Manage 802.11ax Access Points
In addition to managing 802.11a/b/g/n/ac access points, the WX3800H series access controllers can work with H3C 802.11ax access points, providing wireless access at speeds several times faster than traditional 802.11a/b/g/n/ac networks. The increasing proliferation of 802.11ax devices will make the functionality of multimedia applications on wireless networks a reality.
A completely new operating system
The WX3800H series access controllers are based on the latest H3C V7 platform. The new system demonstrates significantly improved performance and reliability compared to the previous version and is capable of supporting increasingly complex network applications in enterprise networks. The V7 platform has the following advantages:
Multi-core control: The V7 platform allows you to adjust the ratio between the number of processor cores allocated to control functions and the number of cores allocated to functions forwarding to maximize the use of processor resources and achieve the desired balance between control and forwarding functions, providing powerful parallel multiprocessing capabilities.
Multitasking at the user level: in the platform V7 introduces a completely new software privilege management system in which most network applications are executed at the user level, allowing each application to run as a separate task. Each task is allocated its own resources, and failures in the execution of a task are isolated at the level of a separate space for this task, without affecting the execution of other tasks. This significantly increases the security and reliability of the system.
User task monitoring: The V7 platform provides a task monitoring function that allows you to track the execution of all tasks. If a user task fails, the system reboots it to restore the application as quickly as possible.
New independent application update mechanism: The V7 platform supports independent application update, allowing It is possible to update a separate application module, rather than the entire operating system. This significantly reduces the number of required system reboots compared to the previous version, without compromising the security of updates and maintaining network stability.
Capabilities for processing wired and wireless segments
The WX3800H series access controllers utilize the latest high-performance multi-core processors. The WX3840H access controller processor has 8 independent cores that support virtualization of up to 32 logical cores, while the WX3820H access controller processor has 4 independent cores that can virtualize up to 16 logical cores. High processing power allows devices to serve more users, more concurrent operations, and reduce latency for a better user experience.
High access port density
The WX3800H series access controllers feature high port density for external access. This allows for better unification of access control mechanisms for wired and wireless networks (through integrated user management of wired and wireless networks, including user access control, user authentication and charging management), meeting modern networking and access control requirements.
The WX3820H model is equipped with 8 combined GE ports and 2 SFP+ 10G ports;
The WX3840H features 8 combo GE ports, 2 SFP+ 10G ports, and 1 management port. The management port is designed to support out-of-band management.
IRF hot standby
The WX3800H series access controllers feature intelligent technology Intelligent Resilient Framework (IRF) architecture developed by H3C. The IRF model virtualizes multiple devices as a single distributed device, which provides the following benefits:
Easy network management: IRF does not require separate cables and stacking ports, stacking is created after connecting devices at layer 2.
Functional stacking: an IRF group is virtualized into one access controller, with the number of managed users and access points equal to the capacity of individual controllers access.
Easy to configure: configuration changes made to the virtual access controller are automatically synchronized with other physical access controllers.
Exceptionally reliable redundancy: supports 1+1 hot standby, which means hot standby of all applications, while the failure of one of the access controllers does not affect the functioning of the virtual access controller. The WX3800H series access controllers support stacking of up to two devices.
Flexibility of license management: A license installed on one of the devices in the IRF group can be used by other devices, while the number of access points connected to the virtual access controller , equal to the sum of licenses available on physical access controllers; despite the fact that licenses are installed and tied to a separate device, downloading and migrating licenses becomes more convenient.
