Wireless Water Cooler

I have been task to see if Aerohive is more cost effective then Aruba and would they have a better Wifi. I have a 3400 controler and 9 105 AP and installing 20 more AP 220. We are going to a 1:1 in the school. I have had only great exprances with Aruba support and never had an issue with the WiFi besides server issues that effected the WiFi. I would like to stay Aruba but I need good input that would make since to nonIT personal making the desion. all the switchs are aruba.thank you for any input you can give me

#3400

In Arubas setup some of the key things to note:

No subscription fees (if you stop paying for support on your controller or even if you had instant the system still functions)

In a controller based setup you don't need to worry about VLANs at the edge so in a non-technical manner it requires less management and work when adding new APs as everything is simply tunneled back to your controller.

You'll find that when doing RF Optimization Aruba's ARM solution does a far better job. It also isn't sending all if this data across your Internet link to be analyzed. This results in better performance on the wireless by optimizing the available airtime and not wasting your Internet bandwidth by sending data such as this across it.

Those are just a few of the things I can think of. I'm sure some others will chime in as I'd love to hear some additional comparisons.

your the first to help me stay arube but if i do not enoughn i will have to change and i love aruba networks

One major limitation with Aerohive compare with Aruba is that it is not possible to block broadcast and multicast traffic, which can have a major impact on overall performance.

 

Even if you put in a firewall rule to block multicast, it will still get through.  It is simply not possible to block broadcasts.

 

On Aruba, it is a simple tick box.....job done.  And yes, in my experience with Aerohive, the Aruba ARM management is much better.

 

As tsd25108 mentioned, with Aerohive you have to consider all the port configs on the edge and also add all those individual aps as nas clients to the radius server as well.  As an Aerohive deployment gets larger, it can be quite cumbersome.

No subscription fees (if you stop paying for support on your controller or even if you had instant the system still functions)

This doesn't apply to Aerohive.  I believe you are getting confused between Aerohive and Meraki.

You'll find that when doing RF Optimization Aruba's ARM solution does a far better job. It also isn't sending all if this data across your Internet link to be analyzed. This results in better performance on the wireless by optimizing the available airtime and not wasting your Internet bandwidth by sending data such as this across it.

 

 

The Aerohive ASCP protocol doesn't send the RF data across Internet links either unless the wireless system has been set up incorrectly but you can't blame the wireless vendor for that.

Here are a couple of blogs with some things to consider when switching. I agree with the previous posts points as well. 

 

http://community.arubanetworks.com/t5/Technology-Blog/The-Good-the-Bad-and-the-Ugly-What-Happens-When-Cloud-Services/ba-p/134995

 

http://www.securedgenetworks.com/secure-edge-networks-blog/bid/101874/4-Dangers-of-Cloud-Managed-Wireless-Solutions

 

My question to you is why would you replace a perfectly viable and reliable installation for one that would not afford you anything better?

 

You already have an investment in a controller and access points which are still usable and dependable. You controller has the capacity for 64 APs so you have some room to grow. Figure out what your wireless network capacity needs to be based on the number of client devices that the 1:1 initiative will introduce. Make sure you have a minimum of -65 dB in classrooms for the devices and that you have enough APs to cover the capacity requirements. 

 

Capacity planning - https://dl.dropboxusercontent.com/u/8644251/WLAN%20Capacity%20Planning%20Overview%20and%20Worksheets.pdf

 

I have been designing, selling, installing and supporting Aruba Networks installation in k-12 environments for 9 years. We have evaluated Aerohive on a number of occasions and have never found a compelling reason to move away from Aruba. They (Aruba) consistently provide solutions that our customers require and have provided options to cover the offerings that Aerohive feels differentiates them from the market i.e. - controller-less with Instant. 

 

Good luck on your endeavour and I hope you make the right choice (Aruba). 

 

 

I came across this thread late but to put my two cents in:

 

The quoted cloud services threads seem to apply to Meraki more than Aerohive.  Meraki is cloud controlled while Aerohive is cloud managed.  If the cloud is inaccessible for whatever reason Meraki is dead in the water (this comes from experience) while Aerohive just keeps working.  Also when Aerohive comes out of support it just keeps working while, as the threads showed, Meraki shut the entire wireless network down.

 

If you went to the Aerohive forums and asked the same question there you would get very different answers.  Both Aerohive and Aruba make excellent products with different strengths and weaknesses but I don't believe that one is "better" than the other although one may be better suited to the requirements for a particular customer.  Obviously you look at each deployment on a case by case basis.

