Steve Broadhead, director of Broadband-Testing Labs, explains how wireless Ethernet switches can work for the enterprise and looks at two products that have emerged from the world of wireless Lans
Wireless Lan standards have been changing - no sooner did we get a ratified standard in the form of 802.11b than along came 802.11a offering faster data transfer speeds of 54mbps. Hot on its heels was 802.11g with the same bandwidth as 802.11a but in the same 2.4GHz frequency as 802.11b.
The product architecture has also changed. The initial release of WLan products - those appearing before 2003 - followed a standard format. "Fat" access points, with intelligence built in, were attached to an Ethernet switch with client adapters and software added. To build in extra security you could add a third-party virtual private network gateway and client software.
But now there is a switch-based alternative, where a dedicated Ethernet switch provides the heart of the WLan and the access points have been slimmed down to relatively simple devices.
Here we take a detailed look at the features and functionality available on two switch-based products: Symbol's Wireless Switch System and Trapeze Networks' Mobility System.
A key differentiator is the history of the two companies. Symbol has been involved in the WLan market since its inception, having established itself in several vertical markets with technology such as barcode readers and scanners, as well as a full-blown WLan system.
Trapeze is a US start-up that features names from the wired Ethernet switch world who are now looking to make their mark in the wireless field.
Wireless Switch System
Symbol's focus is on controlling total cost of ownership. It says its wireless switch system lowers the cost of deploying network infrastructure by lowering the cost of managing, maintaining and upgrading wireless systems, due to the scalability and flexibility of its product.
This revolves around the switched architecture itself. It is based on the WS 5000 wireless switch, which centralises control and management for the wireless network. Intelligence that, until recently, had been designed into the access points of a WLan has been moved to a central switch with corresponding improvements in functionality and flexibility.
The switch is based on a Linux operating system, allowing new functions to be added easily, rather than requiring hardware upgrades. This centralised intelligence unifies network access, security, policy management and quality of service at the switch level. It enables easier definition of rules for quality of service and security, delivering more efficient network management, media independence and scalability.
The wireless switch connects via standard 100BaseT cabling and Ethernet switch or router ports to a choice of 802.11b AP100 or 802.11a/b AP200 access ports - Symbol terminology for an access point.
The access ports contain the WLan radio and antenna. Symbol said the key benefit of this approach is a smooth, cost-effective incremental growth, as access ports are less expensive than traditional "fat" access points. New technologies can be deployed without disrupting an existing WLan installation. Also, they can be mounted more or less anywhere.
Power can be distributed to access ports over Ethernet cabling using power injectors, so no connection to AC mains is required, as there would be for each traditional access point.
System management functions are available via an XML-based graphical user interface, a command line facility (using Telnet, the switch's serial port or PPP), and Java-based browsers. Using this interface, the wireless switch system can be completely controlled, regardless of the number of switches and access ports added.
From a performance perspective, the WS 5000 supports load-balancing (moving users from a congested access port to one with more available capacity), pre-emptive roaming and clear-channel detection for improved bandwidth utilisation, so that as you roam across different access points, performance is constant and does not degrade or drop out.
The wireless switch's quality-of-service options are extensive. Service classification and quality of service management options include support for the IEEE 802.1p traffic prioritisation standard, service fairness, support for virtual Lans (VLans, via IEEE 802.1Q), the ability to provide multiple simultaneous extended service set ID (ESSID) domains (providing multiple WLans on a single infrastructure), Layer 2/3 filtering, Dynamic Host Configuration Protocol, Network Address Translation and mobile IP.
This amounts to a wide range of options when it comes to controlling traffic across the WLan. Similarly, where security is concerned, Symbol offers tiered security, enabling customers to choose application-level security based on what is required and what their clients can use. Symbol gives all the standard options such as Wired Equivalent Privacy (WEP), 802.1X and WPA (dynamic WEP, supported by XP clients and others) as well as its own Keyguard encryption and Kerberos authentication options.
We put the Symbol system to the test in a number of ways, from basic performance to security and mobility tests. The focus was on Symbol's claim that the system maintains performance and application connections regardless of how many times the connection transparently moves between access ports as the user roams across the network. The results were excellent: problem-free, with no loss of connection at any point and good, sustained signal strength.
The ability to assign multiple extended service set IDs meant the impact of broadcast traffic on the network could be minimised. This not only saved valuable bandwidth but also improved the battery life of the portable client devices we used, as they were not required to "wake" from standby as often as regular broadcast traffic would force them to.
The signal coped with 60cm thick stone walls and reached the equivalent of the edge of a fair-sized company car park before losing connectivity (down to 2mbps minimum setting at that point). This kind of coverage also emphasised the importance of having a proper security policy in place, and again the Symbol product had a wide range of options that worked in practice.
Overall, we liked the flexibility offered by the Symbol system in all areas, the centralised point of management and the competitive starting price.
Trapeze Mobility System
Trapeze Networks' Mobility System sits somewhere between "fat" and "skinny" access-point architectures, with intelligence both in a dedicated switch and the mobility points. The system supports 802.11a and 802.11b standards on the same mobility point, with 802.11g support due shortly.
A Trapeze WLan consists of a number of different components. At the heart is the Mobility Exchange (MX) switch, which can be configured with redundant dual power supplies. This is effectively an Ethernet switch (20 x 10/100 ports plus two gigabit uplink ports) designed to be connected directly to the mobility points.
All the mobility points are dual-homed, so each can have a redundant link, and are powered over the wire using power over Ethernet. In addition to the mobility points, one or more Radius servers - depending on what level of redundancy you want - are attached to the MX. The Radius server works directly in conjunction with Trapeze's Ringmaster management software.
Whereas most network products are thought out with network management tagged on the end as a last resort, Trapeze has gone for a management-led approach.
The starting point of a Trapeze installation is not access points, switches or even WLan client adapters, but an Autocad drawing of your offices. Ringmaster software imports the drawing, then lets you tidy up the details (the more accurate the representation, the better the net results) before assigning values to each element, such as a wall or a door.
A drop-down list of options lets you assign thickness levels, material type etc, to each element. These are then used to calculate how to deploy a Trapeze system. This is based around a number of variable parameters such as the lowest connection speed you want users to connect at before going out of range.
It means that you can perform "what if" analyses before you order the products, as part of the pre-sales consultancy, to work out the most cost-effective method of deployment, given that there is always a trade-off between WLan speed and coverage.
On agreeing a specification, you can commit it to Ringmaster, which then creates a new diagram and report showing exactly where to place each element (mobility points etc), even down to which ports on the MX switch to use. Once the basic WLan hardware is deployed you can focus on the user management and security policies.
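The planning step described above (assigning material and thickness to each wall, then working out how far a given minimum rate carries) is essentially a path-loss calculation. As an added illustration, not Ringmaster's own model or code, the following uses a generic log-distance path-loss formula with per-obstruction losses; the wall attenuations, transmit power, reference loss and rate thresholds are all assumed sample values. It goes one step beyond the text by reporting how far past the building perimeter a usable rate still reaches, which is the coverage leakage the test results later highlight as a security concern.

```python
"""Added example: a simple RF coverage estimate of the kind a planning tool
performs from a floor plan. This is NOT Trapeze's Ringmaster or its model;
it uses a generic log-distance path-loss model plus per-wall attenuation,
and every material loss and rate threshold below is an assumed sample value."""
import math

# Assumed attenuation (dB) per obstruction type; constructed sample values.
WALL_LOSS_DB = {
    "plasterboard": 3.0,
    "brick": 8.0,
    "stone_60cm": 18.0,
    "glass_door": 2.0,
}

# Assumed minimum received signal (dBm) needed to hold each 802.11b rate.
RATE_THRESHOLDS_DBM = [(11.0, -82.0), (5.5, -85.0), (2.0, -88.0), (1.0, -91.0)]


def path_loss_db(distance_m, obstructions, exponent=3.0, ref_loss_db=40.0):
    """Log-distance path loss at 2.4 GHz plus the loss of each obstruction crossed.
    ref_loss_db is the assumed loss at 1 m; exponent 3.0 approximates an office."""
    if distance_m < 1.0:
        distance_m = 1.0
    loss = ref_loss_db + 10.0 * exponent * math.log10(distance_m)
    for kind in obstructions:
        loss += WALL_LOSS_DB[kind]
    return loss


def received_dbm(distance_m, obstructions, tx_dbm=15.0, gains_db=2.0):
    """Received signal strength for an assumed 15 dBm radio with 2 dB antenna gain."""
    return tx_dbm + gains_db - path_loss_db(distance_m, obstructions)


def best_rate_mbps(rssi_dbm):
    """Highest rate whose (assumed) threshold the received signal still meets."""
    for rate, threshold in RATE_THRESHOLDS_DBM:
        if rssi_dbm >= threshold:
            return rate
    return 0.0


def reach_m(min_rate_mbps, obstructions, step_m=0.5, limit_m=500.0):
    """Largest distance (in step_m increments) at which the link still holds min_rate_mbps."""
    d = 1.0
    while d <= limit_m and best_rate_mbps(received_dbm(d, obstructions)) >= min_rate_mbps:
        d += step_m
    return d - step_m


def leakage_report(min_rate_mbps, wall_kinds, perimeter_m):
    """How far beyond the building perimeter a client could still attach at min_rate_mbps."""
    r = reach_m(min_rate_mbps, wall_kinds)
    return {
        "reach_m": r,
        "leaks_beyond_perimeter": r > perimeter_m,
        "overshoot_m": max(0.0, r - perimeter_m),
    }


if __name__ == "__main__":
    # Constructed scenario: one 60cm stone wall, perimeter 15 m from the access point.
    print(leakage_report(5.5, ["stone_60cm"], 15.0))
```

Lowering the minimum acceptable rate extends coverage but also extends how far outside the walls an unauthenticated client can attach, which is why the planning trade-off and the authentication policy need to be decided together.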
The Trapeze Mobility system uses a combination of VLans and user account policies to define which areas of the WLan any given user or group is able to access. VLans can be restricted to a single mobility point or spread across several. A "last resort" configuration option is provided to allow any user access to the WLan, but bypassing all network components apart from the internet gateway - for those who simply want to scrounge internet access.
Trapeze also offers quality/cost of service policies by providing a switch-based system to enable bandwidth to be nailed down for specific applications, such as voice over IP.
Security options are many and varied. The industry standard - and globally slated - WEP key-based authentication is provided but not recommended by Trapeze. Instead it uses IEEE 802.1X authentication, which carries the Extensible Authentication Protocol (EAP) and so offers a full suite of secure authentication methods. Importantly, authentication occurs after a wireless client has associated with a mobility point and is enforced at that point, so all activity after IP address assignment comes from an authenticated client and is protected.
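The 802.1X exchange the paragraph describes is carried in EAPOL frames containing EAP packets. As an added example, not Trapeze's implementation or anything from the page, the following decodes the EAPOL and EAP headers and checks whether a captured trace actually ends in an EAP Success, which is the kind of check a defender runs to confirm that clients are authenticated before they get network access. The sample frames and the identity string are constructed, and the method table lists only a few well-known EAP type codes; the page does not say which EAP methods Trapeze supports.

```python
"""Added example: decoding 802.1X EAPOL/EAP headers and checking that a trace
ends with a successful authentication. Illustrative code, not Trapeze's; the
sample exchange below is constructed and carries no real credentials."""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak",
               4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def parse_eap(body: bytes) -> dict:
    """Parse an EAP packet: code, identifier, length, then a type byte for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # Request and Response carry a method type byte
        if length < 5:
            raise ValueError("EAP Request/Response missing type byte")
        method = body[4]
        eap["method"] = EAP_METHODS.get(method, f"unknown({method})")
        eap["data"] = body[5:length]
    return eap


def parse_eapol(payload: bytes) -> dict:
    """Parse an EAPOL PDU (the bytes after the Ethernet header, EtherType 0x888E)."""
    if len(payload) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than declared length")
    result = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result


def build_eapol(ptype: int, eap_body: bytes = b"") -> bytes:
    """Encode an EAPOL PDU (protocol version 1)."""
    return struct.pack("!BBH", 1, ptype, len(eap_body)) + eap_body


def build_eap(code: int, ident: int, method=None, data: bytes = b"") -> bytes:
    """Encode an EAP packet; Success/Failure carry no method byte."""
    payload = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# Constructed sample exchange: supplicant starts, authenticator requests identity,
# supplicant answers, authenticator announces success. (No real credentials.)
SAMPLE_EXCHANGE = [
    build_eapol(1),                                            # EAPOL-Start
    build_eapol(0, build_eap(1, 1, 1)),                        # Request/Identity
    build_eapol(0, build_eap(2, 1, 1, b"alice@example.test")), # Response/Identity
    build_eapol(0, build_eap(3, 1)),                           # Success
]


def exchange_authenticated(frames) -> bool:
    """True only if the trace contains a Response and its last outcome is EAP Success."""
    saw_response = False
    outcome = None
    for frame in frames:
        eap = parse_eapol(frame).get("eap")
        if not eap:
            continue
        if eap["code"] == "Response":
            saw_response = True
        elif eap["code"] in ("Success", "Failure"):
            outcome = eap["code"]
    return saw_response and outcome == "Success"


if __name__ == "__main__":
    for frame in SAMPLE_EXCHANGE:
        print(parse_eapol(frame))
    print("authenticated:", exchange_authenticated(SAMPLE_EXCHANGE))
```

A real capture would also show the inner method exchange (for example EAP-TLS or PEAP) between the identity response and the result; the length checks matter because a truncated or inconsistent length field is exactly what a malformed frame looks like to a monitoring tool.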
The tests Trapeze Mobility was put through included rogue mobility point/user detection, where it used the plan of the network - as developed from the initial Autocad drawing - to identify the location of the rogue to within about two feet.
The testers also carried out real-world tests using concurrent 802.11a and 802.11b configurations and were able to get about 15m outside the labs - through 60cm stone walls - and still attach at 5.5mbps. This augurs well for locations such as offices in London where these types of structures are common. It also shows the need to deploy a tightly authenticated, secure WLan if you are to keep out unwanted users.
Redundancy tests showed that a failed mobility point connection failed over in about 25 seconds, with normal service then resumed. And multiple mobility point paths into a VLan ensure that multiple connection paths are always available.
Overall, we were very impressed with the way Trapeze has developed its WLans with its mobility system. This is genuinely a second-generation product, and has been designed to integrate with the existing network, rather than appear as an alien second network which begrudgingly converses with its wired cousin.
The system also has all the features you would expect to find in a corporate-level product, unlike some more obviously home-network-oriented products.
Steve Broadhead and Broadband-Testing Labs
Steve Broadhead runs Broadband-Testing Labs, a spin-off from independent test organisation the NSS Group.
His IT and networking experience dates back to the early 1980s, where he worked deploying and managing PC networks for two insurance companies, after which he made a sideways move into computer journalism.
In 1991 he formed Comnet, which became the NSS Group, with Bob Walder, specialising in network product testing for suppliers and the publishing industry.
In 1998, Broadhead created the NSS labs and seminar centre in the Languedoc region of France, offering a wide range of test and media services to the IT industry. Now named Broadband-Testing, it focuses on network infrastructure product testing and related areas.
Author of recent DSL and Metro Ethernet reports, Broadhead is now involved in a number of projects in the broadband, mobile, network management and wireless Lan areas, from product testing to service design and implementation.