provisioning are only supported
on the M3 Blade and 3000 series controllers.
Table 6  Controller Product Line Matrix

                                                   MMC-3000 Series                 MMC-6000 Series
Feature                                            MMC-3200  MMC-3400  MMC-3600   M3 Blade  Chassis (4 Blades)
Max number of campus-connected APs per controller        32        64       128        512               2,048
Max number of RAPs per controller                       128       256       512      2,048               8,192
Max number of users or devices per controller           512     1,024     2,048      8,192              32,768
MAC addresses                                        64,000    64,000    64,000     64,000             256,000
Maximum number of concurrent tunnels                    128       256       512      2,048               8,192
Maximum number of VLANs                                 128       256       512      2,048               8,192
Zero touch provisioning supported                       Yes       Yes       Yes        Yes                 Yes
The user and RAP limits from Table 6 can be combined in matrix form. Use the following table to select
the appropriate model and quantity of controller for your deployment. Use the same model for both
active local controllers.
Table 7  Local Controller Sizing by License Count

Devices per Site   RAP Site Count
                   50         100        250        500        1,000      2,000
1                  MMC-3200   MMC-3200   MMC-3400   MMC-3600   1xM3       1xM3
5                  MMC-3200   MMC-3200   MMC-3600   1xM3       1xM3       2xM3
10                 MMC-3200   MMC-3400   1xM3       1xM3       2xM3       3xM3
15                 MMC-3400   MMC-3600   1xM3       1xM3       2xM3       4xM3
A quantity of the appropriate SFP and/or XFP modules may also be required; Aruba offers a complete
line of modules on its price list.
International Regulatory Compliance
The United States and Israel restrict the Aruba controller to managing only APs that are located within
those countries. Aruba offers country-specific SKUs for these two areas. All other countries in an
international deployment can be managed from a single Rest of World (ROW) controller. When
ordering Aruba controller SKUs, be careful to order the appropriate country SKU for the location where
the controller will be installed. For additional information, see the Regulatory Compliance section later
in this chapter or consult your Aruba representative.
Master Controllers
Master controllers serve as the central point of configuration for the system. Masters also offload
network management, wireless IDS (WIDS), and RF decision making from the local controllers. This
VRD assumes either the MMC-3600 standalone controller or the M3-series controller blade in a
6000-series chassis with redundant 400W power supplies.
NOTE: Certificate-based provisioning and zero touch provisioning are only supported
on the M3 Blade and 3000 series controllers.

Figure 18  Aruba MMC-6000 Chassis with 4 M3 Blades
Controller Sizing
The proper size of a master controller is determined by both the number of connected or associated
wired and wireless user devices as well as the number of APs managed by all of the downstream
locals. Even though AP tunnels do not terminate on the master, each RAP transmits WIDS and RF
telemetry directly to the master. Aruba has thoroughly tested all of its controller models in a master role
supporting various AP and local controller loads.
Table 8  Maximum Number of APs and Users or Devices per Master Controller Model

Master                Maximum APs   Maximum Users or Devices
M3 Blade/MMC-3600     4,500         15,000
MMC-3400              2,250          7,500
MMC-3200              1,500          4,500
The user or device and AP limits from these tables can be combined in a matrix form. Use the
following table to select the appropriate controller model for your deployment. Use the same model for
both the active master and the standby master.
Table 9  Master Controller Sizing by Client Device Count

Devices per Site   Number of RAP Sites
                   50         100        250        500        1,000      2,000
1                  MMC-3200   MMC-3200   MMC-3200   MMC-3200   MMC-3200   MMC-3200
5                  MMC-3200   MMC-3200   MMC-3200   MMC-3200   MMC-3400   MMC-3600
10                 MMC-3200   MMC-3200   MMC-3200   MMC-3400   MMC-3600   M3 Blade
15                 MMC-3200   MMC-3200   MMC-3200   MMC-3400   M3 Blade   M3 Blade
Very large deployments that require more than one M3 blade for a master should be divided into
clusters of locals, each with its own master. Use one M3 blade configured as the active master for
each cluster, with a second M3 blade configured as a standby master. Up to four active masters or
standby masters can be installed in a single A6000 chassis. Aruba does not recommend collocating
active and standby masters in the same chassis.
International Regulatory Compliance
The United States and Israel restrict master controllers to managing only local controllers that are
located within those countries. Aruba offers country-specific SKUs for these two areas. All other
countries in an international deployment can be managed from a single Rest of World (ROW)
controller. When ordering Aruba controller SKUs, be careful to order the appropriate country SKU for
the location where the controller will be installed. For additional information, see the Regulatory
Compliance section later in this chapter or consult your Aruba representative.
AirWave Appliance
AirWave offers two different hardware appliance models. They are sized based on the number of APs
and controllers being managed. For large deployments, you purchase and deploy multiple AirWave
appliances, and the software will automatically cluster the controllers together and distribute the
processing workload appropriately. The SKUs are: AMP-HW-ENT, AirWave Management Platform for
managing up to 2,500 devices, and AMP-HW-PRO, AirWave Server Appliance for managing up to
1,000 devices.
Required Licenses
To support RAPs, the local controllers must have RAP licenses to provide IPsec encryption and
split-tunnel or local bridging features. All controllers in a Master/Local cluster must be running the same
version of software.
NOTE: Aruba has released a dedicated code train for Remote Networking
deployments. This VRD is based on ArubaOS 3.3.2.11-rn3.0. The mainline
ArubaOS code train does not include many of the remote networking features
discussed in the VRD and should not be used.
Local Controllers
To build this Aruba VRD as depicted, the following licenses are required on each of the local
controllers, assuming that there are a total of 2,048 Aruba RAPs being managed, with an MMC-6000
Multiservice Aruba Controller acting as a backup to a second MMC-6000:
LIC-2048-RAP Remote Access Point License (2,048 RAPs)
LIC-WIP-2048 Wireless Intrusion Protection Module License (2,048 AP Support)
LIC-PEF-4096 Policy Enforcement Firewall Module License (4,096 Users, 2:1 PEF users to RAPs)
The ratio of PEF users to RAPs is 2:1 and is determined by the number of devices accessing the
network through each RAP.
Master Controllers
The following licenses should be applied to the master controllers, assuming a MMC-3600 controller
with no APs terminating and not acting as a backup for any local controller:
LIC-1-RAP Remote Access Point License (1 RAP)
LIC-WIP-8 Wireless Intrusion Protection Module License (8 AP Support)
LIC-PEF-128 Policy Enforcement Firewall Module License (128 Users [1])
Note that each RAP counts toward the RAP license count, while each SSID on a radio plus each
wired port in use counts as one (1) tunnel against the total concurrent tunnel capacity of the
controller serving as the local. Concurrent tunnel capacity is listed on the datasheet for each Aruba
controller.
1. Users on a tunnel in bridge forwarding mode need not be added to the total user count for a controller PEF license.
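The sizing rules from the Controller Sizing section (Table 6 limits, full load per unit because of 1+1 failover) and the license and tunnel counting rules above can be combined into one planning check. The following Python is an added example, not Aruba's tool and not code from this guide: it embeds the Table 6 per-unit limits, assumes one RAP per site as Table 7 does, counts tunnels as SSIDs per radio times radios plus wired ports in use, and excludes bridge-mode devices from the PEF count per footnote 1. The class and function names are the example's own. It also shows what the text states but Table 7 cannot, namely that with several SSIDs per radio the concurrent tunnel limit, not the RAP or user count, becomes the binding constraint.

```python
"""Local controller sizing and license check for a 1+1 redundant RAP deployment.

Added example, not Aruba's own tool. Capacity figures are the Table 6 values
from this guide (per unit; "M3" is one blade, up to 4 blades per chassis).
The sizing rule is the one the guide states: although only 50% of the RAPs
terminate on each local controller normally, either unit must absorb the
whole load on failover, so every unit is checked against the FULL load.
Assumption: one RAP per site, as in Table 7.
"""
from dataclasses import dataclass
from math import ceil
from typing import Optional


@dataclass(frozen=True)
class ControllerModel:
    name: str
    max_raps: int
    max_users: int
    max_tunnels: int


# Table 6, per-unit limits: RAPs, users/devices, concurrent tunnels.
TABLE_6 = (
    ControllerModel("MMC-3200", 128, 512, 128),
    ControllerModel("MMC-3400", 256, 1024, 256),
    ControllerModel("MMC-3600", 512, 2048, 512),
    ControllerModel("M3", 2048, 8192, 2048),  # one blade
)
MAX_BLADES_PER_CHASSIS = 4


@dataclass(frozen=True)
class SitePlan:
    sites: int                         # one RAP per site (assumption)
    devices_per_site: int
    radios: int = 1
    ssids_per_radio: int = 1
    wired_ports: int = 0               # wired ports in use per RAP
    bridge_devices_per_site: int = 0   # devices on bridge-mode tunnels (footnote 1)


def tunnels_per_rap(plan: SitePlan) -> int:
    """Each SSID on each radio plus each wired port in use is one tunnel."""
    return plan.radios * plan.ssids_per_radio + plan.wired_ports


def required_load(plan: SitePlan) -> dict:
    """Totals that every local controller must carry after a failover."""
    return {
        "raps": plan.sites,
        "users": plan.sites * plan.devices_per_site,
        "tunnels": plan.sites * tunnels_per_rap(plan),
    }


def select_local_controller(plan: SitePlan) -> Optional[str]:
    """Smallest Table 6 option that carries the full load on one unit,
    e.g. 'MMC-3600' or '2xM3'. None means more than one chassis would be
    needed; the guide's advice there is to split into clusters."""
    load = required_load(plan)
    for model in TABLE_6:
        if model.name == "M3":
            # Blades share a chassis; the worst of the three limits decides.
            blades = max(
                ceil(load["raps"] / model.max_raps),
                ceil(load["users"] / model.max_users),
                ceil(load["tunnels"] / model.max_tunnels),
            )
            return f"{blades}xM3" if blades <= MAX_BLADES_PER_CHASSIS else None
        if (load["raps"] <= model.max_raps
                and load["users"] <= model.max_users
                and load["tunnels"] <= model.max_tunnels):
            return model.name
    return None


def binding_limit(plan: SitePlan) -> str:
    """Which limit forces the choice: 'raps', 'users' or 'tunnels'.
    All Table 6 models scale the three limits by the same factor, so the
    ratios against one blade rank them correctly for every model."""
    load = required_load(plan)
    m3 = TABLE_6[-1]
    ratios = {
        "raps": load["raps"] / m3.max_raps,
        "users": load["users"] / m3.max_users,
        "tunnels": load["tunnels"] / m3.max_tunnels,
    }
    return max(ratios, key=ratios.get)


def required_licenses(plan: SitePlan) -> dict:
    """License counts per local controller: RAP and WIP per RAP, PEF per
    tunnel-mode device (bridge-mode devices are excluded per footnote 1)."""
    pef_users = plan.sites * (plan.devices_per_site - plan.bridge_devices_per_site)
    return {"RAP": plan.sites, "WIP": plan.sites, "PEF": pef_users}


if __name__ == "__main__":
    # Constructed plan: 500 sites, one device each, two radios with two SSIDs.
    plan = SitePlan(sites=500, devices_per_site=1, radios=2, ssids_per_radio=2)
    print(select_local_controller(plan), binding_limit(plan), required_licenses(plan))
```

With a single SSID per radio the function reproduces the Table 7 cells (250 sites at 5 devices gives MMC-3600, 2,000 sites at 15 devices gives 4xM3). The constructed 500-site plan with four tunnels per RAP needs an M3 blade even though its RAP and user counts would fit an MMC-3600, which is why the tunnel rule above matters when sizing the enforcement point.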
AirWave Appliance
The AirWave Management Platform (AMP) is licensed using the same sizing criteria as the hardware
appliance:
AMP-ENT, AirWave Management Platform software for a single server with no limit on
processor cores. Recommended for managing up to 2,500 devices such as controllers, wireless
access points, or switches.
AMP-PRO, AirWave Management Platform software for a single server with up to four processor
cores. Recommended for managing up to 1,000 devices such as controllers, wireless access
points, or switches.
Both SKUs include the full selection of AirWave modules, including the AirWave Management Platform
(AMP), Visualization and mapping software module (Visual RF), and RAPIDS (Rogue detection
software).
3G Modem Selection
3G service providers supply lists of wireless modems that are supported in their networks. The
availability of 3G service from wireless carriers continues to increase rapidly, and more modems are
being introduced by a variety of manufacturers.
USB cellular modems are supported via the USB port on the AP-70, RAP-5, and RAP-5WN. ArubaOS
3.3.2.0-rn3.0 supports several EVDO (Evolution Data Optimized, up to 3.1 Mbps, CDMA) and 3G
HSPA (High-Speed Packet Access, 3G data service) modems. This software release, with its built-in
flexibility, can support future USB modems and protocols without a software code change. 3G HSPA is
provided by AT&T in the United States and by numerous other 3G providers worldwide. The following
USB modems are verified in this release:
Manufacturer   Model
AT&T           USBConnect 881 (Sierra 881U)
               Mercury (Sierra Compass 885)
               Quicksilver (Globetrotter ICON 322)
               Huawei E272, E170, E220
Sprint         Compass 597 (Sierra)
               USB 598 (Sierra)
               Ovation U727 (Novatel)
               U300 (Franklin Wireless)
Verizon        USB U727 (Novatel)
               USB U720 (Novatel/Qualcomm)
               UM175 (Pantech)
               UM150 (Pantech)
               U597 (Sierra)