Selecting the Right Enterprise LAN Hardware: Firewalls, Switches, APs and More

Network design isn’t for the faint-hearted – there’s a mountain of brainwork and diligence involved. But even when you’re not directly responsible for the implementation, it’s valuable to understand the basics. Knowing the considerations that impact hardware selection will save time (and confusion) when it comes to hardware procurement.

With this in mind, we’re following up our recent guide to selecting wide area network (WAN) equipment with…you guessed it, a guide to selecting local area network (LAN) equipment.

What Is a Local Area Network (LAN)?

Here’s a good, clear definition from the network giant Cisco:

A local area network (LAN) is a collection of devices linked in one physical location, such as a building, office, or home. A LAN can be small or large, ranging from a home network with one user to an enterprise network with thousands of users and devices in an office or school.

The single physical location is what distinguishes a LAN from a wide area network (WAN) or a metropolitan area network (MAN), which cover larger geographical areas. 

Here at Lightyear, we find it helpful to break LAN down into three zones – Zone A (the network edge, where the LAN hands off to the WAN), Zone B (the core network), and Zone C (the endpoints, or individual devices and users accessing the LAN).

Zone A – The Network Edge

The network edge equipment is commonly composed of routers, firewalls, and edge/access switches, though setups and topologies vary.

There are five main factors when selecting your Zone-A equipment.

High Availability (HA)

High availability is a network design strategy designed to protect your operations in the event of network-equipment failure. Using specially designed HA equipment in pairs, it ensures that should one device fail, the twinned device will instantly take over, avoiding any disruption to normal service. Not all network hardware features HA functionality, so check your device specs carefully.

If you’re looking to implement HA in your design, Zone A is usually the best place for it (although we’ve also seen it deployed in Zone B and C in some network scenarios). It’s worth remembering that you’re doubling your equipment costs every time you implement HA – and you’re doubling the associated costs, such as licensing and support, too.

You’re adding complexity to your system, so think carefully about how much HA you need, weighed against the cost and likelihood of potential business disruption due to hardware failure. 

Licensing

When it comes to edge-device licensing, you’ll want to read the fine print. Equipment licensing is a growth industry, and we’ve seen plenty of recent instances where the licensing costs more than the hardware.

Previously, the license was included in the cost of the device, without any expiration date (known as “perpetual licensing”), and now edge devices tend to run with termed licensing periods of one, three, or five years. 

There are a couple of reasons for this – it’s not just greedy manufacturers. In this new era of smart devices and IoT-enabled everything, the software and drivers embedded in the equipment have become increasingly sophisticated. 

Consequently, updating and maintaining licenses has become a more intensive job, often requiring centralized management portals and an extra layer of complexity. Sometimes, a single edge device (looking at you, firewalls) can require a fearsome array of separate licenses, depending on which of the device’s features you’ve enabled.

Support

If you’re looking for ongoing product support from equipment manufacturers (as the initial warranty has often expired by the time you have it out of the box), then there are usually two ways in which the support offered can differ.

Level of support. Your ongoing support plan might only include hardware troubleshooting services, or there may be a higher tier offered where configuration and software support are included.

RMA response time. Return merchandise authorization (RMA) in the event of hardware failure, can mean the difference between a few hours’ setback or half a week of chaos, depending on the RMA level you’ve chosen. For business-critical equipment, there's usually a 24x7x365 RMA response service that will guarantee your items are replaced within four hours. 

WAN Connections

It’s common for enterprise networks to be designed with multiple wide area network (WAN) connections now – diverse redundant circuits with multiple internet service providers allow organizations to ensure business continuity. Whatever equipment you choose for the edge of your LAN must be able to physically accommodate WAN connections for all these circuits.

What kind of WAN are you connecting to? If you’ve got private WAN connections handing off from a WAVE, Point-to-Point, or VPLS circuit, then you’ll be able to plug those directly into an edge/access switch. If you’re connecting to the public internet, there’ll likely be a firewall requirement first.

You’ll need to ensure that your edge device can cope with the amount of throughput your business wants – both now, and in the immediate future, as your bandwidth needs increase over time. Information on the throughput capabilities of a given device is usually available from the manufacturer.

Features

There’s an understandable attraction (of which manufacturers are aware) toward feature-heavy devices. However, before you pull the trigger on an all-singing, all-dancing edge device, you’ve got to weigh against the practicalities involved.

No matter how innovative your device is, it’s going to rely on conventional internal resources – CPU, RAM, and disk space. And each feature you enable is going to burden those resources.

Again, device manufacturers are usually good at providing guidance on the number of internal resources required to run each feature. But you’ll need to check that guidance against the throughput requirements of your own business.

You’ll also need to weigh up how any future network changes will affect every single feature you’re asking that device to provide. You might find yourself having to upgrade your edge devices sooner than you’d like, simply because your “all-in-one” device could no longer handle one of the features you’d assigned it.

