SEVEN MYTHS OF CONTROLLER- LESS WIRELESS LANS



Similar documents
Reasons to Choose the Juniper ON Enterprise Network

Reasons Enterprises. Prefer Juniper Wireless

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc.

Networks that know data center virtualization

Junos Space Virtual Control

TOPOLOGY-INDEPENDENT IN-SERVICE SOFTWARE UPGRADES ON THE QFX5100

JUNIPER CARE PLUS ADVANCED SERVICES CREDITS

Customer Benefits Through Automation with SDN and NFV

WHITE PAPER. Copyright 2011, Juniper Networks, Inc. 1

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

Juniper Solutions for Turnkey, Managed Cloud Services

Build the Best UC&C Network for an Optimized Microsoft Lync Deployment

MIGRATING TO A 40 GBPS DATA CENTER

Transforming Service Life Cycle Through Automation with SDN and NFV

JUNIPER NETWORKS WIRELESS LAN SOLUTION

White Paper. Five Steps to Firewall Planning and Design

The Global Attacker Security Intelligence Service Explained

Juniper Care Plus Services

JUNOS PULSE APPCONNECT

Juniper Unite Cloud-Enabled Enterprise Reference Architecture

Service Automation Made Easy

Juniper Networks MetaFabric Architecture

Junos Space for Android: Manage Your Network on the Go

Deploying the ShoreTel IP Telephony Solution with a Meru Networks Wireless LAN

Juniper Networks Secure

Juniper Networks Automated Support and Prevention Solution (ASAP)

Deploying a Secure Wireless VoIP Solution in Healthcare

Is Your Network Ready for the ipad?

ALTERNATIVES FOR SECURING VIRTUAL NETWORKS

Solution Brief. Secure and Assured Networking for Financial Services

Simplifying the Data Center Network to Reduce Complexity and Improve Performance

White Paper. Network Simplification with Juniper Networks Virtual Chassis Technology

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

This document describes how the Meraki Cloud Controller system enables the construction of large-scale, cost-effective wireless networks.

JUNIPER NETWORKS CLOUD SECURITY

Robust security is a requirement for many companies deploying a wireless network. However, creating a secure wireless network has often been

Network Design Best Practices for Deploying WLAN Switches

SoLuTIoN guide. CLoud CoMPuTINg ANd ThE CLoud-rEAdy data CENTEr NETWork

Junos Pulse Secure Access Service Enables Service Providers to Deliver Scalable and On-Demand, Cloud-Based Deployments with Simplicity and Agility

Simplify the Data Center with Junos Fusion

The High Availability and Resiliency of the Pertino Cloud Network Engine

MERAKI WHITE PAPER Cloud + Wireless LAN = Easier + Affordable

Juniper Networks, Ruckus Wireless Deliver Carrier-Class Performance for Enterprise Networks

Juniper Optimum Care. Service Description. Continuous Improvement. Your ideas. Connected. Data Sheet. Service Overview

Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

EXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS

Demonstrating the high performance and feature richness of the compact MX Series

When SDN meets Mobility

White Paper. Protect Your Virtual. Realizing the Benefits of Virtualization Without Sacrificing Security. Copyright 2012, Juniper Networks, Inc.

Design and Implementation Guide. Apple iphone Compatibility

JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE

SIP Security Controllers. Product Overview

Preparing your network for the mobile onslaught

BYOD Networks for Kommuner

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

Enterprise Network Solution

MSP Dashboard. Solution Guide

SECURE CLOUD CONNECTIVITY FOR VIRTUAL PRIVATE NETWORKS

Supporting Municipal Business Models with Cisco Outdoor Wireless Solutions

Secure WiFi Access in Schools and Educational Institutions. WPA2 / 802.1X and Captive Portal based Access Security

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

SonicWALL Corporate Design System. The SonicWALL Brand Identity

AN INTEGRATED SECURITY SOLUTION FOR THE VIRTUAL DATA CENTER AND CLOUD

Meru MobileFLEX Architecture

Juniper Networks Solution Portfolio for Public Sector Network Security

Enterprise Computing Solutions

How To Make A Cloud Service More Profitable

USING SOFTWARE-DEFINED DATA CENTERS TO ENABLE CLOUD ADOPTION

GMI CLOUD SERVICES. GMI Business Services To Be Migrated: Deployment, Migration, Security, Management

