This article is the first of two that discuss important issues in choosing a wireless vendor architecture and describes products from a small sampling of vendors.
The wireless LAN (WLAN) market has seen an outpouring of products from both start-ups and established network equipment suppliers. While these products all provide similar facilities, they differ in design. Nevertheless, no one design is best for every network. A product set optimal for a multi-building, campus wide network is not likely to suit a network extending over a single floor of one building. You need to examine each in terms of your current and future requirements, the size of your network, the level of traffic and the types of traffic to be carried.
Much of your attention has been focused on WLAN security, but you must also be cognizant of issues that arise as you scale up your WLAN to serve the entire enterprise, extend Virtual LANs (VLANs) to the WLAN, and add support for voice over wireless.
You must first analyze your requirements; what will be the physical extent of your WLAN, how many users and what level of traffic must it support, how many VLANs will you have, what applications will utilize the WLAN, and what are the Quality of Service (QoS) requirements of those applications? You may have no immediate plans for voice, but Voice over IP (VoIP) is proving to be an effective way to reduce costs. Once you have adopted VoIP, you will want to enable your users to make calls from anywhere within your facility. Voice support places QoS requirements on the WLAN, so you should plan for it now rather than have to replace equipment later.
Remember that whichever WLAN architecture you choose, you must integrate it into your existing network. Not only must users be able to access the same facilities on the wired and wireless networks, but your network management staff must also be able to diagnose problems in both networks and in the interaction between them.
Switches vs. APs
Recent wireless products are often referred to as Switched Wireless products, which is a misnomer. Some of the vendor architectures do include switches, but others do not. The same functions: encryption/decryption, radio management, authentication, intrusion detection and the ability for users to move through the WLAN must be performed in each architecture. Focusing on how each function is performed is an excellent way to understand each architecture.
All wireless architectures include Access Points (APs) consisting of minimally a radio and an ethernet port. Early WLANs consisted of a few APs scattered throughout an office area and providing coverage of isolated areas. Each AP had to be configured individually. As WLAN support was extended across the enterprise, the number of APs made individual configuration too time consuming. Recent products include a management package that enables groups of APs to be managed as a group.
Wireless traffic must be encrypted to maintain privacy, but WLAN architectures vary based on where the encryption is done. APs from Cisco Systems and others including Chantry Networks and Colubris Networks perform encryption and decryption in the AP.
Other vendors including Symbol Technologies and Aruba Networks have developed what they call "Thin APs," which have less powerful processors and less memory and hence are less expensive. Encryption and decryption are performed in switches designed specifically to support these APs. According to Symbol and Aruba, since you will need many APs and a few switches, reducing the cost of an AP will reduce overall network cost. Vendors that have not adopted the above approach counter that processor and memory costs in their APs are insignificant. You need to evaluate each architecture in terms of your own network, including equipment, training, installation, ongoing management, and support, to decide which is best for you.
Radio management is necessary in any network with more than a single AP. APs must be located close enough together so that there are overlapping areas of coverage between APs. Adjacent APs must transmit on different channels and transmit levels must be adjusted to avoid interference. Most vendors perform the calculations to perform this function in their switches or control stations.
In contrast, Chantry Networks' APs perform the calculations and communicate with each other directly. When one AP is approaching overload it directs a nearby lightly loaded AP to increase its transmit power. The overloaded AP reduces its power causing a user located between them to transparently switch APs.
Most WLAN vendors provide intrusion detection to identify unauthorized users and APs. Unauthorized APs are a danger because an employee may purchase a retail AP and plug it into his network port without turning on encryption or authentication, opening an enormous hole in network security. Most vendors' APs monitor the air around them for unauthorized users and APs and report them to network management.
But how about the case where someone plugs in an AP in an area where there is no WLAN, such as a warehouse? There are no authorized APs in the area. Colubris Networks has designed its access controller to detect activity on the wired network that indicates an unauthorized AP is installed somewhere on the network.
The second article in this series will discuss how WLAN products differ in how users are authenticated, VLAN support, and installation issues.
David B. Jacobs has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.