Enable TLS on all switches for administration

The following switch models currently do not support TLS connectivity for the admin WebUI, which in this day and age is really not acceptable.

Models:
GS305EPP

GS308E (Additionally, this switch model does not have a username; you log in using just a password.)

Please can the firmware for the above models be updated to ensure that admin WebUI access is able to use TLS v1.2 and v1.3 with best-practice ciphers.
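The request above asks for admin WebUI access over TLS 1.2/1.3 with best-practice ciphers. The following Python script is an added example for this thread, not code from the post or from NETGEAR: it builds a client context that only accepts TLS 1.2 or 1.3 with forward-secret AEAD suites, attempts a handshake against a switch's HTTPS port with that context, and reports whether management is possible under the policy or whether the port is closed (as it would be on an HTTP-only device like the models listed). The switch address in `__main__` is a placeholder; `evaluate()` applies the same policy to a protocol/cipher pair taken from any other scanner's output, and `is_aead()` is a simple name-based heuristic, both assumptions of this example.

```python
"""Check whether a switch admin WebUI can be reached over TLS that meets a
minimum policy (TLS 1.2 or 1.3, forward-secret AEAD ciphers).

Added example for this thread; not NETGEAR code.  The switch address used
in __main__ is a placeholder.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional

# --- policy -----------------------------------------------------------------
MIN_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# OpenSSL cipher string for the TLS 1.2 suites we allow (ECDHE key exchange
# with an AEAD cipher).  TLS 1.3 suites are all AEAD and are enabled by
# OpenSSL independently of this string.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


@dataclass
class TlsVerdict:
    tls_available: bool          # True only if a handshake under policy succeeded
    version: Optional[str] = None
    cipher: Optional[str] = None
    detail: str = ""


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below the policy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(TLS12_CIPHERS)
    # Embedded switches usually present self-signed certificates.  This check
    # is about protocol and cipher policy only; certificate trust (pinning the
    # device certificate, or installing one you issued) is a separate control.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_policy() -> dict:
    """Summarise what the context will negotiate, for logging or assertions."""
    ctx = build_client_context()
    return {
        "minimum_version": ctx.minimum_version.name,
        "ciphers": sorted(c["name"] for c in ctx.get_ciphers()),
    }


def is_aead(cipher: str) -> bool:
    """Heuristic (assumption of this example): AEAD suites carry one of these tags."""
    return any(tag in cipher for tag in ("GCM", "CHACHA20", "CCM"))


def evaluate(version: Optional[str], cipher: Optional[str]) -> TlsVerdict:
    """Apply the policy to a (protocol, cipher) pair, e.g. from a scanner."""
    if version not in ACCEPTED_VERSIONS:
        return TlsVerdict(False, version, cipher, f"{version} is below TLS 1.2")
    if not cipher or not is_aead(cipher):
        return TlsVerdict(False, version, cipher, f"{cipher} is not an AEAD suite")
    return TlsVerdict(True, version, cipher, "meets policy")


def probe(host: str, port: int = 443, timeout: float = 3.0) -> TlsVerdict:
    """Try a policy-conforming handshake against the admin interface."""
    ctx = build_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return evaluate(tls.version(), tls.cipher()[0])
    except ConnectionRefusedError:
        return TlsVerdict(False, detail=f"{host}:{port} refused; management is likely HTTP-only")
    except ssl.SSLError as exc:
        return TlsVerdict(False, detail=f"handshake rejected under policy: {exc}")
    except OSError as exc:  # timeouts, resets, unreachable hosts
        return TlsVerdict(False, detail=f"{host}:{port} unreachable: {exc}")


if __name__ == "__main__":
    # 192.0.2.10 is a documentation (TEST-NET-1) placeholder, not a real switch.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    verdict = probe(target)
    print(f"{target}: {'OK' if verdict.tls_available else 'FAIL'} "
          f"{verdict.version or ''} {verdict.cipher or ''} {verdict.detail}")
    sys.exit(0 if verdict.tls_available else 1)
```

Run it as `python tls_audit.py <switch-ip>`; a non-zero exit means the admin interface cannot be managed under the policy, which is the case to flag in an inventory and to compensate for by keeping the management VLAN isolated until firmware with TLS support exists.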

1 Comment
schumaku
Guru

Answered at least a hundred times in the community.

All these GS3xxE as well as their PoE+ and PoE++ siblings are built on non-managed switch cores, making almost all Plus Switches essentially unmanaged switches (compare the hardware prices!). Highly integrated, cost-effective unmanaged-smart gigabit switch. The switch design is based on the field-proven, industry-leading ROBO architecture.

This device combines all the functions of a high-speed switch system including packet buffers, PHY transceivers, media access controllers (MACs), address management, port-based rate control and a non-blocking switch fabric into a single 65 nm CMOS device. Designed to be fully compliant with the IEEE 802.3 and IEEE 802.3x specifications, including the MAC-control PAUSE frame, the BCM53128 provides compatibility with all industry-standard Ethernet, Fast Ethernet and Gigabit Ethernet (GbE) devices.

The management controller integrated within the BCM53128 is a weak CPU derived from the 1980s-vintage, 8-bit Intel 8051, which is easily overloaded. This explains the lack of HTTPS/SSL support, very occasionally dropped HTTP requests, and so on. It's actually impressive they managed to squeeze an IP stack and web interface onto such a small CPU at all. This limited 8051 service processor only affects management functionality (it isn't part of the main switch-fabric data path at all). Most notably, the switch registers are set to send a copy of all HTTP (TCP port 80) traffic, originating from any port, to this tiny management CPU.

This has the effect of crippling the layer-2 flow-control feature, causing any and all HTTP traffic flowing through the switch to be bottlenecked to about 10 Mb/s whenever flow control is switched on. The reason is that flow-control rate limiting kicks in whenever any port receiving the traffic gets overloaded, and the weak management CPU effectively connects to an internal 9th, on-chip port that seems to run only at this low rate. Beyond that, all web traffic from anywhere to anywhere (even when carrying an 802.1Q VLAN tag!) gets copied to the virtual port 9 internally, where the controller is active.

The very basic httpd is pure embedded code for simplicity. A single user for configuring these switches is absolutely sufficient. There is no headroom for more memory and processor power; last but not least, this does not make a universal computing platform to hold a partial or fully blown OS.


Dreaming is of course allowed.


If you expect more than what a Netgear Plus switch model can offer, Netgear has the Smart Switch Series (like GSnnnT[xxx]) / MSnnnT[xxx] / XSnnnT[xxx] for example.

If you expect multi-user capability and fully blown comprehensive feature lists, head to the Netgear Managed switch series. Then a tiny, low-cost GS308E or GS305EPP isn't for you.