General Functions of an Access Point
Broadly speaking, there are two price classes of access points in the marketplace. A low-cost tier consisting of home devices is sold widely through retail channels directly to the end user. These low-cost devices are often specialized computing platforms with only limited memory and storage.[*] The higher-cost tier incorporates additional features required to support large deployments; frequently, these devices have additional memory and storage and incorporate more general-purpose hardware. The difference between the two price tiers is that the higher-cost devices are meant to work together as a system to build a much more reliable, secure, and manageable network. To use a somewhat simplistic analogy, the small-scale wireless LANs that have proliferated in homes and small offices are like cordless phones. They extend a single network out over a limited range, and that is all. Large-scale wireless LANs are much more like cellular telephony, with a strong focus on maintaining a network connection in a much more demanding environment. Frequent user motion and hand-off between APs is a given, as is a much higher standard of management and troubleshooting tools.
[*] For cost savings, many of the low-cost devices run a stripped-down version of Linux, and have been the subject of a great deal of software hacking. See, for example, the HyperWRT (http://www.hyperwrt.org) and wifi-box (http://sourceforge.net/projects/wifi-box) projects.
Cutting across the different market segments, however, is a set of generic features that are required to fulfill the service promises made in the 802.11 standard. Configuration of these features, of course, is vendor-specific, but many products are fairly similar to each other in purpose and design.
Most obviously, access points are bridges between the wireless world and the wired world. As bridges, then, all access points have features that one would expect to see on a network bridge. They have at least two network interfaces: a wireless interface that understands the details of 802.11 and a second interface to connect to wired networks. I am not aware of any access point that does not use Ethernet as the wired back-end, though it is certainly not required by any part of the standard. As wireless LANs have grown up, more of the high-end access points have begun to support VLANs on the network uplink. Lower-end access points may have a "WAN" port, which is usually a second Ethernet port for use with a cable modem or DSL, though I have seen a few products that have RS-232 serial ports to support dial-up modems.
All wireless interfaces must provide basic support for the 802.11 channel access rules, but the similarity ends there. Early access points implemented the entire 802.11 protocol at the edge of the network; many newer devices have moved some of the 802.11 processing away from the edge of the network and have split the 802.11 MAC across multiple system components. Most access points offer the ability to use external antennas to fine-tune range and coverage area.
Bridges have some buffer memory to hold frames as they are transferred between the two interfaces, and they store MAC address associations for each port in a set of internal tables. Bridging tables are, of course, highly implementation-specific, and there is no guarantee of similarities across the industry. The most basic and inexpensive devices will usually assume that they are the only access point in the network, and bridge accordingly. When access points support roaming, it may be necessary to move sessions and user data in between access points. High-end access points may need to augment a basic bridging table with VLAN information on the wired interface, as well as information about how users authenticate their connections.
Commercial-grade devices are also designed to work cooperatively; the most common feature is a vendor-proprietary method to move association data from access point to access point without interrupting link-layer connectivity. Network management is generally much more sophisticated on commercial-grade products to enable network engineers to manage the tens or hundreds of devices used to create a large-scale coverage area.
Initially, management through a TCP/IP network interface was a standard feature. One of the big innovations in the past few years has been the development of "thin" access point solutions that move management functions from access points to central concentration devices.
Depending on the market for which an access point is developed, it may offer services to its wireless clients. The most popular service is DHCP; wireless stations may be assigned addresses automatically upon association. Larger-scale devices often rely on existing DHCP servers on the network to ensure consistency across access points. Many access points can also perform network address translation (NAT), especially the "home gateway"-type products that can connect to a modem and dial up an ISP.
Security has been a sore point for wireless network managers since before the advent of 802.11's success. Access points have a privileged position with respect to security concerns because they are the gateways to the wired network and are ideally positioned to implement security policies. In addition to first-generation security approaches such as MAC address filtering, most products now implement stronger user-based authentication. Wi-Fi Protected Access (WPA) can be run with a pre-shared key in most home products, and with an external authentication server in large corporate deployments. Many high-end devices now offer significant integration with the existing wired network. Using those features to best extend the wired network will be discussed in the next chapter.
Management interfaces often leave something to be desired. Configuration of access points tends to be challenging because access points must be manufactured cheaply, and low-cost devices tend not to have the processing power to run an easy-to-use configuration engine. Most vendors use lightweight operating systems running on low-powered hardware, but one of the trade-offs of using a lightweight operating system is that it does not provide the programming environment necessary to build rich functionality. Early access points offered both a command-line interface and a web-based management interface. The recent development of "Wi-Fi switches" offers some hope for network administrators. Rather than requiring management of individual APs as standalone network elements, stripped-down (or "thin") access points are managed through a handful of centralized control switches. With greater processing power and functionality, the switches can support more functionality and much improved management interfaces.
Debugging and troubleshooting tools are as advanced as management tools, which unfortunately means that they often leave network administrators mired in inconclusive or irrelevant information. Ideally, products should maintain detailed logs of activities, but it is common to find vague logs of results that give very little insight into failures. Counters can be helpful, but only if the right counters are accurately maintained. Tools such as ping and traceroute are common, but network analyzers and packet capture tools are not.
Types of Access Points
Broadly speaking, there are three major types of access points. Many of the best-known devices are low-cost access points sold at major consumer electronics outlets. Although these devices make up the bulk of the market, they are unsuited for use in a large-scale deployment. Just as consumer electronics-class Ethernet switches are not suitable for building a major network, cheap APs cannot offer the features needed to build a major wireless network. Higher-priced devices with significant additional functionality exist for the corporate enterprise market.
For the home: residential gateways
The low-cost tier is composed of devices often called residential gateways. Residential gateways are designed to be as low-cost as possible, so only the basic features required for the typical small or home office are included. To further reduce cost, most of the residential products are based on "reference designs" from 802.11 chipmakers. Equipment manufacturers may (or may not) customize a reference design and its external case, and then sell the resulting device under their own brands.
Residential gateways generally share the following characteristics:
- Most devices include a DHCP server to make plug-and-play configuration easier.
- They are often deployed by users with one routable IP address, so NAT implementations are common.[*] Many can use PPPoE or DHCP to dynamically assign the routable external address.
[*] The NAT implementation is usually restrictive. It is able to translate many internal devices to varying ports on the external IP address, and fixed ports on the external IP address to specific internal addresses (for, say, inbound web or SSH requests). Some vendors may refer to this as port address translation (PAT) instead of NAT.
- Depending on the type of customer the residential gateway is aimed at, the WAN interface is a modem, a serial port, or even DSL. (Some residential gateway products may use an Ethernet port as the "WAN" connection to a cable modem or DSL modem.)
- They are often built as a single integrated unit, complete with a built-in antenna. If suitable coverage cannot be found, it is necessary to relocate the entire unit.
- Many products now claim to have an IPsec pass-through feature to allow the use of IPsec through NAT, which works with varying degrees of success depending on the IPsec VPN solution chosen.
- Configuration of residential gateways usually relies on a default internal IP address. When it is plugged in and powered up for the first time, you connect with a web browser to its default address and enter the default username and password. In some cases, all of a manufacturer's devices may come up with the same address by default. A popular choice for the default web address is 192.168.0.1, the first address in the RFC 1918 reserved address block of traditional class C addresses. As wireless LANs have become more popular, however, some vendors have built equipment to coexist with other gear by default, either by choosing a random value for the final number in the IP address, or by testing to ensure the address is not in use.
- They are often sold directly to the end user and are designed to be aesthetically pleasing. Unfortunately for many end users, the improved visual design sometimes prevents the stacking of residential gateways with other network equipment. Many vendors design their equipment to be stackable with their other components, however.
- Security configuration options are often limited to smaller-scale solutions. Much older residential gateways only implemented MAC filtering or static WEP, so be careful about purchasing used equipment. Nearly every device now sold uses WPA's preshared key authentication with dynamic encryption keys.
- Most residential devices do not have sophisticated radios. They typically have just a single radio interface, running either 802.11g or 802.11a. The former is more common in residential devices because the 2.4 GHz frequency used by 802.11g has greater coverage. Residential networks are typically limited by their uplink to the Internet, and do not need to be built with small coverage areas for dense, high-bandwidth coverage.
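The restrictive NAT described in the footnote above (many internal hosts translated to varying ports on one external address, plus fixed external ports forwarded to chosen internal hosts) can be modelled as a small translation table. This is an added example, not code from the book or from any gateway vendor; the addresses and ports are constructed, and it shows why unsolicited inbound traffic is dropped unless a fixed forward deliberately exposes an internal service.

```python
"""Toy model of the NAT/PAT behaviour of a residential gateway.

Added example, not from the book. All addresses and ports are constructed.
Outbound flows are assigned a dynamic external port; inbound packets are
accepted only if they match an existing outbound flow or a fixed forward.
"""
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class Gateway:
    def __init__(self, external_ip: str, forwards: Optional[Dict[int, Endpoint]] = None):
        self.external_ip = external_ip
        # Fixed forwards: external port -> internal (ip, port), e.g. inbound web or SSH
        self.forwards: Dict[int, Endpoint] = dict(forwards or {})
        # Dynamic mappings: (internal src, remote dst) -> external port
        self.table: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # Reverse lookup for replies: (external port, remote dst) -> internal src
        self.reverse: Dict[Tuple[int, Endpoint], Endpoint] = {}
        self._ports = count(40000)  # constructed dynamic port range

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an internal source to the external address, allocating one port per flow."""
        key = (src, dst)
        if key not in self.table:
            port = next(self._ports)
            self.table[key] = port
            self.reverse[(port, dst)] = src
        return (self.external_ip, self.table[key])

    def inbound(self, remote: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Return the internal host for an inbound packet, or None if the gateway drops it."""
        # A reply to a flow the internal host opened
        if (ext_port, remote) in self.reverse:
            return self.reverse[(ext_port, remote)]
        # A fixed forward: this port is intentionally exposed to everyone
        if ext_port in self.forwards:
            return self.forwards[ext_port]
        # Anything else is unsolicited and has nowhere to go
        return None


def demo() -> Tuple[Endpoint, Optional[Endpoint], Optional[Endpoint], Optional[Endpoint]]:
    gw = Gateway("203.0.113.7", forwards={22: ("192.168.0.10", 22)})
    remote = ("198.51.100.5", 443)
    mapped = gw.outbound(("192.168.0.20", 51000), remote)   # ("203.0.113.7", 40000)
    reply = gw.inbound(remote, 40000)                        # back to the internal client
    stranger = gw.inbound(("198.51.100.9", 443), 40000)      # different peer: dropped
    ssh = gw.inbound(("198.51.100.9", 5555), 22)             # fixed forward: exposed host
    return mapped, reply, stranger, ssh


if __name__ == "__main__":
    print(demo())
```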
As this book was written, residential gateways typically cost $35 to $100. Common manufacturers are D-Link, Linksys, and Netgear. Apple's AirPort is sometimes placed in this category as well, although it is priced significantly higher and has more features.
For the office: enterprise access points
Enterprise gateways, which often go by many other names that imply the buyer values features over cost, provide everything residential gateways do, plus additional features useful for larger-scale environments. Enterprise gateways generally share the following characteristics:
- The area over which mobility is required is much larger and requires several access points working in concert. Enterprise products support some sort of protocol to move sessions between access points.
- Enterprise products are built around upgradeability to offer a service life as long as possible. They are typically built on relatively high-powered generic hardware, and implement a great deal of higher-layer functionality in software that can be easily upgraded. They may have radios that are easy to swap out. Early enterprise APs used PC Card radios, so a switch from 802.11b to 802.11a involved changing a card, and possibly a software upgrade. As the price of components has fallen, radio cards are typically no longer upgradeable, but the software is.
- One of the advantages to the high level of software control of an enterprise-grade AP is that new security developments can often be added in with a software update. Any serious enterprise-grade AP will support WPA, and most vendors promised easy software upgrade paths to 802.11i. As new security features are standardized, they can be added on to an existing network without changing hardware. Enterprise-grade APs often add security in layers, so new security mechanisms can be used in conjunction with older mechanisms. Hardware-based enhancements to security often appear in more expensive devices first, too. When chipsets started supporting AES acceleration in hardware, it appeared on high-end devices first. Some enterprise APs can support multiple security standards simultaneously.
- Enterprise-type deployments are frequently intended to create a coverage blanket throughout a relatively large area. Power is not always convenient to the location of an access point, but it is typically abundant in the wiring closet. All enterprise-grade APs support drawing power over Ethernet using IEEE 802.3af.
- The radio side of a high-end AP is frequently much more sophisticated than a low-cost AP. Most enterprise APs have an antenna connector that allows the attachment of a variety of external antennas to tailor the coverage area and coverage quality to your needs. Some APs are beginning to incorporate highly advanced antenna technology that allows very fine control over transmission patterns, or allows a single antenna to be used by multiple MAC chips. Transmission power can usually be adjusted to enlarge or shrink the coverage area as desired. Many enterprise APs can also support multiple virtual radio networks over the antenna.
- In addition to radio tunability, enterprise APs can support some form of virtual access points. Multiple SSIDs can be configured, and each can be assigned its own authentication and encryption settings. This feature is often used to create parallel networks with different security settings to accommodate older equipment while offering maximum security for newer equipment.
- Enterprise APs are designed to integrate into an existing network. On the security side, that means that they often must integrate into an existing security architecture, usually by plugging in to an existing user database. Once users are successfully authenticated to the network, though, they must take advantage of network services. A second integration point is the way that an enterprise AP extends existing access control and user privileges that may already be present on the wired network.
- Integration with an existing network extends to the data plane as well. Most enterprise-grade APs are designed to perform dynamic VLAN assignment based on user attributes from the authentication server.
- Frequently, site survey tools come bundled with enterprise-class products so network managers can plan large deployments by directly assessing coverage quality. These tools vary greatly in their sophistication. Some site survey tools are little more than a historical statistical readout, while extremely advanced tools can derive a network layout from the physical environment.
- Reflecting the administrative demands, configuration of enterprise-class devices is done with easily scripted command-line interfaces or SNMP, and monitoring and management capabilities are far more extensive than in residential gateways. Some products are also controlled through large-scale management frameworks that enable a single administrator to monitor and change configuration on hundreds or even thousands of access points.
- Enterprise gateways are often deployed in packs. Aesthetic requirements in typical office space may require unobtrusive mounting, so these devices offer flexibility in the way that they mount in the building. Many are designed to be mounted above ceilings, and may be plenum rated.[*] Devices installed in air ducts and air-handling spaces must meet strict smoke emission requirements for safety reasons. Plenum-rated APs can be installed nearly everywhere; devices that lack the necessary certifications may be restricted in possible mounting locations.
[*] For information on flame tests, see http://www.houwire.com/catalog/technical/cable_flame.asp.
Naturally, these additional capabilities do not come without a price. Most enterprise-grade APs list for $500 to $1,000, though they are often available at significant discounts. Over time, the price of high-end APs does fall, but it is not subject to the same downward pressure as residential-class products. The canonical example of an enterprise-grade AP is the Cisco 1200 or Cisco 1100. Both are built on relatively generic hardware, run a full-blown version of the Internetwork Operating System, and are given new features on a regular basis. Proxim, Symbol, 3Com, and HP produce competing products with similar feature sets.
For the large office: wireless switches
One of the biggest changes in the time since the first edition of this book was published is the emergence of the "wireless switch" or "thin AP" architecture, in which relatively lightweight access points are controlled by a centralized switch. The driver behind the thin AP or wireless switch architecture is increased efficiency over first-generation products. Part of the efficiency is based on the technology itself. Thin AP architectures remove processing from the AP and move it to an aggregation device. Eliminating processing at the AP removes components and cost from the AP, increasing service lifetime. If configuration is removed from the AP as well, there are fewer managed elements in the network.
Centralizing capabilities in the controller can also lead to increased flexibility. For the same cost, concentrated hardware in the controller can provide more processing power than distributed processing at the access point. Coordinating activity between access points allows network managers to load-balance clients between APs, monitor radio activity centrally, and extend the existing network more easily.
The cost of a wireless switch-based solution may depend a great deal on its size. Most vendors offer a variety of controllers, which may range from just a few APs up to hundreds of APs. The original switch solution was Symbol's Mobius product; solutions were later built from the ground up by Airespace, Aruba, and Trapeze.