Post on 27-Jul-2018
SmartZone 3.5 - Feature Review, June 2017
© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION
New Features in 3.5 … 1
RUCKUS PROPRIETARY AND CONFIDENTIAL
o New Dashboard: Quickly assess network status, narrow your focus, and resolve problems.
o Maps: Visually check on your sites and floor plans along with AP health and usage.
o Connectivity Analysis: Walk through the client’s connection flow to find hang-ups and root causes.
o AP Health: Flag APs, easily find the worst performing APs, and compare with others.
o Cluster Health: Monitor and flag cluster node status. Keep critical alerts up front and center.
o Client Health: Check on real-time client performance metrics, connectivity, and traffic.
o Traffic Analysis: Find your top users, APs, WLANs, apps, and OS types.
o Topology Health: Assess AP health by domain, zone, or group to assess localized problems.
New Features in 3.5 … 2
o Bonjour Fencing: Prevent unwanted Bonjour service discovery outside the desired range.
o Role-Based Policy: Assign users to roles, then apply the VLAN, OS, and L3-7 policies you desire.
o ZD Parity: Adds many more critical features previously available only on ZoneDirector.
o Isolation Whitelist: Manually control the network destinations that clients can access.
o ChannelFly: Monitor channel changes and capacity, adapt to client capabilities, and more.
o Spectrum Analysis: Use the AP’s integrated spectrum visibility to troubleshoot RF interference.
o L7 AppControl: Gain control over usage with policies to deny, limit, or reprioritize apps.
o ZD-to-SZ Migration: Easily migrate from ZD to SmartZone with built-in step-by-step tools.
New Features in 3.5 … 3
o SmartZone300: Introducing the newest carrier-grade, high-scale controller appliance.
o MSP: Enhanced management segmentation and object control for MSPs.
o OAM: Improvements to APIs, SNMP, and reporting granularity.
o CALEA: Maintain compliance with lawful intercept functionality for public or govt networks.
o DHCP/NAT in AP: Keep small sites small and low cost with built-in DHCP, NAT in the AP.
o DPSK Phase2: Improvements to scale, function, and flexibility of our patented Dynamic PSK.
o vSZ-D Updates: Increased scale and control for your virtual data plane implementation.
Added ZoneDirector Features
o Mark Rogues as Known: View a list of detected rogue APs that are not managed by the controller and manually identify the trusted APs as “known”.
o Manually Block Client: Monitor connected clients and easily block a specific device if suspicious behavior is detected or a device is stolen.
o Block UE After Repeat Auth Failure: APs will temporarily block client devices that have failed authentication multiple times within a short period of time; this prevents some DoS attacks.
o LDAP over SSL: Allows the SmartZone’s connection to use the non-standard LDAPS, which initiates a TLS session before LDAP messages are transferred.
o Test AAA with Role Attribute: Test authentication services, usernames and passwords, and user role assignment, all at the same time.
Introducing SZ-300
[Figure: SZ-300 chassis, front and back views, no cover; labels: Front Fan, AC PS (x2), HDD]
6x Fans, 2x 10 Gbps data cards, 6x 1 GigE ports
SZ300 Roadmap
SZ-300 / Phase-1 (3.5.0)
o 3.5.0 Beta (End of 2016)
o 3.5.0 GA (Q1 of 2017)
o Supported in phase-1:
• Feature parity with SCG200
• Scale parity with SCG200 (same # AP, # Clients etc)
• 4x Node Cluster supported
• Tunneling and Local Breakout support: Core: Local Breakout (VLAN/Q-in-Q), SoftGRE; Access: RuckusGRE, LB
• Config Migration from SCG200 to SZ-300
o Not supported in phase-1:
• No RMNO (3GPP-tunneling)
• No RMAP (MAP-Gateway)
• No 3rd party AP aggregation
• No Mixed cluster with SCG200

SZ-300 / Phase-2 (3.6.0)
o 3.6.0 GA (2H2017)
o Supported in phase-2:
• 3GPP tunneling (RMNO)
• MAP-Gateway (RMAP)
• 3rd party AP aggregation (RWAG)
• Scale: 600K Clients
• Up to 10 external vDP support
• Access: Q-in-Q, SoftGRE
• Secure Inter-WAC communications
o Not supported in phase-2:
• No PMIPv6
• No Mixed cluster with SCG200

Roadmap is subject to change
New UI – Look and Feel
o Completely redesigned dashboard experience.
o New menu structure with simplified navigation.
o Global filter preserves admin context throughout menus and pages.
o Fresh layout, user interaction, and styling throughout.
New UI – Contextual Enhancements
o Manage the network hierarchy from most menus.
o Quickly change scope and easily manage profiles.
o Monitor and configuration workflows are fully integrated.
o Simplified and enhanced search functionality.
o Easier creation of profiles while linking into other objects.
