Extreme’s S400 raises the bar for workgroup switches

Sep 06, 2004, 7 mins

Enabling gigabit to the desktop – or to lots of desktops – is the name of the game for Extreme Networks’ new Summit 400-48t, a 10G Ethernet workgroup switch.

In Network World’s exclusive test, we pushed more than 70 million packets per second through the S400. Results were generally good. The switch delivered low, consistent delay under heavy loads, and it offers a long list of features, including 802.1X authentication for security.

On the downside, the S400’s optional 10G Ethernet module is a bit pricey for a workgroup switch, although at about $4,000 per 10G Ethernet port (plus optics) it’s still competitive. Also, the S400 posted subpar numbers in some tests of jumbo frames. On balance, though, the S400 is a more-than-capable performer: In fact, it’s the fastest wiring closet switch we’ve tested.

The S400 fits in 1U and offers 48 10/100/1000M bit/sec copper ports, with an optional module for two 10G Ethernet interfaces. Features include support for major routing protocols, IPv4 multicast and up to 4,096 virtual LANs. External redundant power is also an option.

Performance tests

We conducted separate tests of the S400’s 10G Ethernet and Gigabit Ethernet handling. Because the 10G Ethernet interfaces fit in an optional module, users can buy the switch with 10/100/1000 copper interfaces and add 10G Ethernet later.

Our 10G Ethernet tests measured how quickly the S400 could move traffic between 10G Ethernet uplink ports and Gigabit Ethernet downlink (edge) ports. We configured a Spirent Communications SmartBits traffic generator/analyzer to send test frames to the S400’s uplink and downlink ports.

In a nutshell, the S400 delivered line-rate throughput in all the 10G Ethernet test cases we tried (see graphic, below). These included baseline tests at Layer 2 and Layer 3 and tests with one and two 10G Ethernet interfaces exchanging traffic with 10 and 20 edge gigabit interfaces. The S400 didn’t drop a single frame in any of these tests.

Access control lists (ACL), which can severely degrade performance on some switches, posed no problem for the S400, either. We reran the 10G Ethernet baseline tests with the maximum number of ACLs applied to every switch interface; for the S400, that is 124 ACLs per port on all 50 ports. Again, the switch delivered line-rate throughput.

Delay was also low and constant across all our 10G Ethernet tests (see graphic, below). The average delay and jitter numbers we observed are comparable to other high-performing 10G Ethernet backbone switches we’ve tested. Even the highest maximum delay number we observed – 104.4 microsec when moving jumbo frames – is nowhere near enough to have an appreciable effect on application performance.

Trying to get a Gig

The S400’s performance in gigabit-only tests, while generally good, didn’t match the flawless levels in the 10G Ethernet events.

Throughput was equivalent to 92% of line rate or better in all the tests we ran using standard Ethernet frame lengths. We observed a slight difference depending on whether we used random or non-random media access control (MAC) addresses; on production networks, random addresses are far more common. This won’t necessarily harm application performance, because few (if any) production networks have sustained utilization over 90%.

Handling jumbo frames was another story. When we offered the S400 repeated iterations of 9,000-byte frames with a random pattern of MAC addresses, throughput was zero. There was no rate at which the device would forward traffic without at least some loss. Throughput rose to the equivalent of 81% of line rate when we repeated the test using non-random MAC addresses. Again, random MAC addresses are the rule on production networks.

More seriously, the S400 dropped frames of any length after we ran repeated iterations of the jumbo tests with random addresses. Rebooting the switch cleared the problem, but left us wondering whether the beta software we tested had issues with memory management and/or MAC address hashing.

Extreme acknowledged the issue, characterizing the result as “not acceptable.” At press time, Extreme was working on a fix.

It’s important to note that these results are reproducible only in controlled lab conditions. Those conditions – repeated 60-second blasts of traffic at or near line rate on 48 ports in a fully meshed pattern – are highly unlikely to occur on production networks.

Even with the jumbo and MAC address issues we saw, delay and jitter remained remarkably low. The worst-case delay number of close to 200 microsec with jumbo frames with random MAC addresses is nowhere near high enough to have an effect on application performance.

Jitter was also remarkably low, which augurs well for VoIP and video applications. With standard-sized frames and random MAC addresses, maximum jitter was about 3 microsec – at least an order of magnitude below the point where voice or video applications would suffer.

Spanning Tree failover

We assessed the S400’s support for Layer-2 failover by setting up 802.1w rapid spanning tree on a pair of S400 switches. While offering traffic to one switch, we disconnected a primary link, forcing the switch to redirect traffic onto a secondary link. Over repeated trials, the S400 reconverged in an average of 1.091 seconds. That’s not a bad result, but it’s not near the tens-of-milliseconds numbers of other 10G Ethernet backbone switch/routers, which typically use more powerful processors.

Extreme showed off two security features in the S400: 802.1X authentication and Secure Shell (SSH) for remote access. Already widely used in wireless LANs, 802.1X authentication can enforce access through essentially any device – including wiring closet switches.

Extreme demonstrated basic port-based 802.1X authentication along with more extensive “network logon” features. With port-based authentication, the S400 granted access to any user that requested authentication on a given port (provided that user’s credentials existed on an authentication server).

For MAC-based authentication to happen, a user’s request had to originate not only from a given port, but also from a given MAC address. This safeguard prevents gaming or other cases of unauthorized access where a user might attach a hub and multiple devices to a switch port.

Summit 400-48t: overall rating

Company: Extreme Networks

Cost: Base switch with 48 10/100/1000 ports, $8,995; advanced software license, $995; two-port 10G bit Ethernet XENPAK module, $7,995; 10G XENPAK optics, $4,995 each; external power supply and rack unit, $990; system as tested, $26,980.

Pros: High port density; line-rate 10G Ethernet performance; security features.

Con: Problems handling jumbo frames.

The breakdown (category: weight, score)

10G Ethernet baseline performance (covers throughput, delay and jitter): 20%, 5

Gigabit Ethernet baseline performance (covers throughput, delay and jitter): 20%, 3

Performance with maximum ACLs (covers throughput, delay and jitter with maximum ACLs applied): 10%, 5

Rapid spanning tree performance (measures failover time using 802.1w rapid spanning tree): 10%, 3

SSH and 802.1X support: 15%, 5

Features: 25%, 5

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

The final authentication feature we tested was a captive-portal mode. Here, the switch intercepts any URL headed for a server on the internal network. If the user hasn’t yet been authenticated, the S400 performs “URL hijacking” by returning a logon screen to the user. If the user’s credentials check out, only then will the S400 return the URL the user requested. The S400 handled all authentication modes with no problems.

When it comes to secure remote access for management, the S400 is a standout. The device supports SSH Version 2 only, and not the vulnerable first version of the SSH protocol. Furthermore, enabling SSH disables unsecure access methods such as telnet or HTTP. We also checked the S400’s version of SSH against multiple databases of security vulnerabilities. SSH support on the S400 had no known vulnerabilities at press time.
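A management-plane audit can confirm the "SSH Version 2 only" property from the identification string a server sends when a client connects. The following is an added example, not code from the review or from Extreme: it parses that string as laid out in RFC 4253 and flags a protoversion of 1.99 (server also accepts SSH-1 clients) or 1.x. The banner strings and names such as `ExampleSwitch_1.0` are constructed sample data.

```python
import socket

def parse_ssh_ident(data: bytes):
    """Return (protoversion, softwareversion) from the first complete
    'SSH-' line in a server's opening bytes, or None if there is none."""
    for raw in data.split(b"\n")[:-1]:        # only newline-terminated lines
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue                          # RFC 4253 permits lines before the ident
        ident = line.decode("ascii", "replace").split(" ", 1)[0]  # drop comments
        parts = ident.split("-", 2)
        if len(parts) == 3 and parts[1] and parts[2]:
            return parts[1], parts[2]
        return None
    return None

def classify(proto: str) -> str:
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":                       # compatibility mode: SSH-1 still offered
        return "v1-and-v2"
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"

def audit_banner(data: bytes) -> dict:
    ident = parse_ssh_ident(data)
    if ident is None:
        return {"verdict": "no-ssh-ident", "ok": False}
    proto, software = ident
    verdict = classify(proto)
    return {"proto": proto, "software": software,
            "verdict": verdict, "ok": verdict == "v2-only"}

def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read opening bytes from a device you administer until an ident line arrives."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(buf) < 4096 and parse_ssh_ident(buf) is None:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
    return buf

# Constructed sample banners (not captured from any real device).
SAMPLES = {
    "v2": b"SSH-2.0-ExampleSwitch_1.0\r\n",
    "compat": b"SSH-1.99-ExampleSSH_3.2\n",
    "legacy": b"SSH-1.5-LegacyDaemon\n",
    "prebanner": b"Authorized use only\r\nSSH-2.0-ExampleSwitch_1.0 mgmt-plane\r\n",
    "telnet": b"login: ",
}
```

`audit_banner(fetch_banner(host))` applies the same check to a live switch on the management network. Only the `v2-only` verdict passes.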

Even considering the relatively minor issue of jumbo handling on gigabit links, the S400 continues Extreme’s tradition of building high-performance Ethernet switches. The switch’s high port density, rich feature set and good performance make it a strong candidate for network managers looking to add more capacity to their wiring closets.