After sending group membership (join) messages and waiting at least twice the switch's IGMP query interval, TestCenter's ScriptMaster software then offered multicast traffic to the switch's first 10-Gigabit port, destined for all multicast groups. Per RFC 3918, if all groups received at least one frame, the test iteration was considered a pass. If loss or flooding occurred, the iteration was considered a failure. Using a binary search algorithm, we repeated this procedure to determine multicast group capacity.
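The pass/fail rule and binary search described above, as an added example (not the testers' script and not Spirent code). The simulated switch, its table size and all function names are assumptions made for illustration; the search also assumes that if N groups pass, any smaller group count passes too.

```python
from typing import Callable, Dict, Tuple

# A trial returns (frames received per joined group, frames seen by non-member ports).
Trial = Callable[[int], Tuple[Dict[int, int], int]]

def iteration_passes(rx_per_group: Dict[int, int], flooded_frames: int, groups: int) -> bool:
    """Pass rule from the text: every joined group got >= 1 frame, and no flooding."""
    all_received = all(rx_per_group.get(g, 0) >= 1 for g in range(groups))
    return all_received and flooded_frames == 0

def group_capacity(run_trial: Trial, max_groups: int) -> int:
    """Binary-search the largest group count in [0, max_groups] that passes."""
    lo, hi = 0, max_groups          # lo: highest count known to pass, hi: highest candidate
    while lo < hi:
        mid = (lo + hi + 1) // 2    # round up so the loop always makes progress
        rx, flooded = run_trial(mid)
        if iteration_passes(rx, flooded, mid):
            lo = mid                # mid groups worked, try more
        else:
            hi = mid - 1            # loss or flooding, try fewer
    return lo

def make_simulated_switch(table_size: int, floods_on_overflow: bool) -> Trial:
    """Constructed stand-in for the device under test, not a model of any real switch."""
    def run_trial(groups: int) -> Tuple[Dict[int, int], int]:
        learned = min(groups, table_size)
        if floods_on_overflow:
            # Groups beyond the snooping table are flooded: members still receive
            # them, but so do ports that never joined, which fails the iteration.
            rx = {g: 1 for g in range(groups)}
            flooded = groups - learned
        else:
            # Groups beyond the table are dropped: those members receive nothing.
            rx = {g: 1 for g in range(learned)}
            flooded = 0
        return rx, flooded
    return run_trial

if __name__ == "__main__":
    for floods in (False, True):
        dut = make_simulated_switch(table_size=1000, floods_on_overflow=floods)
        print("floods on overflow:", floods, "capacity:", group_capacity(dut, 4096))
```

Counting flooding as a failure matters for more than capacity: a switch that floods once its snooping table is full delivers group traffic to ports that never joined.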
In the L2 multicast performance tests, we configured all switch ports to join a single VLAN, to use IGMP snooping, and to act as an IGMP querier. Then TestCenter's 48 gigabit ports joined 500 IGMPv2 groups (or fewer, depending on results from the group capacity test). The Juniper switch did not support IGMPv3 at test time, requiring the use of IGMPv2; this is the one significant departure from earlier tests of access switches.
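After waiting at least twice the switch's IGMP query interval, TestCenter's ScriptMaster software then offered multicast traffic to the switch's first 10-Gigabit port, destined for all multicast groups. Using a binary search algorithm, TestCenter determined the throughput rate. In a separate test, TestCenter measured average and maximum latency at the throughput rate.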
In the L3 multicast throughput and latency tests, we configured each switch port to use a separate VLAN and IP subnet, enabled Protocol Independent Multicast-Sparse Mode (PIM-SM) routing on each port, and set the switch to act as a PIM rendezvous point. The test setup and traffic pattern were similar to those of the L2 multicast test. We again determined the throughput rate and measured average and maximum latency at that rate.
To assess 802.1X/NAC support, we developed six scenarios that describe roles a switch might play as part of the NAC infrastructure. In this case we attached the switch to a Windows 2003 server running Juniper Steel-Belted Radius Enterprise Edition 6.1 (SBR). The SBR configuration used Windows Active Directory credentials to authenticate users.
In the first scenario, the switch places an authenticated client (in all cases, a PC running Windows XP Professional and Juniper Odyssey client software) into a previously configured VLAN. The second case is like the first, but requires authentication of multiple clients attached to a single port. In the third case, the switch dynamically assigns a VLAN after authentication. In the fourth case, the switch dynamically applies an access control list after authentication. In the fifth case, the switch places a client into a guest or restricted VLAN upon authentication failure. Finally, the sixth case determines whether a switch port concurrently supports 802.1X and media access control authentication.
To assess storm control, we used common attack techniques such as broadcast and TCP SYN flooding as generated by a Mu Dynamics Mu-4000 security analyzer and by Spirent TestCenter. We configured the Juniper switch to limit forwarding rates of attack traffic, and verified these limits using real-time rate counters in Spirent TestCenter.
We measured power consumption using Fluke 322 and Fluke 335 clamp meters. This test involved three measurements: AC line voltage; AC amperage when idle; and AC amperage when fully loaded. We fully loaded the switch control and data planes by configuring Spirent TestCenter to offer all ports line-rate traffic consisting of IPv4 packets with IP options set. We derived wattage by multiplying voltage and amperage.
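Our tests of switch manageability, security and usability had objective and subjective components. In the objective component, we determined which management methods the switch supports over IPv4 and IPv6, as well as its ability to comply with security best practices (for example, by disabling vulnerable services such as telnet and enabling secure services such as SSHv2). We also determined which management methods are enabled by default and which can be enabled or disabled by the user. In addition, we determined whether erasing the configuration file removes all personally identifiable information, a regulatory requirement and a security best practice.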
The subjective part of our assessment consisted of our judgments on ease of accomplishing these and all other tests described here.
To assess the final area, switch features, we asked vendors to complete a detailed questionnaire. We did not verify every answer to this questionnaire.
This story, "Juniper switch proves to be credible choice," was originally published by InfoWorld.