Blog

What’s the Best Ethernet Cable to Install

So you want to wire up your home or office. That’s a great idea. Using a wired connection for devices that never move will improve your network because:

• the wired network performance will be better and more reliable than Wi-Fi in most circumstances,

• fewer wireless devices on your Wi-Fi network may allow the mobile devices to have better Wi-Fi performance.

There are many choices when it comes to ethernet cable. Can’t I just buy the best one? Well, which is best depends on your installation environment and your performance requirements. Installing what might be technically “best” may not be the best choice for your situation.

Category Level

Twisted pair ethernet cable is rated by category. You’ve seen cat 5 and cat 6, etc. Generally, the higher the category level number, the more twists there are per cable length. More twists provide more resilience to cross-talk and other signal interference. These days, category 3 through 8 are available.

Cat 3 – Don’t ever install cat 3 for ethernet. You might find cat 3 cable existing in some situations, and it should be replaced if you need ethernet there. Cat 3 cable is limited to 100 Mb speeds, and in practice may not even achieve that. Cat 3 cable is only suitable for telephone cable, so-called POTS, plain old telephone service.

Cat 5/5e – Cat 5 is the bare minimum for today’s typical ethernet of 1 Gigabit (1000baseT). Cat 5 might not be available — you’ll probably only find cat 5e cable, which is the same thing but built to a stricter standard. Installing new cable in a residential environment, cat 5e is perfectly adequate for over 90% of the cases. If you are cost conscious, cat 5e is your best choice.

Cat 6 – You want cat 6 or higher only if you currently have the need for speeds higher than 1 Gb, or you want to allow for that in the future. Since cat 6 cable is only about 15% more expensive than cat 5e, and it really isn’t any more time consuming to terminate, cat 6 is a good investment for most projects. Keep in mind, to achieve the higher speeds the cable length is limited to about half. A Gigabit cable can be 100 meters. However, to run at 10 Gig speeds, it can’t be more than 55 meters. And of course you need 10 Gig equipment at both ends. Cat 6 cable is your best choice for 99% of the cases.

Cat 6a – This is similar to cat 6 cable, but can run 10 Gig to the full 100 meter length. However, here is where the price starts to jump. Cat 6a cable is 60% more expensive than cat 6 cable and over 80% more expensive than cat 5 cable. Cat 6a will be your best choice if you need 10 Gig in the relatively near future and 55 meters isn’t long enough.

Cat 7 – Most importantly, cat 7 cable only comes shielded, not unshielded, which we talk about next. Cat 7 is rated for 10 Gig, which is not any faster than cat 6a, but in practical scenarios you are likely to get better throughput. Cat 7 cable is nearly twice as expensive as cat 6a and more than 4 times as expensive as cat 6. Because it only comes shielded, all the connecting parts are also much more expensive and 4 times more time consuming to connect properly, which can translate to significantly higher install labor costs. The huge jump in price makes cat 7 unnecessary overkill except in very specific situations that need the shielding and the higher performance.

Cat 8 – This can provide speeds up to 40 Gb in very specialized situations and short cable lengths. Cat 8 is not appropriate for general cable runs to wall jacks.

Keep in mind that while you want the best performance, typical computers and network switches support only Gigabit ethernet, not 10 Gig or higher. Most laptops don’t have ethernet ports at all, but Gigabit adapters are commonly available for as little as $10. Installing Cat 6a, 7, or 8 cable will not give your computer 10-40 Gigabit speeds through a single Gigabit port. Special network adapters are required to support 10 Gig or higher and they are $250 and up. Switches capable of 10 Gb are expensive and have few ports. It will be several years before 10 Gb is the baseline port speed available on typical end-user devices.

Shielding

Do I get shielded twisted pair or not shielded? Cat 5e, 6, and 6a cables are available as either unshielded twisted pair (UTP) or shielded twisted pair (STP). Shielding protects the low level signals on the cable from interference. So shielding is best, and I want the best, right? Not so fast.

In order for shielding to do its job and not become a big antenna actually creating interference, the shielding must be grounded at one end. Proper installation requires that every coupling and terminating connector be shielded, the connectors installed correctly so the shielding is connected, and the network switch be compatible and provide the grounding. Improper installation is not only a waste of money but could create networking issues.

The other consideration with shielding is that RJ45 plug ends are much harder to terminate. I’ve been putting ends on cables for 30 years. It’s something I actually enjoy doing. I get a little OCD serotonin rush getting the colored wires in the right order. However, it still takes me 2-4 times longer to terminate a shielded cable than an unshielded one. Cat 7 has three levels of shielding, is a larger gauge wire than cat 5e, and makes calluses on my thumbs.

So do I even need shielded cabling? In most cases the answer is no. The electromagnetic interference (EMI) in a residential environment is very unlikely to be consequential enough to warrant shielding, even if you have a dozen microwave ovens that your cable runs across. There is no electromagnetic field emanating from ethernet cable, so shielding is not protecting people from the ethernet wires. In most business environments, EMI is also inconsequential. Shielding is really only needed for installation environments that have significant EMI: radio stations, airports, some audio production, manufacturing plants with large turbines or high-voltage lines, or similar situations. If you are curious about what your EMI environment actually looks like, rent an EMF meter.

During installation, there are simple precautions that can be taken to reduce interference for unshielded cable. These tips are good for all low voltage cable installations such as phone lines or alarm sensors.

• run cables perpendicular to any electrical power cables (110/120V or higher)

• if ethernet has to run parallel to electrical power, the runs should be 18” apart or more

• avoid cable near fluorescent light fixtures

• avoid cable near motors

Solid or Stranded core

You will find cable available which offers a choice of solid copper core or stranded copper core. Which one is best? Again, it depends. Solid core cable is less flexible and the wires inside can actually crack if flexed too much or too often. So once it is installed, it should stay put. Stranded core cables are more flexible, but they don’t make reliable connections in some situations.

Use solid core cable to install between your switch and wall jacks, connecting to a punch-down block at either end. Wall jacks have punch-down block termination on the back. So if you are cabling to wall jacks, you want solid core cable. Never use stranded cable in a punch-down block as it will not make and keep a reliable connection.

Use stranded core cable for patch cables (between devices and patch panels) or “drop” cables from the wall jack to your computer. It’s most effective to get stranded core cable pre-made with the connector plugs already attached.

Plenum or Riser or Outdoor Rating and Conduit

Do I need plenum or riser rated cable? This is a fire rating of the outer sheath of the cabling. Fire rated cable is only needed for runs that go from one floor to another or through the spaces between floors. A plenum or riser rated cable is fire resistant. In a multi-story commercial building where a bundle of cable is run from one floor to the next, riser rated cable is required so the cable is not a path for a fire to spread between floors. In offices with a dropped ceiling, the space above the ceiling is the plenum, which is an HVAC air return space. In the plenum, plenum rated cable is required so that the cables are again not a path for the spread of fire. You may see the abbreviations CM, CMP, CMR, CMX. CM cable is not fire-rated and is not suitable for plenum or riser. Use CM cable only in-wall, residential 1-2 floors, or inside a fire-proof shaft. CMP and CMR are fire-rated for plenum or riser respectively. CMP and CMR cables are interchangeable. CMX is fire-rated for residential greater than 2 floors. Note that CMP/CMR is a higher rating than CMX, so they can be used in residential environments in place of CMX, which might be hard to find.

Outdoor rated cable is exactly what it sounds like – the sheath is made to withstand the elements, both water and U/V. It can be buried without conduit. Note that I’ve seen critters take a liking to outdoor cable. My recommendation is that if you are going to take the time to lay cable outside, put in conduit even if you don’t bury the conduit. It will keep out the elements and the critters and the errant weed whacker. Your outdoor installation will last 10 times longer with conduit than without. Any outdoor coupling requires a waterproof RJ45 coupler or must be placed inside a weatherproof box. Don’t scrimp here because it will fail otherwise, within a year.

Indoors, you might consider flex conduit through areas that could be frequented by rodents, especially in areas which are difficult to reach.

Connectors and Patch Panels

I’ve decided which type of cable to use, do I have to match the connectors? This answer is easy, yes! Ensure that you use all connecting parts that are of the same category rating, shielding, core — all three need to be compatible. You might think if you have cat 5 wire you can use cat 6 connectors because cat 6 is better. But cat 6 cable is actually a larger wire gauge so the cat 5 connector will not fit properly. The reverse is of course also true. Cat 6 and 6a are the same wire gauge, so their connectors are the same basic size. However, using cat 6 connectors on cat 6a cable may compromise the certification to full speed/length. Since cat 7 is shielded every which way from Sunday, cat 7 shielded connectors are required.

RJ45 plug connectors can be compatible with wire core solid, stranded, or either. Ensure that you purchase RJ45 connectors that are compatible with the core of cable you will use. Using a solid core RJ45 connector on stranded cable will provide a poor connection prone to fail, and vice versa. Note that RJ45 connectors themselves are not labeled with the category rating or any other specification. So keep your connectors in labeled bags. If you have a mix of solid and stranded core cable for different uses in your project, you might want RJ45 connectors that work with either type of core because different baggies of connectors are likely to eventually get mixed up.

Much better than cable connectors (RJ45 plugs) are patch panels. If you are running cables from remote jacks to a central distribution, like a switch, install a patch panel. A patch panel has punch-down connections on one side and RJ45 jacks on the other. Your in-wall solid core cable will connect to the jack punch-down on the far end and to the patch panel punch-down at the distribution panel. The punch-down is very easy and quick to terminate reliably with solid core cable and makes a neat installation that is easy to manage. These cables can then be secured to protect them from flexing. The patch panel has spaces for labels too. Then use patch cables between the patch panel and your switch ports. Buy patch cables in pre-made lengths with stranded core to connect your patch panel ports to the switch ports. The patch cables can be flexed in tight spaces in your distribution panel. If you use a patch panel in this way, you can avoid having to crimp dozens of RJ45 connectors. Of course, ensure the category level of your patch panel matches your cable, especially not confusing cat 5e and 6/6a due to the different wire gauge.

Conclusion

For most installations, the best choice is cat 6 cable unshielded (UTP) that is fire-rated as needed for your situation. Cat 5e is a great choice for the budget conscious and cat 6a for those with high performance needs (not dreams) today or the future. Cat 7 is only for specialized situations and will dramatically increase the cost and could cause problems if not installed correctly. If you are reading this article, I’ll bet that you don’t need cat 8. Don’t get shielded cable unless you really need it because it makes your project unnecessarily expensive and more challenging to install. Use solid core cable for distribution runs and stranded core for patch cables. Whichever cable you choose, ensure that you use connectors and patch panels which are compatible with the type of cable, in category, shielding, and core. Use a patch panel at your distribution area for a faster, neater, and easier to manage installation.

Following these guidelines will significantly reduce your installation frustration and provide a reliable network. Network issues resulting from incompatible materials or improper installation create gremlins in your network, which are tough to identify and resolve.

Practical Impact of DNS over HTTPS (DoH)

4/25/19

The tech news has been abuzz recently regarding DNS over HTTPS, or DoH for short. Some articles portray it as the savior of personal privacy and security. Others paint a grim picture of DoH destroying all protections and ability to police the internet. The reality is of course a little of both.

Primer: DNS is the system which translates an internet server name, such as myspecificbank.com, to an address that can be found on the internet, which looks something like 242.253.1.59. Today, those requests are visible to any prying eyes and can be used to target hacking attacks or redirect users. HTTPS is a language that your web browser speaks to get web pages. It is encrypted, locked from prying eyes. The idea is to put DNS requests inside of HTTPS requests so they are hidden.

DoH will improve privacy in the form of hiding the names of sites you visit. It can also potentially improve security by reducing the possibility of getting fake information about a server address and being redirected instead to a hacker site stealing your data. These are both welcome and long-awaited improvements. However, there are limitations and downsides.

Limited Implementation

The initial implementation of DoH announced to-date is only in web browsers (Chrome & Firefox) and Google Android. Any DNS request made by any other application outside of your web browser or Android phone will not be using DoH. It’s unclear if or when Microsoft and Apple will implement DoH. If you are really concerned about privacy you can install a DoH proxy for PC or Mac. But as long as your router, which is usually a de-facto DNS server, still uses old-school DNS, any other devices you have won’t have their DNS requests private.

Speed of Implementation

These days, most internet traffic is web browsing. Google Chrome and Mozilla Firefox browsers are used for over 75% of all web surfing worldwide. By using the web browser to make DNS requests private, these two companies hold the power to effect this change very quickly. They are planning just that. DoH is already working in both Chrome and Firefox; it’s just not enabled by default. Mozilla could make DoH the default behavior in Firefox as early as summer 2019. This fast-track has those who spy on you for a living up in arms, that is, governments and internet providers who mine this data or use it to control what you see. (Hint: they won’t be able to anymore.)

Neutered Firewalls

Both home and business networks usually have some sort of firewall. It may be anything from as simple as the box that the internet provider gave you to as complex as a custom-managed and monitored enterprise firewall. In any case, the odds are that at least some part of that firewall expects to be able to see all DNS requests if not answer them directly. Today, no network access works without first sending a DNS request. So firewalls often take advantage of that to block sites. For example, a simple vendor-provided parental control feature may merely block the DNS requests for sites on a list deemed to be unsuitable for children, thus rendering those sites inaccessible (to the average user).

When DoH is in use, the firewall will never see the DNS requests and not get the opportunity to intervene in name-based restriction rules. The end result is that if DoH is enabled before your firewall is modified to no longer depend on DNS requests, then the firewall may be rendered mostly moot. Kids will be surfing porn and employees wasting hours on social media. Not all firewall features are dependent upon DNS, but a surprising number may be. The trick is that we don’t fully know yet. Your firewall vendor likely doesn’t know yet the extent of this issue.

Private and Split-horizon Domains

In business, it is common for internal servers to be part of a private DNS domain. Such a domain is unresolvable by an external DNS server – DNS requests only work inside the company firewall, for example, files.corp.abcwidgets.com. The trick is that the planned browser DoH implementation uses external DNS servers to answer requests. Companies which have these private DNS configurations will need to either prevent DoH from being enabled in their employee browsers (stop the auto-upgrades), or scramble to upgrade their internal DNS servers to support DoH, and then ensure that it is referenced as the DoH Trusted Recursive Resolver in the browser.
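To make the firewall and private-domain points above concrete, here is an added example (not from the original post) of how a DNS query is wrapped into a DoH GET request per RFC 8484, and how name-based rules can still be applied where a TLS-inspecting proxy logs full URLs. The proxy, the resolver doh.example and the block list entry blocked.example are assumptions made for illustration; without TLS inspection the firewall sees only an HTTPS connection to the resolver.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

BLOCKED = {"blocked.example"}             # constructed name-based block list
INTERNAL_SUFFIX = ".corp.abcwidgets.com"  # private domain from the article's example

def doh_get_url(resolver, name):
    """Client side: DNS query (RFC 1035) wrapped as an RFC 8484 GET URL."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID 0, RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode()  # base64url, no padding
    return f"{resolver}?dns={b64}"

def qname_from_doh_url(url):
    """Inspection side: recover the queried name from a DoH GET URL, else None."""
    params = parse_qs(urlsplit(url).query)
    if "dns" not in params:
        return None
    b64 = params["dns"][0]
    try:
        msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None
    labels, pos = [], 12  # the question section follows the 12-byte header
    while pos < len(msg) and msg[pos] != 0:
        length = msg[pos]
        if length > 63 or pos + 1 + length > len(msg):
            return None  # compression pointer or truncated message
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower() if labels and pos < len(msg) else None

def classify(name):
    if name is None:
        return "not-doh"
    if name in BLOCKED:
        return "blocked-name-via-doh"
    if name.endswith(INTERNAL_SUFFIX):
        return "internal-name-sent-externally"
    return "ok"

def review(urls):
    """Classify URLs as logged by a TLS-inspecting proxy (assumed to exist)."""
    return [(n, classify(n)) for n in map(qname_from_doh_url, urls)]

# Constructed sample; doh.example is a placeholder external resolver.
SAMPLE = [doh_get_url("https://doh.example/dns-query", n) for n in
          ("blocked.example", "files.corp.abcwidgets.com", "myspecificbank.com")]
SAMPLE.append("https://myspecificbank.com/login?next=home")  # ordinary HTTPS request

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

DoH clients may also send the query as a POST body, which URL logs alone do not capture, so this check covers only the GET form.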

Summary

The DoH standard is still quite young and in a draft stage. But that apparently is not slowing down Google and Mozilla, who seem eager to ensure our privacy in this way. Due to the fast-track path of these power players, home and business users may be caught unaware and unprepared. It may be necessary to delay the adoption of DoH for some users and businesses, by disabling it in the browser, to ensure network controls continue to work until firewalls can be modified/upgraded. Interestingly, DoH does not have any impact on domain name DNS hosting. If you own a domain name, there is nothing that needs to be done when DoH is flipped on.

At this time, Google and Mozilla look like they have the upper hand, and DoH will move forward. Given that DoH pokes the (non-) Net Neutrality bears and the laws ensuring governments’ ability to surveil, it’s possible that a clash of the Titans could ensue in the courts.