Recommend 24-48 port Managed Switch with ACLs.

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
Hi Guys,

Looking for recommendations on a gigabit managed switch that supports ACLs which can allow/deny traffic based on port. Also would prefer CLI access and ability to stack. If not stacking, need an easy way to dump the config to a 2nd backup switch.

I might consider less than 24 ports as some of the connections could be dumped to an unmanaged switch on the backend.

I've looked at this TP-Link switch. Seems to have everything I need and the price is great.

http://www.amazon.com/TP-LINK-TL-SG3...4+port+managed

I also found this Force 10 K50 switch which seems to meet my needs.

http://www.ebay.com/itm/FORCE10-S50...74?pt=US_Network_Switches&hash=item461a1cec72

Cisco seems to be too costly for the requirements. I'm also looking at HP switches as well.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Force10 and TP-Link are not the same class of gear. You also need to define "ACLs" because switch ability in that area tends to vary greatly. Most L2 switches (like that TP-Link?) only have basic MAC address ACLs which tend to limit usefulness. The bigger HP ProCurves, Juniper and Cisco gear generally read Layer 3-5 frames and do different things with them.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
> Hi Guys,
>
> Looking for recommendations on a gigabit managed switch that supports ACLs which can allow/deny traffic based on port. Also would prefer CLI access and ability to stack. If not stacking, need an easy way to dump the config to a 2nd backup switch.

What problem are you trying to solve?
 

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
> Force10 and TP-Link are not the same class of gear. You also need to define "ACLs" because switch ability in that area tends to vary greatly. Most L2 switches (like that TP-Link?) only have basic MAC address ACLs which tend to limit usefulness. The bigger HP ProCurves, Juniper and Cisco gear generally read Layer 3-5 frames and do different things with them.

I'm really tempted to pull the trigger on the Force 10 switches in the OP. It has everything I need, has great reviews, and seems to be a true datacenter quality device.
 

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
> What problem are you trying to solve?

I'm launching a webapp and want a single, reliable switch that I can buy two of (in case one does die).

I need to split it into several VLANs, and I want to be able to employ an ACL so that the public facing ports can have some basic iptables-style rules set on them.

I basically want to deny anything except port 80 requests to 2-4 of the ports.

I have an old, but trusty Juniper NS25 I'm using as a gateway to the management interfaces and for development side access.
 

azazel1024

Senior member
Jan 6, 2014
901
2
76
I have the TP-Link SG2216, which should support everything you want. Its bigger brother, the SG2424 would be a 24 port model that can do all that and cheap (I think the 24 port runs around $160 or so).

TP-Link also just came out with a different version of the 16/24 port without the SFP+ ports that I think runs $20 or so cheaper.
 

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
> I have the TP-Link SG2216, which should support everything you want. Its bigger brother, the SG2424 would be a 24 port model that can do all that and cheap (I think the 24 port runs around $160 or so).
>
> TP-Link also just came out with a different version of the 16/24 port without the SFP+ ports that I think runs $20 or so cheaper.

I don't think their ACL supports what I need.

I want to block traffic to particular ports/IP's by port.

For instance, if I have a webserver plugged into port 3, I want to be able to

Deny All
Allow 80

From what I'm reading, the TP-Links don't have the horsepower to do high intensity switching with ACLs and not shit themselves.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
In reality you are trying to do firewall rules in a switch. This might work on a switch or 2 but it doesn't scale well. Also most of the gear I work with can only do inbound filtering (cisco) so outbound is a free for all. Also not all switches can do more than IP range filtering, let alone do ACL's at full port speed. You also need to review RAM / Flash (config) space / processor to make sure that the system is still usable with the ACLs in it.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
FYI - Cisco's "desktop" switches all come w/ lifetime warranty now.

So do the "Small Business" lines. They are actually quite impressive now and make fantastic stackable "edge" switches. They are pretty good "core" switches for smaller deployments.

8 x 48 1gig ports in a stack with multiple 10GB uplinks is hard to scoff at for the price. PoE and non-PoE mix readily also.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
> I need to split it into several VLANs, and I want to be able to employ an ACL so that the public facing ports can have some basic iptables-style rules set on them.

You should use a simple managed or even web-managed switch, and then a firewall device. You can use VLAN trunks on the firewall if you pick one that does that. It will do the ACLs you want, you can be stateless or flow-stateful, and if you buy a not much more expensive device you can do much more sophisticated things.

Even the switches that have really sophisticated L7 ACLs, as far as I've ever seen, are stateless. If you're really trying to firewall between the public Internet and a server you care about, you want a flow-stateful firewall. So no switch I've ever seen will do what you should do. And the ones that can do stateless L7 ACLs are much more expensive, such that the price difference would pay for an outboard firewall that will do the job right.

At the low end, pick a good quality SOHO router to start. Third party firmware such as DD-WRT is also a good thing; it'll give you a lot more power to play with. Or look for a cheap PC firewall kind of solution such as pfSense or any of the Linux-based PC firewall distros.

At the high end, look for a Netscreen or Palo Alto firewall. Watch out for recurring maintenance costs on real enterprise networking gear.

How much public Internet bandwidth do you have to your server?
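An added illustration, not from anyone in this thread: a small Python model of the two filter kinds being contrasted here, a stateless per-packet port ACL of the "deny all, allow 80" shape the OP wants versus a flow-stateful filter that only admits packets belonging to a connection it saw opened. The server address and the sample packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the TCP segment that opens a connection


# Constructed documentation address standing in for the OP's web server.
SERVER = "203.0.113.10"


def stateless_acl(pkt: Packet) -> bool:
    """Switch-style inbound port ACL: permit tcp any host SERVER eq 80, deny all else.
    Each packet is judged on its own; nothing is remembered between packets."""
    return pkt.dst == SERVER and pkt.dport == 80


class StatefulFirewall:
    """Flow-stateful filter: a SYN to SERVER:80 creates a flow entry, and any
    later packet is accepted only if it belongs to a flow that was admitted."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow in self.flows:
            return True
        if pkt.syn and pkt.dst == SERVER and pkt.dport == 80:
            self.flows.add(flow)
            return True
        return False


def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Run one packet sequence through both filters; returns (acl, stateful) per packet."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.allow(p)) for p in packets]


# Constructed sample traffic arriving on the server's public port.
SAMPLE = [
    Packet("198.51.100.7", 40001, SERVER, 80, syn=True),   # client opens a connection
    Packet("198.51.100.7", 40001, SERVER, 80, syn=False),  # data on that same connection
    Packet("198.51.100.9", 40002, SERVER, 80, syn=False),  # mid-stream segment with no prior SYN
    Packet("198.51.100.7", 40003, SERVER, 22, syn=True),   # SSH attempt on the public port
]

if __name__ == "__main__":
    for pkt, (acl, fw) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> :{pkt.dport} syn={pkt.syn} acl={acl} stateful={fw}")
```

The third packet is the difference in one line: the port ACL passes any segment addressed to port 80, while the stateful filter drops what does not belong to a connection it admitted.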
 

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
OP has a Juniper NS25, which may support trunking already, but he'll need to confirm.
 

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
> You should use a simple managed or even web-managed switch, and then a firewall device. You can use VLAN trunks on the firewall if you pick one that does that. It will do the ACLs you want, you can be stateless or flow-stateful, and if you buy a not much more expensive device you can do much more sophisticated things.
>
> Even the switches that have really sophisticated L7 ACLs, as far as I've ever seen, are stateless. If you're really trying to firewall between the public Internet and a server you care about, you want a flow-stateful firewall. So no switch I've ever seen will do what you should do. And the ones that can do stateless L7 ACLs are much more expensive, such that the price difference would pay for an outboard firewall that will do the job right.
>
> At the low end, pick a good quality SOHO router to start. Third party firmware such as DD-WRT is also a good thing; it'll give you a lot more power to play with. Or look for a cheap PC firewall kind of solution such as pfSense or any of the Linux-based PC firewall distros.
>
> At the high end, look for a Netscreen or Palo Alto firewall. Watch out for recurring maintenance costs on real enterprise networking gear.
>
> How much public Internet bandwidth do you have to your server?

I have a gig uplink in a top tier datacenter.

The reason I'm thinking of doing a straight switch for the public firewall for the app is that it's a really simple setup. Deny All, allow 80

I'll need to buy a pretty pricey firewall to get the raw pps performance that I'd get with a managed switch. Plus I'd be buying a ton of features I don't need. We have many customers doing this in our datacenter because they need the raw PPS performance and can't justify spending $5,000k on a firewall.

Any other access to more secure resources will be sent through a firewall (NS25) w/vpn. So all of the other firewall features I need are already covered by the NS25.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
I don't think I could justify 5 million on a firewall either. You are going to need a pretty hefty switch to do ACLs at port speeds also. There is a reason the firewall is 5k. 1 gig port speed switch ACLs may take a 5k + switch also.
 

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
> I don't think I could justify 5 million on a firewall either. You are going to need a pretty hefty switch to do ACLs at port speeds also. There is a reason the firewall is 5k. 1 gig port speed switch ACLs may take a 5k + switch also.

haha whoa typo.

What I'm seeing is I can get 2 48 port managed switches, using one as backup, and I can do all my VLANs, etc. for about $800-$1,000. Then I'd have an ultra reliable backplane that should have more than enough switching capacity to get us to the point I can justify buying a $5,000+ firewall that can keep up.

I don't really want the switch to be able to handle 1000Gbps traffic. In fact, I'll most likely throttle the port down to 100Mbps in production until I can justify it. (for instance, if I start maxing out the port, I'm going to investigate why it's maxing out before I increase it to GigE).

Keep in mind, for customers that have simple webapp configs, they've had big success using an ACL on a switch to block everything and allow 80. Much more PPS for the $$$.
 

Pandasaurus

Member
Aug 19, 2012
196
2
76
Unless I am mistaken, a sub-$150 Cisco 2970 off eBay will do everything you are looking for...

Just throwing it out there. lol
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
TechBoyJK,

>I have a gig uplink in a top tier datacenter.

How much bandwidth do you want to actually support under normal circumstances, and under attack? (hint: might not be a full gigabit, you even said yourself you'll probably clock down to 100Mb/s)

>The reason I'm thinking of doing a straight switch for the public firewall for the app is that it's a really simple setup. Deny All, allow 80

Right, but my point was that you might quickly find that this is not sophisticated enough.

>I'll need to buy a pretty pricey firewall to get the raw pps performance that I'd get with a managed switch.

Correct.

>Plus I'd be buying a ton of features I don't need.

Until you do...

>We have many customers doing this in our datacenter because they need the raw PPS performance and can't justify spending $5,000k on a firewall.

It's a common configuration. It's better than nothing, but you need to understand how limited the solution is.

Back to your original question, if you really want to go the switch route, look at a 2960S. A 24-port gig with the enhanced software is about $1000.

But if you only NEED about 100Mb/s of real throughput, consider a PA-200 or a similar NetScreen or Fortinet. PA-200 is about $2000.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
An SRX-100B will do about 100mbps and is only about $500 brand new.

Or an ASA5520 off of Ebay will do 200-300mbps and is only about $1200.