Centralized Management and RF Security Moves Ariba to Aruba

At Ariba, the leading Enterprise Spend Management solutions provider, nearly every new employee is presented a notebook computer with integrated Wi-Fi capabilities. So for Ariba’s IT department, building an enterprise-class Wi-Fi infrastructure wasn’t an option. Ariba needed to cost-effectively rollout 802.11a+b/g services campuswide to a technically-savy community of more than 200 wireless laptop users that was quickly growing. Doing this required a new approach that conventional wireless systems couldn’t deliver.

“We needed an enterprise-class wireless system that centralized the control and security of our entire environment,” said Kevin Smith, manager of IT Global Communications at Ariba. “Aruba built that system and Ariba has standardized on it.”

Ariba’s goal was to integrate a centralized wireless system to support some 600 employees at their four-story campus headquarters in Sunnyvale, California and then roll Wi-Fi switching out to branch offices around the world. “Frankly, we couldn’t offer a wireless in our branch offices without a centralized solution due to support issues. Now that we have the Aruba system in place, we can deliver secure wireless access to every Ariba employee regardless of location,” said Smith.

Ariba’s Wireless Requirements

While Ariba had deployed a small wireless testbed of conventional fat APs, this environment proved too costly to manage, difficult to scale and impossible to remotely troubleshoot. Firmware and code upgrades had to be individually performed for each AP

Ariba’s legacy wireless LAN system was also arduous to deploy. A separate VLAN had to be configured for the fat APs and trunks created to the wireless VLAN for each AP’s network port. Wireless users had to then tunnel to the intranet through the VPN.

Topping the list of Ariba requirements for wireless was centralized control that eliminated the complexity associated with monitoring a large wireless environment. Multiple layers of wireless security, such as RF security to identify and disable rogue APs, link layer encryption and VPN support was also a must have. “We wanted a security architecture that addressed authentication, encryption, rogue AP detection along with a rich policy management infrastructure to control access for different types of users,” said Smith. “Wireless is all about knowing the user.”

Another key requirement for the wireless network was seamless integration with the existing wired network. Ariba wanted a wireless overlay that used the existing IP network as transport without any disruptions to the wired network. Aruba APs and AMs connected to existing L2/L3 wired switches and an Aruba Wi-Fi switch in the data center controlling them was the preferred architecture.

Centralizing Ariba’s Wireless Deployment

To address wireless management and security concerns, Ariba deployed an Aruba centralized WLAN switching solution consisting of the Aruba 5000 Wi-Fi switch, 44 802.11a+b/g Aruba 52 APs, the full suite of Aruba ArubaOS application software and the Aruba dialer for simplified VPN connectivity.

Access points and air monitors were deployed in the data center, on all four floors of Ariba’s headquarters building as well as in Ariba’s cafeteria. APs and AMs connect to existing L2/L3 IDF (intermediate distribution frame) switches in every wiring closet. Aruba’s 5000 Wi-Fi switching system is centralized in Ariba’s data center and connected via a gigabit uplink to an L2/L3 MDF (main distribution frame) backbone switch. Aruba’s ArubaOS applications are enabled at the Aruba Wi-Fi switch in the data center.

Aruba APs and AMs indirectly connected to the Aruba 5000 together create a logical wireless overlay that uses the wired IP network as transport without requiring any physical or logical reconfiguration. This also gives Ariba a rich policy management infrastructure for tailoring wireless services and security profiles to different users and user groups as they roam. A Web-based captive portal within the Aruba 5000 provides guest access and authentication. Employees use the Aruba dialer to create VPN tunnels from within the intranet and terminate them directly the Aruba 5000.