At a glance | |
---|---|
Product | Zyxel 802.11 a/b/g/n Dual-Radio Business AP (NWA3560-N) [Website] |
Summary | Simultaneous dual-band (N600) business access point that can function standalone AP, managed AP and AP controller. |
Pros | • Controller, Standalone AP, Managed AP modes • Built-in RADIUS server • 802.3af / 802.3at PoE |
Cons | • Runs a bit hot • So-so performance • Controller mode does not also provide AP function |
Typical Price: $310 Buy From Amazon
Introduction
Updated 8/31/2012: Corrected Ethernet speed
The ZyXEL NWA3560-N is a 802.11n Access Point (AP) designed to scale from a single AP up to 24 APs and 500 wireless end devices. It has two flexible dual-stream, dual-band radios that each can run on either 2.4 or 5.0 GHz band, support up to 8 SSIDs per radio and provides a host of other wireless network features.
The NWA3560-N can be configured to run as a standalone AP (= default), managed AP or as a controller. I’ll first cover features and functionality of a single NWA in standalone mode. I’ll then review two NWAs, one in controller mode and another in managed mode.
The NWA is housed in white plastic and measures 7.8” L x 5.5” D x 1.9” H. There are four indicator lights on the top of the device for power, Ethernet, and on/off status of the two wireless radios. It has no cooling fans so runs completely silent. I noticed it does get quite warm to the touch, though.
There are four hinged dual-band antennas that come with the device. Simply screw the antennas onto the RP-SMA connectors and position them as desired. The NWA has four plastic feet so it can sit on a desk or shelf. It also is wall-mountable with two holes in the back of the chassis for hanging the device. The NWA comes with a power brick, but the device can also be powered by a standard PoE switch (both 802.3af and 802.3at are supported). I powered my test NWAs off a NETGEAR GS510-TP PoE capable smartswitch.
Feature Summary
The NWA3560-N is a feature-rich wireless device. I put together the below list from the ZyXEL data sheet and its configuration options.
- Dual Radio (AP+Bridge)
- Dual Band
- Standalone Mode
- Controller Mode (maximum APs = 24, maximum client = 500)
- Managed Mode
- High Availability
- PoE
- RADIUS/802.1x
- 8 SSIDs per radio
- WEP, WPA, WPA-2 Personal and Enterprise security
- SSID to VLAN mapping
- MAC address Filtering
- Rogue AP Detection
- Rogue AP Containment
- WMM QoS
- Load Balancing
- Dynamic Channel Selection
- Console/Telnet/SSH/WWW/FTP administration
Inside
Updated 8/31/2012
Figure 1 is a shot of the mainboard of the NWA3560-N. The main components include a Cavium OCTEON CN5020 (500MHz) processor, 32 MB Flash, 256 MB SDRAM and Qualcomm-Atheros AR9220 WLAN chipsets on Z-Com AN-622 mini-PCI modules. I couldn’t identify the Ethernet device used, but it is 10/100, not Gigabit 10/100/1000.
Figure 1: NWA3650-N board
Configuration
The NWA can be configured via web GUI, as well as via the command line (CLI). Table 1 below lists the various menu options available in the NWA web GUI with the device configured for Standalone mode.
Table 1: NWA3650-N menu summary
I found the menus on the NWA easy to navigate. The main web interface has a top bar with 6 choices. Bringing up the help option on the top bar provides an indexed and searchable copy of the NWA manual. Along the side of the web interface are four menu options where all the configuration and operation options reside.
CLI access to the NWA is via an IP connection or console port. By default, SSH access is enabled and Telnet is disabled. Common CLI tools such as “?”, command history, and tab-complete are available to simplify CLI configuration.
I’ve included a shot of the Dashboard in Figure 2 to give you the look and feel of the ZyXEL configuration screens. The Dashboard provides a nice look at key performance indicators, such as CPU, Memory, and Flash status, as well as number of connected APs (when in controller mode) and stations.
Figure 2: NWA3650-N Dashboard
Feature Tour
LAN
The Ethernet interface on the NWA can get its IP via DHCP or you can set it statically. For APs in standalone mode, I prefer to give them a static IP, which was simple on the NWA, as you can see in Figure 3.
