

Trapeze Networks Mobility System Giant WLAN Test

A Broadband-Testing Report


First published December 2004 (V1.0)

Published by Broadband-Testing
La Calade, 11700 Moux, Aude, France
Tel : +33 (0)4 68 43 99 70
Fax : +33 (0)4 68 43 99 71
E-mail : [email protected]
Internet : http://www.broadband-testing.co.uk

2004 Broadband-Testing. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this Report is conditioned on the following:

1. The information in this Report is subject to change by Broadband-Testing without notice.

2. The information in this Report, at publication date, is believed by Broadband-Testing to be accurate and reliable, but is not guaranteed. All use of and reliance on this Report are at your sole risk. Broadband-Testing is not liable or responsible for any damages, losses or expenses arising from any error or omission in this Report.

3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY Broadband-Testing. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY Broadband-Testing. IN NO EVENT SHALL Broadband-Testing BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

4. This Report does not constitute an endorsement, recommendation or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products, or that the products will meet your expectations, requirements, needs or specifications, or that they will operate without interruption.

5. This Report does not imply any endorsement, sponsorship, affiliation or verification by or with any companies mentioned in this report.

6. All trademarks, service marks, and trade names used in this Report are the trademarks, service marks, and trade names of their respective owners, and no endorsement of, sponsorship of, affiliation with, or involvement in, any of the testing, this Report or Broadband-Testing is implied, nor should it be inferred.


TABLE OF CONTENTS

EXECUTIVE SUMMARY .......................................... 1
THE AIMS OF THIS REPORT .................................... 2
    Overview ............................................... 2
THE WLAN SCALABILITY ISSUE ................................. 2
THE GIANT WLAN PUT TO THE TEST ............................. 3
    The Test Outlined ...................................... 3
    The Trapeze Products Used In The Test .................. 4
    Test bed Details ....................................... 7
    Test Highlights ........................................ 9
        Roaming ............................................ 9
        Real-Time Applications ............................. 9
        User Location And Rogue Detection .................. 9
CONCLUSION ................................................. 9

TABLE OF FIGURES

Figure 1 – Trapeze MX-8 Examples ........................... 4
Figure 2 – Trapeze Mobility Point .......................... 5
Figure 3 – Trapeze RingMaster Software ..................... 6
Figure 4 – The Giant WLAN Test Topology .................... 7


Broadband-Testing

Broadband-Testing is Europe’s foremost independent network testing facility and consultancy organisation for broadband and network infrastructure products. Based in the south of France, Broadband-Testing offers extensive labs, demo and conference facilities. From this base, Broadband-Testing provides a range of specialist IT, networking and development services to vendors and end-user organisations throughout Europe, SEAP and the United States.

Broadband-Testing is an associate of the following:

• NSS Network Testing Laboratories (specialising in security product testing)
• Broadband Vantage (broadband consultancy group)
• Limbo Creatives (bespoke software development)

Broadband-Testing Laboratories are available to vendors and end-users for fully independent testing of networking, communications and security hardware and software. Broadband-Testing Laboratories operates an Approval scheme which enables products to be short-listed for purchase by end-users, based on their successful approval.

Output from the labs, including detailed research reports, articles and white papers on the latest network-related technologies, is made available free of charge on our web site at http://www.broadband-testing.co.uk

The conference centre in Moux in the south of France is the ideal location for sales training, general seminars and product launches, and Broadband-Testing can also provide technical writing services for sales, marketing and technical documentation, as well as documentation and test-house facilities for product development.

Broadband-Testing Consultancy Services offers a range of network consultancy services including network design, strategy planning, Internet connectivity and product development assistance.


Broadband-Testing – Trapeze Networks Giant WLAN Test

EXECUTIVE SUMMARY

The biggest and most ambitious Wireless LAN (WLAN) test simulation ever was carried out in association with Iometrix Networks of San Francisco, to prove the scalability of Trapeze Networks’ Mobility System switched WLAN solution. The test featured several Trapeze products: two MX-400 switches, 10 MX-20 switches and eight MX-8 switches, for a total of 20 Mobility Exchange switches, inter-connected via a Cisco router acting as the network core. We used 200 802.11a/b/g Access Points (APs), or Mobility Points in Trapeze-speak, on individual VLANs. 50 Linux servers ran roaming client simulations – each server simulating 200+ clients – to which we also added a live network running VoWIP and video streaming real-time applications. This all ran across a single, giant, wireless network infrastructure.

Using VLANs to segment traffic, we simulated a multi-tenant (seven companies) 50-storey office block. The virtual clients simulated a typical office 24-hour day (run approximately every hour) with all the traffic patterns modelled in this simulation. We started by taking an AutoCAD drawing of the simulated office block, using Trapeze’s RingMaster software to design and deploy the WLAN. Without this kind of management tool, the whole project would have taken weeks longer to deploy. Once set up, we were then able to monitor (with full history) the usage patterns of anyone on the WLAN, including their full roaming paths, even in real time.

So, onto the scalability issues. The key part here is the authentication, for which we used 802.1x along with WPA 2.0 encryption and Dynamic WEP. Not only is the scalability of authenticating 10,000 plus clients on a single physical network an issue here, but we also created the network so that each and every client always authenticated via the “virtual” company it belonged to, regardless of where that “user” was roaming in the office block. If you take the example of a restaurant located on the 50th floor, it is easy to see how this would work in practice. Any wireless user re-associating with the WLAN in the restaurant would always be routed via their office WLAN connection to authenticate, before being allowed to roam as configured, including into the virtual restaurant, for example. This means that their access controls would always be in place, regardless of where they roamed.

We peaked at over 11,000 roaming clients, in addition to several live users. The real-time applications – the voice application was run using VoWIP (Voice over Wireless IP) phones, the video streaming source from a web cam – worked faultlessly in tandem with the simulated traffic. The roaming also worked without any problems whatsoever. We also carried out some rogue intrusion tests and managed to identify a rogue AP, for example, to within a yard of where it actually was. Overall, the test proved categorically that a WLAN – or at least the Trapeze Mobility System – does scale, while remaining easy to manage. And you can’t have one without the other…

Page 1


THE AIMS OF THIS REPORT

Overview

Within the scope of this report we’ve looked to put WLAN scalability and roaming capabilities to their most severe test ever, taking Trapeze Networks’ total Mobility System solution and putting it to the proverbial sword. By combining simulated and live users, “regular” traffic and real-time applications, across a single, giant WLAN with thousands of simultaneous connections, we are pushing roaming and client authentication further than they’ve ever been pushed in any previous test. In conjunction with Iometrix Labs in the US, the test bed was set up to simulate a 50-storey, 10,000+ user building housing seven different virtual companies, with typical user patterns modelled and simulated throughout the test. The results are therefore as representative of a real-world situation as it is possible to get within a labs environment, with the addition of roaming live users too. Primarily we were concerned with the following:

• Scaling the number of simultaneous active user sessions.
• Scaling the size of the management domain.
• Understanding the management demands of a very large WLAN.
• Exploring real-time applications such as voice and video over wireless.
• Identifying how to use location-based services to find users.
• Using RF location to quickly locate rogues.

Anyone wishing to follow up on any aspects of the report with the author is welcome to contact me by email at [email protected]

THE WLAN SCALABILITY ISSUE

Ask any doubters of WLAN technology what the key potential problem with it is and chances are that they will come up with scalability, first and foremost. And let’s face it – there is reason to be sceptical here. WLAN technology is still – in relative terms – in its infancy and the vast majority of deployment to date has either been in the home, or in public “hotspot” applications, neither of which would be remotely considered to carry the old burden of the “mission critical” tag. Annoying maybe, but losing a connection while checking email at the airport, or loading the next set of MP3 tracks remotely into the home, isn’t going to cost anyone millions of dollars – unless in the former scenario it meant the user couldn’t get their £10,000 bet on the 100-1 shot that ends up winning. Dream on…

The reality is that, to date, most companies have shied away from deploying WLAN altogether, or at least in any kind of business-critical scenario. But are they right to be holding back? And is – with the obvious exception of SOHO and branch office applications – WLAN simply an extension of a wired network to allow a set of additional applications to be run, or can it be a true wired network replacement?

Page 2


THE GIANT WLAN PUT TO THE TEST

The Test Outlined

So what is the real difference between wired and wireless networks from a testing perspective? The answer is in the mobility itself. As a client device moves, its data rate is likely to change and as it continues to move, the client may associate with different Access Points (APs). And if the roaming cannot be completed quickly enough, a user application session may drop, which makes the service unreliable and real-time applications such as Voice over Wireless IP (VoWIP) impossible.

Security requirements are also different, not just in terms of authenticating users and encrypting their traffic – open WLANs are easy targets – but also in terms of identifying rogue users. It is easy for a company employee to bring their own AP into work and create an additional WLAN which itself may provide a simple point of entry onto the network for an outsider. Security also places additional burdens on the network infrastructure. To see how the Trapeze solution coped with this requirement we enabled IEEE 802.1x authentication and Wi-Fi Protected Access (WPA)/IEEE 802.11i and dynamic WEP encryption with rotating broadcast/multicast keys, for all users. If these are not properly implemented, they can be a performance drain on the network, especially as the network grows to support thousands of users. Yet another excellent test for the network then…

Not only is the scalability of authenticating 10,000+ clients on a single physical network here an issue, but we also created the network so that each and every client always authenticated via the “virtual” company it belonged to, regardless of where that “user” was roaming in the office block. If you take the example of a restaurant located on the 50th floor of a high-rise building, it is easy to see how this would work in practice. Any wireless user re-associating with the WLAN in the restaurant would always be routed via their office WLAN connection to authenticate, before being allowed to roam as configured, including into the virtual restaurant, for example. This means that their access controls would always be in place, regardless of where they roamed.

To put this to the test, we created a multi-tenant, 50-storey, high-rise commercial building simulation, with seven companies (tenants) with a total user base in excess of 10,000 clients. Each company effectively had its own private network, with its own user authentication, encryption, roaming, management and quality of service (QoS) requirements. As the underlying physical WLAN infrastructure was provided by the building owner, the infrastructure was a shared service. With such a shared infrastructure, security, scalability and reliability were obviously paramount for all tenants. As such it targeted all the common concerns about WLAN technology that we highlighted earlier. In order to make life more interesting we also created a real, live network to run two real-time applications, VoWIP and streaming video, at the same time as the simulated network ran continuous data traffic.

Page 3


The Trapeze Products Used In The Test

The Mobility Exchange (MX) switch is the platform upon which the Trapeze WLAN solution, the Mobility System, is based. MXs manage users' identities as they roam and configure and control all aspects of the Mobility Points and third-party access points. Multiple MXs function as a peer-to-peer system to support mobility and enforce security. One MX can support a mobile user's connection to a subnet even though the actual attachment to that subnet is through a different MX. This MX-to-MX exchange requires no changes to existing IP backbones. MXs make sure that attributes like virtual private groups, access control lists (ACLs), authentication, usage tracking, location tracking and network statistics stay with users anywhere they roam in the network. The MXs exchange users' identities amongst themselves, ensuring secure access to the appropriate user services and distributing intelligence throughout the Trapeze Mobility System.

Figure 1 – Trapeze MX-8 Examples

The MXs also control Mobility Points and access points, configuring and managing them whether the MXs directly link to them or use the existing wired infrastructure to connect to them. MXs are available in a variety of form factors - MXR-2, MX-8, MX-20 and MX-400 - and provide the same feature set regardless, including Identity-Based Networking, multiple users per port, multiple private groups per MX, and AAA offload.

• The compact MXR-2 delivers wireless LAN services to branch offices using automatic, no-touch deployment and remote configuration and management capabilities that require no onsite IT expertise.

• The MX-8 includes eight 10/100 Mbps ports and provides PoE. It is designed for distributed deployments in the wiring closet and can support eight Mobility Points or third-party APs.

• The MX-20 includes 20 10/100 Mbps ports, all with PoE, and two Gigabit Ethernet ports. It is designed for either distributed deployment in wiring closets or centralised deployment in the data centre. It supports 40 Mobility Points or third-party APs.

• The MX-400, designed for data centre deployment, includes four Gigabit Ethernet ports and supports 100 Mobility Points or third-party APs.

Page 4


All MXs perform Layer 2 forwarding and support Layer 3-4 and identity-tracking capabilities. MXs integrate with wired infrastructures and offer redundant load-sharing links, 802.1Q trunking, spanning tree and per-VLAN spanning tree (PVST+). They also support IGMP snooping, which is vital to supporting IP multicast streams. Quality of service (QoS) is done with Layer 3-4 application information on a per-user or per-group basis and can utilise IP DiffServ code points. The Trapeze Access Points (Mobility Points) are defined as system devices that augment secure mobility and provide WLAN connectivity for users via the MX, as line cards in a chassis-based switch provide client access. Unlike a classic “fat” AP, the MP is under the control of the MX and has no local data storage, with numerous configuration and deployment advantages resulting from this. Trapeze supports both directly connected MPs as well as MPs and third-party APs that connect to the MX through an intervening network. With no IP address assigned to it and no data on it, the MP is not a hackable device. An Ethernet link to an MP cannot be used by a station to gain network access, nor is there a console port; so no local access is possible within an open office environment. All security management is handled by the MX, including the generation of session keys. The MPs receive their power from the MX’s Power-over-Ethernet ports or standard PoE devices. Two Ethernet ports on the MP give it dual homing capabilities so redundant connections to two separate MX units or other network infrastructure can be created.

Figure 2 – Trapeze Mobility Point

Page 5


Management and deployment of the Mobility System is undertaken using Trapeze’s RingMaster management software. RingMaster is a software tool, based around a context-sensitive, rules-based engine, that enables a network manager to perform pre- and post-deployment planning, configuration, verification, management and optimisation of the WLAN infrastructure. It includes a complete, wizard-based, virtual site survey (using existing graphics of floor plans) with a built-in library of RF attenuation factors, and a deployment mechanism that removes the need for a physical - and expensive - site survey to be carried out to plan the WLAN deployment. RingMaster automatically determines the number of MPs that need to be installed in any part of a building, taking into consideration the building obstacles on the floor plan, the number of users, and the level of traffic they’re likely to generate. It also allows the network manager to easily adjust WLAN capacity with minimal disruption, as all the “what-if” type scenario investigations can be carried out offline. It can also be used for rogue detection (see test section) as well as to verify RF coverage in general.

Figure 3 – Trapeze RingMaster Software

Page 6


Test bed Details

Enough of the theory – let’s put these scalability issues to the test. With Trapeze, the ability of individual users and groups to roam to different MPs or wired-authentication ports is governed by Mobility Profiles. The users retain the same access rights, including VLAN assignment, no matter where they roam, even if the new access point is separated by a router.

The network must be architected to gracefully handle the increased demands of wireless authentication and encryption. The key derivation algorithms in Transport Layer Security (TLS) and other Extensible Authentication Protocol (EAP) methods used by IEEE 802.1X demand serious computation. Cryptography too requires considerable processing power. If not properly architected, then, the performance demands of the authentication and encryption can impact the network’s ability to scale to hundreds of users, let alone thousands.

Ensuring that each tenant received a reliable, secure WLAN service was essential. Trapeze Virtual Service Sets deliver multiple virtualised services over a single infrastructure, defining each tenant company’s required authentication, encryption and IEEE 802.11 characteristics. This ensured that each tenant’s network traffic was isolated and secured even though the underlying infrastructure was actually shared.

Figure 4 – The Giant WLAN Test Topology

Page 7


For the test bed, we simulated 802.11a/b/g clients – all 200 APs in the test (from both Trapeze Networks and 3Com) supported all of these standards – using a cluster of 50 Linux workstations, each simulating 200 clients. Each of these client groups was put on a separate VLAN to enable us to manage this number of connections sensibly. To test the ability to scale the number and types of users, any or all of the 10,000+ clients were allowed to roam anywhere. We simulated a “typical” working day for these virtual clients, so that every real hour of testing represented a 24-hour working period with typical peaks and troughs of activity. We then added a live network of real users in order to test real-time applications – VoWIP and streaming video – running across the wireless network at the same time as the traffic generator was peaking.

The test also focused on the ability to manage a very large network. Our starting point in deploying this network was to use Trapeze’s RingMaster management software to create an installation plan. Having fed an AutoCAD drawing of the simulated building into the system, along with our user requirements, it generated a detailed plan of exactly where to position each AP (Mobility Points or MPs in Trapeze “speak”), which switch port each should be attached to, and where possible AP channel conflicts/overlaps might cause performance problems. The APs could then be fine-tuned to minimise cross-interference, though in practice, due to real space constraints, we simulated this deployment by hard-wiring the APs back to the network; in addition, several others were spread around the labs for the live user testing. In reality, the APs would have been spread across thousands of square metres of floor space. RingMaster also gave us visibility into network activity and performance. We used RingMaster for 24/7 monitoring of the network, including monitoring all users, the RF and rogues – all with detailed histories available to us at any time.

The WLAN test infrastructure included two Trapeze MX-400 switches, 10 MX-20 switches and eight MX-8 switches, for a total of 20 Mobility Exchange switches. It also included a Nortel IP PBX and a SpectraLink Voice Priority (SVP) server for controlling the voice traffic. The underlying wired infrastructure included two RADIUS servers that shared the AAA authentication duties. Each user session was authenticated using IEEE 802.1X TLS to these two RADIUS servers. Alternatively, the MXs can take over processing chores otherwise handled in the AAA back end, thus increasing the efficiency and scale of a RADIUS server: for example, the MXs can perform crypto operations like public key algorithm processing and key generation. The network also included a Microsoft Internet Authentication Service (IAS) server and Cisco Catalyst 6500 and 4500 routers at the core, adding more realism to the test setup.

We enabled a number of VoWIP phones and also set up a permanent security web-cam streaming video across the network. We then created “guest” access to the WLAN so that real users could open a browser to see the live webcam sessions.

Page 8


Test Highlights

Roaming

This was the real highlight of the test. Regardless of the nature of the roaming user – virtual or real – we experienced no problems at any time. We peaked at over 11,000 roaming clients, roaming across 50 virtual floors of an office block, as well as live users roaming the labs. In addition to allowing employees to access the WLAN, we permitted guest access. This way, visitors with a wireless-enabled laptop or PDA could sign onto a web portal and get immediate and appropriate access. We controlled guest access by location and time of day. As a result, guests could only access the Internet from conference rooms during business hours. Trapeze’s WebAAA provided full authentication, authorisation and accounting support for guests at the different tenant companies. The guests were given access to the real-time applications (see below).
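The per-tenant authentication and guest rules described in The Test Outlined, Test bed Details and the Roaming highlight above can be modelled as one small access-policy function. The Python below is an added example, not Trapeze or RingMaster code: the tenant names, RADIUS server names, VLAN ids, guest accounts and the simplified stand-in for the 802.1X and WebAAA exchanges are all constructed assumptions.

```python
"""Identity-based access policy for a multi-tenant WLAN (constructed model).

Each tenant is one virtual service set (SSID) with its own AAA server and VLAN.
A client re-associating with any AP is authenticated by its own tenant's AAA
and keeps that tenant's VLAN and ACL wherever it roams; guest access goes
through a web portal and is limited to conference rooms in business hours.
All names, VLAN ids and user records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional


@dataclass(frozen=True)
class Tenant:
    ssid: str
    vlan: int
    aaa_server: str   # hypothetical RADIUS server name for this tenant
    acl: str          # hypothetical ACL applied to every session of this tenant


@dataclass(frozen=True)
class AccessPoint:
    name: str
    floor: int
    room: str         # "office", "restaurant" or "conference"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    aaa_server: Optional[str]
    vlan: Optional[int]
    acl: Optional[str]
    reason: str


TENANTS = {
    "corp-a": Tenant("corp-a", 101, "radius-a.example", "acl-corp-a"),
    "corp-b": Tenant("corp-b", 102, "radius-b.example", "acl-corp-b"),
    "restaurant": Tenant("restaurant", 150, "radius-rest.example", "acl-restaurant"),
}
# What each tenant's RADIUS server knows; no server knows another tenant's users.
AAA_USERS = {
    "radius-a.example": {"alice", "bob"},
    "radius-b.example": {"carol"},
    "radius-rest.example": {"till-1"},
}
GUEST_SSID, GUEST_VLAN = "guest", 900
GUEST_ACCOUNTS = {"visitor-0042"}          # constructed WebAAA portal accounts
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def clock(hour: int, minute: int = 0) -> datetime:
    """Fixed constructed date; only the time of day matters to the policy."""
    return datetime(2004, 12, 1, hour, minute)


def radius_accepts(server: str, identity: str) -> bool:
    """Stand-in for the 802.1X/EAP-TLS exchange with the tenant's RADIUS server."""
    return identity in AAA_USERS.get(server, set())


def authorize(identity: str, ssid: str, ap: AccessPoint, now: datetime) -> Decision:
    """Decide what a client joining `ssid` at `ap` gets; tenant results never depend on the AP's floor."""
    if ssid == GUEST_SSID:
        if ap.room != "conference":
            return Decision(False, None, None, None, "guests only from conference rooms")
        if not BUSINESS_HOURS[0] <= now.time() < BUSINESS_HOURS[1]:
            return Decision(False, None, None, None, "guests only during business hours")
        if identity not in GUEST_ACCOUNTS:
            return Decision(False, None, None, None, "unknown guest portal account")
        return Decision(True, "webaaa-portal", GUEST_VLAN, "acl-internet-only", "guest login")
    tenant = TENANTS.get(ssid)
    if tenant is None:
        return Decision(False, None, None, None, f"unknown service set {ssid!r}")
    # Authentication always goes to the tenant's own AAA server, wherever the AP is.
    if not radius_accepts(tenant.aaa_server, identity):
        return Decision(False, tenant.aaa_server, None, None,
                        f"{identity!r} rejected by {tenant.aaa_server}")
    return Decision(True, tenant.aaa_server, tenant.vlan, tenant.acl,
                    f"accepted by {tenant.aaa_server} via {ap.name} (floor {ap.floor})")


def roam(identity: str, ssid: str, path: List[AccessPoint], now: datetime) -> List[Decision]:
    """Re-associate along a sequence of APs and return the decision at each hop."""
    return [authorize(identity, ssid, ap, now) for ap in path]
```

Running `roam("alice", "corp-a", [office_ap, restaurant_ap], clock(12, 30))` yields the same VLAN, ACL and AAA server at both hops, while the same identity on another tenant's SSID is refused by that tenant's server.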

Real-Time Applications

The real-time applications – the voice application was run using VoWIP (Voice over Wireless IP) phones, and the video streaming source was the security web cam – worked faultlessly in tandem with the simulated traffic. These real-time applications were able to work because we enabled QoS, allowing them to share the WLAN bandwidth with the lower-priority data transmissions of the non-critical traffic.

User Location And Rogue Detection

We explored the ability to locate users anywhere in the 50-storey simulated building. We set the MPs to scan for unknown clients, using both their active and unused radios. We then used RingMaster’s topology mapping capability to locate the unknown devices. The active scanning process did not incur significant overhead – less than five percent. We were able to follow the movements of any user on the network, both in real-time and historically. We also carried out some rogue intrusion tests and managed to identify a rogue AP, for example, to within a yard of where it actually was.
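As an added illustration of the rogue-detection step just described (not RingMaster's own code or algorithm), the Python below takes scan reports from several MPs, flags any BSSID that is not on the authorised list, and estimates the rogue's position on the floor plan with a weighted centroid driven by a log-distance path-loss model. The MP coordinates, BSSIDs, path-loss constants and readings are constructed sample data.

```python
"""Rogue AP detection and coarse RF location from MP scan reports (constructed model).

MPs scan with their active and unused radios and report every BSSID they hear with
its signal strength; any BSSID not on the authorised list is a rogue, placed by which
MPs heard it and how strongly. The weighted-centroid locator is a generic textbook
technique used for illustration, not RingMaster's own method. BSSIDs, coordinates,
path-loss constants and readings are all constructed sample data.
"""
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

Point = Tuple[float, float]


class ScanReport(NamedTuple):
    mp: str          # reporting Mobility Point
    bssid: str       # MAC address heard on the air
    ssid: str
    rssi_dbm: float


# Constructed floor-plan coordinates (metres) of the four MPs on one simulated floor.
MP_POSITIONS: Dict[str, Point] = {
    "mp-37-01": (0.0, 0.0), "mp-37-02": (20.0, 0.0),
    "mp-37-03": (0.0, 20.0), "mp-37-04": (20.0, 20.0),
}
# BSSIDs the management system deployed itself (constructed locally administered MACs).
AUTHORIZED_BSSIDS = {"02:00:00:37:00:01", "02:00:00:37:00:02",
                     "02:00:00:37:00:03", "02:00:00:37:00:04"}
# Log-distance path-loss model: rssi = RSSI_AT_1M - 10 * n * log10(d). Assumed indoor values.
RSSI_AT_1M = -40.0
PATH_LOSS_EXPONENT = 3.0


def rssi_to_distance(rssi_dbm: float) -> float:
    """Invert the path-loss model to get an estimated distance in metres."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


def find_rogues(reports: List[ScanReport]) -> Dict[str, List[ScanReport]]:
    """Group the reports of every BSSID that is not on the authorised list, by BSSID."""
    rogues: Dict[str, List[ScanReport]] = defaultdict(list)
    for r in reports:
        if r.bssid.lower() not in AUTHORIZED_BSSIDS:
            rogues[r.bssid.lower()].append(r)
    return dict(rogues)


def locate(reports: List[ScanReport]) -> Optional[Point]:
    """Weighted centroid of the MPs that heard the device (weight 1/d^2); None if fewer than three did."""
    strongest: Dict[str, float] = {}
    for r in reports:
        if r.mp in MP_POSITIONS:
            strongest[r.mp] = max(strongest.get(r.mp, -999.0), r.rssi_dbm)
    if len(strongest) < 3:
        return None
    wx = wy = wsum = 0.0
    for mp, rssi in strongest.items():
        d = max(rssi_to_distance(rssi), 0.5)   # clamp so one very strong reading cannot dominate
        w = 1.0 / (d * d)
        wx, wy, wsum = wx + w * MP_POSITIONS[mp][0], wy + w * MP_POSITIONS[mp][1], wsum + w
    return (wx / wsum, wy / wsum)


def location_error(estimate: Point, truth: Point) -> float:
    """Straight-line error in metres between an estimate and the true position."""
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


def synth_rssi(pos: Point, mp: str) -> float:
    """Constructed reading: what `mp` would hear from a device at `pos` under the model."""
    d = max(location_error(pos, MP_POSITIONS[mp]), 1.0)
    return RSSI_AT_1M - 10 * PATH_LOSS_EXPONENT * math.log10(d)


# Constructed scan: two authorised MPs hear each other, and all four hear an
# unknown AP (an employee's own router, say) that really sits at (5, 5).
ROGUE_TRUE_POS: Point = (5.0, 5.0)
SAMPLE_REPORTS = [
    ScanReport("mp-37-01", "02:00:00:37:00:02", "corp-a", -70.0),
    ScanReport("mp-37-02", "02:00:00:37:00:01", "corp-a", -70.0),
] + [ScanReport(mp, "02:dd:ee:ff:00:01", "home-router", synth_rssi(ROGUE_TRUE_POS, mp))
     for mp in MP_POSITIONS]


def rogue_report(reports: List[ScanReport] = SAMPLE_REPORTS) -> Dict[str, Optional[Point]]:
    """Map each rogue BSSID to its estimated (x, y) on the floor plan, or None if unplaceable."""
    return {bssid: locate(rs) for bssid, rs in find_rogues(reports).items()}
```

On the constructed sample the single unknown BSSID is placed about 1.2 m from its true position; a device heard by fewer than three MPs is reported but not placed.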

CONCLUSION

The test proved categorically that a WLAN – or at least the Trapeze Mobility System – does allow for very extensive scaling, while user management, of both existing and additional users, remains easy. That we were able to run real-time applications on top of general network traffic is real ammunition for those who argue that – in the right environment – wireless can indeed be a replacement for wired LANs.