Multi-Zone Support in “Essentials” (SZ100/vSZ-E)
o Multi-zone now supported on “Essentials” platforms
• Supports up to 1,024 zones
o Allows the network to be segmented into independent organizational units
o Supports different firmware across zones
• Starting in 3.5 and going forward
• No backward compatibility, no 3.4 (or earlier) zones
o Supports different country codes across zones
o Note that some profiles/objects are global and some are zone-specific. Plan accordingly.
o Note some differences with “High-Scale” profile:
• Default Zone instead of Staging Zone
• No Domain or Subdomain concept
• Admin privileges are not segmented by zone
• No MVNO concept
Maps
o Allows admin to import custom maps and place APs in proper location
o Quickly check status of APs across floorplan to find online, flagged, offline APs
o View health/traffic data for each AP to evaluate site performance/load
o Allows view of all sites and outdoor APs at the same time
o Sites are indoor maps
o Outdoor APs are placed by GPS lat/long
o Quick check of AP status on a site-by-site basis
o Easily launch point into indoor maps
[Figure panels: Google Maps, Indoor Maps]
Troubleshooting Workflows
o Easily troubleshoot client connection problems
o Pinpoint the failure stage and likely cause
o Assess AP environmental conditions and client RSSI
o Check on association, authentication, RADIUS, EAP, DHCP, and portal behavior
o Evaluate the flow for Open, PSK, 802.1X, and WISPr networks
Traffic Analysis
o Quickly find your highest points of AP and WLAN load as well as top network users and devices
o Check on domain, zone, AP group, WLAN, and AP traffic and client load over time
o View client OS types and top applications
o Filter by band (2.4 GHz, 5 GHz, or both) and traffic direction (uplink, downlink, or both)
Health Stats
o Highlight APs with poorest performance, as determined by key performance indicators
o Flag AP status when APs cross performance/health thresholds
o Compare an AP with larger groups of APs
o Review recent KPI history to assess AP health trend
o Initiate a real-time steady flow of stat collection for an AP or client
New Admin and Object Model
o New “partner domain” concept
• Allows admin to create domains that contain profiles used by many zones
o Adjustments to object hierarchy provide more flexibility for MSPs
• System, Domain, Zone
o Simplified approach to Admin RBAC
• Pre-grouped admin permissions make common roles easier to set up
• Easier to set Read-Only or Modify permissions
• Easily add new admins and set permission

[Figure: Tiered Access & Privileges; tier labels: Partner-Owned or MSP-Owned Domains, Global (MSP-Owned); privileges listed:]
o Create, Edit, Delete Zones & AP Groups, Zones
o Create, Edit, Delete services like
• AAA, Accounting services, Hotspot, Profiles, Templates
o Advanced Stats & Reports, Logs & Alarms
o Create, Edit, Delete WLAN
o WLAN Attributes management (WLAN Types, Hotspot 2.0)
o Custom Portals/URLs
o Statistics & Reports
o AP Management
o AP firmware control
o Upload AP Firmware
o Cluster management
o SZ System Upgrade/Reboot
o Backups
o Logs & SNMP management
o User Management
o Create users and define roles

https://jira-wiki.ruckuswireless.com/display/prd/Multi-tenancy+for+3.5
https://jira-wiki.ruckuswireless.com/display/Team/Managed+Services+%28Multi-tenancy%29+PRD
© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY
New System/Domain/Zone Object Hierarchy
[Figure: objects arranged under three hierarchy levels: System (Global); Domain (high-scale) / Global (essentials); Zone (high-scale and essentials). Objects listed, in the order they appear:]
• SMTP
• Node Affinity
• AP Registration
• Syslog
• Critical AP tagging
• SCI
• Certificates
• Event Management
• SNMP
• WLAN
• DPSK
• Guest Access
• WISPr
• WebAuth
• WeChat
• UA Blacklist
• OS Policy
• VLAN Pool
• L2 ACL
• Blocked Clients
• Client Isolation Whitelist
• Time Schedules
• Non-Proxy AAA
• Bonjour Gateway
• Bonjour Fencing
• Ethernet Port policies
• DSCP policies
• DHCP for APs
• DHCP Pools
• User Traffic Profile
• AVC
• NBI
• FTP
• SMS
• Zone Template
• WLAN Template
• Local Users
• User Roles
• Guest Pass
• Guest Pass Template
• HS 2.0 > Operator
• HS 2.0 > Identity Provider
• HS 2.0 > Signup Portal
• DNS Server
• SCG Proxy AAA
• Realm-Based Proxy AAA
• Core Network Tunnel profiles
• Tunnel profiles (RuckusGRE, SoftGRE, IPSec)
• Location Svcs
Custom Admin Roles – Design Change
o Prior to 3.5
• Custom admin roles are assigned by selecting the permission level of each page or operation.
