Redoing network, looking for L3 switch recommendation and comments


RTM

Well-Known Member
Jan 26, 2014
956
359
63
In the not too distant future I expect to be revamping my home/lab network.
But I am a little stumped as to which switches to buy.
As always it is difficult to find the right balance of performance and price, I know I will have to make a compromise somewhere.

My overall plan is to get/use 3 switches:
1. (main infrastructure in a network closet) L3 switch (need approx. 24x 1G and 4x 10G, SFP+ ideally)
2. (lab) 12+ port SFP+ switch, uplink: 2x sfp+ to switch 1
3. (lab) 24 port 1G RJ45 switch and 2x sfp+, uplink: 2x sfp+ to switch 2

Part of the plan is that switch 1 will be in a network closet with a firewall and NAS, where it will help provide a relatively stable network to various devices via drops and wifi.
Lab devices (including switch 2 and 3) may be offline or in a half-configured state, which should be acceptable at any point in time. The result of this is that the core network should work without the network hardware in the lab.

I expect switch 2 will be a Mikrotik CRS317 and switch 3 will be a Mikrotik CRS326, but I am not so sure about switch 1.

My requirements are as follows for switch 1:
- L3, I believe static routing should be sufficient (could be L2 switch + a fast router)
- Silent, ideally fanless, but *some* noise is acceptable
- Supported, in the sense that software updates are provided for the foreseeable future, ideally without a subscription
- Depth of device can not be "too deep", I am not sure what the limits will be, but I assume around 30cm

Not absolutely required:
- sFlow
- PoE, I do not expect to need many PoE ports, so *could* make do with injectors
- Ideally a new device with warranty
- Cheap :)

Of course a lot of other requirements are omitted because I assume that given the above they will be supported.
Here are some of the options for switch 1, that I have been considering:
  • Cisco SG350X-24 (maybe the P version), as far as I can tell it matches all requirements, but there are reports that it can be fairly noisy when using 10G connectors
  • Ruckus ICX7150-24 (again maybe the P version), again it looks very nice, downside is that buying new with support for 4x sfp+ is expensive and somewhat difficult in Europe
  • Mikrotik CRS326 + CCR2004 (essentially a L2 switch + fast router combo), there are a lot of unknowns to this solution
  • Juniper EX3400, main thing against this solution is probably price and I assume it will need a subscription for updates
  • HPE 2930F, looks pretty nice but maybe a little expensive
I would like to avoid manufacturers like tp-link, d-link, zyxel and I am not too sure about Ubiquiti either.

So what I am hoping, is that you guys have comments or suggestions to my plans, am I missing some awesome device?
I would also like to hear about experiences with some of these devices, I am quite interested in comments of noise level from Cisco SG350X, Juniper or HPE switches.
 

Stephan

Well-Known Member
Apr 21, 2017
937
710
93
Germany
I always steer towards HPE/Aruba or Dell OEM these days in such cases (revamping home office network et al). Reasons:

a) Hardware is well built, no need to replace capacitors after only 2 years because they have drifted below spec (hello TP-Link).

b) They use reliable chips and not the cheapest 1/10G solution in the Shenzhen market.

c) Free and open access to firmware updates, should the need arise. Done with all the subscriptions.
 

j_h_o

Active Member
Apr 21, 2015
644
180
43
California, US
+1 for Ruckus/Brocade. There are some threads on this forum on ICX6450/ICX6610; this largely applies to the ICX7xxx series as well.
Having full CLI here, instead of WebUI on SG350X is nice. These also work well with "all" SFP/SFP+ modules.

I'd avoid Mikrotik due to L3 performance.

Juniper will require subscription.

HPE/Aruba is picky for SFP+ modules.
 

tsteine

Active Member
May 15, 2019
171
83
28
On the Mikrotik forum I saw today that the CRS317 will get L3 hardware offloading support. I have seen no figures for the real throughput on them. See: Manual:CRS3xx series switches - MikroTik Wiki
That is a welcome addition, though I would like to see ACL offloads as well for that to be interesting. Routing between VLANs is nice, but often you need a firewall between VLANs as well. It shouldn't be necessary to rely on device-configured firewalls on the VLANs themselves to block unwanted traffic.
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
Thanks for the feedback :)

As for the switches in the lab (switch 2 and 3), I do not need them to be L3 switches (I don't want to pay for L3), so I think Mikrotik switches will be just fine there.

By the way the SG350X does have a command line interface, here is a quote from the datasheet:
Textview CLI - Scriptable CLI. A full CLI as well as a menu CLI are supported
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
On the Mikrotik forum I saw today that the CRS317 will get L3 hardware offloading support. I have seen no figures for the real throughput on them. See: Manual:CRS3xx series switches - MikroTik Wiki
That is so cool, and honestly about time.
It is only available in routeros 7 however, I expect it will be a while before that is stable enough to consider using.

And what's up with it only being supported on the CRS317?
I wonder if it is due to the puny application processor that Mikrotik chose to use on some of the newer switches (like the CRS326-24S+2Q+RM)
That is a welcome addition, though I would like to see ACL offloads as well for that to be interesting. Routing between VLANs is nice, but often you need a firewall between VLANs as well. It shouldn't be necessary to rely on device-configured firewalls on the VLANs themselves to block unwanted traffic.
I believe that may already be supported, it's just not all that useful without routing support ;)
Also, to be accurate, it is my understanding that L3 switches with ACLs do not perform stateful packet inspection, so I wouldn't call it a firewall; a more accurate description is probably a packet filter.
 

tsteine

Active Member
May 15, 2019
171
83
28
I believe that may already be supported, it's just not all that useful without routing support ;)
Also, to be accurate, it is my understanding that L3 switches with ACLs do not perform stateful packet inspection, so I wouldn't call it a firewall; a more accurate description is probably a packet filter.
If we are going to argue semantics, among the types of firewalls are Packet Filtering firewall and Stateful Inspection firewall. Firewall does not automatically imply statefulness.
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
I always steer towards HPE/Aruba or Dell OEM these days in such cases (revamping home office network et al).
Thanks, I forgot all about Dell, the N1524 looks like a decent candidate.
There is not a lot of information from users out there, especially whether or not it is loud.
If we are going to argue semantics, among the types of firewalls are Packet Filtering firewall and Stateful Inspection firewall. Firewall does not automatically imply statefulness.
Fair enough, I stand corrected :)
What I was trying to avoid, was a possible misunderstanding that people might get from reading what you wrote as "ACL's are all you need and no host firewalls". Obviously they are supplemental and not an either/or sort of thing. And yes, before you reply, I know this is not what you wrote, I am saying it is a possible misunderstanding.
 

tsteine

Active Member
May 15, 2019
171
83
28
Fair enough, I stand corrected :)
What I was trying to avoid, was a possible misunderstanding that people might get from reading what you wrote as "ACL's are all you need and no host firewalls". Obviously they are supplemental and not an either/or sort of thing. And yes, before you reply, I know this is not what you wrote, I am saying it is a possible misunderstanding.
We are in complete agreement. What I meant was that the traffic that can be filtered before being sent downstream/to a host should be, and that it shouldn't be necessary to implement firewalling for every possible vlan that could be routed to a host on the host's firewall, just because the switch firewalls packets slow as molasses.

That is a lot of unnecessary traffic and processing that should be dropped on the switch if possible, before going anywhere else.
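The distinction argued over in the last few posts (a stateless ACL on an L3 switch versus a stateful inspection firewall) is easy to see in a small model. The following is an added example for this thread, not code from any vendor or product mentioned here; the packet format, rule syntax, addresses, ports and the five-packet trace are all constructed for illustration. It applies the same "users may open TCP/443 to servers" policy twice: once as a stateless ACL, which has to permit return traffic with the usual "established" (ACK-flag) match, and once through a connection table that only admits packets belonging to a flow it has already seen.

```python
"""Stateless ACL vs stateful inspection over a constructed packet trace.

Added example for this thread; not code from any switch vendor. The
rule format, packet format and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str          # constructed source IP
    dst: str          # constructed destination IP
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "any"               # CIDR or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    established: bool = False      # stateless "return traffic" trick: match only if ACK set


def matches(rule: Rule, pkt: Packet) -> bool:
    """Pure per-packet match; no memory of earlier packets."""
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def acl_evaluate(rules, pkt: Packet) -> str:
    """First-match ACL with an implicit deny at the end, as on most L3 switches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Minimal stateful model: a flow admitted by policy is remembered, and
    packets in either direction of a remembered flow are permitted. No TCP
    state machine and no timeouts; those are deliberately left out."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "permit"                  # part of a tracked connection
        action = acl_evaluate(self.rules, pkt)  # new flow: consult policy
        if action == "permit":
            self.table.add(key)
        return action


USERS, SERVERS = "10.10.0.0/24", "10.20.0.0/24"   # constructed VLAN subnets

# Stateless ACL: needs an explicit rule for return traffic, keyed on the ACK flag.
# (Real ACLs are bound per interface/direction; one combined list keeps the model short.)
STATELESS_ACL = [
    Rule("permit", src=USERS, dst=SERVERS, proto="tcp", dport=443),
    Rule("permit", src=SERVERS, dst=USERS, proto="tcp", established=True),
]
# Stateful policy: only the initiating direction is written; state handles the return.
STATEFUL_POLICY = [Rule("permit", src=USERS, dst=SERVERS, proto="tcp", dport=443)]

# Constructed trace: a normal handshake start, then an unsolicited ACK-only packet
# from the server VLAN, then two flows the policy should reject outright.
TRACE = [
    Packet("10.10.0.5", "10.20.0.10", "tcp", 51000, 443, syn=True),
    Packet("10.20.0.10", "10.10.0.5", "tcp", 443, 51000, syn=True, ack=True),
    Packet("10.20.0.10", "10.10.0.5", "tcp", 4444, 22, ack=True),
    Packet("10.20.0.10", "10.10.0.5", "tcp", 4444, 22, syn=True),
    Packet("10.10.0.5", "10.20.0.10", "udp", 51001, 53),
]


def run_trace():
    """Returns (stateless_verdict, stateful_verdict) for each packet in TRACE."""
    fw = StatefulFirewall(STATEFUL_POLICY)
    return [(acl_evaluate(STATELESS_ACL, p), fw.evaluate(p)) for p in TRACE]


if __name__ == "__main__":
    for pkt, (a, b) in zip(TRACE, run_trace()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto:<3} "
              f"stateless={a:<6} stateful={b}")
```

The third packet is the one that separates the two models: the stateless ACL accepts any ACK-flagged TCP packet from the server VLAN as "return traffic", while the stateful model rejects it because no matching connection was ever admitted. That is exactly the gap the thread is circling: wire-speed ACLs on the switch are worth having to drop the bulk of unwanted inter-VLAN traffic early, and a stateful device (or host firewall) still has a role for the cases a per-packet filter cannot decide.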
 

Sealside

Active Member
May 10, 2019
126
45
28
Stockholm/Sweden
Juniper will require subscription.
Partly correct. Juniper will require a subscription to be allowed to download firmware. If you can get your hands on the firmware you don't need a subscription. All features that require a license are honor based, so you can use them.
If I were to pick a switch today I would probably go with Brocade ICX, but I got one Juniper EX3300, so I just had to pick up another one.
What I do like with my Juniper switches:
- Nice cli
- JWeb GUI is available although I mostly use CLI, the GUI is nice to get a better overview
- Possible to replace fans, both my EX3300 24P are very silent, even though I run several POE devices on them.
- Stackable using Virtual Chassis and fiber between the switches, they act as one switch.

Regards S.
 

Rand__

Well-Known Member
Mar 6, 2014
6,634
1,767
113
I got a couple of the Ciscos (MP and regular) and also a 7150-24P / 7250-48 (non-P).
The SG350XMP (-24) is clearly audible - it's the loudest component in my cellar rack but not audible in the server rack.
I'd say it should be fine in a closet.
The non MP is less noisy as one would expect but still audible.

The 7150 (-24P) is also clearly audible unless you tell it to shut up (fanless mode) which is nice - have not used it much to be honest since it was intended as cisco replacement but I got the issue resolved with Cisco support.

I also got a (non P) 7250-48 and that one is quite loud.