Hierarchical architecture of access controllers
Hierarchical Access Controller Architecture is a new network configuration scheme developed by H3C engineers to solve the multi-layer networking challenge demanded by the market. The access controller hierarchy design uses a centralized management hierarchy similar to that used by large enterprises, where one access controller at the core network level communicates with several local access controllers at the access network level, which in turn communicate directly with the access points. Access controllers at the access network level serve primarily real-time applications, such as access to an access point and forwarding data, while access controllers at the core network level primarily perform non-real-time tasks, such as control plane control and centralized authentication, but can still perform the typical access point connectivity and data forwarding functions of standard access controllers. Core layer access controllers are high-performance access controllers that are located at the convergence layer; Access network level access controllers can include standard access controllers, all-in-one access controllers (combining router and deep packet analysis functions), and wired and wireless access controllers installed in parallel with the existing network. The hierarchical access controller model takes the integration of wired and wireless networks to a new level and can be used to create large wireless networks. The hierarchical access controller model is a natural fit for the headquarters-branch deployment design, with core network throughput and core access controller forwarding performance no longer being the bottleneck. The centralized management functions of core network layer access controller, access network layer access controllers and low-level access points can be conveniently updated and automatically synchronized, greatly simplifying system upgrades. Access network layer access controllers are responsible for switching access points and significantly improve roaming performance.
CUPID-based wireless location determination
H3C CUPID technology is a highly accurate location determination technology using wireless local area network WLAN. It has the following advantages and capabilities:
High accuracy strong>
Traditional triangulation and fingerprinting technology is based on received signal strength (RSSI), and its accuracy is inevitably affected by fluctuations in RSSI power level. Different types of interior decoration and the random nature of user traffic lead to changes in RSSI data. H3C’s CUPID location technology combines information from Atheros chips and the wireless network for more accurate positioning, overcoming the limitations of RSSI location systems. Under good conditions, the error in position determination can be only 3-5 meters.
Small latency
CUPID offers lower latency than traditional signal strength-based technology. Because it uses information actively received from access points, the latency in determining the location is less than 2 seconds, which significantly improves the efficiency of signal acquisition and data collection.
No preliminary collection samples
In traditional fingerprint-based location technologies, significant time and resources are spent collecting samples, while In this case, any change in the configuration of the deployed network, such as a change in the antenna or the position of the access point, requires repeating this procedure. This adversely affects the performance of the location system. CUPID-based location determination eliminates the need for sample collection, so that access points can be included in the location determination immediately using the existing network configuration. Additionally, CUPID supports deployment across multiple channels. Up to six spectral functions can be used in each channel, which allows you to suppress interference within the same spectrum and improve positioning accuracy.
Flexible forwarding modes
In a wireless network with With the centralized forwarding mode, all wireless network traffic is directed to the access controller for processing, and therefore the forwarding performance of the access controller may become a bottleneck. This is especially true in wireless network configurations in which access points are installed in branch offices and access controllers are installed in headquarters, while the connection between access points and access controllers is carried out over a distributed WAN network. In this configuration, distributed forwarding mode is better suited. The WX3800H series access controllers support both distributed and centralized forwarding modes, and can perform SSID-based forwarding as needed.
Carrier-grade wireless user access management and control functions
User-level access control is one of the main functions of the WX3800H series access controllers. The WX3800H series access controllers provide user profiles that can serve as configuration templates for predefined settings. Depending on the applications used, you can configure various settings in the user profile, such as guaranteed access rate (CAR) and quality of service (QoS) management policy.
During the authentication process, the authentication server assigns a user profile to the device. If the user is authenticated, the values set in the profile settings restrict the user’s access to resources. When a user is disconnected, the device locks the user profile. Thus, user profiles are applied to active connected users, rather than to disconnected users and users who are not authenticated.
Additionally, WX3800H series access controllers support MAC address-based access control, which allows you to configure and change access rights for groups of users or an individual user on the Authentication, Authorization, and Accounting (AAA) server. More fine-grained settings for user access rights provide enhanced options for assigning access rights to the wireless network and its resources.
Another powerful feature of the WX3800H series access controllers is VLAN binding based on MAC addresses. An administrator can group users (or MAC addresses) with the same attributes into one VLAN and assign a security policy to that VLAN on the access controller. This simplifies system configuration and allows user rights to be managed down to the individual user.
For security or accounting purposes, the administrator may need to control the physical location of wireless clients. The WX3800H series controllers solve this problem. During the authentication process, the access controller receives a list of allowed access points from the authentication server and then selects an access point for the connecting wireless client. Thus, the wireless client will be able to connect only to such an access point, which allows you to control its location.
