Aruba nails security while Trapeze delivers smart network planning tools

Wireless LANs have real issues with security and performance, and with letting users move seamlessly across various portions of the network. Fortunately, there are wireless switches such as Aruba Wireless Networks’ Aruba 5000 and Trapeze Networks’ Trapeze Mobility System, which are capable of resolving many of the issues that have kept CTOs from approving wireless networks.

Both products provide security that will reassure most senior IT managers, tools to fine-tune performance, and a combination of authentication and mobility features that allow users to go from office to conference room to cafeteria while continuing their mission-critical chat session.

No one could mistake one of these solutions for the other. Aruba marries security and QoS features in a system that can be fine-tuned for virtually any set of circumstances, though setting up the finely tuned system can be tedious. Trapeze features a network planning tool that does a solid (and realistic) job of planning coverage areas and generating action statements. It offers roaming between subnets that is almost invisible to users, though some security notification features are lacking. The question for prospective purchasers is, What is my biggest wireless networking problem?

Aruba 5000

The Aruba 5000 is a modular switch that incorporates layer 2 and layer 3 switching, security, QoS, and management features in a 3U rack-mount chassis. A single Aruba 5000 can contain as many as three line cards with a total of 72 10/100 Ethernet ports and six GbE (Gigabit Ethernet) ports, up to two supervisor cards providing switching and management functions, and as many as three power supplies. All are hot-swappable. Accompanying the switch is the Aruba 52 AP (access point), an 802.11a/b AP with twin antennas.
The Aruba 52 can receive power over Ethernet directly from the Aruba 5000 or from an optional PoE (Power Over Ethernet) adapter.

Aruba’s planning tool, Aruba Site Survey, helps administrators decide how many APs to place within a given building floor and where. Portions of the tool are rudimentary. The software tends to treat floors as rectangles, and it has no easy way to take radio-absorbing or -reflecting obstacles into account. Trapeze, by contrast, has built more advanced file import and the radio characteristics of building material into its overall superior software.

Site Survey certainly has its strengths. The suggested AP placement feature includes recommended power levels, and there are functions for playing “what-if” scenarios for AP failures. In all, it’s a tool that may be useful but will not be the only planning system necessary for deployment. The tool does not try to predict where to place the switch itself because Aruba has provided great flexibility in this respect. The Aruba 5000 can control APs connected directly to its ports or connected to its ports through intermediary switches, making it a real candidate for deployment in a network operations center.

The Aruba 5000 is also compatible with APs from other vendors. Although it will not provide the advanced control features available with the Aruba 52 AP, I found that Cisco and D-Link APs operated with the Aruba 5000 as they would with any switch, so organizations can continue to use legacy APs.

When a complete Aruba network is deployed, some APs will act as monitoring devices, providing transmitter field strength, intrusion detection, and other functions to the switch. If needed, the switch can automatically change these monitoring APs into normally functioning APs, which counters the effect of an AP dropping offline and maintains service quality, one of Aruba’s strongest points. An administrator may assign QoS, defined as minimum allowable throughput, to individual users, user groups, or APs.
If that throughput is threatened by a heavy user load, the Aruba 5000 will turn on additional APs, deny access to a particular AP from new users, and juggle AP power levels to try to maintain QoS. Watching the management screen, it was easy to see the Aruba 5000 performing all these actions as I disabled APs and brought new clients into the test scenario.

Aruba includes the security features that are becoming standard in wireless switches, with 802.1x and WEP (Wired Equivalent Privacy) encryption, support for VPNs and EAP (Extensible Authentication Protocol), though the company has taken the implementation to higher levels of performance. A good rogue system detection identifies both unauthorized APs and clients. A variety of warning and response mechanisms are available to administrators, making intrusion detection another strong point. The Aruba 5000 also includes a built-in RADIUS (Remote Authentication Dial-In User Service) database that can be used to authenticate users if a corporate RADIUS server is not available.

Aruba provides access to security, QoS, and other features via the Aruba AirOS WLAN Switch management software, which is quite complete but far from simple to navigate due to its plethora of choices. The interface is dense with information and the default for all security settings is “locked down” in the most restrictive configuration. Most organizations will balance ease of use and security in ways that require less “paranoid” settings of many security options. The result is a safe, restrictive system that will require some serious thought and reconfiguration before it’s ready for enterprise use.

Trapeze Mobility System

The Trapeze Mobility System is comprised of three components. The Mobility Exchange switch is a 2U rack-mountable box with 20 10/100 Ethernet ports and two GbE ports. Mobility Points are 802.11a/b APs, powered over Ethernet.
Both Mobility Exchange and Mobility Points are controlled by RingMaster, Trapeze’s planning and management software. Deployment of the system begins with a session on the Java-based RingMaster. RingMaster contains one of the more capable wireless networking planning tools I’ve seen. Beginning with an imported AutoCAD or JPEG file of floor plans, an administrator defines the location and composition of walls, partitions, and other obstacles. Radio-signal attenuation figures are built into the definitions of building materials, so when the tool places APs for particular coverage areas, it takes obstacles into account.

When the final AP placement is determined, RingMaster will generate work order forms for installation, with precise locations and AP details noted. Placement for Mobility Exchange units is included in the design because APs must be directly connected; intervening switches aren’t supported. Trapeze Mobility Exchange will act as a standard switch with non-Trapeze APs, allowing for retention of legacy APs or special-purpose APs in harsh environments.

Deploying Trapeze entails running through a series of easy-to-use wizard-based menus in RingMaster after an initial, brief session setting up foundation parameters with the IOS-like CLI (command-line interface). Before pushing the parameters out to the individual APs, RingMaster checks them for consistency with other parameters and against any changes made to APs via CLI. Roaming between APs and subnets across Trapeze networks is easy for users. Once authenticated through the Mobility Exchange via RADIUS or EAP, a network connection remains open until it is closed by the NOS.
This system means that there is only one session time-out that must be set by administrators, although network parameters may need to be modified to allow for connection interruption while roaming.

Security for Trapeze is consistent with that seen in other products in this growing niche, with user authentication, WEP encryption, and VPN support built in. Its range of security deployment options and initial security default settings falls short of that offered by Aruba, although it is still better than that available through APs alone.

Rogue detection is aimed at changes in the wireless infrastructure. The system flags unknown APs and peer wireless traffic immediately for administrator attention, and indicates where on the deployment map a particular rogue will be found. Rogue client attempts get less attention; the system generates an authentication error but no immediate warnings. I would like a more immediate notice if a hacker with AirSnort is trying to get into an AP.

Trapeze allows administrators to establish minimum acceptable connection rates but, as with Aruba, does not use APs or time intervals within the traffic stream for monitoring system signal strength or throughput.

Both of these systems will improve security, service quality, and roaming over what is available through APs alone. IT departments without radio expertise will find the Trapeze approach to network design an enormous aid, though they will want to spend time writing scripts to help provide notification of attempted security breaches. If security is an organization’s chief WLAN concern, Aruba’s system will provide a significant level of comfort, though the staff learning curve to reach optimum results will be steep.

InfoWorld Scorecard

| Product | Scalability (10.0%) | Ease of use (10.0%) | Performance (15.0%) | Value (10.0%) | Setup (15.0%) | Security (20.0%) | Manageability (20.0%) | Overall Score (100%) |
|---|---|---|---|---|---|---|---|---|
| Trapeze Mobility System | 7.0 | 8.0 | 7.0 | 8.0 | 9.0 | 7.0 | 8.0 | 7.7 |
| Aruba 5000 | 8.0 | 5.0 | 7.0 | 8.0 | 5.0 | 10.0 | 8.0 | 7.5 |