I must confess to harboring a bit of a superior attitude toward my colleagues who think they need pricey Cisco and other snooty brand-name networking gear for every little thing. Linux and inexpensive x86 hardware handle all but the most demanding networking tasks capably and inexpensively. I like having complete control and customizability, and not having to pay per-user taxes.
But as powerful as Linux networking is, even Linux has its limitations, and one of them is you still need a commercial Ethernet switch. Sure, you could cobble together some hardware, throw Linux on it, and handcraft a perfectly good Ethernet switch. But it's hardly worth the effort, though it might be fun as a learning exercise, because you have a lot of small, inexpensive Ethernet switches to choose from. Unmanaged, or dumb switches are all but given away in boxes of cereal. A little five-port 10/100/1000 dumb switch goes for under $50. 24-port models are under $200.
But my upper-crust colleagues are right about one thing: inexpensive dumb switches really are dumb and limited. They're fine for sharing an Internet connection on a simple LAN where you don't need MAC filtering, access controls, traffic shaping, and so forth. You can do all these things with Linux, but a lot of these chores are easier on a managed, or smart switch. In addition, a smart switch includes features you can't replicate with Linux, such as VLANs (Virtual LANs) and per-port controls. And now that high-end features have fallen into low-priced switches, we sensible geeks can be both frugal and elite.
There are a lot of contenders for your smart switch money, though none of them make any special exertions to attract Linux customers. However, some brands are more Linux-friendly than others. Netgear, SMC, 3Com, Hewlett-Packard, and Trendnet all make good affordable managed switches. You still have to deal with a bit of Windows dopiness, such as management software that is Windows-only, or installation software for Windows users who don't know how to type a URL into a Web browser. Fortunately, you don't need these to get full functionality from other platforms as long as the switch has a Web-based administration panel and is SNMP-enabled.
For this article I'll feature the Netgear ProSafe GS108T. This is a nice little 8-port gigabit router with a great feature set and good, reliable performance. Let's hit the high points:
- 10/100/1000 Mbps auto-sensing Gigabit Ethernet
- Spanning tree protocol
- Jumbo frame support
- SNMP v1, v2c
- Port Mirroring
- RADIUS pass-through
- Port-based QoS
- Firmware updates via Web control panel
- Web-based administration
- Per-port MAC filtering
- Port Trunking
All of that in a $100 device is a great bargain. The only thing that's missing for my complete happiness is a serial port for proper serial console administration. Those come on more expensive switches; the GS108T is administered solely via Web browser. Most of the lower-cost smart switches offer Web administration, and while the interfaces vary a bit, they work pretty much the same way.
The GS108T comes with a default IP address of 192.168.0.239. All smart switches should have a default address, which you'll find in their manuals. Because the GS108T does not have a serial port, the quick way to get up and running is to connect it directly to a PC with an Ethernet cable. A special network administrator's laptop is perfect for this. First temporarily change your PC's address so that it's on the same network as the switch:
# ip addr add 192.168.0.100/24 dev eth0
Using the ip command allows you to add this address on top of your existing address, so you can still be connected to your network.
Now point a Web browser to http://192.168.0.239, and log in with the defaults. (The Netgear's default password is password.) Obviously your first job is to set a new password, preferably one that the entire world does not know. Beware of browser follies—Firefox and Opera should work for everything; Konqueror and Safari don't always render scripts correctly, or else Firefox and Opera are more tolerate of funky scripting.
Next, give it a static IP address, plus a subnet mask and default gateway. The Netgear can also be assigned a hostname, which it calls "System name". If you enter the switch's hostname into your local DNS you'll be able to network with it just like any other network host. For example, you can use nmap to find your smart switches along with your other up hosts:
$ nmap -sP 192.168.1.0/24
Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-03 17:13 PST
Host xena.alrac.net (192.168.1.10) appears to be up.
Host uberpc.alrac.net (192.168.1.12) appears to be up.
Host netgear-gs108t.alrac.net (192.168.1.189) appears to be up.
Nmap finished: 256 IP addresses (3 hosts up) scanned in 2.232 seconds
If you assign static addresses from your DHCP server, most switches have their MAC addresses printed on stickers, so you can have it all set up before you connect the switch to your network. When you're finished setting up your switch, remove the extra address on your PC this way:
# ip addr del 192.168.0.100/24 dev eth0
At this point you are the proud owner of a higher-priced dumb switch, and can go ahead and put it to work.
Naturally we're not doing this just to have a lot of bells and whistles we're not going to use. So the next steps are to set the correct time and a session timeout. Unfortunately, the Netgear does not accept a domain name like pool.ntp.org, but requires an IP address for a time server. Fortunately, it's easy to set up your own local time server, which is the preferred time server etiquette anyway.
You may want to restrict who can access the switch by filtering IP addresses. On the Netgear, use the "IP Access List" to set your list of allowed addresses.
Easy Rate Limiting
A common chore is bandwidth throttling, or rate-limiting. On a smart switch you can limit either ingress or egress bandwidth, or both, per port by clicking a few checkboxes. This is an easy way to put the brakes on bandwidth hogs.
Snooping Your Whole LAN
The downside to switched LANs is they make sniffing traffic a little harder. But not to worry, for your smart switch lets you sniff as many packets as you want. The Netgear has a simple configuration that allows you to choose your sniffer port, which ports to sniff, and if you want ingress, egress, or both. Set this up, plug into your chosen sniffer port, and away you go.
Next week we'll get into the really fun stuff: virtual LANs, link aggregation, and QoS the easy way.