Rackmount gigabit switch recommendations

Heyup

As always, I want to do this as cheaply as I can but also I want to play around with networks. I have very little experience bar the fact that I have a Sonicwall TZ170 and have played about with that a bit.

I've never had a managed switch or anything like that, but I've decided that I'd like one. I have a server running ESXi, which has a few VMs on it. What I want is to set up a VPN so that the server will have two NICs, and I can either pass the NIC dedicated to my internal network to a particular VM, or I can pass the NIC dedicated to the external network (i.e. available over the VPN).

Is this possible? I want to essentially end up with some VMs I can access from outside (web dev server, Minecraft server etc) and some that I can't, and that are local only (print server, shared storage for media etc).

I need a gigabit, rack mountable switch (or router?) that can achieve this.

Help? I've got almost no knowledge but would love to play and learn.
 
I think you've got some terms mixed up here (and/or are presenting this inaccurately).

Let's start with the switch. I'm going to assume that you want a managed device so you can learn with it (because you certainly don't need a full layer 3 managed switch for what you are suggesting), and the best "vendor" for that is probably Cisco. However, you said "cheap" and that probably means you're not going to get a 'proper' Cisco switch for that.

The idea of a VPN is essentially exactly what it stands for, a Virtual Private Network. I.e. connect to the VPN and it is as if you are on the local LAN (most basic explanation here!). Would you be wanting to give this access to known external people (friends/relatives) or open to the general public? If it is the former then yeah, VPN and external servers either on a different subnet/vlan with appropriate ACLs or on the same subnet with appropriate ACLs. If it is the latter, then VPN is going to be a massive PITA for you to manage and you want to set up a DMZ.

In any case, I wouldn't be "passing the NIC" anywhere. I'd have a vSwitch and corresponding VLAN and subnet that was for externally accessible services and another one for internal. You would then have both NICs teamed together going into your switch (active/passive if there isn't any EtherChannel support on your switch, active/active if there is). VLAN trunking is your friend here, so you can get both VLANs from your ESX environment into your LAN.

If I was doing the shopping for that, I'd get the cheapest Layer 2 managed Gigabit switch that I could find that supported VLANs, 802.1q and EtherChannel (probably going to be a Netgear of some sort I'd have thought) and the best Cisco router you could afford to act as a router-on-a-stick.

With these basic elements you have the foundation of a pretty decent learning environment.
 
I think you've got some terms mixed up here (and/or are presenting this inaccurately).

Highly likely, I'm very nooby when it comes to networks!

Let's start with the switch. I'm going to assume that you want a managed device so you can learn with it (because you certainly don't need a full layer 3 managed switch for what you are suggesting), and the best "vendor" for that is probably Cisco. However, you said "cheap" and that probably means you're not going to get a 'proper' Cisco switch for that.

I think "managed" is what I need, yes. I doubt I can afford a proper Cisco jobby, for a budget I'd say around £50-75 second hand? The number of ports doesn't bother me really, 12 or above is fine.

The idea of a VPN is essentially exactly what it stands for, a Virtual Private Network. I.e. connect to the VPN and it is as if you are on the local LAN (most basic explanation here!). Would you be wanting to give this access to known external people (friends/relatives) or open to the general public? If it is the former then yeah, VPN and external servers either on a different subnet/vlan with appropriate ACLs or on the same subnet with appropriate ACLs. If it is the latter, then VPN is going to be a massive PITA for you to manage and you want to set up a DMZ.

I see, errm I want it all private, not public. My Minecraft server is strictly friends and family, as I don't have the hardware to support more than a few users. I also don't want the hassle of people building stuff then getting arsey if I just decide to change the map, so strictly mates only.

In any case, I wouldn't be "passing the NIC" anywhere. I'd have a vSwitch and corresponding VLAN and subnet that was for externally accessible services and another one for internal. You would then have both NICs teamed together going into your switch (active/passive if there isn't any EtherChannel support on your switch, active/active if there is). VLAN trunking is your friend here, so you can get both VLANs from your ESX environment into your LAN.

I think I understand this. I'd be teaming both NICs together for double speeds, but have two virtual networks, giving certain VMs access to either network as I see fit?

I want my Windows Server 2008 VM to be private, so only stuff in my flat can access my printer and network storage, but I want my two Ubuntu Server VMs to be on the VPN, so my mates can log in and access my Minecraft stuff and my web dev server. (Also meaning I can access stuff I'm developing from outside the flat, at uni for example).

If I was doing the shopping for that, I'd get the cheapest Layer 2 managed Gigabit switch that I could find that supported VLANs, 802.1q and EtherChannel (probably going to be a Netgear of some sort I'd have thought) and the best Cisco router you could afford to act as a router-on-a-stick.

With these basic elements you have the foundation of a pretty decent learning environment.

Something like a NetGear GSM712 or do you reckon a GS116UK would suffice? Not rack mountable though I think. :( (I have a project in mind, ideally want to mount it properly.)

Why would I need a router as well? I have two at the moment (kind of), the O2 free one acting as a modem, then the TZ170 which is kind of a router/firewall I think.
 
The SonicWall might do the trick, I've not looked into those in a while. The reason why you need a router is because if you have an internal subnet/VLAN and a DMZ subnet/VLAN then you're going to need to get traffic between them. You might even choose to go the whole hog and have a "user" VLAN for your house, a server VLAN for your internal stuff and then your DMZ VLAN. You need to be able to get traffic between those three in a secure and controllable manner - which is where the router comes in.

You've got some choices about how you do the VPN (especially around different access for different people), but a lot of that comes down to how clever the SonicWall is at the VPN side of things.

I'm not sure that £75 is anything like a large enough budget to do this, although the GSM712 does look like it would do what you wanted.
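An added example, not written by anyone in this thread: a small model of the inter-VLAN filtering the replies above describe, where a router sits between the VLANs and applies a first-match ACL. It also shows what changes when everything, VPN clients included, shares one flat network. The subnets, host addresses, `FLAT` layout and the SSH/HTTPS ports are assumptions; 25565 is Minecraft's default port.

```python
import ipaddress

# Assumed addressing plan (constructed for this example): one subnet per VLAN,
# plus a separate address pool for VPN clients.
ZONES = {
    "users":   "192.168.10.0/24",   # VLAN 10: PCs in the flat
    "servers": "192.168.20.0/24",   # VLAN 20: Windows print/storage VM
    "dmz":     "192.168.30.0/24",   # VLAN 30: Minecraft and web dev VMs
    "vpn":     "192.168.40.0/24",   # addresses handed to VPN clients
}
# The "basic VPN, no VLANs" alternative: every host lands in one network.
FLAT = {"lan": "192.168.0.0/16"}

# Ordered ACL for new TCP connections, first match wins; port None = any port.
RULES = [
    ("permit", "users", "servers", None),
    ("permit", "users", "dmz", None),
    ("permit", "vpn", "dmz", 25565),   # Minecraft default port
    ("permit", "vpn", "dmz", 443),     # web dev server (assumed HTTPS)
    ("permit", "vpn", "dmz", 22),      # SSH to the Ubuntu VMs (assumed)
]

def zone_of(ip, zones=ZONES):
    """Return the name of the zone whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in zones.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def decide(src_ip, dst_ip, dst_port, zones=ZONES, rules=RULES):
    """Evaluate a new connection; traffic matching no rule is denied."""
    src, dst = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if src is not None and src == dst:
        return "permit"   # same subnet: switched locally, the router never sees it
    for action, r_src, r_dst, r_port in rules:
        if (r_src, r_dst) == (src, dst) and r_port in (None, dst_port):
            return action
    return "deny"         # implicit deny at the end of the list

def audit(zones=ZONES):
    """Check the intent stated in the thread against a given network layout."""
    vpn_client, minecraft, windows = "192.168.40.5", "192.168.30.10", "192.168.20.10"
    return {
        "vpn->minecraft": decide(vpn_client, minecraft, 25565, zones),
        "vpn->windows_smb": decide(vpn_client, windows, 445, zones),
        "dmz->windows_smb": decide(minecraft, windows, 445, zones),
    }

if __name__ == "__main__":
    print("segmented:", audit())
    print("flat:     ", audit(FLAT))
```

In the flat layout every flow is permitted at the network layer, so the Windows VM's own password is the only control left between a VPN user and the file shares.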
 
£75 was just a ballpark of what I'd ideally like to spend on a switch, but looks like I'll have to get a router as well...

I didn't think of the subnet/VLAN (are they the same thing?) issue, traffic is going to have to go between them you're right, so that computers on the "internal" subnet/VLAN can access the stuff on the public one. (Minecraft server).

I've no idea what the Sonicwall can do tbh, I'll have a look later. The Sonicwall does have a major problem though in that it doesn't have any gigabit ports.


The other option I guess is to get a basic unmanaged gigabit switch and stick everything on that, and just not have a VPN. That's no fun though. :P


Starting to think my rather broken knowledge of messing about with old networking kit I've accumulated over the years won't cut it... Are there any books I can learn from?
 
You can get a 2nd hand Cisco 2900 for less than 100 quid, so getting a Cisco switch isn't hard. It's only layer 2, but will do VLANs.
 
Aye but the 2900 doesn't have gigabit does it?

How about if I try to pick up a 3560G-24TS cheap?
 
I do indeed, one of the main functions of the server is going to be as a backup server. Can't backup over 2tb of stuff regularly without gigabit! :P

It's also going to be a media share thingy so streaming 1080p will be a pain without gigabit methinks.
 
I've seen 12-port Gb Cisco 3550 switches go on the bay for £120. I imagine the 3560 will be over £200 though?

Haven't read the thread properly, but it can do vlans and routing too if that's what you need. Worth a look perhaps?
 
:( Yeh that's way over budget.

Looking at Netgear/Dell stuff I think. Cisco gigabit kit seems to command a premium.

We shall see... I do want to have something to play with.
 
Check out the Bay.
I picked up a 24 Gigabit port 3Com managed Layer 3 for about £30 (probably a couple of grand's worth when it was new, it's 2U and massive) and a 16 Gigabit port managed layer 2 for about the same. Had to do a little bit of modding to get the fans down to acceptable bedroom levels.
I'd rather have had Ciscos but the 3Coms have all the features I want.

Since you're on a budget and it's just a home environment I'd probably go virtual with the whole thing - you're already running ESXi so just add another VM running pfSense or Smoothwall, that'll handle all your routing, firewalling and VPN connections using virtual switches.
You wouldn't even need to buy anything, but you could get a cheap second hand managed switch if you wanted some more flexibility with your home wiring and the chance to play with VLANs and Teaming with the rest of your LAN.
 
The SonicWall TZ170 is a firewall which will come with either the standard firmware or the enhanced version of SonicOS. The TZ170 is outdated now, they have released newer versions; it can still be used but is generally not supported by SonicWall anymore. The ports on the back are for your WAN interface, OPT or secondary interface if you like, and 4 x 10/100 LAN ports, essentially acting as a layer 2 LAN switch.

If you really want to look in to managed switches find a cheap layer 3 Cisco switch on eBay, then a couple of Cisco routers later on if you want to learn.

I work with SonicWall and Cisco kit but the 170 you are referring to is generally a firewall.
 
Now considering just setting up a basic VPN instead, you need a password to access anything on my Windows Server 2008 VM anyway so none of my mates will be able to print "poo" over and over again or do hilarious things to my video collection.

If I let them get in via the VPN, then they should just be able to access my Minecraft/web dev VMs I think, without getting access to the Windows Server 2008 one right?

Need to upgrade our internet connection anyway, currently on ADSL but could be on fibre optic for around the same monies.
 
I've seen 12-port Gb Cisco 3550 switches go on the bay for £120. I imagine the 3560 will be over £200 though?

Haven't read the thread properly, but it can do vlans and routing too if that's what you need. Worth a look perhaps?

A 3560G will be well over £200, so will a 3750. Do yourself a favour and buy a decent HP ProCurve (fanless so it's quiet) gigabit switch and then a cheap Cisco 3550 or so (layer 3) so you can learn IOS.

A "decent" Cisco gigabit switch (Linksys is not Cisco) is going to blow your budget away, don't mix production with development environment ;)
 