Close

HPE Aruba Networking Blogs

The Aruba-Celona CBRS Partnership:  A Technology View

By Chuck Lukaszewski, Vice President and Chief Wireless Technologist, Aruba

Today we announced that Aruba is joining forces with Celona to bring CBRS private mobile networks to the enterprise – validating that cellular technology is now ready for widespread enterprise use. Celona is an exciting startup, founded by former Aruba and Qualcomm veterans, that has built the first Citizens Broadband Radio Service (CBRS) solution designed from the ground up to integrate seamlessly into enterprise networks. In the United States, CBRS spectrum shows great promise to simplify what until now have been the twin intractable problems for private LTE networks: access to spectrum and consolidating multiple mobile network operators into a single-layer infrastructure. This is the second of a two-part overview of our strategy behind CBRS-based private mobile networks; part one highlights the business drivers behind the decision and what it means for customers. In this blog, I’ll take you behind the technology strategy behind the decision and the future of the “multi-RAN enterprise.”

The Rise of the Multi-RAN Enterprise

Enterprises have long had diverse connectivity requirements at the edge. Ethernet and Wi-Fi have each been in widespread use for over two decades. Recently, our customers have begun to deploy new special-purpose wireless access networks in the enterprise. Bluetooth Low Energy (BLE) tags in unlicensed 2.4 GHz spectrum are being used for an array of Internet-of-Things (IoT), asset tracking, and wayfinding applications. Zigbee, Thread, ISA100 and WirelessHART – all based on the 802.15.4 standard using unlicensed 2.4 GHz or 900 MHz spectrum – have become de facto in-building IoT access networks. To borrow the cellular term, each of these are separate enterprise radio access networks (or “enterprise RANs”).

It is common to find some classes of devices that include support for two or more RANs in use at the same time. A smartphone with LTE, Wi-Fi and Bluetooth is a familiar example, but headless IoT devices such as medical devices or portable scan guns increasingly come equipped with multi-RAN features. Against this backdrop, privately-owned 4G/5G wireless networks based on the CBRS spectrum can be best understood as access networks with specific performance and cost characteristics to serve particular application use-cases or groups of end-user devices. These additional forms of enterprise RANs are vital additions to the network architect’s toolbox to solve specific business problems.

Aruba’s cellular integration strategy

Aruba is pursuing a multi-pronged strategy to deliver cellular integration into the enterprise. Phase one is to improve the in-building cellular experience by providing automatic Wi-Fi offload on enterprise networks. Our Aruba Air Pass™ service enables Wi-Fi enabled devices with SIM credentials from major cellular network operators to automatically connect to enterprise networks. With Air Pass, users can send and receive Wi-Fi calls and text messages, and the Wi-Fi network can deliver high-speed data offload. The combination of the Aruba Air Pass service, Passpoint authentication and Wi-Fi Calling (WFC) enables robust in-building and campus cellular coverage, delivered over Wi-Fi. WFC is now pervasive globally – with over 135 operators in 45 countries active as of June 2019. For most enterprises, this is a compelling and cost-effective solution. It allows an IT department to extract more return on investment from an existing WLAN network, addresses coverage problems, and increases capacity with minimal additional investment. Because Air Pass dramatically increases the attach rate of smartphone devices to the WLAN, the utility of the Wi-Fi infrastructure as a sensor system is also enhanced. Applications such as shopper analytics in the retail vertical, space and energy/lighting optimization for facilities departments, and network security systems have greater visibility of visitor data traffic, location, and behavior. Air Pass can be deployed by itself or in combination with a CBRS neutral-host solution to reach even more subscribers.

Role-based policies for CBRS

With the Celona resale partnership announcement, Aruba is making public the second phase of our strategy. In a nutshell, we aim to deliver a full role-based policy-driven solution for enterprise-owned 4G / 5G RANs. Our vision is to integrate privately-owned cellular RANs with existing enterprise networks including WLAN, LAN, SD-WAN and other domains under a single unified policy framework, as shown in Figure 1.

