markysharkey
Premium
join:2012-12-20
united kingd

1 edit

887 with Gigabit ports and Gigabit "internet"

If I had ethernet to the premises and an 887 with Gigabit ports, could that not handle a Gigabit "internet" connection subject to appropriate SVI/VLAN and NAT configs?
How much speed does NAT soak up with, say, 3 clients?


aryoba
Premium,MVM
join:2002-08-22
kudos:4

1 recommendation

Just because something has a Gigabit port (whether it is a switch port, router port, or NIC port), it does not necessarily mean that it is able to push data at wire speed. Certain considerations are also in the mix, such as CPU, ASIC, and backplane (if applicable). For a server NIC, hard drive speed and buffers come into play.

There is a Cisco router performance table that can be found in this forum's FAQ to get some idea of how capable the routers are in terms of pps (packets per second) throughput.


HELLFIRE
Premium
join:2009-11-25
kudos:13
reply to markysharkey

Second aryoba's comments entirely. If you take a look at the performance sheets of Cisco, or for that matter any manufacturer's gear, you'll see how much of a performance delta you'll get between "bare metal" / base config, and "all the bells and whistles turned on." Stuff like crypto, IDS / IPS / Anti-anything basically drops performance thru the basement floor on ANY performance spec sheet I've ever read to date.

Short version, "test for yourself according to your needs / environment."

Regards


markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey

Clearly I am mis-remembering the spec of the 887 as the 4 switch ports are 10/100, not Gigabit.
Plan B then would be to drop the internet connection into an L3 switch, either with an IP address on the interface after running the no switchport command, or by adding a VLAN and an appropriate SVI. Are there any flaws in that plan?

Also, apologies to anyone from the other thread where I posted this originally. Clearly the mods like to keep things 100% on topic. I will know for the future.


nosx

join:2004-12-27
00000
kudos:5

While that would work if you had globally unique IPs on all your endpoints/hosts, multilayer switches will generally speaking not do things like NAT. That would be the role of a router as opposed to a switch.


markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey

NAT... good point =:-o
I'll have to see if the "routing" IOS of a 2960S does NAT.
If not I'll have to install the ISP's basic router and refund the cost of the 887 that's currently sitting on an ADSL line. My project manager is gonna love that when I tell him!
--
Binary is as easy as 01 10 11


markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey

Seems like a 1921 might fit the bill to replace the 887 on that particular installation. I would welcome your thoughts on that option.
--
Binary is as easy as 01 10 11


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8
reply to markysharkey

The 2960(S) can barely do any L3 (static) routing. I seriously doubt it can do NAT. The 3550 won't, and it's a "true" L3 switch -- some of the commands are there, but it doesn't support it.


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to markysharkey

Hardware wise, a 1921 router fits the bill. You may want to add an HWIC-1ADSL card to keep your ADSL terminating on your own equipment instead of on the ISP's basic router.

With a 1921 router, keep in mind that you will then have to have at least the IP security license in order to support firewall features like CBAC or ZBF (assuming you do want to have a firewall in place between your internal network and the ISP/Internet).

Another consideration is to get a firewall with full routing capabilities and no extra cost for licensing, which is the Juniper SRX 210. Similarly, you may want to add an ADSL PIM card to terminate the ADSL line.


markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey

Cramer... yes I need to double check the 2960S for NAT commands. I agree it's doubtful, but I need to console in and be 100% sure...

Aryoba, the ISP is providing ethernet connectivity independently of the PSTN line. I could keep the ADSL line for bonding / back-up, but with a 1Gb (yes 1 Gb) internet connection, bonding an extra ~10Mb ADSL line doesn't really seem worthwhile. Failover is a different story so I may well add an ADSL WIC for that purpose.
--
Binary is as easy as 01 10 11


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by markysharkey:

Cramer... yes I need to double check the 2960S for NAT commands. I agree it's doubtful, but I need to console in and be 100% sure...

The only Cisco Catalyst switch model that I know supports NAT is the 6500 series. Since you are getting a 1 Gbps connection, getting a 6500 series is not a bad idea, especially when you can get one cheap on eBay.

said by markysharkey:

Aryoba, the ISP is providing ethernet connectivity independently of the PSTN line. I could keep the ADSL line for bonding / back-up, but with a 1Gb (yes 1 Gb) internet connection, bonding an extra ~10Mb ADSL line doesn't really seem worthwhile. Failover is a different story so I may well add an ADSL WIC for that purpose.

Cisco switches/routers are not that smart at handling failover that involves NAT with two different subnets. Using a firewall for such a purpose (i.e. Cisco ASA or Juniper SRX) is more fitting, since a firewall has an elegant way of handling it and is natively designed for such a purpose.

I imagine this 1 Gbps connection is a broadband type (cable Internet) instead of an actual circuit such as an unprotected wave or OC-48?

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

said by aryoba:

Cisco switches/routers are not that smart in handling failover that involves NAT with two different subnets...

To be fair, NOTHING can. NAT into two different public subnets is going to end up with broken connections when the link fails. NAT into ISP1's address space is going to break with the link, as you cannot use ISP1's addresses through ISP2. No one should have to think about that equation.

(Using your own address space announced to each ISP is a different story. Since the ASA doesn't do BGP, it's ruled out here.)

aryoba
Premium,MVM
join:2002-08-22
kudos:4

For non-critical or non-sensitive applications such as Internet browsing, shifting from the ISP 1 subnet to the ISP 2 subnet is likely to be transparent from the user's perspective, unless the backup ISP link bandwidth is significantly smaller or more congested than the primary one.

In regards to having the firewall announce your own address space to each ISP via BGP, Juniper SRX is a better choice than the ASA.
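
The two points cramer and aryoba make above (existing NAT sessions break on a link failover, new sessions such as browsing carry on, and announcing your own prefix to both ISPs sidesteps the problem) can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from any Cisco or Juniper product: it is a toy source-NAT table with a primary and backup uplink. All addresses are constructed from documentation ranges, and the ISPs, hosts and the `own_prefix_ip` option are hypothetical.

```python
# Toy model of source NAT across an ISP failover (added example, not from the thread).
# Shows why flows translated to ISP1's address cannot survive a switch to ISP2, why
# flows started after the failover work, and why using your own prefix announced via
# both ISPs avoids the break. Addresses are constructed from RFC 5737 documentation ranges.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ISP1_PUBLIC = "198.51.100.10"   # address ISP1 assigned to the router's uplink (constructed)
ISP2_PUBLIC = "203.0.113.20"    # address ISP2 assigned to the router's uplink (constructed)

# A flow is identified by inside host/port and destination host/port.
FlowKey = Tuple[str, int, str, int]


@dataclass
class NatEntry:
    public_ip: str     # translated source address chosen when the flow was created
    public_port: int   # translated source port


@dataclass
class DualUplinkNat:
    """Source NAT router with a primary (ISP1) and a backup (ISP2) uplink."""
    own_prefix_ip: Optional[str] = None   # hypothetical: your own space announced to both ISPs
    primary_up: bool = True
    table: Dict[FlowKey, NatEntry] = field(default_factory=dict)
    next_port: int = 10000

    def egress_ip(self) -> str:
        """Public source address used for NEW flows on the currently active uplink."""
        if self.own_prefix_ip is not None:
            return self.own_prefix_ip            # same address whichever ISP carries it
        return ISP1_PUBLIC if self.primary_up else ISP2_PUBLIC

    def translate(self, key: FlowKey) -> NatEntry:
        """Translate an outbound packet. An existing entry is reused unchanged, which is
        exactly what pins a pre-failover flow to ISP1's address."""
        entry = self.table.get(key)
        if entry is None:
            entry = NatEntry(self.egress_ip(), self.next_port)
            self.next_port += 1
            self.table[key] = entry
        return entry

    def reply_deliverable(self, key: FlowKey) -> bool:
        """Can the remote side's reply reach us over the active uplink? ISP2 does not
        carry ISP1's prefix, so a reply addressed to ISP1's address is only deliverable
        while ISP1 is the active path. An announced own prefix is reachable via either."""
        entry = self.table.get(key)
        if entry is None:
            return False
        if self.own_prefix_ip is not None:
            return entry.public_ip == self.own_prefix_ip
        active_ip = ISP1_PUBLIC if self.primary_up else ISP2_PUBLIC
        return entry.public_ip == active_ip

    def fail_primary(self) -> None:
        self.primary_up = False


def failover_scenario(own_prefix_ip: Optional[str] = None) -> dict:
    """Open a long-lived session, fail ISP1, then open a new browsing session."""
    nat = DualUplinkNat(own_prefix_ip=own_prefix_ip)
    ssh = ("192.168.1.10", 40000, "shell.example.net", 22)   # long-lived session (constructed)
    nat.translate(ssh)
    nat.fail_primary()                                        # ISP1 link goes down
    web = ("192.168.1.11", 40001, "www.example.org", 443)    # new session after failover
    nat.translate(web)
    nat.translate(ssh)   # ssh keeps sending; its existing entry is reused as-is
    return {
        "ssh_public_ip": nat.table[ssh].public_ip,
        "ssh_survives": nat.reply_deliverable(ssh),
        "web_public_ip": nat.table[web].public_ip,
        "web_works": nat.reply_deliverable(web),
    }


if __name__ == "__main__":
    print("NAT to ISP-assigned addresses:", failover_scenario())
    print("NAT to own announced prefix:  ", failover_scenario("192.0.2.1"))
```

With ISP-assigned addresses the SSH session is translated to ISP1's address and its replies have nowhere to go once ISP2 is the only path, while the web session opened afterwards is translated to ISP2's address and works; with an own prefix reachable through both ISPs, both sessions survive. The model ignores entry timeouts and the remote side's own state, which only make the break more visible in practice.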


markysharkey
Premium
join:2012-12-20
united kingd
reply to aryoba

It's ethernet. The ISP is an independent here in the UK building their own infrastructure. They present me with an RJ45 hanging off some CAT6.
Local equipment is installed to (usually) the apartment block plant room with fibre back to the local distribution point and CAT6 to any apartment signing up to the service.
I'm taking an 887 to test SVI and "raw" ethernet port behaviour and do some basic speed tests with NAT and CBAC configured.
I may suggest an ASA but as this is a domestic install an ASA might be overkill. A 1921 with a Sec licence should do I would think.
--
Binary is as easy as 01 10 11


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by markysharkey:

It's ethernet. The ISP is an independent here in the UK building their own infrastructure. They present me with an RJ45 hanging off some CAT6.
Local equipment is installed to (usually) the apartment block plant room with fibre back to the local distribution point and CAT6 to any apartment signing up to the service.

It sounds like the 1 Gbps pipe will be shared among multiple tenants, in which case you may end up getting 10% or 5% of it depending on tenant usage patterns or any bandwidth shaping methodology the building management has implemented.

With that in mind, a 1921 router, ASA 5505, or SRX 100 should fit the bill.

said by markysharkey:

I may suggest an ASA but as this is a domestic install an ASA might be overkill. A 1921 with a Sec licence should do I would think.

If I were you, I would ask for a price, feature, and performance comparison table from your authorized Cisco reseller. You can then decide which one is most suitable.

markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey

quote:
It sounds like the 1 Gbps pipe will be shared among multiple tenants
Nope. Each tenant is supplied with a dedicated connection at either 20Meg, 100Meg or 1 Gig depending on how much they spend on their monthly subscription. This is a high end ISP installing bespoke kit on each site for high end, high worth individuals.
The client will religiously check they are getting what they're paying for and will sue if they routinely don't get what the SLA / T's and C's says they should get.
Yes I know download speeds aren't an exact science but thankfully if speeds are down it's not my head on the block, unless I have under specced the kit.
--
Binary is as easy as 01 10 11

HELLFIRE
Premium
join:2009-11-25
kudos:13
reply to markysharkey

said by aryoba:

said by markysharkey:

Cramer... yes I need to double check the 2960S for NAT commands. I agree it's doubtful, but I need to console in and be 100% sure...

The only Cisco Catalyst switch model that I know supports NAT is the 6500 series. Since you are getting a 1 Gbps connection, getting a 6500 series is not a bad idea, especially when you can get one cheap on eBay.

Guaranteed the lower end Catalyst switches won't do NAT -- ie. 29xx, 35xx, 36xx, 37xx. 6500s will, but I recall someone once telling me it was with a VERY specific combination of SUPs and code. For ISRs and fixed switches, use them for what they are designed for -- ISR for routing and fixed switch for switching.

Here's a Q&A on the 3750s that confirms they can't do NAT

Question, who's the ISP here, if you don't mind sharing, markysharkey?

Regards

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

When in doubt... /go/fn

2960C
3560C
5000-RSM/RSFC (really?)
and several 6000 combinations


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to HELLFIRE

said by HELLFIRE:

said by aryoba:

said by markysharkey:

Cramer... yes I need to double check the 2960S for NAT commands. I agree it's doubtful, but I need to console in and be 100% sure...

The only Cisco Catalyst switch model that I know supports NAT is the 6500 series. Since you are getting a 1 Gbps connection, getting a 6500 series is not a bad idea, especially when you can get one cheap on eBay.

Guaranteed the lower end Catalyst switches won't do NAT -- ie. 29xx, 35xx, 36xx, 37xx. 6500s will, but I recall someone once telling me it was with a VERY specific combination of SUPs and code.

You can always plug in an FWSM to do NAT plus some security stuff.

markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey

OK, so that saves me having to log in to the switch. NAT is out so I'll go with a 1921, remove the current 887 and donate it to myself as lab equipment
--
Binary is as easy as 01 10 11