Aruba Wireless Networks last week released software for its wireless LAN controllers, featuring changes designed to simplify administration of large-scale networks.
The new features let the powerful Aruba Mobility Controller take on additional tasks. First, the software simplifies the assigning of IP addresses for many mobile users through a technique called virtual LAN pooling. Second, it offloads authentication traffic from back-end RADIUS servers, minimizing the load on those servers.
VLAN pooling is Aruba's attempt to make VLAN administration and IP addressing on WLANs simpler for network professionals. Today, mobile users log on and are assigned to a VLAN with a set of allocated IP addresses. Users moving to other wireless access points on different subnets need new IP addresses.
To assign new addresses using a traditional VLAN structure - especially for environments with many mobile users - is a painstakingly complex process, says Keerti Melkote, Aruba's co-founder and vice president of marketing. Aruba's software abstracts VLAN assignments from the switches and routers on the wired network, and the WLAN controller manages the entire process.
That's just what the University of Calgary, in Alberta, Canada, discovered as it deployed an Aruba-based campuswide WLAN. At one point, 600 students with wireless laptops might get online in a big auditorium, says Dean Berschl, senior security analyst with the university's IT group. Previously, Berschl would have to guess how many students might be in the room and then preassign enough IP addresses in enough subnets.
Preallocating the right number of addresses to the right number of subnets in the right locations "becomes a managerial nightmare," Berschl says. With VLAN pooling as part of Aruba's software, the nightmare goes away.
"If I expect 5,000 wireless users on campus, I can simply assign 5,000 IP addresses divided up among the appropriate number of subnets, in this case 20, to cover all the users," he says. "The Aruba controller goes through that pool of subnets, assigning addresses on a round-robin basis [as each user logs in]."
"If we didn't have VLAN pooling, our network would be much more complex administratively," Berschl says.
The second Aruba update, dubbed AAA FastConnect, lets an Aruba controller's onboard encryption processor take over processing a big chunk of the 802.1X authentication traffic to and from a back-end RADIUS server. In the past, when a wireless user connected to an access point, the authentication process exchanged a set of messages - including sending the encryption key - directly between the client device and the RADIUS server, with the controller simply passing messages back and forth.
As the number of users increases, so does authentication traffic, which can overload the RADIUS server.
Berschl has been testing FastConnect. "When you have lots of users signing in, you have back-end RADIUS servers that have to process all these messages and key exchanges," he says, adding that this overload would be especially felt by wireless VoIP traffic. "With FastConnect, the controller assists in this; it can be privy to the [authentication] conversation and assist in the key exchange, and do it much faster than any triple A server can ever handle it."