Why do you need a switch in a local network? Selecting a Suitable LAN Device


How to choose a switch given the existing variety? The functionality of modern models is very different. You can purchase either a simple unmanaged switch or a multifunctional managed switch, which is not much different from a full-fledged router. An example of the latter is Mikrotik CRS125-24G-1S-2HND-IN from the new Cloud Router Switch line. Accordingly, the price of such models will be much higher.

Therefore, when choosing a switch, first of all, you need to decide which of the functions and parameters of modern switches you need, and which ones you shouldn’t overpay for. But first, a little theory.

Types of switches

Previously, managed switches differed from unmanaged ones by, among other things, a wider range of functions; now the difference may come down only to whether the device can be managed remotely. As for the rest, manufacturers add extra functionality even to the simplest models, often increasing their cost.

Therefore, at the moment, the classification of switches by level is more informative.

Switch levels

In order to choose a switch that best suits our needs, we need to know its level. The level is determined by the layer of the OSI network model at which the device operates.

  • Level 1. Devices operating at the physical layer have almost disappeared from the market. If anyone still remembers hubs, they are exactly such physical-layer devices: information is passed on as a continuous stream.
  • Level 2. Almost all unmanaged switches fall into this category, the so-called data link layer. Devices divide incoming information into separate packets (frames), check them and send them to a specific recipient device. The basis for distributing information in a Level 2 switch is the MAC address: from these the switch builds an address table, remembering which MAC address corresponds to which port. Level 2 switches do not understand IP addresses.
  • Level 3. By choosing such a switch, you get a device that already works with IP addresses. It also supports many other capabilities for working with data: converting logical addresses into physical ones, the network protocols IPv4, IPv6, IPX, etc., PPTP, PPPoE, VPN connections and others. Almost all routers and the most “advanced” switches work at the third, network layer.
  • Level 4. The OSI layer used here is called the transport layer. Not even all routers support it. Traffic is distributed intelligently: the device can work with applications and, based on packet headers, direct them to the desired address. In addition, transport layer protocols such as TCP guarantee reliable packet delivery, maintain the order of transmission and can optimize traffic.

Select a switch - read the characteristics

How to choose a switch based on parameters and functions? Let's look at what is meant by some of the designations commonly used in specifications. Basic parameters include:

Number of ports. Their number varies from 5 to 48. When choosing a switch, it is better to provide a reserve for further network expansion.

Basic data rate. Most often we see the designation 10/100/1000 Mbit/s: the speeds that each port of the device supports. That is, the selected switch can operate at 10, 100 or 1000 Mbit/s. There are quite a few models equipped with both gigabit and 10/100 Mbit/s ports. Most modern switches follow the IEEE 802.3 Nway (auto-negotiation) standard, detecting port speed automatically.

Bandwidth and internal bandwidth. The first value, also called the switching capacity (switching matrix), is the maximum amount of traffic that can pass through the switch per unit of time. It is calculated very simply: number of ports x port speed x 2 (duplex). For example, an 8-port gigabit switch has a throughput of 16 Gbit/s.
Internal throughput is usually stated by the manufacturer and is only needed for comparison with the previous value. If the declared internal bandwidth is less than the maximum, the device will not cope with heavy loads, and will slow down and freeze.

Auto MDI/MDI-X detection. The port automatically detects which of the two twisted-pair wiring standards the cable is crimped to and supports both, so you do not have to choose between straight and crossover cables manually.

Expansion slots. Possibility of connecting additional interfaces, for example, optical.

MAC address table size. To select a switch, it is important to calculate in advance the size of the table you need, preferably taking into account future network expansion. If there are not enough entries in the table, the switch will write new ones over the old ones, and this will slow down data transfer.

Form factor. The switches are available in two types of housing: desktop/wall-mounted and rack-mounted. In the latter case, the standard device size is 19 inches. Special ears for rack mounting can be removable.

We select a switch with the functions we need to work with traffic

Flow control (IEEE 802.3x). Coordinates sending and receiving between the sending device and the switch under high load to avoid packet loss. Supported by almost every switch.

Jumbo Frames: enlarged frames. Used at speeds of 1 Gbit/s and above; speeds up data transfer by reducing the number of frames and the time spent processing them. Found in almost every switch.

Full-duplex and half-duplex modes. Half-duplex transmits in only one direction at a time; full-duplex transfers data in both directions simultaneously. Almost all modern switches auto-negotiate between the two to avoid problems on the network.

Traffic prioritization (IEEE 802.1p). The device can identify more important packets (for example, VoIP) and send them first. When choosing a switch for a network where a significant share of the traffic will be audio or video, pay attention to this function.

VLAN support (IEEE 802.1Q). A VLAN is a convenient means of separating individual segments: the internal network of an enterprise from the public network for clients, different departments, and so on.

Port mirroring (traffic duplication) can be used to ensure security within the network and to monitor or check the performance of network equipment: for example, all incoming traffic is copied to one port for inspection or recording by specialized software.

Port Forwarding. You may need this function to deploy a server with Internet access, or for online games.

Loop protection: STP and LBD functions. Particularly important when choosing unmanaged switches, since in them it is almost impossible to detect a loop that has formed (a looped section of the network, the cause of many glitches and freezes). LoopBack Detection automatically blocks the port on which a loop has occurred. The STP protocol (IEEE 802.1D) and its more advanced descendants, IEEE 802.1w (RSTP) and IEEE 802.1s (MSTP), act a little differently, reducing the network to a tree structure. The topology is deliberately built with redundant links that would otherwise form loops; the switch keeps them blocked by default and activates them only when one of the main lines fails.

Link aggregation (IEEE 802.3ad). Increases link throughput by combining several physical ports into one logical one. The maximum throughput according to the standard is 8 Gbit/s.

Stacking. Each manufacturer has its own stacking design, but in general this feature refers to the virtual combination of multiple switches into one logical unit. The purpose of stacking is to obtain a larger number of ports than is possible with a physical switch.

Switch functions for monitoring and troubleshooting

Many switches detect a faulty cable connection, usually when the device is switched on, as well as the type of fault: a broken wire, a short circuit, etc. D-Link, for example, places dedicated indicators for this on the case.

Protection against virus traffic (Safeguard Engine). This technology increases operating stability and protects the central processor from being overloaded by the “garbage” traffic of virus programs.

Power Features

Energy saving. How to choose a switch that will save you energy? Look for energy-saving functions. Some manufacturers, such as D-Link, produce switches with power consumption regulation. For example, a smart switch monitors the devices connected to it, and if any of them is not active at the moment, the corresponding port is put into “sleep mode”.

Power over Ethernet (PoE, IEEE 802.3af). A switch using this technology can power devices connected to it over the twisted-pair cable.

Built-in lightning protection. A very necessary function, but we must remember that such switches must be grounded, otherwise the protection will not work.


Building a local network seems very complex to non-specialist users because of the extensive terminology. Hubs and switches are imagined as complex equipment reminiscent of telephone exchanges, and creating a home network becomes a reason to call in specialists. In fact, the switch is not as scary as its name: both devices are elementary network nodes with minimal functionality, require no special knowledge to install and operate, and are accessible to everyone.

Definition

Hub (hub) is a network concentrator designed to connect computers into a single local network by joining Ethernet cables.

Switch (switch) is a network switch designed to connect several computers into a local network via an Ethernet interface.

Comparison

As we can see from the definitions, the difference between a hub and a switch comes down to the type of device: a concentrator versus a switch. Despite sharing one task, organizing a local network over Ethernet, the devices approach it in different ways. A hub is a simple splitter that provides a direct connection between network clients. A switch is a “smarter” device that distributes data packets between clients according to the request.

The hub, on receiving a signal from one node, transmits it to all connected devices, and reception depends entirely on the recipient: the computer itself must recognize whether the packet is intended for it. Naturally, the reply follows the same pattern. The signal is pushed into every segment of the network until it finds the one that will accept it. This reduces network throughput (and, accordingly, the speed of data exchange). The switch, on receiving a data packet from a computer, sends it exactly to the address specified by the sender, relieving the network of load. A network organized through a switch is considered more secure: traffic is exchanged directly between two clients, and others cannot process a signal that is not intended for them. Unlike a hub, a switch provides high throughput for the network it creates.

Logitec LAN-SW/PS Hub

The switch requires correct configuration of the network card of the client computer: the IP address and subnet mask must match each other (the subnet mask marks one part of the IP address as the network address and the other part as the client address). The hub does not require any settings, because it works at the physical layer of the OSI network model, simply broadcasting a signal. The switch operates at the data link layer, exchanging data packets. Another feature of the hub is that it equalizes nodes in terms of data transfer speed, settling on the lowest rate.


Switch COMPEX PS2208B

Conclusions

  1. A hub is a network concentrator; a switch is a network switch.
  2. The hub is the simplest device; the switch is more “intelligent”.
  3. The hub transmits the signal to all network clients; the switch only to the recipient.
  4. The performance of a network organized through a switch is higher.
  5. The switch provides a higher level of data transmission security.
  6. The hub operates at the physical layer of the OSI network model; the switch at the data link layer.
  7. The switch requires proper configuration of the network cards of network clients.

The logical topology of an Ethernet network is a multi-access bus in which all devices share access to the same communication medium. This logical topology determines how nodes on a network view and process frames sent and received on that network. However, virtually all Ethernet networks today use a star or extended star physical topology. This means that in most Ethernet networks, end devices are typically connected to a Layer 2 LAN switch in a point-to-point manner.

A Layer 2 LAN switch performs switching and filtering based only on the OSI link layer MAC address. The switch is completely transparent to network protocols and user applications. The Layer 2 switch creates a table of MAC addresses, which it then uses to make packet forwarding decisions. Layer 2 switches rely on routers to transfer data between independent IP subnets.

Switches use MAC addresses to move frames across the network through their switch fabric to the port facing the destination host. The switch fabric provides the internal data paths and the control logic that steers data through the switch. For a switch to know which port to use to transmit a unicast frame, it first needs to know which hosts are on each of its ports.

The switch determines how to process incoming frames using its own MAC address table. It creates its own MAC address table by adding the MAC addresses of hosts that are connected to each of its ports. After entering the MAC address for a particular host connected to a specific port, the switch will be able to send traffic intended for that host through the port that is associated with the host for subsequent transmissions.

If the switch receives a frame whose destination MAC address is not in the table, it forwards the frame out of all ports except the one on which it was received. When the destination host replies, the switch enters that host's MAC address into the table, taking it from the source address field of the reply. In networks with several interconnected switches, a MAC address table contains multiple entries for the port that connects to another switch, reflecting the hosts beyond it. Typically, a switch port used to link two switches has many MAC addresses recorded against it in the table.

Switches have traditionally used one of the following forwarding methods to switch data between network ports:

    Store-and-forward (buffered) switching

    Cut-through (unbuffered) switching

In store-and-forward (buffered) switching, when the switch receives a frame it stores the data in a buffer until the entire frame has arrived. While the frame is stored, the switch analyzes it to find its destination and also checks for errors using the cyclic redundancy check (CRC) in the frame's trailer.

When using cut-through (unbuffered) switching, the switch processes data as it arrives, even before the frame has been fully received. It buffers only enough of the frame to read the destination MAC address, which occupies the first six bytes after the preamble, so it can determine which port to forward the data to. The switch looks up the destination MAC address in its switching table, determines the outgoing interface port and sends the frame toward its destination node through that port. It does not check the frame for errors. Because it neither waits for the whole frame to be buffered nor performs error checking, cut-through switching is faster than store-and-forward. However, since errors are not checked, corrupt frames are forwarded across the network, where they consume throughput until the destination NIC finally discards them.
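The two forwarding methods above differ only in how much of the frame the switch reads before deciding. The following added example (not code from the original article) parses a constructed Ethernet II frame, with an optional 802.1Q tag carrying the VLAN ID and 802.1p priority, and contrasts the cut-through decision, which reads just the destination MAC, with store-and-forward, which verifies the CRC-32 FCS and drops a damaged frame. The frame layout and sample addresses are assumptions; the FCS algorithm is the standard Ethernet one.

```python
import struct
import zlib

# Constructed frame layout as it sits in a switch buffer (preamble/SFD already stripped by the PHY):
#   dst MAC (6) | src MAC (6) | [802.1Q: 0x8100 (2) | TCI (2)] | EtherType (2) | payload | FCS (4)
ETHERTYPE_VLAN = 0x8100


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def fcs(frame_without_fcs: bytes) -> bytes:
    # Ethernet FCS is CRC-32 (same polynomial and conventions as zlib), sent least-significant byte first
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan=None, pcp=0) -> bytes:
    """Assemble a frame, optionally tagged with VLAN ID `vlan` and 802.1p priority `pcp` (0-7)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    hdr += struct.pack("!H", ethertype)
    body = hdr + payload
    body += b"\x00" * max(0, 60 - len(body))   # pad to the 64-byte minimum (60 bytes before the FCS)
    return body + fcs(body)


def cut_through_decision(frame: bytes) -> str:
    """Cut-through: only the first 6 bytes (destination MAC) are needed to pick the egress port;
    the rest of the frame, including the FCS, is never examined."""
    return mac_str(frame[0:6])


def store_and_forward_parse(frame: bytes):
    """Store-and-forward: the whole frame is buffered, the FCS verified, then the headers parsed.
    Returns a dict of header fields, or None when the frame is a runt or fails the CRC."""
    if len(frame) < 64:
        return None
    if fcs(frame[:-4]) != frame[-4:]:
        return None   # damaged frame is dropped here instead of being forwarded
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "vlan": None, "pcp": None}
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        info["pcp"] = tci >> 13          # 802.1p priority, used for traffic prioritization
        info["vlan"] = tci & 0x0FFF      # 802.1Q VLAN ID
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - off - 2 - 4
    return info


# Constructed sample: an IPv4 frame on VLAN 10 with priority 5, and a copy with one payload bit flipped
GOOD = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", 0x0800, b"hello", vlan=10, pcp=5)
_damaged = bytearray(GOOD)
_damaged[20] ^= 0x01          # simulate a bit error on the wire inside the payload
CORRUPT = bytes(_damaged)

if __name__ == "__main__":
    print("store-and-forward, good frame:   ", store_and_forward_parse(GOOD))
    print("store-and-forward, damaged frame:", store_and_forward_parse(CORRUPT))   # None: dropped
    print("cut-through, damaged frame:      ", cut_through_decision(CORRUPT))      # still forwarded
```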

Modular switches offer greater configuration flexibility. They typically come with varying chassis sizes to allow for multiple modular line cards to be installed. The ports are actually located on line cards. The line card is inserted into the switch chassis, similar to expansion cards installed in a PC. The larger the chassis, the more modules it supports. As shown in the picture, there are many different chassis sizes to choose from. If you purchased a modular switch with a 24-port line card, you can easily install another of the same card, increasing the total number of ports to 48.

To create a local or home network, you need special devices. From this article you will learn a little about them. I will try to explain as simply as possible so that everyone can understand.

Purpose .

Hub, switch and router are designed to create a network between computers. Of course, after creation, this network will also function.

Difference .

What is a hub

A hub is a repeater: whatever arrives at it is repeated to everything connected to it.
For example, suppose you connected 5 computers through a hub. To transfer data from the fifth computer to the first, the data passes by every computer on the network. It's like a shared telephone line: any computer can see your data, and you can see theirs. Because of this the load on the network grows as well. Accordingly, the more computers are connected, the slower the connection and the greater the load. This is why fewer and fewer hubs are produced and used nowadays; soon they will disappear completely.

What is a switch?


The switch replaces the hub and corrects the shortcomings of its predecessor. Each device connected to the switch has its own separate IP address. This reduces the load on the network: each computer receives only what is meant for it, and the others do not see it. But the switch has a drawback that follows directly from this advantage: if you want to split the network between more than 2 computers, you will need more IP addresses, and this usually depends on the provider, who normally issues only one.

What is a router?


A router is also called a routing device. Why? Because it is a link between two different networks and transmits data along a specific route specified in its routing table. To put it very simply, the router is the intermediary between your network and Internet access. The router corrects all the shortcomings of its predecessors, which is why it is the most popular today, especially since routers often come with Wi-Fi antennas for serving wireless devices and can also accept USB modems.

The router can be used either separately: PC -> router -> Internet, or together with other devices: PC -> switch/hub -> router -> Internet.

Another advantage of the router is its easy installation. Often, only minimal knowledge is required from you to connect, configure a network and access the Internet.

So. Let me summarize briefly.

All these devices are needed to create a network. Hub and switch are not very different from each other. A router is the most necessary and convenient solution for creating a network.

In the vast majority of home local networks, only a wireless router is used as active equipment. However, if you need more than four wired connections, you will need to add a network switch (although today there are routers with seven to eight ports for clients). The second common reason for purchasing this equipment is more convenient network wiring. For example, you can install a switch near the TV, connect one cable from the router to it, and connect the TV itself, media player, game console and other equipment to other ports.

The simplest models of network switches have just a couple of key characteristics - the number of ports and their speed. And taking into account modern requirements and the development of the element base, we can say that if the goal of saving at any cost or some specific requirements is not the goal, it is worth buying models with gigabit ports. FastEthernet networks with a speed of 100 Mbps are of course used today, but it is unlikely that their users will encounter the problem of a lack of ports on the router. Although, of course, this is also possible, if you recall the products of some well-known manufacturers with one or two ports for a local network. Moreover, it would be appropriate to use a gigabit switch here to increase the performance of the entire wired local network.

In addition, when choosing, you can also take into account the brand, material and design of the case, the implementation of the power supply (external or internal), the presence and location of indicators and other parameters. Surprisingly, the characteristic of operating speed, which is familiar to many other devices, in this case makes virtually no sense, as was recently published. In data transfer tests, models of completely different categories and prices show the same results.

In this article, we decided to talk briefly about what can be interesting and useful in “real” Level 2 switches. Of course, this material does not pretend to be the most detailed and in-depth presentation of the topic, but, hopefully, it will be useful to those whose tasks or requirements when building a local network in an apartment, house or office go beyond installing a router and setting up Wi-Fi. In addition, many topics will be presented in a simplified form, reflecting only the main points of the interesting and varied subject of network packet switching.

Theory

First, let's remember how a “regular” network switch works.

This “box” is small in size, has several RJ45 ports for connecting network cables, a set of indicators and a power input. It works according to algorithms programmed by the manufacturer and has no user-accessible settings. The principle is “connect the cables, turn on the power, it works”. Each device (more precisely, its network adapter) on the local network has a unique address, the MAC address. It consists of six bytes and is written in the format "AA:BB:CC:DD:EE:FF" with hexadecimal digits. You can find it out programmatically or by looking at the device's label. Formally, this address is considered to be issued by the manufacturer at the production stage and to be unique. But in some cases this is not so (uniqueness is required only within the local network segment, and the address can easily be changed in many operating systems). By the way, the first three bytes (the OUI) can sometimes reveal the maker of the chip or even of the whole device.

If for a global network (in particular the Internet), addressing devices and processing packets is carried out at the IP address level, then in each individual local network segment MAC addresses are used for this. All devices on the same local network must have different MAC addresses. If this is not the case, there will be problems with the delivery of network packets and network operation. Moreover, this low level of information exchange is implemented within the operating system network stacks and the user does not need to interact with it. Perhaps, in reality there are literally a couple of common situations where a MAC address can be used. For example, when replacing a router on a new device, specify the same MAC address of the WAN port that was on the old one. The second option is to enable MAC address filters on the router to block access to the Internet or Wi-Fi.

A regular network switch lets you combine several clients so that they can exchange network traffic. Moreover, not only one computer or other client device can be connected to each port, but also another switch with its own clients. Roughly, the switch's operation looks like this: when a packet arrives at a port, the switch remembers the sender's MAC and writes it into the “clients on this physical port” table; the recipient's address is checked against the other such tables, and if it is found in one of them, the packet is sent to the corresponding physical port. In addition, there are algorithms for eliminating loops, discovering new devices, checking whether a device has changed port, and others. No complex logic is required to implement this scheme; everything runs on fairly simple and inexpensive processors, so, as we said above, even low-end models are able to reach maximum speeds.
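The learning and flooding behaviour just described (and in the earlier section on MAC address tables and the note on table size) can be watched step by step with the following added simulation, which is not code from the article or from any vendor. It assumes a single shared MAC table with a deliberately tiny capacity so that overwriting of old entries and a host moving between ports both show up; the port numbers and addresses are constructed, and the event log is what an operator would want to see from a real switch.

```python
from collections import OrderedDict

BROADCAST = "FF:FF:FF:FF:FF:FF"


class LearningSwitch:
    """Simplified model of a Layer 2 learning switch with one shared MAC address table.
    Assumption (a constructed model, not any vendor's implementation): when the table is full,
    the oldest entry is overwritten, as the article describes for tables that are too small."""

    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.table = OrderedDict()   # MAC -> port, oldest entry first
        self.events = []             # (kind, mac, old_port, new_port): what an operator should log

    def _learn(self, mac, port):
        if mac in self.table:
            old = self.table.pop(mac)            # pop and re-insert so the entry becomes the newest
            if old != port:
                # Same MAC now seen behind another port: a host moved, or two devices share an address
                self.events.append(("move", mac, old, port))
        else:
            if len(self.table) >= self.capacity:
                evicted_mac, evicted_port = self.table.popitem(last=False)
                self.events.append(("evict", evicted_mac, evicted_port, None))
            self.events.append(("learn", mac, None, port))
        self.table[mac] = port

    def receive(self, in_port, src, dst):
        """Handle a frame arriving on in_port; return the list of ports it is forwarded to."""
        self._learn(src, in_port)
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]   # destination on the same port: filtered, not forwarded
        # Broadcast or unknown destination: flood out of every port except the one it came in on
        return [p for p in self.ports if p != in_port]


def demo():
    """Walk through the learning/flooding sequence from the text; returns the forwarding decisions,
    the event log and the final table."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], capacity=3)   # deliberately tiny table
    A, B, C, D = ("02:00:00:00:00:0A", "02:00:00:00:00:0B",
                  "02:00:00:00:00:0C", "02:00:00:00:00:0D")
    out = {}
    out["A->B unknown"] = sw.receive(1, A, B)          # B not yet learned: flooded to 2, 3, 4
    out["B->A reply"] = sw.receive(2, B, A)            # A is known: port 1 only; B learned on port 2
    out["A->B known"] = sw.receive(1, A, B)            # both known: port 2 only
    out["C broadcast"] = sw.receive(3, C, BROADCAST)   # broadcast always floods: 1, 2, 4
    out["D->A, table full"] = sw.receive(4, D, A)      # capacity reached: oldest entry (B) overwritten
    out["A->B after evict"] = sw.receive(1, A, B)      # B forgotten, so traffic to it is flooded again
    out["A moves to port 4"] = sw.receive(4, A, C)     # A seen behind port 4: table updated, 'move' logged
    return out, sw.events, dict(sw.table)


if __name__ == "__main__":
    decisions, events, table = demo()
    for step, ports in decisions.items():
        print(f"{step:22s} -> forwarded to ports {ports}")
    for ev in events:
        print("event:", ev)
```

The "move" event is the signal worth alerting on in a monitored network: a legitimate host rarely changes port, so repeated moves of one address usually mean a cabling mistake, a duplicate address or a loop.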

Managed or sometimes called “smart” switches are much more complex. They are able to use more information from network packets to implement more complex algorithms for processing them. Some of these technologies may also be useful for “high-end” or more demanding home users, as well as for solving some special tasks.

Second-level switches (Level 2, data link layer) are capable of taking into account, when switching packets, information contained within certain fields of network packets, in particular VLAN, QoS, multicast and some others. This is the option we will talk about in this article. More complex models of the third level (Level 3) can already be considered routers, since they operate with IP addresses and work with third-level protocols (in particular RIP and OSPF).

Please note that there is no single universal and standard set of capabilities for managed switches. Each manufacturer creates its own product lines based on its understanding of consumer requirements. So in each case it is worth paying attention to the specifications of a particular product and their compliance with the tasks set. Of course, there is no talk of any “alternative” firmware with wider capabilities here.

As an example, we use the Zyxel GS2200-8HP device. This model has been on the market for a long time, but is quite suitable for this article. Modern products in this segment from Zyxel generally provide similar capabilities. In particular, the current device of the same configuration is offered under the article number GS2210-8HP.

The Zyxel GS2200-8HP is an eight-port (24-port version available in the series) Level 2 managed gigabit switch that also includes PoE support and RJ45/SFP combo ports, as well as some higher-level switching features.

In terms of its format, it can be called a desktop model, but the package includes additional mounting hardware for installation in a standard 19″ rack. The body is made of metal. On the right side we see a ventilation grille, and on the opposite side there are two small fans. At the back there is only a network cable input for the built-in power supply.

All connections, traditionally for such equipment, are made from the front side for ease of use in racks with patch panels. On the left there is an insert with the manufacturer's logo and the illuminated name of the device. Next are the indicators - power, system, alarm, status/activity and power LEDs for each port.

Next come the main eight network connectors, followed by two RJ45 and two SFP ports that form combo pairs, with their own indicators. Such solutions are another characteristic feature of this class of device. Typically, SFP is used to connect optical communication lines. Their main difference from the usual twisted pair is the ability to work over significantly longer distances, up to tens of kilometers.

Due to the fact that different types of physical lines can be used here, SFP standard ports are installed directly in the switch, into which special transceiver modules must be additionally installed, and optical cables are connected to them. At the same time, the resulting ports do not differ in their capabilities from the others, of course, except for the lack of PoE support. They can also be used in port trunking mode, scenarios with VLANs and other technologies.

The console serial port completes the description. It is used for servicing and other operations. In particular, we note that there is no reset button, which is typical for home equipment. In severe cases of loss of control, you will have to connect via the serial port and reload the entire configuration file in debug mode.

The solution supports administration via the Web and command line, firmware updates, 802.1x protocol to protect against unauthorized connections, SNMP for integration into monitoring systems, packets with a size of up to 9216 bytes (Jumbo Frames) to increase network performance, second-layer switching services, stacking capabilities for ease of administration.

Of the eight main ports, half support PoE+ with up to 30 W per port, and the remaining four support PoE with 15.4 W. The maximum power consumption is 230 W, of which up to 180 W can be supplied via PoE.

The electronic version of the user manual has more than three hundred pages. So the functions described in this article represent only a small part of the capabilities of this device.

Management and control

Unlike simple network switches, “smart” ones have tools for remote configuration. Their role is most often played by the familiar Web interface, and for “real administrators” access to the command line with its own interface via telnet or ssh is provided. A similar command line can be obtained through a connection to the serial port on the switch. In addition to habit, working with the command line has the advantage of convenient automation using scripts. There is also support for the FTP protocol, which allows you to quickly download new firmware files and manage configurations.

For example, you can check the status of connections, manage ports and modes, allow or deny access, and so on. In addition, this option is less demanding on bandwidth (requires less traffic) and the equipment used for access. But in the screenshots, of course, the Web interface looks more beautiful, so in this article we will use it for illustrations. Security is provided by a traditional administrator username/password, there is support for HTTPS, and you can also configure additional restrictions on access to switch management.

Note that, unlike many home devices, the interface has an explicit button for saving the current switch configuration to its non-volatile memory. Also on many pages you can use the Help button to call up contextual help.

Another option for monitoring the operation of the switch is to use the SNMP protocol. Using specialized programs, you can obtain information about the hardware status of the device, such as temperature or loss of a link on a port. For large projects, it will be useful to implement a special mode for managing several switches (a cluster of switches) from a single interface - Cluster Management.

The minimum initial steps to start up the device typically include updating the firmware, changing the administrator password, and configuring the switch's own IP address.

In addition, it is usually worth paying attention to options such as network name, synchronization of the built-in clock, sending the event log to an external server (for example, Syslog).

When planning the network layout and switch settings, it is recommended to calculate and think through all the points in advance, since the device has no built-in checks for conflicting settings. For example, if you “forget” that you previously configured port aggregation, then VLANs involving those ports may behave completely differently than required. Not to mention the possibility of losing connection with the switch, which is especially unpleasant when working remotely.

One of the basic “smart” functions of switches is support for network port aggregation technologies. Also used for this technology are terms such as trunking, bonding, and teaming. In this case, clients or other switches are connected to this switch not with one cable, but with several at once. Of course, this requires having several network cards on your computer. Network cards can be either separate or made in the form of a single expansion card with several ports. Typically in this scenario we are talking about two or four links. The main tasks solved in this way are increasing the speed of the network connection and increasing its reliability (duplication). A switch can support several such connections at once, depending on its hardware configuration, in particular, the number of physical ports and processor power. One option is to connect a pair of switches in this way, which will increase the overall network performance and eliminate bottlenecks.

To implement the scheme, it is advisable to use network cards that explicitly support this technology, although in general port aggregation can also be done at the software level. It is most often implemented through the open LACP (802.3ad) protocol, which is used to monitor the status of the links and manage them, but there are also proprietary options from individual vendors.

At the client operating system level, after appropriate configuration, a new standard network interface usually simply appears, which has its own MAC and IP addresses, so that all applications can work with it without any special actions.

Fault tolerance is ensured by having multiple physical connections between devices. If the connection fails, traffic is automatically redirected along the remaining links. Once the line is restored, it will start working again.

As for increasing speed, the situation is a little more complicated. Formally, one might assume that throughput is multiplied by the number of lines used. However, the actual increase in data transmission and reception speed depends on the specific tasks and applications. In particular, for such a simple and common task as a computer reading files from a network storage device, nothing is gained from combining ports, even if both devices are connected to the switch by several links. But if port trunking is configured on the network storage device and several “regular” clients access it simultaneously, then this configuration gives a significant gain in overall performance.

Some examples of use and test results are given in the article. Thus, we can say that the use of port aggregation technologies at home will be useful only if there are several fast clients and servers, as well as a sufficiently high load on the network.
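The effect described above, as an added illustration that is not code from the article: an aggregated link never splits one frame across links but picks a link per frame from a hash of header fields, so one flow stays on one link while many clients spread out. The hash policies are simplified from the Linux bonding driver's layer2, layer2+3 and layer3+4 policies (real switch ASICs use vendor-specific variants, which is an assumption here), and the NAS and client traffic are constructed for the example.

```python
"""Added illustration, not from the article: why one flow does not get
faster over an aggregated link while many clients do. A switch or bonding
driver never splits a frame across links; it hashes a few header fields and
sends every frame of a flow down the same physical link. The hashes are
simplified from the Linux bonding policies layer2, layer2+3 and layer3+4
(assumption: real switch ASICs use their own vendor-specific variants)."""
from collections import Counter
from ipaddress import IPv4Address

def _mac_low(mac: str) -> int:
    return int(mac.split(":")[-1], 16)          # last byte of the MAC address

def select_link(frame: dict, n_links: int, policy: str = "layer2") -> int:
    """Index of the physical link (0..n_links-1) that carries this frame."""
    mac_xor = _mac_low(frame["src_mac"]) ^ _mac_low(frame["dst_mac"])
    ip_xor = (int(IPv4Address(frame["src_ip"])) ^ int(IPv4Address(frame["dst_ip"]))) & 0xFFFF
    if policy == "layer2":                      # MAC addresses only
        h = mac_xor
    elif policy == "layer2+3":                  # MAC and IP addresses
        h = mac_xor ^ ip_xor
    elif policy == "layer3+4":                  # IP addresses and TCP/UDP ports
        h = ip_xor ^ frame["src_port"] ^ frame["dst_port"]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return h % n_links

def link_usage(frames, n_links: int, policy: str = "layer2") -> list:
    """Number of frames that land on each physical link."""
    counts = Counter(select_link(f, n_links, policy) for f in frames)
    return [counts[i] for i in range(n_links)]

def make_frame(src_mac, src_ip, src_port, dst_mac, dst_ip, dst_port=445):
    return {"src_mac": src_mac, "src_ip": src_ip, "src_port": src_port,
            "dst_mac": dst_mac, "dst_ip": dst_ip, "dst_port": dst_port}

# Constructed traffic: a NAS on a two-link trunk serving SMB (TCP port 445).
NAS_MAC, NAS_IP = "00:11:22:33:44:01", "192.168.1.10"
# Case 1: one PC copying one file from the NAS: a single flow of 100 frames.
ONE_CLIENT = [make_frame("00:11:22:33:44:02", "192.168.1.20", 50000, NAS_MAC, NAS_IP)
              for _ in range(100)]
# Case 2: eight different PCs reading from the NAS at the same time, 10 frames each.
CLIENTS = [("00:1b:44:11:3a:b7", "192.168.1.31", 49200), ("3c:97:0e:52:1d:40", "192.168.1.47", 51033),
           ("b8:27:eb:a3:6f:02", "192.168.1.58", 52817), ("f4:5c:89:d1:0c:55", "192.168.1.64", 53344),
           ("00:50:56:c0:00:08", "192.168.1.72", 49901), ("a4:5e:60:7f:b2:13", "192.168.1.85", 50666),
           ("d8:cb:8a:20:41:9e", "192.168.1.93", 54001), ("e0:d5:5e:13:97:c4", "192.168.1.110", 55123)]
MANY_CLIENTS = [make_frame(mac, ip, port, NAS_MAC, NAS_IP)
                for mac, ip, port in CLIENTS for _ in range(10)]

if __name__ == "__main__":
    for policy in ("layer2", "layer2+3", "layer3+4"):
        print(f"{policy:9} one client {link_usage(ONE_CLIENT, 2, policy)}"
              f"  many clients {link_usage(MANY_CLIENTS, 2, policy)}")
```

Whatever the policy, the single file copy lands entirely on one link, while the eight clients are spread over both; which link a given client gets depends only on its addresses and ports.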

Setting up port aggregation on a switch is usually straightforward. In particular, on the Zyxel GS2200-8HP the necessary parameters are located in the Advanced Application - Link Aggregation menu. In total, this model supports up to eight groups. There are no restrictions on the composition of groups - you can use any physical port in any group. The switch supports both static port trunking and LACP.

On the status page you can check the current assignments by group.

On the settings page, active groups and their type are indicated (used to select the packet distribution scheme across physical links), as well as the assignment of ports to the required groups.

If necessary, enable LACP for the required groups on the third page.

Next, you need to configure similar settings on the device on the other side of the link. In particular, on a QNAP network drive this is done as follows - go to the network settings, select ports and the type of their connection.

After this, you can check the status of the ports on the switch and evaluate the effectiveness of the solution in your tasks.

VLAN

In a typical local network configuration, network packets “walking” through it use a common physical environment, like flows of people at subway transfer stations. Of course, switches, in a certain sense, prevent “foreign” packets from reaching the interface of your network card, but some packets, such as broadcast packets, can penetrate any corner of the network. Despite the simplicity and high speed of this scheme, there are situations when, for some reason, you need to separate certain types of traffic. This may be due to security requirements or the need to meet performance or prioritization requirements.

Of course, these issues can be resolved by creating a separate segment of the physical network - with its own switches and cables. But this is not always possible to implement. This is where VLAN (Virtual Local Area Network) technology—a logical or virtual local computer network—may come in handy. It may also be referred to as 802.1q.

To a rough approximation, the operation of this technology can be described as the use of additional “tags” for each network packet when it is processed in the switch and on the end device. In this case, data exchange only works within a group of devices with the same VLAN. Since not all equipment uses VLANs, the scheme also uses operations such as adding and removing tags from a network packet as it passes through the switch. Accordingly, it is added when a packet is received from a “regular” physical port for sending through the VLAN network, and removed when it is necessary to transmit a packet from the VLAN network to a “regular” port.

As an example of the use of this technology, we can recall multi-service connections of operators - when you get access to the Internet, IPTV and telephony via one cable. This was previously found in ADSL connections, and today is used in GPON.

The switch in question supports the simplified “Port-based VLAN” mode, when the division into virtual networks is carried out at the level of physical ports. This scheme is less flexible than 802.1q, but may be suitable in some configurations. Note that this mode is mutually exclusive with 802.1q, and for selection there is a corresponding item in the Web interface.

To create a VLAN according to the 802.1q standard, on the Advanced Applications - VLAN - Static VLAN page, specify the name of the virtual network, its identifier, and then select the ports involved and their parameters. For example, when connecting regular clients, it is worth removing VLAN tags from the packets sent to them.

Depending on whether this is a client connection or a switch connection, you need to configure the required options on the Advanced Applications - VLAN - VLAN Port Settings page. In particular, this concerns adding tags to packets arriving at the port input, allowing packets without tags or with other identifiers to be broadcast through the port, and isolating the virtual network.
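The tagging and stripping of packets described above, together with the PVID, tagged/untagged and ingress-check port options, as an added software model that is not the article's or Zyxel's code; the port layout (a PC, an IPTV box and a tagged uplink) and the sample frame are constructed for the example.

```python
"""Added example, not the article's or Zyxel's code: a minimal model of
802.1Q tagging at switch ports. Untagged frames get the port's PVID on
ingress, tagged frames must belong to a VLAN the port is a member of, and
on egress the tag is stripped for the port's untagged VLAN."""
import struct

TPID = 0x8100                                    # 802.1Q tag protocol identifier
BCAST = b"\xff" * 6

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + PCP/VID) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | (vid & 0xFFF)) + frame[12:]

def read_tag(frame: bytes):
    """Return (vid, pcp) for a tagged frame, None for an untagged one."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0xFFF, tci >> 13
    return None

def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if read_tag(frame) else frame

class Port:
    def __init__(self, pvid: int, tagged=(), accept_untagged: bool = True):
        self.pvid = pvid                          # VLAN for untagged frames, sent untagged
        self.tagged = set(tagged)                 # VLANs sent out with the tag kept
        self.accept_untagged = accept_untagged
    def is_member(self, vid: int) -> bool:
        return vid == self.pvid or vid in self.tagged
    def ingress(self, frame: bytes):
        """Classify a received frame: (vid, tagged frame), or None if dropped."""
        tag = read_tag(frame)
        if tag is None:
            return (self.pvid, tag_frame(frame, self.pvid)) if self.accept_untagged else None
        return (tag[0], frame) if self.is_member(tag[0]) else None   # ingress check
    def egress(self, vid: int, frame: bytes):
        """Frame as it leaves this port, or None if the port is not in that VLAN."""
        if vid == self.pvid:
            return strip_tag(frame)
        return frame if vid in self.tagged else None

def forward(ports: dict, in_port: int, frame: bytes) -> dict:
    """Flood a frame to every other port of its VLAN (no MAC learning modelled)."""
    result = ports[in_port].ingress(frame)
    if result is None:
        return {}
    vid, tagged = result
    out = {name: port.egress(vid, tagged) for name, port in ports.items() if name != in_port}
    return {name: f for name, f in out.items() if f is not None}

# Constructed layout: port 1 = PC in VLAN 10, port 2 = IPTV box in VLAN 20,
# port 8 = uplink to the next switch carrying both VLANs tagged.
PORTS = {1: Port(pvid=10), 2: Port(pvid=20), 8: Port(pvid=1, tagged={10, 20})}
PC_FRAME = BCAST + bytes.fromhex("001122334402") + b"\x08\x06" + b"\x00" * 28  # constructed ARP
```

A broadcast from the PC reaches only the uplink, tagged with VLAN 10; a frame tagged 20 arriving on the uplink reaches only the IPTV box, with the tag removed; a tag for a VLAN the port does not belong to is dropped at ingress.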

Access control and authentication

Ethernet technology initially did not support access control to the physical medium. It was enough to plug the device into the switch port - and it began to work as part of the local network. In many cases, this is sufficient because the security is provided by the complexity of a direct physical connection to the network. But today, the requirements for the network infrastructure have changed significantly and the implementation of the 802.1x protocol is increasingly found in network equipment.

In this scenario, when connecting to a switch port, the client presents its authentication data, and until the access control server confirms it, no information is exchanged with the network. Most often the scheme involves an external server such as RADIUS or TACACS+. Using 802.1x also provides additional capabilities for monitoring network operation. Whereas in the standard scheme you can “bind” only to a hardware parameter of the client (its MAC address), for example to issue an IP address or set speed limits and access rights, working with user accounts is more convenient in large networks, since it allows for client mobility and other higher-level features.

A RADIUS server on a QNAP NAS was used for testing. It is designed as a separately installed package and has its own user base. It is quite suitable for this task, although in general it has few capabilities.

The client was a computer with Windows 8.1. To use 802.1x on it, you need to enable one service and after that a new tab appears in the properties of the network card.

Note that in this case we are talking exclusively about controlling access to the physical port of the switch. In addition, do not forget that it is necessary to ensure constant and reliable access of the switch to the RADIUS server.

To control bandwidth, the switch has two functions. The first, the simplest, allows you to limit incoming and outgoing traffic on a specified physical port.

This switch also allows you to use prioritization for physical ports. In this case, there are no hard limits for speed, but you can select devices whose traffic will be processed first.

The second is part of a more general scheme with the classification of switched traffic according to various criteria and is only one of the options for its use.

First, on the Classifier page, you need to define traffic classification rules. They apply Level 2 criteria - in particular MAC addresses, and in this model Level 3 rules can also be applied - including protocol type, IP addresses and port numbers.

Next, on the Policy Rule page, you specify the actions to take on the traffic “selected” by the chosen classification rules. The following operations are provided: setting a VLAN tag, limiting the rate, sending the packet out of a given port, setting a priority field, and dropping the packet. These functions make it possible, for example, to limit the data rate of particular clients or services.

More complex schemes may use the 802.1p priority fields in network packets. For example, you can tell the switch to handle telephony traffic first and give web browsing the lowest priority.
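The Classifier and Policy Rule scheme from the previous paragraphs, as an added software model that is not the switch's own code: classifiers match layer 2/3 fields, policies drop, prioritise or rate-limit the matched traffic, and the token bucket shows how a rate limit behaves under a burst. The field names, the three rules and the packet stream are constructed for the example.

```python
"""Added example, not the switch's own code: a software model of the
Classifier + Policy Rule scheme. A classifier is a set of layer 2/3 fields
that must all match; the policy applies one action to the matched traffic:
drop, set the 802.1p priority, or rate-limit with a token bucket."""

def matches(classifier: dict, pkt: dict) -> bool:
    """Classifier such as {"proto": "tcp", "dst_port": 23}; absent fields mean 'any'."""
    return all(pkt.get(k) == v for k, v in classifier.items())

class Policy:
    def __init__(self, classifier: dict, action: str, priority: int = 0, rate_bps: int = 0):
        self.classifier, self.action, self.priority = classifier, action, priority
        self.rate_bps = rate_bps                # bytes per second allowed by "rate_limit"
        self.tokens, self.last_t = float(rate_bps), 0.0   # bucket starts full (1 s burst)

    def apply(self, pkt: dict):
        """Return the packet (possibly with the priority field set) or None if dropped."""
        if self.action == "drop":
            return None
        if self.action == "priority":
            return {**pkt, "pcp": self.priority}
        # "rate_limit": refill for the elapsed time, capped at one second's worth of tokens
        self.tokens = min(self.rate_bps, self.tokens + (pkt["t"] - self.last_t) * self.rate_bps)
        self.last_t = pkt["t"]
        if pkt["size"] > self.tokens:
            return None                         # bucket empty: the packet is dropped
        self.tokens -= pkt["size"]
        return pkt

def run_policies(policies, packets):
    """First matching policy wins; packets that match no policy pass unchanged."""
    out = []
    for pkt in packets:
        pol = next((p for p in policies if matches(p.classifier, pkt)), None)
        verdict = pol.apply(pkt) if pol else pkt
        if verdict is not None:
            out.append(verdict)
    return out

PC, GUEST = "00:11:22:33:44:02", "aa:bb:cc:00:00:01"   # constructed client MACs

def build_policies():
    """Constructed rule set: block telnet, prioritise SIP, cap the guest PC at 1 Mbit/s."""
    return [Policy({"proto": "tcp", "dst_port": 23}, "drop"),
            Policy({"proto": "udp", "dst_port": 5060}, "priority", priority=5),
            Policy({"src_mac": GUEST}, "rate_limit", rate_bps=125_000)]

def pkt(t, size, src_mac, dst_ip, proto, dst_port):
    return dict(t=t, size=size, src_mac=src_mac, dst_ip=dst_ip, proto=proto, dst_port=dst_port)

PACKETS = [pkt(0.0, 1500, PC, "203.0.113.5", "tcp", 23),         # telnet: dropped
           pkt(0.0, 200, PC, "192.168.1.50", "udp", 5060),       # SIP: gets priority 5
           pkt(0.0, 100_000, GUEST, "203.0.113.9", "tcp", 443),  # guest burst: first passes,
           pkt(0.0, 100_000, GUEST, "203.0.113.9", "tcp", 443),  # the next two empty the
           pkt(0.0, 100_000, GUEST, "203.0.113.9", "tcp", 443),  # bucket and are dropped
           pkt(1.0, 100_000, GUEST, "203.0.113.9", "tcp", 443),  # one second later: refilled
           pkt(1.0, 1500, PC, "203.0.113.5", "tcp", 443)]        # matches no rule: unchanged
```

Running `run_policies(build_policies(), PACKETS)` returns four packets: the SIP packet with its priority set, the two guest packets that fit in the bucket, and the untouched HTTPS packet from the PC.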

PoE

Another capability, not directly related to the packet switching process itself, is supplying power to client devices over the network cable. This is often used to connect IP cameras, telephones and wireless access points, which reduces the number of wires and simplifies cabling. When choosing such a model, it is important to take several parameters into account, the main one being the standard used by the client equipment. The fact is that some manufacturers use their own implementations, which are incompatible with other solutions and can even damage “foreign” equipment. It is also worth singling out “passive PoE”, where power is supplied at a relatively low voltage without any feedback from or control of the recipient.

A more correct, convenient and universal option is “active PoE”, operating according to the 802.3af or 802.3at standards and capable of delivering up to 30 W (higher values are also found in newer versions of the standards). In this scheme, the transmitter and receiver exchange information and agree on the necessary parameters, in particular the power consumption.

To test this, we connected an Axis 802.3af PoE compatible camera to the switch. On the front panel of the switch, the corresponding power indicator for this port lights up. Then, through the Web interface, we will be able to monitor the consumption status by port.

The ability to control the power supply to the ports is also interesting. If a camera is connected with a single cable and is located in a hard-to-reach place, then to reboot it you would have to disconnect this cable either on the camera side or in the wiring closet. Instead, you can log into the switch remotely in any available way, simply uncheck the “supply power” checkbox, and then check it again. In addition, in the PoE settings you can configure priorities for providing power.

As we wrote earlier, the key field of network packets in this equipment is the MAC address. Managed switches often have a set of services designed to use this information.

For example, the model under consideration supports static assignment of MAC addresses to a port (usually this operation occurs automatically), filtering (blocking) of packets by source or recipient MAC addresses.

In addition, you can limit the number of client MAC address registrations on a switch port, which can also be considered an additional security option.

Most layer 3 network packets are unicast - they go from one sender to one recipient. But some services use multicast, where one packet has several recipients at once. The most famous example is IPTV. Using multicast here can significantly reduce bandwidth requirements when information must be delivered to a large number of clients. For example, multicasting 100 TV channels at 1 Mbit/s each will require 100 Mbit/s for any number of clients. With standard unicast delivery, 1000 clients would require 1000 Mbit/s.

We will not go into the details of how IGMP works; we will only note the ability to fine-tune the switch for efficient operation under heavy loads of this type.

Complex networks may use special protocols to control the path of network packets. In particular, they make it possible to eliminate topological loops (“looping” of packets). The switch in question supports STP, RSTP and MSTP and has flexible settings for their operation.

Another feature in demand in large networks is protection against situations such as “broadcast storm”. This concept characterizes a significant increase in broadcast packets in the network, blocking the passage of “normal” useful traffic. The simplest way to combat this is to set limits on the switch ports to process a certain number of packets per second.

Additionally, the device has an Error Disable function. It lets the switch shut down a port if it detects excessive service traffic on it. This maintains performance and ensures automatic recovery once the problem is fixed.
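The per-port packets-per-second limit and the Error Disable behaviour described in the last two paragraphs, as an added software model that is not the switch's firmware: broadcasts above the limit are dropped, a port that stays over the limit for several consecutive seconds is shut down, and it comes back after a recovery timer. The thresholds and the frame stream (one port flooding broadcasts, one sending normal unicast) are constructed for the example.

```python
"""Added example, not from the article: per-port broadcast storm control with
an Error Disable style shutdown, modelled in software. A port may forward at
most `limit_pps` broadcast frames per second; frames above that are dropped,
and after `errdisable_after` consecutive bad seconds the whole port is shut
down until `recovery_s` seconds have passed. Thresholds and the frame stream
are constructed for the example."""
from collections import Counter, defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"

class StormControl:
    def __init__(self, limit_pps: int, errdisable_after: int = 3, recovery_s: float = 30.0):
        self.limit, self.errdisable_after, self.recovery = limit_pps, errdisable_after, recovery_s
        self.counts = defaultdict(int)        # (port, second) -> broadcast frames seen
        self.bad_run = defaultdict(int)       # port -> consecutive seconds over the limit
        self.last_bad = {}                    # port -> last second that was over the limit
        self.disabled_until = {}              # port -> time at which it is re-enabled

    def handle(self, port: int, t: float, dst_mac: str) -> str:
        """Verdict for one frame: 'forward', 'drop' or 'errdisable'."""
        until = self.disabled_until.get(port)
        if until is not None:
            if t < until:
                return "errdisable"           # port is shut down, nothing passes
            del self.disabled_until[port]     # recovery timer expired: port comes back
            self.bad_run[port] = 0
        if dst_mac != BCAST:
            return "forward"                  # storm control only counts broadcasts
        sec = int(t)
        self.counts[(port, sec)] += 1
        if self.counts[(port, sec)] <= self.limit:
            return "forward"
        if self.last_bad.get(port) != sec:    # first excess frame in this second
            consecutive = self.last_bad.get(port) == sec - 1
            self.bad_run[port] = self.bad_run[port] + 1 if consecutive else 1
            self.last_bad[port] = sec
            if self.bad_run[port] >= self.errdisable_after:
                self.disabled_until[port] = t + self.recovery
                return "errdisable"
        return "drop"

def simulate(limit_pps: int = 500):
    """Constructed stream: port 3 floods 2000 broadcasts/s for 4 s (a storm),
    port 1 sends 10 ordinary unicast frames, port 3 sends one more frame at t=40."""
    sc, verdicts = StormControl(limit_pps), Counter()
    for sec in range(4):
        for k in range(2000):
            verdicts[sc.handle(3, sec + k / 2000, BCAST)] += 1
    for k in range(10):
        verdicts[sc.handle(1, k * 0.1, "00:11:22:33:44:01")] += 1
    verdicts[sc.handle(3, 40.0, BCAST)] += 1
    return verdicts, sc

if __name__ == "__main__":
    print(simulate()[0])
```

In the simulated storm the port forwards 500 broadcasts in each of the first three seconds, drops the excess, is shut down at the start of the third bad second, and is forwarding again by the time the frame at t=40 arrives.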

Another task, more related to security requirements, is monitoring all traffic. In normal mode, the switch implements a scheme to send packets only directly to their recipients. It is impossible to “catch” a “foreign” packet on another port. To implement this task, port mirroring technology is used - control equipment is connected to selected switch ports and all traffic from specified other ports is configured to be sent to this port.

The IP Source Guard, DHCP Snooping and ARP Inspection functions are also aimed at increasing security. The first lets you configure filters on MAC address, IP address, VLAN and port number that all packets must pass. The second protects the DHCP protocol, and the third automatically blocks unauthorized clients.

Conclusion

Of course, the capabilities described above represent only a fraction of the network switching technologies available on the market today. And even from this small list, not all of them can find real use among home users. Perhaps the most common are PoE (for example, to power network video cameras), port aggregation (in the case of a large network and the need for fast traffic exchange), traffic control (to ensure the operation of streaming applications under high load on the channel).

Of course, it is not at all necessary to use business-level devices to solve these problems. For example, in stores you can find a regular switch with PoE, port aggregation is also found in some top-end routers, prioritization is also starting to be found in some models with fast processors and high-quality software. But, in our opinion, the option of purchasing more professional equipment, including on the secondary market, can also be considered for home networks with increased requirements for performance, security and manageability.

By the way, there is actually another option. As we said above, the amount of “smarts” in “smart” switches varies. Many manufacturers have a series of products that fit well into a home budget and at the same time provide many of the features described above. As an example, we can mention the Zyxel GS1900-8HP.

This model has a compact metal case and an external power supply, it has eight Gigabit ports with PoE, and a Web interface is provided for configuration and management.

The device firmware supports port aggregation with LACP, VLAN, port rate limiting, 802.1x, port mirroring and other functions. But unlike the “real managed switch” described above, all this is configured exclusively through the Web interface and, if necessary, even using an assistant.

Of course, we are not talking about the similarity of this model to the device described above in terms of its capabilities as a whole (in particular, there are no traffic classification tools and Level 3 functions here). Rather, it is simply a more suitable option for the home user. Similar models can be found in the catalogs of other manufacturers.






