[svlug] Switches (was: Re: on proprietary hardware and licenses...)
Luke S Crawford
lsc at prgmr.com
Mon May 19 18:06:47 PDT 2008
"Sargun Dhillon" <xbmodder at gmail.com> writes:
> There are actually quite a few layer 3 switches. When we (network
> admins) set up networks we try to push all the hard work onto routers
> and then all the soft work onto layer 3 switches. What kind of
> networks do you do work on?
Me, I run a small hosting company. Essentials for me:
1. span port functionality (so I can plug all my traffic into an IDS.
It's incredibly convenient to see things happen before you get abuse
reports. This functionality is useful for all kinds of network monitoring.)
2. port-level ACLs. If a customer can spoof his source address, my IDS
is not useful against malicious customers, or customers who become owned
by sufficiently competent black-hats. Note, I don't care about MAC
address->VLAN coherency. I just want to say 'only send packets that are
broadcast, originate from or are destined to IP x.x.x.x down this hole'.
3. port-level snmp reporting
(Of course, if I have #1 and #2, I can do IP-level bandwidth monitoring at
the span port.)
4. partitioning VLANs (that is, I don't need any tagged ports or VLAN
tunneling/sharing of any kind; I just want to be able to partition the switch
into multiple smaller switches for customers who buy more than one port
and want backplanes)
5. the ability to log in and see interface status (duplex/speed and
interface errors)
> This is actually a really good time to have this conversation, because
> a group recently released IOS "rootkit" exploits. This has triggered
> discussion in the NANOG mailing list about free, and open source
> network hardware (not beer, but speech). For example, if I have an IOS
> support contract, I cannot hack it and then disclose without facing
> major legal issues. Foundry and Juniper have better policies, but they
> are too freaking $. As Foundry is in the Southern Bay Area I'm sure
> there are more than a few foundry engineers reading this piece of
> mail. It would be interesting to put Linux on your control plane, and
> open it up. We don't care about the silicon on your forwarding plane.
> It's awesome, we love it, but it's the control plane we want to
> /control/. Also, it would be interesting to bring in some foundry
> hardware and play with it a little. I'm sure the foundry guys would
> love to show off their hardware in exchange for letting us hack it a
> little bit.
I wonder if we'd have better luck with the hardware that is a few revisions
back? 100Mbps is plenty for 90% of what I want to do right now.
(Storage being the exception, but 1000Mbps isn't quite acceptable for that,
and I suspect that by the time I can afford 10G, the same will be true.)
I suspect many people are in the same boat that I am, where they want
reliable, secure software for 100M hardware with an affordable price tag,
and maybe the switch vendors would find that less threatening.
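As an added example, not code from the original post or from any switch vendor: the per-port filter described in item 2 above ("only send packets that are broadcast, originate from or are destined to IP x.x.x.x down this hole"), written out as a small Python policy check and run over constructed sample packets. The port names, the 192.0.2.0/24 (TEST-NET) addresses, and the two-direction reading of the rule (packets entering from the customer port must carry the assigned source address; packets leaving toward the port must be destined to that address or to a broadcast address) are my assumptions; the post states the rule in one sentence and does not spell out either direction.

```python
"""Per-port anti-spoofing ACL, as an added example (not from the original post).

Assumptions (mine, not the post's): each customer port carries exactly one
assigned IPv4 address, the customer's subnet is known so its directed
broadcast can be recognised, and the rule is applied in both directions:
"in"  = frame arriving from the customer port; source must be the assigned IP.
"out" = frame leaving toward the customer port; destination must be the
        assigned IP or a broadcast address (limited or subnet-directed).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    port: str        # switch port the packet was seen on (hypothetical names)
    direction: str   # "in" (customer -> switch) or "out" (switch -> customer)
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class PortBinding:
    ip: IPv4Address       # the single IP the customer is allowed to use
    subnet: IPv4Network   # used only to recognise the directed broadcast

    def is_broadcast(self, addr: IPv4Address) -> bool:
        return addr == LIMITED_BROADCAST or addr == self.subnet.broadcast_address


def check(binding: PortBinding, pkt: Packet):
    """Apply the port rule to one packet; return (allowed, reason)."""
    if pkt.direction == "in":
        # Anti-spoofing: anything not sourced from the assigned IP is dropped,
        # which is what keeps the IDS on the span port trustworthy.
        if pkt.src != binding.ip:
            return False, f"spoofed source {pkt.src} on {pkt.port} (expected {binding.ip})"
        return True, "ok"
    if pkt.direction == "out":
        if pkt.dst == binding.ip or binding.is_broadcast(pkt.dst):
            return True, "ok"
        # Another customer's traffic must not be delivered down this port.
        return False, f"leak: {pkt.dst} is not assigned to {pkt.port}"
    return False, f"unknown direction {pkt.direction!r}"


def audit(bindings: dict, packets: list):
    """Return [(packet, reason)] for every packet the ACL would drop."""
    violations = []
    for pkt in packets:
        binding = bindings.get(pkt.port)
        if binding is None:
            # A port with no binding gets no IP traffic at all.
            violations.append((pkt, f"no binding for port {pkt.port}"))
            continue
        ok, reason = check(binding, pkt)
        if not ok:
            violations.append((pkt, reason))
    return violations


def pkt(port: str, direction: str, src: str, dst: str) -> Packet:
    return Packet(port, direction, IPv4Address(src), IPv4Address(dst))


# Constructed sample data: hypothetical port names, TEST-NET addresses.
BINDINGS = {
    "port1": PortBinding(IPv4Address("192.0.2.10"), IPv4Network("192.0.2.0/24")),
    "port2": PortBinding(IPv4Address("192.0.2.20"), IPv4Network("192.0.2.0/24")),
}

SAMPLE_PACKETS = [
    pkt("port1", "in",  "192.0.2.10",    "198.51.100.1"),     # legitimate
    pkt("port1", "in",  "203.0.113.7",   "198.51.100.1"),     # spoofed source -> drop
    pkt("port1", "in",  "192.0.2.10",    "255.255.255.255"),  # customer broadcast, ok
    pkt("port1", "out", "198.51.100.1",  "192.0.2.10"),       # reply to customer, ok
    pkt("port1", "out", "198.51.100.1",  "192.0.2.20"),       # port2's traffic -> drop
    pkt("port2", "out", "192.0.2.10",    "192.0.2.255"),      # directed broadcast, ok
    pkt("port9", "in",  "192.0.2.10",    "198.51.100.1"),     # unbound port -> drop
]


def example_violations():
    """Run the audit over the constructed sample; three packets are dropped."""
    return audit(BINDINGS, SAMPLE_PACKETS)


if __name__ == "__main__":
    for p, why in example_violations():
        print(f"DROP {p.port} {p.direction} {p.src} -> {p.dst}: {why}")
```

Two caveats a practitioner would want. First, this is an IP-level rule only, as in the post: it says nothing about ARP, and a host that boots with a 0.0.0.0 source for DHCP would be dropped on ingress, so a real deployment either statically configures customer hosts or adds a narrow exception. Second, how this maps onto a switch is vendor-specific (a per-port IPv4 ACL in one form or another); the Python above is the policy, not any vendor's syntax.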