So, do you want to go for standalone access points, or a fully managed system? Try this novel idea from Zyxel, and you could do both with the same kit!
With the arrival of the 802.11n standard, Wi-Fi is fast enough to consider as an exclusive network for all the users in an office. But it is still not cheap – or at least, business versions of it are not. Zyxel has a new approach that could bridge that gap.
The smallest businesses use dedicated wireless gateways or standalone access points, but when you need more than one, it is a fiddle reconfiguring them all, picking channels and power levels so they all work nicely alongside each other.
Traditionally, the answer has been a dedicated wireless controller, from a company like Cisco, Aruba, Meru or Trapeze/Belden, that manages “thin” access points (APs) throughout the building, handling issues of coverage, interference, and security.
Those systems, with a big investment in the controller, have normally been for larger companies. They have started to come down in price, and other vendors such as Ruckus have been pitching less complex devices at the smaller business. Aerohive produced a solution where management is distributed amongst the access points, but even that turned out to be aimed at fairly large users.
APs with a double identity
Now Zyxel’s 3000 series has arrived with a different approach – very cheap “hybrid” access points. Each one can work as a standalone device – and at not £226 (the price from October) they are affordable as standalone APs.
But when you have two or three of them, you can simply turn one of them into a controller, and the others can become thin APs. The new controller can manage up to 24 access points Zyxel claims – and can even even control them remotely, over a VPN connection, if they are at different sites.
That is massively cheaper than other managed AP approaches, And the idea is that small businesses can get hold of one device, and when they decide to manage them, there is no big step to buy a controller.
It’s intended for smaller (and growing) businesses, and it is not a replacement for Zyxel’s existing enterprise NXC-8160 wireless LAN controller, I was assured by Hugh Simpson, Zyxel’s technical director for the UK.
I can see his point. The NXC-8160 uses a clever “channel blanket” to cover a building with wireless APs on the same radio channel, with no handovers. But it’s not Zyxel technology. It’s made by another company called Extricom.
The NWA-3000 range is made by Zyxel, and is pretty robust and clever enough to merit the “enterprise” label which Zyxel puts on it. I wouldn’t be at all surprised to see this range expanding and ultimately replacing the Extricom kit.
So far, the range includes a number of different access points, including the 3550, an outder 802.11a/g access point, and NWA-3500, an 802.11a/g AP which has two radios to operate in the 2.4GHz and 5GHz Wi-Fi bands at the same time.
They can also act as bridges between wired networks, using WDS (wireless distribution system), whilst still acting as APs – and they have some ability to detect “rogue” APs on your network.
You can even set up two APs as controllers, for redundancy.
Zyxel sent me the NWA-3166 device. It’s a straightforward single-radio AP that can use either 2.4GHz or 5GHz, but it can also be a controller – so Zyxel sent me two to play with.
Setting up one AP
The NWA-3166 comes with a quick set-up guide, and a 332-page manual on CD. To get into the controller functions, you have to use the CD manual, which is thorough, reasonably well-organised, and has an index. It also has diagrams that makes sense and – wonder of wonders – it is written in English English!
The first thing to say is that this is definitely business grade, not a jumped-up consumer gateway. It supports up to 16 SSIDs (effectively 16 distinct Wi-Fi networks) and multiple security profiles. You can run a guest network for visitors, or one for VoIP devices.
The multiple SSIDs feature is very full. The manual gives plenty of detail on how to even give individual wireless networks to different people in the company, and then restrict their access to specific resources on the wired network. The guest network comes preconfigured to limit access to other devices using Layer 2 isolation.
The box is also happy in a world of RADIUS, and 802.1x, which very few consumer-grade devices can handle, so it will fit in with pretty much any corporate authentication you want to throw at it.
Wireless can be managed to the extent of adjusting the output wireless power, and using advanced features such as Short GI. It has the full range of security options.
It can scan for other wireless APs whose signals penetrate your office. You can classify the ones you know as “friendly”, and then you’ll get an email alert whenever a new one pops up. In a shared office building in Soho, that would be pretty often.
Setting up: this is no consumer box
With all these abilities, this box is a bit more forbidding than the consumer-grade wireless gateway device that a one-AP office might get away with. It doesn’t have its own DHCP server, because it assumes your office will have one already.
Setting it up is more of a faff than a consumer box too, because it’s got business-grade security. The wireless can’t be turned on except through a wired connection (so no-one can hijack it over Wi-Fi before you’ve got security working). And that first connection has to use a fixed IP address (remember, there’s no DHCP).
All this means that before you can connect this to your network, you have to hook it up to a PC with Ethernet, change that PC’s IP address, point a browser at the Zyxel’s address, and set up the password and security there. You then then set up the NWA’s IP so it will be happy on your office network (probably just turn on DHCP), and turn on the Wi-Fi
Then you unplug the NWA from your PC (remember to change the IP address of your PC back!), and plug the NWA into its eventual home on your office network, and you have wireless!
Moving on to Controller mode
In controller mode, the NWA uses CAPWAP, a standard communication protocol that goes between controllers and wireless APs. Developed by Cisco (Airespace) and others, CAPWAP never delivered what you might hope for, from such a standard. Unless I’m wrong, there’s no open market in CAPWAP APs, and controller-based installations are pretty much all single-vendor.
Apparently CAPWAP requires the AP that you designate as a controller to have a fixed IP address, while managed APs have to have DHCP-given addresses.
So, I set one AP to take its IP address from DHCP, and put it into Managed mode; I took the other AP, gave it a fixed IP address and made it into a controller. Then I plugged them both into the office LAN and set about introducing them.
Managed APs broadcast a request for a controller. An NWA in controller mode can either accept all CAPWAP access points plugged into the broadcast domain, or be set to list the requests, and accept them manually. The management screen gives you a list of all the managed and unmanaged CAPWAP APs in your network vicinity.
It’s also possible to manage APs in other domains, using DHCP jiggery-pokery,
Each AP can be given a “radio profile” – ie have its radio set to a specific channel and power level – to avoid interference. This is a fairly manual procedure compared with the automatic process offered in dedicated controllers, by something like Trapeze/Belden’s Ringmaster software, but it’s a lot easier than manually setting up completely standalone APs.
Radio profiles can be edited and re-used on different APs throughout the company. And all those features we played with on an AP in standalone mode – such as Guest SSIDs and permissions – can be controlled remotely.
Conclusions – SMBs should have a look
Zyxel has come up with a flexible and creative idea, that presents great value for money, and could be a great solution for small-to-medium size firms wanting to roll out wireless. Like other Zyxel kit I’ve tried, this device provides a very sensible set of functions,
The management screens might be a bit forbidding to those used to consumer APs, but should be a doddle for anyone who’s been exposed to enterprise kit. The functions are well supported by documentation, too.
The NWA-3000 series sets out to be a good middle way between standalone access points, and a full-blown controller-based system – effectively providing a sufficient part of the controller functions, at the price of standalone APs.
The management, security and wireless channel-planning is not as complete, or as automated as you’d expect in a Cisco, Aruba, Meru or Trapeze controller, but it’s massively cheaper, and way,way better than messing with standalone access points!