mdpeterman

join:2010-10-10
Westerville, OH

[Info] Selecting a Router

Hello!
I'm looking for help in selecting a router for a new home I am working in. I am installing a home automation system and the project has expanded into networking. I am fairly familiar with networking, but need some help selecting the hardware I need to get the job done.
The customer will have a cable connection coming in. To be future-proof I want NAT and firewall throughput to be at least 100mbps. It would also be nice to have either a second WAN interface built in, or at least the ability to add a second.
The router needs to support 802.1Q VLANs but I need granular inter-VLAN routing. The routers I have had experience with so far have inter-VLAN routing, but it's all or nothing. I want to be able to route only certain ports to specific IPs. So basically each VLAN has a firewall in front of it I think...
For example:
10.0.0.0/24 - "Internal Net" VLAN 1
10.0.1.0/24 - "Guest WiFi" VLAN 2

I have a web server at 10.0.0.2, I want clients on the guest wifi to be able to reach 10.0.0.2 on port 80 only. I will have printers and other things as well that I will want to open up ports for.

I would also like the router to have built in support for VPN connections for remote access to the home's network.

Thanks for the recommendations!

Also, if there is another brand of hardware you think would be better suited, I am open to that as well.
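The guest-to-web-server policy described in the post above, as an added example that is not from the original thread: an IOS extended ACL applied inbound on the guest VLAN subinterface of an ISR doing router-on-a-stick, so that only TCP/80 to 10.0.0.2 crosses from VLAN 2 into VLAN 1. The interface names, the gateway addresses 10.0.0.1 and 10.0.1.1, and the ACL name GUEST-IN are assumptions; the subnets, VLAN IDs and the server address 10.0.0.2:80 come from the post.

```cisco
! Assumed trunk port carrying both VLANs from the switch (802.1Q)
interface GigabitEthernet0/1
 no ip address
!
! VLAN 1 "Internal Net" (assumed gateway 10.0.0.1)
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
!
! VLAN 2 "Guest WiFi" (assumed gateway 10.0.1.1); the ACL filters
! traffic as it enters the router FROM the guest VLAN
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.0.1.1 255.255.255.0
 ip access-group GUEST-IN in
!
! First match wins; an implicit "deny ip any any" ends every IOS ACL
ip access-list extended GUEST-IN
 remark Guest WiFi may reach the web server on TCP/80 only
 permit tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq 80
 remark Add further "permit" lines here for printers or other services
 remark Everything else aimed at the internal VLAN is dropped
 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 remark Guests may still reach the Internet via the WAN/NAT interface
 permit ip 10.0.1.0 0.0.0.255 any
```

Return traffic from the server arrives on the VLAN 1 subinterface, which carries no ACL, so the web exchange completes without a stateful inspection feature; if guests must obtain DHCP or DNS from a host on 10.0.0.0/24, add permits for those services above the deny line. On a Catalyst Layer 3 switch the same ACL goes under `interface Vlan2` instead of a subinterface.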

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Off the top of my head, here are some examples.

Cisco
1921 router
ASA 5520

Juniper
SRX 210

You may want to verify the performance, ports, Layer-2/3 features, and throughput on the manufacturer's website to see whether the gear's price quote justifies the performance. From my experience, the Juniper SRX 100 might be your best bang for your buck.

hang10

join:2002-11-03
Temecula, CA
I struggled with this same problem for some time. I ended up buying a layer 3 switch to handle all the inter-VLAN routing, ACLs, etc. I purchased the Juniper EX2200 and have been very happy. Comes with gigabit and PoE. I use an ASA5505 for the gateway. All routing inside the network is handled by the switch. Support was very cheap at 70 bucks for 3 years for software and hardware.

Hang10

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to mdpeterman
- What's the budget you're looking for?

- Are you looking to buy brand new with smartnet, or are you okay with ebay pickings and Google support?

ZBFW or private VLANs would give you the isolation you want for your VLANs, but you're looking at having to pick up a separate switch that has PVLAN support.

Regards

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
reply to mdpeterman
Almost any business-class commercial router with GigE NICs will be able to pull this off easily. That said, almost any modern open source router with GigE NICs will be able to pull this off easily too.

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
said by mdpeterman:

To be future proof I want NAT and firewall throughput to be at least 100mbps.

said by Bink:

Almost any business-class commercial router with GigE NICs will be able to pull this off easily.

NEGATIVE. Only the very highest end commercial products can do 100mbps, wire speed, NAT (and firewall.) 100M NAT is a lot of work for a router. Most lower end PCs (Linux, FreeBSD, etc.) can handle it without much trouble -- which means most middle-ground firewalls can do it... I've never tested a base ASA5505, but an older Pix520 can do it. (they aren't very good at routing, 'tho.)

(Cisco routers are designed for routing, not high-touch security features. As such, they don't have the cpu power to do heavy lifting.)

mdpeterman

join:2010-10-10
Westerville, OH
reply to HELLFIRE
I would like to stay about or under 2k for the router and about 2k for the switch if possible, but there is flexibility if needed to get all of the features I need.

Not sure the best route for me to take as far as purchasing. What are the costs and benefits of Smartnet vs. just buying outright?

I was looking at the Cisco SG500X-48P-K9-NA switch. Will that work alongside one of the Cisco ISRs to take care of the features listed in my initial post?

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
reply to cramer
said by cramer:

said by Bink:

Almost any business-class commercial router with GigE NICs will be able to pull this off easily.

NEGATIVE. Only the very highest end commercial products can do 100mbps, wire speed, NAT (and firewall.) 100M NAT is a lot of work for a router. Most lower end PCs (Linux, FreeBSD, etc.) can handle it without much trouble -- which means most middle-ground firewalls can do it... I've never tested a base ASA5505, but an older Pix520 can do it. (they aren't very good at routing, 'tho.)

(Cisco routers are designed for routing, not high-touch security features. As such, they don't have the cpu power to do heavy lifting.)

Just because Cisco is notorious for putting underpowered CPUs in their routers doesn’t mean everyone else does too—and an ASA5505 does not have GigE NICs.

nosx

join:2004-12-27
00000
kudos:5
Now now, can't we all just agree that mbps is an absolutely worthless way to measure router performance?

Frames per second is the only valuable metric because whether there are 64 bytes of data in the frame or 1500 or 9000 bytes of data in the frame, none of that changes the actual performance of the forwarding engine that spends all day looking up entries in a table.

If you send 64-byte frames through a million-packet/sec router, it will only push a piddly 488mbps, while if you send 9000-byte jumbo frames that number jumps to over 70gig/sec.

Measuring throughput in bits/sec is an ancient internet-perpetuated myth. That's why the router performance doc from Cisco lists packets/sec and the mbps value everybody gets angry with is WITH 64 BYTE FRAMES, but too-long;didn't-read skips over the details of what the test shows and how to apply that data.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to mdpeterman
said by mdpeterman:

I would like to stay about or under 2k for the router and about 2k for the switch if possible, but there is flexibility if needed to get all of the features I need.

Then the equipment I suggested should fit the bill.

said by mdpeterman:

Not sure the best route for me to take as far as purchasing. What are the costs and benefits of Smartnet vs. just buying outright?

With a support contract (either Cisco Smartnet or Juniper Care), you have insurance in case something goes wrong hardware wise, software (firmware) wise, or with technical assistance.

I suggest you choose a local reseller that specializes in small businesses to get the best deal.

said by mdpeterman:

I was looking at the Cisco SG500X-48P-K9-NA switch. Will that work along side one of the Cisco ISRs to take care of the features listed in my initial post?

If I were you I would stay away from ex-Linksys products since they are not real Cisco products. A Catalyst 2960 switch should be a consideration starting point instead.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to mdpeterman
said by cramer:

I've never tested a base ASA5505

I've done some IPERF testing with a 5505 on a default config, and 100Mbit wirespeed is no problem for the device, but I do agree with cramer's assessment the PIX / ASA line sucks for routing -- ie. no IS-IS or BGP functionality.

If 2K for your router and 2K for the switch are your thoughts, I'd agree on getting a managed switch -- 2950 / 2960 should be good to start, but if you want private VLANs that'd entail a 3560 or 3750, which can EASILY cost 10K brand new, so do some checking around.

If uptime is another key consideration for you, I'd also budget for Smartnet / JCARE / etc; the WORST thing is when a key piece of equipment dies and you get the dreaded "this is not under any sort of coverage, have a nice day" brushoff.

Let us know if you have any other questions that would help you narrow your choices.

Regards

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
Indeed. It's not just routing protocols, but the core capability of "routing and forwarding". A Pix can do it, but it's ugly. The ASA is a little better (same-security level), but only slightly.

In this case, I'd use a firewall for firewall functions (NAT, access policies, IDS/IPS [slow on anything], etc.) and a layer 3 switch for routing. (And a midspan power inserter for PoE if there's a need for line powered IP phones. The cost for integrated switch PoE isn't worth it, on this scale.)

hang10

join:2002-11-03
Temecula, CA
reply to mdpeterman
I know this is a Cisco forum but seriously the Juniper EX2200 is an excellent switch for the price. And they don't hammer you on the support. The ASA is also a good choice because of the ability to add features if you need them at a later date.

moazzamali

join:2010-07-09
54000
reply to mdpeterman
I will suggest you buy a Cisco 1921 with base license, an ASA 5505 with base license and a 2960 with LAN Base image.
As far as inter-VLAN routing is concerned, the Cisco 2960 with LAN Base image can be used for routing.
In this scenario the router will be used for NAT and the ASA will be used as the firewall. The firewall and router are both within your budget. Always get Smartnet.
In case your router or switch stops working, Cisco will immediately (depending upon your service contract) replace it at no additional cost.
If you want an exact BOQ, do let me know.
Feel free to ask if you have any query.