WLAN Design 101:

Fundamentals in the
Campus
Introduction to WLAN design
Peter Lane, Director Product Management @ArubaNetworks | #ATM16
Where to Look

#ATM16 2
Aruba Solutions Exchange

#ATM16 3
Airheads Community in Q1 16

• 41,000+ Members
• 10,000+ New Members in 2015 • New Members: 2645, 103% YoY
• 7000+ Accepted Solutions
• Page Views (Human): 1.45M, 23.5% YoY
• 30,000+ Kudos Given

• 6000+ Knowledge Base Articles • Accepted Solution Views: 335K, 62.6% YoY
• 115,000+ Total Forum Posts • Knowledge Base Views: 275.7K, 124% YoY
• 170+ Countries Represented

#ATM16 4
Factors to Consider when choosing a network solution

– User Expectations – Locations

– Voice/Roaming – How many?
– Areas to cover (bathrooms, stairwells, – How large?
elevators, parking lots)
– How many Users?
– Video – Backhaul to the DC?
– Uptime
– Speed
– Operational
– Lifetime of the deployment
– Policy control – Cost
– Block any traffic?
– Replacement/refresh cycle
– Throttle any traffic?
– QOS
– Posture assesment

#ATM16 5
AP Decision Points
– AP Model
– WiFi Standard
– 11ac wave 1 is the baseline
– Wave 2 is coming but not many clients yet
– Scale (device count)
– Number of concurrent users
– Common use cases
– Backhaul
– 1 gbps backhaul recommended
– Dual backhauls to separate switches recommended for areas that need high availability (healthcare)
– 10 gig uplinks from the edge switch

– Placement
– Typically every 40-50 feet
– <40 feet requires special RF design work
– >50 feet may not keep up with client density

#ATM16 6
 Broad of
Broad Portfolio Portfolio of WLAN Connectivity
WLAN Connectivity

Indoor Access Points Hardened Access Points

Hospitality Access Points

Outdoor Access Points

Remote Access Points

Beacons

#ATM16 7
AP Modes
CAP RAP IAP

#ATM16 8
Forwarding Modes and Traffic Processing

Campus Campus Remote

Deployment ModeDeployment Decrypt- InstantDecrypt- Split-
TunnelMode Tunnel
Decrypt-
Bridge Tunnel Bridge
(per-VAP setting)
(per-VAP setting) Tunnel Tunnel Bridge Tunnel Tunnel

802.11 Mgmt Frame

802.11 MgmtAP Frame AP AP AP AP AP AP AP AP AP
Processing Processing

Encryption and Encryption and

Decryption (per-VAP Controller
Decryption (per-VAP AP
Controller AP AP Controller
AP AP AP AP
setting) setting)

Client Traffic Client Traffic

Controller Controller
Controller APController
Controller
AP Controller AP AP
Forwarding done by
Forwarding done by

Firewall policies FirewallController

policies Controller
Controller APController
Controller
AP Controller AP AP
applied by applied by

Note: Decrypt-Tunnel requires CPsec to be turned on

#ATM16 9
WWAS16 | Confidential

Radio Modes

Hybrid AP Dedicated Air Monitor Spectrum Monitor

• Client Access • Air monitor 2.4 and 5 GHz • Air monitor 2.4 and 5 GHz
• Scan 2.4 and 5 GHz • Air monitor 4.9 GHz • IDS detection
• IDS detection • IDS detection • Rogue detection
• Rogue detection • Rogue detection • Interference detection
• Interference detection • Rogue containment • Interference classification
• Interference classification • Interference detection

#ATM16 10
Controller Decision Points

– AP Count
– Current number of APs
– Redundancy design (active+active, n+1, none)
– Leave headroom to grow and evolve (AP count <80% of supported max)
– Client count
– LPVs may require additional controllers for client support
– Throughput
– Redundancy
– Master/Local domains for large networks

#ATM16 11
Branch and Campus Controller Portfolio

7240 2048 AP/32K Devices, 40 Gbps

7220 1024 AP/24K Devices, 40 Gbps

7210 512 AP/16K Devices,

20 Gbps

7205 256 APs/8K Devices, 12 Gbps

Scale

7030 64 AP/4K Devices, 8 Gbps

7024 32 AP/2K Devices,
24 PoE, 4 Gbps

7010 32 AP/2K Devices, 12 PoE, 4 Gbps

VMC-TACT 32 AP/512 Devices, 0.4 Gbps

7005 16 AP/1K Devices, 2 Gbps

Performance
#ATM16 12
Role Based Security Architecture

Role-Based
Access Control
Access Rights
SSID-Based
PoS Access Control PoS
RADIUS
LDAP
Virtual-AP 2 AD
SSID: Corp Data
Data Corporate
Services
Voice
Voice

