After years of making a go of it with a patchwork network built of discontinued and secondhand networking gear,...
Oral Roberts University (ORU)'s networking team had its fair share of network policy management disaster stories.
For instance, have you heard the one about the janitor who found a crossover cable while cleaning an office? Instead of throwing it away or bringing it to IT, he plugged each end into separate ports and created a traffic loop that crashed the network. Having a simple spanning tree protocol up and running on the network would have given the school the network policy management capabilities to protect against such a crash, said Tannie Olsen, ORU's systems architect.
But because of their interoperability woes, network engineers couldn't get a spanning tree protocol up without bringing the network down, Olsen said. Instead, engineers were forced to unplug modules on a Catalyst 6509 one at a time to see where the excess traffic was, and then they had to further isolate the issue to the specific campus port that was causing the loop.
"It's a really archaic way of troubleshooting," he said.
ORU staff could have avoided the whole mess if they had had the ability to implement network policy management at an edge port level, with switches smart enough to determine that such a traffic loop represented rogue behavior and to just shut down the port.
When ORU, a small private university in Tulsa, Okla., received a donation last year earmarked for a complete overhaul of the school's legacy network, centralized and simplified network policy management rose to the top of the team's wish list, Olsen said.
A hodgepodge legacy network with limited network policy management
The budget-strapped networking team at ORU had spent the past few years spinning its wheels trying to manage a hodgepodge of outdated and discontinued switches assembled over the course of a decade.
"Trying to get everything to talk together was at best a challenge and at worst impossible," said Olsen. "Passing any form of quality of service, trying to classify services, trying to get a spanning tree actually up and running on the network -- it was a real challenge. Being able to … get one single platform was vital for us."
The "workhorses" of ORU's network had been its decade-old Cisco Systems' Catalyst 5000 and 5500 switches, which were discontinued by Cisco last year. But Olsen had found it difficult to find service and support for the past seven years as more sophisticated Catalyst switches entered the market.
The ORU network also included a smattering of first-generation Catalyst 6590s and 15-year-old Catalyst 1900s, along with various gear from Dell, Nortel and 3Com. "We started out our network with no money, and if we had a little bit of money, we'd say, 'OK, we'll buy a switch,'" Olsen said. "Most of our equipment came from [bankruptcy] auctions or from eBay."
Network policy management was a top requirement
Olsen's team considered the usual suspects when the time came to rip and replace the network: Cisco, Hewlett-Packard (HP) ProCurve, and Brocade. But he said Cisco was too expensive for ORU's modest budget, and his staff wasn't satisfied with the network management software provided by ProCurve and Brocade. Eventually, ORU chose Enterasys Networks.
"The thing that really sold us on Enterasys was policy. Not just policy-based routing, but policy-based switching -- the ability to, on a port level, make decisions about traffic," Olsen said. "With the Enterasys network, we're able to reach out and say, 'If an IP address is issued from any of the student ports, just drop that traffic right there.' It doesn't make it past the switch port."
Some network policy management software makes those decisions at the router, allowing the unwanted traffic to move into the distribution or core layers, according to Eric Stinson, director of product management for Enterasys' Network Management Suite (NMS) software.
"If [policy] control is being done at the router, it isn't being controlled at the edge of the network," Stinson said. "A router interface could have 50 switches on it, and users only hit those policies when they hit the router. So anybody plugged into that edge switch gets hit with the policy."
That port-level shutdown is part of NMS's Automated Security Manager (ASM), which complements the platform's Policy Manager feature, Stinson said. Alerted to rogue devices or suspect network activity by an intrusion detection system (IDS), ASM can disable the user or the port -- either by alerting an administrator, or automatically, if an administrator doesn't respond to an alert after a set amount of time.
This network policy management capability meant Olsen and his team would finally be able to deal with some of their biggest campus LAN headaches: performance problems, troubleshooting delays and a lack of insight into spotting rogue devices or misconfigurations. ORU's 3,700 students were always presenting the networking team with configuration and rogue device problems.
"If the two ports that we provide in each dorm room aren't enough, [students] will bring their own splitter and plug in their own wireless hub or router and get as many ports as they like," Olsen said. "But sometimes they'll plug it in and have a device issue DHCP requests on our network. We'll start getting calls from students saying [they] can't get on the network and [asking] what's wrong, and we have to [manually track down the cause]."
Let us know what you think about the story; email: Jessica Scarpati, News Writer