NETWORK AUTOMATION AND ORCHESTRATION

THE VX 9000: THE WORLD S FIRST SCALABLE, VIRTUALIZED WLAN CONTROLLER BRINGS A NEW LEVEL OF SCALABILITY, COST-EFFICIENCY AND RELIABILITY TO THE WLAN

ADDING STRONGER AUTHENTICATION for VPN Access Control

Meru MobileFLEX Architecture

The top 3 network management challenges

When is Cloud-managed WLAN a Good Fit?

VMWARE VIEW WITH JUNIPER NETWORKS SA SERIES SSL VPN APPLIANCES

Introduction to Junos Space Network Director

CASE STUDY. NEXON ASIA PACIFIC Nexon Securely Onboards 25 Cloud Customers in Only Eight Months

Optimize Your Microsoft Infrastructure Leveraging Exinda s Unified Performance Management

Transcription:

White Paper SEVEN MYTHS OF CONTROLLER- LESS WIRELESS LANS Vendors of controller-less s are making extravagant claims for their products. But how much is reality and how much is hype? Copyright 2014, Juniper Networks, Inc. 1

Table of Contents Executive Summary...3 Introduction Controller-Less s: An Interesting but Ultimately Limited Architecture.............................3 Myth No. 1: Controller-less s are controller-less...3 Myth No. 2: Controller-less s are easier to deploy............................................................ 4 Myth No. 3: Controller-less s are as secure as controller-based s... 4 Myth No. 4: Controller-less s are cheaper... 5 Myth No. 5: Controller-less s are as reliable as controller-based s... 5 Myth No. 6: Controller-less and controller-based s offer equivalent performance... 6 Myth No. 7: Controller-less s are more flexible... 6 Conclusion Why Juniper... 6 About Juniper Networks...7 2 Copyright 2014, Juniper Networks, Inc.

Executive Summary Wi-Fi access isn t just an afterthought for businesses today. It is an imperative that keeps employees, customers, and partners productive. With organizations instituting liberal bring-your-own-device (BYOD) policies, users need Wi-Fi access from a broad range of mobile devices. And no matter which device they choose laptop, smartphone, tablet, or other they must securely and reliably access the systems and applications they need for work, research, and communication. Keeping up with this need for omnipresent, secure, and reliable wireless network access can be challenging, especially given the number of deployment options available today. In particular, a number of vendors have introduced controllerless wireless local area network () solutions that they claim will meet the requirements of enterprises, large and small. This white paper debunks seven myths in the marketplace about these claims, and shows why, for the majority of organizations, a controller-based solution is still the optimal one. Specifically, although the controller-less architecture eliminates the centralized physical controller, it nevertheless still requires controller functionality. Network elements that are not designed to be traffic aggregation points such as access points (APs) are used to control network traffic, potentially resulting in suboptimal performance and security lapses. Introduction Controller-Less s: An Interesting but Ultimately Limited Architecture As the market has evolved, smaller niche wireless LAN vendors have introduced a number of interesting ideas that were designed to make s more reliable, secure, and resilient. Although concepts like phased array antennas, Wi-Fi arrays, and single channel architecture initially seemed compelling, they don t meet the needs of most organizations today. More recently, controller-less solutions from Aruba and Aerohive have garnered considerable press, but the true merits and flaws of this architectural approach have been obscured by marketing hype. A completely controller-less solution may be viable for certain small- and mid-sized business (SMB) customers who expect their deployments to remain limited and static. However, as wireless networks grow and serve more complex needs, the advantages of centralized intelligence and single point of management offered by controller-based solutions continue to be essential to the successful operation of a network. In most use cases, organizations should continue to use controller-based s in their enterprise network architectures to ensure optimal security, ease of management, highest performance, increases in deployment flexibility, and reasonable cost. When evaluating architecture for deployment, organizations should be aware of the following seven myths about controller-less solutions. Myth No. 1: Controller-less s are controller-less As Wi-Fi networks grew in size and complexity, organizations didn t have the resources to continue configuring access points (APs) individually. That s why the introduction of the controller was welcomed so enthusiastically by the IT community; controller-based solutions streamlined and reduced the complexity of configuring and managing the multiple devices that comprise wireless networks. The enterprise market is one of the fastest growing segments in the networking world today. According to IDC s Worldwide Quarterly Wireless LAN Tracker, the enterprise market grew 14.8% year over year in the second quarter of 2013. Currently, almost all wireless networks are managed by controllers. So-called controller-less deployments have simply moved the controller function from a centralized appliance to other locations. In most cases, they have incorporated the controller functionality into the APs themselves or moved it to the cloud. For larger wireless networks, controller-less vendors offer management applications that essentially perform functions similar to those of a controller appliance. In essence, there s a controller even within a controller-less system you just don t have control of it. The point is, there is always a controller. It exists, one way or another. The controller just takes on different forms and is paid for in different ways. Vendors that embed the controller functionality in the APs have integrated the cost of the controller into that of the APs and in the service contracts for the APs. Cloud vendors include the controller costs in the price of the virtual AP subscriptions. Copyright 2014, Juniper Networks, Inc. 3

