Netgate Discussion Forum

Do I need 1 or 2 Smart Switches? (Wireless)

38 Posts 6 Posters 7.0k Views
johnpoz LAYER 8 Global Moderator

Yes you need a switch that supports vlan tags.  It does not need to support the full enterprise feature set of say a nexus 7k from cisco ;)  I.e. fully managed..  It does not need to support layer 3 routing.. This is going to be easier for you to do at pfsense for sure.  You could pick up a $40 "smart" switch that would allow you to vlan with tags..

Now I am a huge fan of the cisco sg300 and its replacement the 350 is prob even better?  These are normally a very good price point.  They have a very rich feature set, and allow for both cli and have a nice gui for the new user, etc.  You can use them in layer 3 mode if you so desire.

What I would suggest is you set it up layer 2 to start with.. Once you have everything working the way you want - if you want to play/learn about downstream routers in your network and the use of transit networks, etc. etc.  Then sure by all means change it to layer 3 and have fun.

But that sort of setup is way more complex than you need in some home setup that is for sure.  Now if you want to firewall between your networks you're going to have to do it at your layer 3 switch (router) and then all your other firewall rules going to the internet are going to have to be done at pfsense.  While depending on size and setup of your network sure it makes sense to use layer 3 switches..  But for a couple of vlans it is just so much easier to let pfsense do your firewalling and routing at the edge..

So I have been in the field for many years.  I do mostly routing and switching for my job..  And don't run a layer 3 switch in my, some would say, way over complicated home network ;)  I have multiple vlans and multiple ssids on different vlans..  And I don't run my sg300 in layer 3 because it makes no sense to do so..  It would just make my network harder to manage.  Since now I would have to do all the ACLs and ACEs at that device vs just easy to use pfsense..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

jahonix

@johnpoz:

… set it up layer 2 to start with ... change it to layer 3 and have fun.

@mifronte: Just a reminder that the Cisco SG-300 switches need a completely new config when the fun begins. After switching to L3 mode the old L2 config is gone. You have been warned.  ;-)

I completely agree with what Derelict and johnpoz posted so far.

jahonix

@mifronte:

Please keep in mind anything beyond an unmanaged switch is new to me and one of the main reasons I would like to use a managed switch is to learn and experiment more about networking.

Well, the part of a managed switch you'll be using probably comes down to VLAN separations with tagged and untagged ports and a trunk.

It's really not that hard, just think of multiple separate switches within one case where ports and dependencies can be freely configured.
A trunk port just squeezes the traffic of multiple separate devices through a single port, still keeping traffic separated. The port's speed is what limits the combined traffic.

Since better access points can be fed a trunk as well you can have VLAN A for traffic bridged to LAN, VLAN B for separated/guest WiFi, VLAN C for IoT devices, … etc. That can't be done with separate switches.

mifronte

Thank you for the great advice!

The more I read up on VLAN and refresh my readings on TCP/IP the more I realized that I will just start using a managed switch as a L2 device and let pfSense handle all the routing.  I too am leaning toward the Cisco SMB SG300/350 line and operate it in L2 mode until a need arises for converting it to L3 mode.

Looks like it is not a good time to be looking for a Cisco SMB SG300/350 switch since the SG300 stock level is low and hence prices are going up.  The SG350 are not widely available yet and so their prices are high too.

I do have a network design question and I hope I am phrasing it correctly:

Let's say I assign a port on a managed switch to a VLAN, but the port will be an untagged member.  Can I attach an unmanaged switch to that port so that all devices connected to the unmanaged switch will be part of the port's assigned VLAN?

If I can reuse my unmanaged switch, I may be able to get away with just the 10-port managed switch.

SuperMicro Atom C2758 A1SRI-2758F 16GB
2.8.0 (amd64)

jahonix

@mifronte:

Let's say I assign a port on a managed switch to a VLAN, but the port will be an untagged member.

An untagged switch port is pretty much exactly what an unmanaged switch is on all ports. Except you cannot assign internal belongings.
(with limitations [CDP et al], I know, but that's not relevant here.)
Yes, that would work. But it's not exactly a straightforward design.

@mifronte:

If I can reuse my unmanaged switch, I may be able to get away with just the 10-port managed switch.

That'll hardly work. Been there, done that.
You always need one more port. If not now then tomorrow or next month.
Your money is spent once you buy gear. You cannot reuse it to buy bigger gear (except for selling the old one on eBay and such).
Have a look at the SG300-20. No PoE but no fan either. Might fit your project well.

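The two jahonix posts above (a managed switch as "multiple separate switches within one case", a trunk squeezing several VLANs through one port, and an unmanaged switch behind an untagged port landing every device in that port's VLAN) can be made concrete with a small model of 802.1Q forwarding. The following Python is an added example written for this page; it is not code from the thread, from Cisco or from Netgate. Port names (g1, g2, g3), MAC addresses and VLAN IDs 10/20 are constructed for the example, and the tag encoding follows the 802.1Q layout (TPID 0x8100, then PCP/DEI/VID in the TCI).

```python
"""Toy 802.1Q switch model (added example, not code from this thread or from
Cisco/Netgate).  Port names, MACs and VLAN IDs are constructed for the demo."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TPID = 0x8100                    # EtherType that marks an 802.1Q tagged frame
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Encode TPID + TCI (3-bit PCP, 1-bit DEI, 12-bit VID) as the 4 tag bytes."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return struct.pack("!HH", TPID, (pcp << 13) | (dei << 12) | vid)


def parse_tag(tag: bytes):
    """Decode the 4 tag bytes into (pcp, dei, vid); reject anything not 0x8100."""
    tpid, tci = struct.unpack("!HH", tag)
    if tpid != TPID:
        raise ValueError("not an 802.1Q tag")
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None    # None: untagged on the wire


@dataclass
class Port:
    name: str
    pvid: int                    # VLAN used for untagged frames in and out
    tagged: Set[int] = field(default_factory=set)  # VLANs carried tagged (trunk)


class Switch:
    def __init__(self, ports):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}   # (vid, mac) -> port, learned per VLAN

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """Ingress: which VLAN the frame belongs to, or None to drop it."""
        if frame.vid is None:
            return port.pvid                  # untagged -> the port's own VLAN
        if frame.vid in port.tagged:
            return frame.vid                  # tagged and allowed on this trunk
        return None                           # tagged for a VLAN this port does not carry

    def egress(self, port: Port, vid: int, frame: Frame) -> Optional[Frame]:
        """Frame as it leaves 'port' for VLAN 'vid', or None if port is not a member."""
        if vid == port.pvid:
            return Frame(frame.src, frame.dst, None)   # untagged member: strip the tag
        if vid in port.tagged:
            return Frame(frame.src, frame.dst, vid)    # trunk: keep the tag
        return None

    def forward(self, in_port_name: str, frame: Frame) -> Dict[str, Frame]:
        """Return {out_port: frame} for every port the frame is sent out of."""
        in_port = self.ports[in_port_name]
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        self.mac_table[(vid, frame.src)] = in_port_name
        known = self.mac_table.get((vid, frame.dst))
        if known == in_port_name:
            return {}                         # destination sits behind the ingress port
        targets = [known] if known else [n for n in self.ports if n != in_port_name]
        out = {}
        for name in targets:                  # unknown destination: flood, but only within the VLAN
            egress = self.egress(self.ports[name], vid, frame)
            if egress is not None:
                out[name] = egress
        return out


def demo() -> Dict[str, Dict[str, Frame]]:
    """Constructed scenario: g1/g2 untagged in VLAN 10/20, g3 is the trunk to pfSense."""
    sw = Switch([
        Port("g1", pvid=10),                  # the unmanaged switch hangs off this port
        Port("g2", pvid=20),
        Port("g3", pvid=1, tagged={10, 20}),  # trunk to pfSense, which routes between VLANs
    ])
    host_a, host_b, pfsense = "00:aa:00:00:00:01", "00:bb:00:00:00:02", "00:cc:00:00:00:03"
    results = {}
    # 1. Host A, behind the unmanaged switch, sends an untagged broadcast: it is VLAN 10.
    results["a_broadcast"] = sw.forward("g1", Frame(host_a, BROADCAST))
    # 2. pfSense replies on the trunk with a frame tagged VLAN 10; g1 delivers it untagged.
    results["reply_to_a"] = sw.forward("g3", Frame(pfsense, host_a, vid=10))
    # 3. Host B in VLAN 20 broadcasts: it reaches the trunk, never g1.
    results["b_broadcast"] = sw.forward("g2", Frame(host_b, BROADCAST))
    # 4. A frame tagged VLAN 20 arriving on access port g1 is dropped.
    results["tag_on_access"] = sw.forward("g1", Frame(host_a, BROADCAST, vid=20))
    return results


if __name__ == "__main__":
    for step, out in demo().items():
        print(step, {port: f.vid for port, f in out.items()})
```

Step 1 is the answer to mifronte's question: every device behind the unmanaged switch on g1 enters as untagged traffic, so the switch assigns it VLAN 10 and only VLAN 10 members (here the trunk) ever see it. Step 3 shows that the two VLANs never meet inside the switch; the only path between them is whatever pfSense routes and filters on the trunk, which is the division of labour johnpoz recommends.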
dennypage

If you search for SG 300 advice, you will find many experienced networking folk say things like "The first thing I always do with an SG 300 is put them in layer 3 mode." Like many others, I didn't listen the first time… a painful lesson. :)

@jahonix:

Just a reminder that the Cisco SG-300 switches need a completely new config when the fun begins. After switching to L3 mode the old L2 config is gone. You have been warned.  ;-)

johnpoz LAYER 8 Global Moderator

So what if the config is gone?  He is moving from layer 2 to 3 so why would his previous config be relevant at all?

He can save his config, move to l3 - do the play he wants, and then move back and reload his config. No harm no foul.. Few minutes of copying a config.

Why would you put the device in layer 3 mode if you're not going to be using layer 3??  That seems like just horrible advice from someone that has no clue to be honest..

Yeah the price point on the older 300-10 is spiked currently, you might find better pricing on the 20 for sure.  Need to wait a few months to let the magic of supply and demand work its magic ;)  When the price comes down going to get a 350 and move my 300 into my av cab..  That shitty little $40 smart I have in there, while it works, I just miss being able to monitor it via snmp and all the other bells and whistles that come with the sg3xx series..

dennypage

It's good advice from people with experience. I've done a few of these now, and I agree with them. There really isn't any benefit to leaving the SG 300 in mode 2. As to why it's painful, you lose basic configuration that has nothing to do with mode 2/3 like certificates, users, logging, channel groups, port identification, etc. These are things you really don't want to lose, and really shouldn't lose, in a mode switch. And no, you can't reload the prior config. You have to hand edit a new config, which requires a good knowledge of what has to be changed between the modes. And if you have certificates in the config? Ouch.

johnpoz LAYER 8 Global Moderator

If you have someone that is unsure of the use of the switch, the differences between layer 3 and layer 2..  I don't agree with putting it in layer 3 mode and only using it as layer 2.  You would be better off leaving it layer 2 only if that is what you're learning/playing with.

The move to layer 3, if that is what you want to do, and then having to put back all your common info like users and certs or ssh keys, etc.  Would all be good practice for the new user ;)

I don't see how home/lab use of this device, be it layer 2 or layer 3, moving back and forth should be that big of a deal.  If you're using it in an actual production setup with a complex setup you should know how you're going to use it out of the gate anyway ;)

Derelict LAYER 8 Netgate

The problem is all your layer 2 config. VLANs, tagged/untagged ports are blown out. You should be able to restore a layer 2 config to a layer 3 switch. Layer 3 to layer 2 probably not so much, but I would expect Cisco to disregard the config it doesn't understand and honor what it does. That's what you pay for.

I set my recently-acquired SG300 to L3 out-of-the-box for just this reason.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz LAYER 8 Global Moderator

So what if they are blown out, just put them back.. You can paste in the part of the config that is pertinent..  If you're trying to restore from the gui you might have some issues?  But you can always copy and paste the good stuff from your config via the cli without issue.

You put it in layer 3 mode out of the box for what reason - you're using it as layer 3??  Do you see a need in the future to use it as layer 3?

dennypage

You can't just paste the pertinent stuff back. It ends up being more complicated than that. And by the time you have the experience necessary to hand edit the config, you have learned enough to know that you want to preserve your options and put the unit in mode 3 from the beginning. Even if you have no immediate need for layer 3 routing, there is no advantage to leaving it in mode 2.

johnpoz LAYER 8 Global Moderator

Other than less overhead of something you're not using..

I am fairly freaking sure I can paste my port configs and what vlans they are in back in..  Not like the syntax of commands changes for gosh sake..

I have half a mind to switch it to layer 3 just to prove my point ;)

dennypage

In the for-what-it's-worth category, I installed my first SG350 (replacement for the SG300) yesterday. They have completely done away with the system mode setting. :)

jahonix

You wanna say it's always in L3 mode?

BTW: Can you tell differences between 300 and 350 series? I find them extremely hard to find on Cisco's pages…  :(

johnpoz LAYER 8 Global Moderator

Huh?  What are you looking for on cisco?

http://www.cisco.com/c/en/us/products/switches/350-series-managed-switches/index.html
http://www.cisco.com/c/en/us/products/switches/small-business-300-series-managed-switches/index.html

jahonix

The differences between SG300 and SG350.
Like compare SG300-10 and SG300-20 features and technical data. I know those tables.

Or any other document which describes what's new in the 350 series.
Basically I don't want to compare the complete feature sets myself, only the diffs.

dennypage

@jahonix:

You wanna say it's always in L3 mode?

BTW: Can you tell differences between 300 and 350 series? I find them extremely hard to find on Cisco's pages…  :(

I wasn't able to find any meaningful comparison of the two series on Cisco's site either. I'm guessing that is intentional.

Yes, the main unit itself is always L3. The biggest change that I've noticed is that the 350 has true IPv6 support, and actually appears to route IPv6 at "wire speed". Other things of note include double the TCAM entries (includes IPv6), sFlow support, remote SPAN support for interface or vlan mirroring, L2/L3 on a per interface basis, policy based routing, and port flap monitoring. It also purports to be truly stackable.

There is a new UI. Mostly good. The built in help effectively replaces the Admin Guide and is pretty good. Couple of annoying things: it seems to ignore the idle timer settings and logs you out every two minutes (I assume this is a bug); it has a basic/advanced display mode which would be fine except that basic mode hides almost all IPv6 settings. It also has SNA (Smart Network Application) which I do not have a good use for yet.

One thing that I thought was rather nice is that the 10 port version can itself be powered by upstream POE ports with pass power through to downstream ports. It can also be used as a backup power to an AC adapter. Kinda sweet.

The big disappointment (for me) is that gigabit port to port latency has not improved. Still 2450ns for idle, 3200ns under load for the 10 port unit. The 28 port should offer slightly better numbers (200-300ns), but I haven't tested it yet.

johnpoz LAYER 8 Global Moderator

"It also purports to be truly stackable."

Huh where are you seeing that you can stack it?  The SG500 series is stackable.. Maybe you're thinking of the 350X ?

dennypage

I'm aware that it's not in the data sheet John. It's in the UI help and in the configs. I don't have a second 350 unit to confirm or deny, hence the term "purports."

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.