Aruba's MOVE Architecture
By CWNP On 03/15/2011
Aruba announced new stuff today…a lot of new stuff. New software, new hardware, a new perspective on the architecture debate, new market entry, new solutions to consumer device proliferation problems, and the list goes on. I’ll tackle most of them in turn.
The networking industry is replete with buzzwords that lack real meaning to most of us. We hear about cloud, virtualization, convergence, mobility, context awareness, consumerization, and plenty more (often misused and misunderstood), but without some down-to-earth, real-world context, these words are meaningless, and they can send me into that glazed-over mode…fast. While I don't think Aruba has over-buzzworded their announcements, a few terms in there needed some "explain what you mean by that" treatment at first glance, so my goal here is to help make sense of Aruba's updates and why they're meaningful.
Aruba's announcements today center on their new approach to delivering user connectivity and services, and this new Aruba architecture is called MOVE (Aruba Mobile Virtual Enterprise). Unified wired and wireless access, simplified deployment, and context awareness (one of those marketing terms) are the core themes.
Joining HP and Meraki, Aruba announced a three-spatial-stream 3x3 dual-radio AP, dubbed the AP-134 (external antenna option) and AP-135 (internal antennas only). So, 2011 is beginning to look like the year when 450 Mbps rates become the norm on the infrastructure side. This AP is a helpful boost for Aruba, partly because it frees them from undermining sales of their own flagship AP over a spectrum analysis limitation. I wrote a few weeks ago about a spectrum analysis limitation in the Atheros chipset of the Aruba AP-125 (3x3:2) that is not an issue in the AP-105 (2x2). That limitation prompted an increase in sales of the lower-cost AP-105 where the AP-125 may otherwise have been preferred. With the AP-134/135, the limitation no longer exists, so the new "flagship" AP can take its rightful place.
In addition to the obvious benefit of a third spatial stream, the AP-134/135 adds other 802.11n features (by virtue of Atheros' feature support), including TxBF, STBC, and LDPC. The usefulness of TxBF depends upon client device adoption, and perhaps the Qualcomm acquisition of Atheros will move that trend along. STBC and LDPC add modest gains in range and reliability, but even though their impact is small, these features are yet another sign that the industry is maturing and the theoretical features of 802.11n are becoming material.
In addition to the new indoor-focused AP, a new AP-175 outdoor AP (2x2) is on the way. Physically, this AP looks like the offspring of Aruba's recent Azalea acquisition, but it doesn't seem to be the full byproduct of that acquisition. Look for more from that relationship in the future.
Taking a look at the non-hardware additions to their tool belt, we should mention Aruba’s new perspective on the centralized vs. distributed architecture debate. That is, Aruba is introducing a new deployment model called Aruba Instant. Aruba has previously had a lot of success with their remote access platforms, including branch controllers/APs as well as small form factor remote APs for remote sites and home offices. Supplementing that model, Aruba Instant allows physically distributed office environments to deploy APs in a sort of locally controlled cluster without a controller appliance. They call it a virtual controller, but the control functionality has just been moved to a single AP (centralized control, distributed data forwarding) within the Instant group. Aruba Instant scales to 16 IAPs (Instant Access Points), and can be managed either by the limited interface of the virtual controller AP or by AirWave. Speaking of, it looks like a cloud-based AirWave product is back on the table, though I don’t have all the details of availability.
I'm a bit divided on Aruba Instant. On the one hand, 16 APs per group is plenty to meet the needs of most distributed enterprises, and for that, I see it as a brilliant evolution of Aruba's architecture. The controller doesn't go away in the large branches, datacenters, and HQ offices, but distributed offices (where a controller for each office gets expensive) get the benefit of lower cost and added simplicity. The cost model is good, because you pay only for the APs. The feature support model is what leaves me with a question mark. Specifically, Aruba Instant is not a full-featured controller-less version of ArubaOS. It is a deployment model built on a subset of the controller's feature set, and it lacks support for spectrum analysis as well as some of the other standard functions available in their controller-based deployments. Thankfully, it does still support ARM, the stateful firewall, WIPS, and stateful QoS, which are big-ticket items for Aruba. So on the one hand, Aruba Instant makes perfect sense as a deployment model. On the other hand, why the feature holdout?
So, we've covered two new APs and a new deployment model. I mentioned at the beginning that part of Aruba's impressive "new" stuff includes new market entry. That new market is access layer switching with a focus on mobility. The S3500 series is Aruba's new "mobility access switch." The specs are about as expected: 24 or 48 GigE ports, optional PoE+, 10 GigE uplinks, 802.1X port-based security, stateful firewall, classic L2 forwarding, and so on. What's novel is that the switches get their configuration and firmware from the controller, so no direct configuration is necessary. So, in a market that seems to be removing services from the controller, Aruba is finding new ways to utilize it. On the roadmap, some controller functionality will be integrated into the switch itself, but it's too early to tell what this will actually look like.
We often hear about the separate panes (or is it pains?) of management between network groups within an enterprise. Part of Aruba's goal is to piggyback on their earlier network rightsizing campaign by shifting their focus from all wireless (though that is still central, I believe) to all things at the access layer (indoor/outdoor wireless, edge switching, VPN). By broadening their scope in this way, they seek to provide a "truly unified" (ouch, competitive jab) approach to user, device, location, and application aware policies. Because the Aruba edge switches run ArubaOS, aggregating context information in AirWave is much easier, both for configuration and for monitoring of policies. It also provides a single management console for network-wide user insight across all access methods. That's a great thing!
Perhaps I’m just thick-skulled, but I’d never really thought of each user, device, application, and location pair as a context. But, in its simplest form, that is what it means. Holistic context awareness, then, provides central insight into each aspect of these contexts, which are powerful variables that allow you to differentiate network services with better control and more flexibility.
For me, the basic example that best illustrates the value of context awareness is the issue of consumer devices in the enterprise. Is an iPhone or an iPad a business device or a personal device? Is it a data, voice, or video device? To what VLAN should it be segmented? Should the same iDevice network services be available from home and HQ? What QoS policy should they get? What about NAC? Now answer the same questions for corporate laptops, corporate VoIP phones (wired and wireless), and all the heterogeneous device types found on guest networks.
Hopefully, these questions demonstrate that the new burden of consumer mobile devices in the enterprise does not always fit the mold of current design practices or network policies. Today, we often segment the LAN by applications, user groups, or devices. So, we broadcast multiple SSIDs, each tied to a specific set of rules, policies, and services. However, with context awareness and smart fingerprinting of devices and apps, we can take a simpler, more flexible, and more secure approach by differentiating services based on the context. We can apply any specific policy (application permission, segmentation, firewalling, QoS, NAC, etc.) according to the device, user, application, or location dynamically, instead of relying on static mappings. And, we can implement these once-defined policies across both the wireless and wired access layer. Pretty cool.
Aruba's Context Aware Technology video should help simplify my verbal explanation with some visual flair.
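To make the "context instead of static mapping" idea concrete, here is an added example in Python; it is not Aruba's code and not from the original post. It contrasts a static SSID-to-VLAN table with an ordered rule list evaluated against the user/device/application/location context, with an unmatched context falling through to quarantine rather than to the SSID default. The page does not say how Aruba fingerprints devices, so the example uses DHCP option 55 (the Parameter Request List) as one commonly used signal; the signatures, role names, VLAN numbers and firewall role names are all illustrative assumptions.

```python
# Added example (not Aruba's code): a small context-aware access-policy engine.
# Every DHCP signature, role name and VLAN number below is an illustrative
# assumption for the example, not a real Aruba value.
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# The static model: one SSID, one VLAN, regardless of who or what connects.
# A personal iPad and a corporate laptop on "corp" are treated identically.
STATIC_SSID_VLAN = {"corp": 10, "voice": 20, "guest": 50}

# Constructed DHCP option-55 (Parameter Request List) signatures. Real
# fingerprint databases are far larger and change with OS releases; these
# tuples are placeholders, not authoritative signatures.
DHCP_FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 15, 119, 252): "ios",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows",
    (1, 3, 6, 15, 119, 95, 252, 44, 46): "macos",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "android",
}


def fingerprint_device(option55: Tuple[int, ...]) -> str:
    """Classify a device from the option list it asked for in DHCP Discover."""
    return DHCP_FINGERPRINTS.get(tuple(option55), "unknown")


@dataclass(frozen=True)
class Context:
    """The user/device/application/location tuple the article calls a context."""
    user_role: str      # from 802.1X/RADIUS, e.g. "employee" or "guest"
    device: str         # from fingerprint_device()
    corp_managed: bool  # device presented a corporate certificate / MDM profile
    location: str       # ingress point: "hq", "branch" or "home" (remote AP/VPN)
    application: str    # "voice", "video" or "data"


@dataclass(frozen=True)
class Policy:
    vlan: int
    qos_class: str      # "voice", "video" or "best-effort"
    firewall_role: str  # stateful-firewall role to apply to the session
    nac_required: bool  # run posture assessment before granting full access


@dataclass
class Rule:
    name: str
    match: Dict[str, Any]   # Context field -> value, or set of allowed values
    policy: Policy


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """Every listed field must match; a set means 'any of these values'."""
    for field_name, wanted in rule.match.items():
        have = getattr(ctx, field_name)
        if isinstance(wanted, (set, frozenset)):
            if have not in wanted:
                return False
        elif have != wanted:
            return False
    return True


# Ordered, first match wins. A context that matches nothing is quarantined:
# the safe default when a fingerprint or an identity is missing.
DEFAULT_DENY = Policy(vlan=999, qos_class="best-effort",
                      firewall_role="quarantine", nac_required=True)

RULES: List[Rule] = [
    Rule("guest", {"user_role": "guest"},
         Policy(50, "best-effort", "guest-internet-only", False)),
    Rule("corp-voice",
         {"user_role": "employee", "corp_managed": True, "application": "voice"},
         Policy(20, "voice", "voice", False)),
    Rule("corp-managed-laptop",
         {"user_role": "employee", "corp_managed": True,
          "device": {"windows", "macos"}},
         Policy(10, "best-effort", "employee-full", False)),
    Rule("byod-onsite",
         {"user_role": "employee", "corp_managed": False,
          "device": {"ios", "android"}, "location": {"hq", "branch"}},
         Policy(30, "best-effort", "byod-mail-and-internet", True)),
    Rule("byod-remote",
         {"user_role": "employee", "corp_managed": False,
          "device": {"ios", "android"}, "location": "home"},
         Policy(30, "best-effort", "byod-mail-only", True)),
]


def evaluate(ctx: Context, rules: List[Rule] = RULES) -> Tuple[str, Policy]:
    """Return the name of the first matching rule and its policy."""
    for rule in rules:
        if rule_matches(rule, ctx):
            return rule.name, rule.policy
    return "default-deny", DEFAULT_DENY


def classify_session(user_role: str, option55: Tuple[int, ...],
                     corp_managed: bool, location: str,
                     application: str) -> Tuple[str, Policy]:
    """Build the context from raw observations, then evaluate it."""
    ctx = Context(user_role, fingerprint_device(option55), corp_managed,
                  location, application)
    return evaluate(ctx)


if __name__ == "__main__":
    # Constructed sessions: a personal iPad at HQ, the same iPad from home,
    # and a device nobody can fingerprint. The static table would put all
    # three on VLAN 10 simply for joining the "corp" SSID.
    ipad = (1, 3, 6, 15, 119, 252)
    for args in [("employee", ipad, False, "hq", "data"),
                 ("employee", ipad, False, "home", "data"),
                 ("employee", (1, 2, 3), False, "hq", "data")]:
        print(args[3], "->", classify_session(*args))
```

Two things worth noticing when you run it. First, the same iPad gets a different firewall role at HQ than from home, which is exactly the "should the same iDevice get the same services from home and HQ?" question above, answered by policy rather than by a separate SSID. Second, a corporate-managed iPad carrying data traffic matches none of the rules and lands in quarantine; that is the default-deny doing its job and telling you the rule set has a gap, which is far better than silently inheriting the SSID's VLAN.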
In addition to the previously mentioned architecture and product updates, Aruba has expanded their software solutions to include client-side VPNs for Windows/Macs, automated device recognition and profile provisioning for iDevices (called Mobile Device Admission Control—MDAC), guest provisioning enhancements (remember the Amigopod acquisition) that simplify corporate and guest user account deployment, and enhancements to AirWave to facilitate the Aruba MOVE architecture.
For more information, check out their resources at the link below. Their videos are quite helpful at explaining the technologies, but they don’t insult your intelligence. Thanks to Aruba for that!
The current Aruba MOVE landing page is a good place to start: http://www.arubanetworks.com/the-lan-is-dead/
I also want to thank Aruba for providing access to the 2011 Gartner Magic Quadrant: http://www.arubanetworks.com/pdf/Gartner-WLAN-MQ-2011.pdf