Switch requirement (CISCO) struggle.

[Dan Dan]

Afternoon guys, I'm here looking for a solution (maybe a little bit of a rant).

I am really struggling to find the switch requirement I need from CISCO, I think it is fairly simple but it seems that I can not find what I need.

I need to purchase 12 switches, they will be LAN based switches eventually connected to a WAN, I need the port presence to be fibre fixed (not SPF based) and an uplink port on the switch, something that looks like this 3750.

The 3750 is no longer supported so they offered me the 3850 RJ45 connection, not what I want, it has to be fibre.
The only fibre option they offer me is SFP based which I also do not want because they are nearly 4x the price and you have to buy an SFP module for each individual port.

Can anybody show me a CISCO switch that they supply with fixed fibre ports, I'm sure it can't be that hard .

Thanks in advance

 

[Screeeech]

I haven’t seen fixed fibre switches like that for years now, they were very rarely used. I had a good look and I couldn’t find anything modern or supported by Cisco, (checked a few other vendors too) seems they were all eol’d years ago.

My theory is that when you design a switch, building the optical equipment into the switch itself is inefficient and expensive for the vendor, the lasers or leds have to be inside the unit, which takes up space - modern switches are all about lowering the cost per port and keeping the feature set high, SFPs allow them to do that far more easily.

Probably time to bite the bullet, move to SFP based switches and change your structured cabling to suit.

If you do your research, you can source third party Cisco compatible optics for a decent saving, just make sure they’re supported.

 

[mrkev]

I'm not sure exactly what you require but all 'fibre based' switches will be using SFPs. Do you really need 12 switches that have all the ports capable of taking fibre (with SFP) or standard RJ45 switch with fibre capable uplinks?

 

[Dan Dan]

In short yes, the system has to be all fibre for its classification to be assured (above secret information).

 

[Screeeech]

An SFP based switch is going to be the only supported option now.

 

[Dan Dan]

Are there any cheaper options, Juniper etc?

 

[Armageus]

In short yes, the system has to be all fibre for its classification to be assured (above secret information).

Not sure how fibre makes it any more secure than copper?

Are there any cheaper options, Juniper etc?

Surely if the requirements are it has to be fibre, and sfp+ is the only supported option, then the price is whatever the price is. Between similar tier vendors there isn't going to be a huge variation in price.

 

[Screeeech]

Are there any cheaper options, Juniper etc?

Depends on your reseller, Juniper do tend to be expensive, they make an EX4200-24F which does 24x1G SFP with 10G uplinks,

HP make decent enterprise stuff these days which I think tends to be cheaper, for example the HP ARUBA 3810M 16SFP+ which does 1/10G.

It's also worth pointing out that a lot of vendors use the same commodity chipsets (Broadcom etc) with switches at this level, so most offerings are going to be very similar - the big decision will be whether you want to stick with the same feature set and operating system, as Juniper is quite different to Cisco, etc.

 

[mrkev]

Also don't forget vendors like Cisco will do chassis based switches which will should work out cheaper to buy (and to run), e.g. C9410R .

 

[LizardKing]

Are there any cheaper options, Juniper etc?

Define cheaper! if everything else is Cisco, get Cisco. Theres no point saving a few hundred per switch then having to spend extra consultancy fees due to it being out of scope. unless you have all the skills necessary in house.

 

[mad_allan]

What are you connecting to the switches? Surely SFP based switches and DAC cables would be the cheapest solution.

 

[ChrisD.]

Not sure how fibre makes it any more secure than copper?

Tempest rules. Most runs have to be fibre, copper is only allowed in short runs and not to other rooms etc.

 

[Caged]

It’s very strange to have a requirement for a security clearance and then also nickel-and-dime the project to the extent that buying SFP modules is an extravagant expense.

You’re probably best off looking at what people like ADVA and Keymile can build.

 

[Energize]

Not sure how fibre makes it any more secure than copper?

Copper cables can easily be spliced to intercept traffic, very difficult to do that with a fibre connection.

 

[Rainmaker]

Copper cables can easily be spliced to intercept traffic, very difficult to do that with a fibre connection.

GCHQ and the NSA manage, as I'm sure do many others... If this is for classified data, surely your policy has recommended/approved vendors? I'm surprised they trust Cisco anyway, given all the NSA backdoors shown to be in them. Better FVEYS than Chinese or Russian, I suppose.

 

[Trifid]

Copper cables can easily be spliced to intercept traffic, very difficult to do that with a fibre connection.

Passive fibre taps exist.

 

[ChrisD.]

It's temptest, not tapping cables. Copper radiates data, fibre does not.

 

[Energize]

Passive fibre taps exist.

Yes they do exist but the cost of attack is greater. Also as ChrisD. mentioned copper cabling gives off electromagnetic radiation.

In the real world this stuff doesn't really matter, but if you want certification for top secret information it's something that has to be abided by.

 

[Zefan]

In all secret systems I've known, fibre and media media convertors suffice. Surely SFPs are fine in this instance?

 

[Caged]

From what I can tell from the thread, the expense of the switch and the SFPs is the problem - which together with the security requirements doesn't make sense.