Myth No. 2: Controller-less s are easier to deploy This is one of the more persistent myths. Although it s true that initially, controller-less s appear easier to set up than those with a centralized controller, the situation changes very quickly once you begin to extend your network. In a controller-less system, you need to reconfigure your access layer with the addition of each new AP. Since it is necessary to configure all virtual LANs (VLANs) on the switch port that is needed by each new AP, your network administrator needs to configure the wiring closet switches that each new AP connects to. For example, you may have a VLAN for guest access, a VLAN for corporate access, and a VLAN for special access (such as VoIP). All these VLANs must be configured each time you add a new AP. With a controller-based system, it is infinitely easier to add APs. The access layer is configured once at the handoff to the controller and the system manages the rest. The centralized controller provides rich functionality for automating deployment complexity, eliminating the need for frequent, error-prone changes to the access layer. You simply plug in the AP and it automatically self-configures. Expansion of your network couldn t be simpler. Myth No. 3: Controller-less s are as secure as controller-based s Security is a top priority for network administrators. Monitoring and reacting to system-wide security events requires a holistic view of the network. This is best provided by a controller-based. Most organizations have security policies that determine how to treat untrusted wireless traffic. Controller-based s offer a very clean and elegant solution to comply with security mandates for isolating untrusted wireless traffic from the network. For instance, the architecture naturally lends itself to having all traffic terminated at the controller and transporting all guest traffic to a DMZ or firewall. In contrast, controller-less s have inefficient workarounds, such as forcing an AP to act as the approved handoff point for untrusted traffic. A controller is purpose-built for such a function. An AP, on the other hand, is specifically designed to be a single node on the network; it is not designed to function as an aggregation point. Using APs in this fashion can put an organization at risk and adversely impact performance. For example, in a typical enterprise wireless network deployment, secure corporate access is provided to employees, while limited access is granted to guest traffic. Many organizations, for security reasons, do not allow untrusted guest traffic to interact with their network. Controllers give organizations an easy way to manage network traffic. Untrusted traffic gets tunneled to the controller and fed out of a separate physical port to the firewall or other security mechanism for inspection. An AP can then put trusted traffic instantly on the network, preventing any potential bottlenecks. A controller-less system, on the other hand, needs to use one of the APs to provide that physical connection for guest access. Organizations need to create workarounds with the physical network to allow APs to act as tunnel termination points. Organizations frequently choose to place greater security restrictions around wireless network segments than on the wired segments. The controller-based model gives enterprises the ability to deploy APs in limited-access network segments. By leveraging AP-to-controller tunneling, organizations can prevent exposure through unprotected network ports. There may be regulatory needs to tunnel traffic to a specific place. For example, compliance with the Health Insurance Portability and Accountability Act (HIPAA) requires that all wireless traffic go through a central point. Organizations may also want to route traffic through a central location if they want to meter or control the bandwidth, or to shut down or disable individual APs. In a controller-less architecture, the lack of visibility into system-wide security events provided to APs may also expose this type of system to additional security risks. Similarly, physical compromise of an AP device can risk exposing sensitive configuration data. Since each device in a controller-less system is responsible for forwarding client traffic, a stolen AP can expose the network to an attack; for example, an attacker could open a network port and gain access to the wired network. This problem would be compounded if the controller-less device required a VLAN trunk to provide access to multiple VLANs. All of the above speaks to on-premise s. Deployment of cloud-based solutions often requires significant changes to perimeter security policies. (For more on this point, see Myth No. 6.) In addition to the security risk associated with these changes, there is also the inconvenience of having to manage security by exception. 4 Copyright 2014, Juniper Networks, Inc.

