Cisco's dominance in enterprise networking doesn't necessarily mean it is the only game in town — or that you jeopardise job security by bypassing Cisco.

Indeed, the old adage goes, no one ever got fired for buying Cisco. But can someone get fired for staying with Cisco?

Two educational institutions are not waiting to find out. They are replacing Cisco switches with other vendors' gear because of what they say are greater features and functionality in competitive offerings, and lower prices.

Fayetteville State University (FSU) in North Carolina is replacing more than 50 of its 280 Cisco switches with ConSentry equipment because of the embedded network access control (NAC) capabilities of those switches. And a high school in Mountain View, California, is replacing 27 Cisco switches with HP ProCurve systems due to ProCurve's lifetime warranty, equal or better functionality, lower price and wireless capabilities, a school official says.

A Cisco spokesman says the company can't comment on the Mountain View project without the customer's permission. With regard to FSU, Cisco says the 50 or so switches being replaced include non-Cisco switches, but FSU counters that it was a "100 percent Cisco shop" before installing the ConSentry gear.

CNAC problems

FSU's decision to change out about 20 percent of its Cisco infrastructure came when the university encountered problems with Cisco's Clean Access NAC appliance. The Cisco platform kept going down, students weren't properly downloading the desktop agent, and the IT team had no visibility into what was happening on the network.

The Cisco solution depended on Cisco desktop software to provide endpoint verification. Clean Access verifies whether users are running updated anti-virus and anti-spyware software, but it doesn't scan users' computers for the actual presence of malware.

As a result, Trojans, denial-of-service attacks and other malware entered the FSU network and brought down the Clean Access platform. Also, bad traffic from users could hit the Clean Access server even if they had not authenticated or passed the EPV check, because that server was set up as the default gateway, according to FSU.

"We were having all kinds of problems," said Joseph Vittorelli, director of systems and infrastructure at the university. "One of the biggest problems was the fact that students would come on in the evening after classes and start downloading music, movies, whatever. And then the viruses and infections they had would start hammering the NAC clients and it would just freeze up. It got to the point where we had to write scripts to reboot the thing every night so that people could get on in the morning."

Cisco was largely unresponsive to FSU's dilemma, Vittorelli says.

"Throw more money at it - that'll fix it," was Cisco's response, Vittorelli says.

FSU first looked at just replacing Clean Access with ConSentry's LANShield Controller NAC appliance and having that work with the Cisco Catalyst 3750 switches in dormitories to combat the intrusions and crashes. But then FSU learned that ConSentry had switches with embedded NAC capabilities that provided port-level security.

Switching to switch NAC

The school determined that switch-based NAC would alleviate the flooding and crashing problem it was having with the server-based NAC implementation of Clean Access.

FSU then decided to use money from next year's network revamp budget to purchase 70 ConSentry LANShield switches for dormitories now. ConSentry NAC appliances, meanwhile, will work with Cisco switches in administrative offices and laboratories, Vittorelli says.

So despite the significant change-out, FSU remains a Cisco shop. The university spent $1.1 million on Cisco gear this year, compared with $500,000 on ConSentry equipment.

"I wouldn't give up Cisco, especially at the core," Vittorelli says. "I don't think there's anything out there that could beat a Cisco router and a lot of the core switches. But when you get down to it, a switch is pretty much a switch. So you're shopping for bells and whistles at that point."

Once Cisco learned that FSU was replacing a good chunk of its switches, the company finally responded, Vittorelli says - but by then, it was too late.

"They knew that they had kind of failed us," Vittorelli says. "They're trying to make amends now," with regular visits and invitations to educational lunch sessions.

FSU plans to trade in most of the Catalyst 3750s and retain others for spares.

More NAC losses

Cisco may be losing other business in the education market based on NAC, security and policy management requirements. Rival Enterasys claims it has outbid or replaced Cisco in at least five institutions of higher education, including the University of North Carolina, Chapel Hill, based on the multivendor security and policy-based management capabilities of its switches.

And last year, Sam Houston State University dumped Cisco and Nortel voice products in favour of open source VoIP from Asterisk.

While FSU plans to remain predominantly a Cisco shop, St Francis High School is replacing virtually all of its Cisco equipment with HP ProCurve gear. The school is swapping out Catalyst 4000, 2900XL, 2980G, and 3500XL switches for HP ProCurve's 5300, 2800 and 2600 switches, says Larry Steinke, director of technology at the school. The 4000, 2900XL and 3500XL have reached end-of-life status anyway, Steinke notes.

"It basically came down to pricing, warranty and industry compatibility," Steinke says.

Three years ago, St Francis began evaluating what its needs were in terms of future technologies — things like VoIP, QoS and virtual LAN tagging, Steinke says. The school realised that ProCurve supported the same capabilities as the Cisco equipment but that important features, such as Power over Ethernet, were industry standard — not proprietary.

"So we could plug any phone into these switches," Steinke says.

St Francis also noted that the HP ProCurve warranties were lifetime warranties, which meant the school would not have to be locked into any maintenance agreements in order to maintain service on the devices, Steinke says. Lastly, pricing on the products the school eventually chose was 5 percent to 10 percent less than comparable Cisco products.

Another factor playing into St Francis' decision was wireless support. The school, which requires support for 40 access points, was evaluating Cisco, Trapeze Networks and Aruba Networks in a competitive bidding arrangement before being made aware of HP's Wireless Edge Services module for the 5300 switches.

"At that point, that made the whole ProCurve solution discussion begin," Steinke says. "All of these things could tie together and create a complete solution that would apply to both our wired and our wireless network."

And the HP ProCurve wireless implementation was 10 percent to 20 percent lower in cost than Cisco's, Steinke said. St Francis will be "95 percent HP" in about two years, Steinke says. The school is conducting a piecemeal swap-out on an as-needed basis rather than a wholesale replacement.

The four-year project will cost the school less than $100,000, Steinke says.