Which Switch and Why

I am looking for some guidance and confidence.

I work for a medium healthcare facility that has 2 locations and 180 staff. In total, we have 300 PCs and Printers. The network was installed years ago with only a gig backbone. Aruba switches only have SFP, not SFP+.

I am upgrading by installing fiber to all the IDFs and replacing the switches with SFP+ models so that we are running a 10G backbone. I am looking at the UniFi switches and trying to decide if I should go with the Pro or the Enterprise switches. I have no experience with the UniFi switches, and because we are in healthcare, I cannot have downtime.

Our network is pretty simple: very few VLANs with some routing, so I will need to have Layer 3 switching.

From what I can read, I do not see a big difference between Pro and Enterprise. Pro can use the Cloud Key so I can monitor and program the network remotely, where Enterprise seems to be more traditionally managed.

So the question is: should I be looking at Pro or Enterprise, and is one or the other more stable?

Thanks,

Todd

I don’t know exactly what models you are looking for, but the UniFi / Network / Switching – Ubiquiti Inc. line of switches can all use the Cloud Key or a self-hosted controller.

I wouldn’t recommend doing L3 switching, since firewalls today are more than capable of handling the routing, with the benefit of doing packet inspection. You should design your network so that all the default gateways are on a FW, so you can better secure your systems.

This should make things easier for selecting a switch, since all you need is L2 capability. Save your spending for the better firewall and services.

1 Like

You might want to also consider switches from these guys: https://www.fs.com. I’ve always liked the look of them.

I guess I was not as clear as I should have been. The switches that I am looking at are Ubiquiti:

Switch Pro 48 PoE - SKU: USW-Pro-48-PoE
vs.
EdgeSwitch PoE+ 48 (750W) - SKU: ES-48-750W

What is the benefit of an EdgeSwitch vs. a Pro?

Thanks

The Edge line has a web interface on each device and can be monitored / kinda managed via their (I think) UISP software. UniFi switches are completely managed via the UniFi software and have no local management. Neither has any good L3 support.

Adding to what @LTS_Tom said: if you want to use UniFi, you want the Switch Pro 48 PoE - SKU: USW-Pro-48-PoE.
EdgeSwitches are not part of the UniFi family.
I feel they have much better L3 support, but like @FredFerrell said: you may want to use a better firewall. pfSense is pretty awesome. …and there are lots of pfSense videos on this channel.
Cheers!

I’m a strong believer that unless a FW supports SSL decrypt/forward proxy, I wouldn’t use it. It’s a must these days, and there are many reasonable options on the market. My go-tos are Palo Altos and Fortinets. If there is an area on your network where you shouldn’t go cheap, it’s the firewall.

HA! Oh wait…you are being serious, aren’t you? I think tech-wise there are a lot of options, but cost-wise not so much. Literally none of the small businesses that I have worked with can afford the brand-name next-gen firewalls that do SSL decryption. In big enterprises it tends to break stuff, so the enterprises I work with are shifting more towards endpoint monitoring than the network (even though they do have the fancy network stuff, it’s just a pain, especially when it comes to who pays for it in a large distributed network). I think COVID pushing work from home was the catalyst for this change. If they aren’t in the office, it’s a lot harder to justify the cost vs. something like Zscaler for remote access and content filtering, or SentinelOne, or Huntress, or some combination of things. Maybe not the case for this particular post, however.

Were we talking about switches? @alkyred, why does this facility need Layer 3 switching? If the network is “pretty simple, very few VLANs with some routing”, then spend your money on L2 switches and get better routers.

Absolutely!

Here is a good take on the UniFi line.
https://evanmccann.net/blog/2020/6/unifi-switches-buyers-guide

Agree on the L3 capabilities: keep with L2.

So this is what I am hearing.

Move our routing to our Palo Alto PA-820 firewall, save the money, and install Layer 2 switches.

Todd

1 Like

Fred,
I’m not going to sell myself as a network engineer. The complexity of the routing is that our two facilities are spokes in a Metro-E circuit that is shared with our healthcare EMR provider. So we need to route traffic over the Metro-E circuit between our two facilities and our EMR provider.

So currently, both our locations have a PA-820 FW that handles internet traffic, a Cisco router that handles the Metro-E routing, and a variety of Aruba switches that handle the local VLAN routing. The reason I am digging into this is that the current backbone switches are only 1 Gig, and we are expanding the second location, so I need to purchase additional switches. Lastly, I need to migrate the backbone to 10 Gig.

Hopefully, I explained where I am at.

Todd

I would say that is a little more than a simple network. Why not just upgrade the hardware you have to newer models that have 10 Gbps capabilities?

In the past, I’ve seen a pair of Layer 3 switches used to route between several routers (internet, point-to-point, and VPN backup for the point-to-point). This was done when access to one or more of the routers was difficult, such as when a third party manages your point-to-point connections. Make no mistake, a pair of big routers with enough interfaces and processing power should be able to do all of your routing, but sometimes it’s just easier to go a different way. All of the devices were pairs that were connected for fault tolerance per the manufacturer’s guidelines.

These days a lot of corporations are going SD-WAN, but that is a whole different ball of yarn to unravel. With the SD-WAN deployments I have seen, they were moving the routing off of the L3 switches and onto SD-WAN appliances (VMware) and consolidating routers into those appliances where possible. This was done to achieve more efficient routing as well as better control of the configuration within the routers themselves. I wasn’t that involved in the process, though.

I think you should be running several solutions, that way you have multiple layers of protection. Also, a PA with full licensing can be purchased for around $2K–$3K. That is nothing compared to the costs associated with rebuilding a network.

What I would consider doing is running all your networks through the firewall at each site. The PA-820s have plenty of ports and also support VLAN interfaces/sub-interfaces, so you just need to run a trunk from your switch to the firewall. I would also connect the ME circuit to the firewall and just make sure you set up your static routes correctly. The internet circuit is already connected, so that stays as is. Now you will have each network flowing through your firewalls and can better secure your flows.
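As an added illustration of the design described in this reply (not from the original poster or from any vendor documentation), here is what the firewall side looks like in PAN-OS set-format CLI: the trunk from the L2 switch lands on one firewall port carrying 802.1Q sub-interfaces, each VLAN gets its own security zone, the Metro-E circuit is a separate zone with static routes to the other site and the EMR provider, and inter-VLAN traffic is only allowed by explicit, logged policy. Interface names, VLAN IDs, subnets, next hops and zone names are constructed placeholders; verify the exact syntax against your PAN-OS version before committing.

```panos
# Trunk from the L2 switch to ethernet1/3 (placeholder port). One sub-interface
# per VLAN; the firewall becomes the default gateway for every VLAN.
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.10 tag 10
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.10 ip 10.10.10.1/24
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.20 tag 20
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.20 ip 10.10.20.1/24

# Metro-E circuit on ethernet1/4 (placeholder port and addressing).
set network interface ethernet ethernet1/4 layer3 ip 172.16.0.2/30

# One zone per VLAN plus a zone for the Metro-E circuit, so every flow
# between networks crosses a zone boundary and hits security policy.
set zone Clinical-LAN network layer3 ethernet1/3.10
set zone Admin-LAN    network layer3 ethernet1/3.20
set zone MetroE       network layer3 ethernet1/4

# Attach all interfaces to the default virtual router and add static routes
# for the remote site and the EMR provider, both reached via the Metro-E hop.
set network virtual-router default interface [ ethernet1/3.10 ethernet1/3.20 ethernet1/4 ]
set network virtual-router default routing-table ip static-route Site-B destination 10.20.0.0/16 interface ethernet1/4 nexthop ip-address 172.16.0.1
set network virtual-router default routing-table ip static-route EMR-Provider destination 10.200.0.0/16 interface ethernet1/4 nexthop ip-address 172.16.0.1

# Policy: only clinical workstations may reach the EMR provider, on the
# applications it actually uses; everything is logged at session end.
set rulebase security rules Allow-Clinical-to-EMR from Clinical-LAN to MetroE source 10.10.10.0/24 destination 10.200.0.0/16 application [ ssl web-browsing ] service application-default action allow log-end yes

# Admin VLAN may print to the clinical VLAN, nothing else crosses between them.
set rulebase security rules Allow-Admin-Print from Admin-LAN to Clinical-LAN source any destination 10.10.10.0/24 application [ ipp lpd ] service application-default action allow log-end yes

# Explicit catch-all denies between internal zones, logged, so a misconfigured
# route on the switch side cannot silently bypass inspection.
set rulebase security rules Deny-Inter-VLAN from [ Clinical-LAN Admin-LAN ] to [ Clinical-LAN Admin-LAN MetroE ] source any destination any application any service any action deny log-end yes
```

Once this is in place, the switches only need VLANs and the trunk port; there should be no L3 interfaces or static routes left on the switch, otherwise traffic can route around the firewall.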