Solution Brief

Mobility Optimized Access Layer
Completing the Hive with Aerohive Switches

Designing for Mobile First

Legacy enterprise networks were never designed to accommodate the complexity of a mobile-first enterprise, one where the focus is on the user and the device and the primary access medium is wireless. In a traditional enterprise network design, the network policy, including access, priority, and security requirements, is applied based on a physical port, a VLAN, or even an SSID. In these network-centric environments, network elements could be managed as individual devices by disparate management systems because they were comparatively simple and end users were static. Trying to accommodate the modern-first reality, where wireless is the primary access layer and where users are doing mission-critical work from virtually any location, with these legacy systems is cumbersome. This typically leads to adding wireless functionality as an overlay to the legacy infrastructure and managing it as a separate solution.

The modern mobile-first network requires a mobility-optimized approach that is not dependent on network access and is more user-centric. Context elements, such as user identity, device type, application, location, and time of day, are the primary building blocks used to create granular policies that dictate how, when, and what the user can access. Even more importantly, supporting mobility means ensuring the user experience is optimized based on that context. Trying to deliver the required levels of manageability and control associated with enterprise mobility using legacy suboptimized systems is virtually impossible and significantly increases the operational burden on IT departments. In comparison, designing for a mobile-first enterprise leads to a mobility-optimized approach that focuses on tightly integrated systems that reduce the complexities of a highly mobile user base.

In response to this growing need, Aerohive is expanding its cloud-networking portfolio to include enterprise-class access switches that will greatly simplify network management and provisioning. When combined with Aerohive's access points and branch routers, this approach not only allows the access layer to be managed as a single unified entity, but it also allows management information to be presented by context: user identity, device type, application, location, and time. While adding the user-centric intelligence of Aerohive Wi-Fi to enhance a legacy enterprise network is an excellent first step and is valuable in its own right, complementing the Wi-Fi with Aerohive access switches and/or branch routers creates a mobility optimized access layer, substantially improves the visibility and control that IT has over the access layer, and reduces the operational cost associated with a modern mobile-first enterprise.

Copyright 2013, Aerohive Networks, Inc.

Enter the Aerohive SR series of enterprise access switches

Aerohive Networks SR platforms combine enterprise-class access switching with cloud-enabled management, on-demand provisioning, and secure branch routing to provide an advanced networking feature set to the edge of your network. Built on the deep, feature-rich HiveOS operating system, the SR platforms offer state-of-the-art gigabit switching with advanced features like user-based QoS and 802.1X multiple authentication for voice and data coexistence, along with traditional switch features such as LLDP, Spanning Tree, and IGMP snooping. In addition, the SRs accelerate branch consolidation efforts by integrating secure branch routing, 3G/4G connectivity, and advanced switching to provide an all-in-one solution for branch offices. Combining these capabilities with cloud-based services such as hands-free configuration and updates and unified wired and wireless policies allows the SRs to join the rest of the Aerohive Cooperative Control devices to provide a seamless, mobile-optimized experience for all connected users.

Secure Switching with On-Demand Provisioning

The SR series are gigabit switches with high-power PoE for security cameras or high-powered versions of new 802.11ac APs, and support the advanced capabilities of HiveOS, including RADIUS, 802.1X security, and cloud-based management. By integrating with the Aerohive Cloud Services Platform, the SR series can be brought online by simply shipping the equipment to the install site and plugging it in. The SR will automatically find the HiveManager, either in Aerohive's public cloud or on a customer premises, download complete configuration, security, and corporate policies, and instantly provide service for connected devices.

Cloud-Enabled Stacking - The SR switches support Aerohive Cooperative Control protocols, allowing them to interoperate with other HiveOS devices and securely share policy information.
By using the unified policy configured in HiveManager, it is possible to combine multiple Aerohive SR switches together to provide a seamless experience for connected clients, even if the devices aren't in the same physical location. Devices can be put into groups and managed and monitored as a single group. Cloud-enabled stacking doesn't require additional configuration or ports, proprietary cables or protocols, or concern for geography.

Multi-Level Authentication - In keeping with the focus on unified security across the access layer, the Aerohive switches also support multi-level authentication, which allows an administrator to specify multiple types of authentication per port, such as MAC authentication and 802.1X, and the order in which they will be processed. This provides flexibility to use the port for multiple purposes while still ensuring the access ports are secured.

Branch Consolidation

SRs combine a powerful branch router, stateful firewall, and enterprise-class switch offering full-line rate switching along with IPSec VPN, 802.1X, Policy-Based Routing, Cloud Proxy, and 3G/4G WAN diversity. The SR Series offers administrators the flexibility and ease-of-use required to drastically reduce the time-to-operation and expenses associated with managing large-scale branch deployments.

