887 with Gigabit ports and Gigabit "internet"

If I had ethernet to the premises and an 887 with Gigabit ports, could that not handle a Gigabit "internet" connection subject to appropriate SVI/VLAN and NAT configs? How much speed does NAT soak up with, say, 3 clients?
|
aryoba
MVM
2013-Jan-22 6:54 pm
Just because something has a Gigabit port (whether it is a switch port, router port, or NIC port), it does not necessarily mean that it is able to push data at wire speed. Certain other considerations are also in the mix, such as CPU, ASIC, and backplane (if applicable). For a server NIC, hard drive speed and buffers come into play.
There is a Cisco router performance table that can be found in this forum FAQ to get some idea of how capable the routers are in terms of pps (packets per second) data throughput.
|
|
to markysharkey
Second aryoba's comments entirely. If you take a look at the performance sheets of Cisco, or for that matter any manufacturer's gear, you'll see how much of a performance delta you'll get between "bare metal" / base config, and "all the bells and whistles turned on." Stuff like crypto, IDS / IPS / Anti-anything basically drops performance thru the basement floor on ANY performance spec sheet I've ever read to date.
Short version, "test for yourself according to your needs / environment."
Regards
|
|
|
Clearly I am misremembering the spec of the 887, as the 4 switch ports are 10/100, not Gigabit. Plan B then would be to drop the internet connection into an L3 switch with either an IP address on the interface after running the no switchport command, or adding a VLAN and appropriate SVI. Are there any flaws in that plan?
Also, apologies to anyone from the other thread where I posted this originally. Clearly the mods like to keep things 100% on topic. I will know for the future.
|
|
meta
Member
2013-Jan-23 7:38 pm
While that would work if you had globally unique IPs on all your endpoints/hosts, multilayer switches will, generally speaking, not do things like NAT. That would be the role of a router as opposed to a switch.
|
|
NAT... good point =:-o I'll have to see if the "routing" IOS of a 2960S does NAT. If not, I'll have to install the ISP's basic router and refund the cost of the 887 that's currently sitting on an ADSL line. My project manager is gonna love that when I tell him!
|
markysharkey
Seems like a 1921 might fit the bill to replace the 887 on that particular installation. I would welcome your thoughts on that option.
|
cramer
Premium Member
to markysharkey
The 2960(S) can barely do any L3 (static) routing. I seriously doubt it can do NAT. The 3550 won't, and it's a "true" L3 switch -- some of the commands are there, but it doesn't support it.
|
|
to markysharkey
Hardware wise, a 1921 router fits the bill. You may want to add an HWIC-1ADSL card so that your ADSL terminates on your own equipment instead of on the ISP's basic router.
With the 1921 router, keep in mind that you will then have to have at least the IP Security license in order to support firewall features like CBAC or ZBF (assuming you do want to have a firewall in place between your internal network and the ISP/Internet).
Another consideration is to get a firewall with full routing capabilities and no extra cost for licensing, which is the Juniper SRX 210. Similarly, you may want to add an ADSL PIM card to terminate the ADSL line.
|
|
Cramer... yes, I need to double check the 2960S for NAT commands. I agree it's doubtful, but I need to console in and be 100% sure...
Aryoba, the ISP is providing ethernet connectivity independently of the PSTN line. I could keep the ADSL line for bonding / back-up, but with a 1 Gb (yes, 1 Gb) internet connection, bonding an extra ~10 Mb ADSL line doesn't really seem worthwhile. Failover is a different story, so I may well add an ADSL WIC for that purpose.
|
|
aryoba
MVM
2013-Jan-24 9:01 am
said by markysharkey:
Cramer... yes I need to double check the 2960S for NAT commands. I agree it's doubtful, but I need to console in and be 100% sure...

The only Cisco Catalyst switch model that I know supports NAT is the 6500 series. Since you are getting a 1 Gbps connection, getting a 6500 series is not a bad idea, especially when you can get one cheap on eBay.

said by markysharkey:
Aryoba, the ISP is providing ethernet connectivity independently of the PSTN line. I could keep the ADSL line for bonding / back-up, but with a 1Gb (yes 1 Gb) internet connection, bonding an extra ~10Mb ADSL line doesn't really seem worthwhile. Failover is a different story so I may well add an ADSL WIC for that purpose.

Cisco switches/routers are not that smart in handling failover that involves NAT with two different subnets. Using a firewall for such a purpose (i.e. Cisco ASA or Juniper SRX) is more fitting, since a firewall has an elegant way of handling it and is natively designed for that purpose. I imagine this 1 Gbps connection is a broadband type (cable Internet) instead of an actual circuit of Unprotected Wave or OC-48?
|
|
cramer
Premium Member
2013-Jan-24 10:54 am
said by aryoba:
Cisco switches/routers are not that smart in handling failover that involves NAT with two different subnets...

To be fair, NOTHING can. NAT into two different public subnets is going to end up with broken connections when the link fails. NAT into ISP1's address space is going to break with the link, as you cannot use ISP1's addresses through ISP2. No one should have to think about that equation. (Using your own address space announced to each ISP is a different story. Since the ASA doesn't do BGP, it's ruled out here.)
|
|
aryoba
MVM
2013-Jan-24 11:03 am
For non-critical or non-sensitive applications such as Internet browsing, shifting from the ISP 1 subnet to the ISP 2 subnet is likely to be transparent from the users' perspective, unless the backup ISP link bandwidth is significantly smaller or more congested than the primary one. In regards to having the firewall announce your own address space to each ISP via BGP, the Juniper SRX is a better choice than the ASA.
|
|
to aryoba
It's ethernet. The ISP is an independent here in the UK building their own infrastructure. They present me with an RJ45 hanging off some CAT6. Local equipment is installed in (usually) the apartment block plant room, with fibre back to the local distribution point and CAT6 to any apartment signing up to the service. I'm taking an 887 to test SVI and "raw" ethernet port behaviour and do some basic speed tests with NAT and CBAC configured. I may suggest an ASA, but as this is a domestic install an ASA might be overkill. A 1921 with a Sec licence should do, I would think.
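As an added example (not a configuration from this thread or from any poster), here is the minimal shape of the NAT-plus-CBAC edge configuration markysharkey describes testing, written for a 1921: the ISP handoff on Gi0/0 via DHCP, the LAN on Gi0/1 as 192.168.10.0/24, and the interface and ACL names are all assumptions. As aryoba notes above, CBAC on a 1921 needs the IP Security (securityk9) license, and the inbound ACL on the outside interface only admits traffic that CBAC has seen leave.

```cisco
! Added example: 1921 edge with NAT overload and CBAC (assumed names/addresses)
hostname edge-1921
!
! CBAC stateful inspection of sessions leaving towards the ISP
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
!
interface GigabitEthernet0/0
 description ISP Ethernet handoff (assumed DHCP-assigned public address)
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect CBAC-OUT out
 no cdp enable
!
interface GigabitEthernet0/1
 description LAN (assumed 192.168.10.0/24)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Which inside hosts are translated
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
!
! Unsolicited inbound traffic is dropped and logged; CBAC inserts
! dynamic permits ahead of this deny for return traffic of inspected sessions
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! PAT all inside hosts behind the address on Gi0/0
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 dhcp
```

The pieces to verify after applying it are `show ip nat translations` for active translations and `show ip inspect sessions` for the CBAC state that is permitting return traffic.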
|
|
aryoba
MVM
2013-Jan-24 11:36 am
said by markysharkey:
It's ethernet. The ISP is an independent here in the UK building their own infrastructure. They present me with an RJ45 hanging off some CAT6. Local equipment is installed to (usually) the apartment block plant room with fibre back to the local distribution point and CAT6 to any apartment signing up to the service.

It sounds like the 1 Gbps pipe will be shared among multiple tenants, of which you may end up getting 10% or 5% depending on the tenant usage pattern or any bandwidth shaping methodology the building management has implemented. With that in mind, a 1921 router, ASA 5505, or SRX 100 should fit the bill.

said by markysharkey:
I may suggest an ASA but as this is a domestic install an ASA might be overkill. A 1921 with a Sec licence should do I would think.

If I were you, I would ask for a price, feature, and performance comparison table from your authorized Cisco reseller. You will then decide which one is most suitable.
|
|
quote: It sounds like the 1 Gbps pipe will be shared among multiple tenants

Nope. Each tenant is supplied with a dedicated connection at either 20Meg, 100Meg or 1 Gig depending on how much they spend on their monthly subscription. This is a high end ISP installing bespoke kit on each site for high end, high worth individuals. The client will religiously check they are getting what they're paying for and will sue if they routinely don't get what the SLA / T's and C's say they should get. Yes, I know download speeds aren't an exact science, but thankfully if speeds are down it's not my head on the block, unless I have under-specced the kit.
|
|
to markysharkey
said by aryoba:
said by markysharkey:
Cramer... yes I need to double check the 2960S for NAT commands. I agree it's doubtful, but I need to console in and be 100% sure...
The only Cisco Catalyst switch model that I know supports NAT is 6500 series. Since you are getting 1 Gbps connection, getting 6500 series is not a bad idea especially when you can get one for cheap on ebay

Guaranteed the lower end Catalyst switches won't do NAT -- i.e. 29xx, 35xx, 36xx, 37xx. 6500s will, but I recall someone once telling me it was with a VERY specific combination of SUPs and code. For ISRs and fixed switches, use them for what they are designed for -- ISR for routing and fixed switch for switching. Here's a Q&A on the 3750s that confirms they can't do NAT.

Question, who's the ISP here, if you don't mind sharing, markysharkey?

Regards
|
cramer
Premium Member
2013-Jan-25 12:14 am
When in doubt... /go/fn
2960C, 3560C, 5000-RSM/RSFC (really?) and several 6000 combinations
|
|
to HELLFIRE
said by HELLFIRE:
said by aryoba:
said by markysharkey:
Cramer... yes I need to double check the 2960S for NAT commands. I agree it's doubtful, but I need to console in and be 100% sure...
The only Cisco Catalyst switch model that I know supports NAT is 6500 series. Since you are getting 1 Gbps connection, getting 6500 series is not a bad idea especially when you can get one for cheap on ebay
Guarenteed the lower end Catalyst switches won't do NAT -- ie. 29xx, 35xx, 36xx, 37xx. 6500s will, but I recall someone once telling me it was with a VERY specific combination of SUPs and code.

You can always plug in an FWSM to do NAT plus some security stuff.
|
|
OK, so that saves me having to log in to the switch. NAT is out, so I'll go with a 1921, remove the current 887 and donate it to myself as lab equipment.
|