Future-proof your network

Try these 10 tips for squeezing a long life from infrastructure investments.

If you've ever done a tricky remodeling project at home, you might be familiar with the urge to just level the place and start over. But on your corporate network, no one wants to have to explain the need for a forklift upgrade where large parts of the infrastructure must be overhauled. How can you maximize the longevity of your IT investments in a world of ever-changing protocols and constantly evolving security dangers? Beyond thinking carefully about scalability and capacity, here's a look at some key tasks for your future-proofing to-do list. Keep these considerations in mind as you evaluate and purchase new gear.

1. Stick to modular equipment, centralized management.

To avoid rip-out upgrades later, follow this advice whether you're planning your wireless or wired LAN. On the wireless side, this usually means buying a centralized wireless LAN (WLAN) switch that will let you upgrade access points easily. "Stand-alone fat [access points] exclusive architectures are out, but some companies are deploying a mix of thin and thick," for example, using thick access points to support branch-office locations, says Ellen Daley, principal analyst at Forrester Research. On the wired side, this means selecting equipment that is as modular as possible in the wiring closets and the core data center. Even then, consider keeping about 20% of the expansion room open.

With management tools, the fewer pieces you have to snap together, the better. "Ensure that you are managing your WLAN network like you manage your LAN . That means centralized help desk support, centralized management tools, and a clear support Web site," Daley says.

2. Navigate the wireless standards waters.

Are you waiting for a set list of wireless standards before doing any more WLAN planning? Bad news: You can't wait that long. These standards - such as the up-and-coming 802.11n for higher bandwidth, 802.11r for fast roaming, and 802.11e for QoS - will remain in flux for a while. "802.11n is coming, but given the standards fight going on, don't plan to wait for 802.11n. It may be a few years before there is ratified equipment," Daley says.

However, knowing how vendors address fast roaming and QoS is important. At minimum, you want to stay below 50 millisec for roaming between access points. For QoS, confirm the vendor supports the Wireless Multimedia standard, or will shortly. Also, make sure the vendor can articulate how it will make products compliant with the future 802.11r and 802.11e standards, and any associated costs, Daley says.

3. Make way for 10G and avoid bottlenecks.

In the Gigabit vs. 10G bit/sec Ethernet debate, how should you play it smart? "Prices are still pretty high," says David Newman , president of Network Test, a benchmarking and network design firm, and a member of the Network World Lab Alliance. But playing it cheap might not be prudent if your current backbone can't keep up later.

"10G is the automatic choice today in data centers. The place where it's time to start thinking about it is the wiring closet," he says. Current wiring closet switches have one or more uploads to the corporate backbone; today that's 1G bit, but we're starting to see boxes with 10G uplinks. Remember, virtually every new PC now has a 1G bit Ethernet adapter included, Newman says. Put all these PCs on your network and you're putting a heavy burden on the backbone. "With 10G, you're not going to have bandwidth bottlenecks. Plan today and avoid congestion," he says.

4. Keep an eye on new Ethernet specs.

While new Ethernet specifications continue to pop up, many of them pertain to switching and security aimed at service provider networks. The one that could be an intriguing option for the enterprise LAN is 802.1AB, or Link Layer Discovery Protocol (LLDP). You'll see this mostly in switches, routers and IP telephones, though you won't see it often, for now. This discovery protocol helps a switch learn about an endpoint device such as a VoIP phone and helps simplify configuration.

Extreme Networks recently introduced the first edge switch with LLDP capability, and Extreme's telephony partner Avaya plans to introduce LLDP-compliant phones later this year. LLDP could make VoIP rollouts more plug and play and simplify policy management. LLDP's network troubleshooting and management possibilities might widen, but you'll have to wait and see whether more vendors implement the technology in edge switches.

5. Cross IPv6 off your worry list - mostly.

Next-generation IPv6 makes important improvements. But should you be investing in it today? "It's not that important in North America yet, with two exceptions," Network Test's Newman says.

The first exception: Asian companies with U.S. operations or U.S. companies with Asian operations. In Asia, branch offices, customers and suppliers already are building and using IPv6 networks. If this describes your company, don't wait to create a deployment plan, Newman says. In the other exception, the U.S. Department of Defense has committed to IPv6, so its would-be contractors need IPv6 on their radar screens.

Otherwise, you can wait. "There's no compelling driver for a small or medium business to go to IPv6 today," Newman says. But do look for IPv6 support in the routers you buy, he advises. "The potential you're going to need that v6 support is only going to increase over time."

