Lippis Report Issue 90: WLAN Offerings Shift To Unified Wired & Wireless Networking
There is a buying shift taking place in the WLAN market, marked by a new basis of competition that values unification with wired networks. The shift gives an advantage to those with LAN switch infrastructure market share. All the big network infrastructure players, such as Cisco, ProCurve Networking by HP, Extreme Networks, Foundry Networks, Nortel et al., are focusing on unifying wired and wireless networking from a user experience, management and service level perspective. At the same time, upstarts such as Aruba Networks, Trapeze Networks, Meru Networks, Ruckus Wireless and others offer WLAN approaches that either overlay on top of existing network infrastructure or offer both wired and wireless devices. In this Lippis Report we analyze the unified wired and wireless services from Cisco's unified networking, ProCurve Networking by HP, Aruba's Mobile Edge Architecture and Trapeze's Smart Mobile architecture. We'll address this topic in two parts. The first part, presented here, is a requirements statement based upon our consulting work with large enterprises. The second part, to be published in November, is a supplier assessment against these requirements. Most IT decision makers want to cut to the chase and find out which suppliers we favor, so we provide a sneak peek here.
Related White Paper: Network Security 2.0
The market for WLANs is shifting from a separate overlay deployment to an integrated or unified WLAN and wired LAN implementation. This shift in requirements and features opens the door for established infrastructure providers to leverage their large installed base of Ethernet switching to address a new multi-billion dollar market by offering unique unified features. These features include management integration with LAN systems, consistent user/client services, enhanced guest access administration and voice over WLAN (VoWLAN) services. Cisco offers the vision and solution set with a wide range of products and features. ProCurve's new ZL WLAN controller offers a simple approach to unifying wired and wireless networks. Aruba offers both wired and WLAN connectivity in its controllers but lacks switched Ethernet market share, which limits its ability to integrate with LAN infrastructure and management. Trapeze is a pure play WLAN overlay, which does not integrate with LAN infrastructure. Ruckus Wireless is entering the enterprise market soon and we'll provide perspective when they announce. Since access points dominate the cost of ownership for a WLAN solution, this market can be modeled as a razor/razor-blade market: innovation in user licensing that lowers the cost of the controller (the razor) should drive sales of many access points (the blades).
Enterprise Market Demands A Unified Mobility Solution
While mobility is a broader topic than wireless LAN (WLAN) access including Virtual Private Networking or VPN, cellular, location services, Radio Frequency ID (RFID), etc., in this Lippis Report we focus on the movement to unify wired and wireless local area networking. It’s within the context of WLANs that we will use the term mobility.
There are multiple drivers for mobility solutions in the enterprise market. Mobility is a key attribute of networking that allows enterprises to unlock their business processes from fixed points. Wireless networking is one of the key structural components of an overall mobile strategy. Over the past two years WLANs have entered prime time for corporate networking thanks to architectures which increase ease of deployment and management, plus significant advances in security, specifically the WPA and 802.11i standards. Architectural arguments and choices have shifted from thick vs. thin access points to integrated vs. overlay and now to a unified approach to WLAN and wired LAN networking.
Market requirements for a unified wired and wireless LAN approach to network access include client, infrastructure and netops dimensions. Client access should be consistent, independent of wired or wireless network access method. Ideally WLAN access points and controllers should be deeply integrated into existing network infrastructure and tightly linked to management, control and security services. The higher the level of integration of WLAN with wired infrastructure, the lower the operational cost, as common tools and interfaces increase netops productivity while training requirements are minimized.
The value of a unified wireless and wired network where access points or radios are low cost and widely distributed and communicate to WLAN modules embedded into LAN switches offers benefits to netops, the client or end-user experience and guest access. Unified WLANs and wired LANs are accomplished through integration of hardware, software, management, network security, and protocols.
A unified WLAN and wired network needs to include the following considerations:
Wired Infrastructure Integration
To integrate WLANs with existing wired LAN infrastructure the following essential components are needed:
- Wireless encryption protocols such as WPA, 802.11i, etc.
- Identity Management for wired and wireless access control
- Rogue AP detection
- Built-in stateful firewall to defend against external intruders, either integrated into the controller or deployed as a separate appliance
- Network Address Translation (NAT)
- Built-in Intrusion Detection System (IDS) to detect commonly known wireless attacks against the network and alert netops
- Network Access Control (NAC) to provide a consistent user authentication experience
- Management, monitoring and configuration via existing wired management platform
- Identity management integration to define user access policies, which are common to wired and wireless access providing users with true mobility
- DHCP service for the case where a WLAN addressed separately from the existing wired infrastructure is desired
Enhanced Guest Access and Administration
A contingent and guest workforce is pervasive in the global economy, as it allows collaboration between employees, consultants, suppliers, partners and contractors. But guarantees of appropriate levels of security need to be in place to protect a corporation from inadvertently opening its network and IT resources to unauthorized access. Of particular concern to netops has been the large amount of time and resources consumed during administration of guest access.
There have been few options for guest wireless network access administration. Common practice is that netops would advertise a guest WLAN with a shared guest account, which would direct guest traffic via routing and Access Control Lists (ACLs) to a corporation's DMZ and the internet. This is a limited capability: netops would not know who was using the guest access service, nor have tools to track its bandwidth utilization.
Guest access capabilities need to be more granular in their definition and easier to administer. With a unified network there could be multiple guest administrators setting up guest accounts. For example, upon the arrival of a customer, a business leader could establish a user name and password assigned to a guest access group and configure its policy, which specifies the length of time access is available to the customer.
Combining the guest access group with identity management offers netops an even more powerful set of options in the administration of guest access accounts. Many IT leaders are uncomfortable with adding temporary users into network and IT databases. Identity management provides netops with a way to push the operation and control of guest users to business leaders, allowing them to set up group administration while being confident that netops is still in control of security and how guests gain access to the network. This eliminates the extensive work netops would otherwise perform provisioning temporary guest access for each event, i.e., sales training, customer visits, etc. Netops can define multiple guest access groups in a common guest directory to which all WLAN controllers point, so that guest accounts are created, maintained and deleted in one place. This is a key unified network feature: a centralized location hosts the database of guest accounts, easing administration and closing the vulnerability of undeleted guest accounts.
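As an added illustration (not code from the Lippis Report or from any vendor discussed in it), the following Python sketch models the delegation described above: netops defines per-group policy (guest VLAN, maximum account lifetime, which business users may sponsor guests), a sponsor creates time-limited accounts only within those bounds, every controller answers authorization from the same central store, and a sweep deletes expired accounts so stale guest credentials cannot be reused. The group name, VLAN number, sponsor names and lifetimes are constructed sample values.

```python
"""Delegated guest-account provisioning with netops-owned policy and expiry (illustrative)."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class GuestGroupPolicy:
    """Defined by netops; a sponsor cannot change these bounds."""
    name: str
    vlan: int                    # guest VLAN whose ACLs allow only DMZ/Internet
    max_lifetime: timedelta      # longest access a sponsor may grant
    allowed_sponsors: frozenset  # business users permitted to create guests here


@dataclass
class GuestAccount:
    username: str
    salt: bytes
    password_hash: bytes
    group: str
    sponsor: str
    expires_at: datetime


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 digest, never the guest password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class GuestDirectory:
    """The one guest store that every wired or wireless controller queries."""

    def __init__(self, policies):
        self._policies = {p.name: p for p in policies}
        self._accounts = {}

    def create(self, sponsor: str, group: str, lifetime: timedelta, now: datetime):
        """Sponsor creates a guest; returns the account and the one-time password."""
        policy = self._policies.get(group)
        if policy is None:
            raise PermissionError(f"unknown guest group {group!r}")
        if sponsor not in policy.allowed_sponsors:
            raise PermissionError(f"{sponsor} may not sponsor guests in {group}")
        # Clamp rather than trust the requested lifetime: netops caps it per group.
        lifetime = min(lifetime, policy.max_lifetime)
        username = f"guest-{secrets.token_hex(3)}"
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        acct = GuestAccount(username, salt, _hash_password(password, salt),
                            group, sponsor, now + lifetime)
        self._accounts[username] = acct
        return acct, password

    def authorize(self, username: str, password: str, now: datetime):
        """Return the VLAN to place the client in, or None to reject the login."""
        acct = self._accounts.get(username)
        if acct is None or now >= acct.expires_at:
            return None
        candidate = _hash_password(password, acct.salt)
        if not secrets.compare_digest(candidate, acct.password_hash):
            return None
        return self._policies[acct.group].vlan

    def sweep_expired(self, now: datetime):
        """Delete expired accounts centrally; returns the usernames removed."""
        stale = [u for u, a in self._accounts.items() if now >= a.expires_at]
        for username in stale:
            del self._accounts[username]
        return stale

    def active_count(self) -> int:
        return len(self._accounts)


if __name__ == "__main__":
    # Constructed sample: netops allows "alice" to sponsor 8-hour visitors on VLAN 900.
    directory = GuestDirectory([
        GuestGroupPolicy("visitors", 900, timedelta(hours=8), frozenset({"alice"})),
    ])
    t0 = datetime(2007, 11, 1, 9, 0, tzinfo=timezone.utc)
    acct, pw = directory.create("alice", "visitors", timedelta(days=30), t0)
    print(acct.username, "expires", acct.expires_at)      # clamped to t0 + 8h
    print(directory.authorize(acct.username, pw, t0 + timedelta(hours=1)))  # 900
    print(directory.authorize(acct.username, pw, t0 + timedelta(hours=9)))  # None
    print(directory.sweep_expired(t0 + timedelta(hours=9)))
```

The two checks that matter for the vulnerability named in the text are that the sponsor's requested lifetime is clamped to the netops ceiling rather than honored, and that an account is refused at its expiry time even before the sweep has deleted it, so an unrun cleanup job does not extend access.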
Client Experience
The user experience of wired access sets the performance expectation during wireless access. While bandwidth is still much greater on wired networks, WLANs continue to close the bandwidth gap, and with 802.11i they authenticate and encrypt the link in a way that most wired switch ports, which carry traffic in the clear, do not. Many past WLAN frustrations can be eliminated with a unified WLAN and wired architecture. Corporate users have been frustrated when locating a wireless network, authenticating to the wireless network, losing connections while roaming through a campus or office building and questioning the security of their access. One of the largest complaints about WLANs has been the inability to roam.
Roaming
Layer three roaming is enabled by having WLAN controllers or modules embedded in the network fabric. There are two deployment options for layer three roaming, which depend on the number of controllers or modules deployed across the network fabric. In a single module scenario, IT leaders would deploy multiple radios across layer three boundaries where traffic is tunneled across subnets to the single module. In a multiple module scenario where all modules participate in controlling traffic from radios scattered across multiple subnets, the modules set up tunnels among each other and route traffic as wireless clients roam between subnets and network segments. This provides a consistent user experience as they roam throughout the network.
VoWLAN Support
New applications, such as voice over wireless LAN (VoWLAN), are poised for rapid mainstream adoption. IT leaders desire to future proof their wireless investment to address future application requirements such as VoWLAN. The roaming discussion above is critical to maintaining voice connections while roaming with VoWLAN handsets. Wi-Fi WMM (multimedia) support, which provides QoS functionality in wireless networks by prioritizing wireless traffic from different applications, offers future proofing too. SpectraLink Voice Priority (SVP) support, which prioritizes SpectraLink voice IP packets sent from a SpectraLink NetLink SVP server to SpectraLink wireless voice handsets, enables VoWLAN service. Unscheduled Automatic Power Save Delivery (U-APSD), the power save mechanism defined in 802.11e, extends the battery life of Wi-Fi devices such as VoWLAN handsets. All of these features are key to future proofing the unified network.
Unified Network Design
There are two basic approaches to unified network design. The first is to place wireless services (controller or module) at the network core or distribution level, embedded in Ethernet switches. Though simple to deploy and maintain, this network configuration has limitations worth noting. Wireless traffic traverses the network headed to the core switch where the WLAN module is placed. Until it reaches that module, the user or device has not been authenticated and the traffic (still encrypted, if clients use wireless encryption) has not been challenged or verified, so the access and distribution layers are carrying traffic from unverified sources, which leaves the network exposed to exploits. Network latency may be increased during the back and forth journey between end-point and core switch, having a negative impact on real-time network applications such as VoWLAN.
The second alternative is to deploy wireless services at the network edge. This deployment offers several advantages over wireless services at the core or distribution level. User/device authentication occurs at the edge of the network before traffic can enter the network, mitigating the above vulnerability. Built-in RADIUS authentication and DHCP service, firewall, static ACLs and identity management are dynamically assigned, and user-based network policy is enforced at the edge of the network to ensure safe and appropriate network access. Traffic is classified and efficiently routed at the edge of the network. In addition, PoE can be more effectively and efficiently administered to radio ports/access points. Also, with layer 3 roaming, mobile users traverse routed boundaries and subnets.
With a unified network infrastructure which includes the components mentioned above, the following types of failover services are enabled. Self-healing access points or radios allow a controller to detect a failed radio and adjust the RF coverage of its neighbors accordingly to maintain appropriate access. RF adjustment based upon an aggregated network view, thanks to distributed data collection, can identify RF interference from Bluetooth or wireless headset devices, for example, and adjust RF power accordingly. As controllers or modules are integrated into the switch chassis/fabric, they share the power redundancy already designed into LAN switching products to provide consistent service in the case of failure.
NetOps Integration
With WLAN service deeply embedded in LAN switches and their associated management, netops is able to integrate the configuration, monitoring and management of WLANs through a common set of management tools. Further, as NAC, identity management and other network security services have been built around the LAN switch architecture, these services are then integrated and offered to WLAN clients, easing netops administration of WLAN services.
In short, netops is offered a single pane of glass management for wired and wireless: device, policy and access management. User-based policies are defined once, centrally in the network, and then applied consistently throughout the network independent of access method. This provides a scalable framework. As new capacity is required for additional users, controllers are added to LAN switches and radios adjust their power and bandwidth accordingly while centrally defined policies are applied in lock step with existing devices. This framework inherently reduces operational expense as network administrators are not repeating tasks such as defining access control policies unnecessarily.
On the Long Road to Converged Networks - Caller IP said:
November 16th, 2007 at 4:51 pm
[...] What is happening on the enterprise and the wide-area networks (WANs) beyond are increasingly linked. This Lippis Report begins by suggesting that the big vendors — including Cisco, HP, Extreme Networks, Foundry and others — are aiming at converged corporate networks. The writer offers a "sneak peak" at a ranking of best vendors of convergence gear. The point, according to the writer, is that the enterprise emphasis is shifting from discrete and overlaid wired and wireless networks to a converged approach supporting both. [...]