Cisco's dominance in enterprise networking doesn't necessarily mean it is the only game in town — or that you jeopardise job security by bypassing Cisco.

Indeed, the old adage goes, no one ever got fired for buying Cisco. But can someone get fired for staying with Cisco?

Two educational institutions are not waiting to find out. They are replacing Cisco switches with other vendors' gear due to what they say is greater feature/functionality from competitive offerings, and lower prices.

Fayetteville State University (FSU) in North Carolina is replacing more than 50 of its 280 Cisco switches with ConSentry equipment because of the embedded network access control (NAC) capabilities of those switches. And a high school in Mountain View, California, is replacing 27 Cisco switches with HP ProCurve systems due to ProCurve's lifetime warranty, equal or better functionality, lower price and wireless capabilities, a school official says.

A Cisco spokesman says the company can't comment on the Mountain View project without the customer's permission. With regard to FSU, Cisco says the 50 or so switches being replaced include non-Cisco switches, but FSU counters that it was a "100 percent Cisco shop" before installing the ConSentry gear.

CNAC problems

FSU's decision to change out about 20 percent of its Cisco infrastructure came when the university encountered problems with Cisco's Clean Access NAC appliance. The Cisco platform kept going down, students weren't properly downloading the desktop agent, and the IT team had no visibility into what was happening on the network.

The Cisco solution depended on Cisco desktop software to provide that endpoint verification. Clean Access verifies whether users are running updated anti-virus and anti-spyware software, but it doesn't scan users' computers for the actual presence of malware on that machine.

As a result, Trojans, denial-of-service attacks and other malware entered the FSU network and brought down the Clean Access platform. Also, bad traffic from users could hit the Clean Access server even if they had not authenticated or passed the EPV check, because that server was set up as the default gateway, according to FSU.

"We were having all kinds of problems," said Joseph Vittorelli, director of systems and infrastructure at the university. "One of the biggest problems was the fact that students would come on in the evening after classes and start downloading music, movies, whatever. And then the viruses and infections they had would start hammering the NAC clients and it would just freeze up. It got to the point where we had to write scripts to reboot the thing every night so that people could get on in the morning."

Cisco was largely unresponsive to FSU's dilemma, Vittorelli says.

"Throw more money at it - that'll fix it," was Cisco's response, Vittorelli says.

FSU first looked at just replacing Clean Access with ConSentry's LANShield Controller NAC appliance and have that work with the Cisco Catalyst 3750 switches in dormitories to combat the intrusions and crashes. But then FSU learned that ConSentry had switches with embedded NAC capabilities that provided port-level security.