Intelligent roaming functions
Supports roaming within an access controller, between access controllers and between Layer 3 VLANs
Information synchronization function when roaming through the portal: access controllers and access points provide portal users with seamless roaming between access controllers in large networks without involving a portal server that is triggered by MAC address. The wireless access controller can independently act as a server, triggered by MAC address. This reduces the load on the portal server so that it does not become a performance bottleneck. After the portal server has been processed, the connected terminal can roam without additional authentication between at least ten access controllers.
802.1X roaming information synchronization function: access controllers and access points provide 802.1X users with fast roaming between access controllers in large networks. Supports .1x authentication for fast roaming between access controllers. Terminals are not required to re-authenticate when roaming to another access controller. Reduced server load and fast access for terminals with support for fast roaming between more than 10 access controllers.
Support for 802.11k/v/r fast roaming protocols< /p>
Smart Channel Switching
In a wireless LAN, neighboring access points must operate on different channels to avoid channel interference. However, channels are a very scarce resource in wireless networks. There are very few channels for access points that do not overlap with each other. For example, in the 2.4 GHz band there are only three non-overlapping channels. Therefore, wireless applications depend on the access points’ ability to intelligently assign channels.
At the same time, there are many possible sources of interference that can disrupt the normal operation of access points in a wireless network, such as rogue access points, radars and microwave ovens. Intelligent channel switching technology helps ensure that each access point is assigned the optimal channel, which reduces minimize interference between channels, while real-time interference detection helps isolate access points from interfering sources such as radars and microwaves.
Intelligent load balancing of access points
n
In accordance with the IEEE 802.11 standard, roaming in wireless LANs is controlled by wireless clients. Typically, a wireless client selects an access point based on the received signal strength (RSSI). Because of this, many clients will choose the same access point with the highest RSSI value.Since all clients share a common wireless data medium, the link throughput to each client will be significantly reduced.
< p style="font-weight: 400;">Intelligent Access Point Load Balancing allows you to analyze the location of wireless clients in real time, dynamically identify access points that can be load-balanced in a specific location, and share the load between those access points. In addition to load distribution by the number of active sessions, the system also allows for load distribution by the volume of traffic of wireless clients.
Support for automatic SSID hiding function depending on the use of frequency resources . When radio resource utilization approaches or exceeds a preset threshold, the SSID is automatically hidden to provide users with stable and reliable wireless network services.
In-depth packet analysis at layers 4-7
The WX3800H Series Access Controllers allow you to identify and apply control policies to multiple applications, including prioritization, scheduling, blocking, and rate limiting to efficiently utilize bandwidth resources and improve network quality.
Wireless intrusion detection and prevention systems (WIDS/WIPS) at level 7
Controllers The WX3800H series supports blacklists, whitelists, anti-spoofing, corrupted packet detection, user disconnect protection, and media access level attack detection with an updated signature database (attacks aimed at denial of service, packet flooding attacks and man-in-the-middle attacks with countermeasures.
Thanks to the built-in database With the knowledge of the WX3800H Series controllers, administrators can make the right decisions regarding wireless network security in a timely manner. For source-local attacks, such as rogue access points or terminals, you can visually determine the physical location and physically disable ports on switches.
When using firewalls H3C’s intrusion prevention screens/systems can also implement Layer 7 security across a multi-building wireless network, covering both wired (802.11) and wireless (802.3) secure connections throughout.
n
New Wireless Intelligent Application Aware (WIAA) feature user role-based application layer security, quality of service (QoS) management, and forwarding policies for wired and wireless users. With WIAA, an administrator can determine the websites a user visits, the application protocols used (eg, HTTP, FTP), and the bandwidth allocated to them. H3C’s V7 access controllers support Deep Packet Inspection (DPI), which enhances application detection and detailed statistics. In the previous generation of access controllers, discovery was carried out based on layer 4 of the Ethernet protocol (for example, 80 corresponded to HTTP, 20/21 corresponded to FTP, etc.), and agents could easily bypass this mechanism, whereas in new access controllers on the V7 platform, discovery is carried out according to the characteristics of the Ethernet protocol at layer 7, as well as typical packet signatures in order to more accurately identify and apply restrictions. Thanks to DPI, instead of banning users from visiting all e-commerce sites, administrators can set restrictions at the individual site level. This simplifies setup and increases productivity.
