Highly-distributed businesses have long faced a choice of evils: ship skilled staff out to install pricey enterprise APs or let small branch and home office workers install their own consumer plug-n-play APs. For organizations with hundreds of storefronts or thousands of teleworkers, the former is prohibitively expensive. But for secure multimedia WLANs, the latter is unthinkable.
According to Aruba Networks, Virtual Branch Networks (VBNs) are a more palatable solution. Interop LV09 judges were impressed, awarding Best of Show in the Wireless/Mobile category to VBN. During our own test drive, we found VBN extremely promising—but we spotted a few rough edges that could use bit more honing.
Virtualizing remote WLANs
Aruba's VBN is an architecture that enables centralized control over a large number of small remote office WLANs, up to 100 clients apiece. In the VBN architecture, every Remote Access Point (RAP) operates as a remotely-managed VPN gateway, enforcing role-based access policies and tunneling only permitted traffic back to the corporate network.
Sure, branch office VPNs can be built using many enterprise wireless routers. What differentiates Aruba's VBNis entry-level gear with "zero-touch" provisioning. Aruba can drop-ship factory-default $99 RAPs to hundreds of destinations on your behalf. On first power-up, each RAP tunnels over the Internet to a user-designated Aruba controller. When the controller hears from a whitelisted RAP, it installs and activates IT-defined firmware and policies over a secure boot-strap tunnel. The end result: a business-grade WLAN, provisioned in less than ten minutes, with almost no end-user or IT assistance.
Eliminating advance or on-site IT provisioning from an otherwise lengthy, error-prone process speeds new site activation and reduces per-site investment. And, because RAPs are managed over that tunnel throughout their life, IT can remotely assert relatively sophisticated, dynamic role-based access controls. While RAPs are ultimately constrained by inexpensive hardware, the policies they can enforce are far from consumer-grade.
Putting VBN into action
This architecture can be implemented using any combination of the following new VBN RAPs.
- The RAP-2WG is a fist-sized single-radio 802.11b/g AP with two 10/100 Ethernet ports, targeted for use by "fixed telecommuters" and home offices with up to five users. (Pictured above.)
- The RAP-5WN is a desktop/wall-mount dual-band 802.11a/b/g/n AP with five 10/100 Ethernet ports, slated for small branch offices with up to 256 users. (Picture below.)
- The RAP-5 is a wired-only RAP-5WN, to incorporate small branches that require authenticated, secure Ethernet, but not wireless VBN access.
Older (non-VBN) Aruba RAPs can be added to the same network manually—for example, the dual-radio AP-125 for a branch requiring simultaneous dual-band operation. However, the zero-touch feature that appealed to us is only available in new VBN RAPs. To road-test VBN, we therefore installed an RAP-2WG and an RAP-5WN in over a dozen home and small office networks.
