How not to get our fingers burnt: Selection of switches for a company network

8/19/2009
How should an existing, upgradable network, including its switches, be rebuilt so that it meets the growing demands of a company's applications and operating systems? What are the key advantages and disadvantages of the possible solutions? Which features matter for trouble-free operation of the network and its applications?
It is useful to start with several key questions about the selection of suitable equipment. Make sure the equipment has exactly the functions you need, and none that are unnecessary or cost more than your requirements justify; that way you arrive at the proverbial standard of reasonable quality.

Will multimedia applications run on the network? Will some users be mobile, i.e. will they rely on CDT (Connectionless Data Transmission) during their work? Will applications that are sensitive to power glitches be used in the network? In such cases standard Wi-Fi is not entirely suitable; an Enterprise Wi-Fi solution of the 4th generation is preferable. Such solutions offer minimal or even zero roaming time between access points. Wi-Fi is very limiting in terms of data throughput, so the following holds: the more of the network that can be carried over optical or metallic cable, the better!

Are costs a concern? If so, use optical cable only on the backbone and in places where there is a risk of interference, and use metallic cable to distribute the network to the computers. Before selecting a switch, it is worth addressing the security of the whole network, both against external attacks and against internal overload, e.g. excessive downloading of various applications from the internet. This is ensured either by a proprietary solution, mostly Unix-based, or by the so-called L7 shapers offered by some manufacturers, among which the Israeli company Allot ranks among the best-selling on the Czech market. Such devices monitor and evaluate all incoming and outgoing traffic and can block or rate-limit potentially unsuitable applications.

At the beginning of a purchase
There is a whole series of criteria for selecting the right network switch. At first sight the hardware parameters, e.g. the number of ports and their speed, are the most prominent. With future growth of the company network in mind, the ideal port occupancy is 60%; the remaining 40% is kept in reserve for changes in office layout or increases in staff. Workstations are most commonly connected at 100 Mbit/s Ethernet, in which case the backbone should be gigabit.

How will the whole network be administered? SNMP (Simple Network Management Protocol) is very often used here, handling communication between the switch and the monitoring application. Naturally, this assumes that the switch supports the protocol and that you have at your disposal an application that can process SNMP data. There are many such applications, from paid software to freeware. To ensure trouble-free operation over SNMP, the manufacturer should publish the MIB (Management Information Base) tables the switch supports, and if the switch has special functions, it should provide the MIB table covering those functions as well.

The number and quality of the functions, and consequently of the switch itself, are directly influenced by the chipset the device uses. Technical support should be the next selection criterion. One group of manufacturers offers after-sales support as an additional service paid for by the customer, while another already includes it in the sales price. After-sales support consists mainly of future switch firmware releases, in which the manufacturer adds new functions or repairs bugs found in previous versions. Switch functions can be divided into several logical groups: those affecting security, those affecting network topology, and those affecting service quality.

Switch security aspects
The first step in security is the moment a new device needs to be connected to the network. The ideal choice is access control according to the 802.1X standard together with a RADIUS server. It can also be secured by means of the L7 shaper mentioned above. A managed switch, however, has security features of its own. The ACL (Access Control List) function ranks among the most widely used. With it, either only devices with a defined MAC address (Allow or Permit option) are granted access to the network, or conversely a list of devices whose connection is refused (DENY option) can be set up.

Using an IP address instead of a MAC address, or, where appropriate, binding the MAC address to an IP address, further increases security. This is the IP-MAC binding function: only a device with the matching MAC address and IP address is granted access to the network. Such a function can place a substantial load on the switch hardware, which in the case of a poorly chosen switch directly translates into network instability.
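The following is an added example, not code from the article or from any switch vendor: a small model of the MAC ACL (permit/deny list) and IP-MAC binding decisions a managed switch makes for a device appearing on an access port. The policy tables and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class PortSecurityPolicy:
    # "permit": admit only MACs in mac_list; "deny": block MACs in mac_list, admit the rest
    mode: str = "permit"
    mac_list: Set[str] = field(default_factory=set)
    # IP-MAC binding: each MAC may only use its registered IP address (empty = not enforced)
    bindings: Dict[str, str] = field(default_factory=dict)

    def admit(self, mac: str, ip: Optional[str] = None) -> Tuple[bool, str]:
        """Return (admitted, reason) for a device with the given MAC and source IP."""
        mac = mac.lower()
        listed = mac in self.mac_list
        if self.mode == "permit" and not listed:
            return False, "mac not in permit list"
        if self.mode == "deny" and listed:
            return False, "mac in deny list"
        if self.bindings:
            bound_ip = self.bindings.get(mac)
            if bound_ip is None:
                return False, "no ip-mac binding registered for this mac"
            if ip != bound_ip:
                return False, f"ip {ip} does not match binding {bound_ip}"
        return True, "admitted"


# Constructed sample policy: two known workstations, each bound to one IP address.
OFFICE_POLICY = PortSecurityPolicy(
    mode="permit",
    mac_list={"00:11:22:33:44:55", "00:11:22:33:44:66"},
    bindings={"00:11:22:33:44:55": "192.168.1.10",
              "00:11:22:33:44:66": "192.168.1.11"},
)

# Constructed sample deny list: one blocked device, everything else admitted.
DENY_POLICY = PortSecurityPolicy(mode="deny", mac_list={"aa:bb:cc:dd:ee:ff"})

if __name__ == "__main__":
    for mac, ip in [("00:11:22:33:44:55", "192.168.1.10"),
                    ("00:11:22:33:44:55", "192.168.1.99"),   # spoofed IP on a known MAC
                    ("aa:bb:cc:dd:ee:ff", "192.168.1.10")]:  # unknown MAC using a known IP
        print(mac, ip, OFFICE_POLICY.admit(mac, ip))
```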

Some L3 switches even allow blocking of specific ports (http, ftp) in order to stop unwanted communication, mainly P2P traffic, which can dramatically reduce network throughput. However, most P2P applications use encrypted communication, and without DPI (Deep Packet Inspection) such traffic cannot be distinguished.

Functions influencing network topology
Almost every network setup involves virtual networks (VLANs), a two-level network (hardware and software) that interconnects groups of users who have something in common (priority, limits, connection rate, etc.). Switches labelled WebSmart or Lite management are the most frequently used type for simple management; they contain only a basic set of functions and only port-based VLANs, meaning that VLAN groups can be set up only within a single device. Even more common are VLANs spanning several devices, in which case they are the so-called marked or tagged VLANs.

To provide backbone redundancy, a doubled backbone can be used. In this case the switches on the L2 backbone link are equipped with the LACP (Link Aggregation Control Protocol) function, which automatically redirects the data stream to the redundant line when the first circuit fails. The backbone is most often built on optical ports at 1 Gbit/s. Switches also offer backbone connections as port pairs: when one port of the pair is connected, its partner, called a Combo port, is automatically deactivated. This is a combination of an RJ45 metallic port and an SFP optical port.

STA (Spanning Tree Algorithm) is the next necessary function, in particular its faster version, Rapid STA, which complies with 802.1w. If VLANs are used in the network, a separate RSTA parameterization can be set up for each VLAN; this is provided by Multiple Spanning Tree support in compliance with 802.1s. If a further level within a VLAN group needs to be defined, VLAN-in-VLAN can be used, designated by manufacturers as Q-in-Q.
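To make the tagged VLANs and Q-in-Q mentioned above concrete, here is an added example (not from the article): a parser that peels the 802.1Q tag stack off an Ethernet frame, returning the priority (PCP) and VLAN ID of each tag, plus a builder that produces single-tagged and double-tagged test frames. The outer Q-in-Q tag uses the 802.1ad TPID 0x88A8 by assumption; some equipment uses 0x8100 for both. Addresses and payloads are constructed.

```python
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100   # customer (inner) tag
TPID_8021AD = 0x88A8  # service (outer) tag used for Q-in-Q (802.1ad)

Tag = Tuple[int, int]  # (pcp, vid)


def parse_vlan_tags(frame: bytes) -> Tuple[bytes, bytes, List[Tag], int, bytes]:
    """Return (dst, src, [(pcp, vid), ...], ethertype, payload); tags are outermost first."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    tags: List[Tag] = []
    offset = 12
    while offset + 2 <= len(frame):
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, tags, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append((tci >> 13, tci & 0x0FFF))  # PCP is the top 3 bits, VID the low 12
        offset += 4
    raise ValueError("frame ends inside the VLAN tag stack")


def build_frame(dst: str, src: str, tags: List[Tag], ethertype: int, payload: bytes) -> bytes:
    """Build a frame with 0..n stacked tags; the outermost tag of a stack gets the 802.1ad TPID."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, (pcp, vid) in enumerate(tags):
        tpid = TPID_8021AD if (len(tags) > 1 and i == 0) else TPID_8021Q
        out += struct.pack("!HH", tpid, ((pcp & 0x7) << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


# Constructed frames: untagged, single-tagged (VLAN 100, priority 5), Q-in-Q (S-VLAN 200 over VLAN 100).
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [], 0x0806, b"\x00\x01")
TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [(5, 100)], 0x0800, b"\x45")
QINQ = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [(0, 200), (5, 100)], 0x0800, b"\x45")

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("tagged", TAGGED), ("q-in-q", QINQ)]:
        _, _, tags, etype, _ = parse_vlan_tags(f)
        print(f"{name}: tags={tags} ethertype=0x{etype:04x}")
```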

The next switch feature to consider is support for PoE (Power over Ethernet) in accordance with 802.3af, i.e. remote power supply over the metallic cable. It should be used where a device cannot otherwise be connected to the network and it is necessary to bring power to the device together with the data. Two kinds of device exist: PSE (Power Sourcing Equipment) and PD (Powered Device). The former provides the power supply, i.e. "merges" data and power onto one metallic cable, while the latter is able to process this power supply and power itself from it.

From multi-media to industry
The third group of important switch functions are those affecting service quality. If multimedia is used in the network, the switch must handle Multicast/Unicast transfer properly, so the device should support the IGMP (Internet Group Management Protocol) functions (IGMP snooping, leave, join). IGMP snooping handles the creation of groups for multicast communication. Another useful function is DHCP Option 82, which is used for transferring DHCP queries from networks without a DHCP server to networks with one. No less important is MVR (Multicast VLAN Registration), which ensures safe distribution of multicast among several VLAN groups.

QoS quality can be defined by means of the following parameters: dropped packets, delay and jitter. Another parameter for ensuring higher service quality is the number of queues per switch port (4 queues are the minimum). Various scheduling disciplines can be used here, e.g. WRR (Weighted Round Robin). The highest priority goes to layer 2 management messages, followed by layer 3 management messages and then multimedia flows; ordinary data traffic, called best effort, has the lowest priority.
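An added example (not from the article) of the four-queue egress scheduling just described: traffic classes are mapped to queues in the article's priority order, and the port is drained either by WRR or, for contrast, by strict priority, which shows why WRR keeps best-effort traffic from being starved. The class-to-queue map and the weights are assumptions chosen for illustration.

```python
from collections import deque
from typing import Dict, List, Sequence

# Queue 0 is the highest priority. Order follows the article: L2 management,
# L3 management, multimedia, then best effort (assumed mapping, 4 queues).
CLASS_TO_QUEUE: Dict[str, int] = {"l2-mgmt": 0, "l3-mgmt": 1, "multimedia": 2, "best-effort": 3}


class EgressPort:
    def __init__(self, weights: Sequence[int] = (8, 4, 2, 1)) -> None:
        if len(weights) != len(CLASS_TO_QUEUE):
            raise ValueError("one weight per queue is required")
        self.weights = list(weights)            # frames each queue may send per WRR round
        self.queues: List[deque] = [deque() for _ in weights]

    def enqueue(self, traffic_class: str, frame_id: str) -> None:
        self.queues[CLASS_TO_QUEUE[traffic_class]].append(frame_id)

    def drain_wrr(self) -> List[str]:
        """Weighted Round Robin: every non-empty queue gets up to its weight per round."""
        order: List[str] = []
        while any(self.queues):
            for queue, weight in zip(self.queues, self.weights):
                for _ in range(weight):
                    if not queue:
                        break
                    order.append(queue.popleft())
        return order

    def drain_strict(self) -> List[str]:
        """Strict priority: always serve the highest-priority non-empty queue first."""
        order: List[str] = []
        while any(self.queues):
            queue = next(q for q in self.queues if q)
            order.append(queue.popleft())
        return order


def load_sample(port: EgressPort) -> EgressPort:
    """Constructed burst: one frame of each management class, three video, three web."""
    port.enqueue("l2-mgmt", "bpdu-1")
    port.enqueue("l3-mgmt", "ospf-1")
    for i in (1, 2, 3):
        port.enqueue("multimedia", f"video-{i}")
        port.enqueue("best-effort", f"web-{i}")
    return port


if __name__ == "__main__":
    print("wrr   :", load_sample(EgressPort()).drain_wrr())
    print("strict:", load_sample(EgressPort()).drain_strict())
```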

Routing protocols can be used with L3 switches. There are two options: RIP (Routing Information Protocol) or OSPF (Open Shortest Path First). The former is more suitable for smaller networks, the latter for wide area networks.

If the switch is to be located in an environment with extreme temperatures (-40°C up to +80°C), an industrial switch, a device designed to withstand these temperatures, must be selected. An industrial switch with e.g. IP 65 protection will also cope with increased dust or moisture. In this case the power supply interface is mostly a terminal block. Also of interest is that information about contact instability or a power supply fault can be sent directly to the IT administrator. Moreover, the device can also offer management or a redundant power supply option.

The article was published in Connect! in March 2009. Martin Doušek is Product Manager of the company Intelek. He specializes in network solutions and services.