
Could NAC be Juniper's not-so-secret weapon?

Analysts say built-in NAC key to Juniper’s Ethernet switch foray
By Tim Greene, Network World, 01/31/2008

Juniper Networks' EX switches announced this week -- the company's first for the enterprise market -- support a homemade version of network-access control that may be a helpful selling point, industry experts say.

"You can't come into the LAN switch market and say, 'I've got something that's just as good as everybody else,'" says Phil Hochmuth, an analyst with the Yankee Group. "You need something to set it apart. I think it's the NAC integration."

"If Juniper wants to displace the current vendors -- Cisco and HP ProCurve in particular -- then it needs an equally strong access-control story," says Rob Whiteley, an analyst with Forrester Research. "I think Juniper's UAC [Unified Access Control] delivers that, especially with the standards-based emphasis Juniper has been pushing for a while now."

Juniper's UAC policy-control server already could use any 802.1X-standard switches as enforcement points that set access rights via virtual LAN (VLAN) assignment. Now, with its own switches, the company can impose Layer 4 restrictions on access, not just Layer 2, the company says. So, the switches can enforce policies linked to a user's role in a company using access-control lists in addition to VLAN assignments.

The switches can define QoS as part of a user's access rights, making it possible to assign guests a lower QoS than full-time employees receive, for example.

With Juniper EX edge and core switches in a network, edge switch traffic can be mirrored via generic routing encapsulation tunnels to a data center where it can be monitored by Juniper's intrusion-detection gear to provide a form of postadmission NAC.

To this end, Juniper says it plans to evolve its NetScreen Security Manager software into a central policy-control platform. Users would set policies centrally and have them distributed throughout the network infrastructure. This will put UAC in perspective as an element of a coordinated network-security deployment that takes into account users' machines, identities, roles and access methods.

This echoes to some degree Cisco's recently announced TrustSec architecture for identity- and role-aware networks that impose access policies. Products to support TrustSec completely are still rolling out.

Comments (1)

Juniper's EX gives NetScreen a bigger role
By Cisco Subnet on January 31, 2008, 5:54 pm
Is Juniper's new EX switch a me-too device when compared to those from the competition? Analysts reckon that Juniper's home-grown version of network-access...
