Confidential 2010
October 2010
Corporate Overview
Introduction to Aerohive
Next generation enterprise WLAN systems vendor
The only WLAN solution built from the ground up for Wireless 2.0
WLAN Visionary – Gartner
Breakthrough, distributed WLAN architecture
– Eliminates WLAN controllers
– Built for 802.11n transition
– Breakthrough performance, resilience and flexibility
– Up to 75% lower cost
Innovative cloud-based management
HiveManager NMS, HiveAPs
Aerohive Named Visionary in Gartner’s WLAN Magic Quadrant 2010
Aerohive – Purpose-built for Wireless 2.0
Yesterday’s WLAN
- Convenience WiFi
- Guest Access
- Nomadic Users
- Scanners & single mode voice
Problems
- Security
- Management
Wireless 2.0
- Client Explosion
- Mobile Apps
- 6 X Bandwidth (802.11n)
- Voice / FMC
- Location Services
- Ubiquitous coverage
- Ethernet Replacement
Problems
- Security, Mgmt & Mobility
- Single Points of Failure
- Performance Limitations
- Deterministic Performance
- Scalability
- Cost
Users
Applications
Mobility
Flexibility
Productivity
Customer Focus
Distributed Enterprise
Education
Manufacturing, Distribution & Retail
Healthcare
Key Requirement – Secure, resilient, high performance managed infrastructure
Key Requirement – High performance, easy to manage infrastructure
Key Requirement – Scalable, cost effective, resilient managed infrastructure
Key Requirement – Scalable, cost effective, survivable, managed infrastructure
Why Customers Selected Aerohive
Distributed WLAN Architecture + Best In Class Management
Wire-like Resilience
• No single points of failure
• Path resiliency
• Branch survivability
Up to 10X Better Performance
• Distributed processing
• Local data forwarding
• Improved airtime utilization
Secure, Multi-Service Infrastructure
• Per user policy enforcement
• Advanced Security (WIDS, FW, wireless VPN)
• Resource allocation with SLAs
Up to 75% Lower CapEx and OpEx
• Less hardware, less cabling
• Start small & expand
• SaaS Wireless Mgmt
Cooperative Control - A distributed approach
Distributed Forwarding - with Policy Enforcement!
– Responsible
– Local forwarding
  • Policy applied before forwarding!
  • Competitors often forget this
Distributed Intelligence
– Cooperative Control: Auto RF, auto discovery & config, secure roaming
– Stateful firewall, QoS, RADIUS
– Microsecond-granular handling
  • Airtime management & statistics
Distributed Processing
– Throughput & Client Health SLA compliance
– Power to track every client in the network and adjust parameters based on client health
[Diagram labels: Feedback, RF Medium, HiveOS]
Wi-Fi’s Networking Detour
Security, Manageability & Mobility
Scalability, Resilience & Determinism
Autonomous APs
- Limited Intelligence
- No RF / Network Awareness
- Hard to manage (Managed directly)
Centralized Control
- Centralized Intelligence
- Auto RF
- Secure seamless roaming
- Ease of management
- Single points of Failure
- BW Bottleneck
- Increased Cost
Cooperative Control
- Distributed Intelligence
- Auto RF
- Secure seamless roaming
- Ease of management
- Increased Reliability
- Improved Performance
- Reduced Cost
- Cloud or Centralized management
Made possible by Moore’s Law
[Timeline: 1999, 2003, 2007, 2010; 802.11b/a, 802.11g, 802.11n]
Enterprise Wireless LAN comparison
[Diagram: Controller-Based vs. Distributed Control. Labels: NMS, Thin APs, HiveManager, Network, Cooperative Control APs, FW, WIDS, RADIUS, QoS, MESH, Control, Data, Tunnels, Data Center, Access Layer]
Aerohive Benefit
• No U-turns, Bottlenecks or Single Points of Failure
• Flexible Expansion
• Superior Branch Performance & Survivability
• Real Mesh Support
• Increased Reliability & Reduced Cost (No Controller$)
• Advanced Value-Added Functionality
Architectural Alternatives
Centralized Data Forwarding & Control
Redundant Centralized Data Forwarding & Control
Distributed Forwarding with Centralized Control
Fully Distributed Forwarding & Control
[Diagram: the four architectures plotted by Reliability against Performance & Cost Effectiveness. Labels: NMS, WAN, HQ, Controller; VMware Controller or Controller in the Cloud; Authentication, Auto RF, L2/L3 Roaming, QoS, WIPS / Rogue Detection]
Loss of control means they become expensive Fat APs
High Performance, Highly Reliable & Cost Effective
Controller Failure = WLAN Failure
More Reliable But Expensive
Distributed Control: A Proven, Effective Model
Performance, Resilience, Cost Effectiveness and Scalability
The Internet
• Dynamic Routing
Switched Campus
• Dynamic Routing
• Spanning Tree
Wireless access
• Cooperative Control
How does it work?
Reporting Heat Maps
SLA Compliance
Policy Configuration
HiveManager NMS
HiveAPs are full-featured enterprise class access points
– Identity-based security, including stateful inspection FW, rogue detection & mitigation
– Airtime scheduling, SLA compliance and local forwarding implemented at the edge
HiveAPs are discovered and policy is pushed by HiveManager
– A single mgmt interface for configuration, OS updates & monitoring of thousands of devices
Cooperative control protocols create "hives" that share control information between HiveAPs
– Enabling functions like secure fast layer roaming (L2/L3), cooperative RF management, station load balancing, wireless mesh and seamless resiliency
Delivering a secure multi-service “App Ready” infrastructure
Security & VPN
– WPA2/802.1X, Private PSK
– Integrated Firewall, VPN, RADIUS
– WIDS, Rogue Detection & Mitigation
– Directory and NAC integration
Per User Policy Enforcement
– User profiles and policy are used to “Virtualize” WLAN infrastructure
– User Profiles include L2-L4 policy enforcement including security, QoS and access policy
Resource Management
– Prioritization – Voice
– BW limiting – student access
– Time of Day scheduling
– SLA Compliance
[Diagram labels: Trusted Client Launching IP DoS attack; Voice Policy, Laptop Policy, Guest Policy, Quarantine; WMM, User QUEUEs, Diff Serv; Guest Administrator]
Device Types: Laptops, Scanners, Tags, Wi-Fi Phones, Tablets, IV Pumps
User Types: Guests, Employees, Doctors, Nurses, Contractors, Teachers, Students
Traffic Types: Voice, Video, Data
Improving application and WLAN performance
10-20X In the Core
– Distributed forwarding eliminates controller oversubscription
– Best path forwarding minimizes network congestion
5X Through the AP
– Custom Aerohive design - purpose built hardware & optimized software
– Dual core network processor
10X In the Air
– Dynamic Airtime Scheduling optimizes airtime utilization
– Reduces contention + keeps slow clients from limiting fast clients
[Chart: Throughput vs. # of APs, Aerohive vs. Controller, with Controller Capacity Limit]
[Chart: Aerohive NWW performance results]
[Chart: Time for Fast Client, Medium Client and Slow Client: 10x faster, 5x faster, No Slower]
Reducing risk with wired-like resilience
No Single Points of Failure
– Controllers are single points of failure
– Resiliency by adding more controller$
– Controller failover is stateless
Path Resiliency
– Dynamic Mesh Failover
– Track-IP
– Dual homed Ethernet
Branch Survivability
– Distributed control & data forwarding
– Integrated RADIUS server allows for local authentication or AAA caching and can link to central directory
[Diagram: AAA, WAN, AAA Cache, HiveManager; WLAN fully functional]
Reducing Capex and Opex costs
Less Infrastructure Cost
– Controller-less architecture + SaaS reduces H/W, sparing & energy costs
– SaaS Mgmt moves Capex to Opex
– Wi-Fi access reduces cabling
– Enterprise Mesh reduces cabling
Start Small & Expand
– SaaS Wi-Fi Mgmt per AP service
– No over provisioning
– No feature licenses limiting new apps
– Linear cost growth curve – add APs
Easy to Use Management
– Easy to use, policy-based mgmt simplifies large deployments
– Intuitive web management with Express mode or Enterprise mode
– Role-based guest mgmt delegation
Example: Central Site High Availability (30 APs)
– Controller Solution – Includes APs and Controller$
– Aerohive Solution – Includes HiveAPs and HiveManager Online
“…..the physical controller has vanished either into the cloud or into the one or more access points. These new solutions in addition to lower priced access points continue to reduce the total cost of ownership for WLAN connectivity at the edge of the network.” – Gartner Magic Quadrant February 2010
802.11n HiveAP Product Line
| | HiveAP 110 | HiveAP 120 | HiveAP 320 | HiveAP 340 | HiveAP 340 ODK |
|---|---|---|---|---|---|
| Radio | Single Radio (2.4/5GHz) Indoor 802.11n (2x2) | Dual Radio Indoor 802.11n (2x2) | Dual Radio Indoor 802.11n (3x3) | Dual Radio Industrial 802.11n (3x3) | Dual Radio Outdoor 802.11n (2x2) |
| Antenna | Integrated | Internal | Internal | External | External |
| Aggregate Link Rate | 300Mbps | 600Mbps | 600Mbps | 600Mbps | 600Mbps |
| Packets per Second | Up to 28kpps | Up to 28kpps | Up to 45kpps | Up to 45kpps | Up to 45kpps |
| Dual Core Processor | No | No | Yes | Yes | Yes |
| Crypto (VPN) Accelerator | No | No | Yes | Yes | Yes |
| TPM Chip | Yes | Yes | Yes | Yes | Yes |
| Ethernet | GigE | GigE | Dual GigE | Dual GigE | 10/100 & GigE |
| PoE | 802.3af | 802.3af | Smart PoE (802.3af & at) | Smart PoE (802.3af & at) | Proprietary – Lightning Arrester |
| Console | Virtual Access Console | Virtual Access Console | Physical & Virtual Access Console | Physical & Virtual Access Console | Physical & Virtual Access Console |
Complete, Flexible Wireless Management Solutions
Express Mode
• Optimized for ease of use
• Uniform company-wide policy
• One user type per SSID
Enterprise Mode
• Enterprise sophistication
• Multiple WLAN policies
• Multiple user profiles/SSID
• Active Directory support
HiveManager Appliance 2U
• Redundant power & fans
• HA redundancy
• 5000 APs
HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 1500 APs with minimum configuration
HiveManager 1U Appliance
• HA redundancy
• 500 APs
HiveManager Online
• Cloud-based SaaS management
Seamless Upgrade Path
• Increasing deployment size
• Increasing network complexity
[Screenshot labels: Topology, Reporting, Heat Maps, SLA Compliance, RF Planner, SW, Config, & Policy, Guest Mgmt]
Summary
Aerohive Cooperative Control architecture delivers:
• A future-proofed secure multi-service infrastructure
• Increased network and application performance
• Reduced risk with wire-like resiliency
• Reduced capital and operational cost
Enabling the “Best ROI in Wi-Fi”
THANK YOU!
BACKUP SLIDES AND CUSTOM SHOWS
HiveManager - Management System
Single management interface for configuration, OS updates, monitoring of thousands of devices
Real-time topology, performance and user views simplify troubleshooting, capacity planning and security remediation
Zero configuration HiveAP deployment
HiveManager is provided as an appliance to simplify installation
Non-essential to HiveAP operation
Platform Independent Web Interface
[Diagram: Database, Device Server, Ajax GUI Server, HiveOS Devices]
HiveManager WLAN management
Topology & Network Status
– What APs are connected, AP Status – Alarms, mesh connections
– Drill down on each AP to get client information, debug issues, and update configuration and firmware
RSSI and Rogue Detection
– Channel, Power and RSSI values
– Rogue Detection
Network Summary
– Number and types of clients, Number of clients over time
– Alarms and status, Roaming
– Details can be found by drilling into users and logs
Powerful User-Centric Policy Management
– Flexible mapping of SSIDs and Users access to the network
– QoS, Firewall and Mobility Policy plus VLAN and Tunnel mapping
– Configurations applied across any # of APs for large scale enterprise wide management
HiveManager Role Based Administration
Policy Design & Configuration
Monitoring & Maintaining
Upgrading & Adjusting
WLAN Policies: Hive, Services, WLAN Mappings (SSID), Ethernet Access, Backhaul, QoS
Reporting: Summary, Radio, SSID, Client, Security, Inventory
New WLAN Policies: User Profiles, Services (Applications)
Security Policies: DoS Prevention, Firewall, Rogue Detection, Filters
Active & Rogue Clients: MAC/IP Address, Host/User Name, HiveAP Name/MAC
Certificate & Key Updates: Upload Captive Web Pages and Keys, Upload AAA Certificates & Keys
Authentication: AAA client settings, LDAP Settings, Captive Web Portal
Fault Events & Alarms: Severity, Date, Description
SW & Config. Updates: Upload & Activate Config, Upload & Activate SW
Administration Management: Admin Groups, Administrators
HiveAP Status: HiveAP name, type, # of clients, uptime, OS version
HiveManager Operations: Backup Database, Update SW, Tech Support Data
[Diagram labels: WLAN Manager; Device Life Cycle]
[Diagram labels: Network Admin, Security Admin, Operations; Device Life Cycle]
Unlimited set of roles
– Tasks and views can be delegated to each role
The Virtual HiveManager Feature
Multiple separate Instances of HiveManager on a single hardware platform
Complete Separation of Administration for
– Enterprise
– Managed Services
Domains are completely segmented and appear as a stand alone management system.
– Separate views
– Separate Policies
– Separate Reporting
[Diagram: HiveManager A, HiveManager B and HiveManager C as instances A, B, C of one Virtualized HiveManager]
Virtual HiveManager Capabilities
Up to 50 Virtual HiveManagers per physical hardware platform
Self Administration enables Virtual HiveManager to be accessible to customers in a Managed Service
SuperUser Admin can create, modify and delete Virtual HiveManagers
Complete segmentation of all data-objects including SSID and security information
Role based admin within a Virtual HiveManager
– Read and/or Write per configuration feature
– Read and/or Write per location
Automated emailed Reporting, Logs and email alerts available for each Virtual HiveManager
HiveAPs establish DTLS tunnel to HiveManager for management traffic
– Works across NAT boundaries
Large/Distributed Enterprise
Large enterprises with multiple operating companies or distributed IT functions often require separate administrative interfaces.
Single central HiveManager instance would appear to be dedicated to each organization
Can be separated by:
– Separate IT organizations
– Separate roles
– Geographic regions
[Diagram: one Virtualized HiveManager partitioned A, B, C. By Organization: Subsidiary A, Subsidiary B, Subsidiary C. By Location or Role: Retail Store, Warehouse, Distribution Center]
Aerohive Rogue Mitigation & WIDS
Rogue Detection
– Detect Both Rogue & AdHoc PCs
– Detect “On-Network” Rogue
– Confirm compliant BSSID, SSID, WMM, Preamble
– Generate Reports on rogue activity
Rogue mitigation
– Mitigation continuously de-authorizes and disassociates client connected to Rogue AP or Rogue Client
– Works in conjunction with Aerohive’s Rogue Detection and Location features
IP & MAC DoS Detection
– Detect RF 802.11 Management Layer Attacks (i.e. probes & association floods, etc.)
– Detect Wireless Authentication attacks
– Detect IP DoS (i.e. port scan, flood & TCP SYN check, etc.)
– Mitigate attacks at the RF layer and “BAN” client for determined period of time
HiveAPs periodically scan all channels (HiveAPs coordinate scans & do not impact VoIP or data apps)
[Diagram labels: “On-Network” Rogue; Trusted Client Launching IP DoS attack]
Policy Enforcement at the Edge
Edge-based policy enforcement
– Instantly responds to variations in wireless network characteristics
– Policy enforced at network ingress
Identity-based user profiles
– User profiles are statically or dynamically assigned
– User Profiles include L2-L4 policy enforcement including security, QoS and access policy
Policy Enforcement
– QoS
  • WMM, 8 QUEUEs per user, 802.1p & Diff Serv
– Access control & firewall
  • Stateful Firewall
  • WIDS & Rogue mitigation
  • In-line L2-L4 DoS protection
  • Web Portal
– Backhaul
  • Profile-based or dynamic VLAN or Dynamic Network Extension mapping
Bandwidth varies due to instantaneous changes in SNR
[Diagram labels: Wireless Network, Wired Backhaul Network, VLANs, Tunnel; WMM, User QUEUEs, Diff Serv or .1p; Voice Policy, Laptop Policy, Guest Policy, Quarantine]
Policy Management Example
[Diagram labels, in slide order:]
WLAN Policy-Hospitals
SSID: Guest
Hive-San Jose
WLAN Policy-Clinics
SSID: Ops-1X
Hive-San Jose
SSID: Ops-1X
SSID: Guest
Patients
Contractors
Drs., Nurses 7x24 VLAN 5, Vocera = P1, Data = P2
SSID: Clinic
Visiting Doctors
Element Specific Configurations: Map, Interfaces, Mesh, On-board Radius …
Drs., Nurses 5x8 Tunnel
Imaging 7x24 VLAN 6
Maintenance 5x8 Tunnel
Patients 7x24 Tunnel
Contractors 7x24 Tunnel
1Mbps
3Mbps
SLA Compliance Solution: SLA Monitoring – How does it work?
“Performance Sentinel” feature compares client throughput and demand with predefined throughput SLA level
– Uses client data statistics to determine client throughput
– Uses buffer statistics in the QoS engine to determine if client is actually trying to send more.
[Chart: clients relative to the SLA line: Above the SLA; Below the SLA and wants more throughput; Below the SLA, getting enough throughput. Traffic labels: Enterprise application, File transfer, Low data rate video]
SLA Compliance Solution: SLA Actions – How does it work?
Actions may be triggered by the failure to meet an SLA
– Actions attempt to enable client to achieve required throughput
The first action available is “Airtime Boost”
– Provides more airtime to client not meeting SLA
– Designed to work in concert with Dynamic Airtime Scheduling
Other actions will be available in future releases
[Chart: clients relative to the SLA line: Above the SLA; Below the SLA and wants more throughput; Below the SLA, getting enough throughput; Boost Enabled. Traffic labels: Enterprise Application, File Transfer, Low data rate video]
SLA Compliance Solution: Example using HiveManager
HiveManager SLA reporting shows that 3 clients on 1 AP were in violation - Red
When Airtime Boost action is enabled reporting shows all clients and APs are SLA compliant but 3 are a result of an action - Yellow
Layer 2 Roaming
User associates and authenticates and keys are distributed
AP predictively pushes keys and session state to one hop neighbors
As client roams and associates with another AP the traffic continues uninterrupted
[Diagram label: RADIUS Server]
Layer 3 Roaming
Like Layer 2 roaming, the Layer 3 roam predictively pushes keys to one hop neighbors.
In order to maintain IP connectivity a tunnel is created to home subnet.
Tunnel continues to follow roaming user until sessions end, then tunnel is terminated and the user accesses the local network
[Diagram labels: Subnet A, Subnet B, Router, GRE Tunnel]
Wired Architecture Traffic Flows
[Diagram: WAN, Data Center, SAAS, VoIP RTP. Flows: Client – Client, Client – Workgroup, Client – Server/Database, Client – Internet]
WLAN Controller Architecture Traffic Flows
[Diagram: WAN, Data Center, Local Data Center, SAAS, VoIP RTP, Remote Controller$. Flows: Client – Client, Client – Workgroup, Client – Server/Database, Client – Internet, Client – Local/Internet]
Local Forwarding
• Aruba Remote AP
• Split Tunnel (ACL)
• Cisco Hybrid-REAP
• Motorola Adaptive AP
• Separate SSIDs
Remote controllers offer most of the functionality but:
• Expensive to Deploy
• Expensive to Scale
• Controller Adds Latency
• Not optimized for Branch
Remote/Hybrid AP are a compromise:
• No WIDS
• No Self Healing
• No Layer 3 fast roaming
• No Locationing
• No Guest Services
• Limited WPA-PSK, 802.1x
• Limited Layer 2 fast roaming
Cooperative Control Architecture Traffic Flows
[Diagram: Internet/WAN, Central Office, Branch Office, Small Branch/SOHO. Flows: Client – Client, Client – Workgroup, Client – Server/Database, Client – Internet]
• No Compromises
• Best TCO
• Easy to Deploy
• Scalable
• Best Performance
Enterprise Resiliency
Wired Resiliency
– Survives multiple inline failures statefully
– Phone call maintained
Traditional WLAN Resiliency
– Single point of failure
– Phone call long gone
– Wireless state is lost
[Diagram labels: Access, Distribution/Core, DHCP, AAA]
Enterprise WLAN resilience with Cooperative Control
Dual homed data and PoE capability
Stateful failover & best path forwarding
802.11n mesh resilience
Track IP
Seamless secure roaming
Location and Asset Tracking with AeroScout
Aerohive has partnered with AeroScout and Ekahau to offer Location and Asset Tracking
Aerohive APs can act as a sensor for tags and client devices
[Diagram: Location Tracking. Labels: WiFi Tags and Clients, HiveAPs, RTLS Engine, AeroScout MobileView]
GuestManager – Guest Administration
Central management of guest accounts
Role based guest management
– Contractors can be differentiated from hourly visitors
– Different company employees can create different levels of accounts
Works with policy enforcement on the APs to enable different access and backhaul policy
Offered with an unlimited user license
[Diagram: Guest Management. Labels: GuestManager 1.0, Guest Administrator, Employee, Contractor, Guest; steps 1, 2, 3]
GuestManager Overview
Coupled with Aerohive HiveAPs provides a complete Guest Management solution
Enables non-technical users to create and manage guest accounts
Role based administration enables differentiation between different types of guests
Guest Manager Workflow
1. An authorized employee, like a receptionist, logs into GuestManager and creates an account
2. The guest is handed printed credentials
3. The Guest then accesses the network and is presented a captive web portal
4. The Guest enters his or her credentials and the guest is authorized to the guest network
[Diagram: GuestManager - Guest Administration Solution. Labels: Authorized Employee, GuestManager, Credentials, Guest, Captive Web Portal Authentication, Firewall, Corp RADIUS, Guest VLAN, Corp VLAN, Public Network]
Guest Manager Features
RADIUS Based Backend
– Works with Aerohive AP RADIUS based configuration
– Works with wired gateways for consistent Guest Solution
Easy to use by non-IT personnel
Administrators can easily set up employee and guest roles.
Bulk import and account creation for large events.
Role Based Administration of Guests
– Differentiate between visitors and guests
– Send attributes to AP for User Policy and VLAN assignment
Role based Administration of Authorized Employees
– User Role Assigned through AD integration (LDAP)
– Use role to define what type of guest can be set up
  • Receptionist can create 2 hour visitor
  • HR can create a multi week contractor
Other Guest Networking Capabilities
User Profiles provide differentiated access
– Separate QoS settings
– Separate security settings
Segmentation of Guest Traffic
– Support for VLANs
– Selectively tunnel guest traffic to a DMZ
– TCP/IP Firewall Rules
– MAC Firewall Rules
Captive Web Portal
– Collect User data
– Authenticate users
– Agree to “Acceptable Use Policy”
[Diagram labels: Wireless Clients, Firewall, DNX Tunnel]
Major Investment in Partnerships, Certifications and Interoperability
[Logo slide; labels in slide order:]
HTC Phones
S60 Platform
Blackberry 8820
Mobility and FMC
Single Mode Voice
Cisco 7921
Healthcare, Logistics and Retail
Scanners and mobile computers
Symbol MC70
CK31
Authentication and Client Management
Location and Asset Tracking
IAS, AD and Windows Clients
Network Access Control (NAC)
Network Access Protection (Server 2008)
Unified Access Control
Industry Affiliations
Tools
Security
SBR and Odyssey
eDirectory
Access Switching and PoE
Meetinghouse and ACS + Etherchannel
Less Infrastructure Cost
Comparison for 30 APs
– Aerohive HiveAP 120 and HiveManager Online
– Aruba 105 AP & 3200-32 Controller & FW/WIPS license
– Cisco 1142 AP (bundle price) & 5508-50 Controller
High Availability
Start Small and Expand Easily
[Chart: cost in thousands of dollars (axis from $- to $200) for Cisco, Aruba and Aerohive, broken down into Support, Management, Licensing, Controller and AP; panels "1 Site – 10 APs" and "10 Sites – 10 APs"; callouts: Wireless NMS, Backup, Rack Space, HiveManager Online]
Distributed Enterprise WLAN comparison
Centralized Controller Approach
HQ: AC-50 x 2, AP x 30 ($76,995); NMS
Distributed Enterprise / Sites: AC-12 x 2, AP x 8 ($27,982)

| # Sites | 10 | 50 | 100 | 500 |
|---|---|---|---|---|
| Cost (Controllers + APs + Mgmt), Non Red. | $186K | $926K | $1.8M | $9.2M |
| Cost (Controllers + APs + Mgmt), Red. | $286K | $1.4M | $2.8M | $14.2M |

Aerohive Cooperative Control
HQ: HiveAP x 30 ($25,069); HiveManager
Distributed Enterprise / Sites: HiveAP x 8 ($6,152)

| # Sites | 10 | 50 | 100 | 500 |
|---|---|---|---|---|
| Cost (HiveAPs + Mgmt) | $62K | $308K | $615K | $3.1M |

Cost comparison of 802.11n networks designed to support expansion, mission-critical operation and VoWLAN
Based on Cisco 1140 802.11n series APs, 2100/4400 series controllers and WCS management software
Aerohive benefits for Healthcare
Wi-Fi Enabled Medical Applications
– Patient Telemetry and Bedside Monitoring
– Medical Equipment Monitoring
– Location and Asset Tracking
– Barcode Medication Administration
– Voice Messaging
– Secure Guest Access
Security
– Integrated advanced security for HIPAA compliance
Deterministic and high performance
– VoWi-Fi, Imaging, Telemetry
– Immune to slow clients consuming all the airtime
Highly resilient
– No single points of failure
– Path resilience
Accurate location tracking
– Ekahau and Aeroscout certified
Mesh connectivity
– Coverage in hard to wire locations
Spectralink
Aerohive benefits for Manufacturing, Distribution and Retail
Wi-Fi Enabled Applications
– Inventory Management
– Voice Picking
– Point of Sale Systems
– Secure Guest Access
– Secure Employee Access
Highly resilient
– No single points of failure
– Path resilience
Security
– Integrated advanced security for PCI compliance
Mesh connectivity
– Coverage in hard to wire locations
Deterministic performance
– Voice over Wi-Fi
– Seamless roaming
Cost Effective
– Linear cost structure and scalability
– Centralized management
Central Warehouse
Aerohive benefits for Education
Wi-Fi Enabled Applications
– Student Access
– Secure Guest Access
– Secure Faculty Access
– Voice over Wi-Fi
– Video Surveillance
Ease of Use
– Centralized management
– Policy-based configuration
Deterministic high performance
– Voice over Wi-Fi
– QoS and BW management
– Immune to slow clients consuming all the airtime
Security
– Advanced integrated security
– Sophisticated policy segmentation
Cost Effective
– Linear cost structure and scalability
Central Campus
Aerohive benefits for Distributed Enterprise
Wi-Fi Enabled Applications
– Secure Guest Access
– Secure Employee Access
– Voice over WiFi
– Wireless branches
– Video Surveillance
Security
– Integrated advanced security
Deterministic and high performance
– Business productivity, VoWi-Fi, CAD, SaaS Apps
– Immune to slow clients consuming all the airtime
Highly resilient
– No single points of failure
– Path resilience
– Survivable branches
Mesh connectivity
– Coverage in hard to wire locations
Improving application and WLAN performance – In the core
[Chart: Throughput vs. # of APs, Aerohive vs. Controller, with Controller Capacity Limit]
WLAN Controller capacity and performance limits scalability
– Aggregate throughput is limited by the processing and encryption capacity of the controller
– Controllers are all 10-20x oversubscribed with 802.11n
– Thin APs scale to the limit of the controller. Scalability can only be increased by replacing the controller
– Aerohive HiveAPs scale incrementally up to the limit of the wired network not the WLAN
Improving application and WLAN performance – Through the AP
Up to 5x faster* in pure 802.11n tests
Up to 4x faster* in mixed 802.11ag/n tests
[Charts: throughput results for the pure 802.11n and mixed 802.11ag/n tests; the charts are marked "No Result" for Motorola and Siemens]
*Derived from NWW and internal testing Q3 2008
The HiveAP was fastest in nearly all of our pure-802.11n tests, and it delivered the highest throughput for downstream traffic (the most common for most enterprises) in tests that mixed 802.11n and non-802.11n clients – David Newman - NetworkWorld
Principles of Dynamic Airtime Scheduling
With Contention, Fast Clients Wait for Airtime and Perform Like the Slowest Client
– Speed of the network is subject to the slowest client
Dynamic Airtime Scheduling Allows Fast Clients to Transmit more Packets, Finish Quickly and Free Up the Air for the Slow Clients
– Faster clients dramatically improve their performance without impacting slower clients
– 10x faster
[Charts: Airtime Capacity over Time and Throughput of Fast Client vs. Slow Client, shown for 2 Fast Clients and for 1 Slow Client, 1 Fast Client]
Veriwave WiMix TCP Downlink Test: Mixed 802.11a & 802.11n – 20,000 Frames
6 x .11a/n clients - n@270M, n@108M, n@54M, a@54M, a@12M, a@6M
Without Dynamic Airtime Scheduling
– n@270M, n@108M, n@54M a@54M, a@12M, n@6M: ~ 100 Seconds
With Dynamic Airtime Scheduling
– n@270M - 10sec ~ 10x performance improvement
– n@108M - 15sec ~ 6x performance improvement
– n@54M - 30sec ~ 3x performance improvement
– a@54M - 35sec ~ 2.5x improvement
– a@12M - 65sec ~ 1.5x improvement
– a@6M
[Charts: Goodput (Kbps) vs. Time (s); labels: Upstream, IxChariot]
Dynamic Airtime Scheduling How it works
[Diagram: Web Server; Client A (135 Mbps), Client B (48 Mbps), Client C (5.5 Mbps); Time axis]
Equal Airtime Allocation
Aerohive QoS Engine Scheduler
• Schedules traffic (based on airtime allocation & airtime consumed) into the Wireless Multi-Media hardware queues
Client C has used up its share of airtime
Client B has used up its share of airtime
Faster clients are able to send more often achieving higher throughput
6 Frames, 3 Frames, 2 Frames
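A minimal model of the scheduling idea on this slide, added here as an illustration; it is not Aerohive's HiveOS scheduler and not code from the deck. It compares one-frame-per-turn round robin with picking the backlogged client that has consumed the least airtime, using the slide's three client rates; the 1500-byte frame size, the 1000-frame backlog and the absence of MAC overhead and retries are assumptions.

```python
"""Idealized comparison of per-frame and airtime-based scheduling on one radio."""

FRAME_BITS = 1500 * 8  # assumption: fixed 1500-byte frames, MAC/PHY overhead ignored

# PHY rates of Client A, B and C as given on the slide (Mbps).
CLIENTS_MBPS = {"A": 135.0, "B": 48.0, "C": 5.5}


def frame_airtime(rate_mbps):
    """Seconds of medium time one frame occupies at the given PHY rate."""
    return FRAME_BITS / (rate_mbps * 1e6)


def simulate(rates_mbps, frames_each, airtime_fair):
    """Drain an equal backlog per client and return {client: finish time in s}.

    airtime_fair=False: strict round robin, one frame per client per turn.
    airtime_fair=True:  the next frame goes to the backlogged client that has
                        consumed the least airtime so far.
    """
    backlog = {c: frames_each for c in rates_mbps}
    used = {c: 0.0 for c in rates_mbps}   # airtime consumed per client
    order = list(rates_mbps)
    finished = {}
    clock = 0.0
    turn = 0
    while backlog:
        if airtime_fair:
            client = min(backlog, key=lambda c: used[c])
        else:
            # Skip clients whose backlog is already drained.
            while order[turn % len(order)] not in backlog:
                turn += 1
            client = order[turn % len(order)]
            turn += 1
        cost = frame_airtime(rates_mbps[client])
        clock += cost            # the medium is busy for the whole frame
        used[client] += cost
        backlog[client] -= 1
        if backlog[client] == 0:
            del backlog[client]
            finished[client] = clock
    return finished


def speedups(rates_mbps=CLIENTS_MBPS, frames_each=1000):
    """Per-client ratio of round-robin finish time to airtime-fair finish time."""
    round_robin = simulate(rates_mbps, frames_each, airtime_fair=False)
    fair = simulate(rates_mbps, frames_each, airtime_fair=True)
    return {c: round_robin[c] / fair[c] for c in rates_mbps}


if __name__ == "__main__":
    rr = simulate(CLIENTS_MBPS, 1000, airtime_fair=False)
    fair = simulate(CLIENTS_MBPS, 1000, airtime_fair=True)
    for name, rate in CLIENTS_MBPS.items():
        print(f"Client {name} ({rate} Mbps): round robin {rr[name]:.3f}s, "
              f"airtime-fair {fair[name]:.3f}s, speedup {rr[name] / fair[name]:.1f}x")
```

In this model the 135 Mbps client finishes roughly nine times sooner under airtime-based scheduling, while the 5.5 Mbps client finishes at the same time as before.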
WLAN Controller Resiliency
Traditional WLAN Resiliency
– Phone call long gone
– Wireless state is lost
[Diagram labels: Access, Distribution/Core, DHCP, AAA]
Branch Survivability
Remote Office AAA caching
– Using integrated HiveAP RADIUS server
– Enables caching of user credentials to prevent downtime when there is a loss of connectivity with the central site.
– Caches user credentials (hash) in volatile HiveAP memory such that if there is a WAN failure, authentication will continue to work
[Diagram labels: AAA, WAN, AAA Cache]
200 Mbps FDX
Wired/WLAN integration in the Campus
Switch and VLAN discovery
Etherchannel legacy switch support
Link and Path Resiliency
Unified authentication, attributes, and NAC
Unified Guest Management and segmentation
Support for global event management
Datacenter
Authoritative User Store
SEM or Central Monitoring HiveManager Guest Manager
CDP/LLDP Discovery + VLAN Debug
LDAP/NTLM
RADIUS/EAP
LDAP
RADIUS
Dual Homing
Track Gateway
SNMP/Syslog
Wired/WLAN integration in the Branch
RADIUS Caching and remote office RADIUS functionality
– Act as RADIUS server for wired 802.1X
Full function DHCP Server
Wireless VPN
– Split tunneling support
Controllerless deployment
Authoritative User Store
SEM or Central Monitoring HiveManager Guest Manager
RADIUS
Datacenter
IPsec VPN
DHCP
HiveManager Online
SaaS delivery of enterprise Wi-Fi Mgmt
– Per AP service / Customer domain
– Policy-based mgmt, topology, reporting, heat maps, SLA compliance and RF survey and planning tools
– Virtualized, resilient infrastructure
– Two modes – Express & Enterprise
– Role-based customer administration
– Seamless transition from Online and standalone HiveManager
APs with distributed control and data forwarding
– Minimal onsite hardware
– Pay as you go expansion
– No single points of failure!
• WAN outage does not impact WLAN Connectivity or Functionality (Roaming, Auto RF, QoS, Authentication)
Intelligent APs (Integrated Firewall, Radius, QoS, Mesh)
FW WIDS
RADIUS
QoS
MESH
Data
Control
Web Interface
Topology
Reporting
Heat Maps
SLA Compliance
RF Survey & Planner
WAN
HiveManager Online
Server Infrastructure and connectivity
Infrastructure
– Utilizes HiveManager
• AJAX interface
• Database virtualization
– Customer and system management back-end provides support and customer automation
– Automatic system backup and recovery
• Although customer network operation is not dependent on HiveManager Online
Network Connectivity
– AP initiates connection
• Requires no firewall configuration, just drop in the AP
• Traffic is secured using SSH and DTLS
– Policy and configuration is pushed to HiveAP
– Distributed control and data forwarding limits HiveManager Online to monitoring / configuration and not WLAN operation
Customer A
Customer B
Customer C
Customer Sites
Public Network
Aerohive Virtualized Hosted Infrastructure
HiveManager Demo & RF Planner
Try before you buy!
– HiveManager Online demo system will allow potential customers to try before they buy
– Configurations created in the demo system can be easily moved to production systems to add real APs
Free web-based RF planning tool
– Included in the HiveManager is a new RF planning tool
– RF planning tool will be available as a part of the demo system and part of a separate web-based RF planning tool available at www.aerohive.com
– RF planning tool will work for virtually any vendor's AP and will allow enterprise customers to easily answer their first question: How many APs do I need?
HiveManager Online
Demo System
Enterprise Class Wi-Fi: Start small, seamless upgrade path
IT Sophistication
Small Enterprise
Medium Enterprise
Large Enterprise
Deployment Size
HiveUI
HiveManager Online: Express Mode
• Simplified workflow without compromising features
• Per AP/year fee incl. SW support
HiveManager: Appliance (1U/2U) or Virtual Appliance (VMware)
• Express/Enterprise
• Appliance + per AP fee + SW supp.
HiveManager Online: Enterprise Mode
• Full HiveManager Experience Online
• Per AP/year fee incl. SW support
Seamless Upgrade Path
Wireless VPN
Easy to Use
– L2 IPSec VPN solution simplifies deployment
– Automatic certificate creation and distribution
– Profile-based Split Tunneling
• Users and Services can be bridged locally or tunneled based on user profile
Flexible
– Single mode of operation supports all deployments
– Supported in all HiveAP platforms, Hardware Acceleration in 300 series
– Multiple end point support
• Backup VPN gateway support
• Distributed Wireless VPN tunnel termination
Complete Functionality
– Multiple AP Support with fast roaming
– Mesh Portals and Mesh Points supported
– RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to local or remote network
Home Laptop
Corporate Laptop
IPSec VPN
Internet
How does it work?
A single HiveAP by itself acts as a full-featured enterprise class access point
Identity-based security, including stateful inspection FW, rogue detection & mitigation
Airtime Scheduling, SLA compliance and local forwarding implemented at the edge
HiveAPs are discovered, policy is pushed and the WLAN is operational
HiveManager is a single mgmt interface for configuration, OS updates & monitoring of thousands of devices
Wireless Network
Wired Network
Secure Fast L2/L3 Roaming
Traffic Flow Comparison
Resiliency Comparison
Seamless Wired Integration
Reporting
Heat Maps
SLA Compliance
Policy Configuration
HiveManager NMS
With a second HiveAP, fast stateful roaming, cooperative RF, station load balancing and seamless resiliency are enabled
Mesh networking and best path forwarding can be used for extra resiliency and reachability
Dynamically reroutes around failures
As more HiveAPs are added, coverage, reliability and backhaul bandwidth increase
Cooperative RF power levels minimize co-channel interference
With Cooperative Control, clients can securely and seamlessly roam across the WLAN
Dynamic best path forwarding and stateful roaming provides resiliency without a single point of failure
WLAN Magic Quadrant - Visionary
In its Second Magic Quadrant appearance - Aerohive is a Visionary!
Aerohive is the newest* and one of the most visionary vendors in the magic quadrant
• “…..the physical controller has vanished either into the cloud or into the one or more access points. These new solutions in addition to lower priced access points continue to reduce the total cost of ownership for WLAN connectivity at the edge of the network.”
• “Although Aerohive is one of the smaller companies considered in this research, its record of innovation and product enhancements is impressive”
• “Aerohive supports an innovative service-level agreement (SLA) capability that not only monitors, but proactively manages user-defined SLAs for applications that need a minimum level of wireless access to maintain application performance.”
• “With failover and security functionality built into the access point mesh, and no single point of failure (the controller), Aerohive's solution supports a high degree of redundancy.”
• “Customers gave Aerohive high marks for its experience, including sales, support and performance of the solution.”
* Other vendors included are at least 3 years older than Aerohive
Aerohive moves to the Visionaries
Source: Gartner WLAN Magic Quadrant – Feb 2010