It’s been said that Microsoft Word users only exploit 10 per cent of the software’s capabilities.
The same might be true of those managing local-area network switches and routers, a habit that might be costing organizations in unnecessary purchases and manpower at a time when every penny counts. An informal canvass of some leading switch and router vendors found that customers use less than half of the systems’ capabilities. Among the more overlooked features are specific functions within network management and security, vendors say.
“Eighty to 90 per cent of users use about 10 per cent to 15 per cent of switch features, maybe 20%,” says Ananda Rajagopal, director of switch product management at Brocade. “It is true that a lot of the capabilities are often not used by customers.”
In many cases, it’s a lack of awareness of those capabilities, Rajagopal says. And at times, this lack of awareness and implementation could have dramatic effect on the network, he says, in terms of security levels and visibility into traffic behavior.
Some of the ones most overlooked features are:
* IEEE 802.1x for user identification and authentication
* NetFlow or sFlow traffic sampling
* LLDP-MED, for dynamically provisioning power levels to devices
* Ethernet OA&M, for troubleshooting Layer 2 Ethernet networks, a feature that “99% of customers are not aware of,” Rajagopal says.
The IEEE standard 802.1x is defined for port-based network access control (NAC). It provides user and device authentication for LAN access, and is commonly used for 802.11 wireless access points.
It is not commonly used for wired network access, vendors say, even though it can be. Some vendors are perplexed as to why it is not and say they have to enlighten users to its applicability when they wish to enhance NAC authentication for wired networks.
“It’s second nature in the wireless world but not in the wired world,” says William Choe director of the Ethernet switching technology group at Cisco.
A Gartner survey last year found that customers are increasingly willing to use 802.1x-bassed NAC, but that inhibitors include a large installed base of switches that don’t support the standard. Those customers will wait out 802.1x until they upgrade their switches, the survey found.
NetFlow, sFlow not tracking
NetFlow is a Cisco-developed method for collecting IP traffic information. This information can then be used to visualize traffic flows and traffic volume in a network to help with capacity planning, pinpoint usual or malicious behavior, billing and other tasks.
“It tells you by user, by application, what’s consuming all of your network resources,” says Trent Waterhouse, vice president of marketing at Enterasys.
Yet despite its promised benefits, NetFlow is the “most overlooked capability” on Enterasys switches, Waterhouse says. He adds that 17 per cent of the company’s support center calls are related to features and functionality already embedded in Enterasys switches for security or policy management.
“We don’t want to be like Microsoft Word, where only 10 per cent of our features are used,” Waterhouse says. “We want to make the management software facilitate the feature usage so you get that built in priority and security protection.”
Enterasys customer the University of North Carolina uses 50 per cent of the features on its switches, says Mike Hawkins, associate director of networking at the college. Though he did not quantify the dollar savings, Hawkins says using half or more of the available switch features — such as role-based network access policies, or remote port-based RMON packet capture, or MIBs that maintain a history of everything broadcast on a switch port — does reduce costs for UNC via increased uptime, automated operation and decreased manpower.
“We use more of the features so we don’t have to have as many people” operating and managing the network, he says.
“I know when I solve problems quicker, a user is back online quicker,” Hawkins says. “How much is that user’s time worth? That’s the money I save. And I don’t have to send anyone out into the field.”
One of the capabilities UNC does not use on the Enterasys switches is flow setup throttling, which allows a user to take action — such as slowing down traffic or shutting off a port — on a certain number of flows on a link or port if those flows are determined suspicious or potentially malicious. Hawkins says he may use it as more video traffic traverses the UNC network.
Another traffic monitoring feature, the IETF specification sFlow, is also commonly overlooked or not enabled, vendors say. The sFlow capability captures traffic data by using a sampling technology to collect statistics from switches and routers.
Sampling makes it applicable to gigabit and higher speed networks, vendors say. And like NetFlow, it provides more granular visibility into network behavior, they say.
Yet sFlow “has a lot of benefit potential but not being fully utilized,” says Mark Hilton, director of technical product marketing at HP ProCurve.
Hilton says there are a couple reasons for this: there may not be a compliance requirement or mandate from the company or governmental agency to turn up the feature; and the feature may have appealed to users when they first bought the switch, but forgot or found they didn’t need to enable it.
“Unless you have a mandate or compliance issue, sometimes it’s something you say you’ll get to when you have time,” Hilton says. “And they never quite get to that point. We have a lot of customers who say, ‘We love that feature, we bought it for that,’ but two years later, they haven’t actually used it.”
Few takers for IPv6
IPv6 — the long-anticipated upgrade to the Internet’s main protocol — is a feature that’s mandated by the U.S. government. Among other things, IPv6 promises improved network security and management. But it has been largely ignored by private-sector enterprises even though the protocol is incorporated into a switch or router’s software license.
Users have found other ways to handle IPv4 address depletion, such as network address translation, vendors say.
Its lack of use is “a little bit surprising because of the cost of managing IP addresses,” says Cisco’s Choe. He says one reason it isn’t used more is that client operating systems, like Windows Vista, provide other methods for managing IPv4 address shortages even though they incorporate IPv6.
Those that have embraced IPv6, such as Google, say implementing the technology is not that difficult and that it will pay off in easier network management.
Not that IPv6 doesn’t have its shortcomings. A recent Internet Society report survey found that business incentives are lacking. Concerns remain about backward compatibility issues with IPv6 and IPv4 as well, according to the IETF.
Few discover LLDP-MED, Ethernet OA&M Other standards, like ANSI/TIA’s LLDP-MED and the IEEE’s 802.3ah for Ethernet OA&M, may be overlooked due to their relative unfamiliarity or specific niche function. LLDP-MED, which was defined to discover, configure and provision power to Power over Ethernet devices such asIP phones according to policy, was approved and published in 2006.
But wide adoption of a standard discovery or registration protocol for phones is limited.
The Ethernet OA&M aspect of the 802.3ah — or Ethernet in the First Mile — standard, attempts to bring carrier-like management to Ethernet access networks, such as discovery, link monitoring, remote fault indication and loopback detection.
Vendors say they are working to better educate their customers on the full breadth of features in their switches and routers before they spend money unnecessarily — on a competitor’s solution.
“There’s a lot of misunderstanding,” HP ProCurve’s Hilton says. “Another vendor might say, ‘You need this feature,’ but we’ll show them how to configure it on the switch.”