Being part of the Hive

The SR family leverages Aerohive HiveOS Cooperative Control to provide robust switching functionality that is in harmony with the Wi-Fi infrastructure, including unified policy, management, and reporting. Since the SR series joins the Hive created by Aerohive devices sharing information using the cooperative control protocols, these switches learn context from the APs or branch routers, including user identity and device type. This information can be used in policy enforcement decisions in the switch, such as routing, firewall, or Quality of Service (QoS).

The SR can also route, filter, or prioritize traffic based on an assigned user profile. For example, during a WAN outage when WAN traffic is rerouted to a 4G connection, all BYOD users or guests could be excluded from routing out the expensive mobile connection. Another example could include a firewall policy that allows contractors access to certain resources but not others based on their identity. This approach also means that network policies can be used on both wired and wireless devices and the configuration of these policies can be done centrally from a single management console.

Aerohive HiveManager provides a single workflow to configure all HiveOS devices, starting from the SSID, where an administrator can define the network, authentication, user profiles, and security policies assigned to wireless users based on their identity and device. The administrator can then move on to configuring wired access ports using the same user profile and security policy elements assigned to the SSID(s). The port configurations are extremely flexible, and allow for standardizing switching configurations across an entire organization. Continuing through the workflow, administrators can move on to services such as IPSec VPN, Identity-based routing, and Bonjour Gateway that again can reuse the policy elements configured above. Not only does this take the guesswork out of configuring consistent policies and services on separate network devices, but it also means that network configuration is easily replicable on hundreds or thousands of devices.

Unified Policy and Workflow

Step 1: Wireless Access Configuration
Step 2: Wired Access Configuration
Step 3: Services Configuration

Once the policy is complete and the devices have all retrieved the information from HiveManager, the administrator can use the customizable dashboard to monitor and manage the network. Administrators can use the available perspectives to detail usage trends or troubleshoot the network, or create their own perspectives to plan capacity or review analytics that detail client device types, top users and clients by data usage, and even application statistics. All of the information is available in real time as well as in historical reports that can be rolled up and distributed to provide trend information across the entire deployment.

Optimizing for Mobility

Designing a solution truly focused on user mobility and enabling productivity from anywhere is something many organizations strive for in this mobile-first age. Once you have all the elements in place, ensuring optimized user experience based on what is business-critical to a particular user based on their identity and device type is the next major hurdle. With the addition of application visibility and control to HiveManager and HiveOS, administrators can see what applications are in use by each mobile user, and prioritize application and network access based on user context such as identity, device type, location and time. This user-centric policy configuration is unique to Aerohive, built upon the power of cooperative control and the HiveOS operating system, which was designed from the ground up to provide flexible and optimized user experience.

Administrators can use the powerful HiveManager dashboard to match applications with individual users, or user groups (Guest, BYOD, Employee), and in just a few clicks modify their unified policies to block, limit or prioritize the applications. The robust traffic shaping capabilities on Aerohive access points include almost 1000 Layer 7 applications, which allows an administrator to identify and prioritize the delivery and user experience for mission-critical applications based on the type of user and device attempting to use the protocol. In addition, the stateful firewall capabilities built into access points support the ability to block or permit access to applications based on user, device type, location and time. This enables administrators to enforce policy even on evasive applications such as BitTorrent and Facebook based on identity and device type. For example, an administrator could permit access to any application for a C-level executive, block YouTube for contractors, and limit YouTube for employees.

All together, Aerohive provides comprehensive access solutions for the mobile-first enterprise. Built from the ground up for today's challenges, Aerohive sets new standards for how to address the global trends that are impacting every organization with a unique and powerful combination of distributed networking intelligence and an industry-leading cloud services infrastructure. This allows Aerohive to deliver secure, mobility-optimized access to every site with consistent, predictable service and maximum security. Enabling secure mobility regardless of the user's location or device and optimizing the user experience with mobile applications allows the enterprise to enjoy greater productivity, improved employee morale, and better customer service, while at the same time reducing cost and complexity. Aerohive truly transitions work from a place you go to a thing you do.

About Aerohive

People want to work anywhere; on any device, and IT needs to enable them -- without drowning in complexity or compromising on security, performance, reliability or cost. Aerohive's mission is to Simpli-Fi these enterprise access networks with a cloud-enabled, self-organizing, service-aware, identity-based infrastructure that includes innovative Wi-Fi, VPN, branch routing and switching solutions. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. The company's investors include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light Venture Capital, New Enterprise Associates, Inc. (NEA) and Institutional Venture Partners (IVP). For more information, please visit www.aerohive.com, call us at 408-510-6100, follow us on Twitter @Aerohive, subscribe to our blog, join our community or become a fan on our Facebook page.

Corporate Headquarters
Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, California 94089 USA
Phone: 408.510.6100
Toll Free: 1.866.918.9918
Fax: 408.510.6199
info@aerohive.com
www.aerohive.com

EMEA Headquarters
Aerohive Networks Europe LTD
The Courtyard
16-18 West Street
Farnham
Surrey, UK GU9 7HW
+44 (0)1252 736590
Fax: +44 (0)1252711901