Part of the Aruba Networks Wireless LAN Switching System, the Aruba 800 is a self-contained wireless switch designed, primarily, for branch office deployment. Up to 16 so-called thin access points (APs) can be connected, the access points providing the radio connectivity while the switch adds centralised AP and user management, security and mobility services.
The Aruba 800 looks much like an ordinary Ethernet switch, housed in a 1U rack-mount case with eight 10/100 Mbit/s UTP ports at the front. Theres also a Gigabit uplink that can have either copper or fibre connectors, and a console port for local setup. Access points are attached using ordinary Cat 5 cables with support for Power over Ethernet (PoE) to eliminate the need for individual AC adapters.
The AP52 access points we tested can handle all three of the current wireless standards (802.11b/g/a) communicating with the switch over secure GRE (Generic Routing Encapsulation) tunnels. These are created automatically and work across any intervening Layer 2/3 infrastructure without having to manually define separate VLANs as on some other wireless switch products.
Like all Aruba switches the 800 runs proprietary AirOS software with a dedicated processor to offload the encryption processing . Performance varies depending on the algorithm but for 3DES (which youd use with the built in VPN server) Aruba quotes 200 Mbit/s. The switch itself is capable of a throughput of 1 Gbit/s and can accommodate 256 wireless users. Other Aruba switches are also available that can handle higher levels of throughput, more access points and users, and provide higher levels of redundancy.
Thin Access Points
Its worth just emphasising that all of the encryption work is done by the switch, even WEP encryption from the AP to the clients. User authentication and management is also handled centrally. However, despite only providing basic wireless connectivity the access points are still relatively expensive, each AP52 costing £450 ex VAT.
On the positive side, support for open standards means that no special client software is needed to connect to an Aruba network and theres the usual link layer security using either WEP, WPA or AES encryption. And, once connected, users will be automatically authenticated by the switch, typically against a RADIUS, LDAP or Active Directory server, and access to network resources managed according to pre-defined policies.
Policies can be applied on a per-user or group basis with a rules-driven firewall to limit the protocols and applications clients are allowed to use. Bandwidth limits can similarly be applied, sessions prioritised and VLAN assignment managed based on authentication results, with location and time controls also available.
Another plus with the Aruba switch is the ability to roam the network and not have to re-authenticate when moving from one AP to another. User details are stored in central database and even after disappearing from the airwaves while in a lift, for example, or moving between buildings the switch will automatically recognise users and re-instate their privileges when they re-connect (subject, of course, to time-out controls).
The firewall in the Aruba 800 employs a number of techniques to detect wireless LAN intruders, but rogue access points can also be a real headache on a corporate LAN. Both in adjoining organisations and those innocently installed by users ignorant of the security risks.
Aruba deals with this problem by having its access points continually monitor the airspace in the background. If a new AP starts up it can then be detected both in the air and from the LAN perspective, then validated against a list of trusted devices. When identified as unauthorised, alerts can be raised and security policies applied to prohibit users from accessing the LAN via the AP concerned.
This facility alone is well worth having. Microsoft is set to install Aruba switches for just this reason (see case study. Not to provide wireless access, but just to identify rogue APs.
One important thing to remember with wireless switching is that the actual packet switching only applies to wired ports. Wireless bandwidth to the AP is still shared, the switch simply adding central management and security. Bandwidth and range are unlikely to be any better than with standalone access points. Although it performed well in our tests, the Aruba wasnt that much better in terms of either throughput or range compared to some sub-£50 access points weve tried.
That said, the Aruba switch has the advantage of a built-in site survey facility to tell you how many access points to install and where to locate them. It wont draw plans, as with Trapeze switches, but it does help maximise throughput across a large campus. It can also fine tune the power and channel settings to take into account AP location, balance user loads and provide automatic failover in the event of an AP failure.
The ability to manage access points centrally is another major selling point which cant be emphasised enough, with a CLI for local management and an intuitive Web based management interface. Theres SNMP support too, and a private MIB for use with HP OpenView and other SNMP management tools.
All in, the Aruba 800 has a lot to offer and with other more capable products also available the Aruba Wireless LAN Switching System is well worth investigating.
Aruba isn’t the only player in this market, with similar products available from Airespace, Cisco, Trapeze and Symbol which need to be considered before making a buying decision. Moreover, the wireless switch market is relatively young and a number of conventional AP vendors, including Proxim, are set to join it soon. Prices are likely to drop as a result, in which case it may be worth waiting a few months before signing any dotted lines.