Ethernet on/off switch

[philbx1]

Hi all,
I'd like to preface this question with a mention to someone who had posted the same idea on this forum.
His idea was pretty much effed by people who didn't understand what he wanted, and by ignorance or the old 'I know better'
thoughts pretty much broke the subject.
So, I'll try to explain in a better way exactly what I want to achieve.
What I'm trying to create is an ethernet controlled on/off switch. This would involve an ethernet module to take an on/off command
and turn the other side of the ethernet connection on or off.
I assume there are multiple 1-in/multi out relay ICs (or mosfets) to handle the switching but haven't yet found anything yet
so I'm hoping for some thoughts from you guys.

Thanks for any specific thoughts you have on this.

[capt bullshot]

I'm not sure if I got your goal.
What I understand is:
A box, sitting in the middle of an ethernet cable, that is able to receive an on/off command from one side of the cable, and then opens or closes the cable through connection?

[Monkeh]

https://www.gl-inet.com/ar300m/

[nfmax]

The wotsit you are looking for is called a 'managed switch'. Controlled over the Ethernet, usually using SNMP, and switching Ethernet packets between ports, as authorised by Management.

[ebclr]

This is a little more but you can control connections by another connection

https://mikrotik.com/product/RB750r2

[wraper]

I assume there are multiple 1-in/multi out relay ICs (or mosfets) to handle the switching but haven't yet found anything yet
so I'm hoping for some thoughts from you guys.

Talk about ignorance.

His idea was pretty much effed by people who didn't understand what he wanted, and by ignorance or the old 'I know better'

[wraper]

Something like MAX4927ETN+ and Ethernet transformer on each end. Given that you won't try to squeeze out maximum Ethernet cable length.

[dmills]

One managed switch chip, a couple of PHYs, and a PIC32 or such (Just for the ethernet stack and built in mac address), the rest is just a small matter of typing and pushing some copper around on a PCB.

However, surely easier to just run something on the endpoint that takes the interface down when you want ethernet off, and brings it back up when you want it on?
ifdown eth0 and ethup eth0 are not exactly difficult things to paraphrase even in Winders.

If I wanted this thing for some reason I would probably just be straight on ebay for a managed switch and just control one of the ports over SNMP, 20 quid or so and maybe 15 minutes to write the control program.

Regards, Dan.

[timpattinson]

This sounds like an XY problem. What is the problem you are trying to solve with this? Is there something you're not mentioning, like protection from HV or strong fields? What's wrong with disconnecting in software or turning the port off?

[philbx1]

Yes capt,

That's exactly what I'm after.
The purpose is to ensure that a server or backup device is safely taken offline.
An expansion on this would be another device on the network to send on/off packets to more than 1 of these devices.
Thanks.

I'm not sure if I got your goal.
What I understand is:
A box, sitting in the middle of an ethernet cable, that is able to receive an on/off command from one side of the cable, and then opens or closes the cable through connection?

[philbx1]

Hi Monkeh,
Actually these mini routers would be OK given that I could change the OpenWRT code to send to various on/off devices
but I'd still need to make a device to send to.

https://www.gl-inet.com/ar300m/

[philbx1]

Hi nfmax,

Thanks for replying.
Actually what I'm after isn't a managed switch. I have at least 15 of these from 16 ports upward onsite.
All I'm after is an ethernet module like https://www.banggood.com/ENC28J60-Ethernet-Shield-Network-Module-V1_0-For-Arduino-Nano-p-1013491.html
combined with an Arduino Nano and either a multi-switching relay IC or multi-switching Mosfet.

The wotsit you are looking for is called a 'managed switch'. Controlled over the Ethernet, usually using SNMP, and switching Ethernet packets between ports, as authorised by Management.

[philbx1]

Hi ebclr,

Well, I'm trying to go cheap, and appreciate your link but have simpler ideas.
Please check out my replies below.
Thanks.

This is a little more but you can control connections by another connection

https://mikrotik.com/product/RB750r2

[philbx1]

Hey wraper.

Whoohoo! Someone with a decent thought. I'll check out the datasheet.
Thanks

Something like MAX4927ETN+ and Ethernet transformer on each end. Given that you won't try to squeeze out maximum Ethernet cable length.

