Aruba Networks Version 3.3 manual Understanding Centralized Wireless LAN Networks

Page 7

Chapter 2

Aruba’s User-Centric

Network Architecture

This chapter provides an overview of a centralized wireless LAN architecture, followed by a high level technical overview of the Aruba User-Centric Network components and network design.

This overview describes the technology, architecture, services, and applications that make up an Aruba User-Centric Network to help you make the right design choices, and select the appropriate solution components.

Understanding Centralized Wireless LAN Networks

In the early days of wireless LAN (WLAN) networks, Access Points operated in an autonomous fashion much like other routers and switches in the network. Access Points were managed and maintained independently; which worked for very small wireless deployments, such as lobbies and conference rooms where guests were expected.

Client

Autonomous

Access

Distribution

termination

point

AP

layer

layer

Encryption

As large numbers of regular enterprise users began to expect connectivity using wireless connections, the autonomous Access Points became a management, reliability and security headache. Maintaining consistent configurations for dozens or hundreds of standalone APs became time-consuming, and introduced errors. Because each AP was a standalone device, network availability could not be guaranteed if any single AP failed. Centralized management consoles also fell short of expectations; and, in general, never grew beyond a certain point due to escalating operational costs. The workload associated with maintaining security, managing and troubleshooting large numbers of APs created a barrier to adoption in the larger enterprise; except in niche applications, such as guest access in conference rooms.

From a security perspective, users did not experience true mobility because network managers addressed WLAN security issues by treating wireless users and remote dial-up users the same way. Oftentimes, wireless users are quarantined on a single VLAN and forced through the “de-militarized zone” (DMZ) residing outside the corporate intranet. Users are then expected to tunnel into the corporate network through VPN concentrators that support industrial strength encryption such as AES.

A VPN was required primarily because of the ‘port-based security’ limitation of modern enterprise network infrastructures. VLANs and access controls are specified at the port level. When an autonomous AP is plugged in, then all users who connect to that AP inherit those security settings whether they are supposed to have them or not.

VPNs were a rudimentary way to impose identity-based authentication and provide extra encryption for first-generation wireless security systems. Unfortunately, these VPN concentrators were optimized for low speed WAN connections not intended for large numbers of high-speed wireless LAN users which then resulted in poor performance, management complexity, mobility, and scalability problems.

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide

Aruba’s User-Centric Network Architecture 7

Page 6 Page 8
Image 7
Page 6 Page 8
Contents Campus Wireless Networks Validated Reference Design Version Crossman Avenue Sunnyvale, California Phone Fax Contents Chapter RF Planning and Operation Introduction Aruba Reference ArchitecturesReference Documents Contacting Aruba NetworksTelephone Support Aruba’s User-Centric Network Architecture Understanding Centralized Wireless LAN NetworksCentralized Wlan Model Introducing Aruba’s User-Centric NetworkArubaOS ArubaOS and Mobility ControllerMobility Controller Access Point Multi-function Thin Access PointsAir Monitor Aruba’s Secure Enterprise Mesh Network Mesh Portal or Mesh PointRemote AP Mobility Management SystemMobility Management System Proof-of-Concept Network PoC Network Physical DesignVlan PoC Network Logical and RF DesignProof-of-Concept Network Proof-of-Concept Network Campus Wlan Validated Reference Design Aruba Campus Wlan Physical ArchitectureAruba Campus Wlan Logical Architecture Data center ManagementMaster Campus Wlan Validated Reference Design Understanding Master and Local Operation Mobility Controller Access Point DeploymentMobility Controller High Availability Master Controller Redundancy Local Controller Redundancy Second Local controller has an opposite configuration Vlan Design Do Not Use Special VLANs Do Not Make Aruba the Default RouterVlan Vlan PoolsVLANs 10, 20, 30 User Mobility and Mobility DomainsMD1 ArubaOS Mobility DomainMaster Controller Placement Mobility Controller Physical Placement and ConnectivityLocal Controller Placement AP Placement, Power, and ConnectivityMobility Controller and Thin AP Communication AP Location and Density Considerations AP Power and ConnectivityOffice Deployment Active Rfid Tag Deployment Voice DeploymentRequired Licenses Configuration Profiles and AP GroupsMobility Controller Configuration Configuration ProfilesAP group Profile TypesAP Groups SSIDs, VLANs and Role DerivationProfile Planning VLANs SSIDsRole Derivation Secure Authentication MethodsAuthenticating with Corporate Authentication Methods for Legacy Devices Authenticating with Captive PortalEmployee Role Configuring Roles for Employee, Guest and Application UsersGuest Role Create a bandwidth contract and apply it to an AP group Create the block-internal-access policy Modify the guest-logon role Device Role Role Variation by Authentication Method Wireless Intrusion Detection SystemWireless Attacks Rogue APs Page Mobility Controller Configuration RF Planning and Operation RF Plan ToolAdaptive Radio Management Page Minimum Scan Time Sec Quality of Service Voice over Wi-FiWMM and QoS Voice-Aware RF Management Voice Functionality and FeaturesTraffic Prioritization Network Wide QoSComprehensive Voice Management Voice over Wi-Fi LAN / WAN Controller Clusters Mobility Management SystemMultiple Master/Local Clusters Page Multiple Master/Local Clusters Licenses Appendix aLicenses Wlan Extension with Remote AP Appendix BWlan Extension with Remote AP Alternative Deployment Architectures Small Network DeploymentMobility Controller located in the network data center Medium Network DeploymentBranch Office Deployment Corporate data center DMZ Pure Remote Access Deployment
Top Page Image Contents