H3C WX5500H Access Controller
The H3C WX5500H series wireless access controller is the latest generation of unified wired and wireless access controller featuring high performance, large capacity, high reliability and versatile business services and is targeted at enterprise networks. The WX5500H series AC equips with a high performance multi-core CPU and several FPGA cards and enable CAPWAP all-size packets line-rate forwarding. It adopts the innovative Comware V7 platform (referred to as V7 hereafter). V7 comes with the standard granular user control management, comprehensive RF resource management, 7x24 wireless security control, fast layer-2 and layer-3 roaming, strong QoS and IPv4/IPv6 dual stack. V7 adds in various novel wireless technologies such as multi-core control plane, next generation CUPID wireless positioning technology, Bonjour and Hotspot 2.0.
WX5500H series AC supports multiple network configurations such as cloud computing management, layered AC and IRF. Also, it offers converged access of wired and wireless, which enables converged configuration and management in the same system on wired and wireless features to enhances manageability.
H3C WX5500H series AC consists of two models: WX5540H and WX5560H. When paired with H3C Fit Access Point (AP), it serves as an ideal access control solution for WLAN access of medium to large enterprise campus networks and wireless MAN coverage.
802.11ac AP Wave2 AP Management
In addition to 802.11a/b/g AP management, the WX5500H series AC can work together with H3C 802.11ac-based APs to provide wireless access speed several times faster than a traditional 802.11a/b/g network. With 802.11ac large proximity which makes WLAN multimedia applications deployment a reality.
Brand New Operating System
WX5500H series AC is developed based on the latest H3C V7 platform. The new system sports significantly improvements in performance and reliability over the previous version, and is able to run the increasingly complicated network applications in the enterprise market. V7 features the following advantages:
Multi-core control: V7 can adjust the ratio of control cores to the forwarding cores in the CPU to make the most out of CPU computing power and strike the balance between control tasks and forwarding tasks, while providing strong concurrent computing power
User mode multi-tasking: V7 adopts a completely new software privilege level system, where most network applications are executed in user mode, and allow each application runs a different task. Each task has its own dedicated resource and when a task fault occurs which will be isolated at its own space avoiding interruption of other tasks. This makes system run more securely and reliably
User task monitoring: V7 comes with task monitoring feature, in which all tasks are monitored. When a user task goes wrong, system will reload and application will quickly recover
New independent application upgrade: V7 supports independent application upgrade, where a single application module is upgraded instead of the whole operating system. This greatly reduces the number of system reboots compared with the previous version, keeping the upgrade secure and sustaining the network stability
Strong Wired and Wireless Processing Capability
WX5500H series AC adopts the latest high performance multicore CPU. WX5500H AC CPU possesses 8 independent cores that can be virtualized to 32 logical cores. The strong computing power allows the devices to handle more users, more concurrent transactions, decrease latency in order to improve user experience.
High Port Density for Access
WX5500H series AC provides high port density for external access. This results in better unified wired and wireless access (integrated wired and wireless user management including user access, user authentication and billing management) and satisfies network construction and access requirements.
Star IRF Support
WX5500H series AC supports a new star IRF (Intelligent Resilient Framework) developed by H3C. Compared with traditional IRF models, new star model employs layer 2 network (virtualized as a central node) to connect multiple devices, which makes network construction more flexible. The rationale behind the star IRF model is to connect multiple devices in a star topology and virtualized as a single distributed device, which possesses the following advantages:
Simple network configuration: star IRF does not require dedicated stack cables and ports, the stack is created once they are connected in layer 2
Capability stacks: star IRF appears to be a single virtualized AC, with the number of users and APs managed equal to individual ACs’ capacity added together
Simple configuration: configuration changes made to the virtual AC will automatically synchronized to all physical ACs
Highly reliable backup: supports M+N hot backup, meaning all applications have backups, and a single AC failure will not affect the functioning of virtual AC. WX5500H series AC supports a maximum of four-device stack
Flexible license control: A license installed in one device of a star IRF can be shared by other devices, number of APs that can be connected to the virtual AC is the sum of licenses possessed by all physical ACs; although licenses are installed and tied to individual device, unload and migration becomes more convenient
Layered AC Architecture
Layered AC architecture is the brand new network configuration engineered by H3C to cater for the need of multi-layer network construction in the market. Layered AC employs the centralized management hierarchy similar to the large enterprise, where one core layer management AC associates with multiple local access layer ACs, and access layer ACs directly connects with underlying APs. Access layer ACs’ mainly serve real-time applications such as AP access and data forwarding, while core layer ACs’ mainly focus on non-realtime tasks such as management control and centralized authentication, and still retain the functions of connecting APs and forwarding data that typical ACs have. Core layer ACs are high performance ACs and are deployed in the convergence layer; access layer ACs can be comprised of standard ACs, all-in-one ACs (with router and DPI features), or wired and wireless ACs, and are deployed in parallel with existing network. Layered AC network construction model puts wired and wireless integration to the next level, and is applicable to large scale wireless network construction. Layered AC model maps naturally to the head quarter and branch deployment scenario, where core link bandwidth and core AC forwarding power no longer become a bottleneck. Core layer AC centralized control, access layer AC and lower level APs can be conveniently upgraded and synchronized automatically, and greatly simplifies version upgrade tasks. Access layer AC will be responsible for AP switching and significantly improves roaming performance.
