# newbie question: expensive switches with IPs?

## phillosophy

Hi,

I'm putting together a small network for my home office and my question is, what are the advantages of buying a Cisco gigabit intelligent switch over a regular switch for a network of 2 servers and 7 desktops running a mix of Gentoo and Microsoft desktops?

Also, what does the switch need an IP address for?

Thanks in advance

----------

## bluedevils

Someone with more experience can correct me, but a switch like that is able to split up the ports to be on different networks. If you are planning to have more than one network, then this would help. If you are only having one network where all servers and workstations talk to each other, then a simpler switch will do. The IP is for the administration of the switch.

----------

## kashani

bluedevils has the right of it. Generally you can refer to them as managed and unmanaged switches. Managed switches can give you SNMP stats, use VLANs, allow you to set port speeds, and a number of other things depending on how much you paid for it. Having this is nice if you're running a web service because you can VLAN the databases away from the public servers, set the port speed to full duplex/100 so that your lame-ass load balancer doesn't negotiate half/10, have central authentication for all your switches, do port trunking, etc.

Unmanaged switches just shove data around, which for your environment is probably all you need. And they are way cheaper most of the time, though you can get some slightly nicer ones that let you get SNMP stats. Those seem to be coming down in price as well.

kashani

----------

## 1clue

I have a question that sort of fits into this, but I'll put in my two cents to describe the differences being discussed here.

A hub takes every packet that comes in on any port and sends it to every other port. It's the hardware equivalent of broadcasting.

A layer 1 switch only broadcasts if it doesn't know where the destination is.  It accepts the packet, and forwards it to the destination specified.  This is the sort of switch you get at Best Buy or CompUSA.

A layer 2 switch can be separated into different VLANs, where each port can be assigned to one or more networks.  One means of doing this is 802.1q trunking, if you need to have one ethernet port belong to more than one VLAN.  Each VLAN belongs to a different network, so if you have host 1 on VLAN 23, and host 2 on VLAN 19 the switch will send the packet to the router which will then send it back on the proper VLAN just as though there were two physical networks with two physical switches separated by a physical router.

A layer 3 switch can also be a router.  The above scenario can all be squished into one piece of hardware.

Layer 2 and layer 3 switches are called managed switches. They are, in effect, a computer with a bunch of network interfaces. They generally have an operating system which is tailored to network management. A layer 1 switch has nothing to configure, so even if it's a computer in there, there is no way to manage it.

Now for my questions:

I was just looking at documentation for using 802.1q trunking on Linux. I saw for the first time that there are security issues with that. I use a couple of layer 3 switches with each port hooked up to a specific VLAN, or being a dedicated 802.1q trunk. This is all behind a real firewall, but the semipublic network is still just a VLAN.

I was going to ask where some good documentation was for setting up 802.1q on a Linux box, but now I guess I have to ask if I should even try it. Do I need to get my DMZ off onto a separate physical network? How many of you have done this using a Linux router/firewall, in a real office environment? My Linux router days were office based, but it was a single network and a simple firewall, using a piece of junk 200 MHz Pentium some years back.

----------

## guero61

Unless you know something I don't the only issue with using VLANs (tagged VLANs, precisely) is that there's no "security" - i.e., anyone on the same segment can read your packets if they configure the proper VLAN themselves.  If you only allow trusted hosts to be plugged into tagged (trunk) ports and force everyone else to flat VLANs (strip tags), you should be fine.

Example: At my house, I have (according to your description) a layer-1 switch. If I were to use 802.1q between my Linux boxes (assuming the switch isn't so dumb it strips the tags off or disregards the packets as invalid and drops them), I'd better not complain to anyone that someone else on my switch could eavesdrop the packets - they'd tell me to sod off and get a real switch. However, my *real* setup is that (again, from your description) I have a layer-1 switch and a layer-3 switch. My Linux and BSD boxes are on trunking ports with a default VLAN on the layer-3 switch, and everyone else is on the layer-1 switch, whose uplink to the layer-3 is forced (intentional tag stripping) to VLAN 0.

All that to say, VLANs are not insecure unless improperly implemented.

----------
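guero61's policy above (honour tags only from trusted hosts on trunk ports, force everyone else into a flat VLAN by stripping or dropping their tags), as an added example that is not code from anyone in the thread: it builds and parses 802.1Q-tagged Ethernet frames and simulates the ingress and egress policy a managed switch applies per port mode. Port names, VLAN IDs, MAC addresses and the `drop`/`strip` policy names are assumptions made for illustration.

```python
"""802.1Q tags and per-port VLAN policy, simulated in pure Python.

Added example for this thread, not code from any poster. Port names,
VLAN IDs and MAC addresses are made up for illustration.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload=b"", vid=None, pcp=0):
    """Ethernet II frame, with an 802.1Q tag inserted when vid is given.

    Tag = TPID (0x8100) + TCI, TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    """
    if vid is not None and not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094")
    frame = mac(dst) + mac(src)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, (pcp & 0x7) << 13 | vid)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return dst, src, vid (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame):
    """Remove the 4-byte 802.1Q tag if present (what an access port does on egress)."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def add_tag(frame, vid):
    """Insert an 802.1Q tag carrying vid into an untagged frame (PCP 0)."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


class Port:
    """One switch port.

    mode 'access': untrusted host. Frames land in the port's VLAN (pvid); a tag
                   the host sends is dropped ('drop') or overwritten ('strip'),
                   never honoured.
    mode 'trunk':  trusted host or uplink. Tags are honoured when the VID is in
                   the allowed set; untagged frames fall into the native VLAN.
    """

    def __init__(self, name, mode, pvid, allowed=(), tagged_on_access="drop"):
        self.name, self.mode, self.pvid = name, mode, pvid
        self.allowed = set(allowed)
        self.tagged_on_access = tagged_on_access


def ingress_vlan(port, frame):
    """VLAN the frame is placed in on arrival at port, or None if dropped."""
    vid = parse_frame(frame)["vid"]
    if port.mode == "access":
        if vid is None or vid == 0 or vid == port.pvid:  # VID 0 = priority tag only
            return port.pvid
        return port.pvid if port.tagged_on_access == "strip" else None
    if vid is None or vid == 0:                          # trunk, untagged
        return port.pvid if port.pvid in port.allowed else None
    return vid if vid in port.allowed else None


def egress_frame(port, vlan, frame):
    """Frame as it leaves port for the given VLAN, or None if it may not."""
    untagged = strip_tag(frame)
    if port.mode == "access":
        return untagged if vlan == port.pvid else None
    if vlan not in port.allowed:
        return None
    return untagged if vlan == port.pvid else add_tag(untagged, vlan)


def demo():
    """The setup from the thread: trusted boxes on trunks, everyone else on
    tag-stripping or tag-dropping ports. Returns the VLAN each frame lands in."""
    linux = Port("gi0/1", "trunk", pvid=1, allowed={1, 10, 23})
    desk_strip = Port("fa0/7", "access", pvid=10, tagged_on_access="strip")
    desk_drop = Port("fa0/8", "access", pvid=10)          # default: drop tags
    payload = b"constructed payload"
    tagged23 = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", payload, vid=23)
    plain = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", payload)
    return {
        "trunk_tag23": ingress_vlan(linux, tagged23),              # 23, honoured
        "trunk_untagged": ingress_vlan(linux, plain),              # 1, native VLAN
        "access_strip_tag23": ingress_vlan(desk_strip, tagged23),  # 10, never 23
        "access_drop_tag23": ingress_vlan(desk_drop, tagged23),    # None, dropped
        "access_untagged": ingress_vlan(desk_drop, plain),         # 10
    }
```

Whichever of `drop` or `strip` the switch applies, the frame an untrusted desktop tags for VLAN 23 never reaches VLAN 23; only a trunk port with 23 on its allowed list lets the tag through, which is why the trunk ports are the ones to keep for trusted hosts.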

## 1clue

There would be that, but also I understand that there are other things.  For example, some Cisco gear will put packets on the wrong VLAN under heavy loads.  I guess that if you're not using trunking this would only cause a network error, so come to think of it I'm not sure how it would be exploited from the outside.

Hmm.  I think that since I force a VLAN on every workstation and server, the packet sniffing issue isn't going to be a problem.  If they gain access to something that's the same as if it were a non-VLAN network, except in the case of gaining access to a switch.  That would be the same as if they got onto any layer 3 switch, VLANs or straight networking.  I'll still have to look into it more just to be sure, but you've salved my conscience a bit.

I don't think a layer 1 switch will forward 802.1q packets. I think a hub might, since that might just be a pure ethernet implementation, which could be hardware, but a switch actually uses packet inspection and knows TCP if I understand things correctly. I suspect your 802.1q connections will have to be crossover cables between two hosts, and your router will need to be a switch for the trunked machines. It would probably be easier to implement separate physical networks with layer 1 switches.

Thanks for the pointer.

----------

## kashani

Your layer 1, layer 2, and layer 3 nomenclature is giving me a headache. Layers have nothing to do with capability and everything to do with the OSI model. 

Layer 1 is the physical layer, i.e. the actual wires and circuits; no TCP packets or ether frames are getting passed here, only electric signals which the other layers ride on top of.

Layer 2 is where ether frames are sent on top of the electric signals from layer 1. Hubs and switches operate at layer 2. Hubs can only talk in one direction, half duplex, at a time, which is why when things get busy you start getting collisions. Switches can talk full duplex and also don't need to broadcast to each port since they can track MAC addresses. Because ether frames are passed to the destination MAC address you cannot packet sniff on switches without doing some magic.

Layer 3 is routing and generally TCP packets which ride the ether frames on top of the electric signals. Are we clear on the whole OSI model now? :Smile: Things that do layer 3 are called routers. Devices with a routing engine sitting in the middle of a big switch fabric are called layer 3 switches even though they are routers. Welcome to marketing.

Managed switches are not layer 2 or layer 3 anything, but switches you can log into and configure. Otherwise they just sit there tossing packets about being unmanaged.

As to the whole DMZ thing: if your DMZ doesn't have any trunking ports then you have no security issues. If it does, then you need to change your configuration. And no one can read the packets in the first place unless they want to do some MAC spoofing, which should cause any managed switch to bitch loudly into your syslog server.

The Cisco wrong-VLAN-under-load bug was circa '98 unless there has been a new one I'm unaware of. Here's a white paper on VLAN security.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

kashani

----------
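kashani's two points above (a switch forwards by destination MAC, so a third port only sees traffic that had to be flooded, and a spoofed MAC shows up as a MAC move a managed switch can log), as an added example that is not code from anyone in the thread: a minimal MAC-learning switch with unknown-unicast flooding and MAC-move logging. Port names, MAC addresses and the syslog-style message format are assumptions made for illustration.

```python
"""A MAC-learning switch in pure Python: why sniffing on a switch needs
"magic", and what a MAC move looks like in the log.

Added example for this thread, not code from any poster. Port names, MAC
addresses and the log line format are made up for illustration.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Forwarding table keyed by source MAC, as a layer 2 switch keeps it."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}       # mac -> port it was last seen on
        self.log = []       # constructed syslog-style lines

    def forward(self, in_port, src, dst):
        """Learn src on in_port and return the ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        prev = self.cam.get(src)
        if prev is not None and prev != in_port:
            # A MAC that lived on one port now shows up on another: a cable
            # move, or someone spoofing it. This is the event to alert on.
            self.log.append(f"%MACFLAP: host {src} moved from {prev} to {in_port}")
        self.cam[src] = in_port
        if dst == BROADCAST or dst not in self.cam:
            # Unknown destination: flood like a hub. This is the only time a
            # third port sees unicast traffic that was not addressed to it.
            return [p for p in self.ports if p != in_port]
        out = self.cam[dst]
        return [] if out == in_port else [out]


def demo():
    """Hosts A on p1 and B on p2, attacker X on p3. Returns the output ports
    of each constructed frame and the switch log."""
    sw = LearningSwitch(["p1", "p2", "p3"])
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    out = {}
    out["A->B first"] = sw.forward("p1", a, b)     # B unknown: flooded to p2, p3
    out["B->A reply"] = sw.forward("p2", b, a)     # A known: only p1
    out["A->B again"] = sw.forward("p1", a, b)     # B known: only p2, X sees nothing
    out["X spoofs B"] = sw.forward("p3", b, a)     # X sends with B's MAC: move logged
    out["A->B hijacked"] = sw.forward("p1", a, b)  # CAM now points B at p3
    return out, sw.log
```

The third frame is the point about sniffing: once both MACs are learned, the attacker's port carries nothing of the A/B conversation. The fourth frame is the "magic" kashani refers to, and the one log line it produces is what a managed switch gives you that an unmanaged one does not.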

## guero61

True, I was just trying to keep with his nomenclature to maintain context. I don't know of any switches that don't... switch. Layer 2 switches (what you deem layer 1) or hubs are what everyone is going to see - MAC to MAC communication; the difference will be whether all packets are 'broadcast' or not. What was called layers 2 & 3 are characteristics of managed layer two switches. True layer 3 fabrics exist, but most people probably have never seen one; your context translates to a router, albeit with N switching ports.

I second the bit on VLAN + overload - I work in an environment where nearly every class of Cisco switch has been pushed to its backplane limits, and we've seen no such issues.

----------

## jmbsvicetto

Hi.

guero61, true layer 3 switches are very common. In the old days, what some like to call the Cisco days, layer 3 devices were exclusively routers - mostly Cisco. In the last 6 or more years, I bet that most layer 3 devices are indeed layer 3 switches - a very common example is the 3COM 4900. By the way, switch fabrics are more rare and more expensive as they're supposed to have fault-tolerance. Some alternatives are based on VRRP and other technologies - take a look at 3COM's XRN architecture.

kashani, there's also the newer layer 4 switches, which are layer 2 switches that take a peek at the TCP segment - frequently to read the origin and destination ports and set a priority in the packet. Oh, and you're right that managed switches are not layer 2 or layer 3 devices, but I know of no unmanaged switch that does layer 3. :Wink:

phillosophy, for that type of network buying a Cisco is overkill and a waste of money. If you want to buy a good switch, look at other brands. Since you seem to be new at this, I would advise you to take a look at 3COM switches. If you just have those 2 servers and 7 desktops, depending on the type of work you do at the office, you might get by with a cheap Gigabit switch with 16 ports costing $150 to $300. If you go for a full-featured switch with 24 ports, be ready to spend between $1000 and $3000.

----------

## guero61

*jmbsvicetto wrote:*

> Hi.
>
> guero61, true layer 3 switches are very common. In the old days, what some like to call the Cisco days

Ugh.  I still largely live in those days.

----------

## 1clue

I guess I have to admit to forwarding an assumption.

I have layer 2 managed switches and layer 3 managed switches.  I assumed that layer 1 switches exist and that they were the stuff you get at best buy -- layer 2 unmanaged switches.  We have stacks of those too, but we're trying to get out of that.

My apologies.

----------

## kashani

*jmbsvicetto wrote:*

> Hi.
>
> guero61, true layer 3 switches are very common. In the old days, what some like to call the Cisco days, layer 3 devices were exclusively routers - mostly Cisco. In the last 6 or more years, I bet that most layer 3 devices are indeed layer 3 switches - a very common example is the 3COM 4900. By the way, switch fabrics are more rare and more expensive as they're supposed to have fault-tolerance. Some alternatives are based on VRRP and other technologies - take a look at 3COM's XRN architecture.
>
> kashani, there's also the newer layer 4 switches, which are layer 2 switches that take a peek at the TCP segment - frequently to read the origin and destination ports and set a priority in the packet. Oh, and you're right that managed switches are not layer 2 or layer 3 devices, but I know of no unmanaged switch that does layer 3.
> ...

This is all a bit tomayto / tomahto at this point. 

I call anything with a routing engine in it a router... if it happens to come attached to a switch fabric as well, it's a modern router. Things operating at layer 4-7 are load balancers though the marketing term "Application Switch" seems to be gaining ground. BTW they've been out since '97 or at least that's the first time I used one so I don't see them as being new. You can have a load balancing engine in your switch with a routing engine, but it's expensive AND tends to suck more than things that are just load balancers.

Does 3Com actually have password recovery that works on their switches these days? I was less than impressed with them around five years ago and that was one of my bigger issues.

kashani

----------

## jmbsvicetto

*kashani wrote:*

> Things operating at layer 4-7 are load balancers though the marketing term "Application Switch" seems to be gaining ground. BTW they've been out since '97 or at least that's the first time I used one so I don't see them as being new.

I wasn't talking about the load balancers/application switches. I was talking about the layer 2 switches that do layer 4 "snooping" - like the 3COM SW4400.

*kashani wrote:*

> Does 3Com actually have password recovery that works on their switches these days? I was less than impressed with them around five years ago and that was one of my bigger issues.

What do you mean by that? Please elaborate a bit on that.

----------

## tgh

Sorry to dig up an old post... but there are also 16/24 port "smart" switches which now fill the void between unmanaged layer-2 switches ($10-$20/port) and fully managed switches ($40-$100/port).  Look at the SMC line-up and you'll find "smart" 16-port switches in the $240 range ($15/port).

These units have a web interface, modest features, and seem to support VLANs (tagged/untagged), port trunking, port mirroring, etc. Nice to have those features without spending much more than an unmanaged gigabit switch.

So nice that prices keep dropping on the gigabit gear...

----------

