HPE Aruba and Cisco Controller Interfaces


    HPE Aruba equipment is not very common in Russia, but in the US market the vendor competes quite closely with Cisco. Wireless solutions from these manufacturers have a similar set of features and additional services. The equipment is comparable in cost.

    There are many marketing tests and comparisons of the technical characteristics, performance and technology of each solution. After studying the documentation, you come away convinced that the solutions are very similar in function. Beyond the functional similarities, however, the manufacturers differ somewhat in their approach to configuration, in operating principles, and in architecture. That is what I would like to draw attention to. This is a note on how Cisco engineers configured HPE Aruba and what came of it.

    Functionality. Network architecture


    Both vendors offer various options for building a network. In addition to autonomous access points, this can be:
    • centralized solution with a controller (or cluster of controllers) for management and monitoring;
    • solution for a small office with a controller based on access point(s);
    • distributed solution with many remote points (controller in the center; VPN connection);
    • controller in the cloud.

    In addition to basic Wi-Fi for enterprises, there are many more products that allow you to implement various services in the company's wireless network. For example, it can be a service for positioning devices in a room, a policy-based identification / network access service for BYOD devices, analytics of connecting devices, etc.

    For equipment, I considered classic controllers (a centralized solution in which the controller manages all access points) for entry-level wireless networks and typical office access points with integrated antennas.

    Equipment
    Cisco - controller 2504, access points 2600i.
    Aruba - controller 7010, access points 205.

    The table below compares the main functions available in the Cisco and HPE controller-based solutions:

    Function                            | Cisco             | Aruba
    ------------------------------------|-------------------|-----------------------------------
    Automatic radio control             | RRM               | ARM
    Interference monitoring             | CleanAir          | Spectrum analysis
    Neighbor AP detection               | Rogue Detection   | Rogue Detection
    Application monitoring and control  | AVC               | AppRF + URL Filtering
    Roaming optimization                | Optimized Roaming | ClientMatch
    Data encryption (AP to controller)  | DTLS              | IPsec
    Redundancy                          | SSO, N + 1        | Active / Active, Active / Standby
    Intrusion prevention                | wIPS              | wIPS
    Positioning                         | Hyperlocation     | - (BLE only)
    Signal transmission optimization    | ClientLink        | -
    Firewall                            | -                 | Stateful firewall
    Routing                             | -                 | Static, OSPF
    IPsec / SSL VPN remote access       | -                 | Virtual Intranet Access (VIA)

    The table shows that Cisco and Aruba each have an answer to the other in terms of basic Wi-Fi functions. In fact, these are similar technologies with different names, although each vendor has its own extra features and supported technologies / protocols. At Cisco, for example, it is ClientLink technology, which optimizes downlink transmission (from the access point to the client). HPE has a full-fledged firewall, support for dynamic routing protocols, and URL filtering. Note that HPE's additional functions are not strictly “wireless”, which makes the controller a more universal network device.

    Licensing

    Typically, Cisco has rather complex licensing schemes, with individual functions licensed separately. But not in the case of a wireless network. Here everything is exactly the opposite, and HPE takes “first” place.

    HPE Aruba
    There are a dozen different licenses on the controller. Every important feature is licensed separately (the firewall, spectrum analysis, and application analysis (DPI), for example). If you want to test an Aruba controller, you will need to manually request a temporary license (certificate) and, as already mentioned, do so for each feature separately.

    Cisco
    All features are available in the base license. A temporary license is available for 12 weeks.

    GUI setup


    HPE Aruba
    On the HPE Aruba controller, configuration is done through profiles. The branched structure of profiles for configuring wireless parameters on a point / group of points is presented below. It is logical and understandable.

    Profiles in Aruba

    For example, to create a wireless network, you need to create a Virtual AP profile, then attach an AAA profile and SSID profile to it. There is a menu of simplified settings indicating the main profiles (radio management, QoS, AAA, etc.).

    The Configuration section menu contains tabs for configuring various functions.
    Due to the abundance of detailed settings, pre-configured policies and profiles, you can get confused when setting up for the first time. The Show reference button can help here, showing the relationships of various entities (profile, policy) with each other.

    Aruba WLAN settings menu

    When you go to the All Profiles tab, you see how many different subtle details you can configure on the Aruba controller. Customization is more detailed here than in Cisco.

    Profiles on the Aruba

    Cisco controller
    The interface is divided into sections (WLANs, SECURITY, MANAGEMENT, etc.). Each has a tabbed menu. There are no profiles or references. The interface looks more convenient and intuitive. However, it does not have as many detailed settings and additional functions as Aruba.

    For example, the WLAN setup menu.

    Configuring WLAN on a Cisco

    HPE Aruba Controller
    Each connected client is assigned a specific role with its own access policies (User-centric network, Stateful Firewall). There are predefined profiles and firewall rules on the controller. On the one hand, this is very convenient: for example, you do not need to configure guest access policies from scratch; you only need to add specific rules for this role.

    Example of predefined profiles in Aruba

    On the other hand, if you do not have a firewall license (PEFNG), then the roles lose their meaning. At the same time, they remain in the settings (AAA profiles, for example), since this is one of the key entities used in the configuration.

    User Roles in the AAA Profile

    Since we have touched on the firewall settings, the following is a menu of general settings. Very extensive. There are sections with access lists (ACLs), services, bandwidth limits, etc.

    Configuring general firewall settings on the Aruba

    Cisco Controller
    There is no firewall function on the controller. A full-fledged firewall can be implemented on a separate device. However, for traffic analysis in a wireless network, one of the key functions is traffic analysis by application (DPI), with the ability to prioritize or block it. Both vendors have this option. At Cisco it is called AVC (Application Visibility and Control), at HPE Aruba it is AppRF. On the Cisco controller you can also configure (in addition to standard ACLs) access restriction policies for a specific type of device.

    Cisco, like Aruba, can determine the type of client (profiling) from HTTP and DHCP headers. For a specific type of client (for example, iPad or Android-Samsung) you can create an access policy (local policy) on the controller with the necessary parameters and restrictions: ACL, VLAN, QoS, hours of operation, etc.

    Local policies on the Cisco controller

    CLI setup


    Configuring a wireless controller is more comfortable through a graphical interface. The command line is more convenient for filtering output by parameter or debugging a problem. For comparison, I will give an example of a WLAN configuration on both controllers. Many people know that the CLI on Cisco controllers bears little resemblance to the familiar Cisco IOS command line (hello, Aironet). So, when you look at the example below, the thought creeps in that Aruba is more like Cisco IOS.

    HPE Aruba
    aaa profile "tst-dot1x-peap"
       mac-default-role "employee"
       authentication-dot1x "ad-users-radius"
       dot1x-default-role "employee"
       dot1x-server-group "default"
    !
    wlan ssid-profile "test123"
       essid "test123"
       opmode wpa2-aes
    !
    wlan virtual-ap "virt-ap"
       aaa-profile "tst-dot1x-peap"
       ssid-profile "test123"
       vlan 21
    


    Cisco
    config radius auth add 1 1.1.1 1645 ascii secret123
    config wlan create 3 test123 test123
    config wlan interface 3 users_vlan21
    config wlan security wpa akm 802.1x enable 3
    config wlan radius_server auth add 3 1
    config wlan broadcast-ssid enable 3
    config wlan enable 3
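
    The profile chain from the GUI section and the Aruba CLI example above (a virtual AP pointing at an AAA profile and an SSID profile) can be checked offline against a saved configuration, much like the Show reference button does. The Python script below is an added example, not code from the article or from HPE Aruba; the "guest" profiles, the REVIEWED_OPMODES allowlist and the function names parse and audit are assumptions made for illustration.

```python
import re
# Constructed input: abridged from the page's example, plus invented "guest" profiles.
SAMPLE = '''
aaa profile "tst-dot1x-peap"
   dot1x-default-role "employee"
   dot1x-server-group "default"
!
wlan ssid-profile "test123"
   essid "test123"
   opmode wpa2-aes
!
wlan virtual-ap "virt-ap"
   aaa-profile "tst-dot1x-peap"
   ssid-profile "test123"
   vlan 21
!
wlan ssid-profile "guest"
   opmode opensystem
!
wlan virtual-ap "guest-ap"
   aaa-profile "guest-aaa"
   ssid-profile "guest"
'''
KINDS = ("aaa-profile", "ssid-profile", "virtual-ap")
REVIEWED_OPMODES = {"wpa2-aes"}  # assumption: local allowlist, not a vendor list

def parse(text):
    """Return {kind: {name: {setting: value}}} for the three stanza types."""
    profiles, current = {kind: {} for kind in KINDS}, None
    for line in text.splitlines():
        head = re.match(r'(aaa profile|wlan ssid-profile|wlan virtual-ap) "([^"]+)"', line)
        if head:
            kind = head.group(1).replace("wlan ", "").replace(" ", "-")
            current = profiles[kind].setdefault(head.group(2), {})
        elif current is not None and line.startswith(" ") and line.strip():
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip('"')
        else:
            current = None  # "!" or any unindented line ends the stanza
    return profiles

def audit(profiles):
    """Yield (virtual AP, finding) after resolving its profile references."""
    for name, vap in profiles["virtual-ap"].items():
        for ref in ("aaa-profile", "ssid-profile"):
            if vap.get(ref) not in profiles[ref]:
                yield name, f"{ref} {vap.get(ref)!r} is not defined"
        ssid = profiles["ssid-profile"].get(vap.get("ssid-profile"))
        if ssid is not None and ssid.get("opmode") not in REVIEWED_OPMODES:
            yield name, f"opmode {ssid.get('opmode')!r} needs review"
```

    Running list(audit(parse(SAMPLE))) reports nothing for the article's "virt-ap" and two findings for the constructed "guest-ap".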


    Monitoring


    In terms of monitoring, both solutions look good. If you use only the controller (without additional servers), Aruba provides more detailed information. Cisco has less network monitoring data. This is due both to the absence of some functions altogether (for example, a firewall) and to Cisco's general approach, which is to offer a separate system (from Cisco, of course) for monitoring the wireless network and storing statistics.

    HPE Aruba also has a management and monitoring system, of course. But the controller itself already includes many things that Cisco provides only with an additional server. For example, guest access with a printout of connection information, sending by mail, and traffic statistics (addresses, URLs, categories). In the latest version of the software, Aruba also has a tool for proactive monitoring of traffic and the wireless network.

    Radio Monitoring

    HPE Aruba
    Aruba monitoring provides an overview of all wireless users on the network. Here we see the distribution across bands, connection speeds, signal strength, etc.

    General Network Information (Clients, Band, Speed)

    Cisco
    At Cisco we also see general statistics on connections at the moment.
    Information on network utilization on the Cisco controller

    Traffic monitoring (applications, users, sessions)

    It is not entirely correct to compare solutions here, since Aruba has a Stateful Firewall, which means more detailed information about the session.

    HPE Aruba
    Aruba provides information on the applications used. There are signatures for local resources such as VKontakte and Yandex. There is data on sessions, distribution by user role, and URL information.

    Information on the applications used

    A general overview of site categories, roles, WLAN, device types, etc.

    Cisco
    Everything is more modest here - only applications and device type. You can see statistics for a specific user. There are signatures for Russian applications too.



    General Application Statistics for Cisco

    Logging


    HPE Aruba
    System messages are handled primarily through syslog. Logs are divided into categories (system, AAA, firewall, etc.), and the required logging level is configured for each. They are stored in separate files.
    System Messages in the Aruba GUI

    Cisco
    System logs are collected in a single syslog console. An important tool for tracking events on a wireless network is SNMP notifications. Messages can be configured by type (auth / deauth, etc.) and category (AP, security, etc.).

    Cisco SNMP Messages and Filtering

    Conclusion


    This material is a subjective look at the differences in approach and in the control interfaces of the two solutions. Only a small part of the functions that the devices provide is described. The wireless features are similar. Cisco seemed more intuitive and logical to configure (although that may be a matter of habit). Aruba is more complicated, but do not forget that it offers more additional services (VPN, firewall, routing). Of course, when choosing a solution, it is worth focusing on other aspects as well: the reliability of the solution, the stability of its operation, user services, the vendor's technical support, etc.