
The New Wi-Fi Paradigm – Preparing your network for the Mobile Device and Application explosion. Troy Roberts, 2012.


1 The New Wi-Fi Paradigm – Preparing your network for the Mobile Device and Application explosion
Troy Roberts 2012

2 Agenda
Addressing the new Wi-Fi paradigm
  Wi-Fi as the primary access layer
  Wi-Fi client explosion
  Consumer grade Wi-Fi devices are flooding the enterprise
Architecting a Robust and Resilient WLAN
  An architecture for 802.11n, 802.11ac, and beyond
  Catering to consumer grade devices
  Considerations for high density and high performing WLANs
BYOD – Bring your own device
  Access, Control, Resources
  Device Fingerprinting and Policy Enforcement
  Device Fingerprinting and contextual awareness
The Complete Package
  Bonjour Challenges – AirPrint and AirPlay
  Security and Threat Assessment
  The remote experience

3 Wi-Fi Client Explosion
Wi-Fi as the primary access layer: requirements
3x device explosion: management burden
BYOD and corporate iPad deployments
Issues with low powered Wi-Fi devices

4 Wi-Fi as the primary access layer
The new Wi-Fi paradigm
Wi-Fi as the primary access layer
  The majority of network devices will not have an Ethernet port
  Faster clients and more demanding applications require faster, more deterministic, reliable, and affordable Wi-Fi infrastructure
Wi-Fi client explosion
  3-4x increase in number of devices
  IT staff are typically not RF experts, and Wi-Fi can be more difficult and expensive to manage; IT headcount will not increase to compensate, so Wi-Fi needs to be easier to use, deploy, and support
Consumer Wi-Fi devices are flooding the enterprise
  IT has to manage the employee/exec desire to BYOD
  Virtual Desktop Infrastructure (VDI) enables inexpensive consumer devices to run enterprise apps
  Consumer device Wi-Fi performance characteristics differ from enterprise devices; the Wi-Fi infrastructure must compensate for and harness them
Wi-Fi has evolved into a strategic infrastructure
  For the last 10 years enterprise Wi-Fi has been deployed as a convenience network and regarded as a tactical endeavor by IT, with little thought given to how reliable, scalable or deterministic the solution was, since IT had the business critical network to worry about – the wired LAN
  The maturing of Wi-Fi solutions, the standardization of 802.11n, the economic crisis and the cost of pulling cable (~$400/drop) make Wi-Fi a viable alternative access layer
  IT departments are now starting to look at Wi-Fi through the same strategic lens they use for the rest of the LAN and WAN: availability, scalability, reliability, performance, quality of service, cost, risk
  Enterprise IT wants an access layer that is as ubiquitous and reliable as the Internet, with the performance and determinism of their switched networks, and the mobility, productivity and cost of Wi-Fi
  Administrators want reliability, performance, ease of use and visibility

5 The role of architecture in High Performance WI-FI
A new architecture
  Architectural advantage of a controller-less design
  Reliability, redundancy and fault tolerance
  Infinite scalability
  Purpose built for 802.11n, 802.11ac, and beyond
  Catering to consumer grade devices
Leveraging the cloud
  Benefits of a cloud-enabled approach
  Addressing enterprise issues with cloud-enabled networks

6 Introduction to Aerohive
Networking pioneer with a history of innovation
Aerohive’s award-winning solutions eliminate complexity, cost, and single points of failure with:
  Controller-less, distributed intelligence Wi-Fi
  Public or private cloud-enabled networking
  Branch office / Teleworker routing and VPN*
Delivering mission critical reliability, granular security, simple management and the ability to start small and expand without limitations
Cloud Services Platform: Public, Partner, Private (on-premise)
Product lines: Enterprise Wi-Fi, Wireless Security, Branch & Teleworker Routers*
* 2H 2011
Gartner Magic Quadrant 2011: Visionary

7 Controller-less Wi-Fi Architecture – Delivering simplicity, reliability and affordability
Management plane (cloud-based or on premise): policy-based configuration; complete monitoring and debug; multi-admin, multi-entity; not required for ongoing operation (nor is the WAN)
Control and data planes (no tunnel): no bottlenecks, no single point of failure; autodiscovery and configuration; seamless secure roaming; dynamic RF, RRM, SLA; per user QoS and security

8 Infrastructure that compensates for Consumer Devices
Consumer devices: battery powered; low power consumer radios; varying quality; high expectations
New 802.11n APs (HiveAP 330, HiveAP 350, HiveAP 170): high performance 3x3, 3 stream – 450 Mbps; custom-designed radios; high-power radios; high Rx sensitivity; better coverage, higher data rates, fewer errors
Wi-Fi infrastructure has to compensate for consumer devices

9 Why use High Powered Radios to aid Mobility?
Given that FCC and CE requirements limit power output, why bother with a high-power radio? While this is mostly true, high-powered radios give other benefits: a high-power radio operating at the same power as a regular-power radio will deliver a lower error rate (lower EVM).
Diagram: regular power radio vs high power radio – lower error rates.
Audio analogy: a 10W amp outputting 10W (amplifier set to 10) = DISTORTION; a 100W amp outputting 10W (amplifier set to 1) = MUSIC.

10 Automatic Optimization and Remediation
Client Health Score: at a glance, understanding a client’s health
Client Health setting -> environment:
  High density, performance oriented network -> conference centers/rooms, classrooms, stadiums
  Normal density network -> standard office space, hospitals
  Low density, coverage oriented network -> warehouse, outdoor, hospitality
Automatically remediate client and network issues:
  Move clients: band steer or load balance clients, triggered by a low client health score
  Airtime Boost: boosts clients’ airtime if unable to hit the performance target
Visibility and control detail

11 A Cloud Services Platform – Redefining Ease of Management
HiveManager Online: scalable multi-tenant cloud services platform
  Topology, reporting, heat maps, SLA compliance, RF survey and planner
  Ease of bring up – time to value
  Zero touch device provisioning
  Flexible expansion
  Management from anywhere
  Improved supportability
  Reduced costs: backup, power, cooling, rack space
  On demand upgrades
Diagram: Aerohive Cloud Services (configuration and reporting, partner admin) reached over the WAN by Customer 1 Branch 1, Customer 1 Branch 2 and Customer 2 HQ / Campus / Hospital

12 BYOD – Bring your own device
Really, I can use my own device?
Managing different devices with different needs
Determining my BYOD strategy
Device fingerprinting and contextual awareness
Access control and applying the right policy

13 Device Ownership and Management
What is the difference between these iPads? Almost everything.
Company-owned: consumer devices qualified, bought and deployed by IT (consumerization of IT)
  Replace legacy devices
  Lower HW costs
  Flexible, powerful
  Enable new working models
BYOD: enable employees to bring their device of choice
  Not owned or controlled by IT
  Wide range of devices
  Driven by employee satisfaction and shifting of CapEx spend
Management approaches: Embrace – MDM agents on devices, more app flexibility; Contain – network-based MDM, secure apps only (e.g. VDI, Citrix)

14 Limited Access Zone: The Third “Network”
NAC's role is to provide flexible mechanisms for protecting the corporate network while allowing a wide variety of endpoints to be used. Network protection will come in the form of a "limited access network," which will give them the flexibility to support some employee-owned devices and restrict access from others. For example, an organization may choose to allow Android v.2 and v.3 on the limited access network, but block access to Android v.1, simply because it does not have the resources to monitor vulnerabilities and maintain configuration guidelines on older operating systems. Some organizations may choose to explicitly block endpoints that have no place on corporate networks, such as gaming consoles.
Most limited access networks will include WLANs as the primary access mechanism, as employee-owned smartphones and tablets will generally connect via Wi-Fi. A limited access network will function as a third network zone for most organizations, as it will be distinct from the production network and the wireless guest network. Whereas the guest network only allows Internet access, the limited access network will allow access to a subset of applications and data. NAC policies will limit access to sensitive applications and data, depending upon the device and possibly the user's role.
Diagram: Corporate Network, Guest Network and the limited access zone, each with its own managed device credentials

15 Policy based on Context: Identity, Device, Location, Time of Day
CORP policy (corp user): Corp VLAN; LAN & Web firewall; 10 Mbps per user; 24-hour access
BYOD policy (corp user, BYOD): Restricted VLAN; Web firewall; 5 Mbps per user; Mon-Fri 8am-9pm
GUEST policy (guest user): DMZ; Web-only firewall; 1 Mbps per user; Mon-Fri 9am-5pm
Enforcement and context inputs: L2-4 firewall, OS detection, RADIUS, PPSK, CWP

16 Device Fingerprinting and Policy Application
Secure guest access: guest self-registration via CWP (captive web portal); assigned a unique Private PSK
Personal device access: CWP can also authenticate users to AD; the device can be determined by various means (e.g. user agent: Safari, iOS 4, iPhone 4); a specific personal MIDs policy can be applied; does not require certificates, leverages PPSK; can be set to work with only one device
Corp device access: self-registration with AD, or preconfigured 802.1X, or an assigned unique Private PSK; policy applied based on role or identity, limiting access and applying QoS; VDI protocols can be prioritized
Diagram: three SSIDs, each encrypted with a unique revocable key – Secure Guest (captive web portal), Access (Private PSK) and Corp (Private PSK or 802.1X). Personal iPhone: "Corporate access to only and internet"; Corp iPad: corporate access to business apps only; Corp laptop: full access. Resources: SaaS, Corp Internet, HR, VDI, Active Directory.
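To make the context-to-policy mapping of slides 14 to 16 concrete, here is an added example (not the deck's or Aerohive's code) of a small policy engine: the device class is fingerprinted from a browser User-Agent, then combined with role, authentication method and time of day to select CORP, BYOD or GUEST, with the limited-access rules (no game consoles, no Android v1) applied first. The policy values, the User-Agent heuristics and the helper names are all constructed assumptions.

```python
# Added example, not Aerohive code: a context-based access policy engine in the spirit of
# slides 14-16. Device class comes from a browser User-Agent fingerprint; it is combined
# with identity, authentication method and time of day to pick a policy. All policy
# values, user-agent heuristics and OS rules here are constructed assumptions.
import re

# Policy set from the "Policy based on Context" slide; windows are (start_hour, end_hour, weekdays).
POLICIES = {
    "CORP":  {"vlan": "corp", "fw": "LAN & Web", "rate_mbps": 10, "window": None},
    "BYOD":  {"vlan": "restricted", "fw": "Web", "rate_mbps": 5, "window": (8, 21, range(0, 5))},
    "GUEST": {"vlan": "dmz", "fw": "Web only", "rate_mbps": 1, "window": (9, 17, range(0, 5))},
}

def fingerprint(user_agent: str) -> dict:
    """Classify a device from its HTTP User-Agent (constructed heuristics, not exhaustive)."""
    ua = user_agent.lower()
    m = re.search(r"(iphone|ipad).*? os (\d+)", ua)          # "iPhone OS 4_3_3", "iPad; CPU OS 5_1"
    if m:
        return {"os": "iOS", "major": int(m.group(2)), "console": False}
    m = re.search(r"android (\d+)", ua)                       # "Android 2.3.4"
    if m:
        return {"os": "Android", "major": int(m.group(1)), "console": False}
    if "playstation" in ua or "xbox" in ua:
        return {"os": "console", "major": 0, "console": True}
    if "windows" in ua or "macintosh" in ua:
        return {"os": "desktop", "major": 0, "console": False}
    return {"os": "unknown", "major": 0, "console": False}

def choose_policy(role: str, auth: str, device: dict, weekday: int, hour: int) -> str:
    """role: 'corp' or 'guest'; auth: '802.1X', 'PPSK' or 'CWP'; weekday: Monday=0.
    Returns the policy name, or 'BLOCK' when the device gets no access at all."""
    # Limited-access-zone rules from slide 14: no game consoles, no Android v1.
    if device["console"] or (device["os"] == "Android" and device["major"] < 2):
        return "BLOCK"
    if role == "corp" and auth == "802.1X" and device["os"] == "desktop":
        name = "CORP"          # managed corporate device with certificate/AD credentials
    elif role == "corp":
        name = "BYOD"          # corp user on a personal device via Private PSK or captive portal
    else:
        name = "GUEST"
    window = POLICIES[name]["window"]
    if window is not None and not (weekday in window[2] and window[0] <= hour < window[1]):
        return "BLOCK"         # outside the policy's time-of-day window
    return name

def settings_for(policy_name: str) -> dict:
    """VLAN, firewall profile and rate limit to push to the AP for a chosen policy."""
    return POLICIES.get(policy_name, {"vlan": None, "fw": "deny all", "rate_mbps": 0})
```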

17 Solution Scenarios: Network & Profile-Based MDM Solutions
Device management: app/SW installs and updates; policy enforcement and compliance; eBook distribution
Embrace (corporate-deployed) MDM: quarantine -> enroll -> force MDM profile install -> corp and www access
Contain (BYOD), network-based MDM: access and isolate
  Enrollment - CWP, PPSK; AD integration
  Access control - device/OS type; domain membership
  Policy enforcement - QoS, security; apps (e.g., VDI only)

18 Extending The Enterprise
THE COMPLETE PACKAGE
Apple devices: managing Bonjour
Extending the enterprise: mobile hotspots, teleworker, small branch office
Security and threat assessment: rogue detection and mitigation
Bringing it all together

19 Bonjour Gateway – Aerohive & Non Aerohive Networks
Diagram: router / L3 switch with SSID "Subnet #1" and SSID "Subnet #2"; the Bonjour gateway feature is on "with filters" and can optionally attach to both subnets for non-Aerohive networks; shared services list: AppleTV (AirPlay), server (file sharing etc.), printer (AirPrint). The iPad can print and project via AirPrint and AirPlay across subnets.
Multi-vendor – works in both Aerohive and non-Aerohive networks
Plug and play – no requirement for VLAN and multicast gymnastics
Flexible – supports bi-directional service advertisements
Efficient – no tunneling, only sends changes in service, with option to filter
Secure and scalable – preserves enterprise security and data forwarding methodology
Available for beta Q2; shipping mid year

20 Work is something you do, not somewhere you go!

21 Consistent Policy, Security, and Permissions
Diagram: the same policy follows the user at each location. @ Corporate: personal iPhone, work laptop, guest laptop. @ Branch: corp VoIP phone, work laptop, personal iPhone, guest laptop. @ Home: home printer, work laptop, personal iPhone. Each location reaches the Internet and Corp resources.

22 Aerohive Branch on Demand™
Speaker note: By supplementing the capabilities in the branch with cloud services we’re able to meet the entire set of branch requirements in an amazingly tiny, palm-sized device.

23 Deployment Scenarios – Teleworker and Small Branch
Diagram: HQ with a cloud VPN gateway (VPN concentration) and a WAN/VPN gateway; 3G/4G as primary/backup WAN; the Cloud Service Platform (HiveManager Online) reached over the Internet. The home network gets guest access (Internet access only); corporate access goes via VPN, with Internet access via cloud security.

24 The Complete Mobility Solution
Stadiums / theatres / lecture halls – high density solutions
Guest access / BYOD / fingerprinting – access control and policy
Branch office / teleworker solution – VPN
Retail / point of sale – VPN
i-device, AppleTV, projector, printer – Bonjour Gateway
Indoor / outdoor / mesh
Cloud Services Platform (management)
Security / WIPS / location tracking
Mobile applications; VPN; 3G / 4G

25 Reducing Capex and Opex costs
Less infrastructure cost: Wi-Fi access reduces cabling; integrated mesh, RADIUS, AD integration and QoS also reduce costs
Controller-less architecture + cloud: reduced H/W, sparing and energy costs; cloud management moves CapEx to OpEx
Start small and expand: cloud Wi-Fi management as a per-AP service; no over provisioning; no feature licenses; linear cost growth curve – add APs
Easy to use management: easy to use, cloud-enabled, policy-based management simplifies deployments; vertical specific apps (StudentManager/TeacherView)
Cost comparisons: Aerohive vs Cisco

26 Thank you!

27 Increase AP Density/Reduce Power vs Increase AP Receive Sensitivity
Use of discrete components: better quality signal, fewer APs, balanced links
High-powered radios are discrete components, affording the opportunity to improve receive sensitivity by also using better receive components (e.g. a low-noise amplifier, LNA)
Superior receive sensitivity can improve upstream performance, especially of low-power consumer devices, balancing the AP/client link
Diagram: AP Tx and AP Rx reach under both approaches; increasing AP density and reducing power leaves marginal performance, while increasing AP receive sensitivity balances the links

28 The Value of Sensitivity
Diagram: receive sensitivity comparison of the HiveAP 320 and HiveAP 330 at 2.4 GHz and 5 GHz (values shown: 5 dB, 8-10 dB, 10-15 dB and 20 dB)
The extra 5 dB sensitivity beyond a standard AP can even out coverage for various client types
Better 5 GHz coverage enables 2.4 GHz to be preserved for single band devices
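The link-balance argument of slides 27 and 28 can be checked with a log-distance link budget. The following is an added example, not code from the deck or from Aerohive; the transmit powers, sensitivities, antenna gains, frequency and path-loss exponent are constructed assumptions, and the function names are mine.

```python
# Added example, not Aerohive code: a log-distance link budget illustrating the slide's point
# that extra AP receive sensitivity balances the uplink from low-power clients. Transmit powers,
# sensitivities, antenna gains and the path-loss exponent are constructed assumptions.
import math

def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB for a distance in metres and a frequency in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55

def max_range_m(tx_dbm, rx_sens_dbm, gains_db=0.0, pl_exp=3.0, freq_mhz=2437.0, d0_m=1.0):
    """Largest distance at which the received power still meets the sensitivity threshold:
    free-space loss to a 1 m reference, then loss growing by 10*pl_exp*log10(d/d0) beyond it."""
    budget_db = tx_dbm + gains_db - rx_sens_dbm - fspl_db(d0_m, freq_mhz)
    return d0_m * 10 ** (budget_db / (10 * pl_exp))

def link_balance(ap_tx_dbm, ap_sens_dbm, client_tx_dbm, client_sens_dbm, **kw):
    """Downlink and uplink reach in metres; the usable cell is the shorter of the two."""
    down = max_range_m(ap_tx_dbm, client_sens_dbm, **kw)
    up = max_range_m(client_tx_dbm, ap_sens_dbm, **kw)
    return {"downlink_m": down, "uplink_m": up, "usable_m": min(down, up)}

def sensitivity_range_factor(extra_db, pl_exp=3.0):
    """Range multiplier gained from extra_db of receive sensitivity at a given path-loss exponent."""
    return 10 ** (extra_db / (10 * pl_exp))

# Constructed scenario: regulatory-limited AP at 20 dBm, low-power tablet at 10 dBm; the AP's
# receive sensitivity is the only variable, and the two APs differ by the slide's 5 dB.
STANDARD_AP = link_balance(20, -85, 10, -80)     # uplink falls short of the downlink
SENSITIVE_AP = link_balance(20, -90, 10, -80)    # uplink and downlink reach the same distance
```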

29 Enhanced Visibility and Control

30 How Aerohive automates client self healing
Move clients: encourage clients to move to a different radio (band steer) or a different AP (load balance); triggered by a low client health score
Enhanced Airtime Boost: boosts clients’ airtime if unable to hit the performance target; enhancement – only does this for healthy clients, based on Client Health Score

31 Rogue Mitigation and WIPS
HiveAPs periodically scan all channels (HiveAPs coordinate scans and do not impact VoIP or data apps)
Rogue detection
  Supports 802.11a/b/g and 802.11n
  Detects both rogue APs and ad hoc PCs
  Detects "on-network" rogues
  Confirms compliant BSSID, SSID, WMM
  Generates reports on rogue activity
Rogue mitigation
  Mitigates rogue APs and clients connected to rogue APs
IP and MAC DoS detection
  Detects RF management layer attacks (e.g. probe and association floods)
  Detects wireless authentication attacks
  Detects IP DoS (e.g. port scan, flood and TCP SYN check)
  Mitigates attacks at the RF layer and "bans" the client for a determined period of time
Diagram: a trusted client launching an IP DoS attack, and an "on-network" rogue
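To show what the detection side of this slide looks like in practice, here is an added example (not the deck's or Aerohive's code): a scanning AP's frame log is checked for unknown BSSIDs (flagged as on-network when a wired-side MAC sits next to the BSSID) and for association or probe floods from one station, which would trigger the RF-layer ban. The managed-BSSID list, wired MAC list, SSIDs, thresholds, the on-network heuristic and the sample log are all constructed assumptions.

```python
# Added example, not Aerohive code: rogue-AP and management-frame-flood detection of the kind
# slide 31 describes, run over a constructed log of frames seen by a scanning AP. The managed
# BSSID list, wired MAC list, SSIDs, thresholds and the on-network heuristic are all assumptions.
from collections import defaultdict

MANAGED_BSSIDS = {"00:19:77:aa:bb:01", "00:19:77:aa:bb:02"}   # our own APs (constructed)
CORP_SSIDS = {"Corp", "Access"}                                 # SSIDs a rogue might impersonate
WIRED_MACS = {"00:11:22:33:44:55", "0c:0c:0c:00:00:10"}        # MACs seen on the LAN side (constructed)
FLOOD_THRESHOLD = 20      # association/probe requests from one station within FLOOD_WINDOW
FLOOD_WINDOW = 1.0        # seconds
BAN_SECONDS = 300         # how long an offending client is banned at the RF layer (assumed)

def parse(line):
    """'t=0.10 type=beacon bssid=... ssid=...' -> dict with a float timestamp."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["t"] = float(rec["t"])
    return rec

def mac_int(mac):
    return int(mac.replace(":", ""), 16)

def on_network(bssid):
    # Heuristic (assumption, not the vendor's method): an AP's radio BSSIDs are usually numbered
    # next to its wired MAC, so a wired-side MAC within +/-2 of the BSSID suggests the rogue is
    # plugged into our LAN rather than a neighbour's.
    return any(abs(mac_int(bssid) - mac_int(w)) <= 2 for w in WIRED_MACS)

def analyse(lines):
    """Return (alert, mac) tuples in the order the conditions were detected."""
    alerts, reported_rogues, recent = [], set(), defaultdict(list)
    for rec in map(parse, lines):
        if rec["type"] == "beacon" and rec["bssid"] not in MANAGED_BSSIDS:
            if rec["bssid"] in reported_rogues:
                continue
            reported_rogues.add(rec["bssid"])
            kind = "on-network rogue" if on_network(rec["bssid"]) else "rogue"
            if rec.get("ssid") in CORP_SSIDS:
                kind += " (spoofing corporate SSID)"
            alerts.append((kind, rec["bssid"]))
        elif rec["type"] in ("assoc_req", "probe_req"):
            times = recent[rec["src"]]
            times.append(rec["t"])
            while rec["t"] - times[0] > FLOOD_WINDOW:        # slide the one-second window
                times.pop(0)
            if len(times) == FLOOD_THRESHOLD:                 # alert once per flood
                alerts.append(("%s flood; ban %ds" % (rec["type"], BAN_SECONDS), rec["src"]))
    return alerts

# Constructed sample: a managed beacon, a rogue on our LAN spoofing "Corp", a neighbour's AP,
# then 25 association requests from one station inside 0.25 s.
SAMPLE = [
    "t=0.00 type=beacon bssid=00:19:77:aa:bb:01 ssid=Corp",
    "t=0.10 type=beacon bssid=0c:0c:0c:00:00:11 ssid=Corp",
    "t=0.20 type=beacon bssid=d8:5d:4c:12:34:56 ssid=linksys",
] + ["t=%.2f type=assoc_req src=aa:bb:cc:dd:ee:ff" % (0.30 + i * 0.01) for i in range(25)]
```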

32 Principles of Dynamic Airtime Scheduling
Without airtime scheduling (2 fast clients vs 1 slow client + 1 fast client): with contention, fast clients wait for airtime and perform like the slowest client; the speed of the network is subject to the slowest client (throughput over time for the fast and slow client).
With Dynamic Airtime Scheduling: fast clients transmit more packets, finish quickly and free up the air for the slow clients. Faster clients dramatically improve their performance (10x faster) without impacting slower clients.

33 Dynamic Airtime Scheduling How it works
Microsecond air interface
  Distributed control plane puts control and data intelligence in the same place as the radio
  Enables near instantaneous reaction to client behavior
  Requires intelligence in the AP, not milliseconds away
  Measures actual airtime for each packet – faster clients consume less airtime
  Measures retries as well
  If the clients have equal weight, they get equal access to airtime – faster clients get to send more often
  Additional weight can be applied by user policy
Diagram: HiveOS with feedback from the RF medium; per-frame airtime shown for a fast 802.11n client (135 Mbps) 90 ms, an 802.11g client (48 Mbps) 253 ms, and a distant or legacy client (5.5 Mbps) 2208 ms, with 650 ms also marked

34 Dynamic Airtime Scheduling How it works
Equal airtime allocation: Client A (135 Mbps), Client B (48 Mbps), Client C (5.5 Mbps)
Aerohive QoS engine scheduler: schedules traffic (based on airtime allocation and airtime consumed) into the Wireless Multi-Media hardware queues
Diagram (traffic from a web server over one scheduling interval): Client A sends 6 frames – faster clients are able to send more often, achieving higher throughput; Client B sends 3 frames and has used up its share of airtime; Client C sends 2 frames and has used up its share of airtime
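The scheduling principle on slides 33 and 34 can be modelled directly. The following is an added example, not code from the deck or from Aerohive: an idealized weighted airtime scheduler for the three clients (135, 48 and 5.5 Mbps) compared with frame-by-frame round robin, including the retry accounting and per-policy weight the slides mention. Frame size, retry figures, the one-second budget and all function names are constructed assumptions, and 802.11 overheads are ignored.

```python
# Added example, not Aerohive code: an idealized model of airtime-fair scheduling versus
# frame-by-frame fairness for the three clients on slides 33-34. Frame size, retry figures
# and the time budget are constructed; real 802.11 overheads (preamble, ACKs, backoff) are ignored.
FRAME_BITS = 1500 * 8

# (name, PHY rate in Mbps, average transmissions per delivered frame (1.0 = no retries), weight)
CLIENTS = [("A 802.11n", 135.0, 1.0, 1), ("B 802.11g", 48.0, 1.0, 1), ("C distant/legacy", 5.5, 1.2, 1)]

def airtime_us(rate_mbps, tx_per_frame=1.0):
    """Airtime (microseconds) a client consumes to deliver one frame, retries included."""
    return FRAME_BITS / rate_mbps * tx_per_frame          # bits / (bits per microsecond)

def frame_fair(clients, budget_us):
    """Round robin by frame (what plain contention gives): each client gets one frame per round,
    so everyone's throughput collapses toward the slowest client's."""
    round_us = sum(airtime_us(rate, tx) for _, rate, tx, _ in clients)
    frames = int(budget_us // round_us)
    return {name: frames * FRAME_BITS / budget_us for name, _, _, _ in clients}   # bits/us = Mbps

def airtime_fair(clients, budget_us):
    """Weighted airtime scheduler: always serve the client that has consumed the least airtime
    per unit of weight. Fast clients finish quickly and get many more transmit opportunities."""
    used = {name: 0.0 for name, _, _, _ in clients}
    frames = {name: 0 for name, _, _, _ in clients}
    clock = 0.0
    while True:
        name, rate, tx, weight = min(clients, key=lambda c: used[c[0]] / c[3])
        cost = airtime_us(rate, tx)
        if clock + cost > budget_us:
            break
        clock += cost
        used[name] += cost
        frames[name] += 1
    return {name: frames[name] * FRAME_BITS / budget_us for name in frames}

def compare(budget_us=1_000_000):
    """Per-client throughput (Mbps) under both schedulers over one second of airtime."""
    return {"frame_fair": frame_fair(CLIENTS, budget_us),
            "airtime_fair": airtime_fair(CLIENTS, budget_us)}
```

With equal weights the fast client's throughput rises from about 4 Mbps to about 45 Mbps, roughly the 10x of slide 32; raising client C's weight to 2 gives it half the airtime, which is the "additional weight by user policy" knob.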

35 Veriwave WiMix TCP Downlink Test – Mixed 802.11a & 802.11n
Mixed 802.11a and 802.11n – 20,000 frames, 6 x 802.11a/n clients, ~100 seconds (goodput in Kbps over time in seconds; upstream measured with IxChariot)
Without vs with Dynamic Airtime Scheduling:
  10 sec: ~10x performance improvement
  15 sec: ~6x performance improvement
  30 sec: ~3x performance improvement
  35 sec: ~2.5x improvement
  65 sec: ~1.5x improvement

36 Scalable Wireless Mesh
Inherent wireless mesh eases the deployment of wireless APs in hard to wire locations
Automatic dynamic routing makes mesh easy to deploy and resilient
Automatic loop prevention allows more than one portal to be active at once
Voice ready – low latency, QoS enabled mesh
Diagram: wired network (distribution switches, access switches, wired uplink) and a wireless mesh network of HiveAPs with wireless uplinks serving wireless clients
