New WLAN on Campus
Seven wireless LAN vendors went back to school outfitting new digs for SU's School of Information Studies. But only Airespace earned our bid.
September 26, 2003
We were too early for some new players, but seven companies--established providers Cisco Systems, Enterasys Networks and Symbol Technologies, and start-ups Airespace, Aruba Wireless Networks, Chantry Networks and Trapeze Networks--responded to our invite and saw the project through to completion. Among the notable no-shows, Proxim Corp. responded to our RFP but withdrew during the testing phase, citing planned product-line changes that would make its then-current offerings obsolete by our publication date. Several vendors, including Airflow Networks,Legra Systems, Extreme Networks and Nortel Networks, declined to participate, saying their newest offerings weren't quite ready for testing. Hewlett-Packard, which sells a WLAN system built around products from Proxim and Vernier Networks, declined to participate, citing limited resources. Finally, Intermec Technologies Corp. sent us a detailed explanation of why its device and application-oriented business model wouldn't make the company look good in our scenario. We greatly appreciate its honest assessment.
Take a Chance
Vendors at a Glance |
Given that our system won't be installed until mid-2004 at the earliest, we feel confident recommending that the university take a close look at several start-up offerings. In fact, we feel that all the start-up products we tested are well-conceived. Depending on your needs, you might choose any one of them, as long as you have the patience to let the products mature a bit and the risk tolerance to deal with a start-up. Remember: These are new, complex systems, and though we have no reason to question the start-ups' ability to execute, frankly, we'd be surprised if their systems were totally stable with version 1.0.
If we had to deploy a system next month, and if we hadn't required some of the advanced security and mobility services offered by the new vendors, we might have gone with a more established provider--Cisco, Enterasys or Symbol--all of which have established technology track records and mature sales and support.
So after perusing many pages of RFP responses and giving each of the seven vendors a day in the lab to show its stuff, which company got our bid?
WLAN Range Maps |
Aruba's system would be a good pick for sites that want to build around a core wireless switch architecture, but it's a costly choice if you need to deploy switches within smaller buildings. Trapeze's system is the obvious choice of buyers who want sophisticated preinstallation analysis and detailed installation work orders, but the company's requirement that access points be directly connected makes its capital cost much higher than competitors'. (Trapeze says it plans to release an appliance product, perhaps by press time.)
Symbol gets credit for early innovation in wireless switching, and there is undeniable comfort in dealing with a company that has its breadth and depth of WLAN expertise. However, Symbol's design is more limited than the designs of the start-up vendors.
Cisco is a safe and rational choice for many organizations, especially those that have existing Cisco infrastructures and don't need advanced wireless features. The trade-off: You'll pay a price premium and you'll need to wait for Cisco to deliver on its product road map or fill in gaps with third-party products. Likewise, Enterasys offers a solid, if somewhat dated, multimode AP and free management software. Finally, Chantry's product shows promise, but unfortunately we were given an offering that wasn't quite ready.
Based on vendor RFP responses and test results, we liked Airespace's offering best. An appliance-based system, the Airespace Wireless Enterprise Platform offers the best combination of features, functionality and value and easily earned our Editor's Choice award.Airespace installed more than 500 access points at customer sites before it showed up in our labs. This put the company slightly ahead of the start-up pack in field experience, and it showed. Airespace's proposal was feature-rich and cost-effective, and exceeded our minimum performance requirements. In the lab, Airespace's system blew through all our tests without breaking a sweat. We were impressed with the system's ease of setup, security features, adaptability to the changing RF environment, and pack-leading throughput and range results.
The company is well-funded, and the management team, which includes a good blend of executives from both network- and RF-oriented companies, appears solid. A global OEM agreement with NEC also helps us feel comfortable about future prospects.Airespace offers switches that provide functionality similar to Aruba and Trapeze, but it proposed using its Airespace 4100 WLAN Appliance in our environment. The 4100 connected to our building backbone switch through one or both of its Gigabit Ethernet interfaces. Airespace 1200 APs communicate with the 4100 over the existing Layer 2 Ethernet infrastructure. The Airespace Control System software can manage as many as 25 Airespace appliances and their associated APs.
Although their list price is about half that of Trapeze's offering, the Airespace APs appear well-made, sporting a unique and flexible antenna as well as external antenna jacks. The 1200 APs support 802.11b and 802.11a, and we had no interoperability problems during our testing. The APs are also software-upgradable to support 802.11g.
WLAN Performance |
Airespace walks the line between automatic and traditional site design. Although the company offers some limited RF prediction tools, they are not as capable as those offered by Trapeze. The tools let you make an educated guess about AP placement, but the company still recommends conducting a manual verification. Determining picture-perfect AP placement isn't as crucial as it is with rival products, however, because AireWave Director software, which comes bundled with the 4100, dynamically compensates for interference, coverage holes and user density by adjusting power output levels and channel allocation and leveraging load-balancing capabilities. Airespace calls this the "Intelligent RF Control Plane" and says it was designed to optimize RF performance while maintaining security.
Unlike other products that can be reconfigured manually or at defined intervals, Airespace's system works in real time, though admins can retain control by requiring a system prompt before changes are made and by allowing for manual changes if dynamic ones aren't desired. And Airespace says its products perform real-time analysis of the RF environment by the same 1200 APs that handle data traffic, with performance degradation of less than 1 percent.
