In our first post on this subject, we looked at the background of the DfE standards and went into some detail on the broadband elements. In this article, we will look at the wired network requirements, which cover both switch hardware and cabling standards.
Network switching
The standards for network switching cover four interrelated topics:
- Switches should provide fast, reliable and secure connections
- There should be a platform that can centrally manage the network switching infrastructure
- The switches should have security features to protect users and data
- Core switches should be connected to at least one UPS
The Hardware
To meet the standard there are a number of minimum specifications that must be met with any new hardware. The aim of the standard is to ensure that all standard-wired users receive a minimum 1Gb connection.
Where there are more specialist users, including other systems such as servers, wireless etc. (more on wireless in part three of this series), the devices should be capable of operating at higher bandwidth, either through dedicated ports or through port bonding or aggregation technologies.
To power wireless access points, CCTV and telephones, the devices should conform to PoE standards; using PoE is preferred to separate power connections.
Where switches are arranged in stacks they should support 40Gb interconnects utilising dedicated stacking ports.
Where the design involves core and edge switches/stacks, those should be connected via a minimum of 2 x 10Gb links, where possible using diverse cable routes to maximise resilience (although this can be cost prohibitive in some locations). This will further impact the design, as the core will also need to have the redundancy/resilience built in to utilise multiple connections.
PoE switches should conform to 802.3af/at/bt depending on endpoint requirements and have LLDP-MED enabled.
Switches should also comply as a minimum with the 802.3az Energy Efficient Ethernet standard.
Individual edge switches should have the following basic capabilities:
- minimum 512Mb core memory
- support minimum of 16,000 MAC addresses
- support spanning tree protocols
- use a non-blocking switch fabric
It is worth noting that despite the dump of technical information above, most modern switch hardware from vendors such as Cisco/Meraki, Aruba or Extreme Networks will meet those requirements and standards, although in some cases it may preclude the lowest tier of models.
The standard doesn’t differentiate between requirements for primary, secondary or college sites and while the latter may well have met the standard during any refresh anyway it is possible that for primary schools this may be above what would otherwise have been deemed a suitable solution. This decision may impact the financial viability of the upgrade and so a risk management based approach to determine the importance of fully meeting this standard would be recommended.
In terms of timing, the guidance is that this is the specification that should be achieved when the current infrastructure either underperforms or is unsupported. The latter is a key point to watch: although some manufacturers offer lifetime warranties on network hardware, they don’t always continue to support it with updated software and/or security patches, which can leave it vulnerable.
It is always worth reviewing your current setup to understand when the best time to replace would be. Not least because this may be a sizeable investment although the vendors mentioned above would all expect to get at least 8-10 years of use out of their devices.
If your current network hardware is in need of replacing, alongside a technical review and design it is worth checking the likely value of the replacement – many vendors now have annual costs for licences as part of their solutions alongside warranty options which when taken over the life of the contract can exceed the limits requiring a procurement exercise to comply with the Public Contracts Requirements 2015. If you are unsure or would like help with either the technical, procurement or wider project management requirements please get in touch.
Although the specification above is addressed as standard by many vendors, meeting the next two requirements may need an alternative solution design.
Central Network Management
The requirement states that there needs to be a central management tool that can be used to configure the switching, monitor performance and provide alerts in the event of a failure. Although we are looking here specifically at wired networks, it is worth considering whether any solution could/should also be able to perform the same services for the wireless network.
One of the key aspects of the tool is the ability to deploy updates and configuration changes to the network switches from a central point. Traditionally, many schools and colleges have deployed switches that are in effect standalone when it comes to their software and configuration. In the worst case, a physical visit to the switch would be needed to effect any update to the software or make a change. The result of this approach is that in many cases switches are running out-of-date, unpatched software, which represents a security risk to the network. Configuration changes can also be time-consuming to deploy and can lead to errors.
Even if your network hardware meets the requirements, if you aren’t able to operate a central system to monitor and update the network then you should consider this as a key area for improvement.
Depending on the size and make-up of your organisation, you may not have the skills in-house to make use of such a tool and the standard recognises that and does allow for 3rd-party services to be used to fulfil the same aim.
The standard also requires switch hardware to be covered for a minimum 5-year period, reiterating the consideration of this as part of the procurement exercise.
Security
The requirement in this area starts from the premise that switches should be configured to include network segregation, security and quality of service features to ensure the best performance while protecting users and data.
As is standard security practice, administrative accounts should be secure, for example by removing any standard admin accounts and ensuring that passwords are complex and documented.
Switch software updates should where possible be automated with manual checks undertaken at intervals to ensure the automatic update service is working correctly.
The standard goes on to say that network access controls and policy management should be implemented to ensure that users, particularly guest users and mobile user devices, are authenticated to the network and granted the correct access rights.
The impact of the security measures should be that users and data are protected and that network traffic is protected from external and unauthorised internal interception.
Many of the tools for centralised management will also include the security arrangements listed here as part of their feature set. Once again, consideration should be given as to whether a tool can cover both wired and wireless networks and, as before, this is something that could be delivered by a 3rd party as a service.
As with centralised management, even if your network broadly meets the technical specifications from a hardware perspective it is worth reviewing the configuration to ensure that features relating to security are on and working in an effective way.
UPS
The standards laid out in this section go further than just specifying that the core switches should be attached to an uninterruptible power supply (UPS). The requirements for a core switch are that as a minimum it should have:
- 2 x power supplies
- 2 x management modules
- 2 x connections to other critical systems such as routers, servers and other core switches
So in real terms, this means that any design for a replacement core would be looking to establish a resilient setup with no single point of failure. As noted earlier, the standards ask for two connections per stack back to the core as well.
While these requirements are good in terms of best practice they do present a challenge financially, particularly for primary schools, as developing a fully resilient network will be more costly than one that would meet the other elements of the requirements but using a single core.
The UPS element of the standard does throw up an interesting discussion point because, while it specifically identifies the core switches as needing protection, it also refers to “critical switches” which should be identified and protected. How much of the infrastructure is considered critical, and which systems you would want to ensure continued to function in the event of a power outage, is not directly specified and would, I suspect, differ between establishments.
Once again, this discussion probably sits as part of a wider business continuity conversation. For example, if a site or part of a site loses power, desktop devices wouldn’t work even if the network was running on UPS, whereas laptop devices could continue to work. However, on-premise servers are often configured to undertake an orderly shutdown in the event that they revert to UPS power, so would that render the laptops inoperable? Also, if you are without lighting due to a power cut, would you keep the site open?
In addition to working out what to protect, you also need to consider how long you need the UPS to run for. A major factor in the cost of the solution will be the size and number of batteries, which dictate the length of time they can provide power. Is it, as mentioned above, just to protect against short, transient breaks in power and then shut down if longer outages are experienced, or do you want to maintain some services for much longer, for example phone systems to ensure you can contact parents to inform them of what is going on?
The timing of these recommendations is, as with most of the network ones, for when a current system is no longer effective or supported. For budgeting purposes, it is always worth noting that a change to the network, particularly the core, will change the power requirements and may therefore require a change of UPS even if the current one is in support. It is also worth checking estimates of battery replacement lifespan and cost of replacement, as UPS batteries, like all batteries, will degrade over time and need replacement.
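As an added example (not part of the DfE standard or of the original article), the following Python sketch audits a switch inventory against the switching requirements described in the sections above: the edge minimums, the 2 x 10Gb uplinks, core resilience and UPS cover, vendor support, central management and removal of standard admin accounts. The record field names, the `switch` helper and the sample inventory are constructed for illustration.

```python
from datetime import date

# Minimums as stated in the article (memory figure of 512 as the article gives it).
MINIMUMS = {
    "edge": {"memory_mb": 512, "mac_table": 16000, "access_gbps": 1},
    "core": {"psus": 2, "mgmt_modules": 2},
}

def switch(name, role, **overrides):
    """Build a constructed inventory record; defaults describe a compliant switch."""
    base = {"name": name, "role": role, "support_ends": date(2030, 1, 1),
            "centrally_managed": True, "default_admin": False,
            "memory_mb": 1024, "mac_table": 32000, "access_gbps": 1,
            "uplinks_gbps": [10, 10], "psus": 2, "mgmt_modules": 2, "on_ups": True}
    return {**base, **overrides}

def audit(sw, today):
    """Return the list of gaps for one switch record."""
    gaps = []
    # A warranty does not guarantee continued software and security patches.
    if sw["support_ends"] < today:
        gaps.append("out of vendor software support")
    if not sw["centrally_managed"]:
        gaps.append("not in central management")
    if sw["default_admin"]:
        gaps.append("standard admin account still present")
    for key, minimum in MINIMUMS[sw["role"]].items():
        if sw[key] < minimum:
            gaps.append(f"{key} {sw[key]} below minimum {minimum}")
    # Edge switches/stacks need at least 2 x 10Gb links back to the core.
    if sw["role"] == "edge" and sum(u >= 10 for u in sw["uplinks_gbps"]) < 2:
        gaps.append("fewer than 2 x 10Gb uplinks to core")
    if sw["role"] == "core" and not sw["on_ups"]:
        gaps.append("core switch not on a UPS")
    return gaps

def audit_all(inventory, today):
    return {sw["name"]: audit(sw, today) for sw in inventory}

# Constructed sample inventory.
INVENTORY = [
    switch("core-1", "core"),
    switch("edge-lab", "edge", memory_mb=256, uplinks_gbps=[10],
           support_ends=date(2021, 6, 30)),
    switch("core-old", "core", psus=1, on_ups=False, centrally_managed=False),
]

if __name__ == "__main__":
    for name, gaps in audit_all(INVENTORY, date(2022, 10, 1)).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

Feeding it an export from the central management platform, rather than a hand-maintained list, keeps the support dates and management status current.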
Network Cabling
The standard for network cabling is broken down into three distinct sections:
- Copper
- Fibre
- Installation and Testing
All three elements are to be met, according to the standards, when current solutions are underperforming or in new school or college building projects and, as mentioned in part one, these standards come out of the generic design brief for new buildings so should already be included in projects of this nature. This sadly is not my experience with a number of new builds still using older copper and fibre standards, often due to the choice of contractor not having staff accredited to install the newer ones.
However, the standard also says that new copper cabling should be installed when upgrading the wireless network which I assume means just the cabling to the access points rather than the whole site/building as that would render a wireless upgrade somewhat cost-prohibitive! Without spoiling for part three, the wireless standards do look at multi-gigabit connections which new cabling would better support.
Copper
The headline standard for copper installation is that it should use Category 6A cable. There are a number of other elements to the standard such as links not being more than 90m and no intermediate splices or patch panels used. In essence, meeting the standard would require schools and colleges to ensure that the installer was fully certified to install Cat 6A cable and that they design their runs in accordance with the manufacturer’s guidance to comply with elements such as bend radii and separation from other cables and interference sources.
Most schools and colleges will likely not have in-house expertise at this level and so, when procuring services directly, may benefit from having some expert input to ensure that the specification in the tender covers the elements of this standard.
As noted, it is also important in new build projects that the standards are being adhered to as often the data cabling package is through the prime contractor or their M&E sub-contractor and this can lead to compromises being made if the client side representative for M&E doesn’t push. Again, this is something that may benefit from an independent specialist to help with those elements of the build and this is something we are happy to do.
A final little area to note on copper cabling. When installing Cat 6A you will also need to ensure that any patch leads used to connect either devices or back to the switch are also Cat 6A. This is often something that is overlooked as there may be a ready supply of Cat 5/5e patch cables lying around and the temptation is to save money and use those. However, the standard specifically states that the same type and standard must be used.
Fibre
As with the copper standard, the main element of the fibre standard is that all new fibre installations should utilise OM4 cable, specifically a minimum of 16-core multi-mode OM4 fibre. Many current installations will be OM3 (and some even older) and as with the copper standards, there is a temptation on some new builds to continue with that cable.
Meeting the standard is again easy providing the installer is certified to install the OM4 fibres and complies with best practices in terms of length and routing. Fibre runs should be direct point to point without intermediate splicing or patch panels and where possible underground ducts should be used between buildings.
As with all of the cabling standards, the time to look would be when doing new builds but I would also suggest reviewing your existing fibre cabling and if you have anything older than OM3 then this would be a prime candidate for a replacement. Similarly, if any of the existing runs are not direct this may need attention and a review of why this was originally done as it may need a wider look at the network design.
Installation and Testing
The standard states that new cabling should be installed and tested in line with the manufacturer’s guidance, warranty terms and conditions.
As noted in both cable sections, meeting the standards should follow from the appointment of a fully accredited and certified installation company that is able to demonstrate that they meet the standards for installation, operation and maintenance of network cabling (BS6701, 50173 and 50174).
Where this becomes slightly more challenging is when an organisation uses their own internal teams to undertake data cabling work. While this has traditionally been the case in some colleges, it is important that anyone undertaking installation has been trained in the modern cable types and is able to not just install the cabling but also provide the appropriate testing.
The standard specifically requires the provision of a detailed test report based on the test limits defined in the BS50173 standard.
The standard also requires a minimum 20-year manufacturer’s performance warranty for the complete cable installation.
From experience, the testing and warranty requirements are often missed from new build projects and as always should be specified in the procurement process to ensure that they are provided at the end. As noted earlier, where new builds are sub-contracted to the prime contractor it is important that these requirements are fed in from the client side so that they come through with the other warranties that a contractor will provide as part of completion.
That concludes part two of the standards. In part three we will look at the final piece of the puzzle, wireless networking. As always, if there is anything that we can help you with in relation to meeting the standards or understanding where you are currently in relation to them, please get in touch.