01 Feb Adventures in Switching
It’s always a focus at Mindpack Studios to make changes which increase uptime, reliability, security and pizza breaks. In this article we’ll discuss a bit about network switches and what decisions we’ve made recently to increase our network facility reliability and security.
We’ve decided to purchase a couple of layer 3 switches to replace our existing layer 2 switches. Our original switches were NetGear ProSafes, which to this day we still find an incredibly reliable Layer 2 switch for the price, but they lacked the features we needed, so it was time to shelve them and replace them with something a bit more robust.
Since we have recently been hosting a few managed server products for clients, we’ve noticed that plugging everyone into our existing layer 2 dumb switches was acceptable and fast, but not the most secure under certain circumstances. When these were only Mindpack servers that was a fine solution, as Mindpack doesn’t really have anything to hide from itself. But after we started co-locating servers for other companies, servers not administratively managed by us, it made more sense to segregate those services by ownership. In this case, what we needed was to start with some dedicated VLANs, and follow that up with some inter-VLAN access control.
Think of a switched network (the network in your home or office) a bit like an apartment complex where everyone leaves their doors unlocked and is always in a good, trusting mood. The switch ports would be the apartments in this example, and the network cables would be the hallways and stairwells.
In our example, taking data from one switch port to another is similar to you walking to a neighbor’s apartment to talk with them, or them walking over to talk to you. To keep things simple we’ll assume that everyone in the complex has a husband or wife or kids or dog or robot waiting at home so no messages are missed, and nobody is offended when a neighbor just walks in unannounced to deliver a message.
In your home or office this typically works really well. Usually we want our computers to talk with each other as easily as possible, so this level of friendliness isn’t a problem; if anything it’s a great help. Nothing gets in the way when our computer wants to talk with the server or other computers. Everything just works and we are happy.
One day, you are making your message deliveries in your apartment complex, talking with your neighbors, when someone decides to climb in through one of the windows that were left open. The thief breaks in, gains access to your belongings and then begins walking around like just another tenant: talking to other tenants, spreading misinformation, maybe even stealing a few things here or there, or worse, setting the apartment complex on fire. (Normally computers have a handful more protections in place to prevent this, but this is an example and we’re just pretending, so let’s move on.)
The idea here is that at the network level (the apartment complex), security is pretty simple with layer 2 switches, as they were built so that everyone in the complex could speak with each other and do so very quickly. Nothing gets in the way of communication (no keycards, no locks on the doors, no offense taken at barging in on your neighbors, etc). A Layer 3 switch steps this up a notch (or 11) by adding security locks on each floor and keycards on each apartment door. Oh, and people now get offended when you stop by unannounced; they typically just don’t answer.
Put this way, it sounds pretty easy. Easy enough that most people would probably ask, “why not just do this in the first place?” Why even have the simple apartment version anyway? In most cases the answer is ironically simple: “simplicity”. For your home or office you really don’t need the additional security; you’d just end up setting all the key codes to the same password and leaving all the doors open anyway. But there is another concern as well, and that’s “speed”. When you add all these potential speed traps to the movement of all these tenants, we have to assume that speed will degrade. Heck, instead of proud Charlie in Apt 1337 moving from one floor to another without delay, he now has to type in 3 pass-codes to get there, and he also has to *hope* someone is home, because if they aren’t, or they don’t answer the door, he has to go back home and try again later.
To offset the speed problem, more infrastructure has to be built: the complex now needs retinal scanners instead of pass-codes, elevators, walking paths, armed guards, etc. Put simply, no two Layer 3 switches are alike, as each has a different feature set that lets packets (or people, in our example) move more quickly to the next area. Some have guards while some don’t; some have retinal scanners while others use old pass-code style infrastructure.
At the start, our goal was primarily to provide dedicated segments for dedicated server customers, to protect both Mindpack and those clients in the event of a security breach. We knew a few things we’d love to have if financially possible (full speed backplane switching, trunking failover/aggregation, etc), and a few other things we’d need to have regardless of cost (plenty of VLANs, inter-VLAN access control, etc). For instance, our immediate thought was to make sure the switch could offer 24+ VLANs per device, mainly because if we did need to host 24 dedicated 2U servers per rack we could still do this.
In the switching world, a handful of good companies exist: Cisco, Brocade, Juniper, etc. Each offers a handful of good solutions at price points from $500 up to $4000 or $5000 (or more). But our solution came from our trusty and reliable friends at Adtran. We needed 2 of these switches, and we wanted 24 VLANs per device if possible, plus full speed backplane switching across VLANs with hardware ASIC access control lists per port. After a pretty thorough multi-day comparison and analysis, we managed to get everything we wanted from a company that would pick up the phone when we called and was willing to talk with us about a single sale of 2 switches. Adtran 1544 switches are our solution, and after setup I can honestly say it was a perfect choice: everything we wanted and then some, great client protection, speed, and most importantly reliability in a cost-effective package. Thanks Adtran!
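To make the "dedicated VLAN per customer plus inter-VLAN access control" idea concrete, here is an added illustration in Cisco IOS-style switch syntax (assumed here; the exact Adtran AOS commands may differ), not the configuration Mindpack actually deployed. The VLAN numbers, addresses and names are constructed: each tenant gets its own VLAN and gateway, may reach a shared Mindpack services VLAN and the outside world, but cannot reach other tenants, and the denied attempts are logged so a compromised tenant server poking at its neighbors shows up.

```text
! Constructed example (IOS-style syntax), not the Adtran config used on the page.
! One VLAN and one SVI per co-located customer; a shared VLAN for Mindpack services.
vlan 10
 name CUSTOMER-A
vlan 20
 name CUSTOMER-B
vlan 100
 name MINDPACK-SHARED
!
! Tenant A may reach the shared services VLAN and the Internet, but no other tenant.
! Rules are evaluated first match; denies are logged so cross-tenant attempts are visible.
ip access-list extended TENANT-A-IN
 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended TENANT-B-IN
 permit ip 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255
 deny   ip 10.10.20.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 permit ip 10.10.20.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan10
 description Customer A tenant gateway
 ip address 10.10.10.1 255.255.255.0
 ip access-group TENANT-A-IN in
!
interface Vlan20
 description Customer B tenant gateway
 ip address 10.10.20.1 255.255.255.0
 ip access-group TENANT-B-IN in
!
interface Vlan100
 description Mindpack shared services
 ip address 10.10.100.1 255.255.255.0
!
! Access port for a Customer A server: only its own VLAN is carried on the port.
interface GigabitEthernet0/1
 description Customer A server
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
ip routing
```

The final "deny ip any any log" on each tenant list also drops traffic entering the VLAN with a source address outside that tenant's subnet, so a server spoofing another tenant's addresses is dropped at the gateway rather than forwarded.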