About AOS 10

AOS 10 is a distributed network operating system integrated with Aruba Central that manages and controls Aruba Access Points (APs) and Aruba Gateways. With its flexible architecture, network teams can deliver reliable and secure wireless connectivity with a consistent feature set for remote workers, small offices, mid-sized branches, and large campus environments. By being built on Aruba Central, AOS 10 can also leverage the integrated security features, AI Artificial intelligence (AI) is the simulation of human intelligence processes by machines, especially computer systems. AI reduces trouble tickets by identifying the network entity that is facing problems through event correlation and root cause analysis. operations and single pane of glass management with other Aruba solutions.

With AOS 10, onboarding, configuring, and provisioning APs and gateways is simpler and requires no manual CLI configuration or maintenance windows. Once the AP is plugged in, the device connects and receives its running configuration from the cloud using zero touch provisioning, which allows remote workers and offices to onboard and configure wireless connectivity without any onsite IT support.

AOS 10 deployments are categorized into:

Campus Network
Branch Network
Microbranch Network

A campus network refers to a LAN Local Area Network. A LAN is a network of connected devices within a distinct geographic area such as an office or a commercial establishment and share a common communications line or wireless link to a server. or a set of interconnected LANs serving a corporation, government agency, university, or a similar organization. A typical campus network encompasses a set of buildings in close proximity with a large number of Wi-Fi Wi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard.-connected clients and applications deployed in public, private, and hybrid clouds.

A branch network is generally an offshoot of the campus network with a small area of operation. In campus and branch networks, the WLANs Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. are critical to address the challenges of widespread user mobility, client density, and security. A branch network also typically leverages a full stack networking solution combining both LAN and WAN Wide Area Network. WAN is a telecommunications network or computer network that extends over a large geographical distance. in a single box.

The Aruba SD-Branch solution (now also powered by AOS 10) offers wireless and wired infrastructure, management, and orchestration in the LAN side with the corresponding SD-WAN Software-Defined Wide Area Network. SD-WAN is an application for applying SDN technology to WAN connections that connect enterprise networks across disparate geographical locations. capabilities on the WAN side; Route and tunnel orchestration, Dynamic Path Steering, Forward Error Correction, SaaS traffic Optimization, SASE Orchestration and so on. The SD-Branch solution extends revolutionary concepts like user-centric security and orchestration to all elements in the branch to deliver a full-stack solution that addresses the business challenges of distributed enterprises.

AOS 10 also supports Microbranch networks where deploying a single AP is required in remote sites such as home offices, small branch offices, retail locations, and so on. The AOS 10 architecture enables Microbranch to combine Wi-Fi and SD-WAN in the same device to extend the WAN to remote workers using a single AP, IT can secure the remote location by applying unified policy-based routing and providing an orchestrated integration with Secure Service Edge providers.

IT gains comprehensive visibility into campus, branch, and remote work environments (SD-Branch and Microbranch) in a combined dashboard to streamline operations and accelerate problem resolution. Remote workers benefit from an office-like experience, accessing the same corporate resources, or plugging into VoIP Voice over IP. VoIP allows transmission of voice and multimedia content over an IP network. devices from home. Route and tunnel orchestration and policy-based routing are combined to deliver the highest levels of performance and availability, ensuring the productivity of remote workforces while maintaining a lean IT footprint.

AOS 10 Architecture

The AOS 10 architecture consists of two layers:

Infrastructure layer—The infrastructure layer consists of a WLAN setup that can be either a campus setup or a branch setup. Either can consist only of APs, or APs combined with gateway clusters.
Cloud management layer—The cloud management layer consists of Aruba Central which is a cloud management SAAS platform.

Aruba Central offers the following services for managing WLAN devices:

Onboarding
Configuration
Monitoring
Live Upgrade
Licensing
Troubleshooting

The following AOS 10 architectural diagram displays the components of the cloud management and infrastructure layers.

Figure 1 AOS 10 Architecture

AOS 10 WLAN Services include the following capabilities:

AirMatch RF Management and Optimization⁠—AirMatch analyzes periodic RF Radio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. data across the entire network, or a subset of the network, to algorithmically derive configuration changes for every Aruba AP on the network. The APs receive regular updates based on changing environmental conditions, which benefits both IT and the users. AirMatch is the enhanced version of the Adaptive Radio Management (ARM Adaptive Radio Management. ARM dynamically monitors and adjusts the network to ensure that all users are allowed ready access. It enables full utilization of the available spectrum to support maximum number of users by intelligently choosing the best RF channel and transmit power for APs in their current RF environment. ) technology. It is equipped with the new automated channel optimization, transmit power adjustment and channel width tuning system that utilizes dynamic machine learning intelligence to automatically generate the optimal view of the entire WLAN network.
ClientMatch⁠—ClientMatch continually monitors the RF neighborhood of the client to support the ongoing band Band refers to a specified range of frequencies of electromagnetic radiation. steering and load balancing of channels, and enhanced reassignment for roaming mobile clients. The ClientMatch service helps to improve the experience of wireless clients. ClientMatch identifies wireless clients that do not get the required level of service from the AP to which they are currently associated and intelligently steers them to an AP radio that can provide better service and thereby improves user experience. ClientMatch periodically checks the health of current association of clients and determines if a sticky steer or band steer should be considered.
Cloud-Assisted Roaming Services—The Cloud-Assisted Roaming Services feature supports 802.11r 802.11r is an IEEE standard for enabling seamless BSS transitions in a WLAN. 802.11r standard is also referred to as Fast BSS transition. fast transition and Opportunistic Key Caching (OKC Opportunistic Key Caching. OKC is a technique available for authentication between multiple APs in a network where those APs are under common administrative control. Using OKC, a station roaming to any AP in the network will not have to complete a full authentication exchange, but will instead just perform the 4-way handshake to establish transient encryption keys. ), to enable seamless roaming with minimal or no disruption to the application traffic such as voice and video.
Tunnel Orchestrator— Gateways running AOS 10 form clusters in both homogeneous and heterogeneous modes. The GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. with optional IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnels between the AP and the Gateway cluster is orchestrated by the WLAN Tunnel Orchestration service. Even if one Gateway joins the deployment, an automatic cluster is formed by this service.

