Okay, I’ve been watching lots of YouTube videos about switches and I’ve just made myself more confused. Managed versus unmanaged seems to be having a GUI versus not having a GUI, but why would anyone want a GUI on a switch? Shouldn’t your router do that? Also, a switch is like a tube station for local traffic, essentially an extension lead, so why do some have fans?
There is only one router on your network. It routes traffic from one machine to another. This is typically also the gateway, and it only has so many ports.
If you want more physical devices connected to your network, you’d need switches to fan out your network.
Unmanaged switches essentially take packets from one port and pass them through another port, easy peasy, nothing fancy.
Managed switches, however, can do more than just take a packet from one port, then push it out to the other side. You can set up link aggregation for example, allowing more throughput by using two or more ports to go to the same destination (maybe for example a central file server). You can have L2 vs L3 switches so they route differently. You can have multiple paths to reach another machine, for redundancy, but must implement STP to prevent broadcast loops etc.
Once your network grows larger than just Internet for a couple of desktops, it gets a lot more interesting.
Thank you. So based on this, shouldn’t things like OpenWRT and OPNSense be made for switches rather than routers? Since the switch seems to be doing all the heavy lifting.
If you use everything from the same vendor, you could manage them in one place (see Ubiquiti’s UniFi stack as example), but at the end of the day, they serve different purposes and target different parts of your network.
Switches are Layer-2 devices (data link layer). They operate on FRAMES and use MAC addresses to send data around between devices on the SAME NETWORK.
Routers are Layer-3 devices (network layer). They operate on PACKETS (which is basically a wrapper around FRAMES) and IP addresses to send traffic between DIFFERENT NETWORKS.
Switches may have some smart capabilities, such as creating separate logical networks (VLANs), or providing power to PoE devices, or prioritizing layer-2 traffic within a lan (CoS - class of service) and they do all the “heavy lifting” of slinging frames around to the right device on your LAN.
Routers tend to do all the “heavy lifting” of routing packets BETWEEN NETWORKS. They sit at the perimeter of networks (between your LAN and the internet, for example, or between your LAN and another DMZ LAN in your house, or maybe a GUEST LAN). They are often paired with firewall features to inspect the traffic and only allow certain types of traffic through one direction or the other, or they may simply route packets. They can also prioritize layer-3 traffic (QoS - quality of service).
A lot of things can get really confusing between the two because many routers have built-in switches, so they do some layer-2 stuff. And more expensive switches can even have some routing features to allow traffic to hop from one VLAN to another without going all the way out to a router (called layer-3 switches, though you typically don’t see these in homes outside the computer enthusiast community – they’re more of an enterprise thing).
I think the reason you don’t see OpenWRT or OPNSense for switches is because simple networks don’t need the advanced switching capabilities that such a product would provide, and highly complex networks often need the speed of hardware-based switching and don’t want to slow it down with a software layer.
I don’t know if anyone has told you this today, but you’re awesome! Thank you for writing that out.
A managed switch allows you to have vlans, routing, QoS, spanning tree protection etc. You don’t necessarily need a gui, a lot of them are cli only, which is preferable but less user friendly if you’re not used to it. Depending on your needs a managed switch can be overkill.
But doesn’t the router do the VLAN stuff? Sorry, I don’t know how to phrase it properly
VLANs are an extension of the Ethernet technology, and operate on the link layer (OSI layer 2). They are handled by switches. VLANs can belong to different subnets, and communication between them requires routing, which happens on the network layer (OSI layer 3) on either routers or layer-3 switches, but VLANs themselves are handled by switches.
I recommend Network Chuck on youtube, his videos are very noob-friendly.
Thanks, I’ll check him out.
It does. Also, the router most likely has switch functionality if it has several Ethernet ports.
The router does the routing from one vlan into another. The switch has a function to apply the traffic with a specific vlan-tag. E.g. on the switch: to your PC vlan 3 could be applied and for your fridge vlan 25. On the router: you can allow vlan 3 access to the Internet but vlan 25 not. For management purposes you could allow vlan 3 access to vlan 25 but not the other way around.
So everything I thought was a LAN up until now is really just a VLAN?
You’ve run up against the first thing that seems to really confuse people when they begin learning about networking.
What you thought of as a LAN is a LAN. A VLAN is a Virtual LAN. It’s the same concept but virtualized, allowing more than one LAN on hardware that is just physically a single LAN.
When most people are talking about setting up VLANs they are usually describing the creation of a separate layer 3 subnet and the creation of a VLAN ID that gets tagged to all packets that get sent on that separate subnet. This allows for both layer 2 and 3 separation of the virtual lans on a single physical network.
Conceptually it’s very similar to VMs running on a single server.
So what differentiates a virtual LAN from a real LAN? Like how can I tell which one my ISP had set up?
So switches are able to do a lot of interesting things.
Think about in a business, you want to have credit card machines, users’ computers, and maybe a security system and cameras. There have been so many news reports of how awful the cyber security of security cameras is that maybe you don’t want them to be on the same local network as the thing taking your customers’ payments. So, you could buy another router and switches and pay for a second internet service. But you know you don’t use all the bandwidth you currently have and you have extra ports on the switch. What if you could create a second local network? Have it on the same physical hardware but logically separate in the router and switch. Like a virtual local area network.
This is exactly what a VLAN can accomplish. Now though, you have to tell the switch what port is using what VLAN, so you build a GUI into it.
Some switches are also able to supply power to those cameras and the access points around your business, but that takes more electricity going into the switch, so you need to keep heat down, so slap a fan in there. Also, what happens if you want to power cycle a camera? Well, you could go find the cable and physically unplug it, or you could just reboot the whole switch, but hey, you already have a GUI for VLAN config, why not slap the ability to turn a port on and off in there too!
The same goes for a home network, maybe you have a few cheap smart lights that have a questionable level of security… they’re fun though! So instead of risking your whole network, slap them in a dedicated VLAN and now some sweaty neckbeard doesn’t get to know what Christmas present you bought for your one favorite coworker.
These are just a few examples off the top of my head. There’s plenty of other reasons for a GUI and fans.
Thank you for taking the time to write that out. I appreciate it.
so why do some have fans
As in cooling?
Switches generate a ton of heat in the ports’ copper wires, especially gigabit+ and PoE. Higher-grade consumer and industrial (think Cisco) switches also have powerful hardware because they do a lot more than packet switching – they handle QoS, VLANs, and ACL-based filtering, as well as gigabit or faster connections on all ports.
So if the switch does all of that, what does the router do?
Switches (particularly layer-3 switches) have basic routing capabilities to connect different VLANs, but that is not their focus. Their purpose is to facilitate communication between devices connected to the same subnet, and across subnets on the same LAN.
Routers specialize in communication between networks, e.g. between a LAN and the internet. They can use static routes or dynamic routing protocols (e.g. RIP, EIGRP, OSPF, BGP) to find the shortest route, often across many routers, from the source to the destination. Think of routers as intercity railway lines, and switches as local transportation.
The device that is usually referred to as a “home router” is usually a combination of a router, a switch, a wireless access point, optionally a cable modem, and sometimes a telephone modem; plus it offers services like a firewall, NAT, and sometimes VPNs. It does everything, but with a much lower performance compared to dedicated hardware.
Can I come and live with you so you can break everything down to me so simply 😂
Okay, so for my network, I would set my existing router to modem mode and then have that plugged into the router and then the router plugged to a switch, a switch connected to an access point and my devices connected to the access point. Does that make the modem the Eurostar? In that case, what is the router even doing? Does that mean I would need an access point for each VLAN? And if it does, is it really virtual if it’s tied to physical hardware?
Generally, yes. WAN -> modem -> router -> switch -> (devices, wireless AP, other switches).
If you set the internet provider’s device to modem/bridge mode, it will do one thing, and one thing only: forward traffic between the ISP’s infrastructure (like DOCSIS, telephone line, PPPoE, Frame Relay, etc.) and an Ethernet port. The traffic on that port will be unfiltered and dangerous internet traffic.
The first device after the modem should be something with a firewall and NAT. In most cases, this is a consumer-grade router, but it could also be a computer running pfSense/OPNsense/OpenWRT (which basically turns it into a router). The firewall’s role should be obvious – it filters everything that passes through it, and only allows permitted traffic.
NAT (Network Address Translation) is a bit more complex. I’ll skim over the details – it allows you to have a private network of any size communicate with a public network using only a single public IP address (which is usually supplied by the ISP). It also enhances security because NAT is what facilitates port-forwarding, and your private network won’t be exposed through the public address unless you do that. NAT is almost always handled by the router. Firewalls can be integrated into the router, integrated into the modem, or implemented as a discrete device – make sure that the internet traffic passes through at least one firewall!
The router in this case handles NAT, finding the first hop on the internet for outgoing traffic, and routing incoming traffic to the subnet that contains the destination device.
From the perspective of packet switching on the network, a wireless access point is really no different than a switch, except it facilitates communication with wireless devices. Depending on the model, APs can support VLANs, and each wireless network can be assigned to a different VLAN on the same device.
For example:
- “family” wifi network on VLAN 100 with a password for trusted devices
- “guest” wifi network on VLAN 101 with open authentication for untrusted devices
- Connect the AP to a port on the switch, set those ports to trunk mode, and allow VLANs 100 and 101
- Set the rest of the ports, where the wired devices will be connected, to access mode on VLAN 100
- Give each VLAN a different subnet (e.g. 192.168.0.0 for one, 192.168.1.0 for the other)
This way you can set up the router to allow both subnets to communicate with the internet, the family subnet to talk to devices on the guest subnet, but prevent guest devices from talking to the family subnet.
How you achieve this depends on your ISP and what devices you own. For example, the ISP might only give you an IPv6 address, which is an altogether different headache.
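The family/guest port plan from the post above, modelled as an added example (it is not the poster’s configuration and not any vendor’s switch or router software). The port numbers, the choice to drop tagged frames arriving on an access port, and the policy table are assumptions; the code shows how access and trunk ports add, strip or refuse 802.1Q tags, and how the router decides which subnet may open connections to which.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

# Constructed port plan following the post above (port numbers are assumptions).
PORTS = {
    1: {"mode": "trunk", "allowed": {100, 101}},  # uplink to the wireless AP
    2: {"mode": "access", "vlan": 100},           # wired family PC
}
# One subnet per VLAN; any address outside both is treated as "the internet".
SUBNETS = {100: ipaddress.ip_network("192.168.0.0/24"),
           101: ipaddress.ip_network("192.168.1.0/24")}
# Who may open connections to whom: family -> guest yes, guest -> family no.
ROUTER_POLICY = {(100, 101), (100, "internet"), (101, "internet")}

def tag_frame(untagged, vid):
    """Insert an 802.1Q header (PCP/DEI 0) between the two MAC addresses and the EtherType."""
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + untagged[12:]

def parse_vlan(frame):
    """Return (vid, untagged_frame); vid is None if the frame carries no 802.1Q tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

def switch_ingress(port, frame):
    """Classify a frame arriving on a port: (vid, untagged) or None when the switch drops it."""
    cfg = PORTS[port]
    vid, plain = parse_vlan(frame)
    if cfg["mode"] == "access":
        # Access ports assign their own VLAN; a tagged frame from a wired host is dropped here.
        return (cfg["vlan"], plain) if vid is None else None
    # Trunk: only tagged frames in the allowed list pass (no native VLAN in this model).
    return (vid, plain) if vid in cfg["allowed"] else None

def switch_egress(port, vid, plain):
    """Frame leaving a port: untagged on a matching access port, re-tagged on a trunk."""
    cfg = PORTS[port]
    if cfg["mode"] == "access":
        return plain if cfg["vlan"] == vid else None
    return tag_frame(plain, vid) if vid in cfg["allowed"] else None

def router_permits(src_ip, dst_ip):
    """True if the router lets src_ip open a connection to dst_ip under ROUTER_POLICY."""
    def zone(ip):
        return next((v for v, n in SUBNETS.items() if ipaddress.ip_address(ip) in n), "internet")
    return (zone(src_ip), zone(dst_ip)) in ROUTER_POLICY
```

Return traffic for a permitted connection is left to the router’s connection tracking, which this model does not include; it only answers who may initiate.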
Thank you so much! I kinda had the bits in my head, but you’ve connected the dots for me. I am truly grateful!
A switch will allow a star shaped network. The switch is in the middle and connects all devices that are plugged in.
I always thought the router was the heart of the network, but it seems a router doesn’t actually do very much.
More like the bouncer. It communicates with the outside world, ensures the correct device inside your network talks to its intended outside network (NAT), and several other things that I have forgotten.
Sorry to make you dig in your brain, there’s far more fun things to do with your Thursday afternoon. But I appreciate it. I feel like my ISPs over simplify things and that’s led to my misconceptions.
I used to do tech support for non-tech-savvy people and couldn’t use the jargon, so I got good at giving enough info to know how things work without bogging them down in terminology; terminology is scary for some people. Answering like another did further down would require me to actually dig in my brain, and would elicit a confused dog look from my old clients, but what they said about the OSI layers is the real answer.
I’m grateful for your experience and expertise.
a switch is like a tube station for local traffic, essentially an extension lead
You’re right, a basic unmanaged switch is basically that!
Managed switch is a smarter switch. For example, creating VLANs or doing port trunking.
These are generally configured on the switch GUI as you mentioned.
Think of them as a computer with dedicated software to control how the network interfaces behave.
Certainly not an expert here but the GUI “being there” means you can configure something about the traffic flowing through, maybe VLANs or QoS. That also might be why some switches have fans. Deciding what packet has priority or is allowed is a bit more computationally complex (read: heat generating) than just pushing a packet to the right address.
You might want a VLAN if you have a server connected to the same switch as your PC, but they shouldn’t “see” each other. If you didn’t have a VLAN there, your router or firewall can’t manage anything about the connection. Say you have a website and database on your server and only the website should be accessible by your computer, you’d be able to configure that with the firewall.
I feel like you would benefit from revisiting the OSI model
https://youtu.be/tkySicWdTa4?si=vivkiWeqGKyW5Wxj
Switches can have many different purposes, and can act as a router or not. This series of videos covers the OSI model, and provides some information on how many layers of the OSI model an individual switch can capture.
Thank you