Friday, April 8, 2011

Aruba Mobility Bootcamp Experience and Random Cisco Wireless Comparisons

This post is about wireless technology. However, I'm not a wireless expert. I've worked with Cisco Wireless LAN Controllers (WLCs) for a few years and have been quite happy with them.  That said, I've seen Aruba's prices and they're very competitive. I have the opportunity to work with both Aruba and Cisco now in my current position.

I attended the Aruba Mobility Bootcamp (MBC), a week-long class including PowerPoint instruction as well as hands-on labs with Aruba model 3200 controllers, AP125s, and RAP2s. The class was very well taught by an experienced Aruba instructor (Ken Elwell). The material was well designed and Ken did a great job boiling down some of the more complicated slides, saying things like "This is an overly complex slide that really is just trying to tell you X."

Topics covered included the following, and there was a hands-on lab for each one. I've included my own interpretation for most of them.
  • Architecture
  • Initial Controller Setup
  • AP Provisioning - APs come online using Aruba Discovery Protocol, which uses things like DHCP option 43 and/or looking for a DNS "aruba-master" record; APs come up in the default AP group, then are provisioned to the desired group, assigned a useful name, and rebooted for changes to take effect
  • Authentication - MAC-based, Captive Portal, 802.1x with different EAP types
  • Firewall Policies - Aruba controller can be licensed with additional stateful firewall with policies that can be applied to individual devices and users (They also mention it's ICSA certified)
  • Roles - Every device and user has a role associated with it; there are different ways these roles can be derived, such as through MAC address, 802.1x authentication, Captive Portal login credentials, as well as the actual SSID the user is associated with
  • RF Plan - Decent application available on the controller as well as standalone for Windows that allows import of floor plans and automatic placement of APs on map; can then print a bill of materials for order placement (I'm sure that's a favorite feature of Aruba SEs :-) )
  • Adaptive Radio Management (ARM) - automatic detection of channel-based WiFi interference and automatic channel and power-level changes to maximize coverage
  • Captive Portal Operations - web-based authentication for guest networks
  • Remote Access Points (RAPs) - useful for SOHO, can tunnel all traffic and/or do split-tunnel for employee SSID; can also provide additional SSID for non-employee Internet access for personal/family use
  • Remote AP Installation with ZeroTouch Deployment - administrator adds a RAP's MAC address to a "white list", then user takes RAP home, plugs it in, enters basic info allowing it to "phone home" to the controller and get its config policies
  • Virtual Intranet Access (VIA) - remote-access client for PCs running Windows 32-bit; future support for Win 64-bit and Mac
  • Wired Access Control - apply security policies used for wireless users to wired ports on APs; particularly useful for SOHO running a RAP with additional Ethernet ports
  • Site-To-Site VPN - Compatible with other Aruba controllers as well as Netscreen, Sonicwall, Microsoft, and Cisco
  • Master Redundancy - VRRP active/standby redundancy
  • Master and Local Operation - APs can be associated to a controller on-prem ("Local") and fail over to Master (back at datacenter) in case of Local controller failure
  • Local Redundancy - VRRP active/standby, N+1 failover where one controller backs up multiple controllers as VRRP standby for those other controllers, active/active redundancy where each controller in a pair is active VRRP for different VRRP groups
  • Mobility - Keep same IP even while roaming between different controllers, useful for dense deployments on large campuses
  • Mesh - Outdoor or indoor
  • Wireless Intrusion Protection (WIP)

One of the most critical things I learned this week is the level of abstraction involved with configuring Aruba Mobility Controllers. In order to configure something as simple as a set of access points with multiple SSIDs (e.g., employee and guest), you actually create two different "Virtual APs" or VAPs. Then you associate those two VAPs with an "AP Group". Then you provision particular APs to that group. It's a little challenging to get used to after working with Cisco for so long, but it's a very powerful way of configuring the controller. The concept of object-oriented programming comes to mind.
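
The VAP / AP Group layering described above, sketched as a controller configuration. This is an added example, not taken from the course material or the original post. The syntax follows ArubaOS 6.x-era CLI conventions and should be checked against the release you run; every profile name, ESSID, VLAN ID, role name and the RADIUS server group is made up, and the roles and server group are assumed to exist already.

```text
# Annotation lines start with "#" and are not CLI input.
# All names, ESSIDs, VLAN IDs and the server group below are illustrative.

# SSID profiles: what is broadcast and how it is encrypted
wlan ssid-profile "employee-ssid"
   essid "corp-employee"
   opmode wpa2-aes
!
wlan ssid-profile "guest-ssid"
   essid "corp-guest"
   opmode opensystem
!
# AAA profiles: how a client is authenticated and which role it receives
# (employee: role assigned after 802.1x; guest: pre-login role for captive portal)
aaa profile "employee-aaa"
   authentication-dot1x "default"
   dot1x-default-role "employee"
   dot1x-server-group "corp-radius"
!
aaa profile "guest-aaa"
   initial-role "guest-logon"
!
# One Virtual AP per SSID: binds SSID profile, AAA profile and VLAN together
wlan virtual-ap "employee-vap"
   ssid-profile "employee-ssid"
   aaa-profile "employee-aaa"
   vlan 10
!
wlan virtual-ap "guest-vap"
   ssid-profile "guest-ssid"
   aaa-profile "guest-aaa"
   vlan 20
!
# The AP group references both VAPs; any AP in the group serves both SSIDs
ap-group "hq-floor1"
   virtual-ap "employee-vap"
   virtual-ap "guest-vap"
!
# Provision an AP (hypothetical name) into the group
ap-regroup ap-name "ap125-lobby" "hq-floor1"
```

The security boundary between employee and guest traffic lives in the AAA profile and the role it assigns, not in the AP itself, so adding an AP to the group cannot accidentally weaken either SSID's policy.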

Keeping in mind that I am NOT A WIRELESS EXPERT, here are some of my thoughts on Aruba vs Cisco:

Random Comparisons between Aruba and Cisco (Swack's $0.02):
Aruba ARM vs Cisco CleanAir - Aruba's current ARM technology appears to be limited to seeing channel-based interference, whereas Cisco CleanAir incorporates a special chip designed to see the entire RF environment including interference not caused by 802.11 sources (think microwave ovens, analog jammers, radar, etc.).  CleanAir is more expensive, but is much more advanced. Depends how critical your wireless environment is and how much you're willing to pay for the added functionality.

Aruba RAP vs Cisco OfficeExtend - Aruba's RAP2 provides 802.11b/g and retails for $99. Cisco OfficeExtend uses 1140 or 1130AG APs which I think are more than $99 (correct me if I'm wrong). These costs don't take into account the licensing you'll need on the controllers.

Aruba Policy Enforcement Firewall (PEF) vs Cisco SSID-based ACLs - Stateful firewall policies based on user and/or device vs. non-stateful ACLs.

Aruba RF Plan software vs Cisco WCS Planning Tool - Aruba's RF Plan software is available on their controllers as well as through a Windows-based executable. We got it for free from our Aruba SE. Cisco WCS is not cheap, and I'm not aware of another source for the planning software.

Swack's Take:
I learned a ton this week that I can apply at my current job. Also, thanks to some folks I interact with on Twitter, I was able to learn more about Cisco's wireless solutions.  In the end, it's up to the individual engineer at a particular company to decide what is best for their environment.

Please comment below or hit me up on Twitter (@swackhap) with your comments/questions/snarky remarks about the competition.