I recently replaced my home/lab switch with a TP-Link TL-SG2428P to save power, as my old Juniper 4200 had become too expensive to run. The 570 AUD I paid for the new switch should pay for itself within a year in electricity savings.

TL;DR: You get what you pay for.

This is not a comprehensive review, just my impressions after configuring and using it for a week.
I got v5 hardware.

  • Hardware Version: TL-SG2428P 5.0
  • Firmware Version: 5.0.4 Build 20221130 Rel.42340

TP-Link is constantly iterating on hardware, so your mileage may vary.

I like

  1. Usable CLI. Very Cisco-like. It is possible to fully configure it without struggling with the WebGUI. SSH and Telnet are supported. Auto-complete on the Tab key works.
  2. SNMP works and is useful.
  3. Less than 30W + PoE power consumption.
  4. Spanning tree supports MST and it actually works.
  5. Can remove the default admin user (not all SOHO devices can do it).
  6. Can move the management interface out of VLAN1.
  7. There are primary and secondary boot images, which gives you some protection from bricking the device.
  8. IPv6 support seems to be complete, but it needs more testing.

Note

  1. SNMP is slow. Scrape time went from 12 seconds on a 48-port ancient Juniper switch to 24 sec on the 24-port TP-Link. Every scrape generates the syslog message CPU RISING THRESHOLD: Total CPU Utilization is 90%.. There is no dropping threshold message, BTW.
  2. Syslog works, but there is no way to configure what gets logged and what does not. For my taste, it does not log what I need and logs what I do not want.
  3. LACP works but can only hash on MAC or IP address. It can’t hash on ports, which makes it way less useful.
  4. By rack switch standards, it is quiet under my minimal 30W PoE load, but it is not something you want in your living room. The fans can spin at different speeds, and it is really loud on startup.

I do not like

  1. SSH is there, but what stops TP-Link from adding support for reasonably modern protocols? It does support SSH v2 and AES-CBC, but HMAC-SHA1 and DH-SHA1 are the best you can get. The killer is SSH-DSS as the host key algorithm. This is how to ssh to it: ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-dss -o Ciphers=+aes256-cbc
  2. While SNMP works, it does not report anything about the host, like CPU or memory, only interface statistics. I did not dig into the MIBs, so maybe it is still there somewhere. 64 counters are supported.
  3. No console port. If you can’t reach it over TCP, the only option is a factory reset. At least with the CLI, config collection can be automated. Oxidized seems to have a module for it, but I have not tried it yet.
  4. In show commands, interface names are case sensitive, but the output of show commands returns them in the wrong case. As an example, show interface status returns
     Port      Status      Speed     Duplex    FlowCtrl    Active-Medium   Description
     ----      ------      -----     ------    --------    -------------   -----------
     Gi1/0/1   LinkUp      1000M     Full      Disable     Copper          LAN

    but you have to use show interface counters gigabitEthernet 1/0/1 to get details. show interface counters Gi1/0/1 will give you an error.

  5. I did not find an obvious way to restrict access to management and SNMP based on source IP. There are some firewalling features, but all my attempts to use them ended with losing access to the switch. Why is there no serial console!!!??
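
An added example, not part of the original post: a Python check for the SSH complaint in item 1 of the last list. It parses the algorithm lists a server sends in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1) and reports the fields where only legacy algorithms are on offer. The payload is constructed from the algorithm names in the ssh command above plus aes128-cbc, it is not a capture from the switch, and the function names are illustrative.

```python
# Name-lists in the order RFC 4253 section 7.1 defines them.
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
LEGACY = {"diffie-hellman-group1-sha1", "ssh-dss", "hmac-sha1"}

def is_legacy(name):
    """Algorithms named in the review as the best on offer, plus any CBC cipher."""
    return name in LEGACY or name.endswith("-cbc")

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if len(payload) < 17 or payload[0] != 20:  # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        length = int.from_bytes(payload[offset:offset + 4], "big")
        raw = payload[offset + 4:offset + 4 + length]
        if offset + 4 > len(payload) or len(raw) != length:
            raise ValueError("truncated name-list in " + field)
        lists[field] = raw.decode("ascii").split(",") if raw else []
        offset += 4 + length
    return lists

def audit(lists):
    """Map kex, host key, cipher and MAC fields to (legacy names, only legacy offered)."""
    report = {}
    for field in FIELDS[:6]:
        legacy = [n for n in lists[field] if is_legacy(n)]
        report[field] = (legacy, bool(legacy) and len(legacy) == len(lists[field]))
    return report

def build_kexinit(lists):
    """Encode name-lists as a payload; used only to construct the sample below."""
    body = bytes([20]) + bytes(16)  # message type + all-zero cookie
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += len(data).to_bytes(4, "big") + data
    return body + bytes(5)  # first_kex_packet_follows = 0, reserved uint32 = 0

# Constructed sample, not captured from the switch.
SAMPLE = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1"], "host_key": ["ssh-dss"],
    "enc_c2s": ["aes128-cbc", "aes256-cbc"], "enc_s2c": ["aes128-cbc", "aes256-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]})

if __name__ == "__main__":
    for field, (legacy, only_legacy) in audit(parse_kexinit(SAMPLE)).items():
        print(f"{field:9} legacy={legacy} only_legacy={only_legacy}")
```

A field reported with only_legacy=True is one where the client has to be told to accept a legacy algorithm, which is a reason to scope the -o overrides to this one host rather than setting them globally.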