Figure 3: NWA3650-N IP address setting
Wireless
The NWA has two radios. Each can be independently enabled or disabled. When enabled, each can run in AP mode using either the 2.4 or 5.0 GHz band. Alternatively, one of the radios can run in MON mode, again on either band.
In AP mode, the selected radio functions as a traditional AP, supporting a wireless network with end devices. In MON mode, the selected radio scans for SSIDs within its range and can actually block or interfere with foreign wireless networks.
NWA configuration is object oriented, meaning you create objects and then apply them within other configuration options. I find object oriented configuration useful, especially in larger networks. The trick is creating intuitive names for the objects you create so you can find and apply them in other configurations.
Usually, I just poke my way through configs, figuring them out as I go. With the NWA and the multitude of objects, I found it best to create configs in a sequential manner and take notes of my settings. While trying multiple configurations and making a few errors, I think I confused the NWA, requiring a reboot to get both radios back on line.
Each object in the NWA is called a profile. I found the following configuration sequence made it easier for me to understand the NWA’s object oriented configurations.
- Create user names and passwords if you’re going to use 802.1x authentication. The NWA supports both local and external RADIUS authentication.
- Create list(s) of MAC addresses if you’re going to permit or deny devices on your network by MAC address.
- Create a MON profile if you’re going to use one of the NWA’s radios to monitor for other wireless networks. Note, a radio in MON mode does not provide connectivity to end devices. I’ll cover MON functionality in a bit.
- Create a security profile. In this object, you select the wireless security protocol (none, WEP, WPA, WPA2, WPA2-Mixed) and set your wireless key or enable 802.1x.
- Create an SSID profile. In this object, you create the SSID and bind it to a previously created MAC address list and a previously created security profile. From there, you can select wireless QoS options (more on this later), set VLAN ID, and select hidden SSID and intra-SSID traffic blocking.
- Create a radio profile. In this object, you choose between MBSSID or AP+Bridge mode, a frequency setting of 2.4 or 5.0 GHz, wireless channel, 802.11 mode (a/b/g/n), and then bind these choices to an SSID profile. Up to 8 SSID profiles can be applied to a radio profile.
- Select radio mode (AP or MON) for each of the NWA radios.
- Apply a radio profile or MON profile to each radio, depending on the radio mode selected.
To set up a basic wireless network using WPA2 with a simple pre-shared key (PSK), 2.4 GHz band and 802.11n, I created a security profile with WPA2 and my PSK. I then created an SSID profile with my wireless SSID and selected my security profile. I next created a radio profile with the MBSSID option, frequency 2.4 GHz and 802.11n and selected my SSID profile. Finally, I configured radio 1 in AP mode and selected my radio profile.
I had no problem connecting multiple wireless devices to the NWA, including laptops, iPads, and an iPhone. The NWA’s wireless monitor menu provides a station list showing devices connected to the NWA by MAC, SSID, and connection strength, shown in Figure 4.
Figure 4: NWA3650-N IP station list
QoS
Wireless QoS options are applied by SSID. QoS options on the NWA include none, WMM, WMM_VOICE, WMM_VIDEO, WMM_BEST_EFFORT, and WMM_BACKGROUND. WMM, or Wi-Fi Multimedia is a standard for QoS on Wi-Fi networks. If the WMM option is selected, the NWA makes its best guess to traffic type, such as voice or video, tags and prioritizes the traffic based on the determined type. Voice and video are given higher priority, while best effort traffic, such as web surfing, is given normal priority, and background traffic is given low priority. Note that all tagging is WMM based. 802.1p Layer 2 tagging is not applied. So traffic leaving the AP has no QoS tagging applied.
Selecting the other four options (VOICE, VIDEO, BEST_EFFORT, and BACKGROUND) means all traffic on that SSID will be tagged on the AP per the selected option. For example, if you have Wi-Fi based VoIP devices, it might be a good idea to create a separate SSID for the VoIP devices, connected to a separate VLAN on the wired network, and utilize WMM_VOICE to ensure the wireless traffic from the VoIP devices is given priority access over other wireless devices.
It was unclear whether the NWA just tagged packets or actually prioritized traffic. ZyXEL clarified that the AP tags traffic internally as voice, video or best-effort and prioritizes it accordingly using an internal queue to maintain the set priority.
