ProCurve Networking by HP ProCurve 5406zl Networking Switch



  1. THE TOLLY GROUP, No. 206141, August 2006

     ProCurve Networking by HP ProCurve 5406zl Networking Switch

     Test Summary: Evaluation of Enterprise-Class Modular LAN Switch Supporting Secure Converged Services

     Premise: There was a time when Gigabit Ethernet (GbE) and 10GbE switches were reserved exclusively for the core routes of enterprise networks. As convergence takes hold in corporate networks, enterprise applications such as voice over IP (VoIP), video and others create the demand for high bandwidth delivered to the network edge. Switches that deliver such capability must also demonstrate support for a wide array of network standards, offer security from a plethora of threats and provide capabilities common to enterprise networks.

     Test Highlights
       • Delivers toll-quality voice in the presence of network congestion
       • Supports key multicasting protocols to assure users the switch can handle multicast traffic transported across a converged services backbone
       • Supplies power over Ethernet for PoE-compliant devices such as IP phones, wireless access points and security cameras
       • Dynamically load balances across multiple active redundant links to increase available aggregate bandwidth
       • Allows two devices to back up one another to create highly available Layer 3 switching environments
       • Provides multiple user authentication options per port; prevents piggybacking of authentication on another user

     ProCurve Networking by HP commissioned The Tolly Group to evaluate the ProCurve 5406zl, a six-slot modular Layer 2/3 intelligent switch that supports Gigabit Ethernet (GbE) and 10GbE connections with integrated Power over Ethernet (PoE), extending high bandwidth from the enterprise backbone to the network’s edge to meet the evolving needs of security, mobility and convergence applications.

     Tolly Group engineers examined features/functions of the ProCurve 5406zl pertaining to its support of a converged network environment, and its ability to handle traffic on a converged services backbone. The Tolly Group certified a number of converged services capabilities under the auspices of the company’s Tolly Verified program, which offers vendor-neutral independent validation of key features and functions.

     Engineers examined the ProCurve 5406zl’s support for voice quality, multimedia, Quality of Service, enterprise-class security and redundancy/reliability issues that demonstrate the switch has been architected to anchor converged services backbones. Testing was performed in June 2006.

     [Figure 1: ProCurve Switch 5406zl Voice Quality Performance Under Various Uplink Congestion² Scenarios, as Reported by Agilent Voice Quality Tester (VQT). Vertical axis: voice quality score (PESQ), with a reference line at PESQ = 3.80 (Toll Quality)¹. Test scenarios: Baseline (no QoS on switch, no uplink congestion); Uplink congestion² without QoS enabled on the switch; Uplink congestion with QoS enabled on ProCurve 5406zl. Source: The Tolly Group, June 2006.]

     ¹ Any vendor that scores a 3.80 and above won’t impact the audible performance of a VoIP call. There are many more factors involved that can affect user experience, but a switch of this caliber will perform to business quality.

     ² GbE uplink between the ProCurve 5406zl and 3500yl switches was congested by sending 2 Gbps of low-priority IP traffic in addition to the voice traffic. Voice traffic was marked with DSCP Code point = 2E mandating Expedited Forwarding.

     © 2006 The Tolly Group
  2. The Tolly Group: ProCurve 5406zl Switch

     Executive Summary

     ProCurve’s Switch 5406zl offers an impressive range of functionality that comes into play supporting converged services. ProCurve’s 5406zl delivers robust Quality of Service (QoS), meaning the switch supports up to eight traffic queues for segregating traffic on a priority basis and ensuring that voice and video get the bandwidth and the priority they rightly deserve. The switch demonstrates that it can also transport voice at toll-quality, which is essential for supporting converged services.

     ProCurve also bundled in support for both major multicast protocols — PIM Sparse Mode and PIM Dense Mode. From a security standpoint, ProCurve delivers a level of sophistication for supporting access control lists (ACLs) at both Layer 3 and Layer 4, surpassing the security capabilities commonly found in workgroup switches. This broad support for QoS, security, multicasting and reliability makes the ProCurve 5406zl a well-rounded edge device for converged networks.

