Presentation on theme: "The New Wi-Fi Paradigm – Preparing your network for the Mobile Device and Application explosion", Troy Roberts, 2012. Presentation transcript:
1 The New Wi-Fi Paradigm – Preparing your network for the Mobile Device and Application explosion. Troy Roberts, 2012
2 Agenda
- Addressing the new Wi-Fi paradigm: Wi-Fi as the primary access layer; the Wi-Fi client explosion; consumer-grade Wi-Fi devices are flooding the enterprise
- Architecting a robust and resilient WLAN: an architecture for 802.11n, 802.11ac and beyond; catering to consumer-grade devices; considerations for high-density and high-performing WLANs
- BYOD (Bring Your Own Device): access, control, resources; device fingerprinting and policy enforcement; device fingerprinting and contextual awareness
- The complete package: Bonjour challenges (AirPrint and AirPlay); security and threat assessment; the remote experience
4 Wi-Fi as the primary access layer
The new Wi-Fi paradigm:
- Wi-Fi as the primary access layer: the majority of network devices will not have an Ethernet port. Faster clients and more demanding applications require faster, more deterministic, reliable and affordable Wi-Fi infrastructure.
- Wi-Fi client explosion: a 3-4x increase in the number of devices. IT staff are typically not RF experts, and Wi-Fi can be more difficult and expensive to manage; IT headcount will not increase to compensate, so Wi-Fi needs to be easier to use, deploy and support.
- Consumer Wi-Fi devices are flooding the enterprise: IT has to manage the employee and executive desire to BYOD; Virtual Desktop Infrastructure (VDI) enables inexpensive consumer devices to run enterprise apps; consumer-device Wi-Fi performance characteristics differ from enterprise devices, and the Wi-Fi infrastructure must compensate for them and harness them.
Wi-Fi has evolved into a strategic infrastructure:
- For the last 10 years enterprise Wi-Fi has been deployed as a convenience network and regarded as a tactical endeavour by IT, with little thought given to how reliable, scalable or deterministic the solution was, since the business-critical network IT had to worry about was the wired LAN.
- The maturing of Wi-Fi solutions, the standardization of 802.11n, the economic crisis and the cost of pulling cable (~$400/drop) make Wi-Fi a viable alternative access layer.
- IT departments are now starting to look at Wi-Fi through the same strategic lens as the rest of the LAN and WAN: availability, scalability, reliability, performance, quality of service, cost and risk.
- Enterprise IT wants an access layer that is as ubiquitous and reliable as the Internet, with the performance and determinism of its switched networks, and the mobility, productivity and cost of Wi-Fi. Administrators want reliability, performance, ease of use and visibility.
5 The role of architecture in high-performance Wi-Fi
A new architecture:
- Architectural advantage to controller-less: reliability, redundancy and fault tolerance; "infinite" scalability; purpose-built for 802.11n, 802.11ac and beyond; catering to consumer-grade devices
Leveraging the cloud:
- Benefits of a cloud-enabled approach
- Addressing enterprise issues with cloud-enabled networks
6 Introduction to Aerohive
Networking pioneer with a history of innovation. Aerohive's award-winning solutions eliminate complexity, cost and single points of failure with:
- Controller-less, distributed-intelligence Wi-Fi
- Public or private cloud-enabled networking
- Branch office / teleworker routing and VPN (* 2H 2011)
Delivering mission-critical reliability, granular security, simple management and the ability to start small and expand without limitation.
Portfolio: Cloud Services Platform (public, partner, or private/on-premise); Enterprise Wi-Fi; Wireless Security; Branch & Teleworker Routers*.
Gartner Magic Quadrant 2011: Visionary.
7 Controller-less Wi-Fi architecture: delivering simplicity, reliability and affordability
Management (cloud-based or on-premise; not required for ongoing operation):
- Policy-based configuration
- Complete monitoring and debug
- Multi-admin, multi-entity
Control and data stay in the APs, across the LAN or WAN: no bottlenecks, no single point of failure.
- Autodiscovery and configuration
- Seamless secure roaming, dynamic RF, RRM, SLA
- Per-user QoS and security
(Diagram legend: tunnel, management, control, data.)
8 Infrastructure that compensates for consumer devices
Consumer devices: battery powered, low power, consumer radios of varying quality, high expectations.
New 802.11n APs (HiveAP 330, HiveAP 350, HiveAP 170): high performance; 3x3, 3-stream, 450 Mbps; custom-designed radios; high-power radios; high Rx sensitivity; better coverage, higher data rates, fewer errors.
The Wi-Fi infrastructure has to compensate for consumer devices.
9 Why use high-powered radios to aid mobility?
Given that FCC and CE requirements limit power output, why bother with a high-power radio? The limit is real, but high-powered radios give other benefits: a high-power radio operating at the same output power as a regular-power radio delivers a lower error rate (lower EVM, error vector magnitude).
Audio analogy: a 10 W amp outputting 10 W is turned up to 10 and distorts; a 100 W amp outputting 10 W is set to 1 and plays clean music.
10 Automatic optimization and remediation
Client Health Score: understanding a client's health at a glance.
Client health setting by environment:
- High density, performance oriented: conference centres and rooms, classrooms, stadiums
- Normal density: standard office space, hospitals
- Low density, coverage oriented: warehouse, outdoor, hospitality
Automatically remediate client and network issues:
- Move clients: band steer or load balance clients, triggered by a low client health score
- Airtime boost: boosts a client's airtime if it is unable to hit its performance target
Visibility and control detail.
11 A cloud services platform: redefining ease of management
HiveManager Online: topology, reporting, heat maps, SLA, compliance, RF survey and planner.
Scalable multi-tenant cloud services platform:
- Ease of bring-up (time to value); zero-touch device provisioning
- Flexible expansion; management from anywhere
- Improved supportability
- Reduced costs: backup, power, cooling, rack space
- On-demand upgrades
(Diagram: Aerohive Cloud Services reached over the WAN from Customer 1 Branch 1, Customer 1 Branch 2 and Customer 2 HQ / campus / hospital; configuration and reporting; partner admin.)
12 BYOD: Bring your own device
Managing different devices with different needs:
- Determining my BYOD strategy
- Device fingerprinting and contextual awareness
- Access control and applying the right policy
Really, I can use my own device?
13 Device ownership and management
What is the difference between these iPads? Almost everything.
Company-owned (consumerization of IT): consumer devices qualified, bought and deployed by IT; replace legacy devices; lower hardware costs; flexible, powerful; enable new working models.
BYOD: enable employees to bring their device of choice; not owned or controlled by IT; wide range of devices; driven by employee satisfaction and a shift of CapEx spend.
Two responses: embrace (MDM agents on devices, more app flexibility) or contain (network-based MDM, secure apps only, e.g. VDI, Citrix).
14 Limited Access Zone: the third "network" (alongside the corporate network and the guest network)
NAC's role is to provide flexible mechanisms for protecting the corporate network while allowing a wide variety of endpoints to be used. Network protection will come in the form of a "limited access network", which gives organizations the flexibility to support some employee-owned devices and restrict access from others. For example, an organization may choose to allow Android v.2 and v.3 on the limited access network but block Android v.1, simply because it does not have the resources to monitor vulnerabilities and maintain configuration guidelines for older operating systems. Some organizations may choose to explicitly block endpoints that have no place on corporate networks, such as gaming consoles. Most limited access networks will use WLANs as the primary access mechanism, as employee-owned smartphones and tablets generally connect via Wi-Fi. A limited access network functions as a third network zone for most organizations, distinct from the production network and the wireless guest network. Whereas the guest network only allows Internet access, the limited access network allows access to a subset of applications and data. NAC policies limit access to sensitive applications and data depending on the device and possibly the user's role.
(Diagram: a managed device with credentials shown for each of the three zones.)
15 Policy based on context: identity, device, location, time of day
Context inputs: identity (RADIUS, Private PSK, captive web portal), device (OS detection), location, time of day; enforced with an L2-4 firewall. Example users: corp user, corp user on a BYOD device, guest user.

Policy | Network and firewall            | Rate limit        | Access window
CORP   | Corp VLAN, LAN & Web FW         | 10 Mbps per user  | 24-hour access
BYOD   | Restricted VLAN & Web FW        | 5 Mbps per user   | Mon-Fri 8am-9pm
GUEST  | DMZ, Web-only FW                | 1 Mbps per user   | Mon-Fri 9am-5pm
16 Device fingerprinting and policy application
Secure guest access (SecureGuest SSID, captive web portal): guest self-registration via the CWP; each guest is assigned a unique Private PSK, so traffic is encrypted with a unique, revocable key.
Personal device access (Access SSID, Private PSK): the CWP can also authenticate users against Active Directory; the device can be determined by various means (e.g. the HTTP User-Agent: Safari, iOS 4, iPhone 4); a specific policy for personal MIDs (mobile Internet devices) can be applied; does not require certificates, leverages PPSK; can be set to work with only one device. Example: personal iPhone, "corporate access to only and internet" (as on the slide).
Corporate device access (Corp SSID, 802.1X or a unique Private PSK): self-registration with AD, or preconfigured; policy applied based on role or identity, limiting access and applying QoS; VDI protocols can be prioritized. Examples: corp iPad (business apps only), corp laptop (full access).
(Diagram: destinations SaaS, Corp, Internet, HR, VDI; Active Directory behind the SSIDs.)
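The three-zone design of the last three slides (limited access zone, policy by context, fingerprint-driven policy) can be expressed as a small policy engine. The following is an added example, not Aerohive code and not how HiveOS implements it: it fingerprints the OS and version from an HTTP User-Agent header, pushes platforms the organization will not maintain guidance for (the "block Android v.1" case) to the guest zone instead of the limited access zone, and enforces each zone's VLAN, firewall profile, per-user rate limit and access window. The function and policy names, the version floors, the VLAN numbers and the sample User-Agent strings are all assumptions constructed for the example.

```python
"""Added example (not Aerohive code): derive a network policy from context.

Zones follow the slides: corporate, restricted BYOD (limited access) and
Internet-only guest. A device is fingerprinted from its HTTP User-Agent;
OS versions below an assumed floor fall back to guest.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Policy:
    zone: str
    vlan: int               # assumed VLAN ids
    firewall: str
    rate_limit_mbps: int
    days: frozenset         # weekday numbers, 0 = Monday
    start: time
    end: time


CORP = Policy("corp", 10, "lan-and-web", 10, frozenset(range(7)), time(0, 0), time(23, 59, 59))
BYOD = Policy("byod", 20, "restricted-and-web", 5, frozenset(range(5)), time(8, 0), time(21, 0))
GUEST = Policy("guest", 30, "web-only", 1, frozenset(range(5)), time(9, 0), time(17, 0))

# Minimum OS versions allowed on the limited access zone (assumption mirroring
# the slide's "allow Android v.2 and v.3, block v.1").
MIN_SUPPORTED = {"android": (2, 0), "ios": (4, 0), "windows": (6, 1)}

_UA_RULES = [
    ("ios", re.compile(r"iPhone OS (\d+)_(\d+)")),
    ("ios", re.compile(r"CPU OS (\d+)_(\d+)")),          # iPad user agents
    ("android", re.compile(r"Android (\d+)\.(\d+)")),
    ("windows", re.compile(r"Windows NT (\d+)\.(\d+)")),
]


def fingerprint(user_agent):
    """Return (os_name, (major, minor)), or ('unknown', None) if no rule matches."""
    for name, rx in _UA_RULES:
        m = rx.search(user_agent)
        if m:
            return name, (int(m.group(1)), int(m.group(2)))
    return "unknown", None


def os_supported(os_name, version):
    """Unknown platforms and versions below the floor are not supported."""
    floor = MIN_SUPPORTED.get(os_name)
    if floor is None or version is None:
        return False
    return version >= floor


def choose_policy(role, managed, user_agent):
    """role: 'employee' or 'guest'; managed: device owned/enrolled by IT."""
    if role == "guest":
        return GUEST
    if managed:
        return CORP                       # 802.1X / corporate PPSK device
    os_name, version = fingerprint(user_agent)
    return BYOD if os_supported(os_name, version) else GUEST


def access_allowed(policy, now):
    """Enforce the policy's day-of-week and time-of-day window."""
    return now.weekday() in policy.days and policy.start <= now.time() <= policy.end


def allowed_at(policy, iso_timestamp):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return access_allowed(policy, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # Constructed sample requests: (role, managed, User-Agent)
    samples = [
        ("employee", True, "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1"),
        ("employee", False, "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X) Safari/6533.18.5"),
        ("employee", False, "Mozilla/5.0 (Linux; U; Android 1.6; en-us; T-Mobile G1) Mobile Safari/525.20.1"),
        ("guest", False, "Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X) Safari/6533.18.5"),
    ]
    for role, managed, ua in samples:
        p = choose_policy(role, managed, ua)
        print(role, managed, fingerprint(ua), "->", p.zone, "VLAN", p.vlan,
              "open now:", allowed_at(p, "2012-06-04T10:00"))
```

The version gate is deliberately deny-by-default: a User-Agent that matches no rule, or a platform with no entry in the floor table, gets guest treatment rather than the limited access zone, which is the safe direction when the fingerprint is uncertain.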
18 Extending the enterprise: the complete package
- Apple devices: managing Bonjour
- Extending the enterprise: mobile hotspots, teleworker, small branch office
- Security and threat assessment: rogue detection, mitigation
- Bringing it all together
19 Bonjour Gateway: Aerohive and non-Aerohive networks
(Diagram: a router / L3 switch with two subnets, each with its own SSID; an Apple TV (AirPlay) on Subnet #2; a server (file sharing etc.) and a printer (AirPrint) on Subnet #1. The Bonjour GW feature is on "with filters" and shares a service list across the subnets; for non-Aerohive networks the gateway can optionally attach to both subnets. Result: an iPad on either subnet can print and project via AirPrint and AirPlay.)
- Multi-vendor: works in both Aerohive and non-Aerohive networks
- Plug and play: no requirement for VLAN and multicast gymnastics
- Flexible: supports bi-directional service advertisements
- Efficient: no tunneling; only sends changes in services, with the option to filter
- Secure and scalable: preserves enterprise security and data-forwarding methodology
Available for beta Q2; shipping mid-year.
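Bonjour service discovery is mDNS: link-local multicast DNS responses carrying PTR records from a service type such as `_airplay._tcp.local` to a service instance. A gateway that crosses subnets therefore has to parse those responses and decide which services to re-advertise on the other side, which is where the "with filters" option above comes in. The following is an added example, not Aerohive's Bonjour Gateway implementation: a minimal parser for the DNS wire format mDNS uses (including name-compression pointers, which real responders emit), an allow-list filter on service type, and a builder for the constructed sample response it is run against. The function names and the sample services (an Apple TV, a printer and a file server) are assumptions made for the example.

```python
"""Added example (not Aerohive code): filter mDNS (Bonjour) advertisements
by service type, as a Bonjour gateway with filters would before
re-advertising services on another subnet.
"""
import struct

PTR = 12                                   # DNS record type for PTR


def encode_name(name):
    """Encode 'a.b.local' as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                   # bound guards against pointer loops
        length = pkt[off]
        if (length & 0xC0) == 0xC0:        # compression pointer to earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2              # the name ends after the first pointer
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("utf-8"))
        off += length
    else:
        raise ValueError("malformed name")
    return ".".join(labels), (end if jumped else off)


def parse_ptr_records(pkt):
    """Yield (owner, target) for every PTR record in answers/authority/additional."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):                    # skip the question section
        _, off = decode_name(pkt, off)
        off += 4                           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        owner, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == PTR:
            target, _ = decode_name(pkt, off)
            yield owner, target
        off += rdlen


def filter_services(pkt, allowed_types):
    """Keep PTR records whose owner (the service type) is on the allow-list."""
    kept = []
    for owner, target in parse_ptr_records(pkt):
        svc_type = owner.lower()
        if svc_type in allowed_types:
            kept.append((svc_type, target))
    return kept


def build_response(records):
    """Build an mDNS response with one PTR answer per (owner, target) pair."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, len(records), 0, 0)
    body = b""
    for owner, target in records:
        rdata = encode_name(target)
        body += encode_name(owner) + struct.pack("!HHIH", PTR, 0x8001, 4500, len(rdata)) + rdata
    return header + body


# Constructed sample: what an Apple TV, a printer and a file server advertise.
SAMPLE = build_response([
    ("_airplay._tcp.local", "Living Room._airplay._tcp.local"),
    ("_ipp._tcp.local", "Lobby Printer._ipp._tcp.local"),
    ("_afpovertcp._tcp.local", "Finance Share._afpovertcp._tcp.local"),
])
ALLOWED = {"_airplay._tcp.local", "_ipp._tcp.local"}   # AirPlay and AirPrint only

if __name__ == "__main__":
    for svc, instance in filter_services(SAMPLE, ALLOWED):
        print(svc, "->", instance)
```

Filtering on the PTR owner name is what lets AirPlay and AirPrint cross subnets while the file-sharing advertisement stays on its own segment; a gateway that relayed every record would also carry over the service names of whatever else is on the network.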
20 Work is something you do, not somewhere you go!
22 Aerohive Branch on Demand™: by supplementing the capabilities in the branch with cloud services, the entire set of branch requirements is met in a tiny, palm-sized device.
23 Deployment scenarios: teleworker and small branch
- Teleworker: the home network gets Internet access only; corporate access goes via VPN to the HQ cloud VPN gateway (VPN concentration), with Internet access via cloud security; guest access.
- Small branch: WAN/VPN gateway with 3G/4G as primary or backup; corporate access; the Cloud Services Platform (HiveManager Online) is reached over the Internet.
24 The complete mobility solution
- Stadiums / theatres / lecture halls: high-density solutions
- Guest access / BYOD / fingerprinting: access control and policy
- Branch office / teleworker: VPN
- Retail / point of sale: VPN, 3G/4G
- i-devices, Apple TV, projector, printer: Bonjour Gateway
- Indoor / outdoor / mesh
- Cloud Services Platform (management)
- Security / WIPS / location tracking
- Mobile applications
25 Reducing CapEx and OpEx costs
Less infrastructure cost: Wi-Fi access reduces cabling; integrated mesh, RADIUS, AD integration and QoS also reduce costs.
Controller-less architecture + cloud: reduced hardware, sparing and energy costs; cloud management moves CapEx to OpEx.
Start small and expand: cloud Wi-Fi management as a per-AP service; no over-provisioning; no feature licenses; linear cost growth curve (add APs).
Easy-to-use management: easy-to-use, cloud-enabled, policy-based management simplifies deployments; vertical-specific apps (StudentManager, TeacherView).
(Chart: cost comparison, Aerohive vs Cisco.)
27 Increase AP receive sensitivity using discrete components: better-quality signal, fewer APs, balanced links
- High-powered radios are discrete components, affording the opportunity to improve receive sensitivity by also using better receive components (e.g. a low-noise amplifier, LNA).
- Superior receive sensitivity can improve upstream performance, especially for low-power consumer devices, balancing the AP/client link.
(Diagram: AP Tx range vs AP Rx range. Increasing AP density and reducing power gives only marginal performance; increasing AP receive sensitivity balances the link.)
28 The value of sensitivity
(Chart: receive-sensitivity comparison, HiveAP 320 vs HiveAP 330, at 2.4 GHz and 5 GHz; values on the chart: 5 dB, 8-10 dB, 10-15 dB, 20 dB.)
The extra 5 dB of sensitivity beyond a standard AP can even out coverage for various client types. Better 5 GHz coverage enables 2.4 GHz to be preserved for single-band devices.
30 How Aerohive automates client self-healing
- Move clients: encourage clients to move to a different radio (band steer) or a different AP (load balance); triggered by a low client health score.
- Enhanced airtime boost: boosts a client's airtime if it is unable to hit its performance target; enhancement: only does this for healthy clients, based on the client health score.
31 Rogue mitigation and WIPS
HiveAPs periodically scan all channels (scans are coordinated between HiveAPs and do not impact VoIP or data applications).
Rogue detection:
- Supports 802.11a/b/g and 802.11n
- Detects both rogue APs and ad-hoc PCs
- Detects "on-network" rogues
- Confirms compliant BSSID, SSID and WMM
- Generates reports on rogue activity
Rogue mitigation:
- Mitigates rogue APs and clients connected to rogue APs
IP and MAC DoS detection:
- Detects RF management-layer attacks (e.g. probe and association floods)
- Detects wireless authentication attacks
- Detects IP DoS (e.g. port scans, floods, TCP SYN check, etc.)
- Mitigates attacks at the RF layer and bans the client for a determined period of time
(Diagram: a trusted client launching an IP DoS attack; an "on-network" rogue.)
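The management-layer detections on this slide (probe and association floods, and the resulting ban of the client for a set period) come down to counting frames per source in a sliding window. The following is an added example, not Aerohive's WIPS implementation: it reads constructed log lines of the form `<epoch_seconds> <frame_subtype> <source_mac>`, as one might produce from a monitor-mode capture, raises an alert when a source exceeds a per-subtype threshold within the window, and bans that source until the ban period expires. The thresholds, the window length, the ban period and the sample log are all assumptions made for the example.

```python
"""Added example (not Aerohive code): detect 802.11 management-frame floods
per source MAC in a sliding window and ban the offender for a fixed period.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
THRESHOLDS = {"probe_req": 50, "assoc_req": 20, "deauth": 10}   # frames per window (assumed)
BAN_SECONDS = 300                                                # assumed ban period


class FloodDetector:
    def __init__(self, window=WINDOW_SECONDS, thresholds=THRESHOLDS, ban_seconds=BAN_SECONDS):
        self.window = window
        self.thresholds = thresholds
        self.ban_seconds = ban_seconds
        self.recent = defaultdict(deque)   # (mac, subtype) -> timestamps inside the window
        self.banned_until = {}             # mac -> epoch seconds when the ban lifts
        self.alerts = []                   # (ts, mac, subtype, count) per ban raised

    def is_banned(self, mac, now):
        until = self.banned_until.get(mac)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[mac]     # ban expired; client may associate again
            return False
        return True

    def observe(self, ts, subtype, mac):
        """Feed one frame; return True if this frame triggered a ban."""
        if self.is_banned(mac, ts) or subtype not in self.thresholds:
            return False
        q = self.recent[(mac, subtype)]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop frames that left the window
            q.popleft()
        if len(q) > self.thresholds[subtype]:
            self.banned_until[mac] = ts + self.ban_seconds
            self.alerts.append((ts, mac, subtype, len(q)))
            q.clear()
            return True
        return False


def run(log_lines):
    """Replay a frame log through the detector and return it for inspection."""
    det = FloodDetector()
    for line in log_lines:
        ts, subtype, mac = line.split()
        det.observe(float(ts), subtype, mac.lower())
    return det


# Constructed sample log: a trusted client probing normally, then a deauth
# flood of 15 frames in under a second from another source.
SAMPLE_LOG = (
    [f"{1000.0 + i * 0.2:.3f} probe_req aa:bb:cc:00:00:01" for i in range(5)]
    + [f"{1001.0 + i * 0.05:.3f} deauth de:ad:be:ef:00:01" for i in range(15)]
)

if __name__ == "__main__":
    det = run(SAMPLE_LOG)
    for ts, mac, subtype, count in det.alerts:
        print(f"{ts:.3f} banned {mac}: {count} {subtype} frames within {det.window}s")
```

Source MAC addresses in management frames are trivially spoofable, so a ban keyed on MAC is a rate limiter for the noisy case rather than a fix for a determined attacker; that is why the slide pairs detection with RF-layer mitigation rather than relying on the ban alone.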
32 Principles of dynamic airtime scheduling
Without it: with contention, fast clients wait for airtime and perform like the slowest client; the speed of the network is subject to the slowest client. (Chart: throughput over time for two fast clients, and for one slow client plus one fast client.)
With dynamic airtime scheduling: fast clients transmit more packets, finish quickly and free up the air for the slow clients. Faster clients dramatically improve their performance (10x faster on the chart) without impacting slower clients.
33 Dynamic airtime scheduling: how it works
Microsecond air interface:
- The distributed control plane puts control and data intelligence in the same place as the radio, enabling near-instantaneous reaction to client behaviour; this requires intelligence in the AP, not milliseconds away.
- HiveOS measures the actual airtime for each packet, so faster clients consume less airtime; it measures retries as well.
- If clients have equal weight they get equal access to airtime, so faster clients get to send more often; additional weight can be applied by user policy.
(Diagram: per-frame airtime on the RF medium, fed back to HiveOS: fast 802.11n client at 135 Mbps, 90 µs; 802.11g client at 48 Mbps, 253 µs; distant or legacy client at 5.5 Mbps, 2208 µs; 650 also appears on the slide.)
34 Dynamic airtime scheduling: how it works (equal airtime allocation)
The Aerohive QoS engine scheduler schedules traffic into the Wireless Multimedia (WMM) hardware queues based on airtime allocation and airtime consumed. With Client A (135 Mbps), Client B (48 Mbps) and Client C (5.5 Mbps) each allocated equal airtime for traffic from a web server:
- Client A: 6 frames; faster clients are able to send more often, achieving higher throughput
- Client B: 3 frames, then Client B has used up its share of airtime
- Client C: 2 frames, then Client C has used up its share of airtime
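The scheduling principle on the last three slides, charging each client for the microseconds its frames occupy the medium and giving each client an equal (or weighted) airtime budget, can be shown in a few dozen lines. The following is an added example, not Aerohive's HiveOS scheduler: a deficit-style airtime scheduler that credits each client a quantum of airtime per round and lets it transmit while it has credit, run against the slide's 135, 48 and 5.5 Mbps clients, next to a plain packet round-robin baseline in which the slowest client dictates the total time. The 1500-byte frame size, the per-frame overhead and the quantum are assumptions chosen for the example; the per-frame airtimes it computes (roughly 89, 250 and 2182 µs before overhead) are the same figures the slide shows.

```python
"""Added example (not Aerohive code): airtime-fair scheduling across
clients of different PHY rates, versus packet round-robin.
"""
from dataclasses import dataclass

FRAME_BYTES = 1500
OVERHEAD_US = 50.0      # assumed fixed per-frame overhead (preamble, SIFS, ACK)


@dataclass
class Client:
    name: str
    rate_mbps: float
    weight: float = 1.0     # extra weight can come from user policy
    credit_us: float = 0.0  # airtime credit not yet spent
    frames_sent: int = 0
    airtime_us: float = 0.0

    def frame_airtime_us(self, frame_bytes=FRAME_BYTES):
        """Microseconds one frame occupies the medium at this client's rate."""
        return frame_bytes * 8 / self.rate_mbps + OVERHEAD_US


def schedule_round(clients, quantum_us):
    """One scheduler round: credit each client, then let it spend the credit.

    Returns the number of frames each client sent this round.
    """
    sent = {}
    for c in clients:
        c.credit_us += quantum_us * c.weight        # equal airtime when weights are equal
        per_frame = c.frame_airtime_us()
        n = 0
        while c.credit_us >= per_frame:             # stop once the share is used up
            c.credit_us -= per_frame
            c.frames_sent += 1
            c.airtime_us += per_frame
            n += 1
        sent[c.name] = n
    return sent


def simulate(clients, rounds, quantum_us):
    """Run several rounds; return {name: (frames sent, total airtime in µs)}."""
    for _ in range(rounds):
        schedule_round(clients, quantum_us)
    return {c.name: (c.frames_sent, round(c.airtime_us)) for c in clients}


def packet_round_robin(clients, frames_each):
    """Baseline: equal frame counts, so total time is set by the slowest client."""
    return {c.name: (frames_each, round(frames_each * c.frame_airtime_us()))
            for c in clients}


def slide_clients():
    return [Client("A", 135.0), Client("B", 48.0), Client("C", 5.5)]


if __name__ == "__main__":
    airtime_fair = simulate(slide_clients(), rounds=3, quantum_us=3000.0)
    baseline = packet_round_robin(slide_clients(), frames_each=30)
    for name in ("A", "B", "C"):
        print(name, "airtime-fair:", airtime_fair[name], " packet-RR:", baseline[name])
```

With equal weights each client ends up with roughly the same airtime (about 8.9 ms each after three rounds), which the fast client turns into 64 frames and the 5.5 Mbps client into 4; under packet round-robin the same 30 frames cost the fast client about 4 ms and the slow client about 67 ms of medium time, which is the "everyone performs like the slowest client" effect of the earlier slide.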
36 Scalable wireless mesh
- Inherent wireless mesh eases the deployment of wireless APs in hard-to-wire locations
- Automatic dynamic routing makes mesh easy to deploy and resilient
- Automatic loop prevention allows more than one portal to be active at once
- Voice ready: low-latency, QoS-enabled mesh
(Diagram: wired network with distribution and access switches; HiveAPs with wired uplinks, HiveAPs with wireless uplinks, and a wireless client.)