 

If there is one thing I would like to see improved with Aruba it is the WLC's GUI.  Currently it is a bit of a mess.  It looks like what a group of university physics students would come up with in a lab where they are testing radio signals.   The wizards and "all profiles" sections help but there is no single place that shows how an access point or role is configured.  I would like to see:

 

• A "network overview" section where you can see all the SSIDs, authentication types, roles, VLANs, etc. listed on a single screen.  You should be able to click on any of the objects and go to their configuration area.
• If you click on an access point in the "network overview" section you should be able to see and adjust that access point's settings (channel, transmit power, SSIDs assigned, protocols assigned (802.11v,k,r, etc.))
• A "roles" section where all the roles are listed and every attribute (firewall settings, rate limiting, VLAN assignement, etc) applied to that role is accessible.

Aruba has an excellent role based access control system but if you put a junior wireless engineer infront of the Aruba WLC they wouldn't be able to find most of it and this, I believe, is an disservice to the Aruba system.

 

I would challenge Michael's comment re Aruba's Instant products.  Having tested the Instant OS against the HiveOS (Aerohive) it is very obvious that HiveOS has far more functionality than the Instant OS.  That said, the new IAP103 gives cost sensitive customers a large number of enterprise features (layer seven firewall, radio management, WIPs, spectrum analysis, etc.) at the same price point as SOHO products like Ubiquiti.  Aerohive do not have an access point at this price point.

 

In terms of your existing customers you would need a very good reason to change from Aruba as they have a large amount of money invested in the access points, WLCs, etc.  Do you have such a reason?

New to this community and stumbled on this via google.

Disclaimer : I have never used Aruba  , long time user of Aerohive.

 

I am intrigued by how Aruba works in a WAN environment with extensive APs and Radius Authentication - from above replies, it would seem that there may be some manner of proxy authentication built into the platform ? 

Anyways;if use of Aruba depends on a controller - dose'nt this create a single point of failure and a bottleneck ? Or is this not the case?

How does the licensing work ? Is this similar to Cisco?

 

 

 

If you looked at controller based solutions five years ago the controller did considerably more work than they do now.  As the cost of processing power and memory has dropped the controller based wireless vendors have implemented more features in the access points reducing the workload of the controllers.  For example, the CPUs commonly used in lower end Aruba access points are from the same family that some "more cost focused" vendors still power their controllers with.  As an example, Aruba access points enforce the firewall rules rather than the controller higely reducing the load on the controller.

 

On the "bottleneck" issue it is always important, as it is with firewalls, to correctly "size" your controller for your customer's deployment.  If you get this wrong and tunnel all the traffic back to the controller (does anybody do this anymore?) with every bell and whistle enabled then you may have an issue.  I believe that the line that a controller is always a "bottleneck" is an over simplification.  In some configurations the controller is an advantage.  For example, if you had 1,000 Aerohive AP230 access points deployed across a university campus and you needed to fault find issues with the integrated firewall rules how would you do it?  You can't go to a single place in the HiveManager (whether on-premise or HMOL) and fault find it.  If you are tracking a moving device in real time you have to move from access point to access point executing "show log buffed | include <IP Address>" commands via SSH (or the integrated HiveManager client).

 

If you are looking for a single major advantage of Aruba over Aerohive look at advanced authentication.  Aerohive has a mix of cloud based solutions (ID Manager and Client Management) that don't really feel like one solution.  The integrated Aerohive RADIUS server is very basic and is really designed for small remote sites.  If you compare those to Aruba's ClearPass solution, which can be deployed as a VM in a private cloud, there is just no comparison.

 

If you have a small deployment and just want a few access points then the Aruba Instant range is a good option.  There is no hardware controller as one of the Instant access points acts as a "virtual controller".  The Instant functionality is not as fully featured as HiveOS but it does have wizard-based configuration, integrated layer seven firewall, WIPS, role based access control, spectrum analysis, bonjour gateway, etc.  Instant access points can also rate limit a specific protocol or application, such as Microsoft Update, which HiveOS currently cannot do without affecting other protocols or applications.  One major advantage of HiveOS over ArubaOS/Instant is Private PSK.  I know Cisco call it a "one trick pony" but it is a really, really useful function of HiveOS.

 

I noticed that HiveOS 6.6r1 includes the ability to block broadcast and multicast traffic which is a feature I requested a while ago.

Thanks for the explanation.