     The Tolly Group awarded more than 40 Tolly Verified certifications to the ProCurve 5406zl. While these are too numerous to detail in this report, we have focused on those certifications relevant to the switch’s ability to operate in a converged services network. The full complement of Tolly Certified listing may be viewed at: ProductID=206

     QUALITY OF SERVICE

     The depth of QoS support offered on the ProCurve 5406 parallels the QoS support normally found on larger devices. The switch can distinguish priority packets and prioritize them based on the IEEE 802.1p QoS standard. Further, the switch supports the maximum number of traffic queues — eight — that is commonly found on core switches. This provides ample queues to segregate high-priority streams such as voice, video, multimedia and management data into high-priority queues while directing other traffic to lower-priority queues.

     VoIP Capable Infrastructure (Quality of Service), Tolly Verified 10501

     Engineers verified that the ProCurve 5406zl’s QoS mechanism can adequately support latency-sensitive applications such as voice in a congested environment by providing sufficiently low latency, as well as voice quality scores that are deemed toll quality.

     Using the Perceptual Evaluation of Speech Quality (PESQ) metric, engineers examined how the ProCurve 5406zl maintained toll-quality voice quality under various uplink congestion scenarios. The ProCurve 5406zl achieved a PESQ score of 3.87 in the baseline test without any uplink congestion, and then achieved a PESQ score of 3.84 with uplink congestion. Scores of 3.80 to 4.50 indicate toll-quality voice, implying a voice quality that is deemed to be acceptable for business-class usage. That type of toll-quality score emphasizes the ability of the ProCurve 5406zl to serve as a transport switch in a converged services backbone network.

     QoS Recognition (IEEE 802.1p), Tolly Verified 10533

     Engineers verified that the ProCurve 5406zl distinguishes and prioritizes traffic based on the 802.1p Quality of Service standards. Devices earning this certification have demonstrated that they can prioritize traffic accordingly.

     QoS — Eight Traffic Queues, Tolly Verified 10587

     The ProCurve 5406zl demonstrated that it is capable of segmenting QoS traffic into eight unique and separate priority queues. This is vitally important for a switch operating in a converged services network since it shows the switch has the capability to apportion bandwidth according to application needs and recognize application streams according to prioritization tags set in their headers. Thus, voice and video traffic may be afforded greater priority over less latency-sensitive traffic.

     Layer 3 QoS Trusted Mode (DSCP), Tolly Verified 10837

     This certification verifies that the ProCurve 5406zl has the ability to distinguish traffic with different priorities based on the DSCP information in the Layer 3 IP header and to be configured either to process traffic according to its DSCP priority (i.e. “trust” the priority bits) or be configured to ignore (i.e. not “trust” the priority bits) those settings.

     MULTICAST SUPPORT

     PIM Sparse Mode — IP Multicasting, Tolly Verified 10826

     Engineers confirmed the ProCurve 5406zl’s ability to host and join IP multicast groups via PIM-Sparse Mode. This demonstrates that the ProCurve 5406zl can provide IP Multicasting services using the PIM Sparse Mode protocol.

     PIM Dense Mode — IP Multicasting, Tolly Verified 10827

     Engineers confirmed the ProCurve 5406zl’s ability to host and join IP multicast groups via PIM-Dense Mode. This demonstrates that the ProCurve 5406zl can provide IP Multicasting services using the PIM Dense Mode protocol.

     ENTERPRISE-CLASS SECURITY

     ProCurve is bringing core-level switch ACL functionality down to the edge. The ProCurve 5406zl can authenticate clients using both Layer 3 and Layer 4 ACLs. Plus, the switch can communicate with a RADIUS server to apply ACLs to a specific user. This shows that ProCurve is going the extra step with security
  3. what is normally bundled into an edge distribution device. Furthermore, the device’s support for user authentication via 802.1x means that multiple user identities can be authenticated at a single port. This is vital in converged networks where a user, for instance, might have a laptop PC and an IP phone sharing the same port.

