Aruba_Design_Architecture

Module1Architecture&Design力麗科技黃永仁Webbwebb@llt.com.tw22Architecture&DesignOverview•Topologyanddeploymentmodels•Level1trainingrecap•L2vsL3•Scalingthemobilitynetwork•Choosingacontroller•Overviewoflabsandtopologies3ARUBA無線網路的組網架構EmailServer10/100MbpsL2/3DHCPServer1.3.4.通訊過程：1.AP連接到現有網路的交換機埠，加電起動後，獲得IP地址2.AP通過各種方式獲得ARUBA控制器的LoopIP位址（靜態或動態獲得）3.AP與控制器之間建立PAPITunnel（UDP8211），通過FTP或TFTP到ARUBA控制器上比對並下載AP的image軟體和配置檔，並根據配置資訊建立AP與控制器之間的GRETunnel，同時向無線使用者提供無線接入服務4.無線用戶通過SSID連接無線網路，所有的使用者流量都通過AP與ARUBA控制器之間的GRETunnel直接傳遞到ARUBA控制器上，進行相應的加解密、身份驗證、授權、策略和轉發2.44APDeployment:Directvs.OverlayFLOOR2FLOOR1DATACENTER10/100Mbps10/100MbpsFLOOR2FLOOR1DATACENTER10/100Mbps10/100MbpsBACKBONEBACKBONE10/100Mbps10/100MbpsOverlaymodelDirect-attachmodelControllerControllerController55CombinationFLOOR2FLOOR1DATACENTER10/100Mbps10/100MbpsFLOOR110/100MbpsBACKBONEBACKBONE10/100Mbps10/100MbpsOverlaymodelBuilding1Building2BuildingcontrollerCampusbuildingFLOOR2Building266APBootSequence•APsneedthefollowingbitsofinformationinordertoboot:•IPAddress,Netmask,DefaultGateway•APName/APGroup•IPAddressofArubaController•2waystodothis•Static•Allparametersmanuallyconfigured•Dynamic•APonlyconfiguredwithAPName/APGroup(optionalonfirstboot)77APName/APGroup•APNameandAPGroupareusedtodeterminewhatconfigurationparameters/profilesarepushedtoanAP•APNamemustbeunique•IfAPNamenotset,thenAPWiredMACisusedasAPName•APmaybelongtooneandonlyonegroup•Createasmanygroupsasneeded,eachwithuniqueprofilesets88GroupsIllustratedChemistryFloors:1-3ChemistryFloors:4-5EngineeringFloors:AllDormsFloors:AllAirMonitors各群組可以有不同的SSID,可依部門、系所、大樓。99APStaticbootsequence1.APloadsvariablesfrombootrom2.APsendsmessagetoArubacontrollerwithitsAPName/APGroup3.Ifneeded,APsendsanFTPrequesttoArubacontrolleranddownloadsOSimage4.BasedontheAPName/APGroup,thecurrentcontrollermaytakecontrolofthisAPordirectittoanothercontroller5.APauthenticatestocontrollerandestablishesGREtunnelAP啟動時會比對OS是否和controller一致，如果不一致會由controller下載更新。1010ControllerDeploymentFLOOR2FLOOR1DATACENTER10/100Mbps10/100MbpsFLOOR2FLOOR1Buildingcontroller10/100MbpsBACKBONE10/100Mbps10/100MbpsMasterControllerCampusbuildingBuilding1Building2GRETunnelsmasterlocal1111DeploymentRecommendationsAPDeployment•Whatevermakessensefromacablingperspective•APconfigurationisthesameineithercase•APsdon’tcareifthey’redirectorindirectattachedControllerDeployment•Followthedata•Deploycontrollersclosetotheterminusofuserdata•Typicallythisisthedatacenter1212Coveragevs.Capacity•SitesurveystraditionallyattempttominimizethenumberofAPs•Completecoverageiscrucialbutalsoconsider…•Peruserthroughput•Overlapforself-healing•Roamingperformance1313ControllerConnectivityWhentouseVLAN1•Forverysimpleconfigurations•SingleVLANonentirecontroller•NotusingVLANtagging•TerminatingGREtunnelsonVLAN1Whentouseloopback•LargedeploymentswithmultipleVLANs•VLANtaggingontheuplinktrunk•TerminatingGREtunnelsonVLANotherthanVLAN1ALayer2/Layer3switch•SupportsVLANsandLayer3IPforwardingLoopbackinterface•AninternalIPinterfaceusedtoterminateIPSecandGREtunnels•SourceaddressforRADIUSandmanagementcommunications•EitherVLAN1interface(ifconfigured)oraspecificloopbackaddressL2vsL3Deployments1515DecidingbetweenL2andL3•Howwilladdressingofwirelessstationsbedone?•ArubacontrollerissimilartoastandardL3switchinnetworkingcapabilities•UnderstandsVLANs•UnderstandsVLANtagging•UnderstandsIPandhowtodoL3forwarding•However,doesnotrunroutingprotocols•Keyconceptiswhichdeviceactsastheclient’sdefaultgateway•Ultimategoalistoextendwirednetworkandsecurityinfrastructureintowirelessspace•Noinherentadvantageordisadvantagetoeitherapproach–theoptionsareavailabletofitintomorenetworksL2或L3佈署方式並沒有任何差別，端看ClientGateway要在那裡。1616L2Deployment•InaL2deployment,WLANcontrolleractsasanEthernetbridge•Afterauthentication,framesfromclientarebridgedontoL2network•802.1qVLANscanbeused•ClientscanallbeonsameVLAN•ClientcanbeassignedtoVLANbasedonESSID,location,orauthenticationresult(802.1x)•Uplinkportscanbe802.1qtagged•OradifferentphysicaluplinkportcanbeusedperVLAN•AddressassignmentthroughexternalDHCPservernormally(internalDHCPserveravailable)•ClientbroadcastsforDHCP,controllerbridgesthebroadcastonuser’sVLANClientsGateway在L3Switch身上。1717TheoryofOperationsDataCenterFirstFloorSecondFloorDHCPE-mail10111410.1.10.96AP1/1stFloor10.1.10.68AP2/1stFloor10.1.11.42AP3/2ndFloor10.1.11.36AP4/2ndFloorVLAN14:10.1.14.6/24loopback:10.1.14.7/32VLAN141818L2DeploymentDataCenterFirstFloorSecondFloorDHCPE-mail10111410.1.10.96AP1/1stFloor10.1.10.68AP2/1stFloor10.1.11.42AP3/2ndFloor10.1.11.36AP4/2ndFloorMobilityControllervlan14:10.1.14.6/24loopback:10.1.14.7/32vlan100vlan101150-200UsersperVLANVLAN101VLAN100Layer3Switchvlan100:10.1.100.1/24vlan101:10.1.101.1/24apgroup“1stFloor”vlan100apgroup“2ndFloor”vlan101802.1q14,100,1011919L2PacketFlowDataCenterFirstFloorSecondFloorDHCPE-mail10111410.1.10.96AP1/1stFloor10.1.10.68AP2/1stFloor10.1.11.42AP3/2ndFloor10.1.11.36AP4/2ndFloorMobilityControllerVLAN14:10.1.14.6/24loopback:10.1.14.7/32VLAN100VLAN101Layer3switchVLAN100:10.1.100.1/24VLAN101:10.1.101.1/24D