Product Overview. Trapeze Networks Wireless LAN Mobility System




An Overview of the Trapeze Networks Wireless LAN Mobility System

Enterprise IT demands for an integrated wireless mobility infrastructure span both technical and financial concerns. A wireless LAN (WLAN) system must meet stringent security requirements, deliver the required mobility functions, and at the same time be easy and cost-effective to install and operate. The WLAN Mobility System from Trapeze Networks meets these seemingly disparate requirements by delivering best-in-class secure mobility, the broadest range of services, and the lowest total cost of ownership of any WLAN system.

Best-in-Class Secure Mobility

While all WLAN systems purport to bring you mobility, only the Trapeze Mobility System has an architecture that lets users roam securely anywhere in the network, over any topology, whether it's at headquarters, branch offices, campuses or multi-tenant/multi-use facilities. The Mobility System does not require changes to your current infrastructure. It simply makes your existing network, with all of its structure and services, available wirelessly. With Trapeze, you just deploy the WLAN equipment, link to your wired network, and the Mobility System automatically provides roaming users with secure access to their existing network resources, and only those appropriate resources. Trapeze gives users complete mobility without forcing you to distribute VLANs throughout your network, add a new VLAN, or change your client infrastructure.

The Trapeze Mobility System applies the toughest security measures available today to ensure that only authorized people can access your network's resources. Using strong standards-based authentication and encryption, the Trapeze Mobility System protects against misuse and eavesdroppers and isolates traffic between multiple private groups. When the Mobility System authenticates users, it tracks their individual identities as they roam throughout the WLAN, enabling fast secure handoffs and eliminating the need for users to reauthenticate as they roam. As a result, users enjoy passport-free mobility, with no need to reconfirm their identity, and they gain access to a consistent set of services.

Broadest Range of Services

The architecture of the Trapeze Mobility System supports the broadest range of wireless services of any WLAN system. It integrates with authentication, authorization, and accounting (AAA) servers to provide user services based on identity, a feature Trapeze calls Identity-Based Networking. With Identity-Based Networking, you can centralize policies for network access, traffic prioritization, and mobility services in the AAA server, which provides consistent controls wherever users roam. The Trapeze Mobility System also provides you with crucial security and network administration services such as a robust Intrusion Detection System (IDS) and resiliency capabilities. Identity-Based Networking enables you to define for a user or user group their virtual private group, time of day access, encryption type, quality of service (QoS) level, traffic filtering, roaming profiles, and location-specific policies.

The system also excels in its delivery of voice-over-wireless-IP (VoWIP) services, with Wi-Fi Multimedia (WMM) for QoS and per-user queuing. Only the Trapeze Mobility System relies on standard mechanisms to provide such fine-grained control of network resources and enforces those policies consistently as users roam.

In addition to user-based services, the Trapeze Mobility System also provides important IT-oriented services. These services include intrusion detection and location, denial-of-service alerts, user monitoring and location, and high-availability and network-resiliency mechanisms. The Trapeze Mobility System's comprehensive Intrusion Detection System provides a strong line of defense against denial-of-service and other attacks, while intelligent countermeasures take direct aim at disabling rogue devices. Many of these capabilities are derived from the award-winning Trapeze RingMaster tool suite, which enables you to plan, deploy, configure, and manage your WLAN.

Trapeze also offers industry-leading resiliency capabilities. The system relies on standard, interoperable techniques such as spanning tree and per-VLAN spanning tree (PVST+) to support redundant connections to the backbone and within the WLAN system. Trapeze is unique in supporting two Ethernet ports on each Mobility Point (MP) access point, enabling data path and Power over Ethernet (PoE) redundancy from the wired infrastructure. For more details on rogue and intrusion detection, resiliency and other Trapeze Mobility System functions, see the Key Functions of the Trapeze Integrated Mobility System section that follows.

Lowest Total Cost of Ownership

The Trapeze Mobility System offers unparalleled operational advantages. It remains the easiest WLAN to plan and run and therefore offers the lowest total cost of ownership in the industry. To a large extent, the powerful RingMaster tool suite is responsible for these operational gains, which have provided Trapeze customers with a return on investment of less than one year.

RingMaster is a full WLAN lifecycle tool. It includes all the features you need to plan, deploy, configure, and manage the WLAN. RingMaster yields an accurate plan for the WLAN through its use of measured attenuation factors for building obstacles. The tool automatically calculates how many MPs you need and places them in your building for optimal radio-frequency (RF) coverage and capacity. No other WLAN system tool includes building attenuation, so no other tool can pinpoint the optimal location for access points (APs). As you're building the plan, behind the scenes RingMaster is building the configuration files that support that plan. When you verify that the plan is complete, RingMaster provides a work order to simplify deployment, and then, in a single step, RingMaster automatically configures the WLAN equipment. International support ensures that RingMaster will use the appropriate channel settings and power levels allowed by each country's regulations. If an MP detects radar on a channel (Dynamic Frequency Selection, DFS, identifies the presence of radar on a channel), it switches to another channel and does not attempt to use the channel where the radar was detected for 30 minutes.

You'll enjoy the greatest operational savings during the actual running of the Trapeze Mobility System. The system automates such time-consuming tasks as rogue detection, user monitoring, user location, roaming history, RF monitoring, security enforcement, and troubleshooting. Using RingMaster, Trapeze's customers have achieved operational savings of 50%-70% over other WLAN architectures.

Key Functions of the Trapeze Integrated Mobility System

1) Planning and Scaling Pre-Deployment

The first step in planning a Trapeze deployment is to import building plans in standard file formats, typically as a DWG or DXF file. These files are generally available from the Facilities department or building owner. Alternatively, a standard JPEG or .gif file of the floor plan can be used. With the plans loaded into the tool, RingMaster allows IT staff to assign pre-set RF attenuation factors to walls, doors, cubes, windows, ceilings, and other objects on the floor plan, based on the building materials. RingMaster will use this information as the foundation for all planning, verification, deployment, and management. RingMaster operates three-dimensionally to consider both the horizontal (on the floor) and vertical (between floors) transmission and attenuation of wireless signals.

Next, IT specifies an area where they want to provide wireless coverage. RingMaster will calculate the appropriate number of MPs or third-party APs based on either the minimum count needed to provide RF coverage in that area or on capacity parameters, if IT has chosen to note the number of users and bandwidth per user in that area. RingMaster places the MPs on the floor plan, though managers can choose to manually move them to more convenient locations to simplify installation.

Figure: RingMaster lets you import an AutoCAD drawing of your floor to simplify planning and management.

RingMaster assigns power levels, channels, and minimum data association rates for each MP. The power levels and association rates are set to optimize cell sizes for the coverage area. RingMaster shows expected coverage via an offline verification process, in which it models the RF environment. For installation, IT can then print a work order directly from RingMaster that shows the MP placement.
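The planning steps above (an attenuation factor per obstacle, an MP count driven by coverage, and a second count driven by capacity) can be illustrated with a small model. The Python below is an added example written for this page; it is not RingMaster code and does not use Trapeze's propagation model, which the page does not disclose. It assumes a log-distance path-loss model with an indoor exponent of 3, a constructed 20 m by 12 m floor with two walls whose attenuation values are made up, an assumed transmit power and coverage threshold, and a greedy placement that keeps adding the candidate site covering the most still-uncovered points until the coverage target is met.

```python
import math

# Constructed floor plan: 20 m x 12 m, sampled once per metre at cell centres.
FLOOR_W, FLOOR_H = 20, 12
# Walls as segments with an attenuation factor in dB. The values are assumed
# for illustration; RingMaster uses its own measured factors per material.
WALLS = [
    ((10, 0), (10, 12), 6.0),    # drywall partition splitting the floor left/right
    ((0, 6), (20, 6), 12.0),     # concrete wall splitting the floor front/back
]
TX_POWER_DBM = 17.0              # assumed MP transmit power
MIN_RSSI_DBM = -70.0             # assumed minimum signal for a point to count as covered


def _ccw(a, b, c):
    """True if the points a, b, c are in counter-clockwise order."""
    return (c[1] - a[1]) * (b[0] - a[0]) > (b[1] - a[1]) * (c[0] - a[0])


def segments_cross(p1, p2, q1, q2):
    """Proper crossing test for segments p1-p2 and q1-q2."""
    return _ccw(p1, q1, q2) != _ccw(p2, q1, q2) and _ccw(p1, p2, q1) != _ccw(p1, p2, q2)


def path_loss_db(distance_m, freq_mhz=2437.0, exponent=3.0):
    """Log-distance model: free-space loss at 1 m plus 10*n*log10(d); n=3 is an assumed indoor value."""
    fspl_1m = 20 * math.log10(freq_mhz) - 27.55
    return fspl_1m + 10 * exponent * math.log10(max(distance_m, 1.0))


def rssi_at(ap, point):
    """Predicted RSSI at `point` from an MP at `ap`, subtracting every wall the link crosses."""
    loss = path_loss_db(math.dist(ap, point))
    for w1, w2, attenuation in WALLS:
        if segments_cross(ap, point, w1, w2):
            loss += attenuation
    return TX_POWER_DBM - loss


def sample_points():
    """Cell centres at which coverage is evaluated."""
    return [(x + 0.5, y + 0.5) for x in range(FLOOR_W) for y in range(FLOOR_H)]


def candidate_sites(step=2):
    """Possible MP locations: a coarser grid over the same floor."""
    return [(x + 0.5, y + 0.5) for x in range(0, FLOOR_W, step) for y in range(0, FLOOR_H, step)]


def is_covered(aps, point):
    return any(rssi_at(ap, point) >= MIN_RSSI_DBM for ap in aps)


def coverage_fraction(aps):
    points = sample_points()
    return sum(is_covered(aps, p) for p in points) / len(points)


def plan_mps(target=0.95, users=0, kbps_per_user=0, kbps_per_mp=20000):
    """Greedy coverage planning followed by a capacity check.

    Adds the candidate site that covers the most still-uncovered sample points
    until the coverage target is met, then compares that count with the number
    of MPs the offered load needs (assumed 20 Mbit/s usable per MP).
    """
    points = sample_points()
    uncovered = set(points)
    sites = []
    while len(uncovered) > (1 - target) * len(points):
        gain = lambda c: sum(rssi_at(c, p) >= MIN_RSSI_DBM for p in uncovered)
        best = max(candidate_sites(), key=gain)
        if gain(best) == 0:
            break                      # no candidate helps; what is left is a dead zone
        sites.append(best)
        uncovered = {p for p in uncovered if rssi_at(best, p) < MIN_RSSI_DBM}
    for_capacity = math.ceil(users * kbps_per_user / kbps_per_mp) if kbps_per_mp else 0
    return {
        "sites": sites,
        "coverage": 1 - len(uncovered) / len(points),
        "mps_for_coverage": len(sites),
        "mps_for_capacity": for_capacity,
        "mps_required": max(len(sites), for_capacity),
    }


if __name__ == "__main__":
    print(plan_mps(target=0.95, users=120, kbps_per_user=500))
```

On this constructed floor the two walls carve out four areas, and a link that crosses both of them loses 18 dB, so one MP cannot reach the far corner of the diagonally opposite area: two sites satisfy the 95% coverage target, but the assumed load (120 users at 500 kbit/s against 20 Mbit/s per MP) needs three, which is the coverage-versus-capacity distinction the section draws.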
In centralized deployments, Trapeze Mobility Exchange (MX) WLAN switches can be installed anywhere in the network and connect to the MPs through the existing infrastructure of switches and routers. In distributed deployments, MXs can be deployed in wiring closets and connect directly to MPs. Workers can install MPs, pulling Category 5 unshielded twisted-pair (UTP) cable as needed from wiring closets to the MP locations that are specified by two-dimensional coordinates on the work order.

Future scaling requirements are easily met. IT can implement capacity planning at any time and add or change metrics about the user count and bandwidth amount. The system then generates an updated floor plan, showing the new MPs. To make the updates as easy as possible, RingMaster will preserve existing MP locations and add new ones around them to increase bandwidth, coverage area, or both, and RingMaster will automatically make any needed adjustments to the channel settings or power levels of the existing MPs.

Figure: RingMaster shows the contours of RF coverage.

2) Installation, Configuration, and Verification Post-Deployment

RingMaster includes a policy feature that allows IT to create configuration templates. The templates quickly replicate configuration details across dozens to thousands of MXs and MPs. With one click of the mouse, the system verifies the configurations. A second click pushes the configurations to the MXs via secure HTTP. This process is a transaction-based communication, so if any part of it fails, the system will abort the entire operation and roll back to the previous known good configuration. After the equipment is installed and configurations are pushed to the MXs, the MPs will automatically self-configure, either obtaining their configuration from a directly attached MX or using DHCP to get an IP address and subsequently learn which MX hosts their configuration. After the system is deployed, RingMaster can perform online topology verification. In this process, the system uses the RF statistics collected by the Mobility System Software (MSS) on the MXs and MPs to compare actual coverage to the design goals outlined in the planning phase.

3) Secure Virtual Private Groups

The Trapeze Mobility System secures network access on a per-user basis and makes it very easy for IT to define multiple secure Virtual Private Groups (VPGs). The Trapeze system is the only WLAN architecture that allows IT to retain the same user groups on the wireless network as exist on the wired network and will dynamically link users to those groups wherever they roam on the network. IT does not have to modify the wired network to distribute those groups in advance, nor does a new wireless group need to be defined. IT simply configures the groups to exist on the backbone ports of an MX and they're accessible across the Trapeze system. The Trapeze Mobility System works with the back-end AAA infrastructure to assign users to the appropriate VPG, and IT can define a host of additional attributes associated with that group, including encryption type, time of day access, QoS levels, filtering, and roaming profiles.

4) Roaming

The Trapeze Mobility System simplifies IT's ability to enable secure roaming on the WLAN. The MXs authenticate users and then maintain session tables for the users, which they communicate with each other to share information about authenticated users and their MP associations. MXs know the existence and whereabouts of all MXs and MPs in the system, enabling secure roaming throughout the deployment. As a user roams, the MX moves user information, such as authentication, pairwise master keys for encryption, access control, and secure private group membership, to the appropriate location on the same or another MX.
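The handoff described here (and the session-caching point made again under 6) Authentication and Encryption below) can be modelled with a few classes. This is an added example, not Trapeze code: it assumes a constructed AAA stand-in that counts round trips, a domain registry that stands in for the session-table sharing between MXs, and a random token in place of the real pairwise master key. Roaming between MPs on one MX reuses the local session; roaming to a second MX pulls the session from the MX that holds it, so the AAA server is consulted only at the first association.

```python
import secrets


class AAAServer:
    """Constructed stand-in for the RADIUS back end: one round trip per authentication."""

    def __init__(self, users):
        self.users = users        # username -> {"password": ..., plus authorization attributes}
        self.requests = 0

    def authenticate(self, username, password):
        self.requests += 1
        record = self.users.get(username)
        if record is None or record["password"] != password:
            return None
        return {k: v for k, v in record.items() if k != "password"}


class MobilityDomain:
    """Registry through which an MX finds the MX currently holding a client's session."""

    def __init__(self):
        self.mxs = []

    def locate(self, mac):
        for mx in self.mxs:
            if mac in mx.sessions:
                return mx
        return None


class MX:
    """Mobility Exchange model: authenticates, keeps sessions, hands them over on roam."""

    def __init__(self, name, aaa, domain):
        self.name, self.aaa, self.domain = name, aaa, domain
        self.sessions = {}        # client MAC -> session record
        domain.mxs.append(self)

    def associate(self, mac, mp, username=None, password=None):
        """Handle a client associating with one of this MX's MPs and return its session."""
        session = self.sessions.get(mac)          # local roam between MPs on this MX
        if session is None:
            previous = self.domain.locate(mac)
            if previous is not None:
                session = previous.release(mac)   # inter-MX roam: pull the session, no AAA
            else:
                session = self._authenticate(mac, username, password)  # first association
            self.sessions[mac] = session
        session["mx"], session["mp"] = self.name, mp
        session["history"].append((self.name, mp))
        return session

    def release(self, mac):
        """Give up a session to the MX the client has roamed to."""
        return self.sessions.pop(mac)

    def _authenticate(self, mac, username, password):
        if username is None:
            raise PermissionError(f"{mac}: no session anywhere in the domain; credentials required")
        attrs = self.aaa.authenticate(username, password)
        if attrs is None:
            raise PermissionError(f"{mac}: AAA rejected user {username!r}")
        return {"mac": mac, "user": username, "attrs": attrs,
                "pmk": secrets.token_hex(32),     # stands in for the pairwise master key
                "history": []}


def demo():
    """Constructed walkthrough: one authentication, two roams, zero reauthentications."""
    aaa = AAAServer({"alice": {"password": "correct-horse", "vpg": "engineering", "vlan": 20}})
    domain = MobilityDomain()
    mx1, mx2 = MX("mx-1", aaa, domain), MX("mx-2", aaa, domain)
    mac = "02:00:00:00:00:aa"
    first = mx1.associate(mac, "mp-1", "alice", "correct-horse")
    mx1.associate(mac, "mp-2")                    # roam within mx-1
    final = mx2.associate(mac, "mp-3")            # roam to mx-2
    return aaa, mx1, mx2, first["pmk"], final


if __name__ == "__main__":
    aaa, mx1, mx2, pmk, session = demo()
    print(aaa.requests, session["history"], session["pmk"] == pmk)
```

The point to check in such a design is that a client with no session anywhere in the domain cannot be admitted by "roaming": without credentials the association is refused, and a wrong password costs exactly one AAA round trip and no session.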

Because the MXs share this data, users are not required to request re-authentication or re-authorization from the AAA back-end while roaming. The MXs maintain statistics for the complete session, even when the user changes location, keeping the roaming history updated for help in troubleshooting. In addition, because users' traffic is dynamically linked to the appropriate secure private group on the wired infrastructure, enabling roaming is very easy for IT. While most WLAN switches require IT to define new wireless groups or to replicate existing wired groups everywhere on the wired network, Trapeze in contrast requires just that IT extend existing wired groups into an MX somewhere in the network. From there, the MXs take care of dynamically instantiating the required VPG wherever a user roams.

5) Third-Party APs

The Trapeze Mobility System goes to great lengths to retain IT's investment in existing APs. The system provides a broader set of services to third-party APs than any other WLAN system, making it easier for IT to plan, manage, and deploy services across them.

Planning Integration

The Trapeze RingMaster tool suite provides extensive planning and management of third-party APs. IT can denote on a floor plan the location, channel, and power setting of them, and RingMaster will plan the WLAN around those settings. The system will automatically select channels on surrounding MPs to avoid co-channel interference. This planning capability is crucial not just for accommodating an organization's existing APs but also for noting the location of neighbors' APs.

RF Modeling

Not only can IT locate third-party APs on a floor plan in RingMaster and plan around them, but RingMaster also displays the wireless coverage of those radios in a particular environment. RingMaster is the only WLAN system tool that includes a library of RF attenuation factors, so it understands how RF will move through the facility. IT can view the RF contours of both MPs and third-party APs, instantaneously getting a snapshot of the radio signal propagation.

Figure: The APs on the left side of the floor plan are third-party APs with their RF coverage modeled in RingMaster. The right side of the floor shows three Trapeze MPs.

These visualizations are essential to understanding the coverage that APs from Trapeze and other vendors provide. These visualizations are also vital to modeling the impact of an AP failure, verifying the absence of co-channel interference, and seeing the 3D impact of APs above and below the floor you're modeling. Of all the WLAN infrastructure tools, only Trapeze's RingMaster incorporates an understanding of RF attenuation in a building, so only Trapeze can model MPs and third-party APs accurately.

Channel and Power Management

In addition to noting the existing channel and power settings when first deploying the Trapeze Mobility System, RingMaster also enables IT to modify those settings in the future. As the WLAN system grows or as IT redeploys those third-party APs, the flexibility to control their settings from the Trapeze Mobility System is very helpful.

Authentication

The Trapeze system provides authentication and network access for users associated with third-party APs. Clients can be authenticated using 802.1X and its Extensible Authentication Protocol (EAP) variations, Media Access Control (MAC), WebAAA, or using the Mobility Exchange's local database or a RADIUS server group.

Security

The Trapeze system also lets IT control the security settings on third-party APs. IT can define packet filtering policies on the MX to set prioritization for QoS or to instantiate client access policies. IT can define, for example, that all traffic from a third-party AP must go to a certain network device or that traffic from particular applications can be sent only to one network device.

Power over Ethernet

The MX supplies industry-standard IEEE 802.3af PoE, so it can power third-party APs. This capability makes it easy for organizations to consolidate existing APs and new MPs on the same integrated device rather than needing the MX to power some radios and standalone PoE switches or power injectors to power others.

6) Authentication and Encryption

Strong mutual authentication is a critical element in securing access to a WLAN. The Trapeze Mobility System supports a variety of authentication mechanisms including 802.1X, MAC address, and web authentication. WebAAA allows users to log in securely using a web browser, as would be used for public or guest access, and this web page can be easily customized. WebAAA provides fast login by immediately placing the user in the appropriate subnet/VLAN after authentication and authorization, and then enforces all authorized policies such as time of day/day of week, encryption type, and access control lists. Any of these approaches tie into AAA servers, which can host a set of authorizations associated with each user or user group.

In the Trapeze Mobility System, the MXs play a major role in authentication. The MXs process EAP variants, such as PEAP, and so can offload that protocol processing from the AAA server (see Topic 11, AAA Integration and RADIUS Scaling). Once the system authenticates a user associated with an MP or third-party AP, it maintains the information about that user, including the set of authorization attributes from the AAA server. The MXs store that information as part of the user session, and when a user roams, the next MX requests that user session from the previous MX. With this architecture, the Trapeze Mobility System does not require users to reauthenticate every time they roam, speeding the roaming hand-off time dramatically and preserving the user's secure connection to the WLAN.

Another critical security element is strong encryption to protect the data transmitted over the air so that other users cannot intercept and read it. The Trapeze Mobility System has distributed the key generation and authentication encryption functions to the MXs to further offload the AAA back-end. Trapeze supports a range of encryption options to meet the toughest security requirements, including dynamic Wired Equivalent Privacy (WEP) with rotating broadcast/multicast keys, Wi-Fi Protected Access (WPA) 1.0 based on the 802.11i Temporal Key Integrity Protocol (TKIP), or WPA 2.0 based on the 802.11i Advanced Encryption Standard (AES), which is the strongest encryption available today. The MX can generate the public key infrastructure (PKI) keys locally, which are needed for certificate creation and processing. The MX can either generate certificate signing requests to be sent to a third-party certificate authority, or the MX can generate self-signed certificates.

Certificate authority (CA) certificates may also be installed on the MX. This set of keys and certificates ensures the security of the client authentication process, as well as the communications channel to RingMaster and secure web browsers. The MX can also perform all public key/private key operations to encrypt the authentication channel between the MX and wireless clients. In addition, the MX can generate the session keying material to encrypt transmission between the MP and wireless clients. Hardware on the MX accelerates the computationally intense process of key generation, enabling the Trapeze Mobility System to scale with an increasing number of wireless users. The MX then delivers the appropriate keying material to the MP. The MP performs the actual session encryption in hardware, which significantly scales the WLAN because encryption horsepower increases every time another MP is added to the network. The hardware-based encryption and authentication protocol processing that happens in Trapeze equipment significantly offloads the burden that would otherwise fall on the AAA back-end.

7) Identity-Based Networking

Networking systems to date have focused on physical and geographical elements for deployment and management. Wired switches, for example, use physical ports as the basis for VLAN assignment, authentication, and management. In the wireless realm, the importance of a physical port disappears since a user can be anywhere in the enterprise and will attach to the network at a variety of points.

Figure: User A is in Area A; User B is in Area B. User A travels into Area B and is immediately denied network access; User B travels into Area A and is immediately denied network access. User A remains in Area B without network access; User B returns to Area B and is automatically reconnected to the network. The Trapeze Mobility System lets you decide who gets wireless LAN access and where they can get it.

To provide the relevant information to the right location, a wireless system must rely on user identity instead of devices as its architectural focus. An MX then, as the heart of an enterprise-class wireless system, must coordinate with other MXs to provide the appropriate access rights, location information and data propagation based on a user's identity rather than ports. User attributes such as VLAN and subnet assignment, access control lists (ACLs), authentication information, usage tracking, and network statistics must follow users and remain consistent, independent of the attachment point to the network or the media (wired or wireless) used.

8) Voice Support

The Trapeze Mobility System excels in its support for voice traffic. Whether using VoIP handsets or soft phones, workers can roam without worrying about dropped calls or poor voice quality. The Mobility System uses WMM to provide QoS. WMM maps priority information between wired and wireless packets, so that voice, video and other high-priority traffic receive priority treatment end-to-end throughout the network.

The system also includes a sophisticated classification and prioritization scheme for marking and treating traffic appropriately. The MX classifies traffic according to user and/or application and marks it using DiffServ conventions. The MP then places traffic marked as highest priority in the expedited queue of that user. Each MP hosts four queues per user, and expedited traffic for all users is always sent first. To further simplify customers' voice deployments, Trapeze supports 802.11 handsets and badges from a wide range of companies, including SpectraLink, and provides native support for SpectraLink Voice Priority (SVP). The system simultaneously supports SVP and WMM VoIP devices simply by configuring an access control list to set the class of service. The strong mobility features of the Trapeze system, with fast roaming and caching of encryption keys, enable the high quality of the voice connection to persist as phone users roam.

9) Intrusion Detection System and Denial-of-Service Alerts

The Trapeze Mobility System includes a sophisticated RF Intrusion Detection System (IDS) that alerts IT to the presence and location of rogues or denial-of-service attacks. IT can use policies to enforce strict control over the type of wireless devices allowed on the network. IT can set policies to permit devices by their SSID or their manufacturer, or blacklist clients by their MAC addresses, preventing them from communicating. Trapeze first determines whether a device is permitted, interfering, or a rogue. An interfering device may belong to a neighboring business, and if it is not a threat then IT may choose to ignore it. IT can issue effective and fine-grained countermeasures against rogue and interfering devices on an attack list. Trapeze also detects denial-of-service attacks, flood attacks, and spoofed APs and immediately alerts IT of the intrusion. In addition, the RF IDS can detect RF jamming, weak WEP keys used by the client, and fake AP flooding.
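The classification this section describes (permitted, interfering or rogue, driven by SSID, manufacturer and client-MAC policy, plus fake-AP flood detection) can be written as plain detection logic run over a sweep's observations. The Python below is an added example, not Trapeze or RingMaster code. Every BSSID, OUI, SSID and threshold in it is constructed, and treating an unknown AP heard above a signal-strength threshold as on-premises (rogue rather than interfering) is an assumption of the example, not a mechanism the page states. It produces verdicts, an attack list and flood alerts only; what to do about them is left to the operator.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One beacon or probe response seen by a scanning MP radio (constructed)."""
    bssid: str      # MAC address of the transmitting AP
    ssid: str
    rssi: int       # dBm as measured by the MP
    seen_by: str    # MP that reported it


# Policy inputs, all constructed for the example.
MANAGED_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}   # radios of our own MPs
CORPORATE_SSIDS = {"corp-secure", "corp-guest"}                # SSIDs only our MPs may advertise
PERMITTED_SSIDS = {"NeighborCafe-Public"}                      # known third-party SSIDs, permitted
PERMITTED_OUIS = {"02:aa:bb"}                                  # manufacturer prefixes permitted by policy
BLACKLISTED_CLIENTS = {"02:ba:d0:00:00:01"}                    # clients that may not communicate
ON_PREMISES_RSSI_DBM = -65   # assumed: louder than this and the radio is probably inside our building
AP_FLOOD_THRESHOLD = 20      # assumed: more distinct BSSIDs than this from one MP in one sweep is suspicious


def oui(mac):
    """First three octets of a MAC address, lower-cased."""
    return mac.lower()[:8]


def classify(obs):
    """Return (verdict, reason); verdict is 'permitted', 'interfering' or 'rogue'."""
    if obs.bssid in MANAGED_BSSIDS:
        return "permitted", "radio belongs to a managed MP"
    if obs.ssid in CORPORATE_SSIDS:
        return "rogue", f"unmanaged radio advertising corporate SSID {obs.ssid!r}"
    if obs.ssid in PERMITTED_SSIDS or oui(obs.bssid) in PERMITTED_OUIS:
        return "permitted", "allowed by SSID or manufacturer policy"
    if obs.rssi >= ON_PREMISES_RSSI_DBM:
        return "rogue", f"unknown AP heard at {obs.rssi} dBm, likely on premises"
    return "interfering", f"unknown AP heard at {obs.rssi} dBm, likely a neighbor"


def client_allowed(mac):
    """Client MAC blacklist check."""
    return mac.lower() not in BLACKLISTED_CLIENTS


def detect_ap_flood(observations):
    """Fake-AP flooding: an MP reporting an implausible number of distinct BSSIDs in one sweep."""
    per_mp = {}
    for o in observations:
        per_mp.setdefault(o.seen_by, set()).add(o.bssid)
    return {mp: len(bssids) for mp, bssids in per_mp.items() if len(bssids) > AP_FLOOD_THRESHOLD}


def sweep_report(observations):
    """Classify every distinct BSSID by its strongest reading and flag floods."""
    strongest = {}
    for o in observations:
        if o.bssid not in strongest or o.rssi > strongest[o.bssid].rssi:
            strongest[o.bssid] = o
    verdicts = {bssid: classify(o) for bssid, o in strongest.items()}
    return {
        "verdicts": verdicts,
        "attack_list": sorted(b for b, (v, _) in verdicts.items() if v == "rogue"),
        "flood_alerts": detect_ap_flood(observations),
    }


SAMPLE_SWEEP = [  # constructed observations from one sweep
    Observation("02:00:00:00:00:01", "corp-secure", -40, "mp-1"),
    Observation("02:00:00:00:00:09", "corp-secure", -48, "mp-1"),   # impersonates our SSID
    Observation("02:aa:bb:00:00:05", "Lab-Printer", -55, "mp-2"),   # permitted manufacturer
    Observation("02:cc:dd:00:00:07", "CafeWifi", -84, "mp-2"),      # weak: a neighbor
    Observation("02:cc:dd:00:00:08", "Setup-Router", -42, "mp-2"),  # strong unknown radio
] + [Observation(f"02:ff:ff:00:{i:02x}:00", f"free-wifi-{i}", -72, "mp-3") for i in range(25)]


if __name__ == "__main__":
    report = sweep_report(SAMPLE_SWEEP)
    for bssid, (verdict, reason) in report["verdicts"].items():
        if verdict != "interfering":
            print(bssid, verdict, reason)
    print("attack list:", report["attack_list"])
    print("flood alerts:", report["flood_alerts"])
```

The ordering of the rules matters: an unmanaged radio advertising a corporate SSID is classed as rogue before any manufacturer allow-list is consulted, since a permitted vendor prefix says nothing about who configured the radio. Keeping only the strongest reading per BSSID means a device heard by several MPs is judged once, at its closest observer.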
To prevent MAC address spoofing of MPs themselves, MPs insert a confidential signature in all management frames, which the MX uses to know if the MP really belongs to the Trapeze Mobility Domain. IT can define several kinds of rogue sweeps: Continuous, scheduled or on-demand. With continuous sweeps, radios in MPs can be designated to be in SentryScan mode, where all they do is scan for 802.11 transmissions. Or with ActiveScan, MPs fulfill a dual role, continuously scanning a single band to root out rogues while simultaneously providing wireless connectivity to mobile clients. For scheduled or on-demand sweeps, IT can define radios to listen during a sweep but serve the WLAN whenever no sweep is occurring. Only Trapeze offers this flexibility of having radios that typically serve WLAN users occasionally participate in a rogue detection sweep. If a rogue or interfering device is identified, intelligent countermeasures can neutralize the threat. RingMaster can correlate the collected RF data collected from the MPs and MXs and compare it against the RF topology in the plan. RingMaster notes discrepancies to identify and locate rogue APs and users, denial-ofservice attacks or 802.11 ad hoc client networks. RingMaster presents this information on the same floor layouts that were used for planning and configuration of the Trapeze Mobility System. 10) Redundancy and Failure Recovery The MX provides redundant, load-sharing links to the network and supports 802.1Q trunking, spanning tree 802.1D, PVST+ and IGMP snooping. The MPs provide two Ethernet ports, so IT can link them to two different MXs or other networking devices to ensure data path and PoE redundancy. MP Redundancy: RingMaster helps IT design for capacity rather than simply for coverage, so a well-designed plan will place more than one MP within range of users. When an MP is dual-homed to two MXs, two networking devices, or one of each, the MP has redundant services for both its data path and PoE. 
AP Failover: If an AP fails, users simply roam to another MP or third-party AP within range and the system seamlessly supports them. The MX supporting that failed MP notifies RingMaster of the failure and records the event in the system log and on a system log server.

Page 8

MX Redundancy: RingMaster allows IT to design the wireless system with redundant MXs, where the MPs are connected to two different MXs either directly or indirectly over the wired network. This level of redundancy is unique to the Trapeze MP: other APs have only a single port, making the switch to which they are connected a single point of failure. In addition, the MX has dual load-sharing, hot-swappable power supplies.

WLAN Switch Failover: If a switch fails, the MPs connected to it use their redundant links to connect to another MX, providing a resilient data path for the attached users.

Network Infrastructure Redundancy: The MXs offer several redundancy options for network connectivity, so administrators can connect an MX to two different network core or distribution layer switches. Ports configured as uplink ports support dual-homing, load sharing via link aggregation, as well as spanning tree and per-VLAN spanning tree.

11) AAA Integration and RADIUS Scaling (AIRS)

With AAA Integration and RADIUS Scaling (AIRS), the MX performs the role of an active 802.1X authenticator for all of its attached MPs. As an active authenticator, the MX terminates and processes EAP authentication requests and challenges, reducing the processing burden on the AAA back-end by as much as 75%. In addition, the MX has hardware acceleration for public/private key operations and for master key and session key generation. Unlike the MX, standalone APs and other WLAN switches are passive authenticators. Passive authenticators simply encapsulate and pass all EAP authentication requests and challenges to the AAA back-end, which must then support each new, heavyweight EAP protocol. Therefore, standalone APs and basic WLAN switches generate a burdensome authentication load on the AAA back-end. In the Trapeze system, the MX reduces the number of AAA clients by as much as 100 to 1.
Because the AAA back-end is so critical to the operation of the wireless users, IT typically configures multiple RADIUS servers or server groups. The Trapeze Mobility System allows IT managers to assign different RADIUS server groups to different users for resiliency and/or to perform load-sharing within server groups. In addition, the MXs track session statistics and accounting per user and deliver that information to the AAA back-end, for charge-back purposes, for example. The Trapeze Mobility System helps scale WLANs for large enterprises by performing several functions on behalf of the AAA back-end. The MX offloads 802.1X EAP processing, provides AAA server load-balancing, and supports multiple AAA server groups. Because the MX is identity-aware, different types of users and user groups may be authenticated to different AAA domains while utilizing the same WLAN infrastructure.

12) User Tracking, Monitoring and Management

The Trapeze Mobility System is identity aware, so it can find and provide user names associated with active sessions throughout the system. IT can query RingMaster to learn a user's identity, location, and roaming history, all by searching by user name. RingMaster also tracks user statistics such as bandwidth consumption and average system performance. This tracked information can help IT optimize the network. They can determine areas with a high density of roaming users and locate under-utilized network locations. RingMaster lets them quickly update the network plan to better serve user needs and network changes. RingMaster provides extensive user and network management capabilities to a Trapeze Mobility System. IT can see topology views showing Trapeze network elements, user locations, rogue devices, and ad hoc user groups. They can review user statistics of network usage and roaming history. They can also have RingMaster integrate with the Hewlett-Packard OpenView Network Node Manager.

Trapeze has taken special precautions to ensure that the data stored in RingMaster and the actual network configuration information are always synchronized. RingMaster checks the configuration information on Trapeze hardware on a time interval that IT defines. These checks alert IT to any changes made on the hardware via another RingMaster user or the command line interface (CLI) and will prompt IT to either accept or reject them. RingMaster's sophisticated dashboard-like monitoring window provides detailed WLAN performance and fault information. To promote scaling, resiliency and non-stop 24x7 operation, RingMaster is based on a client/server architecture with distributed monitoring servers. Information about network topology, fault and performance data, the RF environment and client activity is collected and stored by the monitoring servers so that large networks with thousands of mobile devices can be effectively monitored. This feature offers unprecedented visibility into the myriad activities and performance metrics of the Trapeze WLAN. Comprehensive configuration reports keep IT abreast of what's happening on the network. The Trapeze Mobility System can periodically check the status of the network, and the status is portrayed visually in layout views and summary reports. When a status change occurs (for example, an MX or MP goes offline or comes back up), the Mobility System automatically sends an e-mail with a consolidated report. Web-based configuration and monitoring reports include Mobility Domain configuration, WLAN security switch configuration, equipment installation work order, inventory, client sessions, and rogues. The MSS offers a variety of management attributes. It supports secure connections to the RingMaster interface, a Telnet/CLI interface, a secure web interface, SNMP with enterprise traps, and multiple syslog servers.
The Mobility System Elements

The Trapeze Mobility System includes Mobility System Software, the Mobility Exchange, the Mobility Point and the RingMaster tool suite.

Mobility System Software

The Mobility System Software drives all functions of the Trapeze system. Running on all Trapeze equipment, it enables all MXs and MPs to operate as a single mobility system. The software is tightly coupled to the RingMaster tool suite, seamlessly integrating the planning and management capabilities with system deployment and operation. Because the MSS coordinates all system behavior, it enables MXs and MPs to reside anywhere in the network, providing the topology independence that makes the Trapeze Mobility System so flexible to deploy. MXs and MPs can be separated by both Layer 2 and Layer 3 network devices, yet they operate in such an integrated fashion that the MPs behave as extensions of the MXs. The MSS also tightly integrates with the AAA back-end, allowing the Trapeze Mobility System to deliver services based on user identity rather than devices and ports. The MSS maintains a record of all authenticated users and controls their network authorization by enforcing their attributes wherever they roam in the WLAN. Enforced attributes include VLAN/subnet membership, roaming policies, access control lists, and class of service. The Trapeze Mobility System also supports dynamic VLAN policies so that all 802.1X client devices are authenticated and assigned to a subnet/VLAN. Non-802.1X devices can be authenticated and assigned to a VLAN based on their MAC address. A device that cannot authenticate to the network can be automatically placed on a guest VLAN to ensure secure traffic isolation while still providing access.

The MSS running on all MXs forms the Mobility Domain, throughout which users can roam freely and securely, with all the appropriate permissions. The MXs communicate records detailing user identity, attributes, and roaming history as users roam. Because the MSS maintains these user records, the Trapeze Mobility System can provide users with a single, persistent login, preventing the application disruption that can occur when users roam. The integration of these user records also allows network managers to know a user's location across the entire network and their 802.11 state and RF statistics, allowing IT to locate and troubleshoot user problems. The MSS, in conjunction with RingMaster, also plays a crucial role in intrusion and denial-of-service detection. IT can enforce strict control over the type of devices allowed and may classify permitted devices by SSID, manufacturer or other characteristics. IT can classify devices as permitted, interfering, and rogue, and issue effective, fine-grained countermeasures against unwanted clients and APs. The MSS collates RF statistics that detail who is on the air, either legitimately in the Trapeze system or trespassing as rogue APs or users. Those RF statistics also provide IT with insight into the coverage and performance of the wireless system.
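The permitted/interfering/rogue classification described here and in section 9, together with the MP management-frame signature check from that section, as an added example that is not Trapeze code: the policy fields, the HMAC-based signature, the ordering of the rogue rules and the sample sweep are all constructed assumptions, since the page states only that a confidential signature exists and that devices fall into these three classes.

```python
"""Policy-driven classification of APs seen in an RF sweep.

Added example, not Trapeze code. The policy format, the HMAC-based MP
signature and all sample data are constructed assumptions; the page only
states that MPs carry a confidential signature in management frames and
that devices are classed as permitted, interfering or rogue."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed: secret shared by an MX and the MPs of its Mobility Domain.
DOMAIN_KEY = b"constructed-mobility-domain-secret"

def mp_signature(bssid: str, ssid: str, key: bytes = DOMAIN_KEY) -> str:
    """Signature a genuine MP would carry in its beacons (assumed HMAC)."""
    msg = f"{bssid.lower()}|{ssid}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

@dataclass(frozen=True)
class Policy:
    own_ssids: frozenset            # SSIDs served by this Mobility Domain
    known_mps: frozenset            # BSSIDs of the domain's own MP radios
    permitted_ssids: frozenset      # foreign SSIDs IT has chosen to permit
    permitted_ouis: frozenset       # manufacturer (OUI) prefixes IT permits
    blacklisted_clients: frozenset  # client MACs that may not communicate

@dataclass
class Observation:
    bssid: str
    ssid: str
    signature: str = ""             # empty when the frame carried none
    on_wired: bool = False          # BSSID also seen on our own wired LAN
    clients: list = field(default_factory=list)

def oui(mac: str) -> str:
    """First three octets of a MAC address, e.g. '00:0b:0e'."""
    return mac.lower()[:8]

def classify(obs: Observation, pol: Policy) -> str:
    """Return 'permitted', 'interfering' or 'rogue' for one observed AP."""
    bssid = obs.bssid.lower()
    if bssid in pol.known_mps:
        # Claims to be one of our MPs: only a radio holding DOMAIN_KEY can
        # produce the right signature, so a mismatch means MAC spoofing.
        if hmac.compare_digest(obs.signature, mp_signature(bssid, obs.ssid)):
            return "permitted"
        return "rogue"
    if obs.ssid in pol.own_ssids:
        return "rogue"              # unknown AP advertising our SSID
    if obs.on_wired:
        return "rogue"              # unauthorized AP bridged into our LAN
    if obs.ssid in pol.permitted_ssids or oui(bssid) in pol.permitted_ouis:
        return "permitted"          # explicitly allowed by SSID or manufacturer
    return "interfering"            # e.g. a neighbouring business's AP

def sweep(observations, pol: Policy) -> list:
    """Classify every observation and flag blacklisted clients seen on it."""
    report = []
    for obs in observations:
        seen = sorted(c for c in obs.clients if c.lower() in pol.blacklisted_clients)
        report.append({"bssid": obs.bssid.lower(), "ssid": obs.ssid,
                       "class": classify(obs, pol), "blacklisted": seen})
    return report

# Constructed sample policy and sweep data.
SAMPLE_POLICY = Policy(
    own_ssids=frozenset({"corp"}),
    known_mps=frozenset({"00:0b:0e:11:22:33"}),
    permitted_ssids=frozenset({"cafe-guest"}),
    permitted_ouis=frozenset({"00:0b:0e"}),
    blacklisted_clients=frozenset({"de:ad:be:ef:00:01"}),
)
SAMPLE_OBSERVATIONS = [
    Observation("00:0b:0e:11:22:33", "corp",            # our MP, valid signature
                signature=mp_signature("00:0b:0e:11:22:33", "corp")),
    Observation("00:0b:0e:11:22:33", "corp",            # same MAC, forged signature
                signature="0" * 16),
    Observation("aa:bb:cc:00:00:01", "corp"),           # foreign AP using our SSID
    Observation("aa:bb:cc:00:00:02", "cafe-guest"),     # permitted by SSID
    Observation("aa:bb:cc:00:00:03", "neighbour",       # interfering, but serving
                clients=["de:ad:be:ef:00:01"]),         # a blacklisted client
    Observation("aa:bb:cc:00:00:04", "setup", on_wired=True),  # on our wire
]

def run_sample() -> list:
    """Classify the constructed sweep; the comments above give the expected classes."""
    return sweep(SAMPLE_OBSERVATIONS, SAMPLE_POLICY)
```

The report only classifies and flags; what countermeasure, if any, follows a "rogue" verdict is the policy decision the text leaves to IT.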
Key MSS Features

The MSS drives all network system functions:

Forms a Mobility Domain across an administrator-defined collection of MXs and MPs
  - Distributes MX and MP topology information between MXs
  - Distributes user information, including authentication, VLAN membership, and roaming history
  - Enforces location policies that determine where, if, and how a user can access the wireless LAN
Coordinates Virtual Private Groups over the air
  - Forms isolated, encrypted broadcast domains on-demand across single or multiple MPs using one SSID
Fully integrates with AAA to enable Identity-Based Networking
  - All user services are provided based on user identity
  - Maintains records for authenticated users as they roam
  - Locates users and their information anywhere on the network
  - Can perform all AAA authentication functions, including 802.1X, locally
  - Offloads 802.1X certificate processing
  - Re-directs AAA requests based on username content
  - Load-balanced AAA groups; redundant AAA servers
Manages encryption to ensure secure communications
  - WPA 2.0/AES, WPA/TKIP and dynamic WEP with rotating broadcast/multicast keys
  - Coordinates the generation of master and session keys
  - Controls packet encryption between MXs and MPs
Lets MXs and MPs work together as a single entity, regardless of location
  - Sets up connections between MXs to link users to their Virtual Private Group, even across IP router boundaries
  - Supports roaming for IP and non-IP protocols

The Mobility Exchange

The Trapeze Networks Mobility Exchange (MX) switch is the platform for executing the Mobility System Software, and maintains the intelligence of the Trapeze Mobility System. In addition to managing users' identities as they roam, MXs configure and control all aspects of Trapeze Mobility Points (MPs) and third-party access points (APs). Multiple MXs function as a peer-to-peer system to support mobility and enforce security.
For example, one MX can support a mobile user's connection to a subnet even though the actual attachment to that subnet is through a different MX. This MX-to-MX exchange requires no changes to existing IP backbones.

With Identity-Based Networking, MXs provide user-based services such as Virtual Private Group membership, personal firewall filters, time-of-day/day-of-week access, encryption, authentication, usage tracking, location tracking, and associated network statistics. Authorizations stay with users wherever they roam because MXs share the information, ensuring secure access and connectivity to the right services. MXs control third-party APs and configure and manage Trapeze MPs whether they are directly attached or indirectly connected across the wired infrastructure.

The MX is available in a variety of platforms (the MXR-2, MX-8, MX-200, MX-216 and MX-400), but all provide the same core features of Identity-Based Networking, systemwide roaming functions, multiple private groups, and AAA offload and integration. In addition to performing Layer 2 forwarding, MXs come with extensive Layer 3-4 and identity-tracking capabilities. They integrate seamlessly with wired infrastructures and offer redundant load-sharing links, 802.1Q trunking, spanning tree and per-VLAN spanning tree (PVST+). They also support IGMP snooping, which is vital to supporting IP multicast streams. Quality of service (QoS) is done with Layer 3-4 application information on a per-user or per-group basis, while class of service (CoS) utilizes IP DiffServ code points.

MXs are equipped with the Trapeze Web Quick Start for fast configuration of basic connectivity requirements, or they can be configured through WebView or the CLI. Alternatively, the Trapeze RingMaster planning and management tool suite enables MXs to obtain their configurations locally or from a remote location. MXs can also use an onboard DHCP client to quickly and automatically obtain their IP configurations.

The compact MXR-2 delivers wireless LAN services to branch offices using automatic, no-touch deployment and remote configuration and management, eliminating the need for onsite IT expertise.
It supports up to 3 Trapeze MPs or third-party APs as well as PoE. The MX-8 includes eight 10/100 Mbps ports and provides PoE. It's designed for distributed deployments in the wiring closet and can support 12 MPs or third-party APs. The MX-200 has two Gigabit Ethernet ports. Designed for data center deployment, it supports up to 32, 64, 96 or 128 managed MPs simultaneously, depending on the licensing option. The MX-216 has 16 10/100 Mbps ports, all with integrated Power over Ethernet (PoE), plus two Gigabit Ethernet ports, and is equally suited for distributed wiring closet and centralized data center deployments. The MX-216 also supports up to 32, 64, 96 or 128 managed MPs simultaneously, depending on the licensing option. The MX-400, designed for data center deployment, includes four Gigabit Ethernet ports and supports 120 MPs or third-party APs.

[Figure: The Trapeze Mobility Exchange switches. From top to bottom: the MXR-2, MX-8, MX-216, MX-200 and MX-400]

Key MX Features

The MX delivers a range of unique features:

Tracks and maintains user authentication, authorization and RF statistics information as users roam across multiple MXs
  - Maintains a user's membership in the right virtual private group based on the user's authenticated identity
  - Dynamically enables virtual private groups as needed to support roaming users, even across router boundaries
Provides scaled, resilient, integrated AAA back-end infrastructure
  - Terminates and processes the Extensible Authentication Protocol (EAP) for 802.1X users
  - Reduces AAA clients by 20:1
  - Supports complete local AAA authentication, including 802.1X, as primary or backup to a centralized AAA server
  - Supports multiple AAA server groups and can load share across multiple AAA servers or within a server group
  - Offloads Transport Layer Security (TLS) operations from the AAA server, reducing the traffic load by 80%
  - Generates and manages X.509 digital certificates
Assigns and enforces per-user authorization policies that are managed centrally from the AAA back-end
  - Authorizations include virtual private group membership, personal firewall filters, time-of-day/day-of-week access, encryption type, and location-specific policies
Performs local cryptographic functions
  - WPA 2.0/AES, WPA/TKIP and dynamic WEP with rotating broadcast/multicast keys
  - Generates master and session keys
  - Provides key management for each encryption technique
Provides detailed per-user session RF accounting statistics and management
  - Tracks the location, roaming history, virtual private group, network addresses, state, activity, errors, usage and other attributes by user name, session, VLAN, user group or other categories selected by IT
  - Provides per-user audit trail and charge-back capability through the accounting component of AAA
Configures and controls MPs; controls third-party APs
  - The boot, configuration and management model is compliant with the IETF Architecture for Control and Provisioning of Wireless Access Points (CAPWAP). The MX is categorized as an access controller (AC) that supports direct, switched, and routed connections.
  - Controls all data forwarding, configuration and images of MPs
  - Multiple MXs provide resilient control
Enables resilient network operation
  - EtherChannel load-shared, redundant links
  - Spanning tree and per-VLAN spanning tree (PVST+)
  - Resilient network attachment via any MX port
  - N:1 redundant MX capabilities
  - Trapeze Web Quick Start simplifies the deployment of new MXs
Provides management access
  - Web access using HTTPS
  - Telnet server and client
  - SSL, XML interface to RingMaster
  - SSH v2 (command line interface)
  - SNMP v1, v2c, v3

[Figure: Trapeze Mobility Points]

The Mobility Point

An integral part of the Trapeze Mobility System, the Trapeze Networks Mobility Point (MP) provides wireless LAN (WLAN) access to the network while enabling secure mobility, quality of service (QoS) for vital applications, and seamless roaming. The MP also provides client access to a wide range of features on the Trapeze Mobility Exchange (MX) WLAN switch. Trapeze MPs can link to MXs directly or can be deployed anywhere throughout an existing wired network. MPs use 802.3af Power over Ethernet (PoE) from directly connected MXs or third-party PoE injectors. MPs have two 10/100BASE-T Ethernet ports for resilient power and data paths.

Planning, configuring and deploying Trapeze MPs is simple. The Trapeze RingMaster tool suite automates the entire process. It determines how many MPs are needed and where they should be installed on a floor plan, generates configuration details for each MP, and creates a work order for installers.

Designed by Trapeze, these plenum-rated MPs intentionally resemble smoke detectors to minimize visibility. With no protruding rabbit ears and no obvious hallmarks of an AP, MPs are less likely to be tampered with. Trapeze MPs also feature a built-in Kensington locking system for added physical security.

Trapeze MPs are controlled by centrally located MXs throughout a Trapeze Mobility Domain. Trapeze MPs have no local store of data, so they can be safely installed in unsecured areas without fear of hacking or theft. Trapeze offers a safer alternative to access points (APs) that store vital network and user information. The Trapeze MXs automatically configure MPs. At installation, no pre-configuration of any type is needed. If an MP needs to be replaced, the newly installed MP will automatically inherit the necessary MP configuration for that deployment from the MX.

Trapeze MPs play a key role in rogue and intrusion detection as well as denial-of-service (DoS) attack detection.
ActiveScan allows MPs to fulfill a dual role. They continuously scan all 802.11 bands, channels and VLANs while simultaneously providing wireless connectivity to mobile clients. MPs can also act as dedicated sentries, providing nonstop scanning. The Trapeze WLAN Mobility System lets you create policies that determine what, where and when RF countermeasures are launched. This prevents interfering with WLANs in adjacent businesses, while allowing scanning in areas of the WLAN that require policing and ensuring prompt corrective action if a rogue, intruder or DoS attack is detected.

When it comes to RF, Trapeze MPs take RF Auto-Tuning to where it should be: to the user. MPs automatically calculate the data integrity and signal strength of the WLAN channel and continually tune for optimal RF channel and transmit power.

Using intelligent queuing, Trapeze MPs enforce the prioritization of delay-sensitive voice and other critical applications. Wi-Fi Multimedia (WMM) or SpectraLink Voice Priority (SVP) can be configured to ensure optimal QoS for voice traffic. Policies allow per-user, protocol or class-of-service (CoS) mapping. MPs always prioritize time-sensitive traffic, such as voice calls, over other traffic types.

Key Features

The MP shares some features with other APs, but is unique in many ways:

Dual radios
  - Dual-radio 802.11a and 802.11b/802.11g
  - Granular Transmit Power Setting (1 dBm) and channel selection to support international requirements and control the RF cell size
ActiveScan rogue and DoS detection
  - Scans all bands, associated channels and VLANs, while simultaneously providing wireless connectivity to mobile clients
SentryScan
  - Scans the air nonstop on both bands and their associated channels, while other MPs support WLAN clients
Rogue detection, Intrusion Detection System (IDS) and RF countermeasures
  - Determines whether devices seen on the air are merely interfering or truly rogue
  - As policy dictates, if a rogue AP or client is detected, the most appropriate MP spoofs appropriate 802.11 control messages
  - Prevents clients from communicating (associating and authenticating) with rogue APs and clients, and discovers information about both
  - Intrusion Detection System (IDS) provides alerts in the event of DoS attacks, flood attacks and AP spoofing
  - Intelligent RF countermeasures avoid the shoot-first-ask-questions-later approach to disabling suspected rogue devices
RF Auto-Tuning
  - Continuous self-tuning for optimal channel and transmit power in response to environmental changes
  - Self-tuning factors in client data integrity when adjusting and optimizing RF settings
  - Eliminates dynamic and unplanned coverage holes where no APs are installed
Virtualized APs
  - Each radio can have multiple BSSIDs/SSIDs, to appear as multiple APs
Virtual Private Groups (VPGs)
  - Ability to have independently encrypted and isolated subnets or VLANs while using the same SSID
Configuration
  - Automated by the RingMaster tool suite
  - Downloaded to the MP from the MX, across the network as needed
CAPWAP compatible
  - The boot, configuration and management model is compliant with the architecture of the IETF Control and Provisioning of Wireless Access Points (CAPWAP) Working Group
Installation and ergonomics
  - Zero configuration of the MP; no staging required by installer
  - Replacement MP inherits configuration from MX
  - Highly inconspicuous; looks like a smoke detector
  - Plenum rated to meet safety and insurance requirements for building deployments
  - One-snap installation; invisible attachment to ceiling grid
  - True omni-antenna capability allows position-independent placement, vertical or horizontal

RF and encryption
  - Performs packet encryption over the air
  - Hardware support for dynamic WEP, WPA/TKIP, and WPA 2.0/AES
  - Communicates RF knowledge to MX, including statistics, counters, client status and other discovered devices
  - Supports a variety of external high-gain directional antenna options
Voice and quality of service (QoS)
  - MP prioritizes traffic delivery by QoS model
  - Per-user and/or per-priority queuing
  - Wi-Fi Multimedia (WMM) QoS
  - SpectraLink Voice Priority (SVP)
Poses no security risk
  - No local data store
  - No console port; no local access is possible
  - Kensington security lock
  - If stolen, no secure configuration data goes with it
  - All data on the wired network goes only to and from the managing MX
  - Not operational as a standalone device
  - All security management handled by MX, including the generation of session keys
Resiliency support
  - Two 10/100BASE-T Ethernet ports for dual-homed switch connections
  - Supports redundant 802.3af PoE links
  - Maximizes wireless LAN availability
  - MP outage resiliency planning through RingMaster
  - Session load-balancing
  - Prevents bug-light syndrome: won't accept user associations until the MX successfully configures and enables the MP

RingMaster

RingMaster is a full-featured tool suite that enables IT managers to perform pre- and post-deployment planning, configuration, verification, management and optimization of the WLAN infrastructure. IT first imports standard building plan files in AutoCAD DXF, AutoCAD DWG, JPEG or GIF formats to design the WLAN offline. The wizard-based Trapeze Virtual Site Survey and capacity planning tools simplify device configurations. RingMaster's 3D awareness lets IT plan an entire building rather than just a floor, and the built-in library of measured attenuation factors ensures that RingMaster understands how RF will flow through the particular environment.
The RingMaster tool suite automatically determines the number of MPs that need to be installed in any part of a building and, if IT wants RingMaster to include capacity planning, can take into consideration the number of users and the level of traffic they're likely to generate.

RingMaster also allows the IT manager to easily adjust WLAN capacity with minimal disruption. Once the plan is done, IT can print a work order that shows where to install Trapeze MXs and MPs. When that's done, IT can deploy hundreds of MP configurations in a single step. RingMaster shows you the location of roaming users and the Mobility Points and access points they are associated with. With Trapeze, tight integration, automation and ease of use reduce operating costs, reducing the burden on the IT staff, eliminating configuration errors and delivering a faster response to problems.

Key RingMaster Features

Standalone Java application
  - Runs on Windows 2000, Windows XP, Solaris 8 and 9, and Linux
  - Can integrate with HP OpenView Network Node Manager
Complete off-line and on-line configuration planning
  - Eliminates expensive and time-consuming manual site surveys
  - Design offline with AutoCAD and other standard file formats
  - Applies RF attenuation factors to walls, doors, ceilings, windows, and other structures
  - Optional capacity planning optimizes the performance of applications and services
  - Allows what-if scenarios for planning, without needing any hardware
Deployment tool leverages network plan
  - Automatic MX and MP placement, power-level optimization, and RF channel assignment
  - Generates work orders that show where to install Trapeze equipment
  - Verifies and synchronizes configurations
  - Configuration version archives
One-click systemwide changes
  - Deploys configurations to all MX and MP devices
Systemwide MX and MP image management
  - Centralized upgrades
  - Easy network rollbacks

RF sweeps provide rogue and intrusion detection and a wireless topology map
  - Supports continuous, scheduled, or on-demand RF sweeps
  - Single radio can sweep both 2.4 and 5.0 GHz bands
  - Detects and locates rogue APs and users and ad hoc networks
  - RF coverage verification and topology-mapping tools provide air awareness
Locates users by identity
  - Tracks roaming history, bandwidth usage statistics
Issues automatic alerts about rogue detection, any network changes
  - Wizard interface prompts for conflict resolution
Sophisticated, context-sensitive rules engine
Fault and event viewer for all MX and MP events
Performance statistics
  - Tables, graphs with file export

Product Overview

Americas: 5753 W. Las Positas Blvd., Pleasanton, CA 94588. Phone 925.474.2200, Fax 925.251.0642
EMEA: Olympia 3D-2, 1213 NS Hilversum, The Netherlands. Phone +31 (0) 35.64.64.420, Fax +31 (0) 35.64.64.429
Asia-Pacific: 275A, 2/F, Sui On Centre, 8 Harbour Road, Wanchai, Hong Kong. Phone +852.2824.8961, Fax +852.2824.8381
Japan: ARK Mori Bldg., West Wing 12F, 12-32, Akasaka 1-chome, Minato-ku, Tokyo 107-6024. Phone +81 (0) 3.4360.8400, Fax +81 (0) 3.4360.8447

Trapeze Networks, the Trapeze Networks logo, the Trapeze Networks flyer icon, Mobility System, Mobility Exchange, MX, Mobility Point, MP, Mobility System Software, MSS, RingMaster, AAA Integration and RADIUS Scaling, ActiveScan, AIRS, Bonded Auth, FastRoaming, Granular Transmit Power Setting, GTPS, Layer 3 Path Preservation, Location Policy Rule, LPR, Mobility Domain, Mobility Profile, Passport-Free Roaming, SentryScan, Time-of-Day Access, TDA, TAPA, Trapeze Access Point Access Protocol, Virtual Private Group, VPG, Virtual Service Set, Virtual Site Survey and WebAAA are trademarks of Trapeze Networks, Inc. Trapeze Networks SafetyNet is a service mark of Trapeze Networks, Inc. All other products and services are trademarks, registered trademarks, service marks or registered service marks of their respective owners.

© 2006 Trapeze Networks, Inc. All rights reserved. OV-MSO-206