In an exclusive IDG test, Cisco's Catalyst 4948-10GE delivered record low latency and line-rate throughput. Coupled with innovative security mechanisms and an extensive list of switching and routing features, this switch is outstanding.
The Catalyst 4948-10GE offers 48 copper Gigabit Ethernet and two 10G Ethernet ports, much like competing products from Extreme Networks, Force10 Networks and Foundry Networks.
Perhaps the biggest difference is Cisco's use of X2 transceivers for 10G Ethernet interfaces. These are about the size of Gigabit Ethernet transceivers, putting them about halfway between 10G Ethernet Transceiver Package (XENPAK) transceivers and smaller 10 Gigabit Small Form Factor Pluggable transceivers (XFP) in newer 10G switches from Force10, Foundry and Nortel, among others. One consideration for adopters of multiple transceiver types is that they'll have to keep multiple types of spares on hand, with prices well into the thousands of dollars for each.
X2 transceivers are functionally identical to XENPAK transceivers, while XFP transceivers offload the serialiser/deserialiser (Serdes) function to the switch's circuit board. Cisco says X2s boost reliability because a Serdes failure requires replacement of just a transceiver rather than an entire switch. We're not sure about that claim: While it's still relatively early for XFPs, we've yet to junk an XFP device because of a Serdes failure. We did verify that X2 transceivers interoperate with both XENPAK and XFP transceivers over single-mode fibre cabling.
We stress-tested the Catalyst 4948-10GE in various configurations, and it came up aces in all of them. These configurations involved Layer-2 and -3 switching, virtual LANs (VLAN) and Open Shortest Path First (OSPF) routing, all common tasks for an aggregation switch. We also measured the switch's buffering and unicast address learning capacity.
We pounded the switch with a traffic pattern that involved fully meshed traffic between all 48 Gigabit Ethernet ports, as well as traffic between the two 10G Ethernet ports.
The Layer-2 and -3 switching tests were simple, with only one media access control (MAC) and/or IP address per port. For the VLAN tests, we defined 28 VLANs on each Gigabit Ethernet port, for a total of 1,344 VLANs. For the OSPF tests, we used the Spirent SmartBits traffic generator/analyser to emulate 10,000 networks with 250 hosts on each.
In all tests, the Catalyst 4948-10GE delivered line-rate throughput of up to 101.19 million frames per second.
We also measured latency, the time the switch takes to forward each frame while running at the throughput rate. Average latency hovered around 4 microseconds (µs) for most frame lengths, a new low among Ethernet switches we've tested. All latency figures we recorded are at least an order of magnitude below the point where they would affect even the most time-sensitive application. Latency and jitter were also remarkably low and constant on the Gigabit Ethernet interfaces.
We measured the switch's buffering capacity, or how long it holds up traffic when it's overloaded. With both two-to-one and 10-to-one overloads, the maximum delay we observed was about 1.4ms for 64-byte frames; 26ms for 1518-byte frames; and 128ms for 9000-byte frames. None of these worst-case results are likely to degrade application performance in production networks.
Cisco said the Catalyst 4948-10GE can keep track of 55,000 unicast MAC addresses without flooding. We verified that claim by offering 54,999 addresses of our own, which, added to the switch's own address, matches the data-sheet claim.
The Catalyst 4948-10GE has a well-stocked security arsenal. Like many other switches, it supports 802.1X user authentication, Secure Shell v2 for remote access, and access control lists. The switch offers many other security features, as well.
The port security feature lets the switch learn and lock the MAC addresses of attached hosts, retaining them across reboots if they are saved with the configuration ("sticky" learning), and limits how many addresses a port may source. A port that sees a frame from an unexpected MAC address can be shut down, which blocks MAC spoofing and the MAC-flooding attacks that try to turn a switch into a hub, and keeps the address table stable.
DHCP snooping lets the switch classify ports as trusted (where a DHCP server may legitimately sit) or untrusted, and drop DHCP server responses that arrive on untrusted ports, so a rogue DHCP server cannot hand out bogus default gateways or DNS servers and redirect traffic. DHCP snooping can also rate-limit DHCP messages from untrusted ports, blunting denial-of-service attacks that try to exhaust the address pool of legitimate DHCP servers.
The IP source guard feature builds on DHCP snooping to stop an attacker from injecting traffic with a legitimate user's IP address. From the leases it observes, the switch builds a binding table that maps each IP address (and its MAC address) to the port that obtained it. If traffic arrives on an untrusted port with a source IP address that is bound to a different port, or to no port at all, the switch drops it; hosts with static addresses therefore need a static binding entered by hand.
DHCP snooping and IP source guard both work on 802.1Q trunks, 802.3ad link aggregation trunks (or Cisco EtherChannels) and private VLANs, as well as on individual ports.
The Dynamic ARP inspection (DAI) feature blocks Address Resolution Protocol (ARP) cache poisoning, a relatively easy and common attack on networks built from many other switches and routers. By sending unsolicited or gratuitous ARP replies that bind a legitimate user's (or the default gateway's) IP address to the attacker's MAC address, an attacker can redirect traffic to and from that address and capture passwords, email, VoIP calls or anything else. DAI thwarts this by validating every ARP packet received on an untrusted port against the IP-MAC binding table built by DHCP snooping (or static entries) and dropping any packet whose sender IP and MAC addresses do not match a binding.
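To make the interplay between port security, DHCP snooping, IP source guard and DAI concrete, here is an added toy model in Python. It is not Cisco's code or configuration; the port names (Gi1/1, Gi1/2, Gi1/3, Gi1/48), the rate limit and the sample traffic are constructed for the example. It shows what the paragraphs above leave implicit: the binding table that DHCP snooping fills in while a lease is being granted is what the other two checks consult, so a host with a static address needs a manually added binding or its traffic is dropped, and a DHCP server message arriving on an untrusted access port is itself the rogue-server signature.

```python
# Added example (not Cisco's code): a toy model of the binding-table checks
# described in the review. Port names, limits and traffic are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str


@dataclass
class AccessSwitch:
    trusted: set = field(default_factory=set)       # uplinks / DHCP-server ports
    bindings: dict = field(default_factory=dict)    # ip -> Binding (snooping table)
    pending: dict = field(default_factory=dict)     # client mac -> port of its request
    dhcp_limit: int = 15                            # DHCP packets allowed per untrusted port
    dhcp_seen: dict = field(default_factory=dict)   # port -> DHCP packets counted
    ps_max: int = 1                                 # port security: MACs allowed per port
    ps_learned: dict = field(default_factory=dict)  # port -> set of sticky MACs

    # --- DHCP snooping -----------------------------------------------------
    def dhcp(self, port, msg, mac, ip=None):
        """msg is DISCOVER/REQUEST (client) or OFFER/ACK (server). Returns a verdict."""
        if port not in self.trusted:
            n = self.dhcp_seen.get(port, 0) + 1     # toy counts totals; a switch counts per second
            self.dhcp_seen[port] = n
            if n > self.dhcp_limit:                 # DHCP starvation / DoS protection
                return "drop:dhcp-rate-limit"
            if msg in ("OFFER", "ACK"):             # server reply from an access port: rogue server
                return "drop:rogue-dhcp-server"
            self.pending[mac] = port                # remember which port the client lives on
            return "forward"
        if msg == "ACK" and mac in self.pending:
            # Lease confirmed by a trusted server: install the ip/mac/port binding.
            self.bindings[ip] = Binding(ip, mac, self.pending.pop(mac))
        return "forward"

    def static_binding(self, ip, mac, port):
        """Hosts that do not use DHCP need a manual entry or ISG/DAI will drop them."""
        self.bindings[ip] = Binding(ip, mac, port)

    # --- IP source guard ---------------------------------------------------
    def ip_packet(self, port, src_ip):
        if port in self.trusted:
            return "forward"
        b = self.bindings.get(src_ip)
        return "forward" if b and b.port == port else "drop:ip-source-guard"

    # --- Dynamic ARP inspection --------------------------------------------
    def arp_packet(self, port, sender_ip, sender_mac):
        if port in self.trusted:
            return "forward"
        b = self.bindings.get(sender_ip)
        return "forward" if b and b.mac == sender_mac else "drop:dai"

    # --- Port security (sticky learning) -----------------------------------
    def learn_mac(self, port, mac):
        macs = self.ps_learned.setdefault(port, set())
        if mac in macs:
            return "forward"
        if len(macs) >= self.ps_max:
            return "drop:port-security-violation"   # a real switch would err-disable the port
        macs.add(mac)
        return "forward"


def scenario():
    """Constructed traffic: legit client on Gi1/1, attacker on Gi1/2, uplink Gi1/48."""
    sw = AccessSwitch(trusted={"Gi1/48"})
    out = {}
    victim, attacker = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    # Legit host obtains a lease through the trusted uplink.
    sw.dhcp("Gi1/1", "DISCOVER", victim)
    sw.dhcp("Gi1/48", "OFFER", victim, "10.0.0.10")
    sw.dhcp("Gi1/1", "REQUEST", victim)
    out["lease"] = sw.dhcp("Gi1/48", "ACK", victim, "10.0.0.10")
    # Attacker answers DHCP from an access port.
    out["rogue"] = sw.dhcp("Gi1/2", "OFFER", attacker, "10.0.0.99")
    # Attacker spoofs the victim's IP; ISG knows it is bound to Gi1/1, not Gi1/2.
    out["spoof_ip"] = sw.ip_packet("Gi1/2", "10.0.0.10")
    out["legit_ip"] = sw.ip_packet("Gi1/1", "10.0.0.10")
    # ARP poisoning: attacker claims the victim's IP with its own MAC.
    out["poison"] = sw.arp_packet("Gi1/2", "10.0.0.10", attacker)
    out["legit_arp"] = sw.arp_packet("Gi1/1", "10.0.0.10", victim)
    # A statically addressed host on Gi1/3 is dropped until a binding is added by hand.
    out["static_before"] = sw.ip_packet("Gi1/3", "10.0.0.50")
    sw.static_binding("10.0.0.50", "cc:cc:cc:cc:cc:03", "Gi1/3")
    out["static_after"] = sw.ip_packet("Gi1/3", "10.0.0.50")
    # Port security: a second MAC on Gi1/1 exceeds the maximum of one.
    sw.learn_mac("Gi1/1", victim)
    out["port_security"] = sw.learn_mac("Gi1/1", "dd:dd:dd:dd:dd:04")
    # DHCP starvation: attacker floods DISCOVERs with random MACs from Gi1/2.
    verdicts = [sw.dhcp("Gi1/2", "DISCOVER", f"ee:ee:ee:ee:ee:{i:02x}") for i in range(20)]
    out["starve_dropped"] = verdicts.count("drop:dhcp-rate-limit")
    return out
```

On IOS the corresponding knobs are `ip dhcp snooping` (with `ip dhcp snooping trust` and `ip dhcp snooping limit rate` per interface), `ip verify source`, `ip arp inspection vlan` and `switchport port-security` with `mac-address sticky`. The model's rate limiter counts packets in total rather than per second as the real feature does, and it checks only the sender fields of ARP packets.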
Our only complaints with the Catalyst 4948-10GE are minor: Its relatively high list price (often discounted in large deals); its lack of expandability; the possible need to stock multiple 10G transceiver types; and its lack of IPv6 support (which isn't yet a requirement for many network managers, anyway). In every other respect, the switch is a standout. It brings line-rate throughput, minimal latency and innovative security features to data centre networks.
How we did it
We assessed the Catalyst 4948-10GE in terms of performance, security and features. We tested performance in six areas: throughput/latency in L2, L3, Open Shortest Path First and virtual LAN configurations; buffering capacity during congestion; and unicast MAC address capacity.
To test throughput and latency, we configured a Spirent SmartBits traffic generator/analyzer to offer traffic to all 48 Gigabit Ethernet switch ports in a fully meshed traffic pattern, while simultaneously offering traffic to both 10 Gigabit Ethernet switch ports in a port-pair traffic pattern. We repeated this test with nine Ethernet frame lengths. In all cases, we configured Spirent's TRT Interactive 5.0 application to offer traffic for 60 seconds, and recorded throughput and average latency measurements.
We ran these tests with the Catalyst 4948-10GE in L2 (bridging) and L3 (IP forwarding) configurations. We then enabled 1344 virtual LANs on the Catalyst 4948-10GE and reran the same traffic pattern. We also tested with OSPF enabled. In the OSPF tests, we established one adjacency with each Gigabit Ethernet interface and advertised a total of 10,000 networks and offered traffic to 250 hosts on each network, for a total of 2.5 million flows.
To measure buffering capacity, we offered traffic at line rate to two Gigabit Ethernet switch ports, both destined to the same output port. We measured delay on the output port to determine buffer capacity. We then repeated the same test with a 10-to-1 overload.
To determine MAC address capacity, we used Spirent's SmartWindow application to offer various numbers of addresses in learning and test phases as described in RFC 2889.
Newman is president of Network Test, an independent engineering services consultancy. He can be reached at email@example.com.
Cisco Catalyst 4948-10GE
Distributed by Express Data, Ingram Micro and LAN Systems
RRP: About $29,000 to $42,000 depending on power supply and software features.