The AOS 10, SD-Branch, and Microbranch solution includes the following capabilities:

WAN Tunnel Orchestration— The SD-WAN Orchestrator automates tunnel negotiation, establishment and re- key between the branch and hub sites. This service can be enabled globally or for individual groups in Aruba Central.
Route Orchestration— The SD-WAN Orchestrator automates the redistribution of routing prefixes across the entire SD-WAN network. It allows gateways and microbranches to advertise their subnets Subnet is the logical division of an IP network. as well as to learn the shortest path to any subnet in the network.
Virtual Gateway (vGW) Orchestration— Aruba Central can integrate with cloud security providers to handle the entire life cycle of virtual gateways deployed in public cloud environments. It handles the activities such as discovering the cloud topology, instantiating the VM Virtual Machine. A VM is an emulation of a computer system. VMs are based on computer architectures and provide functionality of a physical computer., licensing the Virtual Gateway in Central, connecting it to the relevant cloud networking elements, monitoring the device health, and providing High Availability (HA) in single VPC or VNET environments.
Dynamic Segmentation— Aruba Dynamic Segmentation The Dynamic Segmentation feature is Aruba’s security architecture that provides the ability to dynamically assign roles to a wired port based on the access method of a client and enforce application-aware policies to all devices connecting to the infrastructure. automatically applies consistent policies across wired, wireless, and WAN networks to keep traffic for any user or device separate and secure, regardless of the application or service. It also ensures east-west segmentation within a site, or across the entire enterprise.
Unified Threat Management System (UTM)— Aruba provides fully integrated security with a stateful, application-aware firewall Firewall is a network security system used for preventing unauthorized access to or from a private network., including Deep Packet Inspection (DPI Deep Packet Inspection. DPI is an advanced method of network packet filtering that is used for inspecting data packets exchanged between the devices and systems over a network. DPI functions at the Application layer of the Open Systems Interconnection (OSI) reference model and enables users to identify, categorize, track, reroute, or stop packets passing through a network. ) combined with application classification and web content filtering (WebCC). Aruba 90xx Series Gateways also optionally supports IDS Intrusion Detection System. IDS monitors a network or systems for malicious activity or policy violations and reports its findings to the management system deployed in the network./IPS Intrusion Prevention System. The IPS monitors a network for malicious activities such as security threats or policy violations. The main function of an IPS is to identify suspicious activity, log the information, attempt to block the activity, and report it. for advanced threat detection.
Rogues and Intrusion Detection—With Rogues and Intrusion Detection, you can quickly identify and act on a rogue or interfering device that can be later considered for investigation, restrictive action, or both. After rogue devices are discovered, Aruba Central sends alerts to your network administrators about the possible threat and provides essential information required to locate and manage the threat.
Client Insights— Aruba provides Client Insights, a feature that allows network and security administrators to discover, monitor, and automatically classify new and existing clients connecting to a network. Clients are categorized and grouped by categories, such as Internet of Things (IoT Internet of Things. IoT refers to the internetworking of devices that are embedded with electronics, software, sensors, and network connectivity features allowing data exchange over the Internet.) devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, and switches. Integrating Client Insights with ClearPass ClearPass is an access management system for creating and enforcing policies across a network to all devices and applications. The ClearPass integrated platform includes applications such as Policy Manager, Guest, Onboard, OnGuard, Insight, Profile, QuickConnect, and so on. allows context sharing. Based on this context, policies and roles can also be assigned.

Personas

A persona of a device represents the role that the device plays in a network deployment. Creating a persona for devices helps in customizing configuration workflows, automating parts of configurations, and showing the default configuration and the relevant settings for the device. Persona configuration also helps in customizing the monitoring screens and troubleshooting workflows that are appropriate for the device.

Gateway Personas

Gateways can have the following personas:

Mobility—In this persona, gateways provide Overlay WLAN and (or) wired LAN functionalities. This persona applies only to the AOS 10 architecture.
Branch—In this persona, gateways provide the Aruba InstantOS and SD-Branch (LAN + WAN) functionality. This persona applies to both AOS 10 and ArubaOS 8 architectures, with AOS 10 being a superset of ArubaOS 8.
VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. Concentrator—In this persona, gateways provide VPN concentrator functionality for AOS 10 Microbranch or ArubaOS 8 or AOS 10 + SD-Branch deployments.

Creating Personas

Personas can be created when creating a group. Persona and architecture can be set at the group level. All devices within a group inherit the same persona from the group settings.

While creating a group, the architecture and persona settings of the current group can be marked as preferred settings for adding subsequent groups. For subsequent groups, you can either automatically apply the preferred settings or manually select settings for the new group.

Based on the device persona selected in a group, the device configuration page displays only particular device tabs for that group. For example, if a group has only access points persona assigned to it, then the device configuration page for that group displays only the access points tab.