Wireless LAN Forum

Content Specialist
IT Central Station
May 02 2018
One of the most popular comparisons on IT Central Station is Aruba Wireless vs Cisco Meraki Wireless LAN. People like you are trying to decide which one is best for their company. Can you help them out? Which of these two solutions would you recommend for Wireless LAN? Why? Thanks for helping your peers make the best decision! --Rhea
Akshay Balaganur
We are authorised to sell both Aruba and Meraki. Being a consultant myself, I give an honest comparison of both products and let the customers take a well-informed decision based on their priorities.

Meraki
-------
PROS
+ Pure play Cloud controller.
+ Easy to deploy and configure
+ Easy to manage geographically distributed locations with a single Dashboard
+ Simpler learning curve with a very simple GUI
+ Supports most standard business needs w.r.t. WiFi, viz. PSK, 802.1x, Guest WiFi, Presence Analytics, heatmapping, Basic L7 awareness etc.
+ Single Dashboard for configuring and managing Access switches, MX firewall and IP cameras.

Cons
- YoY mandatory subscription (which includes support, BTW)
- Limited in terms of advanced features like Roles-based Dynamic VLANs, Device profiling, RF-related features, BLE Beacons etc.
- No On Prem or Virtual Controller architecture. Some financial companies are concerned about having Mgmt on Cloud. They prefer everything On Prem.

Suitable for
Businesses with distributed small branches/locations like Retail outlets, Food chains, Enterprises with simpler use cases.
Businesses that prefer fully cloud management with small IT teams that manage global/geographically distributed stores/branches.
Specially advantageous if end-to-end Meraki is deployed for each branch, viz. Firewall, Switch, WiFi, Camera (optional)

Aruba
------
+ Supports 3 Architectures
    Virtual Controller (Everyone loves this!)
    On Prem Controller
    Cloud Controller (Aruba Central)
+ Fairly simple to deploy with a friendly GUI. A Cisco-only engineer may require basic training.
+ If deployed as On Prem (Virtual controller or Hardware controller), then a Cloud-based dashboard can be achieved through Aruba Airwave deployed on cloud. If Aruba Central Controller is deployed, then its cloud management is right out of the box.
+ Supports all advanced Enterprise features right out of the box, without additional licensing. Suitable for Enterprises of all sizes.
+ Has a tight integration with Aruba ClearPass, which is an industry-leading NAC solution. However, Aruba ClearPass can be beautifully integrated in a multi-vendor environment including Meraki and traditional Cisco Aironet.
+ Has tight integration with HPE Aruba Switches. Features like Zero touch AP deployment and Rogue AP detection can be configured on switching to ease large WiFi deployment and operations.
+ Provides easy scalability or migration with no subscription lock-ins
+ Has inbuilt Bluetooth Beacons for Location-based services like Indoor navigation, Proximity awareness, Proximity-based notifications, Asset tracking

Cons
------
- Although Airwave/Central can manage the Aruba Switches, it's not as advanced/detailed as Meraki-controlled switches.
- Unlike Meraki with its MX firewalls, Aruba doesn't have a WAN solution yet like a firewall/router. From what I know, there is an SD-WAN box in the roadmap.
- Involves a bit of a learning curve for Cisco-only IT teams. However, I personally (from a Cisco background) had no challenge getting used to the Aruba GUI.

Suitable for
Most Enterprises and other verticals with complex use cases
Businesses with Guest WiFi, User Analytics, Proximity marketing etc.
Enterprises for value-added services over WiFi infra like Asset tracking, Indoor Navigation etc.

Hope it helps. Cheers!
Akshay
https://www.airowire.com
Michael Newman
Both have their merits. Aruba has taken the brand of all the HP ProCurve hardware. Excellent customer service. I liked Meraki when they were just Meraki. Cisco has given them autonomy in development and product mix. They are as simple as Aruba is to configure. As another responder indicated, it's a license world now. Everyone wants a piece of the monthly operational pie. The dashboard is easy to understand and configure, but so is everyone else's. It sometimes comes down to who is going to support it, how easy it is to deploy and manage, and what the operational costs are. Honestly I prefer Ruckus :-) Unleashed is free (Zone Director is built into it). Also, as enterprises have embraced mobile, look down the road a bit, 3-5 years: you may see enterprise wireless also include cellular microcell boosters. You could do a POC between the 2 and see who wins based on your criteria for what your requirements are. Don't lose focus on what you are working to accomplish. Hopefully that helps and does not muddy the waters.
John Le Brun
Confidentiality, Integrity and Availability, or just CIA, are the basic elements of security. How secure is your WLAN infrastructure? Can you clone an AP (exposing the AP's integrity), can you sniff on WLAN encrypted traffic (exposing client traffic confidentiality), or do you need a maintenance window to upgrade or a failover time in case of a controller failure (reducing WLAN availability)? Let's find out why Aruba WLAN infrastructure is more secure than Cisco.

Access Point integrity

Every Aruba device like a Controller or Access Point has a TPM (Trusted Platform Module). A TPM provides several advantages when it comes to an Access Point. One of them is to ensure AP integrity, such that no one can clone or tamper with the AP. Every AP is equipped with a factory-installed X.509 certificate. The common name (CN) of this certificate is the LAN MAC address and serial number of the AP. The private key of this certificate is installed on the TPM module. The TPM prohibits any malicious activity to extract the private key. Vendors that don't have a TPM module, like Cisco, install the private key along with the factory certificate in the flash memory.

Why is having a TPM important?

The controller needs to identify the AP as a legitimate one before pushing the configuration onto it. Aruba does that by whitelisting the AP's MAC on the controller. The controller is sure that the AP with MAC address X is the one it claims to be because the CN of the certificate is the MAC address. Then session keys are exchanged and a secure communication path for the control plane between AP and Controller is established. The configuration can now be pushed.

