Get your network ready for Apple Observations from Aruba Networks March 2012 Get your network ready for Apple Observations from Aruba Networks
Who Is Aruba? Leading provider of secure mobility HQ: Sunnyvale, CA Aruba MOVE Architecture NASDAQ: ARUN Industry’s most secure WLAN ~ $500M in annual revenue Easiest BYOD & Guest Access Leader in Gartner MQ Zero-touch remote networking
Issues facing Apple-centric networks Device density (Aruba Experience) Spectrum optimization Roaming issues Service issues (Bonjour) Device management issues VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
Density problem Airtime is precious. It must be preserved iPad connect rate is 150mbps best-case Divided by 30 users = 5mbps per channel. Real-world usage will halve this number. Implies 1 channel per class Other devices are even worse (53mbps) 2.4 Ghz band with 3 channels will not scale in a typical school Clean 5Ghz is mandatory, provides 22ch Clients should be LoS to the AP to keep speeds up Keep randoms off the classroom AP (Guest, etc) VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
5Ghz spectrum is the key Design for 5Ghz and 802.11ac Use Band-steering or selective SSID deployment Keep power low. HT20 channel-plan instead of HT40 in dense areas Airtime fairness prevents starvation VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
Roaming issues Sticky-clients: slow to roam Clients at a lower rate waste airtime for everyone Marginal link quality is frustrating Trim lower MCS rates to encourage roaming Monitor for low rates and associations to distant APs Coverage Models don’t work in HD (1-1) classrooms Newer versions of iOS (5+) fix many WiFi issues VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
What is Apple Bonjour Bonjour/mDNS Bonjour is a discovery and communications method that lets Apple devices communicate over LAN/WLAN Bonjour Screen mirror from an iPhone, iPad, MacBook to an AppleTV Personal use by students in dorms Discovery based on location by all users Shared use among execs in meeting rooms Print from an iPhone or iPad with a Bonjour enabled printer Personal use by execs in offices Shared use based on user role within the org Most Popular Apps What is zero configuration networking? Zero configuration networking (Zeroconf) is designed to enable service discovery, address assignment and name resolution for desktop computers, mobile devices and network services. It is designed for flat, single subnet IP networks such wireless networking at home. Bonjour, Apple’s trade name for its implementation of zero configuration networking, is the most common example. It is supported by most of the Apple product line including the MacOS X operating system, iPhone, iPod Touch, iPad, AppleTV and AirPort Express. Bonjour can be installed on computers running Microsoft Windows operating system and are supported by most of the latest generation of networked printers. Bonjour is also included within popular software programs such as the Apple iTunes, Safari, iPhoto.
Challenges with Apple Bonjour / mDNS 1. Designed for home Operates in a single broadcast domain and is not VLAN friendly Devices are not visible across network boundaries Pre-Shared Key (PSK) for Wi-Fi security 2. Limited WiFi performance Multicast use lowest 802.11 rates L3 forwarding increases Wi-Fi waste Announcements eat airtime What are the challenges in enabling plug-n-play services within large scale WLANs? 1. Lack of visibility: Designed for single VLAN. In large universities and enterprise networks, it is common for Bonjour-capable devices to connect to the network across VLANs. As a result, user devices such as an iPad on VLAN 30 will not be able to discover the Apple TV that resides on another VLAN. 2. Reduced Wi-Fi performance: Enabling service discovery across different IP networks with no control can compromise wireless network performance by generating excessive discovery traffic and generic filtering of such services. When a router is enabled to propagate all the mDNS traffic between VLANs across wired and wireless networks, the network is flooded with mDNS traffic that consumes valuable wireless airtime. Network administrators are faced with a difficult choice between either propagating mDNS traffic across VLANs and risk significant reduction in wireless performance or block mDNS traffic to prevent connectivity for Bonjour-capable devices and services. 3. End user errors: Users get access to wrong set of services by mistake, take over wrong devices for printing or streaming – hence ithout regard for the user context, this creates additional usability issues and helpdesk escalations. What if everyone calls their personal printer “My Printer” and personal AppleTV “My Apple TV”? 3. Prone to end user errors Services do not require authorization Easy to pick the wrong service No directory services
