Mobile-First Campus Switching Introducing Aruba 8400 @Arrow Aruba Inspiration Day
Dennis Ladefoged - Systems Engineer
MODERN DESIGN PHILOSOPHY: ARUBA’S HERITAGE AND VISION
BORN IN THE MOBILE-CLOUD AND IOT ERA
SOFTWARE-DEFINED, API-FIRST
OPEN, MULTI-VENDOR
SECURITY DRIVEN
What customers need in a Mobile-First Network
Policy: unified and multi-vendor
Manageability: end-to-end and multi-vendor
Wireless: best-in-breed
Wired: optimized for wireless and IoT aggregation
Network analytics for IT, user analytics for Line-of-Business
End-to-end compelling TCO
AUTOMATED AND INTELLIGENT NETWORKING FULLY INTEGRATED ARCHITECTURE Faster detection, diagnosis, and resolution
Easy automation, control, integration
Policy Management
Unmatched network assurance
User and Entity Behavioral Analytics Cloud Networking
Immediate visibility into what’s happening
Access Network Management
Location Analytics
Core Network Controls
Location-Based Services
Aruba 8400
OLD INFRASTRUCTURE WON’T CUT IT
PROPRIETARY
INFLEXIBLE
MONOLITHIC
HARD-CODED
MANUAL
NG Core Requirements: Operational Simplicity New Differentiator Analytics and Visibility
Automation
Assurance
Programmability
Seamless Service Deployment
Differentiators
Table Stakes
Security: Infrastructure, Communication and Application Security
Full Protocol Support
High Availability
L2/L3/Multicast etc.
Virtualization VSF
Sizing – speeds/feeds /table sizes
Price/ Performance
Introducing Aruba 8400, ArubaOS-CX, and Network Analytics Engine
Aruba 8400
ArubaOS-CX
Network Analytics Engine
Optimized form factor & cost, carrier class availability, 10/25/40/100 GbE
NG Core Switch OS fully programmable w/ best-of-breed architecture & components
Native analytics & visibility to automate troubleshooting and streamline operations
Aruba 8400 – Hardware Architecture
High performance 19.2Tbps switching w/ up to 1.2Tbps per slot
Dual redundant management modules for hitless failover
OOBM, console management ports
Status LEDs for fans, power supplies and modules
High speed connection
Redundant Power supplies
32-port 10GbE w/ MACsec
8-port 40GbE module
6-port 40/100G module
N+N for hot swappable, redundant power supplies
Energy efficient 80 Plus Gold certification
Convenient bundles simplify ordering
Compact 8 slot chassis (8U)
Introducing Aruba 8400: Campus Aggregation & Core
8 RU x 66cm Depth
108 Kg populated
8 Line Card Slots
3 Fabric Card Slots
2 Management Slots
4 Power Supplies
18 Fan Modules
1.2 Tb/s Ingress + Egress Forwarding per Slot
21.6 Tb/s, virtual output queueing Dynamic Load Balanced Fabric
1.8 Tb/s Fabric Interface In + Out
99.999% Available, Redundant Passive Chassis
Front Components Power supplies
Line cards
Management modules
Line cards
Front display card
Orthogonal Connections
Rear Components
Power inlets Rear display card
Fabric modules Fan trays
Fan modules
Architecture benefits
Distributed architecture
– Crossbar vs CLOS
– The CLOS fabric can dynamically load-balance internal traffic over many paths, helping the switch support 40G/100G.
– The CLOS scheme removes the arbiter as the sole element for scheduling all traffic through the fabric, making the system much more scalable.
– The 8400 is designed around a distributed traffic architecture, which means that no traffic passes through the management cards.
– Using a distributed architecture prevents the risk of data loss or catastrophic failure in case of a management card failure.
Centralized
Distributed
CLOS Fabric Architecture (Aruba 8400)
ArubaOS-CX - Software architecture
Secure: Complete device, network, application security, and trusted infrastructure
Programmable: Open APIs for programmability using REST and Python
Extensible: Built for micro-services and integration with other workflow systems & services
Innovative: Highly available and fault tolerant, including rollback. Built-in visibility and analytics.
ArubaOS-CX OVSDB (Time Series DB)
Applications
Applications
Applications
ArubaOS-CX Meets the Challenge with Innovation
Insights APIs
Simple UI Programmability
LXC Container
Manageability Aruba Network Analytics Engine Usability Time-series database: Built-in network record
Performance
ArubaOS-CX
ArubaOS-CX overview
Diagram labels: Active, Standby, Current State Database, History Database, Monitoring Policies, Management Interfaces, Chassis Management, Protocols, Kernel sync, ASIC Sync, Virtual L2/3 Interfaces, ASIC Driver, Routing and ARP tables, Drivers, Kernel, Line/Fabric Cards, Line card, ASIC, Control HW
Legend: Fully Active, Mostly Dormant, Data, Control, State Sync, State caching
Current State Database
The entire current state of the system is in the DB
• Configuration
• Current status of all features
• Statistics
Agents of the system do not interact with each other outside of the DB.
Benefits
• High modularity – easy to extend and maintain
• Full visibility – everything is in one place
• Full programmability – everything is modeled
• Resiliency – agent that fails resyncs from the DB
• High availability – easy to sync to standby MM
Diagram labels: Active, Current State Database
High Availability
• Almost all logic runs on Active
• Active agents don’t know that standby exists
• Current state database synchronizes continuously to standby
• Standby is mostly syncing current state database
• Kernel tables are synced to speed up failover
Diagram labels: Active, Standby, Current State Database, Kernel sync, Routing and ARP tables, Kernel
Full Programmability
Supported Protocols
• HTTP REST API
• WebSockets based notifications
Future Support
• Device originated WebSocket for both configuration and notifications
Benefits
• Everything is programmable – no catchup game
• Appropriate for cloud management, local management systems, automation and scripting
Diagram labels: Active, Current State Database, Management Interfaces
Full Visibility and Monitoring
• Everything is in the database and exposed
• History can be maintained for any piece of data in the system
• Customer can write simple Python scripts to monitor any aspect of the system, alert and correct
  – “Alert if some BGP neighbor disconnects more than 2 times in 10 minutes”
  – “Notify my inventory system if bandwidth tops 90% on any interface for more than 15 minutes per day”
• External analytics can be implemented
• Full state of the network can be accumulated for later analysis
  – “Tell me what was the state of BGP on switch1 when switch2 complained about high traffic load”
Diagram labels: Active, Current State Database, History Database, Monitoring Policies, Management Interfaces, Kernel
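The first rule quoted on this slide, "more than 2 times in 10 minutes", is a sliding-window count per neighbor. The following is an added example, not code from the original slides and not the Network Analytics Engine script API: the event tuples, function name and sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60   # "in 10 minutes"
MAX_DISCONNECTS = 2        # alert on "more than 2" disconnects

def bgp_flap_alerts(events, window=WINDOW_SECONDS, limit=MAX_DISCONNECTS):
    """Return [(timestamp, neighbor)] each time a neighbor first exceeds the limit.

    events: (timestamp_seconds, neighbor, new_state) tuples in time order.
    Only a transition out of Established counts as a disconnect.
    """
    recent = defaultdict(deque)  # neighbor -> disconnect times still in the window
    last_state = {}
    over_limit = set()           # suppress repeat alerts while a neighbor stays over
    alerts = []
    for ts, neighbor, state in events:
        was_up = last_state.get(neighbor) == "Established"
        last_state[neighbor] = state
        times = recent[neighbor]
        while times and ts - times[0] >= window:
            times.popleft()      # drop disconnects older than the window
        if was_up and state != "Established":
            times.append(ts)
        if len(times) > limit:
            if neighbor not in over_limit:
                over_limit.add(neighbor)
                alerts.append((ts, neighbor))
        else:
            over_limit.discard(neighbor)
    return alerts

# Constructed sample events (documentation addresses, not real data).
SAMPLE_EVENTS = [
    (0, "192.0.2.1", "Established"), (0, "192.0.2.2", "Established"),
    (60, "192.0.2.1", "Idle"), (90, "192.0.2.1", "Established"),
    (200, "192.0.2.1", "Idle"), (230, "192.0.2.1", "Established"),
    (300, "192.0.2.2", "Idle"), (330, "192.0.2.2", "Established"),
    (410, "192.0.2.1", "Active"), (440, "192.0.2.1", "Established"),
    (1500, "192.0.2.2", "Idle"),
]

if __name__ == "__main__":
    for ts, neighbor in bgp_flap_alerts(SAMPLE_EVENTS):
        print(f"t={ts}s ALERT: {neighbor} exceeded {MAX_DISCONNECTS} disconnects in 10 minutes")
```

The `over_limit` set keeps a flapping neighbor from raising a new alert on every event while it remains above the threshold.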
Network Analytics Engine
Root Cause Analytics
Problem
Intelligent monitoring
Automated diagnostics and data collection
Rapidly drill-down to root cause
Root Cause
Monitoring & Troubleshooting Made Easy Complement to AirWave
Web UI & REST API
Complete REST API for integration
Policies can generate Syslog messages for legacy AirWave and 3rd party tools
Web UI
Intelligence and Automation
Full power of Python
Parameters for customization
Variables for persistent policy state
REST API Monitoring Policy Engine
Policy scripts
Alert level
CLI command execution
CLI command output capture
Configuration checkpoint diff capture
Syslog generation
Script function callback
Low system overhead and sandbox isolation
Switch
Condition Trigger Language Flexible Actions
Auto-generated for each policy script
– Built-in
– ASE
– Custom
Configuration and State
Scripts upload, readable, can be customized
Time Series Data
Time series data recording capability
Wide Monitoring Capabilities
• Configuration
• Protocol and System State
• ASIC Counters
• ACLs
Simple: Programmability for Network Operations…Driving Predictability
Aruba Network Analytics Engine, AI for Networking
ArubaOS-CX OVSDB (TimeSeries DB)
Python-based Agents
HPE Aruba Community
Connections
Mobile First Infrastructure
Baseline
User Community
Agents
Automate
Act
Monitor
Condition
User Interface (UX)
Network Analytics Engine
Solution
Network Analytics Engine Accessibility
Easy to Access
• Aruba Solution Exchange hub for policies
• Links to useful resources, tutorials and help
• Monitoring Policies pre-loaded on 8400
Easy to Use
• Users can modify existing Monitor Policy scripts.
• Switch GUI to upload scripts and activate policies; pre-loaded & pre-activated.
• REST interface to also manage scripts and policies
Ramping Up
• Submit requests for scripts like feature requests in the ramp up period.
• Training tools
Modern Network for Digital Business Sensors Integrated w/other sensors for maximum intelligence
Assurance Network and application assurance w/ rules based monitoring and correlation with network changes
Robust Platform
Insights & Visibility
High performance carrier class system
Real time visibility. Historic visibility with time series database
Services Delivery & Integration w/Systems Automated connectivity with other management, security and workflow systems
Automation based on Policy Powerful, yet simple tools to automate all network operator functions
Built for the Network Operator with Evolving Autonomy
Bringing it All Together
Aggregation
Core
Aruba Campus Switch Portfolio
Aruba 8400 Aruba 3810
Access
Aruba 2930F
Aruba 5400R
Aruba 2930M Aruba 2540
Aruba 2530
New IEEE 802.3bz standard for Multi-gigabit Ethernet
Continued leadership in multi-gigabit Ethernet
– May 2015: first to introduce multi-gigabit Ethernet technology with HPE Smart Rate ports
– Supports standard IEEE 802.3bz on HPE Smart Rate ports with update to ArubaOS-Switch 16.04
Flexibility
– Connect with any standard 1G and 10G ports
– Connect at 2.5G and 5G with NBASE-T or IEEE 802.3bz devices
Investment protection
– Use existing CAT 5E cable
– Interoperable with HPE Smart Rate on switches before 16.04
Stacking: Virtual Switching Framework (VSF)
5400R with VSF
Simplify network operations
Scalable performance
Increases resiliency
Available on Aruba 5400R and 2930F
• Aruba 5400R
  • Up to 2 members
  • Chain topology
• Aruba 2930F
  • Up to 4 members
  • Chain and Ring topologies
Tunnel Node for enhanced security and unified policy enforcement
Centralized role-based policy enforcement for wired and wireless
Enhanced security with traffic separated by tunnels
Use Aruba controller’s security features such as firewall, packet inspection and fingerprinting
Trust QoS
Per User Tunneled Node
Secured and flexible control of access layer
– Use Aruba ClearPass authentication and switch’s User Role to tunnel selective user/device to the Aruba Controllers
– Policies (e.g. QoS, ACL, VLAN, rate-limit) can be enforced at Tunneled Node ports
Access to Controller’s applications
– Users can access Controller’s applications such as stateful firewall and Aruba AppRF
Higher availability and scalability
– Load balance to multiple controllers for high scalability
– Stateful failover to standby management module for high availability
– Sticky controller: avoid bouncing tunneled sessions between different controllers
Aruba Controllers
Aruba AP Tunnels
5400R
2930M 3810
Available on the Aruba 5400R with v3, 3810, 2930F, 2930M
Downloadable User Roles
1. Wired or wireless user provides credentials
2. CPPM returns Role & Policy
3. Role & Policy push to the Mobility Controller or Aruba Switches
Single point of policy management
– Dynamically assigned by ClearPass at the time of authentication
Builds on top of the existing local User Roles
– Every user/device is assigned a User Role
– User Role policies include QoS, VLAN, ACL, Rate Limits
Consistent wired/wireless policy management
– Same as WLAN AP, simplify policy configuration and management
Diagram labels: BYOD, AP, Mobility Controller, ClearPass Policy Manager (CPPM), ArubaOS-Switch, PC/Laptop
“Any CLI” in REST API
CLI commands (configuration, show, and action)* can be used in REST API
– Familiar ArubaOS-Switch CLI syntax
– Enable REST support for more software features
Support in current Aruba switches
– 5400R, 3810, 3800, 2920, 2930F/M, 2540, 2530
Examples
– POST /cli {"cmd": "aruba-vpn default-gateway enable"}
– POST /cli {"cmd":"vlan 20"}
– POST /cli {"cmd": "show run"}
Diagram labels: REST API, switch CLI, REST API client
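Because the `/cli` resource accepts configuration and action commands as well as show commands, an automation client can check each command against a per-role allowlist before building the request. This is an added example, not code from the original slides or from Aruba: the role names and patterns are hypothetical, and the request shape follows only the `POST /cli {"cmd": ...}` examples on this slide.

```python
import json
import re

# Hypothetical roles and patterns (assumptions, not an Aruba feature): a role
# may send only commands that fully match one of its patterns.
ROLE_PATTERNS = {
    "monitor": [r"show [a-z0-9 \-]+"],
    "vlan-admin": [r"show [a-z0-9 \-]+", r"vlan ([1-9][0-9]{0,3})"],
}

def build_cli_request(role, cmd):
    """Return the POST /cli request for cmd, or raise if the role may not send it."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cmd):
        # A newline or other control character could smuggle a second command.
        raise ValueError("control character in command")
    normalized = " ".join(cmd.split())
    for pattern in ROLE_PATTERNS.get(role, []):
        match = re.fullmatch(pattern, normalized)
        if match is None:
            continue
        # The only pattern with a capture group is the VLAN ID: check its range.
        if match.groups() and not 1 <= int(match.group(1)) <= 4094:
            raise ValueError("VLAN ID out of range")
        return {
            "method": "POST",
            "path": "/cli",
            "body": json.dumps({"cmd": normalized}),
        }
    raise PermissionError(f"role {role!r} may not send {normalized!r}")

if __name__ == "__main__":
    # Commands taken from the slide, tried under both hypothetical roles.
    for role, cmd in [("monitor", "show run"), ("vlan-admin", "vlan 20"),
                      ("monitor", "vlan 20"),
                      ("vlan-admin", "aruba-vpn default-gateway enable")]:
        try:
            print(role, "->", build_cli_request(role, cmd)["body"])
        except (PermissionError, ValueError) as err:
            print(role, "-> rejected:", err)
```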
Protect your network with Control Plane Policing
Limit traffic going to switch CPU
– Control and protocol traffic such as MSTP, unicast and multicast control packet
Prevent overloading of CPU, protect against
– Denial-of-Service attack
– Misconfiguration
– Problems in the network
Rate Limit
User configurable rate limit
Thank you for your time…
@DennisLadefoged