Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

aruba controllers as virtual machines

  • 1.  aruba controllers as virtual machines

    Posted Jun 23, 2016 05:28 AM

    Hi,

    is there any plan to provide controllers as VMs? It will simplify deployment for smaller installations big time.

    Best,

    D



  • 2.  RE: aruba controllers as virtual machines

    EMPLOYEE
    Posted Jun 23, 2016 08:10 AM
    Aruba Instant is designed for small deployments.


  • 3.  RE: aruba controllers as virtual machines

    Posted Jun 23, 2016 08:30 AM

    I thought there was talk of there being a widely available controller VM. I say widely available as I believe there's a military customer with VM controllers.

     

    Caveat: There are just things I've heard...



  • 4.  RE: aruba controllers as virtual machines

    EMPLOYEE
    Posted Jun 23, 2016 09:26 AM

    There is currently a VM-based controller that is supported ONLY for VPN termination (WiFi is not yet officially supported) and is delivered to the US Government and Military only currently. There may be an option for non-US GOV/MIL coming in the next year, but it will be very small. As far as easily deployed, in MOST cases the 7005 is smaller than a server required to run the VM, or Instant takes no size whatsoever. Additionally, the VM-based controllers are NOT cloneable, as they are licensed individually, so there's no 'assembly line' capabilities with the VM. If you clone a VM controller, it will brick and will require a new serial number and passphrase be generated and licensed.

     

    What is your use case/need for a VM-based controller, exactly? I would be interested to know and you can send me a PM if you would rather not share publicly. 



  • 5.  RE: aruba controllers as virtual machines

    Posted Jun 23, 2016 11:37 AM

    @Jerrod Howard

     

    There is no need for PM since it is not military or something like it :-). The thing is that most of the customers have some spare capacity on their virtualized environments. We have been using Fortinet/Ruckus/Aerohive (even only management) in virtualized environment with great success. It is less boxes to maintain, less power dragged and most important thing it is easier to "service" and upgrade.

    When I say service, there are part of the world you don't have spare part stock, there is customs and complicated paperwork with VAT returns once you have to return box for repair. For all of these reasons we have switched to locally available and serviced HP/DELL/Lenovo servers and software solutions on top of it.

    As far as I am concerned, this is big shortcoming of Aruba but maybe I am the only one out there so it won't break a bank :-). Issue with serial number for VM is solved already with different vendors and I don't see why it would be a problem with Aruba since I am 99% sure it is some kind of linux under tweaked for wireless stuff :-).

    To be honest with you, we are more interested in ClearPass than Aruba wireless but we found ClearPass bit complicated with licensing. As I said in previous post, I just started exploring Aruba and those are initial thoughts. We will be offering another solutions until we gain confidence in Aruba as best price/performance/feature solution.

    Best regards,

    D

     



  • 6.  RE: aruba controllers as virtual machines

    EMPLOYEE
    Posted Jun 23, 2016 12:02 PM

    So what size AP deployments are you looking for? VMC will be for very small AP deployments (think less than 32 and possibly less than 16 APs). The power draw for an x86 based controller like the 7010 or 7008 are well below that of a VM in most cases (when the VM is sized appropriately), and note that for VMC, it requires hardware resource reservations (3 CPUs, 16GB RAM, 10-60GB disk). So the true usability for VMC will be pretty limited as it will have a higher 'cost' within the VM resource pool as no over-subscription is supported or allowed (which is different from web servers and other servers that are idle most of the time). Most VM admins won't be fans of standing up resources that lock out resources and don't make them available to other idle machines when they need it. The use case now (for GOV/MIL) are for tactical use cases where they require MILSPC hardware to deploy.

     

    What is different between Aruba controllers versus others like Cisco, Ruckus, Aerohive, etc is that "Aruba Controllers" terminate the AP connections and handle ALL the encryption/decryption. No other vendor does it like this within a VM (most all other vendor's VM-controllers are more 'config management and control', but don't actually terminate crypto and user traffic dataplane). As such, in an x86 environment, it's VERY resource intensive so controllers with hardware-programmable crypto chips just 'work' better to scale compared to VMs. In most environments, if you are looking for small deployments and you DON'T require high security crypto or government certs, you would use Aruba Instant which wouldn't need anything in your DC.

     

    What is your need for a controller-based WLAN over an Aruba Instant WLAN? Honest question, the more feedback we get, the more we can look at applicability to the benefit of our customers.

     

    As far as VMC and serial numbers, because we terminate crypto AND manage the RF for those thin APs, the serials are *required* to manage and control regulatory permissions. The serial and passphrase generated on the platform govern whether it's US FCC, ROW, JP, or IL, and very likely will not be going away. So there will not ever be (at this point in time) any way to easily clone VMCs without re-serializing and re-licensing the platform. Controlling the serialization is also part of the revrec process in tracking assets as sold by Aruba, think of it as a form of DRM. It's not overly cumbersome, the serial is entered, a passphrase is generated, and those two elements are taken to the licensing site to generate your license keys. If you have a Mobility Manager, you can manage your licenses centrally instead (which is what MOST customers would do where they have multiple small controllers deployed in a distributed fashion).

