Friday, November 2, 2012

Multicast and Stadiums and ClearPass, Oh My! #Aruba #WFD3

DSC05596
Our visit to Aruba started off with the delegates gathered in the Aruba proof of concept (POC) lab where Paul Curto gave us the overview on Aruba's BYOD and mobile app solution. Aruba presented us with live demonstrations of multicast video streaming and BYOD solutions for multiple types of devices as well as high density deployments in stadium environments. I had to re-watch the video playback to take notes on the presentation after the fact since we didn't have access to our laptops while we were seated in the POC lab.


The roaming behavior of mobile devices tends to be more sticky, but there are some variances in devices. Mobile apps that are multimedia heavy and latency sensitive are Microsoft Lync, Citrix XenDesktop or Apple Facetime. Apps that are primarily data and bandwidth hungry are Dropbox, Box.net and Apple iCloud. For example, Dropbox uses 75% of the available upload bandwidth and will download at the fastest speed available.

The top 5 requirements for mobile devices according to Aruba:

  • Need to allow for any device
  • Need to ensure network security
  • Need to maximize airtime for each device
  • Need to clear the air from unnecessary traffic (ie. converting multicast to unicast)
  • Need to deliver QoS to the individual mobile apps

Not all iPads are created equal:

  • iPad1 26Mbps up, 36Mbps down
  • iPad2 35Mbps up, 40Mbps down
  • iPad3 46Mbps up, 46Mbps down

Aruba's testing team had difficulty sustaining the 65Mbps link rate with the iPad 1 and 2 unless a large file transfer was in place. The iPad 3 Wi-Fi chipset seems to be more optimized for throughput than for range. The testing was performed with the local power connected. Per Gregor, he's seen a lot of difference in testing with the power not connected and most users will run their devices without power applied directly. Your mileage may vary.

Examples of use case policies that Aruba can apply to client devices are: upload/download bandwidth limits, blacklisting and log per policy violations, time of day restrictions, two factor authentication, and redirecting to security services.

Cell size reduction limits the receive sensitivity of the access point to other access points on the same channel to reduce co-channel interference. SSID based airtime allocation can distribute the use of airtime across SSIDs based on a percentage value. The dynamic rate adaption continues to use the higher data rates for 802.11 retries in cases where the client has a high SNR value, rather than ratcheting down the connection to a lower data rate for client retries.

To optimize the use of airtime, Aruba recommends using Proxy ARP (ARP responses are sent at 802.11n rates and only from one AP), Multicast Rate Optimization (multicast sent at lowest rate of association) and Traffic Filtering (filter out selected multicast, broadcast and peer-to-peer traffic flows).

Bala Krishnamurthy (Senior TME) presented us with a demonstration of Wi-Fi Video stream scaling using typical BYOD devices, including the use of typical cloud and UCC applications (Box.net, WebEx and Lync).

Aruba does multicast to unicast conversion in two different ways. One is Dynamic Multicast Optimization (DMO) where the conversion happens at the controller and the other is Distributed Dynamic Multicast Optimization (DDMO) where the conversion happens at the access point level. The reason for these two different options is for their customers that require centralized encryption they can use DMO, and customers that do not require that can use DDMO. They demonstrated a multicast stream to 40 devices connected to one access point, one SSID broadcasted on the 5GHz frequency, streaming a 5MBps video without pixellation or video artifacts. During the video stream to the laptops, several of the delegates noticed video artifacts occurring intermittently on a few of the client devices, and is not known what codec was used for the video that was streaming. Preferred access can be configured to allow faster clients to use more of the airtime available.




Chuck Lukaszewski (Sr. Director of Outdoor Solution Engineering) gave us the run down on Ultra-High Density Connected Stadiums. The Aruba Validated Reference Design (VRD) document for High-Density Networks can be found here.

The common technical requirements for an Ultra-High Density Stadium deployment are:

  • Uncontrolled mix of device types, OSes, driver levels and radio types
  • Multiple devices per person
  • Per-user bandwidth needs can easily exceed what is allowed by Vendor and RF physics
  • Simultaneous data plane spikes during events
  • Inrush/outrush demand increases load on network control plane, address space 
  • Power save behavior also loads control plane
  • Most devices limited to 1x1:1 HT20 operation (limits clients connections to 65mbps)
  • Customer traffic needs to be separate from operational or other vendor traffic
  • Offload needs to happen in a transparent way
  • Wi-Fi networks need to be optimized to support video and other high bandwidth/latency sensitive applications

The common misconception is that you just need to add more APs to support the high density client load. The number of RF channels available determines the capacity of users that can be supported. A 3 to 1 ratio of associated to concurrent users is recommended in high density deployments. One complete RF solution is recommended for the stadium so that there is not contention between the parallel networks. 

There are three basic ways you can cover a stadium with RF. Overhead coverage, wall installations or under-floor installations. Aruba has a new VRD for outdoor MIMO designs with an appendix specific for stadium use cases. Now with deploying picocells you need to be more concerned with the radius of the interference source relative to the client device. When mounting APs under concrete, the older concrete stadiums is easier to send signal through due to the lack of moisture still retained within the concrete structure. One should enable multicast rate optimization, IGMP snooping, Dynamic Multicast Optimized for video and eliminate low legacy data rates to reduce rate adaptation. IPV6 has not been a requirement for any of the stadium deployments that Aruba has done to date.

