Virtual service networks in a campus network: Learn from these use cases
By Dean Snyder, Global Product Strategy, HP Networking
In my previous blog, I introduced the three major FlexCampus virtual service network (VSN) building blocks: VSNA, FlexCampus Unified Controller and OpenFlow. You can read the full blog here: Virtual service networks in a campus network: Why FlexCampus VSN?
Let’s take a closer look at how these technologies can be applied in the real world. I purposely chose the two use cases below because these trends are already in play and are gaining ground quickly in many businesses and higher education institutions.
Use Case 1 – dealing with the wireless invasion
How do I deal with the invasion of wireless devices such as iPhones, Droids and iPads onto our corporate network? Some of the devices are corporate owned, but increasingly we are seeing a significant rise in the use of personal devices on our network. If network access is granted unchecked, I no longer know who is reaching our network resources, and we put ourselves at high risk of a major security breach. We currently assign unknown device types and users to a remediation VLAN with no network access privileges, but this is not a sustainable solution.
As an administrator, you could be using HP’s Virtual Service Network Administrator (VSNA) along with its implicit access control features. Here is a 50,000-foot look at how VSNA would shield you from the complexities and operational costs of a traditional Network Access Control (NAC) solution. In addition, new features such as Virtual Network Services are introduced. These new service definitions and policies significantly enhance your ability to specify which corporate services and resources are granted to users, user groups and device types, whereas traditional NAC today exposes only a few policies.
1. VSNA’s fingerprinting feature provides the administrator with a list of users and device types, which are grouped into one or more Access Policy Groups. In this example an Access Policy Group named “iPAD” has been created and populated with iPad devices detected by the Organizationally Unique Identifier (OUI) fingerprinting feature. An OUI is the vendor prefix of a device’s MAC address, so this step classifies the device type; authentication of the user follows in the next step.
2. The administrator creates one or more VSNs (network services) and associates Access Policy Groups with one or more of them. A VSN can carry additional attributes such as location, time, routing and a security policy. In this example, the “iPAD” Access Policy Group is associated with a VSN named “Guest”, which grants network access only to the public Internet and network administration services. Users requesting access to the network are presented with a self-registration portal, which authenticates and authorizes them against the embedded RADIUS server. Once a guest user or device has been fully authenticated and authorized, it is placed in the appropriate Corporate Intranet Access Policy Group(s) and thereby associated with a number of predefined VSNs.
All of this is performed without having to configure supplicants on the clients, configure your switches, configure RADIUS or manage users in a directory. Figure 1 below illustrates VSNA’s authentication architecture. For reference, SNAC is HP’s Simple Network Access Control solution, currently available as a standalone access control offering; in the future SNAC features will be tightly integrated into VSNA. AD in the illustration stands for Active Directory.
Figure 1: VSNA authentication
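To make the Use Case 1 flow concrete, here is an added example in Python (not HP VSNA code) that models the two steps above: an OUI fingerprint places a device in an Access Policy Group, each group maps to one or more VSNs, each VSN grants a set of services, and a successful login against a stand-in for the embedded RADIUS server moves the device from its fingerprint-derived group to the corporate group. The OUI table, group and service names and the user record are all constructed assumptions; unknown devices fall into a no-access remediation group, as in the problem statement.

```python
"""Toy model of the VSN Use Case 1 flow: OUI fingerprint -> Access Policy
Group -> VSN(s) -> per-service authorization, with promotion to a corporate
group after RADIUS authentication.  Constructed example, not HP VSNA code."""
import hmac
from dataclasses import dataclass

# Constructed OUI table: first three octets of the MAC -> device type.
# A real deployment would derive this from the IEEE OUI registry.
OUI_TABLE = {
    "AA:BB:CC": "iPAD",
    "DD:EE:FF": "CorpLaptop",
}

# Device type -> initial Access Policy Group.  Anything unknown lands in
# "Remediation", the no-access group from the problem statement.
GROUP_FOR_TYPE = {"iPAD": "iPAD", "CorpLaptop": "Corporate"}
DEFAULT_GROUP = "Remediation"

# Access Policy Group -> VSNs (network services) it is associated with.
GROUP_TO_VSNS = {
    "iPAD": ["Guest"],
    "Corporate": ["Corp-Intranet"],
    "Remediation": [],
}

# VSN -> services it grants.  "Guest" is public Internet plus network
# administration services only, as in the post.  Service names are assumed.
VSN_SERVICES = {
    "Guest": {"public-internet", "net-admin"},
    "Corp-Intranet": {"public-internet", "intranet", "file-share"},
}

# Stand-in for the embedded RADIUS server: username -> (password, group).
RADIUS_USERS = {"alice": ("s3cret", "Corporate")}


def normalize_oui(mac: str) -> str:
    """Return the OUI as 'XX:XX:XX' from colon, dash or dotted MAC notation."""
    hexdigits = "".join(ch for ch in mac if ch not in ":-.").upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 6, 2))


def classify(mac: str) -> str:
    """OUI fingerprint -> initial (pre-authentication) Access Policy Group."""
    device_type = OUI_TABLE.get(normalize_oui(mac))
    return GROUP_FOR_TYPE.get(device_type, DEFAULT_GROUP)


@dataclass
class Session:
    mac: str
    group: str
    authenticated: bool = False

    @property
    def vsns(self) -> list:
        return GROUP_TO_VSNS[self.group]


def onboard(mac: str) -> Session:
    """Step 1: a device appears on the network and is fingerprinted."""
    return Session(mac=mac, group=classify(mac))


def authorize(session: Session, service: str) -> bool:
    """A service is reachable iff some VSN of the device's group grants it."""
    return any(service in VSN_SERVICES.get(v, set()) for v in session.vsns)


def authenticate(session: Session, username: str, password: str) -> bool:
    """Step 2: the self-registration portal checks credentials against the
    RADIUS stand-in.  On success the device leaves its fingerprint-derived
    group and joins the authenticated user's group; on failure nothing changes."""
    record = RADIUS_USERS.get(username)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return False
    session.authenticated = True
    session.group = record[1]
    return True


if __name__ == "__main__":
    ipad = onboard("aa:bb:cc:01:02:03")
    print(ipad.group, ipad.vsns, authorize(ipad, "intranet"))
    authenticate(ipad, "alice", "s3cret")
    print(ipad.group, ipad.vsns, authorize(ipad, "intranet"))
```

The point the model makes is the ordering: the OUI only decides where an unauthenticated device starts, and the only thing that widens access is a successful RADIUS check. A device whose OUI is not in the table never reaches any VSN until someone authenticates on it.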
Use Case 2 – increasing wireless at the campus LAN network edge
Your company has decided to dramatically increase its adoption of wireless technologies at the edge of the campus LAN. The primary drivers cited are the low deployment costs and ease of administration experienced with the current controlled wireless environment. Wired switches will continue to play a role at the campus LAN edge, but they are expected to make up about 50% of the mix by the end of the calendar year, versus 90% today. As an administrator you are very concerned about managing this mixed wired/wireless environment with your current set of device-specific tools. It feels like you’re being set up to fail.
1. The HP FlexCampus VSN solution introduces a “hands-off configuration” administration model that eliminates hours of tedious network infrastructure configuration tasks such as VLANs, ACLs, spanning tree and QoS. Adoption of wired and wireless devices into the network is automated. At the center of the FlexCampus VSN architecture is the HP FlexCampus Unified Controller. Its ability to automate the adoption of both wired and wireless infrastructure and present a common management plane up to VSNA frees you from repetitive device-specific administration and lets you shift your focus to optimizing and delivering reliable services to your customers.
2. Prior to the FlexCampus VSN architecture, deploying and maintaining advanced features such as QoS and rate limiting across wired and wireless infrastructure was considered far too complex and costly to implement. Today’s model is more of a wireless overlay, in which features such as QoS and rate limiting must be configured once for the wireless infrastructure and again for the wired infrastructure.
My hope is that you are now armed with a little more background on how the HP FlexCampus VSN architecture can address some of your top-of-mind business needs, while delivering on our commitment to provide you with innovative solutions that help keep your CAPEX and OPEX in check.
I’ll leave you with the answer to one common VSN question: Does HP’s VSN architecture support heterogeneous networks? Yes. Heterogeneity is inclusive.
Let’s continue the conversation. Do you have more questions? Or any use cases to share?
>> Read more: HP FlexCampus Network Solutions
>> Learn more about HP Networking products and solutions
>> Follow HP Networking on Twitter and Google+ | Join the HPN LinkedIn Community | Like us on HPN Facebook
Dean, I've heard rumors of HPN's SNAC but cannot find it on the product web page. Please provide a link for us.
I've been designing, selling and installing complex NAC solutions for over 8 years. It’s become more mainstream and easier to install, but it’s still a complex subject, even if you try to use "Simple" in the product name. I applaud HP’s persistence with NAC in general. Through partnerships and homegrown solutions they are leading the market in a holistic approach. But I do caution against the repetitive message that this is going to be easy to deploy in a large, complex environment. In my experience I see two types of NAC solutions out there. One is an in-line device that has total control of packets as they enter and exit the appliance(s). However, they have less control of what happens downstream. Through managing DHCP services for all downstream users they can control who is in the same subnet. But if there are downstream routers without ACLs, users in the quarantine subnet can still route to users in the production subnet. Then you have the NAC solutions that are not inline and have full access to the switches and routers throughout the network. They work in harmony with the DHCP server, the IPS, etc. But you need to touch your infrastructure to make it work. You need SNMP community strings on every network device. You need at least a production VLAN for well-behaved clients, a Guest VLAN for unknown users and a Quarantine VLAN for users that do not meet your policy requirements. Wireless controllers need the same segregation most of the time. That can be a lot of work at times.
Developing a policy can be the most difficult part of any NAC solution. Most of us networking geeks have no problem working on layers 1-4 and just ignore layers 5-7. But layers 8, 9 & 10 are very tough. Those extra layers would be politics, business culture (aka religion) and money.