Airespace's security architecture impressed us. To increase the likelihood of a secure installation from day one, the 4100's default configuration supports only SSH (Secure Shell) and HTTPS connections, though telnet and HTTP can be enabled manually. Similarly, the box defaults to support the more secure SNMP, version 3.Obviously, secure management is but one element of a WLAN security implementation. With support for 802.1x, WPA, VPN termination and pass-through, hardware AES encryption and captive-portal authentication, Airespace's Enterprise Platform can handle just about any security challenge. Simple Web-based login is offered through the customizable captive portal, a handy capability when you can't imagine implementing other alternatives, such as 802.1x or VPN, in your environment. Any user with a browser-based device--including visitors and guests--can gain access with user- or group-specific access restrictions.
To help thwart WLAN intrusions, the 4100 has a blacklist feature that will prevent a user from performing an 802.11 association for an administratively configurable amount of time following a definable number of failed logins. The system also can perform rogue AP detection, notifying administrators in the event an unauthorized AP appears. It can even prevent users from associating to the rogue device--by essentially launching a denial-of-service attack on it!
Setup and testing went off without a hitch. We had the 4100 and its accompanying APs up and running in less than 10 minutes. Airespace is trying hard--and largely succeeding--in making installation as simple as possible, so you don't need an RF specialist to install and administer its product. The Web management interface is generally intuitive, without sacrificing power and flexibility. An IOS-like command line is also supported.
Subnet roaming was clean and easy. In addition to supporting 802.1x, Airespace can terminate IPsec (IP security) sessions and allow full-context mobility across subnets. Performance was at or near the top of the pack for our single- and multistation tests, both with 11a (maximum throughput of 25.7 Mbps) and 11b (maximum throughput of 6.6 Mbps). Range was also impressive: 802.11b coverage was at the top of the pack, about the same as that of Cisco and Symbol. Range for 11a was the best of any product tested, likely confirming the soundness of the antenna design.
Airespace Wireless Enterprise Platform, Airespace, (866) 546-2100, (408) 635-2000. www.airespace.comAruba Wireless Networks delivered an excellent proposal based on its highly scalable Aruba 5000 wireless switch and Aruba 52 multipurpose AP. Although configurable to support direct connection of as many as 72 APs, this beefy, $30,000, 3U device is clearly a better fit at the distribution or backbone layer rather than the edge closet. And that's exactly where Aruba pitched it to us, connected to our backbone switch via Gigabit Ethernet in what amounted to an appliance configuration.The Aruba 5000 switch can communicate with and manage APs directly connected to its switch ports, as well as those that are accessible across a Layer 2 or Layer 3 infrastructure. Third-party APs are supported, though you won't be able to take advantage of some of the system's management capabilities. A simple DNS lookup lets newly booted Aruba APs find 5000 wireless switches on their own networks or across routers using GRE (generic routing encapsulation), as well as retrieve their appropriate configuration files automatically.
Aruba positions itself as combining advanced automated site-survey capabilities similar to Trapeze with real-time infrastructure optimization similar to Airespace. Although its capabilities are not as advanced as those offered by Trapeze, Aruba can import floor plans, develop a 3-D radio model and make an initial recommendation on AP placement.
Once APs are installed, dynamic calibration of RF characteristics is performed to correct coverage problems and interference issues by altering power outputs and channel allocation. Dynamic load balancing can also be invoked if user density in the proximity of a single AP becomes too high. Unlike Airespace, which uses each AP for both network connectivity and RF monitoring, Aruba configures a limited number of APs to function as "Air Monitors." Air Monitors can switch dynamically to AP-mode if needed to enhance system availability if an AP fails. Although this approach does increase system cost by a modest amount, Aruba argues that separating AP functionality from Air Monitoring functionality in hardware eliminates the possibility of extra overhead and the subsequent performance degradation associated with performing both tasks inside a single AP.
The Aruba 5000 Wireless Switch supports a full array of security standards. Like other products, the 5000 offers 802.1x, WPA, AES and captive portal Web authentication. Aruba makes VPN access simpler to deploy and use by making Aruba's VPN dialer downloadable via a customizable captive portal Web page. But what makes Aruba unique is its per-user stateful firewall capability: Full role-based authentication is supported, with roles configured via stateful firewall policies. This provides the most granular range of access control of any product in this roundup.
Like Airespace's, Aruba's wireless switch is also capable of rogue-device detection and can prevent its users from associating with illegitimate APs. Unique to Aruba is the system's ability to perform real-time distributed packet analysis on a per-AP or per-user basis using Ethereal's protocol analyzer. Aruba plans to add support for WildPackets' AiroPeek analyzer in a coming release.Also like Airespace's, Aruba's AP supports multiple ESSIDs (Extended Service Set IDs) as well as VLAN tagging, and makes available 16 BSSIDs (Basic SSIDs, usually MAC addresses) per radio to mitigate issues with broadcast and multicast traffic aggregation when more than one ESSID is being used.
Aruba representatives arrived in our lab, then unpacked and turned on the 5000 Wireless Switch and APs. The switch was quickly found by the APs, which were then able to receive their configurations. We configured the system with APs directly connected to the 5000, APs directly connected on the same subnet and APs connected on another subnet. Regardless of how they were connected, the APs were configured properly on separate channels, and we were ready for testing in just a few minutes. At the time of our testing, configuration and management was limited to an IOS-like CLI, powerful for experienced administrators but difficult for newbies to learn. At deadline, Aruba notified us that it's now shipping a Web-based management tool.