However, the story looks a bit different for Cisco, which has the certificate private key stored in flash. The key can be extracted if someone has physical access to the AP (APs are usually placed in unsecured areas), which has also been demonstrated. Now a malicious user can obtain the configuration, which contains information like RADIUS shared secrets, PSK passphrases and more, as we will see later.

Client Traffic Security

The client WLAN traffic by Aruba is encrypted and decrypted on the controller. The AP will at no point in time come in touch with clear-text client traffic. Exposing the AP to clear-text client traffic adds an additional risk by opening a door to Man-in-the-Middle attacks. Aruba provides end-to-end traffic encryption.

Cisco does encrypt and decrypt WLAN traffic on the AP. The client traffic is then encrypted again in a proprietary protocol before it is sent to the controller. The AP comes in touch with clear-text client traffic. More tragically, if a malicious user exposes AP integrity (cloning the AP for instance) as described before, the whole WLAN security is jeopardized. When Fast Roaming is configured, the PMK (Pairwise Master Key, which is the key from which the WPA2 keys are derived) is pre-placed on the APs. If one can clone the AP that is authorized for a given network, one can then passively collect WPA2 keys for the entire network.

Traffic Isolation

In some scenarios the managed AP has to broadcast an SSID, but the traffic of this SSID is to be completely isolated from other traffic. Two use cases:

Use Case 1: Guest traffic needs to terminate to a controller in a DMZ and should not come in contact with the controller or any other device in the internal network.
Use Case 2: An external organization (or internal division) needs to broadcast its SSID on my own APs. The traffic from this SSID should terminate directly to their controller.

Aruba introduced a feature called MultiZone. It allows IT organizations to have multiple and separate secure networks while using the same Access Point. With MultiZone enabled, one AP can terminate to up to 5 different controllers or zones (under different management domains). The controller managing the AP is called the Primary Zone. A controller on which the AP only terminates client traffic is called a Data Zone. The data is encrypted from the client to the controller. When the data is flowing through the AP it is still encrypted. This means the networks are completely separate and secure even though the traffic runs through the same AP.

For the use cases before:

Use Case 1: A separate controller is placed in the DMZ (Data Zone). The Guest SSID broadcast on the AP is tunneled back to this controller and not to the Primary Zone controller.
Use Case 2: The administrator allows the external organization to broadcast their SSID on his own AP. They act as a Data Zone; the traffic from their SSID is directly terminated to their controller.

Cisco does not have a feature similar to MultiZone.

Availability

Compared to Cisco, Aruba enhances WLAN availability by providing: True Clustering, Live Upgrades and Loadable Service Modules.

True Clustering

Aruba provides true clustering. Controllers in a cluster (up to 12 controllers) have the client high-value sessions synchronized among them. High-value sessions are ones like FTP, SSH, VoIP …; HTTP sessions, on the other hand, are not high-value: re-establishing an HTTP session will have almost no impact. In case of a controller failure, clients who were managed on the failed controller are moved to another controller and, because their session table is already synced, the client applications will not notice. In other words, if a client is having a VoIP call on WLAN and the controller on which the client traffic was terminated fails, the client traffic will terminate to another cluster member. The VoIP call will continue; the client will not notice any interruption.

Live Upgrade

Usually when updating the firmware of the controller a maintenance window has to be found and WLAN is not available (or has limited functionality) during this time. Aruba can upgrade clusters without the need for a maintenance window. This is done as follows:

One cluster member is freed from APs; these APs are moved to other cluster members.
This controller is upgraded to the newest firmware.
Some APs at a time are freed from clients. These clients are transferred to adjacent APs without affecting their sessions.
The freed APs are upgraded and moved to the already upgraded cluster member(s).
This process is repeated until all APs and controllers are upgraded.

During the upgrade process clients will face minimal RF impact and client disruptions.

Loadable Service Modules

The LSM feature allows customers to individually upgrade supported applications/service modules at run-time without requiring an upgrade of the whole system or a reboot. Services that can be upgraded during run time are:

AppRF: for application detection
Airmatch: the process to assign the best channel, power and channel width for the AP
WebCC: Web Categorization, the process of categorizing web pages.

Last word: Security Certification

Aruba and Cisco are equivalent from a WLAN security certification standpoint. However, the Aruba controller is a Common Criteria accredited firewall and VPN gateway, which Cisco's controller is not. That is a key reason why, in high security networks, Aruba is approved to support guest + internal Wi-Fi access on the same equipment, because it has an accredited firewall that keeps those two networks separate. Cisco has to rely on VLAN separation with an external firewall, which is not as secure.
ICT Consultant (Individual/Hired) at a consultancy with 1,001-5,000 employees
Feb 27 2018
Cisco Wireless Aironet 3802i vs ALE OmniAccess Stellar AP1230. Which one is the best product in terms of quality, performance, client capacity, field coverage, centralized controller and price?
Systems Engineer at FTD India
Feb 15 2018
The software developers in the organization should connect to wireless access points for internet by their active directory credentials. Is that possible with Cisco WLAN?
ICT Consultant (Individual/Hired) at a consultancy with 1,001-5,000 employees
Which model is the best WiFi (Wireless LAN) in terms of Quality, User Capacity, Signal Coverage, Security, Support service and Pricing, comparing Cisco Wireless Aironet 3802i and Alcatel-Lucent Wireless OmniAccess Stellar AP1230 Series with Hardware or Software controller? SEE: http://enterprise.alcatel-luce... VS SEE: http://www.cisco.com/c/dam/ass...