 

Whilst I now  understand the concept of a ClearPass as a  VM to authenticate, I am led to understand that Aerohive's model of proxy APs (not necessarily ideal but works) would scale up to any level  as required negating the need for a separate vm to roll this on. Well , if one was to deploy a solution based on authentication a clean model would be to host external radius servers anyway.  Just my thinking.

 

I was expecting Aruba to have a version of PPSK  but then this is a playing catch up with Aerohive at the moment.  

 

If I am forced to buy a controller with X AP licenses and I buy X+1 AP  at a later - that does place me in a quandary with buying and managing another bit of  hardware ..

 

Yes, Aerohive may not have a version of AP-controlling-AP (They used use in the beginning where one AP could manage upto 11 others without a Hivemanager )  but really, if one  has less than a dozen APs to rollout then there may other other solutions which are more value for money. 

 

Contoller based approach in my view will always be a bottleneck  and especially so for multisite deployments.If an  integrated firewall rule is applied on the edge and it updates all AP, it would be normally viewed   on the Hivemanager console . Not that I would use the firewall on Aerohive for reasons of my own (namely keeping it simple) . If firewall and IPS was key to deployment why not invest in  better kit  down the pipe with more visibility (yes at the cost of more ingress traffic on the edge) ? Or use integrated third party filtering with Aerohive. Not sure of integrated tracking since we use other methods outside Aeorhive to do so. 

 

Presumably Aruba does Mesh,VPN tunneling and the rest  ?  It would seem that with HP's acquisition, the Aruba product line would be set for better integration with rest of the family and interesting days ahead. 

 

 

 

The requirment for ClearPass is not able the scale but about how complex it is now becoming to authenticate all wireless devices in a large deployment.  For example, how do you securely authenticate corporate managed iPads onto the domain? 

 

With Aerohive you really need an AirWatch or JAMF Software MDM as you Private PSKs are vulnerable to offline dictionary attacks and you can't use DHCP Option 55 operating system identification anymore as Apple is making the iOS and Mac OS DHCP Option 55 responses identical so you will not be able to tell an iPad apart from a Mac OS laptop.  You could deploy Client Management but this means another cloud based authentication service; which may be an issue if the client is a financial, legal or healthcare facility and prefer on-premise deployments; so you have i. Aerohive access points ii. HiveManager (on-premise or cloud) iii. RADIUS server (on-premise or cloud) iv. Client Management (cloud).

 

With the same deployment requirements Aruba can do i. Aruba Instant access points ii, ClearPass server.  For a larger deployment you might also include iii. AirWave management server.

 

The important thing to understand is that Aruba is not better than Aerohive, or vice versa, and both vendors have strengths and weaknesses.  As a wireless engineer your job is to determine the customer's requirements and match the vendor whose strengths and weaknesses best fit that customer.

Thanks again for the details. As a basic IT support chap (rather than an wireless engineer) I would quite like to get to the facts quick and easy from a frontline perspective - which perhaps is not happening here. I mean , If Clear Pass needs an appliance ( separate from the Controller) how different can this be with other solutions that are bolted by other vendors? Nor is the licensing model very clear .
Appreciate the details but I think in the absence of schematics or pointers the only way to find out is actually go out and test the kit. Intrigued much by the Marketing of the product but yet to get a grasp of underlying engineering concepts. Hope to gain more and perhaps contribute in the days ahead.

From a licensing point of view:

 

1.  Size an appropriate controller for your requirements.

2.  Purchase an AP license for each access point.

3.  Purchase a security license for each access point.  The security license enables RBAC and the layer seven firewall functionality.

 

If you have remote sites you don't necessarily need to deploy a controller at each site.  You can deploy remote access points (RAPs) and these tunnel back to the offsite controllers.  In Aerohive speak think of AP230s at the remote site tunneling back to a CVG at the head office.  It really depends on how many access points are required at each site.  If you need four or five, for example, you could just deploy Instant access points, which are not controller based, and these will run independently of the controller without an issue.

 

The ClearPass server replaces the external RADIUS server (generally a Microsoft server in most deployments I see) and adds:

 

* Advanced RADIUS functionality

* Certificate management (really, really useful if you need to deploy client certificates)

* Guest management (optional)

 

The fault finding capabilities of ClearPass far exceed the HiveOS RADIUS and Microsoft Network Policy Server.

 

Now there is nothing stopping you deploying Aerohive access points (this gives you the Private PSK functionality that I find very useful) utililising a ClearPass server to handle RADIUS, certificates, etc.  This is actually quite a common deployment where I am from.