Aruba's throughput results were solid. Maximum 802.11b performance was 6.5 Mbps, and maximum 802.11a performance was 24.3 Mbps. Only Airespace and Cisco delivered comparable results. For range, Aruba was near the top of the heap for 11a, but its 11b range was the worst of the seven vendors whose products we tested.
Aruba's solution was the third most expensive proposal we received, attributable in large part to the cost of the 5000 switch. On the positive side, the Aruba 5000 setup is powerful and flexible enough to sit as an appliance at the core of your network, providing a secure and scalable gateway capable of supporting legacy APs where the wired system meets the wireless. This may be all that many sites need--in which case, spending $30,000 for a core internetworking device is not unreasonable. However, by installing it as an appliance at the core, you don't really take advantage of all the power the system has to offer when directly attaching APs to the switch.
Aruba 5000 Wireless LAN Switching System, Aruba 52 Access Point. Aruba Wireless Networks, (408) 227-4500. www.arubanetworks.com
Trapeze Networks' response to our RFP comprised Mobility Exchange (MX), a distributed WLAN switch; Mobility Points (MP) APs; Mobility System Software to tie the two hardware components together; and RingMaster Tool Suite, a set of integrated planning, deployment and management tools.Although the overall Trapeze system shares many characteristics with the systems from Airespace and Aruba, Trapeze leans heavily on RingMaster as a primary competitive differentiator, even referring to it as its "crown jewels." RingMaster is indeed the most sophisticated WLAN simulation and design tool we've seen--it lets you completely design a virtual system before you dispatch a single technician to the site and before a single AP is deployed.
Factors influencing the RF profile of your site, including doors, windows, walls and floors, are accounted for in the simulation. Although the simulation isn't 100 percent complete--RingMaster doesn't take into account in the effects of furniture and people, for example--it gets you a lot closer than if you'd guessed. And it generates detailed work orders for the installation of all system components, down to the precise location and MX port to which an AP should be attached. That can be a huge time-saver if you're contracting for installation.
The key question is: How much closer to ideal does RingMaster get you than a cruder RF planning system? Interestingly, Trapeze's proposed configuration for our 50,000-square-foot building, based on AutoCAD drawings we provided, was quite similar to those submitted by competitors, which argue that RingMaster has limitations. Given the vagaries of RF signal propagation and the difficulty in predicting user bandwidth needs in advance, it often makes more sense to deploy a dense configuration of APs and let the system sort out problems by adjusting power levels and channel assignments. We did get e-mail from one systems integrator, who touted the virtues of RingMaster and the value it's had for his business. Who do you suppose put him up to that?
Although Trapeze relies on RF modeling in RingMaster, it says it considers the RF environment too unpredictable to rely on dynamic RF adaptation for proper WLAN operation. Instead, with RingMaster, you gather operational information, develop a new model and then deploy it, presumably when nobody is on the system.
Once the MXs and MPs are deployed, the configuration created by RingMaster in the planning stage can be pushed out via the management system. What-ifs, such as increased user load or failed APs, can be explored within RingMaster to see how such factors would impact network performance without actually experiencing the proposed occurrence.Of course, Trapeze's Mobility Solution isn't just about RingMaster. Security features include WEP, TKIP, WPA and, with a future software upgrade, AES. Security is designed largely around 802.1x authentication--requiring all users to authenticate with a AAA (authentication, authorization and accounting) server to be granted access to the wireless network. Trapeze also off-loads AAA processing from your back-end RADIUS server, which it claims can relieve potential performance bottlenecks. Unauthenticated users are restricted from admission to the network altogether or are allowed a preconfigured base level of access, such as to the Internet. Users granted access via this method may be promoted by the administrator to higher levels of access based on their MAC addresses. There is no support for VPN access or captive-portal Web authentication.
Trapeze's "Identity-Based Networking" features support subnet mobility services by establishing and maintaining individual users' VLAN associations as they roam, usually routing their traffic back to their home MXs. This solution works well for organizations that implement access-control restrictions based on VLANs. CoS and QoS (Class and Quality of Service) are supported as well.
Our testing of the Mobility System included a few setbacks that kept us in the lab late into the night. Although Trapeze brought more equipment than any other vendor, it chose to run through our testing scenario with a beta version of the RingMaster software to demonstrate rogue-device identification features. However, the new software proved a little buggy, and APs refused to accept updated configurations (we wanted to change the AP channel assignments), forcing an eventual cold boot of all equipment. Trapeze assured us the problem has been corrected.
Furthermore, Trapeze's authentication system is tied to 802.1x, and we experienced problems getting it to work under Windows 2000 with all the NICs on our test bed, a necessary prerequisite to performance testing. We eventually solved most of those client problems--and then learned there was an easier way to connect Windows 2000 clients to the system for testing, using a default access configuration.
Trapeze placed in the middle of the pack in performance, with peak throughput of 5.1 Mbps for 802.11b and 23.1 Mbps for 802.11a. Range tests for 802.11b and 802.11a weren't a bright spot, either: For 11b range, Trapeze finished second to last. Its 11a range proved somewhat better, coming in fourth behind Airespace, Aruba and Symbol. Similar to Aruba, Trapeze had better coverage with its 11a radio than with its 11b radio.At approximately $141,000 without redundant power supplies and Gigabit Ethernet interfaces on the MXs, Trapeze's solution was the most expensive--more than 60 percent higher than Airespace's. Of course, if you assume that capital costs represent about 25 percent of TCO (total cost of ownership) and buy Trapeze's argument that it will save operational costs, then the cost difference is not as significant. In addition, because all MPs connect directly to MXs without the need for separate Ethernet ports, there are some minor Ethernet port-cost savings that don't come through in our cost model.
