Skip Links

Juniper switch proves to be credible choice

Review shows the EX 4200 to be fast, feature-rich and manageable

By David Newman, Network World Lab Alliance, Network World
July 14, 2008 12:10 AM ET

Page 3 of 4

Authentication support

Considering Juniper's longtime advocacy of network access control (NAC), it's not surprising that the EX 4200 did well in our authentication tests. The switch passed all six scenarios, five of which used 802.1X. These tests examined authentication into a statically defined virtual LAN; authentication of multiple clients per port; authentication into a dynamically allocated VLAN; authentication with dynamically applied access control lists (ACL); and placement into a restricted VLAN upon authentication failure.

In the ACL test the switch applied rules previously defined on the switch; this is far less cumbersome than the approach taken by some other switches, where ACLs must be entered into the RADIUS server then returned to supplicants during authentication.

The switch also passed a sixth test involving authentication by a media access control (MAC) address; this scenario represents the case where an end-station, such as a printer, lacks 802.1X supplicant software. One catch here was that the switch's CLI did not display clients currently authenticated by MAC addresses, as it did with 802.1X-authenticated clients. Juniper says it expects an August software release to remedy that.

The Juniper switch passed all access control tests with minor configuration changes needed for each scenario. In comparison, Cisco’s Catalyst 3750E required no configuration changes for any of our scenarios except for multi-auth. Then again, the Cisco switch failed the multi-auth test, authenticating only the first user and forwarding unauthenticated traffic from the second and subsequent users. Few other switches we’ve tested (Extreme’s Summit X450 and Foundry’s FastIron Edge X448 are exceptions) passed all these test cases, with or without configuration changes.

Storm control

Like other enterprise switches deployed at the edge of corporate networks, the EX 4200 offers a "storm control" feature to limit rates of potentially malicious traffic. We tested this feature using two denial-of-service (DoS) attacks, a broadcast storm and a SYN flood, and found the switch blocked broadcasts but forwarded SYNs.

For both tests, we configured a Mu Dynamics Mu-4000 security analyzer to generate DoS attacks at 100,000 frames per second, and then configured the Juniper switch to restrict such traffic to 1% of line rate, or around 1,500 frames per second. Using Spirent TestCenter's real-time rate counters, we verified that the Juniper switch did rate-limit broadcast traffic.

However, the switch didn't control the rate of Mu's SYN flood attack. Juniper says the current JUNOS release imposes rate controls only on broadcast and unknown unicast traffic (that is, traffic with no existing entry in the switch's MAC address table). That makes storm control useful in thwarting "bot" attacks against random, unknown destinations. It's not useful in stopping an attacker targeting specific servers.

Manageability and usability

Assessing switch manageability is a two-part affair, with objective and subjective components. The objective part is easy, because it's based on empirical observations: We verified the EX 4200 supports management over IPv4 networks via SNMP, telnet, Secure Shell, Web, SSL and syslog. Commendably, none of these methods are enabled by default, and each (along with an FTP server) can be individually toggled on and off.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News