Virtual-AP 1 Signage
Signage SSID: GUEST ClearPass

Guest Secure Tunnel

To DMZ
Captive Portal

Guest
DMZ

#ATM16 13
 Controller Roles
– Master Controller’s primary responsibilities – Branch Office Controller
– Global configuration – ZTP
– Global Monitoring
– ARM
– Processing IDS events and alerting
– Initial AP Termination – AP termination
– Centralized license Server – User traffic
– Centralized whitelist – Apply Firewall rules (DPI, content
– CPSec trust anchor filtering)
– Can terminate APs but not recommended – PBR
– WAN visibility
– Local Controller’s primary responsibilities
– Local Config
– Adaptive Radio Management (ARM)
– AP termination (GRE tunnel from AP to Controller)
– User traffic
– Apply firewall rules
– VLAN tagging
#ATM16 14
WWAS16 | Confidential

Large Campus
– Definition
– Large number of buildings (3 – 500+)
– Large number of users (2,000+)
– Good backhaul between buildings. 10 gig or higher depending on building type and device usage
– Universities, Healthcare, Global HQs, etc.

– Typical Deployment
– Centralized controllers.
– Master/Local Architecture
– . Up to 15k APs, 150k users in one master local domain
– If you need to have multiple master/locals, break it based on natural RF dead zones
– DHCP controller discovery
– AP fast failover: Acitve:Active
– VRRP for LMS IP, centralized licensing master/backup and Master controller Master/backup master

#ATM16 15
CAP/RAP Boot Process

#ATM16 16
Master Controller Discovery
– Static Assignment (rare)
– Controller IP address is provisioned and saved in AP Flash
– Dynamic Assignment
– DHCP request (Option 43)
– AP multicasts Aruba Discovery Protocol (ADP) packets to group 239.0.82.11
– AP broadcasts ADP packets to L2/L3 recipients
– AP sends DNS query
– Who is “aruba-master.domain.com”
– “domain.com” supplied by DHCP
– “DNS server” supplied by DHCP

#ATM16 17
AP Controller Discovery Process
Gets IP Address
DHC
P

Yes Firmware No
Option 43 Controller Match ? Update
Firmware

No
Yes

Yes Download
ADP
Configuration

No

No, Reboot and Start again No

Yes Connected to Go to LMS
DNS
LMS ?

Yes

Come up in
Default Group

#ATM16 18
Master discovery packet capture

DHCP Process

ADP Process

DNS Process

#ATM16 19
What is LMS Controller?
Master Controller

AP Group = California AP Group = New York

LMS = 10.10.1.1 LMS = 20.20.1.1
Local Controller Local Controller

10.10.1.1 20.20.1.1

#ATM16 20
High Availability roles
A Controller can be configured one of 3 HA roles:-

– Active – Controller that serves APs, but cannot serve as failover standby for an AP except those
it serves as a active controller.
– Standby – Controller acts as failover backup controller, but cannot be configured as primary
controller for an AP.
– Dual – A dual controller can support both roles i.e. acting as active controller for one set of APs,
and a standby controller for other set of APs

#ATM16 21
AP Fast Failover Deployment Models
Controller 1 Controller 2
HA Role Dual HA Role Dual

Controller 1 Controller 2
HA Role Dual HA Role Dual
Active / Active

Controller 1 Controller 2 Controller 3

HA Role Active HA Role Active HA Role Standby Active / Standby

N+1 AP connection to its Active controller

AP connection to its Standby controller

#ATM16 22
AP Fast Failover – AOS 6.4

– Inter Controller Heartbeat

– Client state sync
– N+1 Oversubscription

#ATM16 23
Inter Controller Heartbeat - Introduction
• Faster detection of Active controller failure
– Heartbeat from standby to active controller
– Heartbeat interval - 100ms (Default)
– Heartbeat threshold – 5 (Default)
• Failover time less than 1 sec
• Supported on all controller platforms except 650/620
• Active/ Active, Active/Standby and N+1 topology supported
• Standby can heartbeat max 7 active controllers at a time
• AP’s heartbeat mechanism (8 missed HB) will be used when there is connectivity issue on AP
side

NOTE: Make sure link latency between two controllers is less than 100 ms

#ATM16 24
InterController Heartbeat Flow

Active Controller Standby Controller

LMS selects a AP connects to LMS

Standby for AP LMS notifies Standby controller IP Standby identifies

from HA group
Hello message with “standby” flag set Active controller IP
from Hello message
Hello Response
AP UP
Heartbeat to controller every 100 ms
Heartbeat sent count = 1
Heartbeat Response
Reset Heartbeat sent count = 0
Heartbeat to controller every 100 ms
Heartbeat sent count = 1
Heartbeat to controller every 100 ms
Heartbeat sent count = 2
Heartbeat to controller every 100 ms
Heartbeat sent count = 3
Heartbeat to controller every 100 ms
Heartbeat to controller every 100 ms
Heartbeat sent count = 4
Heartbeat sent count = 5
AP Failover request message
AP deauth all clients AP Failover response
and failover to standby AP is Active on Standby

#ATM16 28
AP Fast Failover – AOS 6.4

– Inter Controller Heartbeat

– Client state sync
– N+1 Oversubscription

#ATM16 29
Client State Sync - Introduction

• PMKID, Role and Vlan synced between controllers

• Controllers sync keys through IPSec tunnel
• Supported on 72xx, M3 and 3600 controllers
• Supported on Active : Active, Active : Standby and Master : Standby Master topology
• NOT supported for N+1 over subscription model

