Aruba Enterprise WLAN Controller Buyer's Guide
In this installment of our Buyer's Guide to WLAN Controllers, we consider Mobility Controllers offered by Aruba Networks and how they can be used to oversee access points (APs) deployed throughout enterprise networks.
According to product marketing manager Ozer Dondurmacioglu, Aruba considers controllers to be network service delivery platforms. "In a WLAN, users are highly mobile; they can show up anywhere," he said. "When a device roams [between APs], users expect to get the same QoS, the same RF management, and the same secure access to the corporate network. These services are all defined at the controller but enforced by APs."
Dondurmacioglu compared this to cellular network roaming. "You can roam between base stations, but your phone works the same everywhere. The network delivers features based on who you are and what you subscribe to, and your carrier sends you one bill," he said. "Enterprise mobility should not be that different. Device authorization, user authentication, connection management, and reporting are all centralized network services provided by Mobility Controllers."
Powered by ArubaOS
Under the covers, each Mobility Controller and AP is powered by ArubaOS, an embedded real-time OS and application engine. ArubaOS performs kernel functions like authentication and logging, packet-processing functions like routing and switching, and uses crypto engines to encipher Wi-Fi and VPN data. However, the point at which these functions are applied depends on network design.
With FlexForward, customers can choose between centralized, locally-bridged, or policy-routed traffic forwarding. In centralized WLANs, all user traffic is routed or switched through a Mobility Controller. In locally-bridged WLANs, user traffic is forwarded by each access device (AP or switch) onto an attached LAN. In policy-routed WLANs, traffic forwarding depends on type and policy.
"One advantage of our Mobility Controllers is their information sharing architecture," said Dondurmacioglu. "Campus building[s] may have multiple controllers that need to share information [about] configuration, users, firewall policy, session state, and wireless security. They share this by linking to each other over any IP network so that, when a user roams from controller 1 to 2, their session is maintained. We don't care if they cross a VLAN boundary or an IP subnet -- state is maintained utilizing standard IP Mobility."
Building an access network
Of course, users could not roam if it were not for the underlying network access devices. Enterprises seeking high-performance, high-density indoor APs can choose the AP-124 or AP-125 - 3x3 MIMO dual-radio 802.11abgn APs with detachable or integrated antennas. Lower-density indoor WLANs can use single-radio counterparts: the AP-120 or AP-121. Locations that require lower rates and capacity may opt for 2x2 MIMO alternatives: the dual-radio AP-105 or single-radio AP-92/AP-93. Aruba also offers outdoor APs, 2.4 GHz-only indoor APs, and fist-sized Virtual Branch Network (VBN) APs for small offices and teleworkers.
The above-listed models are controller-managed "thin APs" that can be deployed locally or remotely to deliver access, or a combination of access and dedicated IPS monitoring and/or spectrum analysis. To become operational, each AP must connect to a Master (central) or Local Mobility Controller using GRE or IPsec. When deployed at sites without a controller, Remote APs (RAPs) use the Internet to find one and establish a VPN tunnel back to it. "Our APs are plug-and-play," said Dondurmacioglu. "No configuration data is stored on APs, making adds and changes relatively easy."
Delivering network services
Mobility Controllers are responsible for providing AP configuration - along with a modular set of unified network services. "Our controllers are network control devices first, WLAN control devices second," said Dondurmacioglu. "You can deploy a controller anywhere you need high-capacity firewalling, even where you don't have APs."
Aruba offers three Mobility Controller Series. "The 6000 Series is our high-end controller, which is a chassis where four controller blades share a backplane to support 512 APs each (2048 APs per chassis). At the low-end is our 620, which supports up to 32 APs," explained Dondurmacioglu. In between lie the 650/651 (16 APs) and the 3000 Series (32-128 APs). These limits apply to local APs; controllers can support 2-4 times that many RAPs.
"Some people use our 6000 Series to create a big data center which stores a lot of information in the network core. Others put several 3200 Series controllers between their distribution layer and core. Our 600 Series is perfect for retailers looking for a branch office in a box," said Dondurmacioglu.
Customers that outgrow the 3000 Series can switch to an M3 blade plugged into a 6000 Series chassis. "If you have just one big building, then we suggest buying an M3 license, usually purchased in 64 AP increments," he said. According to specs, the 6000 chassis can push up to 80 Gbps of filtered traffic through 8 x 10 Gbps Ethernet ports. Additional M3 blades can be deployed to create a standby Master Controller or an active-active Local Controller pair.
Every Aruba controller includes TPM certificate and key storage, an IPv6-capable firewall, and basic rogue AP detection. "Since we have a dedicated encryption engine on the controller, we can accelerate 802.1X to reduce packets exchanged by ~50 percent," said Dondurmacioglu. Other baked-in controller functions include mobile IP roaming, captive portal Web authentication, guest access provisioning, and Adaptive Radio Management (ARM).
In addition to controller licenses for supported APs or RAPs, licenses can be purchased for controller add-ons:
- XSec layer 2 encryption, targeted at government and military deployments.
- RFProtect wireless IPS, which leverages Aruba APs to detect, locate, and contain rogue devices and attacks, enforce security policies, and visualize/classify RF interference.
- Policy Enforcement Firewall, which enforces identity-based policies that block/forward/prioritize traffic from wireless APs, wired ports, or VPN tunnels.
Of these, Policy Enforcement Firewall has the broadest appeal. "Look at complaints in enterprise WLANs today: my performance is slow, my real-time apps don't run well, my iPad can't get access," said Dondurmacioglu. Today, IT must map these user and application complaints onto the IP addresses and VLANs used for policy enforcement. But what if enforcement were based on device, user, and application identity instead?
"How can I give different groups using various devices and apps the right services? We use three technologies to do this. First, we accomplish user-awareness through role-based access control. Second, we use device fingerprinting for bandwidth and access restrictions. Third, we use app fingerprinting to statefully monitor sessions -- for example, giving SIP the right access," he said.
One concern posed by any centralized architecture is remote survival in the event of equipment failure or WAN outage. Aruba addresses this at several levels, starting with physical (standby or N+1) Master Controller redundancy. Series 600 controllers have ExpressCard slots for WAN fail-over. Local controllers support the Virtual Router Redundancy Protocol (VRRP) and receive all configurations and policies from a Master Controller.
According to Dondurmacioglu, if a RAP loses controller contact, it can continue providing local access but will lose centralized services like authentication. "We suggest redundant controllers, but you can still have link failures or power outages. You can choose to keep a locally-available SSID. If that SSID uses 802.1X, there will be no new users, but existing users can be supported. Or you can bring up a back-up SSID that uses PSK authentication to serve new users," he said.
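To make the identity-based model concrete, here is an added, constructed Python example (not Aruba's code, not its configuration syntax, and not the Policy Enforcement Firewall itself). It models the three inputs named above (a role assigned at authentication, a device-fingerprint class, and an application-fingerprint class) feeding a single policy decision with no IP address or VLAN in the rule set, keeps session state keyed by identity so a client roaming across subnets keeps its decision, and reproduces the failure behaviour just described: when the authentication path is lost, existing sessions continue while new clients cannot obtain a role. All role names, device classes, rules, users and addresses are hypothetical.

```python
"""Identity-based policy decisions with session state kept across roaming.

Constructed illustration only: the roles, device classes, rules, users and
addresses are made up and do not reproduce any Aruba product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    role: str                         # role from authentication; "*" = any
    device: str                       # device-fingerprint class; "*" = any
    app: str                          # application-fingerprint class; "*" = any
    action: str                       # "allow", "deny" or "prioritize"
    max_kbps: Optional[int] = None    # bandwidth cap; None = unlimited


# Constructed policy: evaluated top-down, first match wins, and the last rule
# is a catch-all deny. No rule refers to an IP address or VLAN.
POLICY: List[Rule] = [
    Rule("employee", "*", "sip", "prioritize"),          # real-time voice first
    Rule("employee", "tablet", "smb", "deny"),           # no file shares from tablets
    Rule("employee", "*", "*", "allow"),
    Rule("guest", "*", "http", "allow", max_kbps=2000),  # guests: web only, capped
    Rule("guest", "*", "https", "allow", max_kbps=2000),
    Rule("*", "*", "*", "deny"),                          # default deny
]


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def evaluate(role: str, device: str, app: str, policy: List[Rule] = POLICY) -> Rule:
    """Return the first rule whose role, device and app patterns all match."""
    for rule in policy:
        if _match(rule.role, role) and _match(rule.device, device) and _match(rule.app, app):
            return rule
    raise ValueError("policy must end with a catch-all rule")


@dataclass
class Session:
    user: str
    role: str
    device: str
    app: str
    ip: str            # current address; changes when the client roams


class SessionTable:
    """Controller-side session state keyed by identity, never by address."""

    def __init__(self, policy: List[Rule] = POLICY) -> None:
        self.policy = policy
        self.sessions: Dict[Tuple[str, str, str], Session] = {}
        # Flip to False to simulate losing the controller / authentication path.
        self.auth_reachable = True

    def admit(self, user: str, device: str, app: str, ip: str,
              role_from_auth: Optional[str]) -> Rule:
        """Admit a session. role_from_auth is what the 802.1X/RADIUS exchange
        returned; None means authentication could not complete."""
        key = (user, device, app)
        if key in self.sessions:           # existing session keeps its role
            return self._decide(key)
        if not self.auth_reachable or role_from_auth is None:
            role = "unauthenticated"       # no role learned: most restrictive
        else:
            role = role_from_auth
        self.sessions[key] = Session(user, role, device, app, ip)
        return self._decide(key)

    def roam(self, user: str, device: str, app: str, new_ip: str) -> Rule:
        """Client moved, possibly across a subnet: only the address changes."""
        key = (user, device, app)
        self.sessions[key].ip = new_ip
        return self._decide(key)

    def _decide(self, key: Tuple[str, str, str]) -> Rule:
        s = self.sessions[key]
        return evaluate(s.role, s.device, s.app, self.policy)
```

The point of the design is visible in `roam`: because the session table is keyed by (user, device, app) rather than by address, crossing a subnet changes nothing about the decision, which is the property the information-sharing architecture above is meant to give you. The `auth_reachable` flag is a deliberate simplification of a controller outage; a real deployment would also need the backup PSK SSID mentioned above to admit genuinely new users while the flag is effectively False.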
Finally, although Master Controllers provide a single point of policy configuration, large distributed networks often need more management tools. Aruba's AirWave Management Platform (AMP) can manage an enterprise's wireless infrastructure and provide visibility to the wired network edge - even if some APs and switches are not Aruba's. "In addition to seeing everything Aruba controllers do, AirWave can see your wired switches and relationships between ports and users. It can see user devices, AP health, switch health, controller health -- everything shows up in one place where information can be analyzed and visualized," said Dondurmacioglu.
To learn more about Aruba Mobility Controllers and supporting products, visit Aruba's Enterprise Solutions page, or drill into network architecture by reading Aruba's Mobility Controllers and Deployment Models Reference Design Guide [PDF].
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. An avid fan of all things wireless and frequent contributor to Wi-Fi Planet, Lisa has reviewed, deployed, and tested 802.11 products for nearly a decade.