
Top Layer switch lives up to promises

AppSwitch 2500 is the first box to pass application-layer QoS muster in our testing.


When we first heard Top Layer Networks' claims about its new AppSwitch 2500, which began shipping last week, we were skeptical. The AppSwitch 2500 is a 10/100M bit/sec Ethernet switch that the company asserts can - in addition to handling basic switching and routing services at wire speed - guarantee a specific level of bandwidth and priority based on Layer 7 application information. Furthermore, the company claims that this box does application prioritization, acts as an application-level firewall and monitors application-level traffic information.

Our testing verified Top Layer's claims on almost every count. The AppSwitch 2500 can achieve wire-speed performance while handling Layer 2 and 3 bridging and routing functions. The switch's firewall services worked as advertised. And we were impressed with its ability to prioritize the flow of network traffic by application.

The AppSwitch 2500 monitors the well-known Layer 4 port address flows, determines which dynamic ports were negotiated between the end stations, and then applies a quality-of-service (QoS) policy to that flow. It's the first switch we've tested that implements QoS in a stateful fashion above Layer 4 in the Open Systems Interconnection model.

We first tested the AppSwitch's Layer 2 and Layer 3 throughput and latency. We found wire-speed throughput at Layer 2 and Layer 3 for all packet sizes we tested, with the exception of 64-byte packets at Layer 3. With small packets switched at Layer 3, we saw 99.4% of maximum throughput.

Latency, or the delay the box incurs when forwarding a packet, was low, at about 20 microseconds. The average figure for latency is somewhere between 25 and 30 microseconds. Our latency measurements for the AppSwitch 2500 were consistent for all packet sizes and for all loads ranging from 50% to 95% at Layer 2 and Layer 3, with the exception of all packet sizes at wire speed. At wire speed, we saw latency increase almost 200% to 380 microseconds.

Top Layer says these increased latency rates may be due to a slight discrepancy in the clock rates of the AppSwitch 2500 and the Netcom Systems Smartbits equipment used in our tests, which could cause the packets to back up in a queue at wire speed.

The firewall test went off without a hitch. There were no problems with the configuration of the firewall policy or in the execution of the test. We set up a policy that let FTP traffic pass through the AppSwitch 2500 if it originated from the private side of the firewall but reject FTP traffic coming from the public side. We didn't perform extensive firewall testing, preferring instead to concentrate on evaluating the main features for which network architects would purchase the product.

For our QoS test we sent two streams of data - an FTP stream, which runs over TCP, and a User Datagram Protocol (UDP) stream - to a single switch port. With both streams set for the same priority, a 7.5M-byte file transfer took about 2,800 seconds. This test indicates what would happen in a non-QoS network with this amount of congestion. When we changed the policy so that the FTP stream had the highest priority and the UDP stream had the lowest priority, the file transfer took a much more reasonable 2 seconds.

The AppSwitch 2500 monitors the FTP control session to determine what TCP port will carry the data. We have tested quite a few QoS implementations but have seen nothing that monitors the control port address for an application to find the negotiated data port address and then enforces a QoS policy over that flow.
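The control-session tracking described above, sketched as an added example (not Top Layer's code and not part of the original review): it parses the FTP PORT command and the 227 passive-mode reply to learn the negotiated data endpoint, then classifies new connections against a service-class table. The class names, priority values and the same-host check are assumptions made for illustration.

```python
import re

FTP_CONTROL_PORT = 21
# Constructed service classes (0 = highest priority); names and values are assumptions.
SERVICE_CLASS = {"ftp": 0, "default": 7}
# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

class FtpFlowTracker:
    """Learns negotiated FTP data endpoints from control-session lines."""

    def __init__(self):
        self.expected = set()  # {(listener_ip, listener_port)}

    def on_control_line(self, client_ip, server_ip, from_client, line):
        ep = parse_hostport(line)
        if ep is None:
            return None
        # PORT is sent by the client, 227 by the server; ignore mismatches.
        if line.upper().startswith("PORT ") != from_client:
            return None
        # Assumed hardening: the listener must be the host that announced it,
        # so a control line cannot open a flow to a third-party address.
        if ep[0] != (client_ip if from_client else server_ip):
            return None
        self.expected.add(ep)
        return ep

    def classify(self, dst_ip, dst_port):
        """Map a new TCP connection's destination to (application, priority)."""
        if dst_port == FTP_CONTROL_PORT or (dst_ip, dst_port) in self.expected:
            return "ftp", SERVICE_CLASS["ftp"]
        return "default", SERVICE_CLASS["default"]
```

A production enforcement point would also expire learned endpoints when the control session closes and would parse the extended EPRT and EPSV forms as well.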

The AppSwitch 2500 is also loaded with features that help you track the effectiveness of your QoS scheme across your network. Flow graphing features built into the box give you a look at how the policies are working. A Windows application included with the system software helps you explore the flow characteristics of the network and gives information on how policies should be defined. Top Layer supports SNMP management via Management Information Base (MIB) II, Bridge MIB, Ethernet MIB, Remote Monitoring MIB and IP Forwarding Table MIB.

The AppSwitch falls short in its lack of support for Open Shortest Path First (OSPF) or Border Gateway Protocol, which makes it more suitable as an edge switch than a core switch. Without support for these protocols, the AppSwitch 2500 can't take advantage of address summarization. Address summarization would let the AppSwitch 2500 minimize its routing table, thus increasing its scalability. Not being able to handle a large number of routes could create a nasty surprise for a growing campus network.

The AppSwitch 2500 also lacks a network address translation feature. Network address translation would give the box the ability to hide reserved IP addresses behind the device to conserve IP address space - a big concern for many campus network administrators. Fortunately, Top Layer expects to add this support to its AppSwitch line next spring.

Getting started

The AppSwitch 2500 arrived in our lab with a fixed configuration of 12 10/100 copper 100Base-T ports and two 100Base-FX ports. The 10/100 ports can automatically negotiate configurations or can be set to any combination of 10M or 100M bit/sec and full or half duplex. The box has a default configuration with predefined policies to simplify the configuration process. But we were pleased to see the switch is configurable from a serial port, by telnet or by Web browser because there are always features that you must configure yourself.

We used a Netscape browser to configure the AppSwitch 2500. The box is configured with an IP address of 10.7.1.1 by default. If you have more than one AppSwitch 2500 to configure, you can physically connect them together and they will negotiate which will be the master unit that responds to 10.7.1.1. All the slave units can then be configured from the master's Web interface.

The browser-based interface is well thought out, but the sheer number of features you need to configure takes a bit of getting used to. The interface could use some improvements, as we'd like to be able to swap inbound and outbound policies and be able to make mass changes instead of individually editing entries in a table.

You can configure just about any kind of QoS scheme or firewall policy from the browser-based configuration interface. The policy configuration interface is easy to use once you understand the procedure. First, you have to link an application with a service class, which is a priority level with or without a bandwidth limit. The application and service-class pairs are then grouped into policy set templates. These templates are placed in an intersection between logical groupings of users, hosts and ports that Top Layer refers to as zones.

We found IP routing relatively easy to set up and use, but it is a bit unconventional. Instead of configuring an IP subnet on a physical port as many routers do, we had to enter all IP subnets into a table. The AppSwitch 2500 uses Address Resolution Protocol (ARP) requests and listens to ARP replies to determine which IP hosts are connected to which ports.

Currently, the AppSwitch 2500 only listens to Routing Information Protocol for routing updates and not OSPF, but Top Layer plans to make OSPF available by the fall of 2000.

While Top Layer has done a good job explaining how to configure its product, its documentation offers little help troubleshooting ongoing problems. Once you've completed the installation, find a good speakerphone because you'll probably be spending a lot of time on the line with Top Layer's technical support staff.

Nevertheless, the AppSwitch 2500 successfully combines solid switching performance with useful Layer 7 QoS and firewall features. The unfortunate side effect of having so many features in one box is a relatively complex configuration process. Still, the AppSwitch 2500 is a product to watch.

Bass is the technical director of Centennial Networking Labs at North Carolina State University, a commercial network testing lab that specializes in function and performance test of networks and networking equipment. He can be reached at john_bass@ncsu.edu.


Copyright, 1994-2006 Network World, Inc. All rights reserved.