Looking for highly reliable rackmount 24x1Gbit switch under $250

jan.lalinsky

New Member
Apr 11, 2020
Hey guys,

we're looking into upgrading our in-rack networking and I'm trying to figure out which switch brands and models fit best for these requirements of ours:

* the switch will be used for cca 20 web servers in a single rack
* at least 24x 1Gbit (Ethernet RJ45) ports, 10Gbit uplink (probably via SFP+)
* unmanaged, plug and play, high reliability, zero maintenance, zero bells and whistles
* untainted brand (no security issues in the past few years), so no Cisco products or other infamous brands (for the curious, 5 High Impact Flaws Affect Cisco Routers, Switches, IP Phones and Cameras )
* price up to $250

What do you think about these? Do you have a preferred brand / model that would fit?

We have had good experience with old 3COM switches so far, however 3COM got eaten by HP. The best model that I've seen so far is

HPE 1420 24G 2SFP+ Switch (JH018A)
https://store.hp.com/us/en/pdp/hp-1420-24g-2sfp-switch

Any thoughts/comments on this or other similar HP hardware?
 

Cixelyn

Researcher
Nov 7, 2018
San Francisco
CSS326-24G-2S+RM

Only $139 w/
- 24 GBase-T ports
- 2x 10G SFP+ Ports

Completely passive (no fans, etc.) + rated for -20 to 70C ambient.
SwOS, so completely plug & play w/ no fussing around. L2 only though.

We use these as management switches in the back of a super toasty rack.
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019

i386

Well-Known Member
Mar 18, 2016
Germany
> * untainted brand (no security issues in the past few years), so no Cisco products or other infamous brands (for the curious, 5 High Impact Flaws Affect Cisco Routers, Switches, IP Phones and Cameras )
This made me think for a while.
Cisco is still the biggest name in enterprise networking (51.3% market share, source: IDC 2019). I think there is a large amount of security audits & tests trying to find vulnerabilities that could be exploited, be it by cisco engineers, IT security companies or hackers/(NSA? :D). Hence more public reports about security flaws in cisco devices and software.
For smaller brands I think there are less audits/tests that report on the security problems, but that doesn't mean there are no issues.
 

jan.lalinsky

New Member
Apr 11, 2020
Thanks guys.

@Cixelyn that piece looks quite nice, but Mikrotik had some hooplas recently with security and the model lacks C14 plug. I don't like using adapters in rack, too unreliable connection and messy. The price is great though. Do you think this model is free of security issues that were reported in past years?

@BoredSysadmin you're right, I'm looking at JH018A now. On a second thought, I've realized we may need spanning tree functionality and it seems these models do not support that at all. Could you recommend next best thing which could do STP?

@i386 I agree on that, but this doesn't really change our attitude - that brand is a frequent target with well-known attacks. Some other brand with smaller market share is actually preferable to us, even if it also has some unknown security issues (as almost any piece of technology has nowadays).
 

Cixelyn

Researcher
Nov 7, 2018
San Francisco
> @Cixelyn that piece looks quite nice, but Mikrotik had some hooplas recently with security and the model lacks C14 plug. I don't like using adapters in rack, too unreliable connection and messy. The price is great though. Do you think this model is free of security issues that were reported in past years?
Yeah I agree the adapter situation is a bit finicky... maybe you could use the passive PoE input instead to reduce rack clutter?

> Do you think this model is free of security issues that were reported in past years?
The last few major MikroTik CVEs were against their RouterOS platform. The CSS326-24G-2S+RM is SwOS only, and shouldn't be affected.
 

RTM

Well-Known Member
Jan 26, 2014
Honestly, I don't really think it matters too much (not saying at all here...) whether the vendor has had security issues if you are buying an unmanaged switch. I would argue (but am obviously unable/unwilling to get some stats here) that most of these vulnerabilities relate to stuff above L2 (such as services), which is not present on a simple L2 switch.

Also, hypothetically if there were vulnerabilities to exploit in the switch, it is not like you would be able to patch them or anything.

On another note: I find it interesting that brand name is this important for security while an unmanaged switch is being considered, something that obviously makes it impossible to segregate the hosts that connect to the switch. Obviously there are other ways to improve security and legitimate reasons to have all hosts on the same subnet, so don't take this as criticism, maybe just a suggestion to always be critical ;) (and maybe, if you feel like it, to explain what it is you are building)
 

jan.lalinsky

New Member
Apr 11, 2020
> Honestly, I don't really think it matters too much (not saying at all here...) whether the vendor has had security issues if you are buying an unmanaged switch. I would argue (but am obviously unable/unwilling to get some stats here) that most of these vulnerabilities relate to stuff above L2 (such as services), which is not present on a simple L2 switch.
>
> Also, hypothetically if there were vulnerabilities to exploit in the switch, it is not like you would be able to patch them or anything.
It's simple. I am unwilling to give money and buy a new product made by a company that has multiple serious issues with security. If the issues are few and isolated (Mikrotik), that is less of a problem.

> On another note: I find it interesting that brand name is this important for security while an unmanaged switch is being considered, something that obviously makes it impossible to segregate the hosts that connect to the switch. Obviously there are other ways to improve security and legitimate reasons to have all hosts on the same subnet, so don't take this as criticism, maybe just a suggestion to always be critical ;) (and maybe, if you feel like it, to explain what it is you are building)
I do not insist on buying a specific brand name, I just can't go for a market dominator with a history of problems and bad reviews.

The intended application is switching packets between hosts on multiple public IP subnets. Is that impossible with unmanaged switch? (Honest question.)
 

RTM

Well-Known Member
Jan 26, 2014
I just spent a little time reading the posts in the thread more thoroughly (sorry, should have caught it before), and it seems to me that you will need a managed switch of sorts (at least it is my understanding that STP typically means you need something like that).

Given that your budget is limited, I would say you are limited to cheaper non-enterprise(y) hardware that does not require a support contract like Mikrotik CSS/CRS326's, HPE 1820/1920 (fwiw I don't trust these guys to keep software updates free), Cisco SG250/SG350, Ubiquiti Edgeswitch Lite and so on.

You may need more money for some of the above devices and perhaps you can find a great deal on some other used hardware on eBay (though you should avoid hardware that needs a support contract to give you access to firmware updates).
> It's simple. I am unwilling to give money and buy a new product made by a company that has multiple serious issues with security. If the issues are few and isolated (Mikrotik), that is less of a problem.
>
> I do not insist on buying a specific brand name, I just can't go for a market dominator with a history of problems and bad reviews.
>
> The intended application is switching packets between hosts on multiple public IP subnets. Is that impossible with unmanaged switch? (Honest question.)
I just caught myself writing a long-winded reply, and honestly I don't think it would have helped anyone ;)
So instead of doing that, I will just say these two things: don't get too caught up in the brand name and their vulnerabilities; they only give limited insight into the quality of a codebase. The other: an important aspect that is often overlooked is how they deal with the vulnerabilities.

Of course to add onto that, I suggest you look into what you can do to mitigate the potential issues, like hardening the device (perhaps the CDP vulnerability you linked to could have been mitigated if CDP was disabled) and making sure it is patched.

To answer your question about whether you can use multiple public IP subnets on an unmanaged switch, I would say probably yes - but really we need more info on the setup, like what is in front of the switch? a router?
If you need to have hosts communicate between the subnets, you are going to need a router of some sort (like a Layer 3 switch)

(I know this was also a long-winded reply, but just imagine how much more long-winded it could have been :p)
 

jan.lalinsky

New Member
Apr 11, 2020
> ...it seems to me that you will need a managed switch of sorts (at least it is my understanding that STP typically means you need something like that).
Yes that is my understanding as well. But maybe we won't need STP, I am not sure. Let's forget about STP for now.

> but really we need more info on the setup
Fair enough - we have servers in two racks in a DC; each rack is supplied with a single Ethernet cable from the provider. What is on the other side of the cable I have no idea, but I suspect it is some high-end router that manages several public IP ranges of the provider's different customers.

This cable we plug into the uplink port of the top-of-rack switch, which the other servers in the rack connect to as well. The servers are running mostly websites, email services, backups and some restricted-access servers for operations.

Currently we have managed L2 switches doing this. However, with the upgrade to 10Gbit we prefer to go unmanaged if possible - we do not need any bells and whistles vendors claim are important, like VLANs, port mirroring or pretty charts. We just need speed and reliability (no crashes, no malware getting inside). Optionally we would like the switch to be smart enough to use a direct switch-to-switch cable connection to send packets directly from one switch to another, if possible, instead of going around through the provider's router.

> If you need to have hosts communicate between the subnets, you are going to need a router of some sort (like a Layer 3 switch)
I hope not. Currently we're running with those old managed L2 switches and everything apparently works. From what I've gathered so far, if machine A sends to machine B on the same switch, the switch should not care about IP addresses being from different subnets, but should just send them to the correct physical port based on MAC address. Am I wrong on this - and the switch does the dumbest thing and sends those packets to the router first?
 

dswartz

Active Member
Jul 14, 2011
> CSS326-24G-2S+RM
>
> Only $139 w/
> - 24 GBase-T ports
> - 2x 10G SFP+ Ports
>
> Completely passive (no fans, etc.) + rated for -20 to 70C ambient.
> SwOS, so completely plug & play w/ no fussing around. L2 only though.
>
> We use these as management switches in the back of a super toasty rack.
+1 on these. I replaced a ubiquiti 24-port because my two esxi hosts with 10gb enet had no way to talk to each other without a back to back link, and that eliminates them from being the management network NICs. This switch was perfect in that respect. I don't do routing or anything funky, so a vanilla switch was the ticket.
 

cesmith9999

Well-Known Member
Mar 26, 2013
The cables in each rack, are they on the same subnet? If different subnets, to minimize upstream traffic you would need L3 switches. If the same subnet, you would only need to use one of them.

Chris
 

jan.lalinsky

New Member
Apr 11, 2020
> The cables in each rack, are they on the same subnet? If different subnets, to minimize upstream traffic you would need L3 switches. If the same subnet, you would only need to use one of them.
>
> Chris
Any cable carries multiple public IP addresses from different ranges. Routing those packets outside the rack is handled by provider's router.

Do you think switches are too dumb to figure out and cache the physical ports on the switch when moving packets between unrelated IP addresses that are connected on the same switch? Any good sources on how switches work where this can be learned?
 

i386

Well-Known Member
Mar 18, 2016
Germany
Cisco :D
Their courses are great, especially CCENT & CCNA when you're learning the basics.

Get your hands on a switch with cisco like cli (BROCADE ICX6450 :D) for practicing.
 

Wolfstar

Active Member
Nov 28, 2015
> Any cable carries multiple public IP addresses from different ranges. Routing those packets outside the rack is handled by provider's router.
>
> Do you think switches are too dumb to figure out and cache the physical ports on the switch when moving packets between unrelated IP addresses that are connected on the same switch? Any good sources on how switches work where this can be learned?
Hokay. First thing's first, understand the way layers work in networking. Specifically, if a program is using an IP address to communicate, then the underlying OS sends an ARP request - "Who has this IP?" to the network. If there's no response from another machine in the same broadcast domain, the router responds. Generally speaking - but not always - you have for sanity's sake one IP subnet per VLAN (aka Broadcast Domain). You CAN do more than that, but it can also lead to confusion, chaos, and bad heartburn.

If you actually are in a setup where you have one VLAN per subnet, then ALL of the traffic destined for another subnet leaves that network and goes through the router. Not just initial packet, but every last bit of data leaves the switch, goes to the router, and the router sends it on to the destination - even if that destination is the next switchport over. If you are paying for data transfer across that one cable from the provider, you really, REALLY want a routed setup with designated IP blocks sent to you and your own router and switch infrastructure in the cabinet.

Now, if you're currently using managed switches with VLAN capability, but you're not actually using any VLANs, you're MAYBE okay to replace with an unmanaged switch. I personally wouldn't do it, but I'm a network engineer, so my opinion on the subject is tainted by too much knowledge. :) But no, there's no switch smart enough to remember what port it sent to the way you mean it, because unless it's handling Layer 3 switching duties itself, it only transfers traffic to the port that answers the ARP request - and in the case of different subnets, that's almost always the router uplink. When the traffic comes back it's going from the router to the destination, and that's a totally different (Layer 2) traffic flow than from the source to the router.
 

jan.lalinsky

New Member
Apr 11, 2020
I did a test using arping and tcpdump and the result is that I never see provider's switch or router. Machines cache correct MAC address for all IPs, irrespective of subnets.

Then I realized that the purpose of arp table is to know where to send frames. So it would seem that my machines can communicate directly over the switch after all, router does not enter the picture unless they want to talk to the outside world.
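To make the mechanics in the two posts above concrete (Wolfstar's description of a host ARPing for an on-subnet address or otherwise for its gateway, with off-subnet traffic hairpinning through the router, and the arping/tcpdump result just above where the machines resolved MACs for every IP directly), here is a small simulation of a learning L2 switch, ARP and per-host routing decisions. It is an added example, not code from any post in this thread or from any switch vendor. All MACs, the RFC 5737 documentation addresses and the five-port topology are constructed, and the on-link route given to web4 is an assumption about how a host might be configured to reach the other range without a gateway, not a description of the poster's servers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    kind: str             # "ARP-REQ", "ARP-REP" or "IP"
    target_ip: str        # ARP: address asked for; IP: packet destination
    sender_ip: str = ""   # ARP only: protocol address of the sender
    sender_mac: str = ""  # ARP only: hardware address of the sender

class Switch:
    """Learning L2 switch: forwards on destination MAC alone and never reads IP headers."""
    def __init__(self):
        self.mac_table, self.ports = {}, {}  # MAC -> port, port -> attached device

    def receive(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port  # learn the source MAC on its ingress port
        out = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or out is None:  # broadcast / unknown unicast: flood
            outs = [p for p in self.ports if p != in_port]
        else:
            outs = [out]
        for p in outs:
            self.ports[p].receive(frame)

class Host:
    """Host with a small routing table; forwards=True makes it act as the provider gateway."""
    def __init__(self, mac, addrs, gateway=None, on_link=(), forwards=False):
        self.mac, self.forwards, self.forwarded = mac, forwards, 0
        self.addrs = [ip_interface(a) for a in addrs]
        self.gateway = ip_address(gateway) if gateway else None
        self.on_link = [ip_network(n) for n in on_link]  # extra "directly connected" routes
        self.arp_cache, self.delivered = {}, []           # IP -> MAC; packets that reached us
        self.port = self.switch = None

    def owns(self, ip):
        return any(ip_address(ip) == a.ip for a in self.addrs)

    def next_hop(self, dst):
        """Routing decision: on-link destination -> ARP for it; anything else -> the gateway."""
        dst = ip_address(dst)
        if any(dst in a.network for a in self.addrs) or any(dst in n for n in self.on_link):
            return str(dst)
        return str(self.gateway) if self.gateway else None

    def resolve(self, ip):
        if ip not in self.arp_cache:  # broadcast "who has <ip>?" to the whole segment
            me = next((str(a.ip) for a in self.addrs if ip_address(ip) in a.network), str(self.addrs[0].ip))
            self.switch.receive(self.port, Frame(self.mac, BROADCAST, "ARP-REQ", ip, me, self.mac))
        return self.arp_cache.get(ip)

    def send_ip(self, dst):
        hop = self.next_hop(dst)  # returns the MAC written into the frame; None if no route/reply
        mac = self.resolve(hop) if hop else None
        if mac:
            self.switch.receive(self.port, Frame(self.mac, mac, "IP", dst))
        return mac

    def receive(self, frame):
        if frame.kind == "ARP-REQ" and self.owns(frame.target_ip):  # no proxy ARP in this model
            self.arp_cache[frame.sender_ip] = frame.sender_mac
            reply = Frame(self.mac, frame.sender_mac, "ARP-REP", frame.target_ip, frame.target_ip, self.mac)
            self.switch.receive(self.port, reply)
        elif frame.kind == "ARP-REP" and frame.dst_mac == self.mac:
            self.arp_cache[frame.sender_ip] = frame.sender_mac
        elif frame.kind == "IP" and frame.dst_mac == self.mac:
            if self.owns(frame.target_ip):
                self.delivered.append(frame.target_ip)
            elif self.forwards:  # gateway: re-resolve the destination with its own routes
                self.forwarded += 1
                self.send_ip(frame.target_ip)

def build_lab():
    """Constructed topology on RFC 5737 documentation ranges; not the thread's real network."""
    sw = Switch()
    router = Host("02:00:00:00:00:01", ["192.0.2.1/24", "198.51.100.1/24"], forwards=True)
    web1 = Host("02:00:00:00:00:11", ["192.0.2.10/24"], gateway="192.0.2.1")
    web2 = Host("02:00:00:00:00:12", ["192.0.2.11/24"], gateway="192.0.2.1")
    web3 = Host("02:00:00:00:00:13", ["198.51.100.10/24"], gateway="198.51.100.1")
    # Assumed host config: web4 has an on-link route for the other range, so it ARPs directly.
    web4 = Host("02:00:00:00:00:14", ["192.0.2.12/24"], gateway="192.0.2.1", on_link=["198.51.100.0/24"])
    for port, dev in enumerate([router, web1, web2, web3, web4], start=1):  # port 1 = uplink
        sw.ports[port], dev.port, dev.switch = dev, port, sw
    return sw, router, web1, web2, web3, web4

def demo():
    sw, router, web1, web2, web3, web4 = build_lab()
    same_subnet = web1.send_ip("192.0.2.11")    # web1 -> web2: same /24, switched directly
    via_router = web1.send_ip("198.51.100.10")  # web1 -> web3: other /24, hairpins via gateway
    on_link = web4.send_ip("198.51.100.10")     # web4 -> web3: on-link route, switched directly
    return {"same_subnet_dst_mac": same_subnet, "via_router_dst_mac": via_router, "on_link_dst_mac": on_link,
            "router_forwarded": router.forwarded, "web3_delivered": list(web3.delivered), "mac_table": dict(sw.mac_table)}
```

Calling demo() shows both outcomes side by side: the same-subnet and on-link sends carry the destination server's own MAC and the router never sees them, while the send from web1 to web3 is addressed to the gateway MAC and counts one forward on the router even though web3 sits on the next port over. The switch's mac_table only ever maps MACs to ports; nothing in Switch.receive looks at an IP address, so the path a packet takes is decided entirely by the sending host's routing table. That is the thing to inspect when interpreting a capture like the one above: on Linux, `ip route` shows whether the other range is on-link or behind a gateway, and `ip neigh` shows which MAC the host actually resolved for it.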
 

Wolfstar

Active Member
Nov 28, 2015
So you have no VLANs configured at all, and multiple subnets configured on the devices? You don't have anything answering for multiple IP addresses?

If that's the case, then two observations:

1. Yes, you can probably get away with an unmanaged switch.
2. Your switching platform is already HIGHLY unlikely to be your greatest network vulnerability.

Honestly it sounds like you're in desperate need of a networking professional to come in and analyze your needs and your existing setup, but it doesn't sound as though you're really in a position to do that (or implement the recommendations even if you could).
 

jan.lalinsky

New Member
Apr 11, 2020
> So you have no VLANs configured at all, and multiple subnets configured on the devices? You don't have anything answering for multiple IP addresses?
Most servers have IPs from different subnets. Switch has no problem with this, probably because it does not care about IP addresses at all. It just sends frames to correct physical ports. Since these are L2 switches, I assume this is generic L2 switch functionality which any other switch will have.

> 2. Your switching platform is already HIGHLY unlikely to be your greatest network vulnerability.
That is true, but I'm not focusing here on a complete network security overhaul, just figuring out which switches meet our requirements. Going unmanaged is better for us, as we don't need the functionality and the attackers can't exploit what isn't there. And unmanaged is cheaper.

> Honestly it sounds like you're in desperate need of a networking professional to come in and analyze your needs and your existing setup, but it doesn't sound as though you're really in a position to do that (or implement the recommendations even if you could).
With all due respect, that sounds like a misplaced offer of services. 1) I'm not desperate, just trying to learn about switching and implement the best setup at our company. 2) I'm not building a distributed database cluster for a spy agency. I think learning and asking other people here and elsewhere about how switches work is adequate.

So far, the unmanaged HPE model above seems like the best option to me. Thanks all for help.