Campus Networks

Campus Network Solution, Design Guide-Bradford Networks Network Sentry for BYOD Solution

Posted 04-03-2013 02:59 PM, edited 04-07-2014 04:12 PM by pmadduru

Synopsis: A design guide for an integrated BYOD solution with Bradford Network's Network Sentry and Brocade’s campus network products.

 

Contents

Preface

Overview

 

With the dramatic increase in the number of mobile devices connecting to the campus network, the task of securing, monitoring and managing access to the campus network becomes challenging. A new trend, Bring-Your-Own-Device (BYOD), has grown popular but multiplies the security challenges. On one hand, campus networks that support BYOD provide the flexibility for anyone to use any client device (wired or wireless); on the other, the assumption is that the network infrastructure can intelligently secure traffic by identifying and authenticating devices and administering network access control (NAC) with minimal administrator intervention. This assumption does not always hold unless the campus network design explicitly includes a BYOD use case.

 

This guide shows how to design a BYOD solution with Brocade campus network products and Brocade partner Bradford’s Network Sentry™ appliance.

 

The Network Sentry NAC appliance provides automatic and efficient device on-boarding and monitoring of client traffic including mobile devices. This ensures uniform NAC policies for wired and wireless connections improving security without undue burden on the network administrator.

 

The following Brocade platforms are used in this solution.

  • Brocade FastIron family of switches: ICX Series, FCX Series and FastIron SX Series switches
  • Brocade NetIron family of switches: MLX Series
  • Brocade Mobility Series WLAN Access Points and Controllers
  • Brocade Network Advisor

Combined with Bradford’s Network Sentry network access control (NAC) appliance, Brocade offers cost-effective bring-your-own-device (BYOD) solutions for campus networks scaling from a small building to large metropolitan area configurations.

 

Brocade’s ICX Series and FCX Series switches support stacking for improved performance and reliability at the edge. At the campus core or distribution layer, options include the ICX 6610 stack, the SX chassis and the larger MLX chassis. The ICX series offers Brocade’s innovative mix-and-match stacking, extending Layer 3 services on a few switches to all switches in the stack. Both the ICX and FCX Series provide long-distance stacking links, permitting a single stack to extend beyond a single wiring closet.

 

Brocade’s Mobility Series of access points and controllers centralize wired and wireless management and optimize the wireless data path with direct forwarding of data traffic between access points. Brocade Mobility Controllers can be clustered for high availability and can scale up to as many as 1,024 access points per controller.

 

Integration of wired and wireless management is increasingly important as wireless device connectivity continues to grow, and integrated solutions with partner NAC appliances, such as Bradford’s, simplify network security for wired and wireless devices.

 

With a wide range of wired connectivity choices, support for 10/100/1000 Mbps Ethernet, 1, 10, 40 GbE stacking, 1/10 GbE uplinks, mix-and-match stacking, smart WAPs and scalable WLAN controllers, Brocade provides network designers with a cost-effective and flexible set of building blocks for the campus network.

 

Purpose of This Document

 

This design guide is based on Brocade’s Campus LAN Infrastructure: Base Reference Architecture. It describes how to design a Bring-Your-Own-Device (BYOD) solution using Network Sentry appliance from Bradford, a Brocade partner. The design includes two campus topologies, an advanced core/edge topology using Brocade’s HyperEdge® architecture, and a traditional core/distribution/access topology.

 

Audience

This document is intended for solution, network and IT architects who are evaluating and deploying BYOD solutions for their campus network.

 

Objectives

This design guide provides guidance and recommendations for an integrated BYOD solution with Bradford's Network Sentry and Brocade’s campus network products.

 

Related Documents

The following documents are valuable resources for the designer. In addition, any Brocade release notes that have been published for the FastIron, NetIron and Mobility operating systems should be reviewed.

 

References

 

About Brocade

Brocade® (NASDAQ: BRCD) networking solutions help the world’s leading organizations transition smoothly to a world where applications and information reside anywhere. This vision is designed to deliver key business benefits such as unmatched simplicity, non-stop networking, application optimization, and investment protection.

Innovative Ethernet and storage networking solutions for data center, campus, and service provider networks help reduce complexity and cost while enabling virtualization and cloud computing to increase business agility. To help ensure a complete solution, Brocade partners with world-class IT companies and provides comprehensive education, support, and professional services offerings. (www.brocade.com)

 

About Bradford

Bradford’s powerful and innovative security solutions are developed by a staff with years of expertise in network security and brought to market based on invaluable input received from customers. Since the company’s founding in 1999, hundreds of customers and millions of users have come to rely on our technology to secure critical IT assets and automate IT security operations.

 

With solutions that dynamically adapt to changing network conditions and continually combat network threats, Bradford addresses the security needs of a wide variety of organizations in markets including education, financial services, state and local government, healthcare, energy, retail and many others. Bradford’s innovative, award-winning products and solutions are widely recognized by industry analysts including Forrester and Gartner, as well as leading publications including SC Magazine, CRN, and others. Bradford Networks is headquartered in Cambridge, MA and is privately held.

 

Key Contributors

The content in this guide was developed by the following key contributors.

  • Lead Architect: Venugopal Nalakonda, Strategic Solutions Lab
  • Technical Author: Brook Reams, Strategic Solutions Lab

 

Document History

Date          Version   Description
2013-04-09    1.0       Initial Release

 

Reference Architecture

This design guide is based on Brocade’s Campus Network Infrastructure, Base Reference Architecture, (Campus Reference Architecture) as shown below. The Campus Reference Architecture provides a rich set of flexible, wired and wireless building blocks providing cost-effective scalability for a wide range of campus environments.

 

Figure: Campus Network Reference Architecture (Campus_RA_FullTopology.jpg)

 

The reference architecture can be applied to traditional core/distribution/access topologies spanning multiple buildings, or for a single school, hospital, or remote building using an optimized HyperEdge core/edge topology. The diagram below illustrates the range of design templates.

 

Figure: Campus Network Design Templates with Building Blocks (12240_Campus_RA_CannoicalArch#2.JPG)

 

The Brocade HyperEdge Architecture is designed to easily support integration of partner solutions such as the Bradford Network Sentry NAC appliance. The following sections review the business requirements, design requirements and special considerations for a successful BYOD solution using the Bradford Network Sentry NAC appliance.

 

References

 

Business Requirements

 

With the growth of smart phones and tablet computers and the growth of web-hosted computing platforms, many IT organizations are being pushed by users and management to deploy a flexible, secure BYOD solution in their campus network. Modern users are accustomed to the power and convenience of their smart phones and tablet computers and expect to seamlessly use them anywhere, anytime: at school, at work or off-site. For example, in healthcare, many doctors demand seamless use of their personal devices and expect unfettered access to hospital information anywhere, anytime. University students expect the campus network will support the latest portable devices they use; failure to meet that demand can adversely affect recruitment.

 

While users create a pull for BYOD solutions, there is also a push from the cost savings available if IT does not procure and maintain personal devices. With a proven BYOD solution IT not only satisfies user demand for their personal devices while at work, but eliminates the overhead of user device acquisition, support and maintenance. By shifting equipment ownership to the user, IT budgets are focused on the service delivery rather than device support.

 

The primary driver for BYOD solutions is user mobility. Users expect their personal device of choice to access all authorized resources needed for their job. BYOD solutions must secure wireless access via a range of devices, tablet, smartphone, and laptop, at all wireless WLAN Access Points (WAP) in the network. In the past, wired access was limited to a fixed desktop location. Today, a desktop computer is commonly a laptop computer with a WiFi card so users expect to undock and move their device anywhere they need to use it. Therefore, BYOD security has to extend to the wired as well as the wireless network.

 

Another key requirement of a BYOD solution is the increasing bandwidth use in the campus network. When users have multiple devices, engage in collaboration from any location using peer-to-peer connections, and access image, streaming video and video conferencing, then existing campus networks with limited bandwidth (10/100 Mbps) device connections become congested.

 

This guide helps network designers build a BYOD solution that meets the requirements for secure user mobility across wired and wireless networks, simplifies the network design, and delivers necessary network performance.

 

Special Considerations

 

Brocade networking products are designed to deliver line-rate Layer 2-3 forwarding, and provide information about traffic flows through built-in hardware-based sFlow monitors. This enables real-time delivery and analysis of network traffic to a variety of security, reporting, and compliance devices.

 

The Bradford Network Sentry NAC appliance acts as an SNMP-based Network Management System (NMS), receiving SNMP traps to detect wired client/device connections. However, for wireless devices, detection is based on the wireless infrastructure using MAC-authentication; Network Sentry has a built-in RADIUS server for identification and isolation.

 

Network Sentry requires Layer 3 connectivity to the access layer switch and attached WAPs in order to move a client from the production VLAN to an isolation VLAN, or to assign the proper VLAN access based on a role. The isolation VLAN(s) can terminate at a distribution layer switch and route back to the Network Sentry appliance, which provides network services including DHCP, DNS and RADIUS. After the initial identification and authentication, all device traffic is redirected to the appropriate production network service or blocked if the device is not authorized to connect.

 

Brocade switches have a built-in secure SNMP server with Link Up, Link Down traps that are sent to the Network Sentry appliance NMS Trap receiver. If the switch also uses SNMP for management and monitoring by tools such as Brocade Network Advisor (BNA) or other management applications, additional SNMP hosts are configured.

 

Brocade Mobility Wireless Access Points (WAP) support both MAC and 802.1X/EAP authentication for wireless security across all wireless devices.

 

Campus networks frequently are deployed using the traditional three-tier architecture: access, distribution, and core or backbone. Many existing campus networks were built with technology that was new a decade or more ago. Consequently, choke points and bandwidth limitations can be exposed by BYOD projects that require 1 GbE connectivity at the edge and PoE+ power for high-bandwidth 802.11n capable WAPs.

 

For this reason, this guide includes designs that address the requirement to upgrade the campus network beyond simply adding a NAC appliance. To help offset the cost of upgrading access switches, Brocade ICX switches and the HyperEdge architecture can eliminate the distribution tier, reducing equipment, maintenance and operating costs.

 

Technical Requirements

A successful BYOD integration is phased. Group policies and authentication rules are implemented after a careful study of the business needs. The phases of a BYOD implementation include:

 

  • Design
  • Implementation
  • Validation

Figure: Solution Design Process (Impulse_TechnicalRequirements.jpg)

 

Design

 

During design, base requirements are gathered. The existing network is reviewed and BYOD integration points (all Layer 2 / Layer 3 boundaries) are identified. Next, a complete audit of use cases with expected outcomes should be conducted during the design phase. For example, the following questions help collect the user design requirements:

 

  • What are the types of user groups that need to be managed across the network?
    Typical user groups include internal users with full access, guests with limited internet access, vendor access with potential special privileges, specialized user groups for additional categories, and unauthorized or external users.
  • What is the projected size of each user group and how rapidly do they grow?
    This metric can help define the total number of authenticated users at any given time and the expected rate of unauthorized users.
  • What degree of mobility is anticipated for each group?
    Will network access control be provided at all locations? A common limitation in providing guest access is limiting it to the lobby, or providing vendor access only in select locations based on the work they do and the departments they work with.
  • What pool of computing and data resources will each group need access to?
    In addition to Internet, print, and file services that internal users expect to access, guests and vendors may need access to a restricted set of similar resources.
  • How many devices does a typical user in each group use?
    Assuming one device per one user may be too limiting. In many companies, users may actively use two or more mobile devices at a time. In a university, students can have from six to 10 personal devices accessing the network simultaneously.
  • How many users will be in more than one user group?
    And, it’s helpful to estimate the growth of users over time.
  • How much bandwidth will the user generate on the wireless and wired network segments?
    This helps ensure that devices will have adequate bandwidth on the wireless and wired network devices.

 

The answers to these questions are different for each organization and will likely change over time. A successful BYOD solution has to consistently and correctly secure device access, but it also needs flexibility to accommodate more users, provide fine-grained access policies and flexible user assignment to policy groups.

 

After user requirements are gathered, system level design requirements need to be identified. For example:

 

  • Will the entire campus be managed under a single set of policies or will individual business units manage their needs independently?
  • How much data can be accessed by users before a NAC profile is applied?
  • If there is a failure of the NAC appliance, what access limitations are acceptable?
  • What percent of the user groups will require peer-to-peer communication? Does the network support this in selected wireless segments or across the entire campus network?

Implementation

During this phase, the Network Sentry appliance is integrated and provided with out-of-band management access and remote access for installation and setup of the appliance. Network infrastructure requirements for wired and wireless access should also be configured.

 

The Bradford Network Sentry NAC appliance can integrate with a wide range of campus network equipment and topologies. The diagram below shows how Network Sentry connects to an existing network.

 

Figure: Bradford Network Sentry Solution Architecture (Bradford_NetworkSentrySolutionArchitecture.png)

 

 

Validation

Testing of the configuration ensures user policies work as required. Test cases with users can be defined for each user group and policy to verify network configuration and Network Sentry NAC appliance operation.

Validation tests are essential to ensure security policies are correctly applied. Each organization has its own IT procedures for validation of new solutions before enabling them on a production network. Brocade provides Validation Testing publications for selected features and technologies that may prove helpful when defining what types of testing to conduct.

 

Design

 

Topology

The following diagram shows Base Design templates derived from the Campus Reference Architecture.

 

Figure: Solution Base Design (Bradford_BaseDesign.jpg)

 

 

The design guide covers both a traditional core/distribution/access topology (Core + Distribution/Access templates) that is the Base Design, and alternate designs that include an efficient core/edge topology (Core + Edge templates) that are discussed later.


The Bradford Network Sentry appliance lets the network administrator create NAC policies that apply to all wired or wireless devices that connect to the campus network.

 

 

Base Design

 

The base design meets the following requirements that are typical for a well-designed campus network:

 

  • Ease of expansion
  • STP-free Layer 2 network
  • Standards-based sFlow network traffic monitoring and analysis
  • Layer 2 or Layer 3 connectivity for devices with support for secure SNMP
  • Wired or wireless connectivity
  • High-availability and resiliency
  • High bandwidth with low latency
  • Unified network management (wired and wireless)

 

Brocade’s HyperEdge architecture for campus networks is specifically crafted to cost-effectively meet these requirements. With the introduction of the latest Brocade ICX Series of switches, mixed stacks, high performance PoE+ ports, unified wired and wireless management and a centralized WLAN controller cluster simplify how customers secure a BYOD environment. As more mobile devices connect to the network and more powerful devices come to market every 18 months, a HyperEdge network provides scalable bandwidth with low latency and low over-subscription.

 

The base design includes:

 

  • 40 GbE stacking options
  • 1/10 GbE uplinks
  • Higher performance PoE+ ports to meet the power demands of 802.11n WAPs

 

Management Template with Bradford Network Sentry Appliance

 

Synopsis

Bradford’s Network Sentry NAC appliance is a flexible network security BYOD platform that can automatically identify and profile all wired/wireless devices and all users. Integration of Network Sentry extends the Management template defined in the Campus Reference Architecture and requires certain features to be configured in the Distribution/Access and/or Edge blocks.

 

Network Sentry integrates with existing infrastructure and correlates network, security, endpoint device, and user information to provide total visibility and control over every user and device accessing the network. The Network Sentry solution can be deployed either as a dedicated hardware appliance or as a virtual appliance ‘in the cloud’ to easily adapt to any network environment.

 

Network Sentry’s out-of-band architecture leverages the inherent security capabilities of existing network equipment along with authentication and authorization technologies such as 802.1X, RADIUS and Active Directory for identity management.

 

The following diagram shows the out-of-band Network Sentry NAC architecture for wired and wireless devices.

 

Figure: Bradford BYOD Network Sentry Architecture (Bradford_NetworkSentrySolutionArchitecture.png)

 

As shown by the double headed arrows, Network Sentry identifies and monitors both wired and wireless clients depending on the access point the device connects from. Network Sentry integration requires minimal changes to the network switches and routers.

 

  • Wired BYOD: Clients and devices can connect directly into a network access switch or via an IP Phone. A directly connected client is automatically identified by Network Sentry using SNMP-based Link Up, Link Down traps enabled on all access or edge switches. A client that connects to the network via a VoIP Phone is identified and monitored using a combination of 802.1X and RADIUS authentication.

 

  • Wireless BYOD: For wireless devices using a WAP to connect, devices are automatically identified using 802.1X/EAP authentication with RADIUS override. Integration of Network Sentry with existing wireless infrastructure, including WLAN controllers and WAPs, requires configuration of the WLAN Controller and WAP as well as the Network Sentry appliance. This should be followed by wireless client connection validation to ensure correct end-to-end BYOD policy enforcement.

 

Configuration of Brocade Network for Wired Devices

 

The following diagram illustrates the operation of Network Sentry when wired devices connect to the network. The VLAN configuration for the various types of traffic is not shown. Configuration of the Brocade network for wired devices requires SNMP traps to be directed to the Network Sentry SNMP server.

 

Figure: Bradford Network Sentry Wired Connectivity Authentication Process (Bradford_WiredDeviceAuthenticationProcess.jpg)

 

Configuration of Brocade Network for Wireless Devices

 

The following diagram shows operation of Network Sentry when wireless devices connect to the network. The VLAN configuration for the various types of traffic is not shown. 

 

 

Figure: Bradford Network Sentry Operation Schematic for Wireless Connectivity (Bradford_WiredlessDeviceAuthenticationProcess.jpg)

 

Network Sentry manages the wireless controller which in-turn manages the WAPs that wireless devices connect to. For additional information on Brocade Mobility Controller and Brocade Mobility Access Point configuration, please refer to the product specific Brocade configuration guides listed in the References.

 

1. Define Client WLANs and VLANs: Any wireless device connecting to the wireless network requires an SSID-based WLAN that is enabled and broadcast across the WAPs. As needed, multiple WLANs can be defined, but only a selective few can be managed by Network Sentry for NAC enforcement.

 

Wireless devices connecting through an open/close SSID go through a VLAN assignment process. This corresponds to assigning clients to different states that include, but are not limited to, default (production), isolation (registration, quarantine, and authentication) or guest. Each WLAN representing a wireless network is defined with these states and VLANs in addition to enabling ‘Allow RADIUS override’ option for RADIUS based VLAN assignment. Any interface on the controller that is used to manage a WAP should be configured to trunk the different VLANs including the default or native VLAN.

 

2. Client Detection and Authentication: Network Sentry supports client authentication via MAC-authentication or 802.1X. Each WLAN on the controller is configured with the authentication type along with the associated parameters.

 

If MAC-authentication is chosen for a WLAN, Network Sentry acts as the RADIUS server. In the case of 802.1X, an external RADIUS server is required and additional parameters such as EAP and encryption type are also required.

 

3. Define AAA Policy and Association ACL: Either authentication choice, i.e., MAC-authentication or 802.1X, requires the WLAN to be mapped to a RADIUS server via an AAA policy. This policy is pre-defined on the WLAN controller with the following attributes in addition to any optional parameters:

 

    • IP address of the RADIUS server (built in to Network Sentry or external)
    • Request Proxy Mode (‘Through Wireless Controller’) to ensure all RADIUS requests are initiated by the controller
    • Port on which the RADIUS server is listening, i.e., 1812

As a wireless device transitions between different states and VLANs, such as isolation, authentication, production and guest, Network Sentry blacklists all devices during the dissociation/association state. This requires an ‘Association ACL’ to be mapped to each WLAN.

4. Map Wireless Radios to WLAN and AAA Policy: After defining a WLAN with all the mandatory and optional attributes, it is important to map the WLAN to each radio of the WAP. This ensures every wireless device connecting via the WAP radios goes through the NAC enforcement process configured for the Network Sentry appliance.
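To make steps 1 through 3 above concrete, the following Python model (an added example, not code from this guide or from Bradford or Brocade) walks one wireless client through MAC-authentication: the WLAN controller sends the client MAC as username and password to the NAC's built-in RADIUS server, and the Access-Accept carries the RFC 2868 tunnel attributes that, with ‘Allow RADIUS override’ enabled, place the device in its production, isolation or guest VLAN, while an unregistered device receives an Access-Reject. The shared secret, the VLAN IDs and the device-state table are constructed assumptions; the packet format follows RFC 2865.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and attribute types used by MAC-authentication with VLAN override
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Constructed assumptions: shared secret, VLAN behind each device state named in the
# guide, and the NAC's device-state table keyed by client MAC.
SHARED_SECRET = b"constructed-shared-secret"
STATE_VLAN = {"production": 100, "isolation": 200, "guest": 300}
DEVICE_STATE = {
    "00-11-22-33-44-55": "production",  # registered employee laptop (constructed)
    "66-77-88-99-aa-bb": "guest",       # registered guest tablet (constructed)
}


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR the padded password with an MD5 keystream chained on ciphertext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    # One Type-Length-Value attribute (length counts the two header bytes)
    return bytes([attr_type, len(value) + 2]) + value


def parse_packet(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def controller_access_request(mac, ident=1):
    """WLAN controller side: MAC-authentication sends the client MAC as username and password."""
    request_auth = os.urandom(16)
    body = (attr(USER_NAME, mac.encode())
            + attr(USER_PASSWORD, hide_password(mac.encode(), SHARED_SECRET, request_auth))
            + attr(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def nac_radius_response(request):
    """NAC side (Network Sentry's built-in RADIUS role): map device state to a VLAN override."""
    code, ident, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    mac = fields[USER_NAME].decode()
    password = unhide_password(fields[USER_PASSWORD], SHARED_SECRET, request_auth).decode()
    state = DEVICE_STATE.get(mac) if code == ACCESS_REQUEST and password == mac else None
    if state is None:
        code, body = ACCESS_REJECT, b""  # unknown or mismatched device: association blocked
    else:
        code = ACCESS_ACCEPT  # tag byte 1 precedes each tunnel attribute value
        body = (attr(TUNNEL_TYPE, bytes([1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                + attr(TUNNEL_MEDIUM_TYPE, bytes([1]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(STATE_VLAN[state]).encode()))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + SHARED_SECRET).digest() + body


def controller_apply_response(request, response):
    """Controller side: verify the Response Authenticator, then extract the VLAN to assign."""
    _, req_ident, request_auth, _ = parse_packet(request)
    code, ident, response_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + SHARED_SECRET).digest()
    if ident != req_ident or response_auth != expected:
        raise ValueError("Response Authenticator mismatch: response not from the NAC")
    if code != ACCESS_ACCEPT:
        return None  # Access-Reject: the client is not allowed to associate
    fields = dict(attrs)
    if fields.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None  # accepted without a VLAN override: nothing to apply
    return int(fields[TUNNEL_PRIVATE_GROUP_ID][1:])


def mac_auth_vlan(mac):
    # Full exchange for one client: VLAN it is placed in, or None if rejected
    request = controller_access_request(mac)
    return controller_apply_response(request, nac_radius_response(request))
```

The controller side checks the Response Authenticator before applying a VLAN, so an altered or forged Access-Accept is refused rather than silently moving the client to another VLAN.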

 

Key Features

  • Feature: Non-Blocking Wireless LAN Architecture
    Reason: All-in-one adaptive architecture that distributes intelligence, security and networking features with 802.11n performance
  • Feature: Comprehensive Wireless LAN Security
    Reason: Standards-based built-in security and intrusion protection across controllers and WAPs in addition to Layer 2 firewall functionality
  • Feature: All-Wireless Enterprise High-Availability
    Reason: No single point of failure via mesh technology and adaptive APs along with controller clustering

 
Configuration of Network Sentry BYOD Appliance

 

This section summarizes how to configure the Network Sentry appliance to integrate with an existing Brocade wireless network. The Network Sentry appliance is configured and managed through a web-based GUI accessible from any browser.

 

Please refer to the Bradford published documentation for complete details about configuration and advanced options for the Network Sentry appliance.

 

1. Define Network Type and Isolation VLANs: An important consideration when deploying Network Sentry is to specify the Network Type (Layer 2 or Layer 3). Depending on the type, specify either Layer 2 VLAN isolation networks or Layer 3 IP routed isolation networks and the corresponding client DHCP IP address ranges. It is recommended that the Network Sentry appliance use the Layer 3 Network Type to simplify future network expansion.

 

2. Topology Discovery and Device Modeling: BYOD policy enforcement requires every network access point to be reachable, monitored and managed in real time. The initial topology discovery process ensures IP and SNMP reachability to all devices (switches, routers, WLAN controllers and WAPs) in addition to creating a network topology database. Device modeling allows Network Sentry to interact with devices for dynamic monitoring and identification of new and existing device connections and to manage device VLAN assignments, which change based on the state of the device (Default, Isolation, Guest, and Employee).

 

3. Automatic Client Detection: Network Sentry based device modeling in combination with pre-configured wired and wireless infrastructure ensures all wired clients are automatically detected via the SNMP link up, link down traps. Wireless clients are identified using RADIUS-based MAC-authentication.

 

4. Configure Role-based Authentication: After the device is identified, an appropriate authentication policy is assigned based on the role the device is assigned to. All credentials for guest devices are entered in the Network Sentry configuration for local authentication. However, all employee authentication uses external LDAP-based Active Directory (AD) or RADIUS servers. Access to these from the Network Sentry appliance should be tested.

 

5. Web Portal Management: At the time of identification and authentication, every organization has unique requirements with respect to the look and feel of the landing web portal that the client is initially redirected to. The Network Sentry GUI supports an Apache-based web portal that is customized to include company-specific signage and a welcome page for different client roles, e.g., Guest, Employee Guest-registration.

 

Key Features

  • Feature: Unified and Comprehensive Network Control and Visibility
    Reason: Provides a single user interface for provisioning and managing the BYOD wired/wireless network with dynamic visibility into device connectivity
  • Feature: Distributed Multi-site Architecture
    Reason: A multi-site BYOD network can be deployed and managed centrally from one location
  • Feature: Flexible Authentication Schemes
    Reason: Client authentication via local database, LDAP-based AD or RADIUS

 

References

 

Campus Core Template

The following diagram shows the Campus Core template and its building blocks. This template can be used with either the advanced core/edge or traditional core/distribution/access topology. 

 

 

Figure: Campus Core with WLAN Controller Template (Campus_RA_Template_Core+WLANController.jpg)

 

This template includes Core Routing and a central WLAN Controller block. It provides connectivity to the Internet and the data center core routers. It also connects to the Management Template for network management, NAC and sFlow traffic monitoring.

 

Core Routing Block

 

Synopsis

To allow for dynamic reachability across subnets in the design, the OSPF protocol is used across interfaces connected to the Distribution-Access Template, the Edge Template and to the data center core routers.

 

The Brocade FastIron SX Series chassis provides different slot capabilities for inserting data and management modules making it a cost-effective and scalable component for this block. In addition, the chassis supports full redundancy of management, switch-fabric and power module cards for high-availability.

 

As required, advanced IP requirements (e.g., BGP/IPv6 peering) for WAN connectivity can be easily enabled. For additional details, please refer to the documents related to the campus LAN reference architecture and FastIron SX Series switches.

 

Block Diagram

Figure: Core Routing Block Detail (Campus_RA_Block_CoreBackbone.jpg)

 

Key Features

  • Feature: Layer 3 IGP Connectivity via OSPF
    Reason: To provide dynamic reachability to the rest of the network
  • Feature: Route-only Mode on core devices
    Reason: To provide Layer 3 forwarding with no Layer 2 switching

 

References

 

Core WLAN Controller Block

 

Synopsis

 

Brocade Mobility controllers simplify the WLAN using central control of distributed WAPs. Up to 1,024 Mobility Access Points can be managed from a single Mobility Controller.

 

Block Diagram

 

Figure: Core with WLAN Controller Block Detail (Campus_RA_Block_Core-WLANCntrl.jpg)

 

Key Features

 

  • Feature: Non-blocking, high-performance 802.11n architecture
    Reason: Delivers higher bandwidth to every access point without congestion
  • Feature: Integrated role-based wired/wireless firewall, integrated IPSec VPN gateway, AAA RADIUS server, Network Address Translation (NAT), secure guest access web portal, MAC-based/802.1X authentication, integrated wireless Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), anomaly analysis, geo-fencing, and Network Access Control (NAC) support with third-party systems including Bradford Point
    Reason: Secure wireless device access
  • Feature: Cluster support with hitless failover capabilities
    Reason: Ensures high availability of controllers

 

References

 

Distribution-Access Template

 

The following diagram shows the Distribution-Access template and the building blocks used.

 

Figure: Distribution-Access Template (Campus_RA_Template_DistributionMCT+VRRPE-AccessWAP.jpg)

 

 

The Distribution block in this design mainly provides the Layer 2/Layer 3 transition point for all devices connected to the Access block. Brocade SX Series chassis switches are common choices for this block.

The Access block uses stacking and supports PoE/PoE+ powered ports on one or more switches in the stack. ICX 6430/6450 switches are common choices for this block.

 

Distribution Block with MCT and VRRP-e

 

Synopsis

The Layer 2/Layer 3 transition point requires redundancy for both Layer 2 and Layer 3 traffic. Multi-Chassis Trunking (MCT) and LACP LAG provide link- and node-level redundancy for Layer 2 traffic and eliminate the need for STP at Layer 2.

A resilient Layer 3 default-gateway is required. Virtual Routing Redundancy Protocol-Extended (VRRP-E) provides a virtual default-gateway that spans both physical switches. VRRP-E is a Brocade enhancement to VRRP providing active/active switches in the cluster for improved performance.

 

Block Diagram

 

[Figure: Distribution with MCT and VRRP-E Block Detail]

 

 

Key Features

Feature: Multi-Chassis Trunking (MCT)
Reason: Allows two switches to appear as one, enabling a resilient and redundant router implementation

Feature: LACP LAG
Reason: Provides standards-based link-level redundancy

Feature: VRRP-E
Reason: Provides a virtual Layer 3 gateway spanning two individual network devices/switches

 

 

References

 

Access Stack Block with PoE/PoE+

 

Synopsis

The Access block uses stacking for resiliency and scalability. Hitless fail-over of the master stack controller to a standby controller ensures data traffic continues to flow should the master controller go off-line. With the Brocade ICX Series, the ICX 6450 switch provides up to 48 1 GbE device ports, four 10 GbE uplink/stacking ports and the option for PoE/PoE+ power. Maximum stack size is eight switches providing 384 device ports. A licensed option provides Layer 3 routing services for the ICX 6450. For traffic monitoring, the ICX 6450 has sFlow built-in at no additional cost.

 

When WAPs, such as the Brocade Mobility 7131 Access Point, are connected to PoE/PoE+ switch ports, the WLAN Controller block can configure and set policies for all access points. This is shown by the dotted green line labeled “To WLAN Controller” in the diagram below. This feature simplifies configuration, management and monitoring of remote access points. As shown by “Indoor Mesh AP”, Brocade Mobility Access Points can forward data traffic to other access points in the mesh. This eliminates data traffic going up to the core WLAN Controller and then back down to the destination access point, taking traffic off the uplinks and improving the efficiency of WLAN traffic.

 

The ICX 6430 switch stack is an option for 1 GbE device connectivity when the device count is lower and only Layer 2 switching is needed. The ICX 6430 has four 1 GbE ports for stacking/uplinks and a stack maximum of four switches. Unlike the ICX 6450, the ICX 6430 does not have sFlow traffic monitoring available.

An optional external power supply, the Brocade 6400 EPS, can be added to a stack when higher availability is required or when powering all ICX 6430/6450 ports at PoE+ power levels.

 

Block Diagram

 

[Figure: Access Stack, 10 GbE Stacking with PoE/PoE+ Block Details]

[Figure: Access Stack, 1 GbE Stacking with PoE/PoE+ Block Details]

 

Key Features

 

Feature: 10 GbE stack and uplinks (ICX 6450)
Reason: Provide scalable, chassis-like redundancy in a single form-factor switch

Feature: PoE/PoE+
Reason: Powered Ethernet connection for devices such as VoIP phones, security cameras and WAPs to an access switch

Feature: sFlow traffic monitoring (ICX 6450)
Reason: Allows for standards-based client traffic analysis at the access layer

Feature: Cost-optimized 1 GbE stack and uplinks (ICX 6430)
Reason: Cost-effective stacking for smaller device counts where 10 GbE stack and uplinks are not necessary

Feature: SNMP trap generation
Reason: Enables NAC-based client detection via link up/down traps

 

References

 

Alternate Design with Edge Template

 

An alternative design for this solution adds an Edge template as shown below. 

 

 

[Figure: Alternate Design with Edge Template]

 

The Edge template collapses the distribution/access layers into a single management element simplifying the network and reducing cost. The Edge template can be added to the Base design or can be used without a Distribution/Edge template, as appropriate.

 

Edge Template

 

The following diagram shows the Edge template. It contains an Edge block and a WAP block. Edge blocks terminate Layer 2 traffic within the stack and provide PoE/PoE+ powered ports. Traffic is routed at Layer 3 on uplinks from the Edge template to the Core template. 

 

 

[Figure: Edge Template with PoE/PoE+ and WAP]

 

Edge Block, 40 GbE with PoE/PoE+

 

Synopsis

The ICX Series includes a powerful new stacking switch, the ICX 6610, with 40 GbE stacking connections and eight 10 GbE uplink ports. This block supports PoE/PoE+ powered ports with a maximum of 384 device ports per stack. Redundant power and cooling provide high availability. Inclusion of the Layer 3 license adds OSPF routing services. Hitless fail-over means non-stop traffic flow should the master switch go off-line. For traffic monitoring, the ICX 6610 has sFlow built-in at no additional cost.

 

The 40 GbE stacking ports ensure over-subscription rates within the stack approach 1:1 even with all devices flowing at the maximum line rate of 1 GbE. Eight 10 GbE ports per switch deliver low-oversubscription of uplinks to the Core block.

 

When WAPs, such as the Brocade Mobility 7131 Access Point, are connected to PoE/PoE+ switch ports, the WLAN Controller block can configure and set policies for all access points. This is shown by the dotted green line labeled “To WLAN Controller” in the diagram below. This feature simplifies configuration, management and monitoring of remote access points. As shown by “Indoor Mesh AP”, Brocade Mobility Access Points can forward data traffic to other access points in the mesh. This eliminates data traffic going up to the core WLAN Controller and then back down to the destination access point, taking traffic off the uplinks and improving the efficiency of WLAN traffic.

 

Block Diagram

 

[Figure: Edge 40 GbE with PoE+ Block Detail]

 

Key Features

Feature: 40 GbE stacking
Reason: High-performance edge stack achieves nearly 1:1 oversubscription

Feature: 10 GbE uplinks with LACP LAG
Reason: Provides standards-based link-level redundancy

Feature: Layer 3 routing
Reason: Provides a virtual Layer 3 gateway with hitless fail-over

Feature: Collapsed layer topology
Reason: Lowers initial and operating costs by collapsing the Distribution and Access layers into the HyperEdge Core/Edge topology

Feature: sFlow
Reason: Enables standards-based traffic analysis for BYOD client detection

Feature: SNMP trap generation
Reason: Enables NAC-based client detection via link up/down traps

 

References

 

Alternate Design with Distribution Stack

 

Another alternative design substitutes a stacking block for the distribution layer instead of the MCT+VRRP-E block.  The diagram below shows the Distribution/Access template with this block substitution. 

 

[Figure: Alternate Distribution/Access Template with Distribution Stack]

 

The Access and WLAN AP blocks are the same as shown in the Base Design.

 

Distribution Block, 40 GbE Stack

 

Synopsis

The ICX Series includes a powerful new stacking switch, the ICX 6610, with 40 GbE stacking connections and eight 10 GbE uplink ports. This block supports a maximum of 384 device ports per stack. Redundant power and cooling provide high availability. Inclusion of the Layer 3 license adds OSPF routing services. Hitless fail-over means non-stop traffic flow should the master switch go off-line. For traffic monitoring, the ICX 6610 has sFlow built-in at no additional cost.

 

Block Diagram

 

[Figure: Distribution Block, 40 GbE Stack]

 

Key Features

 

Feature: 40 GbE stacking
Reason: High-performance distribution stack achieves nearly 1:1 oversubscription

Feature: 10 GbE uplinks with LACP LAG
Reason: Provides standards-based link-level redundancy

Feature: Layer 3 routing
Reason: Provides a virtual Layer 3 gateway with hitless fail-over

Feature: sFlow
Reason: Enables standards-based traffic analysis for BYOD client detection

 

References

 

Components

The following lists typical components that can be used in the design templates for this solution.

 

Bradford Network Sentry Components

Product: Bradford Network Sentry NAC Appliance (NS-500), Bradford Network Sentry Software 6.0 with License
Notes:
  • 1RU NAC Linux server appliance
  • Software license

 

Core Backbone Template Components

Product: Brocade SX-800 Chassis
Notes:
  • SX-FI2XGMR6 2-port MP
  • SX-FI-8XG 8-port 10 GbE Fiber
  • SX-FI62XG 2-port 10 GbE
  • FastIron 7.4 (SXR07400)

Product: Brocade Mobility Controllers
Notes:
  • Version 5.4.0
  • Brocade RFS4000, RFS6000 and RFS7000 controllers

 

Distribution-Access Template Components

Product: Brocade SX-800 Chassis
Notes:
  • SX-FI2XGMR6 2-port MP
  • SX-FI-8XG 8-port 10 GbE Fiber
  • SX-FI62XG 2-port 10 GbE
  • FastIron 7.4 (SXR07400)

Product: Brocade ICX6610-48
Notes:
  • ICX6610-48 48-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode (SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD

Product: Brocade ICX 6610-24
Notes:
  • ICX6610-24F 24-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode (SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD

Product: Brocade ICX 6450 Switches
Notes:
  • ICX6400-EPS1500 (External PS)
  • FastIron 7.4 (ICXR07400)
  • ICX6450-PREM-LIC for optional Layer 3 routing services

Product: Brocade ICX 6430 Switches
Notes:
  • ICX6400-EPS1500 (External PS)
  • FastIron 7.4 (ICXR07400)

Product: Brocade Mobility AP 7131 Access Point
Notes:
  • Version 5.4.0

Product: Brocade Mobility RFS 6000 Controller
Notes:
  • Version 5.4.0

 

Edge Template Components

Product: Brocade ICX 6610-24
Notes:
  • ICX6610-24F 24-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode (SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD

Product: Brocade ICX 6610-24P
Notes:
  • ICX6610-24P POE 24-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode (SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD

Product: Brocade ICX6610-48
Notes:
  • ICX6610-48 48-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode (SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD

Product: Brocade Mobility AP 7131 Access Point
Notes:
  • Version 5.4.0

 

Comments
by fhameed
on ‎04-24-2013 04:57 PM

Good document. I need a few clarifications:

1) What other components do I need besides Bradford and Brocade switches if I want the ability to do MAC-based VLAN authentication? Do I need a separate RADIUS server?

2) Can Bradford act as a RADIUS server as well as a NAC appliance?

3) I cannot find the config for the Brocade switches.

by vnalakon
on ‎04-24-2013 05:05 PM

Thanks Faisal for your comment and questions. BYOD implementation with Bradford using MAC authentication requires a RADIUS server, which is built into the Bradford Network Sentry appliance. No other external RADIUS server is necessary. Based on your feedback, I have updated the document with the necessary Brocade VLAN configuration.

For additional configuration details, please feel free to refer to the deployment guide as well.

by fhameed
on ‎04-24-2013 05:34 PM

It would be helpful to add the ICX config in the Bradford deployment guide and not necessarily in the design guide.

In the contents section of the deployment guide, there should be an item for the ICX config similar to the Bradford and wireless sections.

by vnalakon
on ‎04-25-2013 10:32 AM

Yes, the ICX config update was originally made to the deployment guide.