If switching is critical to the enterprise, routing is the rule in the WAN and wherever a network crosses organizational boundaries, such as to the Internet or a private-cloud provider. Of course, each site will have its own switching infrastructure, but all interbuilding traffic across large distances (more than 30 miles) should be routed rather than switched.
This requires edge routers, but not every edge router is designed the same way. Some are focused on meeting the needs of branch offices. Others are equipped to handle the problem of many WAN interfaces or virtual private network (VPN) tunnels coming into a central site. And some are more focused on handling Internet connections, which usually come with very large Border Gateway Protocol (BGP) routing tables.
The general idea behind pure routing devices is easy: Route packets, reliably and quickly. In the past, these devices may have had various WAN interface cards, such as T1/E1/T3/E3, or fiber connections designed to connect to carriers.
WAN interfaces are falling out of fashion as carriers increasingly turn to Ethernet as their demarcation service delivery technology for connections of up to 10Gbps. In any case, pure routing devices are generally optimized to handle large routing tables and bridge between organizational networks and the general WAN.
Increasingly, these enterprise edge routers include VPN capabilities, as many organizations are turning to the Internet for their WAN connectivity, either as the primary connection or as a backup. In some cases, the device of choice for enterprise edge connections isn’t a traditional router at all, but a firewall/VPN concentrator, which also has routing functionality available.
Choosing between firewalls that route (or routers that can serve as firewalls) can be difficult and a source of never-ending debate and argument between network and security teams. The pro-router side of the house will overemphasize the VPN and firewall capabilities and manageability of their favorite router vendor, while the pro-firewall side of the house will overemphasize the routing capabilities of their favorite firewall vendor. There’s no right answer; the choice should be based on experience in the field, pilot projects and an impartial evaluation.
While a branch office could use individual devices for network functions, such as bandwidth management, URL filtering and WAN optimization, many network managers are choosing feature-rich routers or firewalls at the edge of the branch office that integrate these features into a single platform. These devices generally have a core focus, such as routing or firewall, along with a large set of add-on services, which can reduce the hardware footprint and management costs in branches.
Many vendors offer very broad features, including security services (firewall, VPN, remote access, proxy, URL filtering, antispam and antimalware), network optimization services (WAN optimization, caching, load balancing and bandwidth management), and routing and switching services. In some cases, branch edge routers can become virtualization hosts for branch email, file and print services, switching platforms for data and voice traffic, and wireless controllers.
Although the idea of a single integrated platform is appealing, clear trade-offs are involved. Despite marketing claims, no one has managed to make a single device that brings the best of what’s needed in branches together into one manageable device. Thus, when network and security managers consider branch office devices, they must plan for both in-lab and in-field evaluation and pilot testing of critical features.
Connecting enterprise networks to the Internet used to be an afterthought, but the rise of cloud computing on public networks makes highly reliable Internet connectivity more important than ever. Dynamic routing based on BGP is the most common approach, as it makes the enterprise independent of a particular Internet service provider and simplifies scaling up connectivity, when needed.
The Internet routing table is currently just below 500,000 entries and has seen steady growth. It will top 500,000 entries before the end of 2013 and likely will add more than 50,000 entries in 2014. Internet routing is generally separated from the enterprise network by firewalls, leaving special-purpose Internet routers to handle connectivity, failover and routing. Network managers should plan on handling large routing tables from multiple redundant connections (at least four connections to handle transitions during contract switchover) at the network edge, which requires maximizing memory and router CPU power in each edge device.
For environments in which cloud services are critical, network managers also should focus on performance, both of the routing device and the connection. This includes all aspects of performance — not just bandwidth, but also latency and packet loss to key sites. Many edge routers include some bandwidth management and traffic-shaping capabilities — key features to keep business-critical traffic from being crowded out by the latest YouTube video.
To learn more best practices, insights and strategies on routing and switching, read our "Ultimate Guide to Routing and Switching."