It's been said that Microsoft Word users only exploit 10 per cent of the software's capabilities.
The same might be true of those managing local-area network switches and routers, a habit that might be costing organizations money in unnecessary purchases and manpower at a time when every penny counts. An informal canvass of some leading switch and router vendors found that customers use less than half of the systems' capabilities. Among the more overlooked features are specific functions within network management and security, vendors say.
"Eighty to 90 per cent of users use about 10 per cent to 15 per cent of switch features, maybe 20%," says Ananda Rajagopal, director of switch product management at Brocade. "It is true that a lot of the capabilities are often not used by customers."
In many cases, it's a lack of awareness of those capabilities, Rajagopal says. And at times, this lack of awareness and implementation can have a dramatic effect on the network, he says, in terms of security levels and visibility into traffic behavior.
Some of the most overlooked features are:
* IEEE 802.1x for user identification and authentication
* NetFlow or sFlow traffic sampling
* IPv6
* LLDP-MED, for dynamically provisioning power levels to devices
* Ethernet OA&M, for troubleshooting Layer 2 Ethernet networks, a feature that "99% of customers are not aware of," Rajagopal says.
Overlooking 802.1x
The IEEE standard 802.1x is defined for port-based network access control (NAC). It provides user and device authentication for LAN access, and is commonly used for 802.11 wireless access points.
It is not commonly used for wired network access, vendors say, even though it can be. Some vendors are perplexed as to why it is not and say they have to enlighten users to its applicability when they wish to enhance NAC authentication for wired networks.
"It's second nature in the wireless world but not in the wired world," says William Choe, director of the Ethernet switching technology group at Cisco.
A Gartner survey last year found that customers are increasingly willing to use 802.1x-based NAC, but that inhibitors include a large installed base of switches that don't support the standard. Those customers will wait on 802.1x until they upgrade their switches, the survey found.
NetFlow, sFlow not tracking
NetFlow is a Cisco-developed method for collecting IP traffic information. This information can then be used to visualize traffic flows and traffic volume in a network, which helps with capacity planning, billing, pinpointing unusual or malicious behavior, and other tasks.
"It tells you by user, by application, what's consuming all of your network resources," says Trent Waterhouse, vice president of marketing at Enterasys.
Yet despite its promised benefits, NetFlow is the "most overlooked capability" on Enterasys switches, Waterhouse says. He adds that 17 per cent of the company's support center calls are related to features and functionality already embedded in Enterasys switches for security or policy management.
"We don't want to be like Microsoft Word, where only 10 per cent of our features are used," Waterhouse says. "We want to make the management software facilitate the feature usage so you get that built in priority and security protection."
Enterasys customer the University of North Carolina uses 50 per cent of the features on its switches, says Mike Hawkins, associate director of networking at the college. Though he did not quantify the dollar savings, Hawkins says using half or more of the available switch features, such as role-based network access policies, remote port-based RMON packet capture, or MIBs that maintain a history of everything broadcast on a switch port, does reduce costs for UNC via increased uptime, automated operation and decreased manpower.
"We use more of the features so we don't have to have as many people" operating and managing the network, he says.
"I know when I solve problems quicker, a user is back online quicker," Hawkins says. "How much is that user's time worth? That's the money I save. And I don't have to send anyone out into the field."
One of the capabilities UNC does not use on the Enterasys switches is flow setup throttling, which allows a user to take action, such as slowing down traffic or shutting off a port, once a certain number of flows on a link or port are determined to be suspicious or potentially malicious. Hawkins says he may use it as more video traffic traverses the UNC network.
Another traffic monitoring feature, the IETF specification sFlow, is also commonly overlooked or not enabled, vendors say. The sFlow capability captures traffic data by using a sampling technology to collect statistics from switches and routers.
Sampling makes it applicable to gigabit and higher speed networks, vendors say. And like NetFlow, it provides more granular visibility into network behavior, they say.
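As an added example, not code from the article or from any vendor it names, the following Python shows the two things a NetFlow or sFlow collector does with exported records: scale sampled counts back up to estimated traffic volume and break it down by application and by host, and count how many distinct flows each host has set up, which is the condition a switch-side flow setup throttle evaluates. The flow records, the 1-in-100 sampling rate and the flow-setup threshold are all constructed for illustration; a real collector would decode NetFlow or sFlow datagrams instead of reading a Python list.

```python
"""Flow-record analysis of the kind a NetFlow or sFlow collector performs.

Added example, not code from the article or from any vendor named in it. Flow
records, the 1-in-100 sampling rate and the flow-setup threshold are all
constructed for illustration.
"""
from collections import defaultdict

# Assumed sFlow packet-sampling rate: one packet in every SAMPLE_RATE is exported,
# so every sampled byte count is scaled up to estimate the real volume.
SAMPLE_RATE = 100

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol, bytes, packets).
# 10.1.1.5 is an ordinary client, 10.1.1.9 a bulk transfer, and 10.1.1.77 opens
# one small flow to each of 30 hosts on tcp/445, the shape a scan or worm leaves.
FLOWS = [
    ("10.1.1.5", "10.2.0.10", 443, "tcp", 1500, 1),
    ("10.1.1.5", "10.2.0.10", 443, "tcp", 1200, 1),
    ("10.1.1.5", "10.2.0.11", 53, "udp", 800, 1),
    ("10.1.1.5", "10.2.0.12", 80, "tcp", 400, 1),
    ("10.1.1.9", "10.2.0.20", 443, "tcp", 5000, 4),
    ("10.1.1.9", "10.2.0.20", 443, "tcp", 5000, 4),
] + [("10.1.1.77", f"10.2.0.{i}", 445, "tcp", 60, 1) for i in range(1, 31)]


def bytes_by_application(flows, sample_rate=SAMPLE_RATE):
    """Estimated bytes per (protocol, destination port), the per-application
    view the article describes; the port stands in for the application."""
    totals = defaultdict(int)
    for _src, _dst, port, proto, nbytes, _pkts in flows:
        totals[(proto, port)] += nbytes * sample_rate
    return dict(totals)


def top_talkers(flows, n=3, sample_rate=SAMPLE_RATE):
    """The n source hosts with the largest estimated byte counts."""
    totals = defaultdict(int)
    for src, _dst, _port, _proto, nbytes, _pkts in flows:
        totals[src] += nbytes * sample_rate
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def flow_setup_offenders(flows, max_flows_per_host):
    """Source hosts that set up more distinct flows than max_flows_per_host
    within the observation window. A switch-side flow setup throttle checks
    this before rate-limiting or shutting a port; here the function only
    reports, leaving the response to an operator."""
    distinct = defaultdict(set)
    for src, dst, port, proto, _nbytes, _pkts in flows:
        distinct[src].add((dst, port, proto))
    return sorted(h for h, s in distinct.items() if len(s) > max_flows_per_host)


if __name__ == "__main__":
    for (proto, port), est in sorted(bytes_by_application(FLOWS).items(),
                                     key=lambda kv: kv[1], reverse=True):
        print(f"{proto}/{port}: ~{est} bytes")
    print("top talkers:", top_talkers(FLOWS))
    print("flow-setup offenders:", flow_setup_offenders(FLOWS, max_flows_per_host=20))
```

Note that the byte figures are estimates: sampling trades exact counts for the ability to keep up with gigabit links, which is why the scaling factor must match the rate actually configured on the switch, or every volume the collector reports will be off by the same multiple. The flow-count check, by contrast, does not depend on the sampling rate, which is one reason many-small-flows behaviour is the easiest thing to detect in sampled data.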
Yet sFlow "has a lot of benefit potential but not being fully utilized," says Mark Hilton, director of technical product marketing at HP ProCurve.
Hilton says there are a couple of reasons for this: there may be no compliance requirement or mandate from the company or a governmental agency to turn on the feature; and the feature may have appealed to users when they first bought the switch, but they later forgot to enable it or found they didn't need to.
"Unless you have a mandate or compliance issue, sometimes it's something you say you'll get to when you have time," Hilton says. "And they never quite get to that point. We have a lot of customers who say, 'We love that feature, we bought it for that,' but two years later, they haven't actually used it."
Few takers for IPv6
IPv6, the long-anticipated upgrade to the Internet's main protocol, is a feature that's mandated by the U.S. government. Among other things, IPv6 promises improved network security and management. But it has been largely ignored by private-sector enterprises even though the protocol is incorporated into a switch or router's software license.
Users have found other ways to handle IPv4 address depletion, such as network address translation, vendors say.
Its lack of use is "a little bit surprising because of the cost of managing IP addresses," says Cisco's Choe. He says one reason it isn't used more is that client operating systems, like Windows Vista, provide other methods for managing IPv4 address shortages even though they incorporate IPv6.
Those that have embraced IPv6, such as Google, say implementing the technology is not that difficult and that it will pay off in easier network management.
Not that IPv6 doesn't have its shortcomings. A recent Internet Society survey report found that business incentives are lacking. Concerns remain about backward compatibility between IPv6 and IPv4 as well, according to the IETF.
Few discover LLDP-MED, Ethernet OA&M
Other standards, like ANSI/TIA's LLDP-MED and the IEEE's 802.3ah for Ethernet OA&M, may be overlooked due to their relative unfamiliarity or specific niche function. LLDP-MED, which was defined to discover, configure and provision power to Power over Ethernet devices such as IP phones according to policy, was approved and published in 2006.
But wide adoption of a standard discovery or registration protocol for phones is limited.
The Ethernet OA&M aspect of the 802.3ah (Ethernet in the First Mile) standard attempts to bring carrier-like management to Ethernet access networks, including discovery, link monitoring, remote fault indication and loopback detection.
Vendors say they are working to better educate their customers on the full breadth of features in their switches and routers before those customers spend money unnecessarily on a competitor's solution.
"There's a lot of misunderstanding," HP ProCurve's Hilton says. "Another vendor might say, 'You need this feature,' but we'll show them how to configure it on the switch."