Aruba Campus Switching
ArubaOS-Switch 16.07 and 16.08
Software Release
Customer Presentation
December 2018
Agenda
1 Overview
2 Feature Details
3 Platforms Supported
Complete Software-Defined Campus
Automated and Intelligent Networking
Access / Aggregation / Core
Aruba Switching Portfolio
New Features in ArubaOS-Switch 16.07
Hardware
• 2930M switches with 802.3bt: Two new 2930M models with 60W of PoE per port
Ease of use
• Central onboarding support on Web GUI: A new Web GUI page to help monitor onboarding status of Aruba Central
Manageability
• Stacking support for 2930F & 3810M on Central: Aruba Central 2.4.6 or later can manage stacks of 2930F or 3810M using template config
New Features in ArubaOS-Switch 16.08
Ease of use
• Dynamic Segmentation 2.0:
  – Simplicity - No need to coordinate VLANs between switch and controller
  – Traffic Isolation - Client traffic isolation with Role Policy on the Controller
  – Visibility - Tunneled clients visualized on AirWave, Controller and Switch
• Dynamic Segmentation over IPv6: User-based tunneling working in an IPv6-only deployment
• User Role Improvements: Device attributes in DUR for deployment simplicity
AAA
• Configurable order and priority of Authentication: Choose order of authentication between dot1x and MACAuth and have LMA as fallback
• Bypass Auth. for VoIP phones: Use CDP and LLDP information to identify and bypass auth. for VoIP phones
• TACACS over IPv6: Support for TACACS over a v6-only network
• Increased Local User Roles: To help in deployments with 3rd party RADIUS servers
L2
• UFD Enhancements: Object tracking for Uplink Failure Detection
• SmartLink Enhancements: Use the number of links on LACP to trigger a SmartLink failover
New Features in ArubaOS-Switch 16.08
Automation
• Additional REST APIs: Additional REST APIs needed for Campus & Branch deployments
• AAA for REST: REST APIs can use RADIUS/TACACS server instead of per-device passwords
• Simplified ClearPass certificate download: Validating CPPM server before downloading policies and multiple client and port based options via Downloadable User Roles
Manageability
• AirWave ZTP over OOBM: Reach AirWave via OOBM ports on both v4 and v6 networks
• Monitoring enhancements for Aruba Central: Improved visibility into device status and PoE monitoring.
• GUI Configuration on Central: LACP, STP, Port security, Routing features are now available on Central GUI
ArubaOS-Switch 16.07 and 16.08 Software Release
Management
Aruba AirWave
Policy
Aruba ClearPass
Zero Touch
Provisioning
Cloud Mgmt.
Aruba Central
Wireless Optimized
& Integrated
16.01 - 16.02 16.03 – 16.04
Server-initiated Captive Portal
Port Bounce via CoA
Local User Roles
MAC auth user visibility
Configuration, management, and monitoring
Firmware Upgrade, Template based config management
Zero Touch Provisioning (ZTP) with AirWave using DHCP
ZTP with Aruba Activate**
IPSec for mgmt traffic**
Support for 2540
Partial Config (CLI
Window)
Topology View ++
Activate firmware
upgrade
IPsec for Private Cloud
ZTP for 2930F VSF
Static IP User
Visibility
Downloadable User
Roles
Support for 2920 and 2930F
Config. & management from
the cloud
Rogue AP detection with IAP
Device Profile: auto configure VLAN, PoE priority/power etc.
Per-port Tunneled Node **
Trust QoS
Support for 2530,
2540, 2930M and
3810M
Custom Certificates
16.05 – 16.06
Config push without reboot
Topology View with LACP and
MSTP ++
v6 ZTP with AirWave
Advanced Threat Detection
PUTN + DUR Enhancements
Device Fingerprinting
Net-destination & Net-services
with DUR
Config push and rollback
without reboot
Support for 5400R VSF
and 2930M Stacking
Per-user Tunneled Node
Device Profile with 3rd
party devices
HPE Confidential
Better ZTP using HTP
HTTP Proxy support for Central
Aruba APs on Tunneled Node
IPSec Tunnel to Secondary
Controller
16.07 – 16.08
v4 & v6 ZTP with AirWave on OOBM
Simplified onboarding to Central on
Web GUI
Support for 2930F & 3810M stacks
GUI Config – LACP, STP, Routing, Port
Security
Monitoring – Faceplate, PoE & VLAN
Auto CA certificate download
Device Attributes for DUR
Dynamic Segmentation Visibility
Enhancements
** Activate is not supported in 2620; IPsec is not supported in 2530, 2620; Tunnel node is not supported on 2530, 2620 or 2540
++ No changes needed on switch software to support this feature – shows alignment of switch software with AirWave releases
Dynamic Segmentation
Enhancements
Dynamic Segmentation over v6
Support for new High Power PoE Aruba 2930M Switch Series
New Aruba 2930M models with up to 60W PoE per port:
– Aruba 2930M 40G 8 Smart Rate PoE Class 6 1-slot Switch (R0M67A)
– 36 1GbE ports; 8 Smart Rate ports (1, 2.5, 5, 10GbE); 4 dual personality ports (1SFP, 1G BASE-T – includes PoE)
– Aruba 2930M 24 Smart Rate PoE Class 6 1-slot Switch (R0M68A)
– 24 Smart Rate ports (1, 2.5, 5GbE)
2930M is a layer 3 switch series that is easy to deploy, manage, and secure with a consistent
wired/wireless experience, and is ideal for enterprise edge, midsize and branch offices. It offers
modular stacking, modular 10GbE, 40GbE, or Smart Rate multi-gigabit ports, hot-swappable power
supplies for redundancy, and up to 60W PoE per port (up to 1440W PoE total).
HPE/Aruba Confidential – Share Under NDA ONLY
All front panel ports are able to push up to 60W of PoE per port**
* Back of all 2930M switches include 2 modular power supply slots, 1 stacking module slot and 1 modular uplink slot
** For 1440W PoE, 2x JL087A Aruba X372 54VDC 1050W 110-240VAC Power Supplies must be installed
New Higher Power PoE Devices Drives New IEEE Standard
Why? More power without an electrical outlet. Devices: Security cameras - New APs with power forwarding – Lighting
Year: 2003 | 2009 | New higher power standard (in 2018)
Standard: IEEE 802.3af | IEEE 802.3at | IEEE 802.3bt
Acronym: PoE | PoE+ | No consistent acronym. Proprietary implementations: UPoE, PoE++
Classes: Type 1 | Type 2 | Type 3 | Type 4
Pairs: 2 pairs | 4 pairs | 4 pairs | 4 pairs
Power: 15.4 W | 30 W | 15.4 W | 30 W | 60 W | 100 W
Future Proof With More Speed and PoE Over Existing Cabling
Be prepared with HPE Smart Rate Multi-gigabit Ethernet (IEEE 802.3bz) and 60W of PoE (IEEE 802.3bt)
40GbE
High Performance
APs
1, 2.5, 5, 10 GbE (varies by device)
Faster Simple Future proof
IoT
Power Users
10GbE
Up to 30 or 60W of PoE per port
• A new page on the Switch Web GUI helps monitor the Aruba Central onboarding process
• A single button to turn on Central ZTP hides complexity and takes the switch to Central regardless of current config state
• Contextual help provides the next steps in case the device has issues either with Activate or Central
Ideal for customers migrating from Web GUI to Aruba Central for management
Aruba Central Onboarding Support on Switch Web GUI
Aruba Central stacking support for Aruba 2930F and 3810M
Benefits
• Simplified management for common use case at branch offices
• No longer have to manage the switches individually
2930F and 3810 Support
• Requires ArubaOS-Switch 16.07 and Central 2.4.6
Aruba Central
Aruba Central Support for Aruba Switches
Switch | Single Switch Management via Central Web GUI or Template Config Groups | Switch Stack Management via Central Template Config Groups
2530 | Yes | Not applicable
2540 | Yes | Not applicable
2920 | Yes | Yes
2930F | Yes | Yes (with 16.07 and Central 2.4.6)
2930M | Yes | Yes
3810 | Yes | Yes (with 16.07 and Central 2.4.6)
5400R | Yes (with Template Config Group Only) | Yes
Dynamic Segmentation Enhancements
Simplified Network Implementation
• Remove VLAN coordination between controller and switch as a pre-configuration requirement
• Enable controller policy to enforce broadcast and multicast client isolation
Visibility Enhancements
• Representation in the controller GUI of tunneled clients
• Aruba AirWave tunnel clients view, switch to controller visibility
Client traffic isolation - Policy for IoT
• Single controller – Role Based Policy
• Cluster – IP and L2 based ACL for client isolation
Better Visibility for Dynamic Segmentation Solution
Aruba AirWave
• Tunnel Client UserID, switch name, switch interface, authentication method, client data path controller
Aruba Controller
• Dynamic Segmentation Client details in GUI
• Additions from Switch: Auth Method, port string
Aruba Switch
• Client IP visibility
• Tunnel health enhancements
• Show controller supplied client attribute
Dynamic Segmentation Secures, Simplifies and Unifies Access
KEY USE CASES
Secure IoT Devices
Dynamically segment IoT traffic in secure tunnels to protect the IoT traffic and protect critical
clients’ traffic.
Better, Consistent User Experience
Centralized, unified role-based policy, authentication and enforcement deliver the same policy
and a consistent user experience wherever the user or IoT device is and however they connect
(wireless or wired).
Simplify Operations
Save time and reduce configuration errors by eliminating manual, static configurations of VLANs
and ACLs on switches by dynamically applying unified wired and wireless policies and advanced
services anywhere in the network. No new networking skills required!
Ensure Branch Security
Utilize ZTP for switches and tunnel specific wired (per port) traffic to a controller with Firewall - great
for retail PCI compliance, remote education satellite research campuses or healthcare facilities.
Use Built-in Controller Security Services
Take advantage of the Aruba mobility controller and branch gateway’s built-in security features such
as Firewall, packet inspection and fingerprinting for wired and wireless traffic.
Overlay Architecture Solution
Enables smooth integration with existing segmentation such as VLANs, which means no ripping and
replacing of the entire switching infrastructure.
Solution Requirements:
Aruba 2930F, 2930M, 3810 and 5400R Campus Switches (Requires ArubaOS-Switch 16.04 or later)
Aruba Mobility Controllers with AOS 8.1
Aruba Branch Gateways with ArubaOS 8.4 and Aruba Central 2.4.3
Aruba ClearPass Policy Manager
Device Attributes in User Roles
• Downloadable User Roles (DUR) will allow additional client attributes as well as device attributes to address common deployment scenarios
• Example CLI:
    aaa authorization user-role name "test"
       vlan-id 200
       vlan-id-tagged 201-456
       reauth-period 120
       cache-reauth-period 360
       device
          port-mode
          poe-alloc-by-class
          poe-priority critical
          admin-edge-port
          exit
       exit
• Note that device attributes are applied per-port and not on a per-client basis
Tagged VLAN IDs
Allows multiple tagged VLANs to be associated with a particular client. Useful for AP deployments.
Port Mode
Authenticates only the first client on the port and bypasses authentication for subsequent clients. Useful for AP deployments.
PoE Alloc By Class
Assigns the PoE class for a device. This prevents the device from requesting more PoE power than what is allocated by the power class.
PoE Priority
Sets the PoE priority for the device. APs typically will be set to “critical”.
Admin Edge Port
Sets the port to a downlink, resulting in faster port bring-up.
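An added example, not part of the original presentation and not Aruba tooling: a small Python parser for the user-role CLI shown above that lists the roles whose device block sets port-mode, the attribute that applies to the whole port and lets later clients on it skip authentication. The sample configuration is constructed; the "printer" role and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: "test" mirrors the slide's CLI; "printer" is a made-up role.
SAMPLE_CONFIG = '''\
aaa authorization user-role name "test"
   vlan-id 200
   vlan-id-tagged 201-456
   reauth-period 120
   cache-reauth-period 360
   device
      port-mode
      poe-alloc-by-class
      poe-priority critical
      admin-edge-port
      exit
   exit
aaa authorization user-role name "printer"
   vlan-id 300
   exit
'''

ROLE_RE = re.compile(r'^aaa authorization user-role name "([^"]+)"$')

def parse_user_roles(config):
    """Return {role: {"client": {...}, "device": {...}}} from config text."""
    roles, role, scope = {}, None, "client"
    for raw in config.splitlines():
        line = raw.strip()
        match = ROLE_RE.match(line)
        if match:
            role = roles.setdefault(match.group(1), {"client": {}, "device": {}})
            scope = "client"
        elif role is None or not line:
            continue                    # blank line or line outside a role block
        elif line == "device":
            scope = "device"            # nested block of per-port attributes
        elif line == "exit":
            if scope == "device":
                scope = "client"        # first exit closes the device block
            else:
                role = None             # second exit closes the role
        else:
            key, _, value = line.partition(" ")
            role[scope][key] = value or True   # bare keywords become True
    return roles

def port_mode_roles(roles):
    """Names of roles whose device block enables port-mode."""
    return sorted(n for n, r in roles.items() if r["device"].get("port-mode"))
```

Run against an exported configuration, `port_mode_roles(parse_user_roles(text))` gives the list of roles to review before they are assigned to ports that are not dedicated AP uplinks.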
AAA Enhancements
Configurable Order & Priority of Authentication
• Users can assign an order of Authentication between 802.1x and MACAuth.
• Instead of running multiple authentication methods at the same time, the switch will follow
the order and, if both methods fail, will default to Local MACAuth if it is configured.
• Apart from order, the priority can also be set. For example, MACAuth can be tried first before
dot1x but dot1x has higher priority. This is useful in deployments where clients have to first download the supplicant after authenticating via MACAuth.
Authentication Bypass for VoIP Phones
• This feature is for customers who want to bypass authentication for their VoIP phones but still want the PC
behind the phone to go through authentication.
• The switch uses CDP or LLDP packets to identify VoIP phones and automatically bypasses
authentication for such devices but enforces authentication for other clients on the same port.
AAA Enhancements
Increased Local User Roles
• Increased number of Local User Roles to support deployments with 3rd party RADIUS servers
• 16.08 will allow for up to 512 local user roles to be created, which can be used by the
RADIUS server to download VSAs with the Local User Role specified
• Note that because TCAM resources are fixed per platform, an increase in user roles does not
increase the TCAM resources but only reallocates how those resources are used
TACACS+ over v6
• With 16.08, both RADIUS as well as TACACS+ are supported over v6 networks
Manageability Enhancements
AirWave ZTP over OOBM (v4 and v6)
• 16.08 allows switches to use the OOBM to check-in with AirWave
• Applies to v4 and v6-only networks. AW parameters need to be made available via DHCP
vendor options.
AAA for REST
• REST customers don’t have to rely on per-device passwords and can now use a RADIUS
server for centralized authentication for their scripts.
• Improves the security posture of the deployment by eliminating per-switch passwords.
Simplified Aruba ClearPass CA Certificate Download
• Improved process where the switch automatically downloads the CA root cert from the ClearPass server during ZTP
• No out-of-band process needed to load ClearPass CA root certificate on the switch
• Adding the keyword “clearpass” to “radius-server host <ipaddr/fqdn>” makes the switch check in with ClearPass and automatically download the server certificate over HTTP
• If the Certificate Authority (CA) changes, the command “crypto ca-download usage clearpass force” needs to be issued to download the new CA root certificate
Features (platform columns): 5400R/v3 (KB); 5400R (Compat. Mode with v2 blades); 3810 (KB); 2930M/F (WC); 2920 (WB); 2540 (YC); 2530 (YA/YB)
Support for 802.3bt (60W PoE): 2930M only
Central onboarding on Web GUI: X X X X X
Central support for 3810M & 2930F stacks **: X; 2930F only
Platform Support Matrix – ArubaOS-Switch 16.07
** Note that with the above additions in 16.07 and Central 2.4.6, all stacking capable AOS-Switches are supported in Central Template Config including:
• 5400R VSF (up to 2 members)
• 3810 BPS (up to 10 members)
• 2930M BPS (up to 10 members)
• 2930F VSF (up to 8 members)
• 2920 BPS (up to 4 members)
Features (platform columns): 5400R/v3 (KB); 5400R (Compat. Mode with v2 blades); 3810 (KB); 2930M/F (WC); 2920 (WB); 2540 (YC); 2530 (YA/YB)
Increased Local User Roles (512): X X X X
Configurable order and priority of authentication methods: X X X X X X
Dynamic Segmentation Enhancements **: X X X
User Based Tunnels over v6 ^: X X X
TACACS+ over v6 (Data and OOBM): X X X; Dataport only for 2930F; Dataport only
v4/v6 ZTP over OOBM #: X X X; 2930M only
ClearPass automatic CA cert. download %: X X X X X
Device Attributes in User Roles: X X X X X
Object Tracking for Uplink Failure Detection: X X X X X
LACP with minimum active links: X X X X X
Auth. bypass for VoIP phones: X X X X X
AAA for REST: X X X X X
Platform Support Matrix – ArubaOS-Switch 16.08
** Needs AOS 8.4 and AirWave 8.2.8
^ Needs AOS 8.4, AirWave 8.2.8, ClearPass 6.7 or better
# Needs AirWave 8.2.8
% Needs ClearPass 6.7.8
Zero Touch Provisioning
Auto-config for VLAN, QoS, PoE priority
Full, open REST APIs
Aruba Network Analytics Engine at the core
Aruba Campus Switching Advantages
Automated and Simple
Secure and Unified
Dynamic Segmentation secures with Aruba Controllers, Services and ClearPass
Unified Policy with Unique Aruba ClearPass Integration with User Role and Captive Portal
Flexible Single View
Multi-vendor Aruba AirWave for configuration, mgmt. and monitoring
Cloud-based Aruba Central for single view of WLAN and switching
Flexible management choice with same hardware
Industry leading TCO with no software licensing
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Aruba, a Hewlett Packard Enterprise company. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties or merchantability or fitness for a particular purpose.
HPE (Aruba) Receives the Highest Score in 5
out of 6 Gartner Critical Capabilities Use Cases
Source: Gartner Critical Capabilities for Wired and Wireless LAN Access Infrastructure
August 2018 – Christian Canales, Tim Zimmerman, Bill Menezes, Mike Toussaint
ID Number: G00316060
Resources
• Aruba Switch Software: https://www.arubanetworks.com/products/networking/switches/software/
• Aruba Support Portal for Software, Documentation and more: https://asp.arubanetworks.com/
• Learn more Aruba campus switches
Thank You