[philbx1]

Hi Tim,

The purpose is to automate isolation of a server or backup device.
The reason is that I've recently seen ransomware attacks on companies where things may have gone better
if they had taken a server offline after a backup and/or the backup NAS device which has domain shares active.
 

This sounds like an XY problem. What is the problem you are trying to solve with this? Is there something you're not mentioning, like protection from HV or strong fields? What's wrong with disconnecting in software or turning the port off?

[CJay]

You're not going to mitigate a ransomware attack by isolating an ethernet connection if the host is already infected.

The best way to protect your backups is to run a *proper* backup routine and you need to do some research into how long ransomware will be quietly running and encrypting your data before announcing itself to you.

Plan your backup routine around that.

However, if you want to pursue this avenue then plug your servers into a switch (or multiple switches if you want redundancy), have each switch you want to isolate powered from a managed PDU, switch off the whole PDU.

Someone else has already mentioned a solution which would be my preference, a decent quality managed switch will allow you to switch off individual ports and it can be done via script from the host you want to isolate as a scheduled task so it only happens when your backup is finished or about to start.

[bob225]

The low tech way would be a 5 port switch and a ip switch/pdu to turn the power on and off

A managed switch and turn on authentication on the port(s) for the server

[timpattinson]

Just done some googling...
From 2015: https://www.eevblog.com/forum/projects/want-to-physically-isolate-ethernet-onoff-design-recommendations-needed/
and this product: https://proaudioeng.com/products/pae-2911-dual-remote-ethernet-relay/

and this one, claiming CAT6 compliance: http://www.l-com.com/secure-data-l-com-category-6-a-b-physical-layer-air-gap-network-switches-rj45-ports

[forrestc]

What I'm trying to create is an ethernet controlled on/off switch. This would involve an ethernet module to take an on/off command
and turn the other side of the ethernet connection on or off.

Some background: 

So, I have a chunk of automated test gear.   Part of this is automated test is to test connectivity to an ethernet port.   However, before I hook the unit under test to ethernet, I want to do some electrical testing to make sure all the connections are electrically ok.    So, I switch the ethernet to the rest of the test gear.

What I am about to describe is how I do this.   BEFORE I DO, SOME DISCLAIMERS:   This does NOT preserve the balanced signal on the ethernet correctly.  This SHOULDN'T BE TRUSTED to always work.   In particular ethernet can be more fussy and also less fussy than you'd expect.   So this method can add severe flakiness to your ethernet connection.   

With that in mind, it works well enough for me to do 100Mb/s traffic tests through the device.

What I have done is take a USB attached arduino and hook it up to one of these:  https://www.amazon.com/SainSmart-101-70-103-16-Channel-Relay-Module/dp/B0057OC66U/ref=sr_1_7?ie=UTF8&qid=1528971389&sr=8-7&keywords=sainsmart+relay   

They also make an 8 relay version, which might be better suited for your needs (I needed a few other things switched, which is why I used the 16 instead of an .

For each of the 8 wires in the CAT5 cable, each gets switched by a single relay.  In my case, it switches between the test equipment and an ethernet port.  I wrote a chunk of software for the arduino that switches the relays.  Like I said, it works well enough, but again we're only taking a few feet of ethernet cable here, so the signal has a lot of room for the problems introduced by running these through relays.   Actually now I think about this I might have only switched the 4 which are used in the 10/100 ethernet standard, but the premise is the same.

If you want to do this in a nicer way, there are also several vendors which have signal switches.  For instance Diodes, Inc. has a line of switches - see https://www.diodes.com/products/connectivity-and-timing/switches-mux/protocol-switches/lan-signal-switch/  .  So does Ti ... http://www.ti.com/switches-multiplexers/protocol-specific/products.html#p1389=LAN .  I haven't used these so I can't discuss how well they work, or what is involved in using them.

Personally, I'd agree with others, I'd rather just use the management in an ethernet switch or similar to do this, or turn power off to a switch, etc.   Simple, usually scriptable via SNMP, etc.