You can visually determine physical location and physically disable ports on switches.
When using H3C firewalls/intrusion prevention systems, you can also implement Layer 7 security across a multi-building wireless network that will span both wired (802.11) and wireless (802.3) secure connections throughout.
New Wireless Intelligent Application Awareness (WIAA)
Wireless Intelligent Application Aware (WIAA) implements user role-based application layer security, quality of service (QoS) management and forwarding policies for wired and wireless users. With WIAA, an administrator can determine the websites a user visits, the application protocols used (eg, HTTP, FTP), and the bandwidth allocated to them. H3C’s V7 access controllers support Deep Packet Inspection (DPI), which enhances application detection and detailed statistics. In the previous generation of access controllers, discovery was carried out based on layer 4 of the Ethernet protocol (for example, 80 corresponded to HTTP, 20/21 corresponded to FTP, etc.), and agents could easily bypass this mechanism, whereas in new access controllers on the V7 platform, discovery is carried out according to the characteristics of the Ethernet protocol at layer 7, as well as typical packet signatures in order to more accurately identify and apply restrictions. Thanks to DPI, instead of banning users from visiting all e-commerce sites, administrators can set restrictions at the individual site level. This simplifies setup and increases productivity.
You can visually determine physical location and physically disable ports on switches.
When using H3C firewalls/intrusion prevention systems, you can also implement Layer 7 security across a multi-building wireless network that will span both wired (802.11) and wireless (802.3) secure connections throughout.
New Wireless Intelligent Application Awareness (WIAA)
Wireless Intelligent Application Aware (WIAA) implements user role-based application layer security, quality of service (QoS) management and forwarding policies for wired and wireless users. With WIAA, an administrator can determine the websites a user visits, the application protocols used (eg, HTTP, FTP), and the bandwidth allocated to them. H3C’s V7 access controllers support Deep Packet Inspection (DPI), which enhances application detection and detailed statistics. In the previous generation of access controllers, discovery was carried out based on layer 4 of the Ethernet protocol (for example, 80 corresponded to HTTP, 20/21 corresponded to FTP, etc.), and agents could easily bypass this mechanism, whereas in new access controllers on the V7 platform, discovery is carried out according to the characteristics of the Ethernet protocol at layer 7, as well as typical packet signatures in order to more accurately identify and apply restrictions. Thanks to DPI, instead of banning users from visiting all e-commerce sites, administrators can set restrictions at the individual site level. This simplifies setup and increases productivity.
Application layer protocols used (for example, HTTP, FTP) and the bandwidth allocated to them. H3C’s V7 access controllers support Deep Packet Inspection (DPI), which enhances application detection and detailed statistics. In the previous generation of access controllers, discovery was carried out based on layer 4 of the Ethernet protocol (for example, 80 corresponded to HTTP, 20/21 corresponded to FTP, etc.), and agents could easily bypass this mechanism, whereas in new access controllers on the V7 platform, discovery is carried out according to the characteristics of the Ethernet protocol at layer 7, as well as typical packet signatures in order to more accurately identify and apply restrictions. Thanks to DPI, instead of banning users from visiting all e-commerce sites, administrators can set restrictions at the individual site level. This simplifies setup and increases productivity.
Application layer protocols used (for example, HTTP, FTP) and the bandwidth allocated to them. H3C’s V7 access controllers support Deep Packet Inspection (DPI), which enhances application detection and detailed statistics. In the previous generation of access controllers, discovery was carried out based on layer 4 of the Ethernet protocol (for example, 80 corresponded to HTTP, 20/21 corresponded to FTP, etc.), and agents could easily bypass this mechanism, whereas in new access controllers on the V7 platform, discovery is carried out according to the characteristics of the Ethernet protocol at layer 7, as well as typical packet signatures in order to more accurately identify and apply restrictions. Thanks to DPI, instead of banning users from visiting all e-commerce sites, administrators can set restrictions at the individual site level. This simplifies setup and increases productivity.