Campus Networks

Campus Network Solution-Design Guide: Impulse Point SafeConnect for BYOD Solution

Published 03-14-2013 11:52 AM, edited 08-06-2014 08:22 AM

Synopsis: A design guide for an integrated BYOD solution Using Impulse Point's SafeConnect and Brocade’s campus network products.

 

 

 

Preface

 

Overview

According to IDC, the number of mobile workers will grow to 1.3 billion by 2015, 37% of the global workforce. Gartner's research predicts 1 billion smartphones and tablets will be sold in 2013. With the dramatic increase in the number of mobile devices connecting to the campus network, the task of securing, monitoring and managing access to the campus network becomes challenging. A new trend, Bring-Your-Own-Device (BYOD), has grown popular but multiplies the security challenges. On one hand, campus networks that support BYOD provide the flexibility for anyone to use any client device (wired or wireless), but the assumption is that the network infrastructure can intelligently secure traffic by identifying and authenticating devices and administering network access control (NAC) with minimal administrator intervention. This assumption doesn’t hold up unless the campus network design explicitly includes a BYOD use case.

 

The campus network should be flexible, easy to manage, and cost-effective. The Effortless Network™ expresses Brocade's vision, and the Brocade® HyperEdge™ Architecture is the framework that delivers that promise. The HyperEdge Architecture seamlessly integrates new innovations and products with legacy investments, improving network flexibility, reducing management complexity, and lowering cost so BYOD solutions can be added to existing networks quickly and cost-efficiently.

 

This guide shows how to design a BYOD solution with Brocade campus network products and network access control (NAC) from Brocade partner Impulse Point using their SafeConnect NAC appliance. SafeConnect provides automatic and efficient device on-boarding and monitoring of client traffic, including mobile devices. This ensures uniform NAC policies for wired and wireless connections, improving security without undue burden on the network administrator.

 

The following Brocade platforms are used in this solution.

  • Brocade FastIron family of switches: ICX Series, FCX Series and SX Series Switches
  • Brocade NetIron family of switches: MLX Series
  • Brocade Mobility Series WLAN Access Points and Controllers
  • Brocade Network Advisor

 

The HyperEdge Architecture with SafeConnect delivers a BYOD solution for campus networks that scales from a small building to large metropolitan area configurations.

 

At the Brocade campus core and distribution layer, options include the Brocade ICX 6610 switch stack, the Brocade SX chassis or the larger Brocade MLX chassis. At the campus edge, the Brocade ICX 6450/6430 switches and FCX Series switches support stacking for improved performance and reliability. The ICX Series offers Brocade’s innovative mixed stacking capability, where premium and entry-level switches can be combined and managed as a single logical switch. Both the ICX and FCX Series support long-distance stack links, so a single stack can extend beyond a single wiring closet while retaining consolidated management and distributed services capabilities.

 

Brocade’s Mobility Series of access points and controllers centralize wired and wireless management and optimize the wireless data path by forwarding data traffic directly between access points. Brocade Mobility Controllers can be clustered for high availability and can scale up to thousands of access points per controller.

 

Integration of wired and wireless management is increasingly important as wireless device connectivity continues to grow, and integrated solutions with NAC partner appliances such as Impulse Point’s SafeConnect simplify network security for wired and wireless devices.

 

With a wide range of wired connectivity choices, support for 10/100/1000 Mbps Ethernet, 1, 10, 40 GbE stacking, 1/10 GbE uplinks, mixed stacking, self-healing WAP meshes and scalable WLAN controllers, Brocade provides network designers a cost-effective and flexible set of building blocks for the campus network.

 

Purpose of This Document

This design guide is based on Brocade’s Campus LAN Infrastructure: Base Reference Architecture. It describes how to design a BYOD solution with the SafeConnect network access control (NAC) appliance from Impulse Point, a Brocade partner. The design includes two campus topologies, an advanced core/edge topology using Brocade’s HyperEdge® architecture, and a traditional core/distribution/access topology. A companion Solution Deployment Guide provides detailed configuration steps for this solution.

 

Audience

This document is intended for solution, network and IT architects who are evaluating and deploying BYOD solutions for their campus network.

 

Objectives

This design guide provides guidance and recommendations for an integrated BYOD solution with Brocade’s campus network products.

 

Related Documents

The following documents are valuable resources for the designer. In addition, any Brocade release notes that have been published for the FastIron, NetIron and Mobility operating systems should be reviewed.

 

References

 

About Brocade

Brocade® (NASDAQ: BRCD) networking solutions help the world’s leading organizations transition smoothly to a world where applications and information reside anywhere. This vision is designed to deliver key business benefits such as unmatched simplicity, non-stop networking, application optimization, and investment protection.

 

Innovative Ethernet and storage networking solutions for data center, campus, and service provider networks help reduce complexity and cost while enabling virtualization and cloud computing to increase business agility.

 

To help ensure a complete solution, Brocade partners with world-class IT companies and provides comprehensive education, support, and professional services offerings. (www.brocade.com)

 

About Impulse Point

Impulse Point is a privately-held company addressing the challenges of managing network access policies and endpoint security within large infrastructures. SafeConnect offers an easy to implement and support endpoint policy management system. It seamlessly connects into existing multi-vendor network infrastructures while providing the flexibility to adhere to each organization’s unique computing policy philosophies. SafeConnect’s unique architecture provides a true out-of-line NAC solution that is vendor-independent, scalable, and flexible to meet your growth needs – resulting in reduced time, expense, and risk.

 

Key Contributors

The content in this guide was developed by the following key contributors.

Lead Architect: Venugopal Nalakonda, Strategic Solutions Lab

Technical Author: Brook Reams, Strategic Solutions Lab

 

Document History

Date                Version        Description

2013-03-15      1.0                Initial Release

 

Reference Architecture

This design guide is based on Brocade’s Campus LAN Infrastructure, Base Reference Architecture, (Campus Reference Architecture) as shown below. The Campus Reference Architecture provides a rich set of flexible, wired and wireless building blocks providing cost-effective scalability for a wide range of campus environments.

 

[Figure: Campus Network Reference Architecture]

 

The reference architecture can be applied to traditional core/distribution/access topologies spanning multiple buildings, or for a single school, hospital, or remote building using an optimized HyperEdge core/edge topology. The diagram below illustrates the range of design templates available. SafeConnect is part of the Network Management template providing the NAC service.

 

[Figure: Campus Network Design Templates with Building Blocks]

 

The Brocade HyperEdge Architecture is designed to easily support integration of partner solutions such as, Impulse Point’s SafeConnect NAC appliance. The following sections review the business requirements, design requirements and special considerations for a successful BYOD solution using the Impulse Point SafeConnect NAC appliance.

 

References

 

Business Requirements

With the growth of smart phones and tablet computers and the growth of web-hosted computing platforms, many IT organizations are being pushed by users and management to deploy a flexible, secure BYOD solution in their campus network. Modern users are accustomed to the power and convenience of their smart phones and tablet computers and expect to seamlessly use them anywhere, anytime; at school, at work or off-site.  For example, in healthcare, many doctors demand use of their own personal devices that they are accustomed to and expect seamless access to hospital information anywhere, anytime. University students expect the campus network will support the latest portable devices they use; failure to meet that demand can adversely affect recruitment.

 

While users create the pull for BYOD solutions, the push comes from the IT cost savings when users procure their own personal devices. With a proven BYOD solution, IT not only satisfies user demand to use personal devices at work but also eliminates the overhead of user device acquisition, support and maintenance. By shifting equipment ownership to the user, IT budgets are focused on service delivery rather than device support.

 

The primary driver for BYOD solutions is user mobility. Users expect their personal device of choice to access all authorized resources needed for their job. BYOD solutions must secure wireless access via a range of devices, tablet, smartphone, and laptop, at all wireless WLAN Access Points (WAP) in the network. In the past, wired access was limited to a fixed desktop location. Today, a desktop computer is commonly a laptop computer with a WiFi card so users expect to undock and move their device anywhere they need to use it. Therefore, BYOD security has to extend to the wired as well as the wireless network.

 

Another key requirement of a BYOD solution is accommodating the increasing bandwidth use in the campus network. When users have multiple devices, collaborate from any location using peer-to-peer connections, and access images, streaming video and video conferencing, existing campus networks with limited-bandwidth (10/100 Mbps) device connections become congested.

 

This guide helps network designers build a BYOD solution that meets the requirements for secure user mobility across wired and wireless networks, simplifies the network design, and delivers necessary network performance.

 

Special Considerations

Brocade networking products are designed to deliver line-rate Layer 2-3 forwarding, and provide information about traffic flows through built-in hardware-based sFlow monitors. This enables real-time delivery of network traffic to a variety of security, reporting, and compliance devices. With sFlow, Brocade provides network monitoring capabilities to sFlow collectors, complementing the protection services available via solutions from Brocade security partners such as Impulse Point.

 

The Impulse Point SafeConnect NAC appliance includes an sFlow collector that receives notification of device connections. Brocade switches have built-in sFlow, configured to send sampled traffic from all their device interfaces to one or more sFlow collectors. Every switch that sits at a Layer 2 / Layer 3 boundary sends samples to the IP address of the SafeConnect sFlow collector. If sFlow traffic monitoring is also used, for example with Brocade Network Advisor or a partner sFlow traffic monitoring application, the IP addresses of the additional sFlow collectors are included in the switch configuration as well.

 

Traffic must be routed to the SafeConnect NAC appliance so that when a device first connects to the network it is identified, authenticated and the appropriate NAC policy is applied. Policy-based Routing (PBR) is configured at the first Layer 2 / Layer 3 boundary across the network to redirect traffic from a newly connected device to the SafeConnect appliance. After authentication the device’s traffic is no longer redirected and reaches the appropriate network service (e.g., DNS, bootpc, etc.) through normal routing, or is blocked if the device is not authorized to connect.

 

Campus networks frequently are deployed using the traditional three-tier architecture: access, distribution, and core or backbone. Many existing campus networks were built with technology that was new a decade or more ago. Consequently, choke points and bandwidth limitations can be exposed by BYOD projects that require 1 GbE connectivity at the edge and PoE+ power for high-bandwidth 802.11n capable WAPs.

 

For this reason, this guide includes designs that address upgrading the campus network rather than just adding a NAC appliance. Brocade ICX switches and the HyperEdge architecture can eliminate the distribution tier, and the resulting savings in equipment, maintenance and operating cost can greatly offset the cost of upgrading access switches.

 

Technical Requirements

A successful BYOD integration is phased. Group policies and authentication rules are implemented after a careful study of the business needs. The phases of a BYOD implementation include:

  • Design
  • Implementation
  • Validation

 

[Figure: Solution Design Process]

 

Design

During design, base requirements are gathered. The existing network is reviewed and the BYOD integration points (all Layer 2 / Layer 3 boundaries) are identified. Next, a complete audit of use cases with expected outcomes should be conducted. For example, the following questions help collect the user design requirements:

  • What are the types of user groups that need to be managed across the network? 
    Typical user groups include internal users with full access, guests with limited internet access, vendor access with potential special privileges, specialized user groups for additional categories, and unauthorized or external users.
  • What is the projected size of each user group and how rapidly do they grow? 
    This metric can help define the total number of authenticated users at any given time and the expected rate of unauthorized users.
  • What degree of mobility is anticipated for each group? 
    Will network access control be provided at all locations? A common limitation in providing guest access is limiting it to the lobby, or providing vendor access only in select locations based on the work they do and the departments they work with.
  • What pool of computing and data resources will each group need access to? 
    In addition to Internet, print, and file services that internal users expect to access, guests and vendors may need access to a restricted set of similar resources.
  • How many devices does a typical user in each user group use? 
    Assuming one device per user may be too limiting. In many companies, users actively use two or more mobile devices at a time. In a university, students can have from six to 10 personal devices accessing the network simultaneously.
  • How many users will be in more than one user group?
    It is also helpful to estimate the growth of users over time.
  • How much bandwidth will the user generate on the wireless and wired network segments?
    This helps ensure that devices will have adequate bandwidth on the wireless and wired network devices.

 

The answers to these questions are different for each organization and will likely change over time. A successful BYOD solution has to consistently and correctly secure device access, but it also needs flexibility to accommodate more users, provide fine-grained access policies and flexible user assignment to policy groups.

 

After user requirements are gathered, system level design requirements need to be identified. For example:

  • Will the entire campus be managed under a single set of policies or will individual business units manage their needs independently?
  • How much data can be accessed by users before a NAC profile is applied?
  • If the NAC appliance fails, what limitations on access are acceptable?
  • What percent of the user groups will require peer-to-peer communication? Does the network support this in selected wireless segments or across the entire campus network?

 

Implementation

During this phase, the SafeConnect NAC appliance is integrated and provided with out of band management access and remote access for installation and setup of the appliance. Once the appliance is configured, sFlow and PBR are configured on all Layer 2 / Layer 3 boundary switches.

 

The Impulse SafeConnect NAC appliance can integrate with a wide range of campus network equipment and topologies. The diagram below shows how SafeConnect connects to an existing network.

 

[Figure: Impulse Point SafeConnect Architecture]

 

SafeConnect uses sFlow and Brocade’s Policy Based Routing (PBR) at the first Layer 3 hop, or Layer 2/Layer 3 transition to redirect device traffic as shown above for correct policy enforcement. Depending on the topology of the network, the SafeConnect appliance connects to the distribution or the core router. The router is configured to export sFlow sample data to a built-in SafeConnect appliance sFlow collector. When planning the integration of SafeConnect, each boundary between Layer 3 and Layer 2 traffic should be identified to ensure the routers are correctly configured for sFlow and PBR.

 

SafeConnect provides a fail-open design. If the SafeConnect NAC appliance is removed or fails, the network has open access. Many organizations prefer this design so that a NAC failure does not block network access for all users. The trade-off is that while the appliance is down, newly connecting devices are not identified, quarantined or checked against policy, so the access that is acceptable during an outage (one of the system-level design questions above) should be decided explicitly and the appliance’s health should be monitored.

 

No network changes beyond the configuration of sFlow and PBR are needed for the SafeConnect NAC appliance. This simplifies implementation while lowering cost and risk. Since the SafeConnect solution provides a wide range of policy options, following the above design process provides clear documented requirements to ensure a successful implementation. See the Brocade Campus Network Solution, Deployment Guide: Impulse Point SafeConnect BYOD for details about how to configure sFlow, PBR and the SafeConnect NAC appliance.

 

Validation

Testing of the configuration ensures user policies work as required. Test cases with users can be defined for each user group and policy to verify the network configuration (sFlow and PBR) and SafeConnect NAC appliance operation.

 

Validation tests are essential to ensure security policies are correctly applied and sFlow and PBR are properly configured on routers. Each organization has its own IT procedures for validation of new solutions before enabling them on a production network. Brocade provides Validation Testing publications for selected features and technologies that may prove helpful when defining what types of testing to conduct.

 

Design

 

Topology

The following diagram shows Base Design templates derived from the Campus Reference Architecture.

 

[Figure: Solution Base Design]

 

The design guide covers both a traditional core/distribution/access topology (Core + Distribution/Access templates) that is the Base Design, and alternate designs that include an efficient core/edge topology (Core + Edge templates) that are discussed later.

 

The Impulse SafeConnect appliance lets the network administrator create NAC policies that apply to all wired or wireless devices that connect to the campus network.

Base Design

The base design meets the following requirements that are typical for a well designed campus network:

  • Ease of expansion
  • STP-free Layer 2 network
  • Standards-based sFlow network traffic monitoring and analysis
  • Layer 2 or Layer 3 connectivity for devices with support for PBR
  • Wired or wireless connectivity
  • High-availability and resiliency
  • High bandwidth with low latency
  • Unified network management (wired and wireless)

 

Brocade’s HyperEdge architecture for campus networks is specifically crafted to cost-effectively meet these requirements. With the introduction of the latest Brocade ICX Series of switches, mix-and-match stacking, high performance PoE+ ports, unified wired and wireless management and a centralized WLAN controller cluster simplify how customers secure a BYOD environment. As more mobile devices connect to the network and more powerful devices come to market every 18 months, a HyperEdge network provides scalable bandwidth with low latency and low over-subscription. The base design includes 40 GbE stacking options, 10 GbE uplinks and higher performance PoE+ ports to meet the power demands of 802.11n WAPs.

 

Management Template with Impulse Point SafeConnect Appliance

Synopsis

The SafeConnect NAC appliance is a flexible platform that connects to any existing network, providing uniform policy management for all devices, wired or wireless. Integrating SafeConnect extends the Management template defined in the Campus Reference Architecture and requires certain features to be configured in the Distribution/Access and/or Edge templates. Even though SafeConnect is an “out of line” network appliance, it is attached to one or more Layer 3 switch/routers in the network, and it requires sFlow and Policy-based Routing (PBR) to be configured on every Layer 3 router that is the first hop for client subnets, not only on the router the appliance itself connects to.

 

SafeConnect is delivered with standard Policy Modules (Authentication, Guest Registration, Acceptable Use Policy Auditing, Anti-Virus, Anti-Spyware, Microsoft Patch, P2P File Sharing, Access Point, Power Management, and Broadcast Messaging), as well as a Custom Policy Builder Module that allows an organization to easily create policies, enforcement rules, and custom notification messaging based on file types, services, process, and registry settings that may exist or might not exist on a particular endpoint.

 

SafeConnect includes access to a service team that works to keep ahead of any problems. The health of the system is monitored from the Impulse Support Center, and Impulse Point is responsible for delivering all necessary hardware and software maintenance, problem determination and resolution, and ongoing feature enhancements. The IT group maintains full control of its endpoint computing policies and enforcement rules via the SafeConnect Policy Management Console.

 

The following configuration steps add the SafeConnect appliance to a network.

 

  1. Configure client detection and identification (sFlow)
  2. Configure Policy Based Routing (PBR) to the SafeConnect enforcer
  3. Configure client authentication
  4. Configure client monitoring and management using the SafeConnect Policy Manager

 

The following diagram shows how SafeConnect manages NAC for wired and wireless devices.

 

[Figure: Impulse Point SafeConnect Architecture]

 

As shown by the colored lines and the legend, NAC follows a set procedure no matter where the user device connects to the campus network.

  • User Registration – Devices are registered with the SafeConnect Policy Enforcer database when they first access the network.
  • Non-Compliant Quarantine – Places devices into quarantine, preventing access to any applications. Access control is then further processed using existing services such as DHCP and Active Directory, which grant permissions to applications and other services.
  • Guest Restricted Access – Devices that match a policy definition of “Guest” are placed in this restricted access category. Access is limited to other restricted Guest devices or the internet as defined by the policy.
  • Compliant Full Access – Devices that match this policy definition have access to the full range of applications and services

 

The following diagram illustrates the operation of SafeConnect when a client device connects to the network. The VLAN configuration for the various types of traffic is not shown. See the Campus Network Solution, Deployment Guide: Impulse Point SafeConnect BYOD Solution for details.

 

[Figure: Impulse SafeConnect Operation Schematic]

 

 

Configuration of SafeConnect NAC Appliance

This section summarizes how to configure the SafeConnect appliance in an existing Brocade campus network. Please refer to Impulse published documentation for complete details about configuration and options for the SafeConnect appliance

 

1. Configure Device Detection and Identification: An important consideration when deploying SafeConnect is that it identifies devices/clients at Layer 3 via the IP address assigned to the device. SafeConnect does not look at the Layer 2 MAC address when mapping NAC policies to devices. Therefore, a device must first obtain an IP address from a DHCP server before SafeConnect can see it in the sFlow samples, and the policy follows that address: a device that later appears with a different address is seen as a new device. When SafeConnect first detects a device, it assigns it a ‘quarantine’ status until it applies the appropriate NAC policy.

 

SafeConnect uses sFlow and Brocade’s Policy Based Routing (PBR) at the first Layer 3 hop, or Layer 2/Layer 3 transition point the device’s traffic arrives at. Depending on the design of the network, this could be the aggregation or core router. That router is configured to export sFlow sample data to a built-in sFlow collector in the SafeConnect appliance.

 

How quickly SafeConnect detects a new device depends on the following sFlow configuration parameters.

  • Sampling rate (the sampling ratio): the switch exports one packet in every N. A smaller N samples more often and so detects a new device sooner, but sampling incoming packets consumes switch CPU, so do not lower the rate below the default value unless detection latency requires it.
  • Polling interval (the frequency at which sFlow data is sent to the collector): this can be set from 1 second up to the highest value supported by the device.

 

2. Configure Policy Based Routing (PBR): PBR (using ACLs and route-maps), when enabled on the Layer 3 device, selectively routes client IP packets to the BYOD NAC Enforcer. As soon as a client is detected (via sFlow), the NAC Enforcer modifies the ACL to permit traffic from the associated client IP address; the PBR route-map matches that traffic and redirects it to the Enforcer for further authentication.

 

For additional information on sFlow and PBR configuration, refer to the product-specific Brocade configuration guides listed in the References.
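The sFlow export and PBR redirection described in Special Considerations and in steps 1 and 2 above, as an added example; this is not configuration taken from this page or from the Brocade deployment guide. It assumes FastIron CLI syntax on a switch/router that is the first Layer 3 hop for client VLAN 20, a SafeConnect collector/enforcer at 10.10.100.5, an optional second collector (Network Advisor) at 10.10.100.20, client ports 1/1/1 to 1/1/48, a client subnet 10.20.0.0/24 on ve 20, and a detected client at 10.20.0.57; all of these values are assumptions. The per-client ACL entry is shown statically here, whereas in operation the SafeConnect enforcer inserts it when the client is detected.

```text
! Added example (not from the page or the Brocade deployment guide): sFlow export
! and PBR redirection on a FastIron Layer 2 / Layer 3 boundary switch.
! Assumed values: collector/enforcer 10.10.100.5, second collector 10.10.100.20,
! client ports 1/1/1-1/1/48, client subnet 10.20.0.0/24 on ve 20, client 10.20.0.57.
!
! ---- sFlow: the detection feed for the SafeConnect collector ----
sflow destination 10.10.100.5
sflow destination 10.10.100.20
! 1-in-512 sampling (assumed value): a smaller number detects sooner but costs CPU
sflow sample 512
! seconds between exports to the collectors
sflow polling-interval 20
sflow enable
!
! Sample packets arriving on the client-facing ports
interface ethernet 1/1/1 to 1/1/48
 sflow forwarding
!
! ---- PBR: redirect newly detected clients to the enforcer ----
! One permit entry per unregistered client IP. The SafeConnect enforcer adds the
! entry when the address first appears in the sFlow samples; a client with no
! entry matches nothing in the route-map and is routed normally.
access-list 101 permit ip host 10.20.0.57 any
!
route-map NAC-REDIRECT permit 10
 match ip address 101
 set ip next-hop 10.10.100.5
!
! Apply the policy on the client subnet's default gateway, the first Layer 3 hop
interface ve 20
 ip address 10.20.0.1/24
 ip policy route-map NAC-REDIRECT
```

Because the redirect is keyed on the client’s IP address and applied at the client’s default gateway, this configuration has to be present on every router that is a first Layer 3 hop for a client subnet; a client whose gateway is a router without the route-map is never redirected to the enforcer.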

 

3.  Configure Client Device Authentication: Post identification, SafeConnect provides multiple ways to authenticate devices. This is the list of recommended types of authentication:

    • NAC Local Authentication (on the Enforcer)
    • Active Directory based authentication
    • RADIUS server authentication
    • 802.1X authentication

 

Adopting one of these authentication mechanisms requires the associated infrastructure (e.g., RADIUS or Active Directory servers) to be mapped to the SafeConnect appliance.

 

4.  Configure Policy Based Monitoring and Management: Depending on device compliance or authorization, an organization’s security policy can be enforced by defining individual policies. Using the SafeConnect Policy Manager, unique policies can be defined, or pre-existing policy modules (for example: anti-virus, anti-spyware, Microsoft patch, P2P file sharing, Access Point, Power Management and Broadcast Messaging) can be used. For example, the following types of policies can be defined and enforced for devices:

 

  • Devices subject to policies: laptop, Mac, tablet, smartphone
  • Applications subject to policies: P2P, social media and chat tools, browser types (IE/Firefox/Chrome)
  • Operating systems subject to policies: Windows, Mac OS, iOS, Linux, etc.

 

Key Features

  • Out-of-Line Solution – The Enforcer appliance sits out of line with the existing LAN, so it presents no single point of failure
  • Active Directory integration for device authentication – Provides role-based (employee, guest, etc.) policies and enforcement rules as defined in the Active Directory database
  • I-LAN quarantine technology – Isolates non-compliant devices, preventing them from accessing any Layer 2 or Layer 3 network resources
  • No changes to LAN/WAN required – The Enforcer appliance is independent of the network device (router/switch) vendor, and no VLAN changes are needed on the switches for client identification

 

References

 

Campus Core Template

The following diagram shows the Campus Core template and its building blocks. This template can be used with either the advanced core/edge or traditional core/distribution/access topology.

 

[Figure: Campus Core with WLAN Controller Template]

 

This template includes Core Routing and a central WLAN Controller block.  It provides connectivity to the Internet and the data center core routers. It also connects to the Management Template for network management, NAC and sFlow traffic monitoring.

 

Core Routing Block

Synopsis

To allow for dynamic reachability across subnets in the design, the OSPF protocol is used across interfaces connected to the Distribution-Access Template, the Edge Template and to the data center core routers.

 

The Brocade SX Series chassis provides different slot capabilities for inserting data and management modules making it a cost-effective and scalable component for this block. In addition, the chassis supports full redundancy of management, switch-fabric and power module cards for high-availability.

 

Each SX router is configured with PBR and sFlow.  See the Campus Network Solution, Deployment Guide: Impulse Point SafeConnect BYOD Solution for details.

 

As required, advanced IP requirements (e.g., BGP/IPV6 peering) for WAN connectivity can be easily enabled. For additional details, please refer to the documents related to the campus LAN reference architecture and FastIron SX Series switches.
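The Core Routing Block configuration described above (OSPF toward the Distribution-Access template, the Edge template and the data center core routers, with the core in route-only mode), as an added example; it is not configuration from this page or from the Brocade reference architecture documents. FastIron CLI syntax is assumed, as are the OSPF area, the addresses and the interface numbers.

```text
! Added example (not from the page): Core Routing Block on a FastIron SX core router.
! The OSPF area, addresses and interface numbers are assumptions.
!
! Route-only mode: Layer 3 forwarding only, no Layer 2 switching on the core
route-only
!
router ospf
 area 0
!
! Routed interface toward the Distribution-Access template (assumed port and prefix)
interface ethernet 1/1
 ip address 10.0.1.1/30
 ip ospf area 0
!
! Routed interface toward the Edge template (assumed port and prefix)
interface ethernet 1/2
 ip address 10.0.2.1/30
 ip ospf area 0
!
! Routed interface toward the data center core routers (assumed port and prefix)
interface ethernet 1/3
 ip address 10.0.3.1/30
 ip ospf area 0
```

With the links as routed point-to-point interfaces in a single area, each downstream block learns reachability to the others and to the data center dynamically, which is what the Distribution/Access and Edge templates rely on when they forward client traffic toward the NAC appliance attached to the core.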

 

Block Diagram

 

[Figure: Core Routing Block Detail]

 

 

Key Features

  • Layer 3 IGP connectivity via OSPF – Provides dynamic reachability to the rest of the network
  • Route-only mode on core devices – Provides Layer 3 forwarding with no Layer 2 switching

 

References

 

Core WLAN Controller Block

Synopsis

Brocade Mobility controllers simplify the WLAN using central control of distributed WAPs. The total number of Mobility Access Points managed by a WLAN Controller cluster depends on the model; refer to the Mobility Controller release notes for current values. Note that the BYOD SafeConnect NAC integration is independent of the WLAN implementation, with or without Mobility controllers, because the key SafeConnect NAC requirements, sFlow and PBR, are met by the network devices the NAC appliance is connected to.

 

Block Diagram

 

[Figure: Core with WLAN Controller Block Detail]

 

Key Features

  • Non-blocking, high-performance 802.11n architecture – Delivers higher bandwidth to every access point without congestion
  • Integrated security services: role-based wired/wireless firewall, IPsec VPN gateway, AAA RADIUS server, Network Address Translation (NAT), secure guest access web portal, MAC-based authentication, wireless Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), anomaly analysis, geo-fencing, and Network Access Control (NAC) support with third-party systems including Impulse Point – Secure wireless device access
  • Cluster support with hitless failover – Ensures high availability of controllers

 

References

 

Distribution-Access Template

The following diagram shows the Distribution-Access template and the building blocks used.

Figure: Distribution-Access Template (Campus_RA_Template_DistributionAccessWLANAP.jpg)

The Distribution block in the design mainly provides the Layer 2/Layer 3 demarcation point for all devices connected to Access blocks. It uses Multi-Chassis Trunking (MCT) and Virtual Router Redundancy Protocol, Extended (VRRP-E) for high availability and resiliency of Layer 2 uplinks and Layer 3 gateway access. Routing services in the Distribution block include Policy-Based Routing (PBR) for forwarding traffic to the Impulse NAC appliance attached to the Core block. Brocade SX Series chassis switches are common choices for the Distribution block.

The Access block uses stacking and supports PoE/PoE+ powered ports on one or more switches in the stack. ICX 6430/6450 switches are common choices for this block. The WLAN AP block provides wireless access points (WAPs) that are connected to and powered by PoE/PoE+ ports in the Access Stack block.

 

Distribution Block with MCT and VRRP-e

Synopsis

The Layer 2/Layer 3 transition point requires redundancy for both Layer 2 and Layer 3 traffic. Multi-Chassis Trunking (MCT) with LACP LAGs provides link-level and node-level redundancy for Layer 2 traffic and eliminates STP at Layer 2.

A resilient Layer 3 default gateway is also required. Virtual Router Redundancy Protocol, Extended (VRRP-E) provides a virtual default gateway that spans both physical switches. VRRP-E is a Brocade enhancement to VRRP in which both switches in the cluster are active (active/active), improving performance.

Each SX router is configured with PBR and sFlow. See the Campus Network Solution, Deployment Guide: Impulse Point SafeConnect BYOD Solution for details.
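To make concrete what the sFlow side of this configuration gives the NAC (the "BYOD client detection" the feature tables cite for the Distribution, Access and Edge blocks), here is an added example in Python. It is not code from this guide, from Impulse Point's SafeConnect or from Brocade's FastIron software; it is a toy sFlow v5 collector that decodes the raw packet header records a switch exports and reports client endpoints seen for the first time. The agent address 10.0.0.2, the client MAC/IP values and the datagrams themselves are constructed for the example, and nothing here claims to show how SafeConnect actually processes sFlow.

```python
# Added example (not code from this guide, Impulse Point or Brocade): a toy sFlow v5
# collector. The agent address, client addresses and datagrams are all constructed.
import struct

SFLOW_VERSION = 5
ADDR_IPV4 = 1              # agent address type
FLOW_SAMPLE = 1            # sample type: enterprise 0, format 1
RAW_PACKET_HEADER = 1      # flow record type: enterprise 0, format 1
HEADER_PROTO_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800

def _ip(b):
    return ".".join(str(x) for x in b)

def _ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def _endpoint_from_frame(hdr):
    """(src_mac, src_ip, dst_ip) from a sampled Ethernet II + IPv4 header, else None."""
    if len(hdr) < 34 or struct.unpack_from("!H", hdr, 12)[0] != ETHERTYPE_IPV4:
        return None
    return ":".join(f"{x:02x}" for x in hdr[6:12]), _ip(hdr[26:30]), _ip(hdr[30:34])

def parse_sflow_datagram(data):
    """Return [(agent_ip, src_mac, src_ip, dst_ip), ...] for every IPv4 raw packet header
    record in one sFlow v5 datagram; other sample/record types are skipped by length."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_VERSION or addr_type != ADDR_IPV4:
        raise ValueError("unsupported sFlow datagram")
    agent_ip = _ip(data[8:12])
    n_samples = struct.unpack_from("!I", data, 24)[0]    # follows sub-agent id, seq, uptime
    off, out = 28, []
    for _ in range(n_samples):
        sample_type, sample_len = struct.unpack_from("!II", data, off)
        off += 8
        sample_end = off + sample_len
        if sample_type == FLOW_SAMPLE:
            # seq, source_id, sampling_rate, sample_pool, drops, input, output, n_records
            n_records = struct.unpack_from("!8I", data, off)[7]
            off += 32
            for _ in range(n_records):
                rec_type, rec_len = struct.unpack_from("!II", data, off)
                off += 8
                if rec_type == RAW_PACKET_HEADER:
                    proto, _frame_len, _stripped, hdr_len = struct.unpack_from("!IIII", data, off)
                    ep = _endpoint_from_frame(data[off + 16:off + 16 + hdr_len]) if proto == HEADER_PROTO_ETHERNET else None
                    if ep:
                        out.append((agent_ip,) + ep)
                off += rec_len
        off = sample_end
    return out

class ClientTracker:
    """Remembers endpoints by source MAC; trusts only datagrams from configured agents."""
    def __init__(self, trusted_agents):
        self.trusted_agents = set(trusted_agents)
        self.seen = {}                       # src_mac -> (src_ip, agent_ip)

    def ingest(self, datagram):
        """Return the endpoints this datagram reveals for the first time."""
        new = []
        for agent_ip, src_mac, src_ip, _dst in parse_sflow_datagram(datagram):
            if agent_ip in self.trusted_agents and src_mac not in self.seen:
                self.seen[src_mac] = (src_ip, agent_ip)
                new.append((src_mac, src_ip, agent_ip))
        return new

def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed frame: Ethernet II + minimal IPv4 header + 20 zero bytes in place of TCP."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + bytes(20)

def build_sflow_datagram(agent_ip, frames, sampling_rate=512):
    """Constructed datagram: a placeholder counter sample (skipped) then one flow sample."""
    records = b""
    for f in frames:
        body = struct.pack("!IIII", HEADER_PROTO_ETHERNET, len(f), 0, len(f)) + f + bytes(-len(f) % 4)
        records += struct.pack("!II", RAW_PACKET_HEADER, len(body)) + body
    flow_body = struct.pack("!8I", 1, 1, sampling_rate, 4096, 0, 1, 2, len(frames)) + records
    counters = struct.pack("!II", 2, 12) + bytes(12)
    return (struct.pack("!II", SFLOW_VERSION, ADDR_IPV4) + _ip_bytes(agent_ip)
            + struct.pack("!IIII", 0, 1, 60000, 2) + counters
            + struct.pack("!II", FLOW_SAMPLE, len(flow_body)) + flow_body)

def demo():
    """Two datagrams from the trusted distribution switch, then one from an unknown agent."""
    tracker = ClientTracker(trusted_agents={"10.0.0.2"})      # constructed agent address
    gw = "00:aa:bb:cc:dd:01"                                  # constructed gateway MAC
    first = tracker.ingest(build_sflow_datagram("10.0.0.2", [
        build_ipv4_frame("00:11:22:33:44:55", gw, "10.10.5.20", "203.0.113.10"),
        build_ipv4_frame("66:77:88:99:aa:bb", gw, "10.10.5.21", "10.1.1.10")]))
    repeat = tracker.ingest(build_sflow_datagram("10.0.0.2", [
        build_ipv4_frame("00:11:22:33:44:55", gw, "10.10.5.20", "10.1.1.10")]))
    untrusted = tracker.ingest(build_sflow_datagram("192.0.2.99", [
        build_ipv4_frame("de:ad:be:ef:00:01", gw, "10.10.5.22", "10.1.1.10")]))
    return first, repeat, untrusted
```

Two design points are visible in the output of demo(). First, sFlow exports only one packet in N (the sampling rate field the parser reads past), so discovery of a new client is probabilistic: a quiet client can send many packets before its first sample reaches the collector, which is why the sFlow view in this design complements, rather than replaces, the on-boarding path the PBR redirect enforces. Second, an sFlow datagram carries no authentication, so the tracker only acts on datagrams whose agent address is a switch the operator actually configured; the third datagram, from an unconfigured agent, parses fine but changes nothing.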

 

Block Diagram

Figure: Distribution with MCT and VRRP-E Block Detail (Campus_RA_Block_Distribution-MCT&VRRPE.jpg)

Key Features

Feature | Reason
Multi-Chassis Trunking (MCT) | Allows two switches to appear as one, enabling a resilient and redundant router implementation
LACP LAG | Provides standards-based link-level redundancy
VRRP-E | Provides a virtual Layer 3 gateway spanning two individual network devices/switches
sFlow | Enables standards-based traffic analysis for BYOD client detection
PBR | Selectively modifies and routes client traffic to the BYOD NAC Enforcer

Access Stack Block with PoE/PoE+

Synopsis

The Access block uses stacking for resiliency and scalability. Hitless failover of the master stack controller to a standby controller ensures data traffic continues to flow should the master controller go offline. Within the Brocade ICX Series, the ICX 6450 switch provides up to 48 1 GbE device ports, four 10 GbE uplink/stacking ports and the option of PoE/PoE+ power. The maximum stack size is eight switches, providing 384 device ports. A licensed option provides Layer 3 routing services for the ICX 6450. For traffic monitoring, the ICX 6450 has sFlow built in at no additional cost.

When WAPs, such as the Brocade Mobility 7131 Access Point, are connected to PoE/PoE+ switch ports, the WLAN Controller block can configure and set policies for all access points. This is shown by the dotted green line labeled “To WLAN Controller” in the diagram below. This feature simplifies configuration, management and monitoring of remote access points. As shown by “Indoor Mesh AP”, Brocade Mobility Access Points can forward data traffic to other access points in the mesh. This eliminates the trip up to the core WLAN Controller and back down to the destination access point, taking traffic off the uplinks and improving the efficiency of WLAN traffic.

The ICX 6430 switch stack is an option for 1 GbE device connectivity when the device count is lower and only Layer 2 switching is needed. The ICX 6430 has four 1 GbE ports for stacking/uplinks and a stack maximum of four switches. Unlike the ICX 6450, the ICX 6430 does not offer sFlow traffic monitoring.

An optional external power supply, the Brocade 6400 EPS, can be added to a stack when higher availability is required or when powering all ICX 6430/6450 ports at PoE+ power levels.

 

Block Diagram

Figure: Access Stack, ICX 6450 10 GbE Stacking with PoE/PoE+ Block Details (Campus_RA_Block_Access10GbEwithPoE.jpg)

Figure: Access Stack, ICX 6430 1 GbE Stacking with PoE/PoE+ Block Details (Campus_RA_Block_Access1GbEwithPoE.jpg)

Key Features

Feature | Reason
10 GbE stack & uplinks (ICX 6450) | Provide scalable, chassis-like redundancy in a single-form-factor switch
PoE/PoE+ | Powered Ethernet connection to an access switch for devices such as VoIP phones, security cameras and WAPs
sFlow traffic monitoring (ICX 6450) | Allows standards-based client traffic analysis at the access layer
Cost-optimized 1 GbE stack & uplinks (ICX 6430) | Cost-effective stacking for smaller device counts where 10 GbE stack & uplinks are not necessary

Alternate Design with Edge Template

An alternative design for this solution adds an Edge template as shown below.

 

Figure: Alternate Design with Edge Template (Impulse_BaseDesign+EdgeAlternate.jpg)

 

The Edge template collapses the distribution/access layers into a single management element simplifying the network and reducing cost. The Edge template can be added to the Base design or can be used without a Distribution-Edge template, as appropriate.

 

Edge Template

The following diagram shows the Edge template. It contains an Edge block and a WAP block. Edge blocks terminate Layer 2 traffic within the stack and provide PoE/PoE+ powered ports. Traffic is routed at Layer 3 on uplinks from the Edge template to the Core template.

 

Figure: Edge Template with PoE/PoE+ and WAP (Campus_RA_Template_EdgeStackWAP.jpg)

 

Edge Block, 40 GbE with PoE/PoE+

Synopsis

The ICX Series includes a powerful new stacking switch, the ICX 6610, with 40 GbE stacking connections and eight 10 GbE uplink ports. This block supports PoE/PoE+ powered ports with a maximum of 384 device ports per stack. Redundant power and cooling provide high availability. Adding the Layer 3 license provides OSPF routing services. Hitless failover means non-stop traffic flow should the master switch go offline. For traffic monitoring, the ICX 6610 has sFlow built in at no additional cost.

The 40 GbE stacking ports keep the oversubscription rate within the stack close to 1:1 even with every device port running at the full 1 GbE line rate. Eight 10 GbE ports per switch keep oversubscription of the uplinks to the Core block low.

 

The ICX 6610 switches are configured with PBR and sFlow.  See the Campus Network Solution, Deployment Guide: Impulse Point SafeConnect BYOD Solution for details.

 

When WAPs, such as the Brocade Mobility 7131 Access Point, are connected to PoE/PoE+ switch ports, the WLAN Controller block can configure and set policies for all access points. This is shown by the dotted green line labeled “To WLAN Controller” in the diagram below. This feature simplifies configuration, management and monitoring of remote access points. As shown by “Indoor Mesh AP”, Brocade Mobility Access Points can forward data traffic to other access points in the mesh. This eliminates data traffic going up to the core WLAN Controller and then back down to the destination access point removing traffic off uplinks and improving efficiency of WLAN traffic.

 

Block Diagram

Figure: Edge 40 GbE with PoE+ Block Detail (Campus_RA_Block_Edge40GEPoE.jpg)

Key Features

Feature | Reason
40 GbE stacking | High-performance edge stack achieves nearly 1:1 oversubscription
10 GbE uplinks, LACP LAG | Provides standards-based link-level redundancy
Layer 3 Routing | Provides a virtual Layer 3 gateway with hitless failover
Collapsed Layer Topology | Lowers initial and operating costs by collapsing the Distribution and Access layers into the HyperEdge Core/Edge topology
sFlow | Enables standards-based traffic analysis for BYOD client detection

Alternate Distribution-Access Block with Distribution Stack

Another alternative design substitutes a stacking block for the distribution layer instead of the MCT+VRRP-E block.  The diagram below shows the Distribution/Access template with this block substitution.

 

Figure: Alternate Distribution-Access Template with Distribution Stack (Campus_RA_Template_DistributionStack-AccessWAP.jpg)

The Access and WLAN AP blocks are the same as shown in the Base Design.

 

Distribution Block, 40 GbE Stack

Synopsis

The ICX Series includes a powerful new stacking switch, the ICX 6610 with 40 GbE stacking connections and eight 10 GbE uplink ports. This block supports a maximum of 384 device ports per stack. Redundant power and cooling provide high availability. Inclusion of the Layer 3 license adds OSPF routing services. Hitless fail-over means non-stop traffic flow should the master switch go off-line. For traffic monitoring, the ICX 6610 has sFlow built-in at no additional cost.

 

Block Diagram

Figure: Distribution Block, 40 GbE Stack (Campus_RA_Block_Distribution40GbEStack-ToCore.jpg)

Key Features

Feature | Reason
40 GbE stacking | High-performance distribution stack achieves nearly 1:1 oversubscription
10 GbE uplinks, LACP LAG | Provides standards-based link-level redundancy
Layer 3 Routing | Provides a virtual Layer 3 gateway with hitless failover
sFlow | Enables standards-based traffic analysis for BYOD client detection

Components

The following lists typical components that can be used in the design templates for this solution.

 

Impulse Point SafeConnect Components

Product | Notes
Impulse SafeConnect NAC Appliance | 1RU NAC Linux server appliance
Impulse SafeConnect Software 5.1 with License | Software license

Core Backbone Template Components

Product | Notes
Brocade SX-800 Chassis
  • SX-FI2XGMR6 2-port MP
  • SX-FI-8XG 8-port 10 GbE Fiber
  • SX-FI62XG 2-port 10 GbE
  • FastIron 7.4 (SXR07400)
Brocade Mobility Controllers
  • Version 5.0
  • Brocade RFS4000, RFS6000 and RFS7000 controllers

Distribution-Access Template Components

Product | Notes
Brocade SX-800 Chassis
  • SX-FI2XGMR6 2-port MP
  • SX-FI-8XG 8-port 10 GbE Fiber
  • SX-FI62XG 2-port 10 GbE
  • FastIron 7.4 (SXR07400)
Brocade ICX6610-48
  • ICX6610-48 48-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode(SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD
Brocade ICX 6610-24
  • ICX6610-24F 24-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode(SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD
Brocade ICX 6450 Switches
  • ICX6400-EPS1500 (External PS)
  • FastIron 7.4 (ICXR07400)
  • ICX6450-PREM-LIC for optional Layer 3 routing services
Brocade ICX 6430 Switches
  • ICX6400-EPS1500 (External PS)
  • FastIron 7.4 (ICXR07400)
Brocade Mobility AP 7131 Access Point
  • Version 5.0

Edge Template Components

Product | Notes
Brocade ICX 6610-24
  • ICX6610-24F 24-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode(SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD
Brocade ICX 6610-24P
  • ICX6610-24P POE 24-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode(SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD
Brocade ICX6610-48
  • ICX6610-48 48-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode(SFP/SFP+)
  • FastIron 7.3 (FCXR07300)
  • ICX6610-ADV-LIC-SW
  • ICX6610-10 GbE-LIC-POD
Brocade Mobility AP 7131 Access Point
  • Version 5.0