• This approach is very flexible, but time consuming to configure.
• The possible number of combinations is very large, creating a huge number of problems in implementation and testing because of interaction between operations/objects.
o In 3.5
• Admin can create custom permissions, but objects and operations are divided into 6 functional categories.
• Each category has 4 permissions (full, modify, read, none).
• The approach is intuitive to use, provides flexibility, and significantly reduces the development and testing burden of each release.
Because of these changes, custom roles cannot migrate perfectly. We will reduce permission to preserve security where there is a conflict.
Spectrum Analysis
o On-demand real-time spectrum troubleshooting using AP radio
o AP radio must stop serving clients during spectrum scan
o Visualize spectrum by
• Real-Time Energy
• Real-Time Utilization
• Density
• Waterfall of energy
• Waterfall of utilization
https://jira-wiki.ruckuswireless.com/display/Team/Spectrum+Analysis+PRD
Client Isolation + Whitelist
https://jira-wiki.ruckuswireless.com/pages/viewpage.action?pageId=38798974
o Adds ZD-like feature to manually identify L2 whitelist
o Admin can specify MAC destinations that users will be able to reach
o SZ will still support auto whitelist
• Admin able to use manual, auto, or both
Enhanced ZD to SZ Migration
o User workflow
• Migrate the configuration from ZD (separate)
• Enter ZD IP and login credentials
• Connect to ZD from SZ (note, they must be able to communicate with each other)
• Select APs to be migrated and click migrate
• SZ then converts APs and migrates them to SZ, keeping AP connectivity configs (mesh, mgmt VLAN, etc) during reset
o https://jira-wiki.ruckuswireless.com/display/Team/ZD+to+SZ+migration
Enhanced Application Control
o Users can deny, rate limit, and change QoS of applications
o Rate Limit Action (new)
• Throttle uplink and downlink throughput
o QoS Action (new)
• Uplink – AP rewrites 802.1p and DSCP settings
• Downlink – AP uses designated queue for wireless transmission
o Supported in both “Essentials” and “High-Scale” platforms
Enhanced Application Reporting
o Essentials platforms focus on short-term in-product app visibility
• Top apps
• Top users per app
• Top apps per user
o High-Scale platforms focus on forwarding application data to SCI
o SCI serves long-term data for Essentials and High-Scale platforms
o SZ app signatures can be updated without SZ upgrade
Role-Based Policies
o Apply policies to users based on their role
• Assign roles during authentication
• Perfect use case for Cloudpath
o New policy elements
• Role-based VLAN and VLAN pool
• Role-based L3/4 policy
• L3/4 rate limiting
• Configurable precedence policy
Supported only with Proxy Authentication (not non-proxy)
L7 role policy deferred to 3.5.1 or 3.6
Bonjour Fencing
[Figure labels: AppleTV, wireless devices, wired devices]
o Limits discovery range for Bonjour advertisements
o Prevents unwanted and irrelevant lists of mDNS services
o Supports wireless or wired Bonjour devices
o Can limit discovery range to “same AP” or “1-hop neighbors”
DPSK Phase-2 Enhancements
o Group DPSK – Creates a DPSK that can be shared by multiple different devices.
o User-Specified Passphrase – Allows the user to specify a specific passphrase for a DPSK or Group DPSK.
o ZD DPSK Migration – Export DPSK list from ZD (10.0) and import CSV into SmartZone
o Number-Only DPSK – System will auto-generate DPSKs with numbers only
o Scalability
• 50K DPSK on High-Scale Platforms (10K / zone)
• 20K DPSK on Essentials Platforms (10K / zone)
https://jira-wiki.ruckuswireless.com/display/Team/DPSK+Phase2+PRD
DHCP/NAT in AP (3.5)
[Figure: two panels. “3rd Party Router for Campus WAN Services”: Campus Site, 3rd Party Router providing WAN Routing, NAT, DHCP. “AP as Router for SMB WAN Services”: Smaller/Remote Sites, APs providing WAN Routing, NAT, DHCP.]
o Allows AP to serve as router for remote sites, SMB, and home users
o APs are still centrally managed by SZ
[Figure label: Centralized Control Channel]
vSZ-D Enhancements
o Zone Affinity Support
o Up to 10 instances per vSZ node
o Up to 40 instances per vSZ cluster
o Support for northbound tunnels (L2oGRE)
o DHCP Server and NAT Support
o CALEA Mirroring Support
o L3 Roaming using Flexi Ruckus GRE Tunnels
vSZ-D – Zone Affinity
[Figure: vSZ-D zone affinity across site types (Schools, Hotels, Managed Enterprises, Stadiums); labels: Guest, Staff, Student, Public Access, Switch, Mesh APs, vSZ-D, Local AD/RADIUS Authentication Server, Centralized AD/RADIUS Authentication Server, Virtual SmartZone Controller, Datacenter]