Enabling gigabit to the desktop - or to lots of desktops - is the name of the game for Extreme Networks' new Summit 400-48t, a 10G Ethernet workgroup switch.

In Network World's exclusive test, we pushed more than 70 million packets per second through the S400. Results were generally good. The switch delivered low, consistent delay under heavy loads, and it offers a long list of features, including 802.1X authentication for security.

On the downside, the S400's optional 10G Ethernet module is a bit pricey for a workgroup switch, although at about $4,000 per 10G Ethernet port (plus optics) it's still competitive. Also, the S400 posted subpar numbers in some tests of jumbo frames. On balance, though, the S400 is a more-than-capable performer: In fact, it's the fastest wiring closet switch we've tested.

The S400 fits in 1U and offers 48 10/100/1000M bit/sec copper ports, with an optional module for two 10G Ethernet interfaces. Features include support for major routing protocols, IPv4 multicast and up to 4,096 virtual LANs. External redundant power is also an option.

Performance tests

We conducted separate tests of the S400's 10G Ethernet and Gigabit Ethernet handling. Because the 10G Ethernet interfaces fit in an optional module, users can buy the switch with 10/100/1000 copper interfaces and add 10G Ethernet later.

Our 10G Ethernet tests measured how quickly the S400 could move traffic between 10G Ethernet uplink ports and Gigabit Ethernet downlink (edge) ports.
We configured a Spirent Communications SmartBits traffic generator/analyzer to send test frames to the S400's uplink and downlink ports.

In a nutshell, the S400 delivered line-rate throughput in all the 10G Ethernet test cases we tried (see graphic, below). These included baseline tests at Layer 2 and Layer 3 and tests with one and two 10G Ethernet interfaces exchanging traffic with 10 and 20 edge gigabit interfaces. The S400 didn't drop a single frame in any of these tests.

Access control lists (ACL), which can severely degrade performance on some switches, posed no problem for the S400, either. We reran the 10G Ethernet baseline tests with the maximum number of ACLs applied to every switch interface; for the S400, that is 124 ACLs per port on all 50 ports. Again, the switch delivered line-rate throughput.

Delay was also low and constant across all our 10G Ethernet tests (see graphic, below). The average delay and jitter numbers we observed are comparable to other high-performing 10G Ethernet backbone switches we've tested. Even the highest maximum delay number we observed - 104.4 microsec when moving jumbo frames - is nowhere near enough to have an appreciable effect on application performance.

Trying to get a Gig

The S400's performance in gigabit-only tests, while generally good, didn't match the flawless levels in the 10G Ethernet events.

Throughput was equivalent to 92% of line rate or better in all the tests we ran using standard Ethernet frame lengths. We observed a slight difference depending on whether we used random or non-random media access control (MAC) addresses; on production networks, random addresses are far more common. This won't necessarily harm application performance, because few (if any) production networks have sustained utilization over 90%.

Handling jumbo frames was another story. When we offered the S400 repeated iterations of 9,000-byte frames with a random pattern of MAC addresses, throughput was zero.
There was no rate at which the device would forward traffic without at least some loss. Throughput rose to the equivalent of 81% of line rate when we repeated the test using non-random MAC addresses. Again, random MAC addresses are the rule on production networks.

More seriously, the S400 dropped frames of any length after we ran repeated iterations of the jumbo tests with random addresses. Rebooting the switch cleared the problem, but left us wondering whether the beta software we tested had issues with memory management and/or MAC address hashing.

Extreme acknowledged the issue, characterizing the result as "not acceptable." At press time, Extreme was working on a fix.

It's important to note that these results are reproducible only in controlled lab conditions. Those conditions - repeated 60-second blasts of traffic at or near line rate on 48 ports in a fully meshed pattern - are highly unlikely to occur on production networks.

Even with the jumbo and MAC address issues we saw, delay and jitter remained remarkably low. The worst-case delay number of close to 200 microsec with jumbo frames with random MAC addresses is nowhere near high enough to have an effect on application performance.

Jitter was also remarkably low, which augurs well for VoIP and video applications. With standard-sized frames and random MAC addresses, maximum jitter was about 3 microsec - at least an order of magnitude below the point where voice or video applications would suffer.

Spanning Tree failover

We assessed the S400's support for Layer-2 failover by setting up 802.1w rapid spanning tree on a pair of S400 switches. While offering traffic to one switch, we disconnected a primary link, forcing the switch to redirect traffic onto a secondary link. Over repeated trials, the S400 reconverged in an average of 1.091 seconds.
That's not a bad result, but it's not near the tens-of-milliseconds numbers posted by other 10G Ethernet backbone switch/routers, which typically use more powerful processors.

Extreme showed off two security features in the S400: 802.1X authentication and Secure Shell (SSH) for remote access. Already widely used in wireless LANs, 802.1X authentication can enforce access through essentially any device - including wiring closet switches.

Extreme demonstrated basic port-based 802.1X authentication along with more extensive "network logon" features. With port-based authentication, the S400 granted access to any user that requested authentication on a given port (provided that user's credentials existed on an authentication server).

For MAC-based authentication to happen, a user's request had to originate not only from a given port, but also from a given MAC address. This safeguard prevents gaming or other cases of unauthorized access where a user might attach a hub and multiple devices to a switch port.

Summit 400-48t

OVERALL RATING: 4.4

Company: Extreme Networks
Cost: Base switch with 48 10/100/1000 ports, $8,995; advanced software license, $995; two-port 10G bit Ethernet XENPAK module, $7,995; 10G XENPAK optics, $4,995 each; external power supply and rack unit, $990; system as tested, $26,980.
Pros: High port density; line-rate 10G Ethernet performance; security features.
Con: Problems handling jumbo frames.

The breakdown

10G Ethernet baseline performance (covers throughput, delay and jitter): weight 20%, score 5
Gigabit Ethernet baseline performance (covers throughput, delay and jitter): weight 20%, score 3
Performance with maximum ACLs (covers throughput, delay and jitter with maximum ACLs applied): weight 10%, score 5
Rapid spanning tree performance (measures failover time using 802.1w rapid spanning tree): weight 10%, score 3
SSH and 802.1X support: weight 15%, score 5
Features: weight 25%, score 5
TOTAL SCORE: 4.4

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

The final authentication feature we tested was a captive-portal mode. Here, the switch intercepts any URL headed for a server on the internal network. If the user hasn't yet been authenticated, the S400 performs "URL hijacking" by returning a logon screen to the user. If the user's credentials check out, only then will the S400 return the URL the user requested. The S400 handled all authentication modes with no problems.

When it comes to secure remote access for management, the S400 is a standout. The device supports SSH Version 2 only, and not the vulnerable first version of the SSH protocol. Furthermore, enabling SSH disables unsecure access methods such as telnet or HTTP. We also checked the S400's version of SSH against multiple databases of security vulnerabilities. SSH support on the S400 had no known vulnerabilities at press time.

Even considering the relatively minor issue of jumbo handling on gigabit links, the S400 continues Extreme's tradition of building high-performance Ethernet switches. The switch's high port density, rich feature set and good performance make it a strong candidate for network managers looking to add more capacity to their wiring closets.
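
The review reports that the S400 supports SSH Version 2 only. One way to check that claim on a deployed device is to read the identification string the SSH server sends first (RFC 4253, sections 4.2 and 5.1) and classify the protocol version it advertises; the following is an added example, not part of the original review or of Extreme's software, and the device names and banner strings in it are constructed.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")

def parse_ident(raw: bytes):
    """Return (protoversion, softwareversion) from the bytes a server sends first.

    A server may send free-text lines before its identification string; only
    the first line starting with "SSH-" counts (RFC 4253 section 4.2).
    """
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        if len(line) + 2 > 255:  # limit includes the CR LF terminator
            raise ValueError("identification string exceeds 255 bytes")
        m = _IDENT.match(line)
        if not m:
            raise ValueError("malformed identification string")
        return m.group(1).decode("ascii"), m.group(2).decode("ascii")
    raise ValueError("no SSH identification string found")

def classify(raw: bytes) -> str:
    """Map the advertised protocol version to an audit verdict."""
    proto, _software = parse_ident(raw)
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        # RFC 4253 section 5.1: 1.99 means the server also accepts SSH-1 clients.
        return "v1-fallback"
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"

# Constructed sample banners (not captured from an S400 or any real device).
SAMPLES = {
    "switch-a": b"SSH-2.0-ExampleSSHD_1.0\r\n",
    "switch-b": b"Authorized use only\r\nSSH-1.99-ExampleSSHD_1.0 legacy\r\n",
    "switch-c": b"SSH-1.5-ExampleSSHD_0.9\n",
}

def audit(samples):
    """Return the devices whose banner advertises anything other than v2 only."""
    return sorted(name for name, raw in samples.items() if classify(raw) != "v2-only")

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
    print("needs attention:", audit(SAMPLES))
```

The banner shows only what the server advertises, so a "v2-only" result should still be confirmed against the device's configuration.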