It seems every wireless manufacturer has its own preferred way of providing more or less the same service. Intelligence in the access point, intelligence in the switch, intelligence in a central controller? You can’t say you don’t have choice.
We’ve already reviewed Trapeze Networks, Symbol and Vernier (marketed by HP) systems. Cisco does things differently—it’s a firm proponent of the intelligent AP, with its Aironet range providing added functionality including the likes of Proxy Mobile IP for Layer 3 roaming (see Roaming the hard way). Its SWAN architecture offers a greater tie-in between the wired and wireless parts of your network, but what does that actually mean, and what can you buy today?
Cisco's Structured Wireless-Aware Network (SWAN) isn’t an off-the-shelf product; rather it’s an architecture comprising many pieces. To build a SWAN, you’ll need Cisco-compatible clients (wireless NICs), access points, switches and routers, and an AAA server (the Cisco ACS) for authentication. If it is a big enough deployment, you will need CiscoWorks LAN Management Solution software and the Wireless Solutions Engine (WLSE) appliance for management.
Which sounds like a lot, but Cisco is banking on the fact that you have a fair bit of this anyway to support your wired infrastructure, so adding the SWAN part is mainly a matter of software upgrades to existing APs, and maybe the purchase of a WLSE.
What does SWAN do?
There are two main focus areas: secure mobility and RF management. The former basically covers fast roaming (Layer 2 and 3), while the latter deals with all the aspects of rogue AP detection, site surveys, RF monitoring and performance.
With SWAN, Cisco introduced something it calls Wireless Domain Services (WDS). It’s basically a set of IOS features that run on an Access Point that let that AP, in addition to doing its normal AP duties, act as a mini-controller for other APs on the same subnet. In terms of speeding up Layer 2 roaming, this is how it operates:
- All APs register with WDS AP using 802.1x.
- A client on power-up initially authenticates (using 802.1x) with the AAA server. The key information is sent via the WDS, which sends it on to the AP.
The WDS also acts as a backup local authenticator for remote offices if the WAN connecting back to the AAA server in head office fails, although it can only handle 50 user accounts. It’s not synchronised to the central RADIUS server for this — instead you’ll need to use the WLSE, which is designed for the management and monitoring of hundreds of APs, or type each username/password entry into the AP manually.
At present, though, WDS can’t do anything to speed up Layer 3, cross-subnet, roaming. It’s on the roadmap for later this year, but in the meantime the Cisco answer to this issue is Mobile IP proxy software on each AP.
A WDS-enabled AP will also act as an aggregator for RF statistics from the other APs, which it will pass to the WLSE to highlight rogue APs. The RF monitoring allows the WLSE to draw up a map of wireless coverage, and it uses existing APs to carry out site surveys, identifying areas with no coverage. You can import floorplans into the software to make it easy to spot where you need extra APs.
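A sketch of the reporting chain described above, as an added example rather than Cisco's code or data format: each AP reports the radios it hears, the WDS role merges the reports, and the management side flags BSSIDs that never registered. The report fields, the severity rule and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: radios of the managed APs that registered with the WDS AP.
REGISTERED_BSSIDS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02", "00:11:22:aa:00:03"}

# Constructed per-AP RF reports: (reporting AP, BSSID heard, SSID, RSSI in dBm).
REPORTS = [
    ("ap-1", "00:11:22:aa:00:02", "corp", -61),
    ("ap-1", "de:ad:be:ef:00:10", "corp", -48),       # unregistered radio using the managed SSID
    ("ap-2", "de:ad:be:ef:00:10", "corp", -70),
    ("ap-2", "00:11:22:aa:00:03", "corp", -55),
    ("ap-3", "02:00:00:00:77:01", "cafe-wifi", -88),  # weak neighbouring network
    ("ap-3", "00:11:22:aa:00:01", "corp", -59),
]


def aggregate(reports):
    """WDS role (assumed model): merge per-AP sightings into one record per BSSID."""
    merged = defaultdict(lambda: {"ssid": None, "seen_by": set(), "best_rssi": -200})
    for ap, bssid, ssid, rssi in reports:
        rec = merged[bssid.lower()]
        rec["ssid"] = ssid
        rec["seen_by"].add(ap)
        rec["best_rssi"] = max(rec["best_rssi"], rssi)
    return dict(merged)


def find_rogues(merged, registered, managed_ssids=("corp",)):
    """Management role (assumed model): flag BSSIDs that never registered, most urgent first."""
    findings = []
    for bssid, rec in merged.items():
        if bssid in registered:
            continue
        # An unregistered radio advertising a managed SSID is more urgent than a neighbour's network.
        severity = "high" if rec["ssid"] in managed_ssids else "low"
        findings.append({"bssid": bssid, "ssid": rec["ssid"], "severity": severity,
                         "seen_by": sorted(rec["seen_by"]), "best_rssi": rec["best_rssi"]})
    # High severity first, then strongest signal (closest radio) first.
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["best_rssi"]))


if __name__ == "__main__":
    for finding in find_rogues(aggregate(REPORTS), REGISTERED_BSSIDS):
        print(finding)
```

The `seen_by` list shows which managed APs heard the unregistered radio, which narrows down where to look for it on a floorplan.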
The plan is, along with getting WDS to do something useful for inter-subnet roaming, to provide support for it on some of the Cisco switch/router portfolio, probably on the Catalyst 6500, 4500 and 3750 series, and the likes of the 3725/45 routers.
It is perhaps a little ironic that the combination of WLSE and the WDS functionality is moving some of the functionality away from the APs themselves, which is similar to the approach taken by the ‘thinner AP’ vendors. Cisco didn’t seem to approve of the wireless switches and gateways favoured by other vendors; however, with the development of its SWAN architecture, it seems to be offering more choice of where to put the clever bits.