Mobility System. Trapeze Networks, (877) FLY-TRPZ, (925) 474-2200. www.trapezenetworks.com
Symbol Technologies was the first vendor to introduce a true distributed enterprise wireless solution last year with its Symbol Wireless Switch and accompanying thin APs, which it calls Access Ports.
With little more than a radio, an Ethernet interface and some PoE (Power over Ethernet) circuitry, Symbol's Wireless Switch design is the archetype of thin-AP solutions. When powered on, the Access Port locates the Wireless Switch via broadcasts, and the switch responds with an appropriate configuration. As with the other switching products, Symbol's APs house no valuable information and can't be used without the central controller. That makes theft a low-risk proposition, further enhanced by the slick design that let you hide access ports above a ceiling.
Wireless networking is a shared medium, and though the Wireless Switch is more of an appliance-type WLAN device, its moniker more accurately describes the Airespace 4000, Trapeze and Aruba systems, which sport switched Ethernet ports to which APs can be attached. The Wireless Switch is overlayed on a standard Ethernet wired infrastructure. The product offers redundant 10/100 Ethernet ports and will support Gigabit Ethernet in a future version. Although it can sit on a single subnet, the Wireless Switch is intended to handle 802.1q trunked VLANs so it can communicate with APs and users across all subnets. For APs that don't sit on a roaming user's native VLAN, subnet roaming is achieved by tunneling traffic across non-native APs' VLANs to and from the Wireless Switch, without the need to traverse a router. This reliance on VLANs is functional, but complex.
Of all the vendors included in this review, Symbol has the most experience dealing with a range of wireless handheld devices, and its product is optimized for this type of environment. For example, Symbol pointed out that wireless VoIP (voice over IP) phones, handhelds or any device that takes advantage of PSP (power save polling) can experience extra latency and have their battery-saving capabilities negated in environments not intended to handle sporadic mobile traffic.This queued traffic is advertised in a frame at a set interval, along with that ESSID's BSSID (usually the AP's MAC address), to notify applicable devices there may be traffic waiting for them. Broadcast and multicast traffic is sent out in this interval as well. However, in environments with multiple ESSIDs on a single AP--a good practice to help isolate latency-sensitive traffic--PSP devices will be constantly inundated with broadcast and multicast traffic from all SSIDs, negating the benefits of PSP mode and bringing the devices to their electronic knees. The way to fix this is to provision each AP with more than one BSSID so extra SSIDs may use them, and broadcast and multicast traffic won't have the same ill effect.
Symbol's AP, with its ability to have 32 ESSIDs, makes 4 BSSIDs available to mitigate this issue. Airespace and Aruba are the only other vendors to address this.
The Wireless Switch supports 802.1x, as well as Kerberos authentication and WEP encryption. The company says it plans to add support for WPA-TKIP, AES and its proprietary KeyGuard key-rotating algorithm soon.
Setup of the Wireless Switch and APs was painless. After powering on the switch and pushing a configuration policy to the APs, we were ready to test. We were able to evaluate the still-beta 802.11a capabilities available in Symbol's newest AP. Our 11b testing was performed with Symbol's shipping 11b AP.
Symbol's throughout results put it in the middle, with peak 802.11b performance of 5.8 Mbps and peak 802.11a performance of 22.2 Mbps. Interestingly, we found in our 802.11b testing that our notebook equipped with a Symbol NIC achieved better performance than the other NICs, with throughput of 3 Mbps while the others teetered below 1 Mbps. Symbol performed admirably in range tests--tying for first with Airespace and Cisco in 11b range, and placing third in 11a range.Even with a configuration that included a redundant standby switch, Symbol's system was priced slightly below the average of the other offerings. The company's alternative proposal--to supply us with Foundry switches to replace the Cisco gear--cut an additional $10,000.
Symbol Wireless Switch 5000. Symbol Technologies, (800) 927-9626, (631) 738-2400. www.symbol.com
Cisco Systems, today's leading enterprise WLAN provider, answered our RFP with a mixture of IOS-enabled APs, a management appliance (Cisco Works Wireless LAN Solution Engine, or WLSE) and promises for future enhanced functionality as part of its SWAN (Structured Wireless Aware Networking) architecture. It's a credible product map that leverages Cisco's ultra-reliable and powerful APs--but objectively speaking, based on what's shipping, Cisco simply can't match the functionality of its upstart competitors. Then again, if the majority of its customers don't need all that functionality yet, it's a safe bet that many will be content to stay the course and wait for future enhancements.
To pull off its vision, Cisco will need to coordinate the efforts of several business units, including those responsible for WLAN products, management products and switching products. That could be a real challenge, but the company appears to be off to a good start with WLSE 2.5, a Linux-based management appliance that lets administrators easily configure, monitor and manage as many as 2,500 Cisco Aironet APs. Newly deployed APs sitting anywhere on the network can retrieve configuration information from WLSE using a predefined default template. Configuration parameters that deviate from the default can be handled based on a single AP or a group of APs. WLSE can handle management chores ranging from ensuring proper security policy implementation--by guaranteeing that all APs are configured properly and 802.1x servers are up and responding--to pushing new firmware upgrades and downgrades to APs en mass. These are tasks that would otherwise be laborious.
