An Affordable Managed Switch to Learn Networking
A while back I made a video about how to plan a HomeLab, and if I can summarise the advice I gave in one sentence it would be: "Build something that is representative of an enterprise IT environment so you can learn how it works; but don't spend enterprise money to do it."
Now this advice works great for servers because servers are just computers. You can install a server operating system on an old laptop and it'll work just fine, but the same thing can't be said for networking. You can't just take a random consumer-grade switch like this and make it run spanning tree. They're well known for making network equipment like SFP modules that are compatible with the big enterprise vendors like Cisco and Juniper, but much cheaper; but they also sell switches. So I set them a challenge... "Show me something with enterprise-grade features that is actually affordable for a regular person." "Oh, and we don't all have a dedicated server room for our HomeLab, so it also needs to be silent!"
Those are managed, unmanaged, and smart managed. Unmanaged are just dumb switches. You plug in some cables, and network happens. They're the type you'll find on most home networks because they're really cheap and there's zero configuration required. You just plug them in and you're done! Managed switches are way more intelligent. When you think about an enterprise switch you're thinking managed. They have a whole host of security, performance, and monitoring capabilities to craft and protect your network.
They are computers in their own right and can provide basic network infrastructure services such as DHCP and time synchronisation that you might traditionally run from a server, and they can act as enforcement agents for security policies. As for smart managed? That might sound like it's the next tier up but they actually sit in-between managed and unmanaged switches in terms of both price and features. Sometimes they're just called smart switches. They provide very limited configuration options compared to a managed switch but they cover a lot of the basics you'll need in a small business network, like VLANs. They're a compromise, but can be a useful one. A managed switch tends to have a complicated command line operating system to learn.
A smart switch by comparison can fit its more limited features within a basic web interface so they're easier to pick up and use with relatively little experience. You're probably wondering which type of switch you should choose for your HomeLab... Well, don't get an unmanaged switch. As a bare minimum you want VLANs. With an unmanaged switch every cable you plug into your switch gets put into one big network. VLANs let you chop up your switch into lots of different networks. You can create four VLANs and it's like having four separate switches.
There are loads of reasons you might want to create multiple networks. You might want separation between your home network and your lab. You might have IoT devices that you want to separate from your more sensitive devices. You might want to learn about firewalls and routing, or install something like pfSense. You might be publishing services to the internet and want to put them in a DMZ. That's like five different networks already! It's easy to create virtual networks inside your hypervisor and drop virtual machines into them, but as soon as you want to extend that to the physical world you need a switch.
If you have five networks you need five switches. You also need five network interfaces on your host server, and things start to get out of hand. With VLANs you can divide one switch into five. You can configure a single port to act as a trunk between your switch and your host, and your host will then send all the traffic down that same cable but tag each packet with the VLAN it belongs to. When it arrives at the switch it will read the tag and put it into the correct network. Trust me: you want VLANs. That narrows us down to managed or smart managed switches.
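To make the trunk-and-tag idea concrete, here is an added example (not code from the original video or from FS.com) that builds an 802.1Q-tagged Ethernet frame the way a host's trunk interface would, decodes the 4-byte tag the way a switch does, and then applies a simplified access/trunk port model to decide which VLAN the frame lands in. The MAC addresses, payload and port settings are constructed; the port model (untagged frames on a trunk go to the native VLAN, tagged frames on an access port are dropped) is a deliberate simplification, since real switches differ in edge-case handling.

```python
"""Build, decode and classify 802.1Q VLAN-tagged Ethernet frames (added example)."""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID: "a VLAN tag follows"
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_untagged_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4):
    """Plain frame: dst MAC, src MAC, EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def build_tagged_frame(dst, src, vlan_id, payload, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Insert a 4-byte 802.1Q tag (TPID + TCI) between the source MAC and the EtherType.

    TCI layout: 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    return mac_bytes(dst) + mac_bytes(src) + tag + payload


def parse_frame(frame: bytes) -> dict:
    """Decode a frame; 'vlan' is None when no 802.1Q tag is present."""
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": inner_type, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": None,
            "ethertype": ethertype, "payload": frame[14:]}


def classify_on_port(frame: bytes, port: dict):
    """Simplified switch ingress: return the VLAN a frame is placed in, or None if dropped.

    port = {"mode": "access", "vlan": 3}
         or {"mode": "trunk", "native": 1, "allowed": {2, 3}}  (allowed=None means all)
    """
    info = parse_frame(frame)
    if port["mode"] == "access":
        # Access ports expect untagged traffic; a tagged frame is discarded here.
        return port["vlan"] if info["vlan"] is None else None
    if info["vlan"] is None:
        return port.get("native", 1)          # untagged on a trunk -> native VLAN
    allowed = port.get("allowed")
    if allowed is None or info["vlan"] in allowed:
        return info["vlan"]
    return None                                # VLAN pruned from this trunk


if __name__ == "__main__":
    # Constructed sample: host sends VLAN 3 traffic down the trunk to the switch.
    f = build_tagged_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 3, b"hello")
    print(parse_frame(f))
    print(classify_on_port(f, {"mode": "trunk", "native": 1, "allowed": {2, 3}}))
```

The `allowed` set is where a trunk gets pruned to only the VLANs it should carry; leaving it as "all VLANs" is the common default and one reason to check trunk ports when auditing a switch.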
What I did was I bought a smart managed switch. My logic was that if I could create VLANs and trunk them to my host then I could play with all the virtual machines I wanted and connect them up to the real world. What else do you need? I... regret that decision. All of what I said held true; but a lab is for learning and there have been a number of times I just found myself stuck because I wanted to play with a technology that needed more from my network than the smart managed switch could provide. Like authentication. It's pretty standard that you'll need a password to join a wireless network, but get a cable plugged in and you have access to everything. Not great in publicly accessible buildings or areas. It doesn't have to be that way. With a managed switch you can have the switch block access until the client has authenticated.
You can even require them to meet policy checks like making sure their antivirus is up to date. Do I need this at home? No; but I want to learn how it works. Or even things you might take for granted, like monitoring. The smart managed switch I had was a fairly inexpensive one (it wasn't FS.com just for the record). It looked the part but man it was buggy! I went through several firmwares where it would just randomly lose parts of its config (and no I didn't forget to save it). It would have been nice to at least get alerted that something was up. It would have been handy to integrate that into my regular backup routine.
But smart managed means you've just got a web interface; so no access to the filesystem, no access to the command line, no automated backups. If you just want it to do one thing and it happens to support that one thing, great. But if you want to experiment and learn it becomes limiting, quickly. So my advice is that at a bare minimum you need a smart switch, but if you're interested in learning about the network side of things then you really want to try for a fully managed switch so you're not limiting your ability to tinker and learn.
Which brings us to this! This is what FS.com sent over. It's an S3910-24TF. Catchy name, right? It has 24 standard RJ45 ports and four SFP ports, all one gigabit. It's got the 802.1X authentication I was looking for. SNMP, RMON, and syslog for monitoring. You can use it as your DHCP server, your time server, or force people to authenticate in a web browser before they're allowed access to the internet or sensitive network segments. It has port mirroring. It does inter-VLAN routing. It's stackable. It has high availability features like the virtual router redundancy protocol.
Look, I'm not going to spend the rest of the video just listing features because that will get tedious very quickly. Have a look on the website, check the manual... by the way that manual is detailed! There are literally thousands of pages of documentation. If you look up RADIUS in the configuration guide it doesn't just tell you how to configure it on the switch. It tells you how the RADIUS protocol works.
This is a useful reference even if you don't use an FS switch. The best part is it does all of this whilst remaining completely silent. I used to have a second hand Cisco switch at home and it was noisy. That's why I stipulated to FS that this needed to be quiet; because if you're using it in a HomeLab your family might not appreciate the constant hum of fans. The S3910 model they sent is fanless, which ticks the wife approval box; and also... hey, if it doesn't require active cooling that's generally a sign it's not consuming tons of power, and with energy prices these days I don't need a switch burning through my bank account! I'm not going to do a bunch of performance testing on the switch.
I'll put a link to the Ixia report in the video description if you want to see the latency and throughput numbers because there's not a lot I can add to it. Instead, let's take a look at the management side of things, and how you could start learning with it. There are two ways of managing the switch - the web interface, and the command line. The web interface is accessible using HTTP or HTTPS. The command line is accessible using SSH, Telnet, or a console cable. The web interface is an easier learning curve but it only gives you access to a subset of the features. It's kind of like using the switch as a souped up smart managed switch where you click on icons in the browser, but you don't get access to everything. You do get more than a smart switch would give you but for ultimate control you'll need the command line. The way I would approach this is to start with the web interface.
What you can do is click your way through the options in the web interface to configure something, then inspect the configuration you generated to see what it actually looks like. That's a good way to learn about the capabilities of the switch, as well as start learning about the command line; because a lot of the config that gets generated is basically what you would have typed into the command line. The best way to show you this is to show you, so let's set up some VLANs. I've reset the configuration for this demo so don't get too excited when you see passwords and suchlike in the config, OK?
I knew this was going on YouTube when I recorded it. When you log in you'll see this status dashboard. To get to the VLANs we're going to go to favourites then VLAN. We've got a default VLAN with ID 1. Let's edit that and call it our "internal" network. Now let's make a new VLAN with ID 2 and name it "internet". We'll select ports 2 and 3 and click Save. That's it. Now let's take a look at the configuration that generated. There are a couple of places we can see it. The first is in the web interface. We can go to System, Settings, Reset... yeah, be careful in here, OK? If we click the Display Current Configuration button it gets listed in here. Not the easiest way to read it but you can select all and copy it to a text editor. The other way we can see this is in the command line, so let's take a look at that. I'm going to do a bit of movie magic here because you know how I said I wiped the config and took this off my network? I recorded logging into it first so I could show you this. So this bit is from an alternate timeline. I just thought it was cool.
Here I am logging into the switch, and what's this? A mobile app prompt? Remember my video about secure remote access for openHAB? I had the servers still lying around from that one so I hooked the switch up using RADIUS for authentication. In the corporate world you'd do this to provide centralised access control and auditing for your network infrastructure. In my case I just thought it would be fun to show multi-factor authentication on a command line. Let me know if that's something you actually use. If someone gets onto your switch and changes VLANs about they could drop themselves into a different network so it could definitely be used for lateral movement.
Then again if they can actually get onto the management interface you're probably in trouble anyway. Let me know though - I'm curious if you do it. Let's jump timestreams again and back to our sanitised switch we just added our VLAN to. We can show the configuration directly in our command line by typing "show running-config". You can see our internet VLAN right there. Let's open another connection and create another VLAN. This time we'll do it in the command line but we're going to use the configuration we generated in the web interface to guide us. Type "configure" to enter global configuration mode and then we're going to copy the config from the left side of the screen.
Literally just type the same thing and change the number: "vlan 3". You'll notice our command prompt has changed to show we're now working on a VLAN. If you look back at the config you'll notice the name of the VLAN is indented. That's showing the same thing. The name is indented to show it's configuration within the VLAN. Our command prompt has changed to show we're configuring within the VLAN. So copy the next line "name" and then we'll call this VLAN "DMZ". Now if you want to jump back up a level to get to our global configuration mode we can type "exit". That's our VLAN created. Now we need to assign it to a port. Same again: copy the config we already made using the web interface. Let's assign it to port 4, so "interface GigabitEthernet 0/4".
The command prompt has changed again - we're now configuring the interface. Look at the indented line in the configuration: "switchport access vlan" and then "3" to assign VLAN 3. "Exit" to go back to global configuration. "Exit" again to get out of configuration mode and back to exec mode. Now if we do "show running-config" we'll see our new VLAN configuration, just like the ones we configured in the web interface. In fact if you refresh your web interface now we'll see our new VLAN showing up. Now I could have read the documentation and that's obviously a very good thing to do, but I think this is a great way to teach yourself how to use the command line.
If you've not worked with switches before, one thing you might not be aware of is that if I reboot the switch right now all of that config will be lost. By default any changes we make are applied to the running configuration in memory, but they're not saved. To save it we have to enter the command "write". This is a handy "Get out of Fail Free" card because if you're making a change, just don't write the config until you're sure it's working correctly. Test it first. That way if something goes wrong and you're not quite sure what the problem is you can just reboot the switch to undo all of your changes. Point of note, though: any changes you make in the web interface are saved automatically. You can't just reboot to undo those, so have a backup and try not to lock yourself out. One thing you may have noticed here if you're familiar with Cisco's kit is that the commands probably looked very similar. Yeah, I could make a joke about it but honestly it just makes sense.
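Two things above are worth automating once you have command-line access: reading the indented "show running-config" output back into a VLAN-to-port map (the learning trick described above, and the basis for the config backups and alerting the smart switch couldn't give me), and spotting what would be lost on reboot because it was never written. The following is an added example, not code from the video or from FS.com. The two config texts are constructed to mirror the VLANs created above (1 internal, 2 internet, 3 DMZ); the assumptions are that the switch emits the Cisco-style indented section layout shown on the page, that a port with no "switchport access vlan" line sits in the default VLAN 1, and that the saved configuration can be captured as text (on IOS-style gear that is "show startup-config", which is not shown on the page).

```python
"""Parse a Cisco-style running-config and report unsaved changes (added example)."""
import re

# Constructed: what "show running-config" looks like after the VLAN demo above.
RUNNING_CONFIG = """\
hostname lab-switch
!
vlan 1
 name internal
!
vlan 2
 name internet
!
vlan 3
 name DMZ
!
interface GigabitEthernet 0/1
 switchport mode trunk
!
interface GigabitEthernet 0/2
 switchport access vlan 2
!
interface GigabitEthernet 0/3
 switchport access vlan 2
!
interface GigabitEthernet 0/4
 switchport access vlan 3
!
interface GigabitEthernet 0/5
!
"""

# Constructed: the saved config, captured before VLAN 3 and port 4 were configured
# and before anyone typed "write".
STARTUP_CONFIG = RUNNING_CONFIG.replace("vlan 3\n name DMZ\n!\n", "") \
                               .replace(" switchport access vlan 3\n", "")


def parse_sections(text: str) -> dict:
    """Split config into {top-level line: [indented child lines]}; '!' ends a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(stripped)
        else:
            current = stripped
            sections.setdefault(current, [])
    return sections


def vlan_membership(sections: dict) -> dict:
    """Map VLAN id -> {name, access_ports, trunk_ports} from vlan/interface sections."""
    def blank():
        return {"name": None, "access_ports": [], "trunk_ports": []}

    vlans, trunks = {}, []
    for header, body in sections.items():
        m = re.fullmatch(r"vlan (\d+)", header)
        if m:
            name = next((b.split(" ", 1)[1] for b in body if b.startswith("name ")), None)
            vlans.setdefault(int(m.group(1)), blank())["name"] = name
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        port, mode, access_vlan = header[len("interface "):], "access", 1  # assumption: default VLAN 1
        for line in body:
            if line == "switchport mode trunk":
                mode = "trunk"
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                access_vlan = int(m.group(1))
        if mode == "trunk":
            trunks.append(port)
        else:
            vlans.setdefault(access_vlan, blank())["access_ports"].append(port)
    for v in vlans.values():
        v["trunk_ports"] = list(trunks)  # assumption: trunks carry every VLAN (no allowed-list)
    return vlans


def ports_in_default_vlan(vlans: dict) -> list:
    """Ports never assigned a VLAN: still lumped into VLAN 1 like an unmanaged switch."""
    return list(vlans.get(1, {}).get("access_ports", []))


def config_drift(saved: str, running: str) -> dict:
    """Lines in running but not saved are lost on reboot; the reverse reappear on reboot."""
    def flatten(sections):
        out = set()
        for header, body in sections.items():
            out.add(header)
            out.update(f"{header} / {line}" for line in body)
        return out
    saved_lines, running_lines = flatten(parse_sections(saved)), flatten(parse_sections(running))
    return {"unsaved": sorted(running_lines - saved_lines),
            "missing_from_running": sorted(saved_lines - running_lines)}


if __name__ == "__main__":
    vlans = vlan_membership(parse_sections(RUNNING_CONFIG))
    for vid, v in sorted(vlans.items()):
        print(vid, v)
    print("still in VLAN 1:", ports_in_default_vlan(vlans))
    print("would be lost on reboot:", config_drift(STARTUP_CONFIG, RUNNING_CONFIG)["unsaved"])
```

Feeding it the output of a scheduled "show running-config" (saved to your backup routine) alongside the last saved copy gives you the alert the smart switch never could: an unexpected non-empty "unsaved" or "missing_from_running" list means the config in memory and the config on disk have diverged.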
Cisco is the big dog and there's a pretty sizable industry built around their training and certifications. Why would you try to compete with that when you can just use it? If you're looking to gain formal certifications in networking there's a good chance it'll be a Cisco certification; so the ability to take what you've learned and just use it straight on an FS switch? That's a lot easier to sell than trying to get you to learn a whole new ecosystem. If you know how to use Cisco IOS you should be in familiar territory here. Speaking of Cisco, let's talk numbers. The FS model I have here retails for £320 GBP or $369 USD (although the world being what it is right now those numbers will move around a bit). If you consider that something like a Cisco Catalyst with these features is going to be into four figures, that's pretty reasonable for the features you're getting; and definitely more palatable for those without enterprise budgets such as HomeLabbers.
This is their latest edition, though; if you drop back to the older 3900 series instead of the 3910 you can actually get 10 Gbps SFP+ ports and a lot of the same features for £285 GBP, $329 USD. They've built the 3910 to a higher specification so it does have a bit more of a premium for the additional reliability: quadruple the meantime between failures, and a five-year warranty instead of four. All useful for a critical service where you can't afford downtime, but you could skip that at home.
Or there's a 3700 that's cheaper still at £181 GBP, $209 USD. Or you can sacrifice some connectivity and get an 8 port plus 2 SFP model for £60 GBP, $39 USD. These are all still managed switches, by the way. You still have scripting, syslog, SNMP, VLANs and the like; but the little eight port fella isn't gonna have all the features of this bigger one. If I needed 10 Gbps, personally; I'd probably drop back to the 3900 and grab a couple of SFP+ modules to whack in it. As it turns out, my network traffic tops out at around 650 Mbps so it fits well within the gigabit port speed on this switch. I've been running my network off it for about a month and collecting these stats using SNMP. If you're interested in how I'm collecting and processing this monitoring data then let me know in the comments.
I'm using a tool called Checkmk and it's probably worth its own video, so shout if you want to see a review of it. While you're down there keep an eye out for the like button (it likes to be pressed) and check the video description for links to this switch and FS.com's online store. Thanks again to FS for sending this over. Thanks to you for watching. Thanks in advance for checking out one of these videos as well. This is my original HomeLab video, and this? Well... it's a surprise.