Myth No. 4: Controller-less s are cheaper At first glance, controller-less s especially cloud-based ones appear less costly than controller-based s. Certainly, the initial price tag indicates that this is the case. But doing a detailed total cost of ownership (TCO) analysis quickly refutes that claim. When comparing the Juniper Networks JunosV Wireless LAN Controller to an equivalent controller-less cloudbased solution, we arrived at the following numbers: Other vendor cloud based controller-less Juniper controllerbased Initial investment $572,000 $588,110-3% Third year $717,000 $618,330 16% Fifth year $862,000 $648,550 33% Savings by going with a controller-based solution This comparison is based on a 500 access point deployment using 3x3, 3 spatial stream 802.11n gear. The other vendor s controller-less solution includes cloud controller and enterprise support subscriptions. The Juniper controllerbased solution employs a JunosV Wireless LAN Controller subscription, Juniper Networks Junos Space Network Director for management, and an enterprise support subscription. The following comparison is based on an on-premise controller-less solution from the same other vendor, again for 500 access points for an 802.11n wireless network: Other vendor onpremise controller-less Juniper controllerbased Initial investment $600,999 $588,110 2% Savings by going with a controller-based solution This includes licenses for the vendor s on-premise manager software and an enterprise support subscription. The Juniper cost remains the same as the previous configuration. Controller-less systems can be more costly for the following reasons: The cost of the controller functionality is slipped in elsewhere in a controller-less system (in the cost of required service contracts, for example). The cloud model, where the management functionality is located in the cloud, requires a subscription that must be continuously renewed. Over the long haul, this model is much more expensive than simply purchasing a controller from the start. For non-cloud models, purchase and management of the server system for management software adds cost to the controller-less solution. Myth No. 5: Controller-less s are as reliable as controller-based s In mission-critical wireless networks, the ability to coordinate the failover and failback behavior of a complex system is critical. Ensuring high availability is a top priority of any deployment, especially on wireless networks that carry latency-sensitive traffic such as voice data. Organizations need to be confident that if an AP fails, network traffic won t be impacted. All this is best achieved by a centrally managed controller with complete visibility into the entire system. With a controller-based model, the controller acts as a single point of coordination for all APs. In case of a failure, the controller can orchestrate in failure mode to minimize latency. Because all session information for all wireless users is stored in the centralized controller, in the event that an AP fails, users are immediately transferred to a different AP, which can get all necessary information about those user sessions from the centralized controller. However, in the controller-less model, the individual APs don t have a centralized location to get the necessary user information. In an outage or AP failure in controller-less systems, cached credentials, identifiers, or client context information may be lost and would need to be reestablished on a new AP. As a result, latency can increase. Different vendors have taken different approaches to manage this problem, but no workaround can completely eliminate this weakness in the controller-less architecture. Copyright 2014, Juniper Networks, Inc. 5

