Manage 802.11ax Access Points
In addition to managing 802.11a/b/g/n/ac access points, the WX5860H access controllers can manage H3C 802.11ax access points, which provide several times higher wireless access speeds over a larger area. This significantly improves the user experience and allows wireless multimedia applications that require high speeds to be used over the network.
Advanced operating system
WX5860H controllers run on the latest Comware 7 network operating system from H3C. This system provides significantly better performance and reliability and is capable of running increasingly complex network applications in enterprise networks. The system offers the following advantages:
Multi-core processing plane control – the Comware V7 platform allows you to adjust the ratio between the number of processor cores allocated to control functions and the number of cores allocated to forwarding functions to achieve the optimal balance to suit specific requirements and significantly increase the control and processing capabilities of the system, while providing powerful parallel multiprocessing functionality.
Multitasking in user mode – on the Comware 7 platform, most network applications are executed at the user level. When an application is launched, the system creates a task for this application and separate resources are allocated to this task. If there is an error in a task, this error will only affect this task and will not affect other applications and the operating system.
Monitoring tasks in user mode – on the Comware 7 platform, all tasks executed at the user level are monitored. If an error is detected, the system will restart the task to quickly restore the application.
Independent application updates – on the Comware 7 platform, individual modules can be updated independently and do not require updating the system as a whole, which significantly increases the security of updates and network stability.
Powerful processing capabilities for wired and wireless segments
With powerful hardware, the WX5860H controllers provide powerful parallel processing capabilities and industry-leading wireless packet processing capabilities:
The latest high-performance multi-core processors, including 8 independent cores and supporting virtualization of up to 32 logical cores
High-bandwidth switch chips
High performance programmable FPGA card
High access port density
The WX5860H access controllers offer a variety of port types and high port density, greatly simplifying wired and wireless network access and providing additional network connectivity flexibility.
License synchronization
H3C’s license synchronization technology improves network availability with multiple access controllers and provides flexibility in network deployment.
The following two modes of license synchronization are provided:
Reservation mode with two channels (two access controllers) – two access controllers reserve each other’s licenses. If an access controller fails, service is transferred to another access controller, and the access points are associated with the backup access controller.
N+1 redundancy mode (N ≤ 4) – the access controller reserves licenses of other access controllers. If one or more other controllers fail, service is transferred to the backup access controller, and the access points are associated with the backup access controller.
Intelligent Resiliency Technology (IRF)
H3C IRF intelligent fault-tolerant architecture technology allows two WX5860H access controllers to be virtualized into a single logical device called an IRF fabric, providing the following benefits:
Topology simplification – to configure the IRF matrix, access controllers can be connected directly to each other or through a switch. No separate cables or ports are required.
Simplified configuration – device configurations on the master access controller in the IRF matrix are automatically synchronized with other access controllers in the matrix.
Redundancy according to the 1+1 scheme – failure of one of the access controllers does not affect the operation of the IRF matrix.
Flexible license management – access controller licenses within the IRF matrix are shared. The number of access points that can be connected to the IRF matrix is determined by the number of licenses installed on the access controllers. Licenses installed on the access controller can be easily downloaded or transferred.
Hierarchical architecture of access controllers
The hierarchical architecture of access controllers is a new networking model developed by H3C engineers to solve the problem of creating hierarchical networks that is in demand in the market. In a network with a hierarchy of access controllers, there is a central access controller, local access controllers and access points. The central access controller manages all local access controllers, and the local access controllers provide network access to the access points and process client traffic.
The central access controller has high processing power and is set at the distribution level. It primarily supports global services such as network management and control, as well as centralized authentication. In addition, it can also provide network access to access points and process client traffic.
Standard access controllers, all-in-one access controllers (with support for routing and deep packet analysis functions), and unified switches for wired and wireless networks can be used as local access controllers.
The hierarchical access controller architecture is well suited for deploying large wireless networks. It provides support for network applications for headquarters and branch offices. At the same time, the channel capacity at the network core level and the forwarding performance of the central access controller cease to be a bottleneck. With centralized management on a central access controller, this architecture provides a convenient, automatic mechanism for updating versions and synchronizing configurations on local access controllers and access points. Local access controllers are responsible for switching access points and significantly improve roaming performance.
Location by CUPID
WX5860H access controllers support the CUPID location function, which works on the principle of sensing and provides high positioning accuracy. With this technology, access points actively forward probe packets to the client and determine the client’s location by calculating the time between sending probe packets and receiving response packets.
CUPID is superior to RF fingerprinting technology in the following aspects:
Characteristics | Description | CUPID | Characteristic fingerprints of radio interfaces |
Obstacles | For example, moving people | Virtually no effect | Significant reduction in signal strength |
Multipath effect | For example, reflections and scattering of the signal during transmission | No effect | Has a significant effect |
Labor intensity | On-site surveys and study of signal features | Low labor intensity | High labor intensity. It is required to create a database of characteristic fingerprints by collecting information about the signal strength and location of clients. |
Accuracy | Location accuracy | 2 m (6.56 ft) | 5 .. 15 m (16.40 .. 49.21 ft), typical 10 m (32.81 ft) |
Stability | Stability of location determination in conditions of interference and environmental factors | Stable location results | Location results vary depending on obstacles, multipath effects, network density, and changing environmental conditions. |
Next-Generation Wireless Application Intelligent Awareness
Wireless Intelligent Application Aware (WIAA) implements user role-based application layer security, quality of service (QoS) management, and forwarding policies for wired and wireless users. With wIAA, you can control user access and define the networks available to applications such as HTTP and FTP, specifying the bandwidth allowed.
