Policy-Based Network Management

November 29, 1999

By Joel Conover

If you're like many network managers, you have an expensive PC or Unix workstation attached to your infrastructure that is meant to collect vital network-health statistics from your enterprise, but mostly collects dust. But that's about to change. Vendors are reinventing network management, transforming its role from passive network monitoring to active QoS (Quality of Service) and network service-level-agreement provisioning. If you think your mission-critical applications are not performing as well as they should be, this new generation of network-management tools promises to help you squeeze every last ounce of bandwidth from your overworked network.

During the past year, a number of new features should have made their way onto your routed network. Have you been keeping up with all the new QoS capabilities on Cisco Systems routers? Cisco's IOS 11 (Internetwork Operating System version 11) introduced new ways to manage the traffic on LAN and WAN links. Likewise, Nortel Networks' BayRS 13.2 offers many new QoS-specific commands. But it's a nightmare to understand, implement and track the configuration modifications required to affect specific traffic flows on your network, and in many cases it's simply impossible.

Policy-based network management (PBNM) software is vendors' answer for managing QoS and security on distributed networks. We polled 13 vendors with an interest in policy-based networking and were pleasantly surprised to find that all had products in the works. Nine volunteered to bring their solutions to our Real-World Labs® at the University of Wisconsin-Madison for the first-ever roundup of policy-based network management products. We included both device vendors and independent management-system vendors that are trying to carve out a niche in the market.

The device vendors included Allot Communications, Cisco, Extreme Networks, Lucent Technologies, Nortel and Spectrum Management (a wholly owned subsidiary of Cabletron Systems). Hewlett-Packard Co. is in the middle, with separate network-management and network-equipment divisions, and a product that is tailored to both halves. And two startups, IPHighway and Orchestream, are touting device-independent solutions.

Until recently, most of the hype around PBNM had more bluster than luster. But vendors have been quick to turn pipe dreams into product. The nine contenders we tested implemented the features we felt were necessary for a 1.0 policy management product (see our features chart). We tested each vendor's work-in-progress--generally unreleased beta software--and made an assessment of each overall product strategy. In the process, we saw that various vendors define "policy networking" differently. That's why we chose not to grade these products. Instead, we give two Editor's Choice awards: one to Orchestream for having the most mature PBNM solution to date, and one to Cisco, for having the most comprehensive long-term strategy.

Orchestream has been a trailblazer in policy-based management, and its 2.0 software, which was being prepared for shipment during our tests, reflects this. The software supports the widest range of devices and the most options of the products we tested.

We based our decision regarding the best bet for long-term strategy on factors such as how vendors planned to integrate with legacy tools for network management, what standards-based protocols the vendors claimed to embrace (see "PBNM: A Matter of Protocol"), their multivendor story and our best guess at the vendor's chance of delivering on the strategy. We chose Cisco, despite its rather checkered past in network management.

Cisco's solution, based on the COPS (Common Open Policy Server) protocol, builds a foundation that will let the vendor integrate not only its own products, but also most other products on the network. Active network monitoring, network service-level-agreement management, and integration with multiple network operating systems for user-based policies are all part of its picture. Bringing all these components together is no easy task, but we think Cisco has the best chance to do it first.

Caveat Emptor

Worse, this area still suffers from a lack of standards. There are two key issues that remain to be addressed: First, how the vendor will access and control the hardware, and second, how these systems glean information about an organization's users and resources. Device configuration can be accomplished only by employing a combination of CLI (command-level interface), SNMP, COPS and LDAP. We'd feel much better if we had a single standardized access transport and nomenclature.