MBSSID or AP+Bridge
An NWA radio given a profile with the MBSSID (Multiple Basic Service Set) mode will function as an AP that supports up to 8 SSIDs connecting to wireless devices. A radio given a profile with the AP+Bridge mode will function as both an AP to wireless devices, as well as a wireless network bridge to establish a wireless link with one or more other APs via WDS.
Wireless and VLANs
The NWA has the option to define whether the management interface is on the native VLAN (untagged) or another VLAN (tagged). Interestingly, the NWA can only have one IP address, there isn’t an option to assign different IP addresses to different VLANs.
A common enterprise practice with WLANs is to create different SSIDs for different VLANs. The NWA can support up to eight simultaneous SSIDs, each on a different VLAN. I tested this feature by creating a second SSID and assigning it to VLAN 2 on the NWA. I then connected the NWA’s Ethernet port to a switch port configured as an 802.1q trunk configured for VLAN 1 (untagged) and VLAN 2 (tagged). VLAN 1 and 2 on the switch were connected to different routers on different subnets.
The NWA performed as expected. Connecting to the SSID assigned to VLAN 1 on the NWA gave me an IP address from Router 1, and connecting to the SSID assigned to VLAN 2 on the NWA gave me an IP address from Router 2.
Figure 5 below shows the station list output from the NWA’s monitor menu. As you can see, I’ve got four devices connected to SSID MDC10, which is mapped to VLAN1 and one device connected to SSID ZyXel3, which is mapped to VLAN2. The devices connected to MDC10 are getting IP addresses from Router 1, while the devices connected to ZyXel3 are getting IP addresses from Router 2.
Figure 5: NWA3650-N station list from Monitor
MON (monitor) mode
With one of the NWA’s radios in MON Mode, the selected radio scans for other wireless networks and allows you to mark them as rogue or friendly networks. Note that selecting this mode on a radio means that radio will be used only to scan and possibly send interference to other wireless networks. As you can see in Figure 6, my NWA detected 19 other wireless SSIDs.
Figure 6: Devices detected by Monitor mode
Rogue AP Handling
To discourage the use of other wireless network within range of your approved wireless networks, an NWA radio in MON mode has an option to interfere with other networks by broadcasting dummy packets at rogue SSIDs. These dummy packets essentially prevent the rogue AP from maintaining consistent connections or capturing packets from wireless clients.
I set up a NETGEAR FVS318N as my rogue AP. I then connected a laptop to the NETGEAR’s wireless network. You can see the FVS’s SSID as FVS318N_1 toward the bottom of Figure 7. Next, I ran a continuous ping from the laptop to the FVS to see if the NWA would interrupt that traffic. Finally, I configured the NWA to recognize the FVS’s SSID as a rogue network and enabled rogue AP containment on the NWA, as shown below.
Figure 7: Enabling rogue AP containment
Wow, I immediately started seeing packet loss on the FVS wireless network! Take a look at the command line output below. You can see the pings to 192.168.2.1 were consistently at 1ms at the top of the output before I enabled containment, then they start dropping when I applied the containment option on the NWA. Clearly, this type of performance would render a rogue wireless network difficult to use.
Figure 8: Packet loss from rogue containment
The NWA also has options for Load Balancing wireless clients, as well as Dynamic Channel Selection (DCS). Wireless load balancing, applied only when the AP is overloaded, can be performed by either delaying wireless client connections when overloaded, forcing the clients to wait or connect to another AP, or dropping wireless client connections until the AP is no longer overloaded. The NWA’s DCS feature enables the NWA to scan for wireless channels in use in the nearby area and automatically use a different channel.
System Options
The system options menu on the NWA provides the ability to set the host name, adjust time settings, select options for console / HTTP / HTTPS / SSH / telnet / FTP access, configure SNMP and RADIUS server options. For example, Network Time Protocol (NTP) is supported, with a couple nice conveniences. First, it has pre-defined time servers, saving you the hassle of adding a time server. Of course, you can change or add a time server as desired. Second, daylight savings is configurable so you can define when it starts and ends.
I set up the NWA3560-N with the North American Daylight Saving rules to start at 2 AM on the second Sunday of March and end on the first Sunday of November. Once configured properly, the device should have the accurate time continuously and shouldn’t need the time reconfigured again.