In the previous generation of wIAA, packets were identified based on the port number at layer 4 (e.g. port number 80 for HTTP, 20/21 for FTP). At the same time, users could bypass access restrictions by setting up a proxy.
The new generation of wIAA solutions has built-in deep packet inspection (DPI) capabilities, which allow for better identification of applications and the use of statistics collection functions. By leveraging typical Layer 7 Ethernet packet characteristics as well as typical packet signatures, next-generation wIAA features provide more accurate recognition and enforcement of restrictions. With DPI, you can set up rules that restrict access to certain types of Internet sites, rather than blocking each site individually. This feature simplifies network configuration and improves efficiency.
Flexible forwarding modes
Traditional access controllers typically use a centralized forwarding mode. The access controller provides centralized control and security monitoring, with all user data sent from the access points to the access controller for processing and forwarding. As a result, forwarding efficiency may decrease. Backbone interface throughput and access controller forwarding performance can become a bottleneck, especially in cases where access points are installed in branch offices and the access controller is located at headquarters, and the connection between the access points and the access controller is over a distributed WAN.
The WX5860H access controller supports centralized forwarding, distributed forwarding and policy-based forwarding, and users can flexibly select the forwarding mode according to service requirements and network conditions.
In addition, the WX5860H supports local forwarding combined with centralized authentication. It is capable of authentication using 802.1X and portal authentication for data streams forwarded locally.
Carrier-grade wireless network access management and control functions
WX5860H controllers support the following access control methods:
Access control based on user profile
A user profile is a configuration template that stores predefined parameters for clients, such as guaranteed access rate (CAR) and quality of service (QoS) management policies. Once the client is authenticated, the authentication server forwards the appropriate user profile to the access controller. The access controller uses the configuration from the user profile to limit the user’s access to network resources. When a client disconnects, the access controller locks the user profile. You can configure multiple user profiles for different clients to implement access control at the individual user level.
Access control using MAC address authentication
MAC address authentication allows you to configure and modify access rights for groups of clients or an individual client on the authentication, authorization, and accounting (AAA) server. More fine-grained access control settings provide expanded options for assigning access rights to the wireless network and its resources.
Access control using VLANs bound to MAC addresses
The administrator can combine users (or MAC addresses) with the same attributes into one VLAN and assign a security policy on the access controller for this VLAN. This simplifies system configuration and allows user rights to be managed down to the individual user.
Access control at the access point level
The access controller receives a list of allowed access points from the authentication server during the client authentication process and then selects the optimal access point for the client. This allows you to control the access points to which wireless clients can connect for security or accounting purposes.
Smart Roaming Features
Supports roaming within an access controller, between access controllers and between Layer 3 VLANs
Information synchronization function when roaming through the portal: access controllers and access points provide portal users with seamless roaming between access controllers in large networks without involving a portal server that is triggered by MAC address. The wireless access controller can independently act as a server, triggered by MAC address. This reduces the load on the portal server so that it does not become a performance bottleneck. After the portal server has been processed, the connected terminal can roam without additional authentication between at least ten access controllers.
802.1X roaming information synchronization function: access controllers and access points provide 802.1X users with fast roaming between access controllers in large networks. Support for dot1x authentication for fast roaming between access controllers. Terminals are not required to re-authenticate when roaming to another access controller. Reduced server load and fast access for terminals with support for fast roaming between more than 10 access controllers.
Support for 802.11k/v/r fast roaming protocols
Dynamic Frequency Selection (DFS)
In a wireless LAN, neighboring access points must operate on non-overlapping channels to avoid channel interference. However, the number of non-overlapping channels in wireless networks is very limited. For example, in the 2.4 GHz band there are only three non-overlapping channels. At the same time, there are many possible sources of interference, such as radars and microwave ovens, which can disrupt the normal operation of access points in a wireless network.
DFS technology ensures that each access point is assigned the optimal channel, which minimizes interference between channels. Moreover, real-time interference detection allows you to isolate access points from sources of interference.
Intelligent load balancing across access points
In wireless LANs, clients prefer to connect through access points with the highest RSSI signal strength. As a result, a large number of clients may be associated with the same access point due to its stronger signal. Since all clients share a common wireless transmission medium, the throughput for each client will be reduced.
The WX5860H controller provides load balancing mechanisms depending on the number of sessions and depending on traffic load. They analyze the load on access points, identify access points that can share part of each other’s load, and dynamically redistribute the load between access points in order to achieve adequate throughput for each client.
