Next-Generation Networks
Table of Contents
Chapter 1: Introduction ....................................................................................................................1
Why Your Network Isn't Good Enough..........................................................................................1
The Changes Add Up...........................................................................................................2
The Internet..............................................................................................................2
Voice and Video ......................................................................................................4
B2B E-Commerce....................................................................................................6
More and More Users ..............................................................................................7
A Device in Every Pocket........................................................................................9
The Problems Pile On ..........................................................................................................9
Network Efficiency................................................................................................10
Management and Design........................................................................................11
Security ..................................................................................................................11
The Evolving Network...................................................................................................................12
Bigger, Better, Faster, More ..............................................................................................13
Open Standards, Open Protocols .......................................................................................14
Designed for Mobility and Connectivity ...........................................................................14
Embedded Security ............................................................................................................15
Next-Generation Networking.........................................................................................................15
GbE ....................................................................................................................................16
Wireless..............................................................................................................................16
Switches .............................................................................................................................16
Servers................................................................................................................................17
Security ..............................................................................................................................17
Getting Ready ................................................................................................................................17
Education ...........................................................................................................................17
Future-Proofing Your Network..........................................................................................18
Summary ........................................................................................................................................18
Chapter 2: Gigabit Ethernet Migration ..........................................................................................19
GbE Technology Primer ................................................................................................................20
Switches .............................................................................................................................20
Aggregation........................................................................................................................21
Duplex................................................................................................................................21
GbE Products .................................................................................................................................22
GbE Deployment Strategy .............................................................................................................24
GbE Emerging Technologies.........................................................................................................30
TOE....................................................................................................................................30
RDMA................................................................................................................................31
iSCSI ..................................................................................................................................32
iSCSI Extensions for RDMA.............................................................................................34
Looking Ahead...............................................................................................................................35
Summary ........................................................................................................................................35
Chapter 3: Extending Enterprise Networks with Wi-Fi ...............................................................36
A Brief History of Wireless Networking .......................................................................................37
802.11 Legacy....................................................................................................................37
802.11b...............................................................................................................................37
802.11a...............................................................................................................................38
802.11g...............................................................................................................................38
802.11 Everything Else......................................................................................................39
How Wireless Networking Works .................................................................................................40
Basic Operations ................................................................................................................40
802.11 Legacy Specifics ....................................................................................................42
802.11b Specifics...............................................................................................................42
802.11a Specifics ...............................................................................................................43
802.11g Specifics...............................................................................................................43
Broadcom Xpress Frame Bursting Technology.................................................................43
Radios Matter.....................................................................................................................45
Mixed 802.11b and 802.11g Environments.......................................................................46
Building Wireless LANs................................................................................................................47
The Wired Connection.......................................................................................................47
802.11b Architecture..........................................................................................................48
802.11a and 802.11g Architecture .....................................................................................48
Wireless Security Concepts ...........................................................................................................49
WEP ...................................................................................................................................49
802.11i ...............................................................................................................................50
WPA...................................................................................................................................50
AES ....................................................................................................................................50
802.1X................................................................................................................................50
Putting It All Together .......................................................................................................51
The Wired Weak Point.......................................................................................................52
Architecting Secure, Next-Generation Wireless LANs .................................................................52
Prerequisites.......................................................................................................................52
Client Software Support.....................................................................................................52
Hardware Support ..............................................................................................................53
Management and Maintenance Concerns ..........................................................................53
Summary ........................................................................................................................................54
Chapter 4: Switching Intelligence in the Enterprise ......................................................................55
What Is a Switch? ..........................................................................................................................56
Intelligent Switching......................................................................................................................57
Key Functionality of Intelligent Switches .........................................................................59
Quality of Service ..................................................................................................59
Security ..................................................................................................................60
Management...........................................................................................................60
Scalability ..............................................................................................................61
VoIP ...................................................................................................................................61
Video..................................................................................................................................62
Wireless LAN Switching ...................................................................................................62
ROI/Convergence ..................................................................................................65
Implementing Intelligent Switching ..............................................................................................65
Summary ........................................................................................................................................70
Chapter 5: Server Migration and Optimization: Maximizing ROI for Existing Assets and Future Growth ...........................................................................................................................................71
Server Technologies.......................................................................................................................71
File and Print Servers.........................................................................................................71
Database Servers................................................................................................................71
Application Servers............................................................................................................72
Email Servers .....................................................................................................................72
Storage Servers ..................................................................................................................72
Web Servers .......................................................................................................................72
Blade Servers .....................................................................................................................74
Defining the Cutting Edge..........................................................................................................74
Understanding Performance-Oriented Technologies.........................................................76
Core I/O Components ........................................................................................................76
North Bridge ..........................................................................................................76
South Bridge ..........................................................................................................76
Storage ...............................................................................................................................77
IDE/ATA................................................................................................................77
SATA .....................................................................................................................78
SCSI .......................................................................................................................78
Serial Attached SCSI .............................................................................................78
RAID..................................................................................................................................79
GbE ....................................................................................................................................80
TOE........................................................................................................................80
RDMA....................................................................................................................80
iSCSI ......................................................................................................................81
Technology Integration......................................................................................................81
Technology Convergence ..............................................................................................................82
Converged Network Interface Cards .............................................................................................83
Scalable and Configurable I/O.......................................................................................................84
Interconnects ......................................................................................................................84
HyperTransport ......................................................................................................84
PCI-X .................................................................................................................................85
PCI-Express .......................................................................................................................85
CPU Support ......................................................................................................................85
IA-32 ......................................................................................................................86
AMD Opteron ........................................................................................................86
AMD Athlon 64 and Athlon 64-FX.......................................................................88
EM64T ...............................................................................................................................88
Summary ........................................................................................................................................89
Chapter 6: End-to-End Security: How to Secure Today's Enterprise Network ............................91
Securing from the Outside In.........................................................................................................92
Software or Hardware Security?....................................................................................................94
Identity Management: Identifying Who and What is on the Network...........................................96
Managing the Proliferation of Client Devices ...................................................................98
Secure Devices...................................................................................................................99
Who You Are vs. Who You Say You Are.......................................................................100
Minimizing Performance Impact .....................................................................................101
Securing VoIP Applications ............................................................................................102
Securing Wireless Networks and Applications................................................................106
Enabling Convergence and the Four-Function Box.........................................................108
Summary ......................................................................................................................................109
Chapter 1: Introduction
It's a term you're starting to hear more and more: next-generation networks. Depending on how long you've been in the industry, you might have heard it in the past, too: the move from coaxial 10Base5 and 10Base2 networks to modern 10Base-T twisted-pair networks (as well as Token Ring networks) was a major leap forward. As corporate networks began to roll out larger and larger Ethernet LANs, user productivity increased. Users had easier access to files, printers, and other resources; networks were easier to manage and troubleshoot; and connections, based on easier-to-wire CAT3 and CAT5 cabling, were more reliable. Another generation of networks was created when Ethernet switches hit the market, making networks faster and more efficient.
What came before, however, is no match for what's ahead. Forget about simple speed increases, lower latency, and a new type of infrastructure device. This time, next-generation network means a tenfold or better increase in network throughput. It also means an entirely new range of connectivity options, including wireless, disconnected connectivity. Next generation means intelligent devices capable of improving network performance and reliability. Finally, it means security built right into the infrastructure, for the first time ever. It's an exciting time to be a networking professional, provided you're ready.
Proxy servers increase efficiency by aggregating multiple client connections. The proxy server retrieves content from the Internet, then saves it for future internal requests rather than retrieving the same content over and over. Some proxies and firewalls can improve efficiency by eliminating wasteful traffic, such as Web surfing to game sites and other non-work-related sites. This focus on the WAN pipe, however, has left the LAN, which is where bottlenecks are starting to appear, largely ignored. Users are working with a lot of data, and much of that data now originates on the LAN in the form of enormous data warehouses, databases, files, and more. Networks are becoming hard-pressed to transport all of that data.
Think about the average size of a Word, Excel, or PowerPoint document that contains pictures and graphics. File sizes continue to increase in most applications from version to version as users take advantage of new features to create more creative documents. Even the default image file from a 5-megapixel digital camera is more than 3MB. The network, which isn't gaining speed as quickly as the files gain size, still has to move all the bits from the file server to client computers and back again.
Productivity is also affecting the network. Despite recent corporate restructuring and downsizing, most companies in the United States increased their overall output. How? Everyone is doing more with less. Thus, each worker has become more productive, and they didn't get to be more productive by dealing with less data; the corporate network bears the brunt of this increased productivity. Unfortunately, overburdened networks are easy to ignore. Users may complain that things are slow in the mornings, but they gradually begin to accept the status quo and the network remains a hidden efficiency problem.
Even worse for current network bandwidth is the trend towards collaborative computing. Products such as Microsoft SharePoint Portal Server, which are designed to allow real-time collaborative computing between network users, not only increase the load on the network infrastructure but also highlight any latency problems, which become immediately noticeable and annoying to users.
Network bandwidth hogs can be many and varied, including:
Collaborative applications
CRM tools
Now consider the massive increase in data throughput that companies will see in the next 18
months to 3 years. Networks simply must become faster, more efficient, and much more
intelligent in order to keep up. Raw speed is part of the answer, but more efficient and intelligent
use of that speed is also an important component. Next-generation networks will provide this
speed and intelligence.
Such networks are not a distant phenomenon; they are a current reality. For example, if you are building a network starting with a clean slate, you can use GbE to ensure that your network infrastructure is ready to benefit from emerging technologies. For existing networks, the migration to GbE means reduced wire time, less buffer congestion, and relieved flow control mechanisms, all of which add up to a better user experience and a less harried IT staff.
We'll explore GbE in detail in Chapter 2.
In the world of networking, the inability of a network to handle its traffic load, particularly when the applications generating that traffic provide monetary savings and increases in productivity to the organization, is an unforgivable offense. Multicasting is an excellent technology that was designed to increase the efficiency of a network, but networks that can't even carry a share of multicast traffic across the entire corporation are clearly not engineered to serve the business's best interests. Next-generation networks need to offer the ability to extend cost-saving, productivity-boosting technologies to every corner of the corporate LAN. They will do so by providing additional raw bandwidth, more efficient routing of traffic, and better management of specialized traffic.
B2B E-Commerce
Networks built 5 years ago carried almost no B2B traffic. Such systems basically didn't exist; the closest systems to displaying B2B characteristics were the value-added networks (VANs) provided for electronic document interchange (EDI) customers, sort of a private equivalent of the Internet.
Today, there are few companies that don't run some form of B2B application on their networks, even if it is as simple as ordering office supplies from a Web site. Many companies rely heavily on B2B communications, placing an even greater burden on the corporate network. There is no denying the ways that B2B improves efficiency: inventory systems can place orders with vendors automatically, and entire classes of retailers now exist that don't even carry an inventory; they simply take orders from customers, pass those orders on to distributors through B2B systems, and process payments on both sides. Many companies utilize e-procurement systems for internal procurement of everything from office supplies to contractors.
The infrastructure required to support these B2B efforts is significant. Figure 1.3 shows a typical
B2B infrastructure, including multiple firewalls, application servers, B2B processing platforms,
database servers, internal and external clients, Web servers, and more.
What effect does this burden have on the network? Imagine that the population of the United States increased by a factor of ten over 2 or 3 years; how would the postal service feel the effect of this increase? Like a Los Angeles freeway at rush hour, which is pretty much how many corporate networks look these days. In addition, B2B functions aren't limited to server-to-server or external B2B connections. Internal clients will be using automated ordering, data entry, catalog management, and all sorts of high-bandwidth applications that deliver results to external clients or vendors but generate a great deal of activity between LAN clients and servers.
Next-generation networks need additional speed, intelligence, and security to segment and
manage the traffic for these important B2B functions and to provide them with additional
bandwidth.
More and More Users
The rapid pace of business growth also has an effect on networks. Obviously, networks must grow to support the business, but rapid change often means unplanned growth that lacks any cohesive, logical design. For example, consider the simple network that Figure 1.4 shows, which looks a lot like most networks that are just starting out. The network was over-engineered for the number of users it needed to support, providing plenty of room for growth (notice the router used to connect two segments, each containing a small number of users), or so it probably seemed at the time.
As the business grows, users are added until the network can't support any more. Then the emergency growth patterns begin, with new segments added here and there, segments cascaded from one to the other, and so forth. Before long, the network is out of control, and the business is so busy growing that nobody has the time to redesign it. Figure 1.5 shows how a network's growth can be like that of a cancer cell: uncontrolled and ultimately detrimental to the host. Routers connect segments in a complex chain rather than through any logical topology. Segments are now more crowded with users and other devices, reflecting the network's rapid growth. Segments containing servers are at least dedicated to that task, but are haphazardly spread across the architecture rather than being centrally accessible to all segments containing client computers. In short, it is a mess.
Although this type of network design might not create huge performance issues, it definitely
creates management issues. Problems, when they occur, are more difficult to troubleshoot.
Managing change and finding bottlenecks is next to impossible. In short, the network works fine,
but it is harder and harder to rein in. Next-generation networks must allow for easily controlled
growth, making it so easy to expand the network in any direction that administrators don't need
to think about it. In addition, such networks must ensure that manageability and security remain
tight.
A Device in Every Pocket
We're used to thinking about networks in terms of users: How many users per segment? How many users on the LAN? How many videoconferencing users? But today's users are acquiring a staggering array of wired and wireless devices, meaning each user can easily represent three or four actual devices, as Figure 1.6 illustrates.
Each device requires bandwidth, has security implications, and has network addresses. Multiply the number of users in your environment by even a conservative number like 1.5 devices, and you'll see that it is no wonder that networks are beginning to show a little strain. Next-generation networks must provide the raw bandwidth for these additional devices. They also need to support open protocols for management and security, allowing this vast range of devices to participate in the network in a secure, controllable fashion.
The Problems Pile On
All of these factors (the Internet, increased data processing, new voice and video services, B2B e-commerce, rapid growth, and a diversity of devices) tend to result in three problem areas: efficiency, management, and security.
Network Efficiency
Network engineers often speak of network utilization in percentages: "Our network runs at 70 percent utilization." What many don't realize, and even more don't discuss, is that networks can't achieve 100 percent efficiency. Ethernet networks, in particular, become less efficient the more traffic they carry, primarily as a result of the shared-medium, collision-detection nature of Ethernet.
To set up our discussion in later chapters, we'll quickly review switches to ensure a baseline vocabulary. Switches are the primary methodology used to improve network efficiency. They create an individual physical segment with each switch port while allowing IP addressing to remain the same, in effect creating a virtual subnet that spans many physical segments. As Figure 1.7 illustrates, switches can permit multiple simultaneous conversations because they separate the actual traffic.
However, even switches have their limits. Switches can become saturated, at which point they simply can't carry any more traffic. Bargain-basement switches are the most likely to become saturated, even before they are carrying all the traffic that they should be able to handle, creating an instant bottleneck in your network.
Next-generation networks will help solve this problem by providing faster raw bandwidth, which
will require a more robust switching fabric. If computers can transmit the information they have
and then get off the line, another computer will be able to transmit much sooner. Next-generation
switches will operate at higher speeds and will be able to handle the full load of traffic that the
network can generate.
We'll discuss these concepts, including switching fabric, in detail in Chapter 4.
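The two claims in this section, that a shared-medium Ethernet segment loses efficiency as it carries more traffic and that a switch avoids the loss by giving every port its own segment, can be made concrete with a small contention model. The following is an added example written for this page, not code or analysis from the book; the slotted model it uses (equal time slots, each of n stations transmitting with probability p per slot, a slot on a shared segment succeeding only when exactly one station transmits) is my simplifying assumption and leaves out CSMA/CD backoff and switch saturation.

```python
"""Added example (not from the book): a simplified slotted contention model of
why a shared-medium Ethernet segment loses efficiency as its load rises, and
why a switch, which gives each port its own segment, avoids that loss.

Model assumptions (mine, not the chapter's): time is cut into equal slots; in
each slot every one of n stations on a segment transmits with probability p
(so n*p is the offered load per slot); on a shared segment a slot carries a
frame only when exactly one station transmits, and two or more attempts
collide and waste the slot; on a switched port the station is alone on its
segment, so every attempt succeeds. Switch saturation and the details of
CSMA/CD backoff are deliberately left out.
"""
import random


def _check(n, p):
    if n <= 0 or not 0.0 <= p <= 1.0:
        raise ValueError("need n >= 1 and 0 <= p <= 1")


def shared_success_probability(n, p):
    """Probability that a slot on a shared segment delivers exactly one frame:
    one of the n stations transmits and the other n-1 stay quiet."""
    _check(n, p)
    return n * p * (1.0 - p) ** (n - 1)


def shared_efficiency(n, p):
    """Fraction of transmission attempts that succeed on a shared segment.
    Expected attempts per slot are n*p and expected successes are
    n*p*(1-p)^(n-1), so the ratio is (1-p)^(n-1): it drops as either the
    number of stations or the per-station load grows."""
    _check(n, p)
    return (1.0 - p) ** (n - 1)


def switched_efficiency(n, p):
    """With one station per switch port there is nobody to collide with."""
    _check(n, p)
    return 1.0


def simulate_shared_efficiency(n, p, slots=20000, seed=1):
    """Monte Carlo check of shared_efficiency: count transmission attempts
    and the slots in which exactly one station transmitted."""
    _check(n, p)
    rng = random.Random(seed)
    attempts = successes = 0
    for _ in range(slots):
        senders = sum(1 for _ in range(n) if rng.random() < p)
        attempts += senders
        if senders == 1:
            successes += 1
    return successes / attempts if attempts else 1.0


def efficiency_table(n, loads):
    """Rows of (offered load per slot, shared efficiency, switched efficiency)."""
    return [
        (round(n * p, 3), round(shared_efficiency(n, p), 3), switched_efficiency(n, p))
        for p in loads
    ]


if __name__ == "__main__":
    print("stations=20; load = expected frames offered per slot")
    for load, shared, switched in efficiency_table(20, [0.01, 0.02, 0.05, 0.1, 0.2]):
        print(f"load={load:<5} shared={shared:<6} switched={switched}")
    sim = simulate_shared_efficiency(10, 0.1)
    print("simulation n=10 p=0.1:", round(sim, 3),
          "analytic:", round(shared_efficiency(10, 0.1), 3))
```

Running the table for 20 stations shows shared efficiency sliding from roughly 0.83 at a light load to below 0.02 once every station is busy a fifth of the time, while the switched column stays at 1.0; the simulation agrees with the closed form to within sampling noise.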
Management and Design
As networks have become more complex to suit business needs, they have also become more difficult to manage. The sheer variety of devices (routers, switches, hubs, gateways, firewalls, proxies, servers, desktop and notebook computers, and other network-attached devices such as printers) has, in many cases, become a management nightmare. Pile on the complexity of application-specific management (managing VoIP, videoconferencing protocols and gateways, and so forth) and it is a wonder that administrators don't simply quit in frustration.
The next generation of networks needs to offer more intelligence and self-management capabilities. Switches must be able to talk to one another more effectively, allowing groups of devices to be managed as a single unit. Devices need to take more responsibility for handling today's special-purpose traffic, such as VoIP, videoconferencing, and next-generation applications including TCP/IP Offload Engine (TOE), Internet Small Computer System Interface (iSCSI), and Remote Direct Memory Access (RDMA).
We'll discuss each of these emerging technologies in detail in Chapter 2.
The next generation of networks must also build on the intelligence in today's networks, particularly in regard to tolerating rapid growth. Networks must readily adapt to changing business conditions without requiring complex redesigns. For next-generation network topologies to succeed, there will need to be even more intelligence and performance built into the switches that control the flow of traffic on the network. The combination of better software and more advanced hardware is the key to making these critical network infrastructure components a success.
Security
A little more than 2 years ago, network security was something a few industry gurus preached,
but nobody seriously practiced. Security was an add-on, something you implemented if you had
some free time. And who has ever had free time? Today, security is an overriding concern in
every field of information technology (IT) and communications. It is no longer sufficient to add
security to a network by adding a monitoring tool or antivirus software; security has to be built
in, starting at the physical network level.
Today's networks offer only a modicum of built-in security. For example, on wireless networks,
the Wired Equivalent Privacy (WEP) standard provides little more than a veneer of security due
to the ease with which the wireless network traffic can be probed and the availability of tools to
crack the simplified encryption scheme used. In addition, wired networks are limited to
transport-level encryption protocols such as IP Security (IPSec) to provide security. Practically
no physical security exists, making it easy for intruders to simply plug in to a spare LAN jack
anywhere in an office and begin sniffing traffic from the network. Even when the network
hardware supports the ability to route traffic only to an approved list of MAC addresses (thereby
preventing a random LAN jack from allowing access to your entire enterprise network), few
network administrators take the steps necessary to implement this degree of security.
Next-generation networks will include security in every aspect of their design. Already, network
adapters with built-in IPSec capabilities are enabling all-encrypted networks that are transparent
to the client and server operating system (OS). These adapters use high-speed onboard
processors to reduce or eliminate additional overhead on the computer's CPU. Support for the
802.1x protocol is becoming available, requiring network devices to authenticate themselves
before they're even allowed to pass other traffic, effectively stopping the plug-in attacker. In
addition, support for new security standards that provide powerful authentication and data
encryption functionality, such as Wi-Fi Protected Access (WPA) and Advanced Encryption
Standard (AES), is being built in to next-generation wireless devices.
Figure 1.8: Next-generation networks focus on easy connectivity, security, and open standards and
protocols.
Internal server I/O has always been measured in megabytes per second, while network I/O has
always been measured in megabits per second. Hard disk I/O has continued to grow; GbE,
however, is the first major jump in network performance in recent memory. Thus, while GbE is now
capable of reducing the performance bottleneck on servers (especially when multiple NICs are
being aggregated), the introduction of 10GbE will take us to the point at which the bottleneck
between server and network begins to disappear. GbE clients will also see significant latency
improvements as they will be able to take full advantage of the bandwidth and reduced latency
that GbE promises. Hence, the real promise of next-generation networks is to remove the network
as a limitation to business.
Read more about 10GbE and its applications at
http://searchstorage.techtarget.com/tip/1,289483,sid5_gci870890,00.html, as well as in Chapter 2 and
Chapter 4.
Now, full-size desktop and notebook computers are among the minority in the world of
connected devices. Cellular phones, wireless PDAs, tablet PCs, and convergence devices such as
the popular BlackBerry personal communicator all rely on cellular, GPRS, and Wi-Fi
connections to access the Internet, corporate networks, and email, either through a direct
connection to the corporate net or through VPN connections that use the Internet to reach back to the
home office.
Even wired networks are seeing an enormous amount of growth in device diversity. Not that long
ago, the network contained servers, client computers, and printers. Today, even the mailroom fax
machine and copier are connected, allowing users to utilize these devices right from their
desktops. Webcams allow parents to peek in on daycare centers while at work. Even the office
soda machine may be Internet-connected, allowing 30 workers to check the available selections
over the Web and to bill purchases to their company accounts.
Wired networks will also become a medium for storage area networks (SANs). Rather than using
expensive, dedicated fiber-based connections, the iSCSI standard allows directly connected
storage devices to be accessed by servers over 1GbE, 10GbE, 100GbE, and 1000GbE
connections. Microsoft's iSCSI implementation for Windows 2000 (Win2K), Windows Server
2003, and Windows XP Professional allows iSCSI use on any form of standard Ethernet, not just
GbE and faster technologies. The LAN now provides an infrastructure for building out vast,
fault-tolerant SANs at a lower cost than many fiber-based solutions, using reliable, well-understood
Ethernet technologies.
Read more about iSCSI at http://whatis.techtarget.com/definition/0,,sid9_gci750136,00.html and in
Chapter 2.
Next-generation networks will provide appropriate connectivity options for all of these
devices, from slower 100Base-T wired connections to the fastest new Ethernet connections, as
well as seamless roaming between wireless LAN and wireless WAN connections.
Embedded Security
Next-generation networks build security into every layer. 802.1x support, which includes
embedded Extensible Authentication Protocol (EAP) capabilities, authenticates devices at the
LAN port, disallowing unknown devices and locking down the physical network. Run wires, or
wireless signals, anywhere you like; only authorized users will be able to attach. These
networks will also include embedded IPSec capabilities, transparently encrypting traffic and
preventing even authorized connections from eavesdropping on the network's traffic. Security
won't be something you add to these networks; it will be something that is built in from the very
start, providing, for the first time in the history of networks, a truly integrated, secure
infrastructure on which to build business applications and services. A highly secure OS will
finally become a less important consideration as the underlying infrastructure begins to take
responsibility for security.
Read more about 802.1x at
http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci787174,00.html as well as in
Chapter 6.
Next-Generation Networking
What are the technologies that will deliver on all of these wonderful new promises? Surprisingly,
nothing new. Instead, the next generation of networking technologies builds upon the solid,
reliable foundation of technologies that you've been using for years. Starting with this
foundation enables lower upgrade costs, easier architecture design, and easier integration with
your existing infrastructure, meaning you can ease into the next generation of networks
without throwing away all of today's investment.
GbE
Described in the Institute of Electrical and Electronics Engineers (IEEE) 802.3ab standard, GbE
is available now. Also named 1000Base-T, this new networking technology is ten times faster
than 100Base-T Ethernet and backward-compatible with 10Base-T and 100Base-T networks.
Also available, although still fairly expensive, is 10GbE, as specified in the IEEE 802.3ae
standard. Currently designed primarily for trunking (between offices, for example) applications,
10GbE switches and other devices are on the market, allowing companies to create end-to-end
Ethernet networks at lower acquisition and support costs than previous technologies permitted.
Wireless
Wireless access points (WAPs) now support a variety of protocols. In addition to bridging to
10Base-T, 100Base-T, and 1000Base-T wired networks, WAPs support wireless clients using
11Mbps 802.11b, 54Mbps 802.11g, and even 54Mbps 802.11a. 802.11a is currently being used
primarily in areas of high user density, as it provides lower range than 802.11b and 802.11g.
802.11a operates in a higher frequency band (5GHz) than 802.11b/g (which operates at 2.4GHz),
making the two sets of standards inherently incompatible.
Read more about the 802.11 family of wireless protocols at
http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci341007,00.html as well as in
Chapter 3.
European networks are more likely to feature 5GHz-based HiperLAN technology, which is similar to
the 802.11x family of protocols. A newer version, HiperLAN/2, offers as fast as 54Mbps operation in
the same frequency.
Switches
Switches supporting 1000Base-T, 100Base-T, and 10Base-T connections are widely available,
and switches offering 10GbE connections for office-to-office connections are also entering the
market. Most of these devices are fully compatible with slower network devices, allowing you to
deploy the central infrastructure of a faster network and slowly migrate individual devices, such
as clients, servers, and other connection devices, as feasible or necessary within your
organization. Switches have finally killed the hub: few companies are offering new Ethernet
hubs, recognizing that a fully switched architecture is a more efficient and practical way to build
the next generation of networks.
Servers
Servers are already shipping with dual 1000Base-T network adapters integrated into their
motherboards, and a variety of server-quality GbE adapter cards are available to upgrade older
equipment. As you begin to purchase new computers, look for machines that offer a built-in or
bundled GbE network adapter. Many hardware vendors include GbE NICs as standard in their
business computing lines; if it isn't standard, you'll likely pay as little as $40 for the upgrade
with a new computer (but you'll pay three or four times that amount to upgrade the computer
later). Because of its complete backward compatibility with existing Ethernet standards (such as
100Base-T), trickling GbE into your environment is an affordable, slow-paced way to build the
next generation of networks without a complete redesign of what you've got and without the
need to throw away existing equipment. Upgrading existing server hardware to GbE when you
have the box open for another upgrade, such as disk or memory, gives you a very inexpensive
way to move your servers to GbE, because the cost is in the downtime, not the upgraded NIC.
Security
802.1x and IPSec are the latest rage in network security, and you'll find them available in
higher-end network adapters and devices, such as wired switches and WAPs. IPSec is available in
hardware network adapters for most major OSs, allowing you to completely offload the
otherwise considerable burden of encrypting large quantities of network data onto a dedicated
hardware processor, making network security completely transparent and easier to manage.
Newer versions of the Windows OS include an 802.1x client, allowing those computers to
participate in 802.1x-secured networks. WPA and AES are part of the upcoming IEEE wireless
LAN security standard 802.11i, which will provide powerful wireless LAN security. Some
vendors offer these technologies today: Microsoft offers support for WPA on a select subset of
the available wireless hardware in an OS upgrade for Windows XP.
Getting Ready
The building blocks of the next-generation networks are available and prices are falling rapidly.
You'll need to start planning to introduce them into your environment, but before you do, what
steps should you take? What can you do today to prepare yourself, your peers and employees,
and your equipment for the new network?
Education
Take the time to learn all you can about these new networking protocols: how they differ from
past versions and how they'll affect your environment. Focus on the leading edge: 1GbE and
10GbE, 802.1x security, iSCSI SANs, and 802.11a/g wireless connections. Vendor white papers,
magazine articles, and an increasing number of books are available to explain these new
technologies and give suggestions for how to approach them in your environment.
- Consider the next-generation network in all new hardware purchases. Provision new
  computers with 1GbE, and buy new switches that support 1GbE and potentially even
  10GbE for MAN connections.
- Make all of your new wired NIC purchases 1000Base-T adapters. The backward
  compatibility with your existing Ethernet technology makes the eventual transition to
  GbE completely transparent to users.
- Root out the old voice-quality CAT3 cabling that is hiding in your walls; 1000Base-T is
  designed to run over existing CAT5 and CAT5e or better wiring. Use high-quality
  CAT5e, CAT6, or better cables, and ensure that cable runs don't run along
  electromagnetic sources such as ceiling lights and electrical lines. Check wall jacks to
  ensure cable terminations meet CAT5, CAT5e, or better standards; improperly terminated
  wall jacks are the leading cause of electromagnetic noise in high-speed networks. If
  you're running new wires, go with CAT6, which will provide the best long-term
  investment in your physical infrastructure.
- Take a hard look at where your network is going. Many next-generation networking
  technologies, such as GbE and iSCSI, are relying more on less-expensive copper
  wiring (CAT5, CAT5e, and CAT6) than on fiber. GbE over CAT5 and iSCSI will give
  you plenty of performance at a much lower cost than implementing a fiber networking
  technology.
Summary
The network that you've been working with for the past decade is likely showing its age.
Fortunately, the next generation of networking technologies is here: GbE, solid wireless
networks, smarter switches, and built-in security. These are the building blocks of the
next-generation networks that companies will rely on to enhance productivity, lower costs, raise
security, and improve connectivity. So how do you get started?
In the next chapter, we'll explore GbE, including network adapters and switches, introducing you
to the key improvements in addition to the speed of this technology. We'll discuss how to
migrate your current network to support GbE. In each subsequent chapter, we'll cover the
additional technologies that form next-generation networks so that you have the resources in
place to make decisions that will result in an optimized next-generation network in your
environment.
Wi-Fi and Wi-Fi Protected Access are trademarks of the Wi-Fi Alliance. BlackBerry is a
trademark of Research In Motion Limited. All other trademarks are the property of their respective
owners.
Chapter 2
                  100Base-T          GbE
Speed             100Mbps            1000Mbps
Frame format      802.3 Ethernet     802.3 Ethernet
MAC layer         802.3 Ethernet     802.3 Ethernet
Flow control      802.3x Ethernet    802.3x Ethernet
Primary mode      Full duplex        Full duplex
Is older better? Ethernet is decades old, and you might be wondering why such an old protocol is the
best choice for the future. Ethernet is the most stable networking protocol in the world. The entire
global Internet is built primarily from Ethernet connections on local networks. Nearly every imaginable
problem with the Ethernet protocol was worked out years and years ago, leaving us with a technology
that offers true dial-tone reliability, meaning you just turn it on and it works. What better technology
could be used to build next-generation networks?
Switches
In Ethernet's early days, all devices were connected directly to one another or to a central hub.
When any one device transmitted, all the connected devices saw the signal. A hub's entire job, in
fact, was to receive transmissions and retransmit them to every connected device on the hub. As
a result of this methodology, collisions became an issue. As the number of connected devices
increased, more collisions would occur. But a solution became evident and available to solve the
Ethernet collision problem: switching. 100Base-T switches are logically similar to hubs,
providing a central connection point for all devices on the network. However, when one device
transmits and the switch receives the transmission, the switch doesn't necessarily retransmit that
signal to all other attached devices. Instead, the switch looks at the destination MAC address to
determine the next action:
- If the MAC address is a special broadcast address, the transmission is intended for all
  devices, and the switch rebroadcasts the signal to all attached devices.
- If the MAC address is not one that the switch has seen before, the signal is broadcast to
  all attached devices. However, the switch watches for a reply from that MAC address.
  When it sees a reply, it associates that MAC address with the port on which the reply was
  seen, making future traffic more efficient.
- If the MAC address is one that the switch has seen before, the signal is only rebroadcast
  out the port that is associated with the MAC address.
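As an added illustration (not code from the book), the following Python model implements the three forwarding rules above and, for the per-port approved-MAC list the Chapter 1 Security section mentions, drops and records frames whose source address is not approved on a locked port. The MAC addresses, port numbers and the `LearningSwitch`/`Frame` names are constructed for the example.

```python
"""Simulated learning Ethernet switch with optional per-port MAC approval.

Added example: models the forwarding rules described in the chapter
(broadcast, unknown unicast flood-and-learn, known unicast forward) plus
a simple "approved MAC list" port lock. All addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC address
    dst: str            # destination MAC address
    ingress_port: int   # port the frame arrived on


@dataclass
class LearningSwitch:
    num_ports: int
    # MAC-to-port mappings held in the switch's onboard memory.
    mac_table: Dict[str, int] = field(default_factory=dict)
    # Optional allow-list per port; a port with no entry accepts any source.
    approved: Dict[int, Set[str]] = field(default_factory=dict)
    # Frames dropped because their source MAC was not approved on the port.
    violations: List[Frame] = field(default_factory=list)

    def forward(self, frame: Frame) -> List[int]:
        """Return the list of egress ports the frame is sent out of."""
        if not 0 <= frame.ingress_port < self.num_ports:
            raise ValueError("invalid ingress port %r" % frame.ingress_port)
        # Port lock: an unapproved source on a locked port is neither
        # switched nor learned; it is recorded for the administrator.
        allowed: Optional[Set[str]] = self.approved.get(frame.ingress_port)
        if allowed is not None and frame.src not in allowed:
            self.violations.append(frame)
            return []
        # Learning: remembering the source of every frame (including the
        # reply the chapter describes) ties a MAC to the port it was seen on.
        self.mac_table[frame.src] = frame.ingress_port
        others = [p for p in range(self.num_ports) if p != frame.ingress_port]
        if frame.dst == BROADCAST:
            return others                      # rule 1: broadcast everywhere
        port = self.mac_table.get(frame.dst)
        if port is None:
            return others                      # rule 2: unknown, flood
        if port == frame.ingress_port:
            return []                          # already on the right segment
        return [port]                          # rule 3: known, one port


def demo() -> Dict[str, object]:
    """Walk a 4-port switch through the three rules and a port-lock violation."""
    sw = LearningSwitch(num_ports=4)
    # Port 3 is a spare lobby jack locked to a single approved device.
    sw.approved[3] = {"00:10:18:aa:aa:aa"}
    a, b = "00:10:18:00:00:01", "00:10:18:00:00:02"   # constructed addresses
    rogue = "00:10:18:ff:ff:ff"                      # unapproved device
    results: Dict[str, object] = {}
    # First frame from A to an unknown B: flooded out every other port.
    results["first"] = sw.forward(Frame(src=a, dst=b, ingress_port=0))
    # B replies: switch now knows A is on port 0, so only port 0 receives it.
    results["reply"] = sw.forward(Frame(src=b, dst=a, ingress_port=1))
    # A's next frame to B goes out port 1 only.
    results["second"] = sw.forward(Frame(src=a, dst=b, ingress_port=0))
    # A broadcast is always sent to all other ports.
    results["bcast"] = sw.forward(Frame(src=a, dst=BROADCAST, ingress_port=0))
    # A rogue device on the locked lobby jack is dropped and logged.
    results["blocked"] = sw.forward(Frame(src=rogue, dst=BROADCAST, ingress_port=3))
    results["table"] = dict(sw.mac_table)
    results["violations"] = len(sw.violations)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-10s %s" % (name, value))
```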
Switches are complicated devices. Ethernet switches must actively watch traffic and take action
based on the traffics destination. Thus, switches require onboard memory to remember MAC-to-port
mappings. Initially, such devices were expensive. However, with the advent of single-chip Ethernet
switch controllers, such as those produced by Broadcom, switches have become less expensive. The
result is that switches have almost completely replaced less-efficient hubs on most Ethernet
networks.
Originally, switches were used as a form of central backbone device. One switch would provide
connections to several hubs, and the hubs would, in turn, provide connections to several devices.
The hubs each represented a collision domain, meaning every device connected to a hub would
be competing for transmission bandwidth with the other devices on the same hub. The switch
separated these collision domains, reducing the number of devices that were competing with one
another.
By the year 2000, switches became so inexpensive that most companies simply attached devices
directly to switch ports and eliminated hubs altogether. Doing so helped reduce the collision
domain to one computer per domain. Of course, collisions still occur: broadcast traffic and other
fairly common types of traffic result in collisions between transmitting devices. Switch fabrics
have become efficient and inexpensive enough to make the standardization on switched networks
a non-issue at any price point.
Aggregation
The first 10/100 switches enabled a new type of network efficiencyaggregation. Multiple
client segments running at 10Base-T were connected to the switch along with one or two
100Base-T server segments. Incoming traffic from clients was running at 10Mbps, so the servers
could receive 100Mbps and one client conversation occupied only one-tenth of the available
server segment bandwidth. The switch, then, could aggregate as many as 10 client connections
onto the server segment at once, vastly increasing network efficiency.
Although it would seem that faster clients have caused more network congestion in recent years,
such isn't really the case. Calculations and test reports that make use of the total available
bandwidth and the maximum bandwidth utilization of the network clients are generally red
herrings; that is, they simply draw attention away from the actual issues, the most common of
which is client response time.
What about when clients catch up again? Of course, clients will eventually catch up and be running
GbE. That is where 10GbE switching comes into play, offering the ability to aggregate GbE
connections between data centers, buildings, and so forth; retaining a high-speed edge; and
maintaining network efficiency. We will explore 10GbE switching later in this chapter.
Duplex
Ethernet can operate in one of two duplex modes: half and full. Half-duplex is a lot like CB
(Citizens Band) radio communications between truckers: you can talk or listen but you can't do
both at the same time. In fact, the collisions that occur when two truckers try to transmit at once
are similar to the way that Ethernet collisions occur. Half-duplex is a pretty inefficient mode, but
when network devices are connected to a hub, it is generally the only choice. Half-duplex is
necessary to manage collisions.
When connected to a switch, however, full-duplex becomes possible, which basically means that
a device can send and receive data at the same time, more like a telephone conversation in
which both parties can talk at once. This mode is obviously more efficient and is another reason
that companies replace hubs with switches. GbE, in most instances, operates only in full-duplex
mode, maximizing the potential of each client connection.
Baseband vs. Broadband
The 1000Base-T designator for GbE stands for 1000Mbps, Baseband, Twisted pair. This term is an
indication of the protocol's basic speed, its bandwidth utilization (baseband), and the wiring used (twisted
pair CAT5 wiring or better).
Other designations have existed in Ethernet's past. For example, the earliest Ethernet was 10Base-2,
running a 10Mbps baseband over coaxial cabling. 10Base-5 used a thicker coaxial cable. A term that you
don't often encounter is the baseband designation, which simply means that each transmission utilizes
the entire bandwidth that can be carried by the wiring.
The alternative is broadband communications, through which transmissions are divided into channels,
and each channel can carry traffic independent of the others. The most common form of broadband is
cable TV, which is capable of carrying hundreds of channels of programming as well as voice and data
services over a single wire.
Which begs the question: Why doesn't Ethernet switch to broadband? Something like 1000Broad-T would
be incredibly efficient, assigning one dedicated channel to each connected device and eliminating
collisions altogether.
The problem is that today's CAT5 wiring can't carry broadband transmissions. Those signals require
high-quality, heavily shielded wiring, such as the coaxial wires connected to your cable TV box at home.
Companies would have to spend millions to replace their existing wiring. Another problem is getting traffic
from one channel to another. When two computers want to talk to one another, some sort of switching
device would have to bridge traffic across their two individual channels. These switching devices would
act a lot like a telephone switch, which connects two phone lines for a conversation. However, these
network switches would have to operate at incredible speeds and carry incredible amounts of data. It's
uncertain whether they could be built to operate with the required speeds.
We've established a base understanding of GbE technology. With this foundation of knowledge,
we can begin to explore how GbE products will affect next-generation networks.
GbE Products
All GbE products are not created equal. The actual products you buy, from Hewlett-Packard
(HP), IBM, Dell, and so forth, are generally built using Ethernet chipsets from companies such
as Broadcom and Intel. These chipsets create and process the Ethernet frames and are the major
factor in determining the networking function's speed and efficiency.
For example, in a database test conducted by Broadcom, a client PC using Broadcom's
NetXtreme GbE controller outperformed a similarly equipped client PC utilizing a competitive
brand GbE controller by 300 percent. The Broadcom-equipped machine was able to achieve
more than 6200 transactions per second, whereas the system equipped with the competitive
brand reached only 2083 transactions per second, in both transmit and receive operations. In a
similar test, the Broadcom-equipped system was used to measure Active Directory (AD) logins,
and beat the competitive brand-equipped machine by 260 percent, processing more than 710
logins per second versus the competitive brand-equipped system's 275.
Another test utilizing Microsoft's Exchange Server software provided excellent results as well.
The Broadcom-equipped system handled 5432 sent messages per second; the competitive
brand-equipped machine handled 2777. Thus, the system running Broadcom was about 196 percent
faster. Again, these client PCs were all equipped with similar-seeming hardware: GbE
controllers, the same processors, fast SCSI storage, and more; the different GbE controllers
made all the difference.
GbE Performance
GbE has rapidly become the standard network technology that connects today's business users and is
the next logical step in Ethernet technology. It provides users with an enhanced computing experience
that increases network performance and productivity and reduces CPU utilization and network
congestion. Tests conducted by the Ziff-Davis Media Company's eTesting Labs (http://www.veritest.com)
show that GbE connections can provide as much as a 341 percent performance and productivity
improvement over 10/100 Fast Ethernet connections running everyday business applications on client
systems such as email, Web browsing, databases, and disk backup.
[Figure 2.1 chart: "GbE Performance", bar chart of transactions per second (0 to 7000) for Database Tx, Database Rx, AD, and Exchange, comparing the Broadcom NetXtreme controller with a competitive product.]
Figure 2.1: The GbE controller manufacturer of a GbE device makes a big difference in performance
numbers.
GbE Network Adapters and Switches that use Broadcom GbE Controllers
Most major manufacturers embed Broadcom's proven, high-performance GbE controllers into their
notebooks, desktops, and servers. These manufacturers also offer add-in NICs featuring Broadcom
technologies. When making your next purchase, confirm the product has Broadcom GbE controllers.
In addition, most first-tier infrastructure devices, including switches, utilize Broadcom technology. For a
complete list of network adapters and switches that incorporate Broadcom's high-performance GbE
controllers, visit http://www.broadcom.com.
Figure 2.2: The first step in deploying GbE is to acquire GbE servers and clients.
As Figure 2.4 shows, the GbE adoption process is the same for client computers and
workstations that have built-in GbE NICs. In this figure, both the switch and the router have been
upgraded to support GbE (shown in orange).
As the orange lines indicate, the client computers have now been upgraded, although they are
connected to a legacy switch and will therefore negotiate to a slower speed. Because they will be
connected to legacy switches, they will fall back to 100Base-T; however, you'll have complete
compatibility along with a built-in, ready-to-go upgrade for the future.
Figure 2.4: Upgrade older client computers and acquire new systems that have GbE built-in.
As Figure 2.5 shows, the last switch has now been upgraded. The only client still running at
10Base-T or 100Base-T will negotiate the proper speed with the switch.
When buying a notebook, ask for built-in GbE integration right on the motherboard. Add-in GbE will
either use the PC Card/PCMCIA slot or a USB port, neither of which is really capable of managing
1000Mbps traffic. Unfortunately, notebooks continue to be the most difficult-to-upgrade kind of
computer, so your switch to GbE may not be complete until you've phased out all your older
notebooks.
Finally, when you're ready, you can replace any devices and systems that are still running at
slower 10/100Base-T speeds. The infrastructure is already in place, so you can conduct this
phase of the upgrade, like the other phases, at your leisure. Figure 2.6 shows the final all-GbE
network.
Unlike other networking technologies, which don't offer the "it's all Ethernet" compatibility,
GbE allows you to conduct your upgrade as slowly or as quickly as you like. Begin by acquiring
new devices with built-in GbE, and gradually replace infrastructure components as required by
your business needs. Or conduct an over-the-weekend upgrade of specific types of bandwidth,
such as server-switch or router-switch. The decision is yours, and GbE offers the flexibility to
support whatever plans you might have.
Depending on how your network is designed, it contains many categories of bandwidth, such as
client-switch bandwidth, which carries traffic from a switch to client computers; router-switch bandwidth,
which carries traffic between switches and routers; switch-switch bandwidth, which carries traffic
between switches, often between buildings on a corporate campus; and server-switch bandwidth,
which carries traffic between servers and switches. If you have created dedicated segments for
networked printers, the switch-printer bandwidth category will be an important consideration in your
GbE-deployment plan. You might also want to independently consider the bandwidth used on
perimeter networks (DMZs), extranets, and other specialized subnets.
Getting to the end of your GbE deployment? When you're down to the last few devices and systems,
use a hardware inventory system such as Microsoft Systems Management Server (SMS) or Intel
LANDesk to inventory your server and client computers and pick up the last few 100Base-T models.
Add-in PCI adapters can be used to upgrade these computers. And don't forget about other
network-attached devices, such as networked printers and copiers. Contact their manufacturers for
information about upgraded network connection modules.
In an effort to encourage a consistent TOE implementation that is compatible with Microsoft
OSs, Microsoft has introduced the TCP Chimney offload architecture. This architecture is
designed to intelligently segment the TOE technology between the Microsoft OS and hardware.
TCP Chimney offload architecture was publicly introduced at the Windows Hardware
Engineering Conference (WinHEC) in May 2003. This partial offload technology is designed to
provide a standardized TOE access methodology that doesn't require a vendor-specific parallel
transport stack to hook the existing transport stack that ships with the Windows OS (the
Chimney technology is scheduled to be released with the next version of the Windows OS,
code-named Longhorn). Broadcom has been working closely with Microsoft on this technology from
the beginning.
RDMA
GbE and TOE technology will greatly increase the amount of network traffic possible between
servers and clients. This added traffic will place an additional burden on the memory and CPU
bus because the traffic needs to be moved from one location in the computer's memory to
another. One way to improve this situation is to point network traffic directly to the memory
location on the computer where it's desired. Doing so will reduce the burden on the
CPU/memory subsystem and improve the time it takes (called latency) for information to get
from one computer to the next. This solution is called RDMA and has been standardized by the
RDMA Consortium (http://www.rdmaconsortium.org).
RDMA is a technology feature that allows one computer to place data in the memory of another
computer, thereby reducing the processing overhead and maximizing the efficient use of
available network bandwidth. RDMA uses a kernel bypass model in which the application talks
directly to the NIC, and the NIC takes the buffer content and transmits it to the target computer
using the RDMA write message, which contains both the data and the destination information.
The NIC on the target computer then writes the data contained in the RDMA write message
directly into the target application's memory buffer. These actions all take place with minimal
involvement of the CPUs on the originator and target computers. With TOE hardware in place,
the push for RDMA over TCP/IP, and technologies such as Microsoft Chimney, with its direct
hooks into the OS, you will be able to bring the benefits of these combined technologies
transparently to users and application development.
31
Chapter 2
Many OS and application vendors are working on new products that will take advantage of the
emerging RDMA infrastructure. RDMA requires specialized application support, which isn't very
widespread at the moment. Applications and OSs will need to be aware of the capabilities of RDMA
and will have to take special steps to utilize it. As RDMA matures and becomes more readily available
in network hardware, you'll see OSs and applications begin to take advantage of it.
iSCSI
iSCSI is one of the most exciting technologies to emerge in the world of storage area networks
(SANs). The big player in the SAN marketplace is fibre channel (FC). Although FC is an
effective and enterprise-capable technology, it is a bit complicated and quite expensive. It also
makes the SAN a dedicated network, essentially requiring that servers be connected both to the
primary Ethernet network for client connectivity and to a dedicated FC network for SAN access.
Figure 2.7 illustrates this architecture.
iSCSI, however, tunnels normal SCSI commands over TCP/IP packets, making the traffic
suitable for a normal Ethernet network. Applications make normal calls to the OS, which, in
turn, generates normal SCSI commands through a SCSI device driver. With traditional, directly
connected SCSI storage, these SCSI commands are transported to a hardware device driver and
eventually to a SCSI controller card that is connected to the SCSI storage devices. In the case of
iSCSI, the driver software encapsulates the SCSI commands in TCP/IP packets and places them
onto the network. No special NIC hardware is required, and the packets simply travel to the
network-connected storage device.
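The encapsulation just described is concrete enough to show on the wire. The following is an added example, not code from the book or from any iSCSI vendor: it assembles an iSCSI SCSI Command PDU (the 48-byte Basic Header Segment defined in RFC 3720, with the SCSI CDB carried in bytes 32-47) and parses it back, the way a storage-network monitor or IDS would decode what an initiator is asking a target to do. The sample command (a READ(10) of 8 blocks at LBA 256 on LUN 0) and all of its field values are constructed for the illustration; header and data digests are assumed to be disabled.

```python
import struct

BHS_LEN = 48  # every iSCSI PDU starts with a 48-byte Basic Header Segment (RFC 3720)

# Opcode names from RFC 3720 (low 6 bits of byte 0 of the BHS)
OPCODE_NAMES = {
    0x00: "NOP-Out", 0x01: "SCSI Command", 0x02: "Task Management Request",
    0x03: "Login Request", 0x04: "Text Request", 0x05: "SCSI Data-Out",
    0x06: "Logout Request", 0x20: "NOP-In", 0x21: "SCSI Response",
    0x22: "Task Management Response", 0x23: "Login Response",
    0x24: "Text Response", 0x25: "SCSI Data-In", 0x26: "Logout Response",
    0x31: "Ready To Transfer", 0x32: "Asynchronous Message", 0x3F: "Reject",
}

# A few SCSI CDB operation codes, enough to label the constructed sample
CDB_NAMES = {0x00: "TEST UNIT READY", 0x12: "INQUIRY", 0x25: "READ CAPACITY(10)",
             0x28: "READ(10)", 0x2A: "WRITE(10)"}


def build_scsi_command(itt, cmdsn, expstatsn, lun, cdb, expected_xfer_len,
                       read=False, write=False, data=b""):
    """Assemble a SCSI Command PDU (opcode 0x01): BHS plus an optional data segment."""
    if len(cdb) > 16:
        raise ValueError("CDBs longer than 16 bytes need an AHS, not handled here")
    flags = 0x80 | (0x40 if read else 0) | (0x20 if write else 0)  # F, R, W bits; ATTR=0
    bhs = bytearray(BHS_LEN)
    bhs[0] = 0x01                                   # opcode 0x01, I (immediate) bit clear
    bhs[1] = flags
    bhs[4] = 0                                      # TotalAHSLength, in 4-byte words
    bhs[5:8] = len(data).to_bytes(3, "big")         # DataSegmentLength (24 bits)
    bhs[8:16] = lun.to_bytes(8, "big")              # LUN
    # ITT, Expected Data Transfer Length, CmdSN, ExpStatSN occupy bytes 16-31
    struct.pack_into("!IIII", bhs, 16, itt, expected_xfer_len, cmdsn, expstatsn)
    bhs[32:48] = cdb.ljust(16, b"\x00")             # SCSI CDB, zero-padded to 16 bytes
    pad = (-len(data)) % 4                          # data segment is padded to 4 bytes
    return bytes(bhs) + data + b"\x00" * pad


def parse_bhs(pdu):
    """Decode the BHS (and the SCSI Command fields) and sanity-check the declared length."""
    if len(pdu) < BHS_LEN:
        raise ValueError("truncated PDU: shorter than the 48-byte BHS")
    opcode = pdu[0] & 0x3F
    hdr = {
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, "unknown/reserved"),
        "immediate": bool(pdu[0] & 0x40),
        "final": bool(pdu[1] & 0x80),
        "ahs_len": pdu[4] * 4,
        "data_len": int.from_bytes(pdu[5:8], "big"),
        "itt": struct.unpack_from("!I", pdu, 16)[0],
    }
    # Declared size: BHS + AHS + data padded to 4 bytes (digests assumed disabled)
    hdr["declared_len"] = BHS_LEN + hdr["ahs_len"] + ((hdr["data_len"] + 3) & ~3)
    hdr["length_ok"] = len(pdu) >= hdr["declared_len"]   # never trust the length field alone
    if opcode == 0x01:                              # SCSI Command: decode the CDB
        hdr["read"] = bool(pdu[1] & 0x40)
        hdr["write"] = bool(pdu[1] & 0x20)
        hdr["lun"] = int.from_bytes(pdu[8:16], "big")
        xfer, cmdsn, expstatsn = struct.unpack_from("!III", pdu, 20)
        hdr.update(expected_xfer_len=xfer, cmdsn=cmdsn, expstatsn=expstatsn)
        cdb = pdu[32:48]
        hdr["cdb_op"] = CDB_NAMES.get(cdb[0], "0x%02x" % cdb[0])
        if cdb[0] in (0x28, 0x2A):                  # READ(10)/WRITE(10): LBA and block count
            hdr["lba"] = struct.unpack_from("!I", cdb, 2)[0]
            hdr["blocks"] = struct.unpack_from("!H", cdb, 7)[0]
    return hdr


def sample_read10():
    """Constructed sample: READ(10) of 8 blocks at LBA 256 on LUN 0, 4096-byte transfer."""
    cdb = bytes([0x28, 0x00, 0, 0, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00])
    return build_scsi_command(itt=0x1234, cmdsn=7, expstatsn=3, lun=0, cdb=cdb,
                              expected_xfer_len=8 * 512, read=True)


if __name__ == "__main__":
    for k, v in parse_bhs(sample_read10()).items():
        print(f"{k:>17}: {v}")
```

Everything the parser recovers (LUN, LBA, block count, direction) is visible to anyone on the same Ethernet segment, which is the flip side of iSCSI needing no special hardware: a storage VLAN that keeps the traffic off the general network, and the initiator authentication the iSCSI login phase provides, are the usual compensating controls.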
Because iSCSI runs over existing networks without any special controller hardware in the server,
it offers many of the same benefits but at a much lower cost than traditional FC-based SANs. In
fact, iSCSI is already beginning to revolutionize the concept of SANs, placing these otherwise
expensive architectures well within the reach of small and midsized businesses. The benefits of a
SAN (centralized storage management, better fault tolerance, and easier storage
reconfiguration) are becoming available to organizations of every size. As Figure 2.8 shows,
iSCSI rides on your existing network topology, making the deployment easier than FC-based
SANs.
To further simplify the deployment of iSCSI, Microsoft released iSCSI drivers for Windows 2000
(Win2K), Windows Server 2003, and Windows XP Professional in June 2003. In this first
implementation, the driver is built into the OS and works with the TCP/IP stack (supporting iSCSI
over TCP/IP). Support is provided for all standard Ethernet adapters, meaning that iSCSI solutions
can be implemented without a major hardware upgrade. This same transparency of support is what
will make the Microsoft Chimney TOE implementation so desirable with future versions of the
Microsoft OSs.
You can find current details about Microsoft's iSCSI support and announced future plans at
http://www.microsoft.com/windowsserversystem/storage/iscsi.mspx.
The trick, of course, is that your existing network must be able to support the additional traffic
that iSCSI imposes, and only GbE can offer that flexibility.
iSCSI vs. FC
The SAN debate is beginning to heat up and will likely rage for years. The thinking is that FC SANs
provide dedicated bandwidth for storage (which you can also achieve with iSCSI, of course) and a more
efficient, more stable, and higher-end set of technologies for creating SANs. Other emerging technologies
will run FC over IP, meaning you could potentially build FC-based SANs over Ethernet networks.
However, FC is undeniably expensive. The FC adapters required for servers and storage devices are
expensive, as is the fiber-optic cabling. iSCSI offers a much less expensive solution. It uses standard
Ethernet technologies and requires much less expensive hardware and cabling. Whether iSCSI will be
able to edge out FC remains to be seen, but iSCSI will likely represent a majority of the SAN market of
the future because iSCSI-based SANs are affordable enough for companies that would have never
otherwise considered SANs. It should also be noted that iSCSI and FC are not mutually exclusive
implementations.
In fact, iSCSI is being compared in many ways to Microsoft Windows Server in the early days. Although
Windows wasn't, at the time, the most feature-laden or stable server OS, it was cheap, easy to set up,
and ran on inexpensive commodity server hardware. These characteristics made it an attractive solution
to small companies and departments who couldn't afford more complex, expensive, and demanding
solutions like UNIX, Novell NetWare, and so forth. iSCSI is to FC what Windows was to Novell: an
inexpensive, easy-to-maintain, easily deployed technology that will become very popular.
Looking Ahead
A number of emerging technologies, many of which are beginning to be available right now,
offer faster performance, easier management, and advanced functionality. Your next-generation
network isn't as far away as you might think.
One of the most exciting new developments is 10GbE switching. As GbE becomes more
prevalent at the desktop and server tiers, you will need a way to aggregate Gigabit speeds.
Traditionally, companies have used expensive fiber connections between buildings on a
corporate campus or on city-spanning MANs. In addition to the expensive fiber cabling, the fiber
controller modules can cost thousands of dollars. 10GbE offers a much less costly solution,
offering 10Gbps speeds over inexpensive, copper InfiniBand cabling. A single 10GbE
connection can aggregate many GbE connections over long distances and improve the ability of
servers to maintain multiple connections.
Summary
GbE represents the ideal upgrade to today's overburdened networks: you can deploy GbE as
quickly or as slowly as you like, and with the right purchasing decisions on new equipment, GbE
will effectively deploy itself invisibly throughout your enterprise. In addition to helping
bandwidth-hungry applications, such as voice and video conferencing, and meeting the demands
of data-hungry users, GbE offers additional bandwidth for exciting new technologies such as
TOE, iSCSI, RDMA, and iSER. These technologies offer more than just new functionality; they
offer serious solutions to performance bottlenecks that hamper high-end business applications.
When placed in the context of planning for your future business growth and development, GbE
implementation becomes a critical part of the future infrastructure for any business that plans to
be competitive, especially in light of the simplicity of deploying GbE in your current networking
enterprise.
In the next chapter, we'll explore wireless networking, considered by many to be the most
exciting development in the network arena since Ethernet. From a standing start just a few short
years ago, wireless networking, now in its fourth generation of broad-audience technologies, is
revolutionizing the way people work and play, and the way networks are designed, secured, and
managed.
All product and service names and all trademarks are the property of their respective owners.
Chapter 3
802.11b
The IEEE approved two enhancements to the original 802.11 standard in 1999, 802.11a and
802.11b. 802.11b occupies the same 2.4GHz radio frequency as the original 802.11 specification,
extending raw data rates to 11Mbps. It was the first major commercial success for wireless
networking, primarily because it provided similar maximum data rates to 10Base-T Ethernet,
making it viable for corporate use. Many manufacturers quickly released commercial 802.11b
products, including 3Com, Apple, Cisco, Dell, Gateway, Hewlett-Packard and others.
The Wi-Fi CERTIFIED Designation
Although the IEEE created the 802.11 family of specifications, the organization doesn't enforce the
specification or ensure that manufacturers create products that precisely meet the specification. To
ensure that manufacturers produce implementations that are interoperable with other 802.11 devices, the
Wi-Fi Alliance provides interoperability testing and a seal of approval.
Currently comprised of more than 200 member companies, the Wi-Fi Alliance's Wi-Fi CERTIFIED
designation ensures that products claiming to be 802.11b compatible are, in fact, fully interoperable with
other 802.11b devices. The Wi-Fi Alliance conducts rigorous tests of hardware and software to ensure
compatibility before issuing the designation, providing consumers with confidence that all Wi-Fi
CERTIFIED products will work with one another. Today, Wi-Fi CERTIFIED has been expanded to include
802.11g and 802.11a, and more than 1000 products have been Wi-Fi CERTIFIED to date.
Wi-Fi CERTIFIED has become so popular and widely recognized that it's harder to find products that
don't carry the designation. Still, don't bother purchasing products that aren't certified, should you come
across any; the benefit of compatibility and specification adherence is worth looking for the Wi-Fi logo.
Wi-Fi CERTIFIED is your guarantee of interoperability between devices.
802.11a
With 802.11a, the IEEE took the standard up to 5GHz, offering raw data rates up to 54Mbps. As
with 802.11b, 802.11a provides for lower data rates to compensate for coverage, offering speed
fallbacks to 48Mbps, 36Mbps, 24Mbps, 18Mbps, 12Mbps, 9Mbps and 6Mbps. 802.11a products
began appearing in 2001. The higher speed allows greater capacity, but the higher frequency
means shorter range. The biggest issue for 802.11a is that its different radio frequency makes it
incompatible with 802.11b, which has seen wide deployment throughout the world. These
limitations have hindered adoption of 802.11a. As the market continues to evolve, manufacturers
are releasing network adapters and wireless access points (APs) that support tri-mode
operation (meaning they support 802.11a, 802.11b, and 802.11g) or dual-band operation (meaning
they cover both the 2.4GHz and 5GHz frequencies), allowing client devices to connect with
whichever form of wireless networking is best at the time.
The Wi-Fi CERTIFIED program requires manufacturers to indicate whether their certified product
operates at 2.4GHz or 5GHz, making it easier for consumers to buy the right equipment for their
needs.
802.11g
802.11g is the new mainstream wireless networking technology. Ratified by the IEEE in June
2003, 802.11g works in the same 2.4GHz range as 802.11b. 802.11g provides speeds of 54Mbps,
with fallback to speeds of 48Mbps, 36Mbps, 24Mbps, 18Mbps, 12Mbps, 11Mbps, 9Mbps,
6Mbps, 5.5Mbps, 2Mbps and 1Mbps, if necessary. Like 802.11a, 802.11g is nearly five times
faster than 802.11b. Its advantage is that it is fully backward compatible with 802.11b, making it
the logical successor to that protocol. In fact, to carry the Wi-Fi CERTIFIED designation,
802.11g products must provide full backward support for 802.11b, ensuring a smooth migration
to the new protocol.
54g
54g is Broadcom's implementation of the 802.11g standard, providing maximum performance in speed,
reach, and security. 54g products are fully 802.11g compatible and provide the fastest possible speeds
allowed by that specification. 54g-branded products offer extended ranges thanks to SmartRadio and
the standards-based Broadcom Xpress technology, built-in Wi-Fi Protected Access (WPA) and
Advanced Encryption Standard (AES) security (which we'll discuss later in this chapter). 54g products
were the first to achieve Wi-Fi certification, and were included in the 802.11g Wi-Fi test bed that all other
products are tested against for interoperability.
The Wi-Fi Alliance recently announced a new brand, Wi-Fi ZONE. This brand is used to designate
public wireless LAN access that is built using Wi-Fi CERTIFIED hardware. If your client device contains
Wi-Fi CERTIFIED hardware, a Wi-Fi ZONE provides a place where you're ensured interoperability. You
can find a list of places offering Wi-Fi ZONE access at http://www.wi-fizone.org.
It is becoming more common to find APs that support a variety of standards, including 802.11a
and 802.11g. These APs make it easy to get connected no matter which type of equipment you
have in your client device.
Dual-Band 802.11a/b/g
For the enterprise, dual-band is a compelling option when architecting your network. Client devices such
as laptops can automatically select 802.11g or 802.11a, depending on traffic and usage patterns. Near
the end of this chapter, we'll explore sample network architectures that leverage these devices to provide
the most robust, future-proofed wireless network possible.
802.11i: Security Enhancements
IEEE specifications typically require years of work and research and, sometimes, the specification's
goals turn out to be unreachable given current technologies, or those goals evolve enough that a new
specification is warranted. In addition, pieces of a specification are sometimes implemented in the
marketplace ahead of the full specification ratification. WPA and Broadcom Xpress technology, both
of which we'll cover later in this chapter, are examples of how the IEEE draft specifications can drive
product development even before full ratification.
Of these additional specifications, 802.11e and 802.11i provide the most important benefits to
wireless networking in general. 802.11i is of particular importance, as it deals with security in
wireless networking, a topic that has been a concern since the limitations and vulnerabilities of
Wired Equivalent Privacy (WEP) became clear.
Engineering a wireless network requires careful placement of these APs to provide complete
coverage. APs can, and should, have an overlapping signal area; clients will automatically
select one AP, then select a new AP when moving out of range of the first. As Figure 3.2 shows,
you might need to provide significant overlap for high-density areas, increasing the total amount
of bandwidth available to the wired network.
Figure 3.2: Overlapping APs provide more bandwidth for a larger number of clients.
Think of it this way: each 802.11g AP provides up to 54Mbps connectivity between wireless
clients and the wired network. However, each 802.11g AP must share its available bandwidth
with all the clients on the network. By adding a second AP in the same transmission area, some
clients will be able to utilize that AP's connection to the wired network rather than the first AP's
connection. A simple analogy is a highway: adding lanes won't increase the speed limit, but it
will allow more cars to travel at that top speed.
Shared Bandwidth
An AP can only provide its maximum throughput to a single wireless client at a time. If there are two
wireless clients within range, they will share that bandwidth, just as they would on a wired Ethernet
segment. In fact, APs provide a function logically similar to Ethernet hubs, connecting wireless clients and
allowing them to share the available bandwidth.
By contrast, Figure 3.3 shows what happens when APs don't provide sufficient coverage. Mobile
clients may travel out of range of one AP before reaching another AP, resulting in a loss of
connectivity. It's important to understand the transmission characteristics of your clients and APs
and to thoroughly test AP placement when deploying a full-coverage wireless network.
Hardware can make a big impact when it comes to coverage. Antenna design can be especially
important, and add-on third-party antennas can be used to increase the range of a wireless network.
802.11a Specifics
802.11a also uses a different transmission structure than 802.11b: orthogonal frequency division
modulation (OFDM), which is sometimes called discrete multitone modulation (DMT). The
technique has seen widespread use in other high-speed networking applications, namely a form
of asynchronous digital subscriber line (ADSL). OFDM is highly resistant to noise and jamming
and can be combined with other techniques to resist signal dispersion, burst noise, fading, and
other transmission problems. Because 802.11a uses 5GHz radio frequencies, it has a shorter
operating range than 802.11b. However, 802.11a is well suited for high-traffic locations because
it can support as many as 12 non-overlapping channels, so there are more channels available to
support client devices.
802.11g Specifics
802.11g uses the same DSSS, HR-DSSS as 802.11b and adds the same OFDM modulation
method as 802.11a. Like the original 802.11 and 802.11b, 802.11g supports a range of about 350
feet and three non-overlapping channels because it resides on the same 2.4GHz radio frequency.
Broadcom Xpress Frame Bursting Technology
There is growing demand for more bandwidth, yet a wireless LAN standard for data rates beyond
54Mbps is at least a year away. In the meantime, there are technologies available to improve
efficiency, thereby increasing the effective bandwidth of today's data rates.
One such technique is called frame bursting. Frame bursting, an extension of a feature in an
original version of the 802.11 specification, is included in drafts of the upcoming 802.11e QoS
standard. Frame bursting improves wireless LAN performance by eliminating some overhead
traffic. As a result, more of the limited bandwidth is available to send and receive data.
Broadcom is one of the first wireless LAN chip set suppliers to offer frame bursting, and markets
the feature as Broadcom Xpress technology.
Wireless networking provides a shared medium; all wireless clients within range of an AP share
that AP's bandwidth, and the more clients you place on the AP, the less bandwidth each
individual client will receive. More devices are going wireless; in fact, according to
TechKnowledge Strategies, by 2007, 75 percent of the wireless networking chip sets produced
will go into something other than notebook computers. Wireless VoIP phones, PDAs, notebooks,
MP3 players, digital cameras and other applications will all compete for wireless bandwidth.
In addition, wireless clients never achieve the full speed of their network (wired networks don't
either, though wireless networking overhead is more substantial). For example, in an 11Mbps
802.11b network, clients can't usually exceed 6Mbps actual speed due to networking overhead
(there is also a difference between the data rate and the throughput, which we'll explore later in
this chapter). Every packet transmitted incurs a small amount of overhead. Unfortunately, to
maintain compatibility with older standards, overhead doesn't change much even as data
transmission speeds increase. For example, an 802.11g network takes less time to transmit a data
packet than an 802.11b network requires, but both networks incur about the same overhead in
doing so.
Frame bursting is designed to help address this problem. The original 802.11 standard requires
wireless LAN devices to pause after each transmitted frame, which is basically a packet prepared
for wireless transmission. These pauses allow other devices a chance to signal their intention to
transmit, keeping the network working smoothly. With frame bursting, the client that is sending
data is allowed to send several frames in a row without pausing, thus decreasing the total
overhead while transmitting a data packet. Figure 3.4 illustrates this process.
Note that transferring the data frames in 802.11g requires less time even though they contain the
same amount of data; this benefit is one of the major features of 802.11g that allows it to achieve
higher throughput.
Imagine a conversation in which you're required to pause for one second after every word to see
whether anyone else wants to talk. If you wanted to say "nice weather we're having," it might
only take half a second per word, but the entire phrase would require five seconds due to the
pauses. In frame bursting, you would be allowed to get out as long as 1.5 seconds of words
before pausing, meaning your phrase would only require 3 seconds, a savings of 2 seconds (a
40 percent savings).
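The two points the chapter makes here, that fixed per-frame overhead eats a larger share of airtime as the data rate rises, and that sending frames back-to-back amortizes that overhead, can be checked with a small airtime model. The following is an added example written for this section, not code from the book or from Broadcom, and it generalizes the conversation analogy: one function reproduces the 5-second versus 3-second phrase arithmetic, and the others apply the same idea to frames. The 1500-byte payload and the 700-microsecond per-pause overhead are constructed round figures, and charging the overhead once per burst is a deliberate simplification of how real frame bursting works.

```python
import math


def frame_airtime_us(payload_bytes, rate_mbps, overhead_us):
    """Airtime of one frame: bits / (Mbit/s) is microseconds, plus the fixed per-frame cost
    (inter-frame gaps, contention, preamble, acknowledgement) that does not shrink with rate."""
    return payload_bytes * 8 / rate_mbps + overhead_us


def throughput_mbps(payload_bytes, rate_mbps, overhead_us, burst=1):
    """Payload throughput when `burst` frames go back-to-back and the fixed overhead is paid
    once per burst. burst=1 is the original 802.11 behaviour: a pause after every frame."""
    data_us = burst * payload_bytes * 8 / rate_mbps
    return burst * payload_bytes * 8 / (data_us + overhead_us)


def overhead_share(payload_bytes, rate_mbps, overhead_us, burst=1):
    """Fraction of airtime spent on overhead rather than on payload bits."""
    data_us = burst * payload_bytes * 8 / rate_mbps
    return overhead_us / (data_us + overhead_us)


def speaking_time_s(n_words, word_s=0.5, pause_s=1.0, burst_limit_s=None):
    """The chapter's analogy: a pause after every word, or (with bursting) only after each
    run of up to burst_limit_s seconds of words."""
    words_per_burst = 1 if burst_limit_s is None else max(1, int(burst_limit_s // word_s))
    bursts = math.ceil(n_words / words_per_burst)
    return n_words * word_s + (bursts - 1) * pause_s


def comparison(payload_bytes=1500, overhead_us=700):
    """Constructed scenarios: same overhead, rising data rate, then bursting four frames."""
    rows = []
    for label, rate, burst in (("802.11b, no bursting", 11, 1),
                               ("802.11g, no bursting", 54, 1),
                               ("802.11g, bursts of 4", 54, 4)):
        rows.append((label,
                     round(throughput_mbps(payload_bytes, rate, overhead_us, burst), 1),
                     round(100 * overhead_share(payload_bytes, rate, overhead_us, burst))))
    return rows


if __name__ == "__main__":
    print("phrase, pause after every word: %.1f s" % speaking_time_s(4))
    print("phrase, 1.5 s bursts:           %.1f s" % speaking_time_s(4, burst_limit_s=1.5))
    for label, mbps, pct in comparison():
        print(f"{label:22s} {mbps:5.1f} Mbps effective, {pct:3d}% of airtime is overhead")
```

With these assumptions the 11Mbps case lands near the 6Mbps the chapter quotes, while at 54Mbps without bursting roughly three quarters of the airtime is overhead; bursting four frames brings the overhead share back down to about what 802.11b sees.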
The early 802.11 specification includes a feature called fragment bursting that essentially
provided this savings for single packets that were divided into sub-packets. Frame bursting is a
standards-based technology that extends and implements this feature for multiple data packets.
Frame bursting is also included in the draft 802.11e specification (in which it is called
continuation transmit opportunity, CTXOP), which focuses on QoS issues such as prioritizing
certain frames of time-sensitive traffic (such as streaming media). Industry leaders such as
Broadcom and Microsoft are creating the Wi-Fi Multimedia Enhancements (WME), a subset of
802.11e that should be brought to market sooner than the full 802.11e specification. WME also
includes frame bursting technologies.
As you can see in Figure 3.4, the performance improvement offered by Broadcom Xpress frame
bursting is significant. Broadcom Xpress technology includes specific features to deal with
mixed-mode environments (networks with both 802.11b and 802.11g clients). For example, in an
environment with only one 802.11g client, Broadcom Xpress technology can result in an
aggregate of as much as 23 percent performance improvement. With two clients, Broadcom
Xpress technology shows as much as a 27 percent improvement, reflecting the savings of both
clients eliminating some of their transmission overhead. With one 802.11g and one 802.11b
client, as much as 61 percent performance improvement is possible, assuming only the 802.11b
client is using Broadcom Xpress technology. In a mixed environment in which an 802.11g and
802.11b client both use Broadcom Xpress technology, the performance improvement is close to
75 percent simply by eliminating wasted transmission time.
Broadcom has introduced Broadcom Xpress technology through its OneDriver software,
which makes frame bursting available for Broadcom's entire family of AirForce wireless
networking products. These solutions are used in many of the major network and notebook
brands.
One advantage of Broadcom-based solutions is that the entire AirForce family (found in wireless LAN
products from Apple, Dell, Hewlett-Packard, Linksys/Cisco, and others) utilizes a single software
driver. This makes it easier for enterprises to maintain a single OS software image as product
updates are deployed.
Radios Matter
Remember that GI Joe walkie-talkie you had as a kid? If your friend ran halfway down the block,
you couldn't talk anymore, and you just couldn't imagine how the real military got by with such
shoddy equipment. Obviously, the real military had better equipment, so the message is simple:
all radios are not created equal. For that matter, not all digital signal processor (DSP) algorithms
and antennas are created equal, and they all play an important role in the performance of wireless
network hardware. One reason some notebooks seem to perform so well is that their wireless
antenna is embedded in the notebook's housing and extends around the circumference of the
display, providing a large antenna that tends to rise above desktop-level signal blockages.
CMOS radios are also an important technology. Because CMOS manufacturing techniques are
designed for precision and reliability, CMOS radios lend themselves to consistently better
performance than other chip-manufacturing technologies. First introduced in 2002, CMOS radios
are the most common type of radio found in 54Mbps products. CMOS has a host of other
advantages, including lower power and a smaller form factor, which helps to increase portable
devices' battery life and make the technology easier to implement in a wider range of devices.
Competing, more exotic technologies such as silicon germanium (SiGe) and gallium arsenide
(GaAs) provide less sensitivity and higher power consumption and are typically more expensive
to produce, increasing the price of the wireless LAN product you buy.
Experts predict that, eventually, all wireless LAN radios will be CMOS. The cost savings, reliability
and ease of manufacturing of the CMOS process is simply too significant. In the meantime, you can
save yourself money and increase reliability by choosing wireless networking products that already
incorporate CMOS radios, such as those from Broadcom.
When selecting radios, you should also look for features such as self-calibration, which enables
the radio to adapt more readily to deal with walls, extended ranges and other conditions,
providing consistently higher data rates without forcing the network adapter to fall back to a
slower rate. Bluetooth, a short-range wireless technology, uses the same 2.4GHz band as
802.11b and 802.11g, providing potential for interference, particularly when both technologies
exist in the same device, as is becoming more common. Selecting solutions that are designed to
work together, and ideally, integrated, allows them to cooperate rather than compete.
Mixed 802.11b and 802.11g Environments
If your goal is to build the fastest wireless network possible, you should be aware of a
performance limitation imposed on an 802.11g network when 802.11b clients are present.
802.11g can only operate in its fastest mode when there is no need to support 802.11b devices;
even a single 802.11b device will force the network into a slightly slower mode. 802.11g devices
will continue to function at much higher data rates than 802.11b, but they won't reach their full
throughput potential. This protocol for providing backward compatibility in mixed-mode
environments is called the protection mechanism, and it is part of the 802.11g standard.
Consider the network that Figure 3.5 shows, which includes two APs running on a single channel
and four wireless clients. Three of the clients are 802.11g, and one is 802.11b. Because the two
APs are on the same channel, they must activate protection mechanism to accommodate the
802.11b client, thereby providing support for both the 802.11b and 802.11g clients.
Figure 3.5: A single 802.11b client activates the protection mechanism, which slows the network.
Many industry observers expect that wireless networks will need to be prepared to deal with
802.11b traffic for years to come, as handheld devices that don't require the bandwidth of
802.11g can instead take advantage of inexpensive, lower-power 802.11b technology. However,
if you want to provide maximum speed to your 802.11g clients, you'll need to build overlapping
wireless networks on different channels, with one dedicated to serving only 802.11g clients.
Figure 3.6 shows this setup.
In this example, clients using the channel one and six APs will be able to run at full, native
802.11g speeds. Clients using the channel eleven APs will run either at 11Mbps (802.11b clients)
or the slightly slower mixed-mode speeds (802.11g clients).
Don't expect 802.11b to go away just because 802.11g is available. Many devices, including PDAs
and cell phones, simply have lower bandwidth needs and can do just fine with 802.11b. 802.11b is
also less expensive to add to these devices, is available in single-chip implementations from
manufacturers such as Broadcom, and has a long life ahead of it. Make sure your wireless network
plans include 802.11b support.
802.11b Architecture
Many corporations have already rolled out 802.11b wireless connectivity within their offices,
and a large number of public hot spots are available that provide free or inexpensive wireless
access. The networks providing this connectivity are generally simple. In most corporate
environments, APs are placed near major areas of wireless LAN need: conference rooms,
lobbies, cafeterias, employee lounges, and other areas in which mobile client devices are
typically used. APs are wired back to the nearest Ethernet switch, providing connectivity to the
wired network. Figure 3.6 is a simplified illustration of a typical 802.11b deployment. Note that
a single 802.11b AP provides a maximum of 11Mbps data rate (not throughput), shared between
all wireless clients within range.
To allow for a higher density of users, and because 802.11b allows for three distinct non-overlapping
channels, a configuration could be set up in which each AP handles one channel
apiece. This setup provides an aggregate 33Mbps data rate shared in 11Mbps chunks with each
802.11b client on a particular channel. This type of configuration is appropriate for large
conference rooms in which additional high-capacity users may be online at the same time. Many
companies place APs so that their coverage areas overlap significantly around high-density areas
such as large conference rooms, engineering labs, and so forth.
802.11a and 802.11g Architecture
802.11a and 802.11g each provide a maximum of 54Mbps shared bandwidth per AP. Like
802.11b, 802.11g provides for three non-overlapping channels, meaning a coverage area served
equally by three APs can provide up to 162Mbps aggregate capacity. When architecting your
network, however, be aware that any 802.11b clients within a channel will cause that channel to
enable protection mechanisms that will result in lower bandwidth for the 802.11g clients
(although they will still get better than 802.11b bandwidth).
802.11a, however, provides as many as 12 non-overlapping channels in a shorter, 180-foot range.
This feature makes 802.11a ideal for especially high-density areas; as many as 12 APs can
service a single coverage area, providing an aggregate raw data rate of 648Mbps. Although it is
unlikely that many organizations will need that much bandwidth in such a small area, there are
certainly applications, such as videoconferencing and other streaming media applications, that
might make the additional dedicated bandwidth worthwhile.
One way to structure wireless networks is to deploy 802.11g (which also provides 802.11b
support) to areas of normal usage, such as office spaces, smaller conference rooms, employee
lounges, and so forth. You can then deploy multiple dual-band 802.11a/b/g APs to higher-density
areas, such as cafeterias, larger conference rooms, or anyplace in which higher density may be
required in the future. To begin, you can simply deploy one AP to each of these areas. As the
need for additional aggregate bandwidth becomes evident, you can add more APs to the
coverage area. If you adopt this strategy, make sure you're investing in tri-mode 802.11a/b/g
clients, as well, so that your clients will be able to connect to the networks within range. You can
then switch your high-density areas to provide primarily 802.11a coverage, because your clients
will be able to roam between networks fairly easily.
Where Do You Need Coverage?
Your first big decision, of course, is to decide where you need wireless networking. Conference rooms,
lobbies, and other meeting areas are obvious choices. Employee cafeterias and lounges may be other
choices. Some companies go so far as to provide wireless LAN coverage in nearby public areas, such as
an outdoor courtyard or picnic area. Large companies may also provide access at a nearby shopping
mall's food court so that employees can check email while at lunch. This access may be in the form of a
sponsored public hot spot or an extension of the company's own, authentication-required wireless
network.
You'll also need to decide how much wireless coverage you need in your regular office spaces. Some
companies figure that their desktop and other office computers are all wired, so there's no need to invest
in additional APs. However, employees coming back from a conference may not plug their laptops into a
dock or other network connection right away; providing at least minimal AP coverage in the office areas
will ensure that these employees can continue to work without interruption.
802.11i
Currently in draft status with the IEEE, 802.11i is designed to shore up wireless LAN security
with a comprehensive specification. 802.11i is being built around 802.1X port-based
authentication, which we'll explore later in this chapter. 802.11i is nearing completion and
should be ratified in mid-2004 according to the current pace of work. Two critical components of
802.11i are AES, a new cryptographic standard created by the United States government, and
WPA's authentication scheme.
Prior to 802.11i's ratification, however, the Wi-Fi Alliance announced WPA, a new part of the
Wi-Fi CERTIFIED program. The alliance requires WPA support for new products to earn the
Wi-Fi CERTIFIED designation.
WPA
WPA uses the Temporal Key Integrity Protocol (TKIP), which is a bundle of data encryption
features. Keys are derived differently than with WEP and are rotated frequently to prevent any
one key from becoming overused and potentially compromised. WPA also adds message
integrity checks to prevent forged packets.
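As an added illustration (not code from the book or from Broadcom), the following Python sketch shows the two WPA properties just described: a different key for every frame a sender transmits, and a keyed message integrity check (MIC) that rejects any frame whose bits were altered in transit. The key-mixing function (HMAC-SHA256), the key values and the frame layout are assumptions made for this example; TKIP's actual mixing function and MIC algorithm are different constructions, but the defensive properties demonstrated are the same.

```python
import hashlib
import hmac
import struct

MIC_LEN = 8        # bytes of integrity tag appended to each frame
HEADER_LEN = 12    # destination MAC (6) + source MAC (6)
SEQ_LEN = 8        # per-frame sequence number


def derive_packet_key(master_key: bytes, sender_mac: bytes, seq: int) -> bytes:
    """Return a fresh 16-byte key for frame number `seq` from one sender.

    Assumption for this example: HMAC-SHA256 acts as the key-mixing function.
    TKIP's real mixing function differs, but the property illustrated is the
    same: every (sender, sequence) pair gets its own key, so no single key is
    reused across frames the way a static WEP key is.
    """
    label = b"per-packet-key" + sender_mac + struct.pack(">Q", seq)
    return hmac.new(master_key, label, hashlib.sha256).digest()[:16]


def compute_mic(mic_key: bytes, header: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed integrity tag covering the header, the sequence number and the payload."""
    msg = header + struct.pack(">Q", seq) + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:MIC_LEN]


def build_frame(mic_key: bytes, header: bytes, seq: int, payload: bytes) -> bytes:
    """Constructed frame layout: header(12) || seq(8) || payload || mic(8)."""
    return header + struct.pack(">Q", seq) + payload + compute_mic(mic_key, header, seq, payload)


def verify_frame(mic_key: bytes, frame: bytes) -> bool:
    """Recompute the MIC and compare in constant time; a frame with any bit changed fails."""
    if len(frame) < HEADER_LEN + SEQ_LEN + MIC_LEN:
        return False
    header = frame[:HEADER_LEN]
    seq = struct.unpack(">Q", frame[HEADER_LEN:HEADER_LEN + SEQ_LEN])[0]
    payload, mic = frame[HEADER_LEN + SEQ_LEN:-MIC_LEN], frame[-MIC_LEN:]
    return hmac.compare_digest(mic, compute_mic(mic_key, header, seq, payload))


def flip_bit(frame: bytes, offset: int) -> bytes:
    """Return a copy of the frame with one bit changed at `offset` (a corrupted or forged frame)."""
    altered = bytearray(frame)
    altered[offset] ^= 0x01
    return bytes(altered)


def demo() -> dict:
    master_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test value
    mic_key = bytes.fromhex("ffeeddccbbaa99887766554433221100")     # constructed test value
    sender = bytes.fromhex("02005e000001")                          # constructed MAC
    header = bytes.fromhex("02005e000002") + sender                 # dst || src
    payload = b"GET /status HTTP/1.0"

    # Key rotation: 100 consecutive frames from one sender use 100 different keys.
    keys = {derive_packet_key(master_key, sender, seq) for seq in range(100)}

    frame = build_frame(mic_key, header, seq=7, payload=payload)    # 48 bytes in total
    return {
        "distinct_keys": len(keys),
        "intact_frame_accepted": verify_frame(mic_key, frame),
        "payload_bit_flipped": verify_frame(mic_key, flip_bit(frame, 25)),  # inside payload
        "header_bit_flipped": verify_frame(mic_key, flip_bit(frame, 3)),    # inside destination MAC
        "seq_bit_flipped": verify_frame(mic_key, flip_bit(frame, 19)),      # inside sequence number
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MIC covers the addresses and the sequence number as well as the payload, which is why a change anywhere in the frame, not just in the data, is detected at the receiver.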
AES
AES is a new cryptographic standard supported by the National Institute of Standards and
Technology (NIST). It supports key sizes of 128, 192, and 256 bits, and serves as a replacement
for the aging Data Encryption Standard (DES), which supports 56-bit keys. AES is a faster
encryption algorithm than the now-common Triple-DES, a DES enhancement that basically
encrypts data three times for better security. NIST describes AES as a symmetric block
cipher that can encrypt and decrypt information. The estimated time required for modern
computing equipment to crack an AES-encrypted block is 149 trillion years, compared with 4.6
billion years for Triple-DES.
AES is a significant component of 802.11i, and encrypting and deciphering every packet that
comes in or out of a wireless client device or AP is a significant task. Fortunately, AES can be
implemented in hardware, where it is extremely fast and places virtually no overhead on the
client OS. Broadcom networking products carrying the 54g logo include complete on-hardware AES for full compatibility with future standards and high performance.
802.1X
An IEEE standard based on Extensible Authentication Protocol (EAP), 802.1X provides port-level authentication for networks, especially wireless networks. The idea is to only allow
authenticated users on the network, both to ensure privacy and to protect corporate network
resources from being wasted by outsiders.
802.1X is designed to leverage corporations' existing centralized authentication resources,
primarily through the use of the Remote Authentication Dial-In User Service (RADIUS). 802.1X
takes EAP and ties it to the physical medium, Ethernet or wireless LAN. EAP messages are
encapsulated in 802.1X messages and referred to as EAP over LAN (EAPOL).
For wireless networks, 802.1X has three primary components:
The authentication server, which is usually a RADIUS server, although 802.1X doesn't
specifically require RADIUS
The supplicant attempts to connect to the AP, which detects the client and enables its port for
communications. The port is placed into an unauthorized state so that only 802.1X-related traffic
is accepted and forwarded to the wired network. The supplicant is then required to send an EAP-start message.
The AP responds with an EAP-request identity message, asking to obtain the client's identity.
The supplicant then sends an EAP-response message containing the client's identity, which is
forwarded to the authentication server. The authentication server uses whatever means it wants to
authenticate the client. For example, in an all-Microsoft environment, the authentication server
might be a RADIUS front-end to Active Directory (AD; Microsoft provides such a front-end,
called the Internet Authentication Service, with Windows 2000 and Windows Server 2003).
The result is the authentication server sending an accept or reject packet back to the AP.
A reject packet will cause the supplicant's port to be shut down. An accept packet will cause the
port to be placed into an authorized state in which all traffic is accepted and placed onto the
wired network to which the AP is connected. The last bit of 802.1X comes at logoff, when the
client sends an EAP-logoff message to shift the port back to an unauthorized state.
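The exchange described above, as an added example that is not part of the original text: a minimal Python model of one 802.1X-controlled port. The authentication server is a stand-in for RADIUS with a constructed identity set instead of a real directory, and the EAP-Success/EAP-Failure messages the AP relays to the supplicant after the server's Access-Accept/Access-Reject are standard 802.1X behaviour assumed here rather than taken from the text.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"   # only 802.1X (EAPOL) frames are accepted and forwarded
    AUTHORIZED = "authorized"       # all client traffic is placed onto the wired network


@dataclass
class EapolMessage:
    kind: str                       # e.g. "EAP-Start", "EAP-Request/Identity", "EAP-Logoff"
    identity: Optional[str] = None  # carried only by "EAP-Response/Identity"


class AuthenticationServer:
    """Stand-in for the RADIUS server. Uses a constructed identity set; a real
    deployment would consult AD or another directory behind RADIUS."""

    def __init__(self, permitted: Set[str]) -> None:
        self.permitted = permitted

    def authenticate(self, identity: str) -> str:
        # RADIUS answers the AP with Access-Accept or Access-Reject.
        return "Access-Accept" if identity in self.permitted else "Access-Reject"


class PortAuthenticator:
    """The AP (authenticator) side of 802.1X for a single port."""

    def __init__(self, server: AuthenticationServer) -> None:
        self.server = server
        self.state = PortState.UNAUTHORIZED
        self.log: List[str] = []

    def accepts(self, frame_type: str) -> bool:
        """Port policy: EAPOL always passes; everything else only once authorized."""
        return frame_type == "EAPOL" or self.state == PortState.AUTHORIZED

    def receive(self, msg: EapolMessage) -> Optional[EapolMessage]:
        self.log.append(f"port {self.state.value}: received {msg.kind}")
        if msg.kind == "EAP-Start":
            return EapolMessage("EAP-Request/Identity")
        if msg.kind == "EAP-Response/Identity":
            verdict = self.server.authenticate(msg.identity or "")
            if verdict == "Access-Accept":
                self.state = PortState.AUTHORIZED
                return EapolMessage("EAP-Success")
            self.state = PortState.UNAUTHORIZED
            return EapolMessage("EAP-Failure")
        if msg.kind == "EAP-Logoff":
            self.state = PortState.UNAUTHORIZED   # port closes again at logoff
        return None


def supplicant_logon(identity: str, authenticator: PortAuthenticator) -> List[str]:
    """Client side of the exchange; returns the kinds of the messages the AP sent back."""
    replies = []
    reply = authenticator.receive(EapolMessage("EAP-Start"))
    replies.append(reply.kind)
    if reply.kind == "EAP-Request/Identity":
        reply = authenticator.receive(EapolMessage("EAP-Response/Identity", identity))
        replies.append(reply.kind)
    return replies


def session_accepted_then_logoff() -> dict:
    """Known user: the port opens after Access-Accept and closes again on EAP-Logoff."""
    ap = PortAuthenticator(AuthenticationServer({"alice@example.test"}))   # constructed identity
    before = ap.accepts("IP")
    replies = supplicant_logon("alice@example.test", ap)
    during = ap.accepts("IP")
    ap.receive(EapolMessage("EAP-Logoff"))
    after = ap.accepts("IP")
    return {"replies": replies, "ip_before": before, "ip_during": during, "ip_after": after}


def session_rejected() -> dict:
    """Unknown identity: the port stays unauthorized, so only EAPOL frames get through."""
    ap = PortAuthenticator(AuthenticationServer({"alice@example.test"}))
    replies = supplicant_logon("guest-laptop", ap)
    return {"replies": replies, "ip": ap.accepts("IP"), "eapol": ap.accepts("EAPOL")}


if __name__ == "__main__":
    print(session_accepted_then_logoff())
    print(session_rejected())
```

The `accepts` check is the part worth noticing: before authentication and after logoff the same port drops ordinary IP traffic, which is what "port-based" means in practice.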
Putting It All Together
So where does it all fit together? The acronyms alone can be hard to keep up with; the following
list provides a summary:
WEP is the original, outdated, and less-than-secure data encryption technique featured in
the original 802.11 standard. WEP does not address user authentication.
802.11i is the IEEE draft specification addressing wireless LAN security from both a data
encryption and user authentication standpoint.
AES is the new encryption standard created by the United States government, replacing
the older DES. AES is also referenced in the 802.11i standard.
WPA is a subset of the 802.11i draft standard that IEEE and the Wi-Fi Alliance ordained
to provide an immediate replacement to WEP, while the standards-setting body hammers
out the final 802.11i standard. WPA includes most of the major pieces of 802.11i,
including 802.1X, TKIP encryption, and the improved message integrity check (MIC).
The Wired Weak Point
Keep in mind that all of these features only protect communication between wireless clients and
their APs; as soon as the data hits the wired network, it's completely unprotected by wireless
LAN security measures. If you're concerned about the security of your wired network (a valid
concern, especially for traffic transmitted over the Internet), you will need to continue to employ
higher-level encryption mechanisms, such as IPSec, virtual private networks (VPNs), and Secure
Sockets Layer (SSL).
A good plan is the first thing you'll need. Know your business requirements, where APs
are needed, and what type of wireless LAN devices you will be supporting. Understand
your users' wireless LAN bandwidth needs and make plans to meet them. Also make
plans to grow the wireless network as utilization increases.
Central provisioning capabilities are useful. You will want to be able to centrally
configure all your wireless LAN hardware from a single desktop, if possible.
Hardware Support
Although it has been mentioned several times, it is worth repeating: the quality of the wireless
LAN hardware you select can be critical to your wireless LAN implementation, if not today,
then tomorrow. Here are some tips:
Look for AES that is integrated into the wireless networking hardware. Simply
supporting AES isn't enough; implementing AES in a software driver will place
additional unnecessary processing overhead on your client computers and APs, resulting
in significantly degraded performance.
Select equipment that rigorously complies with IEEE standards. Look for the 54g logo
for maximum-performance 802.11g, and the Wi-Fi CERTIFIED logo to ensure the broadest
possible range of compatibility, reliability, quality, and future-proofing.
Where Can You Get the Right Wireless Hardware?
Broadcom's pioneering wireless networking products provide a completely standards-based, forward-looking approach to wireless networking. In addition, Broadcom is the power behind many of the leading
brands of wireless LAN products, including Apple, Belkin, Buffalo, Compaq, Dell, eMachines, Fujitsu,
Gateway, Hewlett-Packard, Linksys/Cisco, Microsoft and Motorola.
Broadcom's hardware and associated software offer everything you need for a secure, stable wireless
LAN solution: single-chip 802.11b components for small-device and low-power scenarios, integrated
CMOS radios, AES embedded in the hardware, a universal software driver across a product family,
superior radio technologies and much more.
Use centralized provisioning whenever possible. Some tools can provision compatible
clients with wireless encryption keys, network settings and more, making it easy to
configure clients without a trip to each one.
Use your existing central directory for 802.1X. Most directories provide RADIUS
compatibility.
Select network hardware that can utilize a single software driver for an entire family of
products, such as Broadcom's AirForce family of products. You will be able to maintain
fewer OS images and lower your support costs by reducing environment variables.
Summary
While you're building your wireless network of today, take the time to build the wireless
network of tomorrow as well. Future-proofing is possible, particularly when you select wireless
LAN equipment that is designed to be forward-looking. The following list highlights specific
considerations for wireless networking equipment:
AES encryption in hardware: Look for equipment that includes AES capabilities built in
to the hardware (such as devices carrying the 54g brand), because hardware AES
support provides better performance with less overhead on client computers.
Today, wireless networking is one of the most exciting areas of networking. Wireless networks
are becoming more secure than wired networks, as few wired networks today offer 802.1X port-level authentication and continuous encryption. Architecting wireless networks isn't difficult,
and you can build a future-proofed network by choosing equipment that is built to today's
standards while looking forward to tomorrow's developments.
Broadcom, the pulse logo, Connecting everything, 54g, the 54g logo, AirForce, Broadcom
Express, OneDriver and SmartRadio are trademarks of Broadcom Corporation and/or its
affiliates in the United States and certain other countries. Wi-Fi, Wi-Fi CERTIFIED, Wi-Fi
Protected Access and Wi-Fi ZONE are trademarks of the Wi-Fi Alliance. Bluetooth is a
trademark of Bluetooth SIG. Windows, Windows XP, Windows 2000 and Windows Server
are trademarks of Microsoft Corporation. Linux is a trademark of Linus Torvalds. UNIX is a
trademark of Unix System Laboratories, Inc. All other trademarks or trade names are the property of
their respective owners.
Chapter 4
What Is a Switch?
At the most basic level, a switch is a device that controls signals going from one side of the
device to the other. In networking terms, a switch handles the signals coming in across either a
copper or fiber connection, and directs the signals to the other side of the switch. Multi-port
switches are able to route inbound traffic across any supported media and send the traffic
outbound on any other port. Intelligent switches provide additional capabilities. In a switched
environment, each port on the switch has a dedicated full-bandwidth connection available to it;
in a more traditional hub, each connection shares the available bandwidth and must attend to the
various network contention issues inherent in the Ethernet design (see Figure 4.1).
Figure 4.1: The basic switch architecture has not changed, but the performance of the network has increased
tenfold.
Today's typical switch will offer one or two high-speed ports (usually GbE) for connecting back
to a network backbone or directly to a server, and 24 to 48 lower speed (10/100) ports are
provided for connection to client devices. Although most network backbones are being upgraded
to GbE, only a small percentage of those upgraded backbones are attached to upgraded switches
for the client connections; an overwhelming majority of those client switches are still based on
100Mb Ethernet. The current generation of GbE switches will offer 10/100/1000 Mb
connectivity to each client. Clearly, a migration to GbE for all the client connections is the next
step in corporate network evolution, especially given the minimal incremental costs involved to
achieve this configuration.
Adding intelligent switching to a network is a simple process. Even if the current networking
infrastructure comprises an antique backbone and hub configuration, the migration to
intelligent switches will be transparent to end users. Regardless of the level of sophistication of
the current network configuration, the benefits that intelligent switching presents to the network
administrator as well as the potential competitive business advantages enabled by this technology
far outweigh the incremental cost of the migration.
Intelligent Switching
An intelligent switch is one that, at the very least, knows something about the traffic that it is
passing through the network. It has the capability to examine each packet as it passes through, so
the switch has the ability to make decisions about each packet. The most common decision it
makes is usually related to the routing of each packet. These routing and forwarding decisions
are applied to each packet based on the type of traffic contained within the packet and the
priority that has been assigned to that type of data.
Intelligent switches are usually referred to by their position in the Open Systems Interconnect
(OSI) network model. For example, a Layer 2 switch refers to Layer 2 in the OSI model (see
Figure 4.2), which is the Data Link Layer. As such, the Layer 2 switch is always aware of a data
packet's media access control (MAC) address, which is unique to each network device in your
network. The unique identification available through MAC addresses enabled the transition from
shared media networking, in which information was broadcast to every network node, to
switched networking, in which information is only transmitted to the target node.
All switches must be able to forward packets to the appropriate client; basic Layer 2 switches
include the ability to understand and utilize the Layer 2 priority settings and virtual LAN
connections. This enhanced feature is important because the virtual LAN (VLAN) capability
allows network designers to create virtual networks with the existing wiring infrastructure
without rewiring. As a result, physical proximity no longer becomes a requirement for clients
when attached to a specific network. The network administrator simply must ensure that the
switch port is identified with the configured VLAN.
A VLAN network is created by logically grouping two or more network nodes. These
nodes need not reside on the same network segment or even be attached to the same switch. All the
nodes in a VLAN share the same IP network address. For VLAN standards information, refer to the
IEEE 802.1Q resources.
The more advanced intelligent switches can also make use of the IP address information in Layer
3 and port information in Layer 4 to prioritize applications, giving higher priority to critical
traffic or applications or simply guaranteeing that the network port to which the CEO is
connected always has a high priority. Some classes of intelligent switches can also make use of
the packet data that relates to Layers 5, 6, and 7 to perform tasks such as content filtering and
spam detection.
With the utilization of intelligent switches, network administrators have detailed control over the
traffic within their network. Thus, the fact that switches can improve network performance isn't
their primary selling point; their detailed control and management capabilities make these
switches a valuable addition to a network infrastructure. These multi-layer switches (those that
can deal with traffic on more than just the Data Link Layer) can not only read the addressing
information in each packet to determine which type of data the packet contains, but also can,
when properly configured, apply business-derived policies to the network traffic such as rate
limiting and load balancing.
The OSI model uses seven layers to identify a network; the TCP/IP model uses four layers to define
the IP structure. These TCP/IP layers map as follows:
TCP/IP Application Layer maps to OSI Layers 5 through 7 (Session, Presentation, and Application)
TCP/IP Transport Layer maps to OSI Transport Layer 4
TCP/IP Internet Layer maps to OSI Network Layer 3
TCP/IP Network Interface Layer maps to OSI Data Link Layer 2 and Physical Layer 1
For example, the Data Link Layer of the OSI model (Layer 2) has the MAC address information
needed to deliver a packet to the correct destination. The IP address header information is contained
in the OSI Network Layer (Layer 3), while the TCP/UDP header information and the data packet are
contained in the OSI Transport Layer (Layer 4).
Layer 4 switches can identify the application that is transmitting and receiving data through the
TCP/IP port from which the application traffic is being switched, while a Layer 7 switch is able
to read the application layer information in the packet to determine the actual application.
Although the information found at Layer 7 will allow for a more accurate determination of the
application that is transmitting and receiving the packet, the identification performed by the
Layer 4 switch is sufficient for the vast majority of purposes (because most applications use
well-known TCP/IP ports and can be identified by them). Layer 7 switches are therefore used in more specialized
applications for which reading the packet data at the application level is necessary.
Security
Intelligent switches are able to control access on a port-by-port basis. Issues of authentication (is
the user who he or she claims to be) and authorization (is the user allowed to do this) are the bread and
butter of switch security. ACLs on a per-port basis can quickly limit the access of any intruder
that manages to penetrate your perimeter security. Multi-layer switches have the ability to
analyze the contents of network traffic more closely; thus, the signature pattern of a hacker attack
can be recognized, network viruses can be detected, denial of service (DoS) attacks can be
caught early, and the switch network can be configured to address these threats after a security
breach has been discovered. Certain types of network applications that require enhanced security
models, such as e-commerce, gain an instant level of additional security when run across
intelligent switching infrastructures by identifying and classifying traffic and/or monitoring ports
and addresses.
All of the perimeter security in the world doesn't prevent security issues created within the
network domain. Studies have shown that the single largest threat to network security is
computer viruses, followed closely by employee abuses of network resources. Intelligent
switches are critical to limiting the unauthorized use of network resources by otherwise
authorized employees. As a result, the end-to-end intelligent switching infrastructure provides
improved security for critical corporate data and yields a higher level of confidence relating to
the safety and security of the corporate network. Entire departments that should be off-limits to
most users, such as finance and human resources, can still be connected to the same
networking infrastructure with complete security.
By using VLANs, geographic proximity is not a requirement for departmental users. Different
business units can have their own finance departments that are all connected to the regular
corporate network as well as to any shared financial resources. As security is built-in to the basic
architecture of the intelligent switch, there are cost savings in both the short and long term
associated with the deployment of intelligent switching technologies.
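To make the Layer 2/3/4 decisions described earlier in this chapter and the per-port ACLs of this section concrete, here is an added Python example (not from the book or from any switch vendor): it parses the MAC, IP and port headers of a constructed Ethernet frame, applies a first-match ACL for the ingress port, and assigns a forwarding priority from the well-known destination port. The address plan, the port-to-application table and the priorities are constructed for the example; only the port numbers themselves are IANA well-known values.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# Layer 4 classification: IANA well-known destination port -> (application, priority 0..7).
# The port numbers are standard; the priorities are a constructed policy for this example.
WELL_KNOWN_PORTS = {5060: ("sip-voip", 6), 53: ("dns", 5), 443: ("https", 4), 80: ("http", 3), 25: ("smtp", 2)}


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    proto: int
    src_port: int
    dst_port: int


def parse_frame(frame: bytes) -> Optional[Flow]:
    """Read the Layer 2, 3 and 4 headers of an Ethernet frame. Returns None when the frame
    is not IPv4 over TCP/UDP; those are forwarded on Layer 2 (MAC) information alone."""
    if len(frame) < 34:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return None
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return Flow(src_mac=src_mac.hex(":"), dst_mac=dst_mac.hex(":"),
                src_ip=ipaddress.IPv4Address(ip[12:16]), dst_ip=ipaddress.IPv4Address(ip[16:20]),
                proto=proto, src_port=src_port, dst_port=dst_port)


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (flow.src_ip in self.src and flow.dst_ip in self.dst
                and (self.dst_port is None or self.dst_port == flow.dst_port))


def evaluate_acl(rules: List[AclRule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def switch_decision(port_acls: Dict[int, List[AclRule]], ingress_port: int, frame: bytes) -> Tuple[str, str, int]:
    """One frame in on `ingress_port`: apply that port's ACL, then classify it for priority."""
    flow = parse_frame(frame)
    if flow is None:
        return ("permit", "layer2-only", 0)
    action = evaluate_acl(port_acls.get(ingress_port, []), flow)
    app, priority = WELL_KNOWN_PORTS.get(flow.dst_port, ("unclassified", 0))
    return (action, app, priority if action == "permit" else 0)


def make_frame(src_ip: str, dst_ip: str, proto: int, src_port: int, dst_port: int) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP-or-UDP frame with just enough header bytes to parse."""
    eth = bytes.fromhex("02005e000002" "02005e000001") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytes([0x45, 0x00]) + struct.pack("!HHHBBH", 40, 0, 0, 64, proto, 0)
    ip += ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return eth + ip + struct.pack("!HH", src_port, dst_port) + bytes(16)


# Constructed address plan: staff desks, finance servers and the IP PBX.
STAFF_NET, FINANCE_NET = ipaddress.IPv4Network("10.10.0.0/16"), ipaddress.IPv4Network("10.20.0.0/16")
PBX, ANY = ipaddress.IPv4Network("10.30.0.5/32"), ipaddress.IPv4Network("0.0.0.0/0")
PORT_ACLS = {
    # Port 7 faces a staff desk: telephony and web are permitted, finance servers are off-limits.
    # The deny is listed first; with first-match semantics the broad web rules would otherwise reach finance too.
    7: [AclRule("deny", STAFF_NET, FINANCE_NET),
        AclRule("permit", STAFF_NET, PBX, dst_port=5060),
        AclRule("permit", STAFF_NET, ANY, dst_port=443),
        AclRule("permit", STAFF_NET, ANY, dst_port=80)],
}


def demo() -> Dict[str, Tuple[str, str, int]]:
    arp = bytes.fromhex("02005e000002" "02005e000001") + struct.pack("!H", 0x0806) + bytes(28)
    return {
        "voice_to_pbx": switch_decision(PORT_ACLS, 7, make_frame("10.10.1.25", "10.30.0.5", PROTO_UDP, 5060, 5060)),
        "https_to_internet": switch_decision(PORT_ACLS, 7, make_frame("10.10.1.25", "198.51.100.10", PROTO_TCP, 50123, 443)),
        "https_to_finance": switch_decision(PORT_ACLS, 7, make_frame("10.10.1.25", "10.20.3.7", PROTO_TCP, 50124, 443)),
        "arp_request": switch_decision(PORT_ACLS, 7, arp),
    }
```

Rule order is the detail that most often goes wrong in per-port ACLs: the explicit deny for the finance network has to precede the permit-to-anywhere web rules, or a first-match evaluator will never reach it.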
Management
The complexity and intelligence built-in to the current generation of intelligent switches make
them incredibly easy to use for network administrators. Even with the detailed control over the
network environment that an end-to-end intelligent switch infrastructure provides, the ability to
manage that infrastructure from a single interface makes network administrators' tasks
significantly simpler. For example, providers of semiconductor solutions such as Broadcom offer
customers a single API set that works across its family of switch products so that OEMs can
build custom applications that provide end-to-end management across the networking
infrastructure. As new products are added to the family, they can be easily integrated into the
network to support the custom applications already created.
OEMs will offer dedicated switch-management software tools along with industry-standard SNMP
MIBs that allow information to be provided to enterprise-management consoles. Depending upon the
vendor, direct add-in modules for those enterprise-class consoles may also be available.
Scalability
The ability to stack intelligent switches and provide a high-bandwidth connection between the
switches enables administrators to provide an easily scalable network infrastructure that can be
expanded by simply adding switches to the network. The improved manageability of these
intelligent switches results in minimal effort to add a switch to the network. As a result, network
expansion becomes an almost effortless task.
Additionally, the high-performance interconnects between the switches allow for a fair level of
resiliency. For example, a switch's ability to control another switch provides a level of high availability and prevents a failed piece of silicon from bringing down the connections to that
switch. Depending upon the type of failure and the configuration of the switches, a failover that
is not detectable to end users could occur, preventing a data center switch failure from bringing
down the entire network.
Many intelligent switches currently on the market give network administrators deployment
options of 10Mb Ethernet, 100Mb Ethernet, 1GbE, and 10GbE, allowing the switches to be
installed at both the core and departmental infrastructure levels without needing to migrate
clients simultaneously.
VoIP
One of the driving forces behind the acceptance and use of high-performance intelligent
switching is VoIP: not simplistic PC-to-PC voice communication, but telephony-quality voice
connections running over the same networking infrastructure that is carrying data. The major
stumbling block in the widespread deployment of VoIP has been the lack of reliable end-to-end
QoS in the corporate enterprise. For VoIP to work, end-to-end control of the connection is
required to ensure that a useable voice connection is maintained. Although not as susceptible to
latency issues as video connections, VoIP still has stringent requirements for latency and
dropped packets. As a result, reliable VoIP imposes requirements in two areas: latency and bandwidth.
From the bandwidth perspective, voice is very compressible, and, as such, a single conversation
doesn't require much bandwidth; however, the bandwidth needs to be available throughout the
conversation (high-volume uncompressed voice communication can be very bandwidth-intensive).
A congested network would then have both latency and bandwidth issues that would prevent the
deployment of VoIP. If the switches that reside within the network are replaced with intelligent
switches that are traffic aware and support QoS, the implementation of VoIP becomes much
simpler.
Go to http://www.iptelephony.org to keep up with what is happening in the VoIP marketplace.
Deploying a VoIP solution within your corporate enterprise requires far more than just a switching
architecture to be added to your network. A significant investment in IP telephony client hardware is
necessary as well as ensuring that you have the bandwidth available to support the telephony
functionality. The end-to-end QoS solution provided by intelligent switching is an enabling technology
for VoIP, not a solution to all VoIP issues.
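An added example, not from the text, of why the end-to-end QoS requirement matters: a small Python simulation of one 100 Mb link under a file-transfer burst, comparing a traffic-unaware FIFO switch with a strict-priority scheduler that recognizes voice. The link speed, packet sizes and arrival times are constructed inputs chosen to resemble a congested uplink.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

LINK_BPS = 100_000_000              # constructed: one 100 Mb Ethernet port feeding the uplink
PRIORITY = {"voice": 0, "bulk": 1}  # lower value is served first under strict priority


@dataclass(eq=False)                # identity-based equality so duplicates can be removed from the queue
class Packet:
    arrival_ms: float
    size_bytes: int
    traffic_class: str


def service_time_ms(pkt: Packet) -> float:
    """Time the link is busy transmitting this packet."""
    return pkt.size_bytes * 8 / LINK_BPS * 1000


def fifo(queue: List[Packet]) -> Packet:
    """Traffic-unaware switch: whatever arrived first goes out first."""
    return queue[0]


def strict_priority(queue: List[Packet]) -> Packet:
    """QoS-aware switch: the highest-priority class waiting is always served next."""
    return min(queue, key=lambda p: (PRIORITY[p.traffic_class], p.arrival_ms))


def simulate(packets: List[Packet], scheduler: Callable[[List[Packet]], Packet]) -> Dict[str, float]:
    """Event-driven single-link simulation; returns the worst queuing delay (ms) per class."""
    arrivals = sorted(packets, key=lambda p: p.arrival_ms)
    queue: List[Packet] = []
    worst: Dict[str, float] = {}
    now, next_arrival = 0.0, 0
    while next_arrival < len(arrivals) or queue:
        # Everything that has arrived by `now` joins the queue.
        while next_arrival < len(arrivals) and arrivals[next_arrival].arrival_ms <= now:
            queue.append(arrivals[next_arrival])
            next_arrival += 1
        if not queue:                   # link idle: jump ahead to the next arrival
            now = arrivals[next_arrival].arrival_ms
            continue
        pkt = scheduler(queue)
        queue.remove(pkt)
        delay = now - pkt.arrival_ms    # time spent waiting behind other packets
        worst[pkt.traffic_class] = max(worst.get(pkt.traffic_class, 0.0), delay)
        now += service_time_ms(pkt)     # link is busy until this packet is out
    return worst


def congested_traffic() -> List[Packet]:
    """Constructed load: a 300-frame file-transfer burst (36 ms of link time at 100 Mb)
    arrives at t=0, and voice packets (about one 20 ms G.711 sample plus headers)
    arrive while the burst is still draining."""
    burst = [Packet(0.0, 1500, "bulk") for _ in range(300)]
    voice = [Packet(t, 200, "voice") for t in (10.0, 30.0, 50.0)]
    return burst + voice


def compare_schedulers() -> Dict[str, Dict[str, float]]:
    traffic = congested_traffic()
    return {"fifo": simulate(traffic, fifo), "strict_priority": simulate(traffic, strict_priority)}


if __name__ == "__main__":
    for name, worst in compare_schedulers().items():
        print(name, {cls: round(ms, 3) for cls, ms in worst.items()})
```

With FIFO the first voice packet waits roughly 26 ms behind the burst, which is well beyond what a conversation tolerates; with strict priority it waits only for the single frame already on the wire (under 0.2 ms), while the bulk transfer is delayed by a negligible amount.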
Video
The same technology that is critical for VoIP is needed to stream real-time video across your
network. We've all seen what network-based video looks like: jerky movements, dropouts, out-of-sync voices, and so on. The reason for this level of performance is the lack of a QoS
mechanism to guarantee that the video stream arrives and the packets that make up the stream are
in the correct order.
When switches in an end-to-end solution can examine the packets that are being transmitted and
determine that there is a video feed contained within it, the switches can negotiate for the
necessary bandwidth to ensure a good video experience for users. Such technology takes the
multimedia network experience far beyond what users are accustomed to (current technologies
such as Microsoft NetMeeting over a non-switched network).
Wireless LAN Switching
Wireless networking has become a fact of life and the flexibility that wireless network access
provides has made it a key part of the networking model for many corporate businesses. The
ability to provide security on wireless networks has proven to be somewhat more difficult than
implementing the wireless infrastructure.
Network administrators have tended to take a brute-force approach to providing network security
and still allowing wireless access. In many cases, they simply treat the wireless user like a
remote user, configuring the wireless connection to use a VPN and IP tunneling with RADIUS
authentication for access to corporate resources. However, technology designed for use by low-speed dial-up users doesn't always transition well to a high-speed network. Thus, networks that
support many wireless users have suddenly found their remote networking resources severely
taxed, and they still aren't completely addressing the security needs of their network.
In a switched network, network administrators can aggregate the network switch ports to which
wireless APs are attached into a VLAN. This VLAN is then configured to be outside of the
normal corporate network, requiring the aforementioned remote authentication mechanisms for
users to access corporate networking resources. These solutions have their own problems and
don't address the issues that arise from users who move from docked (wired) to undocked
(wireless) work locations within the network.
WLAN switches don't eliminate the need for standard network authentication methods such as
RADIUS servers; they simply make client configuration simpler and can allow features, such as a
tunneling IP connection, that still enable users to move across APs without losing the connection.
Strict security practices must still be followed, even in the inherently more secure intelligent switch
environment.
The concept behind wireless LAN switching is to move the intelligence found in the wireless
APs back to a wired multi-layered switch that is optimized for handling 802.11 clients (see
Figure 4.3). The wireless APs become extensions of the switched network ports to which they
are connected. Thus, problems such as rogue APs are no longer an issue as the AP alone no
longer provides access to the network. An unauthorized AP attached to a switch port would,
therefore, not be authenticated to the wired network.
Figure 4.3: Wireless LAN switches reduce the security exposure of wireless APs and simplify the associated
management tasks by moving the higher-level functions associated with wireless access back to an
intelligent switch.
As a result, the security functionality is moved to the switch with authentication and ACLs
adapted to follow wireless users as they move around within the wireless network. Multi-layer
switches allow wireless users to roam between APs, subnets, and VLANs, and provide the
wireless user with smooth access into the wired network infrastructure.
As it is impossible to secure the transmission model where the wireless network operates, a very
secure and robust security model must be in place. In this scenario, administrators need to be
able to prevent three things from occurring: unauthorized access, rogue APs (unauthorized APs
attached to the network), and unauthorized APs that might overlap with the network's wireless
infrastructure. With a wireless LAN switch, administrators can take several steps at the switch
level to combat these security problems. Unauthorized users can be locked out of the network,
rogue APs can be quarantined or blocked completely, and unauthorized APs can be prevented
from any user associations. These actions are performed at the switch level using the same
switch-management tools used to run the wired network.
Wireless LAN intelligent switches also integrate wireless network management with standard
switch-management tools. The integration of wireless and wired switches within the same
network, or even in the same chassis, allows IT departments to provide the same level of service
to their wired and wireless users.
Management issues also become much simpler as APs become antennas that give wireless users
access to a secure networking environment with the wired network's entire security model in
place (plus any additional security that the administrators choose to apply to wireless
connections). Wireless encryption can then be performed at the wireless LAN switch (rather than
at the APs). Thus, as the encryption algorithms are changed, improved, and updated, it is only
necessary to update the wireless LAN switches without worrying about upgrading or replacing
possibly hundreds of wireless APs.
In a wireless LAN environment, the APs serve as antennas and air monitoring devices that provide
connectivity and network environment information back to the wireless LAN switch.
By moving the intelligence back to the switch, intelligent APs make for far simpler management
and deployment and a much more secure environment. Adding APs to the network no longer
becomes a manageability concern; whether you add 10 or 1000 APs, configuration isn't an
issue because you can easily apply the appropriate policies that configure the wireless APs at the
switch level.
An interesting feature that wireless LAN switches support is the ability to assign different
wireless connection rates to different users. Users who do basic office automation might only
access through 11Mbps connection speeds, while a user attending an online demo might be given
54Mbps. Multi-layer intelligent switches can make decisions based on applications, so these
connection speeds can be determined and assigned automatically. Obviously, the maximum
connection speed is dependent upon the actual wireless networking standards implemented
(802.11a, 802.11b, 802.11g). This functionality helps with the lowest common denominator
issue that plagues wireless networks: the entire wireless network ends up slowing to the speed
of the slowest device connected via the AP.
All of these features will make wireless networking a more practical and acceptable alternative.
For business units that can make do with the overall performance limitations that wireless
networks currently have, users who do not need high-bandwidth connections can be set up with
wireless network access. Entire departments that perform low-bandwidth tasks, such as data
entry, will no longer need an expensive cable plant to provide secure connectivity. Deploying
shared devices, such as network printers, will lose any physical connectivity requirements; the
printer can be placed anywhere in range of an AP that has an electrical outlet. Less complexity in
managing, deploying, and maintaining your wireless networks means less strain on IT resources
and a strong ROI for wireless LAN switches.
Wireless LAN switches are appropriate for deployment in both wiring closet and data center network
architecture models.
With secure wireless LAN switching in place, the potential for wireless VoIP becomes apparent.
Currently, wireless VoIP is used primarily in niche vertical markets, such as the healthcare
industry, in which wireless handheld devices can be extended by adding VoIP capabilities. The
ability of a multi-layered switch to examine the traffic that is contained within each packet
makes it easier to address wireless VoIP concerns. The future for wireless VoIP, however, isn't
limited to handheld devices. Mobile telephony providers are looking towards wireless VoIP as a
method to allow seamless mobility for cellular users between their wide-area cellular networks
and the user's corporate VoIP network.
Intelligent switching is critical in making this transition because the security and authentication
mechanisms native to the intelligent switch architecture are a requirement for the successful
implementation of wireless VoIP. Security and authentication can be maintained for every
wireless user and device, giving different capabilities to users based on device, location, and
other parameters, anywhere within the user's network enterprise.
Chapter 4
ROI/Convergence
The utilization of intelligent switches makes the existing network infrastructure significantly
more efficient. Thus, the incremental costs associated with a migration to GbE intelligent
switches can be quickly recovered even as the network begins moving the client infrastructure to
GbE and before the cost savings can be derived from the GbE infrastructure.
Intelligent switches provide detailed information to network administrators about the traffic
passing through their networks and allow decisions to be made about routing, prioritizing, access
control, bandwidth allocation, QoS, high availability, security, VoIP, and more. In addition, none
of these decisions need be static. For example, quality-management tools provide choices that
can be conditional based on such factors as time of day, network load, load balancing, and
destination addresses, whichever features the administrator feels are appropriate for the
networking environment, in order to deliver an integrated data transmission model with voice,
data, and video optimized for real-time business communications.
Intelligent switching makes it possible to support all of the previously mentioned technologies on
a single, unified, networking infrastructure. The result is a converged networking infrastructure
with fully implemented support for voice, video, wireless, and data networking within that single
integrated infrastructure. This converged network can result in not only an improved ROI on
dollars spent on the networking infrastructure but also a better bottom line due to a more efficient
IT infrastructure.
In either case, the ports that are connected to client computers and servers will need to be
replaced because they are probably attached to older technology hubs, routers, and switches.
After the intelligent switches are implemented, it is not a requirement that any other network
components be upgraded. Replacing the connection equipment in the data center and/or wiring
closets with GbE intelligent switches will be completely transparent to users.
With no other changes to the network, significant capabilities to traffic management and
bandwidth control functions will be added. In addition, the following security benefits will result
from the new switching architecture:
• DoS protection: Well-known DoS attacks will be trapped at the switch level and not
allowed to disrupt users on the network.
All of these features make use of functionality that is built-in to the switches. Existing security
protections are further enhanced by making use of the security functions of the switched
infrastructure.
Traffic-management functionality within the switches provides more efficient use of the existing
network bandwidth with features such as bandwidth management and rate limiting. For example,
users who are surfing the Web will have less bandwidth than users who are performing internal
database queries. Management tools enable administrators to configure such features to have
dynamic behavior, changing as the network conditions change.
Traffic-redirection capabilities enable specific application traffic to be routed directly to the
servers running the applications. In most cases, these capabilities are used to share Web servers
that are high-traffic sites so that the traffic generated by the Web site doesn't slow the
performance of the local network. Depending upon the capabilities of the multi-layer switch,
administrators could also add firewall, VPN, network load-balancing, application load-balancing,
server load-balancing, and a wealth of other features.
As mentioned earlier, stacking the switches achieves resiliency and adds a measure of high
availability to the network infrastructure. Don't confuse resiliency with redundancy. In a
redundant environment, there is backup hardware that duplicates the primary hardware and is
available in case of a catastrophic failure. The goal of a resilient network infrastructure is to have
a network that maximizes uptime without requiring that every piece of critical equipment be
duplicated.
Once Layer 4 switching is implemented, switch intelligence has the ability to load-balance
applications and traffic across multiple servers and monitor and health-check applications. The
switching architecture is now working in a way that improves network and application
availability without the need to invest in specific high-availability solutions. Once again, if you
already have an investment in high-availability devices, the switched architecture will enhance
the reliability and availability of those devices.
Resilient hardware can be made up of redundant components. A complete set of duplicate intelligent
switches would provide complete redundancy. When you are focused on resiliency, you would want
certain functions of your core switches to be redundant, such as chassis with dual hot-swappable
power supplies and support for hot-swappable switch blades. This minimal redundancy improves the
resiliency of the network infrastructure without requiring the expense of duplicate hardware, yet it still
provides the additional reliability that characterizes a high-availability working environment.
Stacked switches can also be considered hot-swappable in the sense that additional ports (or
replacement ports) can be added without bringing down the network. In the event of a switch
failure, a newly added switch can obtain the configuration information of the switch it needs to
replace from the server, then be placed in the existing stack where the logical architecture of the
stack will be rebuilt automatically without affecting the stack's normal operation.
Managing the stack is also simplified by the fact that there is a single IP address for the entire
stack (in-band management) and all of the switches in the stack are treated as if they are a single
switch. Management instructions are passed to the top of the stack and redistributed through the
stacked switches without direct action by the systems administrator.
In Figure 4.4, each switch has twelve 10/100/1000Mb Ethernet ports that support copper or fiber
connections. These connections can be routed to individual clients or servers. Each switch in this
diagram has high-speed expansion ports that allow the switches to be daisy-chained together
(that is, stacked). The top switch is then connected via the high-performance uplink interface to
the bottom switch, completing a connection loop that allows redundancy and reliability
improvements.
Upgrading your backbone to 10GbE will provide significantly more bandwidth to play with on
the network; however, to fully realize the benefits of this increased bandwidth, the clients need to
be upgraded. As discussed in Chapter 2, adding GbE client NICs is a small incremental cost over
10/100 NICs and most desktop computer vendors are moving towards making GbE connectivity
standard in their line of computers targeted directly at business consumers. To maximize the
benefits of intelligent switching, an end-to-end implementation is required.
While researching intelligent multi-layer switches, you will often run into the term switch fabric. The
switch fabric is the software and hardware combination that handles the data traffic that moves into a
switch node by moving it to the correct outgoing port. There are multiple switch units (the actual
integrated circuitry that handles the data manipulation) in a switch fabric and software that controls
the switching paths.
An example of a switch fabric is the Broadcom StrataXGS BCM5670. The 5670 is an 8-port, non-blocking,
160Gbps switch fabric that supports eight high-speed ports. This fabric would be combined
with other hardware and software to build an actual intelligent switch. The switch would then be part
of a chassis or a standalone switching product with or without stacking capability.
Fortunately, the switches will support legacy Ethernet architectures, not just GbE. While the
performance benefits of GbE won't be realized by legacy clients, the other benefits of the switch
are available. Because the switch is intelligent, there is an awareness of whether a port is running
with sufficient bandwidth to service the requests that the attached computer is making for
network resources.
Figure 4.5 shows a good example of a stackable switch. The Nortel BayStack 5510 family of
switches offers 24 or 48 10/100/1000Mbps ports for desktop switching and provides high-density
wiring closet connectivity to GbE desktops. The user can stack as many as eight discrete
switches and a maximum of 384 ports in a single stack.
Figure 4.5: The Nortel BayStack 5510 stackable Layer 3 switch uses the Broadcom StrataXGS switch fabric.
Using technology based on the Broadcom StrataXGS BCM5670 switch fabric, the BayStack
5510 not only offers a wealth of GbE client ports but also a 40Gbps full-duplex stacking
architecture on each switch. This means that each switch can be communicating with other
adjacent switches in the stack at 40Gbps, simultaneously transmitting and receiving data at that
speed, for a total of 80Gbps stacking bandwidth per switch or 640Gbps total bandwidth for a
fully configured eight-switch stack. These are meaningful numbers considering that the Layer 3
routing for that switch is performed at wire speed.
The block diagram in Figure 4.4 and the example in Figure 4.5 demonstrate discrete switching
hardware products. You are just as likely to encounter chassis-mounted products, especially
given the port densities allowed by the Broadcom switching fabric products. Chassis blades with
48 ports are possible (see Figure 4.6), giving very high densities with multiple switch blades in a
single chassis. Data center switch installations can benefit from these high-density switches.
The IBM eServer pictured in Figure 4.6 combines both blade servers and blade switches to
provide a compact and powerful networking host for your data center. These chassis offer both
resiliency and the necessary redundant components to keep networks up and running with
availability.
The blade model also offers easier scalability than the stacking model. With hot-swappable
blades, it is only necessary to add another blade to the chassis to expand network resources.
There is no need to connect a separate stacking connection and there is no need to find the space
to put another stackable switch or another power outlet. Simply insert the new blade in the
chassis and configure it as required. There is also greater flexibility with the chassis model if a
Layer 3 intelligent switch or a full-blown Layer 7 switch need be added. The functionality can be
added while obtaining the redundancy and resiliency that the chassis provides.
Many corporate networking environments are already built around rack-mounted servers in the
data center. Consolidating server and multi-layer switches into the same chassis will, according
to an IDC estimate, show a reduction in the cost of ownership of 48 percent over 3 years. IBM
has gone a step further, including a Layer 2 through 7 switch with all of the performance and
configuration potential that the added switch intelligence offers. The IDC report claims that such
an environment will realize a total reduction in the cost of ownership of 65 percent over 3 years.
Summary
Intelligent switching is the core technology to enable next-generation networking. It is the
enabling technology that will allow dynamic networks to support fully implemented and reliable
wireless networking, security, VoIP, video-on-demand, Web services, and many of the next-generation
technologies that will provide a competitive business advantage for the network users.
It is important to consider that one of the major intangible benefits of a well-designed intelligent
switching architecture is an improved user experience. Better response time for network
applications, fewer network slowdowns for general use, and the availability of networking
resources for users who need those resources when they need them all contribute to this
improvement.
Decisions made about the design of your networking infrastructure will have long-term effects
that can disrupt or enhance the future growth of your business. Dollars spent on IT infrastructure
investments today should be as future-proof as possible, and intelligent switches are the place to
start.
Intelligent switching is one of the few technologies applicable to future networking
improvements that brings immediate tangible benefits to an existing network infrastructure and is
the key starting point for networking professionals looking to improve their corporate network
environments. It is the logical place to start to build a high-reliability, high-availability
networking infrastructure that will allow your business to grow as necessary and offer the
functionality to allow IT administrators to add the latest state-of-the-art technologies to enhance
their line-of-business applications.
Given the cost of defending your networks from external and internal threats, such as DoS
attacks, widespread virus propagation, and unauthorized internal user access, the incremental
costs of moving to intelligent switching could be justified on that one feature set alone.
High-performance intelligent switches such as those from Broadcom are capable of maintaining
wire-speed performance regardless of the additional tasks that the switch is accomplishing. Thus,
adding critical features such as content filtering and spam blocking can be done without
impacting the end-user experience.
Stack switches enable administrators to add capacity as necessary without additional
management headaches because the unified switch management application is as simple to use
with one switch as it is with a full stack. Thus, adding capacity doesn't mean that you need to
add staff to support the growing network infrastructure. This realization helps to simplify your
overall management structure and expand your network infrastructure without spending money
on staffing. Broadcom is dedicated to building high-performance, high-availability, scalable,
robust networking infrastructures that are cost effective and provide the IT professional with the
best tools for the job.
Broadcom, the pulse logo, Connecting everything, the Connecting everything logo, and
StrataXGS are trademarks of Broadcom Corporation and/or its affiliates in the United States and
certain other countries. Windows and NetMeeting are trademarks of Microsoft Corporation.
BayStack is a trademark of Nortel Networks. eServer is a trademark of International Business
Machines Corporation. All other trademarks or trade names are the property of their respective
owners.
Chapter 5
Server Technologies
Servers have evolved over the past two decades from those that offer the simple file and print
services available in the early generations of PC networking to the complex multiprocessor
boxes that are so common today. But it's not just the hardware that has changed; the evolution of
servers has spawned specific server technologies designed to fill specific environmental niches.
Let's take a look at the server landscape of today.
File and Print Servers
Much like the early days of network file serving, today's file and print servers fill almost exactly
the same role. However, the technology of the multipurpose file and print server these days tends
to be relegated to either very small organizations or to small departments in larger organizations.
In either case, the basic file and print server is being supplanted by network devices that fill those
same roles but don't require a full-blown dedicated server. Print services can easily be handled
by dedicated print server devices, which work as Plug-and-Play (PnP) network devices to which
any printer may be attached, and rarely cost more than $200. Storage can be handled by
dedicated network attached storage, which supports access controls that the client PCs
understand and work in a PnP fashion to attach to a network. Dedicated computers acting as file
and print servers are relics of the early days of computer networking. Each organization needs to
evaluate whether it wants to use file servers as print servers.
Database Servers
If there was ever a business need that drove server technologies forward it was the need for a
database server. Dedicated boxes that run everything from small local database applications to
large corporate enterprise applications that were once the domain of big iron mainframes,
database servers are usually the point at which the cutting edge of server hardware technology
meets the realities of the business process. In this space, large multiprocessor boxes with
gigabytes of memory and direct channel access to fast storage are the bread and butter of the
corporate computing world.
Application Servers
Plenty of business applications are best served by dedicated hardware. These application servers
have a broad range of requirements that depend on their specific role and can range from
enterprise resource planning (ERP) to customer relationship management (CRM) to custom-developed
in-house applications. These critical, line-of-business (LOB) applications are
sufficiently important to have their own hardware dedicated to them, and the expense of the
dedicated hardware is no longer a barrier to the adoption of these application software
technologies. Some application servers, such as fax servers, combine both server and client
software plus a dedicated hardware component installed in the server itself.
Email Servers
Fitting in the space right between database servers and application servers, email servers share
the attributes of both. Running a dedicated email application such as Microsoft Exchange Server
in a large corporate environment requires the processing power usually associated with database
servers, yet they also fit the application server model, as email is probably the most common
business application that gets dedicated servers.
Storage Servers
One of the newest dedicated server technologies, the storage server, such as Microsoft's
Windows Storage Server 2003, provides the manageability of the network operating system
(OS) as well as the ability to handle the concatenation of multiple external storage devices by
using technologies such as iSCSI. This advance brings the type of storage environment formerly
found only in dedicated Fibre Channel SAN environments to any IP-based network. This
development gives businesses the ability to add the advantages of dedicated storage networking
without the expense and aggravation of needing to add a second, parallel, dedicated storage
network. GbE and its support for technologies such as TCP/IP Offload Engine (TOE) and
Remote Direct Memory Access (RDMA; both TOE and RDMA were described in detail in
earlier chapters), will make IP-based storage networking a common application found in
corporate networks.
Web Servers
Web servers, while once thought of as just server applications, have evolved enough to even
have dedicated OSs. Although many Web farms run on versions of UNIX or Linux OSs,
even Microsoft sees the needs of the Web server OS as being different from the company's
general-purpose OSs, shipping a product called Windows Server 2003, Web Edition. A
dedicated Web server will usually be running a stripped-down version of the selected OS, with
hardware focused on supplying data or serving Web requests as quickly as possible. Usually, if
the task runs beyond serving Web pages, the Web servers, as Figure 5.1 shows, will be sitting in
front of a bank of dedicated servers that offer the actual back-end processing necessary for the
business purposes of the front-end Web farm.
Figure 5.1: In a Web farm scenario, the traffic from the Internet is routed to one or more Web servers, which
themselves connect to multiple back-end servers that offer the appropriate response to the Web request.
Blade Servers
The other server types we've discussed so far are differentiated primarily by software, but blade
servers represent a specific hardware technology. These servers pack multiple individual servers
on blades within a single chassis. They offer advantages to any server room that requires many
servers, a certain amount of interchangeability with the hardware, and simplified management
and architectural considerations. Server virtualization, partitioning, and other cutting-edge
technologies are well served by the blade server model. However, the hardware technologies that
can be applied to blade servers have specific criteria that might not need to be addressed in more
traditional server hardware. As a result, the selection of blade servers requires an even greater
amount of attention than that paid to the purchasing decisions used for normal server boxes.
The average network will include multiple types of servers. Even a small business environment is
likely to have file and print servers and email servers. Large corporate environments will include many
or all of the types of servers described; multiples of each server type; and infrastructure, such as
clustering and grid computing, that make use of special types of server technologies.
Servers are where most of the newest computing technology undergoes its baptism of fire. Some
dedicated client PC applications really tax the system hardware (for example, video subsystems
on desktop computers), but the toughest test of any technology will usually be in the server
environment.
A look at the processes on a desktop computer will show you that, even on a heavily used
system, the CPU is sitting idle most of the time. In a server, that just isn't the case; there is
always some task that needs attention, from serving direct requests to system housekeeping
demands. In a perfect world, all software is well written and works cooperatively to maximize
the performance of the computer on which it is running; in the real world, that just isn't the case.
Software designers, even for server applications, often write their programs as if their software is
the only thing running on the computer. As this is rarely the case, you end up with a situation in
which the hardware needs to make up for the software's deficiencies. Thus, the server hardware
needs to be up to the task; it needs to be able to run efficiently when pushed to the limit of the
hardware's capabilities.
By overall performance, we are referring not just to the speed of the hardware components but
also to the entire list of critical evaluation points required by IT professionals: performance,
reliability, availability, serviceability, scalability, and security. Let's define each of these terms
for the purposes of this publication:
• Reliability: Reliability describes not only the reliance that can be placed on the server
but also the expectation that the hardware is suitable to task; that it can be counted on to
run the necessary business applications.
• Availability: Availability refers to how much downtime can be expected with any given
configuration. The target of many high-end systems is often referred to as five 9s of
availability or 99.999% up time. But every extra 9 past that first one increases the cost of
the server. IT managers need to understand the technologies to get the greatest number of
9s without spending their dollars in the wrong places.
• Security: These days, it might have been best to put security as the first priority for any
technology decision. With servers, we are talking not just about the security options
offered by the OS but also the security offered by the hardware, which ranges from the
password-protected BIOS to chip-level antivirus scanning and protection.
It is also important to note that these six measures of suitability to task for server computing are
not separate and discrete components. Every component of the server system, from the basic core
logic to the application software running on the selected OS, should be subject to an evaluation
based on these six criteria.
The explicit combination of software and hardware features chosen by the IT manager will have
a direct impact on which of these criteria is most important. The IT manager should weigh these
criteria based on the business needs the server will be addressing, and understand the tradeoffs
that need to be made in terms of cost versus capability. Based on this evaluation, the IT manager
can then spend his or her money where it will do the most good.
Understanding Performance-Oriented Technologies
There are many technologies that combine to offer the performance and reliability that users
demand in their server products. From the core I/O logic of the computer to the network
connections, each component within the server system plays its own role in providing the user
experience demanded by IT departments.
Remember that desktop computers and servers are designed with different duty cycles in mind.
Although desktop computers have often been used in the server role with success, a desktop
computer is designed with the expectation that it will not be stressed in a 24 x 7 role. Servers are
designed to operate with the stresses and duty cycles expected in a high-usage role and still provide
high availability.
Figure 5.2: The relationship of the North and South Bridges to CPU, memory, and I/O subsystems.
Storage
The internal storage subsystems of the computer will always play an important role in overall
server performance. Despite the movement of network storage to external devices and storage
networking, a server loads its OSs from local storage and is required to use that same storage for
the operation of the OSs: swapping data from memory to disk, memory virtualization, page files,
and so on. There are a variety of common storage technologies found in server hardware:
IDE/ATA, SATA, SCSI, and Serial Attached SCSI.
IDE/ATA
IDE, or integrated drive electronics, makes use of the advanced technology attachment (ATA)
implementation that places the drive controller electronics on the drive itself. ATA has gone
through no less than seven revisions over its life cycle with ATA/133 being the current high-performance
version of the specification. Despite the high speed of the data transfers, ATA
drives are suitable only for low-end servers as a result of the limitations of the technology that
limit cable lengths, number of drives, and overall throughput. This technology is now often
referred to as Parallel ATA so as to avoid confusion with the newer and faster SATA technology.
SATA
SATA offers faster data transfer rates (150MBps in its initial implementation, 300MBps for the
second generation), lower voltage requirements, and thinner cables requiring fewer connections
(just two data channels, allowing a 3-meter long thin cable rather than the flat 40/80-wire, 18-inch
ribbon cables used by Parallel ATA). Rather than the master/slave configuration of two drives on
each cable for Parallel ATA, SATA treats each of the two drives on the cable as if each were the
master drive on its own port. Although Parallel ATA was evolved for desktop computers, SATA
was designed to be used in entry-level servers offering a low-cost, high-performance storage
solution for entry-level and non-mission-critical servers.
SCSI
SCSI, or small computer systems interface, is a parallel interface standard that has gone through
almost a dozen iterations and currently supports speeds as fast as 320MBps in its fastest
incarnation. It is the standard drive interface for high-performance computing both in
workstations and servers. SCSI devices do not have the two device maximum limitation that
ATA and SATA devices share, supporting as many as 15 devices per channel, and the maximum
cable length is measured in meters, not inches. SCSI devices are able to process instructions in
parallel, meaning that greater throughput is possible than in ATA devices that must process a
single instruction at a time. The peak performance of SCSI devices is critical for applications
such as heavily used databases, streaming audio and video, and any other bandwidth-intensive
application that draws directly from disk storage. The instruction processing capability of SCSI
means that OSs that offer full SCSI support will run faster on SCSI drives than on ATA drives
rated for equivalent performance. The only downside to SCSI is that SCSI drives command
a premium price over ATA drives and, at this time, ATA drives offer higher capacities (which
results in a lower cost per megabyte).
Serial Attached SCSI
Serial attached SCSI is a full, dual-ported implementation that supports a maximum of 4032
devices at speeds as fast as 3Gbps. Rather than the shared-loop technology used by standard
SCSI, serial attached SCSI uses dedicated point-to-point connections for each device. Serial
attached SCSI was designed to support three distinct protocols: the Serial Management Protocol,
used to manage the point-to-point connections; the Serial SCSI Protocol, used to leverage
existing SCSI devices; and, most important, the Serial ATA Tunneling Protocol, which allows a
seamless interface between Serial ATA and serial attached SCSI technologies. Both technologies
use the same connector configuration, and with the correct electronic support (in the core I/O
logic), offer an upgrade path to users. The goal is to allow SATA drives to be connected to serial
attached SCSI interfaces, providing a lower-cost storage alternative. (SATA drives will attach to
serial attached SCSI connectors; the reverse, however, is not true, with the connector on the
serial attached SCSI drive having an extra hump to prevent its attachment to a SATA connector.
SATA drives, lacking this hump, will still connect to serial attached SCSI connectors.)
RAID
One common server technology that applies to all forms of storage is the Redundant Array of
Inexpensive Disks (RAID). RAID storage is a de facto standard in server implementations. RAID
currently has no less than nine standard levels of implementation:
• RAID 0: RAID 0 is the striping of data across multiple drives, which provides the
highest possible performance but offers no fault tolerance. If one drive in the stripe set
fails, all data is lost.
• RAID 1: RAID 1 is the mirroring of data across pairs of disks. Data is written to both
drives simultaneously. The primary downside is that RAID 1 requires a 100 percent
duplication of disk drives.
• RAID 2: RAID 2 is very rare and involves an ECC striping of data to the drives at the
bit level to improve fault tolerance related to data corruption.
• RAID 3: RAID 3 uses byte-level striping with a dedicated parity disk. Unfortunately,
this configuration is unable to service simultaneous requests, and as such, is rarely used.
• RAID 4: RAID 4 is basically RAID 1 plus a dedicated parity disk. There are
performance advantages to the multiple disk stripe set, but they can be offset by write
bottlenecks on the single parity drive.
• RAID 5: RAID 5 performs striping of data at the byte level and of ECC information
across all the drives in the stripe set, which results in a combination of good performance
with excellent data protection. RAID 5 is the most popular fault-tolerant RAID
implementation.
• RAID 6: RAID 6 performs block-level (as opposed to byte-level) striping of data and
parity information across all the disks in the stripe set.
• RAID 0+1: RAID 0+1 creates a RAID 0 stripe set, then uses a RAID 1 mirror of the
initial stripe set to provide fault tolerance.
• RAID 10: RAID 10 creates a RAID 1 mirror set, then creates a RAID 0 stripe set over
the mirrors.
RAID sets can be created in both hardware and software. For example, Windows Server (all
versions) can perform RAID 0 and RAID 1 functions using the facilities built in to the OS.
However, doing so adds to the OS overhead, as the OS is now responsible for managing the disk
hardware in a way that is much more CPU intensive than just accessing the file system. For this
reason, hardware RAID controllers are the standard for server (and workstations). In this case,
the RAID configuration is handled by the firmware and processing of a dedicated RAID
controller with the OS seeing just a standard, high-performance hard drive. In this way, no
additional overhead is required by the server OS.
79
Chapter 5
GbE
GbE is the current standard version of the Ethernet technology that has existed since the 1970s.
1000Base-T is the standard for GbE over copper wiring (Category 5 Unshielded Twisted Pair).
Chapter 2 provided you with an overview of the current state of the industry for GbE. For the
purposes of this chapter, it is important to consider GbE an enabling technology. The high
performance of GbE (and eventually 10GbE) makes related technologies such as TOE, RDMA,
and iSCSI practical business choices for the IT professional.
TOE
TOEs allow the NIC to handle the processing of the network transport protocol instead of
relying on the OS and the server CPU to perform this work. All transactions with the host
processor are handled at the session layer, which leverages an application's use of large files to
reduce the number of interactions the host CPU needs to have with the data. TOEs can offer
either full or partial offload. The full offload completely removes the responsibility for dealing
with the IP protocol stack and its contents from the host NIC. The partial offload handles the data
transmission/reception information and relies on the host NIC IP stack to handle the
transmission, termination, and error handling for connections.
There are many server applications that are communication-centric, rather than compute-centric,
such as email and Web servers. The tight integration of TOE with GbE and the core chipset
technology allows for significant performance improvements. Especially with GbE, these
communication-focused applications can consume far more CPU cycles than you would
generally think, bottlenecking the server at the CPU; the use of TOE, especially if it is tightly
integrated with the core logic, will prevent the communication aspects of the computer's
application from causing the CPU to be the bottleneck. This doesn't mean that the CPU will
never run out of resources, but with TOE, the cause won't be the creation of the traffic that
comes and goes over the NIC.
As Chapter 2 discussed, industry-standard TOE implementations, such as the Microsoft TCP
Chimney initiative, mean that TOE will be an industry standard that can be used to replace
non-standard proprietary network co-processor technologies. The inclusion of TOE support in core
logic chipsets can only make this standard implementation simpler.
RDMA
RDMA is a technique that allows the data in the memory of one computer to be transmitted to
the memory of another computer without involving the host CPU or host OS on either computer.
RDMA can provide sufficient performance over GbE networks, with sufficiently low latency, to
be suitable for designing cluster applications that formerly required dedicated connections.
RDMA is a more important technology than you might think; the push for grid/utility computing,
and high-performance computing that uses resources spread over multiple computers, means that
the features offered by RDMA are critical to the successful implementation of these
technologies. Using RDMA allows applications to exchange data, bypassing the CPU and the
OS, which, in turn, results in a drastic reduction in latency. Zero-copy receive and transmit
operations write directly into the application's buffers. Doing so relieves the strain on the
server's memory subsystem because the extra data copies that are maintained in more traditional
networking stacks are no longer there.
iSCSI
iSCSI is a standard for using SCSI commands over IP-based networks. By supporting GbE at the
physical layer, iSCSI can be used to build storage networks over standard Ethernet networking.
The OS interaction with iSCSI is basically the same as interacting with local SCSI devices with
the exception that the SCSI commands are transmitted over the GbE connection to the target
device (see Figure 5.3). Although not as fast as a dedicated Fibre Channel storage network, iSCSI
simplifies implementation and adoption by lowering the complexity and cost of storage
networking.
The inclusion of iSCSI support means that users will be able to create storage networks as
necessary, without the need for dedicated networking hardware. iSCSI will allow users to place
storage resources wherever they are needed in a GbE network. The iSCSI support will result in
lower costs for storage networking and greater utilization of existing Ethernet networking.
Figure 5.3: iSCSI storage networking runs on the same network infrastructure as the standard network,
functioning as remote SCSI drives available to any OS that can provide an iSCSI initiator. Applications
running on servers with iSCSI initiators send SCSI commands to the storage servers.
Technology Integration
The future (and present) of servers is the integration of these technologies that improve
performance along with reliability, availability, and serviceability. For example, the integration
of GbE into the server means that the applications that can take advantage of it will naturally
evolve and become more common. A look at the Windows Server 2003 (WS2K3) market in mid-to-late 2004 will show a huge number of iSCSI-based products being released. The adoption of
GbE is rapidly making this technology the standard for Ethernet networking.
As this technology becomes more widely accepted, the next generation of server purchases will
reflect that, meaning that technologies such as GbE and the infrastructure to support high-performance computing will become the standard for networks in the immediate future. Chip
vendors will be providing greater integration in their board-level products and vendors such as
Broadcom, with its large variety of chip and board-level products, will make high-performance
servers cost effective for even the small-to-medium-sized business market, as Table 5.1 shows.
Technology
Benefit
GbE
TOE
iSCSI
RDMA
Clustering support
Which components are found on a motherboard or server blade? Common components found on the
system boards of both servers and desktops include:
CPU and CPU sockets (from one to four on a single motherboard; 8-way systems are a special case)
I/O ports: external and internal
Storage connectors: ATA/SATA/SCSI for both hard drives and CD/DVD drives
Memory sockets
Add-in card slots (PCI, PCI-X, PCI-Express, AGP) or backplane
North Bridge
South Bridge
Battery, BIOS, power supply connector
Technology Convergence
As the marketplace moves forward, many of the technologies that make up a good server won't
just be integrated into the server product; there will be a convergence on Ethernet and
integration with the system core logic that will reduce costs while increasing performance
and tightening the integration of the various subsystems. An example of this technology is the
Broadcom CIOB-E Grand Champion Dual Gigabit Ethernet (Copper)/PCI-X SystemI/O
Bridge.
The Champion I/O Bridge-E (CIOB-E) is an example of the way that Broadcom is integrating
GbE into the core I/O subsystems of a server. Containing dual GbE MAC controllers, dual
physical layer controllers, and a 64-bit PCI-X bus, the CIOB-E ties networking and computing
technologies together and eliminates the need for a discrete GbE interface, reducing the
necessary board real estate and facilitating the use of GbE in space-constrained server systems
such as the current state-of-the-art blade server systems. The CIOB-E was the first integrated
core logic GbE technology to hit the market in late 2002.
The integration of GbE into the core logic also reduces the end-user cost of the servers and aids
in making GbE the networking standard in the corporate environment. An additional benefit is
that the CIOB-E still uses the same software drivers as standalone Broadcom GbE controllers.
This software commonality makes it possible to implement Broadcom GbE technology across
the enterprise, using products such as the add-in boards equipped with the Broadcom Converged
Network Interface Controller (C-NIC) in computers that lack embedded GbE.
GbE is fully backward compatible with the previous 100Base-T Ethernet standard. Thus, there is no
technical issue in adding servers with embedded GbE support to your existing Ethernet networks. No
special accommodations are needed, and when you upgrade your switch infrastructure to GbE, your
servers will be poised for immediate performance gains.
In the blade server environment, this single-chip solution does more than just save space on the
PCB; it also minimizes the complexity of the backplane due to the need for a single set of paths
that make for simpler routing and a reduction in crosstalk. The single switch fabric for these
networking technologies makes development simpler, and the common management capabilities
are supported by all widely used management tools.
Interconnects
Current implementations of core logic have to make choices about the interconnect technologies
they support. There are currently three interconnect technologies commonly found in servers:
HyperTransport, Peripheral Component Interconnect Extended (PCI-X), and PCI-Express.
HyperTransport
Originally proposed by AMD and turned over to the HyperTransport Consortium,
HyperTransport is a direct, high-speed, high-performance, point-to-point link for integrated
circuits. It supports a dual bus with unidirectional point-to-point links operating at a data
throughput speed of as fast as 22.4GBps. This is an aggregate bandwidth and there currently can
be a maximum of three HyperTransport links per system. The link width can be 2, 4, 8, 16, or 32
bits and the bandwidth, in each direction, can range from 100MBps to 11.2GBps. It provides
multiprocessor support and supports both the coherent and non-coherent memory models.
The HyperTransport Release 2.0 specification includes the ability to map PCI, PCI-X, and, new
to this version, PCI-Express, providing broad technology support. Release 2.0 is backward
compatible with HyperTransport Specification 1.x.
PCI-X
Developed jointly by IBM, Hewlett-Packard, and Compaq, PCI-X doubled the data rate of the
PCI bus. The current architecture supports one 64-bit PCI-X slot running at 133MHz with the
rest running at 66MHz allowing for a total aggregate bandwidth of 1.06GBps or exactly double
the 532MBps of the standard PCI bus. The PCI-X bus is backward compatible with the original
PCI bus, but if PCI cards are used, the entire bus slows down to PCI speeds, negating the
advantages of PCI-X. PCI-X does offer fault-tolerance features not found in PCI, allowing the
bus to reinitialize a card or to shut a card down before it fails completely. At this point, PCI-X
can definitely be considered old technology, having been first introduced in 1988.
PCI-Express
PCI-Express is the latest in a series of I/O interconnect standards. The standard more than
doubles the data transfer rate of the original PCI bus. Unlike the single parallel data bus of the
original PCI specification, which was designed for desktop computers, the PCI-Express standard
uses two sets of point-to-point data lanes. In addition, PCI-Express was designed to offer support
to all types of computing environments, from embedded devices to high-end servers.
Early motherboard designs with PCI used the PCI connection to link the North Bridge and the
South Bridge; current implementations use dedicated high-speed interconnects between the two
bridges, which results in much faster communications between the core logic and the peripheral
chipsets. For example, initial implementations of PCI-Express support speeds as fast as
200MBps (PCI offers 133MBps). Because PCI-Express is a point-to-point connection, there is
no bus sharing (as found in PCI); each device gets a dedicated connection. This setup
significantly reduces the chance of contention that causes an overall performance degradation in
the computer.
PCI-Express also includes support for such high-end features as hot swapping/hot plugging,
isochronous data transfer, error handling at the link level, and quality of service policy
management. Multiple virtual channels per physical link are also supported. Because PCI-Express provides software compatibility with PCI, existing OS drivers will still function.
Hardware compatibility is provided by extending the PCI bus slot, adding a connector that sits
behind the PCI slot on the motherboard, so additional hardware is needed for full support, but
legacy devices with drivers for the current OS will function as if the PCI-Express interface was
not there.
CPU Support
In the x86 universe, there are a number of CPU types that need to be supported. These include
the Intel IA-32 and Extended Memory 64-bit Technology (EM64T) architectures, and the AMD
64 architecture as represented by the Athlon and Opteron processors.
IA-32
The term IA-32 is basically interchangeable with the current generation of x86 processors from
both Intel and AMD that have been on the market since the release of Intel's first 32-bit
processor. It defines the 32-bit instruction set used by these families of processors.
The current server class IA-32 CPU from Intel is the Xeon processor. The Xeon processor differs
from the desktop Intel P4 processor primarily in the size of the L1 and L2 cache and support for
multiprocessor systems. Entry-level single processor servers may use P4 processors rather than
Xeon server-class CPUs.
AMD Opteron
The Opteron processor is AMD's eighth generation of x86 CPU and its first generation to
support the AMD 64-bit instruction set, allowing the CPU to access more than 4GB of system
memory. The processor can run both 32-bit and 64-bit applications and suffers no performance
penalty when running 32-bit applications.
Unlike Intel processors, the Opteron contains an integrated DDR SDRAM memory controller, as
Figure 5.4 shows, which negates the need for a North Bridge and significantly reduces the
latency experienced when the CPU accesses memory. This on-chip controller can be disabled to
allow the use of different memory technologies (with a traditional North Bridge), but then the
advantages of the built-in memory controller are lost. Future memory technologies will require
their own specific Opteron releases. In multiprocessor motherboard configurations (as many as
eight processors), inter-processor communication occurs via HyperTransport links.
Figure 5.4: Compared with the architecture that Figure 5.2 shows, the AMD architecture uses the on-CPU
memory controller to bypass the North Bridge and improve the speed of memory access and overall system
performance.
HyperThreading is a multithreading technology supported by Intel that allows OSs that support
multiprocessing to treat a single Xeon or P4 CPU as if it were a dual-processor computer. This
functionality is found only in the more recent iterations of Intel Xeon and P4 processors. At this point,
AMD is just beginning to release a dual-core version of the Opteron Server CPUs, which also appear
to the OS as two independent CPUs. The Intel HyperThreading technology is available in both client
and server CPU products. Currently, AMD is offering this capability only in its Opteron line of server
CPUs.
EM64T
EM64T is Intel's extended-architecture 64-bit implementation of the AMD 64 architecture (it
could be said that Intel CPUs that support this technology are AMD compatible). Although the
initial release is not identical in function to the AMD 64, future versions are expected to be 100
percent compatible. Microsoft Windows XP for 64-bit computing will run on either the Intel or
AMD 64-bit extension technologies to the x86 architecture.
Complete details about the Microsoft Windows XP 64-bit Edition can be found at
http://www.microsoft.com/windowsxp/64bit/default.mspx.
What about IA-64 and the Itanium processor? IA-64 is Intel's 64-bit CPU architecture that was
introduced with the Itanium processor. IA-64 CPUs do not directly execute x86 code; instead they
virtualize the x86 instruction set, resulting in a significant performance penalty when compared with
execution of native IA-64 code. The chipset technologies discussed herein apply only to x86
architecture CPUs. The future development of the IA-64 processor family will determine the
availability of non-Intel core logic components for system board design.
Determine the role of the server within the network. Different roles will require you to apply different
weights to the server selection criteria.
Determine the minimal requirements for the server in the needed role. Calculate processor, memory,
and storage needs based on the role and/or applications that the server will be using.
Determine the networking requirements of the server. Will it need a single NIC or multiple NICs? At
this point in time, select only servers with support for GbE. There is little cost difference, and it will
work in existing 100Base-T networks.
Determine where the server bottlenecks are likely to occur. Will the server likely be I/O bound?
Network bound? CPU bound? Size the server accordingly and select components that will minimize
the chances of server bottlenecks.
Will storage be local or remote? If local, what type of hard disk support is appropriate for the server?
If remote, will iSCSI be required or be a future-growth path?
Does the server role require specialized server technologies such as blade servers or utility
computing? If so, determine what the requirements are for the device application.
Don't neglect the manageability aspects of the server choice. Does the server need to integrate with
an existing network management tool? If so, make sure adequate support is available on your
selected hardware.
Are there specific availability requirements for the server? Consider the advantages of products that
combine functions in terms of performance and reliability.
Does your selected hardware have a sufficient degree of future-proofing? If you have maxed out
your selected server platform, you run the risk of having it become obsolete immediately upon
installation. Make sure that your choices have overhead to support your planned (or unplanned)
growth.
Summary
All of the technologies discussed in this chapter are being integrated into current and
future-generation network server and high-performance networking products. It is no longer just a case
of searching out the fastest CPU and expecting that to overcome any other deficiencies in the
products; server core logic is a much more critical component of next-generation server design.
Selecting your next server platform is not a trivial task. The expense of setting up new servers
and allowing for network growth that can accommodate business growth can seem to require a
bit of magic at times. Understanding the technologies that are being deployed and advanced
with the next generation of products is an important part of the evaluation process that your
server purchases need to go through.
It's no longer enough to commit to a vendor because the vendor offers you the best price on its
current technology; finding yourself in rip-and-replace mode is something that no IT
professional desires, and a detailed understanding of the technology you are purchasing
(especially if it is something that might have already been pushed into the mundane category, such
as servers) can only help you make better choices for your next selection. The technology is
constantly changing and you don't want to be caught off guard.
Broadcom has taken the leading edge in designing and creating the next-generation products and
has taken the industry lead in engineering the cutting-edge technologies that leverage standards
and provide optimal performance. Its products are CPU-agnostic with support for AMD and Intel
server CPUs along with support for the three major interconnect technologies currently available.
Broadcom is also the leader in the convergence space, building more functionality into the
critical components that are the building blocks of your next server purchase. These investments
in convergence technologies bring the user increased reliability, improved efficiency, and a
higher return on investment for products that make use of these technologies. Because of its
broad product portfolio and exposure to a wide variety of markets, Broadcom is driving the
convergence of voice, video, and data services over both wired and wireless networks. The
company is integrating its broad range of networking and communications innovations into next-generation products that bring breakthrough technologies to a much broader audience. The
company continues to create solutions that make next-generation networking affordable for even
midsized businesses, making the latest in technology available to a larger marketplace.
Broadcom, the pulse logo, Connecting everything, the Connecting everything logo,
ServerWorks, NetXtreme, Champion, Grand Champion, and SystemI/O are trademarks of
Broadcom Corporation and/or its affiliates in the United States and certain other countries. Intel,
Intel Xeon, and Itanium are trademarks of Intel Corporation. UNIX is a trademark of Unix System
Laboratories, Inc. Linux is a trademark of Linus Torvalds. Chipkill is a trademark of International
Business Machines, Inc. InfiniBand is a trademark of InfiniBand Trade Association Corporation. PCI
Express and PCI-X are trademarks of PCI-SIG. HyperTransport, AMD 64, Athlon, and
Opteron are trademarks of Advanced Micro Devices, Inc. Microsoft, Windows, and Windows
XP are trademarks of Microsoft Corporation. Any other trademarks or trade names mentioned are
the property of their respective owners.
90
Chapter 6
User/client issues: Consider the nature of how all of the client computers access the
network. It's no longer the simple matter of wired network clients; there will be wireless
access, remote access (via VPN or Internet access), and the occasional visitor to the
business who needs access to network resources. Additionally, consider the fact that
networks on the other side of the remote access connection may not, of themselves, be
secure.
VoIP and wireless capabilities and their associated applications: Although the issues
regarding securing wireless networks are well documented (and will be addressed later in
this chapter), adding VoIP capabilities to your networking infrastructure brings its own
set of security complications. Additionally, applications that make use of wireless
networking and VoIP may require specific configurations for your security model
(control over specific IP ports, and so on) in order to operate correctly.
Management issues: As additional clients and devices are added to the network, security
management becomes more complex. Complexity increases the cost of providing security
and demonstrates the need for centralized management (of devices and security) to
reduce expenses.
Compliance issues: It is basically impossible these days to build any sort of network and
not have some concern about government regulations. Such compliance could range from
a completely Federal Information Processing Standards (FIPS)-compliant security model
to minimal protection that incorporates government-approved encryption standards such
as AES or 3DES. There might also be other regulatory standards that affect the security
of information on the network, such as the Health Insurance Portability and
Accountability Act (HIPAA) of 1996, the Sarbanes-Oxley Act of 2002, SEC Rule 17-4a,
or any industry-specific requirements that will need to be addressed.
These edge security devices can range from hardware appliances that are specifically designed to
perform tasks such as providing a firewall, content filtering, spam and virus suppression, or any
operation that should be performed on traffic before it enters the network perimeter. Software is
also available to provide these same services, ranging from comprehensive products, such as
Microsoft's ISA Server, which combines different tasks on the same hardware, to single-solution
products, such as Check Point's firewall software. Although combination devices (those
that combine different types of security products) are often used, there are still many solutions
best served by dedicated devices, such as the VPN server that Figure 6.2 shows. By not using
combination devices to provide perimeter security, the network doesn't get locked into a
particular technology offering.
On the macro level, for example, although it might be tempting to roll all of your edge security
into a single device that combines firewall, content filtering, email scanning, IP management,
and so on, the reality is that the technologies advance at their own pace and there is no reason to
be locked into a trailing edge solution because changing a single aspect of your perimeter
security design means ripping it out completely. Dedicated, application-specific appliances (at
the server level) tend to offer the best way to future-proof your network security, upgrading each
technology as necessary without impacting the others.
Figure 6.2: In the traditional remote access scenario, remote users connect to a VPN server that
authenticates by using a RADIUS server.
What we find ourselves with today is a mix of software and hardware components without a
network security model. Although this situation isn't likely to change any time soon, there are
noticeable advantages to hardware-based security over a pure software approach.
It should be noted that we are discussing embedded hardware security, not simply a security
appliance. With an appliance, you basically have a dedicated server device, running an OS, with
an application running on top of the OS that provides the security functionality of the appliance.
With the embedded hardware security model, the secure devices include chip-level security that
is at a level below that of any OS or application. Thus, the security model isn't able to be
compromised by problems or bugs in the application or OS, nor is it susceptible to malicious
attacks focused on the OS that an appliance would run.
Figure 6.3: In the key-based cryptography scenario, all security functions are dependent upon the root key
remaining secure. Because each layer is enclosed within the next layer, only that root failure can easily
compromise the security model.
As Figure 6.4 shows, embedded hardware encryption technology enables you to use a single
security methodology to authenticate all sorts of different network-connected devices ranging
from wireless access points to VoIP phones to desktop computers. All of these devices are the
common everyday components that are found in networks; the embedded hardware security
technology means that the implementation of the key-based cryptographic security model will
guarantee that the devices are what they claim to be, adding security to the network
infrastructure. With a strong embedded security standard in place, it should be possible to mix
and match devices even if the chip-level security is being provided by multiple vendors (or
rather, that there are multiple vendors offering products that implement this technology using
different OEM chip providers).
Figure 6.4: The key management server handles the authentication of the network devices equipped with
embedded hardware security devices.
Figure 6.5: FIM software gives the user access across corporate network boundaries without the need for
creating an account for the same user on each network.
Software identity management, however, doesn't assure the network administrator that the
device being connected is supposed to be allowed access. Simply being able to authenticate the
user of a device doesn't mean that the device is one that should be allowed to access network
resources. Hardware-embedded identity provides advantages that are difficult for software
identity to match. For example, it's much more difficult to spoof hardware identity than software
identity. Also, as hardware identity is included in the production of the network device, it is, in
the long term, cheaper than any software technique.
There are many things at the hardware level that can specifically identify a computer to the network.
The most commonly used item is the media access control (MAC) address of the network interface
card (NIC) in the computer. Because most NICs are embedded these days, the MAC address is a
fairly reliable ID.
The idea of embedded hardware security takes the concept a bit further; not only is there an identity
to the device that is unique, specific to the device, and stored in hardware, but the same chip also
includes part of the security engine that authenticates devices.
This hardening of the actual devices also makes for simplified identity management, allowing a
more mechanized approach to managing the workload of handling domain access, passwords,
and all the security-related actions relative to users and devices.
An inexpensive hardware security module that can be incorporated by OEMs directly into
hardware client devices.
Though the clients require an embedded hardware identity module (which could presumably be
added to a PC via an add-in card so that it is possible to include legacy computers in this security
model, but would need to be designed into most devices), the key management server is a
standard network server that has had a hardware security module (as Figure 6.6 shows) installed
in it.
Although the thought of an add-in card to provide embedded security might seem contradictory, it
actually isn't, for a number of reasons. The first is that the card will primarily be there to provide
authentication to network resources; if the card is removed, there is no authentication. Second, if the
card is providing local authentication, applications at the OS level can be written so that if the card
isn't present, the applications or OS simply will not run. Third, if you don't have physical security for
your desktop computers, you've got problems beyond that which a simple hardware security option
can solve.
The security concerns over an add-in card to provide legacy support are a client-side issue. The
hardware security module that would be installed on the key server is a requirement to allow the
authentication system to run and gives you the ability to use any type of server you have
available as the head-end key server. As mentioned earlier, if you can't provide physical security
for your critical servers, you have more problems than can be solved by computer hardware or
software solutions.
Figure 6.6: A hardware security module PCI card includes the embedded silicon functions necessary to
support key management in the head-end server.
Secure Devices
The concept of securing network attached devices is a simple one; any client on the network is
both a target for attack and a potential vector for infection. Embedded hardware authentication
means that the client device cannot attach to the network without passing through the
authentication process.
In some situations, the value of this type of authentication is quite clear. Consider all of the well-known issues with controlling wireless access and limiting that access only to approved client
devices. In terms of current security, the administrator might be required to enter a MAC address
for any client device that is approved for access. With hundreds of wireless devices, this task is
not simple. An issue also arises if a device needs to have limits placed on its access to the
network or if its access privileges need to be revoked. In addition, and especially in the case of
wireless networking, the MAC address may not actually refer to the computing device attached
to the network but only to a notebook computer with a wireless adapter in a PC Card slot or a
USB connected wireless adapter attached to any supported device.
Trusted client identification means that with embedded hardware identification in that notebook,
you know that not only is the connection allowed, but the device on the other end of that
connection is also trusted. The embedded authentication hardware offers not only a higher degree
of trust (when compared with a software solution) but also a significantly greater degree of
tamper resistance than a software solution. It is far more difficult to mess with the silicon
embedded on a circuit board in the hardware than to crack a software authentication scheme.
The BroadSAFE technology is not limited to use with Broadcom technologies; it uses security
functionality that is compatible with industry standards such as those created by the Trusted
Computing Group and Microsoft's Next Generation Secure Computing Base (a PC specification
that is compatible with current PC implementations but offers enhanced security and privacy
features).
Who You Are vs. Who You Say You Are
The point of the BroadSAFE system is to provide a strong cryptographic authentication system
that lets your security system determine not just who you say you are but who you really
are for every device on your network with embedded hardware security. This distinction is one
that is often overlooked in today's security models.
In the BroadSAFE model, none of the security management messaging is sent in the clear (see
Figure 6.7). All communications between client devices with hardware security and the head-end
server with the hardware security module (HSM) are carried over encrypted links. Nothing ever
leaves the tamper-resistant hardware in clear text.
Figure 6.7: The Key Management Server maintains an encrypted link to devices with hardware security via
the HSM in the server.
BroadSAFE includes support for Automatic Device Enrollment. This functionality reduces the
need for IT staff involvement in the deployment and management of trusted clients such as VoIP
phones, network switches and desktop computers. This feature saves administrators the time
involved in identifying new devices to the network; it does not prevent them from controlling the
authentication of these devices. The key functionality enabled in the BroadSAFE devices is also
available for use in cryptographic acceleration such as Public Key and Symmetric Key
Acceleration.
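To make the difference between a MAC-address allow list and a hardware-held identity concrete, here is a small added example that models the enrollment-and-challenge flow described in the Secure Devices section and above. It is not BroadSAFE code and does not describe Broadcom's protocol. The device object stands in for the embedded silicon: it signs a server nonce with an Ed25519 key it never exposes. The key server enrolls new devices automatically but admits only the ones an administrator has approved, so enrollment costs no staff time while control over access stays with IT. The seed, the device-ID scheme and the approve/revoke workflow are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// HardwareIdentity models a factory-installed identity whose private key never
// leaves the silicon: callers get the public key and signatures, nothing else.
type HardwareIdentity struct {
	priv ed25519.PrivateKey
}

// NewHardwareIdentity derives the identity from a 32-byte seed. A real part
// generates and keeps its seed internally; taking it as a parameter keeps the
// example deterministic (assumption for the demo).
func NewHardwareIdentity(seed []byte) *HardwareIdentity {
	return &HardwareIdentity{priv: ed25519.NewKeyFromSeed(seed)}
}

// PublicKey is the only key material that ever leaves the device.
func (h *HardwareIdentity) PublicKey() ed25519.PublicKey {
	return h.priv.Public().(ed25519.PublicKey)
}

// Sign answers a server challenge; only the signature is sent back.
func (h *HardwareIdentity) Sign(challenge []byte) []byte {
	return ed25519.Sign(h.priv, challenge)
}

// DeviceID is a fingerprint of the public key; it is the name the key server
// enrolls, approves, revokes and later authenticates.
func DeviceID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// KeyServer is the head-end. Enrollment is automatic (a new public key is
// recorded the first time it is seen), but access is granted only to devices an
// administrator has approved, so IT keeps control of who gets on.
type KeyServer struct {
	enrolled map[string]ed25519.PublicKey
	approved map[string]bool
}

func NewKeyServer() *KeyServer {
	return &KeyServer{enrolled: map[string]ed25519.PublicKey{}, approved: map[string]bool{}}
}

// Enroll records an identity and returns the ID an administrator can approve.
func (s *KeyServer) Enroll(pub ed25519.PublicKey) string {
	id := DeviceID(pub)
	if _, seen := s.enrolled[id]; !seen {
		s.enrolled[id] = pub
	}
	return id
}

func (s *KeyServer) Approve(id string) { s.approved[id] = true }
func (s *KeyServer) Revoke(id string)  { delete(s.approved, id) }

// Challenge returns a fresh random nonce; every authentication uses a new one,
// so a recorded signature is useless later.
func (s *KeyServer) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Authenticate admits a device only if it is enrolled, approved, and proves
// possession of the private key by signing this server's nonce. Presenting an
// approved ID on its own (the MAC-address style of claim) is not enough.
func (s *KeyServer) Authenticate(id string, nonce, sig []byte) error {
	pub, ok := s.enrolled[id]
	if !ok {
		return errors.New("unknown device")
	}
	if !s.approved[id] {
		return errors.New("device enrolled but not yet approved")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

func main() {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real device")) // constructed
	phone := NewHardwareIdentity(seed[:])
	srv := NewKeyServer()
	id := srv.Enroll(phone.PublicKey())
	nonce, _ := srv.Challenge()
	fmt.Println("before approval:", srv.Authenticate(id, nonce, phone.Sign(nonce)))
	srv.Approve(id)
	fmt.Println("after approval: ", srv.Authenticate(id, nonce, phone.Sign(nonce)))
}
```

The server never sees the private key, and nothing it stores (public keys and an approval flag) would let anyone impersonate an enrolled device, which is what separates this model from a MAC list that any adapter can claim.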
Figure 6.8: In the software-based security model, the client system CPU needs to handle not only the
operation of the computer and its applications but also the encryption/decryption of all network traffic. A
hardware solution offloads the CPU-intensive security encryption and leaves the CPU free to do other tasks,
reducing the impact of the security upon the end-user.
The integration of an embedded hardware system has additional performance advantages that
should be considered. For example, your traditional server-centric network model is unaffected;
there is no requirement for changes to your networking infrastructure beyond adding the key
management capabilities to an existing server (or adding a dedicated key management server
head-end). The hardware security component will not need to have security patches distributed to
it to counter new threats, nor will its management require the installation of additional software.
Securing VoIP Applications
As technology has progressed, it has become an accepted fact that networks are converging. The
most obvious point of convergence is voice/data networking with the inclusion of VoIP
capabilities in most high-end network switches. But simply providing a VoIP architecture is only
part of the story; supporting and securing VoIP brings its own set of problems to the network
administrator.
It's not that adding VoIP to your networking environment brings additional security problems
beyond that of any new application that needs to talk to the outside world; it is just that VoIP has
its own particular areas of vulnerability. These vulnerabilities break down into four areas:
Access control: You want to be sure that only authorized VoIP devices are connected to
your network. As mixed-mode cell phones hit the market (cell phones that operate as
normal cellular phones unless they recognize a wireless network, in which case they do
VoIP), it becomes much more important to only allow authorized VoIP devices to access
your network.
Data control: Your VoIP infrastructure must share the network peacefully with your
data network. QoS controls need to reserve sufficient bandwidth to allow telephony to
operate without impacting the users data communications needs and still permit
acceptable voice quality phone calls.
Eavesdropping: Voice communications are inherently less secure than data communications, and
the potential for eavesdropping on them is far more realistic. This area might
need to be addressed.
Users have an expectation of privacy for voice calls. They expect the same level of
security they get on a plain-old telephone system (POTS) line for calls made through a VoIP
infrastructure.
What the administrator must keep in mind is that all servers, media gateways, gatekeepers, and IP
voice terminals are susceptible to attack. There are a variety of common security threats that the
VoIP network must face; let's take a look at the most common and ways to avoid them.
Figure 6.9 shows a basic network model configured for use with VoIP. The addition of PBX
equipment into the networking mix introduces another point of potential attack on your network
and needs to be considered in your planning for secure networking.
The security problem that users tend to worry most about is packet sniffing or call interception.
The easiest way to resolve this issue is to make sure that all of your telephony devices are on a
secure switched LAN infrastructure to limit the potential for sniffing or interception problems. In
this way, VoIP traffic is always limited to a specific link and not broadcast over the entire
network.
Figure 6.9: Adding VoIP to your existing network infrastructures combines both the advantages and
problems of the Telco network with the data network. Site-to-site telephony need never enter the public
telephone network infrastructure, which provides additional security for intra-corporate phone calls. It does
require a secure link to the Internet or a dedicated mesh topology network connection between sites.
Virus or Trojan Horse applications that are designed to capture or redirect voice traffic are a
potential problem that should be dealt with by your existing antivirus solution. If you are heavily
investing in VoIP, it makes sense to use a gateway appliance (or application) that filters traffic
and watches specifically for virus, Trojan Horse, and malware attacks on your network.
The potential for unauthorized access to your voice network can be greatly limited by using inline intrusion prevention systems and application access controls. If a user doesn't have the right
to make use of the VoIP infrastructure, you should be able to stop the user by using standard
controls for preventing unauthorized access to network resources.
Application-layer attacks on your infrastructure can usually be prevented by keeping your OSs
updated with the latest security fixes. These attacks are generally in the form of exploits against
security flaws in the client OS or common applications that access the Internet. Keeping your
software patched and updated will prevent most of these attacks.
It is extremely important that you keep all applications and OSs patched and updated; this idea
cannot be stressed enough!
The potential of falsifying caller identity, also known as identity spoofing, can be limited by
utilizing software utilities that notify the administrator of unknown devices attaching to the
network. They can also be limited by using personal authentication mechanisms that use
embedded hardware security. Ideally, you want to develop an infrastructure in which unknown
devices attaching to the network get no services provided until the device and/or its user are
authenticated. And, of course, you will want to do so with as little IT staff interaction as possible.
One of the most basic attacks found on telephone networks is toll fraud, with many stories of the
tricks that are used by non-employees to acquire access to lines to make illicit long distance
phone calls. VoIP, although not immune to those attacks, does have the advantage of being able
to use a software gatekeeper that can prevent unauthorized toll calls from being placed.
Network Denial of Service (DoS) attacks are especially nasty if your voice communications are
carried over your data networks, giving the potential for all communications capabilities to be
disrupted by a network DoS attack. As Figure 6.10 illustrates, one of the ways to minimize a
DoS attack is to segregate voice and data traffic on their own network segments.
Although congestion issues at the network switch level would still be a potential issue, network
traffic management applications would also be useful in making sure that network attacks dont
cause problems with your VoIP connectivity. QoS and other technologies go a long way to
making VoIP a practical option in mixed data/voice networking.
Figure 6.10: Using the VLAN capabilities of your network switches to separate the voice and data traffic onto
their own network segments minimizes the chances of both voice and data communication being affected
simultaneously by a DoS attack on your network.
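The effect that Figure 6.10 describes can be simulated. The following is an added example, not from the book and not Broadcom switch firmware: each VLAN gets its own token-bucket meter, a constructed flood is offered on the data VLAN while IP phones keep sending on the voice VLAN, and the same run is repeated on a flat network where all traffic shares one meter of equal total capacity. The VLAN numbers, rates, burst sizes and frame counts are assumed values chosen to make the contrast visible.

```go
package main

import "fmt"

// TokenBucket is the per-segment meter: Allow spends one token per frame and
// Tick refills rate tokens up to the burst size.
type TokenBucket struct {
	tokens, rate, burst int
}

func NewTokenBucket(rate, burst int) *TokenBucket {
	return &TokenBucket{tokens: burst, rate: rate, burst: burst}
}

func (b *TokenBucket) Tick() {
	if b.tokens += b.rate; b.tokens > b.burst {
		b.tokens = b.burst
	}
}

func (b *TokenBucket) Allow() bool {
	if b.tokens == 0 {
		return false
	}
	b.tokens--
	return true
}

// Switch forwards frames through the meter that belongs to their VLAN. With
// segregated=true each VLAN has its own meter (the Figure 6.10 layout); with
// segregated=false every frame shares one meter, the flat-network case.
type Switch struct {
	meters     map[int]*TokenBucket
	shared     *TokenBucket
	segregated bool
}

func NewSwitch(segregated bool, rate, burst int, vlans ...int) *Switch {
	s := &Switch{meters: map[int]*TokenBucket{}, segregated: segregated}
	if segregated {
		for _, v := range vlans {
			s.meters[v] = NewTokenBucket(rate, burst)
		}
		return s
	}
	// The flat network gets the same total capacity, just not partitioned.
	s.shared = NewTokenBucket(rate*len(vlans), burst*len(vlans))
	return s
}

// Tick advances simulated time by refilling every meter.
func (s *Switch) Tick() {
	if !s.segregated {
		s.shared.Tick()
		return
	}
	for _, m := range s.meters {
		m.Tick()
	}
}

// Forward reports whether a frame tagged with vlan is delivered. Frames for a
// VLAN the switch does not carry are dropped outright.
func (s *Switch) Forward(vlan int) bool {
	if !s.segregated {
		return s.shared.Allow()
	}
	m, ok := s.meters[vlan]
	return ok && m.Allow()
}

// Stats counts offered and delivered frames for each traffic class.
type Stats struct {
	VoiceSent, VoiceDelivered, DataSent, DataDelivered int
}

const (
	VoiceVLAN = 10 // assumed VLAN numbers for the example
	DataVLAN  = 20
)

// Simulate replays ticks in which a flood source offers floodPerTick frames on
// the data VLAN and the phones offer voicePerTick frames on the voice VLAN.
// The flood is offered first in each tick, the worst case for the voice traffic.
func Simulate(sw *Switch, ticks, floodPerTick, voicePerTick int) Stats {
	var st Stats
	for i := 0; i < ticks; i++ {
		sw.Tick()
		for j := 0; j < floodPerTick; j++ {
			st.DataSent++
			if sw.Forward(DataVLAN) {
				st.DataDelivered++
			}
		}
		for j := 0; j < voicePerTick; j++ {
			st.VoiceSent++
			if sw.Forward(VoiceVLAN) {
				st.VoiceDelivered++
			}
		}
	}
	return st
}

func main() {
	seg := Simulate(NewSwitch(true, 50, 100, VoiceVLAN, DataVLAN), 10, 1000, 20)
	flat := Simulate(NewSwitch(false, 50, 100, VoiceVLAN, DataVLAN), 10, 1000, 20)
	fmt.Printf("segregated: voice %d/%d delivered, data %d/%d\n", seg.VoiceDelivered, seg.VoiceSent, seg.DataDelivered, seg.DataSent)
	fmt.Printf("flat:       voice %d/%d delivered, data %d/%d\n", flat.VoiceDelivered, flat.VoiceSent, flat.DataDelivered, flat.DataSent)
}
```

With separate meters the flood exhausts only the data VLAN's budget and every voice frame is delivered; with a single shared meter the flood drains the whole budget each tick and the phones get nothing, which is the point of putting voice on its own segment even though the switch's total capacity is unchanged.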
Although not strictly a technical issue, repudiation of a call (denying it was made) is a problem
that can be completely eliminated by making sure that you authenticate users before they access
a telephony device, thereby guaranteeing that a call was made and determining the identity of the
caller. This feature can make tracking the business process simpler, and give the business
manager ideas on how to improve the process workflow. This doesnt necessarily mean that you
will need to log on to your phone before each phone call; it could be something as simple as
entering a passcode into your phone system at the beginning of the business day (or using any
common user authentication mechanism: PIN, password, biometrics, and so on). Or with future
integration, your VoIP phone network can be linked to your data network authentication
mechanisms. Common Telco attacks that rely on fooling the human element of the equation
(known as trust exploits) can be minimized by using a restrictive trust model that links calls to
users (and makes users aware of that link), together with private VLANs to limit trust-based attacks.
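The software gatekeeper that stops unauthorized toll calls and the call-to-user linkage that makes a call non-repudiable can be shown in one piece of logic. The following is an added example, not part of this book and not any Broadcom product: a gatekeeper that refuses all service to a handset with no authenticated user, authorizes each call by class against that user's permissions, and writes a call detail record for every attempt. The dial-plan prefixes and call classes are constructed for the example; how the user authenticates (PIN, password, biometric or the data-network credential) is outside it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// CallClass is the category a dialed number falls into; authorization is
// decided per class.
type CallClass string

const (
	Internal      CallClass = "internal"
	Local         CallClass = "local"
	LongDistance  CallClass = "long-distance"
	International CallClass = "international"
	Premium       CallClass = "premium"
)

// User is an authenticated telephony user and the call classes they may place.
type User struct {
	Name    string
	Allowed map[CallClass]bool
}

// CallRecord is the call detail record. Because it names the authenticated
// user behind every attempt, a completed call cannot later be disowned.
type CallRecord struct {
	When    time.Time
	User    string
	Handset string
	Dialed  string
	Class   CallClass
	Allowed bool
	Reason  string
}

// Gatekeeper decides whether a call may be placed and logs each decision.
type Gatekeeper struct {
	sessions map[string]*User // handset ID -> user authenticated at it
	records  []CallRecord
}

func NewGatekeeper() *Gatekeeper {
	return &Gatekeeper{sessions: map[string]*User{}}
}

// Login binds a user to a handset after they have authenticated; the
// credential check itself is outside this example.
func (g *Gatekeeper) Login(handset string, u *User) { g.sessions[handset] = u }
func (g *Gatekeeper) Logout(handset string)         { delete(g.sessions, handset) }

// Classify maps a dialed string to a call class using a constructed North
// American style dial plan (assumed for the example, no vendor's real plan).
func Classify(dialed string) CallClass {
	d := strings.NewReplacer("-", "", " ", "").Replace(dialed)
	switch {
	case len(d) <= 4:
		return Internal
	case strings.HasPrefix(d, "011"):
		return International
	case strings.HasPrefix(d, "1900"), strings.HasPrefix(d, "1976"):
		return Premium
	case strings.HasPrefix(d, "1"):
		return LongDistance
	default:
		return Local
	}
}

// PlaceCall is the gatekeeper decision: a handset with no authenticated user
// gets no service at all, and every attempt is recorded, permitted or not.
func (g *Gatekeeper) PlaceCall(handset, dialed string) (CallRecord, error) {
	rec := CallRecord{When: time.Now(), Handset: handset, Dialed: dialed, Class: Classify(dialed)}
	u, ok := g.sessions[handset]
	switch {
	case !ok:
		rec.Reason = "no authenticated user at handset"
	case !u.Allowed[rec.Class]:
		rec.User = u.Name
		rec.Reason = fmt.Sprintf("%s is not permitted to place %s calls", u.Name, rec.Class)
	default:
		rec.User, rec.Allowed, rec.Reason = u.Name, true, "permitted"
	}
	g.records = append(g.records, rec)
	if !rec.Allowed {
		return rec, errors.New(rec.Reason)
	}
	return rec, nil
}

// Records returns the CDR log for audit.
func (g *Gatekeeper) Records() []CallRecord { return g.records }

func main() {
	gk := NewGatekeeper()
	gk.Login("phone-17", &User{Name: "alice", Allowed: map[CallClass]bool{Internal: true, Local: true, LongDistance: true}})
	for _, n := range []string{"4321", "1-212-555-0100", "011-44-20-7946-0000"} {
		rec, err := gk.PlaceCall("phone-17", n)
		fmt.Printf("%-20s %-14s allowed=%-5v %v\n", n, rec.Class, rec.Allowed, err)
	}
	_, err := gk.PlaceCall("lobby-phone", "1-900-555-0199")
	fmt.Println("unauthenticated handset:", err)
}
```

Denied attempts are logged as well as permitted ones; a run of premium-rate attempts from an unauthenticated handset is exactly the toll-fraud signal an administrator wants to see in the records.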
In addition to the techniques previously outlined, integration of media encryption into IP
telephones and media gateways is also highly recommended to prevent sniffing/eavesdropping of
voice and signaling packets. Several encryption algorithms such as DES, 3DES, AES, RC4, and
RC5 are commonly used in these devices. Wherever possible, the use of endpoints with hardware
acceleration for these functions is recommended over software implementations.
Moving the device with the embedded hardware authentication technology from location to
location within your network does not add to the administrative workload. There would be no
need, for example, to reconfigure a VLAN when moving a wireless access point; the
authentication of the WAP would not require any user interaction; it would be automated
between the key management server and the endpoint device. Unless other steps were taken, that
WAP would be an authenticated device regardless of where it was attached to the network.
Clearly, this setup presents a huge security problem to the network administrator.
Figure 6.11: The embedded hardware solution to the wireless security problem makes it easier to integrate
wireless networking into your secure computing environment without additional wireless-specific hardware.
Remote Users
One of the biggest concerns IT has is with remote users. This problem has become exacerbated by the
use of wireless networking in the home. The problem is that home users rarely correctly set up security on
their home networks. As a result, when a remote user at home logs on to the corporate network via a
VPN, the user is potentially opening the corporate network to anyone who can find that home user's
wireless network.
Broadcom, which produces more than 70 percent of the chipsets used for wireless networking adapters,
has come up with a solution called SecureEasySetup. SecureEasySetup turns on wireless security by
default, but automates the process to make sure that the end user actually implements wireless security.
The setup wizard asks only two questions of the user, and the answers are used to generate the Wi-Fi
Protected Access (WPA) key. Thus, if the user needs to add devices or reinstall a device, the user only
needs to answer the same two questions with the same two answers rather than remembering a
randomly generated key that the user most likely would have had to write down somewhere (and perhaps
lost).
The setup wizard configures the Service Set Identifier (SSID) and WPA security for both the client and the home
network access point. The wizard uses WPA rather than the less secure WEP security model. WPA is an
interim implementation of the upcoming IEEE 802.11i wireless security model. Forcing the user to
configure the wireless network with security is a solution that can only help prevent unauthorized access
to networks. The method that Broadcom has chosen has little impact on the end user, a key to any
successful security tool.
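The text does not say how the two wizard answers are turned into a key, so the following added example (not Broadcom's SecureEasySetup code) shows the standard WPA-PSK derivation instead: IEEE 802.11i derives the 256-bit pre-shared key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 over 4096 iterations. The practical point for anyone building such a wizard is that the derived key is only as strong as the entropy of what the user supplies, which the second function estimates. PBKDF2 is written out here so the example needs nothing outside Go's standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
)

// pbkdf2SHA1 implements PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF:
// T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_j-1).
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	blocks := (keyLen + sha1.Size - 1) / sha1.Size
	out := make([]byte, 0, blocks*sha1.Size)
	for i := 1; i <= blocks; i++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iterations; n++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WPAPSK derives the 256-bit pairwise master key from an ASCII passphrase and
// the SSID as IEEE 802.11i specifies: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.
// The SSID acts as the salt, so the same passphrase on two networks yields
// two different keys.
func WPAPSK(passphrase, ssid string) string {
	return hex.EncodeToString(pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32))
}

// PassphraseEntropyBits bounds the real strength of the derived key: whatever
// its length, the PSK can be no stronger than the passphrase it came from, so a
// wizard that builds the passphrase from a few answers should measure this.
func PassphraseEntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

func main() {
	// "password"/"IEEE" is the reference vector from IEEE 802.11i Annex H.
	fmt.Println("PSK:", WPAPSK("password", "IEEE"))
	fmt.Printf("8 lowercase letters: %.1f bits of passphrase entropy\n", PassphraseEntropyBits(26, 8))
}
```

The passphrase/SSID pair password/IEEE is the test vector published in the 802.11i specification, which is the easiest way to check a PBKDF2 implementation before trusting it with real keys.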
Summary
With the increasing rate of targeted attacks on corporate networks, it's important for IT
professionals to keep their network infrastructure secure, protecting valuable intellectual
property and sales data while keeping networking uptime to a maximum and minimizing any
potential disruption to ongoing operations. Network security is needed at many layers, and is
complicated by the addition of mobile networking with remote access, WLAN, employee needs,
external contractors, guest visitors and unscrupulous deviant hackers.
Knowing that IT managers need a flexible method of providing individual security policies to
adapt to the ever-changing requirements of enterprise networks, Broadcom is committed to
offering top-notch security without the high price tag normally associated with hardware-based
security solutions. Because of its broad product portfolio, which includes processors, controllers,
switches, storage, VoIP and wireless, the company is one of the few companies that can fulfill
this kind of commitment. Broadcom's market dominance in many of these areas also makes it
possible for the company to drive the acceptance of standards that benefit the secure hardware
user.
As a result of BroadSAFE-enabled client silicon, OEM customers now have the option of
including a factory-installed identity that is stored securely within the device. Once a product has
an identity, a security system can be built around it through a management server with an HSM
installed in it. Because the product has an identity stored in hardware, the product itself can now
be managed remotely.
BroadSAFE is an extremely cost-effective certificate and key management solution that can be
extended to other client devices within the network such as IP phones, NICs, cable modems,
switches and wireless devices. The keys that are stored in hardware, as described in this chapter,
are essentially the private component of an identity certificate. Hence, the advantage is in the
embedded key management module that utilizes these private keys. The result is better security
at a lower cost, with centralized key management services in the HSM.
Even current software-based security technologies, such as biometrics, will benefit from the
addition of embedded hardware security. Hardware security adds another level of security
enhancement, and when implemented properly, will not affect end-user performance. In fact,
this additional security is actually transparent to end-users.
Security systems such as BroadSAFE will become an important addition for next-generation
security devices; hardware security offers advantages in attaching a broad variety of devices into
secure environments with fewer problems than developing compatible software solutions for
many different technologies, and hardware-based security is significantly more difficult to hack
into than software-based security.
Gigabit Ethernet technologies, improved wireless designs, converged NICs, LAN-on-a-motherboard and secure network devices are all examples of the next-generation networking
components that users can expect to have in their environments. These are some of the leading-edge technologies that can be invested in right now to help future-proof the corporate IT buyer's
purchasing process.
The next generation of cutting-edge advanced networking devices is likely to be Broadcom
components, software, and system designs, as manufacturers look for new and innovative means
of communication and move more deeply into the convergence of voice, video, and data
services. Broadcom's broad product portfolio enables the company to drive these convergence
technologies over both wired and wireless networks, while bringing value to the OEMs and
consumers of these devices.
The hardware security modules in Broadcoms new Gigabit IP phone chipsets perform voice
encryption and authentication and elevate the phone's system security using a unique identifier
embedded in each chip that is virtually impossible to decode, hack, or steal, thereby providing
assurance that the identity of each phone in the network is genuine. These advanced security
features allow IT managers to ensure the integrity of corporate voice communications.
Broadcom has responded to the need for resilient secure networking by integrating a wealth of
security-based intelligence into its next-generation Ethernet switch chips, raising the bar and
setting the standard for security in switching silicon. Security starts with Broadcom's exclusive
wire-speed Layer 2 to Layer 7 application-aware security processor. Multiple engines enable
users to enforce secure policies based on a wide variety and combination of programmable rules.
Intelligent packet parsing and metering are combined to yield rich contextual information about
the traffic flows through the switch. The IT professional is empowered through management
software to control all flows through the switch, and dynamically reconfigure policy and take
action as needed.
In addition to the application-aware security processor, Broadcom has integrated a hardware-based DoS attack prevention engine into its switches. The DoS engine is critical to providing
continuity of uninterruptible service to users of a converged network. Harmful DoS attacks are
blocked by the switches, allowing voice and data traffic communication to continue during an
attack. This level of predictability is the key to building highly reliable resilient networks.
Price/performance is just one part of the advantage Broadcom brings with its technology
breakthroughs that are created with fast time-to-market efforts; board-level products, chipsets,
RAID-on-a-chip and converged NIC technologies move quickly from vendor to customer
installations. The convergence technologies will improve performance and reliability of devices
and drive down the costs of next-generation networks, resulting in faster ROIs.
Broadcom, the pulse logo, Connecting everything, the Connecting everything logo, BroadSAFE
and SystemI/O are trademarks of Broadcom Corporation and/or its affiliates in the United States,
EU and/or certain other countries. Wi-Fi Protected Access is a trademark of Wi-Fi Alliance
Corporation. Any other trademarks or trade names mentioned are the property of their respective
owners.