[BradC]

We've just done this recently on a site up North. Run the network through a cheap 5 port gigE dumb switch and just drop power to the switch with a relay. The other option was literally a pigtail with a plug on the end, and a panel mounted socket where the security officer could pull the plug out. We figured the switch and relay would tolerate more long term abuse than letting someone just yank a plug.

I'm currently working on a site where they have a bit of vero board and 4 dpdt relays on it breaking 2 pin network connections. 4 PCB mount 8P8C RJ connectors, 4 dpdt 5V relays, lots of green wire and some superglue. It has apparently been in place since 2008 and I'm reliably informed has never caused an issue. Can't say I love the solution, but I can't argue with the results.

[Ian.M]

If a true physical disconnect is required, a miniature DIL DPST reed relay per pair would minimise the impedance discontinuity.  Add a grounded foil shield over the reed relay and a ground plane under it and it should be reasonably trouble free for 100BASE-TX Ethernet, as long as the total cable length is small compared to the specified 100m max cable length.  As 10BASE-T and 100BASE-TX only use two pairs in the cable you only need two DPST reed relays - the other pairs can be left open circuit.

For gigabit ethernet you are probably S.O.L. but it *MAY* be workable if you switch all four pairs within a few inches of the switch or device socket and keep minimise the total cable length.

You can get DPDT reed relays - at a price - which would allow switching between live ethernet and a test jig like Forrestc was doing.  However if your testing involves POE, you may run into problems with contact welding due to inrush current + contact bounce, and DPDT mercury wetted reed relays that can handle the current, are rare, expensive and not ROHS compliant.

[Monkeh]

Hi Monkeh,
Actually these mini routers would be OK given that I could change the OpenWRT code to send to various on/off devices
but I'd still need to make a device to send to.

https://www.gl-inet.com/ar300m/

That is the device to send to. It has two ports, you have control over them.

[Monkeh]

Daft suggestion: Just have the device you want to isolate turn off its own interface. It's not hard.

[capt bullshot]

Yes capt,

That's exactly what I'm after.
The purpose is to ensure that a server or backup device is safely taken offline.
An expansion on this would be another device on the network to send on/off packets to more than 1 of these devices.
Thanks.

I'm not sure if I got your goal.
What I understand is:
A box, sitting in the middle of an ethernet cable, that is able to receive an on/off command from one side of the cable, and then opens or closes the cable through connection?

OK, then I'd suggest to use a simple and cheap 5port Ethernet switch, a bunch of suitable small signal relays and some ethernet-enabled MCU evaluation module.
Connect the incoming ethernet to one port, the module to the next port and for the outgoing port, put the relays in series with the cable. You're near the termination, so some mismatching caused by the relays won't hurt too much. Use a GPIO from the module to control the relays, place some firmware (including a TCP/IP stack) on the module, assign a valid IP address to the moduel and receive the on/off command.
So you've left two ports, you could use them to isolate two more devices the same way.
Connect another MCU module somewhere else to the network, assing IP etc, and e.g. use its GPIO inputs to trigger sending the commands.

Which MCU module to use is up to your favour and skills, I'd use one of these STM32 nucleo 144 boards (including ethernet), they are cheap (~ 20 EUR), and you can find working implementations of some RTOS with LWIP, providing you with all the network related stuff.

For the relays, a decent small signal relay like the ones used in oscilloscopes to switch the attenuator will do the job. Most of them are DPDT, so you'll need four of them per port.

For a more advanced / elegant solution, search for a recent ethernet switch IC (the ones that are inside your typical 5 or 8 port domestic use gigabit ethernet switches), most of them have some kind of configuration interface. Hook your MCU module to one port of this switch for the ethernet connection, connect the configuration interface to the MCU module and use this to enable / disable the target ports of the switch. Maybe you can re-use one of these off-the-shell 8port switches, some of them have an internal small MCU for the basic initialisation of the switch IC. Remove this IC and connect your MCU module instead, the rest is reading datasheets and a bit of reverse engineering. So you basically roll your own managed switch, using a protocol of your choice.

Anyway, I'd just go and buy a suitable managed switch and use the standard protocols / manufacturer provided software.

[NorthGuy]

IMHO, the best way to sever an Ethernet connection is to reset PHY (by simply driving the reset pin low) - much easier to do than relays.