CUPID Wireless Positioning
H3C CUPID is a highly precise wireless positioning technology based on WLAN environment. It has the following advantages and features:
High precision
Traditional triangular and fingerprint positioning is based on Received Signal Strength Indicator (RSSI) power, and its precision is inevitably affected by RSSI power level fluctuation. Indoor decorations and the random nature of customer traffic will cause perturbation in RSSI data. H3C CUPID based positioning technology integrates information from Atheros chips and WLAN to make indoor positioning more precise, and overcome the limitation of RSSI based positioning systems. The positioning error could be as little as 3-5 meters under good conditions
Low latency
CUPID has lower latency compared with traditional signal based positioning technology. As it is based on active information compiled from the Access Point, its delay can be limited to within 2 seconds, and significantly improve the efficiency in signal and data collection
No pre-sampling
Traditional fingerprint based positioning requires substantial time and resource in sampling, and re-sampling is needed whenever changes are made to the deployment configuration, such as AP antenna or position. This creates considerable impact to the positioning system performance. CUPID positioning can skip the sampling process and the AP can start positioning right away with existing deployment configurations. CUPID also supports cross-channel deployment. Each channel could be deployed in up to six spectra, which would suppress interfaces in the same spectrum and improve positioning precision.
Flexible Forwarding Modes
In a wireless network of centralized forwarding modes, all wireless traffic is sent to an AC for processing. Therefore, the forwarding capability of the AC may become a bottleneck. This is especially true on wireless networks where APs are deployed at branches, ACs are deployed at the headquarters, and APs and ACs are connected over a WAN. However, distributed forwarding cannot provide traffic control as good as the centralized forwarding mode does. The WX5500H series AC supports both forwarding modes allowingSSID based forwarding to be set as needed.
Carrier-Class Wireless User Access Control and Management
User-based access control is a key feature of WX5500H series AC. The WX5500H series AC comes with a user profile that serves as a configuration template as predefined configurations. For different application scenarios, you can configure different items in a user profile, such as Committed Access Rate (CAR) and QoS policies.
During authentication, an authentication server assigns a user profile to the device. If the user passes authentication, the device uses the configuration contents in the user profile to restrict the accessibility of resources of the user. When the user goes offline, the device disables the user profile. Thus, user profiles are applicable to online users rather than offline users and users that fail to pass authentication.
The WX5500H series AC also supports MAC-based access control, which allows you to configure and modify the access rights of a user group or a particular user on an AAA server. The refined user rights control method enhances the availability of WLANs and facilitates access right assignment.
MAC-based VLAN is another strong feature of the WX5500H series AC. The administrator can assign users (or MAC addresses) with the same attributes into the same VLAN and configure a VLAN-based security policy on the AC. This simplifies system configuration and refines user management to the per-user granularity.
For security or accounting, the administrator may need to control the physical positions of wireless clients. The WX5500H series can satisfy this requirement. During authentication, the AC gets a list of permitted APs from the authentication server and then selects an AP for the requesting wireless client. In this way, the wireless client can only associate with that AP and thus its position is controlled.
Intelligent AP Load Sharing
In a WLAN, adjacent wireless APs should work in different channels to avoid channel interference. However, channels are very rare resources for a WLAN. There are a small number of non-overlapping channels for APs. For example, there are only three non-overlapping channels for the 2.4GHz network. Therefore, the key to wireless applications is how to allocate channels for APs intelligently.
Meanwhile, there are many possible interference sources that can affect the normal operation of APs in a WLAN, such as rogue APs, radars and microwave ovens. The intelligent channel switching technique can ensure the allocation of an optimal channel to each AP, thereby minimizing adjacent channel interference. Besides, the real-time interference detection function can help keeping APs away from interference sources such as radars and microwave ovens.
Intelligent AP Load Sharing
According to IEEE 802.11, wireless clients control wireless roaming in WLANs. Usually, a wireless client chooses an AP based on the Received Signal Strength Indication (RSSI). Therefore, many clients may choose the same AP with a high RSSI. As these clients share the same wireless medium, the throughput of each client is reduced greatly.