     

    For our other products that are out or are coming that DON'T terminate wireless connections, we have the same serializing that other vendors use and cloning is more 'supportable'. 

     

    I'm curious what licensing difficulties you had with CPPM, for the most part it's volume and feature based and I've not heard much feedback that the licensing was hard to understand (unless the licensing itself is not liked, which then yea I get it heh). 



  • 7.  RE: aruba controllers as virtual machines

    Posted Jun 23, 2016 01:28 PM

    @Jerrod Howard

    "what size AP deployments are you looking for? VMC will be for very small AP deployments (think less than 32 and possibly less than 16 APs)." --> we do from 20-30 APs to some like 500-600 APs. We operate in SMB, upper-level small up to upper-level midsize, from time to time in lower-level enterprise.

    "Most VM admins won't be fans of standing up resources that lock out resources and don't make them available to other idle machines when they need it." --> most of our customers are with 1-2 admin guys. They are looking to lower number of boxes, not to increase. That's why they love Aerohive for example. We are not in USA and I actually came across companies like Aruba which doesn't understand other markets. In other markets things are a lot smaller than in USA. For example we didn't even consider Aruba before HPE purchase since Aruba is (my understanding and info):

    1. Focused on US enterprises

    2. More expensive than Cisco (compared some quotes today I received from Aruba distributor)

    3. Totally unknown brand in our country (even small one) but learned that region is also unaware of Aruba as networking brand.

    "The power draw for an x86 based controller like the 7010 or 7008 are well below that of a VM in most cases (when the VM is sized appropriately), and note that for VMC, it requires hardware resource reservations (3 CPUs, 16GB RAM, 10-60GB disk)." --> still I do prefer VMC and my customers prefer VMs. Recently they started deploying Fortinet Fortigates as VMs and killing appliances. There are pros and cons for each way.

    "What is different between Aruba controllers versus others like Cisco, Ruckus, Aerohive, etc is that "Aruba Controllers" terminate the AP connections and handle ALL the encryption/decryption." --> I'll check on this but I am pretty sure Fortinet has encryption between, even Aerohive once you deploy VM locally. But I will check this even though it is not much of a concern with this since we are not working with NATO ;-).

    "if you are looking for small deployments and you DON'T require high security crypto or government certs, you would use Aruba Instant which wouldn't need anything in your DC" --> nice, I have to learn exact differences between Instant and controller-based in order to be able to communicate with customers. Can you share some kind of documents where this is described? Tnx.

    "So there will not ever be (at this point in time) any way to easily clone VMCs without re-serializing and re-licensing the platform." --> looks like we are talking about different things. It is just more convenient to have VM (as far as I am concerned) than appliance. Nobody is looking for a way to actually pirate controller and resell it as pirated copy. As far as regulations, I am not up to speed but if other US vendors are doing it and I assume same set of rules and laws apply to them as well, I see no problem.

    "think of it as a form of DRM" --> there is way to solve this probably since other vendors are doing it.

    "I'm curious what licensing difficulties you had with CPPM" --> As I said, I am new to Aruba and I ran across document which is doing some sort of explanation how to do guest licensing, onboard, onguard, etc etc :-)))). I asked distributor for quote and they were confused what to offer :-)))). But they will come around. If you have good document to understand differences and learn how to calculate, be my guest :-)

    ClearPass is really good. Rest of the stuff, we shall see :-).



  • 8.  RE: aruba controllers as virtual machines

    EMPLOYEE
    Posted Jun 23, 2016 04:15 PM

    Well, I think you are misunderstanding what Aruba is and where we 'fit'...

     

    1. We support all sizes from 1 AP shops to enterprises with 100k APs or more. Enterprises, Education, Government, SMB, SOHO, etc are all supported and we have products to fit within and support all manner and sizes of deployment models.

    2. I would say that is far from the case, but not knowing the details of what quotes you received and what the discounts and designs were, it's impossible to know if that's indeed correct in your case or not. But generally, in our analyses, we are usually far less expensive, in both initial cost AND TCO when feature parity is present.

    3. What region are you in?

     

    Share your country/region and if you're interested, we can find out which sales team may be in your area and we can have them contact you to open dialogue. Distributors are not always the best sources of quotes and educational info on our products. 

     

    As far as licensing, you would need to tell me how other vendors do it, that the way we do it is far different and more burdensome? And again, chances are in most of your deployments, certainly in SMB, Instant would be your preferred platform and that has zero controller with the option of just managing the Instant cluster locally, using Aruba Central for global cloud management, or using AirWave for local/on-prem management of separate clusters. Instant with AirWave or Cloud would be more analogous to Aerohive or Fortinet with their VM management appliance.

     

    Fortigate and Aerohive's controllers are ONLY doing management and monitoring of their Fat APs (nothing wrong with that), whereas Aruba controllers are actually terminating crypto. So your customer's needs will REALLY dictate whether you need a controller (VM or hardware) versus Instant. But more often than not, unless there is a controller feature requirement, you would use Instant.