     Sidebar: ProCurve Networking by HP, ProCurve Switch 5406zl, Converged Services Support

     ProCurve Networking by HP ProCurve 5406zl Networking Switch: Product Specifications*

     Features

     This list reflects a portion of the capabilities of the ProCurve 5400 series. For a full list of features, please visit: es/ProCurve_Switch_3500yl-5400zl_Series/features.htm.

     Connectivity
       • 802.3af Power over Ethernet: Provides up to 15.4 W per port to power-compliant PoE devices, like IP phones, wireless access points and security cameras
       • Pre-standard PoE support: Detects and provides power to pre-standard PoE devices
       • Jumbo frames
       • ProCurve/IEEE Auto-MDIX: Automatically adjusts for straight-through or crossover cables on all 10/100/1000 ports

     Layer 2 switching
       • ProCurve switch meshing: Dynamically load-balances across multiple active redundant links to increase available aggregate bandwidth
       • VLAN support and tagging: Supports complete 802.1Q standard and 2,048 VLANs simultaneously
       • 802.1v protocol VLANs: Isolate select non-IPv4 protocols automatically into their own VLANs
       • Group VLAN Registration Protocol (GVRP): Allows automatic learning and dynamic assignment of VLANs

     Layer 3 routing
       • Static IP routing: Provides basic routing
       • RIP: Provides RIPv1 and RIPv2 routing at media speed
       • OSPF: (requires Premium Edge license) Includes ECMP to provide link redundancy and scalable bandwidth
       • IP multicast routing (requires Premium Edge license): includes PIM Sparse and Dense modes
       • Virtual Router Redundancy Protocol (requires Premium Edge license)

     Layer 3 services
       • UDP helper function: UDP broadcasts can be directed across router interfaces to specific IP unicast or subnet broadcast addresses and prevent server spoofing for UDP services such as DHCP

     Security
       • Switch CPU protection: Provides automatic protection against malicious network traffic trying to shut down the switch
       • Virus throttling: Detects traffic patterns typical of WORM-type viruses and either throttles or entirely prevents the ability of the virus to spread across the routed VLANs, without requiring external appliances
       • ICMP throttling: Defeats ICMP denial-of-service attacks by enabling any switch port to automatically throttle ICMP traffic
       • Multiple user authentication methods: IEEE 802.1X; Web-based authentication; MAC-based authentication
       • Authentication flexibility: Multiple 802.1X users per port; Concurrent 802.1X and Web or MAC authentication schemes per port
       • Per-Port Access Control Lists (ACLs): Provides IP Layer 3 filtering based on the IP field, source/destination IP address/subnet, and source/destination TCP/UDP port number
       • Identity-driven ACL: Enables implementation of a highly granular and flexible access security policy specific to each authenticated network user
       • Port security: Prevents unauthorized access using MAC address lockdown
       • MAC address lockout: Prevents configured particular MAC addresses from connecting to the network
       • Source-port filtering: allows only specified ports to communicate with each other

     Ports
       • Six open module slots
       • Supports a maximum of 24 10GbE ports or 144 10/100/1000 ports and 144 mini-GBICs, or a combination
       • Memory: 256 MB of RAM
       • 1 RS-232C DB-9 console port

     Physical Unit
       • Dimensions: 17.75 x 17.5 x 6.9 in. (45.09 x 44.45 x 17.53 cm), 4U height
       • Weight: 23.55 lbs. (10.68 kg)

     For more information contact:
     Hewlett-Packard Co.
     3000 Hanover Street
     Palo Alto, CA 94304-1185
     U.S.A.
     Phone: (650) 857-1501
     Fax: (650) 857-5518
     URL:

     *Vendor-supplied information not verified by The Tolly Group

     Management Authentication via RADIUS, Tolly Verified 10536

     Engineers verified that the ProCurve 5406zl provides functionality that allows network managers to limit management access to users that complete authentication with a back-end RADIUS server with which the
  4. device under test communicates. This isn’t a necessary feature of edge switches, but still is a convenient feature to use when managing a converged network.

     User Authentication via IEEE 802.1X, Tolly Verified 10559

     The ProCurve 5406zl demonstrated that users can be authenticated using the industry-standard 802.1X protocol to communicate between a “supplicant” (i.e., client), the switch (an “authenticator”) and a back-end “authentication server.”

