Hey, everyone. Welcome back to this final installment of the Modern Campus Network Management Techniques video series. You covered all these topics now, including Aruba's Edge Services Platform or ESP, and its Unified Infrastructure. Now you'll explore the other two key pillars of ESP, Zero Trust Security, and AIOps. I talked about the Aruba ESP Unified Infrastructure for wireless, wired and WAN SD branch systems and mentioned how you can keep it all secure with Aruba's Zero Trust Security with things like Dynamic Segmentation, which adds Zero Trust Security to our Unified Infrastructure. Look at the old port-based paradigm, where you must manually apply ACLs, VLANs, Port Configurations, and QoS per device, per application, multiplied by the number of sites. It's less scalable, harder to maintain, and it's error-prone. But using a single point of policy enforcement from Aruba Central, you can provision role-based policies enforced by each branch gateway. This ensures that devices like security cameras, temperature sensors, barcode scanners are automatically assigned the right ACLs, VLANs, and QoS, regardless of what port, SSID or branch they connect. Now on top of Dynamic Segmentation, you add intrusion detection and protection systems that are tightly unified with the infrastructure. Now that includes network and host intrusion detection, both anomaly and signature-based intrusion detection, and most IPS systems do everything IDS does: identify suspicious activity, log security events, and report attempts, but they also mitigate those attacks automatically. IDS/IPS systems help protect you from recon, routing and buffer overflow attacks and from protocol specific attacks, malware, zombies, and distributed denial of service attacks or DDoS. Now this all ties in with Aruba's Zero Trust Security paradigm.
Zero trust networking is a concept for secure network connectivity where the initial security posture has no implicit trust between different entities, regardless of whether they're inside or outside the enterprise perimeter. Risk-optimized access to network capabilities is dynamically extended only after assessing the identity of the entity, the system, and the context. You get continuous monitoring with real-time threat telemetry info from years of Aruba deployment experience and hundreds of integrations. You get enforcement with event triggered actions, and it's all locked down with extended AAA and non-AAA services. You have complete visibility with automatic device discovery, endpoint profiling, and custom fingerprinting to auto identify specialty devices along with role-based access control that leverages a rich set of identity information and context-based rules. Now it all happens with integration with Aruba ClearPass, Device Insight for visibility and profiling, Policy Manager for authentication and posture, and role-based access control. You've got Policy Enforcement Firewall or PEF, IPS, and Aruba's 360 Security Fabric enterprise security framework for continuous monitoring and third-party integration. ClearPass Policy Manager enforcement and attack response feeds back into re-authentication and posturing. ClearPass Device Insight provides very granular visibility into what is on the network and what those things are doing. It places local collector VMs on your network with visibility of user subnets and places the analysis and coordination function in the Cloud which means that as we and our customers identify more and more devices, everyone benefits from evolving machine learning models. You get behavioral analysis and risk scoring to improve your posture and security stance with seamless ClearPass Policy Manager integration for real-time enforcement. How does it work? 
Suppose you've got hundreds of thousands of devices connected to your multi-campus deployment. But how do you know what's what? ClearPass Device Insight profiling leverages ML based clustering using deep packet inspection or DPI. In other words, it intelligently learns what a device is and what it is doing by analyzing packet traffic from the device. Not just the headers, but deep into the application layer. It sees MAC and IP addresses with TCP and UDP ports and protocol information. It looks at static attributes like DHCP, user management, and SNMP. It analyzes application communication, communication frequency and more. You always know what's on your network, where they're connected, what they're doing, and who's doing it. Now the system knows what is connected and it's all sent to Central. Look, we have users and things connected to our network infrastructure with centralized policy control and all that rich who, what, how, where, when context info feeds into ClearPass Policy Manager, authentication and authorization, where you have defined central policies. So if Ricardo is on his corporate assigned laptop via wired LAN at the main campus during business hours, then he has elevated access to corporate resources. But if he is on his personal tablet using Wi-Fi at a cafe on Saturday, his access may be reduced. It's all about network access control or NAC, using this rich context and layer seven application awareness to control who can access what. The old way is to manually configure specific ports for specific VLAN, access list and quality of service, tedious. You must ensure that everyone connects each device to the correct port. It's error-prone. Instead, you have a simple collection of minimally configured colorless ports. Connected users are assigned a role which Policy Manager associates with a particular policy.