     

    You can search Google or the community here for posts where our user community discuss the differences.

     

    http://community.arubanetworks.com/t5/Wireless-Access/Controller-vs-IAP/td-p/67730

    http://community.arubanetworks.com/t5/Wireless-Access/Difference-between-Aruba-Instant-APs-and-controller-managed-APs/td-p/140095

     

    Another unique feature is that you can initially deploy Aruba Instant APs, and if you decide a few years down the road that you need a controller, you can convert all your IAPs to run on a controller (note that non-Instant APs cannot be converted to Instant). 

     



  • 9.  RE: aruba controllers as virtual machines

    Posted Jun 24, 2016 06:59 AM

    @Jerrod Howard

    "Fortigate and Aerohive's controllers are ONLY doing management and monitoring of their Fat APs (nothing wrong with that), whereas Aruba controllers are actually terminating crypto" --> Hm! When you say crypto, you mean IPSEC or otherwise encrypted tunnel from AP to controller? I believe Fortinet has something called tunnel mode and if I recall correctly, it encrypts traffic between AP and controller. Didn't check documentation for new 5.4.1 release (time issue). Aerohive also if management is deployed locally, they can encrypt traffic but had no pleasure checking this out since all our installations are cloud based.

    "What region are you in?" --> Eastern Europe

    Thanks for the links.

    D



  • 10.  RE: aruba controllers as virtual machines

    EMPLOYEE
    Posted Jun 24, 2016 08:03 AM

    The way Aruba controllers work, and why we are different from other vendors, is that when a client sends a WPA2 encrypted frame over the air to the AP (or when the AP sends one to the client), what is ACTUALLY happening is the controller or AP is wrapping the encrypted WPA2 frame with GRE, and then sending these encrypted WPA2 frames into a GRE tunnel destined for the controller. The controller is then stripping the GRE header off and decrypting the WPA2 frames from the clients and converting them to wired 802.3 frames, and encrypting wired 802.3 frames into WPA2, putting the GRE header on, and sending back out to the AP/client. 

     

    All other vendors just end up creating an encryption tunnel between the AP and 'controller', but the 802.11 to 802.3 conversion is still happening on the AP. So if you have 100 APs, and each AP has 10 users (1,000 users), your Fortinet or Cisco or Aerohive controller is only decrypting 100 tunnels from the APs (not very crypto-intensive, esp with IPsec) and the frames are all wired 802.3 frames from the AP. The Aruba controller is decrypting/encrypting 1000 users' many WPA2 frames (which in many cases WPA2 is more crypto-intensive), and then converting to wired 802.3 frames.

     

    This has NUMEROUS security benefits over the other methods from other vendors (namely centralized encryption, and this makes each Thin AP TRULY thin, and not a security risk, since if they are stolen there's no crypto local to the AP, compared to other vendors where keys could be leaked or stolen). Not everyone needs centralized crypto though, so Instant works instead. But that is how other vendors can claim that, but it's not the same. Additionally, you will find that most vendors will note a decrease in throughput or capacity when these controllers are run in Tunnel or Encrypted mode, because of the additional crypto load (and if they don't you will see a performance drop when their controller is under load).



  • 11.  RE: aruba controllers as virtual machines

    Posted Jun 24, 2016 11:29 AM

    @Jerrod Howard

    tnx for explanation. I'll play with it since I ordered some demo kit :-).



  • 12.  RE: aruba controllers as virtual machines

    Posted Jun 23, 2016 11:28 AM

    @timcappalli 

    So Aruba Instant has exactly same capabilities as "regular" Aruba with controllers? Including ClearPass and rest of the stuff?

     

    I am new here, long time HP networking partner. We started exploring Aruba few months ago and still learning about stuff.

    Best regards,

    D



  • 13.  RE: aruba controllers as virtual machines

    EMPLOYEE
    Posted Jun 23, 2016 11:52 AM

    The feature sets are similar. Choosing one depends on the use case and topology of the customer's network.

     

    EDIT: I should clarify. I was referring to Instant vs controller.



  • 14.  RE: aruba controllers as virtual machines

    Posted Jun 23, 2016 12:01 PM

    @timcappalli

     

    I am not native English speaker so is "similar"="exactly same" as far as feature set is in question? I am just looking for precise answer since I was asked by one of my customers.

     

    Tnx,

    D



  • 15.  RE: aruba controllers as virtual machines

    EMPLOYEE
    Posted Jun 23, 2016 12:04 PM

    imadam, they are NOT exactly similar, there are some features that a Virtual controller will not support that hardware-based controllers will. The goal is to get feature parity, but in some cases, some features will be excluded because of limited resources within the x86 platform.

     

    More will come out in the coming months regarding VMC, and some of those are still fluid. So standby for more towards the end of the year.



  • 16.  RE: aruba controllers as virtual machines

    EMPLOYEE
    Posted Jun 23, 2016 12:28 PM

    The answer really depends on the customer's environment. Some environments are small enough or conducive to Instant. Others, controllers work better.

     

    Have you reached out to one of your local Aruba SEs?