
Low cost managed switch for 100 MAC or IP control


ask

I recently purchased the Netgear GS716T managed switch for the purpose of data flow control from about 100 devices. The specs listed claimed an 8000 MAC address database. After placing it in the network, I discovered it had a very low trusted MAC limit of 20. My need is to have individual control of at least 100 MAC or IP addresses. Can anyone recommend a reasonably priced switch that would let me do that? I need at least 10 ports. Thanks for any help. I meant GB switch.
 
Might not be a bad choice!!

http://www.newegg.com/Product/Product.aspx?Item=N82E16833316076

Get two of these; double check with HP to see if they support 100 MACs. If not, they will have something. I love ProCurve; I don't hear a lot about them on this website. I have 2 in my house with a TRENDnet 633-gr on Cat6 and it's pretty awesome. I am not the smartest networking guy but know this is a layer 2 switch, and I didn't :p want to have to work for it.
 
I checked this product and it is not a managed switch, can you elaborate a bit on how I could use it to block or filter data from devices using IP or MAC addresses?
 
TP-Link anyone

I guess I misunderstood you the first time. Check out TP-Link stuff for bang for buck. Also, I do all my home control through the router interface, but that may not be feasible for you depending on your configuration. I have both unmanaged ProCurves going into the router and control IP addresses from there, set priority and how much time each IP is allowed on the internet, and with web filtering on the router, what they can see. Here, try this company; they are well reviewed and the throughput and price seem right. Have you thought about a smart switch? It should cover most of your needs. Here is the link on NCIX: http://ncix.com/products/index.php?sku=41422&vpn=TL-SG2216WEB&manufacture=TP Link.
I have bought a couple of items from them and they work well. Also, for an up-and-comer they have to be priced competitively. Might double check with the admin though. I haven't seen them reviewed on this website before, but I may be wrong. I also don't know what price range you are considering. I am trying to keep it frugal, and you could also have fiber installed direct with modules. 10 ports is kind of hard to do; 8 is better, but you would have to double up. More to run unless you can put an unmanaged :p switch behind the 8 port managed.

Also see here: http://www.tp-link.com/products/product_spe.asp?id=63
Software Specification
Standards and Protocols: IEEE 802.3, 802.3u, 802.3ab, 802.3z, 802.3ad, 802.3x, 802.1q, 802.1p
Basic Function: MAC Address Auto-Learning and Auto-aging; Storm Control (Broadcast, Multicast, Unknown unicast); Port Mirroring
MAC Address Table: 4k
Switching Capacity: 32Gbps
Transmission Method: Store-and-Forward
Priority: Port based Priority; IEEE 802.1p based Priority (4 Queues); IP DSCP based Priority
Link Aggregation: IEEE 802.3ad LACP Link Aggregation
VLAN: Port Based VLAN; 802.1Q Tag-VLAN; MTU VLAN
Access Control List: Based on Port; Based on MAC
Security & Authentication: Port Security; Static MAC Address Binding; Dynamic MAC Address Binding
Network Management: Web (Http) Management; Remote Management
System Function: Fixed IP Address Setting; VCT (visual cable test); Port Flow Statistics; TFTP Upgrade

Hardware Specification
Ports: 16 10/100/1000Mbps Auto-Negotiation RJ45 ports (Auto MDI/MDIX); 2 Gigabit SFP ports (shared with port 15, 16)
Network Media:
  10BASE-T: UTP category 3, 4, 5 cable (maximum 100m); EIA/TIA-568 100Ω STP (maximum 100m)
  100BASE-TX/1000Base-T: UTP category 5, 5e cable (maximum 100m); EIA/TIA-568 100Ω STP (maximum 100m)
  1000BASE-X: MMF, SMF
LED Indicators: Power, System, Link/Act, 1000M
Safety & Emission: FCC, CE
Dimensions (W*D*H): 17.3*10.2*1.7 in. (440*260*44 mm)
Environment:
  Operating Temperature: 0℃~40℃ (32℉~104℉)
  Storage Temperature: -40℃~70℃ (-40℉~158℉)
  Operating Humidity: 10%~90% non-condensing
  Storage Humidity: 5%~90% non-condensing
Power: 100-240VAC, 50/60Hz

Supports Static MAC address and filtering MAC address management
 
Thank you vwgtiron. The TP-Link product looks interesting and the price is also attractive. However, it does not seem to have many vendors in the US. I would love to try it though, especially if someone who has used it can tell me if I can have individual access control of up to 100 IP addresses or MAC addresses.
 
surprised with the few responses

I am a newbie in this field and I am using the network switch in a special hardware development troubleshooting application, but I am really surprised at the few responses I received for my question. Am I asking for something unusual? I was under the impression that managed switches are fairly regularly used for filtering traffic using either MAC or IP addresses. I hoped to get 5 or 6 popular recommendations fairly quickly but I got a response only from one person. Another issue that is confusing me is, what good is the spec of '8k MAC address size' if you purchase the switch and find out it does not let you enter more than 20? Am I missing something here? Of course my main experience has been with Netgear switches and I have been on the phone for about a week now and the engineers at Netgear have been telling me that all their products have a trusted MAC limit of 20. They are saying higher end Layer 3 switches will allow me to filter a hundred or more devices using IP addresses. But I am having a difficult time believing them until someone who has used one tells me the product will indeed do that. Models I am looking at are GSM7312 and GSM7212. Could I have some tried and true recommendations please?
 
ask said:
I am a newbie in this field and I am using the network switch in a special hardware development troubleshooting application, but I am really surprised at the few responses I received for my question. Am I asking for something unusual? I was under the impression that managed switches are fairly regularly used for filtering traffic using either MAC or IP addresses. I hoped to get 5 or 6 popular recommendations fairly quickly but I got a response only from one person.

You won't get many answers because you aren't using the device in a conventional manner. Access control by MAC whitelist is cumbersome; the Cisco Way(tm) of handling port security on a flat network is to set a per-port MAC limit. The administrative burden of whitelisting is only justified in environments where you need eyes-on device approval, or when your worth as an admin is determined by the visibility of your (pointless) endeavors. Filtering is handled by ACL, but the logical method is to filter groups by criteria (again, admin burden), which may not be applicable to your "special hardware development troubleshooting application."

ask said:
Another issue that is confusing me is, what good is the spec of '8k MAC address size' if you purchase the switch and find out it does not let you enter more than 20? Am I missing something here?

Yes, how switches work. ;) Key concepts: Ethernet, difference between hub and switch, MAC address table.

ask said:
But I am having a difficult time believing them until someone who has used one tells me the product will indeed do that. Models I am looking at are GSM7312 and GSM7212. Could I have some tried and true recommendations please?

Asking manufacturers is a good start. I'd also look for device emulators.
 
Right, it is unconventional.

You won't get many answers because you aren't using the device in a conventional manner. Access control by MAC whitelist is cumbersome; the Cisco Way(tm) of handling port security on a flat network is to set a per-port MAC limit. The administrative burden of whitelisting is only justified in environments where you need eyes-on device approval, or when your worth as an admin is determined by the visibility of your (pointless) endeavors. Filtering is handled by ACL, but the logical method is to filter groups by criteria (again, admin burden), which may not be applicable to your "special hardware development troubleshooting application."

So, if I understand you correctly, the Trusted MAC scheme limit I discovered on the Netgear switch is an industry-wide limitation, not one of the particular switch I was using. Indeed I found it awkward because a port is normally open until you enter one MAC address, at which point it blocks all except the ones you entered. The problem with this is if there are several devices using a port and you want to block one device, you have to list all the others you want to go through, using up the 20 MAC address limit very quickly. As you said, the problem is I am not using the switch in the conventional manner. So what switch do you recommend that allows me to filter using ACL? My network consists of 100 devices that are all sending data one way to a PC. All devices and the PC are on a local network (192.168.5.x) and every 12 devices are connected to a 16 port unmanaged switch, for a total of 96 devices using 8 unmanaged switches. I am connecting one port of each of these 8 unmanaged switches to a managed switch of at least 10 ports (8 from the unmanaged switches, 1 to uplink to the PC, and 1 for switch management). The idea is to block data from any device when I want to. It does not matter to me whether it is by using IP address or the MAC address. The Netgear switch I returned had an ACL list which is designed to manage access of the management PC only, not other traffic. Any recommendations for a GB switch (low cost, needless to say, if possible) to do this? Thanks for your help.


Asking manufacturers is a good start. I'd also look for device emulators.

Where do you get device emulators for switches?
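
The trusted-MAC arithmetic described in the post above, as an added example that is not part of the original thread: it counts the allow-list entries the 8-port, 12-devices-per-port layout needs in order to block a given set of devices, and compares that with a deny-style ACL. The MAC addresses are constructed, and treating the 20-entry limit as switch-wide is an assumption.

```python
# Added example: constructed topology, not data from the poster's network.
TRUSTED_MAC_LIMIT = 20     # limit reported in the thread; assumed switch-wide
UPLINK_PORTS = 8           # one managed-switch port per unmanaged switch
DEVICES_PER_PORT = 12

def build_inventory(ports=UPLINK_PORTS, per_port=DEVICES_PER_PORT):
    """Return {port: [mac, ...]} using constructed locally administered MACs."""
    return {
        port: ["02:00:00:00:%02x:%02x" % (port, host)
               for host in range(1, per_port + 1)]
        for port in range(1, ports + 1)
    }

def whitelist_plan(inventory, blocked):
    """Entries needed under trusted-MAC (allow-list) semantics.

    A port with no entries passes everything, so a port is only touched when
    it carries a blocked device, and then every *other* device on it must be
    listed. If all devices on a port are blocked the list would be empty,
    which means "open"; such ports have to be shut down instead.
    """
    trusted, shutdown = {}, []
    for port, macs in inventory.items():
        if not blocked.intersection(macs):
            continue
        keep = [m for m in macs if m not in blocked]
        if keep:
            trusted[port] = keep
        else:
            shutdown.append(port)
    return trusted, shutdown

def denylist_plan(inventory, blocked):
    """Entries needed when the switch or firewall supports deny rules (ACL)."""
    known = {m for macs in inventory.values() for m in macs}
    return sorted(blocked & known)

def entry_count(trusted):
    return sum(len(macs) for macs in trusted.values())

def fits(trusted, limit=TRUSTED_MAC_LIMIT):
    return entry_count(trusted) <= limit

if __name__ == "__main__":
    inv = build_inventory()
    for blocked in ({inv[1][0]}, {inv[1][0], inv[2][0]}, set(inv[3])):
        trusted, shutdown = whitelist_plan(inv, blocked)
        print(len(blocked), "blocked:", entry_count(trusted), "trusted entries,",
              "fits" if fits(trusted) else "exceeds limit", "| shutdown:", shutdown,
              "| deny entries:", len(denylist_plan(inv, blocked)))
```

Blocking one device on each of two ports already needs more trusted entries than the limit allows, while a deny rule set grows only with the number of blocked devices.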
 
ask said:
So, if I understand you correctly, the Trusted MAC scheme limit I discovered on the Netgear switch is an industry-wide limitation, not one of the particular switch I was using. Indeed I found it awkward because a port is normally open until you enter one MAC address, at which point it blocks all except the ones you entered. The problem with this is if there are several devices using a port and you want to block one device, you have to list all the others you want to go through, using up the 20 MAC address limit very quickly. As you said, the problem is I am not using the switch in the conventional manner. So what switch do you recommend that allows me to filter using ACL? My network consists of 100 devices that are all sending data one way to a PC. All devices and the PC are on a local network (192.168.5.x) and every 12 devices are connected to a 16 port unmanaged switch, for a total of 96 devices using 8 unmanaged switches. I am connecting one port of each of these 8 unmanaged switches to a managed switch of at least 10 ports (8 from the unmanaged switches, 1 to uplink to the PC, and 1 for switch management). The idea is to block data from any device when I want to. It does not matter to me whether it is by using IP address or the MAC address. The Netgear switch I returned had an ACL list which is designed to manage access of the management PC only, not other traffic. Any recommendations for a GB switch (low cost, needless to say, if possible) to do this? Thanks for your help.

I wouldn't call it a limitation. Feature set is largely inspired by what customers want. Since there are better ways of handling access control, MAC whitelisting gets short shrift. There's little stopping manufacturers from doing so, only a lack of incentive/return.

ACLs:
I did not have a particular switch in mind (unfortunately "Cisco" and "low-cost" rarely coexist in the same sentence) but rather wanted to broaden your search criteria.

Based on your project description you are interested primarily in the traffic to one port. Given the limited number of relevant interfaces, I'd have first considered a firewall.

Netgear said they have a switch that meets your criteria. Decide how much you can afford to spend to get the right solution (factoring in returns/lost productivity for missteps). If you are on a really tight budget but flexible labor, I'd consider investing an afternoon to gauge the feasibility of configuring your own firewall. The process would go something like this: Right now you have 8 switches with 12 hosts each. I'd convert to 7 switches of 13-14 hosts, and use the 8th switch to tie them all together. If recabling is too much, test with only 7 of the 8 switches. Find a spare PC or if possible repurpose one of your hosts (assuming "device"=PC), add two Intel NICs*, install pfSense and set up bridging between the LAN and optional interfaces. The 8th switch gets the LAN port and your actual PC the optional. Use the firewall rules GUI to filter IP traffic passing through the bridge. If the 16-port unmanaged switch and pfSense firewall are up to handling the traffic, then it's worth considering.


ask said:
Where do you get device emulators for switches?

Same place as routers:
Netgear
D-Link

There isn't universal device availability. It may be worthwhile to inquire about an emulator for a specific product when dealing with manufacturers--since they are useful in lower-tier product support, one likely exists even if it isn't indexed by Google.

*You don't need two or Intel-brand NICs. It is strongly recommended since you avoid having to reconfigure the WAN interface from default, and having supported hardware is a comfort when troubleshooting.
 
Based on your project description you are interested primarily in the traffic to one port. Given the limited number of relevant interfaces, I'd have first considered a firewall.

Netgear said they have a switch that meets your criteria. Decide how much you can afford to spend to get the right solution (factoring in returns/lost productivity for missteps). If you are on a really tight budget but flexible labor, I'd consider investing an afternoon to gauge the feasibility of configuring your own firewall. The process would go something like this: Right now you have 8 switches with 12 hosts each. I'd convert to 7 switches of 13-14 hosts, and use the 8th switch to tie them all together. If recabling is too much, test with only 7 of the 8 switches. Find a spare PC or if possible repurpose one of your hosts (assuming "device"=PC), add two Intel NICs*, install pfSense and set up bridging between the LAN and optional interfaces. The 8th switch gets the LAN port and your actual PC the optional. Use the firewall rules GUI to filter IP traffic passing through the bridge. If the 16-port unmanaged switch and pfsense firewall are up to handling the traffic, then it's worth considering.

First of all, thank you very much for taking the time to give a detailed recommendation. I am interested in testing this firewall idea. Recabling is going to be difficult but I do have other options to test whether the setup works. I have a question that may have the answer at your fingertips. As I explained before, this is for a sensing application where each one of ~100 devices is sending about 2000 bytes of data at the rate of over 40Hz. The data needs to reach the processor PC with minimal delay. Do you know how much latency (if any) the pfSense will introduce to the system? I have started looking into pfSense; I have not gotten the answer yet.


Same place as routers:
Netgear
D-Link

There isn't universal device availability. It may be worthwhile to inquire about an emulator for a specific product when dealing with manufacturers--since they are useful in lower-tier product support, one likely exists even if it isn't indexed by Google.

*you don't need two or Intel-brand NICs. It is strongly recommended since you avoid having to reconfigure the WAN interface from default, and having supported hardware is a comfort when troubleshooting.

I will check this as well, Thanks.
 
ask said:
First of all, thank you very much for taking the time to give a detailed recommendation. I am interested in testing this firewall idea. Recabling is going to be difficult but I do have other options to test whether the setup works. I have a question that may have the answer at your fingertips. As I explained before, this is for a sensing application where each one of ~100 devices is sending about 2000 bytes of data at the rate of over 40Hz. The data needs to reach the processor PC with minimal delay. Do you know how much latency (if any) the pfSense will introduce to the system? I have started looking into pfSense; I have not gotten the answer yet.

My home router is an 800 MHz embedded PC running pfSense. I set up a quick test using the configuration described (bridging) with a filtering rule, and observed the baseline 1 ms latency. 1 packet/sec + normal network traffic is much lower than 40x100 = 4000 packets/sec, but that should give you some idea of performance before scaling is applied.
 
