Aruba Campus Access Webinar Part 1

The document outlines an upcoming webinar presented over two parts that will cover networking fundamentals including VLANs, IP routing, wireless networking, and security topics such as 802.1X authentication using Aruba networking devices and solutions. Part 1 will cover networking fundamentals and technologies while Part 2 focuses on more advanced switching, wireless, and security techniques. The webinar is offered in both English and Spanish for attendees.

Aruba Campus Access Webinar Part 1

Aruba Campus Access Webinar: What to expect

ENGLISH | Presenter: Jacob Stelmaszczyk
PART 1: February 6th, 2023 | 9AM-11AM PST
PART 2: February 8th, 2023 | 9AM-11AM PST

SPANISH | Presenter: Alvaro Tellez
PART 1: February 6th, 2023 | 12:00-14:00 PST
PART 2: February 8th, 2023 | 12:00-14:00 PST

• Part 1 introduces networking fundamentals, types of networking devices, VLANs, IP routing, switch virtualization, Aruba WLAN bridge mode
• Part 2 covers VSX, Aruba WLAN tunneled & mixed mode, 802.1X authentication, Dynamic Segmentation and VxLAN GBP
Networking Fundamentals

What is a Computing Network?
Group of computing resources that permit digital data exchange between devices
[Diagram: smartphones, social networking, computing and communication all rely on the networking infrastructure]

What is a Protocol?
Set of rules that computer devices follow to establish and maintain communications
[Diagram: Alice: "Good morning, my name is Alice." Bob: "Good morning, Alice. My name is Bob."]
OSI Reference Model
Standard communication model for computing devices created by the ISO
Organizes computing communication in seven layers

Layer  Name                 Unit / medium
7      Application Layer
6      Presentation Layer
5      Session Layer
4      Transport Layer      Segments
3      Network Layer        Packets
2      Data Link Layer      Frames
1      Physical Layer       Bits, wires, hardware, RF signals
Networking Devices

Networking Devices: Switch
L2 device: Forwards Ethernet frames based on destination MAC addresses

Multiple ports connect endpoints
• PCs, printers, cameras, and more
• Commonly 8, 24, 48, or more physical ports
• Transparent to endpoints

Special L2 protocols
• Performance, reliability, security
• STP, LLDP, 802.1Q

[Diagram: host A (90:…:01) on port 1 and host B (90:…:03) on port 2; the switch's table reads:
MAC Address   Port
90:…:01       1
90:…:03       2]
Networking Devices: Router
Layer 3 device: Forwards packets based on destination IP address

Functionality and features
• Connect separate networks into an inter-network
• Offer WAN connectivity to networks

L3 routing protocols
• Learn all possible paths, choose a best path
• RIP, OSPF, BGP

[Diagram: one router interconnecting Network 1, Net 2, Net 3, Net 4 and Network 5]
Networking Devices: Multi-Layer Switch
Performs both L2 switching and L3 routing

L3 Routing
• Internal routing functionality
• Runs RIP, OSPF, BGP

L2 Switching
• Multiple ports connect endpoints
• Uses STP, LLDP, VLANs
Networking Devices: Access Points
Enables wireless users to access wired resources and roam about

Functionality
• Bridges wireless devices and wired networks
• Transforms Ethernet into Wi-Fi frames and back

Varieties of APs
• Internal or external antennas
• Single or dual Ethernet ports
• Indoor or outdoor

[Diagram: Host A sends a Wi-Fi frame to the AP, which forwards it onto the wire as an Ethernet frame]
Networking Devices: Firewall
L2-7 filtering and security

Functionality
• Block unauthorized/inappropriate access
• Permit authorized/appropriate access

Types
• L2 MAC / L3 IP filters
• L4-7 ULP/App filters
• Stateless vs Stateful (stateful intelligence)
• Functionality built into switches, gateways

[Diagram: Host A and a limited-access client reach a protected server only through the firewall]

Switching Fundamentals

Accessing the Serial Console Port
• PC connects to the console port of the 6300M or 6400 (RJ45 serial or USB), max 1-meter cable
• The OOBM (Mgmt) port sits next to the console port

Terminal emulator
• PuTTY
• TeraTerm
• SecureCRT

Terminal emulator configuration
• Baud rate: 115200
• Data bits: 8
• Parity: None
• Stop bits: 1
• No flow control
Management (mgmt.) Port
• Exclusively for monitoring and management
• Complete isolation from data network
• Requires an IP address
• Common in data centers, or for critical core devices
• Not typical for campus access layer devices

[Diagram: a Mgmt PC and Aruba NetEdit reach the 6300M OOBM port over SSH, HTTPS, SNMP and NTP]
Interface Numbering for Fixed-Port Switches

Member / Slot / Port
• Member: used with VSF; indicates the cluster member ID; defaults to 1
• Slot: used in modular switches; indicates the line card number; fixed-port switches use 1
• Port: port number

Interface 1/1/48: Member ID = 1, Slot = 1, Port = 48 (VSF member 1)
Interface 2/1/44: Member ID = 2, Slot = 1, Port = 44 (VSF member 2)
LANs and VLANs

LAN: Devices in the same broadcast domain
VLAN: Devices in the same broadcast domain

[Diagram: two physical switches, LAN-A (hosts A and B on ports 1 and 2) and LAN-B (hosts D and E on ports 11 and 12), compared with one physical switch SW1 acting as two virtual switches, VLAN-10 (A and B on ports 1 and 2) and VLAN-20 (D and E on ports 11 and 12)]

Both scenarios operate in the same way

VLANs, Performance, and Security

One large VLAN ✗                          Multiple small VLANs ✓
Lots of broadcasts wastes resources       Fewer broadcasts per VLAN
Limited security options                  Improved security options

[Diagram: switch SW1 with hosts A, B … Y, Z on ports 1-48 all in one VLAN, versus the same switch with A and B in VLAN-10 (ports 1, 2) and D and E in VLAN-20 (ports 11, 12)]

MAC Address Table
Used by L2 switches to make forwarding decisions

Forward frames based on Destination MAC; build the MAC table based on Source MAC
Ethernet frame: Destination MAC | Source MAC | Len | Payload | FCS

[Diagram: SW1 with A (90:...:00) on port 1 and B (00:...:37) on port 2 in VLAN-10, and C (30:...:56) on port 11 in VLAN-20]

SW1# show mac-address
MAC age-time : 300 seconds
Number of MAC addresses : 3

MAC Address         VLAN   Type      Port
90:20:c2:bc:ee:00   10     dynamic   1/1/1
00:0b:86:b4:eb:37   10     dynamic   1/1/2
30:8d:99:ef:84:56   20     dynamic   1/1/11

Entry timeout = 300s
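The learning and forwarding behaviour the slide describes, as an added example that is not code from the slides or from Aruba: a per-VLAN MAC table that forwards on destination MAC, learns from source MAC, floods unknown destinations only within the VLAN, and ages entries out after 300 seconds as in the `show mac-address` output. The MAC addresses are the ones on the slide; the frames, timestamps and port membership are constructed.

```python
"""Added example (not from the Aruba slides): a per-VLAN MAC learning table
as an L2 switch keeps it. Forward on destination MAC, learn from source MAC,
flood unknown unicast and broadcast within the VLAN, age out after 300 s.
Frames, timestamps and VLAN port membership below are constructed."""
from dataclasses import dataclass

AGE_TIME = 300       # seconds, matching "MAC age-time : 300 seconds"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    vlan: int
    src: str
    dst: str


class MacTable:
    def __init__(self, age_time=AGE_TIME):
        self.age_time = age_time
        self._entries = {}   # (vlan, mac) -> (port, last_seen)

    def learn(self, vlan, mac, port, now):
        # Learning overwrites the entry, so a host that moves to another
        # port is corrected by its next frame rather than by a timeout.
        self._entries[(vlan, mac)] = (port, now)

    def lookup(self, vlan, mac, now):
        entry = self._entries.get((vlan, mac))
        if entry is None:
            return None
        port, last_seen = entry
        if now - last_seen > self.age_time:
            del self._entries[(vlan, mac)]    # aged out: treat as unknown
            return None
        return port

    def forward(self, frame, in_port, vlan_ports, now):
        """Egress ports for `frame` received on `in_port` at time `now`."""
        self.learn(frame.vlan, frame.src, in_port, now)
        out = None if frame.dst == BROADCAST else self.lookup(frame.vlan, frame.dst, now)
        if out is None:
            # Unknown unicast or broadcast: flood to every other port in the
            # same VLAN; nothing ever crosses into another VLAN.
            return sorted(p for p in vlan_ports[frame.vlan] if p != in_port)
        return [] if out == in_port else [out]   # same-port destination is filtered

    def show(self, now):
        """Live entries as (mac, vlan, port), like `show mac-address`."""
        return sorted((mac, vlan, port)
                      for (vlan, mac), (port, seen) in self._entries.items()
                      if now - seen <= self.age_time)


def demo():
    vlan_ports = {10: {"1/1/1", "1/1/2", "1/1/3"}, 20: {"1/1/11", "1/1/12"}}
    a, b, c = "90:20:c2:bc:ee:00", "00:0b:86:b4:eb:37", "30:8d:99:ef:84:56"
    table = MacTable()
    results = [
        table.forward(Frame(10, a, b), "1/1/1", vlan_ports, now=0),    # B unknown: flood VLAN 10
        table.forward(Frame(10, b, a), "1/1/2", vlan_ports, now=1),    # A known on 1/1/1
        table.forward(Frame(20, c, a), "1/1/11", vlan_ports, now=2),   # A not in VLAN 20: flood VLAN 20
        table.forward(Frame(10, b, a), "1/1/2", vlan_ports, now=400),  # A aged out: flood again
    ]
    return results, table.show(now=400)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The fourth frame shows why the age-time matters operationally: once A's entry has expired, traffic for A is flooded to every port in VLAN 10 until A sends again, which is also what an attacker exploiting a full or flushed MAC table relies on, so a switch that never ages entries or floods across VLANs would be misbehaving.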
Redundant Network

[Diagram, left: a single Core-1 above Access-1 and Access-2 with hosts A and B, the core being a single point of failure. Right: Core-1 and Core-2 both uplinking Access-1 and Access-2]

Left: Core-2 fails - network down. Right: Core-2 fails - network up.

Spanning Tree – Operation Overview
Goal: Maintain a redundant loop-free topology

• Elect a root switch
• Connected tree of switches emanates from this root
• Redundant ports in blocking mode

[Diagram: Core-1 is the root switch; Core-2, Access-1 and Access-2 hang off it, with the redundant links marked x (blocking), giving a Layer 2 loop-free topology]

Link Aggregation: Overview

Bundle multiple physical links into one logical link - a Link Aggregation Group (LAG)
A virtual interface controls the physical ports; protocols and processes now refer to the LAG

[Diagram: ports 1/1/1, 1/1/2, 1/1/3 on one switch bundled as LAG 1 to ports 1/1/5, 1/1/6, 1/1/7 on the other; each side sees a single virtual interface]

Performance: Increase bandwidth – traffic is distributed across member ports
Reliability: One member port fails, traffic flows over the other member ports

Link Aggregation: Requirements

Match LAG interfaces to avoid errors: Duplex ● Link Speed ● Media
Up to 8 physical ports in a LAG


IP Addressing & Routing

IP Addressing
Layer 3 identifier for each network device

Feature               IPv4                     IPv6
Size of address       32 bits – 4 octets       128 bits – 16 octets
Example address       192.168.10.250           fe80:0000:0000:0000:844d:a9ff:febb:62c3
Possible addresses    4.29 Billion             340 Undecillion (3.4 x 10^38)

IP packet: IP Header (Source IP, Dest IP) | Payload
[Diagram: hosts A, B and C with addresses 10.0.1.1, 10.0.1.2 and 10.0.1.3]

Home Address vs. IP Address
Home address: 123 Main Street, Anytown – the house number identifies the house, the street and city identify where it is
IP address: 10 . 0 . 1 . 100 – the network portion (10.0.1) identifies the network, the host portion (100) identifies the endpoint
IP Routing
Objective: Device communications between different networks

[Diagram: Host A in Network A (VLAN 10) and Host B in Network B (VLAN 20), joined by routing. Host A: "Host B is not in my network." Host B: "Host A is not in my network." Host A must communicate with Host B]

Layer 3 Analysis
Routing: Layer 3 lookup information to take decisions

Routing devices: multilayer switch, router
Layer 3 header: Source IP 10.1.10.20, Destination IP 192.168.1.100
[Diagram: OSI stack with the Network Layer (3) highlighted as the layer routing devices inspect]
IP Route
Objective: Device communications between different networks

[Diagram: Server-1 (10.0.0.1) in Network A; Core-1 (172.16.0.1), Core-2 (172.16.0.2) and host A (172.16.0.100) in Network B; Server-2 (192.168.0.1) in Network C]

Host A's route table:
Destination        Next-hop
10.0.0.0/8         172.16.0.1
192.168.0.0/24     172.16.0.2

A host can add routes into its table, but this solution does not scale
Need for Layer 3 Redundancy
Single DG, single point of failure

Add a second DG, however:
• Hosts can only have one DG
• You must manually change the DG if the primary fails
• For DHCP, hosts must disconnect/reconnect

[Diagram: PC-1 with Core-1 (10.1.10.1) and Core-2 (10.1.10.2) as candidate default gateways; when the DG fails, hosts are isolated]
Virtual Router Redundancy Protocol
Objective: Standard FHRP protocol that mitigates DG failure outages

Coordinated gateway
• VRRP Active (Master): responds to VIP traffic
• VRRP Standby: monitors the state of the Master

[Diagram: Core-1 and Core-2 share the VIP; host IP 10.1.10.100/8, Default Gateway: VIP]
IP Routing Table
Objective: Used by routing devices to select the best path to a destination

[Diagram: Server-1 (.2) in Network 10.0.0.0/8, Core-1 (.1 towards Server-1, .254 on the 172 network), Core-2 (.253 on the 172 network, .1 towards Server-2) across Network 172.16.0.0/16, Server-2 (.2) in Network 192.168.0.0/24]

Core-1 routing table:
IP Destination     Next Hop         Interface   Note
192.168.0.0/24     172.16.0.253     VLAN172     Network NOT directly connected
10.0.0.0/8         -                VLAN10      Directly connected
172.16.0.0/16      -                VLAN172     Directly connected

A route to 10.0.0.0/8 on the far side is needed for bidirectional communication
Route Types in ArubaOS-CX
• Connected: subnet is physically connected to the device
• Local: local IP address configured on the switch
• Static: route added manually as a static route
• RIPv2: route learned via RIPv2
• OSPF: route learned via OSPF (preferred over RIPv2)
• BGP: route learned via BGP
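How a routing device selects a path from a table like Core-1's, covering both the IP Routing Table slide and the route-type preference above, as an added example (not code from the slides or from ArubaOS-CX): longest prefix match first, then the more trusted route source when two sources offer the same prefix. The slides only state that OSPF is preferred over RIPv2; the numeric preference values (connected 0, static 1, OSPF 110, RIP 120) and the duplicate RIP/OSPF routes for 192.168.0.0/24 are this example's own assumptions, constructed to exercise the tie-break.

```python
"""Added example (not from the Aruba slides): longest-prefix-match lookup
over a routing table, with a route-source preference for equal prefixes.
PREFERENCE values are an assumption of this example, not a value quoted
from the deck; the dynamic-only table is constructed."""
import ipaddress
from typing import NamedTuple, Optional

# Assumed preference (administrative distance style): lower wins on a tie.
PREFERENCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for a directly connected network
    interface: str
    source: str


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, interface, source):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, interface, source))

    def best(self, dst):
        """Most specific prefix wins; among equal prefixes, the preferred source."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -PREFERENCE[r.source]))


def next_hop_for(table, dst):
    """(source, where the packet goes) or ('drop', None) when nothing matches."""
    route = table.best(dst)
    if route is None:
        return ("drop", None)       # the slide's table has no default route
    return (route.source, route.next_hop or route.interface)


def core1_table():
    """The three routes shown for Core-1 on the slide."""
    t = RoutingTable()
    t.add("10.0.0.0/8", None, "VLAN10", "connected")
    t.add("172.16.0.0/16", None, "VLAN172", "connected")
    t.add("192.168.0.0/24", "172.16.0.253", "VLAN172", "static")
    return t


def dynamic_only_table():
    """Constructed: the same destination learned via RIP and OSPF, no static."""
    t = RoutingTable()
    t.add("172.16.0.0/16", None, "VLAN172", "connected")
    t.add("192.168.0.0/24", "172.16.0.253", "VLAN172", "rip")
    t.add("192.168.0.0/24", "172.16.0.252", "VLAN172", "ospf")
    return t


if __name__ == "__main__":
    for dst in ("192.168.0.2", "10.0.0.2", "172.16.0.253", "8.8.8.8"):
        print(dst, "->", next_hop_for(core1_table(), dst))
    print("192.168.0.7 (dynamic only) ->", next_hop_for(dynamic_only_table(), "192.168.0.7"))
```

Packets for 8.8.8.8 come back as "drop" because, as on the slide, there is no default route; adding one would be the normal fix, and it is also the moment to check that the chosen default gateway is the intended one rather than whatever RIP happened to advertise.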


Scalability Issues

Static routes                             Dynamic routes
• Suitable for simple networks            • Scale to any size
• No automated failover                   • Offer automatic failover
• Human factor can cause outages          • Router exchanges improve availability
• Maintenance could be a challenge        • Maintenance is simple
Interior and Exterior Gateway Protocols

Autonomous System: Routers under the same administrative domain

External Gateway Protocol: Exchange routes between ASes (BGP)
Internal Gateway Protocol: Exchange routes inside an AS (RIP, OSPF)

[Diagram: Autonomous System 1 (Company 1) runs RIP or OSPF internally, Autonomous System 2 (ISP) runs OSPF internally, and BGP runs between the two]

Distance Vector Routing Protocols

• An early, less sophisticated routing protocol
• Each router only aware of directly connected peers
• Slow convergence
• Not scalable (max 15 hops)
• Examples: RIPv2, RIPng

[Diagram: R1 - R2 - R3 in a chain; 10.0.3.0/24 is attached to R3 port 1; R1 reaches R2 through port 23 (next hop 10.0.1.1), R2 reaches R3 through port 24 (next hop 10.0.2.1)]

Route to 10.0.3.0/24 as seen from each router:
               R1           R2           R3
Distance       2 hops       1 hop        0 hops
Vector         port 23      port 24      port 1
Next-hop       10.0.1.1     10.0.2.1     -
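The per-router view on the slide can be produced by a distance-vector computation, given here as an added example (not code from the slides or from any RIP implementation). Each router starts knowing only its connected networks and learns the rest from its neighbours, adding one hop per router; 16 hops is treated as unreachable, which is where the 15-hop limit on the slide comes from. Ports 23, 24 and 1 and next hops 10.0.1.1 and 10.0.2.1 are from the slide; the far-side ports and addresses and the long chain used to show the hop limit are constructed.

```python
"""Added example (not from the Aruba slides): RIP-style distance-vector
routing on the slide's R1-R2-R3 chain, plus a constructed long chain that
runs into the 15-hop limit. Far-side port names/IPs are constructed."""

INFINITY = 16   # RIP semantics: 16 hops means unreachable


def distance_vector(routers, links, iterations=40):
    """routers: {name: {prefix: local_port}}; links: (a, port_a, ip_a, b, port_b, ip_b).
    Returns {router: {prefix: (hops, egress_port, next_hop_ip)}}."""
    table = {r: {p: (0, port, None) for p, port in nets.items()} for r, nets in routers.items()}
    neighbours = {r: [] for r in routers}
    for a, pa, ipa, b, pb, ipb in links:
        neighbours[a].append((b, pa, ipb))    # a reaches b via port pa, next hop ipb
        neighbours[b].append((a, pb, ipa))
    for _ in range(iterations):
        changed = False
        for r in routers:
            for nbr, port, nh in neighbours[r]:
                # Bellman-Ford step: adopt a neighbour's route when it is shorter.
                for prefix, (nbr_hops, _, _) in list(table[nbr].items()):
                    cost = min(nbr_hops + 1, INFINITY)
                    if cost < table[r].get(prefix, (INFINITY, None, None))[0]:
                        table[r][prefix] = (cost, port, nh)
                        changed = True
        if not changed:
            break   # converged
    return table


SLIDE_ROUTERS = {
    "R1": {"10.0.1.0/24": "23"},
    "R2": {"10.0.1.0/24": "22", "10.0.2.0/24": "24"},   # port 22 constructed
    "R3": {"10.0.2.0/24": "2", "10.0.3.0/24": "1"},     # port 2 constructed
}
SLIDE_LINKS = [
    ("R1", "23", "10.0.1.2", "R2", "22", "10.0.1.1"),   # 10.0.1.2 constructed
    ("R2", "24", "10.0.2.2", "R3", "2", "10.0.2.1"),    # 10.0.2.2 constructed
]


def route_view(prefix="10.0.3.0/24"):
    """Each router's (hops, port, next hop) for one prefix, as in the slide's table."""
    tables = distance_vector(SLIDE_ROUTERS, SLIDE_LINKS)
    return {r: tables[r][prefix] for r in SLIDE_ROUTERS}


def chain_reachability(n_routers):
    """Constructed chain R1..Rn with a stub network behind Rn:
    returns (hops from R1, reachable?)."""
    routers = {f"R{i}": {} for i in range(1, n_routers + 1)}
    links = []
    for i in range(1, n_routers):
        net = f"10.{i}.0.0/24"
        routers[f"R{i}"][net] = f"p{i}"
        routers[f"R{i + 1}"][net] = f"q{i}"
        links.append((f"R{i}", f"p{i}", f"10.{i}.0.2", f"R{i + 1}", f"q{i}", f"10.{i}.0.1"))
    routers[f"R{n_routers}"]["10.200.0.0/24"] = "stub"
    hops = distance_vector(routers, links)["R1"].get("10.200.0.0/24", (INFINITY,))[0]
    return hops, hops < INFINITY


if __name__ == "__main__":
    print(route_view())
    print("16 routers:", chain_reachability(16), "17 routers:", chain_reachability(17))
```

The slow convergence on the slide is visible in the loop: the route to 10.0.3.0/24 moves one router further from R3 per round, so a change at the far end of a long chain takes as many rounds as there are routers to reach the near end.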
Link-State Routing Protocol

• Dijkstra algorithm calculates best paths
• Each router is aware of the entire topology
• Fast convergence
• Very scalable
• Examples: OSPFv2, OSPFv3

[Diagram: Switch-1, Switch-2, Switch-3 and Switch-4 interconnected, with 10.0.3.0/24 attached to Switch-4; one switch says "I know all possible paths to reach 10.0.3.0/24"]
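What "each router is aware of the entire topology" means in practice, as an added example that is not code from the slides or from any OSPF implementation: every switch holds the same link-state database and runs Dijkstra from itself, so it can compute every path to 10.0.3.0/24 and reconverge immediately when a link-down is flooded. The four switch names and the prefix match the slide; which switch owns the prefix and the link costs are constructed for this example.

```python
"""Added example (not from the Aruba slides): Dijkstra over a link-state
database for the four-switch topology on the slide. Link costs and the
prefix attachment are constructed; OSPF derives real costs from bandwidth."""
import heapq

# Constructed link-state database: (switch_a, switch_b, cost).
LSDB = [
    ("Switch-1", "Switch-2", 10),
    ("Switch-1", "Switch-3", 10),
    ("Switch-2", "Switch-4", 10),
    ("Switch-3", "Switch-4", 30),
]
# Constructed: which switch has 10.0.3.0/24 directly attached.
PREFIXES = {"10.0.3.0/24": "Switch-4"}


def shortest_paths(lsdb, source):
    """Dijkstra from `source`: returns (distance per node, predecessor per node)."""
    adj = {}
    for a, b, cost in lsdb:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue    # stale heap entry
        for nbr, cost in adj.get(node, []):
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr], prev[nbr] = nd, node
                heapq.heappush(heap, (nd, nbr))
    return dist, prev


def route_to(lsdb, prefixes, source, prefix):
    """(total cost, hop-by-hop path) from `source` to the switch owning `prefix`,
    or None when the topology no longer connects them."""
    dist, prev = shortest_paths(lsdb, source)
    target = prefixes[prefix]
    if target not in dist:
        return None
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return dist[target], path[::-1]


def after_link_failure(lsdb, failed_pair):
    """The LSDB every switch holds once a link-down LSA for `failed_pair` is flooded."""
    return [link for link in lsdb if set(link[:2]) != set(failed_pair)]


if __name__ == "__main__":
    print(route_to(LSDB, PREFIXES, "Switch-1", "10.0.3.0/24"))
    print(route_to(after_link_failure(LSDB, ("Switch-2", "Switch-4")), PREFIXES, "Switch-1", "10.0.3.0/24"))
```

Because the same LSDB is on every switch, the reconvergence after the Switch-2/Switch-4 failure is one local Dijkstra run per switch rather than the hop-by-hop propagation of the distance-vector case, which is the "fast convergence" the slide claims.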
OSPF

Introduction
• RFC 2328 defines OSPFv2 for IPv4
• Popular enterprise solution
• Link-state protocol: topology-aware

[Diagram: Core-1 and Core-2 route between the server subnets (behind a server switch) and the campus subnets]

[Diagram: protocol stack – HTTP (port 80) and TFTP (port 69) ride on TCP (IP protocol 6) and UDP (IP protocol 17); OSPF rides directly on IP as protocol 89]
Network Redundancy

Introduction to Stacking Technologies
Objective: A group of switches managed as a single virtual device

Features                                           Benefits
• Centralized control and management plane         • Ease of management
• Independent data planes                          • Network simplification

[Diagram: one Virtual Switch with a single Control/Mgmt plane over Switch1, Switch2, Switch3 and Switch4, each keeping its own data plane]
Switch Virtualization Technologies

VRRP + Spanning-Tree                 VSF & VSX
• VRRP Master & Backup               • Both switches active
• STP root                           • LAG
• Standby / Active                   • Active / Active

[Diagram: left, a VRRP pair sharing a VIP with STP port roles RP, DP and ALT, one uplink active and one standby; right, a VSF/VSX pair with a LAG down to the access switch and both members active]
VSF Member Roles and Links

Primary
• Member ID 1, Conductor role
• Runs control/management plane
• Data plane forwards frames
• Default role

Secondary
• Normally: only data plane
• Primary failure: becomes Conductor
• Configure any member except 1

Member
• Only runs data plane
• Cannot take the Conductor role

VSF Link
• Uses uplink ports
Aruba WLAN

IEEE 802.11 Standards

                802.11a/b/g          802.11n                  802.11ac                 802.11ax
Data rate       1 to 54 Mbps         6.5-600 Mbps,            600 Mbps - 6.93 Gbps     Up to 4.8 / 7.8 Gbps
                                     300 Mbps typical
Freq band       2.4 GHz ISM,         2.4 GHz ISM,             5 GHz U-NII              2.4 GHz, 5 GHz / 6 GHz
                5 GHz U-NII          5 GHz U-NII
Features        Legacy (avoid),      64-QAM mod.,             80 MHz ch. width,        160 MHz ch. width, MU-MIMO,
                20 MHz channels      MIMO                     256-QAM mod.             8 spatial streams, OFDMA up/down
IEEE year       1997 / 2003          2009                     2013                     2018 / 2020
WLAN Configuration - BSS

SSID/ESSID: Defines the logical WLAN (SSID=employee)
Basic Service Set (BSS): Radio, all associated clients (2.4 GHz BSS, 5 GHz BSS)
Basic Service Set ID (BSSID): Radio MAC address (BSSID=aa:aa:aa for the 2.4 GHz radio, BSSID=bb:bb:bb for the 5 GHz radio)

WLAN Configuration - ESS

Extended Service Set (ESS): One SSID broadcast on multiple radios

[Diagram: two APs both broadcasting SSID=employee; AP 1 radios 2.4 GHz BSSID=aa:aa:aa and 5 GHz BSSID=bb:bb:bb; AP 2 radios 2.4 GHz BSSID=cc:cc:cc and 5 GHz BSSID=dd:dd:dd]
Aruba WLAN forwarding modes

Bridge                                     Tunnel Mode                                      Mixed Mode
APs bridge traffic locally (SSID1)         APs tunnel traffic (SSID2) to a Gateway or       1 SSID: Bridge & Tunnel – APs bridge some
                                           Gateway Cluster                                  traffic locally and tunnel the rest to a
                                                                                            Gateway or Gateway Cluster

Traffic Forwarding Mode – Bridge & Native VLAN
[Diagram: AP uplink port configured `vlan access 4`; client 10.1.4.57, AP 10.1.4.49 and gateway 10.1.4.1 all sit in VLAN 4]

Traffic Forwarding Mode – Bridge & Static VLAN
[Diagram: AP uplink is an 802.1Q trunk, Native: 4, Allowed: 4,11,12; AP 10.1.4.49, gateway 10.1.4.1. SSID Employee maps to VLAN 11 (client 10.1.11.150); SSID Guest maps to VLAN 12 (client 10.1.12.140)]
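How the switch end of the AP uplink on the static-VLAN slide (802.1Q trunk, native 4, allowed 4,11,12) places each frame, as an added example that is not code from the slides or from ArubaOS-CX: untagged frames go to the native VLAN, tags for allowed VLANs are honoured, and any other tag is dropped. The tag parser follows the 802.1Q header layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID); the frames and MAC addresses are constructed.

```python
"""Added example (not from the Aruba slides): 802.1Q tag parsing and trunk
classification for a port with native VLAN 4 and allowed VLANs 4,11,12.
All frames and MAC addresses below are constructed."""
import struct

TPID_8021Q = 0x8100


def parse_vlan(frame):
    """Return (vid or None, inner ethertype, payload offset) for one raw frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, 14          # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, 18          # VID is the low 12 bits of the TCI


class TrunkPort:
    def __init__(self, native, allowed):
        self.native = native
        self.allowed = set(allowed)

    def classify(self, frame):
        """VLAN the frame is placed in, or None if the trunk drops it."""
        vid, _, _ = parse_vlan(frame)
        if vid is None or vid == 0:
            # Untagged or priority-tagged (VID 0) frames belong to the native VLAN.
            return self.native
        if vid not in self.allowed:
            return None   # tagged with a VLAN not allowed on this trunk: dropped
        return vid


def build_frame(dst, src, vid=None, ethertype=0x0800, payload=b""):
    """Constructed Ethernet frame, optionally 802.1Q-tagged with `vid`."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP and DEI left zero
    return hdr + struct.pack("!H", ethertype) + payload


def demo():
    uplink = TrunkPort(native=4, allowed=[4, 11, 12])
    gw, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"   # constructed MACs
    return [
        uplink.classify(build_frame(gw, client)),           # untagged -> native VLAN 4
        uplink.classify(build_frame(gw, client, vid=11)),   # SSID Employee -> VLAN 11
        uplink.classify(build_frame(gw, client, vid=12)),   # SSID Guest -> VLAN 12
        uplink.classify(build_frame(gw, client, vid=16)),   # not allowed -> dropped
        uplink.classify(build_frame(gw, client, vid=0)),    # priority-tagged -> native VLAN 4
    ]


if __name__ == "__main__":
    print(demo())
```

The fourth case is the one worth checking in a real configuration: the allowed list is what keeps a mis-tagged frame from landing in a VLAN the AP was never meant to reach, so trunks towards APs should carry only the VLANs their SSIDs use.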
Traffic Forwarding Mode – Bridge & Dynamic VLAN
[Diagram: the AP authenticates clients against a RADIUS server and a VLAN rule assigns the VLAN the server returns; client 00:11:22… receives Aruba-User-Vlan=16 and lands at 10.1.16.57 (VLAN 16), another client lands at 10.1.17.65 (VLAN 17); gateway 10.1.4.1]
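The AP side of the dynamic-VLAN slide, as an added example that is not code from the slides or from Aruba: pulling the Aruba-User-Vlan vendor-specific attribute out of a RADIUS Access-Accept and only accepting a VLAN the uplink actually carries. The attribute layout is RFC 2865 Vendor-Specific (type 26) with Aruba's enterprise number 14823 and vendor type 2 for Aruba-User-Vlan, which is what the slide's "Aruba-User-Vlan=16" refers to; the attribute lists, the allowed-VLAN set and the user names are constructed.

```python
"""Added example (not from the Aruba slides): decode Aruba-User-Vlan from a
RADIUS Access-Accept attribute list and validate it against the VLANs the
AP uplink carries. Attribute lists and the allowed set are constructed."""
import struct

ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific
ARUBA_VENDOR_ID = 14823          # Aruba enterprise number
ARUBA_USER_VLAN = 2              # Aruba-User-Vlan, integer


def iter_attributes(blob):
    """Yield (type, value) from a RADIUS attribute list; reject bad lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[i + 2:i + alen]
        i += alen


def aruba_user_vlan(attrs):
    """VLAN from Aruba-User-Vlan, or None if the attribute is absent or malformed."""
    for atype, value in iter_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue    # some other vendor's VSA
        vdata, j = value[4:], 0
        while j + 2 <= len(vdata):
            vtype, vlen = vdata[j], vdata[j + 1]
            if vlen < 2 or j + vlen > len(vdata):
                break   # malformed vendor data: ignore the whole VSA
            if vtype == ARUBA_USER_VLAN and vlen == 6:
                return struct.unpack("!I", vdata[j + 2:j + 6])[0]
            j += vlen
    return None


def assign_vlan(access_accept_attrs, allowed_vlans, default_vlan):
    """VLAN to place the client in: the server's choice if allowed, the default
    if the server sent none, None (reject) if the server named a VLAN the
    uplink does not carry."""
    vid = aruba_user_vlan(access_accept_attrs)
    if vid is None:
        return default_vlan
    return vid if vid in allowed_vlans else None


def encode_attr(atype, value):
    """Constructed plain RADIUS attribute."""
    return bytes([atype, 2 + len(value)]) + value


def encode_vsa(vendor_type, value):
    """Constructed Aruba Vendor-Specific attribute."""
    vdata = bytes([vendor_type, 2 + len(value)]) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + vdata
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body


def demo():
    allowed = {4, 16, 17}    # constructed: VLANs the AP uplink carries
    with_vlan16 = encode_attr(1, b"bob") + encode_vsa(ARUBA_USER_VLAN, struct.pack("!I", 16))
    with_vlan99 = encode_vsa(ARUBA_USER_VLAN, struct.pack("!I", 99))
    no_vsa = encode_attr(1, b"carol")
    return [assign_vlan(with_vlan16, allowed, 4),   # 16: server's VLAN accepted
            assign_vlan(with_vlan99, allowed, 4),   # None: VLAN not carried, reject
            assign_vlan(no_vsa, allowed, 4)]        # 4: fall back to the SSID default


if __name__ == "__main__":
    print(demo())
```

Treating an unknown VLAN as a rejection rather than silently falling back to the default keeps a misconfigured or compromised RADIUS policy from quietly dropping users into the wrong segment.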
Need for Secure Wireless Communications

[Diagram: Bob's traffic to the AP can be observed by a malicious client]

Encrypt and authenticate data
Protect against eavesdropping and tampering

Security

Enterprise
• 802.1X
• WPA3, WPA2, Dynamic WEP
• External RADIUS or Cloud Auth

Personal
• PSK
• WPA3, WPA2, Static WEP, MPSK AES, MPSK Local

Visitors
• External Captive Portal (e.g. ClearPass)
• Cloud Guest (Central CP)
• Encryption optional

Open
• Enhanced Open
• Open
Aruba Central Management
Running Aruba APs and Gateways with AOS10

Evolution to a unified operating system – three lines converge into AOS 10:
• INSTANT: Aruba Instant (controller-less WLANs)
• Mobility Conductor and controller-based WLANs
• SD-BRANCH: Branch and headend gateways

AOS8 to AOS10 Comparison

AOS8/InstantOS8               AOS10
IAP, CAP, RAP                 AP, Microbranch AP
Mobility Conductor            Aruba Central
Mobility Controller/VC        Gateway
SD-Branch Gateways            SD-Branch & Mobility
Local or Cloud Mgmt           Cloud Management
Device to Aruba Central Communication

[Diagram: AP, switch and gateway each connect to Aruba Central over HTTPS, with strong mutual authentication using certificates]
ArubaOS 10: Overview
Powered by Aruba Central: Analytics, Configuration Management, Control Plane Services, Monitoring and Reporting, Security, Location

ArubaOS 10: Architecture
• Central Services Layer – powered by Aruba Central: scalability; AI, automation, security; unifies WLAN, LAN, WAN management
• Optional Gateway Layer
• Infrastructure Layer

ArubaOS 10: Architecture – Gateway Layer use cases
• Scale higher than 5,000 clients or 500 APs
• Security: tunneled WLANs, guest WLANs, LAN network encryption, UBT
• Greater mobility: L2/L3 roaming
• MultiZone support: multiple gateways on one AP infrastructure
• Dynamic RADIUS Proxy
Aruba Central group

Building 1
• AP-Building-1 Group needs SSIDs employee, voice and guest
  Group AP-Building1: WLAN employee (802.1X), WLAN voice (PSK-AES), WLAN guest (Captive Portal)
• Switch-Building-1 Group needs VLANs 10, 20, 30, ports 1-12 enabled, Power-over-Ethernet
  Group Switch-Building-1: VLANs, interface config, PoE

Home Office
• Home-Office Group needs SSIDs employee and internet
  Group Home-Office: WLAN employee (802.1X), WLAN voice (PSK-AES)
Group Types

UI Group: Configure with a web browser
Template Group: Configure with CLI-based templates

Group Persona: Overview

• Represents the device's role in a network deployment
• Defines the type of devices and features to be available and managed by the group

Personas: APs, Gateways, Switches, Template groups
• Customize configuration workflows
• Automate parts of configurations
• See default config and relevant settings
• Customize monitoring screens
• Troubleshoot workflows

Thank You!
