#ATM15 | Aruba Mobility Access Switch Workshop Vinay Kammar & Scott Calzia March 2015

Unified access with Aruba Mobility Access Switches – Live Demo

CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved

Agenda

Platform Overview & Resources

Role Based Access

Zero Touch Provisioning

Introducing the Aruba Mobility Access Switch Family

• L2/L3 Access Switch
• 10/100/1000
• 802.3at on all ports
• Security to wired access
  – Flexible role-based access
  – Policy moves from wireless to wired
• Operational simplicity
  – Low-touch installation and configuration
  – Dynamic configuration of user policies
  – Integration with Aruba APs

Mobility Access Switch Capabilities

[Diagram showing the Mobility Access Switch, Access Point, LAN Core, Mobility Controller, AirWave Management Platform and ClearPass Policy Manager, with labels A. L2/L3 Forwarding, B. User-Role Download and C. Wired AP]

A. Ethernet Switch
  - Layer 2/3 forwarding
  - Native Role-based policy enforcement

B. Integration with ClearPass
  - Downloadable Role/ACL
  - Captive Portal

C. Wired Access Point
  - Role-based policy enforcement at Mobility Controller
  - Single policy for WLAN and LAN

S3500 Mobility Access Switch

• Designed for Wired Access
  – 24/48 Port Models
  – Role-based access with user visibility
  – Per port PoE/PoE+
• ArubaStack
  – Stack up to 8 devices
  – Up to 384x GbE and 16x 10GbE
• Modular Components
  – Field replaceable AC power supplies
    • Optional redundant power supply
  – Field replaceable fan tray
  – Optional 4-port uplink module
    • 1000BASE/10GBASE-x SFP/SFP+

SKU           Ports                    PoE Budget
S3500-24F     24x1000BASE-x            Not Applicable
S3500-24T     24x10/100/1000BASE-T     Not Applicable
S3500-24P     24x10/100/1000BASE-T     400W | 689W
S3500-24PF    24x10/100/1000BASE-T     850W | 1465W
S3500-48T     48x10/100/1000BASE-T     Not Applicable
S3500-48P     48x10/100/1000BASE-T     400W | 689W
S3500-48PF    48x10/100/1000BASE-T     850W | 1465W

S2500 Mobility Access Switch

• Designed for Wired Access
  – 24/48 Port 10/100/1000BASE-T
  – Role-based access with user visibility
  – Per port PoE/PoE+
• ArubaStack
  – Stack up to 8 devices
  – Up to 384x GbE and 16x 10GbE
• Integrated Components
  – Built in fans for quiet operation
  – Fixed 4-port uplinks
    • 1000BASE/10GBASE-x SFP/SFP+

SKU          Ports                    PoE Budget
S2500-24P    24x10/100/1000BASE-T     400W
S2500-48T    48x10/100/1000BASE-T     Not Applicable
S2500-48P    48x10/100/1000BASE-T     400W

S1500 Mobility Access Switch

• Designed for Wired Access
  – 12/24/48 Port 10/100/1000BASE-T
  – Role-based access with user visibility
  – Per port PoE/PoE+
• ArubaStack
  – Stack up to 8 devices
• Integrated Components
  – Built in fans for quiet operation (24P/48P)
  – Fanless for public spaces (12P)
  – Fixed 2-port (12P) & 4-port (24P/48P) uplinks
    • 1000BASE-x SFP

SKU          Ports                    PoE Budget
S1500-12P    24x10/100/1000BASE-T     120W
S1500-24P    24x10/100/1000BASE-T     400W
S1500-48P    48x10/100/1000BASE-T     400W

Features & Capabilities

Platform / Layer 2 Features
• Spanning Tree Protocols
  - MSTP & Rapid PVST+
• Link Aggregation Group
• L2 Generic Routing Encapsulation
• Voice VLAN
  - LLDP-MED & CDP Fingerprinting
• Port Security
  - DHCP Snooping, DAI & IPSG
• Quality of Service
  - Strict Priority Queuing
  - 1 Rate Tri-Color Policing

Routing Features
• Routed VLAN Interfaces (RVI)
• Static Routing
• OSPFv2
  - Summarization & Route Filtering
• Policy Based Routing
• Virtual Router Redundancy Protocol
• L3 Generic Routing Encapsulation
• Multicast
  - PIM-SM & PIM-SSM
  - IGMPv1/v2/v3 Snooping
  - MLDv1

Features & Capabilities (cont.)