Today's shipping version of WLSE is somewhat limited, but Cisco showed us the 2.5 version that should be hitting the streets by the time you read this. The company says it plans to add rogue-AP detection, assisted site-survey capabilities, and dynamic channel and power output management to its upcoming WLSE 2.5 release.
Continuing to focus on management, Cisco has revamped its 350-, 1100- and 1200-series APs with upgrades from the older Vx-Works OS to the popular IOS. Admins accustomed to the command lines of their Cisco routers and switches will welcome the upgrade. If a CLI doesn't thrill you, Cisco has also reworked the AP's Web interface, allowing access to the same functionality the old, cluttered interface permitted, but in a somewhat more intuitive and hierarchical fashion.Cisco's flagship AP, the dual-band Aironet 1200, is both an 802.11b and an 802.11a AP, and will soon be field-upgradable to support 802.11g. The 1200 AP is capable of 802.1q VLAN trunking and can handle as many as 16 VLANs and ESSIDs, though the AP has only one BSSID per radio and therefore can't limit the ill effects of broadcast and multicast traffic across many ESSIDs.
Subnet roaming in an Aironet environment relies on Mobile IP-enabled routers and APs configured to support Proxy Mobile IP. Such an approach overcomes the need for Mobile IP clients, but Cisco chose not to demonstrate this capability in our lab.
Security options for the 1200 AP include 802.1x authentication, including Cisco's own LEAP authentication type, as well as support for WEP, WPA and Cisco's TKIP encryption methods. AES support will be available via an upgrade. A new addition is the ability for the 1200 to act as its own 802.1x server. Although this is hardly an enterprise-scalable solution, it's a nice feature for isolated locations with relatively few users.
Setup of the WLSE management server and 1200 APs was straightforward. WLSE discovered the APs quickly, and we were then able to configure the APs. Testing results were somewhat of a mixed bag for the 1200. Throughput testing showed the AP excelled in some tests and lagged in others. For example, throughput for 802.11b peaked at about 5.9 Mbps, significantly less than systems based on the newest Atheros silicon. 802.11a results were respectable, but did little to differentiate the incumbent WLAN provider from its competition, turning in maximum throughput of about 22 Mbps.
Range results were mixed as well: 802.11b coverage was excellent, putting the 1200 AP in a dead heat with Airespace and Symbol for first place. The 11a range, however, was a different story. Cisco's dual-band AP came in second to last in 11a range, ahead of only Enterasys, and with only about 70 percent of the coverage provided by Airespace's products.Although it didn't deliver all the functionality of its competitors, Cisco's solution was one of the priciest proposed, largely a result of the higher cost for Cisco's APs. And beyond the initial capital cost of equipment, operational costs for a Cisco WLAN are likely to be higher than the competition, at least until SWAN is fully baked. However, for sites with large Cisco wired installations, there's also a significant benefit associated with looking to the leading enterprise network vendor for wired and wireless.
Cisco Aironet Series of Wireless LAN Solutions. Cisco Systems, (800) 553-6387. www.cisco.comEnterasys Networks, known chiefly for its enterprise wired infrastructure gear, responded to our RFP with a system built around its RoamAbout R2 dual-slot-capable "smart" AP. The RoamAbout R2's ability to support two radio cards via an optional Mezzanine Adapter makes it versatile in that it can accommodate both 11b and 11a radios. The system will be able to support any combination of 11b, 11g and 11a radio cards once Enterasys releases its 11g radio cards later this year.
The RoamAbout is a solid product, but the overall system design can't compete with newer offerings. Nonetheless, if you're an existing Enterasys customer and your wireless needs don't call for advanced capabilities like subnet roaming, it's an effective solution.
Configuration and management of RoamAbout R2 is handled by Enterasys' RoamAbout AP Manager, which comes free with every AP. AP discovery is performed by entering an IP range to scan and the APs' management password. Once discovered, APs are entered into a managed list so that configuration attributes, such as channel, power output and security settings, can be set, either for a single AP or for a logical grouping of APs.
The RoamAbout AP Manager has no fancy bells or whistles, but it can configure all AP settings from one central location, all for the perfect price--free. Management can also be done through serial console, telnet, SSH, HTTP, HTTPS or integration with any SNMP-based network management software.The RoamAbout R2's security features are functional but somewhat limited. Start with basic WEP encryption: Keys can be generated automatically and rotated using Enterasys' RrK (rapid rekeying) functionality in conjunction with an 802.1x server. Also leveraging 802.1x, though used in its stead, is Enterasys' UPN (User Personalized Networking) framework. UPN can match authenticated users' credentials with their authorized network resources, allowing for fast and secure access.
The company will support AES in an upcoming firmware upgrade, as well as WPA, but only for Enterasys' 11a and 11g radios. Support for 802.11i also is planned.
When compared with the functionality of some of its competitors' products, the RoamAbout R2 comes up short in some ways. There's no assistance for the site survey process or rogue detection and location, so administrative legwork remains high. Similarly, subnet roaming capabilities--not a high priority for existing customers, Enterasys says--are noticeably absent.