The intelligent AP load sharing function can analyze the locations of wireless clients in real time, dynamically determine which APs at the current location can share load with one another, and implement load sharing among these APs. In addition to load sharing based on the number of online sessions, the system also supports load sharing based on the traffic of online wireless users
Layer 7 Wireless Intrusion Detection and Prevention Systems (wIDS / wIPS)
The WX5500H series AC supports the blacklist, whitelist, rogue device defense, bad packet detection, illegal user removal, upgradeable Signature MAC layer attack detection (DoS attack, Flood attack or man-in-the-middle attack) and counter measures
With the built-in knowledge base in WX5500H, you can perform timely and accurate wireless security decisions. For determined attack sources such as rogue AP or terminals, you can perform visible physical location monitoring and switch physical port removing
With H3C firewall/IPS device, network infrastructure can also implement layer 7 security defense in wireless campus, covering wired (802.11) and wireless (802.3) secure connections on an end-to-end basis
New Wireless Intelligent Application Aware (wIAA)
Wireless Intelligent Application Aware Feature (wIAA) provides a user role based application layer security, QoS and forwarding policy for wired and wireless users. With wIAA, administrator can specify websites users’s browsing, application protocols (HTTP, FTP)and allocates their bandwidth. Compared with V5 AC, the V7 AC comes with Deep Packet Inspection (DPI) capability, expanding application detection and detailed statistics. Previous V5 AC detection was based on layer 4 Ethernet protocol (e.g. 80 maps to HTTP, 20/21 maps to FTP, 8000 maps to QQ and so on), which can be easily circumvented by agents, while the new V7 AC is based on layer 7 characteristics of Ethernet protocols, as well as the typical packet signature to implement a more precise recognition and complete restriction. With DPIadministrator can instead of prohibiting user visit all e-commerce websites but to set restriction on a per-website basis (such as JD, Taobao, Yihaodian). This simplifies configuration and improves productivity.
Hardware specifications
Item | WX5540H | WX5560H |
Dimensions (WxDxH) | 440mm×480mm×88.1mm | |
Weight | 13.3kg | 12.86kg |
Throughput | 40G | 100G |
Port | 12 GE 12 SFP 4 SFP+ 1 console 1 OOBM | 8 GE 12 SFP/SFP+ 4 QSFP+ 1 console 1 OOBM 1 USB |
Power supplies | Swappable power supply, 1+1 redundant backup, AC or DC (separately ordered) | |
Max power consumption | <300W | |
Operating and storage temperature | 0℃~45℃/-40℃~70℃ | |
Operating and storage relative humidity | 5%~95% | |
Safety Compliance | UL 60950-1 CAN/CSA C22.2 No 60950-1 IEC 60950-1 EN 60950-1/A11 AS/NZS 60950 EN 60825-1 EN 60825-2 EN60601-1-2 FDA 21 CFR Subchapter J | |
EMC | ETSI EN 300 386 V1.3.3:2005 EN 55024: 1998+ A1: 2001 + A2: 2003 EN 55022 :2006 VCCI V-3:2007 ICES-003:2004 EN 61000-3-2:2000+A1:2001+A2:2005 EN 61000-3-3:1995+A1:2001+A2:2005 AS/NZS CISPR 22:2004 FCC PART 15:2005 GB 9254:1998 GB/T 17618:1998 | |
MTBF | ≥38 years |
Software specifications
Item | Feature | WX5540H | WX5560H |
Basic functions | Number of managed APs by default | 0 | |
Size of license | 1/8/16/32/128/512/1024 | ||
Maximum number of managed APs | 3072 | 6144 | |
Maximum configurable number of APs | 12288 | 24576 | |
802.11MAC | 802.11 Protocols | √ | |
SSID hiding | √ | ||
11G protection | √ | ||
11n only | √ | ||
Use number limit | Supported: SSID based, per RF based | ||
Keepalive | √ | ||
Idle | √ | ||
Multi-country code assignment | √ | ||
Wireless user isolation | Supported: VLAN based wireless users 2-layer isolation SSID based wireless user 2-layer isolation | ||
20MHz/40MHz auto-switch in 40MHz mode | √ | ||
Local forwarding | Local forwarding based on SSID+VLAN | ||
CAPWAP | Auto AP serial number entry | √ | |
AC discovery (DHCP option43, DNS) | √ | ||
IPv6 tunnel | √ | ||
Clock synchronization | √ | ||
Jumbo frame forwarding | √ | ||
Assign basic AP network parameter through AC | Supported: Static IP, VLAN, connected AC address | ||