Now that policy is then pushed down to the Policy Enforcement Firewall or PEF features, and a tunnel forms between that PEF device and the user's connected switch or AP, which permits and denies access to appropriate resources. Thus, user capabilities are centrally controlled and VLAN connectivity, security and QoS are dynamically assigned. Your network is much more secure with far less initial configuration and management cycles. All this rich Aruba context and application knowledge with AI and ML can be integrated with a rich ecosystem of third-party integrations to support more applications and mitigate more risk. This leads us to the third and final pillar of ESP, Artificial Intelligence and AIOps. Aruba ESP's AIOps capabilities can reveal and troubleshoot issues before they impact the business. Aruba AIOps shows issues virtually undetectable by humans, and then provides prescriptive step-by-step guidance on how to resolve them. IT moves faster, SLAs are met. Remember, these capabilities are available via APIs for extensibility to third-party solutions to extend your automation goals out to other business processes. Now here's the bottom line. Aruba AIOps impacts IT outcomes by helping to get to root cause and resolve known issues quickly. To identify and resolve issues before they impact the business and continuously optimize performance with little effort. All of this with five key features in a single pane of glass. Over 30 individual AI insights are available to monitor connectivity, performance, RF management, client roaming, airtime utilization, and wired in [inaudible] performance. Each insight is designed to reduce trouble tickets and meet SLAs for connectivity performance and availability challenges. Additional features reduce resolution time and improve admin confidence. AI search allows you to use natural language search to quickly find relevant information.
AI assist uses event-driven automation to collect troubleshooting information to identify issues before they impact the business, and virtually eliminate time-consuming log-file collection and analysis. Once log information is automatically collected, it alerts IT staff with relevant logs for you to view and even share with Aruba tech. You get impact analysis reports as well. Once AI insight network settings or configuration recommendations are made, this feature displays before and after performance data to help verify that changes achieved the desired result. Then there's User Experience Insight or UXI, which lets you continuously monitor, measure, and track the complete end-to-end experience for all users and IoT devices. UXI provides user and IoT device application assurance and rapid troubleshooting. By simulating end-user activities with admin defined frequency, UXI sensors do continuous app testing and store captured analytics for up to 30 days. Easily see end-user overall experience, network services, and internal and cloud-based applications. Click any element to see details with the troubleshooting triage tool, and the ability to look back in time, make troubleshooting fast. Let's see some AI in action with machine learning. Do you recall the machine learning or ML model that I introduced earlier in this series? What a huge data pool it has to work with. AIOps leverages all your data and feeds it into intelligent low-level models, which enrich this raw data and serve it up to high-level models. The high-level models analyze this information and identify root causes, recommendations, and automations. Adding greatly to this power is anonymized peer data from thousands of solutions, telemetry, support cases, and more. All fed into these models for vastly increased intelligence and improved ML models. It also allows for quicker OS and software enhancements.
Let's take a look at that AI engine, where low-level modeling engines are often used as input for high-level models. These models are used to classify environments and to classify client device type and capability. It leverages individual client device fingerprints and joint modeling across all historical device data collection for increased accuracy. This is the key modeling engine for connectivity insights related to client associations, roaming, and DHCP, DNS activity, along with RF config optimization and root cause analysis. Client mobility transfer uses machine learning to detect the mobility state of client devices, and also for connectivity insights and RF config optimization. The low-level models are also used to classify clients as indoors or outdoors. Meanwhile, the high-level modeling engines generate use case outputs to recommend and automate configs like per bandwidth transmit power, per SSID minimum signal-to-noise ratio allowed, minimum transmit rates per SSID and more. You get AP density recommendations to mitigate coverage holes and predict capacity increases versus AP density. Troubleshooting assistance with connectivity event root cause analysis, along with AOS upgrade recommendations. Let's look at some examples. Starting with this low-level RF environment classifier. Input data includes AP capability, AP to AP Wi-Fi propagation loss, client device type, SNR motion and data volume, along with application type and volume. The low-level modeling engine classifies the environment and thus intelligently understands how to improve cluster performance based on distance metrics, number of clusters, minimum cluster size, feature normalization, distance distributions are selected based on expert domain knowledge, and clustering is done in 15-dimensional space. Now this plot shows a multi-dimensional temporal SNR projection in a 2D map for illustration purposes. It's pretty cool, but thankfully, you don't need to know much about all that.
This is all fed into the high-level modules which process this to make configuration recommendations to you and to detect anomalies for you. How about a high-level model example of passer-by optimization? Reducing outdoor client use of indoor APs improves performance for everyone, giving you more actionable information in the process. The inputs for this model include interaction of client device with site AP radios, SNR vectors and probe scan density and frequency. It also includes client device type, AP type and SSID type, 802.1x captive portal and so on. Intelligent processing provides the optimal probe response SNR per SSID. In effect, AP stops servicing outdoor clients because their signal strength is below a certain threshold while still providing reliable service to all indoor clients. It can distinguish between indoor and outdoor clients with greater than 95 percent accuracy. Now this improves performance for everyone. Outdoor users no longer needlessly connect to indoor APs, and APs no longer waste time processing those interactions. The graph here shows the number of minutes attached along the vertical axis for red outdoor clients and blue indoor clients. The model includes 22 different elements and multiple metrics to distinguish indoor versus outdoor clients. You could probably look at all this manually and derive similar conclusions given enough time and expertise, but AI does this automatically. Indoor clients are happier because outdoor users no longer degrade indoor user performance. That concludes this video series about modern campus network management techniques. I hope you've learned from and enjoyed these videos. If you'd like to explore further, there's other videos in this series, like modern campus network design and others. Thanks everyone and happy networking.