WLAN INFRASTRUCTURE SOLUTION OVERVIEW
RIGHT FOUNDATION FOR MOBILITY SERVICES
UNMATCHED RELIABILITY
Three-year lead on controller virtualization with hitless failover: 100% application continuity even under failure conditions. Validated by Tolly Group
LEADING MANAGEMENT
Predictive RF planning, Configuration,
Monitoring & reporting, History and audit
trail, Easy guest provisioning
LOCATION AWARENESS
Perimeter Firewall, Real-time Asset Tracking
and condition monitoring
COMPREHENSIVE SECURITY
Identity based roaming, WIDS/WIPS,
Dynamic authentication, firewall
SUPERIOR PERFORMANCE
Distributed switching, Low latency, Efficient
traffic flows, Seamless roaming, Client
steering, Application QoS
WLM – Management and Access Control
RingMaster
WLM - Appliance
SmartPass
Juniper wireless - Complete WLAN Solution
WLC – Controllers
Simple - Secure - Mobile
WLC—controller family
WLC2: 4 APs
WLC8: 12 APs
WLC200R: 32 - 192 11n APs (distributed a/b/g/n)
WLC800: 16 - 128 11n APs
WLC880: 16 - 256 11n APs
WLC2800: 64 - 512 11n APs
Juniper wireless—WLA—Access Point Family
WLA371: single radio, low-cost AP
WLA422: dual radio, entry-level AP
WLA522: 2x2 MIMO, dual radio, high density
WLA432: 3x3 MIMO, dual radio, max. coverage
WLA632: 3x3 MIMO, dual radio, all weather
WLA532: 3-stream MIMO, dual radio, max. performance
WLM – Management and Access Control
RingMaster (WLM – RMTS): software licenses, 5 – 1,000 APs, WLAN management
WLM1200 – RMTS appliance: optimized Linux server platform, 250 – 5,000 APs
SmartPass (WLM – SP): software licenses, WLAN access control, guest provisioning
Downtime?
Not for your
wireless network
ONLY TRAPEZE HAS NONSTOP WIRELESS
WLC 1
Hitless Failover
Controller goes offline
APs instantly remapped
No disruption to voice
Other Benefits
In-service upgrades
Easy capacity scaling
Easy adds and moves
AP license pooling
“Trapeze adds a critical new dimension to
today’s WLAN deployments that is genuinely
new to the market: The non-stop WLAN.”
[Figure: APs 1, 2 and 3 spread across WLC 1, WLC 2 and WLC 3]
CONFIGURATION ADVANTAGE OF VIRTUALIZATION
Hot Standby Approach
• Each controller has a unique configuration
• Each controller operates independently
• Each AP mapped to one physical controller
• High maintenance - adds, moves, changes
Controller Virtualization
• All controllers get common configuration
• Cluster acts collectively as "virtual controller"
• All APs map to "virtual controller" cluster
RESILIENCY ADVANTAGE OF VIRTUALIZATION
Hot Standby Approach
• Catastrophic failure – dropped voice calls
• APs restart using hot standby controller
• No AP load balancing across controllers
• Fully loaded hot standby required
Controller Virtualization
• Hitless failover – even for active voice calls
• APs instantly remapped to in-service controller
• Dynamic AP load balancing across controllers
• No additional equipment required
Normal State
Each AP is “connected”
to primary and secondary
controllers both in service
Voice traffic forwarded by
primary controller
HITLESS FAILOVER DEMO - CENTRALIZED
WLC 1
IP PBX
WLC 2
Hitless Failover
Controller goes offline
AP instantly remapped
No disruption to voice
User may experience
momentary click
Failover time 0.2 sec
Recovery time < 0.1 sec
Normal State
Each AP is “connected”
to primary and secondary
controllers both in service
Voice traffic forwarded
locally by access point
HITLESS FAILOVER DEMO - DISTRIBUTED
WLC 1
IP PBX
WLC 2
Hitless Failover
Controller goes offline
AP instantly remapped
No disruption to voice
User experience not noticeable at all
Failover time <0.1 sec
Recovery time < 0.1 sec
IMMUNITY TO DATA CENTER BURNOUT
Affinity Groups allow pre-selection of fail-over controllers
One Virtual Controller may span multiple Data Centers
Made up of "Affinity Groups" containing 1-N controllers
Boot from Group 1, fail-over to Group 2 in different geography
[Figure: one Virtual Controller spanning Data Center 1 and Data Center 2]
PERFORMANCE ADVANTAGE
Making the most
of shared bandwidth
SMART MOBILE: MORE SCALABLE AND RELIABLE
DISTRIBUTED SWITCHING MAXIMIZES SCALABILITY
Centralized-Only Switching Breaks Down Under Increased Load from 802.11n
• All traffic gets forwarded by controller
• Twice the traffic through network core
• 802.11n increases load up to 10x
• Can't scale without expensive upgrades
Distributed Switching Handles 802.11n without Breaking Down
• Traffic can be forwarded by the AP
• Optimized traffic flows – ideal for voice
• 802.11n has no impact on controller
• Scales in place without upgrades
[Chart: 802.11n increases load by up to 10x; a 10x increase exceeds controller capacity]
DISTRIBUTED SWITCHING IS BETTER FOR VOICE
Centralized Switching
• Longer path, more latency and jitter
• Vulnerable to controller congestion
• Not optimized for voice or video
Distributed Switching
• Most direct path, optimal flows
• Lowest latency in industry
• Optimized for voice—SIP-like
• Toll-quality, no dropped calls
PERFORMANCE & SCALABILITY ENHANCEMENTS
Dynamic Band Steering
Preserves b/g bandwidth for
voice and medical devices
Increases capacity 30-40%
Client Load Balancing
Prevents “front door” problem
Maximizes per-user bandwidth
Improves overall scalability
AP Load Balancing
APs dynamically assigned to
least loaded controllers
Eliminates management chore of
AP-Controller mapping
Scale capacity w/ zero config
Less waste of AP licenses
Airtime, bandwidth, QoS controls
By user, SSID or application
Voice application awareness
Active call management (CAC)
SIP inspection / prioritization
Call details record, audit trail
SmartPass dynamic authorization
Throttle down bandwidth abusers
Dynamically adjust privileges or
STEERING CLIENTS ACROSS APS AND BANDS
Most clients default to 2.4 GHz on the AP with the strongest signal
[Figure: clients entering at the point of entry are steered (1) from the 2.4 GHz radio to 5 GHz and (2) across APs]
VOICE: STATEFUL SIP AWARENESS
Easy to prioritize dedicated voice
devices correctly
Assign them to Voice SSID
Per device / user policies
But growing # of Softphones,
PDAs and Smartphones now do
data and voice
Stateful SIP awareness detects
and prioritizes
voice flows
on
any SSID
[Figure: voice flows detected and prioritized on both SSID "Data" and SSID "Voice"]
Juniper Confidential Copyright © 2010 Juniper Networks, Inc. www.juniper.net
VOICE: SIP AND WMM TSPEC INTEGRATION
Holistic approach to AP
resource management
Detects SIP call setup to get
resource requirements
Detects WMM TSPEC session
setup signaling to get resource
requirements
CAC count incremented for both
SIP and TSPEC clients
[Figure: SIP call setup and WMM TSPEC session setup both feed the AP's CAC count]
VOICE: DYNAMIC CALL ADMISSION CONTROL
CAC objective is to limit calls in
order to preserve voice quality
Session CAC
Counts sessions, not active calls
Blind to non-"voice" clients
Drops roaming calls at CAC limit
Example (limit 10): 8 voice devices associated but idle plus 2 active calls reach the limit; a new caller's session is denied, any new client session is denied, and a roaming call is denied and dropped
Dynamic CAC
Recognizes voice flows
Only considers active calls
Accepts roaming calls at CAC limit
Same example: only the 2 active calls count, so the new caller's call is accepted, the roam is accepted, and voice-grade service is preserved
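The two admission policies on the slide, written out as an added example (not Juniper/Trapeze code) so the difference can be checked against the slide's own scenario: a radio with a CAC limit of 10, eight idle voice devices and two active calls. The `Radio` model, the request kinds (`data`, `new_call`, `roam_call`) and the `roam_reserve` headroom that lets a roaming call through at the limit are assumptions made for the illustration.

```python
"""Session CAC versus dynamic CAC on one AP radio (added example).

Not Trapeze/Juniper code. The Radio model, the request kinds and the
roam_reserve headroom are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Radio:
    limit: int                                      # CAC limit configured on the radio
    sessions: set = field(default_factory=set)      # every associated station
    active_calls: set = field(default_factory=set)  # stations with a detected voice flow


def session_cac(radio, station, kind):
    """Session CAC: counts associations, not calls.

    Any station not already associated, voice or data, is denied once the
    session count reaches the limit. A roaming call is just a new
    association on this radio, so it is denied too (and the call drops).
    """
    if station in radio.sessions:
        return True
    return len(radio.sessions) < radio.limit


def dynamic_cac(radio, station, kind, roam_reserve=1):
    """Dynamic CAC: counts only stations with an active voice flow.

    kind is "data", "new_call" or "roam_call". Data sessions never touch the
    voice budget; a new call is admitted while active calls are under the
    limit; a roaming call may exceed the limit by roam_reserve (assumed
    headroom) so an in-progress call is never dropped at the boundary.
    """
    if kind == "data":
        return True
    calls = len(radio.active_calls)
    if kind == "new_call":
        return calls < radio.limit
    if kind == "roam_call":
        return calls < radio.limit + roam_reserve
    raise ValueError(kind)


def slide_scenario():
    """Radio from the slide: limit 10, 8 idle voice devices, 2 active calls."""
    idle = {f"voice-{i}" for i in range(8)}
    talking = {"call-a", "call-b"}
    return Radio(limit=10, sessions=idle | talking, active_calls=set(talking))


def saturated_scenario():
    """Ten active calls: dynamic CAC now blocks new calls but still admits a roam."""
    talking = {f"call-{i}" for i in range(10)}
    return Radio(limit=10, sessions=set(talking), active_calls=set(talking))


def decide(radio):
    """Decisions of both policies for three arrivals: a new caller,
    a data-only client, and a station roaming in with an active call."""
    requests = [("new-caller", "new_call"), ("laptop", "data"), ("roamer", "roam_call")]
    return {
        "session_cac": {kind: session_cac(radio, st, kind) for st, kind in requests},
        "dynamic_cac": {kind: dynamic_cac(radio, st, kind) for st, kind in requests},
    }


if __name__ == "__main__":
    print(decide(slide_scenario()))
    print(decide(saturated_scenario()))
```

The saturated case is the one worth noting: once ten calls are genuinely active, dynamic CAC also refuses a new call (that is its job), but the roam reserve still lets an in-progress call move onto the radio instead of dropping it.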
GRANULAR QOS AND BANDWIDTH MGMT
Per-user bandwidth limiting
Strict limiting based on QoS profiles
Optional QoS priority "demotion" for traffic exceeding BW limits
Per-SSID bandwidth limiting
Strict limiting of traffic through SSID
Granular control in units of Kbps
SSID bandwidth weighting
SSIDs assigned % of available "air time"
Enables guaranteed minimum service
[Figure: per-user limits of 1 Mbps and 2 Mbps; SSID Data1 limited to 6 Mbps and SSID Voice1 to 2 Mbps; SSID Data1 weighted to 80% and SSID Voice1 to 20% of the available medium]
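Added example (not Juniper/Trapeze code) of the two mechanisms described above: a per-user limiter with the optional "demotion" behaviour, and weighted air-time sharing between SSIDs that yields a guaranteed minimum. The token-bucket limiter and the water-filling allocation are my assumptions about how such limits are enforced, not the product's algorithm; the packet sizes, rates, weights and demands are constructed for the illustration.

```python
"""Per-user rate limiting with optional priority demotion, and weighted
air-time allocation between SSIDs (added example, not Juniper/Trapeze code).

Packet sizes, rates, weights and demands below are constructed for the
illustration; the token-bucket and water-filling choices are assumptions
about how such limits would be enforced, not the product's algorithm.
"""


def shape(packets, rate_bytes_per_s, burst_bytes, demote=True):
    """Token-bucket limiter over (time_s, size_bytes) packets, in arrival order.

    Returns one action per packet: "forward" while tokens cover the packet,
    otherwise "demote" (forwarded at lower priority) when demotion is enabled
    or "drop" for strict limiting.
    """
    tokens = float(burst_bytes)
    last_t = packets[0][0] if packets else 0.0
    actions = []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last_t) * rate_bytes_per_s)
        last_t = t
        if size <= tokens:
            tokens -= size
            actions.append("forward")
        else:
            actions.append("demote" if demote else "drop")
    return actions


def airtime_shares(weights, demands):
    """Weighted water-filling of the medium between SSIDs.

    weights: SSID -> configured share (e.g. 80/20); demands: SSID -> fraction
    of the medium it wants. An SSID needing less than its weighted share keeps
    only what it needs; the remainder is redistributed by weight. Each SSID is
    therefore guaranteed its weight as a minimum whenever it has the demand.
    """
    alloc = {}
    remaining = 1.0
    unsatisfied = set(weights)
    while unsatisfied:
        total_w = sum(weights[s] for s in unsatisfied)
        satisfied_now = {s for s in unsatisfied
                         if demands[s] <= remaining * weights[s] / total_w}
        if not satisfied_now:
            for s in unsatisfied:            # everyone wants more: split by weight
                alloc[s] = remaining * weights[s] / total_w
            break
        for s in satisfied_now:              # give them what they asked for
            alloc[s] = demands[s]
            remaining -= demands[s]
        unsatisfied -= satisfied_now
    return alloc


if __name__ == "__main__":
    pkts = [(0.0, 1000), (0.0, 1000), (1.0, 1000), (1.0, 600), (2.0, 1400)]
    print(shape(pkts, rate_bytes_per_s=1000, burst_bytes=1500))
    print(airtime_shares({"Data1": 80, "Voice1": 20}, {"Data1": 0.9, "Voice1": 0.05}))
```

With the 80/20 weighting from the figure, an idle Voice1 SSID that only needs 5% of the medium leaves 95% to Data1, but the moment Voice1 demand rises it is guaranteed its 20% regardless of how much Data1 wants, which is the "guaranteed minimum" the slide refers to.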
Pervasive Location awareness
IMPROVING EFFICIENCY WITH RTLS
1. Define all locales
2. Take RSSI fingerprints
3. Configure asset database
4. Find things fast! (e.g. an I.V. pump)
[Figure: Location Appliance]
SECURITY ADVANTAGE
Beyond basic
access control
Dynamic Authorization based on location, time-of-day, bandwidth
EXTENDING SECURITY FRAMEWORK FOR MOBILITY
[Figure: trusted and untrusted clients pass through 802.1X authentication, an endpoint integrity check, intrusion protection and the application firewall on an encrypted link to the AAA servers, with RingMaster, SmartPass and the LA-200 location appliance alongside; the rogue AP and rogue user are blocked]
Authentication & Encryption
• 802.1X, EAP-TLS, PEAP, TTLS, MAC, Web, ...
• 802.11i, WPA / WPA2
• TKIP, AES, CCMP ...
• DoDD 8100.2 and FIPS 140-2 validated
Intrusion Protection
• Core WIDS/WIPS
• Scan, detect, locate, disable rogues etc.
• Counter measures for ~40 attack types
Application Firewall
• Per user, station, group policy enforcement
• Application-aware QoS scheduling, geographic security
Authorization & Endpoint Integrity
• RADIUS / LDAP ...
• Trusted Network Connect (Trusted Computing Group)
• Microsoft NAP
• Juniper UAC
CORE IDS/IPS DETECTED ATTACKS
• Spoofed access point MAC-address attacks
• Spoofed client MAC-address attacks
• SSID masquerade attacks
• Spoofed deauthentication attacks
• Spoofed disassociation attacks
• Null probe responses
• Broadcast deauthentications
• FakeAP SSID attacks
• FakeAP BSSID attacks
• Netstumbler clients
• Wellenreiter clients
• Active scans
• Wireless bridge frames
• Adhoc client frames
• Access points present in attack-list
• Access points not present in ssid-list
• Access points not present in vendor-list
• Clients not present in vendor-list
• Clients added to automatic black-list
• Rogue access points
• Interfering access points
• Rogue 802.11 clients
• Interfering 802.11 clients
• 802.11 adhoc clients
• Unknown 802.11 clients
• Interfering 802.11 clients on wired LAN
• 802.11 probe request flood
• 802.11 authentication flood
• 802.11 null data flood
• 802.11 mgmt type 6 flood
• 802.11 mgmt type 7 flood
• 802.11 mgmt type d flood
• 802.11 mgmt type e flood
• 802.11 mgmt type f flood
• 802.11 association flood
• 802.11 re-association flood
• 802.11 disassociation flood
• Weak WEP initialization vectors
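To make a handful of the rules in that list concrete, here is an added example (not Trapeze/Juniper WIDS code) that runs simplified versions of the SSID masquerade, spoofed AP MAC, spoofed deauthentication, broadcast deauthentication, deauthentication flood and client-not-in-vendor-list checks over a constructed 802.11 frame log. The managed-AP inventory, the vendor OUI list, the flood threshold and window, and every frame record are assumptions built for the illustration.

```python
"""Rule-based WIDS checks over a constructed 802.11 frame log (added example).

Not Trapeze/Juniper code. The managed-AP inventory, vendor OUIs, thresholds
and the frame records are all constructed assumptions for the illustration;
each check is a simplified version of the rule named in the slide's list.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Assumed managed-AP inventory: BSSID -> (SSID, operating channel)
AUTHORIZED_APS = {
    "00:0b:0e:00:00:01": ("CORP", 36),
    "00:0b:0e:00:00:02": ("CORP", 6),
}
TRUSTED_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
VENDOR_OUIS = {"00:0b:0e", "00:1b:63"}   # assumed allowed client OUIs (the "vendor-list")
DEAUTH_FLOOD_COUNT = 10                   # assumed: this many deauths from one source ...
DEAUTH_FLOOD_WINDOW_S = 1.0               # ... inside this sliding window is a flood
CLIENT_SUBTYPES = {"probe_req", "assoc_req", "auth_req"}


def oui(mac):
    return mac.lower()[:8]


def analyze(frames):
    """Return sorted, de-duplicated (rule, offending MAC) alerts for a frame list.

    Each frame is a dict with t, subtype, src, dst, channel and (for beacons) ssid.
    """
    alerts = set()
    deauth_times = defaultdict(deque)   # src -> timestamps inside the current window

    for f in frames:
        src, dst, chan, sub = f["src"], f["dst"], f["channel"], f["subtype"]
        known = AUTHORIZED_APS.get(src)

        if sub == "beacon":
            if known is None and f["ssid"] in TRUSTED_SSIDS:
                alerts.add(("ssid_masquerade", src))   # unknown BSSID advertising our SSID
            elif known is not None and known[1] != chan:
                alerts.add(("spoofed_ap_mac", src))    # our BSSID heard off its channel

        elif sub == "deauth":
            if dst == BROADCAST:
                alerts.add(("broadcast_deauth", src))
            if known is not None and known[1] != chan:
                alerts.add(("spoofed_deauth", src))    # claims to be our AP, wrong channel
            q = deauth_times[src]
            q.append(f["t"])
            while q and f["t"] - q[0] > DEAUTH_FLOOD_WINDOW_S:
                q.popleft()
            if len(q) >= DEAUTH_FLOOD_COUNT:
                alerts.add(("deauth_flood", src))

        elif sub in CLIENT_SUBTYPES and oui(src) not in VENDOR_OUIS:
            alerts.add(("client_not_in_vendor_list", src))

    return sorted(alerts)


def constructed_frames():
    """Hand-built frame log: one legitimate beacon, three attacks, two probing clients."""
    def frame(t, subtype, src, dst, channel, ssid=None):
        return {"t": t, "subtype": subtype, "src": src, "dst": dst,
                "channel": channel, "ssid": ssid}

    frames = [
        frame(0.0, "beacon", "00:0b:0e:00:00:01", BROADCAST, 36, "CORP"),   # genuine managed AP
        frame(0.1, "beacon", "00:0b:0e:00:00:01", BROADCAST, 11, "CORP"),   # same BSSID on channel 11
        frame(0.2, "beacon", "00:1f:3c:12:34:56", BROADCAST, 1, "CORP"),    # evil twin advertising CORP
        frame(0.3, "probe_req", "00:1b:63:77:88:99", BROADCAST, 6),          # client from a listed vendor
        frame(0.4, "probe_req", "00:1f:3c:ab:cd:ef", BROADCAST, 6),          # client from an unlisted vendor
    ]
    # twelve broadcast deauths in 0.55 s, spoofing AP ...:02 (channel 6) from channel 1
    frames += [frame(1.0 + i * 0.05, "deauth", "00:0b:0e:00:00:02", BROADCAST, 1)
               for i in range(12)]
    return frames


if __name__ == "__main__":
    for rule, mac in analyze(constructed_frames()):
        print(f"{rule:26} {mac}")
```

The off-channel heuristic used for the two "spoofed" rules is deliberately crude: a real controller knows which frames its own APs transmitted and can also compare sequence numbers, so it does not have to rely on channel alone, and adjacent-channel bleed would make the channel test alone noisy. What the example does show is the structure every rule on that list shares: an inventory of what is authorized, a definition of what a managed AP could legitimately have sent, and a rate threshold for the flood family.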
SECURE, IDENTITY-BASED NETWORKING
Overlay on Layer 2/3 network
No VLAN / Subnet changes
User credentials define access and
network resource privileges
Different groups with different
privileges share infrastructure
Privileges and services follow users
as they roam
Privileges and services adjusted
based on time, location, activity
MOBILITY – SECURITY – SERVICES
[Figure: centralized policies held in AAA; (1) the user roams, (2) credentials & services follow the user]
Consistent mobility services across a
building, campus or enterprise
Cluster of Mobility Exchanges and
Mobility Points deliver end-to-end
session mobility
Distributed database for:
Client management
RF management
Key exchange / mgmt
Session persistence
Fast, reliable handoffs
Secure Voice and Data
802.11i and 802.11e compliant
MOST ADVANCED MOBILITY ARCHITECTURE
Anchored Mobility – Basic Roaming
• Dependence on "home" controller
• Inefficient round-trip through network
• No advance knowledge of roaming client
• No immunity to controller failure
• High rate of timeout & dropped calls
Smart Mobile - Seamless Mobility
• No dependence on controller
• Optimized flows across infrastructure
• Advance knowledge of roaming client
• Leverages resiliency in the infrastructure
• Optimized for toll-quality VoIP
[Figure: Client A and Client B, both on Subnet 1, roam between Controller A (Subnet 1) and Controller B (Subnet 2) within one Mobility Domain]
MANAGEMENT ADVANTAGE
No change to
staffing or OpEx!
WORLD-CLASS NETWORK MANAGEMENT
Planning and Deployment
3D predictive planning tool
Indoor and Outdoor network plan
Configuration and Verification
Complete offline configuration
System and service wizards
Pushes configuration to WLCs
Monitoring and Reporting
By user, radio, AP, WLC, SSID
Present location, roaming history
30 day history aids compliance
SOX, JCAHO, PCI-DSS, CALEA …
WIDS/WIPS integration
RINGMASTER – HOLISTIC RF PLANNING
• Plan entire building vs. just a floor
• Supports CAD files with pre-configured layers
• 3 dimensional model takes account of other floors
• Calculates attenuation based on building properties
• Auto generated coverage map and work order
Predictive RF
planning indoor
and outdoor
RINGMASTER – CONFIGURATION MANAGEMENT
• Wizards for services and device configuration
• Cluster-based configuration management
• Network wide change management
• All possible as in-service upgrades
• No truck-roll required
RINGMASTER – REAL-TIME MONITORING
• Easy to use Dashboard view
• Network wide fault correlation and location
• Hierarchical drill down to details
• Multi-dimensional data aggregation
• Real-time location search
RINGMASTER – COMPREHENSIVE REPORTS
• 1 hour to 30 day reporting
• Standard and customizable reports
• Performance and utilization reporting
• Mobility history and audit trail
• Comprehensive installation report
SAME SERVICE MODEL INDOORS AND OUTDOORS
Typical Indoor / Outdoor WLANs – Completely Separate Service Models
• Outdoor mesh bandwidth is premium, requiring advanced traffic engineering
• Centralized architectures are a poor fit
• Most vendors partner for outdoor APs
• Inconsistent services, limited roaming
• Dual vendors increase complexity
Integrated Indoor / Outdoor WLAN – Common Service Model & Mgmt
• Roaming, Management, QoS
• Leverages Smart Mobile local switching and traffic management capabilities
• Seamless roaming indoors / outdoors
• Allows consistent service offerings
• Unified management platform
SMARTPASS - ADVANCED ACCESS CONTROL
Dynamic Authorization
Location, date, time, behavior
Based on filters and triggers
Scheduled or on-demand
Invoked via GUI or APIs
Easy guest provisioning
Safe and scalable
Bulk name creation
Designed for non-IT staff
History and reporting
Centralized and auditable
IDENTITY-BASED NETWORKING ON STEROIDS
SmartPass delivers Advanced Access Control
Traditional view of
Identity-based networking
Ensuring consistent network access and service profiles
Based on unique user-based identification in AAA servers
Assurance of services while roaming within a location
Transparency of services across multiple locations
...
regardless of location, time-of-day and usage
Identity-based networking
with SmartPass
Augments access with advanced policies (Access Control Rules)
Enables real-time variations in service profiles and privileges
Change authorization attributes during active sessions
EXAMPLES OF DYNAMIC AUTHORIZATION
Prevent Cheating During Tests
Prevent any network access from any
device from 2pm-3pm from room 540
Lock-down Bandwidth Abusers
If traffic threshold exceeded within 1hr, during
peak hours restrict that user's bandwidth
Control Corporate Guests
Prevent Internet access unless
Corporate Guest is in Conference RM,
Time and Location-based Billing
Charge Guests for Internet access from
room, charge an event organizer for total
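Three of the examples above, written as an added illustration of what a dynamic-authorization rule set looks like when it is evaluated against a live session (this is not SmartPass code). The `Session` fields, the room and role names, the peak-hour window and the traffic threshold are assumptions chosen to make the slide's wording concrete; the billing example is left out because the slide gives no rate.

```python
"""Dynamic-authorization rules evaluated against a session context (added example).

Not SmartPass code. The Session fields, room and role names, peak hours and the
traffic threshold are assumptions that make the slide's examples concrete.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Session:
    user: str
    role: str                # e.g. "student", "employee", "corporate-guest"
    location: str            # locale reported by the location service
    now: datetime            # evaluation time
    bytes_last_hour: int     # traffic counted over the trailing hour


def in_window(t, start, end):
    return start <= t < end


# Assumed thresholds for the bandwidth-abuser rule
PEAK_START, PEAK_END = time(8, 0), time(18, 0)
ABUSE_BYTES_PER_HOUR = 2 * 1024 ** 3      # 2 GiB in one hour


def rule_exam_lockdown(s):
    """Prevent cheating: no network access from room 540 between 2pm and 3pm."""
    if s.location == "room-540" and in_window(s.now.time(), time(14, 0), time(15, 0)):
        return ("deny-all", "exam-lockdown")
    return None


def rule_bandwidth_abuser(s):
    """Throttle a user who exceeds the hourly threshold during peak hours."""
    if in_window(s.now.time(), PEAK_START, PEAK_END) and s.bytes_last_hour > ABUSE_BYTES_PER_HOUR:
        return ("throttle", "1mbps-profile")
    return None


def rule_corporate_guest(s):
    """Corporate guests get Internet access only from the conference room."""
    if s.role == "corporate-guest" and s.location != "conference-room":
        return ("deny-internet", "guest-outside-conference-room")
    return None


RULES = [rule_exam_lockdown, rule_bandwidth_abuser, rule_corporate_guest]


def authorize(session):
    """Evaluate every rule; return the actions that fire (empty list = privileges unchanged).

    Re-running this on each trigger (location change, timer, traffic counter)
    is what turns a one-time 802.1X decision into a per-session one that can
    change while the session is active.
    """
    return [action for rule in RULES if (action := rule(session)) is not None]


if __name__ == "__main__":
    print(authorize(Session("alice", "student", "room-540", datetime(2010, 5, 3, 14, 30), 0)))
```

The point to take from the rule shape is that every trigger the slide lists (location, date, time, behaviour) is just another attribute on the session; the hard part in a deployment is delivering the resulting action to the controller mid-session, which the slide attributes to SmartPass's GUI and APIs.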
RINGMASTER MANAGEMENT ARCHITECTURE
WLC Controllers
WLC Controllers
WLC Controller
CAMPUS 2
CAMPUS 1
CAMPUS 3
LAN / WAN
Unified
Management
Console
WEB
API
RingMaster
Server
WIDS/WIPS
Server
RF Firewall
Location
Appliance
Guest
Server
RMG MANAGEMENT ARCHITECTURE
WAN
RingMaster
Global
WLC Controller
RingMaster
WLC Controllers
RingMaster
Appliance
Web API
ARCHITECTURE AND PRODUCT LINE SUMMARY
SMART MOBILE: FOUNDATION FOR MOBILITY SERVICES
LEADING MANAGEMENT
Predictive RF planning, Configuration,
Monitoring & reporting, History and audit
trail, Easy guest provisioning
LOCATION AWARENESS
Perimeter Firewall, Real-time Asset
Tracking and condition monitoring
COMPREHENSIVE SECURITY
Identity based roaming, WIDS/WIPS,
Dynamic authentication, firewall
UNMATCHED RELIABILITY
Controller virtualization, Hitless failover,
100% application continuity
under failure
conditions - validated by Tolly group
SUPERIOR PERFORMANCE
Distributed switching, Lowest latency,
Efficient traffic flows, Seamless roaming,
Load balancing, Application QoS
WLC—controller family
WLC Series Highlights
Cluster Reliability
In-Service Upgrades
One Software Platform
Distributed & Centralized
Model   | Ports                                                                              | Power                                      | # APs active                 | # Sessions
WLC2    | 2 x 10/100 (1 x uplink, 1 x PoE), 1 x Console                                      | External A/C converter                     | 4                            | 75
WLC8    | 8 x 10/100 (2 x uplink, 6 x PoE), 1 x Console                                      | Single or dual internal power supplies     | 12                           | 300
WLC800R | 4 x GigE (copper), 4 x GigE (SFP), 1 x 10/100 management, 1 x Console, 1 x USB port | Dual internal power supplies               | Up to 128 (increments of 16) | 3,200
WLC880R | 4 x GigE (copper), 4 x GigE (SFP), 1 x 10/100 management, 1 x Console, 1 x USB port | Dual internal power supplies               | Up to 256 (increments of 16) | (3,200)
WLC200R | 2 x GigE (SFP), 1 x 10/100 management, 1 x Console                                 | Dual internal power supplies               | Up to 192 (increments of 32) | 3,200
WLC2800 | 2 x 10Gb (XFP/SFP+), 8 x GigE (UTP/SFP), 1 x 10/100 management, 1 x Console        | Dual internal hot-swappable power supplies | Up to 512 (increments of 64) | 12,800
Juniper wireless—WLA—Access Point Family
WLA Series Highlights
High Performance
Intelligent Switching
AP and Band Steering
Auto RF calibration
Built-in Spectrum Analysis
Bridging and Mesh
Access Point Comparison
Model                 | Form Factor                               | Radios             | Ethernet Ports                      | Antennas                                     | Advanced Features
WLA371 (a/b/g)        | Smoke Detector                            | 1 (2.4GHz or 5GHz) | 2 (10/100Mbps, 802.3af)             | Internal diversity; External (SMA)           | none listed
WLA422B (a/b/g)       | Smoke Detector                            | 2                  | 2 (10/100Mbps, 802.3af)             | Internal diversity; External (RP-SMA)        | Mesh; Distributed forwarding
WLA522 (a/b/g/n)      | Low Profile / Smoke Detector (non-Plenum) | 2                  | 1 (GigE, 802.3af)                   | Internal diversity; External (AP522E RP-SMA) | Mesh; Distributed forwarding; Spectrum-ready
WLA532 (a/b/g/n), new | (not stated on the slide)                 | 2                  | 1 (GigE, 802.3af)                   | Internal diversity; External RP-SMA          | Mesh; Distributed forwarding; Spectrum-ready
WLA432 (a/b/g/n)      | Smoke Detector (Plenum)                   | 2                  | 2 (GigE, 802.3af/af+/at)            | Internal diversity                           | Mesh; Distributed forwarding
WLA632 (a/b/g/n)      | Ruggedized Weatherproof Casing            | 2                  | 1 (GigE, 802.3af+/at, waterproofed) | External (N-type)                            | Mesh; Distributed forwarding
THANK YOU!