LinuxQuestions.org > Linux - Hardware: This forum is for Hardware issues.
I'm running a small hosting business from my home and I've got about 5 machines I'm using. I'd like to add more machines, but I need a bigger switch because I don't have enough empty ports on the D-Link router I'm using now.
The way my network is set up is as follows: Each machine is multi-homed... meaning each machine has 2 NIC cards and each machine responds to both an external IP and also a non-routable (192.168.*.*) IP. This gives me "backdoor" access so I can access the machines via my LAN.
I was talking to somebody at a computer store here in my area and they suggested I get something called a "managed switch". I'm not familiar with this term, so I want to make sure I understand.
Basically he explained to me that on a managed switch, you're able to assign some of the ports on the switch to operate on one network and the rest of the ports to be on another network. From this, I concluded it might be something I should get.
If I purchased one of these, maybe I could get a 24 port switch and divide the ports in half so that 12 of them are serving my external IPs and the other 12 are serving my LAN. So on each machine, I would plug a line from eth0 to one of the first 12 ports, and plug eth1 into one of the other 12 ports.
Is that pretty much correct? If not, can someone explain what he means by "managed switch"? Or explain what I probably need? If I'm pretty close on the concept, maybe someone can recommend a device (make and model #) that will suit my needs? I've never bought anything like this before.
A managed switch is just one that has a remote admin facility - it will have its own IP address and you will be able to manage the configuration through a Web-based interface. What you've described is VLAN (Virtual LAN), a feature that many managed switches also include. VLAN tends to be used with racks of switches to efficiently split up the available ports between different subnets.
The best solution for your network is probably to buy two small unmanaged switches and upgrade the router. The router should support the concept of a "DMZ", which is a subnet that has different firewall rules to the internal network. Public-facing hosts should be plugged into the switch for the DMZ network, and any private hosts go on the other switch. You then configure the firewall rules for the DMZ network to allow full access from your internal network, and minimal access from all other networks.
Dual-homing each machine and managing independent firewall configs for the two interfaces on each system ought not to be necessary. Since you are doing this I'm assuming that your router doesn't support a DMZ, so you should think about replacing it with either a more sophisticated unit, or using something like M0n0wall which will turn a PC into a dedicated router with a Web management interface.
Thank you for explaining that. That helps. However, I worry about buying a pair of small switches that won't allow for many ports if I should decide to expand again later. Granted there are only so many machines I can possibly get into my house before I require a "real" datacenter, but still... I have other machines (personal use) here in my house that also need to connect with the network devices. I really need enough space for about 10 machines in total, so that I can experiment with some new machines too.
I do have a DMZ on my current router, however that's not how I'm set up. Let me explain my setup a little better this time:
I have a DSL modem connected to a hub. The server's external lines are going to the hub. I also have a router plugged into the hub. The servers are also plugged into the router. So the router is taking care of my 192.168 addresses and the hub is handling all my public-facing machines.
My servers are firewalled using iptables rules so the external interface is very strict and the internal interface has no restrictions.
I was really interested in doing away with the router and the hub and buying a better device that will handle everything. If possible, I would even like to replace my DSL modem, as it seems to be just a basic 4-port router that's in "bridge" mode. I'd like to get something a little more "professional grade" that will handle everything.
Let me ask you this... if I'm using DMZ mode, would I still be able to have the machines responding to their external IP address? If I put (for example) two of my servers on the DMZ, will that still work? Will I have to do some weird port-forwarding or something to distinguish between the 2 machines? If so, that's not going to work, because I have 2 machines that both perform DNS. I also have 2 machines that have http servers running on them.
Assuming the DMZ thing is doable, maybe I could get a device with, say, 12 ports that also has the DMZ functionality, and do away with everything? This should still leave me ample room for expansion if I'm no longer needing the 2nd NIC cards in each box.
Thanks for entertaining my half-baked ideas. I appreciate it.
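The per-host firewall the poster describes (public interface very strict, LAN interface open), as an added example and not the poster's own rules. It is written for the current dual-homed layout, where each server has eth0 on the public hub and eth1 on the 192.168 LAN; interface names, the 192.168.1.0/24 range and the published ports (DNS and HTTP) are assumptions. Beyond what the post states, it adds the two checks a reviewer would ask for on a dual-homed box: anti-spoofing on each NIC, and kernel settings that stop the host itself from forwarding between the public and private sides, since a dual-homed server is otherwise a bridge into the LAN for anyone who compromises it. The script prints the rules for review and only loads them when run with `apply`.

```shell
#!/bin/sh
# Added example, not the poster's own rules: a host firewall for one of the
# dual-homed servers described above. eth0 carries the public address and is
# kept strict; eth1 carries the 192.168 "backdoor" and is open to the LAN only.
# Interface names, the LAN range and the published ports are assumptions.
EXT=eth0; INT=eth1
LAN_NET=192.168.1.0/24
PUBLIC_PORTS="53 80"      # what this box publishes to the Internet (DNS, HTTP)

# Kernel settings that keep a dual-homed host from becoming a path between
# the two networks: no forwarding at all, and strict reverse-path checks.
host_sysctls() {
cat <<EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.$EXT.rp_filter = 1
net.ipv4.conf.$INT.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# Emit an iptables-restore ruleset on stdout; nothing is applied here.
host_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing: private sources never arrive on the public NIC, and only
# the LAN range ever arrives on the private NIC.
-A INPUT -i $EXT -s 10.0.0.0/8 -j DROP
-A INPUT -i $EXT -s 172.16.0.0/12 -j DROP
-A INPUT -i $EXT -s 192.168.0.0/16 -j DROP
-A INPUT -i $INT ! -s $LAN_NET -j DROP
# Public side: only the published services (DNS needs both UDP and TCP).
$(for p in $PUBLIC_PORTS; do
    echo "-A INPUT -i $EXT -p tcp --dport $p -j ACCEPT"
    if [ "$p" = 53 ]; then echo "-A INPUT -i $EXT -p udp --dport $p -j ACCEPT"; fi
  done)
-A INPUT -i $EXT -p icmp --icmp-type echo-request -j ACCEPT
# Private side: anything from the LAN (SSH, monitoring, backups). SSH is
# deliberately not opened on $EXT; administer the box over the LAN leg only.
-A INPUT -i $INT -s $LAN_NET -j ACCEPT
-A INPUT -j LOG --log-prefix "host-drop: " --log-level 4
COMMIT
EOF
}

# Self-check: the invariants a reviewer would look for before loading it.
check_host_ruleset() {
  rules=$(host_ruleset)
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$rules" | grep -q -- "-i $EXT -p tcp --dport 22 " && return 1
  printf '%s\n' "$rules" | grep -q -- "-i $INT ! -s $LAN_NET -j DROP" || return 1
  host_sysctls | grep -q '^net.ipv4.ip_forward = 0$' || return 1
  return 0
}

# Usage: ./host-fw.sh         -> print sysctls and ruleset for review
#        ./host-fw.sh apply   -> load both (as root)
if [ "${1:-}" = apply ]; then
  check_host_ruleset || { echo "ruleset failed self-check" >&2; exit 1; }
  host_sysctls | while read -r key _ value; do sysctl -w "$key=$value"; done
  host_ruleset | iptables-restore
elif [ "${1:-}" = "" ]; then
  host_sysctls; echo; host_ruleset
fi
```

The "strict" side is defined by what it publishes, not by a list of things to block: anything not listed in PUBLIC_PORTS is dropped and logged. The anti-spoofing lines matter more than they look on a box like this, because an attacker on the public side who can put a 192.168 source address on a packet would otherwise hit the permissive rule meant for the LAN.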
"I was really interested in doing away with the router and the hub and buying a better device that will handle everything. If possible, I would even like to replace my DSL modem, as it seems to be just a basic 4-port router that's in "bridge" mode."
You could buy a combination DSL router and 4-port switch, and then plug other switches into the router's Ethernet ports. These are now astonishingly cheap, though you'd probably want to buy a slightly more expensive unit like a Netgear rather than a bottom-end unit from Linksys. The quality, functionality and usability of the firmware/web interface seems to be highly variable between manufacturers, so I wouldn't be tempted to buy cheap - I see lots of complaints in forums about bugs on Linksys routers.
WRT the switches, we have used Netgear 8 and 16 port desktop switches at work for test labs etc. for years and they work flawlessly. We pay about £30 for an 8 port, so the price is good too.
"Let me ask you this... if I'm using DMZ mode, would I still be able to have the machines responding to their external IP address?"
Yes. The systems in the DMZ would have regular IP addresses, and the systems on the internal network would use one of the ranges designated for private networks, like 192.168.
"I really need enough space for about 10 machines in total, so that I can experiment with some new machines too."
I think that it's worth taking the time to reassess your requirements at this point, before purchasing the network. From experience, machines take a lot of space even with cable management, KVM etc., and each physical machine takes time to maintain. The power of the hardware is now so many orders of magnitude above the requirements of standard network services like DNS, HTTP etc. that you can design a network by thinking about the subnets and services you need, and just having a machine per subnet for the required services, plus a router and a desktop or laptop for yourself. If you haven't tried a virtual machine system like VMWare I strongly recommend that you do - it made me completely rethink network design, and has saved me buying separate test machines for my home network.
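The routed DMZ that the two replies describe, as an added example that is not part of the thread: the public-facing hosts sit on their own subnet with their real addresses (so, as the reply says, no port-forwarding is needed to tell two DNS or two HTTP servers apart), the private LAN sits behind NAT, the LAN has full access to the DMZ, and the outside gets only the published services. A Linux PC with iptables stands in for the router here instead of M0n0wall. Interface names, the 203.0.113.0/29 block (a documentation range), the two DNS and two HTTP hosts and their ports are all assumptions. The script prints an iptables-restore ruleset for review and only loads it when run with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): a Linux PC as the DMZ router the
# replies describe. Assumed layout; every name and address is an assumption.
#   eth0  WAN   -> DSL modem in bridge mode, public address on the router
#   eth1  DMZ   -> public-facing servers keep their public IPs; routed, no NAT
#   eth2  LAN   -> 192.168.1.0/24, masqueraded to the WAN
WAN=eth0; DMZ=eth1; LAN=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=203.0.113.0/29
DNS1=203.0.113.2; DNS2=203.0.113.3       # the two DNS servers
WEB1=203.0.113.4; WEB2=203.0.113.5       # the two HTTP servers

# Emit an iptables-restore ruleset on stdout. Nothing is applied here.
dmz_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The router itself: loopback, established flows, SSH only from the LAN, ping.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Anti-spoofing on the WAN: private and DMZ addresses never arrive from the Internet.
-A FORWARD -i $WAN -s 10.0.0.0/8 -j DROP
-A FORWARD -i $WAN -s 172.16.0.0/12 -j DROP
-A FORWARD -i $WAN -s 192.168.0.0/16 -j DROP
-A FORWARD -i $WAN -s $DMZ_NET -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN: full access to the DMZ (the "backdoor" the thread wants) and to the Internet.
-A FORWARD -i $LAN -s $LAN_NET -o $DMZ -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
# Internet -> DMZ: only the published services, per host. No port-forwarding,
# because the DMZ hosts keep their routable addresses.
-A FORWARD -i $WAN -o $DMZ -d $DNS1 -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DNS1 -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DNS2 -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DNS2 -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $WEB1 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $WEB2 -p tcp --dport 80 -j ACCEPT
# DMZ -> Internet: outbound allowed (updates, recursive DNS). DMZ -> LAN is
# deliberately absent, so a compromised server cannot reach the private side.
-A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the private LAN is NATed; the DMZ is routed untouched.
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Sanity checks on the generated text, so a typo in the variables above is
# caught before anything touches the kernel.
check_ruleset() {
  rules=$(dmz_ruleset)
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  # no rule may ever forward from the DMZ into the LAN
  printf '%s\n' "$rules" | grep -q -- "-i $DMZ.*-o $LAN" && return 1
  # the DMZ must never be masqueraded, or its hosts lose their public identity
  printf '%s\n' "$rules" | grep -q -- "-s $DMZ_NET -o $WAN -j MASQUERADE" && return 1
  return 0
}

# Usage: ./dmz-router.sh         -> print the ruleset for review
#        ./dmz-router.sh apply   -> enable forwarding and load it (as root)
if [ "${1:-}" = apply ]; then
  check_ruleset || { echo "ruleset failed self-check" >&2; exit 1; }
  sysctl -w net.ipv4.ip_forward=1
  dmz_ruleset | iptables-restore
elif [ "${1:-}" = "" ]; then
  dmz_ruleset
fi
```

With this layout each server needs only one NIC, on the DMZ, and the LAN still reaches it through the router; the "backdoor" is a FORWARD rule on one box rather than a second interface and a second firewall on every host. If a managed switch is bought instead of two small ones, eth1 and eth2 can be 802.1Q subinterfaces of a single trunk port (ip link add link eth0 name eth0.10 type vlan id 10), which is the VLAN feature the first reply mentions; the rules above only care about interface names, so nothing else changes.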