Figure 9: Date time daylight savings adjust
Further, an NWA, even in standalone mode, can serve as a centralized RADIUS server for multiple other APs. To use this feature, the client NWAs must enter the IP address and password for the NWA running the RADIUS server in a security profile. The NWA running the RADIUS server must have user names and passwords entered for all wireless clients to be authenticated, plus have the IP addresses and passwords of the client NWAs entered in the Authentication Server configuration.
Log & Report
The NWA can send system log messages to two different email address, as well as send normal and/or debug log messages to four different syslog servers. Log messages are also stored locally on the NWA. Log messages can be filtered and viewed locally via the monitoring menu.
In addition, the NWA can email reports on a scheduled basis reporting on CPU, memory and port usage, as well as station counts and TX/RX statistics.
This concludes the feature tour for standalone AP mode. Next, I’ll look at the NWA3560-N when set as a controller and managed AP.
Controller and Managed Mode
Controller and managed AP mode on the NWA3560-N requires at least two devices—one configured as the controller, the other configured in managed mode. Up to 24 NWAs can be managed by a single controller.
I discovered a few notable things about controller and managed mode. First, changing the device into controller or managed mode causes the NWA to factory reset itself, so all previous configurations are lost. Second, if you put an NWA into managed mode, the only way to get it out of managed mode is to perform a physical factory reset. Third, a device in controller mode is no longer an AP and functions solely as a controller of APs. My clue on this was that I noticed the indicator lights for the two radios do not light up when the device is in controller mode.
I gave the controller AP a static IP on VLAN1 on my network and let the managed AP use DHCP. ZyXEL uses the Control and Provisioning of Wireless AP (CAPWAP, RFC 5415) protocol for communication between the controller and managed APs. Thus, connecting the controller to the managed AP is automatic as long as both devices are on the same VLAN. Figure 10 is from the controller AP. It shows the controller has discovered the managed AP
Figure 10: Controller managed AP discovery
Controller Mode Configuration
The menus in controller mode are nearly identical to the menus in standalone mode. Creating the security, SSID, and radio objects is exactly the same. This is the where you see the value in dedicating one device to be the controller. You’ll save a lot of time configuring your APs!
The key differences in the menu between standalone and controller mode are an additional menu for Device High Availability (HA) and a submenu for configuring each of the radios on the individual managed APs.
Device HA provides valuable redundancy for deployments with multiple managed APs, all dependent on the controller for their configurations. If you’re using 802.1x wireless authentication, with a database of user names and passwords in the main controller, there is even more reason to use HA. To utilize Device HA, an additional NWA in controller mode is required. Remember, devices configured as controllers do not function as APs.
Configuring Device HA involves configuring a second NWA in controller mode, specifying one device as master and the other as backup. Once the two devices see each other, the configuration from the master can by synchronized to the backup. Further, a shared IP address, called a virtual IP, can be configured, allowing for managing both the master and backup via a single IP address.
Wireless Configuration
Using the same steps I used in standalone mode, I was able to recreate my standalone wireless configurations. The only difference is steps 7 and 8 from need to be applied to the desired radio(s) on each managed AP.
Since I only had two devices for my test, I configured only one SSID on one radio, on one managed AP. If had a dozen APs throughout my business, though, I can see it would be quite easy to apply the same SSID configuration to all the APs in my network. With the NWA, it would be a simple point and click task in a single device to extend a common wireless network throughout my entire space.
802.1x
The 802.1x standard allows for individual authentication on a wireless network. The NWA supports 802.1x wireless authentication in both standalone and controller mode. Using 802.1x authentication on the NWA is a matter of:
- updating the default security certificate
- creating user names and passwords
- creating a security profile that uses 802.1x authentication
- applying that security profile to an SSID profile
- applying that SSID profile to a radio profile
- and finally applying that radio profile to one or more active radios on the managed AP network.
Below is a screenshot of a security profile using 802.1x. You can see I’ve selected the NWA’s internal RADIUS server. Optionally, the NWA supports a primary and secondary external RADIUS server, useful if you already have an authentication database on your network.
Figure 11: 8021.x security profile
I tried to test 802.1x, but I couldn’t get it to work. I am not sure if it there was an error on my part, a fault on my PC or something else. This might be a good topic for an application note.