NAT traversal between AP and AC | √ | ||
Roaming | Intra-AC, Inter-AP L2 and L3 roaming | √ | |
Inter-AC, Inter-AP L2 and L3 roaming | √ | ||
Access control | Open system, Shared-Key | √ | |
WEP-64/128, dynamic WEP | √ | ||
WPA,WPA2 | √ | ||
TKIP | √ | ||
CCMP | √ (11n recommended) | ||
WAPI | √ (optional) | ||
SSH v1.5/v2.0 | √ | ||
Wireless EAD (End-point Access Domination) | √ | ||
Portal authentication | Supported: Remote Authentication, external server | ||
Portal page redirection | Supported: SSID based, AP Portal page push | ||
Portal by-pass Proxy | √ | ||
802.1x authentication | EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5, EAP-SIM, LEAP, EAP-FAST, EAP offload (TLS, PEAP only) | ||
Local authentication | 802.1X, Portal, MAC authentication | ||
LDAP authentication | 802.1X and Portal EAP-GTC and EAP-TLS supported by 802.1X login | ||
AP location-based user access control | √ | ||
Guest Access control | √ | ||
VIP channel | √ | ||
ARP attack detection | Supported: Wireless SAVI | ||
SSID anti-spoofing | SSID+user name binding | ||
AAA server selection based on SSID and domain | √ | ||
AAA server back up | √ | ||
Local AAA server for wireless user | √ | ||
TACACS+ | √ | ||
QoS | Priority mapping | √ | |
L2-L4 packet filtering and traffic classification | √ | ||
Rate limit | Supported with granularity of 8Kbps | ||
802.11e/WMM | √ | ||
Access control based on user profile | √ | ||
Intelligent bandwidth limit (equal bandwidth share algorithm) | √ | ||
Intelligent bandwidth limit (user specific) | √ | ||
Intelligent bandwidth guarantee | Supported: Free flow for packets coming from every SSID When traffic is not congested, and guarantee a minimum bandwidth for each SSID when traffic is congested | ||
QoS Optimization for SVP phone | √ | ||
CAC(Call Admission Control) | Supported: based on user number/bandwidth | ||
End-to-end QoS | √ | ||
AP upload speed limit | √ | ||
RF management | Country code lock | √ | |
Static channel and power configuration | √ | ||
Auto channel and power configuration | √ | ||
Auto transmission rate adjustment | √ | ||
Coverage hole detection and correction | √ | ||
Load balancing | Supported: based on traffic, user & frequency (dual-frequency supported) | ||
Intelligent load balancing | √ | ||
AP load balancing group | Supported: auto-discovery and flexible setting | ||
Security | Static blacklist | √ | |
Dynamic blacklist | √ | ||
White list | √ | ||
Rogue AP detection | Supported: SSID based, BSSID, device OUI and more | ||
Rouge AP countermeasure | √ | ||
Flooding attack detection | √ | ||
Spoof attack detection | √ | ||
Weak IV attack detection | √ | ||
wIPS | Supported: 7-layer mobile security | ||
Layer 2 protocol | ARP (gratuitous ARP) | √ | |
802.1p | √ | ||
802.1q | √ | ||
802.1x | √ | ||
Broadcast storm suppression | √ | ||
IP protocol | IPv4 protocol | √ | |
Native IPv6 | √ | ||
IPv6 SAVI | √ | ||
IPv6 Portal | √ | ||
Multicast | MLD Snooping | √ | |
IGMP Snooping | √ | ||
Multicast group | 256 | ||
Multicast to Unicast (IPv4, IPv6) | Supported: Set unicast limit based on operating environment | ||
Redundancy | 1+1 failover between ACs | √ | |
Intelligent AP sharing among ACs | √ | ||
Remote AP | √ | ||
Management and deployment | Network management | WEB, SNMP v1/v2/v3, RMON and more | |
Network deployment | WEB, CLI, Telnet, FTP and more | ||
WiFi location | CUPID location | √ | |
Green features | Scheduled shutdown of AP RF interface | √ | |
Scheduled shutdown of wireless service | √ | ||
Per-packet power adjustment (PPC) | √ | ||
WLAN Application | RF Ping | √ | |
Remote probe analysis | √ | ||
RealTime Spectrum Guard (RTSG) | √ | ||
Wireless Intelligent Application Aware (wIAA) | Supported/ Stateful Inspection Firewall | ||
Packet forwarding fairness adjustment | √ | ||
802.11n packet forwarding suppression | √ | ||
Access based traffic shaping | √ | ||
Co-AP channel sharing | √ | ||
Co-AP channel reuse | √ | ||
RF interface transmission rate adjustment algorithm | √ | ||
Drop wireless packet with weak signal | √ | ||
Disable user access with weak signal | √ | ||
Disable multicast packet caching | √ | ||
Status blink(limited to some AP) | √ |