Putting 802.11b to the test
Cisco's Aironet access point knocks us out in the 802.11b arena, but others aren't far behind.
While this may be the fourth or fifth straight year you've heard this, it's finally the year of the wireless LAN.
With the acceptance of the 802.11b standard, a number of products and vendors have hit the market with access point products for the enterprise. We tested nine wireless LAN access points: the Buffalo Airstation from Buffalo Technologies; the Aironet 340 from Cisco; the DWL-1000 AP from D-Link; the RoamAbout Access Point 2000 from Enterasys; the Intel Pro/Wireless 2011 Access Point from Intel; the Intermec 2102 Universal Access Point from Intermec; the Orinoco AP-1000 Access Point from Lucent; the Harmony 802.11 Access Point and Access Point Controller from Proxim; and the Spectrum 24 11M bit/sec Access Point from Symbol Technologies. Breezecom accepted our invitation, but could not send us the equipment for our tests in time to be included in the review.
To fit into an enterprise network, performance is essential, but it's not enough by itself. You also want manageability, stability and security. Anyone who has managed large and small LANs knows that what works in a small office, home office (SOHO) environment doesn't always scale well into a company. Several vendors sent us very good SOHO equipment that we would have severe reservations about in a larger environment. Also, some enterprise gear was lacking in performance.
In the end, despite a higher price, the Cisco Aironet 340 series equipment delivered the best mix of performance and manageability and won our World Class Award.
D-Link, while not truly delivering enterprise-class hardware, offers an extremely good price/performance ratio and gets an honorable mention in a SOHO environment. Proxim offers some stunning management tools, but its product's performance was the lowest of any of the enterprise-class access offerings. Enterasys and Lucent offer good tools and good performance, but their range isn't on par with Cisco's. The Intel and all-but-identical Symbol equipment fell a bit short on management tools.
How fast is it?
We spent a lot of time benchmarking our 802.11b networks, and the findings are interesting. In all the tests we ran (see "How we did it," page 58), four nodes could saturate the network. An access point is comparable to a 10M bit/sec Ethernet segment, so you can use pretty much the same guidelines you use for 10Base-T loading to govern 802.11b loading.
We were surprised to find such a wide spread of data transfer rates between the products. Depending on the test, some network interface cards (NIC) were almost twice as fast as others, and some access points were as much as 50% faster than others (see graphic, page 52).
Statistics showed us that 100M bit/sec Ethernet was between 10 and 20 times faster than the 802.11b network components, depending on the wireless vendor and the test we were running. One thing our benchmarks don't show is what happened to the rest of the network while the benchmarks were running. At one point, we ran the usual office automation tasks during the testing on 100M bit/sec Ethernet and the wireless LAN. With the 100M bit/sec Ethernet, the tasks ran at an acceptable speed.
With the 802.11b network, things crawled to a stop while the benchmarks were running. In short, the wired Ethernet had more headroom. Again, that shouldn't be a surprise.
We were disappointed by the performance of Proxim's Harmony. Proxim has taken an interesting approach with Harmony, making its access points "dumber" and putting the intelligence into the Harmony Access Point Controller. With the intelligence in the controller, you automatically get a single point of control. This lets you control many more access points (Proxim recommends 10, although it can handle more), and also lets you have access points based on different technologies. The "dumb" access points also are less expensive than those of the other enterprise-class vendors. Several are cheaper, such as the D-Link and Buffalo, but they aren't in the same league.
It was never clear to us why the performance of the Proxim Harmony lagged. The system design means that all Harmony wireless traffic crosses the wired network twice, but Proxim assured us that wasn't usually a bottleneck, and a bit of math suggests that doubling the traffic of an 802.11 link is still less than 20% of the capacity of a 100Base-T network.
Security options
The 802.11b standard offers several layers of security. At the lowest level is the System ID, also known as the Electronic System ID, SSID or ESSID. This is an identifier code the system manager enters into the setup of all the access points and NICs that will participate in the network. By default for all the vendors except Intel and Symbol, you can enter the word "any" into the NIC setup, and the PC can participate in any network. This makes it easy to get a wireless network running, but offers no security. Even if the "any" option is disabled, it isn't hard for someone to look up the ESSID and use it later - on a laptop in the parking lot, for example. As a management issue, it is difficult to change the ESSIDs of all your access points and NICs quickly. As a result, we don't consider ESSIDs to be a valid security tool. Some of the NICs had drivers that let us enter several ESSIDs into their setups, letting them connect to any number of access points. This offers users greater flexibility in connecting to a wireless LAN in a hotel, conference center or airport. However, this increased flexibility for the user means that the system manager is more constrained from making changes because they will impact infrequent users.
The next layer of security is the access list. The access list contains the media access control (MAC) address of the systems that are authorized to access the network through that access point. With most NICs, you can change MAC addresses at setup, so it is again easy for an employee to write down MAC addresses and then enter one of them into his laptop in the parking lot. A more significant management liability is that the access list needs to be entered into each access point that you are managing. Proxim offers a centralized point of management through its Access Point Controller, while Cisco, Enterasys and Lucent offer ways to automate the updating process. But for the rest of the vendors tested, this remains a manual process.
The previous security options authenticate the computer to access the network rather than the user. The last level of access security is the use of Remote Authentication Dial-In User Service (RADIUS). RADIUS has the advantage of authenticating the user rather than the machine. Based on a user identification and a password, RADIUS can be centrally managed. Only D-Link and Intermec don't offer RADIUS compatibility. Any password scheme is vulnerable to careless users, but RADIUS gives the administrator a central location to disable user access to the network, which is a major step forward over previous approaches. We strongly prefer a RADIUS-based solution to the other current alternatives.
Once a user has access, the next level of security is encryption. Wired Equivalent Privacy (WEP) can use a 40- or 128-bit encryption key to keep people from being able to use a product such as WildPackets' AiroPeek to monitor the data. WEP can be disabled. The WEP setting is disabled by default across all the tested products. Disabling WEP makes it easy to set up a network, but also means that protocol monitors can monitor the data on the network. We suggest that you enable WEP as soon as the installation is done. Each machine can have four WEP keys entered into it, and the system manager can decide which key to use, and can use a separate key for transmission and reception. However, managing WEP keys can be a significant maintenance and management issue.
Can you manage?
Management issues can make or break your security, and overall the management tools of the products we tested are not where they should be.
Each product offered several ways to control the access point. These ranged from serial cables - useful if the access point won't respond to other means of persuasion - to telnet, Web interfaces, FTP, SNMP and proprietary management consoles. The vendors that offered proprietary management consoles usually didn't offer a Web console. Enterasys told us that a Web interface couldn't have the richness of its proprietary console. Looking at the Cisco, Intel and Symbol Web-based consoles showed that a Web-based console could be very rich indeed. We preferred using a Web interface because it meant we didn't have to install another set of vendor-specific software on our machines. System managers seem to reinstall more often than most, so a Web interface means we don't have to keep track of the vendor's CDs and reinstall the proprietary client again.
Some of the units we reviewed don't support a RADIUS server, and as a result, they have to use ESSIDs or access lists to control access. As mentioned, ESSIDs aren't all that secure. Access lists are a step up, but there are some management issues. An access list is a table of the MAC addresses of NICs that are allowed to connect to the network. The list takes up memory in the access point, so there is a limit on how many nodes an access point can support. By default, Cisco supports 2,048 nodes, but that number can be increased to as many as 64,000, although the unit could run out of memory if this is done. Lucent comes in second with 497. After that, the numbers drop off quickly.
Among the vendors we tested, only Cisco has access lists large enough to comfortably support an enterprise-sized network. Most vendors' access lists are too small, with most vendors claiming 256 to 512 entries for an enterprise network that is supposed to support global roaming, so RADIUS support is essential for a company.
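The per-unit checks discussed above (weak defaults, access lists entered by hand on each unit, and limited list capacity) can be automated. The following is an added example, not part of the original review or any vendor's tooling: it compares each access point's loaded MAC list with a master list and flags the weak settings the review names. The AccessPoint fields, the AP names and the MAC addresses are constructed assumptions.

```python
"""Audit access-point settings against the layered checks in the review.
All AP names, field names and MAC addresses are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    name: str
    acl_capacity: int                       # most MAC entries the unit can store
    acl: set = field(default_factory=set)   # MAC entries currently loaded
    wep_enabled: bool = False               # off by default on every unit tested
    accepts_any_essid: bool = True          # clients using ESSID "any" may join
    radius: bool = False                    # per-user authentication available


def norm_mac(mac: str) -> str:
    """Canonical form, so 02-00-00-00-00-01 and 0200.0000.0001 compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(ap: AccessPoint, authorized: set) -> dict:
    """Compare one access point with the master list of authorized MACs."""
    want = {norm_mac(m) for m in authorized}
    have = {norm_mac(m) for m in ap.acl}
    flags = []
    if ap.accepts_any_essid:
        flags.append("essid-any")        # the network name is no barrier
    if not ap.wep_enabled:
        flags.append("wep-off")          # traffic readable by a protocol monitor
    if not ap.radius:
        flags.append("no-radius")        # machines, not users, are authenticated
    if len(want) > ap.acl_capacity:
        flags.append("acl-overflow")     # master list cannot fit in this unit
    return {
        "ap": ap.name,
        "flags": flags,
        "stale": sorted(have - want),    # revoked centrally, still allowed here
        "missing": sorted(want - have),  # authorized centrally, locked out here
    }


if __name__ == "__main__":
    master = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}
    lobby = AccessPoint("lobby", acl_capacity=2,
                        acl={"02-00-00-00-00-01", "02-00-00-00-00-99"})
    print(audit(lobby, master))
```

Stale entries are the ones to act on first: they are addresses removed from the master list that a manually maintained unit still admits.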
Encryption prevents others from grabbing data, but the management issue in WEP is distributing and managing the WEP keys. While the keys are quite difficult to guess or crack, it is easy to write them down and enter them into the laptop. Cisco and Enterasys offer tools to distribute and manage WEP keys, so that they can be changed fairly easily. However, these are extensions of the 802.11b standard, which means you will need to use their NICs as well as their access points to take advantage of these management tools.
As mentioned earlier, Proxim approaches management with its Access Point Controller. We liked the management aspects of this, but we are concerned that using the controller introduces yet another point of failure into a network.
Hardware considerations
Where you want to put your access point is governed by radio propagation, user locations and property boundaries of your company. Then there is the cost, as the price of running a power line can range from high to absurd, depending on where you want to put the access point. Most vendors, including Cisco, Enterasys, Proxim, Intel, and Symbol, offer ways to route power to the access point through an Ethernet cable connecting it to the network, which lets you avoid installing a power outlet near the access point. However, this approach is not yet standardized, and if you are careless a misconnection can fry a port in one of your hubs or switches.
As with the NICs (see story, page 56), antennas are also a crucial component of your access point. The units from Buffalo, Enterasys and Lucent, which had no external antennas, averaged 813K bit/sec on all our performance tests, performing worse overall than the units with external antennas, from Cisco, D-Link, Intel, Intermec, Proxim and Symbol, which averaged 843K bit/sec on all our performance tests. Several vendors say an external antenna increases the signal by about 15%. However, of greater importance is that you can position the external antenna so the signal can avoid obvious obstacles. Because an external antenna increases your range, the number of access points you'll need to buy to cover your area is reduced.
Most of the access points are sealed devices. Others, such as Lucent's and Enterasys', use the same NICs to communicate as are used by PCs. This has an obvious effect on the antenna - these products have internal antennas, although you can purchase an external antenna for them too. On the other hand, using PC Card NICs lets the customer save a bit of money by buying less-expensive NICs if they don't need 128-bit WEP keys.
This also suggests that you could upgrade the access point to higher-speed technologies without replacing the entire access point. Whether those access points can handle the proposed 22M bit/sec (802.11b extensions) and 54M bit/sec (802.11a) topologies remains to be seen.
The Lucent Access Point-1000 can hold two NICs, which lets you put two channels into an area to increase data-handling capability without the cost of another access point and its installation - just another NIC and antenna.
Interop, can it happen?
On the point of interoperability, vendors try to tie you to using their access points and NICs. The Lucent NIC client software will show you the signal strength of the access point you are using, but if that access point isn't a Lucent device, you'll get a warning that you aren't connected to an access point. Most vendors offer some degree of reduced capability if you insist on mixing and matching different brands of access points and NICs. In most cases, the issues are largely cosmetic, but they will result in increased calls to the help desk.
However, until the next generation of products is released, the system manager has a difficult decision: Use a single-vendor system, with all the NICs and access points coming from that vendor, or forgo the more advanced management tools.
In a closed network, such as a corporate network, the answer is to go with a single vendor. In a more open environment, such as a college or university network, you may not have that luxury. You can suggest what the students and staff should purchase, but when it comes down to it, you'll likely have to support whatever the users bought.
The Proxim product delivered the only compatibility problem we encountered. None of the machines that we used could access a NetWare file server through Novell's RConsole, regardless of which NIC the node was using. This is a significant issue for a NetWare system manager, but it won't really matter to most users. At press time, we were still discussing performance and compatibility issues with Proxim, which let us unravel the performance issues (see story, page 56) that were caused by a slow PC.
We rated the products tested on installation and documentation. For the most part, all products were easy to install and use, and the manuals were adequate to their purpose. The one exception was the Buffalo manual and software - its manual and on-screen instructions were often confusing.
Let's get wireless?
At the end of the test, we wouldn't suggest that 802.11b be used to replace an existing wired network, unless there's an overriding need to do so. The 802.11b standard has its places, and in those places it works well. Wireless is great for employees with laptops who move around the company, as it lets them stay in touch. It is marvelous for installations that have to be set up and taken down quickly, such as student registration automation systems in colleges and universities or at a trade show seminar. The cost of installing a wireless network is often much less than wiring existing buildings.
Once the next developments in wireless technology appear - 22M bit/sec at 2.4 GHz, and 54M bit/sec at 5.7 GHz - we will be more enthusiastic about running more bandwidth-intensive applications.
At the end of the day, the Cisco Aironet 340 Access Point earned our World Class Award for its strong fit in the enterprise.
It delivers consistently higher performance than the other products, has good manageability, and the price is not totally out of line. For a SOHO environment, we'd lean heavily toward the D-Link DWL-1000 Access Point because it offers good performance and a gang-busters price.
Avery is the founder of Gunnison Territory Network Consultants, a small firm specializing in network design, management and administration. He can be reached at mavery@mail.otherwhen.com.
Avery is also a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Test Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.