6. Don't hang up on VoIP.

If you haven't deployed VoIP yet, leave the door open to the possibility, says Abner Germanow, enterprise networking research manager at IDC. Start with insisting on modular switches, he says. Depending on your network topology, you also might need to consider routers that can serve as backup for the voice traffic if the wide-area link goes down, he says. Consider a more expensive router with this kind of capacity, or realize you're going to need some other type of redundancy plan. "Be sure you'll be ready to solve this problem," Germanow says.

You've probably heard some buzz about VoWi-Fi, but should you worry about it yet? "If you're only using WLAN in conference rooms today, probably not," Germanow says. "But if your company has a mind-set toward mobility, voice will be part of that." Hospitals, for example, have led the charge with VoWi-Fi.

In this case, keep roaming and future dual-mode Wi-Fi/cellular handsets in mind. Because those standards are not set, ensure that vendors will commit to future IEEE standards.

7. Buy flexibility with Power over Ethernet.

For added and future deployments of VoIP handsets, wireless access points and security cameras, Power over Ethernet (PoE) technology gives generous flexibility with regard to where the devices can live. In a few years, you'll see even more devices taking advantage of PoE, such as laptop computers. Luckily, it's not hard to keep this option open because PoE doesn't mandate any change to Ethernet cabling. At a basic level, all you need is Category 5e wiring.

If you want to enable PoE later, you won't necessarily have to buy a new switch, because you can add a midspan product that connects PoE to legacy network switches. (Midspans also prove useful if you have just a small number of ports that will need PoE.) However, to be more forward-looking, make sure edge switches have built-in PoE capability. The only standard you need to worry about is the current IEEE standard, 802.3af .

The IEEE is working on a higher-power successor to 802.3af, which will offer more than today's 12 watts of power to individual devices. Expected to be ratified in about two years, this future standard will offer backward compatibility with today's access points and client phones, says PowerDsine CEO Igal Rotem, whose company is helping shape the standard.

8. SSL-based VPNs score for mobility, security.

Your company's need for mobility will only increase. In planning VPNs for remote workers, choose an SSL-based VPN instead of one using IPSec . An SSL-based VPN gives more scalability and flexibility to add users and applications, says Forrester Research analyst Robert Whiteley. Johnson Matthey, a London specialty metals company, deployed its Netilla SSL VPN appliance about three years ago for e-mail and Microsoft Office, then easily moved up to about 60 applications, says Randy Colone, technical services manager at U.S. headquarters in Wayne, N.J. The VPN provides tight security for work with contract programmers. "They get access to the VPN for certain time frames," Colone says. "I have total control." The contractors no longer have to be on-site and the VPN even provides access to production-related data living in an old AS400.

More companies also are using SSL-based VPNs to secure applications on the LAN, making office workers log on via the VPN's strong authentication technology, just like remote employees. With dedicated appliances from vendors such as Juniper or Netilla (now part of AEP Networks), consider the entire potential remote workforce, not just the current one. (Appliance prices reflect the number of estimated concurrent VPN users.)

"Make sure you buy a box with headroom, so it is just an issue of buying licenses," Whiteley says. Another important option: Vendors such as Cisco have begun offering cost-effective SSL VPN modules that snap into switches such as the Catalyst 6500.

9. Stay nimble on security.

Security proves a particularly tough planning challenge because the threats constantly change. "Recognize that security is different," says cryptography expert and Counterpane Internet Security founder and CTO Bruce Schneier. "It's not about features or performance, so you can't really future-proof your network against future attacks. Make sure you can install new security quickly and efficiently."

In the wireless world, one key option you can take now is 802.1x authentication. "You're taking an inherently insecure technology like WLAN and adding very strong authentication technology," Network Test's Newman says. "Plus 802.1x also carries into the wired world." By extending 802.1x authentication to your LAN switches, you add a good layer of protection, he says.

At minimum you'll need an authentication server such as a RADIUS server. Overall, look for strong encryption on every link of the network. Also remember that single-sourcing from a software vendor increases your risk. "It doesn't make sense to be an all-Linux shop, an all-Windows shop," he says.

10. Consider the big picture more often.

To truly future-proof your network, it's not enough to stay on top of port counts and protocols. Future-minded network planning also means understanding where your company's business is heading and what that in turn means to the network.

Multi-casting protocols, for example, aren't a concern for many businesses outside of financial services yet, Newman says. But you need to consider whether your company's goals might take you there later. In a similar vein, it's worth the time to keep closely tuned to your network vendors' future product and business strategies. You certainly want vendors that are committed to upgrading hardware/firmware/software and whose product lines won't need full replacements.

McLaughlin is a freelance writer in the Boston area. She can be reached at laurianne@mindspring.com.

Insider Shootout: Best security tools for small business
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies