Three years ago, when we launched the Advanced Network Computing Laboratory (ANCL) for wireless connectivity, there were no
architecture choices. The intelligent AP (access point) was all that was available, so that's what we used in our own facility.
In fact, up until 24 months ago, AP vendors such as Cisco and Enterasys were the only proven choices for the enterprise.
For those with big budgets, the intelligent AP was a viable alternative, but it incurred high costs beyond the hefty initial
hardware investment. In this deployment model, every AP manages security and authentication locally, making each AP not only
a management requirement but a potential security hole as well. Considering the world lacked centralized AP-management tools,
this meant quite a bit of work for administrators managing WLANs of more than 50 access points.
Today, wireless architecture has evolved to fit better with enterprise network management. The WLAN switch takes the burden
of security off tiny, sweating CPUs in access points and places it squarely on burly, dedicated CPUs within centralized, rack-based
devices. Using technologies such as 802.1x, WPA (Wi-Fi Protected Access), RADIUS servers, and Kerberos, WLAN switches do an
excellent job at keeping hackers off your network, segmenting wireless users effectively within the network while increasing
reliability and mobility in the bargain.
Because our ANCL testing facility at the University of Hawaii was in need of a WLAN infrastructure upgrade anyway, we decided
to haul some WLAN switches into the lab and put them through their paces. Initially, we invited Airespace, Aruba, Extreme
Networks, Symbol Technologies, and Trapeze Networks. We wanted to run tests that the other magazines hadn't run, including
tests that concentrated on advanced security and active roaming. Further, instead of positioning this review as a product-against-product
competition, we made sure the vendors knew we were comparing their WLAN solutions against thick AP architectures as well as
against each other.
Perhaps that angle bothered some vendors. In any event, we were shocked that only two invitees, Aruba and Trapeze, decided
to play after viewing our test plan. As it turned out, the low turnout was only the first in a long line of unexpected results.
The Switch to Better WLAN Management
Before examining those results, it's worth reviewing WLAN switch architecture. First and foremost, it takes the brains out
of the access point. APs are simply transceivers that lead back to one place: the WLAN switch. All the intelligence is centralized
in the switch, beefed up with CPU muscle and optimized for 802.11 packet processing, mobility management, and -- above all
-- security. APs simply move radio waves and connect back to the WLAN switch at layer 2 and layer 3.
Centralized intelligence in a WLAN architecture enables faster deployment of advanced security and management, partly by virtue
of sheer muscle. Thick access points, no matter how thick they get, are still anemic when compared to a rack-mounted box.
Supporting 802.11 at layer 2 and IP traffic at layer 3, WLAN switches are further optimized to manage WLAN air-based traffic,
administrate remote AP devices, and provide high-grade, 802.1x-based authentication either within the chassis or by linking
back to a RADIUS server already in place on the network.
WLAN switching is still very much an evolving space, with new products and even new manufacturers arriving constantly. Our
tests were designed to find the high and low spots in a WLAN switch implementation and the results surprised both us and the
vendors.
How We Tested
To begin testing, we worked up a meaningful speeds-and-feeds test. Whether 802.11a, 802.11b, or 802.11g, basic throughput
numbers vary little. What sets WLAN switches apart is their ability not only to process traffic but to do so in a secure manner.
So our speed test placed a Spirent SmartBits 600 on either side of a WLAN switch running a throughput test that pumped an
increasing load of 802.1x supplicants and their associated data streams through the switch in order to see how many authentication
cycles it could handle per second.
It turns out that not all WLAN switch vendors see their devices as both wired and wireless security aggregates. Trapeze allowed
for full 802.1x wire-speed functionality, but Aruba designates its device as a wireless traffic manager only, opting not to
support 802.1x via its wired interfaces as yet.
Our security and roaming tests were more interesting. Wireless security resists being reduced to metrics. Unlike the sad house
of cards that is WEP (Wired Equivalent Privacy), an 802.1x- and AES (Advanced Encryption Standard)-protected network is darn
near invulnerable to straight cracking techniques. We scoured the dark corners of the Internet and even attempted to enlist
black ops aid from contacts at various tri-initialed government agencies to no avail. These techniques simply don't yet exist,
if they ever will. The conclusion: Move to 802.1x and AES, and traditional war-driving is no longer a problem for you.
Yet nuances in the 802.1x specification dictated that we ascertain whether the vendors had properly implemented the spec.
To this end, we devised our "loudmouth" test to assess whether a third party, armed with a password or key blabbed
to him or her, would be able to snoop the air for WLAN traffic during a future session. If WPA is implemented correctly, the
would-be cracker should not be able to see broadcast data.
Such is the case because the intent behind 802.1x is to ensure that each wireless session gets a separate set of rolling encryption
keys, so that each session is separated not just from the wired back end but from other sessions. So we set up AirMagnet's
Mobile Suite 3.0 WLAN management software on a Toshiba M205-S810 Tablet PC along with our test WPA session information. We
then started another session on an IBM ThinkPad T41 wireless client and began snooping with AirMagnet. (A Toshiba Portege
R100 was employed as another client device.)
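
The per-session key separation described above can be seen in the IEEE 802.11i pairwise key derivation that WPA relies on. The following Python sketch is an added example, not part of the original review or either vendor's code; the MAC addresses are constructed, and the random value standing in for the master key delivered by 802.1x authentication is an assumption.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"  # label defined by IEEE 802.11i

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([i])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, nbytes=48):
    """Pairwise transient key from the master key, both MACs and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, LABEL, data, nbytes)

def temporal_key(ptk: bytes) -> bytes:
    """Bytes 32..47 of the PTK encrypt unicast data (after KCK and KEK)."""
    return ptk[32:48]

def run_8021x_session(ap_mac: bytes, sta_mac: bytes) -> bytes:
    """One authentication: fresh master key and fresh handshake nonces."""
    pmk = os.urandom(32)      # assumption: stands in for the key from EAP/RADIUS
    anonce = os.urandom(32)   # chosen by the authenticator
    snonce = os.urandom(32)   # chosen by the supplicant
    return temporal_key(derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce))

# Constructed sample addresses (locally administered), not from the review.
AP = bytes.fromhex("020000000001")
CLIENT_A = bytes.fromhex("020000000002")
CLIENT_B = bytes.fromhex("020000000003")

def demo():
    """Temporal keys for client A, client B, and client A reconnecting."""
    return [run_8021x_session(AP, CLIENT_A),
            run_8021x_session(AP, CLIENT_B),
            run_8021x_session(AP, CLIENT_A)]

if __name__ == "__main__":
    keys = demo()
    for name, tk in zip(("A", "B", "A again"), keys):
        print(name, tk.hex())
    print("all distinct:", len(set(keys)) == 3)
```

Because every authentication yields a new master key and new nonces, the temporal key from one session says nothing about another client's session or about the same client's next one.
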
While these results were somewhat dull when comparing WLAN switch vendors against one another, they suggest that WLAN switch
architecture has gone a step beyond thick AP architecture. Although we contacted several thick AP vendors, only Netgear claimed
to have a thick AP capable of 802.1x and WPA. Upon receiving the product, however, we found that not only was the firmware
within the switch actually not capable of running these technologies, the CPUs in each AP were so weak that performance --
had they been able to function as advertised -- would have been abysmal.
But Netgear and Cisco will have 802.1x and WPA-capable APs by the time you read this, both probably capable of better performance
than these very early Netgear entrants. The problem you'll encounter there, however, will be a combination of price and performance.
The smaller form factor of the typical thick AP will be challenged to provide sufficient CPU horsepower to run these advanced
protocols. And both of our WLAN switch vendors were selling their thin APs for only a couple hundred dollars. Netgear never
gave us final pricing for their new APs, but Cisco's cost more than $1,000. Combined with the time required to manually set
up and maintain a thick-AP architecture, the centralized architecture of WLAN switching easily wins another laurel in the
cost department.
Our final test concerned mobility -- that is, the capability of wireless clients to do what they were designed to do: roam.
Oddly, the vendors informed us our test was the first of its kind they'd encountered in a magazine review test (strange, given
roaming functionality is intrinsic to any WLAN deployment).
To test mobility, we asked both vendors to cover the entire third floor of the University of Hawaii's Pacific Ocean Science and
Technology building in which the ANCL is housed. We then ran three test iterations: data, video on demand, and constant-bit-rate
voice. Each iteration involved establishing a session based on one of these three traffic types and then moving from one access
point to another across the third floor.
Generally, our data results fared the best. Although both vendors wound up having surprisingly "sticky" access points (meaning
the clients were loath to let go of an initiated session even if there was a stronger AP signal around), a straight data session
was the least affected by this. A video stream initiated from a video server on ANCL's production network had a few problems
but fared acceptably, because it could make use of forward error correction. Our VoIP (voice over IP) conversations, carried
on through NetMeeting-based soft phones, were hugely affected, however, as you'll see in the following reviews.
Subjective Testing
Before running all of our quantifiable metrics, we also ran both vendors through a more subjective wringer involving the two
other areas where WLAN switch architecture is supposed to dominate thick APs: deployment and ongoing management.
Here, we're happy to say all the surprises were pleasant. We did note that both vendors have a slightly different philosophy
when it comes to how these aspects play within their solutions. And it showed during testing, clearly differentiating one
vendor from the other.