Here’s a typical list of features you might find within one edge device. It’s prudent not to enable all of them.

• WAN Utilization Monitoring

• Web Filtering

• Deep Packet Inspection

• VPN (Virtual Private Network)

• Malware and Virus Filtering

• IPS (Intrusion Prevention System)

• IDS (Intrusion Detection System)

• Identity Management / SSO (Single Sign On)

Zone B – Network Core

The network core equipment tends to consist mainly of aggregation/distribution/core switches, and wireless access points (WAPs).

Aggregation/Distribution/Core Switch

There are five main variables when it comes to choosing your Zone B switches.

• Port speed. Modern LAN networks can reach speeds of 10Gbps and higher. However, faster switch ports come at a higher cost.

• Number of devices supported. Make sure your switch is large enough to accommodate the number of ethernet interfaces you’ll need.

• Using multiple switches – “stacking” vs “trunking” vs “daisy chain.” It’s common practice to use multiple switches joined together. Some sections of your core network are likely to require more ports than one switch can provide. You’ll get different levels of performance and resilience depending on whether you employ stacking, trunking, or daisy chaining to get what you need. 

• Power Over Ethernet (POE). Kind of a dual Zone B/Zone C consideration – POE is used for several modern endpoint devices now (think Point of Sale equipment or biometric scanners), as well as powering the WAPs that are, strictly speaking, a Zone B thing. Different devices using POE have varying power requirements, and you’ll need to gather device-specific information to help you calculate the overall power consumption for your POE switch ports. While you’re adding it all up, make sure to leave a little headroom for fluctuation events like system reboots.

• LAN protocols. Your network is obviously going to be tailored to your business needs – so make sure your switches can support any additional protocols in your core network. This could include specific security features, any VLAN arrangements, or Layer-3 routing.

Wireless Access Points (WAPs)

WAPs play an increasingly important role in modern-enterprise networks. Despite the fact they live behind the switch, powered by POE ports, like many endpoint devices, their distribution role places them firmly in Zone B.

You’ll need to remember the following points when you’re choosing your WAP devices.

• Security. Make sure your WAP devices are enabled for the correct WiFi security protocols (i.e., WEP/WPA/WPA2)

• Coverage. Ensure your WAP devices can provide sufficient coverage for the physical area you need them to cover.

• Physical environment. Indoor or outdoor? Any physical barriers, like steel shutters or concrete walls? These all affect signal strength.

• Device number/density. How many endpoint devices will be using a WAP? High density areas like conference rooms will need a specialized device.

• Bring Your Own Device (BYOD) partition networking. Will you be expecting your WAP to serve the needs of company devices, personal devices – or both?

• Device prioritization. You might want to create routing protocols to allow business- critical devices and processes to be prioritized.

• Performance expectation. Is high-performance LAN WiFi essential, or a nice-to-have? Choose your WAP devices accordingly.

If you’re looking to assess your WiFi and WAP procurement needs systematically, it’s worth using heat maps to get a more complete measure of the situation.

Zone C – Endpoints

As a rule of thumb, the requirements here in Zone C are going to determine what you need in Zones A and B. Figure out your endpoints and work backwards.

Wireless Devices

Group these according to type – laptops, tablets, IoT devices, and so on.

Then count them up, work out how they’ll be physically distributed across your location, and you’ll be ready to answer those tricky Zone-B questions.

Wired Devices

How many desktop computers, network printers, and so on, will be in use? This will give you a good idea of the speed and number of switch ports you’re going to need.

POE Devices

As we mentioned, lots of modern endpoint devices use Power over Ethernet. These can include the following.

• Cameras

• Point of Sale devices

• VoIP phones

• Biometric scanners and other security hardware

The number and power consumption of these devices will determine your choice of switch – how many ports and how much power is available (per port and in total from the device).

Other Devices

• Servers. Servers are best dealt with on a case-by-case basis. There are many different purposes and varieties of implementation possible, they don’t easily fit into any of our Zones. A server can primarily be used for core network functions, such as Domain Controllers / Active Directory / DNS / DHCP. Alternatively, a server could be used for file sharing or application-based purposes. It’s worth noting that the way businesses integrate servers across both the local and wide area network has changed massively over the past few years, and will continue to change as services like private or public cloud become even more widely adopted.

• Industry-specific devices. Much like servers, there’s no easy formula to help you assess your network needs when it comes to tools specific to your industry. Whether you’re a healthcare provider using sophisticated medical equipment, or a manufacturer with industrial plant and conveyor belts, you’ll need to consult carefully with your specialized equipment suppliers to properly assess your LAN network needs.

Here at Lightyear, experienced network specialists, who have designed and implemented local area networks of all varieties, support our automated procurement platform. We’re right here if you need someone to help you figure it out.