Wednesday, November 7, 2012

Sniffapalooza Lisbon 2012! #SniffaLisbon

Soon I will be on another Sniffapalooza adventure! You probably have no idea what I'm talking about, and that's ok. I'll be tweeting with the hashtag #SniffaLisbon, so you can follow the madness (or not).
Sniffapalooza is an event-based group of fragrance aficionados that originated in New York City and now unites perfume passionatas from around the world. What started as a small group of women getting together to shop and share their enthusiasm for fragrance has grown into a phenomenon that has attained international recognition through TIME Magazine, Allure, CBS MarketWatch, The Wall Street Journal, The New York Times, Women's Wear Daily, Glamour, Brigitte (Germany), WWD BeautyBiz, and many others.
(It's kind of like Tech Field Day, but think perfume not technology)

The two ladies behind Sniffapalooza, Karen Adams and Karen Dubin (with travel arrangements made by Kathy Wachter from Travel Exchange), have organized an excursion to Lisbon, Portugal!

We'll be staying at the Hotel Mundial for eight days and our itinerary looks something like this:

We'll be visiting niche perfume boutiques, as well as hearing presentations from Portugal-based fragrance companies. The first Sniffapalooza trip I took was to Barcelona last year, and it was fantastic! I'll be taking tons of photos (analog and digital) and smelling so many wonderful things (those are harder to capture).

Monday, November 5, 2012

The Hotspot, the Throughput and the Gateway #Cisco #WFD3


Sujit Ghosh (TME Manager) set the stage and introduced us to Bob Friday, CTO in WNBU. He outlined the topics that would be covered as:
  • Hotspot 2.0
  • 802.11ac
  • Bonjour Gateway
  • Cisco's Application Visibility and Control (AVC)
Bob Friday kicked off the discussion of Hotspot 2.0 by stating that interoperability is the key word going forward. There are a great many startup companies working to enable information sharing seamlessly. 

Detect, Connect, Engage: bringing enterprise security into the public Wi-Fi space for the first time. 
The Samsung Galaxy was one of the first devices certified on the same day that the Wi-Fi Alliance made Hotspot 2.0 certification available. He mentioned that he is meeting more with marketing personnel at companies rather than the engineering staff. The momentum is to monetize access to the Internet as well as enabling advanced features of a Wi-Fi experience. 3G offload is all about optimizing the connectivity experience of the end users. The Services Notification framework in the iPhone allows you to configure how and when you would like to be notified of events. This also allows venues to interact with your mobile device to send you relevant information aligned with your interests. In the enterprise space it is about making workforces more efficient. Streamlining workflows to cut out lost time waiting can be very meaningful to the bottom line financials.

Mark Denny and Damodar Banodkar gave us an overview of the 802.11ac specification as well as a demonstration of the throughput possibilities. 

The 802.11ac module for the 3600 series Access Point is the same form factor as the monitor module that is currently available. They're not waiting for the first clients to ship; they're working with the chip vendors to do client testing as soon as the chips are manufactured. Wave 1 of 802.11ac is 3x3:3 and will be available in Q1 of 2013. Speeds capable with 802.11ac clients and the 802.11ac module in a 3600 are 1.3Gbps PHY, 80MHz, 256QAM with optional explicit beam forming support as per the 802.11ac standard. The 3600 AP with the 802.11ac module will require enhanced PoE, 802.3at PoE+, local power or a PWR-INJ4. The module has its own independent 5GHz radio, and it will utilize the ac module just for ac capable clients. If the main radio in the AP is using 40MHz bonded channels, the 802.11ac module will use 80MHz bonded channels. If the retry counters begin to increase, the 802.11ac module will downgrade to using 802.11n rates. At that point, the internal radio will take over from the module to serve clients.

The initial form factor restricts the use of the module inside a NEMA enclosure since the antennas are integrated into the module itself. There are no external antenna options at this time, but Cisco is giving thought to this option.

Performance metrics for explicit beam-forming will be available by the end of the year; Cisco is waiting on 802.11ac client devices. The MAC throughput is calculated assuming a MAC efficiency of 70% of the defined PHY capability (194 Mbps - 845 Mbps then 2.25 Gbps). Utilizing wider channels is part of the Wave 2 timeline, coming in 2014.
The biggest use cases of 802.11ac will be medical imaging files, offloading of 2.4GHz, collaborative classrooms with HD video as well as High Density "build it and they will come" use cases. There is no information yet on roaming from 802.11ac to 802.11n and what that does to speeds/distances. This is something that will need to be tested as more 802.11ac clients become available. The plan is to use all three radios concurrently and use a channel plan accordingly. The live demonstration of the 802.11ac module and an 802.11ac client (Broadcom chipset) was very interesting to see. No one has ever seen a live demonstration of the data throughput that will be possible as 802.11ac wireless becomes widely available. The client connected at speeds varying from 700Mbps to 1.3Gbps, depending on the interference present in the environment. The AP and the client were operating on channel 36, utilizing an 80MHz wide spectrum. Using the Ixia throughput testing software, speeds of 550Mbps were achievable in a real world conference room setting. Duty cycle utilization was upwards of 80% when the 550Mbps speeds were obtained. When asked if there were any further questions, Rocky summed it up best.

Jeevan Patil, Damodar Banodkar and Sudhir Jain presented on Cisco's Bonjour Gateway solution. K-12 and Higher Ed are pushing the need for a Bonjour Gateway, due to the prevalence of Apple devices used in the classroom as learning tools, and as the students bring their iDevices from home to the dorm rooms.

The Bonjour protocol sends multicast packets which advertise and discover services offered by other client devices. It is Apple's service discovery protocol. Some customers want Apple to solve the problem of how to corral the Bonjour service on a network, but the majority of wireless vendors are taking it upon themselves to offer solutions to make the Bonjour protocol behave better in large enterprise networks. Bonjour services do not cross VLAN boundaries without assistance from the wireless infrastructure.

The Cisco Wireless LAN Controller (WLC) caches Bonjour services on the controller, then the client can be on VLAN X and ask what services are available on VLAN Y. No Bonjour services may be available on VLAN X, but the WLC can tell the client that AirPlay is available on VLAN Y. With VLAN override configured on the WLC, you can have AirPlay on a single VLAN and enable mDNS Global Snooping on the WLC and configure query status for the service name. This can be set per VLAN or per interface. The WLC can disallow or allow AirPlay, AirPrint, File Sharing or the App Store.

By snooping Bonjour the WLC can optimize delivery of multicast information. Multicast responses are unicasted to the clients requesting the service. This implementation is more efficient and does not burden the network with multicast traffic. Only the users that have the device permissions will receive the multicast information based on the locally cached information in the WLC. WLC traffic statistics show there is 80% less multicast traffic generated for four access points when mDNS snooping is enabled on a WLC. The multicast request goes all the way to the AppleTV to check for permissions. The response is unicasted back to the original requesting client.
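
A simplified model of the snoop, cache and unicast-reply behaviour described above, added here as an example and not Cisco's WLC implementation. The class names, VLAN numbers, cached records and the default-deny policy are assumptions made for illustration.

```python
"""Simplified model of a Bonjour (mDNS) gateway cache with per-VLAN policy.

Added illustration only: class names, VLAN numbers and records are
constructed, and this is not Cisco's WLC implementation.
"""
from dataclasses import dataclass

AIRPLAY = "_airplay._tcp.local"   # DNS-SD service type used by AirPlay
AIRPRINT = "_ipp._tcp.local"      # DNS-SD service type used by AirPrint


@dataclass(frozen=True)
class Advert:
    instance: str      # e.g. "Room 101 Apple TV"
    service: str       # DNS-SD service type
    vlan: int          # VLAN the advertisement was snooped on
    expires: float     # absolute expiry time (snoop time + record TTL)


class BonjourGateway:
    def __init__(self, policy):
        # policy: client VLAN -> set of service types that VLAN may discover.
        # A VLAN or service missing from the policy is denied (default deny).
        self.policy = policy
        self.cache = {}  # (instance, service) -> Advert

    def snoop(self, instance, service, vlan, ttl, now):
        """Cache an advertisement seen in multicast; a TTL of 0 is a goodbye."""
        key = (instance, service)
        if ttl == 0:
            self.cache.pop(key, None)
        else:
            self.cache[key] = Advert(instance, service, vlan, now + ttl)

    def query(self, client_vlan, service, now):
        """Return the adverts to unicast back to one client, across VLANs."""
        if service not in self.policy.get(client_vlan, set()):
            return []  # service not permitted for this VLAN: stay silent
        # Purge stale entries so a powered-off device is not advertised.
        self.cache = {k: a for k, a in self.cache.items() if a.expires > now}
        return sorted((a for a in self.cache.values() if a.service == service),
                      key=lambda a: a.instance)


def demo():
    # Constructed scenario: Apple TV and printer live on VLAN 20;
    # students are on VLAN 10, guests on VLAN 30 (no policy entry).
    gw = BonjourGateway({10: {AIRPLAY}, 20: {AIRPLAY, AIRPRINT}})
    gw.snoop("Room 101 Apple TV", AIRPLAY, vlan=20, ttl=120, now=0)
    gw.snoop("Staff Printer", AIRPRINT, vlan=20, ttl=120, now=0)
    return {
        "student_airplay": [a.instance for a in gw.query(10, AIRPLAY, now=5)],
        "student_airprint": [a.instance for a in gw.query(10, AIRPRINT, now=5)],
        "guest_airplay": [a.instance for a in gw.query(30, AIRPLAY, now=5)],
        "after_expiry": [a.instance for a in gw.query(10, AIRPLAY, now=200)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
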

Cisco was a sponsor of Wireless Field Day 3. As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 3. In addition, they provided me with an OGIO duffle bag containing a Cisco 3602 Series Access Point. They did not ask for, nor were they promised any kind of consideration in the writing of this review/analysis. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone.

Friday, November 2, 2012

Multicast and Stadiums and ClearPass, Oh My! #Aruba #WFD3

Our visit to Aruba started off with the delegates gathered in the Aruba proof of concept (POC) lab where Paul Curto gave us the overview on Aruba's BYOD and mobile app solution. Aruba presented us with live demonstrations of multicast video streaming and BYOD solutions for multiple types of devices as well as high density deployments in stadium environments. I had to re-watch the video playback to take notes on the presentation after the fact since we didn't have access to our laptops while we were seated in the POC lab.

The roaming behavior of mobile devices tends to be more sticky, but there are some variances in devices. Mobile apps that are multimedia heavy and latency sensitive are Microsoft Lync, Citrix XenDesktop or Apple Facetime. Apps that are primarily data and bandwidth hungry are Dropbox, and Apple iCloud. For example, Dropbox uses 75% of the available upload bandwidth and will download at the fastest speed available.

The top 5 requirements for mobile devices according to Aruba:

  • Need to allow for any device
  • Need to ensure network security
  • Need to maximize airtime for each device
  • Need to clear the air from unnecessary traffic (i.e. converting multicast to unicast)
  • Need to deliver QoS to the individual mobile apps

Not all iPads are created equal:

  • iPad1 26Mbps up, 36Mbps down
  • iPad2 35Mbps up, 40Mbps down
  • iPad3 46Mbps up, 46Mbps down

Aruba's testing team had difficulty sustaining the 65Mbps link rate with the iPad 1 and 2 unless a large file transfer was in place. The iPad 3 Wi-Fi chipset seems to be more optimized for throughput than for range. The testing was performed with the local power connected. Per Gregor, he's seen a lot of difference in testing with the power not connected and most users will run their devices without power applied directly. Your mileage may vary.

Examples of use case policies that Aruba can apply to client devices are: upload/download bandwidth limits, blacklisting and log per policy violations, time of day restrictions, two factor authentication, and redirecting to security services.

Cell size reduction limits the receive sensitivity of the access point to other access points on the same channel to reduce co-channel interference. SSID based airtime allocation can distribute the use of airtime across SSIDs based on a percentage value. The dynamic rate adaption continues to use the higher data rates for 802.11 retries in cases where the client has a high SNR value, rather than ratcheting down the connection to a lower data rate for client retries.

To optimize the use of airtime, Aruba recommends using Proxy ARP (ARP responses are sent at 802.11n rates and only from one AP), Multicast Rate Optimization (multicast sent at lowest rate of association) and Traffic Filtering (filter out selected multicast, broadcast and peer-to-peer traffic flows).

Bala Krishnamurthy (Senior TME) presented us with a demonstration of Wi-Fi Video stream scaling using typical BYOD devices, including the use of typical cloud and UCC applications (WebEx and Lync).

Aruba does multicast to unicast conversion in two different ways. One is Dynamic Multicast Optimization (DMO), where the conversion happens at the controller, and the other is Distributed Dynamic Multicast Optimization (DDMO), where the conversion happens at the access point level. The reason for the two options is that customers who require centralized encryption can use DMO, and customers who do not require that can use DDMO. They demonstrated a multicast stream to 40 devices connected to one access point, one SSID broadcasted on the 5GHz frequency, streaming a 5MBps video without pixellation or video artifacts. During the video stream to the laptops, several of the delegates noticed video artifacts occurring intermittently on a few of the client devices, and it is not known what codec was used for the video that was streaming. Preferred access can be configured to allow faster clients to use more of the airtime available.

Chuck Lukaszewski (Sr. Director of Outdoor Solution Engineering) gave us the run down on Ultra-High Density Connected Stadiums. The Aruba Validated Reference Design (VRD) document for High-Density Networks can be found here.

The common technical requirements for an Ultra-High Density Stadium deployment are:

  • Uncontrolled mix of device types, OSes, driver levels and radio types
  • Multiple devices per person
  • Per-user bandwidth needs can easily exceed what is allowed by Vendor and RF physics
  • Simultaneous data plane spikes during events
  • Inrush/outrush demand increases load on network control plane, address space 
  • Power save behavior also loads control plane
  • Most devices limited to 1x1:1 HT20 operation (limits client connections to 65Mbps)
  • Customer traffic needs to be separate from operational or other vendor traffic
  • Offload needs to happen in a transparent way
  • Wi-Fi networks need to be optimized to support video and other high bandwidth/latency sensitive applications

The common misconception is that you just need to add more APs to support the high density client load. The number of RF channels available determines the capacity of users that can be supported. A 3 to 1 ratio of associated to concurrent users is recommended in high density deployments. One complete RF solution is recommended for the stadium so that there is not contention between the parallel networks. 

There are three basic ways you can cover a stadium with RF: overhead coverage, wall installations or under-floor installations. Aruba has a new VRD for outdoor MIMO designs with an appendix specific to stadium use cases. When deploying picocells you need to be more concerned with the radius of the interference source relative to the client device. When mounting APs under concrete, older concrete stadiums are easier to send signal through due to the lack of moisture still retained within the concrete structure. One should enable multicast rate optimization, IGMP snooping and Dynamic Multicast Optimization for video, and eliminate low legacy data rates to reduce rate adaptation. IPv6 has not been a requirement for any of the stadium deployments that Aruba has done to date.

Cell Size Reduction (CSR) is a new feature available in Aruba code where the receive sensitivity of the AP can be adjusted to reject the interference from co-channel sources outside the high-density coverage area. CSR can also provide some immunity to adjacent channel interference (ACI) sources within the same auditorium or high-density environment. It is also referred to as the "ear muff" feature. In a high density deployment you should not use bonded channels because a lot of devices are not capable of using bonded channels and you can get more throughput from an un-bonded RF environment. The antennas that were used at Turner Field in Atlanta. Indoor arenas are more difficult to put high-density RF into than open stadiums, and the AP that is recommended for stadiums is the AP 135.

Carlos Gomez gave us the rundown on how Aruba has progressed since Wireless Field Day 2. Then he demonstrated Profile using the Aruba corporate network. He went over ClearPass and explained that it is multi-vendor and completely interoperable with other vendor solutions, not just 802.1x compliant. ClearPass can also deal with headless devices such as printers, cameras and VoIP telephones.

Policy Definition Point (PDP)
To start finding devices on the network, you simply put DHCP helper IP addresses into the ClearPass Policy Manager. You can also use CDP, LLDP and SNMP to discover devices. The device fingerprinting database is currently not editable, but you can forward information to Aruba in order to help update the database. The discoverable devices can be profiled on any vendor's technology, even when connected via VPN.

ClearPass has a built-in certificate authority, with full context search (username, serial number etc.) within the certificate. ClearPass can also support being an intermediate Certificate Authority.

The endpoint table can be fed information from an MDM provider to begin to build a policy derivation security workflow (this was released with the 6.0 ClearPass update). Aruba is working with many different MDM vendors, since the list of MDM solution providers is still developing.

ClearPass has built-in authorization capabilities with AD/LDAP, and can configure Wi-Fi profiles, VPN, proxy, and Active-Sync configurations. The guest and visitor registration can be fully branded with information pertinent to the customer's deployment. It can support 25,000 clients on a single appliance. All ClearPass Policy Managers (CPPMs) are fully active in a single cluster; there is no need for dedicated nodes or separate personas. There can be up to 1M endpoints in a full ClearPass cluster.

Bala Krishnamurthy then demonstrated the features of the ClearPass (CP) AirGroup functionality.

AirGroup allows service discovery over L3 boundaries, can implement traffic optimization, and can restrict access control. AirPlay sends mDNS multicast announcement information at the lowest supported RF data rates, which is often a sub-optimal configuration. AirGroup has added an mDNS proxy to the Aruba controller (code version 6.1.5). Restricting access to the mDNS service requires a role based ACL on the controller (does not require ClearPass). AirGroup makes it possible to share the Apple TV with up to 10 users or you can assign the Apple TV to a group.

Controller CLI commands to obtain AirGroup information:

  • show airgroup service
  • show airgroup users
Currently the information about AirGroups that the APs are getting is applied through the CPPM; perhaps in the future it will be a template from AirWave.

Peter Lane (Sr. Product Manager) and Bala Krishnamurthy (Technical Marketing Engineer) discussed Aruba's Spectrum Analysis and 802.11ac.
Per Peter, spectrum analysis is 'viewed differently' by Aruba: they think that your network by default should be attempting to work around sources of interference. All of their APs support Adaptive Radio Management. Aruba supports dedicated spectrum monitors and hybrid spectrum monitors (105/135). They will be adding spectrum analysis to the RAP3 AP, but the Instant AP already has spectrum support (will be shipping as Instant 3.1). Monitor mode APs will show client devices detected (unlike the Cisco remote spectrum sensor when in spec mode).

The red chart made it look like the RF was really bad when the RF wasn't bad in the room. Aruba is looking at how busy the radio is from the radio driver level, and interference is any time the radio is busy and can't send or receive. They are not looking at data flows or the amount of data, just the RF.

Hybrid mode has a harder time identifying frequency hoppers since the AP is set to a specific channel. Aruba can currently classify 13 or 14 types of devices but they see the interference information as more important than identifying the actual device. The dedicated spectrum monitor AP does IDS and rogue detection; the dedicated AirMonitor mode scans based on threats. If there is activity it scans for offenders in the area where threats are detected. AirMonitor APs can also scan the 4.9 frequency and can also do containment if desired. Configuring all APs to support hybrid spectrum is recommended. All spectrum analysis information is per radio. The AP can serve clients on the 2.4GHz radio and if interference is seen it can switch over to 5GHz and serve clients there and do full monitoring on the 2.4GHz frequency. This may be disruptive to clients that only support 2.4GHz if there are not enough APs in the vicinity to support the roaming needed by the client.

The location of sources of interference can be displayed in AirWave once maps have been added, scaled and APs placed onto the floor plan. RF health reports can be run to show the 10 worst APs according to their noise floor. The Aruba APs use ARM every 10 sec for slightly under 100ms to check the other channels for rogue devices. The APs are looking for Wi-Fi interference, not non-Wi-Fi interference. Phase 1 of 802.11ac devices must support 80MHz wide channels, be 3 stream products and support 256QAM. The addition of channel 144 opens up one more band in the 5GHz for channel bonding.

Aruba was a sponsor of Wireless Field Day 3. As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 3. They did not ask for, nor were they promised any kind of consideration in the writing of this review/analysis. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone.