Total Internet Security Software



Archive for October, 2011

WLANs Evolve With vWLAN 2.1

The evolution of the WLAN industry has been a curious, somewhat flip-floppy study in design philosophy. Stand alone, intelligent access points got the party started over a decade ago, and somewhere along the line lost favor to controller-based super systems. Now the big, expensive controller has become a target for frequent criticism as a growing number of vendors present innovative alternatives to funneling all WLAN traffic back to a central processing point. Bluesocket is among the latest to de-emphasize the importance of the controller, while also adding management of wired users with its recently introduced vWLAN 2.1 platform.

Now part of ADTRAN, Bluesocket is one of those interesting wireless companies currently listed by Gartner in the “Visionary” section of the Magic Quadrant. I love following the vendors in this space, where all manner of innovative approaches are used to try to drive TCO down while meeting or exceeding feature sets offered by the market leaders. I am a Bluesocket customer in that I use BSC controllers for guest access duty on my own Cisco-based wireless network at Syracuse University, and as the wireless core in networks I support in Haiti. While I don't use Bluesocket APs in my current deployments, I have laid hands on them numerous times in test. Right now I am kicking the tires on two Bluesocket 1800 smart access points while I get my feet wet on vWLAN 2.1 and get familiarized with the premise of Bluesocket’s distributed access control for both the wired and wireless sides of the network.

As I follow developments from the likes of Meraki (I run a Meraki network in London) and Aerohive (watch for developments from their acquisition of Pareto Networks), I do like the simplicity and capability that comes with “single pane of glass” administration of both wired and wireless client environments. With vWLAN 2.1, Bluesocket joins a field that offers turn-key wired security and client control alongside scalable wireless networking, and does it without requiring new network hardware.

Which brings us to the “how it's done” part of the story. Customers familiar with Bluesocket's UI should ease into learning vWLAN 2.1, as the new capabilities fit nicely with existing config pages for the wireless environment. Using BlueSecure smart access points as a distributed boundary between the controlled and untrusted parts of the network, standard 802.1q VLANing is used to direct untrusted traffic into the nearest capable AP for policy enforcement. The APs do double duty for both wireless access and unified wired and wireless security management in a framework that provides client authentication flexibility, system resiliency, and a scalable architecture. Given that vWLAN is a software-based solution that capitalizes on basic VLAN capabilities of existing network switches and a licensed feature set on Bluesocket 802.11n access points, many existing customer environments already have all of the physical building blocks they need to get started with vWLAN 2.1. Add a few licenses and VLAN configs, and a wireless network becomes much more with vWLAN 2.1.

As mentioned earlier, Bluesocket's vWLAN solution downplays the importance of the controller, but does not eliminate it. The vWLAN appliance is still required as the mothership for all policy and intelligence in force throughout the distributed topology, but not as a central plane that all client traffic must pass through. Also, the appliance can be virtualized, which I'd like to see as an option for any wireless solution as a hedge against what is often the most expensive single piece of WLAN hardware. As wireless networks continue to grow and get more sophisticated and enterprises no longer see the wired and wireless spaces as distinct, vWLAN 2.1 is certainly an example of evolution. For Bluesocket customers in need of a wired client security solution, it just may be a revolution.


WildPackets WatchPoint Combines SNMP With Packet-Based Monitoring

WildPackets Inc. has announced a new version of its WatchPoint network monitoring and reporting product. Version 2.0 now includes support for Simple Network Management Protocol (SNMP), which means that users could conceivably use the software and appliances for most typical SNMP monitoring requirements, rather than having to buy a separate product to provide that functionality. WatchPoint 2.0 now offers flow-based network monitoring and reporting functions as well. This is in addition to providing the packet-based network monitoring and reporting that the previous version had already supported, which also enables IT administrators to drill down to the packet level when problems are discovered.

WildPackets has been finding that its users are buying additional network monitoring products, but that even when they do so, they still end up discovering that they require the sort of deep packet inspection and root cause analysis that WatchPoint can provide, says Jay Botelho, director of product management for the Walnut Creek, Calif., company. Having packet, netflow, and SNMP functionality, all built in together into a single product, makes it easier for IT administrators to layer solutions, and perhaps even enables them to replace ones they already have, he says. Providing all the functionality in one program, with one web-based interface, also reduces costs by being easier to deploy and maintain, as well as reducing training costs, the company says.

Another advantage of the product is that, compared with other flow-based solutions, it can store more data, meaning IT administrators can continue to store data using minute-by-minute granularity, for as long as six months to a year. With competing products, typically over time they end up having to average data together, resulting in granularity of an hour or even a day, Botelho says.

The SNMP support was particularly interesting to Jim Frey, managing research director for Enterprise Management Associates, because it was new for the vendor and is a great way to give additional value to existing WildPackets users because it will enable them to use a single tool rather than separate tools for packet monitoring, voice analysis, and SNMP monitoring, he says. “It’s not going to be anywhere near as sophisticated as a mature SNMP platform,” but if an IT administrator is just interested in keeping an eye on a few basic performance indicators for device monitoring, being able to check the health of devices during troubleshooting makes organizational workflow more efficient, he says. “It’s a good 80% of coverage of what you need to do,” he says. “It’s not trying to compete with standalone platforms. Shops may say, ‘This is enough of what I need now and, integrated with my packet-based tools, this will be an extra value for me.’”

The software is available now for a price that scales by the number of appliances, but which starts at $12,995. WildPackets products are sold in more than 60 countries and deployed in a number of industrial sectors. Existing customers include Boeing, Chrysler, Motorola, Nationwide, and more than 80 percent of the Fortune 1000.

See more on this topic by subscribing to Network Computing Pro Reports The New Analytics (subscription required).


QLogic Adds 5 Years To Fibre Channel

On Sept. 28, QLogic extended its Adaptive Convergence Strategy by announcing a new portfolio of products, including FlexSuite adapters, Universal Access Point switches and iSR Intelligent Storage Routers. The strategy and new products represent some important advancements in converged networking.

For example, powering the new FlexSuite adapters is a single chip that combines the capabilities of a Fibre Channel host bus adapter (HBA) and a converged network adapter (CNA), functions that used to require two separate chips. Now, one card can be configured as either a Fibre Channel HBA or a CNA, an example of what QLogic calls Adaptive Convergence.

The UA5900 Universal Access Point switch from QLogic represents a new class of top-of-rack (TOR) switch, with a feature set and a price that position it to sit at the top of any rack in a data center. Until now, Ethernet switches sat atop server racks, while Fibre Channel switches sat atop storage racks. Universal Access Point switches support Fibre Channel switching, Fibre Channel over Ethernet switching and Ethernet LAN switching, all in one aggressively priced stackable switch. One switch can be configured as a TOR switch for a server rack or as a TOR switch for a storage rack, another example of adaptive convergence.

New QLogic iSR routers are used to bridge servers and storage speaking different languages over a LAN in a data center or over a WAN in the cloud. QLogic iSR routers are especially valuable to IT professionals in large data centers who are constantly migrating data from old systems to new systems. With the ability to bridge Fibre Channel, iSCSI and Fibre Channel over Ethernet servers and storage, an iSR router accelerates and simplifies traditional methods of data migration, such as backup and restore.

In each product, support for Fibre Channel SANs is combined with what used to define a converged network device--support for 10 Gbit Ethernet LANs, Fibre Channel over Ethernet SANs and iSCSI SANs. That means the new definition for a full-featured converged networking adapter, or switch, now includes support for native Fibre Channel.

All of the new QLogic products feature support for 16-Gbit Fibre Channel, the latest and fastest generation of the SAN technology that has dominated large data centers since 2000. Three years ago, I argued that by 2011, Fibre Channel over Ethernet would surpass Fibre Channel as the SAN technology of choice in large enterprises. Today, FCoE has taken hold with early adopters, while 4-Gbit Fibre Channel and 8-Gbit Fibre Channel are shipping in approximately equal high volumes. Given that 16-Gbit Fibre Channel will maintain a performance advantage over 10-Gbit iSCSI and Fibre Channel over Ethernet SANs, QLogic has just added five years to the healthy life of Fibre Channel in large data centers.


Xirrus Introduces Wi-Fi With Greater Range, Capacity, To Meet WLAN Demands

Xirrus is rolling out technology to increase the range and capacity of WLANs and make them more programmable so they can expand as necessary. Xirrus’s XR Wireless Array product line includes a wireless modular switch that can replace legacy radio access points at a ratio of as much as 8-to-1.

The XR Wireless Array line includes five models that feature four, eight, 12 or even 16 access points (APs) in one unit. The APs operate at either 2.4 GHz or 5 GHz, as do existing APs, but they can be programmed to change from one to the other on demand, says Steve Wastie, chief marketing officer for Xirrus. The number of APs active within a unit can also be throttled up or down as network demand changes, by either turning some APs off or adjusting the amount of power they use. The Xirrus solution also features directional antennas--versus the omni-directional antennas in legacy APs--to strengthen the signal in areas where it’s needed.

In addition, one or more of the antennas can be configured to act as a "threat sensor looking for attacks and so forth," says Wastie.

As mobile devices proliferate, end users come to expect wireless access to be available at work, at their hotels and at convention centers hosting a conference, he says. "[Wireless] is no longer kind of the exception, right? It’s kind of the new norm. They’ll expect to be able to connect wirelessly from whatever devices they’re using, and that’s a big shift."

To illustrate how much more area an XR array can cover, Wastie says that when Xirrus set up its Wi-Fi network for a technology conference at the Mandalay Bay Convention Center in Las Vegas recently, it deployed just 20 to 24 of its arrays, versus the 160 to 180 APs it would have had to deploy using earlier Wi-Fi technology.

A number of industry statistics identify the drivers of demand for improved wireless networks. By 2015 there will be 15 billion devices seeking wireless access, including smartphones, tablets and other machines, according to Cisco Systems, which also forecast that mobile data traffic volumes will grow at a compound annual growth rate of 92% between 2010 and 2015. The research firm Dell’Oro Group puts the size of the WLAN equipment market at $8 billion. And 60% to 80% of enterprise employees will rely on wireless connectivity to access business-critical software applications.

Xirrus’s approach to improving WLANs sets it apart from other players in the industry, says Rohit Mehra, director of the Enterprise Communications Infrastructure Group at IDC.

"Xirrus's multiradio Wi-Fi arrays are high-capacity wireless access systems that can be deployed for high-traffic, dense enterprise deployments," Mehra wrote in an email interview. "Their integrated multiradio solution with directional high-gain antenna is well-differentiated from other solutions in the industry."

Wi-Fi capacity needs to expand to accommodate the growing number of mobile devices seeking access, he added, and to offload traffic from cellular networks, which can also reach capacity quickly.

Xirrus arrays are currently configured to operate on 802.11n wireless networks, but the Xirrus platform is "future protected," says John Merrill, director of corporate marketing at Xirrus, to be compatible with forthcoming standards called 802.11ac and 802.11ad.

See more on this topic by subscribing to Network Computing Pro Reports Fundamentals: Wireless Mesh Networks (subscription required).


Cisco’s WAAS Appeal: 5x Bandwidth, 3x User Increases

Cisco is refreshing its Wide Area Application Services (WAAS) appliances for Wide Area Network (WAN) applications. The company says the number of Internet-based applications is expected to reach 1 million this decade and it wants to help customers scale the delivery of rising volumes of applications and video traffic across networks to any user and device. The new solutions will 'substantially' improve application performance and user experience by providing up to five times the bandwidth and supporting up to three times the users compared to the previous generation, as well as reduce the hardware required by 66 percent.

There are fundamental changes reshaping the network infrastructure, says Cisco. 79 percent of organizations have adopted SaaS; 66 percent have adopted video; 90 percent will adopt bring your own device by 2014; and 25 billion devices and 7.2 billion people will be connected to the Internet by 2015. As such, WAN optimization will become even more important.

Supporting both branch and data center deployments, the Cisco 294, 594, and 694 appliances enable branch offices to deploy up to eight virtual services such as video, virtual desktop infrastructure (VDI) and Windows on WAAS, with five times the throughput. The Cisco 694, 7541, 7571, and 8541 appliances provide large branch offices and data centers with what Cisco calls the industry's most scalable 10GE-capable WAN optimization solution. The company is also announcing new software, WAAS v4.4, which brings together application and network optimization with Context-Aware DRE (Data Redundancy Elimination), doubling the effective throughput of those systems without degrading the user experience at any location.

Cisco expects the new appliances to appeal not only to current customers who won't have to rip and replace their existing solutions, but also to organizations that have yet to embrace WAN optimization. It will also appeal to organizations whose point solutions are not working at scale, says the company.

This round of WAN optimization improvements make Cisco much more competitive in the market, giving it an edge in new RFPs or Greenfield opportunities (as well as among its installed base), where that kind of capacity is required, and where enterprises are struggling with the increased demands placed on WANs by the BYOD phenomena and increased use of video, agrees Paula Musich, senior analyst, Current Analysis. However, there are other considerations when it comes to moving from one WAN optimization supplier to another, she cautions.

"There's a lot of expertise invested in deploying and managing the overlay networks that WAN optimization deployments represent. Any enterprise that has a significant WAN optimization deployment already in place would have to think long and hard about switching suppliers. It would be a more complex business case to make to switch suppliers."

Musich gives Cisco full marks from a performance – 2 Gbps of optimized WAN capacity and up to 150,000 TCP connections – perspective. "Market leader Riverbed in its Steelhead 7050 appliance – their largest – claims it can scale to 1 Gbps of optimized WAN capacity and 100,000 optimized TCP connections. So Cisco supports twice the WAN capacity of the market leader, and 50 percent more TCP connections in a single appliance. That helps to lower costs by requiring fewer appliances to scale to that level of capacity in large data centers."

IDC analyst Rohit Mehra, director, enterprise communications infrastructure, also credits Cisco for its improvements in raw performance but has his own concerns. "I think the best approach is to evaluate performance of WAN application delivery solution(s) in actual enterprise deployments which can vary based on several factors including applications, infrastructure and network design."

He adds that the market for WAN application delivery is growing rapidly and pretty dynamic, so enterprise IT does have a shorter buying cycle for these solutions compared to traditional networking equipment. "With its revamped WAAS portfolio, Cisco does have an opportunity to go out and improve its competitive positioning in the market."

To hear what your peers think about WAN optimization vendors, check out our IT Pro Ranking: WAN Optimization Appliances [registration required].


F5 Launches IPv6 Professional Services

While Nemertes Research recommends that enterprises should already have started planning for an IPv6 transition, the reality is that it's not even on the radar for almost 80% of respondents to the company's 2011-2012 benchmark. IT professionals at 78% of companies said that their organization has no transition plan yet.

F5 Networks, Inc., which focuses on application delivery networking (ADN), is looking to lend a helping hand with a professional services offering intended to help organizations address their need to establish a presence on the IPv6 Internet. Its BIG-IP solutions are deployed in the Network Operations Center (NOC) at this week's Interop New York, where IPv6 is a big part of the event.

The existing IPv4-powered Internet is running out of address space for the explosive demand in connected devices, says F5, but because IPv6, which has address space to spare, is incompatible with IPv4, organizations must eventually transition to or provide support for IPv6 to ensure that their web-based services and applications are available to the broadest range of Internet users. The company says it is seeing many enterprises struggle to transition their public-facing websites to IPv6 networks, deliver reliable services for new IPv6 client devices, comply with stringent new regulatory requirements, and adjust to the exhaustion of IPv4 addresses. Its new services provide the support and best practice guidance customers need to make these transitions as easy as possible, whatever their unique requirements are, it says.

F5 BIG-IP Local Traffic Manager (LTM) provides customers a clear and seamless method for staging their migration to IPv6 without making wholesale network and application upgrades all at once. The IPv6 Solution Services support a range of IPv6 initiatives, whether customers want to transition internal infrastructure from IPv4 to IPv6, support dual stack implementations, or provide continued support for legacy IPv4 applications. Each engagement includes an architecture review, base connectivity, BIG-IP IPv6 gateway configuration, and knowledge transfer.

There is little interest now and it's mostly an industry led party to move to IPv6, but there is growing awareness by customers to make the move, says Mike Sapien, principal analyst – enterprise, Ovum. The IPv6 transition movement is getting warmer but this announcement does do several things, he says. It adds to the increasing awareness of IPv6 migration (among many), provides professional services to help the customers plan and make the move; and encourages the IT groups to at least plan for it.

“The F5 services do provide for the four phases just as the customers should think about making the move,” says Sapien. “Ovum has suggested that customers plan for it now so they can implement when they are ready to make the move. It will be more than just F5 services as, similar to HDTV, it is the device, the service provider, the production and the content that has to all be HD to provide the total HD experience. This F5 offer allows customers to make the transition in the phases that they will go through. It is both phased for natural consumption by customers and allows them to take the leap when they are ready.” Ovum sees this taking hold more in mid-2012 with the AP region moving a little faster.

See more on this topic by subscribing to Network Computing Pro Reports Best Practices: IPv6 Transition (subscription required).


The Fear And Loathing Of /64s On Point-To-Point Links

I discussed in a previous article the necessity of abandoning IPv4 thinking when creating IPv6 address designs, and how our deeply ingrained need to conserve addresses can muddle our thinking. Nowhere does this conservative aversion to address waste snarl at us as menacingly as when we consider – completely compliant with the recommendations of ARIN and other RIRs – assigning /64 subnets to point-to-point links.

"You want me to allot a subnet with 18 million trillion addresses to a link that will only ever use two of them? Are you kidding me?" We know all the arguments for what we get in exchange for squander: Easier address management with one-size-fits-all subnets; simpler address interpretation; scaling; flexibility.

But still. Only using two addresses out of 18 million trillion? (Saying "million trillion" is a lot of fun if you imitate Carl Sagan’s voice.) Well, ask yourself when a /64 is acceptable.

Most people would say they can accept it on a regular LAN or VLAN segment. All righty then. To be fair, let’s take a really big LAN. Say, 5000 devices. Is a /64 acceptable there? Yes, you say? So we’re wasting (1.8 x 10^19) – 5000 addresses instead of (1.8 x 10^19) – 2 addresses. The difference between 5000 and 2 relative to 18 million trillion is minuscule. It diminishes to practically nothing. If it were any smaller it would be the amount I’m being paid to write this.

And yet a /64 on a LAN is acceptable and a /64 on a point-to-point link is not. IPv4 thinking can twist our reason. All of this does not mean there are not reasons to use a prefix other than /64 on point-to-point links – it only means address waste is not one of them. In fact, there are dueling RFCs on the topic.

RFC 3627 makes its case right in the title: "Use of /127 Prefix Length Between Routers Considered Harmful." The central argument in the document, however, is not as striking as the title suggests. Here it is:

When you use a /127 prefix on a point-to-point link, you have exactly two addresses available: PREFIX::0/127 and PREFIX::1/127. The problem the RFC cites is that the router assigned PREFIX::1/127 might also configure the Subnet-Router Anycast address, which (prefix bits kept, interface-ID bits all zero) would be PREFIX::0/127. The router on the other end of the link, configured with PREFIX::0/127, would then fail Duplicate Address Detection.

The reason this issue is not really much of a concern is that the Subnet-Router Anycast address should not be needed or used on a point-to-point link. In fact, the RFC itself states that this problem has not been observed in general, probably because the Subnet-Router Anycast address is not widely used.

At the same time, the mandated use of /64 subnets to support such functions as Stateless Address Autoconfiguration, PIM-SM with embedded RP addresses, and various Neighbor Discovery functions is not relevant to point-to-point links, where these functions are not used. That’s not to say there will never be a case where some underlying support function needed on a point-to-point link requires a /64 to work; the base IPv6 specification does expect to see a 64-bit Interface ID. But this is speculative, and not really a compelling reason to make an address design choice.

The real argument for using /64 on point-to-point links remains what I have already stated: the simplicity, consistency, and flexibility of using a single subnet size throughout your network.

This usage is also supported in the standards. Section 3 of RFC 5375, “IPv6 Unicast Address Assignment Considerations,” plainly states: “Using /64 subnets is strongly recommended, also for links connecting only routers. A deployment compliant with the current IPv6 specifications cannot use other prefix lengths.” There you have it in black and white, ladies and gentlemen.

There is also no need to worry that the addressing bodies are going to penalize you for being wasteful. Here’s what ARIN says in its IPv6 Address Plan General Guidelines: “No subnets will use prefixes longer than /64.” And later on the same page: “The IETF expects that you will assign a /64 for point-to-point links.”

So is there a case to be made for using /127 subnets? Well, yes.

In the other corner is RFC 6164, “Using 127-Bit IPv6 Prefixes on Inter-Router Links.” This document starts off saying pretty much what I said above about the concerns of RFC 3627: that Subnet-Router Anycast addresses shouldn’t be a problem on point-to-point links. Then it gets to a more valid concern: ping-pong attacks.

A ping-pong attack exploits implementations that follow the now obsolete RFC 2463 specification of ICMPv6, and it applies to point-to-point links that do not run Neighbor Discovery (SONET, PPP and similar links; on Ethernet the router would instead try to resolve the address with Neighbor Solicitations). Nothing in that specification required a router to drop a packet whose destination is in its own point-to-point link’s subnet but belongs to neither router, so the router simply forwards it out the only on-link interface, which is the link it arrived on. The router at the other end does the same. So an attacker can flood packets to unused addresses on the link and they bounce back and forth (ping-pong) between the two routers until each packet’s Hop Limit is exhausted, using up bandwidth and router resources.

One way to guard against such an attack, and the position of RFC 6164, is to ensure that there are no unused addresses on the point-to-point link: use a /127, so there are only two addresses. But there is a better way to guard against the ping-pong vulnerability, and that is to use routers that support the modern version of ICMPv6. RFC 4443 corrects the error in the earlier specification: a router that receives a packet from a point-to-point link, destined to an address in that link’s subnet other than one of its own, must drop it and return an ICMPv6 Destination Unreachable (code 3, address unreachable) rather than forward the packet back onto the link. That also gives you a quick check for your own gear: send a packet to an unused address on a /64 point-to-point link and watch for the Destination Unreachable; if the interface counters climb instead, the router is still behaving the old way.

RFC 4443 has been around since March of 2006. There is no reason for a vendor to continue to ship a version of ICMPv6 that has been obsolete for five years. And it is, in my opinion, absurd for a vendor to advocate using a /127 subnet on point-to-point links, in violation of all other IPv6 recommendations, simply to avoid updating their ICMPv6 code. Rather than bend your IPv6 address design to accommodate a vendor inadequacy, pressure your vendor to modernize.

There is another potential vulnerability cited in RFC 6164: if a point-to-point link runs Neighbor Discovery Protocol (NDP), a packet to an unused IPv6 address on the subnet causes an INCOMPLETE entry in the router’s neighbor cache and a Neighbor Solicitation message on the link. A flood of packets to many unused addresses can fill the neighbor cache and congest the link with NS messages, a denial of service. RFC 6164 recommends preventing such an attack by, again, using /127 prefixes.

But there is an easier way to prevent these neighbor cache exhaustion attacks. Among point-to-point link types, only Ethernet runs NDP (a protocol designed for multi-access LANs), so the solution is simply to disable NDP on point-to-point Ethernet links, configuring the peer’s link-layer address statically since the link still has to resolve it somehow.

So. Use of /127s on point-to-point links violates recommended IPv6 subnet usage. They put a band-aid on an obsolete version of ICMPv6 so that some vendors do not have to modernize their code. They prevent neighbor cache exhaustion attacks, but disabling NDP on point-to-point Ethernet links is a simpler prevention of those attacks.

Which brings us back around to using /127s for address conservation. And we’ve seen already that the reasoning for this, when we are happily wasting just as many addresses on LANs with /64s, is shaky.

All in all, I don’t have strong convictions against using /127s on point-to-point links. /127s on point-to-points and /64 on everything else is still comfortably close to one-size-fits-all. I tell my clients the pros and cons I’ve presented here, and emphasize that the supposed address conservation achieved with /127s is illusory and based on shaky logic. If they insist on using them anyway, well, okay. I’m fine with that.

But there is one prefix that you should not use.

What About /126?

Some networkers are designating /126 prefixes for subnets rather than /127, on the misguided assumption that they should use an IPv6 equivalent of an IPv4 /30: four addresses per point-to-point subnet, two for the interfaces, one as the “subnet address” (host bits all zero) and one as the broadcast address (host bits all one).

One more time: IPv4 thinking. Not only that, it’s old even for IPv4 thinking. On a point-to-point link neither the subnet address nor the broadcast address is used for anything. And in IPv6, there is no broadcast address at all, so the all-ones host address is functionally meaningless. It’s just another address.

If you insist on conserving IPv6 addresses on router-to-router links, use /127. A /126 wastes two whole addresses, and we can’t have that for heaven’s sake.

If, despite all my ranting, you still just cannot decide whether a /64 or a /127 is best to use, you might consider a compromise: reserve a /64 for each point-to-point link, but then configure a /127 out of the /64. If future best practice falls on the side of /127, you’re all set and can use the rest of the /64s elsewhere. If it remains on the side of /64s, you can do a simple prefix length change on your link addresses to bring your network into compliance. Whether you use 64-bit subnets or 127-bit subnets on your point-to-point links, be sure you are making your decision based on sound engineering reasons and not on outdated IPv4 design principles.

And remember that ARIN and the other RIRs support using /64s on all subnets. If you find that your IPv6 allocation does not support enough subnets for your network, you do not need to begin subnetting down into the Interface-ID. You need to ask your RIR for a larger allocation. I made that statement in a presentation a few weeks ago, and someone from ARIN stood up and affirmed it. They want you to use /64s, and they will allocate to be sure you can.
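The three prefix-length arguments in this article (the RFC 3627 Subnet-Router anycast collision on a /127, the RFC 2463-era ping-pong loop versus the RFC 4443 drop, and the address counts behind the /126 question) can be checked with a small model. What follows is an added example, not code from the original article, written against Python's standard ipaddress module; the 2001:db8:0:1 prefix and the "::dead" target are constructed documentation-range values, and the hop cap stands in for the Hop Limit.

```python
"""Added example (not from the original article): a small model of the
prefix-length arguments using Python's ipaddress module. Addresses are
constructed from the 2001:db8::/32 documentation range."""
import ipaddress


def subnet_router_anycast(iface):
    """Subnet-Router anycast address for the interface's prefix: prefix
    bits kept, all interface-ID bits zero (RFC 4291 section 2.6.1)."""
    return ipaddress.ip_interface(iface).network.network_address


def anycast_collides(local, peer):
    """RFC 3627's objection: if the local router also configures the
    Subnet-Router anycast address, does it equal the peer's unicast
    address (which would make the peer's DAD fail)?"""
    return subnet_router_anycast(local) == ipaddress.ip_interface(peer).ip


def simulate(dst, end_a, end_b, rfc4443=True, max_hops=16):
    """Forward a packet for `dst` that enters router end_a from outside
    the point-to-point link end_a--end_b (a non-Ethernet link, so there
    is no Neighbor Discovery to fall back on).

    rfc4443=False models the RFC 2463-era behaviour: an on-link address
    nobody owns is forwarded out the only on-link interface, so the
    packet bounces between the two routers.
    rfc4443=True models RFC 4443 section 3.1: a router that receives a
    packet from the point-to-point link for a subnet address that is
    not its own drops it and returns Destination Unreachable, code 3.

    Returns (outcome, hops); max_hops stands in for the Hop Limit."""
    dst = ipaddress.ip_address(dst)
    holder = ipaddress.ip_interface(end_a)
    other = ipaddress.ip_interface(end_b)
    from_link = False              # the first copy arrives from elsewhere
    hops = 0
    while hops < max_hops:
        hops += 1
        if dst == holder.ip:
            return ("delivered", hops)
        if dst not in holder.network:
            return ("not-on-link", hops)   # routing table lookup instead
        if from_link and rfc4443:
            return ("dropped-unreachable", hops)
        holder, other = other, holder      # send it across the link
        from_link = True
    return ("ping-pong", hops)


def unused_addresses(prefix, in_use=2):
    """Addresses in the prefix that no interface uses on a two-router link."""
    return ipaddress.ip_interface(prefix).network.num_addresses - in_use


if __name__ == "__main__":
    p = "2001:db8:0:1"   # constructed documentation prefix
    print("/127 anycast collision:", anycast_collides(f"{p}::1/127", f"{p}::/127"))
    print("/64 anycast collision:", anycast_collides(f"{p}::1/64", f"{p}::2/64"))
    for modern in (False, True):
        print(f"/64 link, rfc4443={modern}:",
              simulate(f"{p}::dead", f"{p}::1/64", f"{p}::2/64", rfc4443=modern))
    print("/127 link, stray address:",
          simulate(f"{p}::2", f"{p}::/127", f"{p}::1/127", rfc4443=False))
    for plen in (64, 126, 127):
        print(f"/{plen} unused addresses:", unused_addresses(f"{p}::/{plen}"))
```

Running it shows the /127 anycast address landing exactly on the peer's unicast address while the /64 case is harmless; the same flood packet bouncing until the hop cap on an RFC 2463-style /64 link but dying at the second router (with an unreachable sent back) once RFC 4443 behaviour is in force; and a /127 having no on-link address left for an attacker to aim at, which is the whole of RFC 6164's argument.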


Juniper Is Simply Connected

Juniper has announced a new go-to-market strategy for the enterprise LAN called Simply Connected. The strategy has two connotations, according to Juniper: users simply want to connect to the network easily and quickly, and IT wants easy-to-manage networking extending from the user to the core.

Go-to-market strategies like Juniper's are not new. They give vendors a way to frame their product sets as "solutions" rather than SKUs, and they provide insight into the focus of the vendor. Cisco’s Borderless Networks, for example, focuses on providing users a seamless networking experience regardless of where they are.

Juniper is big on vision and for the past several years has been building both its messaging and product integration to support the promises it makes. Alongside the go-to-market strategy, Juniper is also announcing three new campus switches, a WLAN controller, and updates to Junos Pulse, its mobile client.

Juniper wasn’t the first to talk about a unified OS across its switch lines but it is the loudest; I think Extreme Networks was most likely first when they announced XOS across their EX switch line. Coupled with its data center strategy, Project Stratus, Juniper is covering both the data center and campus LAN.

While Juniper doesn’t have the same product breadth as Cisco or HP, it also doesn’t have the baggage that a long product history carries. The new product announcements fill out Juniper's campus LAN switch line and extend from small to large installations.

The three new switches span wiring closet aggregation down to small remote sites. At the top is the 14U EX6200, which supports up to 432 10/100/1000 copper ports (384 with dual SRE management modules installed) and can supply PoE+, 30 watts per port, across all ports with four 5000 watt power supplies. Juniper is also announcing the EX3300 family of six fixed form factor switches ranging from 24- to 48-port 10/100/1000 models, two of which support PoE and PoE+.

The EX3300-24P will support 24 ports at 15.4 watts or 13 ports at 30 watts, while the EX3300-48P offers 48 ports at 15.4 watts or 24 ports at 30 watts. The compact, fanless EX2200-C is targeted at remote locations such as point-of-sale terminals. The EX2200-C can support six ports at 15.4 watts or three ports at 30 watts.

The new mid-range WLC880 WLAN controller fills a gap in Juniper's wireless offering, supporting up to 256 access points and Juniper's Spectrum Management. Missing from Juniper's lineup, compared to Cisco’s Borderless Networks, are the features that enable branch office server consolidation, such as WAN optimization or VM capabilities in the branch office equipment.

Juniper also enhanced its Junos Pulse client with new capabilities for Apple’s iPhone and iPad as well as Android phones and tablets. The new version enables enterprises to lock and wipe devices, set Exchange policies, and manage the device's VPN and Wi-Fi settings, as well as inventory the device and restrict applications. For Android, administrators can revoke applications and remove malware. Juniper’s enhancements should be welcome to organizations that are wrestling with mobile device management.

Pricing and availability: the EX6200 starts at $35,000 for a 96-port system; each 48-port card (up to a maximum of 432 ports) costs $5,500 for data and $8,000 for PoE+, and it will be available in October 2011. The EX3300 starts at $4,500 for 24-port data and runs up to $8,800 for 48 ports with PoE+, and is available today. The EX2200-C starts at $1,295 ($1,895 for PoE+) and is available today. The WLC880 starts at $9,995 and will be available in October 2011.

See more on this topic by subscribing to Network Computing Pro Reports Strategy: Unified Computing Stack Wars (subscription required).

