Pres Flashcards

1
Q

The 2930M Access Layer will utilize…

A

backplane stacking and we will uplink from the top and bottom of each stack to the distribution layer in the MER and SER rooms via dual 10G uplinks.

2
Q

The Aruba 8325 distribution switches will be…

A

stacked with dual 100G connections in a VSX stack.

3
Q

The distribution will be uplinked to the 8400 series core in Hubs 1 and 2 via…

A

dual 100G connections which will be terminated on separate line cards to ensure high availability.

4
Q

The Aruba 8400 consists of three types of modules…

A

Management Modules, Fabric Modules and Line Cards.

5
Q

The primary (active) module performs…

A

the vast majority of all system functions and replicates tables to the standby module.

6
Q

The active Management Module has three main functions:

A
  • keeps track of the state of the line cards
  • makes control plane decisions for each line card
  • sends keep-alive messages to the standby management module to ensure it's still up and running.
7
Q

The standby module provides an additional function of…

A

maintaining an updated configuration database.

8
Q

The Fabric Module provides the ability for traffic …

A

to flow between line cards

9
Q

The 8400 supports a maximum of three fabric cards but only

A

requires one card to be functional

10
Q

To have redundancy and keep line rate speeds in case of a failure

A

three fabric modules are needed.

11
Q

Per core switch, the Vodafone proposed core solution consists of:

A

• 3 x 40G/100G QSFP28 Modules
• 1 x 32-port 10 GbE SFP/SFP+ with MACsec advanced module
• 1 x Management Module
• 3 x 7.2Tbps Fabric Module

12
Q

Per distribution switch, the Vodafone proposed 8325 switch supports…

A

48 ports of 1G*/10G/25GbE (SFP/SFP+/SFP28) and 8 ports of 40G/100GbE (QSFP+/QSFP28) SFP+ ports

13
Q

The Aruba 2930M Switch Series is designed for customers creating

A

smart digital campus deployments that are optimized for mobile users with an integrated wired and wireless approach.

14
Q

The 2930M series are easy to…

A

deploy and manage with advanced security and network management tools like Aruba ClearPass Policy Manager and IMC.

15
Q

The Network Analytics Engine is a root cause analysis tool that comes with the 8000 series from Aruba. Its main function is to diagnose…

A

from the problem down to the root cause.

16
Q

Engineers can easily access the NAE through a Web interface, and REST APIs allow …

A

access to individual agents and to NAE databases. When a problem arises, these agents notify IT staff of the issue and provide results of the analysis.

17
Q

NAE System Health

A

This provides reliable intelligence on the performance status of the switches.

18
Q

NAE Network Analytics

A

The breadth of capabilities in this category cuts across everything from Layer 1 transceiver monitoring to Layer 3 health of BGP or OSPF peers.

19
Q

NAE Security

A

Using the ability of the Aruba 8000 series to locate traffic passing through the aggregation and core portions of the network, NAE inspects and identifies errant traffic. When this occurs, NAE can then take action on the traffic, or direct it to a security device for detailed inspection.

20
Q

NAE Application Visibility:

A

NAE monitors cloud applications such as Office365 or Google Suite, tracking their performance across time. Upon detecting degradation, the NAE agent performs robust network diagnostics.

21
Q

NAE Network Optimization

A

This category diverges from root cause analysis and directs the focus at optimizing traffic by using NAE’s analytics capability in conjunction with automation. By leveraging interface usage and application performance statistics, NAE can adjust the weights of routes to direct application traffic out different links or to different providers.

22
Q

What is VRF?

A

VRF is a technology that allows multiple instances of a routing table to co-exist within the Aruba Core or Aggregation Switch. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.

23
Q

Can we support VRF?

A

In order to segment the TUD network according to different business needs, the Aruba solution can support VRF. VRFs provide Layer 3 level isolation to achieve a segmented Virtual Private Network (VPN) across the TUD Campus.

24
Q

How many VRFs can it support?

A

The proposed Aruba solution, the 8400 for the Core and the 8325 for the Aggregation Layer, supports up to 32 VRFs. This would allow TUD not only to meet the current requirement today for 10 dedicated segments but also to accommodate the 20 possible VRFs required in the future, and beyond.

25
Q

What are colorless ports?

