The invitations we sent to 18 vendors included qualification criteria: centralized configuration management; support for 802.11a, 802.11b, WPA and 802.11i (but not necessarily WPA2 certified); rogue AP detection capabilities; high-availability options; radio resource management; and traffic prioritization via WMM (Wi-Fi Multimedia) or some other mechanism. We knew few products would meet all these prerequisites, but to our surprise, only four vendors--Airespace, Aruba, Cisco and Trapeze--have products that met our qualifications and agreed to put their gear where their marketing mouths are. Not surprisingly, most experts consider these four vendors the technology leaders in the enterprise WLAN market. For a rundown of vendors that declined or didn't qualify, see "The No-Shows."
Gone are the days of having to use a single vendor's APs and switches or modifying your wired network to accommodate your IP addressing scheme. We put each vendor's APs into any arbitrary network, and based on DHCP information or DNS resolution, talked back to the switch by way of a tunneled connection, with each AP serving up multiple Layer 3 networks depending on ESSID (Extended Service Set ID). Yes, you'll still need to run wire to every AP location--no vendor offers robust wireless backhaul capabilities yet. But deploying wireless APs has never been easier: Each system provides a mass-deployment scenario with support for the IEEE 802.3af Power over Ethernet standard, so once wired runs are in place, it's just a matter of assigning a name or location.
As for security, we've made major strides. The IEEE 802.11i standard, ratified in June, provides authentication and privacy services using 802.1X and RADIUS. Elements of the standard were incorporated into the Wi-Fi Alliance's WPA2 certification program in September. Cisco and Airespace have received WPA2 certification for many of their products. Aruba's 5000-series switch is certified with its 52 AP (not provided for this review). Trapeze, which cast its lot with 802.1X and RADIUS while other vendors stressed VPNs, has yet to obtain WPA2 certification. Nonetheless, all the systems we tested established secure and encrypted connections with the WPA2 supplicants we used (see "WPA2 in the Rough" for details). And none had problems with mixed-mode encryption--using two types of encryption, such as WPA/TKIP (Temporal Key Integrity Protocol) and WPA2/AES, with one ESSID. Those who prefer to employ a VPN instead of WPA2 will find integrated VPN termination capabilities in offerings from Airespace and Aruba.
Vendors at a Glance
On the wireless IDS front, results were mixed. All the products support rogue AP detection, but they diverge from there. Cisco partners with AirDefense to add mature IDS capabilities. Aruba and Airespace integrate these services on their platforms; both have partnered with other vendors to provide client integrity checking and application-based NAC (network access control): Airespace works with InfoExpress and Zone Labs (a Check Point company), while Aruba partners with Fortinet, Sygate and Zone Labs. Trapeze's security story is, in a word, underwhelming.
Roaming services are a fundamental function of any wireless network, but testing these capabilities proved both challenging and enlightening. In the past, we simply walked around with a laptop running an FTP session and verified that a connection was maintained as the client moved between APs. This time, we used the Azimuth W-Series WLAN Test Platform to measure roaming events more precisely. For each roam, we received a report listing the time from the last data to the last time acknowledged, from the last acknowledgement to the first probe request, and so on.
Although the resulting granularity was overwhelming at times, these tests did reveal that the cards' roaming algorithms and behavior account for the largest delays, sometimes by several orders of magnitude. The best results were between Cisco's CB21AG card and its 1131AG access point. In open roaming, we saw times of about 20 milliseconds from the last data on the source AP to the first data on the target AP. Generally, roaming times ranged between one and three seconds. But buyer beware: WLAN infrastructure vendors will choose numbers selectively, highlighting their own systems' performance. To be fair, roaming behavior changes substantially between client cards, and customers must be cognizant that client-controlled roaming remains a problem.
One important factor in any enterprise deployment is high availability. As wireless deployments evolve from tactical to pervasive and strategic, WLAN uptime must near that of its wired cousins. Implementing a dense AP design optimized for throughput rather than coverage fills the bill and also enhances fault tolerance, letting APs fill in coverage for a failed component by automatically raising their power levels and coverage areas.
Likewise, the systems we tested provide controller redundancy, albeit not the lightning-quick failover you're accustomed to on wired devices. Aruba impressed us with its seven- to nine-second failover time. Cisco didn't fare as well, requiring one to two minutes to restore service when we knocked off its primary switch. Considering that Cisco's ratio of supported APs to switches can reach 300:1, a failure of the wireless blade (WLSM) or the Catalyst 6500 could put the entire WLAN on hold. Our take: The ability to reliably and consistently fail over in several seconds without disconnecting clients is a must-have.
In our invitation, we specified that we'd primarily evaluate the suitability of WLAN systems for deployment in an enterprise, while considering campus, headquarters and branch-office deployments. We asked vendors to send a minimum of five APs and enough switches to replicate a dense wireless service deployment with high availability.
As in our previous review, Airespace aced our performance tests, boasting top speeds for most 802.11a/b/g tests, upstream and downstream, combined with generally good coverage that exceeded that of Cisco's setup, despite Cisco's newer 802.11a chipset. In our mixed-mode b/g tests, Airespace led the pack at an aggregate speed of 10.9 Mbps, almost 2 Mbps faster than Cisco.
Airespace's system is more distributed than Aruba's or Cisco's, so large installations will probably need lots of controllers (Airespace's term for switches). So though its APs cost half as much as Cisco's, you may need to spend more money on the back end. To get ballpark pricing, we presented the vendors with three scenarios:
1. A large, multifloor building with five floors covered and about 50 APs
2. A multibuilding campus with 25 buildings, with an average of 25 APs per building and VPN support
3. A distributed company with 15 branch offices
You'll find a quick-reference pricing chart to the left. More detailed pricing can be found here.
Airespace took a bit of a beating with its pricing. It was never significantly more expensive than the others, but neither was it the most economical. In our multibuilding campus scenario, its price was almost double that of Aruba's and just second to Cisco's, quite a feat considering Cisco required six Catalyst 6500s. A rough comparison of switches alone shows Airespace has one of the higher per-port costs. The company needs to fill the gap between its 4100 system, which maxes out at 36 APs, and what Aruba and Cisco offer with their high-AP systems. As for Trapeze, its pricing was middle of the road.
The last time we tested Airespace's products in our labs, they performed without a hitch, and this time around we enjoyed the same experience, earning the company its second Editor's Choice award in as many reviews. Airespace's APs are sophisticated and flexible, its WLAN system is mature, and the company has made enough strides to catch Cisco's eye--Airespace is heavily involved in several IEEE and IETF committees and study groups, and Alcatel, NEC and Nortel Networks resell its gear, for a while longer, anyway.
Mixed Mode Results
Aruba's single-radio AP made it the most affordable offering in this review, though back-of-the-napkin calculations show that had it gone with its new dual-radio AP, it would have been the most expensive entry in every scenario except No. 2, where it would have come in second. But the stability of Aruba's system and its performance numbers couldn't quite match those of Airespace. On the positive side, Aruba provides lots of granular access control and has built a reasonably strong Web interface without requiring a separate Win32 box.
Cisco delivered the only product that didn't require a software upgrade during our tests, which hints at a higher internal QA testing standard. Every element was very stable, and its APs demonstrated that vaunted Cisco-engineered quality. The system impressed us with an aggregate throughput of almost 50 Mbps between its a and g radios on a single AP, 3 Mbps and 4 Mbps faster than Airespace and Trapeze, respectively. It also kept pace with the leader in security features.
As for Trapeze, security was weak: Although we could assign APs as dedicated sensors, Trapeze's insufficient IDS support meant we could find rogue APs and ad hoc clients, but couldn't identify DoS attacks or signatures. Performance results were mixed as well (see our mixed-mode test results on the right and other results here).
Airespace's architecture hasn't changed much since our previous tests. (Why mess with success?) Airespace sent us two 4024 switches with cryptographic cards to support VPN services. It also showed us its smaller 3500, which supports as many as six access points (the company's 4012 controller supports 12 APs; the 4100, 36 APs). We rounded out the lineup with 1200 APs and 1200R remote-office APs.
We could stack switches in the data center or distribute them more closely to the APs--for example, one per building or several stories. In either case, N+1 redundancy between switches is possible, but per-controller scalability is limited to just 36 APs at the top end. In contrast, Aruba and Cisco sell models that support 256 and 300 APs, respectively. Our 4024s support as many as 24 APs; we tested them with AireWave Director 2.2 running on each box.
Switches join "mobility groups," Airespace's approach to coordinating the activity of related but physically separate boxes. Although switches offer individual command-line and Web interfaces, which could be useful for small, single-device installations, we performed most of our management from the elegant, scalable Airespace Control System Web management platform.
System configuration was a snap, though IP address assignment was less intuitive than we would have liked (we ran into this with Aruba, too). We easily created new WLANs with all the necessary settings and pushed them to our switches. Adding new APs couldn't have been easier: Once we created an entry in our DNS server to point to one of the switches, APs in different subnets resolved a software-defined host name to establish communications and configure themselves using LWAPP (Lightweight Access Point Protocol).
One thing we didn't like: We had to assign an IP address for each subnet we wanted the switch to trunk; Aruba and Trapeze let us use IEEE 802.1q tagging without this. Airespace says this will be addressed in the next major release. But even if a switch doesn't host a certain subnet, it can set up a tunnel to a switch that does, if a client roams onto it.
Airespace's auto-RF capabilities dynamically adjust an AP's power output and channel selection based on the environment. This is a powerful capability, provided changes are applied conservatively to avoid unintended consequences. Our tests left us confident that Airespace engineered enough dampening controls that the system will be responsive without port flapping.
Airespace's location and rogue-detection capabilities, which require RF training via a walkabout with a mobile device, also proved superior. In spite of the fact that these APs played a dual role of rogue and location detection, performance remained strong. Unless your security policy dictates dedicated sensors for intensive monitoring and rogue mitigation, Airespace's APs should perform well in a dense deployment. Aruba takes a different tack by recommending dedicated sensors; but though Aruba's sensors are priced at less than half of Airespace's, the additional cabling and switch port costs are a sticking point.
Although it threw a few wrenches into our testing, we liked Airespace's WLAN safety control scheme. First, it ignores client-side de-authentications as a way to minimize damage from a DoS (denial of service) attack or other malevolent activity. Second, rate-limiting is performed on the number of new clients that can attach, to thwart a load-based DoS attack. Finally, it acts as a DHCP proxy to learn client IP addresses and mitigate an IP-address resource depletion attack.
Detailed Pricing Chart
Load balancing was top-notch as well. In tests, clients in an idle state were reliably moved between two APs. Some wireless administrators might consider client manipulation by sending 802.11 disassociate requests somewhat aggressive, but remember that client cards don't have a system-wide capacity perspective.
Some nits: Airespace was not as granular as Aruba and Trapeze in assigning WLAN and security policies to users. Although Airespace does support assigning VLANs to users via a RADIUS attribute, we found no way to assign a specific RADIUS server to certain WLANs; this could be problematic in multivendor environments, such as airports. In addition, the Web portal isn't particularly strong. Airespace says its customers aren't asking for that feature, which is popular mainly in university and hotspot deployments.
Although Airespace doesn't offer much high availability by way of redundant power supplies or controller cards, it did have one of the better failover times. Both Aruba and Trapeze assign one switch or appliance a special mode, such as "master" or "seed," but in the Airespace realm, all are created equal. Based on N+1 failover capabilities, the system kept on humming with any single failure, as long as there was sufficient capacity among the switches in our mobility domain, or even simpler, a spare switch with the capacity to handle the largest controller's load. Each AP can be assigned as many as three "home" switches, and if all are unavailable, it will search for other available switches. On failover, we were without connectivity for just 17 to 20 seconds, and a controlled failback produced only about four seconds of downtime.
Airespace Wireless Enterprise Platform. Airespace, (408) 635-2000. www.airespace.com
Because testing switch scalability was not part of this review, Aruba sent a pair of Aruba 2400 grid controllers for evaluation instead of an appliance from its Aruba 5000 line, as it did last time out. The 2400 supports about 50 APs, while the 5000-series appliances support 256 APs. The company also offers a lower-capacity model, the Aruba 800, for small- or branch-office deployments up to 16 APs. For APs, Aruba sent its Aruba 61 GP (grid point, Aruba's nomenclature for access point). The 61 GP's low price helped Aruba undercut the competition in two of our three pricing scenarios. Unfortunately, this is one instance where you get what you pay for--the design seemed much flimsier than Airespace's or Cisco's, and our tests revealed that using off-the-shelf APs cost Aruba in performance.
The Aruba 61 GP includes just one radio that serves b/g or a clients, but not both simultaneously, a significant step back from its earlier Aruba 52 GP, which sells for about $300 more and includes dual-radio support. Aruba recently announced its Aruba 70, a dual-radio GP priced less than $600.
Unlike Airespace's setup, which uses a separate Win32 box for management, one or more Aruba switches are designated as master switches, while others are slaves. Master switches can be configured in redundant mode for high availability, and slaves need only a basic setup. We made our detailed configuration choices on our masters; settings were then pushed to the slave switches. This hierarchical model likely has limitations with distributed deployment of master switches in relation to slaves.
Rather than assign a certain configuration to each switch, each AP is assigned a location, in x.y.z format, where configurations can be inherited hierarchically from those sharing the same x or y values. This made it easy to create a default configuration for all APs, then assign unique settings to groups and subgroups of access points, perhaps based on function or building location.
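As an added illustration (not Aruba's code or configuration syntax), the sketch below models the x.y.z inheritance just described and shows the audit a security team would want alongside it: flagging APs whose effective cipher ends up weaker than the default because of a group or per-AP override. The setting names, profile values and cipher ranking are assumptions constructed for the example.

```python
# Added illustration: a generic model of x.y.z location inheritance.
# Setting names, values and the ranking below are assumptions for this
# example; they are not Aruba configuration keywords.

# Relative strength of link-layer protection (higher is stronger).
CIPHER_RANK = {"open": 0, "wep": 1, "tkip": 2, "aes-ccmp": 3}

# Constructed sample profiles. The key is a location prefix:
#   ()        -> default for every AP
#   (x,)      -> all APs sharing x (e.g. a building)
#   (x, y)    -> all APs sharing x and y (e.g. a floor)
#   (x, y, z) -> one specific AP
PROFILES = {
    (): {"cipher": "aes-ccmp", "essid": "corp", "tx_power": "auto"},
    (1,): {"essid": "corp-hq"},
    (1, 2): {"cipher": "tkip"},  # floor with legacy handhelds
    (2,): {"tx_power": "low"},
    (2, 1, 7): {"cipher": "wep", "essid": "warehouse-scanners"},
}


def parse_location(text):
    """Parse an 'x.y.z' location string into a tuple of three ints."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("location must be x.y.z with numeric parts: %r" % text)
    return tuple(int(p) for p in parts)


def effective_config(location, profiles=PROFILES):
    """Merge profiles from least to most specific prefix.

    Returns (settings, sources), where sources records which level
    supplied each setting so an override can be traced back.
    """
    loc = parse_location(location)
    settings, sources = {}, {}
    for depth in range(len(loc) + 1):
        prefix = loc[:depth]
        label = ".".join(str(n) for n in prefix) or "default"
        for key, value in profiles.get(prefix, {}).items():
            settings[key] = value
            sources[key] = label
    return settings, sources


def audit_cipher_downgrades(ap_locations, profiles=PROFILES):
    """List APs whose inherited cipher is weaker than the default.

    Each finding is (location, effective cipher, level that set it).
    """
    baseline = CIPHER_RANK[profiles[()]["cipher"]]
    findings = []
    for location in ap_locations:
        settings, sources = effective_config(location, profiles)
        if CIPHER_RANK[settings["cipher"]] < baseline:
            findings.append((location, settings["cipher"], sources["cipher"]))
    return findings


if __name__ == "__main__":
    # Constructed AP inventory for the demonstration.
    for finding in audit_cipher_downgrades(["1.1.1", "1.2.5", "2.1.7", "3.1.1"]):
        print("weaker than default: AP %s uses %s (set at %s)" % finding)
```

Recording the source level for each setting is what makes the audit actionable: the finding points at the group override to review rather than at every AP that inherits it.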
Aruba's CLI is modeled after Cisco's IOS, making those comfortable in that environment immediately productive. The Web interface, however, is not as simple to use as Airespace's. To view details about a specific AP, for example, we had to select a radio button, then click a button at the bottom of the page. Moreover, the interface offers no online help; you'll need to study the PDF manual or printed documentation.
Aruba has always placed a high value on security, and it shows. Unlike rivals, Aruba performs Layer 2 encryption--RC4 for WEP (Wired Equivalent Privacy) and AES for CCMP (Counter Mode CBC MAC Protocol)--on the switch's Cavium chip, instead of on the AP. This makes it easier to upgrade to newer encryption technologies and ensures that whatever Layer 2 encryption is in use will extend from the wireless client to the switch. This will appeal to organizations that lack confidence in the security of their wired networks' distribution and/or access layers. On the other hand, performing encryption at the core prevents the AP from executing any advanced or dynamic frame manipulation, such as QoS for downstream traffic.
Scalability also could be a problem with all the cryptography centralized in one chip instead of distributed across many APs--doing crypto in the controller requires more powerful controllers or faster crypto modules, all else being equal. The company claims 400 Mbps of encrypted throughput on its Aruba 2400, which is rated to handle about 50 APs, about 8 Mbps each. Do the math and you'll see the need to assess anticipated traffic patterns and design your wireless switching infrastructure accordingly.
Like Airespace, Aruba let us use VPNs to provide Layer 3 security while still enabling subnet roaming. Organizations that don't want to wrestle with the complexities of supporting WPA or want to allow a combination of WPA2 and VPN security may favor this method. Aruba's VPN support includes a downloadable agent that configured our Windows 2000 and XP native IPsec clients for use with their systems. This approach worked like a charm, and we got a third-party VPN client to connect as well.
Like Cisco, Aruba included an ICSA-certified firewall. We could associate access with specific users and policies, giving us the best integration and control among the products we tested. Departments seeking segregation, remote offices and small businesses should find this tightly integrated firewall a security boon; of course, enterprise security teams might see it as just another function to manage. Regardless, all WLAN vendors should follow Aruba's lead and develop a tighter coupling between individuals, policies and control at the network edge.
For all Aruba's impressive security chops, and though it had all the pieces in place, we couldn't give it top marks for performance and stability. During our WPA2 association capacity tests, which admittedly stressed the products to a level not likely experienced by most organizations, Aruba's switch spontaneously rebooted. A new build resolved that issue. However, at 7.6 Mbps, mixed-mode 802.11b/g testing showed the lowest results in this roundup, and even pure 802.11g testing gave us only 16.9 Mbps. With Aruba's adaptive radio management enabled, we couldn't sustain a baseline of seven VoWLAN calls with any reasonable call quality. We question the capability of a system that needs rogue detection turned off to provide VoWLAN service. In response, Aruba recommended we deploy additional APs to act as air monitors for VoWLAN. After we optimized all possible settings, this setup aced our traffic-laden VoWLAN test, with the best R-value (the ITU's G.107 spec for determining call quality) and significantly less jitter than rivals.
On the other hand, roaming times for Aruba's WPA-associated clients were about eight to nine seconds, compared with less than two seconds for rivals. Aruba officials said the problems were configuration-related, but despite running these tests multiple times using different APs and client cards, we couldn't resolve the issue before our testing period expired.
Aruba's use of VRRP (Virtual Router Redundancy Protocol) made configuring for high availability relatively easy. One switch is designated as the master and it advertises to one or more slaves. If the master switch fails, then, based on a weighting scheme, one slave on the same subnet takes over the master's IP address. APs think they're talking to the same switch and experience only a short connectivity loss. We had failover times down to seven to nine seconds but were never able to get near the same results on failback, though we worked closely with Aruba to identify the problem.
Aruba 2400 Wireless LAN Switching System. Aruba Wireless Networks, (408) 227-4500. www.arubanetworks.com
Last time around, Cisco didn't have much of a switch story to tell. And now, even after being teased on the WLAN playground for its switches' obesity, Cisco sent us yet another heavyweight--a blade for its Catalyst 6500 that scales WDS (wireless domain services) from the 60 APs supported on a standalone AP to 300. WDS is the aggregation point for a multitude of RF statistics and rogue information, and it caches security credentials, enabling fast Layer 3 roaming across a wider area. Cisco's 1100-series APs sport a new look, while its sturdier 1200-series devices now support external antennas in the 5-GHz range. Also new is an 11a chipset that provides a credible 5-GHz enterprise solution.
Cisco's architecture and acronyms can be confusing, so here's a quick overview: The WLSM, or Wireless LAN Services Module, is a blade that slides into a Catalyst 6500 chassis. It has all the functionality of WDS but scales to the aforementioned 300 APs; Cisco hints it will support even more in the future. The WLSM requires another high-end switching blade, the Supervisor 720, to terminate mGRE (multipoint Generic Routing Encapsulation) tunnels for each wireless network or SSID an AP serves. Cisco's WLSE (Wireless LAN Solutions Engine) is a 1U Linux server that aggregates and analyzes RF traffic forwarded by the WDS and is the management, configuration and alerting piece of the puzzle. Got that?
Cisco's primary goal with its SWAN (Structured Wireless-Aware Network) architecture is to fully integrate the wireless into the wired network. Hence the use of a blade that plugs into its enterprise switching chassis so that wireless users can employ the same firewall, VPN and Web authentication systems wired users enjoy, all wrapped up in a similarly scaled package.
For the most part, Cisco has succeeded, albeit not without complexity. Configuration, intelligence and processing power reside on its APs, but don't mistake intelligence for simplicity: Airespace, Aruba and Trapeze all made setup easier. Two of the more complex tests we ran--multicast and Web authentication--required protracted configuration of the product and re-configuration of our host network. Although Cisco says it supports out-of-the-box deployment of its APs through DHCP and WLSE, this was not demonstrated to us. During their extended visit, Cisco engineers configured APs using the command-line or the Web interface, not WLSE's AP template. This added complexity gave us agita, but it may be more of a problem for product reviewers than IT pros accustomed to investing lots of time implementing new systems.
As we mentioned, the quality and stability of Cisco's devices are impeccable. With its own CB21AG client card, Cisco turned in the best performance in most of the rate-versus-range tests, but performance fell off sharply with the Proxim Orinoco card. Those who use LEAP (Light Extensible Authentication Protocol) and EAP-FAST (EAP Flexible Authentication via Secure Tunneling) with Cisco's CCKM (Cisco Centralized Key Management, a proprietary prerequisite for fast, secure roaming) will enjoy sub-50-ms roaming times when using Cisco 350 cards--an end-to-end Cisco architecture will yield the best roaming performance. The CB21AG card currently supports only LEAP; CCKM with EAP-FAST support are slated for late Q1.
VoWLAN tests with data load resulted in an R-value that fell slightly short of Aruba's, with double the jitter. Although the Catalyst 6500 provides plenty of redundancy by way of extra power supplies and supervisor cards, and supports nonstateful one-to-one failover, it had the highest failover times of any product tested. In the best sample, failover happened in less than one minute; in the worst, almost two minutes. Cisco promises its next major WLSM code release will include stateful failover and should approach sub-second failover times. If that holds true, Cisco's WLAN system will mirror its wired products' failover capabilities and far exceed those of competitors.
In spite of Cisco's wireless/wired integration mantra, it has partnered with wireless IDS company AirDefense to provide enhanced security services, instead of capitalizing on its existing IDS blade or dramatically expanding WLSE capabilities in-house. Cisco demonstrated the first stage of this integration, which has been deployed only to select customers. We were impressed and look forward to seeing the second stage, which is scheduled to ship in the first half of this year and will essentially enable sensorlike functionality to Cisco APs instead of requiring AirDefense sensors. Information from the APs will be passed on to the AirDefense server (at an additional cost), and information exchanged between AirDefense and WLSE to synchronize information--for example, if a first-time wireless client connects over 802.1X with valid AirDefense credentials--will change that client from "rogue" to "known."
The price tag for a system that includes redundancy in a large campus environment exceeded $870,000, more than twice Aruba's cost. In Scenarios 1 and 3, Cisco did not quote its expensive Catalyst 6500 with bladed WLSM. If Scenario 1 had included a Catalyst, the price would have quintupled to $220,000. Small environments should be able to get by with an existing AP acting as the WDS, but VPN support and fast secure roaming between subnets will be sacrificed. Cisco should introduce a complete WLSE and WDS system priced and sized for small and midsize businesses; the company says it is well aware of the functionality gap. Maybe its acquisition of Airespace will help fill this niche.
Catalyst 6500 Series Wireless LAN Services Module, Aironet 1131AG. Cisco Systems, (800) 553-6387, (408) 526-4000. www.cisco.com
Trapeze sent us its MX-20 switch, which supports as many as 40 APs, and several MP-252 APs, all running the recently released version 3.0 of Trapeze's Mobility System Software. Trapeze has a wide variety of switches, from an MXR-2 for branch-office deployments to its MX-400, which tops out supporting 100 APs, but the company is probably best known for its RingMaster planning, deployment and management tool.
Trapeze's MP-252 is a nicely designed, smoke-detector-shaped AP that includes two dual-band radios and dual Ethernet connectors, which let us dual-home the devices to multiple controllers, but system performance and functionality were somewhat lacking.
Trapeze's architecture is similar to Aruba's. One switch, or "Mobility Exchange" in Trapeze lingo, is designated the main switch, or "seed," while others participating in the mobility domain are "members." APs physically attached to the switch are called MPs (Mobility Points); unattached APs are dubbed DAPs (Distributed Access Points). Trapeze, like Airespace, required a separate Win32 box to run RingMaster. But in contrast to Airespace's setup, you must access it through a Win32 app instead of a Web interface. This meant we were tied to the system where we'd installed the app. There is an option to install on a local server, which performs some RF and data aggregation; we hope this leads to a Web interface. One neat feature: With RingMaster we imported floor plans and assigned dB-loss values to walls and other construction, and the software optimally placed our APs on the map and even generated a bill of materials.
The MX-20 proved something of a hindrance in our rogue detection because it polls every 5 minutes, which means on average it will take 2.5 minutes for a new rogue AP to show up. We configured individual switches using a primitive Web console or the more complete CLI. Trapeze engineers working with us in the lab chose to configure each switch and then copy settings, rather than configure once at the domain and push configs down to each associated device. Every configuration change must be pushed out to every switch from a different part of the Win32 interface, though it was only a keystroke combination away. Although this lets a large set of changes be pushed down simultaneously, the batch process got old when making successive tweaks.
Moreover, system configuration was far from straightforward. Although we found some wizardlike functions in the MX-20 properties page, adding another WLAN usually means creating several objects and tying them together. Adding an open WLAN (one that requires no authentication) required configuring the authentication as "last resort," then creating RADIUS users with a specific naming scheme that included the SSID, just so that unauthenticated users can connect. We did like that VLAN membership, session time-out and several other elements can be drawn from the AAA (authentication, authorization and accounting) server.
In our last tests, Trapeze was somewhat indifferent on dynamic RF adaptation, but pressure from competitors has brought a change. This time, though Trapeze is the only vendor that did not formally support WPA2 in its management interface, we could turn it on in the CLI. This hampered our tests, because it prevented RingMaster from syncing with the seed after new DAPs were added. Also, executing a command at the CLI that lists connected users made the MX-20 reboot if there were several hundred (virtual) clients associated. Two patched builds of Mobility System Software resolved those problems, but Trapeze is lagging in keeping up with standards.
Performance was a mixed bag. On our VoWLAN tests, Trapeze garnered the highest R-value and exhibited the lowest jitter, but we couldn't complete a good round of tests with data load before our editor wrenched this review from us. Trapeze also had the best open authentication and WPA roaming times with the Cisco a/b/g card, but it fared much worse with the Orinoco card. It turned in middle-of-the-road results with our mixed-mode b/g testing. Price was middling as well in all three scenarios.
MX-20 (Mobility Exchange); MP 252 (Mobility Point); Mobility System Software and RingMaster 3.0.4. Trapeze Networks, (877) FLY TRPZ, (925) 474-2200. www.trapezenetworks.com
Frank Bulk is a technology associate focusing on wireless and mobile technologies with the Center for Emerging Network Technologies at Syracuse University.
Our roaming tests returned highly variable results, mostly due to client card behavior. Enterprises looking for a smooth roaming experience should test a few wireless cards with the WLAN gear under consideration. One sure-fire way to optimize roaming is to stick with a single vendor for both pieces of the puzzle, but only Cisco and Proxim can bring this to the table. Long term, push for open WLAN client card standards to ensure better and more predictable roaming. Here Cisco has made some progress--in a somewhat brute-force fashion--with its CCX (Cisco Compatibility Extensions) program, but unfortunately this helps only card vendors, not infrastructure providers, because Cisco does not license CCX on the AP side.
Although the first wireless infrastructure systems tested with WPA2 (Wi-Fi Protected Access 2) were announced in September, few supplicants were available when we performed our tests. For most of our WPA and open testing, we used the supplicant and driver provided by the card manufacturers--Cisco's Aironet Desktop Utility (ADU) for its CB21AG, Proxim's client utility for its Orinoco 8480-WD or Intel's ProSet utility for its Centrino 2200BG.
But when it came to WPA2, pickings were slim. Intel's ProSet 9.x supports WPA2, and we tested it against a few systems. Cisco says its next major release of ADU will include WPA2 and support for fast secure roaming with PEAP and EAP-TLS, but we couldn't wait. As a stopgap, we acquired a beta version of the Funk Odyssey client, which works with any of these cards. We also tried out an alpha version of a native Microsoft WPA2 supplicant, but decided it was too green.
We used the Azimuth W-Series WLAN Test Platform to perform some WPA2 (using PEAP-MSCHAPv2 with Azimuth's built-in supplicant) association-capacity testing, and all the products attained more than 200 associations, some more quickly than others. Trapeze surprised us, climbing to 499 WPA2 clients in only a few minutes.
Although WPA2 supplicant support may not be fully baked, organizations using 802.1X should configure their wireless system to support mixed-mode encryption or create a new WLAN for this latest standard. With its support for the more secure AES encryption and hooks for fast roaming support--for example, key caching and preauthentication--it's a no-brainer security move.
We were assisted by two wireless LAN testing-tool vendors, Azimuth Systems and VeriWave. With Azimuth's W-Series WLAN Test Platform, we performed association load, rate-versus-range and roaming tests. For association load testing, we used Azimuth's modules to associate as many virtual clients as possible until the vendor's equipment told us the association table was full. We did this for open WLANs and WPA2 (Wi-Fi Protected Access 2).
The rate-versus-range test examined access-point sensitivity and performance with different signal losses. As a client moves farther from the AP, the signal decreases and the connection rate drops, eventually causing a disconnection. For this test, we used two clients, the Cisco CB21AG and the Proxim Orinoco 8480-WD, both 802.11a/b/g cards. We tested each vendor's setup against these cards, individually in 802.11a, b and g modes, and both upstream and downstream. In the 802.11g tests, we made sure the client and infrastructure supported 802.11b as well. We generated traffic using Ixia's Chariot; we used one script with UDP (User Datagram Protocol) traffic for upstream, and a different script with UDP traffic for downstream with a data payload of 1,400 bytes. We ran each combination at least three times and averaged the scores.
Our roaming tests used the same wireless cards, but in 802.11b mode. We set up two APs and, using the Azimuth system's isolated chambers and RF attenuators, made the clients roam from one AP to the other and back. We ran each test several times and selected the better numbers from each sample; there could be a lot of variance between runs, and we wanted to minimize the card's variability as a factor.
For our 802.11b/g co-existence analysis, we performed more Ixia Chariot tests, this time in open air with just one AP. We configured six laptops and our infrastructure for pure 802.11g mode. Then we changed three laptops to pure 802.11b mode, changed the infrastructure to support mixed 802.11g and b, and reran the tests. For the mixed 802.11a/g testing, we used the same six laptops, but set three to run in 802.11a and three to pure 802.11g.
To provide another data point for our rate-versus-range tests, we performed some open-air analysis with each vendor, in both 802.11a and 802.11b/g. We placed an AP in a hallway corridor, where we usually perform such testing, and did a walkabout.
We used VeriWave's TestPoints in our association performance and capacity analysis. Most important, VeriWave let us quantify VoWLAN (voice over wireless LAN) tests. We set up 14 SpectraLink phones and a gateway, all configured with the H.323 code base. IP-only calls were established between seven handsets associated with the first AP to the remaining seven handsets on the second access point. Each AP used a different SSID (Service Set Identifier) and channel to preclude interference and roaming. The VeriWave TestPoints listened to the traffic and assigned an R-value score (similar to the Mean Opinion Score). We then ran the tests again, but this time each TestPoint injected 500 Kbps of traffic, so that each set of seven phones would have about 1 Mbps of additional background traffic. Again, the TestPoints listened to the VoWLAN traffic and calculated an R-value. We ran the tests several times and averaged the scores.
In addition, we ran a multicast traffic test in which we had three APs in 802.11b mode, each on a different, nonoverlapping channel. Each AP had a laptop associated with it, and a fourth laptop joined in to listen for traffic on the third AP. We created a multicast traffic test with 64 Kbps of traffic, using Ixia's Chariot, and ran it on the first two clients only. Then we listened on the third AP to make sure it wasn't sending multicast traffic--it shouldn't, because the third laptop, though associated, was not participating in the multicast session. Many thanks to Seneca Data for providing NexLink laptops for testing.
For security, we had the vendors demonstrate their support for VPNs, different EAP types, captive portals and mixed-mode encryption.
To test auto-RF, we set up four APs in the hallways surrounding our lab and let the system come up with a stable configuration. Then we removed the power to one AP and monitored the system for a response. In the same physical setup, we did our rogue testing using a generic AP in three locations.
To evaluate load balancing, we set two physically adjacent APs to channels on either end of the spectrum. We then enabled the wireless cards on the same six laptops used for previous tests to see how well the APs load-balanced as clients came online. Then we powered off one AP until all the clients roamed over to the second AP, powered the first AP back on again and monitored the clients to see which ones rolled back.
For failover testing, we set up a few laptops associated with one AP on each vendor's system, then we started pinging the client's local gateway. We failed different pieces of the infrastructure, timing the loss of pings and using WildPackets' AiroPeek to monitor the first time the AP would beacon after having lost activity. In some cases, the AP beaconed long before it was ready to pass client traffic back to the hosting switch.
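One way to time the loss of pings in a failover test like the one described above, as an added example that is not part of the original review or any vendor's tooling. It assumes the log was captured with Linux iputils `ping -D` and that the first-beacon time was read off a packet capture; the sample log, addresses and beacon timestamp are constructed.

```python
import re

# Constructed sample: output of `ping -D -i 0.2 <gateway>` on a test laptop,
# with a piece of infrastructure failed after icmp_seq=3.
# 192.0.2.1 is a documentation placeholder address.
SAMPLE_PING = """\
[1100000000.000000] 64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=2.1 ms
[1100000000.200000] 64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=2.0 ms
[1100000000.400000] 64 bytes from 192.0.2.1: icmp_seq=3 ttl=64 time=2.3 ms
[1100000012.600000] 64 bytes from 192.0.2.1: icmp_seq=64 ttl=64 time=3.9 ms
[1100000012.800000] 64 bytes from 192.0.2.1: icmp_seq=65 ttl=64 time=2.2 ms
"""

REPLY = re.compile(r"^\[(\d+\.\d+)\] \d+ bytes from \S+ icmp_seq=(\d+) ")


def parse_replies(text):
    """Return [(timestamp, icmp_seq), ...] for every echo-reply line."""
    replies = []
    for line in text.splitlines():
        m = REPLY.match(line)
        if m:
            replies.append((float(m.group(1)), int(m.group(2))))
    return replies


def outages(replies):
    """Find runs of lost pings.

    Each result is (last_ok_ts, first_ok_ts, lost_count, seconds_without_reply).
    icmp_seq is a 16-bit counter, so the difference is taken modulo 65536;
    duplicate replies yield a negative count and are skipped.
    """
    found = []
    for (t0, s0), (t1, s1) in zip(replies, replies[1:]):
        lost = (s1 - s0) % 65536 - 1
        if lost > 0:
            found.append((t0, t1, lost, round(t1 - t0, 3)))
    return found


def beacon_lead(outage, first_beacon_ts):
    """Seconds the AP was beaconing before client traffic actually resumed."""
    _, first_ok_ts, _, _ = outage
    return round(first_ok_ts - first_beacon_ts, 3)
```

A large `beacon_lead` value quantifies the case noted above, where an AP is visible to clients well before it can pass their traffic.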
All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.
Don't see your favorite vendor among our reviews? Here's what happened with 14 vendors that were invited but didn't participate in our tests:
Proxim Corp. and Symbol Technologies initially accepted but dropped out before our tests began. Proxim cited difficulty in providing its switch architecture solution, which requires integration with products from Wavelink Corp. and Avaya. We hope potential customers don't experience the same challenges. Symbol decided its new WLAN 5100 and Mobility Services Platform, which should be released by the time you read this, were not ready for evaluation.
Meru Networks, which has received a lot of attention for its claims to offer QoS (quality of service) and serve a high-density wireless population--and has attracted customers looking to deploy VoWLAN--initially declined because its multiband AP wasn't quite baked. We issued an extension, hoping to get the product in the lab, but the company still turned us down.
None of the enterprise wireless gateway vendors--Bluesocket, ReefEdge and Vernier Networks--took the bait, generally citing a poor fit with the focus of our tests; this suggests that only those with an existing or heterogeneous wireless infrastructure should consider these players.
Wired switch vendor Enterasys Networks said the timing wasn't right, while Extreme Networks said that the review looked at only one part of its whole product picture. Foundry Networks couldn't meet our prerequisites. Alcatel and Nortel Networks both cited their existing partnership with Airespace.
Hewlett-Packard's ProCurve Networking declined to participate because its products were not applicable to stated guidelines.
Legra Systems declined, then folded before testing began. Chantry Networks said it couldn't spare the resources (the company was bought out by Siemens near the end of our testing process), and its Boston neighbor, Colubris Networks, lacked a few prerequisite features.