Setup was simple. After installing the RoamAbout AP Manager and entering the IP subnet to scan for our 11b/11a testing R2 AP, we configured its basic parameters and had it ready to go. Throughput results for the R2 were mediocre, with speeds hovering somewhere between the middle of the pack and the slowest. Peak 802.11b throughput was 5.2 Mbps, while peak 802.11a throughput was 20.3 Mbps.
Enterasys experienced some interoperability problems with a Netgear NIC, which none of the other vendors encountered. Range results were fair: Coverage for its 11b radio put the company in fifth place behind Chantry and the first-place finishers--Airespace, Cisco and Symbol--with about 90 percent of the area of those leaders. Its 11a range proved much worse, bringing up the rear of the six 11a products tested at about 65 percent of Airespace. Presumably, 11b range would be increased with the addition of an external antenna, but 11a range can't be extended with external antennas on account of FCC limitations.Enterasys RoamAbout R2. Enterasys Networks, (978) 684-1000. www.enterasys.comChantry Networks' proposed RFP solution is based on its BeaconWorks wireless router system and BeaconWorks APs. Unlike the competition, Chantry's system operates as a Layer 3 device, letting it work with any IP-accessible AP. Whether it's across the hall, across campus or across the country, Chantry's BeaconMaster wireless router acts as a point of aggregation and a mode of central management for BeaconPoints. No changes to the existing infrastructure are required, save for a simple DHCP option to let newly booted APs find their primary and secondary BeaconMasters. It's an appealing solution for many networks, but the product just isn't mature enough for us to give it a positive evaluation.
Leveraging what Chantry dubs Virtual Network Services, or VNS, the BeaconMaster creates virtual networks across the wireless network, no matter the actual subnets on which the APs reside. This lets users belong to one of many possible networks based on the SSID to which they connect, though broadcast and multicast traffic aggregation can still be an issue because the AP has only one BSSID and associated MAC address. The BeaconMaster appliance routes traffic from these VNS subnets to the rest of the wired infrastructure. This approach simplifies management by letting security and configuration attributes be tied to VNS networks, rather than requiring configurations to be performed on a per-AP basis.
Chantry addresses security concerns with a basic set of features: WPA and 802.1x support, with upcoming support for 802.11i and AES encryption. The company doesn't support VPN session termination, nor is there support for captive Web portal authentication. BeaconMaster is capable of rogue detection, however, and can offer an approximate location based on the triangulation of BeaconPoints that hear the offending AP.
Rather than offer its own RF site-planning system, Chantry has partnered with Wireless Valley, whose LANPlanner software provides a rich feature set--for the fairly high price of $18,995.
After first configuring our lab's Cisco 3550 Layer 3 switch to perform routing across four subnets (one for the BeaconMaster and one for each of three BeaconPoints), and then setting up our DHCP server to provide addresses on each subnet, we encountered an issue that prevented the BeaconMaster system from operating properly. The option on our Cisco switch that allows each subnet to receive addresses from a DHCP server on a separate network wasn't available on the gigabit fiber uplink port that connected to the BeaconMaster. Although it had a static IP address, it couldn't reach the DHCP server to be informed that it was the primary BeaconMaster; therefore, it wouldn't respond to the BeaconPoints. This glitch had to be circumvented by using the wireless router's 10/100 Ethernet management port as an uplink port--an ill-advised work-around.Although Chantry's RFP response included an AP capable of 802.11a, b and g, company reps showed up for testing with older 802.11b-based BeaconPoints. Even with the 802.11b BeaconPoints, the performance was the worst of any product tested, with a peak throughput of 3.5 Mbps and single-station results of 1.6 Mbps. On the positive side, range results were fine. Chantry's BeaconPoint came in with about 95 percent of the coverage area posted by Airespace, Cisco and Symbol, the 11b range leaders.
BeaconWorks. Chantry Networks, (800) 816-8099, 617-663-5257. www.chantrynetworks.com
Dave Molta is a senior technology editor at Network Computing. He is also assistant dean for technology at the School of Information Studies at Syracuse University and director of the Center for Emerging Network Technologies. Molta's experience includes 15 years in IT and network management. Write to him at [email protected].
Jesse lindeman is a consultant and lab manager for the Center for Emerging Network Technologies. He has been a systems administrator for a historic roofing firm in Washington. Write to him at [email protected].
Post a comment or question on this story.
In our Syracuse University Real-World Labs®, we conducted feature, functionality, range and performance tests with each product. Before we got started, we gave each vendor a scripted list of tests to be performed, and arranged a day for them to assist us in installing the systems in our lab and performing the tests.For throughput testing, we used NetIQ's Chariot 4.3 network-performance application and Dell Latitude laptops with 256 MB of RAM running Windows 2000. We used Chariot's TCP-based unidirectional long file receive (filercvl) test script with 100 iterations of a 1-MB file. We tested both 802.11b and 802.11a capabilities with one and then four clients of each standard.
We ran each test in two directions: from the wired endpoint to the wireless client or clients (downstream); and from the wireless endpoint or endpoints to the wired endpoint (upstream). Laptops were located about five feet from the APs (access points).
We gave the vendors a choice of which client card to use for single-station testing, but confined them to a set array of cards for our four-station tests. Clients for our four-station 11b testing consisted of a Symbol Spectrum24 card, a Netgear 11a/b card and two Cisco 350 cards. For 802.11a four-station testing, we used a Proxim Harmony 802.11a card, an Intel card, a Netgear 11a/b card and a Proxim 11a/b/g ComboCard. We used a variety of client cards in our four-station throughput tests to reflect a real-world scenario and to assess basic interoperability.