Figure 1 – Converged Wi-Fi and CBRS based cellular data path in the enterprise

Figure 1 – Converged Wi-Fi and CBRS based cellular data path in the enterprise

While this statement is not particularly remarkable to an enterprise IT architect, it is nothing short of a radical revolution in the cellular domain. As I explain in my new white paper on the convergence of CBRS, 5G and Wi-Fi, it is not possible to bridge traffic directly from a cellular device to an Ethernet network while maintaining enterprise visibility all the way to the endpoint, since cellular devices do not have IEEE 48-bit MAC addresses. Virtually all competing cellular solutions in the market require primitive source-NAT integration and are confined to crude traffic breakout techniques, such as blind DNS redirection. This severely limits the ability of most private LTE solutions to integrate with existing enterprise L2/L3 network architectures as well as authentication and policy infrastructures. In turn, these constraints force the enterprise to adopt course-grained security strategies, such as segmenting off cellular traffic into untrusted subnets. With the current technology from traditional cellular equipment makers, identifying individual LTE devices, protecting specific application quality of service markings on egress, and applying per-device policy inside the trusted enterprise perimeter is simply not possible.

Imagine that you had a neutral host provider that supported the ability for public SIMs to roam onto your privately-owned LTE network with access to your corporate network. How does the corporate network know what security policy to apply to traffic from that device? It cannot, because the authentication systems are not compatible. There is no way to associate a particular IMSI+IMEI combination with an enterprise user in the AAA server. The only solution is to treat all such traffic as untrusted.

As of today, privately issued SIMs also cannot be “bound” to enterprise AAA identities. The old enterprise trick of using MAC authentication and L2 ACLs for limited-function devices won’t work because cellular devices lack MAC addresses. And there is no way for a cellular core to inform an enterprise policy engine of the L3 identity of a given cellular device. This means that local breakout for private cellular RANs must terminate in either (1) an isolated VLAN that is explicitly trusted with direct access to any required network services and firewalled from any other corporate network segments; or (2) an untrusted VLAN with at most access to the Internet but no other corporate resources. This is unsurprising if you look at it from a cellular operator perspective – they operate large, single-tenant networks that peer only with other cellular operators.

Celona CBRS integrates with existing enterprise infrastructure

By contrast, the Celona solution has been designed from the ground up for seamless integration to existing enterprise infrastructures and to address the full set of these requirements. As shown in figure 2, Celona’s unique MicroSlicing™ technology supports flexible L2 VLAN assignment on a per device, per-group or per-application basis and can enforce sophisticated QoS levels (latency, jitter, throughput, packet error rate) from end-to-end.

Figure 2 – Celona Microslicing Extends Enterprise Visibility of CBRS All the Way to Endpoint Devices

Figure 2 – Celona Microslicing Extends Enterprise Visibility of CBRS All the Way to Endpoint Devices

In addition, Celona supports the extension of enterprise L3 address space into the cellular domain on the one hand and is capable of creating synthetic L2 identities for each connected device on CBRS based cellular wireless. This unlocks rich enterprise policy in existing L3 forwarding elements, allowing the core network to apply a single device-agnostic policy regardless of whether traffic originates on CBRS, Wi-Fi SD-WAN or even Ethernet.

In short, Aruba sees the enterprise edge as:

  • Composed of multiple, overlapping enterprise RANs using different radio technologies to serve particular, differentiated device types and use cases
  • Leveraging unlicensed, shared spectrum (e.g. CBRS) and licensed spectrum as appropriate
  • Segmented into enterprise trust domains, with transit between each RAN and upstream destinations controlled by an automated policy framework
  • Leveraging both enterprise authentication stores (e.g. Active Directory, ClearPass) and external third-party identity providers (e.g. AT&T, Verizon, Facebook, Apple) as appropriate to the use case
  • Unified under a common operational model and policy framework

No one-size-fits-all

Aruba believes that there is no one-size-fits-all answer to access-layer connectivity at the edge. We are committed to a holistic approach that integrates cellular and non-cellular technologies over time.  There is much more to the Celona solution, but I choose to highlight the enterprise data path integration because it is fundamentally differentiated from all previous attempts to market cellular technology in the enterprise. If your organization has interest in this technology, I urge you to carefully evaluate the capabilities and limitations of competing solutions to extend enterprise network visibility and control all the way to the 4G / 5G device.

Check out this podcast from WirelessLAN Professionals about what the Aruba and Celona partnership means for enterprise networks. 

Go deeper

Blog: Aruba enters the CBRS market through a close partnership with Celona

White paper: CBRS, 5G and Wi-Fi: Radio Access Network Convergence in the Enterprise