
Architecting Next-Generation Networks

Produced Exclusively for Broadcom by

Table of Contents
Chapter 1: Introduction ....................................................................................................................1
Why Your Network Isn't Good Enough..........................................................................................1
The Changes Add Up...........................................................................................................2
The Internet..............................................................................................................2
Voice and Video ......................................................................................................4
B2B E-Commerce....................................................................................................6
More and More Users ..............................................................................................7
A Device in Every Pocket........................................................................................9
The Problems Pile On ..........................................................................................................9
Network Efficiency................................................................................................10
Management and Design........................................................................................11
Security ..................................................................................................................11
The Evolving Network...................................................................................................................12
Bigger, Better, Faster, More ..............................................................................................13
Open Standards, Open Protocols .......................................................................................14
Designed for Mobility and Connectivity ...........................................................................14
Embedded Security ............................................................................................................15
Next-Generation Networking.........................................................................................................15
GbE ....................................................................................................................................16
Wireless..............................................................................................................................16
Switches .............................................................................................................................16
Servers................................................................................................................................17
Security ..............................................................................................................................17
Getting Ready ................................................................................................................................17
Education ...........................................................................................................................17
Future-Proofing Your Network..........................................................................................18
Summary ........................................................................................................................................18
Chapter 2: Gigabit Ethernet Migration ..........................................................................................19
GbE Technology Primer ................................................................................................................20
Switches .............................................................................................................................20
Aggregation........................................................................................................................21
Duplex................................................................................................................................21
GbE Products .................................................................................................................................22

GbE Deployment Strategy .............................................................................................................24
GbE Emerging Technologies.........................................................................................................30
TOE....................................................................................................................................30
RDMA................................................................................................................................31
iSCSI ..................................................................................................................................32
iSCSI Extensions for RDMA.............................................................................................34
Looking Ahead...............................................................................................................................35
Summary ........................................................................................................................................35
Chapter 3: Extending Enterprise Networks with Wi-Fi ...............................................................36
A Brief History of Wireless Networking .......................................................................................37
802.11 Legacy....................................................................................................................37
802.11b...............................................................................................................................37
802.11a...............................................................................................................................38
802.11g...............................................................................................................................38
802.11 Everything Else......................................................................................................39
How Wireless Networking Works .................................................................................................40
Basic Operations ................................................................................................................40
802.11 Legacy Specifics ....................................................................................................42
802.11b Specifics...............................................................................................................42
802.11a Specifics ...............................................................................................................43
802.11g Specifics...............................................................................................................43
Broadcom Xpress Frame Bursting Technology.................................................................43
Radios Matter.....................................................................................................................45
Mixed 802.11b and 802.11g Environments.......................................................................46
Building Wireless LANs................................................................................................................47
The Wired Connection.......................................................................................................47
802.11b Architecture..........................................................................................................48
802.11a and 802.11g Architecture .....................................................................................48
Wireless Security Concepts ...........................................................................................................49
WEP ...................................................................................................................................49
802.11i ...............................................................................................................................50
WPA...................................................................................................................................50
AES ....................................................................................................................................50


802.1X................................................................................................................................50
Putting It All Together .......................................................................................................51
The Wired Weak Point.......................................................................................................52
Architecting Secure, Next-Generation Wireless LANs .................................................................52
Prerequisites.......................................................................................................................52
Client Software Support.....................................................................................................52
Hardware Support ..............................................................................................................53
Management and Maintenance Concerns ..........................................................................53
Summary ........................................................................................................................................54
Chapter 4: Switching Intelligence in the Enterprise ......................................................................55
What Is a Switch? ..........................................................................................................................56
Intelligent Switching......................................................................................................................57
Key Functionality of Intelligent Switches .........................................................................59
Quality of Service ..................................................................................................59
Security ..................................................................................................................60
Management...........................................................................................................60
Scalability ..............................................................................................................61
VoIP ...................................................................................................................................61
Video..................................................................................................................................62
Wireless LAN Switching ...................................................................................................62
ROI/Convergence ..................................................................................................65
Implementing Intelligent Switching ..............................................................................................65
Summary ........................................................................................................................................70
Chapter 5: Server Migration and Optimization: Maximizing ROI for Existing Assets and Future Growth ......................71
Server Technologies.......................................................................................................................71
File and Print Servers.........................................................................................................71
Database Servers................................................................................................................71
Application Servers............................................................................................................72
Email Servers .....................................................................................................................72
Storage Servers ..................................................................................................................72
Web Servers .......................................................................................................................72
Blade Servers .....................................................................................................................74
Defining the Cutting Edge..........................................................................................................74

Understanding Performance-Oriented Technologies.........................................................76
Core I/O Components ........................................................................................................76
North Bridge ..........................................................................................................76
South Bridge ..........................................................................................................76
Storage ...............................................................................................................................77
IDE/ATA................................................................................................................77
SATA .....................................................................................................................78
SCSI .......................................................................................................................78
Serial Attached SCSI .............................................................................................78
RAID..................................................................................................................................79
GbE ....................................................................................................................................80
TOE........................................................................................................................80
RDMA....................................................................................................................80
iSCSI ......................................................................................................................81
Technology Integration......................................................................................................81
Technology Convergence ..............................................................................................................82
Converged Network Interface Cards .............................................................................................83
Scalable and Configurable I/O.......................................................................................................84
Interconnects ......................................................................................................................84
HyperTransport ......................................................................................................84
PCI-X .................................................................................................................................85
PCI-Express .......................................................................................................................85
CPU Support ......................................................................................................................85
IA-32 ......................................................................................................................86
AMD Opteron ........................................................................................................86
AMD Athlon 64 and Athlon 64-FX.......................................................................88
EM64T ...............................................................................................................................88
Summary ........................................................................................................................................89
Chapter 6: End-to-End Security: How to Secure Today's Enterprise Network ............................91
Securing from the Outside In.........................................................................................................92
Software or Hardware Security?....................................................................................................94
Identity Management: Identifying Who and What is on the Network...........................................96
Managing the Proliferation of Client Devices ...................................................................98


Secure Devices...................................................................................................................99
Who You Are vs. Who You Say You Are.......................................................................100
Minimizing Performance Impact .....................................................................................101
Securing VoIP Applications ............................................................................................102
Securing Wireless Networks and Applications................................................................106
Enabling Convergence and the Four-Function Box.........................................................108
Summary ......................................................................................................................................109

Chapter 1

Chapter 1: Introduction
It's a term you're starting to hear more and more: next-generation networks. Depending on how long you've been in the industry, you might have heard it in the past, too: the move from coaxial 10Base-T and 2Base-T networks to modern 10Base-T twisted-pair networks (as well as Token Ring networks) was a major leap forward. As corporate networks began to roll out larger and larger Ethernet LANs, user productivity increased. Users had easier access to files, printers, and other resources; networks were easier to manage and troubleshoot; and connections, based on easier-to-wire CAT3 and CAT5 cabling, were more reliable. Another generation of networks was created when Ethernet switches hit the market, making networks faster and more efficient.
What came before, however, is no match for what's ahead. Forget about simple speed increases, lower latency, and a new type of infrastructure device. This time, next-generation network means a tenfold or better increase in network throughput. It also means an entirely new range of connectivity options, including wireless disconnected connectivity. Next generation means intelligent devices capable of improving network performance and reliability. Finally, it means security built right into the infrastructure, for the first time ever. It's an exciting time to be a networking professional, provided you're ready.

Why Your Network Isn't Good Enough


Simply put, today's networks are barely sufficient for what companies are asking of them, and they are completely inadequate for the demands of the future. Think about it: many companies are running 100Base-T networks at best, perhaps with 11Mbps wireless connectivity for some users. These are more or less the same networks they've been running for half a decade or more, and yet the number of additional demands placed on the network since then is truly staggering.
To appreciate the improvements provided by the next generation of networks, you need a firm grasp of how current networks and technologies developed to the present. In the following sections, we'll explore the Internet, voice and video technologies, business-to-business (B2B) e-commerce, handheld devices, and more. This background will show why the latest technologies are needed and how they address current networking concerns. We will then build on this foundation in the rest of the book:

- Chapter 2: The important elements of next-generation networks, specifically Gigabit Ethernet (GbE)
- Chapter 3: Strategies for wireless deployment and security
- Chapter 4: The importance of switching intelligence in the infrastructure
- Chapter 5: Server migration and optimization, paying special attention to return on investment (ROI)
- Chapter 6: How to secure your next-generation network


The Changes Add Up


Five years ago, the Internet was still just beginning to take off as a major vehicle for commercial communications and interaction. Nobody had a camera connected to a computer, very few people had anything like a handheld personal digital assistant (PDA), cellular phones did not have digital cameras and built-in General Packet Radio Service (GPRS) transmitters, and many companies still had users who didn't have email. In 5 short years, everything has changed.
The Internet
Today's users double the amount of data they work with every 18 months. Much of that data comes from the Internet. To date, companies have dealt primarily with maximizing the efficiency of their relatively low-bandwidth wide area network (WAN) connections; with the average company connecting to the Internet via a T1 line, even an old 10Base-T local area network (LAN) offers almost seven times the speed of a WAN connection. Companies have addressed the WAN bottleneck primarily by using both firewalls and proxy servers (see Figure 1.1) and by increasing pipe capacity through T3, OC3, OC12, and higher-speed connections.

Figure 1.1: Maximizing Internet efficiency with proxies and firewalls.

Proxy servers increase efficiency by aggregating multiple client connections. The proxy server retrieves content from the Internet, then saves it for future internal requests rather than retrieving the same content over and over. Some proxies and firewalls can improve efficiency further by eliminating wasteful traffic, such as Web surfing to game sites and other non-work-related sites.
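To make the two proxy functions just described concrete (caching content for repeat internal requests, and refusing traffic to non-work sites), here is an added Python model written for this edition; it is not code from the book or from Broadcom. The origin content, host names, deny list and TTL are constructed for the example, and `CachingProxy` and `simulate` are hypothetical names. Counting origin fetches against client requests shows how much of the WAN load the proxy absorbs.

```python
"""Added example: a caching, policy-enforcing proxy in miniature.

Clients ask the proxy for URLs.  The proxy goes to the origin (the WAN
round trip) only on a cache miss or when the cached copy is older than
the TTL, and it refuses URLs whose host is on the deny list.  The stats
counters show how many requests actually crossed the WAN.
Origin content, host names and policy below are constructed.
"""
import time
from urllib.parse import urlsplit


class CachingProxy:
    def __init__(self, origin_fetch, denied_suffixes=(), ttl=300.0, clock=time.monotonic):
        self.origin_fetch = origin_fetch      # callable(url) -> bytes: the WAN fetch
        self.denied = tuple(s.lower() for s in denied_suffixes)
        self.ttl = ttl                        # seconds a cached copy is considered fresh
        self.clock = clock                    # injectable so tests can advance time
        self.cache = {}                       # url -> (fetched_at, body)
        self.stats = {"requests": 0, "hits": 0, "origin_fetches": 0, "blocked": 0}

    def _blocked(self, url):
        """Policy check: deny a host that equals or is a subdomain of a denied suffix."""
        host = (urlsplit(url).hostname or "").lower()
        return any(host == s or host.endswith("." + s) for s in self.denied)

    def get(self, url):
        """Return the body for url, or None when policy blocks the request."""
        self.stats["requests"] += 1
        if self._blocked(url):
            self.stats["blocked"] += 1
            return None
        now = self.clock()
        entry = self.cache.get(url)
        if entry is not None and now - entry[0] < self.ttl:
            self.stats["hits"] += 1            # served from cache: no WAN traffic
            return entry[1]
        body = self.origin_fetch(url)          # miss or stale: one WAN round trip
        self.stats["origin_fetches"] += 1
        self.cache[url] = (now, body)
        return body


# Constructed origin: what a real fetch over the WAN would return.
ORIGIN = {
    "http://vendor.example/catalog.pdf": b"<catalog>",
    "http://vendor.example/prices.csv": b"sku,price",
    "http://games.example/play": b"<game>",
}


def simulate(num_clients=20, ttl=300.0):
    """num_clients each request the catalog and a game site; then the TTL expires."""
    now = [0.0]                                # fake clock so the run is deterministic
    proxy = CachingProxy(lambda u: ORIGIN[u], denied_suffixes=["games.example"],
                         ttl=ttl, clock=lambda: now[0])
    for _ in range(num_clients):
        proxy.get("http://vendor.example/catalog.pdf")   # first is a miss, rest are hits
        proxy.get("http://games.example/play")           # blocked by policy every time
    now[0] = ttl + 1                            # cached catalog is now stale
    proxy.get("http://vendor.example/catalog.pdf")       # triggers one more origin fetch
    return dict(proxy.stats)


if __name__ == "__main__":
    print(simulate(20))
```

The number that matters operationally is `origin_fetches` relative to `requests`: twenty clients pulling the same catalog cost one WAN transfer until the copy went stale. A production proxy would also honour the origin's `Cache-Control` and validation headers instead of a flat TTL, which this model deliberately leaves out.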
This focus on the WAN pipe, however, has left the LAN, which is where bottlenecks are starting
to appear, largely ignored. Users are working with a lot of data, and much of that data now
originates on the LAN in the form of enormous data warehouses, databases, files, and more.
Networks are becoming hard-pressed to transport all of that data.
Think about the average size of a Word, Excel, or PowerPoint document that contains pictures and graphics. File sizes continue to increase in most applications from version to version as users take advantage of new features to create richer documents. Even the default image file from a 5-megapixel digital camera is more than 3MB. The network, which isn't gaining speed as quickly as the files gain size, still has to move all the bits from the file server to client computers and back again.
Productivity is also affecting the network. Despite recent corporate restructuring and downsizing, most companies in the United States increased their overall output. How? Everyone is doing more with less. Each worker has become more productive, and they didn't get there by dealing with less data; the corporate network bears the brunt of this increased productivity. Unfortunately, overburdened networks are easy to ignore. Users may complain that things are slow in the mornings, but they gradually come to accept the status quo, and the network remains a hidden efficiency problem.
Even worse for current network bandwidth is the trend towards collaborative computing.
Products, such as Microsoft SharePoint Portal Server, which are designed to allow real-time
collaborative computing between network users, cause not only an increased load on the network
infrastructure but also highlight any latency problems, which become immediately noticeable
and annoying to users.
Network bandwidth hogs can be many and varied, including:

- Storage and backups: larger drives mean more to back up
- Educational training and videoconferencing: video being accessed by a large number of users
- Collaborative applications
- CRM tools
- Help desk software
- Richer content (voice, video, mp3)

Now consider the massive increase in data throughput that companies will see in the next 18
months to 3 years. Networks simply must become faster, more efficient, and much more
intelligent in order to keep up. Raw speed is part of the answer, but more efficient and intelligent
use of that speed is also an important component. Next-generation networks will provide this
speed and intelligence.

Such networks are not a distant phenomenon; they are a current reality. For example, if you are building a network starting with a clean slate, you can use GbE to ensure that your network infrastructure is ready to benefit from emerging technologies. For existing networks, the migration to GbE means reduced wire time, less buffer congestion, and relieved flow control mechanisms, all of which add up to a better user experience and a less harried IT staff. We'll explore GbE in detail in Chapter 2.

Voice and Video


As companies seek to reduce travel expenses and improve employee productivity, network-based
voice and videoconferencing have become more popular. Many companies are saving tens of
thousands of dollars a year by piggybacking voice communications onto their data networks.
Voice over IP (VoIP) is a popular suite of technologies that provides high-quality voice
transmission over IP networks.
Unfortunately, voice and video, in particular, are harsh on the corporate network. Few networks are engineered to carry a normal share of data as well as decent streaming video. Network engineers and videoconferencing designers have been forced to make a number of concessions and compromises to make videoconferencing feasible. One primary technology is multicasting, which lets a conferencing server send a single transmission for a video signal. Clients subscribe to the multicast's IP address and pick up the traffic sent to that address off the network. This technique is much more efficient than unicasting, in which the server must transmit an individual video feed to each client. With multicasting, multiple clients can receive the same transmission, conserving bandwidth. Even multicasting isn't always enough to make videoconferencing possible, however; some networks are so overburdened that the video traffic must be limited to a portion of the network. Figure 1.2 shows how routers can be programmed with multicast boundaries, creating a multicast domain that contains the videoconference traffic. Outside the multicast domain, users cannot subscribe to the feed.


Figure 1.2: Creating a multicast domain with router multicast boundaries.
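The multicast domain of Figure 1.2 can be reasoned about before touching a router. The following Python is an added example for this edition (not the book's or Broadcom's code) that models routers as a graph, attaches a boundary (a list of group prefixes that are not forwarded) to individual links, and floods a group from the conferencing server's router to find which routers, and so which users, can subscribe. The topology and group addresses are constructed; the only standards facts used are that 224.0.0.0/24 is the link-local control block that routers never forward and that 239.0.0.0/8 is the administratively scoped range (RFC 2365). `scope_of`, `link_forwards` and `multicast_domain` are hypothetical names.

```python
"""Added example: modelling router multicast boundaries.

Routers are nodes in an undirected graph.  A boundary belongs to a directed
link (router -> neighbour) and lists the group prefixes that router refuses
to forward onto that link.  Flooding a group from the source's router gives
the multicast domain: every router whose attached clients could subscribe.
Topology and addresses below are constructed for the example.
"""
from collections import deque
from ipaddress import IPv4Address, IPv4Network

MULTICAST = IPv4Network("224.0.0.0/4")
LINK_LOCAL = IPv4Network("224.0.0.0/24")     # local network control block, never routed
ADMIN_SCOPED = IPv4Network("239.0.0.0/8")    # administratively scoped groups (RFC 2365)


def scope_of(group):
    """Classify a multicast group address by its scope."""
    g = IPv4Address(group)
    if g not in MULTICAST:
        raise ValueError(f"{group} is not a multicast address")
    if g in LINK_LOCAL:
        return "link-local"
    if g in ADMIN_SCOPED:
        return "admin-scoped"
    return "global"


def link_forwards(boundaries, router, neighbour, group):
    """True if `router` will forward `group` onto its link toward `neighbour`."""
    g = IPv4Address(group)
    if g in LINK_LOCAL:                       # never crosses a router at all
        return False
    for prefix in boundaries.get((router, neighbour), ()):
        if g in IPv4Network(prefix):          # blocked by a configured boundary
            return False
    return True


def multicast_domain(links, boundaries, source_router, group):
    """Set of routers a feed for `group` injected at `source_router` can reach."""
    adjacency = {}
    for a, b in links:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    reached = {source_router}
    queue = deque([source_router])
    while queue:                              # breadth-first flood along permitted links
        router = queue.popleft()
        for neighbour in adjacency.get(router, ()):
            if neighbour not in reached and link_forwards(boundaries, router, neighbour, group):
                reached.add(neighbour)
                queue.append(neighbour)
    return reached


# Constructed topology: R1 - R2 - R3 - R4, conferencing server on R1's segment.
# The boundary is applied in both directions on the R2/R3 link, so R1 and R2
# form the multicast domain for admin-scoped (239.x) groups.
LINKS = [("R1", "R2"), ("R2", "R3"), ("R3", "R4")]
BOUNDARIES = {("R2", "R3"): ["239.0.0.0/8"], ("R3", "R2"): ["239.0.0.0/8"]}

if __name__ == "__main__":
    for grp in ("239.1.1.1", "224.0.0.251", "233.1.1.1"):
        domain = multicast_domain(LINKS, BOUNDARIES, "R1", grp)
        print(f"{grp:12} {scope_of(grp):13} reaches {sorted(domain)}")
```

Two points the model makes visible: a boundary only contains the feed if it is applied on every link leaving the domain (remove the `("R3", "R2")` entry and a feed sourced behind R3 still leaks into R2), and a boundary written only for 239.0.0.0/8 does nothing for a conference that was mistakenly addressed from the global range, which is why scoped addressing and boundary placement have to be planned together.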

In the world of networking, the inability of a network to handle its traffic load (particularly when the applications generating that traffic provide monetary savings and increases in productivity to the organization) is an unforgivable offense. Multicasting is an excellent technology that was designed to increase the efficiency of a network, but networks that can't even carry a share of multicast traffic across the entire corporation are clearly not engineered to serve the business's best interests. Next-generation networks need to offer the ability to extend cost-saving, productivity-boosting technologies to every corner of the corporate LAN. They will do so by providing additional raw bandwidth, more efficient routing of traffic, and better management of specialized traffic.

B2B E-Commerce
Networks built 5 years ago carried almost no B2B traffic. Such systems basically didn't exist; the closest systems to displaying B2B characteristics were the value-added networks (VANs) provided for electronic document interchange (EDI) customers, sort of a private equivalent of the Internet.
Today, there are few companies that don't run some form of B2B application on their networks, even if it is as simple as ordering office supplies from a Web site. Many companies rely heavily on B2B communications, placing an even greater burden on the corporate network. There is no denying the ways that B2B improves efficiency: inventory systems can place orders with vendors automatically, and entire classes of retailers now exist that don't even carry an inventory; they simply take orders from customers, pass those orders on to distributors through B2B systems, and process payments on both sides. Many companies utilize e-procurement systems for internal procurement of everything from office supplies to contractors.
The infrastructure required to support these B2B efforts is significant. Figure 1.3 shows a typical
B2B infrastructure, including multiple firewalls, application servers, B2B processing platforms,
database servers, internal and external clients, Web servers, and more.

Figure 1.3: A typical B2B infrastructure.

What effect does this burden have on the network? Imagine that the population of the United States increased by a factor of ten over 2 or 3 years; how would the postal service feel the effect of this increase? It would look like a Los Angeles freeway at rush hour, which is pretty much how many corporate networks look these days. In addition, B2B functions aren't limited to server-to-server or external B2B connections. Internal clients will be using automated ordering, data entry, catalog management, and all sorts of high-bandwidth applications that deliver results to external clients or vendors but generate a great deal of activity between LAN clients and servers.
Next-generation networks need additional speed, intelligence, and security to segment and manage the traffic for these important B2B functions and to provide them with additional bandwidth.
More and More Users
The rapid pace of business growth also has an effect on networks. Obviously, networks must grow to support the business, but rapid change often means unplanned growth that lacks any cohesive, logical design. For example, consider the simple network that Figure 1.4 shows, which looks a lot like most networks that are just starting out. The network was over-engineered for the number of users it needed to support, providing plenty of room for growth (notice the router used to connect two segments, each containing a small number of users), or so it probably seemed at the time.

Figure 1.4: A typical network in the beginning.

As the business grows, users are added until the network can't support any more. Then the emergency growth patterns begin, with new segments added here and there, segments cascaded from one to the other, and so forth. Before long, the network is out of control, and the business is so busy growing that nobody has the time to redesign it. Figure 1.5 shows how a network's growth can be like that of a cancer cell: uncontrolled and ultimately detrimental to the host. Routers connect segments in a complex chain rather than through any logical topology. Segments are now more crowded with users and other devices, reflecting the network's rapid growth. Segments containing servers are at least dedicated to that task, but they are haphazardly spread across the architecture rather than being centrally accessible to all segments containing client computers. In short, it is a mess.


Figure 1.5: Uncontrolled growth is common in today's corporate networks.

Although this type of network design might not create huge performance issues, it definitely
creates management issues. Problems, when they occur, are more difficult to troubleshoot.
Managing change and finding bottlenecks is next to impossible. In short, the network works fine,
but it is harder and harder to rein in. Next-generation networks must allow for easily controlled
growth, making it so easy to expand the network in any direction that administrators don't need
to think about it. In addition, such networks must ensure that manageability and security remain
tight.
A Device in Every Pocket
We're used to thinking about networks in terms of users: How many users per segment? How
many users on the LAN? How many videoconferencing users? But today's users are acquiring a
staggering array of wired and wireless devices, meaning each user can easily represent three or
four actual devices, as Figure 1.6 illustrates.

Figure 1.6: Users are beginning to represent multiple devices apiece.

Each device requires bandwidth, has security implications, and has network addresses. Multiply
the number of users in your environment by even a conservative number like 1.5 devices, and
you'll see that it is no wonder that networks are beginning to show a little strain. Next-generation
networks must provide the raw bandwidth for these additional devices. They also need to support
open protocols for management and security, allowing this vast range of devices to participate in
the network in a secure, controllable fashion.
The Problems Pile On
All of these factors (the Internet, increased data processing, new voice and video services, B2B
e-commerce, rapid growth, and a diversity of devices) tend to result in three problem areas:
efficiency, management, and security.
Network Efficiency
Network engineers often speak of network utilization in percentages: "Our network runs at 70
percent utilization." What many don't realize, and even more don't discuss, is that networks
can't achieve 100 percent efficiency. Ethernet networks, in particular, become less efficient the
more traffic they carry, primarily as a result of the shared-medium, collision-detection nature of
Ethernet.
To set up our discussion in later chapters, we'll quickly review switches to ensure a baseline
vocabulary. Switches are the primary methodology used to improve network efficiency. They
create an individual physical segment with each switch port while allowing IP addressing to
remain the same, in effect creating a virtual subnet that spans many physical segments. As
Figure 1.7 illustrates, switches can permit multiple simultaneous conversations because they
separate the actual traffic.

Figure 1.7: Switches make networks more efficient.

However, even switches have their limits. Switches can become saturated, at which point they
simply can't carry any more traffic. Bargain-basement switches are the most likely to become
saturated (even before they are carrying all the traffic that they should be able to handle),
creating an instant bottleneck in your network.
Next-generation networks will help solve this problem by providing faster raw bandwidth, which
will require a more robust switching fabric. If computers can transmit the information they have
and then get off the line, another computer will be able to transmit much sooner. Next-generation
switches will operate at higher speeds and will be able to handle the full load of traffic that the
network can generate.
We'll discuss these concepts, including switching fabric, in detail in Chapter 4.

Management and Design
As networks have become more complex to suit business needs, they have also become more
difficult to manage. The sheer variety of devices (routers, switches, hubs, gateways, firewalls,
proxies, servers, desktop and notebook computers, and other network-attached devices such as
printers) has, in many cases, become a management nightmare. Pile on the complexity of
application-specific management (managing VoIP, videoconferencing protocols and gateways,
and so forth) and it is a wonder that administrators don't simply quit in frustration.
The next generation of networks needs to offer more intelligence and self-management
capabilities. Switches must be able to talk to one another more effectively, allowing groups of
devices to be managed as a single unit. Devices need to take more responsibility for handling
today's special-purpose traffic, such as VoIP, videoconferencing, and next-generation
applications including TCP/IP Offload Engine (TOE), Internet Small Computer System Interface
(iSCSI), and Remote Direct Memory Access (RDMA).
We'll discuss each of these emerging technologies in detail in Chapter 2.

The next generation of networks must also build on the intelligence in today's networks,
particularly in regard to tolerating rapid growth. Networks must readily adapt to changing
business conditions without requiring complex redesigns. For next-generation network
topologies to succeed, there will need to be even more intelligence and performance built into
the switches that control the flow of traffic on the network. The combination of better software
and more advanced hardware is the key to making these critical network infrastructure
components a success.
Security
A little more than 2 years ago, network security was something a few industry gurus preached,
but nobody seriously practiced. Security was an add-on, something you implemented if you had
some free time. And who has ever had free time? Today, security is an overriding concern in
every field of information technology (IT) and communications. It is no longer sufficient to add
security to a network by adding a monitoring tool or antivirus software; security has to be built
in starting at the physical network level.
Today's networks offer only a modicum of built-in security. For example, on wireless networks,
the Wired Equivalent Privacy (WEP) standard provides little more than a veneer of security due
to the ease with which the wireless network traffic can be probed and the availability of tools to
crack the simplified encryption scheme used. In addition, wired networks are limited to
transport-level encryption protocols such as IP Security (IPSec) to provide security. Practically
no physical security exists, making it easy for intruders to simply plug in to a spare LAN jack
anywhere in an office to begin sniffing traffic from the network. Even when the network
hardware supports the ability to route traffic only to an approved list of MAC addresses (thereby
preventing a random LAN jack from allowing access to your entire network enterprise), few
network administrators take the steps necessary to implement this degree of security.

Next-generation networks will include security in every aspect of their design. Already, network
adapters with built-in IPSec capabilities are enabling all-encrypted networks that are transparent
to the client and server operating system (OS). These adapters use high-speed onboard
processors to reduce or eliminate additional overhead on the computer's CPU. Support for the
802.1x protocol is becoming available, requiring network devices to authenticate themselves
before they're even allowed to pass other traffic, effectively stopping the plug-in attacker. In
addition, support for new security standards that provide powerful authentication and data
encryption functionality, such as Wi-Fi Protected Access (WPA) and Advanced Encryption
Standard (AES), is being built into next-generation wireless devices.

The Evolving Network


The next generation of networks promises, when properly designed and deployed, to solve most
of today's problems, as well as, perhaps for the first time ever, look ahead to bypass future
networking problems. Network engineers are thinking more about the future applications of
networks and designing networks that support open protocols and standards to provide the best
possible compatibility with technologies that don't yet exist. As Figure 1.8 shows, the next
generation of networks will provide seamless connectivity for a range of devices, both wired and
wireless, with built-in security, a diverse range of connection speeds, and more.

Figure 1.8: Next-generation networks focus on easy connectivity, security, and open standards and
protocols.


Bigger, Better, Faster, More


Next-generation networks will provide better mid-range connectivity. Rather than relying on
expensive, complex Synchronous Optical Network (SONET) connections (a form of high-speed
connectivity generally used for WAN connectivity that provides speeds in excess of 2.8Gbps),
metropolitan area networks (MANs) will be able to rely on massive 10GbE connections. As
Figure 1.9 shows, these MANs will allow end-to-end Ethernet connectivity, providing better
security (because the traffic won't have to pass through protocol gateways), design, and
bandwidth. In addition, an Ethernet MAN provides the benefit of using only a single technology,
Ethernet, rather than multiple technologies and the equipment necessary to bridge between many
different protocols at every location (that is, you are not doing expensive protocol conversion;
you are connecting an Ethernet LAN to an Ethernet LAN rather than converting to Frame Relay
or ATM and then back to Ethernet).

Figure 1.9: 10GbE provides an exciting new opportunity for MANs.

Internal server I/O has always been measured in megabytes per second, while network I/O has
always been measured in megabits per second. Hard disk I/O has continued to grow steadily;
GbE, however, is the first major jump in network performance in recent memory. Thus, while GbE
is now capable of reducing the performance bottleneck on servers (especially when multiple NICs
are being aggregated), the introduction of 10GbE will take us to the point at which the bottleneck
between server and network begins to disappear. GbE clients will also see significant latency
improvements, as they will be able to take full advantage of the bandwidth and reduced latency
that GbE promises. Hence, the real promise of next-generation networks is to remove the network
as a limitation to business.
Read more about 10GbE and its applications at
http://searchstorage.techtarget.com/tip/1,289483,sid5_gci870890,00.html, as well as in Chapter 2 and
Chapter 4.

Open Standards, Open Protocols


Past networking technologies have often relied on proprietary or complex protocols, such as
SONET, Integrated Services Digital Network (ISDN), and others. As open standards, Ethernet
and wireless fidelity (Wi-Fi) offer a broader range of support and, thanks to the competitive
marketplace for such devices, lower prices. Because next-generation networks will support open
standards for security, traffic management, and device management, you will be able to easily
mix and match devices to achieve exactly the type of network your company requires.
Designed for Mobility and Connectivity
The remaining limitation of the network is the wire, and that limitation will be short lived.
Wireless technologies, such as 802.11b Wi-Fi, have already had a major impact, enabling
untethered connectivity everywhere from the office conference room to the neighborhood
coffee shop. The next generation of that technology, 802.11g Wi-Fi, is quickly becoming the
new mainstream wireless LAN standard. Even advances in cellular technologies, such as 1X and
3G, promise ubiquitous wireless connectivity.
Read more about 802.11g at
http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci783003,00.html, as well as in
Chapter 3.

Now, full-size desktop and notebook computers are among the minority in the world of
connected devices. Cellular phones, wireless PDAs, tablet PCs, and convergence devices such as
the popular BlackBerry personal communicator all rely on cellular, GPRS, and Wi-Fi
connections to access the Internet, corporate networks, and email, either through direct
connection to the corporate net or VPN connections that use the Internet to reach back to the
home office.
Even wired networks are seeing an enormous amount of growth in device diversity. Not that long
ago, the network contained servers, client computers, and printers. Today, even the mailroom fax
machine and copier are connected, allowing users to utilize these devices right from their
desktops. Webcams allow parents to peek in on daycare centers while at work. Even the office
soda machine may be Internet-connected, allowing 30 workers to check the available selections
over the Web and to bill purchases to their company accounts.

Wired networks will also become a medium for storage area networks (SANs). Rather than using
expensive, dedicated fiber-based connections, the iSCSI standard allows directly connected
storage devices to be accessed by servers over 1GbE, 10GbE, 100GbE, and 1000GbE
connections. Microsoft's iSCSI implementation for Windows 2000 (Win2K), Windows Server
2003, and Windows XP Professional allows iSCSI use on any form of standard Ethernet, not just
GbE and faster technologies. The LAN now provides an infrastructure for building out vast,
fault-tolerant SANs at a lower cost than many fiber-based solutions, using reliable, well-understood
Ethernet technologies.
Read more about iSCSI at http://whatis.techtarget.com/definition/0,,sid9_gci750136,00.html and in
Chapter 2.

Next-generation networks will provide appropriate connectivity options for all of these
devices, from slower 100Base-T wired connections to the fastest new Ethernet connections, as
well as seamless roaming between wireless LAN and wireless WAN connections.
Embedded Security
Next-generation networks build security into every layer. 802.1x support, which includes
embedded Extensible Authentication Protocol (EAP) capabilities, authenticates devices at the
LAN port, disallowing unknown devices and locking down the physical network. Run wires, or
wireless signals, anywhere you like; only authorized users will be able to attach. These
networks will also include embedded IPSec capabilities, transparently encrypting traffic and
preventing even authorized connections from eavesdropping on the network's traffic. Security
won't be something you add to these networks; it will be something that is built in from the very
start, providing, for the first time in the history of networks, a truly integrated, secure
infrastructure on which to build business applications and services. A highly secure OS will
finally become a less important consideration as the underlying infrastructure begins to take
responsibility for security.
Read more about 802.1x at
http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci787174,00.html as well as in
Chapter 6.

Next-Generation Networking
What are the technologies that will deliver on all of these wonderful new promises? Surprisingly,
nothing new. Instead, the next generation of networking technologies builds upon the solid,
reliable foundation of technologies that you've been using for years. Starting with this
foundation enables lower upgrade costs, easier architecture design, and easier integration with
your existing infrastructure, meaning you can ease into the next generation of networks
without throwing away all of today's investment.


GbE
Described in the Institute of Electrical and Electronics Engineers (IEEE) 802.3ab standard, GbE
is available now. Also named 1000Base-T, this new networking technology is ten times faster
than 100Base-T Ethernet and backward-compatible with 10Base-T and 100Base-T networks.
Also available, although still fairly expensive, is 10GbE, as specified in the IEEE 802.3ae
standard. Currently designed primarily for trunking (between offices, for example) applications,
10GbE switches and other devices are on the market, allowing companies to create end-to-end
Ethernet networks at lower acquisition and support costs than previous technologies permitted.
Wireless
Wireless access points (WAPs) now support a variety of protocols. In addition to bridging to
10Base-T, 100Base-T, and 1000Base-T wired networks, WAPs support wireless clients using
11Mbps 802.11b, 54Mbps 802.11g, and even 54Mbps 802.11a. 802.11a is currently being used
primarily in areas of high user density, as it provides lower range than 802.11b and 802.11g.
802.11a operates in a higher frequency band (5GHz) than 802.11b/g (which operates at 2.4GHz),
making the two sets of standards inherently incompatible.
Read more about the 802.11 family of wireless protocols at
http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci341007,00.html as well as in
Chapter 3.

European networks are more likely to feature 5GHz-based HiperLAN technology, which is similar to
the 802.11x family of protocols. A newer version, HiperLAN/2, offers as fast as 54Mbps operation in
the same frequency.

Switches
Switches supporting 1000Base-T, 100Base-T, and 10Base-T connections are widely available,
and switches offering 10GbE connections for office-to-office connections are also entering the
market. Most of these devices are fully compatible with slower network devices, allowing you to
deploy the central infrastructure of a faster network and slowly migrate individual devices (such
as clients, servers, and other connection devices) as feasible or necessary within your
organization. Switches have finally killed the hub; few companies are offering new Ethernet
hubs, recognizing that a fully-switched architecture is a more efficient and practical way to build
the next generation of networks.


Servers
Servers are already shipping with dual 1000Base-T network adapters integrated into their
motherboards, and a variety of server-quality GbE adapter cards are available to upgrade older
equipment. As you begin to purchase new computers, look for machines that offer a built-in or
bundled GbE network adapter. Many hardware vendors include GbE NICs as standard in their
business computing lines; if it isn't standard, you'll likely pay as little as $40 for the upgrade
with a new computer (but you'll pay three or four times that amount to upgrade the computer
later). Because of its complete backward-compatibility with existing Ethernet standards (such as
100Base-T), trickling GbE into your environment is an affordable, slow-paced way to build the
next generation of networks without a complete redesign of what you've got and without the
need to throw away existing equipment. Upgrading existing server hardware to GbE when you
have the box open for another upgrade, such as disk or memory, gives you a very inexpensive
way to move your servers to GbE, because the cost is in the downtime, not the upgraded NIC.
Security
802.1x and IPSec are the latest rage in network security, and you'll find them available in
higher-end network adapters and devices, such as wired switches and WAPs. IPSec is available in
hardware network adapters for most major OSs, allowing you to completely offload the
otherwise considerable burden of encrypting large quantities of network data onto a dedicated
hardware processor, making network security completely transparent and easier to manage.
Newer versions of the Windows OS include an 802.1x client, allowing those computers to
participate in 802.1x-secured networks. WPA and AES are part of the upcoming IEEE wireless
LAN security standard 802.11i, which will provide powerful wireless LAN security. Some
vendors offer these technologies today: Microsoft offers support for WPA on a select subset of
the available wireless hardware in an OS upgrade for Windows XP.

Getting Ready
The building blocks of the next-generation networks are available and prices are falling rapidly.
You'll need to start planning to introduce them into your environment, but before you do, what
steps should you take? What can you do today to prepare yourself, your peers and employees,
and your equipment for the new network?
Education
Take the time to learn all you can about these new networking protocols: how they differ from
past versions and how they'll affect your environment. Focus on the leading edge: 1GbE and
10GbE, 802.1x security, iSCSI SANs, and 802.11a/g wireless connections. Vendor white papers,
magazine articles, and an increasing number of books are available to explain these new
technologies and give suggestions for how to approach them in your environment.


Future-Proofing Your Network


How can you get your network ready to be a next-generation network? The following list
highlights tips; we'll explore these topics in more detail throughout the rest of this book:

• Consider the next-generation network in all new hardware purchases. Provision new
  computers with 1GbE, and buy new switches that support 1GbE and potentially even
  10GbE for MAN connections.

• Make all of your new wired NIC purchases 1000Base-T adapters. The backward-compatibility
  with your existing Ethernet technology makes the eventual transition to GbE completely
  transparent to users.

• Migrate server backbones to 1000Base-T infrastructure devices (switches, routers, and so
  on).

• Root out the old voice-quality CAT3 cabling that is hiding in your walls; 1000Base-T is
  designed to run over existing CAT5 and CAT5e or better wiring. Use high-quality
  CAT5e, CAT6, or better cables, and ensure that cable runs don't run along
  electromagnetic sources such as ceiling lights and electrical lines. Check wall jacks to
  ensure cable terminations meet CAT5, CAT5e, or better standards; improperly terminated
  wall jacks are the leading cause of electromagnetic noise in high-speed networks. If
  you're running new wires, go with CAT6, which will provide the best long-term
  investment in your physical infrastructure.

• Take a hard look at where your network is going. Many next-generation networking
  technologies, such as GbE and iSCSI, are relying more on less-expensive copper
  wiring (CAT5, CAT5e, and CAT6) than on fiber. GbE over CAT5 and iSCSI will give
  you plenty of performance at a much lower cost than implementing a fiber networking
  technology.

Summary
The network that you've been working with for the past decade is likely showing its age.
Fortunately, the next generation of networking technologies is here: GbE, solid wireless
networks, smarter switches, and built-in security. These are the building blocks of the
next-generation networks that companies will rely on to enhance productivity, lower costs, raise
security, and improve connectivity. So how do you get started?
In the next chapter, we'll explore GbE, including network adapters and switches, introducing you
to the key improvements in addition to the speed of this technology. We'll discuss how to
migrate your current network to support GbE. In each subsequent chapter, we'll cover the
additional technologies that form next-generation networks so that you have the resources in
place to make decisions that will result in an optimized next-generation network in your
environment.

Wi-Fi and Wi-Fi Protected Access are trademarks of the Wi-Fi Alliance. BlackBerry is a
trademark of Research In Motion Limited. All other trademarks are the property of their respective
owners.


Chapter 2: Gigabit Ethernet Migration


The move to Gigabit Ethernet (GbE), or Gigabit, has already begun. In fact, across the IT
industry, Gigabit adoption has been on the rise since mid-2002 when Broadcom introduced the
first single-chip GbE controllers. Today, nearly every type of networking equipment, from
routers and switches to servers and desktop computers, is offered with GbE either built-in or as
an inexpensive upgrade option.
Administrators of existing networks are deploying GbE in the same way that they deployed
100Base-T: they buy new hardware that comes standard with the GbE hardware. GbE is
transparent to users because it is fully backward-compatible with the previous standard, in this
case, 100Base-T.
However, the fact that GbE is needed now differentiates this migration from the previous move
to 100Base-T. User demand on network resources has grossly exceeded the network's ability to
efficiently support the modern-day functions businesses perform. 100Base-T applications, such
as email (particularly email attachments), system backup, and video conferencing, as well as
other enhanced uses of the network that enable a flexible workplace, require the adoption of GbE
now.
Is GbE on your corporate radar? It should be. The last chapter described how networks are
fighting an escalating battle to keep up with corporate applications such as voice and video
conferencing, increased data retrieval, and much more. It also pointed to emerging technologies
such as TOE, RDMA, and iSCSI, which are solving business problems while placing an even
greater burden on the network. The 100Mb Ethernet networks adopted since 1997 are no longer
adequate, particularly for network segments containing servers.
In this chapter, we'll explore how GbE brings the user one step closer to real-time computing.
When deployed on a client, GbE delivers the same relative performance as a PC hard drive.
Given this performance, GbE enables a seamless network, transparent alongside the other large
data subsystem in the PC: the hard drive. Let's begin by developing a foundation of GbE
knowledge through a primer on this technology.
As a whole, corporate networks have gotten a lot of mileage from Fast Ethernet (100Base-T), but not
entirely due to its speed. 100Base-T was introduced before switches were very common, and
networks were upgraded to 100Base-T and switching over a long period of time. As a result, the
lifespan of 100Base-T was one of small increases every month or so. With GbE, however,
corporations have a much stronger reason to upgrade faster. The additional speed is useful, but the
additional business processes that GbE can support make it well worth the price, especially
considering that the price is transparent: PCs carrying GbE bring little to no additional cost.


GbE Technology Primer


GbE is based on Ethernet, a tried-and-true networking protocol that has been around for decades.
However, using the term "based on Ethernet" isn't quite accurate because it implies that GbE is
Ethernet plus something else. GbE is pure Ethernet, through and through, offering the reliability,
low cost and easy maintenance that Ethernet networks have always enjoyed. To clarify the
differences between Ethernet and GbE, reference the comparison in Table 2.1.
Feature          100Base-T          GbE
Speed            100Mbps            1000Mbps
Frame format     802.3 Ethernet     802.3 Ethernet
MAC layer        802.3 Ethernet     802.3 Ethernet
Flow control     802.3x Ethernet    802.3x Ethernet
Primary mode     Full duplex        Full duplex

Table 2.1: Comparison of Fast Ethernet and GbE.

Is older better? Ethernet is decades old, and you might be wondering why such an old protocol is the
best choice for the future. Ethernet is the most stable networking protocol in the world. The entire
global Internet is built primarily from Ethernet connections on local networks. Nearly every imaginable
problem with the Ethernet protocol was worked out years and years ago, leaving us with a technology
that offers true "dial-tone" reliability, meaning you just turn it on and it works. What better technology
could be used to build next-generation networks?

Switches
In Ethernet's early days, all devices were connected directly to one another or to a central hub.
When any one device transmitted, all the connected devices saw the signal. A hub's entire job, in
fact, was to receive transmissions and retransmit them to every connected device on the hub. As
a result of this methodology, collisions became an issue. As the number of connected devices
increased, more collisions would occur. But a solution became evident and available to solve the
Ethernet-collision problem: switching. 100Base-T switches are logically similar to hubs,
providing a central connection point for all devices on the network. However, when one device
transmits and the switch receives the transmission, the switch doesn't necessarily retransmit that
signal to all other attached devices. Instead, the switch looks at the destination MAC address to
determine the next action:

• If the MAC address is a special broadcast address, the transmission is intended for all
  devices, and the switch rebroadcasts the signal to all attached devices.

• If the MAC address is not one that the switch has seen before, the signal is broadcast to
  all attached devices. However, the switch watches for a reply from that MAC address.
  When it sees a reply, it associates that MAC address with the port on which the reply was
  seen, making future traffic more efficient.

• If the MAC address is one that the switch has seen before, the signal is only rebroadcast
  out the port that is associated with the MAC address.
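The three forwarding cases above, plus the MAC-to-port learning that makes the third case possible, as a small learning-switch simulation. This is an added example, not code from the book or from Broadcom; it learns from the source address of every frame (a reply is simply a frame whose source is the previously unknown station), and it adds an optional per-port allowed-MAC list of the kind Chapter 1 describes as rarely configured. All addresses and frames are constructed for the example.

```python
"""Learning-switch simulation: broadcast, unknown-unicast flooding, and known-unicast
forwarding, with an optional per-port list of permitted source MACs (port security).
All addresses and frames here are constructed for the example.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str          # source MAC address
    dst: str          # destination MAC address
    payload: str = ""


@dataclass
class LearningSwitch:
    num_ports: int
    # Port security: port -> set of MACs allowed to transmit on that port.
    # Ports absent from this dict accept any source address (the common default).
    allowed: dict = field(default_factory=dict)
    # MAC-to-port forwarding table: the "onboard memory" the text refers to.
    table: dict = field(default_factory=dict)
    # (port, src) pairs rejected by port security, for the administrator to review.
    dropped: list = field(default_factory=list)

    def forward(self, in_port: int, frame: Frame) -> list:
        """Return the egress ports for `frame` received on `in_port`.

        A frame is never sent back out the port it arrived on.
        """
        if not 0 <= in_port < self.num_ports:
            raise ValueError(f"no such port {in_port}")

        # Port security: an unknown station on a locked port is dropped, not learned.
        permitted = self.allowed.get(in_port)
        if permitted is not None and frame.src not in permitted:
            self.dropped.append((in_port, frame.src))
            return []

        # Learning: remember which port the source address lives on.
        self.table[frame.src] = in_port

        others = [p for p in range(self.num_ports) if p != in_port]

        # Case 1: broadcast address -> every other port.
        if frame.dst == BROADCAST:
            return others

        # Case 2: destination not yet learned -> flood to every other port.
        if frame.dst not in self.table:
            return others

        # Case 3: destination known -> only the port associated with it.
        out = self.table[frame.dst]
        return [] if out == in_port else [out]


def demo() -> dict:
    """Run a short exchange and return the observable results."""
    # Port 3 is locked to a single known station; ports 0-2 are open.
    sw = LearningSwitch(num_ports=4, allowed={3: {"aa:aa:aa:aa:aa:03"}})
    a, b, rogue = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "de:ad:be:ef:00:00"

    # A (port 0) sends to B, whose port is still unknown -> flooded.
    first = sw.forward(0, Frame(src=a, dst=b, payload="hello"))
    # B replies from port 1: A is already known, so unicast to port 0 only,
    # and B's port is learned from this reply.
    reply = sw.forward(1, Frame(src=b, dst=a, payload="hi"))
    # A's next frame to B now goes out port 1 only.
    second = sw.forward(0, Frame(src=a, dst=b, payload="again"))
    # A broadcast from A reaches every port except the one it came in on.
    bcast = sw.forward(0, Frame(src=a, dst=BROADCAST))
    # An unknown station on locked port 3 is dropped and never enters the table.
    locked = sw.forward(3, Frame(src=rogue, dst=BROADCAST))

    return {
        "first": first, "reply": reply, "second": second, "bcast": bcast,
        "locked": locked, "table": dict(sw.table), "dropped": list(sw.dropped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```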


Switches are complicated devices. Ethernet switches must actively watch traffic and take action
based on the traffic's destination. Thus, switches require onboard memory to remember MAC-to-port
mappings. Initially, such devices were expensive. However, with the advent of single-chip Ethernet
switch controllers, such as those produced by Broadcom, switches have become less expensive. The
result is that switches have almost completely replaced less-efficient hubs on most Ethernet
networks.

Originally, switches were used as a form of central backbone device. One switch would provide
connections to several hubs, and the hubs would, in turn, provide connections to several devices.
The hubs each represented a collision domain, meaning every device connected to a hub would
be competing for transmission bandwidth with the other devices on the same hub. The switch
separated these collision domains, reducing the number of devices that were competing with one
another.
By the year 2000, switches became so inexpensive that most companies simply attached devices
directly to switch ports and eliminated hubs altogether. Doing so helped reduce the collision
domain to one computer per domain. Of course, collisions still occur: broadcast traffic and other
fairly common types of traffic result in collisions between transmitting devices. Switch fabrics
have become efficient and inexpensive enough to make the standardization on switched networks
a non-issue at any price point.
Aggregation
The first 10/100 switches enabled a new type of network efficiency: aggregation. Multiple
client segments running at 10Base-T were connected to the switch along with one or two
100Base-T server segments. Incoming traffic from clients was running at 10Mbps, so the servers
could receive 100Mbps and one client conversation occupied only one-tenth of the available
server segment bandwidth. The switch, then, could aggregate as many as 10 client connections
onto the server segment at once, vastly increasing network efficiency.
Although it would seem that faster clients have caused more network congestion in recent years,
such isn't really the case. Calculations and test reports that make use of the total available
bandwidth and the maximum bandwidth utilization of the network clients are generally red
herrings; that is, they simply draw attention away from the actual issues, the most common of
which is client response time.
What about when clients catch up again? Of course, clients will eventually catch up and be running
GbE. That is where 10GbE switching comes into play, offering the ability to aggregate GbE
connections between data centers, buildings, and so forth; retaining a high-speed edge; and
maintaining network efficiency. We will explore 10GbE switching later in this chapter.

Duplex
Ethernet can operate in one of two duplex modes: half and full. Half-duplex is a lot like CB
(Citizens Band) radio communications between truckers: you can talk or listen but you can't do
both at the same time. In fact, the collisions that occur when two truckers try to transmit at once
are similar to the way that Ethernet collisions occur. Half-duplex is a pretty inefficient mode, but
when network devices are connected to a hub, it is generally the only choice. Half-duplex is
necessary to manage collisions.

21

Chapter 2
When connected to a switch, however, full-duplex becomes possible, which basically means that
a device can send and receive data at the same time, more like a telephone conversation in
which both parties can talk at once. This mode is obviously more efficient and is another reason
that companies replace hubs with switches. GbE, in practice, runs only in full-duplex mode, maximizing the potential of each client connection.
Baseband vs. Broadband
The 1000Base-T designator for GbE stands for 1000Mbps, Baseband, Twisted pair. This term is an
indication of the protocol's basic speed, its bandwidth utilization (baseband), and the wiring used (twisted
pair CAT5 wiring or better).
Other designations have existed in Ethernet's past. For example, the earliest standardized Ethernet was 10Base-5,
running 10Mbps baseband over thick coaxial cable with segments of up to 500 meters; the later 10Base-2 used a thinner,
cheaper coaxial cable with shorter (185-meter) segments. A term that you
don't often encounter is the baseband designation, which simply means that each transmission utilizes
the entire bandwidth that can be carried by the wiring.
The alternative is broadband communications, through which transmissions are divided into channels,
and each channel can carry traffic independent of the others. The most common form of broadband is
cable TV, which is capable of carrying hundreds of channels of programming as well as voice and data
services over a single wire.
This raises the question: Why doesn't Ethernet switch to broadband? Something like 1000Broad-T would
be incredibly efficient, assigning one dedicated channel to each connected device and eliminating
collisions altogether. (The IEEE did once standardize a broadband variant, 10BROAD36, running over
CATV-style coax, but it saw very little use.)
The problem is that today's CAT5 wiring can't carry broadband transmissions. Those signals require high-quality, heavily shielded wiring, such as the coaxial wires connected to your cable TV box at home.
Companies would have to spend millions to replace their existing wiring. Another problem is getting traffic
from one channel to another. When two computers want to talk to one another, some sort of switching
device would have to bridge traffic across their two individual channels. These switching devices would
act a lot like a telephone switch, which connects two phone lines for a conversation. However, these
network switches would have to operate at incredible speeds and carry incredible amounts of data. It's
uncertain whether they could be built to operate with the required speeds.

We've established a base understanding of GbE technology. With this foundation of knowledge,
we can begin to explore how GbE products will affect next-generation networks.

GbE Products
All GbE products are not created equal. The actual products you buy, from Hewlett-Packard
(HP), IBM, Dell, and so forth, are generally built using Ethernet chipsets from companies such
as Broadcom and Intel. These chipsets create and process the Ethernet frames and are the major
factor in determining the networking function's speed and efficiency.
For example, in a database test conducted by Broadcom, a client PC using Broadcom's
NetXtreme GbE controller delivered roughly three times the throughput of a similarly equipped client PC using a competitive
brand GbE controller. The Broadcom-equipped machine was able to achieve
more than 6200 transactions per second, whereas the system equipped with the competitive
brand reached only 2083 transactions per second, in both transmit and receive operations. In a
similar test, the Broadcom-equipped system was used to measure Active Directory (AD) logins,
and processed about 2.6 times as many as the competitive brand-equipped machine: more than 710
logins per second versus the competitive brand-equipped system's 275. (Note that these figures come from
tests run by Broadcom itself; treat them as the vendor's numbers and verify against your own workload.)

Another test utilizing Microsoft's Exchange Server software provided excellent results as well.
The Broadcom-equipped system handled 5432 sent messages per second, the competitive brand-equipped machine handled 2777. Thus, the system running Broadcom was nearly twice as fast (about 196 percent of the competitor's rate). Again, these client PCs were all equipped with similar-seeming hardware: GbE
controllers, the same processors, fast SCSI storage, and more; the different GbE controllers
made all the difference.
GbE Performance
GbE has rapidly become the standard network technology that connects today's business users and is
the next logical step in Ethernet technology. It provides users with an enhanced computing experience
that increases network performance and productivity and reduces CPU utilization and network
congestion. Tests conducted by the Ziff-Davis Media Companys eTesting Labs (http://www.veritest.com)
show that GbE connections can provide as much as a 341 percent performance and productivity
improvement over 10/100 Fast Ethernet connections running everyday business applications on client
systems such as email, Web browsing, databases, and disk backup.

[Figure 2.1 (bar chart), titled "GbE Performance": two series, Broadcom NetXtreme and Competitive Product, compared across four workloads (AD, Exchange, Database Rx, Database Tx); vertical axis 0 to 7000 operations per second.]

Figure 2.1: The GbE controller manufacturer of a GbE device makes a big difference in performance
numbers.

GbE Network Adapters and Switches that use Broadcom GbE Controllers
Most major manufacturers embed Broadcom's proven, high-performance GbE controllers into their
notebooks, desktops, and servers. These manufacturers also offer add-in NICs featuring Broadcom
technologies. When making your next purchase, confirm the product has Broadcom GbE controllers.
In addition, most first-tier infrastructure devices, including switches, utilize Broadcom technology. For a
complete list of network adapters and switches that incorporate Broadcom's high-performance GbE
controllers, visit http://www.broadcom.com.

GbE Deployment Strategy


So how do you begin implementing GbE in your environment? GbE offers an easy approach to
deployment thanks to its built-in backward compatibility with 10/100Base-T. As a first step in
your deployment, start specifying client computers that include GbE NICs. Major computer
hardware vendors are already standardizing on GbE for the client computers they sell. Because
clients tend to be upgraded more easily than servers, simply specify that any time a client
computer is upgraded, a GbE NIC should be part of the work. For example, if you are
opening the case to upgrade memory in preparation for migrating a computer to Windows XP,
take that opportunity to see that a GbE NIC is installed as well.
The same applies to servers. Any new server that is purchased should include multiple
GbE controllers, either built in or as add-in NICs, so that it can take advantage of bandwidth
aggregation, failover, and the other technological improvements of GbE. As existing
servers are physically upgraded, they too should have multiple GbE NICs added. When
purchasing GbE NICs, be sure to specify NICs that will integrate cleanly with your
existing servers. NICs based on Broadcom controllers are designed to work alongside
other vendors' NICs in important functions such as teaming, failover, and
link aggregation. Whatever you buy, confirm that the teaming driver supports the particular mix of
adapters you intend to team, and remember that link aggregation (IEEE 802.3ad) must also be configured
on the switch side, not only on the server.
As Figure 2.2 shows, clients and servers will automatically fall back to 100Base-T while talking
to your legacy network components, such as switches. Note that the orange lines in the figure
indicate GbE connectivity. The switches, shown in gray, do not support GbE, so the servers will
auto-negotiate to the highest speed the switch supports, likely 100Base-T.
This adoption method is a great technique, and almost all major brands of servers are offered with
built-in GbE or have an option for a GbE upgrade from the factory.


Figure 2.2: The first step in deploying GbE is to acquire GbE servers and clients.

When you're ready to make a major improvement in network performance, upgrade
infrastructure components such as routers and switches to GbE, as Figure 2.3 shows. Your GbE
servers and clients will then negotiate up to 1000Base-T immediately.


Figure 2.3: The next deployment step is to upgrade infrastructure components.

As Figure 2.4 shows, the GbE adoption process is the same for client computers and
workstations that have built-in GbE NICs. In this figure, the core switch and the router have been
upgraded to support GbE (shown in orange).
As the orange lines indicate, the client computers have now been upgraded with GbE NICs, although
they are still connected to a legacy access switch and will therefore negotiate to a slower speed. Because
they are connected to legacy switches, they will fall back to 100Base-T; however, you'll have complete
compatibility along with a built-in, ready-to-go upgrade for the future.


Figure 2.4: Upgrade older client computers and acquire new systems that have GbE built-in.

As Figure 2.5 shows, the last switch has now been upgraded. The only client still running at
10Base-T or 100Base-T will negotiate the proper speed with the switch.
When buying a notebook, ask for GbE integrated right on the motherboard. Add-in GbE will
use either the PC Card/PCMCIA slot or a USB port, neither of which is really capable of carrying
1000Mbps of traffic. Unfortunately, notebooks continue to be the most difficult kind of
computer to upgrade, so your switch to GbE may not be complete until you've phased out all your older
notebooks.


Figure 2.5: Upgrade the remaining infrastructure devices.

Finally, when you're ready, you can replace any devices and systems that are still running at
slower 10/100Base-T speeds. The infrastructure is already in place, so you can conduct this
phase of the upgrade, like the other phases, at your leisure. Figure 2.6 shows the final all-GbE
network.


Figure 2.6: The final step is to have GbE on every device.

Unlike other networking technologies, which don't offer "it's all Ethernet" compatibility,
GbE allows you to conduct your upgrade as slowly or as quickly as you like. Begin by acquiring
new devices with built-in GbE, and gradually replace infrastructure components as required by
your business needs. Or conduct an over-the-weekend upgrade of specific types of bandwidth,
such as server-switch or router-switch. The decision is yours, and GbE offers the flexibility to
support whatever plans you might have.


Depending on how your network is designed, it contains many categories of bandwidth such as client-switch bandwidth, which carries traffic from a switch to client computers; router-switch bandwidth,
which carries traffic between switches and routers; switch-switch bandwidth, which carries traffic
between switches, often between buildings on a corporate campus; and server-switch bandwidth,
which carries traffic between servers and switches. If you have created dedicated segments for
networked printers, the switch-printer bandwidth category will be an important consideration in your
GbE-deployment plan. You might also want to independently consider the bandwidth used on
perimeter networks (DMZs), extranets, and other specialized subnets.

Getting to the end of your GbE deployment? When you're down to the last few devices and systems,
use a hardware inventory system such as Microsoft Systems Management Server (SMS) or Intel
LANDesk to inventory your server and client computers and pick up the last few 100Base-T models.
Add-in PCI adapters can be used to upgrade these computers. And don't forget about other network-attached devices, such as networked printers and copiers. Contact their manufacturers for
information about upgraded network connection modules.
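The duplex discussion earlier in this chapter and the inventory sweep above come down to one question per host: did the NIC actually negotiate a full-duplex Gigabit link? The script below is an added example, not part of the book. It parses the report format of the Linux `ethtool <interface>` command (the output for four hypothetical hosts is constructed here) and lists hosts that are still at 100Mb/s, are running half-duplex, or have auto-negotiation forced off, which on a switched port is the classic cause of a duplex mismatch.

```python
"""Audit negotiated NIC link state from ethtool-style output.

Added example, not from the book. The report format is that of the Linux
``ethtool <interface>`` command; the four reports below are constructed
sample data standing in for what you would collect from each host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output for four hypothetical hosts.
SAMPLE_REPORTS: Dict[str, str] = {
    "fileserver01": (
        "Settings for eth0:\n"
        "\tSupported link modes:   10baseT/Half 10baseT/Full\n"
        "\t                        100baseT/Half 100baseT/Full\n"
        "\t                        1000baseT/Full\n"
        "\tSpeed: 1000Mb/s\n"
        "\tDuplex: Full\n"
        "\tAuto-negotiation: on\n"
        "\tLink detected: yes\n"
    ),
    "desktop-3f-12": (
        "Settings for eth0:\n"
        "\tSpeed: 100Mb/s\n"
        "\tDuplex: Half\n"
        "\tAuto-negotiation: off\n"
        "\tLink detected: yes\n"
    ),
    "printer-lobby": (
        "Settings for eth0:\n"
        "\tSpeed: 100Mb/s\n"
        "\tDuplex: Full\n"
        "\tAuto-negotiation: on\n"
        "\tLink detected: yes\n"
    ),
    "dock-spare": (
        "Settings for eth0:\n"
        "\tSpeed: Unknown!\n"
        "\tDuplex: Unknown! (255)\n"
        "\tAuto-negotiation: on\n"
        "\tLink detected: no\n"
    ),
}

@dataclass
class LinkState:
    host: str
    speed_mbps: Optional[int]   # None when ethtool reports no usable speed
    duplex: Optional[str]       # "Full", "Half", or None
    autoneg: bool
    link: bool

_SPEED = re.compile(r"^\s*Speed:\s*(\d+)Mb/s", re.M)
_DUPLEX = re.compile(r"^\s*Duplex:\s*(Full|Half)", re.M)
_AUTONEG = re.compile(r"^\s*Auto-negotiation:\s*(on|off)", re.M)
_LINK = re.compile(r"^\s*Link detected:\s*(yes|no)", re.M)

def parse_ethtool(host: str, text: str) -> LinkState:
    """Pull the negotiated Speed, Duplex, Auto-negotiation and Link fields."""
    speed = _SPEED.search(text)
    duplex = _DUPLEX.search(text)
    autoneg = _AUTONEG.search(text)
    link = _LINK.search(text)
    return LinkState(
        host=host,
        speed_mbps=int(speed.group(1)) if speed else None,
        duplex=duplex.group(1) if duplex else None,
        autoneg=bool(autoneg and autoneg.group(1) == "on"),
        link=bool(link and link.group(1) == "yes"),
    )

def audit(reports: Dict[str, str], target_mbps: int = 1000) -> Dict[str, List[str]]:
    """Map each host with link to the reasons it falls short of the target.

    An empty list means the host is fine. Hosts without link are left out:
    an unplugged port is not a negotiation problem.
    """
    findings: Dict[str, List[str]] = {}
    for host, text in reports.items():
        state = parse_ethtool(host, text)
        if not state.link:
            continue
        reasons: List[str] = []
        if state.duplex == "Half":
            # Half-duplex on a switched port almost always means a mismatch:
            # one side forced to a fixed setting, the other auto-negotiating.
            reasons.append("half-duplex")
        if not state.autoneg:
            reasons.append("auto-negotiation off")
        if state.speed_mbps is not None and state.speed_mbps < target_mbps:
            reasons.append("%dMb/s < %dMb/s" % (state.speed_mbps, target_mbps))
        findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in sorted(audit(SAMPLE_REPORTS).items()):
        print("%-15s %s" % (host, "OK" if not reasons else ", ".join(reasons)))
```

Hosts flagged "auto-negotiation off" deserve a look even when they show 100Mb/s full-duplex: a port forced to a fixed setting against an auto-negotiating switch is the usual origin of half-duplex links and the late collisions that come with them.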

GbE Emerging Technologies


Simply migrating your existing network infrastructure to GbE will bring both cost and
performance benefits to your network users. In addition, many new technologies will emerge
over the next year that build upon the networking platform that GbE brings to your computing
environment. These hardware, software, and application technologies combine to bring the next
generation of networking performance to your corporate environment.
TOE
Most Ethernet networks use the Internet Protocol (IP) to handle the addressing and routing of
packets through the network. IP grew out of U.S. Department of Defense (DARPA) funded research
into letting network packets travel over varying routes across a global network: if a particular part
of the network becomes unavailable, routing steers the packets along alternative paths. This makes IP
very robust, but it also means that packets may arrive at their destination out of order, and some may
be lost or damaged along the way. The Transmission Control Protocol (TCP) was developed to deal with
exactly that. TCP verifies the checksum of each arriving segment, uses sequence numbers to put the
data back in order, acknowledges what it has received, and retransmits anything that went missing.
Historically, networks have been slow relative to the processing power of the CPU, so
this TCP work has been done by the CPU. Network speeds and traffic volumes, however, have
grown much faster than CPUs, to the point that processing TCP at Gigabit speeds can consume a
large share of even a modern CPU. To address this shortcoming, companies are building
new devices: TCP/IP offload engines (TOEs).
An offload engine alone, however, is not a networking performance solution. It is
simply the hardware upon which the solution is built. To build a reliable, cost-effective solution,
there needs to be a standard way to utilize the offload engine. Because the TCP/IP function is
tied tightly to a computer's OS, it is important to develop TOE technology in partnership with
OS vendors. One consequence to plan for: once a connection's TCP processing lives in the adapter,
host-based software that sits in the OS network stack, such as packet filters, capture tools, and
intrusion-detection agents, may no longer see that connection's traffic the way it did before, and the
adapter's firmware becomes part of the code you have to keep patched. Test those tools with offload
enabled before rolling it out broadly.
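The work the paragraph above assigns to TCP, and therefore to a TOE, is easy to underestimate until you write it down. The following is an added example, not code from the book or from any offload engine: the Internet checksum of RFC 1071 (the same algorithm TCP and IP use) and an in-order reassembly buffer that copes with segments arriving out of order, duplicated, overlapping, or corrupted. The segment framing (sequence number, checksum, payload) is a simplified stand-in for a real TCP header, and the message and arrival order are constructed.

```python
"""What a TCP stack (or a TOE that replaces it) must do per arriving segment.

Added example, not from the book: RFC 1071's Internet checksum and an
in-order reassembly buffer. Segment framing here is simplified
(4-byte seq, 2-byte checksum, payload), not a real TCP header.
"""
import struct
from typing import Dict, Tuple

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as TCP and IP use."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def make_segment(seq: int, payload: bytes) -> bytes:
    """Simplified segment: seq, checksum over seq+payload, then the payload."""
    head = struct.pack("!I", seq)
    return head + struct.pack("!H", internet_checksum(head + payload)) + payload

class Reassembler:
    """Delivers bytes to the application strictly in sequence order."""
    def __init__(self, initial_seq: int):
        self.next_seq = initial_seq          # RCV.NXT in RFC 793 terms
        self.pending: Dict[int, bytes] = {}  # out-of-order segments by seq
        self.delivered = bytearray()
        self.dropped = 0

    def receive(self, segment: bytes) -> None:
        seq, csum = struct.unpack("!IH", segment[:6])
        payload = segment[6:]
        # Corruption check: recompute over the protected fields.
        if internet_checksum(segment[:4] + payload) != csum:
            self.dropped += 1
            return
        if seq < self.next_seq:
            overlap = self.next_seq - seq
            if overlap >= len(payload):
                return                       # pure duplicate / retransmission
            seq, payload = self.next_seq, payload[overlap:]   # trim overlap
        self.pending.setdefault(seq, payload)
        # Drain every contiguous segment now available.
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.delivered += chunk
            self.next_seq += len(chunk)

def demo() -> Tuple[bytes, int, int]:
    """Constructed run: segments arrive out of order, damaged and duplicated."""
    message = b"GET /index.html HTTP/1.0\r\n\r\n"          # 28 bytes
    segs = [make_segment(1000 + i, message[i:i + 8])
            for i in range(0, len(message), 8)]             # seqs 1000..1024
    damaged = bytearray(segs[1])
    damaged[-1] ^= 0x01                                     # flip a payload bit
    arrival = [segs[2], bytes(damaged), segs[0], segs[3], segs[1], segs[0]]
    r = Reassembler(1000)
    for s in arrival:
        r.receive(s)
    return bytes(r.delivered), r.dropped, r.next_seq

if __name__ == "__main__":
    data, dropped, nxt = demo()
    print(data, dropped, nxt)
```

In the constructed run the damaged copy of the second segment is discarded by the checksum, the later clean retransmission fills the gap, and the duplicate of the first segment is ignored; the application sees the 28-byte request exactly once and in order, which is the guarantee a TOE has to uphold in hardware.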

In an effort to encourage a consistent TOE implementation that is compatible with Microsoft
OSs, Microsoft has introduced the TCP Chimney offload architecture. This architecture is
designed to intelligently segment the TOE technology between the Microsoft OS and hardware.
TCP Chimney offload architecture was publicly introduced at the Windows Hardware
Engineering Conference (WinHEC) in May 2003. This partial offload technology is designed to
provide a standardized TOE access methodology that doesn't require a vendor-specific parallel
transport stack to hook the existing transport stack that ships with the Windows OS (the
Chimney technology is scheduled to be released with the next version of the Windows OS, code-named Longhorn). Broadcom has been working closely with Microsoft on this technology from
the beginning.

Full offload vs. partial offload

Full offload: All TCP/IP-related functionality, including the TCP/IP data path, TCP/IP packet creation
and breakdown, connection management, and state management, is offloaded to the hardware.
Partial offload: High-overhead activities, such as dealing directly with the TCP/IP packets, are
offloaded to the add-in hardware, and tasks such as connection and state management are handled
by OS drivers. With the partial offload Chimney approach, there is no additional third-party stack to
maintain or additional overhead in processing the duplicate stack. Microsoft claims significant benefits
with this Chimney approach, not the least of which is that it provides a standardized implementation
for TOE in the Windows OS environment.

RDMA
GbE and TOE technology will greatly increase the amount of network traffic possible between
servers and clients. This added traffic places an additional burden on the memory and CPU
bus, because received data has to be copied from one location in the computer's memory to
another before the application can use it. One way to improve this situation is to place network traffic
directly in the memory location where it is wanted. Doing so reduces the load on the
CPU/memory subsystem and shortens the time (the latency) it takes for information to get
from one computer to the next. This solution is called RDMA and has been standardized by the
RDMA Consortium (http://www.rdmaconsortium.org).
RDMA is a technology feature that allows one computer to place data in the memory of another
computer, thereby reducing the processing overhead and maximizing the efficient use of
available network bandwidth. RDMA uses a kernel-bypass model in which the application talks
directly to the NIC, and the NIC takes the buffer contents and transmits them to the target computer
in an RDMA Write message, which contains both the data and the destination information.
The NIC on the target computer then writes the data contained in the RDMA Write message
directly into the target application's memory buffer. These actions all take place with minimal
involvement of the CPUs on the originator and target computers. The destination is not an arbitrary
address: the target application must first register the buffer with its NIC, which hands back a steering
tag that the remote side names in its write, and the NIC rejects writes to tags or offsets outside what
was registered. Registration is therefore the boundary on what a peer can touch, and because nothing
at the RDMA layer authenticates that peer, treat an RDMA fabric as a trusted, isolated network.
With TOE hardware in place, the push for RDMA over TCP/IP, and technologies such as Microsoft
Chimney with its direct hooks into the OS, you will be able to bring the benefits of these combined
technologies transparently to users and application development.
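To make the RDMA Write exchange concrete, here is an added example, not code from the book or from the RDMA Consortium specifications: a simplified model of the receiving NIC's side. The application registers a buffer and receives a steering tag; a peer's write names that tag, an offset and the data; the NIC validates the tag, the granted access rights and the bounds before copying the payload straight into the registered memory. The message and registry layout are assumptions for illustration, and the buffer contents are constructed.

```python
"""Model of the tagged-buffer check an RDMA NIC applies to an incoming write.

Added example, not from the book or the RDMA Consortium specs. The shape of
the write message and the registry are simplified assumptions; the point is
that buffer registration, not the peer's good behaviour, bounds what a remote
write can reach.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass
class Registration:
    buf: bytearray
    remote_write: bool   # access right granted when the buffer was registered

@dataclass
class RdmaWrite:
    stag: int            # steering tag naming the target buffer
    offset: int          # tagged offset within that buffer
    data: bytes

class Rnic:
    """Receiving side: only registered, writable regions are reachable."""
    def __init__(self) -> None:
        self.regions: Dict[int, Registration] = {}
        self.stats = {"written": 0, "rejected": 0}

    def register(self, buf: bytearray, remote_write: bool = True) -> int:
        stag = secrets.randbits(32)        # unguessable tag, as a NIC would allocate
        self.regions[stag] = Registration(buf, remote_write)
        return stag

    def deregister(self, stag: int) -> None:
        self.regions.pop(stag, None)       # invalidated tags must stop working

    def on_rdma_write(self, msg: RdmaWrite) -> bool:
        reg = self.regions.get(msg.stag)
        end = msg.offset + len(msg.data)
        if (reg is None or not reg.remote_write
                or msg.offset < 0 or end > len(reg.buf)):
            self.stats["rejected"] += 1    # a real NIC also tears down the connection
            return False
        reg.buf[msg.offset:end] = msg.data # placement with no CPU-side copy
        self.stats["written"] += len(msg.data)
        return True

def demo() -> Tuple[bytes, Tuple[bool, bool, bool, bool], Dict[str, int]]:
    """Constructed run: one good write and three that must be refused."""
    target = Rnic()
    inbox = bytearray(16)
    stag = target.register(inbox)
    # The peer learned (stag, size) out of band, e.g. in an earlier Send.
    ok_good = target.on_rdma_write(RdmaWrite(stag, 0, b"hello, rdma"))
    ok_overflow = target.on_rdma_write(RdmaWrite(stag, 12, b"overflow!"))  # past the end
    ok_wrong_tag = target.on_rdma_write(RdmaWrite(stag ^ 1, 0, b"x"))      # unknown tag
    target.deregister(stag)
    ok_stale = target.on_rdma_write(RdmaWrite(stag, 0, b"stale"))          # after invalidation
    return bytes(inbox), (ok_good, ok_overflow, ok_wrong_tag, ok_stale), target.stats

if __name__ == "__main__":
    print(demo())
```

The three refused writes are the cases a registration scheme exists to stop: overrunning the registered region, using a tag that was never handed out, and reusing a tag after the application released the buffer.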


Many OS and application vendors are working on new products that will take advantage of the
emerging RDMA infrastructure. RDMA requires specialized application support, which isn't very
widespread at the moment. Applications and OSs will need to be aware of the capabilities of RDMA
and will have to take special steps to utilize it. As RDMA matures and becomes more readily available
in network hardware, you'll see OSs and applications begin to take advantage of it.

iSCSI
iSCSI is one of the most exciting technologies to emerge in the world of storage area networks
(SANs). The big player in the SAN marketplace is fibre channel (FC). Although FC is an
effective and enterprise-capable technology, it is a bit complicated and quite expensive. It also
makes the SAN a dedicated network, essentially requiring that servers be connected both to the
primary Ethernet network for client connectivity and to a dedicated FC network for SAN access.
Figure 2.7 illustrates this architecture.

Figure 2.7: Traditional FC SANs use a dedicated networking topology.

iSCSI, however, encapsulates ordinary SCSI commands in TCP/IP packets, making the traffic
suitable for a normal Ethernet network. Applications make normal calls to the OS, which, in
turn, generates normal SCSI commands through a SCSI device driver. With traditional, directly
connected SCSI storage, these SCSI commands are passed to a hardware device driver and
eventually to a SCSI controller card that is connected to the SCSI storage devices. In the case of
iSCSI, the driver software (the initiator) wraps the SCSI commands in iSCSI protocol data units, sends
them over TCP/IP, and the network-connected storage device (the target) unwraps them. No special NIC
hardware is required; the packets simply travel across the network to the storage device.
Because iSCSI runs over existing networks without any special controller hardware in the server,
it offers many of the same benefits but at a much lower cost than traditional FC-based SANs. In
fact, iSCSI is already beginning to revolutionize the concept of SANs, placing these otherwise
expensive architectures well within the reach of small and midsized businesses. The benefits of a
SAN, centralized storage management, better fault tolerance, and easier storage
reconfiguration, are becoming available to organizations of every size. As Figure 2.8 shows,
iSCSI rides on your existing network topology, making the deployment easier than FC-based
SANs. "Existing network" should not mean the same broadcast domain as your users, though: the SCSI
commands, LUN numbers, and block data travel as plain TCP payload, so put storage traffic on its own
VLAN or subnet, require CHAP authentication of initiators at login, restrict each LUN to the initiator
names that should see it, and use IPsec where the path crosses a network you do not control.
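The encapsulation described above is easiest to see in the bytes. The following is an added example, not code from the book or from any real initiator: it builds the 48-byte Basic Header Segment of an iSCSI SCSI Command PDU carrying a READ(10) command (layout per RFC 3720 section 10.3), parses it back the way a target, or anyone sniffing the storage VLAN, would, and computes the CHAP response used in the iSCSI login phase (RFC 1994: MD5 of identifier, secret and challenge). The LUN, task tag, secret and challenge are constructed values.

```python
"""Build and parse the iSCSI PDU that carries a SCSI command, and compute
the CHAP response exchanged at login.

Added example, not from the book or any real initiator. The 48-byte Basic
Header Segment layout follows RFC 3720 section 10.3; the CHAP response is
RFC 1994's MD5(identifier || secret || challenge). All values are constructed.
"""
import hashlib
import struct
from typing import Dict

OPCODE_SCSI_COMMAND = 0x01
FLAG_FINAL, FLAG_READ, FLAG_WRITE = 0x80, 0x40, 0x20
BHS_FORMAT = "!BBxxB3sQIIII16s"   # 48 bytes, network byte order

# READ(10) CDB: opcode 0x28, LBA 0x100, transfer length 8 blocks (constructed).
READ10_CDB = bytes([0x28, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00])

def build_scsi_command_pdu(lun: int, itt: int, cdb: bytes, cmdsn: int,
                           expstatsn: int, read: bool, data_len: int) -> bytes:
    """Basic Header Segment of a SCSI Command PDU with no AHS and no data."""
    if len(cdb) > 16:
        raise ValueError("CDBs over 16 bytes need an Extended CDB AHS")
    flags = FLAG_FINAL | (FLAG_READ if read else FLAG_WRITE)
    # Byte 0 opcode; 1 flags; 2-3 reserved; 4 TotalAHSLength; 5-7
    # DataSegmentLength; 8-15 LUN (single-level: LUN number in bytes 0-1);
    # 16-19 Initiator Task Tag; 20-23 Expected Data Transfer Length;
    # 24-27 CmdSN; 28-31 ExpStatSN; 32-47 CDB, zero padded.
    return struct.pack(BHS_FORMAT, OPCODE_SCSI_COMMAND, flags, 0, b"\x00\x00\x00",
                       lun << 48, itt, data_len, cmdsn, expstatsn,
                       cdb.ljust(16, b"\x00"))

def parse_bhs(pdu: bytes) -> Dict[str, object]:
    """Decode the fields a target (or a sniffer on the storage VLAN) sees."""
    (opcode, flags, ahs_len, dsl, lun, itt, edtl,
     cmdsn, expstatsn, cdb) = struct.unpack(BHS_FORMAT, pdu[:48])
    return {
        "opcode": opcode & 0x3F, "immediate": bool(opcode & 0x40),
        "final": bool(flags & FLAG_FINAL), "read": bool(flags & FLAG_READ),
        "write": bool(flags & FLAG_WRITE), "ahs_len": ahs_len,
        "data_segment_len": int.from_bytes(dsl, "big"), "lun": lun >> 48,
        "itt": itt, "expected_data_len": edtl, "cmdsn": cmdsn,
        "expstatsn": expstatsn, "cdb": cdb,
    }

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C); the target recomputes it."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def example_exchange() -> Dict[str, object]:
    """Login authentication, then one READ(10) on LUN 1 (constructed values)."""
    secret, challenge = b"example-initiator-secret", bytes(range(16))
    response = chap_response(0x2A, secret, challenge)
    pdu = build_scsi_command_pdu(lun=1, itt=0x1234, cdb=READ10_CDB, cmdsn=5,
                                 expstatsn=3, read=True, data_len=8 * 512)
    fields = parse_bhs(pdu)
    fields["chap_ok"] = response == chap_response(0x2A, secret, challenge)
    fields["pdu_len"] = len(pdu)
    return fields

if __name__ == "__main__":
    for key, value in example_exchange().items():
        print("%-18s %r" % (key, value))
```

Note what the parser recovers without any secret: the LUN, the task tag and the full CDB, including the logical block address and transfer length. CHAP only authenticates the login; it does not protect the command stream that follows, which is why the isolation and IPsec advice above matters.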

Figure 2.8: iSCSI-based SANs use your existing network.

To further simplify the deployment of iSCSI, Microsoft released iSCSI drivers for Windows 2000
(Win2K), Windows Server 2003, and Windows XP Professional in June 2003. In this first
implementation, the driver installs into the OS and works with its TCP/IP stack (supporting iSCSI
over TCP/IP). Support is provided for all standard Ethernet adapters, meaning that iSCSI solutions
can be implemented without a major hardware upgrade. This same transparency of support is what
will make the Microsoft Chimney TOE implementation so desirable with future versions of the
Microsoft OSs.


You can find current details about Microsoft's iSCSI support and announced future plans at
http://www.microsoft.com/windowsserversystem/storage/iscsi.mspx.

The trick, of course, is that your existing network must be able to support the additional traffic
that iSCSI imposes, and only GbE can offer that flexibility.
iSCSI vs. FC
The SAN debate is beginning to heat up and will likely rage for years. The thinking is that FC SANs
provide dedicated bandwidth for storage (which you can also achieve with iSCSI, of course) and a more
efficient, more stable, and higher-end set of technologies for creating SANs. Other emerging technologies
will run FC over IP, meaning you could potentially build FC-based SANs over Ethernet networks.
However, FC is undeniably expensive. The FC adapters required for servers and storage devices are
expensive, as is the fiber-optic cabling. iSCSI offers a much less expensive solution. It uses standard
Ethernet technologies and requires much less expensive hardware and cabling. Whether iSCSI will be
able to edge out FC remains to be seen, but iSCSI will likely represent a majority of the SAN market of
the future because iSCSI-based SANs are affordable enough for companies that would have never
otherwise considered SANs. It should also be noted that iSCSI and FC are not mutually exclusive
implementations.
In fact, iSCSI is being compared in many ways to Microsoft Windows Server in the early days. Although
Windows wasn't, at the time, the most feature-laden or stable server OS, it was cheap, easy to set up,
and ran on inexpensive commodity server hardware. These characteristics made it an attractive solution
to small companies and departments who couldn't afford more complex, expensive, and demanding
solutions like UNIX, Novell NetWare, and so forth. iSCSI is to FC what Windows was to Novell: an
inexpensive, easy-to-maintain, easily deployed technology that will become very popular.

iSCSI Extensions for RDMA


iSCSI Extensions for RDMA (iSER) takes the robust iSCSI protocol and adds RDMA
capabilities. In short, iSER allows an application to request data through the SCSI layer and
allows the RDMA-enabled NIC (RNIC) to retrieve data from an external iSCSI storage device
and to place that data directly in the servers memory, where it becomes accessible to the
application. Much of this operation bypasses the computers processor, neatly offloading a great
deal of processing power onto the RNIC and relieving the processor bottleneck.
As with iSCSI and RDMA, iSER benefits from the fast, solid platform provided by GbE, giving
you yet another reason to ensure that GbE is implemented in your network. In fact, technologies
such as TOE, Microsoft Chimney, iSCSI, RDMA, and iSER are poised to offer significant,
innovative performance advantages to client/server applications. If the immediate cost and
performance benefits that GbE brings to the table aren't enough to convince you to begin your
GbE migration now, these advanced technologies provide evidence of the value a GbE
implementation will ensure, making your networking infrastructure a competitive advantage for
your business.


The Financial Story


How much are your employees paid to kill time while their computers wait for a busy network to deliver
data? Suppose a GbE deployment managed to save your employees just 2 minutes per day. The reality
is that GbE will save much more time than that, but even saving 2 minutes a day for a $50,000 per year
employee is a $601 yearly savings for your company. For a $100,000 per year employee, your
organization would save $1202.
There are additional financial aspects of GbE to consider. For example, what is the actual cost of
upgrading to GbE? In many cases, new client PCs and servers come standard with GbE or offer a GbE
upgrade for as little as $40.

Looking Ahead
A number of emerging technologies, many of which are beginning to be available right now,
offer faster performance, easier management, and advanced functionality. Your next-generation
network isn't as far away as you might think.
One of the most exciting new developments is 10GbE switching. As GbE becomes more
prevalent at the desktop and server tiers, you will need a way to aggregate Gigabit speeds.
Traditionally, companies have used expensive fiber connections between buildings on a
corporate campus or on city-spanning MANs. In addition to the expensive fiber cabling, the fiber
controller modules can cost thousands of dollars. 10GbE brings the cost down inside the data center,
where 10GBASE-CX4 carries 10Gbps over inexpensive copper cabling of the kind InfiniBand uses; note
that this copper form is limited to roughly 15 meters, so links between buildings still rely on the
fiber variants of 10GbE. A single 10GbE uplink can aggregate many GbE connections and improve the
ability of servers to maintain multiple connections.

Summary
GbE represents the ideal upgrade to today's overburdened networks: you can deploy GbE as
quickly or as slowly as you like, and with the right purchasing decisions on new equipment, GbE
will effectively deploy itself invisibly throughout your enterprise. In addition to helping
bandwidth-hungry applications, such as voice and video conferencing, and meeting the demands
of data-hungry users, GbE offers additional bandwidth for exciting new technologies such as
TOE, iSCSI, RDMA, and iSER. These technologies offer more than just new functionality; they
offer serious solutions to performance bottlenecks that hamper high-end business applications.
When placed in the context of planning for your future business growth and development, GbE
implementation becomes a critical part of the future infrastructure for any business that plans to
be competitive, especially in light of the simplicity of deploying GbE in your current networking
enterprise.
In the next chapter, we'll explore wireless networking, considered by many to be the most
exciting development in the network arena since Ethernet. From a standing start just a few short
years ago, wireless networking, now in its fourth generation of broad-audience technologies, is
revolutionizing the way people work and play, and the way networks are designed, secured, and
managed.

All product and service names and all trademarks are the property of their respective owners.


Chapter 3: Extending Enterprise Networks with Wi-Fi


Wireless networking is arguably the most important advance in networking technology since
Ethernet. Today, wireless networking is enabling a whole new range of devices and
functionality. With wirelessly networked notebook computers and handheld devices, for
example, employees can stay connected whether they are attending a meeting across the building
or catching a plane across the country. And cell phones with built-in wireless networking are
emerging to help companies cut costs and improve productivity by using Voice over IP (VoIP).
The state of wireless networking has evolved rapidly over the past several years. The good news
for those who are considering implementing a wireless network is that the technology has
reached a state in which there are well-defined standards and a widely accepted seal of
interoperability to ensure that competing products work together. IEEE 802.11g has now
emerged as the mainstream wireless LAN standard, and new advances in the physical layer of
wireless networking aren't expected before 2005. Measures to secure wireless network
communications are also now well defined.
In addition, today's wireless LAN products are smarter and more flexible; thus, they will be able
to more easily adapt to emerging standards and features. The easiest decision you can make is to
buy portable devices that provide built-in wireless networking. For pocket-sized mobile devices
such as handhelds, choose 802.11b, because it is the most common wireless networking standard
and it enables lower-power adapters than the higher-performance alternatives. Laptops and other
portable computers, however, will benefit from the higher raw data rates of 802.11g, 802.11a, or,
better yet, a dual-mode adapter that supports both 802.11a and 802.11g. Most manufacturers
already offer these technologies built into new laptops, and you can upgrade older units by using
PC Cards or USB adapters.
Innovations in CMOS technology have helped drive Wi-Fi performance up while driving costs
down. CMOS is the most widely used manufacturing technology in the world and the digital
portion of most wireless networking chip sets is built in CMOS. With radios now designed in
CMOS technology, chip-set suppliers are able to combine the entire wireless LAN solution onto
a single chip. This recent innovation squeezes all the functionality, including the analog radio,
onto a single piece of silicon. These devices enable wireless network-enabled handheld devices
that are smaller, use less power and are less expensive.
In this chapter, you'll learn how wireless networking operates, why the technology is important,
and how to tell the difference between a stable, future-proof wireless network and proprietary
offerings that likely will not support your enterprise in the years to come.


A Brief History of Wireless Networking


Before you can start selecting wireless networking technologies, it is useful to know a little bit
about where those technologies came from. Seeing the progression of wireless LAN technologies
makes it easier to predict where wireless networking is going in the future and to determine
which of todays technologies will provide the most stable, long-lasting solution for your
enterprise.
802.11 Legacy
802.11 is the family of Institute of Electrical and Electronics Engineers (IEEE) specifications
that address wireless networking. The first implementations of these technologies were capable
of achieving speeds of 1Mbps and 2Mbps. Popular primarily in vertical applications, these
original technologies didn't provide enough bandwidth for enterprise use. However, they did act
as a proof-of-concept for the viability and market interest of wireless networking in general, and
set the stage for significant advances.
It's doubtful that you will see much original 802.11 in use these days unless you're working in an
industry that has implemented a vertical solution based on the technology. Although 802.11 saw early
popularity in applications such as manufacturing and healthcare, it wasn't widely implemented in
mainstream enterprise environments.

802.11b
The IEEE approved two enhancements to the original 802.11 standard in 1999, 802.11a and
802.11b. 802.11b occupies the same 2.4GHz radio frequency as the original 802.11 specification,
extending raw data rates to 11Mbps. It was the first major commercial success for wireless
networking, primarily because it provided similar maximum data rates to 10Base-T Ethernet,
making it viable for corporate use. Many manufacturers quickly released commercial 802.11b
products, including 3Com, Apple, Cisco, Dell, Gateway, Hewlett-Packard and others.
The Wi-Fi CERTIFIED Designation
Although the IEEE created the 802.11 family of specifications, the organization doesn't enforce the
specification or ensure that manufacturers create products that precisely meet the specification. To
ensure that manufacturers produce implementations that are interoperable with other 802.11 devices, the
Wi-Fi Alliance provides interoperability testing and a seal of approval.
Currently composed of more than 200 member companies, the Wi-Fi Alliance issues the Wi-Fi CERTIFIED
designation, which ensures that products claiming to be 802.11b compatible are, in fact, fully interoperable with
other 802.11b devices. The Wi-Fi Alliance conducts rigorous tests of hardware and software to ensure
compatibility before issuing the designation, providing consumers with confidence that all Wi-Fi
CERTIFIED products will work with one another. Today, Wi-Fi CERTIFIED has been expanded to include
802.11g and 802.11a, and more than 1000 products have been Wi-Fi CERTIFIED to date.
Wi-Fi CERTIFIED has become so popular and widely recognized that it's harder to find products that
don't carry the designation. Still, don't bother purchasing products that aren't certified should you come
across any; the benefit of compatibility and specification adherence is worth looking for the Wi-Fi logo.
Wi-Fi CERTIFIED is your guarantee of interoperability between devices.

37

Chapter 3
802.11a
With 802.11a, the IEEE took the standard up to 5GHz, offering raw data rates up to 54Mbps. As
with 802.11b, 802.11a provides for lower data rates to compensate for coverage, offering speed
fallbacks to 48Mbps, 36Mbps, 24Mbps, 18Mbps, 12Mbps, 9Mbps and 6Mbps. 802.11a products
began appearing in 2001. The higher speed allows greater capacity, but the higher frequency
means shorter range. The biggest issue for 802.11a is that its different radio frequency makes it
incompatible with 802.11b, which has seen wide deployment throughout the world. These
limitations have hindered adoption of 802.11a. As the market continues to evolve, manufacturers
are releasing network adapters and wireless access points (APs) that support tri-mode
operation (which means they support 802.11a, 802.11b, and 802.11g) or dual-band operation (which
means they cover both 2.4GHz and 5GHz frequencies), allowing client devices to connect with
whichever form of wireless networking is best at the time.
The Wi-Fi CERTIFIED program requires manufacturers to indicate whether their certified product
operates at 2.4GHz or 5GHz, making it easier for consumers to buy the right equipment for their
needs.

802.11g
802.11g is the new mainstream wireless networking technology. Ratified by the IEEE in June
2003, 802.11g works in the same 2.4GHz range as 802.11b. 802.11g provides speeds of 54Mbps,
with fallback to speeds of 48Mbps, 36Mbps, 24Mbps, 18Mbps, 12Mbps, 11Mbps, 9Mbps,
6Mbps, 5.5Mbps, 2Mbps and 1Mbps, if necessary. Like 802.11a, 802.11g is nearly five times
faster than 802.11b. Its advantage is that it is fully backward compatible with 802.11b, making it
the logical successor to that protocol. In fact, to carry the Wi-Fi CERTIFIED designation,
802.11g products must provide full backward support for 802.11b, ensuring a smooth migration
to the new protocol.
54g
54g is Broadcom's implementation of the 802.11g standard, providing maximum performance in speed,
reach, and security. 54g products are fully 802.11g compatible and provide the fastest possible speeds
allowed by that specification. 54g-branded products offer extended ranges thanks to SmartRadio and
the standards-based Broadcom Xpress™ technology, built-in Wi-Fi Protected Access (WPA) and
Advanced Encryption Standard (AES) security (which we'll discuss later in this chapter). 54g products
were the first to achieve Wi-Fi certification, and were included in the 802.11g Wi-Fi test bed that all other
products are tested against for interoperability.

The Wi-Fi Alliance recently announced a new brand, Wi-Fi ZONE. This brand is used to designate
public wireless LAN access that is built using Wi-Fi CERTIFIED hardware. If your client device contains
Wi-Fi CERTIFIED hardware, a Wi-Fi ZONE provides a place where you're ensured interoperability. You
can find a list of places offering Wi-Fi ZONE access at http://www.wi-fizone.org.

It is becoming more common to find APs that support a variety of standards, including 802.11a
and 802.11g. These APs make it easy to get connected no matter which type of equipment you
have in your client device.
Dual-Band 802.11a/b/g
For the enterprise, dual-band is a compelling option when architecting your network. Client devices such
as laptops can automatically select 802.11g or 802.11a, depending on traffic and usage patterns. Near
the end of this chapter, we'll explore sample network architectures that leverage these devices to provide
the most robust, future-proofed wireless network possible.

802.11 Everything Else


The 802.11 specification includes the three physical layer extensions described earlier, 802.11a,
b, and g. In addition, each new extension to the standard must first be designed and approved by
an IEEE task group chartered with moving the standard forward. The IEEE task groups that are
working toward final specification include:

802.11d: Used in country-specific domains
802.11e: Enhancements to the media access control (MAC) layer, including quality of service (QoS) and packet bursting
802.11f: The Inter-Access Point Protocol (IAPP), which establishes communications between access points in a network so that clients can roam between them
802.11h: A 5GHz networking enhancement using dynamic channel/frequency selection and transmit power control for European compatibility
802.11i: Security enhancements
802.11j: Enhancements for use in Japan
802.11n: Higher throughput improvements

IEEE specifications typically require years of work and research and, sometimes, the specification's
goals turn out to be unreachable given current technologies, or those goals evolve enough that a new
specification is warranted. In addition, pieces of a specification are sometimes implemented in the
marketplace ahead of the full specification ratification. WPA and Broadcom Xpress technology, both
of which we'll cover later in this chapter, are examples of how the IEEE draft specifications can drive
product development even before full ratification.

Of these additional specifications, 802.11e and 802.11i provide the most important benefits to
wireless networking in general. 802.11i is of particular importance, as it deals with security in
wireless networking, a topic that has been a concern since the limitations and vulnerabilities of
Wired Equivalent Privacy (WEP) became clear.


How Wireless Networking Works


Wireless networking occupies the same layer of the network as Ethernet. Whereas Ethernet
(spelled out in the 802.3 standard) specifies the physical characteristics of an electrical
transmission over copper wires, 802.11 specifies the physical characteristics of a radio
transmission through the air. The basic purpose of wireless networking is to translate digital
signals into an analog radio signal, then to receive that signal and convert it back into digital.
Like Ethernet, wireless networking doesn't care about upper-layer protocols carried over the
network and can transmit TCP/IP and IPX/SPX.
Basic Operations
There are two types of networks specified in the standard: ad-hoc and infrastructure networks.
Most wireless LAN adapters in client devices are capable of establishing an ad-hoc network (a
point-to-point connection between two clients); however, most networks are set up in
infrastructure mode. In an infrastructure wireless LAN, which Figure 3.1 shows, clients
transmit information to an AP. The AP acts much like a hub in a wired network, connecting
several wireless clients to one another. APs also connect the wireless clients to a wired network,
providing access to servers, printers, the Internet, and so forth.

Figure 3.1: Simple WLAN configuration.

Engineering a wireless network requires careful placement of these APs to provide complete
coverage. APs can, and should, have an overlapping signal area; clients will automatically
select one AP, then select a new AP when moving out of range of the first. As Figure 3.2 shows,
you might need to provide significant overlap for high-density areas, increasing the total amount
of bandwidth available to the wired network.


Figure 3.2: Overlapping APs provide more bandwidth for a larger number of clients.

Think of it this way: each 802.11g AP provides up to 54Mbps connectivity between wireless
clients and the wired network. However, each 802.11g AP must share its available bandwidth
with all the clients on the network. By adding a second AP in the same transmission area, some
clients will be able to utilize that AP's connection to the wired network rather than the first AP's
connection. A simple analogy is a highway: adding lanes won't increase the speed limit, but it
will allow more cars to travel at that top speed.
Shared Bandwidth
An AP can only provide its maximum throughput to a single wireless client at a time. If there are two
wireless clients within range, they will share that bandwidth, just as they would on a wired Ethernet
segment. In fact, APs provide a function logically similar to Ethernet hubs, connecting wireless clients and
allowing them to share the available bandwidth.

By contrast, Figure 3.3 shows what happens when APs don't provide sufficient coverage. Mobile
clients may travel out of range of one AP before reaching another AP, resulting in a loss of
connectivity. It's important to understand the transmission characteristics of your clients and APs
and to thoroughly test AP placement when deploying a full-coverage wireless network.

Figure 3.3: Insufficient coverage can cause a loss of connectivity.


Hardware can make a big impact when it comes to coverage. Antenna design can be especially
important, and add-on third-party antennas can be used to increase the range of a wireless network.

802.11 Legacy Specifics


The original 802.11 standard specified products in the 2.4 GHz frequency band and allowed both
frequency-hopping spread spectrum (FHSS) and direct-sequence spread spectrum (DSSS)
technologies. Products operate in the unlicensed Industrial, Scientific and Medical (ISM) band,
which means that no license is required for operation, but they must accept interference from
other ISM-band devices. DSSS basically provides a means for structuring the signal to be
transmitted. The DSSS transmissions create a pseudo-random noise signal and add it to the
signal being transmitted. The receiver, which knows the noise sequence, can filter out the
noise to retrieve the original signal.
The basic DSSS standard includes a 1Mbps and 2 Mbps mode of operation. To double the raw
data rates to 2Mbps, a technique called differential quadrature phase shift keying (DQPSK) is
specified. With DQPSK, phase shifts represent two-bit combinations instead of a single bit at
1Mbps, thus doubling raw data rates. The single-bit technique is called differential binary phase
shift keying (DBPSK).
The 2.4GHz radio frequency of 802.11 allows for a nominal range of about 350 feet. The band
allows for as many as 14 channels, depending on geography. With each channel reaching about
20MHz in each direction, there is only room for three non-overlapping channels in the 2.4GHz
band.
802.11b Specifics
The 802.11b specification sticks with DSSS and a refinement called HR-DSSS. To reach the
higher data rates, a scheme called complementary code keying (CCK) is used. CCK is basically a
set of algorithms that enables each bit to represent an even greater number of bits. At its
maximum, the raw data rate for 802.11b reaches 11Mbps with fallback to 5Mbps and the 2Mbps
and 1Mbps of the original 802.11 specification.
Coverage is a significant consideration for deploying wireless LANs. Radio signals are affected
by wallboard, metal, and other everyday materials. If a network can't hold a connection reliably
at 11Mbps, it will fall back to 5.5Mbps, 2Mbps and 1Mbps. As a result, it is important to
properly distribute wireless APs throughout a location to provide the best signal coverage.
All range measurements for wireless networking are theoretical ranges; actual operating range
depends on a number of factors, including antenna type, antenna location and orientation,
interference and environmental factors.


802.11a Specifics
802.11a also uses a different transmission structure than 802.11b: orthogonal frequency division
modulation (OFDM), which is sometimes called discrete multitone modulation (DMT). The
technique has seen widespread use in other high-speed networking applications, namely a form
of asynchronous digital subscriber line (ADSL). OFDM is highly resistant to noise and jamming
and can be combined with other techniques to resist signal dispersion, burst noise, fading, and
other transmission problems. Because 802.11a uses 5GHz radio frequencies, it has a shorter
operating range than 802.11b. However, 802.11a is well suited for high traffic locations because
it can support as many as 12 non-overlapping channels, so there are more channels available to
support client devices.
802.11g Specifics
802.11g uses the same DSSS, HR-DSSS as 802.11b and adds the same OFDM modulation
method as 802.11a. Like the original 802.11 and 802.11b, 802.11g supports a range of about 350
feet and three non-overlapping channels because it resides on the same 2.4GHz radio frequency.
Broadcom Xpress Frame Bursting Technology
There is growing demand for more bandwidth, yet a wireless LAN standard for data rates beyond
54Mbps is at least a year away. In the meantime, there are technologies available to improve
efficiency, thereby increasing the effective bandwidth of today's data rates.
One such technique is called frame bursting. Frame bursting, an extension of a feature in an
original version of the 802.11 specification, is included in drafts of the upcoming 802.11e QoS
standard. Frame bursting improves wireless LAN performance by eliminating some overhead
traffic. As a result, more of the limited bandwidth is available to send and receive data.
Broadcom is one of the first wireless LAN chip set suppliers to offer frame bursting, and markets
the feature as Broadcom Xpress technology.
Wireless networking provides a shared medium; all wireless clients within range of an AP share
that AP's bandwidth, and the more clients you place on the AP, the less bandwidth each
individual client will receive. More devices are going wireless; in fact, according to
TechKnowledge Strategies, by 2007, 75 percent of the wireless networking chip sets produced
will go into something other than notebook computers. Wireless VoIP phones, PDAs, notebooks,
MP3 players, digital cameras and other applications will all compete for wireless bandwidth.
In addition, wireless clients never achieve the full speed of their network (wired networks don't
either, though wireless networking overhead is more substantial). For example, in an 11Mbps
802.11b network, clients can't usually exceed 6Mbps actual speed due to networking overhead
(there is also a difference between the data rate and the throughput, which we'll explore later in
this chapter). Every packet transmitted incurs a small amount of overhead. Unfortunately, to
maintain compatibility with older standards, overhead doesn't change much even as data
transmission speeds increase. For example, an 802.11g network takes less time to transmit a data
packet than an 802.11b network requires, but both networks incur about the same overhead in
doing so.

Frame bursting is designed to help address this problem. The original 802.11 standard requires
wireless LAN devices to pause after each transmitted frame, which is basically a packet prepared
for wireless transmission. These pauses allow other devices a chance to signal their intention to
transmit, keeping the network working smoothly. With frame bursting, the client that is sending
data is allowed to send several frames in a row without pausing, thus decreasing the total
overhead while transmitting a data packet. Figure 3.4 illustrates this process.

Figure 3.4: Unbursted network traffic vs. network traffic with frame bursting.

Note that transferring the data frames in 802.11g requires less time even though they contain the
same amount of data; this benefit is one of the major features of 802.11g that allows it to achieve
higher throughput.

Imagine a conversation in which you're required to pause for one second after every word to see
whether anyone else wants to talk. If you wanted to say "nice weather we're having," it might
only take half a second per word, but the entire phrase would require five seconds due to the
pauses. In frame bursting, you would be allowed to get out as long as 1.5 seconds of words
before pausing, meaning your phrase would only require 3 seconds, a savings of 2 seconds (a
40 percent savings).
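To make the overhead argument concrete, here is an added airtime model (not the book's code; the per-frame overhead, the contention pause and the burst window are constructed placeholders, not 802.11 timing constants). It reproduces the conversation analogy above, then applies the same pause-or-burst rule to 802.11b and 802.11g frames to show why a fixed overhead hurts the faster rate more and what bursting recovers:

```python
"""Airtime model for 802.11 overhead and frame bursting.

Added example; not the book's code and not 802.11 timing constants. The
per-frame overhead, the inter-frame pause and the burst window are constructed
placeholders chosen only to make the effect visible.
"""


def frame_airtime(payload_bits, data_rate_bps, overhead_s):
    """Seconds on air for one frame: payload at the data rate plus fixed overhead.

    The overhead term is what stays roughly constant between 802.11b and
    802.11g, so it eats a larger share of the airtime at 54Mbps.
    """
    return payload_bits / data_rate_bps + overhead_s


def total_airtime(n_frames, frame_s, pause_s, burst_window_s=None):
    """Seconds to send n_frames, pausing between frames so that other stations
    get a chance to signal their intention to transmit.

    burst_window_s=None models the original rule (pause after every frame).
    With a burst window, the sender keeps transmitting until the next frame
    would push the burst past the window, and only then pauses.
    No pause is counted after the last frame, matching the book's analogy.
    """
    total = 0.0
    burst_used = 0.0  # airtime consumed by the current burst
    for i in range(n_frames):
        if i > 0:
            can_continue = (burst_window_s is not None
                            and burst_used + frame_s <= burst_window_s + 1e-12)
            if not can_continue:
                total += pause_s  # yield the medium before the next frame
                burst_used = 0.0
        total += frame_s
        burst_used += frame_s
    return total


def conversation_analogy():
    """The 'nice weather we're having' example: four 0.5s words, a 1s pause
    after each word, versus bursts of up to 1.5s of words before pausing.
    Returns (unbursted seconds, bursted seconds, fractional saving)."""
    unbursted = total_airtime(4, 0.5, 1.0)
    bursted = total_airtime(4, 0.5, 1.0, burst_window_s=1.5)
    return unbursted, bursted, (unbursted - bursted) / unbursted


def effective_throughput(data_rate_bps, payload_bits=12_000, n_frames=20,
                         overhead_s=200e-6, pause_s=50e-6, burst_window_s=None):
    """Payload bits delivered per second of airtime for a single station.

    Defaults are constructed: 1500-byte frames, 200 microseconds of fixed
    per-frame overhead and a 50 microsecond contention pause.
    """
    frame_s = frame_airtime(payload_bits, data_rate_bps, overhead_s)
    return n_frames * payload_bits / total_airtime(n_frames, frame_s, pause_s, burst_window_s)


def compare_rates():
    """Same fixed overhead at 11Mbps and 54Mbps, with and without bursting.
    Returns throughputs in bit/s plus each rate's efficiency (throughput / data rate)."""
    b = effective_throughput(11e6)
    g = effective_throughput(54e6)
    g_burst = effective_throughput(54e6, burst_window_s=2e-3)  # about 4 frames per burst (constructed)
    return {"802.11b": b, "802.11g": g, "802.11g+burst": g_burst,
            "b_efficiency": b / 11e6, "g_efficiency": g / 54e6}


if __name__ == "__main__":
    print(conversation_analogy())
    for name, value in compare_rates().items():
        print(f"{name}: {value:,.3f}")
```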
The early 802.11 specification includes a feature called fragment bursting that essentially
provided this savings for single packets that were divided into sub packets. Frame bursting is a
standards-based technology that extends and implements this feature for multiple data packets.
Frame bursting is also included in the draft 802.11e specification (in which it is called
continuation transmit opportunity, or CTXOP), which focuses on QoS issues such as prioritizing
certain frames of time-sensitive traffic (such as streaming media). Industry leaders such as
Broadcom and Microsoft are creating the Wi-Fi Multimedia Enhancements (WME), a subset of
802.11e that should be brought to market sooner than the full 802.11e specification. WME also
includes frame bursting technologies.

As you can see in Figure 3.4, the performance improvement offered by Broadcom Xpress frame
bursting is significant. Broadcom Xpress technology includes specific features to deal with
mixed-mode environments (networks with both 802.11b and 802.11g clients). For example, in an
environment with only one 802.11g client, Broadcom Xpress technology can result in an
aggregate of as much as 23 percent performance improvement. With two clients, Broadcom
Xpress technology shows as much as a 27 percent improvement, reflecting the savings of both
clients eliminating some of their transmission overhead. With one 802.11g and one 802.11b
client, as much as 61 percent performance improvement is possible, assuming only the 802.11b
client is using Broadcom Xpress technology. In a mixed environment in which an 802.11g and
802.11b client both use Broadcom Xpress technology, the performance improvement is close to
75 percent simply by eliminating wasted transmission time.
Broadcom has introduced Broadcom Xpress technology through its OneDriver software,
which makes frame bursting available for Broadcom's entire family of AirForce wireless
networking products. These solutions are used in many of the major network and notebook
brands.
One advantage of Broadcom-based solutions is that the entire AirForce family (found in wireless LAN
products from Apple, Dell, Hewlett-Packard, Linksys/Cisco, and others) utilizes a single software
driver. This makes it easier for enterprises to maintain a single OS software image as product
updates are deployed.

Radios Matter
Remember that GI Joe walkie-talkie you had as a kid? If your friend ran halfway down the block,
you couldn't talk anymore, and you just couldn't imagine how the real military got by with such
shoddy equipment. Obviously, the real military had better equipment, so the message is simple:
all radios are not created equal. For that matter, not all digital signal processor (DSP) algorithms
and antennas are created equal, and they all play an important role in the performance of wireless
network hardware. One reason some notebooks seem to perform so well is that their wireless
antenna is embedded in the notebook's housing and extends around the circumference of the
display, providing a large antenna that tends to rise above desktop-level signal blockages.
CMOS radios are also an important technology. Because CMOS manufacturing techniques are
designed for precision and reliability, CMOS radios lend themselves to consistently better
performance than other chip-manufacturing technologies. First introduced in 2002, CMOS radios
are the most common type of radio found in 54Mbps products. CMOS has a host of other
advantages, including lower power and a smaller form factor, which helps to increase portable
devices' battery life and make the technology easier to implement in a wider range of devices.
Competing, more exotic technologies such as silicon germanium (SiGe) and gallium arsenide
(GaAs) provide less sensitivity and higher power consumption and are typically more expensive
to produce, increasing the price of the wireless LAN product you buy.
Experts predict that, eventually, all wireless LAN radios will be CMOS. The cost savings, reliability
and ease of manufacturing of the CMOS process is simply too significant. In the meantime, you can
save yourself money and increase reliability by choosing wireless networking products that already
incorporate CMOS radios, such as those from Broadcom.

When selecting radios, you should also look for features such as self-calibration, which enables
the radio to adapt more readily to deal with walls, extended ranges and other conditions,
providing consistently higher data rates without forcing the network adapter to fall back to a
slower rate. Bluetooth, a short-range wireless technology, uses the same 2.4GHz band as
802.11b and 802.11g, providing potential for interference, particularly when both technologies
exist in the same device, as is becoming more common. Selecting solutions that are designed to
work together, and ideally, integrated, allows them to cooperate rather than compete.
Mixed 802.11b and 802.11g Environments
If your goal is to build the fastest wireless network possible, you should be aware of a
performance limitation imposed on an 802.11g network when 802.11b clients are present.
802.11g can only operate in its fastest mode when there is no need to support 802.11b devices;
even a single 802.11b device will force the network into a slightly slower mode. 802.11g devices
will continue to function at much higher data rates than 802.11b, but they won't reach their full
throughput potential. This protocol for providing backward compatibility in mixed-mode
environments is called protection mechanism, and it is part of the 802.11g standard.
Consider the network that Figure 3.5 shows, which includes two APs running on a single channel
and four wireless clients. Three of the clients are 802.11g, and one is 802.11b. Because the two
APs are on the same channel, they must activate protection mechanism to accommodate the
802.11b client, thereby providing support for both the 802.11b and 802.11g clients.

Figure 3.5: A single 802.11b client activates protection mechanism which slows the network.

Many industry observers expect that wireless networks will need to be prepared to deal with
802.11b traffic for years to come, as handheld devices that don't require the bandwidth of
802.11g can instead take advantage of inexpensive, lower-power 802.11b technology. However,
if you want to provide maximum speed to your 802.11g clients, you'll need to build overlapping
wireless networks on different channels, with one dedicated to serving only 802.11g clients.
Figure 3.6 shows this setup.


Figure 3.6: Different channels help maximize performance in mixed environments.

In this example, clients using the channel one and six APs will be able to run at full, native
802.11g speeds. Clients using the channel eleven APs will run either at 11Mbps (802.11b clients)
or the slightly slower mixed-mode speeds (802.11g clients).
Don't expect 802.11b to go away just because 802.11g is available. Many devices, including PDAs
and cell phones, simply have lower bandwidth needs and can do just fine with 802.11b. 802.11b is
also less expensive to add to these devices, is available in single-chip implementations from
manufacturers such as Broadcom, and has a long life ahead of it. Make sure your wireless network
plans include 802.11b support.

Building Wireless LANs


Building a wireless network isn't totally different from building a wired one. Obviously, the key
players in the wireless network are the APs, which provide a connection between your wired
network and your wireless clients. Specific architecture strategies for the different modes and
frequencies are a bit different, though, depending on your needs. In the next few sections, we'll
discuss the major design factors and decision points for building a wireless network.
The Wired Connection
APs function as physical layer bridges, providing connectivity between disparate physical
networks, specifically wireless 802.11a/b/g networks and Ethernet wired networks. Some APs
can also be configured to act as repeaters, simply picking up wireless signals and relaying them
back to a wired AP, increasing the range of the wireless network.


Ad-hoc vs. Infrastructure


Wireless network adapters support a built-in ad-hoc mode designed to connect two adapters directly to
one another. The wired equivalent of ad-hoc mode is an Ethernet crossover cable, and the mode is useful
when you simply need to transfer a few files from place to place. Ad-hoc mode doesn't utilize APs.
Infrastructure mode comes into play with APs, allowing multiple wireless clients to connect to the AP,
thereby connecting to the wired corporate LAN. Infrastructure mode is more like using an Ethernet hub.
Windows XP built-in wireless networking software will automatically detect APs that are advertising
themselves, and generally requires users to take extra steps to establish an ad-hoc connection. The idea
is that most users, most of the time, will want to use infrastructure mode to access the resources of a
wired network (such as the Internet).

802.11b Architecture
Many corporations have already rolled out 802.11b wireless connectivity within their offices,
and a large number of public hot spots are available that provide free or inexpensive wireless
access. The networks providing this connectivity are generally simple. In most corporate
environments, APs are placed near major areas of wireless LAN need: conference rooms,
lobbies, cafeterias, employee lounges, and other areas in which mobile client devices are
typically used. APs are wired back to the nearest Ethernet switch, providing connectivity to the
wired network. Figure 3.6 is a simplified illustration of a typical 802.11b deployment. Note that
a single 802.11b AP provides a maximum of 11Mbps data rate (not throughput), shared between
all wireless clients within range.
To allow for a higher density of users and because 802.11b allows for three distinct non-overlapping
channels, a configuration could be set up in which each AP handles one channel
apiece. This setup provides an aggregate 33Mbps data rate shared in 11Mbps chunks with each
802.11b client on a particular channel. This type of configuration is appropriate for large
conference rooms in which additional high-capacity users may be online at the same time. Many
companies place APs so that their coverage areas overlap significantly around high-density areas
such as large conference rooms, engineering labs, and so forth.
802.11a and 802.11g Architecture
802.11a and 802.11g each provide a maximum of 54Mbps shared bandwidth per AP. Like
802.11b, 802.11g provides for three non-overlapping channels, meaning a coverage area served
equally by three APs can provide up to 162Mbps aggregate capacity. When architecting your
network, however, be aware that any 802.11b clients within a channel will cause that channel to
enable protection mechanisms that will result in lower bandwidth for the 802.11g clients
(although they will still get better than 802.11b bandwidth).
802.11a, however, provides as many as 12 non-overlapping channels in a shorter, 180-foot range.
This feature makes 802.11a ideal for especially high-density areas; as many as 12 APs can
service a single coverage area, providing an aggregate raw data rate of 648Mbps. Although it is
unlikely that many organizations will need that much bandwidth in such a small area, there are
certainly applicationssuch as videoconferencing and other streaming media applicationsthat
might make the additional dedicated bandwidth worthwhile.

One way to structure wireless networks is to deploy 802.11g (which also provides 802.11b
support) to areas of normal usage, such as office spaces, smaller conference rooms, employee
lounges, and so forth. You can then deploy multiple dual-band 802.11a/b/g APs to higher-density
areas, such as cafeterias, larger conference rooms, or anyplace in which higher density may be
required in the future. To begin, you can simply deploy one AP to each of these areas. As the
need for additional aggregate bandwidth becomes evident, you can add more APs to the
coverage area. If you adopt this strategy, make sure you're investing in tri-mode 802.11a/b/g
clients, as well, so that your clients will be able to connect to the networks within range. You can
then switch your high-density areas to provide primarily 802.11a coverage, because your clients
will be able to roam between networks fairly easily.
Where Do You Need Coverage?
Your first big decision, of course, is to decide where you need wireless networking. Conference rooms,
lobbies, and other meeting areas are obvious choices. Employee cafeterias and lounges may be other
choices. Some companies go so far as to provide wireless LAN coverage in nearby public areas, such as
an outdoor courtyard or picnic area. Large companies may also provide access at a nearby shopping
mall's food court so that employees can check email while at lunch. This access may be in the form of a
sponsored public hot spot or an extension of the company's own, authentication-required wireless
network.
You'll also need to decide how much wireless coverage you need in your regular office spaces. Some
companies figure that their desktop and other office computers are all wired, so there's no need to invest
in additional APs. However, employees coming back from a conference may not plug their laptops into a
dock or other network connection right away; providing at least minimal AP coverage in the office areas
will ensure that these employees can continue to work without interruption.

Wireless Security Concepts


The idea of broadcasting your data into the air can be a little scary. After all, even though wired
networks are far from immune to attack, they at least have the advantage of being physically
difficult for outsiders to access. Wireless networks send your data outside your walls, where any
passerby could easily eavesdrop. Another new problem brought by wireless networks is war
driving, through which less-than-scrupulous individuals look for unsecured wireless networks
and hijack bandwidth, wasting your corporate resources for their own uses. Fortunately, wireless
LAN security has come a long way and is able to address these problems.
WEP
The original 802.11 specification included WEP. The intent of WEP was to make the wireless
LAN connection secure through an encryption scheme. WEP required an encryption key to
participate in the network. As it turned out, there were two critical flaws with WEP. First, the
encryption key was static and shared by the entire network, so it proved to be easy for a
computer to crack. Second, WEP provided no means of authenticating users who were approved
for network access.
It was clearly time to improve upon WEP, and the IEEE created the 802.11i project to address
the two shortcomings. IEEE specifications can take a long time to come to completion, so the
Wi-Fi Alliance stepped in. Together with the IEEE, the Wi-Fi Alliance created Wi-Fi Protected
Access (WPA), which addresses both of WEP's shortcomings and is available today.

802.11i
Currently in draft status with the IEEE, 802.11i is designed to shore up wireless LAN security
with a comprehensive specification. 802.11i is being built around 802.1X port-based
authentication, which we'll explore later in this chapter. 802.11i is nearing completion and
should be ratified in mid-2004 according to the current pace of work. Two critical components of
802.11i are AES, a new cryptographic standard created by the United States government, and
WPA's authentication scheme.
Prior to 802.11i's ratification, however, the Wi-Fi Alliance announced WPA, a new part of the
Wi-Fi CERTIFIED program. The alliance requires WPA support for new products to earn the
Wi-Fi CERTIFIED designation.
WPA
WPA uses the Temporal Key Integrity Protocol (TKIP), which is a bundle of data encryption
features. Keys are derived differently than with WEP and are rotated frequently to prevent any
one key from becoming overused and potentially compromised. WPA also adds message
integrity checks to prevent forged packets.
AES
AES is the cryptographic standard adopted by the National Institute of Standards and
Technology (NIST) in 2001 as FIPS 197. It is a symmetric block cipher, operating on 128-bit blocks
with key sizes of 128, 192, and 256 bits, and it serves as the replacement for the aging Data
Encryption Standard (DES), which supports only 56-bit keys. AES is also a faster algorithm than the
now-common Triple-DES, a DES enhancement that basically encrypts each block three times for better
security. Published estimates of the time modern computing equipment would need to brute-force an
AES key run to 149 trillion years, compared with 4.6 billion years for Triple-DES; both figures
assume exhaustive key search rather than a weakness in the cipher or in how it is used, which is
why the surrounding protocol (key derivation, integrity checks, replay protection) matters as much
as the cipher itself.
AES is a significant component of 802.11i, and encrypting and decrypting every packet that
passes in or out of a wireless client device or AP is a significant task. Fortunately, AES can be
implemented in hardware, where it is extremely fast and places virtually no overhead on the
client OS. Broadcom networking products carrying the 54g logo include a complete hardware AES implementation for compatibility with the forthcoming standard and high performance.
802.1X
An IEEE standard built on the Extensible Authentication Protocol (EAP), 802.1X provides port-level authentication for networks, wired and wireless alike. The idea is to admit only
authenticated users to the network, both to protect privacy and to keep outsiders from consuming
corporate network resources.
802.1X is designed to leverage corporations' existing centralized authentication resources,
primarily through the use of the Remote Authentication Dial-In User Service (RADIUS). 802.1X
takes EAP and ties it to the physical medium, Ethernet or wireless LAN. EAP messages are
encapsulated in 802.1X frames, referred to as EAP over LAN (EAPOL).

For wireless networks, 802.1X has three primary components:

- The supplicant, which is the client software trying to be authenticated
- The authenticator, which is the AP (or, on an Ethernet network, the switch the client plugs into)
- The authentication server, which is usually a RADIUS server, although 802.1X doesn't
  specifically require RADIUS

The supplicant attempts to connect to the AP, which detects the client and enables its port for
communications. The port is placed into an unauthorized state so that only 802.1X (EAPOL) traffic
is accepted; nothing else is forwarded to the wired network. The supplicant then typically sends an
EAPOL-Start message (the AP may also open the exchange on its own).
The AP responds with an EAP-Request/Identity message, asking for the client's identity.
The supplicant sends an EAP-Response/Identity message containing the client's identity, which the
AP forwards to the authentication server, usually inside a RADIUS Access-Request. The authentication
server then uses whatever EAP method it is configured for to authenticate the client. For example,
in an all-Microsoft environment, the authentication server might be a RADIUS front end to Active
Directory (AD); Microsoft provides such a front end, called Internet Authentication Service (IAS),
with Windows 2000 Server and Windows Server 2003.
The result is the authentication server sending an accept or reject (RADIUS Access-Accept or
Access-Reject) back to the AP, which relays it to the client as EAP-Success or EAP-Failure.
A reject leaves the port in the unauthorized state, so the client still cannot send ordinary
traffic. An accept places the port into an authorized state in which all traffic is accepted and
placed onto the wired network to which the AP is connected; with WPA, the accept also carries
keying material derived during the EAP exchange, from which the AP and client derive the
per-session encryption keys for the wireless link. The last bit of 802.1X comes at logoff, when the
client sends an EAPOL-Logoff message to shift the port back to an unauthorized state.
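The exchange described above, as an added example that is not part of the original text or any vendor's software: the three 802.1X roles are plain Python objects that pass dictionaries standing in for EAPOL and EAP frames. The RADIUS server is a stub that checks a constructed credential table (assumption: a real server runs an EAP method such as EAP-TLS or PEAP inside RADIUS rather than comparing a password), and the message names follow IEEE 802.1X and EAP. The point to watch is the controlled port: data frames are dropped until EAP-Success and dropped again after EAPOL-Logoff.

```python
from dataclasses import dataclass, field

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


@dataclass
class AuthServer:
    """Stand-in for the RADIUS server. The credential table is constructed for
    this example; a real server fronts a directory and runs an EAP method."""
    users: dict

    def access_request(self, identity: str, credential: str) -> str:
        if self.users.get(identity) == credential:
            return "Access-Accept"
        return "Access-Reject"


@dataclass
class Authenticator:
    """The AP (or switch). It relays EAP between supplicant and server and
    owns the controlled port, which starts out unauthorized."""
    server: AuthServer
    port_state: str = UNAUTHORIZED
    pending_identity: str = ""
    transcript: list = field(default_factory=list)

    def receive_eapol(self, frame: dict) -> dict:
        """Handle one EAPOL frame from the supplicant and return the reply."""
        self.transcript.append(("supplicant->authenticator", frame))
        kind = frame["type"]
        if kind == "EAPOL-Start":
            reply = {"type": "EAP-Request/Identity"}
        elif kind == "EAP-Response/Identity":
            self.pending_identity = frame["identity"]
            reply = {"type": "EAP-Request/Credential"}   # stand-in for the inner EAP method
        elif kind == "EAP-Response/Credential":
            verdict = self.server.access_request(self.pending_identity, frame["credential"])
            self.transcript.append(("server->authenticator", {"type": verdict}))
            if verdict == "Access-Accept":
                self.port_state = AUTHORIZED
                reply = {"type": "EAP-Success"}
            else:
                self.port_state = UNAUTHORIZED
                reply = {"type": "EAP-Failure"}
        elif kind == "EAPOL-Logoff":
            self.port_state = UNAUTHORIZED
            reply = {"type": "none"}
        else:
            reply = {"type": "EAP-Failure"}
        self.transcript.append(("authenticator->supplicant", reply))
        return reply

    def forward_data(self, frame: dict) -> bool:
        """Non-EAPOL traffic reaches the wired side only while the port is authorized."""
        return self.port_state == AUTHORIZED


def run_session(identity: str, credential: str, users: dict) -> dict:
    """Drive one full 802.1X session: start, identity, credential, verdict, logoff."""
    ap = Authenticator(AuthServer(users))
    data = {"type": "data", "payload": b"GET /intranet"}
    before = ap.forward_data(data)                      # port unauthorized: dropped
    r = ap.receive_eapol({"type": "EAPOL-Start"})
    assert r["type"] == "EAP-Request/Identity"
    ap.receive_eapol({"type": "EAP-Response/Identity", "identity": identity})
    r = ap.receive_eapol({"type": "EAP-Response/Credential", "credential": credential})
    after = ap.forward_data(data)                       # forwarded only after EAP-Success
    state_after_auth = ap.port_state
    ap.receive_eapol({"type": "EAPOL-Logoff"})
    return {"result": r["type"], "data_before": before, "data_after": after,
            "port_after_auth": state_after_auth, "port_after_logoff": ap.port_state,
            "transcript": ap.transcript}


USERS = {"alice": "correct horse battery"}   # constructed credential table

if __name__ == "__main__":
    for who, cred in (("alice", "correct horse battery"), ("mallory", "guess")):
        s = run_session(who, cred, USERS)
        print(who, s["result"], s["port_after_auth"], s["port_after_logoff"])
```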
Putting It All Together
So where does it all fit together? The acronyms alone can be hard to keep up with; the following
list provides a summary:

- WEP is the original, outdated, and insecure data encryption technique featured in
  the original 802.11 standard. WEP does not address user authentication.
- 802.11i is the IEEE draft specification addressing wireless LAN security from both a data
  encryption and a user authentication standpoint.
- 802.1X is a port-level authentication scheme used to authenticate clients to a wired or
  wireless network. 802.1X provides the foundation for 802.11i.
- AES is the encryption standard adopted by the United States government, replacing
  the older DES. AES is also referenced in the 802.11i draft.
- WPA is a subset of the 802.11i draft standard that the IEEE and the Wi-Fi Alliance ordained
  to provide an immediate replacement for WEP while the standards body hammers
  out the final 802.11i standard. WPA includes most of the major pieces of 802.11i,
  including 802.1X, TKIP encryption, and the improved message integrity check (MIC);
  AES-based encryption is the main piece it leaves for 802.11i.
- RADIUS is an authentication protocol often used in conjunction with 802.1X. RADIUS
  can be built as a front end to other existing authentication services, such as AD.
- EAP is a generic authentication framework. 802.1X builds on EAP to create a port-level
  authentication protocol. Several specific authentication methods built on EAP (EAP-TLS and
  PEAP among them) already exist; more are forthcoming.
The Wired Weak Point
Keep in mind that all of these features only protect communication between wireless clients and
their APs; as soon as the data hits the wired network, it's completely unprotected by wireless
LAN security measures. If you're concerned about the security of your wired network, a valid
concern especially for traffic transmitted over the Internet, you will need to continue to employ
higher-level encryption mechanisms, such as IPsec, virtual private networks (VPNs) and Secure
Sockets Layer (SSL), which protect the traffic end to end rather than only across the radio link.

Architecting Secure, Next-Generation Wireless LANs


The next-generation wireless network is at your fingertips. All the technology pieces are in place
and the products are available now; you just need to deploy them to start taking advantage of
faster speeds, higher client densities, better security and more privacy.
Prerequisites
You'll need to have a few extra pieces available on your network in order to build tomorrow's
wireless network. The first prerequisite is planning today for future wireless LAN
implementations. Many new notebooks come with built-in wireless LAN capabilities. Be sure
that all new notebook purchases include built-in 802.11g, an inexpensive option whose nominal
data rate is nearly five times that of 802.11b. Doing so will ensure connectivity in any 802.11b
or 802.11g environment you implement. If budget permits, specify a/g clients. Adding wireless LAN
connectivity later can be time consuming and expensive. The following list highlights prerequisites
for an efficient and successful wireless network implementation:

- A good plan is the first thing you'll need. Know your business requirements, where APs
  are needed, and what type of wireless LAN devices you will be supporting. Understand
  your users' wireless LAN bandwidth needs and make plans to meet them. Also make
  plans to grow the wireless network as utilization increases.
- RADIUS is almost a must in a larger business environment. Fortunately, RADIUS
  implementations are available for almost any environment and can leverage your existing
  enterprise directory, if you have one.
- Central provisioning capabilities are useful. You will want to be able to centrally
  configure all your wireless LAN hardware from a single desktop, if possible.

Client Software Support


More and more client devices are being built to include 802.11b, 802.11a, and 802.11g
hardware; make sure your OS can handle such hardware. Windows 2000 Professional and
Windows XP include support for wireless networks as do Linux, UNIX variants, Mac and
more. Wireless is becoming more popular in portable devices too, such as Microsoft Pocket
PCs and Palms. The next wave of portable devices to include wireless LAN will be digital
cameras, MP3 players and VoIP phones.

Hardware Support
Although it has been mentioned several times, it is worth repeating: the quality of the wireless
LAN hardware you select can be critical to your wireless LAN implementation, if not today,
then tomorrow. Here are some tips:

- Look for AES that is integrated into the wireless networking hardware. Simply
  supporting AES isn't enough; implementing AES in a software driver places
  additional, unnecessary processing overhead on your client computers and APs, resulting
  in significantly degraded performance.
- Standardize on equipment that uses lower-powered, inexpensive and reliable CMOS
  radios. They will be the only choice a few years from now, so there is no reason not to
  make the smart choice today.
- Select equipment that rigorously complies with IEEE standards. Look for the 54g logo
  for maximum-performance 802.11g, and Wi-Fi CERTIFIED logos to ensure the broadest
  possible range of compatibility, reliability, quality, and future-proofing.
Where Can You Get the Right Wireless Hardware?

Broadcom's pioneering wireless networking products provide a completely standards-based, forward-looking approach to wireless networking. In addition, Broadcom is the power behind many of the leading
brands of wireless LAN products, including Apple, Belkin, Buffalo, Compaq, Dell, eMachines, Fujitsu,
Gateway, Hewlett-Packard, Linksys/Cisco, Microsoft and Motorola.
Broadcom's hardware and associated software offer everything you need for a secure, stable wireless
LAN solution: single-chip 802.11b components for small-device and low-power scenarios, integrated
CMOS radios, AES embedded in the hardware, a universal software driver across a product family,
superior radio technologies and much more.

Management and Maintenance Concerns


Wireless networks can bring a new level of management and maintenance concerns if you're not
careful. The following list highlights tips for making your deployment easier to manage now and
in the long term:

- Use centralized provisioning whenever possible. Some tools can provision compatible
  clients with wireless encryption keys, network settings and more, making it easy to
  configure clients without a trip to each one.
- Use your existing central directory for 802.1X. Most directories provide RADIUS
  compatibility.
- Select network hardware that can use a single software driver for an entire family of
  products, such as Broadcom's AirForce family of products. You will be able to maintain
  fewer OS images and lower your support costs by reducing environment variables.


Summary
While you're building your wireless network of today, take the time to build the wireless
network of tomorrow as well. Future-proofing is possible, particularly when you select wireless
LAN equipment that is designed to be forward-looking. The following list highlights specific
considerations for wireless networking equipment:

- Standards-based: Look for Wi-Fi CERTIFIED equipment as well as equipment carrying
  the 54g logo. Wi-Fi CERTIFIED equipment has passed the Wi-Fi Alliance's interoperability
  testing against the IEEE specifications and provides the best interoperability between
  varying brands of equipment. 54g equipment supports WPA.
- Dual-band: Look for 802.11a/b/g equipment, both APs and clients, that provides the
  most flexibility for a variety of networking situations. You will be able to continue to
  leverage any existing 802.11b investment while taking advantage of the unique strengths
  of both 802.11a and 802.11g.
- 802.11e implementation: Look for equipment that implements early drafts of the
  802.11e specification, including frame bursting. This equipment is designed with the
  future in mind, so future software updates can provide complete 802.11e compatibility.
- AES encryption in hardware: Look for equipment that includes AES capabilities built
  into the hardware, such as devices carrying the 54g brand, because hardware AES
  support provides better performance with less overhead on client computers.

Today, wireless networking is one of the most exciting areas of networking. In one respect,
wireless networks are becoming more secure than wired networks: few wired networks today offer
802.1X port-level authentication and link-layer encryption of every frame. Architecting wireless
networks isn't difficult, and you can build a future-proofed network by choosing equipment that is
built to today's standards while looking forward to tomorrow's developments.

Broadcom, the pulse logo, Connecting everything, 54g, the 54g logo, AirForce, Broadcom
Express, OneDriver and SmartRadio are trademarks of Broadcom Corporation and/or its
affiliates in the United States and certain other countries. Wi-Fi, Wi-Fi CERTIFIED, Wi-Fi
Protected Access and Wi-Fi ZONE are trademarks of the Wi-Fi Alliance. Bluetooth is a
trademark of Bluetooth SIG. Windows, Windows XP, Windows 2000 and Windows Server
are trademarks of Microsoft Corporation. Linux is a trademark of Linus Torvalds. UNIX is a
trademark of Unix System Laboratories, Inc. All other trademarks or trade names are the property of
their respective owners.


Chapter 4: Switching Intelligence in the Enterprise


Switched networks are a ubiquitous part of the corporate networking environment. Previously
used primarily on network backbones, switches are now commonly found at the workgroup
level, having replaced the simple network hub at only a slightly higher price but with
significantly greater return on investment (ROI).
Networks do not remain static. As business needs change and evolve, so must the corporate
network. However, for business to grow unconstrained by technology roadblocks, the corporate
network infrastructure must stay two steps ahead of the current corporate networking demands.
Fortunately, the current generation of intelligent switching technologies, coupled with cutting-edge
advances in network performance, enables smart network administrators to spend their
dollars on intelligent Gigabit Ethernet (GbE) hardware (both switches and network interface
cards, NICs) to provide the technology growth path that the business enterprise needs.
These days, technology is rarely the primary driving force behind network upgrades. In a tighter
economy, it is critical that infrastructure updates result in an evident positive impact on the
bottom line. Although the phrase "do more for less" sends shudders down the spine of most IT
managers, the reality is that dollars need to be more carefully spent. The challenge with IT
spending is to find products that either improve the overall performance of the enterprise in a
quantifiable fashion or reduce overall costs.
Surprisingly, a migration to a fully switched GbE infrastructure can do both. Given that newly
purchased client and server hardware will include GbE as the standard network interface, it
makes sense to take advantage of the significant performance advantages that GbE will bring to
the network. To do so, network administrators must plan to implement an end-to-end GbE
topology.
Intelligent switching makes it possible to improve network performance and reduce network
complexity while making the network easier to manage. Switching offers the advantages of
network consolidation and bringing network resources under more direct control, as well as
provides the additional benefit of a more secure computing environment. Switching solutions are
available for every application, from desktop workgroup switches to Internet/Core routers, and
provide recognizable benefits to each level of the network. Even a single intelligent switch in the
right place within the network architecture can bring immediate improvement to the behavior of
the network environment.
Environments that are running applications that can show a direct benefit from improved
network performance and securitysuch as e-commerce, remote call center support, and
multimedia broadcasting (interactive video and video streaming) applicationsare ideally suited
to intelligent switching in the GbE environment. Adding these intelligent switches to the network
will enable you to take advantage of the latest technologies that require bandwidth and network
control such as Voice over IP (VoIP). Implementing intelligent switching is the path to the future
for the network computing environment.


What Is a Switch?
At the most basic level, a switch is a device that controls signals going from one side of the
device to the other. In networking terms, a switch takes frames arriving on one of its copper or
fiber ports and forwards them out the port that leads to the destination. Multi-port
switches can accept inbound traffic on any supported medium and send it out any other port.
Intelligent switches add further capabilities. In a switched environment, each port on the switch
has a dedicated full-bandwidth connection available to it; with a traditional hub, all connections
share the available bandwidth and must contend for the medium as the original Ethernet design
requires (see Figure 4.1).

Figure 4.1: The basic switch architecture has not changed, but the performance of the network has increased
tenfold.

Today's typical switch offers one or two high-speed ports (usually GbE) for connecting back
to a network backbone or directly to a server, and 24 to 48 lower-speed (10/100 Mbps) ports
for connection to client devices. Although most network backbones are being upgraded
to GbE, only a small percentage of those upgraded backbones are attached to upgraded switches
for the client connections; an overwhelming majority of those client switches are still based on
100 Mbps Ethernet. The current generation of GbE switches offers 10/100/1000 Mbps
connectivity to each client. Clearly, a migration to GbE for all the client connections is the next
step in corporate network evolution, especially given the minimal incremental cost involved in
achieving this configuration.
Adding intelligent switching to a network is a simple process. Even if the current networking
infrastructure is comprised of an antique backbone and hub configuration, the migration to
intelligent switches will be transparent to end users. Regardless of the level of sophistication of
the current network configuration, the benefits that intelligent switching presents to the network
administrator as well as the potential competitive business advantages enabled by this technology
far outweigh the incremental cost of the migration.


Intelligent Switching
An intelligent switch is one that, at the very least, knows something about the traffic it is
passing through the network. It can examine each packet as it passes, so it can make
decisions about each packet. The most common decision is how to forward the packet; forwarding
and prioritization decisions are applied to each packet based on the type of traffic it contains
and the priority that has been assigned to that type of data.
Intelligent switches are usually referred to by their position in the Open Systems Interconnection
(OSI) network model. For example, a Layer 2 switch refers to Layer 2 in the OSI model (see
Figure 4.2), which is the Data Link Layer. As such, the Layer 2 switch is always aware of a
frame's media access control (MAC) address, which is unique to each network interface in your
network. The unique identification available through MAC addresses enabled the transition from
shared-media networking, in which information was broadcast to every network node, to
switched networking, in which information is only transmitted to the target node.

Figure 4.2: The OSI model is used as a standard definition of a network.

All switches must be able to forward packets to the appropriate client; basic Layer 2 switches
also include the ability to understand and use Layer 2 priority settings and virtual LAN
membership. This enhanced feature is important because the virtual LAN (VLAN) capability
allows network designers to create virtual networks over the existing wiring infrastructure
without rewiring. As a result, physical proximity is no longer a requirement for clients
attached to a specific network. The network administrator simply must ensure that the
switch port is assigned to the configured VLAN.


A VLAN is created by making a logical grouping of two or more network nodes. These
nodes need not reside on the same physical segment or even be attached to the same switch. All the
nodes in a VLAN normally share the same IP subnet, and traffic between VLANs must pass through a
router (or the switch's own routing function), which is where access controls between them are
applied. For VLAN standards information, refer to the IEEE 802.1Q resources.

The more advanced intelligent switches can also make use of the IP address information in Layer
3 and port information in Layer 4 to prioritize applications, giving higher priority to critical
traffic or applications or simply guaranteeing that the network port to which the CEO is
connected always has a high priority. Some classes of intelligent switches can also make use of
the packet data that relates to Layers 5, 6, and 7 to perform tasks such as content filtering and
spam detection.
With intelligent switches, network administrators have detailed control over the
traffic within their network. Thus, the fact that switches can improve network performance isn't
their primary selling point; their detailed control and management capabilities make these
switches a valuable addition to a network infrastructure. These multi-layer switches (those that
can deal with traffic above the Data Link Layer) can not only read the addressing and port
information in each packet to determine which type of data the packet contains, but also can,
when properly configured, apply business-derived policies to the network traffic such as rate
limiting and load balancing.
The OSI model uses seven layers to describe a network; the TCP/IP model uses four layers to define
the IP protocol suite. The TCP/IP layers map to the OSI layers as follows:
TCP/IP Application Layer maps to OSI Layers 5 through 7 (Session, Presentation and Application)
TCP/IP Transport Layer maps to OSI Transport Layer 4
TCP/IP Internet Layer maps to OSI Network Layer 3
TCP/IP Network Interface Layer maps to OSI Data Link Layer 2 and Physical Layer 1
For example, the Data Link Layer of the OSI model (Layer 2) carries the MAC address information
needed to deliver a frame to the correct destination on the local segment. The IP header, with its
source and destination IP addresses, belongs to the OSI Network Layer (Layer 3); the TCP/UDP header,
with its source and destination ports, belongs to the OSI Transport Layer (Layer 4); and the
application data it carries belongs to the layers above.

A Layer 4 switch identifies the application that is sending and receiving data from the TCP or UDP
port numbers in the packet, while a Layer 7 switch reads the application-layer payload to determine
the actual application. The information found at Layer 7 allows a more accurate determination of the
application, but the port-based identification performed by a Layer 4 switch is sufficient for most
purposes, because most applications use well-known TCP/IP ports and can be identified by them. The
limitation is worth keeping in mind: an application that runs on a non-standard port, or that
tunnels over port 80 or 443, will be misclassified by a Layer 4 switch. Layer 7 switches are
therefore used in the more specialized cases for which reading the packet data at the application
level is necessary.
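As an added example (not code from the original text), the following parser walks one constructed Ethernet frame the way a multi-layer switch does and files each field under its OSI layer: the 802.1Q tag with its VLAN ID and 802.1p priority at Layer 2, the IPv4 addresses at Layer 3, the TCP or UDP ports at Layer 4. `classify_l4` then does what a Layer 4 switch does, naming the application from a small constructed table of well-known ports, and returns 'unknown' for the cases that defeat port-based identification: a non-IP frame or an application on a non-standard port. `build_frame` only manufactures sample input; the MAC addresses, IP addresses and ports are constructed, and the IPv4 checksum is left zero because the parser does not validate it.

```python
import struct
from typing import Optional

ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
# Well-known ports a Layer 4 switch would key on (constructed subset of the IANA list).
WELL_KNOWN = {25: "smtp", 53: "dns", 80: "http", 443: "https", 5060: "sip"}


def parse_frame(frame: bytes) -> dict:
    """Walk the headers a multi-layer switch inspects and file each field under
    the OSI layer it belongs to: Ethernet and the optional 802.1Q tag (Layer 2),
    IPv4 (Layer 3), TCP/UDP ports (Layer 4). Non-IP and non-TCP/UDP frames stop
    early with None for the layers that are absent."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    off = 14
    info = {"l2": {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": 0},
            "l3": None, "l4": None}
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        info["l2"]["pcp"] = tci >> 13           # 802.1p priority (3 bits)
        info["l2"]["vlan"] = tci & 0x0FFF       # VLAN ID (12 bits)
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        return info                             # e.g. ARP: a Layer 2 switch's world ends here
    (ver_ihl, tos, _total_len, _ident, _frag, ttl, proto,
     _checksum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", frame[off:off + 20])
    info["l3"] = {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)),
                  "proto": proto, "dscp": tos >> 2, "ttl": ttl}
    off += (ver_ihl & 0x0F) * 4                 # IHL counts 32-bit words, options included
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", frame[off:off + 4])
        info["l4"] = {"sport": sport, "dport": dport}
    return info


def classify_l4(info: dict) -> str:
    """A Layer 4 switch's view of the application: whichever end of the flow sits
    on a well-known port names it. Anything else is 'unknown', which is exactly the
    case (non-standard ports, non-IP traffic) that calls for a Layer 7 switch."""
    l4 = info["l4"]
    if l4 is None:
        return "unknown"
    return WELL_KNOWN.get(l4["dport"]) or WELL_KNOWN.get(l4["sport"]) or "unknown"


def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int,
                vlan: Optional[int] = None, pcp: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample input (not captured traffic). The IPv4 checksum is left
    at zero because the parser above does not validate it."""
    if proto == PROTO_TCP:   # 20-byte TCP header with the SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:                    # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("001018aabbcc") + bytes.fromhex("001018ddeeff")   # dst MAC, src MAC
    if vlan is None:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, (pcp << 13) | vlan, ETHERTYPE_IPV4)
    return eth + ip + l4


if __name__ == "__main__":
    frame = build_frame("10.1.5.20", "10.1.9.7", PROTO_TCP, 51234, 443, vlan=30, pcp=5)
    info = parse_frame(frame)
    print(info["l2"], info["l3"], info["l4"], classify_l4(info))
```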


Key Functionality of Intelligent Switches


The following sections cover some of the key features that set intelligent switches apart from
simple Layer 2 switches. These sections provide basic reasons why intelligent switching in the
enterprise is the appropriate method to begin future proofing your network investments.
Quality of Service
Quality of service (QoS) is the ability to make the best use of available bandwidth by prioritizing
and coordinating network traffic. Certain types of applications, such as VoIP, video, and other
applications that require real-time delivery, need to have their priority set higher than normal data
traffic. These applications are delay sensitive, and if an application can't get the bandwidth and
network availability it needs, the application will fail.
QoS does not mean giving those time-sensitive applications priority over all other traffic, as the
goal is for the network to continue functioning for all required purposes (even if bandwidth-intensive
applications are running). The traffic with the highest priority is served first,
while less-critical applications still get the bandwidth they need to function.
Prioritization means that critical applications don't get shortchanged on bandwidth, even when
there are sudden increases in network utilization, such as the 9 AM burst when all of the
network users log on for the day. Without QoS controls, it would be difficult, if not impossible,
to maintain the service level guarantees that IT departments make to their business units.
In addition, QoS controls allow the IT department to monitor network behavior relative to
bandwidth needs on a very granular basis.
Most QoS implementations make a best effort: the attempt is made to provide the level of service that
is requested, but it is not a hard guarantee. Combining QoS with prioritization gives traffic
management the best possible chance of achieving the desired service level. Bandwidth and traffic
management tools are still going to be a necessary part of determining whether your network
bandwidth is being used most efficiently and whether there is sufficient bandwidth available for your
networking needs.

Proper implementation of QoS requires an end-to-end implementation of intelligent switching,
which, in turn, will improve the efficiencies of existing networks beyond that which could be
achieved by simply adding bandwidth. A fat pipe is well and good; a well-managed fat pipe with
QoS control is even better.
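An added example (not from the original text) of the scheduling point just made: two schedulers run over the same constructed "9 AM burst" of voice, video and file-transfer packets, each classified from the 802.1p priority in its VLAN tag under an assumed mapping. Strict priority serves lower queues only when the higher ones are empty, so best-effort traffic can be starved; deficit round robin, the weighted algorithm many switches use for their output queues, gives voice the largest weight but still serves every queue each round. The weights, packet sizes and per-interval link budget are constructed values.

```python
from collections import Counter, deque

# Queue weights in bytes of credit per scheduling round (constructed values).
# Voice gets the largest share, but every queue earns credit each round.
WEIGHTS = {"voice": 3000, "video": 2000, "best_effort": 1000}


def queue_for(pkt: dict) -> str:
    """Map the 802.1p priority (PCP) carried in the frame's VLAN tag to a queue.
    Assumed mapping: 5-7 voice, 3-4 video, 0-2 best effort."""
    pcp = pkt["pcp"]
    if pcp >= 5:
        return "voice"
    if pcp >= 3:
        return "video"
    return "best_effort"


def strict_priority(packets, link_budget_bytes):
    """Naive 'highest priority wins': a lower queue transmits only when every
    higher queue is empty, so a burst of voice plus video can starve best effort."""
    queues = {q: deque() for q in WEIGHTS}
    for p in packets:
        queues[queue_for(p)].append(p)
    sent, used = [], 0
    for q in WEIGHTS:
        while queues[q] and used + queues[q][0]["size"] <= link_budget_bytes:
            p = queues[q].popleft()
            used += p["size"]
            sent.append(p)
    return sent


def deficit_round_robin(packets, link_budget_bytes, weights=WEIGHTS):
    """Deficit round robin: each round, every non-empty queue earns `weight` bytes
    of credit and sends whole packets while it can afford them. A higher weight
    means more bandwidth, not exclusive bandwidth."""
    queues = {q: deque() for q in weights}
    for p in packets:
        queues[queue_for(p)].append(p)
    deficit = {q: 0 for q in weights}
    sent, used = [], 0
    while any(queues.values()):
        progress = False
        for q in weights:
            if not queues[q]:
                deficit[q] = 0             # an idle queue does not bank credit
                continue
            deficit[q] += weights[q]
            while (queues[q] and queues[q][0]["size"] <= deficit[q]
                   and used + queues[q][0]["size"] <= link_budget_bytes):
                p = queues[q].popleft()
                deficit[q] -= p["size"]
                used += p["size"]
                sent.append(p)
                progress = True
        if not progress:                   # the interval's link budget is exhausted
            break
    return sent


def count_by_queue(sent) -> dict:
    return dict(Counter(queue_for(p) for p in sent))


def sample_burst():
    """Constructed burst: 30 voice packets, 5 video packets, 15 file-transfer packets."""
    return ([{"pcp": 6, "size": 200}] * 30
            + [{"pcp": 4, "size": 1400}] * 5
            + [{"pcp": 0, "size": 500}] * 15)


if __name__ == "__main__":
    burst, budget = sample_burst(), 12_000   # bytes the link can carry this interval
    print("strict priority:    ", count_by_queue(strict_priority(burst, budget)))
    print("deficit round robin:", count_by_queue(deficit_round_robin(burst, budget)))
```

With the constructed burst, strict priority spends the whole interval on voice and video and sends no best-effort packets at all, while deficit round robin still gets voice through in full and shares the remainder between video and best effort.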


Security
Intelligent switches can control access on a port-by-port basis. Authentication (is the user who
they claim to be?) and authorization (is the user allowed to do this?) are the bread and
butter of switch security. ACLs applied per port can quickly limit what an intruder who has
penetrated your perimeter security can reach. Multi-layer switches can analyze the contents of
network traffic more closely, so the signature of a known attack can be recognized, worm and
virus traffic detected, denial of service (DoS) attacks caught early, and the switch network
reconfigured to contain the threat once a security breach has been discovered. Applications that
require enhanced security, such as e-commerce, gain an additional layer of protection when run
across an intelligent switching infrastructure that identifies and classifies traffic and monitors
ports and addresses.
All of the perimeter security in the world doesn't prevent security issues that originate inside the
network. Studies have shown that the single largest threat to network security is
computer viruses, followed closely by employee abuse of network resources. Intelligent
switches are critical to limiting the unauthorized use of network resources by otherwise
authorized employees. As a result, an end-to-end intelligent switching infrastructure provides
improved security for critical corporate data and yields a higher level of confidence in
the safety and security of the corporate network. Entire departments that should be off-limits to
most users, such as finance and human resources, can still be connected to the same
networking infrastructure while remaining isolated from other users by VLAN membership at Layer 2
and by ACLs at Layers 3 and 4.
By using VLANs, geographic proximity is not a requirement for departmental users. Different
business units can have their own finance departments that are all connected to the regular
corporate network as well as to any shared financial resources. As this access control is built into
the basic architecture of the intelligent switch, there are cost savings in both the short and long
term associated with the deployment of intelligent switching technologies.
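To show the per-port ACL and VLAN controls described above in working form, here is an added example (not from the original text and not any vendor's configuration syntax). A constructed VLAN plan puts general users on VLAN 10 and finance on VLAN 30; the user ports carry an ingress ACL that permits HTTPS to the finance web front end, denies everything else in the finance subnet, and permits the rest. `evaluate` is first-match with the implicit deny that switch ACLs end in, and `switch_decision` first drops frames whose source address does not belong to the port's VLAN (the check an IP source guard feature performs) before consulting the ACL. Port names, subnets and addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (self.dst_port is None or self.dst_port == f.dst_port))


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match ends in an implicit deny, which is how
    most switch ACLs behave and why a trailing 'permit any' must be explicit."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed VLAN plan (assumption): general users on VLAN 10 (10.1.10.0/24),
# finance on VLAN 30 (10.1.30.0/24). Port names are illustrative only.
PORT_VLAN = {"Gi1/0/1": 10, "Gi1/0/2": 10, "Gi1/0/24": 30}
VLAN_SUBNET = {10: "10.1.10.0/24", 30: "10.1.30.0/24"}

# Ingress ACL for general-user ports: HTTPS to the finance web front end only,
# nothing else in the finance subnet, everything else (shared services,
# Internet) permitted.
USER_PORT_ACL = [
    Rule("permit", dst="10.1.30.10/32", proto="tcp", dst_port=443),
    Rule("deny", dst="10.1.30.0/24"),
    Rule("permit"),
]
# Finance ports carry no restriction in this example.
PORT_ACL = {"Gi1/0/1": USER_PORT_ACL, "Gi1/0/2": USER_PORT_ACL, "Gi1/0/24": [Rule("permit")]}


def switch_decision(port: str, flow: Flow) -> str:
    """What the switch does with a flow entering on `port`: a frame whose source
    address lies outside the port's VLAN subnet is dropped as spoofed, then the
    port's ingress ACL decides."""
    subnet = VLAN_SUBNET[PORT_VLAN[port]]
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(subnet):
        return "deny"
    return evaluate(PORT_ACL[port], flow)


if __name__ == "__main__":
    cases = [
        ("Gi1/0/1", Flow("10.1.10.5", "10.1.30.10", "tcp", 443)),     # finance web: permit
        ("Gi1/0/1", Flow("10.1.10.5", "10.1.30.20", "tcp", 445)),     # finance file server: deny
        ("Gi1/0/1", Flow("10.1.10.5", "10.1.30.10", "tcp", 22)),      # SSH to the web box: deny
        ("Gi1/0/1", Flow("10.1.10.5", "198.51.100.10", "tcp", 443)),  # Internet: permit
        ("Gi1/0/24", Flow("10.1.30.7", "10.1.30.20", "tcp", 445)),    # finance to finance: permit
        ("Gi1/0/2", Flow("10.1.30.7", "10.1.30.20", "tcp", 445)),     # spoofed finance source: deny
    ]
    for port, flow in cases:
        print(port, flow, "->", switch_decision(port, flow))
```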
Management
The complexity and intelligence built into the current generation of intelligent switches make
them remarkably easy for network administrators to use. Even with the detailed control over the
network environment that an end-to-end intelligent switch infrastructure provides, the ability to
manage that infrastructure from a single interface makes network administrators' tasks
significantly simpler. For example, providers of semiconductor solutions such as Broadcom offer
customers a single API set that works across a family of switch products so that OEMs can
build custom applications that provide end-to-end management across the networking
infrastructure. As new products are added to the family, they can be integrated into the
network to support the custom applications already created.
OEMs will offer dedicated switch-management software tools along with industry-standard SNMP
MIBs that allow information to be provided to enterprise management consoles. Depending upon the
vendor, direct add-in modules for those enterprise-class consoles may also be available. Because
these management interfaces can reconfigure every port, restrict them to a dedicated management
VLAN and prefer SNMPv3, which authenticates and encrypts, over the community-string SNMP versions.

Scalability
The ability to stack intelligent switches and provide a high-bandwidth connection between the
switches enables administrators to provide an easily scalable network infrastructure that can be
expanded by simply adding switches to the network. The improved manageability of these
intelligent switches results in minimal effort to add a switch to the network. As a result, network
expansion becomes an almost effortless task.
Additionally, the high-performance interconnects between the switches allow for a fair level of
resiliency. For example, when one switch in a stack can take over the role of another, the stack
provides a level of high availability and prevents a failed piece of silicon from bringing down the
connections to that switch. Depending upon the type of failure and the configuration of the
switches, a failover that is not detectable to end users can occur, preventing a data center switch
failure from bringing down the entire network.
Many intelligent switches currently on the market give network administrators deployment
options of 10Mb Ethernet, 100Mb Ethernet, 1GbE, and 10GbE, allowing the switches to be
installed at both the core and departmental infrastructure levels without needing to migrate
clients simultaneously.
VoIP
One of the driving forces behind the acceptance and use of high-performance intelligent
switching is VoIP: not simplistic PC-to-PC voice communication, but telephony-quality voice
connections running over the same networking infrastructure that is carrying data. The major
stumbling block in the widespread deployment of VoIP has been the lack of reliable end-to-end
QoS in the corporate enterprise. For VoIP to work, end-to-end control of the connection is
required to ensure that a usable voice connection is maintained. VoIP has stringent requirements
for latency, jitter and dropped packets, so reliable VoIP use has two requirements: bounded
latency and guaranteed bandwidth.
From the bandwidth perspective, voice is very compressible, and, as such, a single conversation
doesn't require much bandwidth; however, that bandwidth needs to be available throughout the
conversation (high-volume uncompressed voice communication can be very bandwidth-intensive).
A congested network would then have both latency and bandwidth problems that would prevent the
deployment of VoIP. If the switches that reside within the network are replaced with intelligent
switches that are traffic aware and support QoS, the implementation of VoIP becomes much
simpler.
Go to http://www.iptelephony.org to keep up with what is happening in the VoIP marketplace.
Deploying a VoIP solution within your corporate enterprise requires far more than just a switching
architecture to be added to your network. A significant investment in IP telephony client hardware is
necessary, as is ensuring that you have the bandwidth available to support the telephony
functionality. The end-to-end QoS solution provided by intelligent switching is an enabling technology
for VoIP, not a solution to all VoIP issues.


Video
The same technology that is critical for VoIP is needed to stream real-time video across your
network. We've all seen what network-based video looks like: jerky movements, dropouts, out-of-sync audio, and so on. The reason for this level of performance is the lack of a QoS
mechanism to ensure that the packets that make up the video stream arrive on time and are not
dropped or delayed out of order.
When switches in an end-to-end solution can examine the packets being transmitted and
determine that a video feed is contained within them, the switches can reserve the
necessary bandwidth to ensure a good video experience for users. Such technology takes the
multimedia network experience far beyond what users are accustomed to (current technologies
such as Microsoft NetMeeting over a non-switched network).
Wireless LAN Switching
Wireless networking has become a fact of life and the flexibility that wireless network access
provides has made it a key part of the networking model for many corporate businesses. The
ability to provide security on wireless networks has proven to be somewhat more difficult than
implementing the wireless infrastructure.
Network administrators have tended to take a brute-force approach to providing network security
and still allowing wireless access. In many cases, they simply treat the wireless user like a
remote user, configuring the wireless connection to use a VPN and IP tunneling with RADIUS
authentication for access to corporate resources. However, technology designed for use by low-speed dial-up users doesn't always transition well to a high-speed network. Thus, networks that
support many wireless users have suddenly found their remote networking resources severely
taxed, and they still aren't completely addressing the security needs of their network.
In a switched network, network administrators can aggregate the network switch ports to which
wireless APs are attached into a VLAN. This VLAN is then configured to be outside of the
normal corporate network, requiring the aforementioned remote authentication mechanisms for
users to access corporate networking resources. These solutions have their own problems and
don't address the issues that arise from users who move from docked (wired) to undocked
(wireless) work locations within the network.
WLAN switches don't eliminate the need for standard network authentication methods such as
RADIUS servers; they simply make client configuration simpler and can allow features, such as a
tunneling IP connection, that still enable users to move across APs without losing the connection.
Strict security practices must still be followed, even in the inherently more secure intelligent switch
environment.

The concept behind wireless LAN switching is to move the intelligence found in the wireless
APs back to a wired multi-layered switch that is optimized for handling 802.11 clients (see
Figure 4.3). The wireless APs become extensions of the switched network ports to which they
are connected. Thus, problems such as rogue APs are no longer an issue as the AP alone no
longer provides access to the network. An unauthorized AP attached to a switch port would,
therefore, not be authenticated to the wired network.


Figure 4.3: Wireless LAN switches reduce the security exposure of wireless APs and simplify the associated
management tasks by moving the higher-level functions associated with wireless access back to an
intelligent switch.

As a result, the security functionality is moved to the switch with authentication and ACLs
adapted to follow wireless users as they move around within the wireless network. Multi-layer
switches allow wireless users to roam between APs, subnets, and VLANs, and provide the
wireless user with smooth access into the wired network infrastructure.
Because the radio medium over which a wireless network operates cannot be physically secured, a very
secure and robust security model must be in place. In this scenario, administrators need to be
able to prevent three things from occurring: unauthorized access, rogue APs (unauthorized APs
attached to the network), and unauthorized APs that might overlap with the network's wireless
infrastructure. With a wireless LAN switch, administrators can take several steps at the switch
level to combat these security problems. Unauthorized users can be locked out of the network,
rogue APs can be quarantined or blocked completely, and unauthorized APs can be prevented
from any user associations. These actions are performed at the switch level using the same
switch-management tools used to run the wired network.
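A toy model of those switch-level decisions, as an added example (not Broadcom's, Nortel's or any vendor's code): the three cases the text names, a rogue AP on a switch port, a foreign AP overlapping the air space, and an unauthenticated user, plus an identity-keyed ACL that survives a roam between APs. Every MAC, port, SSID, user and ACL string is constructed sample data.

```python
"""Toy model of the decisions a wireless LAN switch makes once the intelligence
is moved out of the APs and into the switch. Added example for this section,
not code from Broadcom, Nortel or any vendor; every MAC, port, SSID, user and
ACL string below is constructed sample data."""

from dataclasses import dataclass, field

CORPORATE_SSID = "corp-wlan"

# Authorized APs: BSSID -> the switch port the AP is expected to hang off.
AUTHORIZED_APS = {
    "00:11:22:aa:00:01": "ge1/0/1",
    "00:11:22:aa:00:02": "ge1/0/2",
}

# Per-group ACLs that follow the user (keyed on identity, not on port or AP).
GROUP_ACLS = {
    "finance": ["permit tcp any 10.10.5.0/24 eq 1433", "deny ip any any"],
    "guest": ["permit tcp any any eq 80", "permit tcp any any eq 443",
              "deny ip any any"],
}
LOCKED_OUT = ["deny ip any any"]

# Username -> group, standing in for what a RADIUS server would return.
USER_GROUPS = {"alice": "finance", "bob": "guest"}


@dataclass
class AirScan:
    """An over-the-air sighting reported by a managed AP acting as a monitor."""
    reporter: str  # BSSID of the managed AP that reported it
    bssid: str     # BSSID it heard
    ssid: str      # SSID that BSSID was advertising


@dataclass
class WlanSwitch:
    # client MAC -> (username, acl) for authenticated sessions
    sessions: dict = field(default_factory=dict)
    quarantined_ports: set = field(default_factory=set)

    def attach_ap(self, port: str, mac: str) -> tuple[str, str]:
        """An AP appears on a wired port. A known BSSID on its expected port is
        authorized; anything else (unknown, or a known AP moved to another
        port) is a rogue AP and the port is shut down, so the AP by itself
        never grants network access."""
        if AUTHORIZED_APS.get(mac) == port:
            return "authorized", "forward"
        self.quarantined_ports.add(port)
        return "rogue", "shutdown-port"

    def report_scan(self, scan: AirScan) -> tuple[str, str]:
        """A managed AP reports an AP it heard over the air. A foreign AP is
        'overlap'; one advertising our SSID is treated as spoofing and our
        clients are prevented from associating with it."""
        if scan.bssid in AUTHORIZED_APS:
            return "authorized", "none"
        if scan.ssid == CORPORATE_SSID:
            return "overlap-spoofed-ssid", "alert+deny-associations"
        return "overlap", "alert"

    def authenticate(self, client_mac: str, username: str,
                     radius_ok: bool) -> list[str]:
        """The RADIUS result decides the session ACL; a failure is locked out
        and any stale session for that client is dropped."""
        if not radius_ok or username not in USER_GROUPS:
            self.sessions.pop(client_mac, None)
            return LOCKED_OUT
        acl = GROUP_ACLS[USER_GROUPS[username]]
        self.sessions[client_mac] = (username, acl)
        return acl

    def associate(self, client_mac: str, ap_bssid: str) -> tuple[str, list[str]]:
        """A client (re)associates, possibly after roaming to another AP. The
        ACL is looked up by identity, so it is unchanged across APs; an
        unauthenticated client, or an AP the switch does not control, gets
        nothing."""
        if ap_bssid not in AUTHORIZED_APS:
            return "denied-unauthorized-ap", LOCKED_OUT
        if client_mac not in self.sessions:
            return "denied-unauthenticated", LOCKED_OUT
        _, acl = self.sessions[client_mac]
        return "allowed", acl
```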
Wireless LAN intelligent switches also integrate wireless network management with standard
switch-management tools. The integration of wireless and wired switches within the same
network, or even in the same chassis, allows IT departments to provide the same level of service
to their wired and wireless users.
Management issues also become much simpler as APs become antennas that give wireless users
access to a secure networking environment with the wired network's entire security model in
place (plus any additional security that the administrators choose to apply to wireless
connections). Wireless encryption can then be performed at the wireless LAN switch (rather than
at the APs). Thus, as the encryption algorithms are changed, improved, and updated, it is only
necessary to update the wireless LAN switches without worrying about upgrading or replacing
possibly hundreds of wireless APs.


In a wireless LAN environment, the APs serve as antennas and air monitoring devices that provide
connectivity and network environment information back to the wireless LAN switch.

By moving the intelligence back to the switch, intelligent APs make for far simpler management
and deployment and a much more secure environment. Adding APs to the network no longer
becomes a manageability concern; whether you add 10 or 1000 APs, configuration isn't an
issue because you can easily apply the appropriate policies that configure the wireless APs at the
switch level.
An interesting feature that wireless LAN switches support is the ability to assign different
wireless connection rates to different users. Users who do basic office automation might only
access through 11Mbps connection speeds, while a user attending an online demo might be given
54Mbps. Multi-layer intelligent switches can make decisions based on applications, so these
connection speeds can be determined and assigned automatically. Obviously, the maximum
connection speed is dependent upon the actual wireless networking standards implemented
(802.11a, 802.11b, 802.11g). This functionality helps with the lowest common denominator
issue that plagues wireless networks: the entire wireless network ends up slowing to the speed
of the slowest device connected via the AP.
All of these features will make wireless networking a more practical and acceptable alternative.
For business units that can make do with the overall performance limitations that wireless
networks currently have, users who do not need high-bandwidth connections can be set up with
wireless network access. Entire departments that perform low-bandwidth tasks, such as data
entry, will no longer need an expensive cable plant to provide secure connectivity. Deploying
shared devices, such as network printers, will lose any physical connectivity requirements; the
printer can be placed anywhere in range of an AP that has an electrical outlet. Less complexity in
managing, deploying, and maintaining your wireless networks means less strain on IT resources
and a strong ROI for wireless LAN switches.
Wireless LAN switches are appropriate for deployment in both wiring closet and data center network
architecture models.

With secure wireless LAN switching in place, the potential for wireless VoIP becomes apparent.
Currently, wireless VoIP is used primarily in niche vertical markets, such as the healthcare
industry, in which wireless handheld devices can be extended by adding VoIP capabilities. The
ability of a multi-layered switch to examine the traffic that is contained within each packet
makes it easier to address wireless VoIP concerns. The future for wireless VoIP, however, isn't
limited to handheld devices. Mobile telephony providers are looking towards wireless VoIP as a
method to allow seamless mobility for cellular users between their wide-area cellular networks
and the user's corporate VoIP network.
Intelligent switching is critical in making this transition because the security and authentication
mechanisms native to the intelligent switch architecture are a requirement for the successful
implementation of wireless VoIP. Security and authentication can be maintained for every
wireless user and device, giving different capabilities to users based on device, location, and
other parameters, anywhere within the user's network enterprise.

ROI/Convergence
The utilization of intelligent switches makes the existing network infrastructure significantly
more efficient. Thus, the incremental costs associated with a migration to GbE intelligent
switches can be quickly recovered even as the network begins moving the client infrastructure to
GbE and before the cost savings can be derived from the GbE infrastructure.
Intelligent switches provide detailed information to network administrators about the traffic
passing through their networks and allow decisions to be made about routing, prioritizing, access
control, bandwidth allocation, QoS, high availability, security, VoIP, and more. In addition, none
of these decisions need be static. For example, quality-management tools provide choices that
can be conditional based on such factors as time of day, network load, load balancing, and
destination addresses, whichever features the administrator feels are appropriate for the
networking environment in order to deliver an integrated data transmission model with voice,
data, and video optimized to deliver real-time business communications.
Intelligent switching makes it possible to support all of the previously mentioned technologies on
a single, unified, networking infrastructure. The result is a converged networking infrastructure
with fully implemented support for voice, video, wireless, and data networking within that single
integrated infrastructure. This converged network can result in not only an improved ROI on
dollars spent on the networking infrastructure but also a better bottom line due to a more efficient
IT infrastructure.

Implementing Intelligent Switching


As was pointed out earlier in this chapter, to get the full benefits of an intelligent switched
network architecture, an end-to-end solution is required. A gradual migration to a fully switched
infrastructure will provide significant benefits to the corporate network, but a comprehensive
deployment plan must be evaluated with realistic management expectations applied. It is also
possible to use intelligent switching to support specific applications.
Starting from a traditional backbone router and hub configuration, data center servers are
connected to a networking backbone that is available throughout the corporate enterprise. In
most cases, the physical network layout either aggregates everything back to the data center or
uses a local wiring closet model in which the corporate backbone is extended to a location in
closer physical proximity to its clients.
Regardless of the topology of your networking architecture, consider using multiple NICs in any
server that is in active use within your enterprise. You can do so in many ways. The simplest way is
to have more than a single NIC installed in the server. Many servers now come standard with two
NICs on the motherboard, the latest of which are 10/100/1000-capable devices. That second NIC,
connected to another port on the hub or switch, effectively doubles the network bandwidth available
to the server.
There are also dedicated aggregate NIC interfaces, some of which include as many as four network
interfaces on a single PCI card. This solution was practical with 10/100 Ethernet, but with GbE, it is a
more efficient solution to add multiple NICs to the server box. Even with the order of magnitude
increases in network bandwidth, the network is still the most significant bottleneck in a well-designed
server system.

In either case, the ports that are connected to client computers and servers will need to be
replaced because they are probably attached to older technology hubs, routers, and switches.
After the intelligent switches are implemented, it is not a requirement that any other network
components be upgraded. Replacing the connection equipment in the data center and/or wiring
closets with GbE intelligent switches will be completely transparent to users.
With no other changes to the network, significant capabilities to traffic management and
bandwidth control functions will be added. In addition, the following security benefits will result
from the new switching architecture:

- Access control: Network administrators will now be able, on a per-port basis, to
authenticate the user that is accessing the network via the associated port. ACLs let these
administrators create groups of users with permissions. Authentication for network access
will be handled at the switch level, regardless of the network OS. Secure tunneling and
VPN connections will now be easier to support and maintain.

- DoS protection: Well-known DoS attacks will be trapped at the switch level and not
allowed to disrupt users on the network.

- Virus attack protection: Many viruses can be identified and blocked.

All of these features make use of functionality that is built-in to the switches. Existing security
protections are further enhanced by making use of the security functions of the switched
infrastructure.
Traffic-management functionality within the switches provides more efficient use of the existing
network bandwidth with features such as bandwidth management and rate limiting. For example,
users who are surfing the Web will have less bandwidth than users who are performing internal
database queries. Management tools enable administrators to configure such features to have
dynamic behavior, changing as the network conditions change.
Traffic-redirection capabilities enable specific application traffic to be routed directly to the
servers running the applications. In most cases, these capabilities are used to share Web servers
that are high-traffic sites so that the traffic generated by the Web site doesnt slow the
performance of the local network. Depending upon the capabilities of the multi-layer switch,
administrators could also add firewall, VPN, network load-balancing, application load-balancing,
server load-balancing, and a wealth of other features.
As mentioned earlier, stacking the switches achieves resiliency and adds a measure of high availability to the network infrastructure. Don't confuse resiliency with redundancy. In a
redundant environment, there is backup hardware that duplicates the primary hardware and is
available in case of a catastrophic failure. The goal of a resilient network infrastructure is to have
a network that maximizes uptime without requiring that every piece of critical equipment be
duplicated.
Once Layer 4 switching is implemented, switch intelligence has the ability to load-balance
applications and traffic across multiple servers and monitor and health-check applications. The
switching architecture is now working in a way that improves network and application
availability without the need to invest in specific high-availability solutions. Once again, if you
already have an investment in high-availability devices, the switched architecture will enhance
the reliability and availability of those devices.


Resilient hardware can be made up of redundant components. A complete set of duplicate intelligent
switches would provide complete redundancy. When you are focused on resiliency, you would want
certain functions of your core switches to be redundant, such as chassis with dual hot-swappable
power supplies and support for hot-swappable switch blades. This minimal redundancy improves the
resiliency of the network infrastructure without requiring the expense of duplicate hardware, yet it still
provides the additional reliability that characterizes a high-availability working environment.

Stacked switches can also be considered hot-swappable in the sense that additional ports (or
replacement ports) can be added without bringing down the network. In the event of a switch
failure, a newly added switch can obtain the configuration information of the switch it needs to
replace from the server, then be placed in the existing stack where the logical architecture of the
stack will be rebuilt automatically without affecting the stack's normal operation.
Managing the stack is also simplified by the fact that there is a single IP address for the entire
stack (in-band management) and all of the switches in the stack are treated as if they are a single
switch. Management instructions are passed to the top of the stack and redistributed through the
stacked switches without direct action by the systems administrator.
In Figure 4.4, each switch has twelve 10/100/1000Mb Ethernet ports that support copper or fiber
connections. These connections can be routed to individual clients or servers. Each switch in this
diagram has high-speed expansion ports that allow the switches to be daisy-chained together
(that is, stacked). The top switch is then connected via the high-performance uplink interface to
the bottom switch, completing a connection loop that allows redundancy and reliability
improvements.

Figure 4.4: Three stackable multi-layer switches.

Upgrading your backbone to 10GbE will provide significantly more bandwidth to play with on
the network; however, to fully realize the benefits of this increased bandwidth, the clients need to
be upgraded. As discussed in Chapter 2, adding GbE client NICs is a small incremental cost over
10/100 NICs and most desktop computer vendors are moving towards making GbE connectivity
standard in their line of computers targeted directly at business consumers. To maximize the
benefits of intelligent switching, an end-to-end implementation is required.
While researching intelligent multi-layer switches, you will often run into the term switch fabric. The
switch fabric is the software and hardware combination that handles the data traffic that moves into a
switch node by moving it to the correct outgoing port. There are multiple switch units (the actual
integrated circuitry that handles the data manipulation) in a switch fabric and software that controls
the switching paths.
An example of a switch fabric is the Broadcom StrataXGS BCM5670. The 5670 is an 8-port, non-blocking, 160Gbps switch fabric that supports eight high-speed ports. This fabric would be combined
with other hardware and software to build an actual intelligent switch. The switch would then be part
of a chassis or a standalone switching product with or without stacking capability.

Fortunately, the switches will support legacy Ethernet architectures, not just GbE. While the
performance benefits of GbE won't be realized by legacy clients, the other benefits of the switch
are available. Because the switch is intelligent, there is an awareness of whether a port is running
with sufficient bandwidth to service the requests that the attached computer is making for
network resources.
Figure 4.5 shows a good example of a stackable switch. The Nortel BayStack 5510 family of
switches offers 24 or 48 10/100/1000Mbps ports for desktop switching and provides high-density
wiring closet connectivity to GbE desktops. The user can stack as many as eight discrete
switches and a maximum of 384 ports in a single stack.

Figure 4.5: The Nortel BayStack 5510 stackable Layer 3 switch uses the Broadcom StrataXGS switch fabric.

Using technology based on the Broadcom StrataXGS BCM5670 switch fabric, the BayStack
5510 not only offers a wealth of GbE client ports but also a 40Gbps full-duplex stacking
architecture on each switch. This means that each switch can be communicating with other
adjacent switches in the stack at 40Gbps, simultaneously transmitting and receiving data at that
speed, for a total of 80Gbps stacking bandwidth per switch or 640Gbps total bandwidth for a
fully configured eight-switch stack. These are meaningful numbers considering that the Layer 3
routing for that switch is performed at wire speed.
The block diagram in Figure 4.4 and the example in Figure 4.5 demonstrate discrete switching
hardware products. You are just as likely to encounter chassis-mounted products, especially
given the port densities allowed by the Broadcom switching fabric products. Chassis blades with
48 ports are possible (see Figure 4.6), giving very high densities with multiple switch blades in a
single chassis. Data center switch installations can benefit from these high-density switches.

Figure 4.6: IBM eServer BladeCenter technology.

The consolidation made possible by these rack-mounted chassis, with the combination of
blade servers and multi-layer switches in a single package, is quite impressive (Figure 4.6).
Communication between all of the devices in the chassis, by means of the ultra-high
performance switch backplane, gives the same sort of resiliency provided by the external
connections on the stacked switches.
The Broadcom switch fabric chipsets that are prevalent among the top switch vendors offer an
important capability: they support both copper and fiber connections. Thus, the vendors building
these switches are able to offer both connectivity types in the same product, increasing the flexibility
of these switches in the data center or workgroup role.

The IBM eServer pictured in Figure 4.6 combines both blade servers and blade switches to
provide a compact and powerful networking host for your data center. These chassis offer both
resiliency and the necessary redundant components to keep networks up and running with
availability.
The blade model also offers easier scalability than the stacking model. With hot-swappable
blades, it is only necessary to add another blade to the chassis to expand network resources.
There is no need to connect a separate stacking connection and there is no need to find the space
to put another stackable switch or another power outlet. Simply insert the new blade in the
chassis and configure it as required. There is also greater flexibility with the chassis model if a
Layer 3 intelligent switch or a full-blown Layer 7 switch need be added. The functionality can be
added while obtaining the redundancy and resiliency that the chassis provides.
Many corporate networking environments are already built around rack-mounted servers in the
data center. Consolidating server and multi-layer switches into the same chassis will, according
to an IDC estimate, show a reduction in the cost of ownership of 48 percent over 3 years. IBM
has gone a step further, including a Layer 2 through 7 switch with all of the performance and
configuration potential that the added switch intelligence offers. The IDC report claims that such
an environment will realize a total reduction in the cost of ownership of 65 percent over 3 years.


Summary
Intelligent switching is the core technology to enable next-generation networking. It is the
enabling technology that will allow dynamic networks to support fully implemented and reliable
wireless networking, security, VoIP, video-on-demand, Web services, and many of the next-generation technologies that will provide a competitive business advantage for the network users.
It is important to consider that one of the major intangible benefits of a well-designed intelligent
switching architecture is an improved user experience. Better response time for network
applications, fewer network slowdowns for general use, and the availability of networking
resources for users who need those resources when they need them all contribute to this
improvement.
Decisions made about the design of your networking infrastructure will have long-term effects
that can disrupt or enhance the future growth of your business. Dollars spent on IT infrastructure
investments today should be as future-proof as possible, and intelligent switches are the place to
start.
Intelligent switching is one of the few technologies applicable to future networking
improvements that brings immediate tangible benefits to an existing network infrastructure and is
the key starting point for networking professionals looking to improve their corporate network
environments. It is the logical place to start to build a high-reliability, high-availability
networking infrastructure that will allow your business to grow as necessary and offer the
functionality to allow IT administrators to add the latest state-of-the-art technologies to enhance
their line-of-business applications.
Given the cost of defending your networks from external and internal threats, such as DoS
attacks, widespread virus propagation, and unauthorized internal user access, the incremental
costs of moving to intelligent switching could be justified on that one feature set alone.
High-performance intelligent switches such as those from Broadcom are capable of maintaining
wire-speed performance regardless of the additional tasks that the switch is accomplishing. Thus,
adding critical features such as content filtering and spam blocking can be done without
impacting the end-user experience.
Stack switches enable administrators to add capacity as necessary without additional
management headaches because the unified switch management application is as simple to use
with one switch as it is with a full stack. Thus, adding capacity doesn't mean that you need to
add staff to support the growing network infrastructure. This realization helps to simplify your
overall management structure and expand your network infrastructure without spending money
on staffing. Broadcom is dedicated to building high-performance, high-availability, scalable,
robust networking infrastructures that are cost effective and provide the IT professional with the
best tools for the job.

Broadcom, the pulse logo, Connecting everything, the Connecting everything logo, and
StrataXGS are trademarks of Broadcom Corporation and/or its affiliates in the United States and
certain other countries. Windows and NetMeeting are trademarks of Microsoft Corporation.
BayStack is a trademark of Nortel Networks. eServer is a trademark of International Business
Machines Corporation. All other trademarks or trade names are the property of their respective
owners.


Chapter 5: Server Migration and Optimization: Maximizing ROI for Existing Assets and Future Growth
It is difficult to overstate the importance of servers in your network. If the networking
infrastructure is the circulatory system, the servers are the organs: there are critical ones, such as
the brain and heart, and even a few in every network that are removable, just like the appendix.
In any case, the network would have little reason to exist without the servers that populate it,
offering up all sorts of services to the network users. Servers are also the point at which Gigabit
Ethernet (GbE) and state-of-the-art storage technologies meet. The convergence between server,
networking and storage technologies has the potential to change the way that servers and storage
are treated in the corporate networking environment.
In this chapter, we are talking about complete, full-featured server technologies, not the small
dedicated hardware devices that provide network services, such as print servers.

Server Technologies
Servers have evolved over the past two decades from those that offer the simple file and print
services available in the early generations of PC networking to the complex multiprocessor
boxes that are so common today. But it's not just the hardware that has changed; the evolution of
servers has spawned specific server technologies designed to fill specific environmental niches.
Let's take a look at the server landscape of today.
File and Print Servers
Much like the early days of network file serving, today's file and print servers fill almost exactly
the same role. However, the technology of the multipurpose file and print server these days tends
to be relegated to either very small organizations or to small departments in larger organizations.
In either case, the basic file and print server is being supplanted by network devices that fill those
same roles but don't require a full-blown dedicated server. Print services can easily be handled
by dedicated print server devices, which work as Plug-and-Play (PnP) network devices to which
any printer may be attached, and rarely cost more than $200. Storage can be handled by
dedicated network-attached storage, which supports access controls that the client PCs
understand and work in a PnP fashion to attach to a network. Dedicated computers acting as file
and print servers are relics of the early days of computer networking. Each organization needs to
evaluate whether it wants to use file servers as print servers.
Database Servers
If there was ever a business need that drove server technologies forward it was the need for a
database server. Dedicated boxes that run everything from small local database applications to
large corporate enterprise applications that were once the domain of big iron mainframes,
database servers are usually the point at which the cutting edge of server hardware technology
meets the realities of the business process. In this space, large multiprocessor boxes with
gigabytes of memory and direct channel access to fast storage are the bread and butter of the
corporate computing world.

Application Servers
Plenty of business applications are best served by dedicated hardware. These application servers
have a broad range of requirements that depend on their specific role and can range from
enterprise resource planning (ERP) to customer relationship management (CRM) to custom-developed in-house applications. These critical, line of business (LOB) applications are
sufficiently important to have their own hardware dedicated to them, and the expense of the
dedicated hardware is no longer a barrier to the adoption of these application software
technologies. Some application servers, such as fax servers, combine both server and client
software plus a dedicated hardware component installed in the server itself.
Email Servers
Fitting in the space right between database servers and application servers, email servers share
the attributes of both. Running a dedicated email application such as Microsoft Exchange Server
in a large corporate environment requires the processing power usually associated with database
servers, yet they also fit the application server model, as email is probably the most common
business application that gets dedicated servers.
Storage Servers
One of the newest dedicated server technologies, the storage server, such as Microsoft's
Windows Storage Server 2003, provides the manageability of the network operating system
(OS) as well as the ability to handle the concatenation of multiple external storage devices by
using technologies such as iSCSI. This advance brings the type of storage environment formerly
found only in dedicated Fibre Channel SAN environments to any IP-based network. This
development gives businesses the ability to add the advantages of dedicated storage networking
without the expense and aggravation of needing to add a second, parallel, dedicated storage
network. GbE and its support for technologies such as TCP/IP Offload Engine (TOE) and
Remote Direct Memory Access (RDMA; both TOE and RDMA were described in detail in
earlier chapters), will make IP-based storage networking a common application found in
corporate networks.
Web Servers
Web servers, while once thought of as just server applications, have evolved enough to even
have dedicated OSs. Although many Web farms run on versions of UNIX or Linux OSs,
even Microsoft sees the needs of the Web server OS as being different from the company's
general-purpose OSs, shipping a product called Windows Server 2003, Web Edition. A
dedicated Web server will usually be running a stripped-down version of the selected OS, with
hardware focused on supplying data or serving Web requests as quickly as possible. Usually, if
the task runs beyond serving Web pages, the Web servers, as Figure 5.1 shows, will be sitting in
front of a bank of dedicated servers that offer the actual back-end processing necessary for the
business purposes of the front-end Web farm.

72

Chapter 5

Figure 5.1: In a Web farm scenario, the traffic from the Internet is routed to one or more Web servers, which
themselves connect to multiple back-end servers that offer the appropriate response to the Web request.


Blade Servers
The other server types we've discussed so far are differentiated primarily by software, but blade
servers represent a specific hardware technology. These servers pack multiple individual servers
on blades within a single chassis. They offer advantages to any server room that requires many
servers, a certain amount of interchangeability with the hardware, and simplified management
and architectural considerations. Server virtualization, partitioning, and other cutting-edge
technologies are well served by the blade server model. However, the hardware technologies that
can be applied to blade servers have specific criteria that might not need to be addressed in more
traditional server hardware. As a result, the selection of blade servers requires an even greater
amount of attention than that paid to the purchasing decisions used for normal server boxes.
The average network will include multiple types of servers. Even a small business environment is
likely to have file and print servers and email servers. Large corporate environments will include many
or all of the types of servers described; multiples of each server type; and infrastructure, such as
clustering and grid computing, that make use of special types of server technologies.

Servers are where most of the newest computing technology undergoes its baptism of fire. Some
dedicated client PC applications really tax the system hardware (for example, video subsystems
on desktop computers), but the toughest test of any technology will usually be in the server
environment.
A look at the processes on a desktop computer will show you that, even on a heavily used
system, the CPU is sitting idle most of the time. In a server, that just isn't the case; there is
always some task that needs attention, from serving direct requests to system housekeeping
demands. In a perfect world, all software is well written and works cooperatively to maximize
the performance of the computer on which it is running; in the real world, that just isn't the case.
Software designers, even for server applications, often write their programs as if their software is
the only thing running on the computer. As this is rarely the case, you end up with a situation in
which the hardware needs to make up for the software's deficiencies. Thus, the server hardware
needs to be up to the task; it needs to be able to run efficiently when pushed to the limit of the
hardware's capabilities.

Defining the Cutting Edge

It is very important for IT managers to be aware of the technologies that drive the server
marketplace. Determining which products to use and getting the greatest return on their server
investment while applying as much future-proofing as possible to the server environment can
only be achieved by having a clear understanding of the technologies that make up a server and
the impact of those technologies on overall server performance.
Although understanding the capabilities of the individual components that make up a server system is
important in the server-selection process, don't underestimate the expertise required to build servers
and combine a selection of components from a wide variety of vendors to offer customers the best
performance value at any given price point.

By overall performance, we are referring not just to the speed of the hardware components but
also to the entire list of critical evaluation points required by IT professionals: performance,
reliability, availability, serviceability, scalability, and security. Let's define each of these terms
for the purposes of this publication:

Performance: Performance in this instance describes the traditional measure of hardware
performance: how fast are the individual hardware components that make up the
complete server? These basic components include the CPU, motherboard chipset,
embedded I/O devices, network interface cards (NICs), and hard drives.

Reliability: Reliability describes not only the reliance that can be placed on the server
but also the expectation that the hardware is suitable to task; that it can be counted on to
run the necessary business applications.

Availability: Availability refers to how much downtime can be expected with any given
configuration. The target of many high-end systems is often referred to as five 9s of
availability or 99.999% up time. But every extra 9 past that first one increases the cost of
the server. IT managers need to understand the technologies to get the greatest number of
9s without spending their dollars in the wrong places.

Serviceability: Serviceability refers not only to the measure of how difficult it is to
service and replace components of the server system, such as drives, cards, and memory,
but also to remote management and alerting technologies offered in the server platform.
How much information is available about the health of the system without opening the
case? Are there dedicated software applications that keep an eye on the component
hardware?

Scalability: Scalability is the capability of the server to grow to meet the expanding
needs of the business environment as well as the ability to be right-sized or configured
appropriately for the defined server task in the first place. The inability to scale server
capabilities (memory, storage, and networking) can relegate an expensive piece of
hardware to the junk pile if the application software needs of the organization expand.

Security: These days, it might be best to put security as the first priority for any
technology decision. With servers, we are talking not just about the security options
offered by the OS but also the security offered by the hardware, which ranges from the
password-protected BIOS to chip-level antivirus scanning and protection.

It is also important to note that these six measures of suitability to task for server computing are
not separate and discrete components. Every component of the server system, from the basic core
logic to the application software running on the selected OS, should be subject to an evaluation
based on these six criteria.
The explicit combination of software and hardware features chosen by the IT manager will have
a direct impact on which of these criteria is most important. The IT manager should weigh these
criteria based on the business needs the server will be addressing, and understand the tradeoffs
that need to be made in terms of cost versus capability. Based on this evaluation, the IT manager
can then spend his or her money where it will do the most good.

Understanding Performance-Oriented Technologies
There are many technologies that combine to offer the performance and reliability that users
demand in their server products. From the core I/O logic of the computer to the network
connections, each component within the server system plays its own role in providing the user
experience demanded by IT departments.
Remember that desktop computers and servers are designed with different duty cycles in mind.
Although desktop computers have often been used in the server role with success, a desktop
computer is designed with the expectation that it will not be stressed in a 24×7 role. Servers are
designed to operate with the stresses and duty cycles expected in a high-usage role and still provide
high availability.

Core I/O Components

Users tend to think about server performance in terms of CPU speeds, hard drive access times,
and availability of memory, but it is the system I/O core logic that ties all of these components
together and makes high-performance servers possible. The core logic chipset determines the
capabilities of the server, controlling the amount and speed of available memory and CPU,
determining the bandwidth capabilities of the system bus and CPU support, and defining the
aggregate bandwidth available to the system from both external and internal buses. This core
logic of a server is generally defined by two sets of components, referred to as the North Bridge
and the South Bridge.
North Bridge
The North Bridge is the chipset that controls the connection of the system's CPUs and the access
to the system's memory. Products such as Broadcom's ServerWorks Grand Champion
Enterprise Quad Processor SystemI/O Platform take full advantage of the Intel architecture
and manage the flow of data with support for as many as four Intel Xeon processors, 64GB of
main memory, and 6.4Gbps memory bandwidth. The chipset also offers three I/O channels, each
of which supports as many as 1.6Gbps bandwidth. Broadcom offers extensive RAS features
with the term RAS standing for reliability, availability, serviceability. These RAS features
include 128-bit ECC support, memory mirroring, memory hot swap, and spare memory
capabilities. This ServerWorks core I/O chipset even supports the Chipkill technology, which
allows a server to recover from the failure of an entire bank of memory (see Figure 5.2).
South Bridge
The South Bridge links the North Bridge to the I/O components in the system. To do so, the
South Bridge needs to connect to the North Bridge as well, and ideally can aggregate bandwidth
over the available North Bridge connections (in the case of the example ServerWorks chipset,
the three 1.6Gbps channels described in the North Bridge section). There are multiple types of
I/O connections in every server, which can include the AGP bus, ATA/IDE, Serial ATA
(SATA), SCSI, USB, IEEE 1394, InfiniBand, and PCI Express (see Figure 5.2).


Figure 5.2: The relationship of the North and South Bridges to CPU, memory, and I/O subsystems.

Storage
The internal storage subsystems of the computer will always play an important role in overall
server performance. Despite the movement of network storage to external devices and storage
networking, a server loads its OSs from local storage and is required to use that same storage for
the operation of the OSs; swapping data from memory to disk, memory virtualization, page files,
and so on. There are a variety of common storage technologies found in server hardware:
IDE/ATA, SATA, SCSI, and Serial Attached SCSI.
IDE/ATA
IDE, or integrated drive electronics, makes use of the advanced technology attachment (ATA)
implementation that places the drive controller electronics on the drive itself. ATA has gone
through no less than seven revisions over its life cycle, with ATA/133 being the current
high-performance version of the specification. Despite the high speed of the data transfers, ATA
drives are suitable only for low-end servers as a result of the limitations of the technology that
limit cable lengths, number of drives, and overall throughput. This technology is now often
referred to as Parallel ATA so as to avoid confusion with the newer and faster SATA technology.

SATA
SATA offers faster data transfer rates (150MBps in its initial implementation, 300MBps for the
second generation), lower voltage requirements, and thinner cables requiring fewer connections
(just two data channels, allowing a 3-meter-long thin cable rather than the flat 40/80-wire,
18-inch ribbon cables used by Parallel ATA). Rather than the master/slave configuration of two
drives on each cable for Parallel ATA, SATA treats each of the two drives on the cable as if each
were the master drive on its own port. Although Parallel ATA evolved for desktop computers,
SATA was designed to be used in entry-level servers, offering a low-cost, high-performance
storage solution for entry-level and non-mission-critical servers.
SCSI
SCSI, or small computer systems interface, is a parallel interface standard that has gone through
almost a dozen iterations and currently supports speeds as fast as 320MBps in its fastest
incarnation. It is the standard drive interface for high-performance computing both in
workstations and servers. SCSI devices do not have the two device maximum limitation that
ATA and SATA devices share, supporting as many as 15 devices per channel, and the maximum
cable length is measured in meters, not inches. SCSI devices are able to process instructions in
parallel, meaning that greater throughput is possible than in ATA devices that must process a
single instruction at a time. The peak performance of SCSI devices is critical for applications
such as heavily used databases, streaming audio and video, and any other bandwidth-intensive
application that draws directly from disk storage. The instruction processing capability of SCSI
means that OSs that offer full SCSI support will run faster on SCSI drives than on ATA drives
rated for equivalent performance. The only downside to SCSI is that SCSI drives command
a premium price over ATA drives and, at this time, ATA drives offer higher capacities (which
results in a lower cost per megabyte).
Serial Attached SCSI
Serial attached SCSI is a full, dual-ported implementation that supports a maximum of 4032
devices at speeds as fast as 3Gbps. Rather than the shared-loop technology used by standard
SCSI, serial attached SCSI uses dedicated point-to-point connections for each device. Serial
attached SCSI was designed to support three distinct protocols: the Serial Management Protocol,
used to manage the point-to-point connections; the Serial SCSI Protocol, used to leverage
existing SCSI devices; and, most important, the Serial ATA Tunneling Protocol, which allows a
seamless interface between Serial ATA and serial attached SCSI technologies. Both technologies
use the same connector configuration, and with the correct electronic support (in the core I/O
logic), offer an upgrade path to users. The goal is to allow SATA drives to be connected to serial
attached SCSI interfaces, providing a lower-cost storage alternative. (SATA drives will attach to
serial attached SCSI connectors; the reverse, however, is not true, because the connector on the
serial attached SCSI drive has an extra hump to prevent its attachment to a SATA connector.
SATA drives, lacking this hump, will still connect to serial attached SCSI connectors.)


RAID
One common server technology that applies to all forms of storage is the Redundant Array of
Inexpensive Disks. RAID storage is a de facto standard in server implementations. RAID
currently has no less than nine standard levels of implementation:

RAID 0: RAID 0 is the striping of data across multiple drives, which provides the
highest possible performance but offers no fault tolerance. If one drive in the stripe set
fails, all data is lost.

RAID 1: RAID 1 is the mirroring of data across pairs of disks. Data is written to both
drives simultaneously. The primary downside is that RAID 1 requires a 100 percent
duplication of disk drives.

RAID 2: RAID 2 is very rare and involves an ECC striping of data to the drives at the
bit level to improve fault tolerance related to data corruption.

RAID 3: RAID 3 uses byte-level striping with a dedicated parity disk. Unfortunately,
this configuration is unable to service simultaneous requests, and as such, is rarely used.

RAID 4: RAID 4 is basically RAID 1 plus a dedicated parity disk. There are
performance advantages to the multiple disk stripe set, but they can be offset by write
bottlenecks on the single parity drive.

RAID 5: RAID 5 performs striping of data at the byte level and of ECC information
across all the drives in the stripe set, which results in a combination of good performance
with excellent data protection. RAID 5 is the most popular fault-tolerant RAID
implementation.

RAID 6: RAID 6 performs block-level (as opposed to byte-level) striping of data and
parity information across all the disks in the stripe set.

RAID 0+1: RAID 0+1 creates a RAID 0 stripe set, then uses a RAID 1 mirror of the
initial stripe set to provide fault tolerance.

RAID 10: RAID 10 creates a RAID 1 mirror set, then creates a RAID 0 stripe set over
the mirrors.

RAID sets can be created in both hardware and software. For example, Windows Server (all
versions) can perform RAID 0 and RAID 1 functions using the facilities built into the OS.
However, doing so adds to the OS overhead, as the OS is now responsible for managing the disk
hardware in a way that is much more CPU intensive than just accessing the file system. For this
reason, hardware RAID controllers are the standard for servers (and workstations). In this case,
the RAID configuration is handled by the firmware and processing of a dedicated RAID
controller, with the OS seeing just a standard, high-performance hard drive. In this way, no
additional overhead is required by the server OS.
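To make the striping and fault-tolerance behaviour of RAID 0 and RAID 5 concrete, here is a small added simulator (example code written for this page, not Broadcom's or any RAID controller's firmware). It stripes a constructed payload across simulated drives as RAID 0 and as RAID 5 with block-level rotating XOR parity, then shows that RAID 5 rebuilds one failed drive while RAID 0 loses everything. The block size, drive count and payload are assumptions chosen for readability.

```python
"""Toy RAID 0 / RAID 5 simulator: striping, rotating XOR parity, single-drive rebuild.

Added example for this page (not vendor code). Each "drive" is a Python list of
fixed-size blocks; a failed drive is represented by None. Block size and drive
count are constructed values chosen for readability, not real controller settings.
"""
from typing import List, Optional

BLOCK = 4  # bytes per stripe unit (constructed; real controllers use far larger units)

Drive = Optional[List[bytes]]  # None models a drive that has failed


def _blocks(data: bytes, multiple: int) -> List[bytes]:
    """Split data into BLOCK-byte chunks, zero-padding to a whole number of stripes."""
    padded = data + b"\x00" * (-len(data) % BLOCK)
    chunks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    chunks += [b"\x00" * BLOCK] * (-len(chunks) % multiple)
    return chunks


def _xor(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks: the parity a RAID 5 controller computes."""
    out = bytearray(BLOCK)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid0_write(data: bytes, ndisks: int) -> List[Drive]:
    """RAID 0: round-robin striping; every block is stored exactly once (no redundancy)."""
    drives: List[List[bytes]] = [[] for _ in range(ndisks)]
    for i, blk in enumerate(_blocks(data, ndisks)):
        drives[i % ndisks].append(blk)
    return list(drives)


def raid0_read(drives: List[Drive], length: int) -> bytes:
    """Reassemble a RAID 0 set; any failed drive makes the whole set unreadable."""
    if any(d is None for d in drives):
        raise RuntimeError("RAID 0: a drive in the stripe set failed, all data is lost")
    out = bytearray()
    for s in range(len(drives[0])):
        for d in drives:
            out += d[s]
    return bytes(out[:length])


def _parity_disk(stripe: int, ndisks: int) -> int:
    """Left-symmetric layout: the parity block rotates one drive to the left per stripe."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data: bytes, ndisks: int) -> List[Drive]:
    """RAID 5: ndisks-1 data blocks plus one XOR parity block per stripe, parity rotating."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = ndisks - 1
    blocks = _blocks(data, per_stripe)
    drives: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(blocks) // per_stripe):
        stripe = blocks[s * per_stripe:(s + 1) * per_stripe]
        pdisk = _parity_disk(s, ndisks)
        data_iter = iter(stripe)
        for d in range(ndisks):
            drives[d].append(_xor(stripe) if d == pdisk else next(data_iter))
    return list(drives)


def raid5_rebuild(drives: List[Drive]) -> List[List[bytes]]:
    """Reconstruct one failed drive from the XOR of the survivors (what a hot spare receives)."""
    failed = [i for i, d in enumerate(drives) if d is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed drive")
    if not failed:
        return [list(d) for d in drives if d is not None]
    alive = [d for d in drives if d is not None]
    rebuilt = [_xor([d[s] for d in alive]) for s in range(len(alive[0]))]
    return [list(d) if d is not None else rebuilt for d in drives]


def raid5_read(drives: List[Drive], length: int) -> bytes:
    """Reassemble the data blocks, skipping each stripe's parity block."""
    full = raid5_rebuild(drives)
    ndisks = len(full)
    out = bytearray()
    for s in range(len(full[0])):
        pdisk = _parity_disk(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += full[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"  # constructed sample data
    r5 = raid5_write(payload, 4)
    r5[2] = None  # simulate losing the third drive of the RAID 5 set
    print(raid5_read(r5, len(payload)))  # the data survives a single failure
    r0 = raid0_write(payload, 4)
    r0[2] = None  # the same failure in a RAID 0 set
    try:
        raid0_read(r0, len(payload))
    except RuntimeError as err:
        print(err)
```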


GbE
GbE is the current standard version of the Ethernet technology that has existed since the 1970s.
100Base-T is the standard for GbE over copper wiring (Category 5 Unshielded Twisted Pair).
Chapter 2 provided you with an overview of the current state of the industry for GbE. For the
purposes of this chapter, it is important to consider GbE an enabling technology. The high
performance of GbE (and eventually 10GbE) makes related technologies such as TOE, RDMA,
and iSCSI practical business choices for the IT professional.
TOE
TOEs allow the NIC to handle the processing of the network transport protocol instead of
relying on the OS and the server CPU to perform this work. All transactions with the host
processor are handled at the session layer, which leverages an application's use of large files to
reduce the number of interactions the host CPU needs to have with the data. TOEs can offer
either full or partial offload. The full offload completely removes the responsibility for dealing
with the IP protocol stack and its contents from the host NIC. The partial offload handles the data
transmission/reception information and relies on the host NIC IP stack to handle the
transmission, termination, and error handling for connections.
There are many server applications that are communication-centric, rather than compute-centric,
such as email and Web servers. The tight integration of TOE with GbE and the core chipset
technology allows for significant performance improvements. Especially with GbE, these
communication-focused applications can consume far more CPU cycles than you would
generally think, bottlenecking the server at the CPU; the use of TOE, especially if it is tightly
integrated with the core logic, will prevent the communication aspects of the computer's
application from causing the CPU to be the bottleneck. This doesn't mean that the CPU will
never run out of resources, but with TOE, the cause won't be the creation of the traffic that
comes and goes over the NIC.
As Chapter 2 discussed, industry-standard TOE implementations, such as the Microsoft TCP
Chimney initiative, mean that TOE will be an industry standard that can be used to replace
non-standard proprietary network co-processor technologies. The inclusion of TOE support in
core logic chipsets can only make this standard implementation simpler.
RDMA
RDMA is a technique that allows the data in the memory of one computer to be transmitted to
the memory of another computer without involving the host CPU or host OS on either computer.
RDMA can provide sufficient performance over GbE networks, with sufficiently low latency, to
be suitable for designing cluster applications that formerly required dedicated connections.
RDMA is a more important technology than you might think; the push for grid/utility computing,
and high-performance computing that uses resources spread over multiple computers means that
the features offered by RDMA are critical to the successful implementations of these
technologies. Using RDMA allows applications to exchange data, bypassing the CPU and the
OS, which, in turn, results in drastic reduction in latency. Zero-copy receive and transmit
operations write directly into the application's buffers. Doing so relieves the strain on the
server's memory subsystem because the extra data copies that are maintained in more traditional
networking stacks are no longer there.
iSCSI
iSCSI is a standard for using SCSI commands over IP-based networks. By supporting GbE at the
physical layer, iSCSI can be used to build storage networks over standard Ethernet networking.
The OS interaction with iSCSI is basically the same as interacting with local SCSI devices with
the exception that the SCSI commands are transmitted over the GbE connection to the target
device (see Figure 5.3). Although not as fast as a dedicated fiber channel storage network, iSCSI
simplifies implementation and adoption by lowering the complexity and cost of storage
networking.
The inclusion of iSCSI support means that users will be able to create storage networks as
necessary, without the need for dedicated networking hardware. iSCSI will allow users to place
storage resources wherever they are needed in a GbE network. The iSCSI support will result in
lower costs for storage networking and greater utilization of existing Ethernet networking.

Figure 5.3: iSCSI storage networking runs on the same network infrastructure as the standard network,
functioning as remote SCSI drives available to any OS that can provide an iSCSI initiator. Applications
running on servers with iSCSI initiators send SCSI commands to the storage servers.

Technology Integration
The future (and present) of servers is the integration of these technologies that improve
performance along with reliability, availability, and serviceability. For example, the integration
of GbE into the server means that the applications that can take advantage of it will naturally
evolve and become more common. A look at the Windows Server 2003 (WS2K3) market in
mid-to-late 2004 will show a huge number of iSCSI-based products being released. The adoption of
GbE is rapidly making this technology the standard for Ethernet networking.

As this technology becomes more widely accepted, the next generation of server purchases will
reflect that, meaning that technologies such as GbE and the infrastructure to support
high-performance computing will become the standard for networks in the immediate future. Chip
vendors will be providing greater integration in their board-level products, and vendors such as
Broadcom, with its large variety of chip and board-level products, will make high-performance
servers cost effective for even the small-to-medium-sized business market, as Table 5.1 shows.
Technology                        Benefit
Integrated core I/O technologies  More efficient server operations
GbE                               Faster networking with backward compatibility
TOE                               Reduced CPU utilization; improved application performance
iSCSI                             Storage networking without a dedicated network
RDMA                              Clustering support

Table 5.1: Technology benefits to the server and networking environment.

Which components are found on a motherboard or server blade? Common components found on the
system boards of both servers and desktops include:
CPU and CPU sockets (from one to four on a single motherboard; 8-way systems are a special case)
I/O ports (external and internal)
Storage connectors (ATA/SATA/SCSI) for both hard drives and CD/DVD drives
Memory sockets
Add-in card slots (PCI, PCI-X, PCI-Express, AGP) or backplane
North Bridge
South Bridge
Battery, BIOS, power supply connector

Technology Convergence
As the marketplace moves forward, many of the technologies that make up a good server won't
just be integrated into the server product, there will be a convergence on the Ethernet and
integration with the system core logic that will reduce costs while increasing the performance
and tightening the integration of the various subsystems. An example of this technology is the
Broadcom CIOB-E Grand Champion Dual Gigabit Ethernet (Copper)/PCI-X SystemI/O
Bridge.
The Champion I/O Bridge-E (CIOB-E) is an example of the way that Broadcom is integrating
GbE into the core I/O subsystems of a server. Containing dual GbE MAC controllers, dual
physical layer controllers, and a 64-bit PCI-X, the CIOB-E is tying networking and computing
technologies together and is eliminating the need for a discrete GbE interface, reducing the
necessary board real estate and facilitating the use of GbE in space-constrained server systems
such as the current state-of-the-art blade server systems. The CIOB-E was the first integrated
core logic GbE technology to hit the market in late 2002.

The integration of GbE into the core logic also reduces the end-user cost of the servers and aids
in making GbE the networking standard in the corporate environment. An additional benefit is
that the CIOB-E still uses the same software drivers as standalone Broadcom GbE controllers.
This software commonality makes it possible to implement Broadcom GbE technology across
the enterprise, using products such as the add-in boards equipped with the Broadcom Converged
Network Interface Controller (C-NIC) in computers that lack embedded GbE.
GbE is fully backward compatible with the previous 100Base-T Ethernet standard. Thus, there is no
technical issue in adding servers with embedded GbE support to your existing Ethernet networks. No
special accommodations are needed, and when you upgrade your switch infrastructure to GbE, your
servers will be poised for immediate performance gains.

Converged Network Interface Cards

In May 2004, Broadcom opened the door for Ethernet convergence products with the
NetExtreme II C-NIC, a product that combines four separate technologies: TOE, RDMA,
iSCSI, and embedded in-band management pass-through into a single chip that allows for remote
control of the server over a single network connection. This combination of features means quite
a bit in the server environment in terms of improved efficiencies in server utilization, usability,
and manageability.
The dedicated controller is able to offload network operations from the host CPU and supports
technologies that go beyond basic Ethernet networking. The TOE, RDMA, and iSCSI support
mean that complex management and storage networks can be configured with the addition of
special hardware. Servers that make use of the C-NIC can be dropped into a network that uses
iSCSI for remote storage and be ready to run. RDMA means that the server is cluster ready for
OSs that support the technology.
This new class of C-NIC products ushers in an era: It is time to start thinking about converging your
storage traffic, cluster traffic and networking traffic over one IP network. Consider new server
technologies that enable IP convergence, such as:
OSs that can accommodate TCP/IP offload
iSCSI for block-level storage networking
Clustering x86 servers for complex computing applications

Benefits of the converged technology presented by the C-NIC:

Reduction in network latency
Significantly lower CPU utilization: tests using the NTTTCP benchmark showed that use of the
C-NIC, running Microsoft's TCP Chimney software, improved CPU utilization as much as five times
over a standard GbE controller
Performance gains across all mainstream server applications
Virtual always-on remote management eliminates the need for dedicated network management

In the blade server environment, this single-chip solution does more than just save space on the
PCB; it also minimizes the complexity of the backplane due to the need for a single set of paths
that make for simpler routing and a reduction in crosstalk. The single switch fabric for these
networking technologies makes development simpler, and the common management capabilities
are supported by all widely used management tools.

Scalable and Configurable I/O

This chapter started by discussing the system I/O bus. If you've asked yourself why this is
important, it's as simple as this: overall, the I/O subsystem has a greater impact on total system
performance than the CPU. Low-end I/O chipsets don't allow the CPU to perform at its fullest
potential. The core logic chipsets interface directly with the CPU front-side bus, the memory
subsystem, and with external components via various interconnect technologies, some of which
are described earlier in this chapter. The ultimate purpose of these chipsets is to facilitate the
transfer of data without any bottlenecks so that the processors, memory, and the various
peripheral components can do their jobs without interruption.
Core logic must be designed to take advantage of the different types of interconnects available as
well as to provide support for the CPUs commonly in use in the business environment. The right
core logic components are critical to cost-effective server design and utilization.
Properly designed and implemented core logic results in the following benefits:
More impact on performance and functionality than other system components
More impact on reliability, availability, and scalability than other parts of the system
More flexibility to integrate additional functionality in the core logic

Interconnects
Current implementations of core logic have to make choices about the interconnect technologies
they support. There are currently three interconnect technologies commonly found in servers:
HyperTransport, Peripheral Component Interconnect Extended (PCI-X), and PCI-Express.
HyperTransport
Originally proposed by AMD and turned over to the HyperTransport Consortium,
HyperTransport is a direct, high-speed, high-performance, point-to-point link for integrated
circuits. It supports a dual bus with unidirectional point-to-point links operating at a data
throughput speed of as fast as 22.4GBps. This is an aggregate bandwidth and there currently can
be a maximum of three HyperTransport links per system. The link width can be 2, 4, 8, 16, or 32
bits and the bandwidth, in each direction, can range from 100MBps to 11.2GBps. It provides
multiprocessor support and supports both the coherent and non-coherent memory models.
The HyperTransport Release 2.0 specification includes the ability to map PCI, PCI-X, and, new
to this version, PCI-Express, providing broad technology support. Release 2.0 is backward
compatible with HyperTransport Specification 1.x.

PCI-X
Developed jointly by IBM, Hewlett-Packard, and Compaq, PCI-X doubled the data rate of the
PCI bus. The current architecture supports one 64-bit PCI-X slot running at 133MHz with the
rest running at 66MHz allowing for a total aggregate bandwidth of 1.06GBps or exactly double
the 532MBps of the standard PCI bus. The PCI-X bus is backward compatible with the original
PCI bus, but if PCI cards are used, the entire bus slows down to PCI speeds, negating the
advantages of PCI-X. PCI-X does offer fault-tolerance features not found in PCI, allowing the
bus to reinitialize a card or to shut a card down before it fails completely. At this point, PCI-X
can definitely be considered old technology, having been first introduced in 1988.
PCI-Express
PCI-Express is the latest in a series of I/O interconnect standards. The standard more than
doubles the data transfer rate of the original PCI bus. Unlike the single parallel data bus of the
original PCI specification, which was designed for desktop computers, the PCI-Express standard
uses two sets of point-to-point data lanes. In addition, PCI-Express was designed to offer support
to all types of computing environments, from embedded devices to high-end servers.
Early motherboard designs with PCI used the PCI connection to link the North Bridge and the
South Bridge; current implementations use dedicated high-speed interconnects between the two
bridges, which results in much faster communications between the core logic and the peripheral
chipsets. For example, initial implementations of PCI-Express support speeds as fast as
200MBps (PCI offers 133MBps). Because PCI-Express is a point-to-point connection, there is
no bus sharing (as found in PCI); each device gets a dedicated connection. This setup
significantly reduces the chance of contention that causes an overall performance degradation in
the computer.
PCI-Express also includes support for such high-end features as hot swapping/hot plugging,
isochronous data transfer, error handling at the link level, and quality of service policy
management. Multiple virtual channels per physical link are also supported. Because PCI-Express
provides software compatibility with PCI, existing OS drivers will still function.
Hardware compatibility is provided by extending the PCI bus slot, adding a connector that sits
behind the PCI slot on the motherboard, so additional hardware is needed for full support, but
legacy devices with drivers for the current OS will function as if the PCI-Express interface was
not there.
CPU Support
In the x86 universe, there are a number of CPU types that need to be supported. These include
the Intel IA-32 and Extended Memory 64-bit Technology (EM64T) architectures, and the AMD
64 architecture as represented by the Athlon and Opteron processors.

IA-32
The term IA-32 is basically interchangeable with the current generation of x86 processors from
both Intel and AMD that have been on the market since the release of Intel's first 32-bit
processor. It defines the 32-bit instruction set used by these families of processors.
The current server class IA-32 CPU from Intel is the Xeon processor. The Xeon processor differs
from the desktop Intel P4 processor primarily in the size of the L1 and L2 cache and support for
multiprocessor systems. Entry-level single processor servers may use P4 processors rather than
Xeon server-class CPUs.
AMD Opteron
The Opteron processor is AMD's eighth generation of x86 CPU and its first generation to
support the AMD 64-bit instruction set, allowing the CPU to access more than 4GB of system
memory. The processor can run both 32-bit and 64-bit applications and suffers no performance
penalty when running 32-bit applications.
Unlike Intel processors, the CPU contains an integrated DDR SDRAM memory controller, as
Figure 5.4 shows, which negates the need for a North Bridge and significantly reduces the
latency experienced when the CPU accesses memory. This on-chip controller can be disabled to
allow the use of different memory technologies (with a traditional North Bridge), but then the
advantages of the built-in memory controller are lost. Future memory technologies will require
their own specific Opteron releases. In multiprocessor motherboard configurations (as many as
eight processors), inter-processor communication occurs via HyperTransport links.

Figure 5.4: Compared with the architecture that Figure 5.2 shows, the AMD architecture uses the on-CPU
memory controller to bypass the North Bridge and improve the speed of memory access and overall system
performance.

HyperThreading is a multithreading technology supported by Intel that allows OSs that support
multiprocessing to treat a single Xeon or P4 CPU as if it were a dual-processor computer. This
functionality is found only in the more recent iterations of Intel Xeon and P4 processors. At this point,
AMD is just beginning to release a dual-core version of the Opteron Server CPUs, which also appear
to the OS as two independent CPUs. The Intel HyperThreading technology is available in both client
and server CPU products. Currently, AMD is offering this capability only in its Opteron line of server
CPUs.

AMD Athlon 64 and Athlon 64-FX
Also built with the eighth-generation AMD processor technology, the Athlon processors share
many features with the Opteron, such as the AMD 64 instruction set, but do not support
multiprocessor computing. The 64-FX shares more of the Opteron's features, such as support for
dual-channel DDR RAM, and offers higher clock speeds than the standard Athlon 64.
AMD does not use the actual clock speed of its processor in the processor names, unlike Intel. The
AMD names represent performance when compared with a pre-established standard system.

EM64T
EM64T is Intel's extended architecture 64-bit implementation of the AMD 64 architecture (it
could be said that Intel CPUs that support this technology are AMD compatible). Although the
initial release is not identical in function to the AMD 64, future versions are expected to be 100
percent compatible. Microsoft Windows XP for 64-bit computing will run on either the Intel or
AMD 64-bit extension technologies to the x86 architecture.
Complete details about the Microsoft Windows XP 64-bit Edition can be found at
http://www.microsoft.com/windowsxp/64bit/default.mspx.

What about IA-64 and the Itanium processor? IA-64 is Intel's 64-bit CPU architecture that was
introduced with the Itanium processor. IA-64 CPUs do not directly execute x86 code; instead they
virtualize the x86 instruction set, resulting in a significant performance penalty when compared with
execution of native IA-64 code. The chipset technologies discussed herein apply only to x86
architecture CPUs. The future development of the IA-64 processor family will determine the
availability of non-Intel core logic components for system board design.

Checklist for Buying Next-Generation Servers for Your Networks

Use the following general checklist when looking to purchase next-generation server technologies for
your organization's networks:

• Determine the role of the server within the network. Different roles will require you to apply
different weights to the server selection criteria.

• Determine the minimal requirements for the server in the needed role. Calculate processor, memory,
and storage needs based on the role and/or applications that the server will be using.

• Determine the networking requirements of the server. Will it need a single NIC or multiple NICs? At
this point in time, select only servers with support for GbE. There is little cost difference, and it will
work in existing 100Base-T networks.

• Single or multiprocessing CPUs: if SMP is required, is Intel HyperThreading or AMD dual-core
Opteron technology sufficient, or will multiple physical CPUs be required?

• Determine where the server bottlenecks are likely to occur. Will the server likely be I/O bound?
Network bound? CPU bound? Size the server accordingly and select components that will minimize
the chances of server bottlenecks.

• Will storage be local or remote? If local, what type of hard disk support is appropriate for the server?
If remote, will iSCSI be required or be a future-growth path?

• Does the server role require specialized server technologies such as blade servers or utility
computing? If so, determine what the requirements are for the device application.

• Don't neglect the manageability aspects of the server choice. Does the server need to integrate with
an existing network management tool? If so, make sure adequate support is available on your
selected hardware.

• Are there specific availability requirements for the server? Consider the advantages of products that
combine functions in terms of performance and reliability.

• Does your selected hardware have a sufficient degree of future-proofing? If you have maxed out
your selected server platform, you run the risk of having it become obsolete immediately upon
installation. Make sure that your choices have overhead to support your planned (or unplanned)
growth.

Summary
All of the technologies discussed in this chapter are being integrated into current and
future-generation network server and high-performance networking products. It is no longer just a case
of searching out the fastest CPU and expecting that to overcome any other deficiencies in the
products; server core logic is a much more critical component of next-generation server design.
Selecting your next server platform is not a trivial task. The expense of setting up new servers
and allowing for network growth that can accommodate business growth can seem to require a
bit of a magic at times. Understanding the technologies that are being deployed and advanced
with the next generation of products is an important part of the evaluation process that your
server purchases need to go through.

It's no longer enough to commit to a vendor because the vendor offers you the best price on its
current technology; finding yourself in "rip and replace" mode is something that no IT
professional desires, and a detailed understanding of the technology you are purchasing,
especially if it is something that might already have been pushed into the "mundane" category, such
as servers, can only help you make better choices for your next selection. The technology is
constantly changing and you don't want to be caught off guard.
Broadcom has taken the leading edge in designing and creating the next-generation products and
has taken the industry lead in engineering the cutting-edge technologies that leverage standards
and provide optimal performance. Its products are CPU-agnostic with support for AMD and Intel
server CPUs along with support for the three major interconnect technologies currently available.
Broadcom is also the leader in the convergence space, building more functionality into the
critical components that are the building blocks of your next server purchase. These investments
in convergence technologies bring the user increased reliability, improved efficiency, and a
higher return on investment for products that make use of these technologies. Because of its
broad product portfolio and exposure to a wide variety of markets, Broadcom is driving the
convergence of voice, video, and data services over both wired and wireless networks. The
company is integrating its broad range of networking and communications innovations into
next-generation products that bring breakthrough technologies to a much broader audience. The
company continues to create solutions that make next-generation networking affordable for even
midsized businesses, making the latest in technology available to a larger marketplace.

Broadcom, the pulse logo, Connecting everything, the Connecting everything logo,
ServerWorks, NetXtreme, Champion, Grand Champion, and SystemI/O are trademarks of
Broadcom Corporation and/or its affiliates in the United States and certain other countries. Intel,
Intel Xeon, and Itanium are trademarks of Intel Corporation. UNIX is a trademark of Unix System
Laboratories, Inc. Linux is a trademark of Linus Torvalds. Chipkill is a trademark of International
Business Machines, Inc. InfiniBand is a trademark of InfiniBand Trade Association Corporation. PCI
Express and PCI-X are trademarks of PCI-SIG. HyperTransport, AMD 64, Athlon, and
Opteron are trademarks of Advanced Micro Devices, Inc. Microsoft, Windows, and Windows
XP are trademarks of Microsoft Corporation. Any other trademarks or trade names mentioned are
the property of their respective owners.


Chapter 6: End-to-End Security: How to Secure Today's Enterprise Network
Security is a concept and responsibility that in some way touches on almost every decision made
about corporate network environments. Whether it is a primary concern or simply a check box
item on a list, the security consequences of every action that affects your networks must, at some
point, be considered and, in most cases, acted on. A comprehensive end-to-end security model is
not just a good idea; it is an absolute necessity.
As network security has become more critical, it has also, unfortunately for the network
administrator, become increasingly more complex. It is no longer enough to simply lock down
the perimeter of your network (though that is still a critical task). Let's consider some of the
additional issues that affect the security of the network:

• User/client issues: Consider the nature of how all of the client computers access the
network. It's no longer the simple matter of wired network clients; there will be wireless
access, remote access (via VPN or Internet access), and the occasional visitor to the
business who needs access to network resources. Additionally, consider the fact that
networks on the other side of the remote access connection may not, of themselves, be
secure.

• VoIP and wireless capabilities and their associated applications: Although the issues
regarding securing wireless networks are well documented (and will be addressed later in
this chapter), adding VoIP capabilities to your networking infrastructure brings its own
set of security complications. Additionally, applications that make use of wireless
networking and VoIP may require specific configurations for your security model
(control over specific IP ports, and so on) in order to operate correctly.

• Management issues: As additional clients and devices are added to the network, security
management becomes more complex. Complexity increases the cost of providing security
and demonstrates the need for centralized management (of devices and security) to
reduce expenses.

• Cryptographic issues: Strong cryptographic protection can be an integral part of
securing your environment. If this route is chosen, however, it is important to select a
managed solution that has as little impact on overall network performance as possible,
while still offering the level of cryptographic protection deemed advisable for your
environment. The cost of such protection must also be factored into the decision.

• Return on investment (ROI) issues: ROI considerations relating to the general expenses
of securing the network and its devices must be considered. You must examine the costs
associated with securing client devices and assuring that they can be authenticated to the
network and have some level of tamper resistance.

• Compliance issues: It is basically impossible these days to build any sort of network and
not have some concern about government regulations. Such compliance could range from
a completely Federal Information Processing Standards (FIPS)-compliant security model
to minimal protection that incorporates government-approved encryption standards such
as AES or 3DES. There might also be other regulatory standards that affect the security
of information on the network, such as the Health Insurance Portability and
Accountability Act (HIPAA) of 1996, the Sarbanes-Oxley Act of 2002, SEC Rule 17-4a,
or any industry-specific requirements that will need to be addressed.

Securing from the Outside In

As Figure 6.1 shows, the traditional security model starts with securing the perimeter of the
network.

Figure 6.1: A simplified view of the edge security model.

These edge security devices can range from hardware appliances that are specifically designed to
perform tasks such as providing a firewall, content filtering, spam and virus suppression, or any
operation that should be performed on traffic before it enters the network perimeter. Software is
also available to provide these same services, ranging from comprehensive products, such as
Microsoft's ISA Server, which combines different tasks on the same hardware, to single-solution
products, such as CheckPoint's firewall software. Although combination devices (those
that combine different types of security products) are often used, there are still many solutions
best served by dedicated devices, such as the VPN server that Figure 6.2 shows. By not using
combination devices to provide perimeter security, the network doesn't get locked into a
particular technology offering.
On the macro level, for example, although it might be tempting to roll all of your edge security
into a single device that combines firewall, content filtering, email scanning, IP management,
and so on, the reality is that the technologies advance at their own pace and there is no reason to
be locked into a trailing edge solution because changing a single aspect of your perimeter
security design means ripping it out completely. Dedicated, application-specific appliances (at
the server level) tend to offer the best way to future-proof your network security, upgrading each
technology as necessary without impacting the others.

Figure 6.2: In the traditional remote access scenario, remote users connect to a VPN server that
authenticates by using a RADIUS server.

What we find ourselves with today is a mix of software and hardware components without a
network security model. Although this situation isnt likely to change any time soon, there are
noticeable advantages to hardware-based security over a pure software approach.

Software or Hardware Security?

In the software-only security model, all of the authentication, confirmation, and processing of
security information is handled by software running on top of the client device operating system
(OS). If the software is doing a relatively simple task, such as client authentication, there isn't
much overhead on the computer; if the task is more involved, even something as routine as scanning
email for spam or running an antivirus application, the end user tends to notice a decrease in
performance while the application is executing. And if the task is a complex one at the packet
level, which involves handling the IP stack and dealing with individual packets, it can prevent
the computer from doing any other processing while it runs. Server-based security software can
be written to thread as much of its activity as possible and minimize the impact on foreground, or
primary server, applications, but by the time you get to the point where the data is being
processed sufficiently quickly, you will probably find yourself dedicating the server to the security
process.
The current security trend is to add security within the network as well as on the perimeter. This
trend usually entails distributed firewalls (if not a firewall on each client), identity management
for every network device, strong authentication for every user, and comprehensive security
management tools to coordinate all of these independent security solutions. Key and certificate
management solutions offer the network security administrator the ability to maintain an
overview of all of the certificate key pairs issued in their networking environment.
At this point in time, for many people, security means nothing more than having a good
password. But simple password-based authentication systems may soon be found only in the
most basic of networks. Strong authentication methodologies such as smart cards, hardware
tokens, USB tokens, and biometrics are all major areas of growth in the security marketplace.
Administrators want a greater level of confidence that users and devices attaching to their
networks and network resources are who they actually claim to be. For this reason, server-class
OSs provide direct support for additional authentication methods such as smart cards or
biometrics.
A hardware-based security option, in which the security information is embedded into the client
device, has quite a few advantages over a software security system. It is far more difficult to
hack into a hardware-based cryptography system. Software, by its very nature, is accessible;
there will always be a need to upgrade or modify software solutions. But the flexibility that the
software offers is offset by the need to protect the access to the software, which makes it
inherently less secure.
As Figure 6.3 illustrates, a security system is only as secure as its root layer. With a
hardware-based encryption system, it is much more difficult for the root of your security system to be
compromised by hacking or any form of unauthorized access. The creation of trusted client
devices that can be added to your network and incorporated directly into your security model
requires the implementation of embedded hardware for cryptography in each of your client
devices.

It should be noted that we are discussing embedded hardware security, not simply a security
appliance. With an appliance, you basically have a dedicated server device, running an OS, with
an application running on top of the OS that provides the security functionality of the appliance.
With the embedded hardware security model, the secure devices include chip-level security that
is at a level below that of any OS or application. Thus, the security model can't be
compromised by problems or bugs in the application or OS, nor is it susceptible to the malicious
attacks focused on the OS that an appliance would run.

Figure 6.3: In the key-based cryptography scenario, all security functions are dependent upon the root key
remaining secure. Because each layer is enclosed within the next layer, only that root failure can easily
compromise the security model.

As Figure 6.4 shows, embedded hardware encryption technology enables you to use a single
security methodology to authenticate all sorts of different network-connected devices ranging
from wireless access points to VoIP phones to desktop computers. All of these devices are the
common everyday components that are found in networks; the embedded hardware security
technology means that the implementation of the key-based cryptographic security model will
guarantee that the devices are what they claim to be, adding security to the network
infrastructure. With a strong embedded security standard in place, it should be possible to mix
and match devices even if the chip-level security is being provided by multiple vendors (or
rather, that there are multiple vendors offering products that implement this technology using
different OEM chip providers).

Figure 6.4: The key management server handles the authentication of the network devices equipped with
embedded hardware security devices.

Identity Management: Identifying Who and What is on the Network

In the current context of network security management, identity management is a software
technology designed to simplify access to network resources, thereby improving efficiency of
network-based tasks. The biggest push right now in identity management is a technique known
as federated identity management (FIM).
In FIM, software is used to authenticate users across networks with the goal of allowing
unrelated networks to share resources with users who need access that may, for example, cross
company boundaries in an environment in which more than a single vendor is working on a
project (see Figure 6.5). The goal is to make the necessary resources available from each party's
network without needing to create user accounts for every user involved in the project on all of
the disparate networks that might be involved.
The concept can also be considered a single sign-on methodology for multi-network projects.
At this point in time, FIM software is available from several vendors who offer complete
solutions ranging from FIM-enabled management to software developer kits for adding FIM
capabilities.
Identity management is not the same as a meta directory. In the case of FIM, there is no
all-encompassing directory service; rather, there is a credential authentication mechanism that allows for
foreign users to get credentials on a network without the need to create a new account for that device
or user on the host network.

Figure 6.5: FIM software gives the user access across corporate network boundaries without the need for
creating an account for the same user on each network.

Software identity management, however, doesn't assure the network administrator that the
device being connected is supposed to be allowed access. Simply being able to authenticate the
user of a device doesn't mean that the device is one that should be allowed to access network
resources. Hardware embedded identity provides advantages that are difficult for software
identity to match. For example, it's much more difficult to spoof hardware identity than software
identity. Also, as hardware identity is included in the production of the network device, it is, in
the long term, cheaper than any software technique.
There are many things at the hardware level that can specifically identify a computer to the network.
The most commonly used item is the media access control (MAC) address of the network interface
card (NIC) in the computer. Because most NICs are embedded these days, the MAC address is a
fairly reliable ID.
The idea of embedded hardware security takes the concept a bit further; not only is there an identity
to the device that is unique, specific to the device, and stored in hardware, but the same chip also
includes part of the security engine that authenticates devices.

This hardening of the actual devices also makes for simplified identity management, allowing a
more mechanized approach to managing the workload of handling domain access, passwords,
and all the security-related actions relative to users and devices.

Managing the Proliferation of Client Devices

One of the major advantages of hardware-embedded identity technology is that, in protecting
network clients against attacks, it offers network administrators a less-expensive and more secure
client management system. When implementing this security model, you really need to have an
end-to-end solution available for the security infrastructure; this is not something that you want
to piece together from multiple vendors.
An example of a complete security-based client management system technology is Broadcoms
BroadSAFE system. BroadSAFE, a certificate and key management solution, consists of three
components:

• A key management server capable of handling millions of managed devices

• Key management software to direct and manage clients

• An inexpensive hardware security module that can be incorporated by OEMs directly into
hardware client devices.

Though the clients require an embedded hardware identity module (which could presumably be
added to a PC via an add-in card so that it is possible to include legacy computers in this security
model, but would need to be designed into most devices), the key management server is a
standard network server that has had a hardware security module (as Figure 6.6 shows) installed
in it.
Although the thought of an add-in card to provide embedded security might seem contradictory, it
actually isn't, for a number of reasons. The first is that the card will primarily be there to provide
authentication to network resources; if the card is removed, there is no authentication. Second, if the
card is providing local authentication, applications at the OS level can be written so that if the card
isn't present, the applications or OS simply will not run. Third, if you don't have physical security for
your desktop computers, you've got problems beyond that which a simple hardware security option
can solve.

The security concerns over an add-in card to provide legacy support are a client-side issue. The
hardware security module that would be installed on the key server is a requirement to allow the
authentication system to run and gives you the ability to use any type of server you have
available as the head-end key server. As mentioned earlier, if you can't provide physical security
for your critical servers, you have more problems than can be solved by computer hardware or
software solutions.

Figure 6.6: A hardware security module PCI card includes the embedded silicon functions necessary to
support key management in the head-end server.

Secure Devices
The concept of securing network attached devices is a simple one; any client on the network is
both a target for attack and a potential vector for infection. Embedded hardware authentication
means that the client device cannot attach to the network without passing through the
authentication process.
In some situations, the value of this type of authentication is quite clear. Consider all of the
well-known issues with controlling wireless access and limiting that access only to approved client
devices. In terms of current security, the administrator might be required to enter a MAC address
for any client device that is approved for access. With hundreds of wireless devices, this task is
not simple. An issue also arises if a device needs to have limits placed on its access to the
network or if its access privileges need to be revoked. In addition, and especially in the case of
wireless networking, the MAC address may not actually refer to the computing device attached
to the network but only to a notebook computer with a wireless adapter in a PC Card slot or a
USB connected wireless adapter attached to any supported device.
Trusted client identification means that with embedded hardware identification in that notebook,
you know that not only is the connection allowed, but the device on the other end of that
connection is also trusted. The embedded authentication hardware offers not only a higher degree
of trust (when compared with a software solution) but also a significantly greater degree of
tamper resistance than a software solution. It is far more difficult to mess with the silicon
embedded on a circuit board in the hardware than to crack a software authentication scheme.

The BroadSAFE technology is not limited to use with Broadcom technologies; it uses security
functionality that is compatible with industry standards such as those created by the Trusted
Computing Group and Microsoft's Next Generation Secure Computing Base (a PC specification
that is compatible with current PC implementations but offers enhanced security and privacy
features).
Who You Are vs. Who You Say You Are
The point of the BroadSAFE system is to provide a strong cryptographic authentication system
that lets your security determine not just "who you say you are" but "who you really
are" for every device on your network with embedded hardware security. This distinction is one
that is often overlooked in today's security models.
In the BroadSAFE model, none of the security management messaging is sent in the clear (see
Figure 6.7). All communications between client devices with hardware security and the head-end
server with the hardware security module (HSM) is done over encrypted links. Nothing ever
leaves the tamper resistant hardware in clear text.
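The distinction between "who you say you are" and "who you really are", together with the earlier point that a MAC address is an identifier the device merely declares, can be shown with a small model. The following is an added example, not BroadSAFE's protocol or any Broadcom code: it assumes a per-device key derived from a server root key at enrollment and held inside a simulated hardware identity module that only answers challenges, with a MAC allowlist check alongside for contrast; all device names and addresses are constructed.

```python
import hashlib
import hmac
import secrets


class EmbeddedIdentityModule:
    """Stand-in for the per-device hardware identity chip (constructed model).

    It holds the device key and exposes only a challenge-response function,
    so the key itself never leaves the module."""

    def __init__(self, device_id, mac, device_key):
        self.device_id = device_id
        self.mac = mac              # the address the device *says* it has
        self.__key = device_key     # private: no accessor is offered

    def respond(self, challenge):
        # Bind the answer to both the claimed identity and the fresh challenge.
        msg = self.device_id.encode() + b"|" + challenge
        return hmac.new(self.__key, msg, hashlib.sha256).digest()


class KeyManagementServer:
    """Stand-in for the head-end key management server with its HSM.

    Per-device keys are derived from one root key (the 'root layer' of
    Figure 6.3), so the root is the single secret that must stay protected."""

    def __init__(self, root_key):
        self.__root = root_key
        self.mac_allowlist = set()      # administrator-entered MAC addresses
        self._outstanding = {}          # device_id -> nonce of the open challenge

    def _device_key(self, device_id):
        # One-way derivation: a leaked device key does not reveal the root key
        # or any sibling device's key.
        label = b"device-key|" + device_id.encode()
        return hmac.new(self.__root, label, hashlib.sha256).digest()

    def enroll(self, device_id, mac):
        """Simulates provisioning the derived key into the chip at enrollment."""
        self.mac_allowlist.add(mac)
        return EmbeddedIdentityModule(device_id, mac, self._device_key(device_id))

    def check_mac(self, claimed_mac):
        """'Who you say you are': any caller presenting a listed MAC string passes."""
        return claimed_mac in self.mac_allowlist

    def challenge(self, device_id):
        """Issue a fresh random nonce; a new challenge replaces any open one."""
        nonce = secrets.token_bytes(16)
        self._outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id, response):
        """'Who you really are': only a holder of the device key can answer the
        open challenge, and each challenge can be answered only once."""
        nonce = self._outstanding.pop(device_id, None)
        if nonce is None:
            return False                # no open challenge: never issued, or already used
        msg = device_id.encode() + b"|" + nonce
        expected = hmac.new(self._device_key(device_id), msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Run both checks against an enrolled device and an unenrolled one."""
    kms = KeyManagementServer(root_key=secrets.token_bytes(32))
    phone = kms.enroll("voip-phone-0001", "00:10:18:aa:bb:cc")   # constructed sample device

    # An unenrolled device that merely presents the phone's MAC string. Its
    # module was never provisioned with a key derived from the server root.
    stranger = EmbeddedIdentityModule("unknown", phone.mac, b"\x00" * 32)

    results = {}
    results["mac_genuine"] = kms.check_mac(phone.mac)        # True
    results["mac_stranger"] = kms.check_mac(stranger.mac)    # also True: MAC is self-declared

    nonce = kms.challenge(phone.device_id)
    results["hw_genuine"] = kms.verify(phone.device_id, phone.respond(nonce))      # True

    nonce = kms.challenge(phone.device_id)
    results["hw_stranger"] = kms.verify(phone.device_id, stranger.respond(nonce))  # False

    # Replay: a correct response presented a second time is rejected because
    # the first verification consumed the challenge.
    nonce = kms.challenge(phone.device_id)
    good = phone.respond(nonce)
    kms.verify(phone.device_id, good)
    results["hw_replay"] = kms.verify(phone.device_id, good)                      # False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'accepted' if ok else 'rejected'}")
```

The MAC check accepts both devices because the address is whatever the client reports; the challenge-response accepts only the module that holds the enrolled key, and refuses a replayed answer.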

Figure 6.7: The Key Management Server maintains an encrypted link to devices with hardware security via
the HSM in the server.

BroadSAFE includes support for Automatic Device Enrollment. This functionality reduces the
need for IT staff involvement in the deployment and management of trusted clients such as VoIP
phones, network switches and desktop computers. This feature saves administrators the time
involved in identifying new devices to the network; it does not prevent them from controlling the
authentication of these devices. The key functionality enabled in the BroadSAFE devices is also
available for use in cryptographic acceleration such as Public Key and Symmetric Key
Acceleration.

The BroadSAFE technology can be used in several applications:

• Key management: A secure key management environment

• Identity management: Manage multiple client identities and protect the integrity of digital certificates

• Authentication: Foolproof authentication that isn't subjected to the issues of protocol spoofing

• Link security: Secure key distribution coupled with strong hardware encryption

• Cryptographic compatibility: Can be used as a foundation for all standard cryptographic protocols

Minimizing Performance Impact

One of the serious concerns that administrators have about adding security features to their
network is the impact on the end-user experience. Adding procedures that change the way
end users work is rarely an acceptable action; even with the best of intentions and good
explanations and training, end users tend to feel put upon if they must actively
participate in network security processes.
Even when security that doesn't require the direct interaction of end users is implemented, there
are still issues to consider. A software security scheme that uses encryption
has the potential to slow network traffic to the point that end users notice. It's possible to do
encryption at speeds that won't impact end-user performance, but the more secure the encryption
is, the more processing overhead it introduces. As the processing workload increases,
processor cycles devoted to encryption can noticeably slow other applications.
Such is particularly the case if the security model includes biometrics or other software-based personal identification methods.
Finding the proper tradeoff between user impact and security is a delicate tightrope for the
network administrator. It would be nice to say that nothing takes priority over securing the
network; however, a network that is so secure it has a negative impact on the workflow process
ends up costing the business money in terms of lost productivity and the opportunity to grow.
This is where embedded hardware security really can shine. With integrated hardware handling
the secure authentication of the client device, the bulk of the issues concerning securing the
device and its connection is offloaded from the client to the embedded hardware (as Figure 6.8
shows). Doing so truly helps to minimize the impact on the end users.


Figure 6.8: In the software-based security model, the client system CPU needs to handle not only the
operation of the computer and its applications but also the encryption/decryption of all network traffic. A
hardware solution offloads the CPU-intensive security encryption and leaves the CPU free to do other tasks,
reducing the impact of the security upon the end user.

The integration of an embedded hardware system has additional performance advantages that
should be considered. For example, your traditional server-centric network model is unaffected;
there is no requirement for changes to your networking infrastructure beyond adding the key
management capabilities to an existing server (or adding a dedicated key management server
head-end). The hardware security component will not need to have security patches distributed to
it to counter new threats, nor will its management require the installation of additional software.
Securing VoIP Applications
As technology has progressed, it has become an accepted fact that networks are converging. The
most obvious point of convergence is voice/data networking with the inclusion of VoIP
capabilities in most high-end network switches. But simply providing a VoIP architecture is only
part of the story; supporting and securing VoIP brings its own set of problems to the network
administrator.
It's not that adding VoIP to your networking environment brings additional security problems
beyond those of any new application that needs to talk to the outside world; it is just that VoIP has
its own particular areas of vulnerability. These vulnerabilities break down into four areas:

Access control: You want to be sure that only authorized VoIP devices are connected to
your network. As mixed-mode cell phones hit the market (cell phones that operate as
normal cellular phones unless they recognize a wireless network, in which case they do
VoIP), it becomes much more important to allow only authorized VoIP devices to access
your network.

Data control: Your VoIP infrastructure must share the network peacefully with your
data network. QoS controls need to reserve sufficient bandwidth to allow telephony to
operate without impacting the users' data communications needs and still permit
acceptable voice quality on phone calls.

Disruption: Any disruption to your networking infrastructure or loss of connectivity to
the outside world can bring down your VoIP infrastructure.

Eavesdropping: Voice communications are inherently less secure, and the potential for
eavesdropping on them is much more realistic than it is for data communications. This area might
need to be addressed.

Users have an expectation of privacy for voice calls. They expect the same level of
security they get on a plain-old telephone system (POTS) line for calls made through a VoIP
infrastructure.

What the administrator must keep in mind is that all servers, media gateways, gatekeepers, and IP
voice terminals are susceptible to attack. There are a variety of common security threats that the
VoIP network must face; let's take a look at the most common and ways to avoid them.
Figure 6.9 shows a basic network model configured for use with VoIP. The addition of PBX
equipment into the networking mix introduces another point of potential attack on your network
and needs to be considered in your planning for secure networking.
The security problem that users tend to worry most about is packet sniffing or call interception.
The easiest way to resolve this issue is to make sure that all of your telephony devices are on a
secure switched LAN infrastructure to limit the potential for sniffing or interception problems. In
this way, VoIP traffic is always limited to a specific link and not broadcast over the entire
network.

Figure 6.9: Adding VoIP to your existing network infrastructures combines both the advantages and
problems of the Telco network with the data network. Site-to-site telephony need never enter the public
telephone network infrastructure, which provides additional security for intra-corporate phone calls. It does
require a secure link to the Internet or a dedicated mesh topology network connection between sites.

Virus or Trojan Horse applications that are designed to capture or redirect voice traffic are a
potential problem that should be dealt with by your existing antivirus solution. If you are heavily
investing in VoIP, it makes sense to use a gateway appliance (or application) that filters traffic
and watches specifically for virus, Trojan Horse, and malware attacks on your network.
The potential for unauthorized access to your voice network can be greatly limited by using inline intrusion prevention systems and application access controls. If a user doesn't have the right
to make use of the VoIP infrastructure, you should be able to stop the user by using standard
controls for preventing unauthorized access to network resources.
Application-layer attacks on your infrastructure can usually be prevented by keeping your OSs
updated with the latest security fixes. These attacks are generally in the form of exploits against
security flaws in the client OS or common applications that access the Internet. Keeping your
software patched and updated will prevent most of these attacks.
It is extremely important that you keep all applications and OSs patched and updated; this idea
cannot be stressed enough!

The potential of falsifying caller identity, also known as identity spoofing, can be limited by
utilizing software utilities that notify the administrator of unknown devices attaching to the
network. They can also be limited by using personal authentication mechanisms that use
embedded hardware security. Ideally, you want to develop an infrastructure in which unknown
devices attaching to the network get no services provided until the device and/or its user are
authenticated. And, of course, you will want to do so with as little IT staff interaction as possible.
One of the most basic attacks found on telephone networks is toll fraud, with many stories of the
tricks that are used by non-employees to acquire access to lines to make illicit long distance
phone calls. VoIP, although not immune to those attacks, does have the advantage of being able
to use a software gatekeeper that can prevent unauthorized toll calls from being placed.
Network Denial of Service (DoS) attacks are especially nasty if your voice communications are
carried over your data networks, giving the potential for all communications capabilities to be
disrupted by a network DoS attack. As Figure 6.10 illustrates, one of the ways to minimize a
DoS attack is to segregate voice and data traffic on their own network segments.
Although congestion issues at the network switch level would still be a potential issue, network
traffic management applications would also be useful in making sure that network attacks dont
cause problems with your VoIP connectivity. QoS and other technologies go a long way to
making VoIP a practical option in mixed data/voice networking.


Figure 6.10: Using the VLAN capabilities of your network switches to separate the voice and data traffic onto
their own network segments minimizes the chances of both voice and data communication being affected
simultaneously by a DoS attack on your network.

Although not strictly a technical issue, repudiation of a call (denying it was made) is a problem
that can be completely eliminated by making sure that you authenticate users before they access
a telephony device, thereby guaranteeing that a call was made and determining the identity of the
caller. This feature can make tracking the business process simpler, and give the business
manager ideas on how to improve the process workflow. This doesn't necessarily mean that you
will need to log on to your phone before each phone call; it could be something as simple as
entering a passcode into your phone system at the beginning of the business day (or using any
common user authentication mechanism: PIN, password, biometrics, and so on). Or, with future
integration, your VoIP phone network can be linked to your data network authentication
mechanisms. Common Telco attacks that rely on fooling the human element of the equation
(known as trust exploits) can be minimized by using a restrictive trust model that links calls to
users (and makes the user aware of that) and by using private VLANs to limit trust-based attacks.
In addition to the techniques previously outlined, integration of media encryption into IP
telephones and media gateways is also highly recommended to prevent sniffing/eavesdropping of
voice and signaling packets. Several encryption algorithms such as DES, 3DES, AES, RC4, and
RC5 are commonly used in these devices. Wherever possible, the use of endpoints with hardware
acceleration for these functions is recommended over software implementations.


Defining Data Encryption Standards

DES (Data Encryption Standard): An ANSI standard that uses a 56-bit key and the block cipher
method, which encrypts data in 64-bit blocks.
3DES (3x Data Encryption Standard, also known as Triple DES): A mode of the DES algorithm that
uses three 64-bit keys to create an overall key length of 192 bits. The first encryption is then
encrypted by the second key and that result is then encrypted again by the third 64-bit key.
AES (Advanced Encryption Standard): The successor to DES, this standard uses a symmetric 128-bit block encryption technique.
RC4/RC5: Symmetric encryption algorithms originally developed by RSA Security; they are used for
encrypting streaming data.

Securing Wireless Networks and Applications


Although wireless security has its own peculiar requirements and restrictions, it should not be
considered a separate entity for your overall network security model. Your fundamental security
structure should make allowances for wireless connectivity and be configured so as to add the
specific requirements of wireless security into the mix.
For example, in Chapter 4, we discussed implementing wireless VLANs. This technology has the
advantage of providing security controls for wireless access points as they are added to your
network. In a standard networking environment, a wireless access point could conceivably be
added anywhere that there is a network connection, creating the potential for rogue access points.
By using wireless VLAN technology, access points must be recognized and authenticated by the
wireless VLAN before they can be used to allow clients to connect to the network.
This is fundamentally a very secure architecture, but it makes no allowance for user
authentication and it requires the use of a specific piece of hardware (the wireless VLAN)
specifically for this purpose. Authentication is too important a piece of the security model for it
to be pushed down the pipe, as it were. Devices should be forced to authenticate before access to
any network resource is allowed. If a device cannot be authenticated, even its basic connectivity
to the network should be prevented, which is where technologies such as the VLAN excel.
As Figure 6.11 shows, using the embedded hardware security model we have discussed earlier in
this chapter allows you to add wireless access points and wireless clients and authenticate them
to your network by using the same security model for any device that has the embedded
hardware security. Thus, unlike the VLAN methodology, additional user or device authentication
beyond that provided by the embedded hardware may not be necessary. But the option to provide
it should also be considered.
Wireless VLAN technology provides several advantages, and the concept of VLAN technology
makes as much sense in a wireless environment as it does in the wired environment. Even the ability
to put the various wireless technologies on their own wireless VLAN segments might be justification
enough in a large wireless environment. Such is especially true given the performance issues that are
encountered when mixing legacy 802.11b networking with the faster wireless technologies currently
being offered. Wireless VLANs also bring management benefits to your wireless networking
environment in the level of detailed control that they offer over the ability of wireless clients to access
the network; they provide the ability to limit access to specific segments and resources.

Moving the device with the embedded hardware authentication technology from location to
location within your network does not add to the administrative workload. There would be no
need, for example, to reconfigure a VLAN when moving a wireless access point; the
authentication of the WAP would not require any user interaction; it would be automated
between the key management server and the end point device. Unless other steps were taken, that
WAP would be an authenticated device regardless of where it was attached to the network.
Clearly, this setup presents a huge security problem to the network administrator.

Figure 6.11: The embedded hardware solution to the wireless security problem makes it easier to integrate
wireless networking into your secure computing environment without additional wireless-specific hardware.


Remote Users
One of the biggest concerns IT has is with remote users. This problem has been exacerbated by the
use of wireless networking in the home. The problem is that home users rarely set up security correctly on
their home networks. As a result, when a remote user at home logs on to the corporate network via a
VPN, the user is potentially opening the corporate network to anyone who can find that home user's
wireless network.
Broadcom, which produces more than 70 percent of the chipsets used for wireless networking adapters,
has come up with a solution called SecureEasySetup. SecureEasySetup turns on wireless security by
default, but automates the process to make sure that the end user actually implements wireless security.
The setup wizard asks only two questions of the user, and the answers are used to generate the Wi-Fi
Protected Access (WPA) key. Thus, if the user needs to add devices or reinstall a device, the user only
needs to answer the same two questions with the same two answers rather than remembering a
randomly generated key that the user most likely would have had to write down somewhere (and perhaps
lost).
The setup wizard configures the Service Set Identifier and WPA security for both the client and the home
network access point. The wizard uses WPA rather than the less secure WEP security model. WPA is an
interim implementation of the upcoming IEEE 802.11i wireless security model. Forcing the user to
configure the wireless network with security is a solution that can only help prevent unauthorized access
to networks. The method that Broadcom has chosen has little impact on the end user, a key to any
successful security tool.
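The key derivation that any such wizard ends up performing, as an added example that is not Broadcom's SecureEasySetup code: it implements the standard IEEE 802.11i passphrase-to-PMK function (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), which is what makes the same two inputs reproduce the same key on a second client. The page does not describe how the wizard turns its two answers into a passphrase, so the SSID and passphrase below are constructed values, and the PBKDF2 routine is written out here to keep the example standard-library only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// pbkdf2SHA1 is a compact PBKDF2-HMAC-SHA1 (RFC 2898) so the example needs only the
// standard library.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Uj = PRF(P, Uj-1)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WPAPassphraseToPMK maps an ASCII passphrase and SSID to the 256-bit Pairwise
// Master Key as IEEE 802.11i specifies: PBKDF2-HMAC-SHA1, SSID as salt, 4096
// iterations, 32 bytes out. 802.11i limits passphrases to 8..63 ASCII characters.
func WPAPassphraseToPMK(passphrase, ssid string) ([]byte, error) {
	if n := len(passphrase); n < 8 || n > 63 {
		return nil, errors.New("WPA passphrase must be 8 to 63 ASCII characters")
	}
	if n := len(ssid); n < 1 || n > 32 {
		return nil, errors.New("SSID must be 1 to 32 bytes")
	}
	return pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32), nil
}

func main() {
	// Constructed values standing in for what a setup wizard would produce.
	ssid, passphrase := "HomeNet-Example", "correct-horse-battery-staple"
	pmk, err := WPAPassphraseToPMK(passphrase, ssid)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SSID %q -> PMK %s\n", ssid, hex.EncodeToString(pmk))
	// Re-running with the same two inputs yields the same PMK, which is what lets
	// a second client be added without anyone copying a random key by hand.
	again, _ := WPAPassphraseToPMK(passphrase, ssid)
	fmt.Println("reproducible:", hmac.Equal(pmk, again))
}
```

Because the PMK is a deterministic function of the SSID and passphrase, the protection it offers is bounded by how hard the passphrase is to guess, so whatever a wizard derives its passphrase from must carry enough entropy.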

Enabling Convergence and the Four-Function Box


There are four common functions that client devices use to protect themselves and their networks
from malicious attacks: VPNs, firewalls, intrusion prevention systems, and antivirus solutions.
At this time, vendors are building appliances that combine all of these functions for both the
client and network sides of the equation. Although the issues brought up earlier regarding
multifunction devices are still applicable, primarily in the server environment, a simplified
hardware-based client security model holds a lot of attractions. The basic problem this model
faces is providing these services at performance close or equal to wire speed. If its performance
provides anything less, it will create a more complex issue: how to deal with the bottleneck that
the device can introduce into the network.
By building these devices using embedded hardware security, the devices are able to offload a
big part of the workload to silicon specifically designed to handle the cryptographic processing
that can significantly slow a general purpose CPU. Hardware acceleration, using dedicated
silicon, can increase the potential workload of the security device without adding additional
bottlenecks to performance. In smaller multifunction security devices, designed for the remote
office or home user, it will be possible to build hardware accelerated devices that have no visible
performance impact to the end user.
Secure hardware-based cryptography may well be the most efficient and strongest way to
provide security to your networks and devices. The nature of strong cryptography, however,
dictates that considerable processing power be available to make it work. Dedicated, embedded
cryptography processing engines are the only way to make this technology successful in broad
application use because the key to acceptance is ease of implementation and minimal impact on
the user environment.


Summary
With the increasing rate of targeted attacks on corporate networks, it's important for IT
professionals to keep their network infrastructure secure, protecting valuable intellectual
property and sales data while keeping networking uptime to a maximum and minimizing any
potential disruption to ongoing operations. Network security is needed at many layers, and is
complicated by the addition of mobile networking with remote access, WLAN, employee needs,
external contractors, guest visitors and unscrupulous deviant hackers.
Knowing that IT managers need a flexible method of providing individual security policies to
adapt to the ever-changing requirements of enterprise networks, Broadcom is committed to
offering top-notch security without the high price tag normally associated with hardware-based
security solutions. Because of its broad product portfolio, which includes processors, controllers,
switches, storage, VoIP and wireless, the company is one of the few companies that can fulfill
this kind of commitment. Broadcom's market dominance in many of these areas also makes it
possible for the company to drive the acceptance of standards that benefit the secure hardware
user.
As a result of BroadSAFE-enabled client silicon, OEM customers now have the option of
including a factory-installed identity that is stored securely within the device. Once a product has
an identity, a security system can be built around it through a management server with an HSM
installed in it. Because the product has an identity stored in hardware, the product itself can now
be managed remotely.
BroadSAFE is an extremely cost-effective certificate and key management solution that can be
extended to other client devices within the network such as IP phones, NICs, cable modems,
switches and wireless devices. The keys that are stored in hardware, as described in this chapter,
are essentially the private component of an identity certificate. Hence, the advantage is in the
embedded key management module that utilizes these private keys. The result is better security
at a lower cost, with centralized key management services in the HSM.
Even current software-based security technologies, such as biometrics, will benefit from the
addition of embedded hardware security. Hardware security adds another level of security
enhancement, and when implemented properly, will not affect end-user performance. In fact,
this additional security is actually transparent to end-users.
Security systems such as BroadSAFE will become an important addition for next-generation
security devices; hardware security offers advantages in attaching a broad variety of devices into
secure environments with fewer problems than developing compatible software solutions for
many different technologies, and hardware-based security is significantly more difficult to hack
into than software-based security.
Gigabit Ethernet technologies, improved wireless designs, converged NICs, LAN-on-a-motherboard and secure network devices are all examples of the next-generation networking
components that users can expect to have in their environments. These are some of the leading-edge technologies that can be invested in right now to help future-proof the corporate IT buyer's
purchasing process.

The next generation of cutting-edge advanced networking devices is likely to be built on Broadcom
components, software, and system designs, as manufacturers look for new and innovative means
of communication and move more deeply into the convergence of voice, video, and data
services. Broadcom's broad product portfolio enables the company to drive these convergence
technologies over both wired and wireless networks, while bringing value to the OEMs and
consumers of these devices.
The hardware security modules in Broadcom's new Gigabit IP phone chipsets perform voice
encryption and authentication and elevate the phone's system security using a unique identifier
embedded in each chip that is virtually impossible to decode, hack, or steal, thereby providing
assurance that the identity of each phone in the network is genuine. These advanced security
features allow IT managers to ensure the integrity of corporate voice communications.
Broadcom has responded to the need for resilient secure networking by integrating a wealth of
security-based intelligence into its next-generation Ethernet switch chips, raising the bar and
setting the standard for security in switching silicon. Security starts with Broadcom's exclusive
wire-speed Layer 2 to Layer 7 application-aware security processor. Multiple engines enable
users to enforce secure policies based on a wide variety and combination of programmable rules.
Intelligent packet parsing and metering are combined to yield rich contextual information about
the traffic flows through the switch. The IT professional is empowered through management
software to control all flows through the switch, and dynamically reconfigure policy and take
action as needed.
In addition to the application-aware security processor, Broadcom has integrated a hardware-based DoS attack prevention engine into its switches. The DoS engine is critical to providing
continuity of uninterruptible service to users of a converged network. Harmful DoS attacks are
blocked by the switches, allowing voice and data traffic communication to continue during an
attack. This level of predictability is the key to building highly reliable resilient networks.
Price/performance is just one part of the advantage Broadcom brings with its technology
breakthroughs that are created with fast time-to-market efforts; board-level products, chipsets,
RAID-on-a-chip and converged NIC technologies move quickly from vendor to customer
installations. The convergence technologies will improve performance and reliability of devices
and drive down the costs of next-generation networks, resulting in faster ROIs.

Broadcom, the pulse logo, Connecting everything, the Connecting everything logo, BroadSAFE
and SystemI/O are trademarks of Broadcom Corporation and/or its affiliates in the United States,
EU and/or certain other countries. Wi-Fi Protected Access is a trademark of Wi-Fi Alliance
Corporation. Any other trademarks or trade names mentioned are the property of their respective
owners.