Note that many factors influence the performance of real-world wireless networks. Our performance measurements provide only a crude comparison between products operating in a best-case lab environment. Results for all performance tests are shown on here.
WLAN Features |
We performed range testing for the APs in a central, ceiling-level location in a large walled classroom/office building constructed in the mid-1980s. Most walls were Sheetrock over metal studs, and most doors were metal with some glass. We restricted APs to minimum data rates of 5.5 Mbps for 11b and 12 Mbps for 11a, then measured maximum ranges based on packet loss. Comparative product ranges are illustrated left.To perform a simple test of subnet roaming (on products that supported this feature), we configured two APs on different subnets, on different nonoverlapping channels and with the same SSID (Service Set ID). We then performed an FTP transfer (a session-oriented protocol) from a local server in our lab as we roamed from one AP to the next and verified that the FTP session continued to run on the new subnet.
We conducted basic security testing for 802.1x using either Funk's Odyssey server or Microsoft's IAS, depending on vendor preference. For our supplicant, we used the Windows XP 802.1x client with PEAP.Syracuse University's School of Information Studies (IST) is moving to Hinds Hall, a fully renovated four-story, 50,000-square-foot building originally built in 1953.
A preliminary wired Ethernet design has been developed, built around a standard SU configuration. A Cisco Systems 4503 multilayer switch is used as a distribution-layer building backbone switch, with Gigabit Ethernet connectivity into the university's backbone and Gigabit Ethernet connections to Power over Ethernet-enabled Cisco Catalyst 3550 switches.
The estimated list price for the Ethernet backbone components is $63,410. RFP respondents were invited to overlay their wireless systems on top of the Cisco 3550/4503 infrastructure or propose an alternative wired infrastructure. Cost comparisons were made between each vendor's combined wired/wireless network.
IST is home to approximately 1,200 undergraduate, professional, master's and doctoral. students; 40 full-time faculty; 30 full-time research staff; and 30 administrative staff. Degree programs include a bachelor's in information management and technology; master's professional programs in information management, telecommunications, network management and library science; and a doctoral program in information transfer. All programs are computer-intensive. IST faculty members are also active researchers; per-faculty research funding at IST is higher than that of any other program at the university.The building structure consists of reinforced flat-slab concrete floors with concrete columns reinforced with steel bars. The renovated facility will have open ceilings and exposed mechanicals for modular cubical work areas, private offices, conference rooms, collaboration facilities, classrooms, labs and public areas. Wireless usage is expected to be highest in public and quasipublic areas, such as classrooms and labs.
Vendors were given guidance regarding anticipated user density in specific parts of the building, and were required to meet a minimum per-user average throughput goal of 500 Kbps.
IST's network is integrated into the campus network, and the program "insources" to the central IT organization for basic network services. Not unlike many other organizations, SU's central IT group has deployed a number of wireless hotspots around campus, using Cisco 350 and 1200 access points in public spaces, like the library and student unions, as well as in several campus departments. Even if the university were to move to a new wireless network supplier, it would want to preserve as much of its existing investment as possible.
Currently, among the labs, classrooms and offices, there are about 145 desktop computers and 70 notebooks communicating with servers running NetWare, Windows and Linux. IST has been given two IP subnets on the university's Class B network. In the next three years, IST expects an increase in the number of notebooks, PDAs and other wireless-capable devices, many of them student-owned machines. About 200 wireless notebooks are anticipated in 2004, increasing by at least 100 per year, and 20 percent of these are expected to be connected to the wireless network at any given time.
IST has found its existing Cisco wireless system to be adequate, but perhaps not suitable for the new building environment, where new technologies and applications, including converged voice, video and data, are expected to play a more prominent role. Like many existing Cisco customers, SU's central IT organization has a high comfort level with Cisco's product line, which has proved cost-effective and reliable. For it to consider alternatives, the value proposition must be very high and the new products must interoperate with existing wireless infrastructure devices. --Aris CastilloMany studies have been conducted in recent years to assess the return on investment associated with WLANs. In general, these studies have concluded that wireless delivers both efficiency and effectiveness benefits. In short, most knowledge workers perceive WLANs as making them more productive. They also like using it.If you need to document WLAN ROI systematically, the Wi-Fi Alliance has released a WLAN benefits calculator (see www.wi-fi.org/OpenSection/WLAN_Calculator.asp). Although this will help you document benefits, you still will need to assess the capital and operational costs on your own.
Capital costs represent 25 percent of the total cost of ownership, according to Chris Kozup, a program director at Meta Group. The remaining costs are operational.
Kozup says only a small percentage of his firm's clients bother to perform detailed WLAN ROI analyses. That's mainly because IT and its customers view wireless deployment as inevitable--a "no-brainer," according to some managers we've talked to. It usually makes more sense to focus resources on more pressing issues, like developing internal wireless policies and planning for implementation.
Within the majority of enterprises where strategic WLANs are not yet in place, pent-up demand for wireless is significant and broad. And there's no avoiding the budget pinch: Even a decision not to deploy wireless carries with it the cost of verifying that consumer-oriented wireless routers and other rogue devices aren't placed into service via back channels. That may mean significant expenditures to perform periodic scans, either with analyzers like AirMagnet or through a more sophisticated wireless monitoring system, like AirDefense's RogueWatch.
