D-Link's upcoming announcement of a trio of unified wireless/wired LAN switches is the start of a major shift in the way wireless LANs will be deployed.
New silicon and software make it possible for Ethernet switches to process both 802.11 and 802.3 packets, and deliver services unique to wireless traffic, such as radio frequency management and roaming across access points. Wireless is poised to become a standard feature of the wired infrastructure, rather than a separate network, according to analysts and vendors.
Because the two networks are collapsed into one that supports wired and wireless access, the unified network promises to be easier to deploy, simpler to run and manage, and lower in total cost of ownership compared with WLANs that have separate switches and management systems, according to analysts.
"We have seen the cost of endpoint silicon and access points collapse," says Bob Egan, director of emergent technologies for Tower Group. "But the infrastructure costs associated with WLANs has just skyrocketed. Now people are finally starting to address the core infrastructure, where the key cost issues are."
Creating a unified network
Equipment makers face a range of choices on how to integrate wireless to create a unified network. D-Link's new product is a case in point.
There are three D-Link models, all Layer 2, stackable Gigabit Ethernet switches. One model has 24 ports, a second has 48, and a third has 24 ports with Power over Ethernet. Importantly, the switches support the 802.1X port-based authentication standard, which increasingly is being used for wired as well as wireless clients.
All three also support the full range of expected wireless features and standards, such as wireless roaming between access points and switches, centralized access-point management, radio frequency management, rogue access-point detection and containment, and, for security, the 802.11i-based Wi-Fi Protected Access and WPA2 specifications, as well as the older Wired Equivalent Privacy specification.
The switches come with a license bundle for 10 companion D-Link access points, which can be upgraded to 25 per switch.
The companion access points are key to D-Link's implementation. The wireless functions are handled by software licensed from NextHop (IP Infusion is another software maker in this market).
Part of the code runs on the switch and part on the access point, where the translation between 802.11 and 802.3 takes place. The access point sends pure 802.3 Ethernet packets back to the Layer 2 switch for processing. That processing is handled by a switch processor from Marvell, with the NextHop software, on a separate host processor, controlling wireless authentication, security and management functions, and coordinating with the NextHop code on the access point for radio frequency management, load balancing and other jobs.
Jennifer Wu, D-Link product manager, wasn't specific about future products, but she made it clear that D-Link intends to exploit a new generation of switch silicon that will support Layer 3 routing and handle both 802.11 and 802.3 data packets in the switch itself, instead of in the access point. Such a device "offers more security and can process packets faster," she says.
Those new chips are being created by start-ups such as SiNett as well as established chip makers such as Broadcom and Marvell. The new chips incorporate more logic to process the 802.11 data packets along with the standard Ethernet packets.
"To me, 'unified' means all packets are centrally processed by the switching processor in their native format," says Shrikant Sathe, SiNett cofounder and vice president of marketing and operations. "The switching silicon sorts these [packets] out and then does the right thing with them."
Such an approach gives the switch full visibility into all the information contained in the wireless packets, he says. Among other things, that visibility makes it easier for intrusion detection/prevention systems to deal with wireless traffic.
He says this native processing of wireless packets will become even more critical when 802.11n, which promises wireless throughput of better than 150Mbps, is implemented in products in late 2007 or 2008. "These [other] architectures will dead-end," Sathe says. "When 802.11n hits the market, you will run into limitations in terms of supporting large numbers of 802.11n access points."
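To make the visibility argument concrete, the following added example (not code from D-Link, NextHop or SiNett) performs the 802.11-to-802.3 translation described above for one unencrypted infrastructure data frame and reports the 802.11 header fields that no longer exist once the frame is plain Ethernet. The function names and the sample frame are constructed for illustration, and only RFC 1042 LLC/SNAP encapsulation is handled.

```python
import struct

LLC_SNAP = bytes.fromhex("aaaa03000000")  # RFC 1042 LLC/SNAP header

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def to_ethernet(frame: bytes):
    """Translate one unencrypted infrastructure 802.11 data frame (FCS
    stripped) to Ethernet II; return (ethernet_frame, dropped_fields)."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 data header")
    fc0, flags, duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2:
        raise ValueError("not a data frame")
    if flags & 0x40:
        raise ValueError("protected frame: decrypt before translating")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:        # client -> AP
        bssid, src, dst = a1, a2, a3
    elif from_ds and not to_ds:      # AP -> client
        dst, bssid, src = a1, a2, a3
    else:
        raise ValueError("only ToDS or FromDS frames are handled here")
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    body = 24 + (2 if subtype & 0x8 else 0)   # QoS data adds 2 bytes
    if frame[body:body + 6] != LLC_SNAP:
        raise ValueError("no RFC 1042 LLC/SNAP header")
    # Ethernet II: dst, src, then EtherType + payload that followed LLC/SNAP.
    eth = dst + src + frame[body + 6:]
    dropped = {
        "bssid": mac(bssid), "retry": bool(flags & 0x08),
        "sequence": seq_ctl >> 4, "fragment": seq_ctl & 0xF,
        "duration": duration,
    }
    return eth, dropped

# Constructed sample: client 02:..:aa sends IPv4 to 02:..:bb via BSSID
# 02:..:01, retry bit set, sequence number 291.
SAMPLE = (bytes.fromhex("0809" "2c00" "020000000001" "0200000000aa"
                        "0200000000bb" "3012")
          + LLC_SNAP + bytes.fromhex("0800") + b"constructed payload")

if __name__ == "__main__":
    eth, dropped = to_ethernet(SAMPLE)
    print(mac(eth[:6]), mac(eth[6:12]), eth[12:14].hex())
    print("not visible after translation:", dropped)
```

An intrusion detection sensor that sees only the translated frame cannot key on the BSSID, retry flag or sequence number, which is the information a switch processing 802.11 natively would still have.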
Not everyone agrees
"I find it ironic that a vendor would claim this is the only scalable approach, because the speeds/feeds demands on [existing] wired infrastructure is orders of magnitude greater than 802.11, even with the introduction of 802.11n in 2008," says Pat Calhoun, CTO for Cisco's Wireless Business Unit. "Cisco looked at many chipset vendors that are building integrated wired and wireless chipsets. We found time and again that these vendors had nothing above and beyond what Cisco already has. We looked at SiNett, and I'll leave it at that."
Calhoun argues that the real value of a unified wireless/wired LAN lies not in the data processing plane but in the control plane: in a common set of policies for authentication, security and management, which can be applied to any client.
Cisco last year introduced the Wireless Services Module for the Catalyst 6500 switch. The module is, in essence, a WLAN switch that draws power from the 6500 chassis, uses the 6500 backplane and, most importantly, can make use of other modules in the same chassis, such as a firewall, or the Cisco Secure Access Control Server. "Translating 802.11 into 802.3 is a well-known science," Calhoun says. "Once you do that, you want to leverage the common infrastructure you've set up for your networks."
That means tying into the back-end management and authentication systems and the various network services. Asked to be specific, Calhoun hesitates. "A lot of innovation still needs to be done," he says. "Especially on the management side. That's an area where we will be innovating a lot more."
"You need one single management interface," D-Link's Wu agrees. D-Link's new switches have that, she says. "But hardware [design] is important. It can shift functions to the switch silicon, which is simpler and cheaper. [Unification] cannot all be software-based."
In the end, these apparent differences may not be substantive. "I define a unified switch in the enterprise context as 'no separate wireless switch,'" says Craig Mathias, principal for Farpoint Group. "You plug something into it, and the switch figures out what it is and how it should be treated."
Next-generation silicon from companies such as SiNett will become the standard hardware for such switches, even as the key differentiators are implemented in software, ranging from the chip level to the application level.
Enterprise network executives should be talking with their network vendors about the migration strategy to unified switches, about the road map to bring wired and wireless security together, and about switch capacities in the future, Tower Group's Egan says.
"Unifying management and security is going to define the winners and losers [among vendors] here," he says. "They all have to address this."