Comparing ConSentry and Cisco Edge Switches

   

Many Cisco customers, happy with Cisco switches at the core, have standardized on ConSentry LANShield Switches at the edge. Rather than a switch that thinks only in terms of IP addresses and Layer 4 ports, the ConSentry intelligent switch natively understands user identity, device, role, application, and destination server. Having that business context makes it much simpler for IT to apply user and application control than trying to configure the right VLANs and ACLs on a Cisco switch. Embedding that intelligence directly in the access switch also makes deployment easier for IT and provides the tightest controls.

Since edge switches have an average lifespan of four to six years, they must not only satisfy today’s requirements but also be flexible and extensible to handle tomorrow’s needs.

Your next switch upgrade provides the ideal opportunity to add intelligence directly into the switch. This next-generation switch must satisfy the basic edge switch requirements but also have the additional intelligence needed to make it easier for IT to achieve broader corporate directives. These comparison charts illustrate the benefits of the intelligent switch architecture that ConSentry switches offer vs. the limitations of the legacy switch architecture at the heart of Cisco’s switches.

See also Legacy Switch Architecture vs. Intelligent Switch Architecture comparison.

Edge Switch Ethernet Features

Feature                        | ConSentry | Cisco
Gigabit Ethernet ports         | 24/48     | 24/48
Redundant 10 Gbps uplinks      | Yes       | Yes
Power over Ethernet            | Yes       | Yes
Redundant power                | Yes       | Yes
Wire-speed L2/L3 forwarding    | Yes       | Yes
Microsecond latency            | Yes       | Yes
QoS/Rate limiting              | Yes       | Yes
IPv6 support in hardware       | Yes       | Yes

Supporting Key Corporate Directives

User authentication
  ConSentry:
    • passive authentication by watching Windows login or RADIUS authentication
    • active authentication via captive portal or 802.1X
    • integrated support for authentication over VPN connections
  Cisco:
    • active authentication via captive portal or 802.1X
    • no passive authentication
    • authentication of VPN users is separate
  ConSentry Benefits:
    • no requirement for 802.1X or any change to user login behavior
    • authentication covers both managed and unmanaged PCs
    • single access policy spans wired, wireless, and VPN

User, role, application identification and tracking
  ConSentry:
    • full L2 – L7 statistics by username, role, application, and destination server at Layer 7, including L7 attributes such as file name or URL
  Cisco:
    • sampled L3/L4 data, tied to IP address
  ConSentry Benefits:
    • enables granular audit trail of all user activity for compliance or tracking employee productivity
    • L7 vs. L4 tracking correctly identifies even port-hopping applications
    • aggregates user- and role-based statistics for top applications, URLs, and policy violations

Role derivation and access policies
  ConSentry:
    • automatic role derivation by querying identity stores (Active Directory, eDirectory, Sun One, Open LDAP)
    • link role to time, location, and access method to apply access policies
  Cisco:
    • requires move to role-based VLANs and development of new ACLs
    • requires separate NAC Appliance for VLAN assignment
    • requires proprietary identity store (Cisco ACS)
  ConSentry Benefits:
    • enables customers to leverage existing identity store
    • supports access control without new VLANs or ACLs

File transfer and access auditing
  ConSentry:
    • captures file-level access details for Windows (CIFS/SMB), FTP, and Instant Messenger programs
  Cisco:
    • limited to byte-level statistics for source and destination IP address
    • port mirroring to a separate appliance can provide some L7 data
  ConSentry Benefits:
    • full understanding of all users who accessed particular files
    • full tracking of all file transfers across multiple protocols and applications (such as IM)
    • consolidated views of what files a given user has accessed

Protect and control non-user devices
  ConSentry:
    • automatic device recognition through reverse DNS or MAC whitelisting
    • automatic role assignment to protect the device and the network
  Cisco:
    • limited to MAC or IP address whitelisting
  ConSentry Benefits:
    • automates discovery of devices such as printers, VoIP phones, cameras, card readers, factory robots
    • simplifies role assignment for devices

Endpoint scanning
  ConSentry:
    • integrated, without the need for client software
  Cisco:
    • available in separate appliance
    • requires client software
  ConSentry Benefits:
    • integrated support simplifies deployment
    • spans managed and unmanaged desktops

Copyright © 2008, ConSentry Networks. All rights reserved.  |  1690 McCandless Drive, Milpitas, CA 95035  |  +1 408-956-2100  |  1-866-841-9100