From a performance and reliability standpoint, except for SOHO environments and quasi-public spaces like conference rooms and cafeterias, it's usually impractical to think of WLANs as a true cable-replacement technology. An Ethernet network will offer performance and reliability that exceed even the best-designed wireless system.Thus, for mission-critical applications where the cost of downtime is high and mobility isn't absolutely essential, wired networks still make more sense.Syracuse University's School of Information Studies (IST) is moving to Hinds Hall, a fully renovated four-story, 50,000-square-foot building originally built in 1953.
A preliminary wired Ethernet design has been developed, built around a standard SU configuration. A Cisco Systems 4503 multilayer switch is used as a distribution-layer building backbone switch, with Gigabit Ethernet connectivity into the university's backbone and Gigabit Ethernet connections to Power over Ethernet-enabled Cisco Catalyst 3550 switches.
The estimated list price for the Ethernet backbone components is $63,410. RFP respondents were invited to overlay their wireless systems on top of the Cisco 3550/4503 infrastructure or propose an alternative wired infrastructure. Cost comparisons were made between each vendor's combined wired/wireless network.
IST is home to approximately 1,200 undergraduate, professional, master's and doctoral. students; 40 full-time faculty; 30 full-time research staff; and 30 administrative staff. Degree programs include a bachelor's in information management and technology; master's professional programs in information management, telecommunications, network management and library science; and a doctoral program in information transfer. All programs are computer-intensive. IST faculty members are also active researchers; per-faculty research funding at IST is higher than that of any other program at the university.
The building structure consists of reinforced flat-slab concrete floors with concrete columns reinforced with steel bars. The renovated facility will have open ceilings and exposed mechanicals for modular cubical work areas, private offices, conference rooms, collaboration facilities, classrooms, labs and public areas. Wireless usage is expected to be highest in public and quasipublic areas, such as classrooms and labs.Vendors were given guidance regarding anticipated user density in specific parts of the building, and were required to meet a minimum per-user average throughput goal of 500 Kbps.
IST's network is integrated into the campus network, and the program "insources" to the central IT organization for basic network services. Not unlike many other organizations, SU's central IT group has deployed a number of wireless hotspots around campus, using Cisco 350 and 1200 access points in public spaces, like the library and student unions, as well as in several campus departments. Even if the university were to move to a new wireless network supplier, it would want to preserve as much of its existing investment as possible.
Currently, among the labs, classrooms and offices, there are about 145 desktop computers and 70 notebooks communicating with servers running NetWare, Windows and Linux. IST has been given two IP subnets on the university's Class B network. In the next three years, IST expects an increase in the number of notebooks, PDAs and other wireless-capable devices, many of them student-owned machines. About 200 wireless notebooks are anticipated in 2004, increasing by at least 100 per year, and 20 percent of these are expected to be connected to the wireless network at any given time.
IST has found its existing Cisco wireless system to be adequate, but perhaps not suitable for the new building environment, where new technologies and applications, including converged voice, video and data, are expected to play a more prominent role. Like many existing Cisco customers, SU's central IT organization has a high comfort level with Cisco's product line, which has proved cost-effective and reliable. For it to consider alternatives, the value proposition must be very high and the new products must interoperate with existing wireless infrastructure devices. --Aris CastilloTotal cost includes
• Cost of Ethernet infrastructure (supplied by vendor or based on our $63,410 Cisco configuration)• Cost of vendor-provided infrastructure hardware (switch, APs and other devices)
• Cost of any required software
• Cost of installation (assuming $500 per AP)
Airespace: Airespace's total system cost, including Cisco switches, its Model 4100 WLAN appliance ($13,195) and 22 APs ($400), with installation, was $96,405. Its Air Control System, needed to manage multiple appliances or switches, costs $1,000.
Aruba: Aruba's total system cost, including Cisco switches, a starter setup consisting of one WS-5000 switch, supervisor module, and 10 APs ($38,995), 15 additional APs ($500), with installation, was $122,405.Chantry: Chantry's total system cost, including Cisco switches, a starter setup consisting of one Wireless Router and 4 APs ($14,900), 22 additional APs ($349), with installation, was $98,988.
CISCO: Cisco's total system cost, including switches, 40 1200-series dual-band APs ($1299) and the WLSE management system, with installation, was $143,865.
Enterasys: Enterasys provided two proposals, one with Cisco switches and one with its own switches. With the Cisco switches, Enterasys' proposed a configuration with 23 APs ($969 each), Netsight Manager ($20,940), with installation, was $118,137. Using Enterasys switches, the cost was $133,197.
Symbol: Symbol provided two proposals, one with Cisco switches and one with Foundry switches. With the Cisco switches, Symbol's proposed configuration with 24 11b and 24 11a APs ($249 each) and 3 switches (16,360), with installation, was $110,585. With Foundry switches, the cost was $98,130.
Trapeze: Trapeze's total system cost, including Cisco switches, 4 MX wireless switches with Gigabit Ethernet support ($7990 each), 24 single-band APs ($649 each), 19 dual-band APs ($899 each), system software ($11,975), with installation, was $162,222.
R E V I E W
WLAN Infrastructure
Sorry,
your browser
is not Java
enabled
Welcome to
NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon
above. The program components take a few moments to load.
Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.Click here for more information about our Interactive Report Card ®.
You May Also Like