Your network must be unimpeachable

Read in about 4 min · (748 Words)
tags: · tech ·

When someone asks me for advice on computer parts, I tell them that there are two components you can’t afford to skimp on: the power supply and the motherboard. If you buy an off-brand video card, it will be pretty easy to figure out whether it is causing any problems. If your hard drive dies, which all hard drives eventually will, you’ll know immediately. The same isn’t true of a PSU or mobo. If one of them is flaky, it can cause all sorts of issues that are tough and expensive to troubleshoot. They’re central components that everything else in the computer relies upon.

I feel the same way about networks. Everything in IT relies on the network. End-users connect to their applications over the corporate LAN, servers connect to their SANs via storage networks, and customers connect to web services via the WAN. If you are uncertain about your network’s stability, doubt will creep into your mind every time there’s a minor issue. You’ll start spending your time chasing network ghosts instead of focusing on building and maintaining your infrastructure. The network is the heart of your environment, and buying cheap equipment or running with a bad configuration can undermine its capabilities. Your network must be unimpeachable.

Nobody has an infinite budget, and networking is seen as “just a bunch of ports” instead of the core service that every device relies upon. Networking is so crucial that it’s often taken for granted; everyone assumes it’s already in place, which makes it hard to see the value it provides. Why would you spend thousands of dollars on expensive Juniper or Cisco equipment when you could spend hundreds of dollars on a Netgear or Linksys with all of the same features? The value of an enterprise-grade switch isn’t purely that it checks all of the important feature boxes, but rather that those features work in a consistent, dependable, and repeatable way.

A Netgear switch might say that it supports LACP and LAG groups, but you’ll find yourself wondering whether it really does dynamic LACP, which traffic-hashing algorithms it actually offers, and whether it will interoperate cleanly with your existing network. When you buy an enterprise-grade switch, you know that it’s going to pass all of the traffic you can throw at it, that it will have the logging and monitoring required to detect issues proactively, and that you won’t have to worry about half-implemented features or compatibility.

When it’s 4:30pm on a Friday and you get the call that your VoIP phones are down, do you really want to be wondering whether your trunk port forgot its VLANs again or whether a cheap switch got into a weird state and needs a reboot?

If networking is the heart of an infrastructure, then routers and firewalls are the heart of networking. When a SonicWall or Watchguard claims feature parity with a Juniper or Palo Alto at a quarter of the price, how could any rational decision-maker go with the more expensive option? The manufacturers of second-tier networking gear do everything in their power to make their products appear capable and competitive. It’s not until you’re hours deep in troubleshooting a web app that randomly disconnects, or adjusting a VPN that just won’t negotiate, or trying to build a NAT rule that the box can’t express, that you realize feature parity on paper is much easier to achieve than feature parity in practice.

I have a VPS through Linode (which is currently serving this post to you) that runs in a data center in Fremont. When I’m neck-deep in code and web server configuration, I don’t want to wonder if it’s the network that’s causing my site to have issues. I don’t want to wonder if a router is silently dropping every 15th packet, I don’t want to wonder if an over-aggressive ACL is rejecting my SYN-ACK packets, and I don’t want to wonder if maybe there’s a duplex mismatch issue somewhere that’s causing slowness. The network needs to work, or else I’m always going to be suspicious that it’s failing me in some way. A simple issue now requires digging into switch logs and doing packet captures. I love running Wireshark as much as the next guy and I’ve got my gigabit port-mirroring device for grabbing captures, but I’d much rather solve application issues without worrying that the pipe somewhere down the line is messing something up.
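The three network faults named above (a drop on a fixed cadence, a SYN that never gets its SYN-ACK, and a duplex mismatch) each leave a recognisable fingerprint, and a quick triage pass over a capture or the interface counters can rule the network in or out before you dig into the application. The script below is an added example written for this page, not code from the original post; it runs on constructed sample data (echo sequence numbers, a handful of simplified TCP handshake records, and interface counters whose field names are assumed for the example) and flags each of the three patterns.

```python
"""Triage helpers for ruling the network in or out before blaming the app.

Added example, not part of the original post. The inputs are constructed
sample data rather than a real capture; the (ts, src, dst, flags, seq)
record layout and the counter field names are assumptions for this example.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: ICMP echo sequence numbers seen at the receiver.
# Sequences 15, 30, 45 and 60 are absent, i.e. every 15th packet was lost.
OBSERVED_ECHO_SEQ = [s for s in range(1, 61) if s % 15 != 0]


def missing_sequence_numbers(observed: List[int]) -> List[int]:
    """Return every sequence number absent between the first and last seen."""
    seen = set(observed)
    return [s for s in range(min(observed), max(observed) + 1) if s not in seen]


def periodic_loss_period(observed: List[int]) -> Optional[int]:
    """Detect loss that recurs at a fixed interval, e.g. every 15th packet.

    Returns the period when at least three packets are missing and every
    missing number is the previous one plus the same constant; random loss
    or no loss returns None. Loss on a fixed cadence points at a device in
    the path (a polarisation-style hashing bug, a rate limiter, a bad
    member of a LAG) rather than at the application.
    """
    missing = missing_sequence_numbers(observed)
    if len(missing) < 3:
        return None
    gaps = {b - a for a, b in zip(missing, missing[1:])}
    return gaps.pop() if len(gaps) == 1 else None


# Constructed TCP capture rows: (timestamp, src, dst, flags, seq).
# Client 10.0.0.5 opens three connections to 203.0.113.10:443; the third
# never sees a SYN-ACK and keeps retransmitting its SYN, which is what an
# ACL dropping the return traffic looks like from the client side.
TCP_PACKETS = [
    (0.000, "10.0.0.5:50001", "203.0.113.10:443", "S", 1000),
    (0.012, "203.0.113.10:443", "10.0.0.5:50001", "SA", 5000),
    (0.013, "10.0.0.5:50001", "203.0.113.10:443", "A", 1001),
    (1.000, "10.0.0.5:50002", "203.0.113.10:443", "S", 2000),
    (1.011, "203.0.113.10:443", "10.0.0.5:50002", "SA", 6000),
    (1.012, "10.0.0.5:50002", "203.0.113.10:443", "A", 2001),
    (2.000, "10.0.0.5:50003", "203.0.113.10:443", "S", 3000),
    (3.000, "10.0.0.5:50003", "203.0.113.10:443", "S", 3000),  # SYN retransmit
    (5.000, "10.0.0.5:50003", "203.0.113.10:443", "S", 3000),  # SYN retransmit
]


def half_open_handshakes(packets) -> Dict[Tuple[str, str], int]:
    """Map (client, server) flows that sent SYNs but never saw a SYN-ACK to their SYN count.

    Several SYN retransmits with no SYN-ACK anywhere in the capture means the
    request left this host; either the server never answered or something in
    the path dropped the reply. Capture on the server side to tell which.
    """
    syns: Dict[Tuple[str, str], int] = defaultdict(int)
    synacks = set()
    for _ts, src, dst, flags, _seq in packets:
        if flags == "S":
            syns[(src, dst)] += 1
        elif flags == "SA":
            synacks.add((dst, src))  # key on the client side of the flow
    return {flow: n for flow, n in syns.items() if flow not in synacks}


# Constructed interface counters, as you might scrape from `ethtool -S` or a
# switch's `show interfaces`. The field names are assumptions for this example.
IFACE_COUNTERS = {
    "eth0": {"duplex": "half", "late_collisions": 412, "fcs_errors": 0, "runts": 3},
    "eth1": {"duplex": "full", "late_collisions": 0, "fcs_errors": 1890, "runts": 220},
    "eth2": {"duplex": "full", "late_collisions": 0, "fcs_errors": 0, "runts": 0},
}


def duplex_mismatch_suspects(counters) -> List[str]:
    """Flag interfaces whose error profile matches a duplex mismatch.

    The half-duplex side of a mismatch logs late collisions; the full-duplex
    side sees the peer's collision fragments as FCS errors and runts. Either
    profile on a link that "works" is the classic cause of slow-but-not-down.
    """
    suspects = []
    for name, c in counters.items():
        if c["duplex"] == "half" and c["late_collisions"] > 0:
            suspects.append(name)
        elif c["duplex"] == "full" and (c["fcs_errors"] > 0 or c["runts"] > 0):
            suspects.append(name)
    return suspects


if __name__ == "__main__":
    print("periodic loss period:", periodic_loss_period(OBSERVED_ECHO_SEQ))
    print("half-open flows:", half_open_handshakes(TCP_PACKETS))
    print("duplex mismatch suspects:", duplex_mismatch_suspects(IFACE_COUNTERS))
```

Feed it real data by replacing the constructed lists: echo sequence numbers from a ping run, a five-tuple export from Wireshark or tshark, and the counters from both ends of the link, since a duplex mismatch only shows its full picture when you compare the two sides.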