Sunday, June 27, 2010

Scaling Branch Office Wireless LANs



The primary challenges associated with branch office WLANs are the cost and complexity of deploying WLANs in a large number of branch offices, centrally managing a large number of branch offices distributed across a Wide Area Network (WAN) and keeping users connected to the branch WLAN even when the WAN link goes down.

Self-configuring Mobility Controllers for Automated Large-scale Deployments

Branch offices typically lack skilled IT personnel to set up and operate secure WLAN networks. Yet, users expect a consistent and secure mobility experience regardless of their location. To deliver a consistent user experience at the lowest operating cost for a branch WLAN, mobility controllers must provide simple self-configuration. This capability allows for the mobility controller to be centrally provisioned and drop shipped to a branch location for plug-and-play operation.

Self-configuring mobility controllers dynamically obtain an IP address from the branch firewall/router or broadband access provider using a built-in DHCP client or a PPPoE client. Upon obtaining the IP address from the network, the local branch controller automatically synchronizes its configuration with a centrally located configuration server (master mobility controller). This capability allows a non-technical employee to bring up a secure WLAN by simply plugging the mobility controller into the branch network, eliminating the cost and hassle of sending skilled IT staff to branch offices.

Automating configuration of branch office wireless LANs drastically cuts the total cost of deployment and is a critical first step in enabling a large-scale branch WLAN deployment.

Centralized Management for Thousands of Distributed Branches

As the number of branch office WLANs increases, a scalable centralized management system becomes imperative to keep operating costs from skyrocketing. The centralized management system must not only deliver a full suite of network management tools, including configuration, monitoring, reporting and troubleshooting, but also be able to scale to thousands of distributed branches without requiring the use of multiple management systems.

A hierarchical approach is the only way to scale to such large numbers and maintain a single point of centralized management. A single master mobility controller in a hierarchical model manages several hundred local mobility controllers. A master controller delivers global configuration updates and monitors all local controllers under its control. Multiple master controllers are monitored together from a single mobility management system in order to deliver a global view of the entire system, resulting in unprecedented scalability for distributed mobile enterprises. 

Figure 5. Hierarchical Management Model Scales to Thousands of Distributed Branch Offices

Resilient, Secure WLAN Connectivity for Continuity of Branch Operations

Secure WLAN connectivity using WPA or WPA2 requires an always-on connection to back-end AAA services, which tend to be centralized in a datacenter across the WAN. If the WAN link to the centralized AAA server goes down, local branch office operations are impacted; users are unable to print to local printers or access local file services at the branch offices. These limitations are unacceptable for most enterprises. The wireless LAN must be resilient and continue to offer secure connectivity, even when the WAN link to the central AAA server is down. The user expectation is for continuous local branch network operation.

Some work-around options available today require administrators to manually configure local AAA services on branch office routers as a failover option when the WAN link goes down. However, this configuration is not synchronized with the central AAA server and requires significant manual administration. If automatic synchronization of local and central AAA servers is an option, it requires a single vendor solution, which is often unfeasible, especially when corporate mergers and acquisitions have brought together a host of department-level AAA service implementations and user directories that must be federated together to create a seamless AAA infrastructure. Furthermore, locking down a branch to a specific AAA server defeats the very purpose of mobility: allowing any user to show up at any location in the distributed enterprise and enjoy a consistent user experience.

Figure 6. AAA FastConnect Credential Caching – Users can connect even when the WAN link is down

AAA FastConnect, discussed earlier as a means of scaling campus AAA services, also offers a unique solution to the challenge of scaling branch AAA services. With AAA FastConnect, branch office controllers have the ability to locally cache user credentials the first time a user logs into the network. All subsequent connection attempts by the user are locally authenticated by the branch office mobility controller. This enables resilient access to the WLAN even when the WAN link goes down. Since AAA FastConnect caches user credentials in the form of an encrypted cookie, they are completely secure, even if the branch office controller is compromised. In addition, AAA FastConnect has the ability to interface with all industry-leading AAA servers, making it easy to integrate mobile users into federated and multi-vendor AAA infrastructures.
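To make the caching behaviour described above concrete, here is an added illustration (not the whitepaper's or Aruba's code) of a branch authenticator that consults central AAA while the WAN is up, stores a salted verifier on success, and falls back to that verifier, with an expiry, when the WAN is down. The central directory, the PBKDF2 verifier format and the TTL are assumptions made for this example, not a description of the vendor's actual "encrypted cookie".

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the datacenter-side AAA directory (not real users).
CENTRAL_AAA = {"alice": "correct horse battery staple"}


def central_authenticate(user, password):
    """Stand-in for the RADIUS/LDAP check normally done across the WAN."""
    return hmac.compare_digest(CENTRAL_AAA.get(user, ""), password)


class BranchController:
    """Branch mobility controller with a local credential cache.

    Assumption for this example: the cache holds a salted, iterated hash
    (a verifier) plus a timestamp, never the password itself, so a stolen
    cache entry cannot be replayed as a cleartext credential.
    """

    def __init__(self, cache_ttl=7 * 24 * 3600):
        self.cache_ttl = cache_ttl          # seconds a cached entry stays usable
        self._cache = {}                    # user -> (salt, verifier, cached_at)

    @staticmethod
    def _verifier(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def authenticate(self, user, password, wan_up, now=None):
        """Return 'central', 'cached' or 'denied' to show which path decided."""
        now = time.time() if now is None else now
        if wan_up:
            # Normal path: central AAA decides; refresh the cache on success.
            if central_authenticate(user, password):
                salt = os.urandom(16)
                self._cache[user] = (salt, self._verifier(password, salt), now)
                return "central"
            self._cache.pop(user, None)     # central rejection evicts stale entries
            return "denied"
        # WAN down: fall back to the local verifier if one exists and is fresh.
        entry = self._cache.get(user)
        if entry is None:
            return "denied"
        salt, verifier, cached_at = entry
        if now - cached_at > self.cache_ttl:
            return "denied"                 # expired: force re-auth when WAN returns
        if hmac.compare_digest(self._verifier(password, salt), verifier):
            return "cached"
        return "denied"
```

The first successful login must happen while the WAN is up; only then does the branch have anything to fall back on during an outage.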

Scaling Telecommuter Wireless LAN Connectivity

Telecommuters increasingly demand access to corporate VoIP and data resources from their home offices. The requirement is for a simple and secure solution that users can just plug into their home networks to gain instantaneous, secure access to the corporate network over the Internet. However, telecommuter wireless LAN deployments have depended on either difficult-to-manage, stand-alone enterprise access points or completely unmanaged, highly vulnerable consumer access points.

Similar to the telecommuter WLAN requirement, there is an ever-increasing need for nomadic offices, which require setting up temporary networks that last for a few weeks, a few days, or even just a few hours. This is a very common and critical requirement in the construction industry, where access to corporate resources is needed from remote building sites. Tradeshows are another example of a nomadic office where multiple users need secure access to corporate resources from the show floor.

Figure 7. Remote APs Instantly Create Secure Enterprise WLANs for Telecommuters

Remote Access Points (APs) deliver the benefit of securely and easily extending enterprise WLANs to home offices and nomadic office locations. Remote APs are plug-and-play devices that require only very basic one-time provisioning by the IT department. Once provisioned to discover the central mobility controller over the Internet, remote APs allow mobile workers to take the enterprise wireless LAN with them wherever they go, securely accessing corporate VoIP and data services from any location. Large deployments of remote APs are possible at the lowest operational and capital costs since they are simple, secure and plug-and-play.

Hernández Caballero Indiana
Subject: CRF
Source: http://www.wit.co.th/pdf/Aruba/Scaling-Enterprise-Wireless_LAN.pdf
