The five best router and switch features that you don't use
Data industry's best-kept secrets
By Jim Duffy | Network World US | Published: 09:51, 02 April 2009
It's often been said that Microsoft Word users only exploit 10 percent of the software's capabilities.
The same might be true of those managing enterprise LAN switches and routers, a habit that might be costing organizations in unnecessary purchases and manpower at a time when every penny counts.
An informal canvass of some leading switch and router vendors found that customers use less than half of the systems' capabilities. Among the more overlooked features are specific functions within network management and security, vendors say.
"Eighty to 90 percent of users use about 10 percent to 15 percent of switch features, maybe 20 percent," says Ananda Rajagopal, director of switch product management at Brocade. "It is true that a lot of the capabilities are often not used by customers." In many cases, it's a lack of awareness of those capabilities, Rajagopal says. And at times, this lack of awareness and implementation could have dramatic effect on the network, he says, in terms of security levels and visibility into traffic behaviour.
Some of the ones most overlooked features are:
- IEEE 802.1x for user identification and authentication
- NetFlow or sFlow traffic sampling
- LLDP-MED, for dynamically provisioning power levels to devices
- Ethernet OA&M, for troubleshooting Layer 2 Ethernet networks, a feature that "99 percent of customers are not aware of," Rajagopal says.
The IEEE standard 802.1x is defined for port-based network access control (NAC). It provides user and device authentication for LAN access, and is commonly used for 802.11 wireless access points.
It is not commonly used for wired network access, vendors say, even though it can be. Some vendors are perplexed as to why it is not and say they have to enlighten users to its applicability when they wish to enhance NAC authentication for wired networks.
"It's second nature in the wireless world but not in the wired world," says William Choe director of the Ethernet switching technology group at Cisco.
A Gartner survey last year found that customers are increasingly willing to use 802.1x-bassed NAC, but that inhibitors include a large installed base of switches that don't support the standard. Those customers will wait out 802.1x until they upgrade their switches, the survey found.
NetFlow, sFlow not tracking
NetFlow is a Cisco-developed method for collecting IP traffic information. This information can then be used to visualize traffic flows and traffic volume in a network to help with capacity planning, pinpoint usual or malicious behavior, billing and other tasks. "It tells you by user, by application, what's consuming all of your network resources," says Trent Waterhouse, vice president of marketing at Enterasys.
Yet despite its promised benefits, NetFlow is the "most overlooked capability" on Enterasys switches, Waterhouse says. He adds that 17 percent of the company's support centre calls are related to features and functionality already embedded in Enterasys switches for security or policy management.
"We don't want to be like Microsoft Word, where only 10 percent of our features are used," Waterhouse says. "We want to make the management software facilitate the feature usage so you get that built in priority and security protection."
Another traffic monitoring feature, the IETF specification sFlow, is also commonly overlooked or not enabled, vendors say. The sFlow capability captures traffic data by using a sampling technology to collect statistics from switches and routers.
Sampling makes it applicable to gigabit and higher speed networks, vendors say. And like NetFlow, it provides more granular visibility into network behaviour, they say.
Yet sFlow "has a lot of benefit potential but not being fully utilised," says Mark Hilton, director of technical product marketing at HP ProCurve.
Hilton says there are a couple reasons for this: there may not be a compliance requirement or mandate from the company or governmental agency to turn up the feature; and the feature may have appealed to users when they first bought the switch, but forgot or found they didn't need to enable it.
"Unless you have a mandate or compliance issue, sometimes it's something you say you'll get to when you have time," Hilton says. "And they never quite get to that point. We have a lot of customers who say, 'We love that feature, we bought it for that,' but two years later, they haven't actually used it."
Few takers for IPv6
IPv6 - the long-anticipated upgrade to the Internet's main protocol - is a feature that's mandated by the US, and other, governments. Among other things, IPv6 promises improved network security and management. But it has been largely ignored by private-sector enterprises even though the protocol is incorporated into a switch or router's software licence.
Users have found other ways to handle IPv4 address depletion, such as network address translation, vendors say.
Its lack of use is "a little bit surprising because of the cost of managing IP addresses," says Cisco's Choe. He says one reason it isn't used more is that client operating systems, like Windows Vista, provide other methods for managing IPv4 address shortages even though they incorporate IPv6.
Those that have embraced IPv6, such as Google, say implementing the technology is not that difficult and that it will pay off in easier network management. Not that IPv6 doesn't have its shortcomings. A recent Internet Society report survey found that business incentives are lacking. Concerns remain about backward compatibility issues with IPv6 and IPv4 as well, according to the IETF.
LLDP-MED, Ethernet OA&M
Other standards, like ANSI/TIA's LLDP-MED and the IEEE's 802.3ah for Ethernet OA&M, may be overlooked due to their relative unfamiliarity or specific niche function. LLDP-MED, which was defined to discover, configure and provision power to Power over Ethernet devices such as IP phones according to policy, was approved and published in 2006.
But wide adoption of a standard discovery or registration protocol for phones is limited. The Ethernet OA&M aspect of the 802.3ah - or Ethernet in the First Mile - standard, attempts to bring carrier-like management to Ethernet access networks, such as discovery, link monitoring, remote fault indication and loopback detection.
Vendors say they are working to better educate their customers on the full breadth of features in their switches and routers before they spend money unnecessarily - on a competitor's product.
"There's a lot of misunderstanding," HP ProCurve's Hilton says. "Another vendor might say, 'You need this feature,' but we'll show them how to configure it on the switch."