When compared against the traditional, thick-AP methodology (configuring each manually and then managing them via dedicated
third-party tools such as AirMagnet), the tools offered by both WLAN switch vendors are a quantum leap forward. These products
finally make WLANs a truly enterprise-enabled infrastructure component, complete with structured deployment, ongoing monitoring,
and true centralized management.
Still Not a Perfect World
That's the good news. The bad news was made crystal clear during our mobility test, in which each vendor behaved exactly the
same as soon as we ran into problems.
At first, both vendors claimed the problems were due to us running the initial test in 802.11g mode rather than 802.11b. So
we switched to 802.11b -- but the problems persisted. At this point, both vendors conceded that a production implementation
of a true roaming session was still rarely encountered in the real world. Most WLAN implementations assumed roaming to mean
an executive wandering from AP to AP, VLAN to VLAN, subnet to subnet with a closed notebook -- in other words, an inert session
that simply re-established itself in a new stationary position. In our tests, we were carrying an active and transmitting
session from one AP to another.
Had we been using actual wireless VoIP phones instead of simply establishing a streaming traffic session, things might have
been slightly different. That's because VoIP phones, like cell phones, are designed to establish connectivity with new APs
as they come into scanning range. This way the device can decide which is the strongest signal and roam to the new AP whenever
it wants. Our cards held on to their existing AP sessions for dear life, only releasing when communication became almost impossible
and then running through handshaking and reauthentication latency with the new AP while attempting to maintain session state.
Unfortunately, this problem doesn't live in the WLAN switch. It lives in the client's WLAN NIC (network interface
card) and its driver, which decide when to let go of an AP. Both vendors conceded that their products each had a set of favorite WLAN NICs and drivers, and
that the reason they encountered problems in our test was that in real life they wouldn't be constrained to a single NIC
platform, such as a Proxim card; they'd have used different cards optimized for different activities.
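The difference between a sticky client and a phone-style client described above comes down to the roaming policy in the driver. The following is an added example, not code from either vendor or from any NIC driver: it simulates a client walking out of one AP's cell into another's over a constructed RSSI trace and compares a hold-on-until-dead policy with a scan-early, roam-on-hysteresis policy. The dBm thresholds, the usability floor and the trace values are all assumptions chosen to illustrate the behaviour.

```python
"""Roaming-policy simulation over a constructed RSSI trace (added example)."""

# Constructed trace, one reading per second for two APs as a client walks out
# of AP1's cell and into AP2's. Values are assumed dBm, not measured data.
RSSI_TRACE = [
    {"AP1": -50, "AP2": -90},
    {"AP1": -55, "AP2": -85},
    {"AP1": -60, "AP2": -80},
    {"AP1": -65, "AP2": -75},
    {"AP1": -72, "AP2": -68},
    {"AP1": -78, "AP2": -62},
    {"AP1": -84, "AP2": -58},
    {"AP1": -88, "AP2": -55},
    {"AP1": -92, "AP2": -52},
    {"AP1": -95, "AP2": -50},
]

# Assumed floor below which an active stream starts losing frames.
USABLE_DBM = -75


def sticky_policy(current_rssi, best_rssi):
    """Data-card style: hold the association until the link is nearly dead."""
    return current_rssi < -85


def proactive_policy(current_rssi, best_rssi, trigger=-70, hysteresis=8):
    """Phone style: start scanning once the link weakens, move only to a
    candidate that is clearly better (hysteresis avoids ping-ponging)."""
    return current_rssi < trigger and best_rssi - current_rssi >= hysteresis


def simulate(trace, should_roam):
    """Walk the trace with a roaming policy.

    Returns (roam_events, degraded_samples): each roam event is
    (time, from_ap, to_ap); degraded_samples counts readings where the
    associated AP was below USABLE_DBM at the moment of the reading,
    i.e. time an active session would have spent suffering.
    """
    current = max(trace[0], key=trace[0].get)  # associate to the strongest AP
    roams, degraded = [], 0
    for t, sample in enumerate(trace):
        if sample[current] < USABLE_DBM:
            degraded += 1
        best = max(sample, key=sample.get)
        if best != current and should_roam(sample[current], sample[best]):
            # Every roam costs a fresh association and (re)authentication
            # exchange with the new AP; the proactive client pays it while
            # the old link is still usable, the sticky one only once it isn't.
            roams.append((t, current, best))
            current = best
    return roams, degraded


if __name__ == "__main__":
    for name, policy in (("sticky", sticky_policy), ("proactive", proactive_policy)):
        print(name, simulate(RSSI_TRACE, policy))
```

On this trace the sticky client does not let go of AP1 until second 7 and spends three samples below the usable floor; the proactive client moves at second 5, after one degraded sample, because AP2 is already 16 dB stronger. Tuning `trigger` and `hysteresis` is exactly the knob that differs between the "favorite" NIC drivers the vendors referred to.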
Although this somewhat colors their claim that WLAN switches can be seamlessly dropped onto any existing WLAN infrastructure,
it also shows that even with a central back-end intelligence such as a WLAN switch, the client side of wireless is far from
ubiquitous. Centrino may be in every notebook rolling off the production line, but that doesn't mean it's the best thing for
your enterprise WLAN.
What this means to you is that although WLAN switching is a huge step forward in manageability and security, it's not a silver
bullet for every Wi-Fi woe. WLANs still have a long way to go, not only in updating their technology but in integrating
that technology into all the moving parts of a WLAN engine. Those of you considering a WLAN implementation will still need
to closely test back-end security and management, client-side interoperability, and especially the performance of your specific applications.
Aruba 2400 Wireless LAN Switching System
The Aruba 2400 has been around as long as WLAN switching has been a product type, but it's hardly a dusty product. Since its
inception, the Aruba 2400 has undergone a number of feature refinements and the version we tested was no exception, providing
more support for advanced encryption standards and the silicon to back these new features up.
The core of the system is the back-end, datacenter-oriented 2400 WLAN switch. The 2400 we reviewed is based on three specialized
CPUs: a PowerPC running embedded Linux as the switch OS, a Broadcom SiByte handling the data plane, and a Cavium Nitrox
handling the proverbial kitchen sink of encryption protocols. Each 2400 can handle as many as 512 users and 48 managed APs
while still forwarding up to 2Gbps of IPSec traffic. Aruba also offers the 5000, which can handle as many as 4,096
attached users running over a maximum of 128 managed access points, as well as the 800, which holds as many as 256 users and
a maximum of 16 managed APs.
For larger installations, these switches can be daisy-chained into larger logical units, but we found no need for this during
our test. This 3U, rack-based device can attach up to 72 access points directly via 10/100 Ethernet wired connections. Port
configurations are flexible, however, as the 2400 can just as easily connect to and manage access points over Layer
2 or Layer 3 logical connections, meaning the APs only need to be reachable on the network and the 2400 will find them. For backbone performance,
the 2400 can provide up to six GBIC (Gigabit Interface Converter)-based GbE uplinks, making this device quite easily the most
flexible WLAN switch we've seen to date from a pure hardware perspective.
In fact, the 2400's resemblance to a standard Ethernet switch is one of the things we found most attractive about the device.
Features, including port count and type, as well as redundant power supplies, can be implemented in the same modular fashion
as any quality Ethernet switch. You'll even find some of the newer wired switch features supported, including Power over Ethernet
(the IEEE 802.3af Power via MDI standard) and serial over Ethernet for RS-232 (the Electronic Industries Alliance's Recommended Standard 232) console traffic.
Aruba does include a management and deployment software suite, dubbed AirOS, that it positions against Trapeze's RingMaster.
Although AirOS isn't quite as slick or feature-rich as RingMaster, it does handle all the basics of deployment and management,
with a few goodies thrown in that you won't find in Trapeze's solution.
On the management side, Aruba has RF (radio-frequency) modeling based on basic environmental stats and can even extend these
models into a three-dimensional space, though it does so by stacking its data for multiple coverage areas (such as floors),
not by treating the entire area as an actual three-dimensional space. It can make basic access point recommendations based
on this data, but you'll almost certainly need to tweak this configuration once real life begins to creep in. While laying
out its AP map for our test, AirOS could only accept static values for things such as wall or floor construction, and its initial
deployment plan was really just a good place to start. Designing a final coverage plan required us to input our own values
into the plan and readjust AP placement and configuration accordingly.
After AP installation, Aruba's software handles all basic configuration and advanced tweaking, such as altering channel assignments,
from a central location. Aruba also supports dynamic load balancing as well as ongoing device management. The latter feature
spawned something of an argument among us testers. Unlike Trapeze, which monitors each device via software agents, Aruba designates
a certain number of access points as Air Monitors.
An Air Monitor acts as a wireless management device that allows the Aruba system to gather device and traffic data for management
purposes. This bothered us, as we considered it a waste of AP hardware, a source of unnecessary traffic, and a deployment
complication. Each Air Monitor, however, can switch into AP mode should an AP in its coverage area fail, thus maintaining
system integrity and even supplying a form of fail-over.
Although these additional APs do increase the overall solution cost somewhat, Aruba argues that the expense isn't that high
and that the value gained is worthwhile. By placing its management overhead onto a separate hardware infrastructure, the company
argues that it eliminates the possibility of overall system performance degradation often associated with active monitoring
systems.
Where Aruba's software stands out, however, is in overall WLAN security. Beyond the 802.1X and AES buzzword features
you'll find in most WLAN switching solutions, Aruba has done some careful planning not only to maximize its security offering
but to tailor it to real-world WLAN difficulties and to integrate it into an existing network security policy.
An important feature in this regard: The 2400 has what amounts to an embedded, stateful inspection firewall. That means not
only is the box running all the WLAN encryption you'll need, it can also identify attacks that have nothing to do with cracking the encryption, such
as a ping of death or a DDoS (distributed denial of service) flood, and stop them simply by dropping that traffic. The system can
also respond to suspected man-in-the-middle activity by identifying a valid client that keeps attempting to associate with the same AP
(a pattern that can precede a DDoS attack) and automatically forcing that client to roam. And, like Trapeze, the 2400 can detect rogue APs;
but unlike Trapeze's solution, it can also contain them, using a combination of deauthentication frames
and a DoS attack directed at the rogue AP to keep clients off it.
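To make two of those firewall behaviors concrete, here is an added example that is not Aruba code and does not use the 2400's actual log syntax: it runs detection logic over a handful of constructed event lines of an assumed `assoc` / `beacon` format. The first check flags beacons from BSSIDs that are not in the managed-AP list and grades them by whether they advertise the corporate SSID; the second flags a client that keeps re-associating with the same AP inside a short window, the pattern the text says the 2400 reacts to by forcing a roam. The field names, MAC addresses, SSIDs, window and threshold are all assumptions, and the response side (containment, forced roam) is deliberately left out.

```python
"""Rogue-AP and association-churn detection over constructed event lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events. The line format is an assumption for this example,
# not the Aruba 2400's syslog format; the MACs and SSIDs are made up.
SAMPLE_LOG = """\
2004-03-02 10:15:01 assoc client=00:0c:41:aa:bb:01 bssid=00:0b:86:11:22:01
2004-03-02 10:15:03 assoc client=00:0c:41:aa:bb:01 bssid=00:0b:86:11:22:01
2004-03-02 10:15:04 assoc client=00:0c:41:aa:bb:01 bssid=00:0b:86:11:22:01
2004-03-02 10:15:06 assoc client=00:0c:41:aa:bb:01 bssid=00:0b:86:11:22:01
2004-03-02 10:15:07 assoc client=00:0c:41:aa:bb:02 bssid=00:0b:86:11:22:02
2004-03-02 10:15:30 beacon bssid=00:0b:86:11:22:01 ssid=corp channel=1
2004-03-02 10:15:31 beacon bssid=00:0b:86:11:22:02 ssid=corp channel=6
2004-03-02 10:15:32 beacon bssid=00:11:22:33:44:55 ssid=corp channel=11
2004-03-02 10:15:33 beacon bssid=00:0e:35:66:77:88 ssid=linksys channel=6
2004-03-02 10:16:20 assoc client=00:0c:41:aa:bb:01 bssid=00:0b:86:11:22:01
"""

# Assumed inventory: BSSIDs of the APs the switch manages, and the SSIDs it serves.
MANAGED_BSSIDS = {"00:0b:86:11:22:01", "00:0b:86:11:22:02"}
CORPORATE_SSIDS = {"corp"}

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (.*)$")


def parse_events(text):
    """Turn 'timestamp type k=v k=v' lines into dicts; skip anything malformed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append({"ts": ts, "type": m.group(2), **fields})
    return events


def find_rogue_aps(events):
    """Map each unmanaged BSSID seen in a beacon to a severity.

    An unmanaged radio advertising the corporate SSID is the evil-twin
    setup that lures clients into a man-in-the-middle position; an unknown
    SSID is still an unauthorized AP but does not impersonate the network.
    """
    rogues = {}
    for e in events:
        if e["type"] != "beacon" or e["bssid"] in MANAGED_BSSIDS:
            continue
        rogues[e["bssid"]] = "high" if e["ssid"] in CORPORATE_SSIDS else "medium"
    return rogues


def find_assoc_churn(events, window_s=10, threshold=3):
    """Return (client, bssid) pairs that associate >= threshold times within
    window_s seconds, with the peak count seen. A sliding deque per pair keeps
    only timestamps inside the window, so a normal roam-back a minute later
    (the last sample line) is not counted against the client."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "assoc":
            continue
        key = (e["client"], e["bssid"])
        q = recent[key]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("rogue APs:", find_rogue_aps(evs))
    print("association churn:", find_assoc_churn(evs))
```

Run on the sample, the rogue check reports the unknown radio on channel 11 beaconing "corp" as high severity and the "linksys" box as medium, and the churn check reports the first client, which associated four times with the same AP in five seconds. A real deployment would feed the first result into containment and the second into the forced-roam action the article describes; both of those are switch-side actions this example does not perform.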
Our only disappointment with the 2400 came during performance testing. Our initial 802.1X cycle speed test was predicated
on the assumption that the 2400 could do 802.1X on the wired side. This would have allowed us to generate the massive traffic
we needed using a standard wired traffic generator from Spirent. Generating equivalent load from a purely wireless source
was not feasible at test time. Consequently, we don't have exact numbers on how many 802.1X authentication cycles per second the 2400
can handle, but given its internal CPU muscle, the figure should be more than adequate for all but the highest performance
requirements.