[svlug] Switches (was: Re: on proprietary hardware and licenses...)
Sargun Dhillon
xbmodder at gmail.com
Mon May 19 08:59:32 PDT 2008
There are actually quite a few layer 3 switches. When we (network
admins) set up networks we try to push all the hard work onto routers
and then all the soft work onto layer 3 switches. What kind of
networks do you do work on? Also the nice thing about L3 switches is
that they are cheap, and have many ports. This allows you to use them
for all sorts of cleverness like L2 failover amongst other things.
Especially with the push of cheap L3 switches to the mass market now
it is easier to find these sorts of high-end setups in smaller
companies. I mean, the Linksys SRW2024 is basically a repackaged
Cat2650G with a crappier OS. Also, it has some stuff taken off the
board, etc, but when it comes down to it, it's the same basic thing.
If you really want a "free" switch, you can have one (L2/L3) but
expect to pay a lot of money. You can get a Xilinx Virtex-5, and then
a few free ethernet IP cores + PHYs and then you have your switch (Ok,
that's WAY over simplifying things).
This is actually a really good time to have this conversation, because
a group recently released IOS "rootkit" exploits. This has triggered
discussion in the NANOG mailing list about free, and open source
network hardware (not beer, but speech). For example, if I have an IOS
support contract, I cannot hack it and then disclose without facing
major legal issues. Foundry and Juniper have better policies, but they
are too freaking $. As Foundry is in the Southern Bay Area I'm sure
there are more than a few foundry engineers reading this piece of
mail. It would be interesting to put Linux on your control plane, and
open it up. We don't care about the silicon on your forwarding plane.
It's awesome, we love it, but it's the control plane we want to
/control/. Also, it would be interesting to bring in some foundry
hardware and play with it a little. I'm sure the foundry guys would
love to show off their hardware in exchange for letting us hack it a
little bit.
On Sun, May 18, 2008 at 3:44 PM, Mark Weisler
<mark at weisler-saratoga-ca.us> wrote:
> On Sunday 18 May 2008 13:42:15 Luke S Crawford wrote:
>> Mark Weisler <mark at weisler-saratoga-ca.us> writes:
>>
>> ...snip "Cisco software is really expensive, even if the h/w is reasonably
>> priced used" discussion.
>>
>> > To me, this is an interesting analysis of proprietary commercial hardware
>> > and software in a world changing rapidly with offerings such as m0n0wall,
>> > netfilter/iptables, and many more that operate on generic hardware
>>
>> I've seen lots of progress in the router field.
>>
>> Switches, however, are another matter.
>>
>> Sure, you never put the snmp address outside the firewall, but
>> Running old software is still kinda dangerous. I'd like to
>> replace my catalyst 2924 with something a little more modern, preferably
>> something that keeps ahead of the security updates.
>>
>> Open-source managed-switch firmware would be pretty awesome, but I don't
>> know that such a thing exists. I'd be ok with closed-source stuff, if
>> keeping the switch up to date didn't cost more than a new (used) one.
>>
>> Are there better ideas besides just going unmanaged, or just using old
>> firmware revisions and disabling/firewalling vulnerabilities as they
>> become known? I know most of the consumer-grade switch manufacturers
>> offer managed models that can be had new at more reasonable prices-
>> are they any good?
> In my somewhat limited experience, yes, consumer-grade switches are quite good
> now.
>
> But let me explain my perspective.
>
> I like to keep switching limited to switching and then require the
> router/firewall to do the harder work and to be able to keep up with
> changing times and conditions.
>
> Thus, a quality but not necessarily expensive switch is becoming commoditized.
> There are very low cost models for homes and then there are smaller
> enterprise switches with, say, 16 to 24 ports available for businesses. These
> are from Netgear, Linksys, D-Link and others and have sturdier power supplies
> and components. They seem very good at switching. Power over Ethernet (POE)
> is a nice option when you need it for VoIP phones or video cameras, for
> example.
>
> But then routing. That's where I like m0n0wall and other open source offerings.
> You can get in there and adjust and add as needed and maybe influence the
> developing community to put in features--like traffic shaping that has become
> so important for VoIP in the last couple of years. And generic (but good
> quality) hardware works really well: it's reliable and cost-effective.
>
> So, the fact that switches aren't very "open" doesn't bother me much.
>
> In my view of the world (at this time, and I keep learning) what will and
> should take work to "keep up to date" is the router while switching
> functionality changes little over time. I realize that someone can build a
> switch with routing functionality built into it. I personally would avoid
> such a switch and look for that functionality in the router.
> Mark