Aruba People - Tell me why you chose Aruba over another wlan
Last Post: January 24, 2010:
-
This is an important problem that is only going to get worse as more and more folks start filling up the airwaves. The number of true radar detects compared to "false detects" is minuscule. What we have here is a situation where due to having to put in [ necessary ] protection mechanisms to prevent interference with genuine radar systems [ and the chances of "meeting" those systems in normal daily use are low ] we have algorithms that are not discriminatory enough to TRULY differentiate between real radar signals and any old "energy" floating about. I'd like to see wide band spectrum analyzer plots of some of these false radar detects and compare them with real, actual radar signals. Unless these algorithms [ and I haven't seen any technical details of how they operate "down to the bit level" ] can be made more "clever", this is going to cause a lot of pain for some folks.
We could have situations where low levels of non-radar interference cause the DFS algorithm to kick in and say "Hey I think [ to the best of my abilities ] this is radar, so I'm going to start bumping you off to other channels". Problem is there might not be other channels available, or they may be heavily congested. It might just have been better to stay on the same original channel [ assuming that the "energy" is definitely non-radar ] and just deal with that as general interference as we do every day with fixed [ non-bouncing about ] channel selections.
It would be a complex task [ due to the number of different radar patterns ], but more work needs to be done by the manufacturers to "intelligent-up" these algorithms.
The extended band is a free luxury and this could put a lot of people off using it [ in some areas ] and go back to the already heavily congested 2.4 Ghz band.
Dave -
Hi bjwhite,
Aerohive also does role-based access control using a stateful firewall, which is integrated into every AP. Why have the traffic that's supposed to be filtered at the edge make it all the way into the network core, right?
Devinator -
devinator wrote:
Hi bjwhite,
Aerohive also does role-based access control using a stateful firewall, which is integrated into every AP. Why have the traffic that's supposed to be filtered at the edge make it all the way into the network core, right?
Devinator
The other side of the coin is that some organizations like the fact that Aruba encrypts the data all the way to the controller. This is very good when looking at clients with high security requirements. On top of that, I've seen a bunch of customers that want their AP's to be as 'dumb' as possible to mitigate any risks of someone being able to pull useful data from the AP itself. Certainly, keeping all the keys and crypto locked in up the data center accomplishes this goal more effectively than pushing to the perimeter.
Both methods have their merits (as is usually the case) in different circumstances. Aruba can also be configured to filter out at the AP as well I believe (correct me if I'm wrong here people)...they just do the tunnelling as their default configuration.
Interesting topic! -
GTHill wrote:
Thanks a lot for the comments on the video.
The Aruba logs look nice to detect radar. Not sure if I mentioned it in my video, but during the roadshow I told the audience that one way to survey for radar would be to implement a test network and look for CSA's (Channel Switch Announcements) in a packet capture. Just have Omnipeek filter on CSA's so it wouldn't fill up the buffer.
Looking at the logs would also serve the same purpose and may be easier than my OmniPeek idea.
Right now many people that know about DFS are avoiding the UNII2 / 2e channels which I think is a mistake. It would be better to properly test for a radar event with your product and then make a decision as to what channels to use. Losing 7 bonded or 15 20 MHz channels is quite a lot without proper testing.
GT
GT
I know this thread says Aruba, but GT made me think of something. What would everyone think of running 20 mhz channels in the 5ghz, non-dfs but with an 11n phy? You could get good association rates, and good throughput with a decent amount of extra channels. Does everyone think that running 802.11n with 20mhz is a good idea, or no? Is the throughput too low?
It seems that if you even are using DFS channels, just the access point having to not transmit for awhile would create some sort of coverage hole; so DFS can be a drawback.
If an access point falsely detects radar and generates a CSA, that is still a false positive. Would the presence of a CSA really definitively indicate that radar is present? Does radar generate CSAs?; I didn't think it did. What would sniffing for CSAs buy you? -
cjoseph wrote:
GTHill wrote:
Thanks a lot for the comments on the video.
The Aruba logs look nice to detect radar. Not sure if I mentioned it in my video, but during the roadshow I told the audience that one way to survey for radar would be to implement a test network and look for CSA's (Channel Switch Announcements) in a packet capture. Just have Omnipeek filter on CSA's so it wouldn't fill up the buffer.
Looking at the logs would also serve the same purpose and may be easier than my OmniPeek idea.
Right now many people that know about DFS are avoiding the UNII2 / 2e channels which I think is a mistake. It would be better to properly test for a radar event with your product and then make a decision as to what channels to use. Losing 7 bonded or 15 20 MHz channels is quite a lot without proper testing.
GT
GT
I know this thread says Aruba, but GT made me think of something. What would everyone think of running 20 mhz channels in the 5ghz, non-dfs but with an 11n phy? You could get good association rates, and good throughput with a decent amount of extra channels. Does everyone think that running 802.11n with 20mhz is a good idea, or no? Is the throughput too low?
It seems that if you even are using DFS channels, just the access point having to not transmit for awhile would create some sort of coverage hole; so DFS can be a drawback.
If an access point falsely detects radar and generates a CSA, that is still a false positive. Would the presence of a CSA really definitively indicate that radar is present? Does radar generate CSAs?; I didn't think it did. What would sniffing for CSAs buy you?
If CSA's are present, that means that your hardware is detecting real or false radar. Either way, this is bad. Marcus's blog article goes into this as well. If you want to use the DFS required channels, then it is highly recommended to test your area with your vendor of choice and look at the logs or sniff for CSA's.
GT -
To answer the latter part first, the radar or other signal does not directly cause the CSA. Firstly the DFS algorithm senses something that it thinks is radar. Provided certain conditions are met [ I would imagine greater than x dBm of power for y amount of time ] the "rules" of the .11h DFS system will say "We have to get off this channel and move elsewhere". The Channel Switch Announcement basically is just telling everyone in the area "Hey, I'm going to be moving away from this channel".
The original system [ when first set up under .11h ] had some problems and an Extended Channel Switch Announcement element was devised to overcome some of these problems. This element is sent in beacons and probe response frames. Basically, it provides a nice controlled method of letting everyone in the "neighborhood" know about when a channel switch will occur, in a manner a little like knowing when a TIM will be sent. The element contains the New Channel Number and a Channel Switch Count [ CSC ]. The CSC lets everyone know how many beacon transmissions will occur until the sender changes to the new channel [ a sort of "heads up" ].
Actually for .11n, this was an important feature even without radar. They wanted to have a "frequency agile system" i.e. one that allowed 20 Mhz and 40 Mhz systems to co-exist. The idea was that if you were transmitting on say 40 Mhz and you detected a lot of activity on either the primary or secondary channels, that you could switch to somewhere a bit less crowded.
I know of places running 20 Mhz .11n, but the factors of how crowded the spectrum in that area is comes into effect, as elsewhere. Even though DFS originally started out with the purpose of radar avoidance, parts of it have "evolved" into the highly complex mechanisms that .11n uses to allow co-existence between 20 Mhz and 40 Mhz channels. Basically the .11n folks said "Hey, this channel switching thing could be handy for 20 Mhz/40 Mhz co-existence issues".
When radar or another interfering signal is present, the CSA's will let us know that the system is reacting to that event.
The good thing about channel switching in .11n is that we don't have that awful 30 min time out period as per radar !
Hope this makes some sort of sense.
Dave -
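The CSA survey idea and the element layout discussed in the posts above can be checked against a capture with a small parser. This is an added example, not part of any post in the thread; the element IDs (37 and 60) and field order are taken from IEEE 802.11 rather than from the thread, and the sample frame bodies are constructed, not captured traffic.

```python
"""Extract (Extended) Channel Switch Announcement elements from a beacon body."""

CSA_ID = 37     # Channel Switch Announcement element ID (IEEE 802.11)
ECSA_ID = 60    # Extended Channel Switch Announcement element ID (IEEE 802.11)
FIXED_LEN = 12  # beacon/probe response fixed fields: timestamp, interval, capabilities


def iter_elements(data):
    """Yield (element_id, payload) pairs; stop quietly at a truncated element."""
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + length]
        if len(payload) < length:
            return
        yield eid, payload
        pos += 2 + length


def channel_switches(frame_body):
    """Return every CSA/ECSA element found in a beacon or probe response body."""
    found = []
    for eid, p in iter_elements(frame_body[FIXED_LEN:]):
        if eid == CSA_ID and len(p) == 3:
            found.append({"type": "CSA", "mode": p[0],
                          "new_channel": p[1], "count": p[2]})
        elif eid == ECSA_ID and len(p) == 4:
            found.append({"type": "ECSA", "mode": p[0], "operating_class": p[1],
                          "new_channel": p[2], "count": p[3]})
    return found


# Constructed sample bodies (not captured traffic): 12 zeroed fixed bytes,
# an SSID element, a DS Parameter Set element (current channel 52), then
# the switch announcement.
_HEAD = bytes(12) + bytes([0, 4]) + b"test" + bytes([3, 1, 52])
SAMPLE_CSA = _HEAD + bytes([CSA_ID, 3, 1, 36, 5])
SAMPLE_ECSA = _HEAD + bytes([ECSA_ID, 4, 1, 115, 36, 3])
SAMPLE_TRUNCATED = _HEAD + bytes([CSA_ID, 3, 1])

if __name__ == "__main__":
    for name, body in [("csa", SAMPLE_CSA), ("ecsa", SAMPLE_ECSA),
                       ("truncated", SAMPLE_TRUNCATED)]:
        print(name, channel_switches(body))
```

A hit only shows that the AP announced a move; as the thread notes, it does not by itself say whether the trigger was real radar, a false detect, or 20/40 MHz coexistence.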
Dave1234,
Thanks for the concise explanation, as usual. My comments, made late at night, were not as clear, however:
I was trying to say:
- Access Points send CSAs when they detect radar, so the mere presence of CSAs does not suggest there is actual radar.
- The quiet time of the AP after switching off a radar frequency makes DFS very troublesome when there are problems. Depending on the bandwidth of the radar, the AP having to find a valid channel could cause a coverage hole for some time, especially if neighboring APs detect radar, as well.
- 20mhz in non-DFS might be enough spectrum at HT rates, without having to worry about DFS issues. -
Hi cjoseph
Yes, the presence of CSA's alone does not 100% mean that radar exists, but they are a great indication that some form of interference [ or in the case of .11n, just other folks transmitting as is their right on a primary or secondary channel - one man's "interference" is another man's communication !! ].
You are right about the radar bandwidth. Some systems "sweep" all over the place and you might not even be able to find a spare channel !!
Well engineered, 20 Mhz can still give you very nice rates in .11n, but we WANT all our channels !!
This is the awful irony about the unlicensed spectrum. It giveth and it taketh away.
If you can get space on the non-DFS area that's great. Unfortunately, I can see times when there is so much interference on the DFS area that all parties jump over to non-DFS, and self-generate problems. This is a very tricky one.
Don't know if anyone remembers the old Lynx spread spectrum radios ? One of the greatest things since sliced bread. You could have up to six folks all working on the same frequency at the same time [ point to point ] but all with different chipping codes. Interference flying around in all directions, but they kept on ticking. Good stuff. I've seen times when my little signal was buried under massive interference from someone transmitting at enormous EIRP's, and yet we still got a useable signal. This was due to people saying to themselves "Hey this is unlicensed, let me put in a 20 W amplifier prior to the antenna [ in areas where the max power at the IR was supposed to be a few hundred milliwatts !! ]... Then they'd overdrive the amplifier causing all sorts of spurious signals and harmonics...the horror...the horror...
http://www.airlinx.com/products.cfm/product/1-162-390.htm
Dave -
One other factor is that if the signal is true radar, it may not even be in line of sight to your link. Airport radars put out a lot of power. Some of the signal could be reflected off a wall, building etc, and you could be picking it up on your sidelobes [ for point to point ]. In the opposite direction, the generally low EIRP Wi-Fi signal coming out of the sidelobes away from the antenna would be less likely to cause problems in the direction Wi-Fi to reflective surface to radar.
Interference can be the single most difficult problem area in radio engineering.
If you are using parabolic antennas on point to point, you can sometimes use a shield like the following [ sat link ] if the interference is not coming in on boresight [ straight down your main lobe ].
http://images.google.com/imgres?imgurl=http://www.dtvdish.com/kxpat2shield.jpg&imgrefurl=http://www.dtvdish.com/kxan.html&usg=__Dcdpn9PeGqQ_5Em_EPm88QQ2tjk=&h=600&w=800&sz=97&hl=en&start=15&um=1&itbs=1&tbnid=VGTnGkXcnLVrFM:&tbnh=107&tbnw=143&prev=/images%3Fq%3Dmicrowave%2Binterference%2Bshields%26hl%3Den%26rlz%3D1T4ADBS_enUS249US249%26sa%3DN%26um%3D1
Dave -
This is an interesting thread nonetheless everyone.
Regarding DFS, GT and others...in my experience, end-users are avoiding the DFS bands because of client support, not false or true radar detects. While I agree it's important to test, if you have clients that don't support the DFS channels, then you effectively have RF coverage holes in your network. In my experience, this is the greater problem today....it will fade with time of course, and the problems you guys discuss (true and false radar) will still remain. But I don't think that's the reason end-users are avoiding DFS today...at least in my experience.
Devin, I don't see Aerohive listed on the ICSA Labs site. Have you not taken your firewall through certification?
And to others, yes Aruba can do either forwarding mode. There are some applications where you want this processing at the edge (think Remote Networking), but for the most part, in campus/enterprise type environments, the going back to the controller isn't a great overhead and has theoretical security advantages. It's one reason for the large amount of government work Aruba does--key and security data control. FIPS-140-2, Common Criteria and the like. Regardless, centralized encryption or distributed encryption--Aruba does both. So use what fits you best.