Network Access Control (NAC) – keeping the devices and users where they belong.

I work in a lot of network environments and I see a lot of different approaches to security and networking.  One constant I have found is that IT professionals struggle to adequately identify and secure the devices that may be on their network.  Short of extreme security measures and prohibitive onboarding practices for every device, it is almost impossible to assign network access dynamically without a network access control solution.  I will dive into the basics with a mostly vendor-agnostic explanation.

What a NAC is

At the most fundamental level, a network access control system identifies the devices and users on your network and then acts on that identification. It usually integrates with your directory or identity provider and handles authentication, authorization, and accounting (AAA). The system can use static attributes of the user or device (group membership, device type) and enforce a security posture based on them.  It can also use how the device is connecting (wired or wireless, for example), where it is connecting from, and other more nuanced, dynamic characteristics of the session and the identity.

What the system does with that information is the most important part. As an example, it is rare that every person in a business network should have the same access. However, it is not rare that many people in a department or division would have very comparable access or restrictions. Similarly, devices that are doing the same job likely require identical network access.  If the NAC can act on user attributes like department or division, it can act on device attributes the same way: an HVAC air handler gets the same access that was assigned to the other air handlers sharing those device attributes.

Enforcement Policies

Using what some vendors call roles with enforcement policies, one can automate the application of access based on identity.  This gives a scalable solution that applies the same security consistently, without an administrator intervening for every network connection. This concept is called role-based access.

I use the phrase application of security loosely because each vendor accomplishes the task differently. Some tunnel the user traffic to a firewall or wireless controller and apply stateful firewall policies to it. Others change the network or VLAN the device is on so that access is restricted to that segment.  Some rely on client-side software (an agent) to enforce the role assigned by the NAC.
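To make the role-based decision described above concrete, here is an added example (written for this page; it is not code from the original post or from any NAC vendor) of the policy logic a NAC applies once it has identified a session. It takes the attributes discussed above (authentication result and method, directory department, profiled device type, whether the device is corporate-managed, wired or wireless medium, and agent posture), picks a role, and emits the enforcement as the standard RADIUS VLAN attributes from RFC 3580 plus a role name, which is how a NAC hands a decision to a switch or controller. The role names, VLAN IDs, ACL lines, department and device-profile strings are assumptions.

```python
"""Role-based NAC decision logic (added example; not any vendor's product)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessRequest:
    """Everything the NAC learned about one connection attempt.
    Field names and values are assumptions for this example."""
    auth_method: str                       # "eap-tls", "peap", "mab" (MAC auth bypass)
    auth_ok: bool                          # credential or certificate check passed
    user_department: Optional[str] = None  # from the directory, if a user authenticated
    device_profile: Optional[str] = None   # from profiling, e.g. "hvac-controller"
    corporate_managed: bool = False        # from MDM / certificate issuer
    medium: str = "wired"                  # "wired" or "wireless"
    posture_ok: Optional[bool] = None      # from the endpoint agent; None = no agent


@dataclass
class Enforcement:
    """What gets pushed to the switch or controller for this session."""
    role: str
    vlan: int
    acl: list = field(default_factory=list)

    def radius_attributes(self) -> dict:
        """Standard RADIUS attributes (RFC 3580) that carry a VLAN assignment,
        plus Filter-Id naming the role; vendors add their own VSAs on top."""
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(self.vlan),
            "Filter-Id": self.role,
        }


# Role table: one row per group of users or devices that should be treated alike.
# VLAN numbers, hosts and ACL entries are placeholders.
ROLES = {
    "quarantine": Enforcement("quarantine", 999,
                              ["permit tcp any host 10.9.9.10 eq 443", "deny ip any any"]),
    "guest":      Enforcement("guest", 900, ["deny ip any 10.0.0.0/8", "permit ip any any"]),
    "iot-hvac":   Enforcement("iot-hvac", 310,
                              ["permit udp any host 10.3.0.5 eq 47808", "deny ip any any"]),  # BACnet
    "finance":    Enforcement("finance", 120, ["permit ip any any"]),
    "employee":   Enforcement("employee", 100, ["deny ip any 10.1.20.0/24", "permit ip any any"]),
}


def assign_role(req: AccessRequest) -> Enforcement:
    """Evaluate rules in order; the first match wins, like a vendor enforcement policy."""
    # 1. A failed credential check never earns more than internet-only guest access.
    if not req.auth_ok:
        return ROLES["guest"]
    # 2. MAC-based auth is spoofable, so it only ever yields a narrow device role,
    #    and only for a device class the profiler recognised.
    if req.auth_method == "mab":
        return ROLES["iot-hvac"] if req.device_profile == "hvac-controller" else ROLES["quarantine"]
    # 3. A managed endpoint whose agent reports a failed posture check gets remediation only.
    if req.posture_ok is False:
        return ROLES["quarantine"]
    # 4. An unmanaged (BYOD) device gets least-sensitive access no matter who logged in.
    if not req.corporate_managed:
        return ROLES["guest"]
    # 5. Directory attributes decide the rest. The medium is deliberately not consulted:
    #    the same policy applies on wired and wireless.
    if req.user_department == "finance":
        return ROLES["finance"]
    return ROLES["employee"]


def decide(req: AccessRequest) -> dict:
    """The RADIUS Access-Accept attributes the NAC would return for this request."""
    return assign_role(req).radius_attributes()


if __name__ == "__main__":
    samples = {  # constructed sample sessions
        "finance laptop, wired": AccessRequest("eap-tls", True, "finance", "windows-laptop", True, "wired", True),
        "same laptop, failed posture": AccessRequest("eap-tls", True, "finance", "windows-laptop", True, "wireless", False),
        "air handler (MAC auth)": AccessRequest("mab", True, None, "hvac-controller"),
        "unknown printer (MAC auth)": AccessRequest("mab", True, None, "printer"),
        "employee's home tablet": AccessRequest("peap", True, "sales", "ipad", False, "wireless"),
    }
    for name, req in samples.items():
        print(f"{name:30} -> {decide(req)}")
```

The ordering of the rules is the security-relevant part: anything learned from a spoofable source (a MAC address) is checked before anything learned from the directory, and a posture failure overrides department, so a compromised finance laptop cannot talk itself into the finance VLAN.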

Other helpful things a NAC can do

  • Integrate with endpoint AV or agent software to assess the security posture of a client and use that as an attribute for access.
  • Apply the same security posture to both wired and wireless clients.
  • Centralize the administration and logging for all AAA exchanges.
  • Integrate with edge firewalls from Cisco, Palo Alto, Fortinet, and others.

What a NAC is not

A network access control solution is not a panacea that will make all your ailments cease.  Modern NACs have a great deal of potential in device profiling and machine learning, but they do require some initial administration to build the logic by which enforcement policies are applied.  They are not infallible.  Like any computing system, they need some TLC when first deployed. Once they are up and running, you can sleep easier at night knowing that every connection to your network gets a consistent, policy-driven decision.

Here are a few other things they cannot do

  • NACs are not meant for IP address management. I see a lot of people trying to use them for this, and most are ill-suited for the task. Just because the NAC has a record of an IP address does not mean it should be used as the IPAM database.
  • They are not plug and play. No matter what the vendor tells you, it will be a very involved deployment.
  • Not every NAC integrates with every other product. Each vendor has its own special sauce that makes using its NAC with its own equipment more appealing. Cisco, Aruba, and Fortinet all have features that are only available when you use their equipment with their NAC.

Use Cases

I would recommend a NAC to anyone who runs a network with more than 100 users.  If we assume that each person will likely have three computing devices, that is 300 end-user devices.  Not all of them are corporate-owned and managed, so we would need to delineate access for each user group and device type. We would then need to decide whether to apply different security based on how the device or user connects, or based on whether the device presents a risk to the company.  This sounds like a lot of work, and it can be. But the work only needs to be done once if we are programming the logic into a NAC solution.

Best application of NACs

  • Securing wired ports – We all know that users will bring in devices from home, so why not protect your environment from the inevitable.
  • Wireless for everybody – Just because a device is connected to the same SSID as all the other devices does not mean it has the same security applied or sits on the same logical network.
  • Dynamic logins for your most sensitive devices – Authenticating administrators to your switches, routers, and firewalls with RADIUS or TACACS+ is how you protect against getting hacked from the inside.

This is not meant as a comprehensive analysis of each of the major players in the marketplace. In fact, there are some decent open-source and free NAC-like products out there that are relatively capable.  Most of them lack the device profiling and machine-learning features of the commercial products and cannot identify devices very well, but they do provide authentication and authorization functions.

At the very least, my hope was to impress upon anyone in the market that a NAC is a necessary and essential component of your security arsenal.  The days of having the same login for every switch and router are long behind us. Treating every user and device the same is also a thing of the past. If you want the scalability that a network access control solution provides, I suggest you reach out to your partner of choice and inquire about what products they offer in this security space. Zunesis is available to help you find the right partner for your organization.

HPE Acquisition of Silver Peak

DENVER, CO  October 1, 2020 – Hewlett Packard Enterprise (HPE) has completed the acquisition of Silver Peak, an SD-WAN (Software-Defined Wide Area Network) leader.  For many years, Silver Peak has been a strong leader in the WAN Optimization and SD-WAN market.  Silver Peak is now part of Aruba, a Hewlett Packard Enterprise company.

The acquisition will enhance and strengthen Aruba ESP (Edge Services Platform). This helps to advance enterprise cloud transformation with a comprehensive edge-to-cloud networking solution. It covers all aspects of wired, wireless local area networking (LAN) and wide area networking (WAN).

Steve Shaffer, CEO of Zunesis, a long-time Platinum Aruba and HPE Partner, says “Silver Peak provides a key piece of a comprehensive end-to-end Aruba solution offering. It creates additional value for our clients providing reliable and secure work-from-home and branch office connectivity.  Work from home and branch office solutions just got a lot easier to deploy, secure and manage thanks to the combination of Silver Peak and Aruba’s SD-Branch & remote work solutions.  All of us at Zunesis are very excited about these new developments.”

WAN Transformation

“WAN transformation is a key component of HPE’s Intelligent Edge and edge-to-cloud vision and growth strategy,” said Antonio Neri, president and CEO of HPE. “Armed with a comprehensive SD-WAN portfolio with the addition of Silver Peak, we will accelerate the delivery of a true distributed cloud model and cloud experience for all applications and data wherever they live.”

“I am very excited to welcome the Silver Peak team to the Aruba family,” said Keerti Melkote, president of Intelligent Edge for Hewlett Packard Enterprise and founder of Aruba Networks. “With the evolving nature of the hybrid workplace, enterprises are looking to extend connectivity to branch locations and enable secure work-from-home experiences. By combining Silver Peak’s advanced SD-WAN technology with Aruba’s SD-Branch and remote worker solutions, customers can simplify branch office and WAN deployments to empower remote workforces, enable cloud-connected distributed enterprises, and transform business operations without compromise.”

As part of the acquisition, Silver Peak founder and CEO David Hughes, will join HPE as the senior vice president of the WAN business within Aruba.  “I look forward to leading the new WAN business unit within Aruba and accelerating our customers’ edge-to-cloud transformation initiatives,” said David Hughes, founder of Silver Peak and senior vice president of the WAN business at Aruba. “Digital transformation, cloud-first IT architectures, and the need to support a mobile work-from-anywhere workforce are driving enterprises to rethink the network edge. The combination of Silver Peak and Aruba will uniquely enable customers to realize the full transformational promise of these IT megatrends.”

SD-WAN Technologies

Enterprises are increasingly investing in SD-WAN technologies because legacy WAN architectures incur relatively high costs and are cumbersome to operate, manage and secure. Aruba and Silver Peak share a common vision and goal to provide simplicity, scalability, and application-awareness at the edge of the network. Aruba’s all-in-one SD-Branch portfolio and remote worker solutions, combined with Silver Peak’s self-driving SD-WAN and WAN optimization solutions, allow Aruba to address a wider set of customer requirements in order to capitalize on a promising and growing market opportunity.

At the same time, enterprises are also moving applications, including Internet of Things (IoT) and real-time analytics, to the edge of the network.  Aruba is uniquely positioned to help organizations support this network evolution while providing the needed connectivity to public cloud resources.  “We believe HPE Aruba are making all the right moves to help us offer the best and most reliable networking solutions for our customers large and small,” says Shaffer.  The next few years are going to be very exciting!

About Zunesis

Zunesis, headquartered in Englewood, Colorado has been an HPE Platinum Partner for 16+ years.  Zunesis has expert engineers in HPE server, storage and networking technologies along with common software applications like VMware and Microsoft.  We serve clients large and small but our sweet spot is the mid-market organization – the heartbeat of the US economy.  Our mission is to make the lives of our clients and community better. www.zunesis.com

Back in March, which seems like ages ago, Aruba Networks announced the release of Aruba ESP. It is billed as the industry’s first cloud-native platform designed to automate, unify and secure the Edge. Why the need for this new platform in today’s world? What are its secret powers for your network?  And how does it work?

Why the Need for Aruba ESP?

According to IDC, 55 billion devices will be connected within the next two years and are expected to generate 79.4ZB of data by 2025. Combine that with the shift to work from home and distributed workforces, and there is a definite need for the right tools to keep pace. With this much data at the Edge, today’s networks and the teams that manage them are struggling to keep up.

Organizations need to ensure they have the right network foundation while being ready for the next big technology transition or event. This is where the need for Aruba ESP came in.  Aruba ESP combines AIOps, Zero Trust Security, and a Unified Infrastructure.

What can Aruba ESP do?

It helps IT with the following:

  • Identify and resolve issues quickly, preempting problems before they impact the business.
  • Protect against advanced threats from a vanishing security perimeter.
  • Monitor and manage thousands of wired, wireless and WAN devices across campus, branch, data center, or remote worker locations.
  • Quickly deploy network services at scale to support changing business needs.
  • Allow continued infrastructure investment in the face of uncertain financial changes.

Aruba ESP offers services at the Edge that include onboarding, provisioning, orchestration, analytics, location and management. These are accessed through Aruba Central. The SaaS consumption model enables rapid deployment and provides unified management, AIOps, and security. Through Central, network admins can use AI insights to troubleshoot quickly and to identify and resolve issues before they affect users.

Significant innovations within Aruba ESP

Several new innovations are within the Aruba ESP platform:

  • Cloud-native management for any size enterprise: The industry’s only controller-less, cloud-based platform that provides full-stack management and operations for wired, wireless and SD-WAN infrastructure of any size campus, data center, branch, and remote worker locations to be consumed on-premises or in the cloud.
  • Simplified daily operations with unified infrastructure: The latest version of Aruba Central has simplified navigation, advanced search, and contextual views.
  • Reduced resolution time with AI and automation: Aruba’s new AI Insights reduces troubleshooting time by identifying hard-to-see network configuration issues and providing root-cause, prescriptive recommendations and automated remediation to continuously optimize network operations.
  • AI-powered IT efficiencies: AI Search enables IT teams to eliminate “swivel chair” investigations. AI Assist uses event-driven automation to collect and post all relevant data for both the internal help desk and Aruba Technical Assistance Center (TAC).
  • Granular visibility across applications, devices and the network: User-centric analytics from User Experience Insight identify client, application, and network performance issues faster.
  • Extension of next-gen switching to distributed and mid-size enterprises: The Aruba CX6200 switch series brings built-in analytics and automation capabilities to every network edge where user and device connectivity occurs, generating insights that can be applied to informing better business outcomes.
  • Ongoing innovation with new Developer Hub: A comprehensive resource for developers that includes Aruba APIs and documentation to streamline the development of innovative, next-generation edge applications leveraging the open Aruba ESP platform.

Recently, new enhancements were announced that help unify IoT, IT and Operational Technology networks to enable customers to quickly adapt to changing environments and user requirements. Unifying these networks, enables hyper-aware facilities that are safer, more adaptive, and enhance productivity. This is a big leap forward over what can be achieved with basic connectivity and machine learning-based monitoring.

These enhancements are integral to sensing, analyzing, and reacting to device data and contextual information. Virtually every subsystem spanning machine inputs and outputs (I/O) on a manufacturing floor through multimedia devices in the CEO suite can be accommodated. Solutions are available for education, enterprise, healthcare, hospitality, industrial, manufacturing, retail, transportation and government applications.

Some Use Cases

Some use cases with Aruba ESP-based hyper-awareness include smart buildings, industrial/manufacturing facilities and the broader Intelligent Edge.

Hyper-aware smart buildings for enterprises, education, healthcare, hospitality, retail, and government:

  1. Building control and digital twin enablement: Identify sub-optimized processes, recommend operational enhancements, and monitor the trajectory of energy usage needed for proactive interventions.
  2. Context-aware, real-time integrated emergency response and notification: It actively communicates with tenants, visitors and staff. The use of 4D graphics for first responders enables them to quickly see where people are within buildings.
  3. Seamless extension of the 5G Footprint with Wi-Fi: Mobile operators can extend 5G footprint into the building. It seamlessly powers Wi-Fi calling using Aruba Air Slice Technology.

Hyper-aware industrial facilities:

  1. Migrating from break/fix to proactive maintenance: Machinery sensors monitor equipment to identify points of failure and send notifications before they happen, improving productivity, reliability, and efficiency.
  2. Reducing mean time to repair with location services: Provides site occupants with turn-by-turn navigation to a destination without human assistance.
  3. Monitoring personnel and asset safety: Can deliver real-time 3D situational awareness by tracking the location of people and assets.  It can integrate with automated ventilation, geofencing, and vehicular navigation systems.

Aruba states that ESP produces AI-powered insights with greater than 95% accuracy.  It helps automatically improve communications and visibility across and among IoT, IT and OT networks.

Have more questions about Aruba ESP? Attend our webinar on September 30th or reach out to one of our account reps to learn more.

Using Aruba Dynamic Segmentation will help keep the Boogeyman away

One reality terrifying most business owners is the thought of someone compromising their network and their data.  Companies spend enormous amounts of money and time to protect themselves from cyber threats. They configure edge firewalls and multi-factor authentication to protect their most sensitive data in the cloud. What is often left untouched and overlooked are the data ports that are physically accessible to the public.

If the business operates in a public or shared office space, the risk of intrusion through an unprotected or unmanaged port is substantial.  Aruba Networks has developed a technology that extends the same role-based firewall policies applied to the enterprise wireless to the wired ports.  By enforcing the same role-based policies, administrators can simplify deployment and management while also staying consistent across the network.

Is this a new threat?

In truth, the threat has always existed.  The difference is that now more than ever, IoT devices require a hard-wired connection to function, because many of them do not support the security and encryption standards we enforce on the wireless network.  Some devices simply need the Power over Ethernet supplied by the switch port.  These devices include security cameras, lighting controllers, intelligent HVAC devices and some printers or scanners.

Another common scenario is a wired port provisioned for a special event. The port is configured for one purpose and then forgotten, and anyone who plugs into it afterwards gets whatever access it was originally configured for.  These devices and circumstances are not going away any time soon. The best way to protect the network and the switch ports is to isolate such clients and devices from your sensitive networks and services.

What have engineers and administrators done about this attack vector?

From a management perspective, port security has always been the bane of network engineers and administrators. It has never been very practical or scalable to deploy.  One must define clear attributes to distinguish each device from another, and then tell the switch port either to change the network the device is connected to or simply to block the port altogether.

Often the attributes used to distinguish these devices are easy to counterfeit: a MAC address, for example, is trivial to spoof, so MAC-based authorization alone should not be trusted for anything sensitive. Deploying the configuration only on public-facing ports takes planning and insight, and this often falls through the cracks after the initial deployment. Furthermore, these settings must be deployed on every switch in the environment that has a public-facing port.  Aruba’s Dynamic Segmentation takes a different approach.  It unifies policy enforcement and delivers the same seamless experience that people have come to expect of wireless connectivity.

How does it work?

The technology leverages many of the same security and profiling mechanisms that exist in the Aruba wireless world and applies them to the switch port, adding a scalable security solution without the complexity of deploying another costly security product.  It works by treating an Aruba network switch like an access point: the switch tunnels the switch port traffic to the Aruba mobility controllers, which profile the connected devices in the same manner as wireless clients.

If the device passes the authentication criteria, it is granted the same access as if it were on the wireless network.  If the device has certain recognizable attributes but does not pass the authentication criteria, it is treated differently from an authenticated client, but consistently: it is assigned the same restricted role and privileges it would receive on the wireless network.  By isolating these devices and unknown users, we can better protect the environment at large while not limiting the connectivity some users may need.

What else can Aruba Dynamic Segmentation do?

By tunneling the traffic to the mobility controllers, Dynamic Segmentation provides greater visibility into the traffic from IoT devices and guest users on your network.  You can enforce a captive portal with email registration for guest users, which adds some accountability for a visiting contractor or guest speaker.

If an employee brings in a consumer device from home and plugs it in, you can determine what the device is, where it is plugged in and what it is communicating with.  The most valuable use case for this technology lies in the constant struggle of BYOD and onboarding of employee devices.  If an employee chooses to use their own computing device and company policy allows it, you can check the security posture of the device before granting it access to any resources on your network.  Ideally those users would have a policy enforced that allows them to reach only the least sensitive resources and the internet.

Why should network/security engineers and administrators be excited about Dynamic Segmentation?

Unlike traditional port security, which normally relies on 802.1X and RADIUS authentication to authorize access on a single VLAN, Dynamic Segmentation does not require unique network segments to be defined to separate users.  Aruba uses the term VLAN sprawl to describe the never-ending creation of new VLANs and subnets to create new layer 2 boundaries that segment user and device traffic.

With this solution, all the unknown devices and users can reside on the same network segment. Because the traffic is tunneled, all of it is subject to deep packet inspection, stateful firewall policies, and layer 7 application visibility including web content filtering.   Most IT professionals wouldn’t believe that their wireless controllers are capable firewalls.  Where Aruba is concerned, they would be wrong.

What Aruba components are necessary to make it all work?

If you are already an Aruba wireless customer, you may already have what it takes to start leveraging this technology today.  Listed below are the solution ingredients, taken from the Aruba Solution Overview.

  • Aruba wireless access points
  • Aruba network switches
    • Models 2930F/M, 3810M, 5400zl2
  • Aruba Gateways or Mobility Controllers
    • Running AOS 8.1 or later
  • Aruba ClearPass Policy Manager with profiling

Overall, the solution will simplify your efforts at securing the network edge and unify security into one manageable platform.   Why spend time configuring and deploying a solution that you would have to duplicate for the wireless infrastructure?  Save yourself from that spooky nightmare.

To learn more, contact your local Zunesis sales representative.

Additional Resources

Dynamic Segmentation Solution Brief

Aruba Learning Video

Technical Whitepaper

REST for the Weary – RESTful APIs

As the expression goes, “no rest for the weary.”  A lot of us in the IT industry can relate to that statement. We often need to work long hours with heavy workloads.

Why is it then, at least in my observation, that many systems and network engineers still have not jumped on the automation train?  We’re so busy being busy that we don’t take the time to save time.  Some of us still think RESTful APIs are something that only “devs” use. Luckily for our sanity, many of us are picking up this much-needed skill.

If you haven’t played with RESTful APIs yet and are in IT operations, I highly encourage you to check them out and get some lab time.  By sharing some personal experience, I’d like to argue that there really can be “REST for the weary” (pun intended).

A slightly better way

I remember before RESTful APIs were something that more vendors supported. I had to write Expect scripts in Linux to do my automation.  Really, this was just screen scraping terminal output and brute-forcing automation.  It was messy at best, especially trying to automate devices that weren’t made for automation.

This wasn’t a whole lot of fun, but it was worth the pain involved since it still saved mountains of time.  There was quite a bit of pain with some vendors, whose devices needed odd keystroke combinations before they would allow CLI access even after SSH’ing in.  Sending “CTRL+Y” through an SSH session from a script was way more of a headache than you’d think it should be.

Complaining aside, spending time writing Expect scripts was certainly MUCH easier than doing things manually.  As an example, in a large environment I previously worked in, my co-workers spent time manually SSH’ing to literally hundreds of switch stacks, running commands and capturing the output to save.

I was asked on a regular basis by management to get MAC address/switchport/dot1x info and other data which could be queried for historical data in a database. This was in preparation for a forklift upgrade on the network.  The use case was to get a history of devices, interface information, and all other relevant historical data.  Pulling MACs from the cores via uplinks wouldn’t give the necessary detail.

That wasn’t an option; we had to go to the access switches as the source of truth.  The idea was also to compare against data from other sources (the IP-PBX system was one example) in preparation for the upgrade.  They wanted to make sure network cut-overs went unnoticed by end users, aside from the downtime to swap equipment of course.  I spent quite a bit of time writing and tuning Expect scripts, but still much less than doing things the old-fashioned way.

The actual better way

Fast forward to my next job managing literally thousands of server nodes in a high-uptime environment. I started getting asked to do things like update BIOS settings ON EVERY SERVER.  To make things worse, as software engineering changed their code, they’d ask me to change BIOS settings multiple times.  There was no way I was going to iLO into every one of those servers, reboot, wait, press F9 to access System Utilities, select BIOS/Platform Configuration (RBSU), etc.  Thankfully, I didn’t have to draw a line in the sand and explain that I was unwilling to do this.

After some research, I learned that HPE makes a RESTful API available on their Gen9 and Gen10 servers.  Lucky for me, we were using Gen9 servers at the time.

Managing BIOS settings isn’t the only thing you can do, by the way.  You could probably integrate this into your monitoring system, if it allows it, to handle non-responsive devices, as an example.  We’ve all seen servers where the lights are on but nobody is home: they seem dead, but respond to pings intermittently and with high latency.  You could use your monitoring system to poll services and metrics like CPU and RAM utilization, and then reboot the server via the iLO RESTful API if it is really locked up.  No more waiting for a human to notice alerts, escalate if needed, and then reboot the server manually.

One Interface for Integrated Control

HPE Integrated Lights Out (iLO) server management provides intelligent remote control automation through scripting or an API. Gain even more capabilities that go beyond scripting by leveraging one API to manage your complete lifecycle of HPE Gen9 and Gen10 servers—iLO RESTful API.

A single API interface integrates server management components and full compute power. Use it with HPE iLO 4 and iLO 5 to perform remote server provisioning, configuration, inventory and monitoring to industry standards through Redfish API conformance.

This was a game changer.  I was able to prepare some standard JSON files with standardized BIOS settings, then write a script utilizing HPE’s RESTful API and push the settings described in the JSON file to every server (or a subset of servers for testing) with ease.

Some settings still required a reboot to take effect.  This was easily handled by scheduled reboots during a maintenance window.  I also didn’t need to patch together a solution to script iLO changes with the software equivalent of duct tape and bubble gum; instead I used a RESTful API.  Something that would have taken FOREVER was accomplished with ease using something very well documented by HPE.
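As an added example of the approach described above (written for this page; it is not the author’s original script and not HPE’s own tooling), here is a minimal Python client that logs in to an iLO with a Redfish session, reads the current BIOS attributes, computes only the differences against a desired set, and PATCHes those to the pending-settings resource so they take effect at the next reboot. The Redfish paths are the standard ones iLO 4 and iLO 5 publish; the attribute names in DESIRED, the host names and the Administrator account are assumptions, and the Attributes wrapper assumes firmware that follows the Redfish Bios schema. The HTTP transport is injectable so the logic can be exercised without a server.

```python
"""Push a standard set of BIOS settings to HPE servers over the iLO Redfish API.

Added example (not the original author's script, not HPE tooling). Paths used:
  POST   /redfish/v1/SessionService/Sessions   -> session token (X-Auth-Token)
  GET    /redfish/v1/Systems/1/Bios            -> current settings
  PATCH  /redfish/v1/Systems/1/Bios/Settings   -> pending settings, applied at next boot
Assumption: settings sit under "Attributes" (Redfish Bios schema). DESIRED holds
placeholder attribute names; take real ones from your own Bios resource.
"""
import json
import ssl
import urllib.error
import urllib.request

DESIRED = {"PowerRegulator": "StaticHighPerf", "Sriov": "Enabled"}  # assumed names/values


def plan_changes(current: dict, desired: dict) -> dict:
    """Return only the attributes that differ. Unknown names are an error:
    iLO would accept the PATCH and silently ignore them."""
    unknown = sorted(set(desired) - set(current))
    if unknown:
        raise ValueError(f"BIOS attributes not exposed by this server: {unknown}")
    return {k: v for k, v in desired.items() if current[k] != v}


class Ilo:
    def __init__(self, host, user, password, transport=None, cafile=None):
        self.base = f"https://{host}"
        self.user, self.password = user, password
        self.token = self.session_url = None
        # transport(method, url, headers, body_or_None) -> (status, headers, json_body)
        self.send = transport or self._https
        # Verify iLO's certificate against a CA you trust. Never disable checking:
        # anyone on the management network could then collect the credentials below.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _https(self, method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        hdrs = {"Content-Type": "application/json", **headers}
        req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as r:
                raw = r.read()
                return r.status, dict(r.headers), (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers), {}

    def _auth(self):
        return {"X-Auth-Token": self.token} if self.token else {}

    def login(self):
        # Session auth: one credential exchange, then a short-lived token, rather
        # than sending Basic auth (user:password) with every request.
        status, hdrs, _ = self.send("POST", f"{self.base}/redfish/v1/SessionService/Sessions",
                                    {}, {"UserName": self.user, "Password": self.password})
        if status not in (200, 201):
            raise RuntimeError(f"login failed: HTTP {status}")
        hdrs = {k.lower(): v for k, v in hdrs.items()}  # header names are case-insensitive
        self.token = hdrs.get("x-auth-token")
        if not self.token:
            raise RuntimeError("login succeeded but no X-Auth-Token returned")
        self.session_url = hdrs.get("location")

    def current_bios(self) -> dict:
        status, _, body = self.send("GET", f"{self.base}/redfish/v1/Systems/1/Bios", self._auth(), None)
        if status != 200:
            raise RuntimeError(f"GET Bios failed: HTTP {status}")
        return body["Attributes"]

    def apply_bios(self, desired: dict) -> dict:
        """PATCH only the differences; returns what was queued for the next boot."""
        changes = plan_changes(self.current_bios(), desired)
        if changes:
            status, _, _ = self.send("PATCH", f"{self.base}/redfish/v1/Systems/1/Bios/Settings",
                                     self._auth(), {"Attributes": changes})
            if status not in (200, 204):
                raise RuntimeError(f"PATCH Bios/Settings failed: HTTP {status}")
        return changes

    def logout(self):
        if self.session_url:
            self.send("DELETE", self.session_url, self._auth(), None)
        self.token = self.session_url = None


if __name__ == "__main__":
    import getpass, sys
    # Usage: python ilo_bios.py ilo-host-1 ilo-host-2 ...  (password prompted, never on the CLI)
    pw = getpass.getpass("iLO password: ")
    for host in sys.argv[1:]:
        ilo = Ilo(host, "Administrator", pw)
        ilo.login()
        try:
            print(host, "queued for next boot:", ilo.apply_bios(DESIRED))
        finally:
            ilo.logout()
```

Three habits here matter more than the BIOS values themselves: the script verifies the iLO’s TLS certificate instead of disabling checks, it uses a session token rather than replaying the password on every call, and it always logs out so stale sessions do not accumulate on the iLO. Diffing before the PATCH also means a server already in the desired state is not touched, which keeps the next maintenance-window reboot list short.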

Give it a try!

Ready to give RESTful APIs a chance on your HPE servers and Aruba networking?  Check out these resources:

HPE ILO REST API
GitHub Aruba

Not using RESTful API capable servers or networking?  The seasoned professionals at Zunesis can assess your environment, and recommend an appropriate refresh path utilizing the latest Aruba networking equipment and Gen10 HPE servers.

Synergy is the interaction or cooperation of two or more organizations, substances, or other agents to produce a combined effect greater than the sum of their separate effects.

HPE Synergy

HPE Synergy is a composable infrastructure that treats compute, storage, and fabric as resources that can be pooled together and used as needed. An organization can adjust the infrastructure depending on what workloads are required at the time, which optimizes IT performance and improves agility.

The best definition I found for Composable Infrastructure is the following:

Compose your infrastructure for any workload.

Some History

HPE started shipping the Synergy platform during the first half of 2016, over three years ago. It is hard to believe this platform has been around for three years already.

In general, the Synergy platform provides options in compute, storage and networking.  It offers a single management interface and unified API to simplify and automate operational complexities. It helps to increase operational response to new demands.

Composer and Image Streamer Management

Using Composer and Image Streamer management, an organization has the software-defined intelligence to rapidly configure systems to meet its requirements. With HPE Composer’s integrated software-defined intelligence, you can accelerate operations using a single interface.

Synergy Image Streamer enables true stateless computing for quick deployments and updates, a new approach to deployment and updates for composable infrastructure. This management appliance works with HPE Synergy Composer for fast software-defined control over physical compute modules with operating system provisioning.

The Synergy platform provides a fully programmable interface that allows organizations to take full advantage of potential vendor partnerships for open-source automation.  Tools such as Chef, Docker, and OpenStack also work with the Synergy Platform. Using these tools an organization is able to seamlessly integrate multiple management tools, perform automation and future-proof the data center.

InfoSight and Synergy

HPE has also announced Synergy support in HPE InfoSight. InfoSight is a cloud-based artificial intelligence (AI) management tool that came with HPE's acquisition of Nimble Storage. HPE has expanded the platform to include HPE servers, including Synergy and Apollo systems.

It includes Predictive Analytics, Global Learning and the Recommendation Engine. The AI engine provides data analytics for server security and predictive analytics for parts failure; future capability will include firmware and driver analytics.

The Global Learning aspect provides a server wellness dashboard, a global inventory and performance and utilization information. The Recommendation Engine will provide information to eliminate performance bottlenecks on the servers.

Built with the Future in Mind

The Synergy platform is built with the future in mind. From management analytics to new compute platforms, to higher power requirements, to increased networking bandwidth, this platform is ready. Architectures are evolving toward memory-driven computing, 100Gb networking and non-volatile memory (NVM).

The Synergy frame has been architected to handle these new technologies and more. Each HPE Synergy bay is ready to support future technologies such as Photonics, future CPUs, GPUs and new memory technologies.

For more information on HPE Synergy, contact Zunesis today.

Aruba Instant Access Points

Years ago, the concept of purchasing and deploying enterprise grade wireless infrastructure was reserved for only the largest or wealthiest companies.  The average small to mid-sized businesses were left to make compromises on features and performance because of the prohibitive price and deployment complexity associated with wireless infrastructure.  Well no more.

Aruba Instant access points allow any business to deploy a full-featured and scalable solution anywhere, without compromising on features often reserved for the most cost-prohibitive solutions.  Aruba Instant has a place everywhere from the hair salon to the corporate office.  If you need a solid and secure wireless solution that doesn't require a full-time worker to administer, then look no further.


What is Aruba Instant?

Aruba Instant is a wireless access point operating system and platform that does not require the purchase of hardware or virtual controllers for deployment.  Instead, one Aruba Instant access point in the cluster takes on the virtual controller role for the others. They work in a cluster much like the standard campus deployment most are familiar with.

For small to mid-sized businesses, the most common wireless deployment is fewer than 100 access points. This is fully supported by the Aruba Instant deployment model.  Not only does the deployment scale in size, but it is innately redundant.

Each access point can act as the primary virtual controller if the current controller goes down.  Furthermore, the access points come in a wide variety of models.  Some support the newest Enterprise features such as 802.11ax, WPA3, and M-PSK.


Where is the value?

Almost all current-generation Aruba access points are sold as a unified AP. The same unit can be deployed in an Instant cluster or as a campus AP controlled by dedicated controllers.  By shipping a single image on all access points, Aruba has made the product fit all use cases and simplified ordering and provisioning.

Additionally, if a customer does outgrow the Instant AP deployment model, they can simply convert their existing access points to work with a controller-based solution, never losing a penny on their existing investment.  This use case happens frequently. Aruba customers are always thankful to know that they haven't thrown money down the drain as their business grows and they need to expand the reach of wireless connectivity.


Aruba Instant Tour

I will spend some time showcasing the features and simplicity of the Aruba Instant operating system.  There are numerous guides online showing how to configure the APs in greater detail.  I will give a brief overview of some of the included features.

There is also a community-driven YouTube channel dedicated to the education of customers and partners called Airheads Broadcasting Channel.  This tour is meant for someone with 1-2 years of IT experience; wired and wireless networking concepts will be used without explanation.


Logging In

The virtual controller is accessed through a web interface that is very similar to logging into a traditional Aruba Mobility Controller. There are default credentials, which are publicly available, for the initial login, so they should be changed as soon as the virtual controller is first accessed.

[Image: Aruba Access Points Login]

User Interface

The dashboard presented after the user logs in is very helpful. It will show everything from active wireless networks, cluster members, connected clients, and performance and health statistics.

Again, keep in mind that using this deployment model is free.  There are no additional licenses or support fees to use the Aruba Instant operating system.  All Aruba access points come with a lifetime warranty that includes software/firmware upgrades.

[Image: Aruba Access Points User Interface]

Advanced Features

The Aruba Instant operating system supports features like:

  • Guest network with custom captive portal
  • RADIUS authentication with CoA (Change of Authorization)
  • Stateful firewall policies
  • QoS/CoS
  • Internal guest provisioning for the guest network
  • IDS (intrusion detection)


Another feature that is surprising to see on this platform is AppRF.  It identifies which applications are in use on the network.  It is of great value to administrators and engineers to be able to identify unwanted applications on the network and apply QoS policies to either limit or block them entirely.

[Image: Aruba Access Points Advanced Features]

Third Party Integrations

Unlike other platforms that limit features in their introductory tier, Aruba supports third-party integrations with firewall vendors and even custom XML API services.  Features that leverage location-based services are also available on the Aruba Instant platform.

[Image: Aruba Access Points third-party integrations]

Overall, the platform is feature rich. It can do almost everything a traditional controller-based platform can do. The sheer scalability of having the access points act as the controller grants a flexibility many in the industry have been looking for.

Small to mid-sized businesses should explore the possibilities of what the Aruba Instant platform can offer; it is a budget-friendly option to consider for your networking needs.

Use the Networking Product Wizard on our site to find out the right switches, access points and network management solution for your organization.

End User-Centric Network and Application Performance Analytics


Increasing reliance on Wi-Fi for enterprise and IoT applications means IT departments are facing new challenges to deliver the best user and client experience possible. To provide a consistent level of performance, the Aruba Service Assurance solution enables IT to proactively simulate real-world user and client experiences.


IT can continuously monitor network connectivity and the performance of wireless and Ethernet connections in critical, high-value locations like office spaces, retail, education, healthcare, and similar types of environments.


How it works


The Aruba Service Assurance solution includes simple to deploy sensors, cloud-based data processing and an easy to learn web-based administrative dashboard. It can be accessed from anywhere using either Chrome or Safari browsers.


It’s a great tool for any organization and IT team tasked with delivering the best possible network experience with their user’s connectivity and app performance in mind – especially the “C-suite” or users with cyclical problems reported to the help desk.


Components to the Solution


Purpose-built Sensor


Aruba LTE sensors can be placed in any area where users or IoT devices are located to reduce the time to identify and resolve application responsiveness and user experience issues. The sensor is placed at the same height where users' devices are placed or held, so that it runs accurate simulated tests over Wi-Fi. Wired connections are also supported.


Tests can be set up for LAN and WLAN connectivity, DHCP, DNS, authentication, captive portal response, and cloud and internal applications. Installation of the sensor, even in extremely remote locations, is easy due to built-in out-of-band cellular connectivity. This reduces the time and effort normally required to go on-site, diagnose a problem and put a resolution into action.

[Image: Aruba Service Assurance Sensor]

Configuration and visibility: Web-based dashboard


The cloud-based analytics and insights engine provides a robust and scalable model that allows IT to centrally configure and run tests for today’s cloud-based (SaaS) or internal applications. Pre-configured templates or custom defined tests can monitor the most important apps and services. For example, tests can automatically ping a server to confirm responsiveness, or run a script through a browser to see how an application is performing before users encounter a problem.


The web-based service assurance dashboard is designed with simplicity and one-glance visibility in mind. It changes how an assurance dashboard should work. A unique, five-column traffic light model easily lets you see when things are working great and when they’re not.


The status of each sensor, SSID, service and application being tested is highlighted under each of the traffic light icons. This gives IT a good understanding of overall user experience, Wi-Fi connectivity and quality, responsiveness of core network services, and the reachability of internal and external services. Smart notifications can be set up to keep you informed on your mobile device.

[Image: Service Assurance dashboard demo showing an RF performance issue]

How can Zunesis help?


Zunesis is an Aruba Platinum partner, which is the highest level of achievement. We can help any customer or prospective customer on even a small project with a concern such as we have outlined in this post.


A simple deployment of a single sensor and a one-year subscription to the data and analytics gathering would cost only about $1200. Zunesis can install a quick test solution for clients who need to get to the bottom of a tough end-user experience issue through our unique Customer Connect Program. This program provides 2-3 hours of no-cost onsite consulting with customers.


For instance, we could use that time to set up a basic Service Assurance sensor and dashboard. We then provide another hour or two after deployment to work with the client on reviewing the results of the data gathering.


Plus, for that small cost, the sensor remains available for other testing; one would simply need to renew the annual service subscription (or purchase up to 5 years up front!).


More Information:

Aruba Networking Service Assurance


Aruba 8400: Designed from the Ground Up for Automation and Network Insight


Looking at networking gear over the past several decades, not much has really changed from a high level.  Okay, we’ve gotten bigger pipes to fit the much larger volume of data that needs to pass through them.  We have added more protocols to manage the control plane, but a lot of the core technology is still pretty much the same.


OSPF, BGP, VRRP, etc. haven't really changed much.  Sure, some of us are over spanning tree and aren't wasting half of our links anymore, but the point is that many network engineers themselves haven't changed how they deploy and manage solutions.  Specifically, many of us are still managing our networks statically via the command line, troubleshooting after a problem has caused an outage, and not automating.


In the era of mobile, cloud, and IoT, this simply isn't scalable anymore.  If you're a forward thinker, you may already be using Ansible, Python, etc. for network automation, and it definitely helps when the vendor has designed a platform specifically for this.  Gone are the days of screen scraping and expect scripting over SSH.


Aruba has been disrupting the networking industry for some time now in wireless and wired, but one thing missing from the product portfolio was an offering for the core… until now.


What’s New:


  • High-performance Aruba core and aggregation switch with 19.2 Tbps switching capacity and carrier-class high availability.
  • ArubaOS-CX automates using built-in REST APIs and Python scripts.
  • Monitor and troubleshoot with Aruba Network Analytics Engine.
  • High availability, virtualization and simplicity with Aruba VSX.
  • High density, line rate 10GbE/40GbE/100GbE connectivity.
  • Advanced Layer 2/3 feature set includes BGP, OSPF, VRF and IPv6.


Game-Changing Business Agility


The Aruba 8400 Switch Series is a core and aggregation switch solution with an innovative and powerful approach to dealing with the new applications, security and scalability demands of the mobile, cloud and IoT era.

  • Fully programmable with ArubaOS-CX, it brings automation and visibility and helps troubleshoot via simple scripting.
  • Aruba Network Analytics Engine provides the ability to monitor and troubleshoot network, system, application and security related issues easily, through simple Python agents and REST APIs.
  • High-availability, high-speed architecture with 19.2 Tbps switching capacity for always-on networking.
  • Robust security and QoS with advanced Layer 2 and Layer 3 features, including support for BGP, OSPF, VRF and IPv6.


Modern Software System Simplifies and Automates


The Aruba 8400 Switch Series is based on the new ArubaOS-CX, a modern software system for the core that automates and simplifies many critical and complex network tasks.


The built-in time series database enables customers and developers to develop software modules for historical troubleshooting, as well as analysis of historical trends, to predict and avoid future problems due to scale, security and performance bottlenecks.


It includes independent monitoring and restart of individual software modules and enhanced software process serviceability functions, and it allows individual software modules to be upgraded independently for higher availability.

It delivers enhanced fault tolerance and facilitates nearly continuous operation with zero service disruption during planned or unplanned control-plane events.


High Performance and Carrier-Class High Availability


The Aruba 8400 Switch includes a high-speed, fully distributed architecture and provides up to 19.2 Tbps switching capacity to meet the demands of bandwidth-intensive applications today and in the future.


Aruba's new high availability technology is Aruba VSX, which has been designed from the ground up to deliver the continuous availability, virtualization and simplicity requirements unique to the core of the network.


It provides resiliency and high availability with hot-swappable, redundant and load-sharing fabrics, management modules, fan assemblies and power supplies.

The scalable, compact 8U chassis delivers industry-leading line rate 10GbE/40GbE/100GbE port density, very low latency, and scalability ideal for the campus core.


So how is this any different from other chassis based switches?


ArubaOS-CX


Meet ArubaOS-CX, a modern network operating system.  The entire state of the system is stored in a database, and all parts of the system interact with that database rather than directly with each other.  This provides much greater modularity and extensibility, and allows seamless recovery when failures are detected.  If one particular daemon crashes, it simply restarts and restores its state from the database with almost zero downtime.  This is huge!  If you've ever had to recover a major process like OSPF and deal with the consequences, you know exactly what I'm talking about.  Further, the system automatically generates a REST API for all objects in the data model, and can expose all features, functions, statistics... EVERYTHING to AOS-CX applications/services and to external systems if desired.


If that wasn’t enough, Aruba has also provided us with automated monitoring and troubleshooting via the network analytics engine.  This allows IT professionals to easily monitor, detect problems, analyze trends, and immediately resolve issues instead of relying on traditional tools like SNMP and CLI after the fact.  If a particular condition is detected, it is possible to automatically remediate via scripted actions.

Again, ArubaOS-CX is fully programmable via REST API, and for those of you who are ready to dig in, here’s a handy reference document to help get you started.


So, are you ready to switch? (Pun intended.)

In this post, I want to take a look at Aruba's latest addition to their switching portfolio – the 2930M.


The 2930M is the modular brother of the 2930F (fixed) switch, which has been selling for a number of months. The 2930M is the long-awaited replacement for the older 2920 switch, one of the best-selling switches ever for HPE Networking, and includes some configurable options that are not available on the 2930F.


The new 2930M has configurable redundant power supplies, modular backplane stacking, higher stacking density, extremely high PoE capacity, and a more advanced (but still not complete) Layer 3 feature set for the modern edge network. The uplinks are also configurable on the 2930M, allowing for 1x 40G QSFP+ port, 4x 10G SFP+ ports, or 4x 10G SmartRate ports (1, 2.5, 5, or 10G copper, depending on the capabilities of the device plugged into each port).


In addition to the data sheet below, I wanted to supply some information for quick reference. The best way to depict this information is a table comparing the older 2920, the fixed-configuration 2930F, and the new 2930M:

[Image: Aruba 2930M Switch comparison table]

For more detailed information on this new switch, please download the data sheet here.

Copyright © 2023 Zunesis. All Rights Reserved.