A

A great feature we can use as part of this is colorless ports. ClearPass can identify clients connected to switch ports based on 802.1X credentials, MAC-auth or Captive Portal, and can place them into the relevant VLAN or ACL based on this.
All the switches would have similar configuration with IP, credentials, authentication, VLANs and uplinks. All access ports need only a few lines of configuration common for all ports.
With an all Aruba portfolio this technology gets even more intuitive.

26
Q

What is dynamic segmentation?

A

When we talk about dynamic segmentation we are talking about the separation of traffic based on device or user roles on the TUD network. This is a secure way to provide network segmentation that's based on user roles on your network. That covers everything that sits on your network, whether it's a fully trusted 802.1X-authenticated user, a guest user trying to access the internet or an IoT/CCTV device that needs access to a backend server. What dynamic segmentation does is allow you to tunnel some or all of this traffic, based on your preference, back to the centralised controllers where it can be inspected or handed off into a DMZ depending on the nature of the traffic.

27
Q

Is DS all or nothing?

A

This is not an all-or-nothing approach. Universities or enterprise customers can use things like dynamic segmentation in tandem with a more classic VLAN/VRF approach to traffic separation. It's all about what types of traffic we want to tunnel back and what we are happy to route across the network using the same VLAN techniques we've been using for the last 20 years or so. And while we don't need an all-or-nothing approach, the key building blocks here are the Aruba product portfolio. It's best to have a unified approach to wired and wireless, and the benefits are listed here on the right: unified access policy for wired and wireless, deep packet inspection at the controller, role-based awareness and colorless ports, device profiling and fingerprinting. All of this is being done at a central point, hence the ease of management.

28
Q

What types of traffic don't have to be tunnelled?

A

Trusted traffic can stay local, such as IP or conference phones, or an employee on a managed device.

29
Q

What types of traffic should be tunnelled?

A

You should probably tunnel guests to a DMZ, and tunnel employees on an unmanaged device, devices that fail posture checks or IoT devices.

30
Q

The Aruba mobility controllers utilise the power of …

A

the mobility master (which is essentially the central intelligence point for a controller cluster)

31
Q

So when we power up the boxes some hello messages are…

A

exchanged and a cluster leader is elected. The controllers are then placed into fully meshed IPsec tunnels between each other. They will then begin to do things like automatically load balance GRE tunnels across the cluster.

32
Q

Stateful failover, so this ensures

A

user traffic is uninterrupted if a cluster member fails.

33
Q

Just to run through how that failover would look I have a slide here that shows an access point (although it is the exact same with a switch) connecting back to the AAC with an active tunnel and the S-AAC with a standby. The AP Anchor Controller and the Standby-AP Anchor Controller.

A
  1. AAC fails and failure is detected by S-AAC
  2. S-AAC instructs switch to fail over and switch stops its Active tunnel with failed AAC
  3. The Standby tunnel with S-AAC becomes Active
  4. New S-AAC is assigned by Cluster Leader
34
Q

In terms of scalability from a segmentation point of view you can see here the breakdown of the controllers and switches. So for the design we are discussing now we can support…

A

over 4000 active tunnels on the controller with 1024 per switch or stack and 32 user tunnels per port.

35
Q

DS Benefits Secure IoT Devices

A

Dynamically segment your traffic in secure tunnels to protect the IoT traffic and protect critical clients’ traffic.

36
Q

DS Benefits Better, Consistent User Experience

A

Centralized, unified role-based policy, authentication and enforcement deliver the same policy and a consistent user experience wherever the user or IoT device is and however they connect (wireless or wired).

37
Q

DS Benefits Simplify Operations

A

Save time and reduce configuration errors by eliminating manual, static configurations of VLANs and ACLs on switches by dynamically applying unified wired and wireless policies and advanced services anywhere in the network. No new networking skills required!

38
Q

DS Benefits Ensure Branch Security

A

Utilize ZTP for switches and tunnel specific wired (per port) traffic to controller with Firewall - great for retail PCI compliance, remote education satellite research campuses or healthcare facilities.

39
Q

DS Benefits Use Built-in Controller Security Services

A

Take advantage of the Aruba mobility controller and branch gateway's built-in security features such as firewall, packet inspection and fingerprinting for wired and wireless traffic.

40
Q

DS Benefits Overlay Architecture Solution

A

Enables smooth integration with existing segmentation such as VLANs, which means no ripping and replacing of the entire switching infrastructure; it co-exists with existing VLAN segmentation.