Tuesday, January 27, 2009

Rolling Review Introduction: Switching Infrastructure

By Mike Fratto

Sooner or later, most IT pros land on the pointy end of a switch upgrade. But if you simply re-up with your existing vendor—especially if that's the market leader—you could miss a prime opportunity to enhance your network via cutting-edge technology at a price that beats the competition.

Of course, whiz-bang can't come at the expense of dependability: When we asked network admins why they're upgrading their switch architectures, 56% named reliability as the main driver, followed by more bandwidth at the core and access layer. This need for speed is reflected in a recent Infonetics report that predicts sales increases of 10% in Gigabit Ethernet ports and a doubling of 10 Gigabit Ethernet port sales. That doesn't surprise us: The 36% premium for a Gigabit Ethernet port over a 10/100 port, roughly $63, is chump change when you consider the extra bandwidth and network future-proofing.

While Cisco is the undisputed market leader in terms of units shipped, that doesn't mean it has a lock on new technologies, service and support, reliability, or cost. Switches from rival vendors, such as Alcatel-Lucent, Extreme Networks, Foundry Networks, Hewlett-Packard ProCurve and 3Com, compete feature for feature. HP's policy of free firmware upgrades for the ProCurve switch line, for example, is a huge benefit if you let your support contact lapse or purchase used equipment.

To examine what vendors are offering for switching gear, we created an RFI for a wholesale switch infrastructure upgrade. We based the request on our fictional fast-food purveyor, TacDoh, which debuted back in 2003 when it went in search of outsourced network management.

Like many enterprises, TacDoh has grown organically through mergers and acquisitions and comprises an eclectic mix of new gear and older equipment that's still chugging along. Devices have been replaced as needed, but this piecemeal approach means the company isn't taking advantage of the latest technology. That's a problem because bandwidth and security needs are rising like one of TacDoh's signature pastries.

We built an RFI laying out a five-year plan. First, we specified migrating to VoIP from existing Centrex service, mandating a robust, scalable network. We also want power over Ethernet and to take advantage of newer monitoring technology, like flow-based analysis. Finally, we're investigating network access control and other security features to mitigate the damage caused by worm outbreaks, rogue access points and DHCP servers, and other malicious activity. Of course, the ability to scale capacity to meet new demands and ensure resiliency is crucial.

Kid In A Doughnut Store
Today's switches have features that enhance everything from port configuration to traffic control. In fact, you'd be hard pressed to find a pure Layer 2 switch—Layer 3 routing replete with multiple protocols like RIP, OSPF and BGP is the norm. We would certainly consider replacing our core router, but we don't need routing at the distribution and access layers.

VLANs are an effective way to segment the network based on where employees are; however, statically assigning ports to a VLAN is only slightly less cumbersome than moving patch cables. We want to gain the efficiency inherent in a single switch architecture managed from a central console, simplifying adds, moves and changes, not to mention deployment and configuration backup.

As part of our efficiency push, automation features like Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (LLDP-MED) will ease the transition to VoIP phones. Rather than having to manually map phone locations and configure switch ports as phones move to different locations on the network, LLDP-MED can discover endpoints, determine configuration parameters like VLAN assignment and power requirements, and gather the location information that is used to locate a phone in case of emergency.

Security features are being built into switches at a dizzying rate as well. Beyond 802.1X port-based authentication, new switches are capable of detecting anomalous traffic, like rapid increases in utilization, scan and worm activity, ARP spoofing, and other low-level ills. More importantly, some devices can dynamically map DHCP leases to MAC addresses and ports, and even deny network access to nodes that didn't complete a DHCP exchange, thereby thwarting users who statically assign IP addresses to get around DHCP. In addition, 802.1X is being enhanced with the capability to authenticate multiple hosts on the same port, even have the switch port act as an 802.1X supplicant for MAC address authentication (see the sidebar, "Playing Nice With 802.1X").
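The lease-to-MAC-and-port mapping described above is what vendors ship as DHCP snooping, with IP Source Guard and dynamic ARP inspection built on top of the resulting binding table. The model below is an added example, not code from the article or any switch vendor: it replays a constructed frame sequence (plain dicts, not real packets) through a toy switch to show which frames such a table lets through, and why a rogue DHCP server on an access port and a host with a hand-configured IP are both dropped.

```python
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    trusted_ports: set                             # uplinks toward the legitimate DHCP servers
    pending: dict = field(default_factory=dict)    # client mac -> access port that sent DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)   # (client mac, port) -> leased ip
    log: list = field(default_factory=list)

    def handle(self, f):
        """Decide 'forward' or 'drop' for one constructed frame (a dict)."""
        kind, port, mac = f["kind"], f["port"], f["src_mac"]
        trusted = port in self.trusted_ports
        if kind in ("dhcp_discover", "dhcp_request"):
            self.pending[mac] = port               # remember which port the client lives on
            return "forward"
        if kind in ("dhcp_offer", "dhcp_ack"):
            if not trusted:                        # server replies may only arrive on trusted ports
                return self._drop(f, "DHCP server message on untrusted port (rogue server)")
            if kind == "dhcp_ack" and f["chaddr"] in self.pending:
                # Bind the leased address (yiaddr) to the client MAC (chaddr) and its port
                self.bindings[(f["chaddr"], self.pending.pop(f["chaddr"]))] = f["yiaddr"]
            return "forward"
        if kind == "arp":                          # dynamic ARP inspection
            if trusted or self.bindings.get((mac, port)) == f["sender_ip"]:
                return "forward"
            return self._drop(f, "ARP sender IP/MAC not in DHCP snooping table")
        if kind == "ip":                           # IP source guard
            if trusted or self.bindings.get((mac, port)) == f["src_ip"]:
                return "forward"
            return self._drop(f, "source IP was never leased to this MAC on this port")
        return "forward"

    def _drop(self, f, reason):
        self.log.append(f"port {f['port']} {f['src_mac']}: {reason}")
        return "drop"

def run_demo():
    """Replay a constructed sequence of frames; returns the list of decisions."""
    sw = SnoopingSwitch(trusted_ports={"uplink1"})
    frames = [
        {"kind": "dhcp_discover", "port": "fa0/1", "src_mac": "aa:01"},
        {"kind": "dhcp_offer", "port": "fa0/9", "src_mac": "bb:99"},                              # rogue server
        {"kind": "dhcp_ack", "port": "uplink1", "src_mac": "cc:00", "chaddr": "aa:01", "yiaddr": "10.0.0.11"},
        {"kind": "ip", "port": "fa0/1", "src_mac": "aa:01", "src_ip": "10.0.0.11"},               # leased host
        {"kind": "ip", "port": "fa0/2", "src_mac": "aa:02", "src_ip": "10.0.0.50"},               # static IP, no DHCP
        {"kind": "arp", "port": "fa0/2", "src_mac": "aa:02", "sender_ip": "10.0.0.1"},            # claims the gateway
        {"kind": "arp", "port": "fa0/1", "src_mac": "aa:01", "sender_ip": "10.0.0.11"},           # consistent ARP
    ]
    return [sw.handle(f) for f in frames]
```

The `log` list is what a real switch would raise as a syslog or SNMP trap, which is where the "anomalous traffic" alerts the paragraph mentions come from.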

We certainly want to avoid blocking legitimate access, but the more protection we can place out at the edge, the more effective our security will be.

Fancy features notwithstanding, redundant, hot-swappable hardware is critical to ensure resiliency and flexibility. Network resiliency is enhanced by Layer 2 technologies like link aggregation, spanning tree and rapid spanning tree, which quickly reroute connections in case of link or switch failure.

Finally, we may need to support multiple hosts on a port where the downstream device, like a hub or older access switch, doesn't recognize 802.1X. Many vendors claim support for multiple authenticated hosts on a port, but that could mean the port state is based on the first successful authentication. Advanced features like per-host authentication and configuration via ACL, VLAN assignment, and QoS all offer granular control.

If we get everything we want, then it comes down to price and support as TacDoh looks to balance feature sets with capital costs and maintenance—cheaper upfront isn't always the best long-term deal when you factor in support and costs for hot-spare parts. We asked for list price to keep our analysis on an even footing, but switching is by and large a commoditized market; the days of paying list for hardware have long since passed. From talking to administrators, expect to lop 15% to 25% off list, depending on your purchasing power.

Mike Fratto is Lead Analyst for the NAC Immersion Center and is Managing Editor/Labs for InformationWeek.

Sidebar: Playing Nice With 802.1X
While 802.1X port authentication ensures that only authenticated users can access the network, it's not without its headaches and can, in fact, be the bane of automation. In a perfect world, you'd be able to plug any device into any port and the port would respond properly. However, an 802.1X port in an unauthenticated state, by default, denies all traffic. LLDP and LLDP-MED, the link layer discovery protocols that IP phones use to request configuration information, are blocked until the phone authenticates, for example, and other protocols, like Wake-On-LAN and the PXE boot agents used to automate desktop deployments, are equally affected.

Several strategies can enable automation in an 802.1X environment. In smaller networks where you control physical access, you can manually define which ports are 802.1X-enabled and which aren't, and ensure that hosts are connected appropriately. However, ensuring physical connections is difficult when you have a lot of hosts. Most switches can be configured to place a port into a default VLAN if a supplicant isn't responding to 802.1X, or a port may be moved to a VLAN and opened if 802.1X fails authentication. Alternatively, MAC-based authentication can be used to get an IP phone online.
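The fallback strategies in the sidebar, and the earlier caveat that "multiple authenticated hosts on a port" may only mean the port opens on the first successful authentication, come together in the port model below. It is an added example, not code from the article or any vendor: the VLAN numbers and the MAC-authentication table are constructed, and `run_demo` replays the same four hosts under per-host and port-based semantics so the difference is visible.

```python
from dataclasses import dataclass, field
from typing import Optional

# Policy values are constructed for this example, not taken from any switch vendor.
GUEST_VLAN, AUTH_FAIL_VLAN, DATA_VLAN, VOICE_VLAN = 900, 901, 10, 20
MAB_TABLE = {"00:0b:82:aa:bb:cc": VOICE_VLAN}   # known IP phone MAC -> VLAN (constructed)

@dataclass
class AuthPort:
    per_host: bool = True          # False reproduces "first success opens the whole port"
    hosts: dict = field(default_factory=dict)   # mac -> vlan assigned after its own auth outcome
    port_vlan: Optional[int] = None             # set once, in port-based mode only

    def on_event(self, mac, event, vlan=DATA_VLAN):
        """Apply one authentication outcome for a host MAC and return its VLAN."""
        if event == "eap_success":
            self.hosts[mac] = vlan                  # RADIUS-assigned VLAN for this host
            if not self.per_host:
                self.port_vlan = vlan               # whole port opens on the first success
        elif event == "eap_failure":
            self.hosts[mac] = AUTH_FAIL_VLAN        # restricted VLAN rather than a hard deny
        elif event == "supplicant_timeout":         # no EAPOL reply: PXE, WoL, phone without 802.1X
            self.hosts[mac] = MAB_TABLE.get(mac, GUEST_VLAN)   # MAC auth first, guest VLAN otherwise
        return self.vlan_for(mac)

    def vlan_for(self, mac):
        """VLAN a frame from mac is switched into, or None if dropped (default-deny)."""
        if not self.per_host and self.port_vlan is not None:
            return self.port_vlan                   # any MAC rides the first authenticated session
        return self.hosts.get(mac)

def run_demo(per_host):
    """Same event sequence under both modes; returns the VLAN each MAC ends up in."""
    port = AuthPort(per_host=per_host)
    port.on_event("00:0b:82:aa:bb:cc", "supplicant_timeout")   # IP phone admitted via MAC auth
    port.on_event("00:11:22:33:44:55", "eap_success")          # authenticated PC behind the phone
    port.on_event("de:ad:be:ef:00:01", "eap_failure")          # wrong credentials
    port.on_event("00:50:56:00:00:99", "supplicant_timeout")   # PXE client, unknown to MAB
    return {
        "phone": port.vlan_for("00:0b:82:aa:bb:cc"),
        "pc": port.vlan_for("00:11:22:33:44:55"),
        "bad_creds": port.vlan_for("de:ad:be:ef:00:01"),
        "pxe": port.vlan_for("00:50:56:00:00:99"),
        "never_seen": port.vlan_for("ca:fe:00:00:00:01"),      # unknown host on a downstream hub
    }
```

In port-based mode every MAC, including one that never authenticated, lands in the PC's data VLAN once the PC succeeds; per-host mode keeps the unknown host denied and puts the failed and supplicant-less hosts in their restricted VLANs.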

If you plan to roll out network access control, 802.1X is often a good choice for enforcing control. As more companies upgrade their switching and gain experience with 802.1X, we expect to see broader adoption. However, there's no guarantee that guests will have 802.1X supplicants installed, so alternative authentication measures, like a Web portal or a redirect that forces a user to authenticate to the switch, are useful.

THE INVITATION:
TacDoh is a worldwide purveyor of deep-fried delights sold through major retail outlets. Our corporate office contains sales support, marketing, R&D, and centralized IT. Three branch offices provide localized support for sales. Employee productivity is a critical TacDoh competitive advantage and is fueled by a well-connected network and application infrastructure. Our LAN has served TacDoh's data needs well, but has grown over time with infrastructure sourced from multiple vendors. The need to leverage network dollars mandates a complete network redesign. TacDoh is searching for a new strategy and design and is very interested in the flexibility, quality of service, availability, and security features in new enterprise switches.

Change and growth are key elements the new network will have to support. Maintaining site connectivity and application support are crucial; in addition, the winning RFI will support the increasing changes forced onto the TacDoh network. We upgraded our cabling to Cat-5E a few years ago and are unlikely to perform another upgrade for a few more years. Generally speaking, each desk has a single network port for a user's PC. We will run fiber between wiring closets and the data center if needed.

We have pilot projects which will be moved into deployment in the next six months. We want to prepare our LAN network in advance by:

• Replacing our PBX with VoIP to all desktops in corporate and remote offices.

• Embracing unified communications to better manage meetings and collaboration. This includes more use of real-time media, both broadcast and point-to-point.

• Adding network access control. We haven't decided product or technology, but we want our infrastructure to support whatever we choose.

• Centralizing all servers into the data center, eliminating departmental application servers.

The network supports voice, video, SAP transactions and Lotus Notes. Voice includes IP trunking as well as telephony for call processing. Voice is accomplished using SIP-based phones at each desk. Video streaming has been used for companywide broadcast events, but we are exploring adding video for collaboration. Application sharing is also a high priority; TacDoh's customer-facing applications are located in the data center. Additionally, the company runs its own instant messaging server and supports employee access to the Internet. Internet traffic, however, is filtered and monitored, in accordance with corporate policy.

Our data center consolidation project is driven by a need to reduce costs and centralize data for management and regulatory reasons. That makes data center availability critical to our IT plans. The chosen network design must increase the fault tolerance of our data center. In addition, we measure service levels for network performance, defined by availability, jitter, error rate and throughput. Network performance is used to assess the effectiveness of our IT infrastructure. The vendor should provide a network design and explain how its solution will maximize performance.

Our Objectives
We want our new network to support our IT plans for the next five years. We are adding more employees and more applications that are consuming bandwidth on the network. Equally important, our real-time media initiatives must have good response times across the LAN. We are not, however, planning on adding more IT staff, so automation and integration into our support systems are critical. We want to achieve the following goals:

• Unify our infrastructure to simplify management and deployment.

• Better support real-time media like voice and video.

• Support network access control so that security isn't compromised by roaming users.

• Leverage enhanced switch services to realize an easily managed network.

• Support capacity increases as we centralize our data center and as more data is pushed across the network.

• Plan for growth. We expect to double our workforce in 24 months as we expand our product line and branch out into related ventures.
