
Aruba: Converged Access

Written by IPTel Solutions | 1 March 2019 1:16:11 AM

Bringing Wired and Wireless Together

IPTel are vendor independent, and while Cisco remain the predominant market player in the enterprise space, Aruba - or HPE - are undoubtedly gaining ground. This week we've been getting intimate with Aruba's OS 8.0 software and specifically its ability to see exactly what is happening on your network.

Wired and wireless networks have long formed the backbone of user connectivity, and the two are becoming more and more integrated - notably through concepts such as SDN (Software Defined Networking), which provides an overlay to the network and with it a consistent management experience.

Aruba are keen to promote the features which monitor and display traffic types in a very readable fashion. While this can easily be done by 3rd party URL filters such as Firesight, Scrutiniser or Websense at the gateway, performing the inspection at the controller means you catch the intra-network traffic as well, not just what crosses the perimeter.


'AppRF' performs deep packet inspection (DPI) on the local wireless traffic, working at Layer 7 to detect over 1500 applications. From this you can configure policies to reject or throttle traffic, or tag it with a particular QoS value. Tagging is often preferable to blocking: on a quiet weekend, for example, you may be more than happy to let students stream YouTube clips where the bandwidth would otherwise go to waste.

Aruba promote the notion of assigning 'roles' to people or things: a guest role may have a limited and less urgent requirement, a corporate role a moderate but trusted position, while a printer may possess a role of its own and offer no threat. Policies are then created against those roles rather than against individual devices or addresses.

With more applications moving to the web, Web Content Classification (WebCC) is added to the mix. Aruba leverage a 3rd party (Webroot) cloud-based service to dynamically determine the types of websites being visited, and their safety.

Example of Aruba MC Dashboard


The dashboard on the right shows an example of how this looks.

Convergence with Aruba

In most networks, disparity exists between wired and wireless traffic with different standards, different policies and separate monitoring engines. It is expected that by late 2018, WiFi will account for 49% of traffic, cellular 12%, and fixed traffic 39%. Hence Aruba's take is to channel energy into the wireless sphere and take advantage of it for wired gains.

This is nothing new in itself: as far back as 2011 wired traffic was being GRE tunnelled to the wireless controllers. What is new is the tighter integration with ClearPass and AirWave management, which allows features previously absent. Juniper and Aruba have also recently agreed to offer converged wired and wireless networks combining their respective products, so there is no longer a tie to a single proprietary solution.


Aruba's Converged Access

The latest feature, user-based tunnelling, means a more intelligent approach can be taken to handling the device on the switchport, especially when combined with ClearPass, which is able to profile the device and categorise it. Traffic may be switched locally or tunnelled to the controller depending on the role. Hence some ports may be treated as more trusted than others, or you may simply want to relieve pressure on the controller by keeping trusted traffic local.
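To make the role model concrete, here is a small policy engine, written for this post as an added example (it is not Aruba's code, CLI or configuration syntax). It assumes a device has already been assigned a role by authentication or profiling, that DPI has labelled the flow with an application name, and that a WebCC-style service has supplied a web category and a 0-100 reputation score (the score scale, the role names, the application names and the 512 kbps contract are all constructed for the example). Rules are evaluated first-match, untrusted roles are tunnelled to the controller while trusted roles switch locally, and guest streaming is throttled in business hours but merely tagged best-effort at quiet times, matching the AppRF and user-based tunnelling points above.

```python
"""Hypothetical role-based policy engine (added example, not Aruba's own code).

A Flow carries the three inputs the post describes: the device's role,
the DPI application label and the web category/reputation. A Verdict is
what the network does with it: permit/deny/rate-limit, an optional DSCP
mark, and whether the switchport forwards locally or tunnels to the
controller (user-based tunnelling).
"""
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    role: str            # assigned by authentication/profiling (constructed names)
    app: str             # DPI classification, e.g. "youtube" (constructed)
    web_category: str    # WebCC-style category, e.g. "streaming", "malware"
    reputation: int      # constructed 0-100 scale, lower is riskier
    when: datetime       # time the flow was seen


@dataclass(frozen=True)
class Verdict:
    action: str                  # "permit" | "deny" | "rate-limit"
    dscp: Optional[int] = None   # QoS marking to apply, if any
    kbps: Optional[int] = None   # bandwidth contract when rate-limited
    forwarding: str = "local"    # "local" or "tunnel"
    rule: str = "default"        # name of the matching rule, for logging


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Flow], bool]
    verdict: Verdict


def is_quiet_period(t: datetime) -> bool:
    """Weekend, or a weekday outside 08:00-18:00 (assumed business hours)."""
    return t.weekday() >= 5 or not (8 <= t.hour < 18)


# Untrusted roles are tunnelled so the controller can inspect them;
# everything else is switched locally to relieve the controller.
TUNNELLED_ROLES = {"guest", "unknown"}

def forwarding_for(role: str) -> str:
    return "tunnel" if role in TUNNELLED_ROLES else "local"


STREAMING = {"youtube", "netflix", "twitch"}      # constructed app labels
PRINT_PROTOCOLS = {"ipp", "lpd"}                  # what a printer role may use

# Ordered rule list; first match wins. Rule.verdict.forwarding and .rule
# are filled in by evaluate(), so they are left at defaults here.
RULES = [
    Rule("block-risky-web",
         lambda f: f.web_category == "malware" or f.reputation < 20,
         Verdict("deny")),
    Rule("printer-print-only",
         lambda f: f.role == "printer" and f.app not in PRINT_PROTOCOLS,
         Verdict("deny")),
    Rule("guest-streaming-busy",
         lambda f: f.role == "guest" and f.app in STREAMING
         and not is_quiet_period(f.when),
         Verdict("rate-limit", kbps=512, dscp=0)),
    Rule("guest-streaming-quiet",
         lambda f: f.role == "guest" and f.app in STREAMING
         and is_quiet_period(f.when),
         Verdict("permit", dscp=0)),            # tag best-effort, don't block
    Rule("corporate-business-apps",
         lambda f: f.role == "corporate" and f.web_category == "business",
         Verdict("permit", dscp=34)),           # AF41 for trusted business apps
]
DEFAULT = Verdict("permit", dscp=0)


def evaluate(flow: Flow) -> Verdict:
    """Return the first matching rule's verdict, with the role's forwarding mode."""
    fwd = forwarding_for(flow.role)
    for rule in RULES:
        if rule.match(flow):
            return replace(rule.verdict, rule=rule.name, forwarding=fwd)
    return replace(DEFAULT, forwarding=fwd)


def decide(role: str, app: str, web_category: str, reputation: int,
           when_iso: str) -> Verdict:
    """Convenience wrapper: build a Flow from plain values and evaluate it."""
    return evaluate(Flow(role, app, web_category, reputation,
                         datetime.fromisoformat(when_iso)))


if __name__ == "__main__":
    # Constructed sample flows: a Wednesday in office hours and a Saturday.
    samples = [
        ("guest", "youtube", "streaming", 80, "2019-02-27T10:30:00"),
        ("guest", "youtube", "streaming", 80, "2019-03-02T10:30:00"),
        ("corporate", "salesforce", "business", 90, "2019-02-27T10:30:00"),
        ("printer", "http", "business", 90, "2019-02-27T10:30:00"),
        ("corporate", "update.example", "malware", 5, "2019-02-27T10:30:00"),
    ]
    for s in samples:
        print(s[:3], "->", decide(*s))
```

The rule order matters: reputation and malware checks sit first so that no role, however trusted, bypasses them, and the printer rule follows so a printer that suddenly starts browsing is denied even though its role is "no threat". In a real deployment the forwarding decision would be applied at the switchport and the action/DSCP at the controller or switch, but the decision logic is the same.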

Cisco

Cisco are taking a slightly different approach to convergence. They have already taken wireless to the switch by embedding a WLC within the Cisco 3850, 3650, 4500E and 6800, and more recently the 9000 series of switches. However, the latest buzz around Cisco's software defined access (SD-Access) sees a certain level of abstraction in force, whereby the user, device or application is separated from the infrastructure.

The solution is made up of a controller-based orchestrator (DNA Center, where DNA stands for Digital Network Architecture), a Cisco ISE server, and a single network fabric encompassing wired and wireless devices. This ultimately makes for a consistent user experience over the wire and over the air. Policies are built on the DNA controller and presented as virtual network overlays, so security is maintained without knowledge of, or care for, the actual mechanics (VLANs, switchports, routing, etc).

This is only possible with switches offering advanced capabilities and programmability, such as support for LISP (Locator/ID Separation Protocol) at the data and control planes - essentially a method of separating an endpoint's identity from its actual location. Hence where Aruba/HPE are tying their traffic together and parsing it in one place, Cisco are going for a more complex distributed and virtualised model.

Conclusion

With the growing use of Bring-Your-Own-Devices in the workplace, more emphasis will be placed on integration, security, tracking and visibility.

There's more than one way to skin a cat but whichever method becomes the clear winner, there is no doubt that wired and wireless will come together at some point, just like data and voice, audio and video, or ... <insert favourite combination here> apple pie and custard.
