3Com Switch 5500G-EI
We put the new 3Com stackable switches to the test. Their manageability and support for VLANs, RADIUS authentication, 802.1x access control and PoE add up to a grand slam.
November 18, 2005
Power Stack
I had no problem with setup from the console (serial) port (19200-8-N-1-N) and the command-line interface. The CLI is easy to navigate and offers both user and system views of the switch. The system view is a configuration mode, similar to Cisco's "configure terminal" (config t) command. I set both the IP address and mask of the default VLANs and their default routes and an external NTP (Network Time Protocol) server.
PoE support is optional; be sure to specify PoE support when buying or upgrading the power supply unit (PSU). PoE can be added for about $1,500 per PSU. To upgrade from a standard PSU to one supporting PoE, I turned off the 24-port switch, removed the standard PSU with a screwdriver and installed the new unit.
Good • Stackable• RADIUS authentication and 802.1x access control• Power over Ethernet support (IEEE 802.3af)• Dual power AC/DC Bad • CLI is not a Cisco IOS• Slow Web-based GUI 3Com 5500G-EI Switches, $5,995 to $13,495. 3Com, (800) NET-3COM, (508) 323-5000. www.3Com.com |
Stacking the 24- and 48-port switches into a common backplane required a special 3Com .5 meter stacking cable with color-coded ends. As many as eight switches can be stacked. Once you make the connections, 3Com's XRN (Expandable Resilient Networking) fabric becomes the common backplane.
The XRN fabric includes three technologies:
3Com's Switch Manager Click to enlarge in another window
» DDM (Distributed Device Management) let me manage each of the units through any port or IP address associated with the switches. In effect, I treated both switches as a single Layer 3 switch with a common VLAN.» DLA (Distributed Link Aggregation) let me group ports together, across switches, for load balancing and redundancy.
» DRR (Distributed Resilient Routing) technology let the stacked switches forward packets as a single unit. This allows for uniform VLAN interfaces, routing tables, and Layer 3 forwarding tables.
In short, multiple switches can operate as a single unit, a configuration that came in handy when I tested the line speed on the 1000Base-T ports on each switch and across the switches.
I set up Spirent's SmartBits 600B Chassis with Spirent's TeraMetrics XD four-port Gigabit interface, then plugged each Gigabit port into the 24-port switch. With SmartFlow, I set up tests using Ethernet packet or frame (128 byte) flows between each of the two pairs of Gigabit Ethernet links. I stepped up the test in 10 percent increments to the full line rate on each port. The flows generated traffic sufficient to use up to 100 percent of available throughput on the 3Com ports under test. The 5500G-EIs didn't drop any frames. I repeated the tests and received the same results for the 48-port switch. Then, I set up the flows between the 24- and the 48-port switch. Again, 3Com's XRN DDR did not miss a frame.
If your parents ever asked, "Who do you think you are?" or, "Just where do you think you're going?" they have something in common with the 5500G-EI, which interrogates all frames presented to it. Based on the answers it receives from the frames and/or a RADIUS server, the switch permits or denies port access.Let's take, "Where do you think you're going?" first. I set up an ACL (access-control list) to restrict users from accessing the Web before 8:30 a.m. and after 5 p.m. I did this using Internet Explorer 6 (Netscape 7 also would work), accessing the Web interface and selecting QoS (quality of service) profiles from the device options.
In the QoS pages, I created an ACL to block HTTP (Port 80) access, assigned the rule to a schedule that included before- and after-work hours seven days a week, then associated the ACL to a QoS profile assigned to the ports on the 24- and 48-port switches. After I saved that configuration, end users who were plugged into the switch ports assigned to the QoS couldn't access the Web during those times.
3Com's Web Interface |
Asking, "Who do you think you are?" required a greater authority than the 3Com switches have. For that authority, I set up Funk Software's Steel-Belted Radius server to use native or local authentication and configured the switches as Radius clients. For Radius users, I used the MAC (Media Access Control) addresses of client devices under test as the user names and passwords, per 3Com's RADA (Radius Authenticated Device Access). RADA is 3Com's extension of 802.1x authentication. It ensures that only allowed devices have access through the switch using a RADIUS server.
In my test, when a client device was detected on a switch port, the switch recorded its MAC address and passed it as the user name and password. The Funk Radius server then authorized the port for use depending on whether the user name/password credentials matched user names and passwords to those I configured as permitted users on the RADIUS server.The switch quickly integrated with Tipping Point's SMS (Security Management System). SMS acts as a RADIUS proxy to detect and alert the RADIUS server of clients that do not meet security profiles. The RADIUS server then places those clients on a black list and blocks network access. RADIUS setup is easier than it appears: I didn't need to set up multiple users on the RADIUS server based on MAC addresses. Instead RADA let me set up one user and associated MAC address as a checklist attribute in the user settings, where the attribute was "Calling-Station-ID."
The RADA authentication worked like a charm. I even configured the RADIUS server to return a VLAN number and an ACL to the port based on the credentials of the user accessing the switch. In effect, I could deny a device's access to the network and even quarantine it off to a separate VLAN.
Stack Manager
I had plenty of options to manage one 3Com switch or a stack of switches. Each device provides for Web management and supports SNMP and a central syslog server. 3Com also includes a Switch Manager to view and configure multiple switches.
With a starting price of $5,995 (approximately $250 per Gigabit port), the 3Com 5500G-EI stacks up in terms of density, performance and manageability. Add the PoE option, and it's good to go in the data center or the wiring closet.Sean Doherty is a senior technology editor and lawyer based at our Syracuse University Real-World Labs®. A former project manager and IT engineer at Syracuse University, he helped develop centrally supported applications and storage systems. Write to him at [email protected].
You May Also Like