Cell Size Reduction (CSR) is a new feature available in Aruba code 6.1.3.2 where the receive sensitivity of the AP can be adjusted to reject the interference from co-channel sources outside the high-density coverage area. CSR can also provide some immunity to adjacent channel interference (ACI) sources within the same auditorium or high-density environment. It is also referred to as the "ear muff" feature. In a high density deployment you should not use bonded channels because a lot of devices are not capable of using bonded channels and you can get more throughput from an un-bonded RF environment. The antennas that were used at Turner Field in Atlanta. Indoor arenas are more difficult to put high-density RF into than open stadiums, and the AP that is recommended for stadiums is the AP 135.



Carlos Gomez gave us the rundown on how Aruba has progressed since Wireless Field Day 2. Then he demonstrated Profile using the Aruba corporate network. He went over Clear Pass and explained that it is multi-vendor and completely interoperable with other vendor solutions, not just 802.1x compliant. ClearPass can also deal with headless devices such as printers, cameras and VoIP telephones. 

Policy Definition Point (PDP)
To start finding devices on the network, you simply put DHCP helper IP addresses into the ClearPass Policy Manager to start finding devices. You can also use CDP, LLP and SNMP to discover devices. The device fingerprinting database is currently not editable, but you can forward information to Aruba in order to help update the database. The discoverable devices can be profiled on any vendor's technology, even when connected via VPN.

ClearPass has built in certificate authority, full context search (username, serial number etc) within the certificate. ClearPass can also support being an intermediate Certificate Authority.

The endpoint table can be fed information from an MDM provider to begin to build a policy derivation security workflow (this was released with the 6.0 ClearPass update). Aruba is working with many different MDM vendors, since the list of  MDM solution providers is still developing.

ClearPass has built in authorization capabilities with AD/LDAP, can configure Wi-Fi profiles, VPN, proxy, and Active-Sync configurations. The guest and visitor registration can be fully branded with information pertinent to the customer's deployment. It can support 25,000 clients on a single appliance. All (ClearPass Policy Manager) CPPMs are fully active in a single cluster, there is no need for dedicated nodes or separate personas. There can be up to 1M endpoints in a full ClearPass cluster.


Bala Krishnamurthy then demonstrated the features of the ClearPass (CP) AirGroup functionality.

AirGroup allows service discovery over L3 boundaries, can implement traffic optimization, and can restrict access control. AirPlay sends mDNS multicast announcement information at the lowest supported RF data rates, which is often a sub-optimal configuration.  AirGroup has added an mDNS proxy to the Aruba controller (code version 6.1.5), restricting access to the mDNS service requires a role based ACL on the controller (does not require ClearPass). AirGroup makes it possible to share the Apple TV with up to 10 users or you can assign the Apple TV to a group.

Controller CLI commands to obtain AirGroup information:

  • show airgroup service
  • show airgroup users
Currently the APs that are getting information about AirGroups is applied through the CPPM, perhaps in future it will be a template from AirWave.


Peter Lane (Sr. Product Manager) and Bala Krishnamurthy (Technical Marketing Engineer) discussed Aruba's Spectrum Analysis and 802.11ac 
Per Peter, spectrum analysis is 'viewed differently' by Aruba, they think that your network by default should be attempting to work around sources of interference. All of their APs support Adaptive Radio Management. Aruba supports dedicated spectrum monitors and hybrid spectrum monitors (105/135). They will be adding spectrum analysis to the RAP3 AP, but the Instant AP already supports spectrum support (will be shipping as Instant 3.1). Monitor mode APs will show client devices detected (unlike the cisco remote spectrum sensor when in spec mode).

The red chart made it look like the RF was really bad when the RF wasn't bad in the room. Aruba is looking at how busy the radio is from the radio driver level, and interference is any time the radio is busy and can't send or receive. They are not looking at data flows or the amount of data, just the RF.

Hybrid mode has a harder time identifying frequency hoppers since the AP is set to a specific channel. Aruba can currently classify 13 or 14 types of devices but they see the interference information is more important than identifying the actual device. The dedicated spectrum monitor AP does IDS and rogue detection, the dedicated AirMonitor mode scans based on threats. If there is activity it scans for offenders in the area where threats are detected.  AirMonitor APs can also scan the 4.9 frequency and can also do containment if desired. Configuring all APs to support hybrid spectrum is recommended. All spectrum analysis information is per radio. The AP can serve clients on the 2.4GHz radio and if interference is seen it can switch over to 5GHz and serve clients there and do full monitoring on the 2.4GHz frequency. This may be disruptive to clients that only support 2.4GHz if there are not enough APs in the vicinity to support the roaming needed by the client.

The location of sources of interference can be displayed in AirWave once maps have been added, scaled and APs placed onto the floor plan. RF health reports can be run to show the 10 worst APs according to their noise floor. The Aruba APs use ARM every 10 sec for slightly under 100ms to check the other channels for rogue devices. The APs are looking for wifi interference, not non-wifi interference. Phase 1 of 802.11ac devices must support 80MHz wide channels, be 3 stream products and support 256QAM. The addition of the 144 channel opens up one more band in the 5GHz for channel bonding.

Aruba was a sponsor of Wireless Field Day 3. As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 3. They did not ask for, nor where they promised any kind of consideration in the writing of this review/analysis.  The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone.

4 comments:

  1. Hi Jennifer!
    Just wanted to point folks to the Aruba Airheads Social Community to learn more: https://community.arubanetworks.com/

    Thanks!
    Jeanie
    Aruba Networks, Airheads Social Community

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. Hi Jennifer,

    I would like to ask why do you say this:
    "the older concrete stadiums is easier to send signal through due to the lack of moisture still retained within the concrete structure"

    Why do you think that older stadiums has less moisture?

    ReplyDelete
  4. Johny,

    It was explained in the presentation that the concrete in a new stadium has a lot of the water used to create the concrete still present in the structure. Older stadiums/concrete would have less water in the structure simply due to age and water evaporation.

    ReplyDelete