Support for automatic SSID hiding depending on the use of frequency resources. When radio resource utilization approaches or exceeds a preset threshold, the SSID is automatically hidden to provide users with stable and reliable wireless network services.
Wireless Intrusion Detection and Prevention System (WIDS/WIPS)
The WX5860H controller provides the following WIDS/WIPS functions: black list, white list, rogue access point detection, malformed packet detection, detection of unauthorized client disconnections and media layer attacks, as well as countermeasures using predefined signatures. Media layer attacks include denial of service (DoS) attacks, packet flooding attacks, and man-in-the-middle attacks.
With a huge intelligent database of expert information built into the wireless application center, the access controller allows you to visually track and control the physical location of attackers and disable the corresponding physical ports.
When paired with H3C’s professional firewall/intrusion prevention systems, the access controller is capable of providing full Layer 1 to Layer 7 protection, meeting the end-to-end security requirements of 802.11 and 802.3 standards.
802.1X Authentication, MAC Address Authentication, and Portal Authentication
The WX5860H controllers support the following authentication methods:
802.1X Authentication – The WX5860H supports 802.1X local and remote authentication and multiple 802.1X authentication methods such as TLS, PEAP, TTLS, MD5, and SIM cards. In local authentication mode, the access controller acts as an authentication server, without using a separate authentication, authorization, and accounting (AAA) server. In addition, the WX5860H controller supports dynamic VLAN and ACL assignment using predefined user profiles.
MAC Address Authentication – The WX5860H controller supports MAC address authentication to authenticate portable terminals such as Wi-Fi phones and hand-held mobile terminals. On the WX5860H controller or AAA server, you can specify the MAC addresses that will be allowed to access the wireless LAN. MAC addresses not included in the allowed list will be considered rogue and will not be able to access the WLAN. This feature simplifies the operation of some wireless network applications, such as the wireless network in a healthcare facility, where using MAC address authentication, access to a dedicated wireless network can be limited to hospital staff’s communicators, prohibiting it from patient devices.
Portal Authentication – The WX5860H controller has a built-in portal server. With this authentication method, users can initiate authentication through a browser, without installing client software. After authentication, the access controller redirects the client to the specified Internet site and simultaneously starts the authorization and accounting procedures. Custom portal pages can also be forced to be displayed on clients for advertising or message delivery purposes. These mechanisms are widely used in various scenarios, such as multi-building wireless networking, metropolitan wireless networking, and guest access.
Dual IPv4/IPv6 protocol stack (standard IPv6 support)
WX5860H controllers support both IPv4 and IPv6 client access. If the access controller is installed on an IPv4 network, then access points connected to the controller can identify IPv6 packets and match IPv6 priorities to tunnel priorities. When receiving packets from access points, the access controller can also use access control lists (ACLs) to control and filter IPv6 packets. When you install an access controller on an IPv6 network, it will automatically negotiate with access points and establish IPv6 tunnels to each access point, but will still correctly identify and process IPv4 packets from wireless clients.
With superior IPv4/IPv6 adaptability, the WX5860H access controllers can support a variety of services in a variety of complex scenarios during the IPv4 to IPv6 migration process.
The WX5860H controller also supports IPv6 Source Address Validation (SAVI) to combat new IPv6 spoofing attacks on multi-building networks. Through address assignment protocol filtering and tracking, the access controller obtains clients’ IP addresses and ensures that clients use the correct addresses when connecting, eliminating the possibility of IP address spoofing and ensuring the reliability of source IP address information. SAVI for IPv6, combined with portal authentication, further ensures the integrity and security of network packets.
QoS parameters for the full connection
Built on H3C’s industry-leading Comware 7 operating system, the WX5860H access controller ideally supports the Diff-Serv differentiated service model using QoS parameters. In addition, it supports QoS mechanisms for IPv6.
The Diff-Serv QoS model mainly offers traffic classification, traffic rate limiting policies, queuing management, and queue scheduling with full support for six types of PHB services: EF, AF1-AF4 and BE. Thanks to this, service providers can provide services with different quality parameters to customers, providing simultaneous integrated transmission of data, voice and video traffic over the Internet.
Fast roaming at level 2 and level 3
The H3C dependent access point and access controller architecture used by the WX5860H access controller significantly improves roaming performance at both Layer 2 and Layer 3, with cross-subnet roaming capabilities. This benefit greatly simplifies early wireless network planning and reduces network planning costs.
The WX5860H controller uses key caching to enable fast roaming for clients. The key caching feature allows clients to quickly switch from one access point to another without going through full 802.1X authentication, but retaining information about the user identity and keys used. Thanks to fast roaming, switching within the same access controller is carried out within no more than 50 ms, without disrupting the transmission of speed-sensitive voice traffic.
Remote access for branches
WX5860H controllers can be installed to implement the following network access functionality for remote branches:
Improving the performance of various services, such as print services and communication between terminals on the branch local network by selecting a centralized forwarding mode or a local forwarding mode.
Ensuring client access to local resources in the event of failure of the distributed network connection or access controller, as well as the function of working without a controller.
Communication between the access controller and access points in a private network with passage through NAT.