     User Authentication via Layer 3 (IP) based Access Control List, Tolly Verified 10583

     This certification verifies that the ProCurve 5406zl is capable of authorizing client access using local ACLs via Layer 3 IP addresses. This is important in converged networks because it allows only authorized users onto the network and lets voice and video be routed out of certain switch ports and have QoS applied to those ports.

     User authentication via Layer 4 (TCP/UDP) based Access Control List, Tolly Verified 10584

     This certification verifies that the ProCurve 5406zl is capable of authorizing client access using local ACLs via Layer 4 TCP/UDP ports. This is important in converged networks because it allows only authorized users onto the network and lets voice and video be routed out of certain switch ports and have QoS applied to those ports.

     802.1X — Single port, “Per-MAC” Authentication, Tolly Verified 10746

     This test verified that the ProCurve 5406zl offers a granular authentication process that allows a per-user (Layer 2 MAC address) level of authentication rather than opening the port to all traffic once a single user has authenticated.

     User Authentication via Local MAC Address Table, Tolly Verified 10569

     This test demonstrated that users can be allowed or denied network access based on Layer 2 (MAC) entries resident in the ProCurve 5406zl and configurable by the network manager.

     Figure 4: ProCurve Switch 5406zl Tolly Verified Certifications Awarded (Tolly Verified Number: Tolly Verified Certification, grouped by Category). Source: The Tolly Group, June 2006.

     LAN connectivity
       • 10513: 10/100/1000 Auto Negotiation

     LAN Switch - High Availability
       • 10744: Link Aggregation (IEEE 802.3ad) Cross Blade

     LAN Switch Core
       • 10501: VoIP Capable Infrastructure (Quality of Service)
       • 10503: Jumbo Frame Support 9,000+ Byte Frames
       • 10511: Link Aggregation Support Manual Configuration
       • 10514: Auto MDI/MDIX
       • 10515: Port Mirroring
       • 10529: Access Control List (ACL) Functionality Bound to Specified VLAN
       • 10564: Virtual Router Redundancy Protocol (VRRP)
       • 10583: User authentication via Layer 3 (IP) based Access Control List
       • 10584: User authentication via Layer 4 (TCP/UDP) based Access Control List
       • 10587: QoS Eight Traffic Queues
       • 10639: Power over Ethernet Provider
       • 10834: Multiple Spanning Tree Protocol (MSTP) Support (IEEE 802.1s)
       • 10533: QoS Recognition (IEEE 802.1p)
       • 10837: Layer 3 QoS Trusted Mode (DSCP)
       • 10847: VLAN Database Support: 250+ VLANs
       • 10850: MAC Database Capacity: 5,000 MAC Addresses
       • 10855: QoS Control: Weighted Fair Queue Algorithm

     Layer 3 (IP) Functionality
       • 10821: IPv4 RIP v1 Routing Protocol Support
       • 10822: IPv4 RIP v2 Routing Protocol Support
       • 10823: IPv4 OSPF Routing Protocol Support
       • 10826: PIM Sparse Mode IP Multicasting
       • 10827: PIM Dense Mode IP Multicasting

     High-Availability Core (Product-type Independent)
       • 10516: Redundant Power Supply
       • 10594: Redundant Power Supply Hot-Swappable
       • 10719: Dynamic, Variable-speed Fan

     System Management
       • 10502: Non-destructive Code Upgrade
       • 10518: Dual Firmware Images
       • 10519: Dual Configuration Images
       • 10555: System Upgrade via Trivial File Transfer Protocol (TFTP)

     System Security and User Management
       • 10559: User Authentication via IEEE 802.1X
       • 10746: 802.1x Single Port, "Per MAC" Authentication
       • 10536: Management Access Authentication via RADIUS
       • 10569: User Authentication via local MAC Address Table
       • 10575: Secure Shell (SSH) remote access
       • 10747: Dynamic VLAN Assignment after Authentication
       • 10748: Web Browser-based Authentication
       • 10787: Management Access Authentication via Local User Database
       • 10854: Automatic ACL Assignment after Authentication