Considering Juniper's longtime advocacy of network access control (NAC), it's not surprising that the EX 4200 did well in our authentication tests. The switch passed all six scenarios, five of which used 802.1X. These tests examined authentication into a statically defined virtual LAN; authentication of multiple clients per port; authentication into a dynamically allocated VLAN; authentication with dynamically applied access control lists (ACL); and placement into a restricted VLAN upon authentication failure.
In the ACL test the switch applied rules previously defined on the switch; this is far less cumbersome than the approach taken by some other switches, where ACLs must be entered into the RADIUS server then returned to supplicants during authentication.
The switch also passed a sixth test involving authentication by a media access control (MAC) address; this scenario represents the case where an end-station, such as a printer, lacks 802.1X supplicant software. One catch here was that the switch's CLI did not display clients currently authenticated by MAC addresses, as it did with 802.1X-authenticated clients. Juniper says it expects an August software release to remedy that.
The Juniper switch passed all access control tests with minor configuration changes needed for each scenario. In comparison, Cisco's Catalyst 3750E required no configuration changes for any of our scenarios except for multi-auth. Then again, the Cisco switch failed the multi-auth test, authenticating only the first user and forwarding unauthenticated traffic from the second and subsequent users. Few other switches we've tested (Extreme's Summit X450 and Foundry's FastIron Edge X448 are exceptions) passed all these test cases, with or without configuration changes.
Like other enterprise switches deployed at the edge of corporate networks, the EX 4200 offers a "storm control" feature to limit rates of potentially malicious traffic. We tested this feature using two denial-of-service (DoS) attacks, a broadcast storm and a SYN flood, and found the switch blocked broadcasts but forwarded SYNs.
For both tests, we configured a Mu Dynamics Mu-4000 security analyzer to generate DoS attacks at 100,000 frames per second, and then configured the Juniper switch to restrict such traffic to 1% of line rate, or around 1,500 frames per second. Using Spirent TestCenter's real-time rate counters, we verified that the Juniper switch did rate-limit broadcast traffic.
However, the switch didn't control the rate of Mu's SYN flood attack. Juniper says the current JUNOS release imposes rate controls only on broadcast and unknown unicast traffic (that is, traffic with no existing entry in the switch's MAC address table). That makes storm control useful in thwarting "bot" attacks against random, unknown destinations. It's not useful in stopping an attacker targeting specific servers.
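To make the distinction in the last two paragraphs concrete, here is an added Python model (not Juniper's code or configuration) of a storm-control policer that limits only broadcast and unknown-unicast frames to the roughly 1,500 frames/second used in the test, while unicast to a MAC already in the address table is never policed; the server MAC, the scan destination and the frame labels are constructed.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
STORM_LIMIT_FPS = 1_500          # 1% of line rate, as configured in the test
ATTACK_RATE_FPS = 100_000        # Mu-4000 attack rate quoted in the review
SERVER_MAC = "00:11:22:33:44:55"  # constructed: a learned (known) server MAC


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    label: str  # descriptive only, e.g. "broadcast" or "tcp-syn"


class StormControlPort:
    """Storm control as described: police broadcast and unknown unicast only."""

    def __init__(self, limit_fps: int, mac_table: set[str]):
        self.limit_fps = limit_fps
        self.mac_table = mac_table

    def is_policed(self, frame: Frame) -> bool:
        return frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table

    def forward_one_second(self, frames: list[Frame]) -> dict[str, int]:
        """Apply a one-second budget to policed frames; return per-class counts."""
        counts = {"policed_forwarded": 0, "policed_dropped": 0, "unpoliced": 0}
        budget = self.limit_fps
        for frame in frames:
            if not self.is_policed(frame):
                counts["unpoliced"] += 1      # SYN to a learned MAC passes untouched
            elif budget > 0:
                budget -= 1
                counts["policed_forwarded"] += 1
            else:
                counts["policed_dropped"] += 1
        return counts


def run_scenarios() -> dict[str, dict[str, int]]:
    """Replay the three traffic patterns discussed above for one second each."""
    port = StormControlPort(STORM_LIMIT_FPS, mac_table={SERVER_MAC})
    scenarios = {
        "broadcast_storm": [Frame(BROADCAST, "broadcast")] * ATTACK_RATE_FPS,
        "syn_flood_known_server": [Frame(SERVER_MAC, "tcp-syn")] * ATTACK_RATE_FPS,
        # bot-style traffic toward a destination the switch has never learned
        "unknown_unicast_scan": [Frame("00:de:ad:be:ef:01", "tcp-syn")] * ATTACK_RATE_FPS,
    }
    return {name: port.forward_one_second(frames) for name, frames in scenarios.items()}
```

Calling `run_scenarios()` shows the broadcast storm and the unknown-unicast scan clipped to 1,500 forwarded frames, while all 100,000 SYNs to the known server are forwarded, which is the gap the review points out.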