Branch Features
• Redundant Uplinks
  - L3 Interface Monitoring (ping-probe)
  - Route Metrics for DHCP Enabled L3 Interfaces
• Dynamic DNS Client
• Network Address Translation
  - Source/Destination NAT via ACL
  - Interface Based Source NAT
  - NAT Pools
• Stateful Firewall
  - Session ACLs on RVIs & User-Roles

Branch Features (cont.)
• Site to Site VPN
  - Standby VPN Interface
  - Default Route to VPN
  - OSPF over VPN
• Aruba VPN
  - Certificate based VPN using Mobility Controller Whitelist
• Tunneled Node over Site to Site or Aruba-VPN
• DHCP Services
  - Dynamically distribute DHCP scopes from Mobility Controller

Features & Capabilities (cont.)

Authentication & Security
• Role Based User Access
• Deny Inter User Traffic
• User Derived Roles
  - MAC OUI, DHCP Sig. & LLDP/CDP Phone Match
• AAA Authentication
  - 802.1x, MAC Auth & Captive Portal
• External Authentication Servers
  - RADIUS, TACACS+ & LDAP
• RADIUS Fail-Open

Aruba Portfolio Integration
• Mobility Controller
  - Aruba VPN
  - Tunneled Node
  - AirGroup
• Access Points
  - Auto AP PoE Prioritization (IAP/CAP)
  - Auto AP QoS Trust (IAP/CAP)
  - Auto AP Interface Config. (IAP/CAP)
  - Rogue AP Containment (IAP)
  - VLAN Sharing (IAP)
• ClearPass Policy Manager
  - Downloadable Roles & Guest

Features & Capabilities (cont.)

Management
• Command Line Interface
• Web UI
• Aruba Activate
  - Cloud Provisioning Service
  - Direct Mobility Access Switch to Airwave or Controller for VPN
• Aruba Central
  - Cloud Management Service
• Airwave Management Platform
• Discovery via DHCP
• Discovery via Activate

Optics & DACs
• SFP/SFP+ Optics
  - 1000BASE-T
  - 1000BASE-SX
  - 1000BASE-LX
  - 1000BASE-EX
  - 1000BASE-ZX
  - 10GBASE-SR
  - 10GBASE-LR
  - 10GBASE-LRM
  - 10GBASE-ER
  - 10GBASE-ZR
• Twinax/Direct Attach Copper
  - 50cm/1m/3m/5m/7m

Role Based Access

AAA View of the World

Our Mobility Access Switches see…
• Manufacturers via MAC OUI
• Operating Systems via DHCP Fingerprinting
• IP Phones via Device-Type Fingerprinting

And our security enforcement model uses…
• MAC Addresses
• Usernames/Passwords
• User-roles

…provisioned locally or dynamically which simplifies AAA deployments

ClearPass Policy Manager Integration

Context
• User: Joe Smith
• Role: Guest

[Diagram labels: Policy Enforcement, Policy Definition; 802.11n AP, Mobility Controller, Mobility Access Switch, ClearPass]

1. User provides their credentials and other context to Authenticate
2. ClearPass Policy Manager returns Role & Policy for User/Device
3. Role & Policy pushed to the Mobility Controller for Role & Policy Enforcement
3. Role & Policy pushed to the Mobility Access Switch for Role & Policy Enforcement

Role Based Access Demo

Zero Touch Provisioning

Airwave Discovery using DHCP & Aruba Activate

[Diagram labels: Branch Location (Mobility Access Switch), Aruba Activate, Headquarters Location (Airwave Management Platform)]

1. Customer Enables Service & Inputs Provisioning Rules
2. Mobility Access Switch first attempts to download a configuration via TFTP
3. When TFTP fails, the Mobility Access Switch attempts to contact Airwave using credentials supplied by DHCP.
4. If no credentials are supplied via DHCP options, the Mobility Access Switch attempts to contact Activate.
5. Activate responds with Airwave IP, Shared Secret, Group Name and Folder Name and optional Controller IP for Aruba-VPN
6. Mobility Access Switch contacts Airwave and provides Shared Secret, Group Name and Folder Name.
7. Airwave contacts Mobility Access Switch and pushes down group configuration

Callouts in the diagram: "TFTP? Are you there?", "Argh! No Airwave details from DHCP either!", "Help me Aruba Activate, you’re my only hope!", "Hi Mobility Access Switch!" (shown twice), "Hi Airwave! Configure Me!", "Yippie! All Configured!"

AirWave Management Platform & Mobility Access Switch

Hardware Monitoring & User Visibility
– Inventory and Uptime
– Visibility Into Wired Network Usage
– SNMP Trap and Syslog Support

Software Configuration & Firmware Management
– Configuration Changes & Backups
– Firmware Upgrades

Reporting
– Compliance Reporting
– Report and Track Wired Users

Zero Touch Provisioning Demo

THANK YOU