Monitor Menu
The Monitor menu, not to be confused with MON mode, is available on both standalone and controller mode. This tab shows a picture of LAN Status, Wireless AP and Station information, rogue APs and lists Legacy Device information. Interestingly, the NWA can perform as a controller for not only other NWA3560-Ns, but several other models of ZyXEL APs.
The list of other ZyXEL APs that can be controlled by the NWA3560-N is:
- NWA-3160
- NWA-3163
- NWA-3500
- NWA-3550
- NWA-3166
Wireless Performance
Testing and Analysis by Tim Higgins
The NWA3560-N is Wi-Fi Certified and defaults to the same SSID (ZyXEL) in both bands. The 2.4 GHz band supports only 20 MHz bandwidth mode while the 5 GHz band supports both 20 MHz and Auto (20/40) mode, the latter being its default. Since this is a business-class access point, Wi-Fi Protected Setup (WPS) is not supported.
The NWA is an Access Point, so you’ll find its performance results in our Wireless Charts instead of our Router Charts. All testing was performed with 2.23(UJC.1) firmware in the AP using our standard test process. The test client was our standard Intel Centrino Ultimate-N 6300 with Win7 13.5.0.6 driver.
There are three-other business-class APs in the Charts database. So I created the comparison chart below including the Cisco WAP121, WAP321 and EnGenius EAP-300.
Figure 12 shows throughput averaged over all four test locations and the NWA performing about the same as two out of the three comparison APs.
Figure 12: 2.4 GHz downlink performance comparison
A 5 GHz downlink performance comparison shows only the WAP321 since the EAP-300 and WAP121 are not dual-band. The NWA again comes in second, although not by as wide a margin.
Figure 13: 5 GHz downlink performance comparison
For the detail behind the averages, we need the Performance Tables. The 2.4 GHz table shows the NWA isn’t particularly strong at our weakest test location F, but turns in respectable, but not exceptional, numbers in the other downlink test locations. It is the best of the bunch running uplink, however in our strongest signal location A. There are no results for 40 MHz mode because, as mentioned previously, it is not supported.
Throughput stability is generally ok as shown in the IxChariot plot in Figure 14. But you can see some big multi-second dips and ramp-ups in the plot below.
Figure 14: IxChariot plot – 2.4 GHz, 20 MHz, downlink
You’ll see the same behavior in the other plots linked below.
As might be expected from the overall average chart in Figure 13, the 5 GHz table shows similar performance for the NWA and Cisco WAP321 running downlink in 20 MHz mode. Uplink numbers are even better, with the NWA beating the Cisco in two out of three location tests.
Downlink tests in 40 MHz mode show virtually no throughput gain from eating up more bandwidth. In comparison, the Location A uplink result of 138 Mbps seems entirely at odds with the NWA’s otherwise workman-like, but unexceptional performance.
Throughput stability looks a tad better than 2.4 GHz was, as shown in the IxChariot plot in Figure 15.
Figure 15: IxChariot plot – 5 GHz, 20 MHz, downlink
High variation seems to be theme in the other 5 GHz plots linked below.
- 5 GHz / 20 MHz uplink
- 5 GHz / 20 MHz up and downlink
- 5 GHz / 40 MHz downlink
- 5 GHz / 40 MHz uplink
- 5 GHz / 40 MHz up and downlink
Closing Thoughts
I think the biggest strength of the NWA3560-N is its ability to scale to larger networks. Once you get the hang of the object oriented menus, configuring multiple devices through a single controller is quite efficient. I also liked its monitor mode and ability to not only detect rogue wireless networks, but contain them as well.
Compared the Cisco WAP321, the NWA is on the pricey side if you’re only going to use it as a standalone AP. Pricegrabber lists the ZyXEL NWA3560-N for $344.63, while the Cisco WAP321 is only $205.12. So a managed AP network of two APs and a NWA-turned-controller will set you back under $1100, complete with rogue AP detection / mitigation and built-in RADIUS authentication.
In contrast, the cheapest Cisco wireless controller—the 2504—will by itself set you back over $1300. A manageable simultaneous dual-band AP like the Cisco Aironet 600 costs $300.
In my mind, it comes down to a question of price versus efficiency. If you’re running a small IT staff with several hundred wireless users, you may have your hands full with day to day end user issues. The efficiency of a single interface for managing the wireless network might just warrant the higher price tag.