#ATM16 30
Client State Sync – Failover Scenario

Active Controller IPSEC Tunnel Standby Controller

1. Client successfully
authenticates to dot1x ssid;
PMK-SA is generated

#ATM16 31
Client State Sync – Failover Scenario

2. PMK-SASync

Active Controller IPSEC Tunnel Standby Controller

1. Client successfully
authenticates to dot1x ssid;
PMK-SA is generated

#ATM16 32
Client State Sync – Failover Scenario

2. PMK-SASync

Active Controller IPSEC Tunnel Standby Controller

1. Client successfully
authenticates to dot1x ssid;
PMK-SA is generated

3. On failure of Active
controller, AP deauths client
and failovers to Standby

#ATM16 33
Client State Sync – Failover Scenario

2. PMK-SASync

Active Controller IPSEC Tunnel Standby Controller

1. Client successfully 4. Client re-assoicates and

authenticates to dot1x ssid; performs 4-way key
PMK-SA is generated exchange only

3. On failure of Active
controller, AP deauths client
and failovers to Standby

#ATM16 34
Supported Topologies

– Inter Controller Heartbeat and Client State Sync is not supported in Master-Standby Master
topology because standby controller does not allow AP termination unless its VRRP state
becomes active.

#ATM16 35
AP Fast Failover – AOS 6.4
– Inter Controller Heartbeat
– Client state sync
– N+1 Oversubscription

#ATM16 36
N+1 Oversubscription - Introduction

• Allows backup controller to terminate standby AP tunnels above its platform limit
• Supported for 72xx, M3 and 3600 controllers
– 72xx allows 4 times oversubscription
– M3 & 3600 allows 2 times oversubscription
• Centralized licensing is recommended for this feature

Example Controller 1 Controller 2 Standby Controller (# AOS 6.3 AOS 6.4

(# of APs) (# of APs) of standby APs)

1 7210 (512) 7210 (512) 7210 (1024)

#ATM16 37
N+1 Oversubscription

Active 7210 Controller Active 7210 Controller Active 7210 Controller Active 7210 Controller Standby 7210 Controller

512 AP’s 512 AP’s 512 AP’s 512 AP’s

#ATM16 38
N+1 Oversubscription

Active 7210 Controller Active 7210 Controller Active 7210 Controller Active 7210 Controller Standby 7210 Controller

512 AP’s 512 AP’s 512 AP’s 512 AP’s 512 AP’s

#ATM16 39
N+1 Oversubscription – Standby AP support

Platform Max # APs Max GRE Tunnels Ratio

7005 16 512
7010 32 1024
7024 32 1024
7030 64 2048
3600 128 8192 2:1
M3 512 16384 2:1
7205 256 8192 4:1
7210 512 16384 4:1
7220 1024 32768 4:1
7240 2048 65535 4:1

#ATM16 40
N+1 Oversubscription – Caveats

• Client state sync is not supported for N+1 topology

• Only standby AP limits are being extended
– User-table, station-table, IPSec tunnel limits remain as it is

#ATM16 41
WWAS16 | Confidential

Large Campus
– Definition
– Large number of buildings (3 – 500+)
– Large number of users (2,000+)
– Good backhaul between buildings. 10 gig or higher depending on building type and device usage
– Universities, Healthcare, Global HQs, etc.

– Typical Deployment
– Centralized controllers
– Master/Local Architecture
– . Up to 15k APs, 150k users in one master local domain
– If you need to have multiple master/locals, break it based on natural RF dead zones
– DHCP controller discovery
– AP fast failover: Acitve:Active
– VRRP for LMS IP, centralized licensing master/backup and Master controller Master/backup master

#ATM16 42
What about putting a controller in each building?

– Supported deployment
– Rare due to increased controller cost
– Appropriate for large buildings with small backhauls between buildings

WWAS16 | Confidential #ATM16 43

WWAS16 | Confidential

K-12 Deployment Types

– Central Controllers – Controllers per school – Instant

– Architecture: – Architecture: – Architecture:

– Master/Local centralized in DC – Local Controller per school – IAPs
– AP Fast Failover: N+1 – Master controller in DC – AirWave
– DHCP discovery – Optional
– Standby Failover controller in DC – Common for schools:
– Common for schools with:
– Fiber between them – AP FF Active Active per school – Aerohive has talked with them
– Traffic typically heading through the – Common for schools with: – Not a fan of controllers
DC – Comfortable with configuring
– Weak connections between
– Benefits: schools or back to DC VLANs
– Leverage low cost large scale – Traffic patterns that go straight to – Benefits:
controllers the internet
– Simple fail over solution – ZTP
– Benefits
– Single point of config for all – Great redundancy
– All controller features
controllers – Low Cost (not as low as you
– Single master configuration point
– Single location for all controllers for all schools think)

#ATM16 44