Access Network Issues The access layer is being call upon to provide more than just connectivity. Your network vendor should be helping you address the issues that come with 1-to-1 and BYOD initiatives Minimize device-touch with onboarding Direct visibility into how the network is performing Wired/Wireless Convergence (Gartner does not distinguish) Flexibility+options in how the Access Layer is deployed Intelligent Access control (AAA) Address technology-specific issues such as Apple Bonjour VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
Onboarding How are you going to configure hundreds of iPads? First things first: Get it on the network without a phone call Leverage the Apple API for configuration? Certificates? Minimize confusion over SSIDs. Enrollment vs Secured PIN enforcement, other settings above/beyond? VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
Onboarding iPad Example Student connects with AD credentials Credentials are validated, but district policy says device is required to register Student registers at portal Certificates generated and pushed down Network configuration pushed down Device is now functional using unique credentials instead of AD credentials VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
Visibility BOTH real-time and historical signal quality Username/Device type/ Infrastructure health Device association history Location services? VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
Flexible Access Layer Architecture Campus Mode Integrates with high performance controller Same AP, multiple modes of operation Branch Mode Instant branch network with IPSec VPN to a central controller Instant APs form instant campus network without controllers Remote Mode AP enabled with IPSec VPN connect to a central controller
Wired/Wireless convergence Smart AAA Consistent user experience regardless of connection Common areas Staff devices Multi-vendor support VoIP, Printers, Laptops, Voice phones, video cameras = few apps per device
Aruba AirGroup Context Based Access Only the necessary services are made visible to mobile devices – per user, per role, per location. Centralized Registration of Services Simple registration of shared and local services by IT. End users self-register their own personal service. Aerohive can only deliver shared (per role) service delivery. No personal or local services. Aerohive does not support centralized registration of services. Aerohive requires a gateway AP. Cisco does not support shared, personal, local services – just L3 forwarding of services. Cisco does not support centralized registration of services. Cisco requires specific multicast VLAN and SSID. Relies on multicast router. Why is AirGroup different than other solutions in the market? Aruba AirGroup is the only solution that enables context aware secure access to zero configuration networking, such as the Apple Bonjour, in a wireless LAN. In addition to preventing waste of valuable Wi-Fi performance during service discovery, it enables: Context based access control using Aruba Mobility Controllers where the end user’s role within the organization (eg. marketing), devices that he is using (eg. iPad), his location (eg. conference room) are all taken into account before the zero configuration services are made available to that particular user. Self registration of services using Aruba ClearPass Policy Manager where the end user or the IT administrator can register the devices that support zero configuration networking and define user and location based access privileges. Zero touch install of services as it does not require any changes within the existing wireless LAN and wired network configuration. No additional SSIDs, VLANs, IP subnets, MAC filters, etc are required. Zero Touch Install No gateways or multicast VLANs. No additional SSIDs, VLANs, MAC filters. No multicast routing configuration.
Aruba AirGroup Personal, Shared, Local Plug-n-Play Services Teacher Macbook AppleTV in the meeting room Local AirGroup “Apple TVs” Laptop in close proximity Printer in CFO’s office Personal AirGroup “Super” Aruba Access Network AppleTV in the classroom Shared AirGroup “Teachers” Super’s iPad Who is AirGroup for? Aruba AirGroup is available for all Aruba customers who use Mobility Controllers and ClearPass Policy Manager in their network. It is mainly designed for: IT organizations in the general enterprise that want to make zero configuration networking available to end users at work. Use cases may include context based access to shared network resources such as an AppleTV in a conference room for projecting a mobile device screen or printers in common areas. IT organizations in education institutions that want to enable zero configuration networking in classrooms and dormotories. Use cases may include context based exclusive access to a student’s AppleTV in a dorm room (dorm rooms are student’s new home) or to an AppleTV in a classroom registered to be used only by teachers. iPhone in close promixity Printer in the copy room Local AirGroup “Printers”
Thank You