Myth No. 6: Controller-less and controller-based s offer equivalent performance Controller-based solutions provide options to distribute data processing to the local APs, while maintaining the benefits of centralized command and control. By removing the controller from the data path, potential performance bottlenecks are eliminated. Although the controller-less architecture provides a similar optimized data-forwarding path, there is a sacrifice in performance, since all individual APs must also perform controller functions that are typically performed by a centralized controller. Additionally, s are heavily dependent on other components in the network: the authentication server to authenticate users, network switching to give access to VLANs, and other network management elements. Once the number of APs reaches a certain threshold, the complexity of coordinating all these components can take a performance toll, even though the user interface may mask the complexity of the tasks. A larger number of APs also results in a greater possibility of errors and increased complexity for network administrators to manage. For example, in a controller-less system, the AP that is used as the proxy authentication server acts as the aggregation point for client authentication and must interact with every other AP in the system, resulting in less than optimal performance. Because every AP has a portal page while also negotiating other types of traffic, there is the possibility of introducing latency into the system. The larger the environment, the greater the complexity and the possibility that performance will suffer. Taking s to the cloud introduces even more complications, as many of the network elements are on-premise. For example, Active Directory data will most likely to be located in the data center. If the controller is in the cloud, how does that controller communicate through the public Internet, firewalls, and security policies so that users can be authenticated? The way that the control process is implemented can have very real performance implications. Then there are the performance implications of tunneling traffic to APs, devices that were not purpose-built for moving data. APs were not designed to support high-scale tunnel traffic. In contrast, centralized controllers have dedicated hardware that makes them extremely efficient at moving traffic through the network. Performance can also be impacted when users roam across multiple access points on a campus. In a controller-less model, APs are grouped into pods to streamline roaming. If these pods get too large and unwieldy, organizations will see performance degradations. Moreover, individual AP pods may be efficient at managing roaming, but when users cross pod boundaries, additional performance issues arise; the session will not be seamless for the user and their connection to the will likely be interrupted. Managing roaming in a controller-less is simply not as efficient as in a centralized controller environment where users can be moved transparently, from one AP to another, with no impact to performance. Myth No. 7: Controller-less s are more flexible Finally, one size does not fit all when it comes to s. Choose an architecture that fits your deployment. A controllerbased solution offers more choices, and thus more flexibility, than a controller-less model. With a controller, organizations can choose to forward traffic locally at the APs (similar to the method used in controller-less s), or they can choose to tunnel certain types of traffic back to the controller for security reasons. With a controllerbased, organizations have the flexibility to mix and match these approaches as appropriate. A controller-based architecture also gives enterprises the ability to attach tunneling and local switching to user identities and roles. With controller-based solutions, organizations also have the flexibility to adapt to many different network topologies and network layouts precisely because the controller, rather than the individual APs, is the central point of control. Conclusion Why Juniper The Juniper Networks wireless LAN solution has been a leader in controller-based since the architecture was introduced in 2002. The product line was first to market with many of the innovations associated with the thin AP architecture. Today, Juniper offers a broad range of deployment options for enterprises of all sizes (see Figure 1) giving you the flexibility to tailor wireless LAN service to meet all of your business needs. 6 Copyright 2014, Juniper Networks, Inc.

Centralized Central Control, Overlay Data Path Remote Office Centralized Configuration Resilient/Controller-less Private Cloud Centralized Configuration Distributed Data Plane Converged * Converged wired/wireless WLC WLC VPN VPN EX9200 Typical enterprise, hospital Traditional WLC model Mostly N-S traffic Compliance, accounting Branch office/teleworker Centralized control/ distributed forwarding Mostly local traffic Remote AP feature set JunosV WLC in cloud High E-W traffic, chatty Some schools, university control Integrated into core switch data Integrated into line card Converged control and data Content Data Figure 1: Juniper Networks controller-based deployment options *Roadmap Visit www.juniper.net/wireless to learn more about Juniper s wireless LAN portfolio. About Juniper Networks Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net. Corporate and Sales Headquarters Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000 Fax: +1.408.745.2100 www.juniper.net APAC and EMEA Headquarters Juniper Networks International B.V. Boeing Avenue 240 1119 PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: +31.0.207.125.700 Fax: +31.0.207.125.701 To purchase Juniper Networks solutions, please contact your Juniper Networks representative at +1-866-298-6428 or authorized reseller. Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 2000551-002-EN Mar 2014 Copyright 2014, Juniper Networks, Inc. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information