The traditional LAN switch is poised for an extreme makeover, and the focus is decidedly on brains, not beauty.
Next-generation switches will not only feature embedded intelligent security functions, such as firewall, intrusion-detection systems (IDS), intrusion-prevention systems (IPS) and SSL VPN, but also the ability to handle a variety of application optimization duties, such as Web acceleration, server load balancing/buffering and WAN optimization.
For IT executives, the real questions are: How integrated will these functions be, and when will they offer a performance level and price that make it worth the upgrade?
"The true next-generation switches won't be coming in the next year," says Joel Conover, principal analyst for enterprise infrastructure at Current Analysis. "You might see it as a module, but it won't be part of every switch port everywhere. It's too expensive, it's too processor-intensive and it's too special-purpose."
But during the next 24 to 36 months, real changes will start to make their way onto next-generation switching platforms, he says. "At that point, you'll see a lot of the security processing, like the deep packet inspection, move right onto the line cards," he says. "You'll probably see a new generation of line cards that fit into existing switches that add a much deeper level of understanding as to what's going on in the network."
This deeper level of understanding within the device goes by a variety of names depending on the vendor - 3Com's control blade, Cisco's application-aware networking, Juniper's application fluency and Enterasys' context networking.
But what it really means is that vendors are working to make the switch better able not only to examine packets and deliver them appropriately, but also to examine whole application streams, or flows of packets, and take appropriate action on them. This capability can then be leveraged for better security or application performance, experts say.
"Switches and routers of the future will be aware of the conversation flows and not just the individual packets," says John Roese, CTO of Enterasys. "Their concern will not be just if this packet is good or bad. It's more whether this sequence of packets do not fit the overall conversation, and if there are anomalies, to be able to take corrective action on that."
These new sets of features fall into two distinct buckets: security and application optimization, both of which are handled now by a bevy of network appliances.
The problem is that appliances tend to be purchased by different groups within the organization - for example, the server group for load balancing or Web acceleration, the security group for firewalls and IDS, or the network group for VPN.
"Someone may put in a compression device for the Web servers, but what if you have a similar service running on your switch?" says Abner Germanow, program manager for enterprise networks at IDC. "Those two devices may end up in conflict with each other." This can lead to political battles that have nothing to do with technology (see "Politics sometimes trumps technology").
Appliance creep also can create management nightmares, especially in remote branch offices. "In the branch office, you start to see what a lot of people refer to as the conga line of appliances," Germanow says. "Consolidating those appliances into a switch or a smaller number of devices makes sense from a management and technology perspective."