BUILDING A MISSION CRITICAL WIRELESS NETWORK TO SUPPORT THE GROWING DEVICE PROLIFERATION
Maxime Deparisse
07/09/2012
AGENDA
- Old WLAN Network Model
- High availability WLAN model
- High Performance WLAN Network
- High density deployment
- New WLAN security options
Copyright 2012 Juniper Networks, Inc. www.juniper.net
PROBLEMS WITH OLD CAMPUS WIRELESS
Thin AP deployment model:
- All intra-AP traffic has to reach the WLAN controller
- Only N+1 redundancy
- Not scalable: adding new capacity is difficult
- Limited resiliency and throughput
Fat AP deployment model:
- Difficult to manage
- Roaming aggressiveness is weak
(Diagram: enterprise router, core switch, firewall appliance, WLAN controller, access switch, wireless access points)
SIMPLICITY AT SCALE: CONTROLLER CLUSTERING
Old and complex approach (Vendor A, Vendor B): hot stand-by or back-up controller. Discrete controllers operate independently for AP redundancy configuration. Not optimized for scale, resiliency, reliability or management.
Juniper's simplified approach: Controller A, Controller B and Controller C are clustered and act collectively as a single virtual controller for wireless configuration. Optimized for scale, reliability, resiliency and management.
SINGLE POINT OF MANAGEMENT: FEWER MANAGED DEVICES
(Diagram: Primary Seed and Secondary Seed controllers)
HOW THE CLUSTER ADDS A NEW CONTROLLER
1. The primary controller pushes configurations to the secondary seed and the members.
2. The seed pushes the configuration to the new member.
3. When a member is removed and replaced, the same process is used.
(Diagram: Primary Seed, Secondary Seed)
HOW THE CLUSTER ADDS A NEW AP
1. A new AP is introduced and contacts the Primary Seed.
2. The Primary Seed sends the AP config to the primary controller and the AP sets up a connection.
3. The Primary Seed sends the AP config to the secondary controller and the AP sets up a connection.
(Diagram: Primary Seed, Secondary Seed)
HOW CLIENTS ARE ASSIGNED PRIMARY AND SECONDARY CONTROLLERS
1. A new client associates to the system.
2. The primary controller authenticates/authorizes the client.
3. The primary propagates the session details to the backup controller for use during failure.
(Diagram: Primary Seed and Secondary Seed, each holding the client session state)
ACTIVE-ACTIVE CONTROLLERS
Same sequence: a new client associates to the system, the primary controller authenticates/authorizes it, and the primary propagates the session details to the backup controller for use during failure. Both the Primary Seed and the Secondary Seed hold the client session state.
SELF-REPAIRING CONTROL ARCHITECTURE
1. Should the Primary be taken out of service, the Secondary immediately takes over. Failover in sub-50 milliseconds.
(Diagram: Primary Seed, Secondary Seed)
NONSTOP OPERATION: HITLESS FAILOVER
2. A new Secondary is designated and is given the AP configuration and the client session state.
(Diagram: Primary Seed, Secondary Seed)
IN-SERVICE SOFTWARE UPGRADE (HITLESS UPGRADE)
1. The Primary controller initiates the upgrade sequence; it passes control to the Secondary and upgrades.
2. The Secondary passes control back to the Primary and upgrades.
3. The Primary Seed coordinates the individual member upgrades; it moves the APs to the backup controller and upgrades.
4. Each AP moves its associated stations to an alternate AP, then upgrades.
(Diagram: Primary Seed, Secondary Seed)
UNIQUE FLEXIBILITY OF THE CLUSTER ARCHITECTURE
As soon as WLCs are installed in the same DC, AP affinity can be used.
(Diagram: DC 1 with AD/DHCP/DNS, RingMaster, SmartPass and WLC1 / WLC2; DC 2 with WLC3 / WLC4; Remote Site 1 and Remote Site 2 with local DHCP, reached over the WAN; subnets 192.168.1.0/24 through 192.168.6.0/24)
CONTROLLER VIRTUALIZATION: A COST-EFFECTIVE SOLUTION
Non-Juniper redundant licenses, 200 APs: each controller is licensed for 256 APs, so 512 licenses are required.
Juniper high availability licenses, 200 APs: a virtual controller cluster in which each controller is licensed for 128 APs*, so only 256 licenses are required. Each controller supports 100 APs. If a controller fails, its APs fail over to the remaining controller, which then supports all 200 APs.
*Note: Juniper 2800 licenses are sold in blocks of 64.
PERFORMANCE WLAN CRITERIA
- Bandwidth: 802.11n, 3T3R, TxBF, Airtime Fairness
- Load balancing across APs and radios
- Avoid interference: Wi-Fi and non-Wi-Fi
- Avoid latency: local switching
- Avoid broadcast: DHCP, multicast
WIRELESS LAN TECHNOLOGY STANDARDS
2.4 GHz band: 3 non-overlapping channels
- 802.11g: 6 to 54 Mbps data rates
- 802.11ng: 6.5 to 195 Mbps data rates
5 GHz band: 20 non-overlapping channels (region dependent)
- 802.11a: 6 to 54 Mbps data rates
- 802.11na: 6.5 to 450 Mbps data rates
Note: the 802.11n standard allows for data rates up to 600 Mbps.
Note: throughput is between 50% and 60% of the data rate (full duplex).
INDOOR 11N AP PRODUCT PORTFOLIO
- WLA321: single radio, 802.11an or gn; 1 GE interface; 802.3af/az PoE; advanced features: spectrum analysis (LR), transmit beamforming. Moderate performance.
- WLA322: dual radio, 802.11n; 1 GE interface; 802.3af/az PoE; advanced features: spectrum analysis (LR), transmit beamforming. Moderate performance.
- WLA522 / (E): dual radio, 802.11n; 1 GE interface; 802.3af PoE; advanced features: spectrum analysis (HR), wired crypto. Superior performance.
- WLA532 / (E): dual radio, 802.11n; 1 GE interface; 802.3af/az PoE; advanced features: spectrum analysis (HR), wired crypto, transmit beamforming. Highest performance.
Juniper Networks reserves the right to change product specifications without notification.
JUNIPER WLA SERIES FLAGSHIP ACCESS POINT: WLA532 INDOOR 802.11N AP
3 industry bests: highest performance AP, lowest power consumption AP, smallest form factor AP.
Mandate this technology in RFPs: 450 Mbps data rate (3x3, 3 spatial streams).
What to know:
- Juniper-designed access point
- Juniper WLAN is 15-20% less expensive when comparing complete BOMs
- Juniper WLA532 outperforms Cisco and Aruba by up to 35%, as validated by Novarum
AIRTIME FAIRNESS
What will Juniper's Airtime Fairness do for the clients? It gives each client an equal amount of airtime in which to send traffic. When a client goes into retransmission, for whatever reason, that client gets less time the next time it wants to send traffic. This improves the throughput for all the other clients connected to that AP.
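A toy model of the rule on this slide, added here as an illustration (it is not Juniper code and does not reproduce the WLA scheduler). It assumes one 100 ms scheduling round, 1500-byte frames, no PHY/MAC overhead, and that a client's share is scaled down by the fraction of frames it retransmitted in the previous round; it also shows the legacy frame-by-frame round robin that airtime fairness replaces.

```python
from dataclasses import dataclass

ROUND_US = 100_000      # constructed: one 100 ms scheduling round
FRAME_BITS = 1500 * 8   # constructed: 1500-byte frames, no overhead modelled


@dataclass
class Client:
    name: str
    rate_mbps: float          # current PHY data rate; 1 Mbps == 1 bit per microsecond
    retry_ratio: float = 0.0  # share of this client's frames retransmitted last round


def airtime_budgets(clients):
    """Equal airtime per client, reduced for clients that went into retransmission."""
    weights = {c.name: max(0.0, 1.0 - c.retry_ratio) for c in clients}
    total = sum(weights.values())
    if total == 0:  # everybody retried everything: fall back to plain equal shares
        weights, total = {n: 1.0 for n in weights}, float(len(weights))
    return {name: ROUND_US * w / total for name, w in weights.items()}


def airtime_fair_round(clients):
    """Bits delivered per client in one round when airtime is shared equally."""
    budgets = airtime_budgets(clients)
    return {c.name: round(budgets[c.name] * c.rate_mbps) for c in clients}


def frame_fair_round(clients):
    """Legacy behaviour: round-robin one frame per client, so the slow client
    holds the medium for most of the round and drags everyone else down."""
    cycle_us = sum(FRAME_BITS / c.rate_mbps for c in clients)
    cycles = int(ROUND_US // cycle_us)
    return {c.name: cycles * FRAME_BITS for c in clients}


if __name__ == "__main__":
    cell = [Client("slow-g", 6.0), Client("fast-n", 150.0)]
    print("frame fair   :", frame_fair_round(cell))    # both stuck at 576000 bits
    print("airtime fair :", airtime_fair_round(cell))  # fast-n climbs to 7500000 bits
    cell[0].retry_ratio = 0.5                          # slow-g retransmitted half its frames
    print("after retries:", airtime_fair_round(cell))
```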
TRANSMIT BEAMFORMING
TxBF is a technique that uses an array of transmit antennas to transmit radio signals with adjusted magnitude and phase at each transmit antenna, to achieve a focused beam that is targeted at the receiver. TxBF can raise the signal-to-noise ratio (SNR) at the receiver and thus improve performance.
(Diagram: focused beam)
AUTOMATIC CLIENT LOAD BALANCING
- Automatic load balancing per RF band
- Band steering: a 5 GHz-capable client is encouraged to connect at 5 GHz; a 2.4 GHz-only client connects at 2.4 GHz
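Probe-response logic that implements the two rules on this slide, added as an example (not Juniper code). It assumes a client heard probing on 5 GHz is 5 GHz-capable, that steering is done by withholding the 2.4 GHz probe response, and that a per-radio client cap (MAX_5GHZ_CLIENTS) is the load-balancing limit after which the AP stops steering; the probe log is constructed.

```python
from collections import defaultdict

MAX_5GHZ_CLIENTS = 2  # assumption: 5 GHz radio association cap used for load balancing

# constructed probe-request log heard by one dual-radio AP: (client MAC, band in GHz)
PROBES = [
    ("aa:01", 2.4), ("aa:01", 5.0),   # dual-band laptop probes both bands
    ("aa:02", 2.4),                   # 2.4 GHz-only handset
    ("aa:03", 5.0), ("aa:03", 2.4),   # dual-band phone, 5 GHz heard first
]


def bands_seen(probes):
    """Which bands each client has been heard probing on."""
    seen = defaultdict(set)
    for mac, band in probes:
        seen[mac].add(band)
    return seen


def answer_probe(mac, band, seen, assoc_5ghz):
    """Return 'respond' or 'withhold' for one probe request on `band`."""
    five_ghz_open = assoc_5ghz < MAX_5GHZ_CLIENTS
    if band == 5.0:
        return "respond" if five_ghz_open else "withhold"
    # 2.4 GHz probe from a client also heard on 5 GHz: stay silent so it
    # associates on 5 GHz instead, unless that radio is already full
    if 5.0 in seen[mac] and five_ghz_open:
        return "withhold"
    return "respond"  # 2.4 GHz-only client, or 5 GHz is full


def steering_plan(probes, assoc_5ghz=0):
    """Decision for every probe in the log given the current 5 GHz load."""
    seen = bands_seen(probes)
    return {(mac, band): answer_probe(mac, band, seen, assoc_5ghz) for mac, band in probes}


if __name__ == "__main__":
    for key, decision in steering_plan(PROBES).items():
        print(key, "->", decision)
    print("5 GHz radio full:", steering_plan(PROBES, assoc_5ghz=2))
```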
MULTICHANNEL CELL DESIGN
802.11b/g/n (2.4 GHz): 11 channels available in the U.S. (varies by regulatory domain), 3 of them non-overlapping. Ch 1 2 3 4 5 6 7 8 9 10 11.
802.11a/n (5 GHz UNII band): 20 non-overlapping channels. Ch 36 40 44 48 52 56 60 64 100 104 108 112 116 132 136 140 149 153 157 161.
Capacity: 11b 11 Mbps per channel; 11a 54 Mbps per channel; 11n 150 Mbps per channel, 450 Mbps with 40 MHz.
MULTICHANNEL DEPLOYMENT PLAN (AUTOTUNE 2.0)
2.4 GHz operation: limited to 3 non-overlapping 20 MHz channels (Ch 1, Ch 6, Ch 11).
5 GHz operation: 20 non-overlapping 20 MHz channels.
(Diagram: 2.4 GHz cells labelled Ch 1, Ch 6, Ch 11, showing intra-channel overlap for better coverage and same-channel isolation; 5 GHz cells labelled Ch 36, 40, 44, 52, 56, 60, 64, where the same channel is well isolated by more adjacent cells)
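A greedy channel planner, added as an example (not Juniper's AutoTune), that shows why the 3-channel 2.4 GHz plan forces co-channel neighbours while the 20-channel 5 GHz plan does not. The floor plan is constructed: two rows of three APs, each hearing its horizontal, vertical and diagonal neighbours, which contains four mutually adjacent APs and so cannot be coloured with three channels.

```python
CHANNELS_24GHZ = [1, 6, 11]
CHANNELS_5GHZ = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112,
                 116, 132, 136, 140, 149, 153, 157, 161]

NEIGHBORS = {  # constructed adjacency: APs whose cells overlap (symmetric)
    "AP1": {"AP2", "AP4", "AP5"},
    "AP2": {"AP1", "AP3", "AP4", "AP5", "AP6"},
    "AP3": {"AP2", "AP5", "AP6"},
    "AP4": {"AP1", "AP2", "AP5"},
    "AP5": {"AP1", "AP2", "AP3", "AP4", "AP6"},
    "AP6": {"AP2", "AP3", "AP5"},
}


def assign_channels(neighbors, channels):
    """Greedy colouring: most-constrained AP first; each AP takes the channel
    used by the fewest already-planned neighbours (ties broken by plan order)."""
    order = sorted(neighbors, key=lambda ap: -len(neighbors[ap]))
    plan = {}
    for ap in order:
        in_use = [plan[n] for n in neighbors[ap] if n in plan]
        plan[ap] = min(channels, key=lambda ch: (in_use.count(ch), channels.index(ch)))
    return plan


def cochannel_pairs(neighbors, plan):
    """Neighbouring AP pairs left on the same channel, i.e. co-channel interference."""
    pairs = {tuple(sorted((a, b)))
             for a in neighbors for b in neighbors[a] if plan[a] == plan[b]}
    return sorted(pairs)


if __name__ == "__main__":
    for label, chans in (("2.4 GHz", CHANNELS_24GHZ), ("5 GHz", CHANNELS_5GHZ)):
        plan = assign_channels(NEIGHBORS, chans)
        print(label, plan, "co-channel neighbours:", cochannel_pairs(NEIGHBORS, plan))
```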
SPECTRUM ANALYZER
Why do you need spectrum management? To get the best performance, the physical layer needs to be as clean as possible. 802.11 is wireless, and the physical layer is the air you use. A spectrum analyzer identifies interference, which enables you to:
- Avoid certain channels, with automatic frequency selection based on the SA
- Identify interferers and take action (replace, turn off or avoid the channel)
- Get an illustration of the health of the spectrum
- Plan for expansion
- Troubleshoot problems
SPECTRUM ANALYZER
Methods of getting SA information:
- From RingMaster, in the Monitoring section: RingMaster Monitoring provides a way to see interfering devices in report form
- From RingMaster Spectrum: the Spectrum view provides a live graph of the spectrum*
* Using the RingMaster Spectrum view will take the WLA out of service for client traffic
NO NEED TO COMPROMISE: JUNIPER NETWORKS WIRELESS LAN EVOLUTION
- Fat AP architecture (local switching): optimized for performance; not for security, management or reliability.
- Thin AP architecture (central switching): optimized for security and management; not for reliability or performance.
- Juniper WLAN architecture (local AND central switching): optimized for security, management, reliability and performance.
REMOTE LOCATION (NEXT GENERATION OF LS): WAN FAILURE BACKUP SCENARIO
Background: the Juniper WLAN local switching story is a good fit for remote deployments, to enable early QoS for the traffic. It also adds survivability in case the remote location router can't send traffic to the core anymore: wireless service is maintained in a WAN failure condition.
Feature description:
- New AP mode: remote-ap
- Allows an extended WAN outage window (5 days)
- Seamless re-joining to the WLC when WAN service is restored
- High-latency link deployment, and MTU independent
- Remote AP survivability
- Data path security
- Breakout to local VLAN based on SSID, user, RADIUS authentication
- Add DiffServ marking to traffic based on ACL, user, SSID, RADIUS authentication
(Diagram: core with a cluster of WLC880 and RingMaster; remote locations behind MX / SRX, connected over the WAN)
AVOIDING BROADCAST TO INCREASE PERFORMANCE
Broadcast is the network's enemy, and it is even worse on a wireless LAN. Each broadcast is sent to the entire subnet (as on a wired network), but it is also sent at the minimum data rate. Broadcast is undesirable where battery-powered devices such as phones in sleep mode wake up on receiving a broadcast packet.
Juniper provides tools to limit broadcast on the wireless LAN:
- No broadcast
- Proxy ARP
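A minimal proxy-ARP responder of the kind the slide refers to, added as an example (not Juniper code). It assumes the controller already knows each wireless client's IPv4-to-MAC binding (the client table is constructed), answers ARP requests for those clients on the wired side so the broadcast never wakes the wireless clients, and floods only requests for unknown targets.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2

# constructed client table learned from association/DHCP: IPv4 -> client MAC
CLIENTS = {
    "10.0.1.20": bytes.fromhex("02aabbccdd20"),
    "10.0.1.21": bytes.fromhex("02aabbccdd21"),
}


def build_arp(op, sha, spa, tha, tpa):
    """Serialise an Ethernet/IPv4 ARP packet (28 bytes, no Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha,
                       IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)


def parse_arp(pkt):
    """Parse the fixed 28-byte ARP body; reject anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha, "spa": str(IPv4Address(spa)),
            "tha": tha, "tpa": str(IPv4Address(tpa))}


def proxy_arp(pkt, clients):
    """Return (reply or None, flood_to_air). A reply means the broadcast request
    was absorbed on the wired side and is not transmitted over the air."""
    arp = parse_arp(pkt)
    if arp["op"] != ARP_REQUEST:
        return None, True          # replies and other opcodes are forwarded untouched
    target_mac = clients.get(arp["tpa"])
    if target_mac is None:
        return None, True          # unknown target: the request still has to be flooded
    reply = build_arp(ARP_REPLY, target_mac, arp["tpa"], arp["sha"], arp["spa"])
    return reply, False


if __name__ == "__main__":
    router_mac = bytes.fromhex("02aabbccdd01")  # constructed
    req = build_arp(ARP_REQUEST, router_mac, "10.0.1.1", bytes(6), "10.0.1.20")
    reply, flood = proxy_arp(req, CLIENTS)
    print("answered locally:", not flood, parse_arp(reply))
```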
WIFI MULTIMEDIA WITHOUT DATA RATE PROTECTION
- Multicast server sending a flow at 15 Mbps
- Multicast on the wire; the WLC is IGMP aware (report/snooping/pseudo querier)
- Multicast on wireless uses the minimum data rate for the multicast flow for all clients: 11 Mbps is not enough for the flow
WIFI MULTIMEDIA WITH DATA RATE PROTECTION
- Multicast server sending a flow at 15 Mbps
- Multicast on the wire; the WLC is IGMP aware (report/snooping/pseudo querier)
- Clients cannot join the multicast group at a rate smaller than 36 Mbps
(Diagram: the flow is delivered at 450 Mbps; the slow client is marked x)
MULTICAST TO UNICAST FOR RICH MEDIA CONTENT
Feature: Rich Media Enablers. Description: Reliable Multicast Traffic Delivery (Phase 2, IGMP-based optimization in release 8.0).
Feature rationale:
- Multicast transmission is unreliable due to the absence of a feedback mechanism in the IEEE 802.11 protocol.
- Broadcast is undesirable where battery-powered devices such as phones in sleep mode wake up on receiving a broadcast packet.
- IGMP group-based conversion is required to avoid unnecessary unicast to all clients on the affected VLAN.
Deployment types: critical requirement for education and healthcare customers, and for physical security and surveillance products/applications running "TV-like" video distribution applications.
WIFI MULTIMEDIA WITHOUT MULTICAST CONVERSION
- Multicast server; multicast on the wire; the WLC is IGMP aware (report/snooping/pseudo querier)
- Multicast transmission is unreliable due to the absence of a feedback mechanism in the IEEE 802.11 protocol
- Multicast on wireless uses the minimum data rate (11 Mbps) for the multicast flow for all clients
WIFI MULTIMEDIA WITH MULTICAST CONVERSION
- Multicast server; multicast on the wire; the WLC is IGMP aware (report/snooping/pseudo querier)
- With multicast conversion set to ON, each client gets its own flow at its own rate (diagram: 450 Mbps)
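The airtime arithmetic behind the data rate protection and multicast conversion slides above, added as an example (not Juniper code). It assumes the slide's 15 Mbps stream and 36 Mbps join threshold, that plain multicast is sent once at the lowest rate among group members, and that conversion sends one unicast copy per member at that member's own rate, with no MAC overhead modelled; the IGMP group is constructed.

```python
FLOW_MBPS = 15.0        # from the slide: the multicast server sends at 15 Mbps
MIN_JOIN_RATE = 36.0    # from the slide: data rate protection threshold

# constructed IGMP group: member -> current PHY rate in Mbps
GROUP = {"legacy-11b": 11.0, "tablet": 36.0, "laptop-1ss": 150.0, "laptop-3ss": 450.0}


def admitted(group, min_join_rate=None):
    """Apply data rate protection: members below the threshold cannot join."""
    if min_join_rate is None:
        return dict(group)
    return {name: rate for name, rate in group.items() if rate >= min_join_rate}


def airtime_fraction(members, conversion):
    """Share of each second of airtime needed to deliver FLOW_MBPS to members."""
    if not members:
        return 0.0
    if conversion:
        # one unicast copy per member, each clocked at that member's own rate
        return sum(FLOW_MBPS / rate for rate in members.values())
    # one multicast copy for everyone, clocked at the slowest member's rate
    return FLOW_MBPS / min(members.values())


def delivery_plan(group, conversion=False, min_join_rate=None):
    """Who gets the stream, how much airtime it costs, and whether that fits."""
    members = admitted(group, min_join_rate)
    fraction = airtime_fraction(members, conversion)
    return {"members": sorted(members), "airtime": round(fraction, 3),
            "feasible": fraction <= 1.0}


if __name__ == "__main__":
    print("no protection  :", delivery_plan(GROUP))                           # 11 Mbps cannot carry 15 Mbps
    print("protection     :", delivery_plan(GROUP, min_join_rate=MIN_JOIN_RATE))
    print("conversion+prot:", delivery_plan(GROUP, True, MIN_JOIN_RATE))
    print("conversion only:", delivery_plan(GROUP, True))                     # the slow member still sinks it
```

Conversion alone does not rescue a group with an 11 Mbps member; it is the combination with rate protection that keeps the airtime budget under one.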
WIRELESS LAN TRENDS
(Chart: unique daily wireless sessions at a large American university, ~50,000 students with multiple devices per student, Spring 2010 through Fall 2011; y-axis 0 to 400,000; 6x growth)
Top WLAN requirements:
- BYOD
- Unified policy
- Performance at scale
- Highly resilient
- High density
- High scale
HIGH DENSITY BEST PRACTICE
General network best practices:
- Avoid latency using local switching
- Avoid bottlenecks using local switching
- Avoid broadcast using multicast-to-unicast, proxy ARP and no-broadcast
Wi-Fi best practices:
- Enough coverage for data capacity
- Use dual-radio coverage and 3-stream APs (WLA 532)
- Reduce TX power for a micro-cell type of deployment; this has a positive impact on performance and radio redundancy
- Use load balancing across radios and APs
- Avoid slow data rates to associate
- Avoid using beamforming
ENFORCING A NO BYOD POLICY WITH DEVICE PROFILING
1. Mobile device connects to the secure wireless network.
2. User dot1x authenticates to the wireless network.
3. Device type policy is configured to restrict iPads; the WLA holds the device traffic for inspection.
4. The WLA sends the device type info to the WLC for matching against the policy.
5. The device is determined to be an Android device and is allowed on the network.
(Diagram: Android tablet/smartphone, AP, EX Series switches, WLC, UAC)