Router on a stick slow!

We've upgraded our old Custom Built Linux Router (ipTables) to a Router on a Stick model using a Netgear SRX5308. The old Linux router had 6 NICs as gateways for our 6 Subnetworks. 5 were on our LAN while the last one connected up to the internet. This router handled crossing traffic between networks and worked fine.

The new setup is the Netgear Router with 6 VLANs set up on it with gateway IPs. We've enabled intervlan routing to enable this router to route traffic between the VLANs.

Problem is, we are experiencing significant network degradation by going to the new model. Because of our problems, Netgear gave us a completely new one, but I still have my doubts that this will cope.

This is the device here:
http://www.netgear.com/business/products/security/wired-VPN-firewalls/SRX5308.aspx

Can someone tell me whether this device is ideal to handle a network of our size? We have 6 different VLANs. One for servers, one for wireless, one for our DMZ, and the other 3 for segmenting our network. As you can see, intervlan routing is critical to get everything talking to each other. We've got about 20 servers and 400 network clients (computers, printers, IP cameras etc).
Any advice would be much appreciated.
Asked by: HIBS_ICT

Soulja Commented:
I tell you right off, that router on the stick model is not the most optimal choice in regards to intervlan routing. You really want to keep that at the distribution layer and not on your edge device. The firewall has enough responsibilities in regards to packet inspection, vpn, etc. You should get you a layer 3 switch and let that perform the vlan routing, then uplink that switch to the firewall to pass any internet traffic to it.

pwindell Commented:
Reinforcing what Soulja said:
Get rid of the "on a stick" idea.  That was always a "hack job" of an idea and was never efficient.

Use a LAN Router in a hub & spoke design.  Using a Layer3 Switch for that is great and the most flexible, but it can also be done with a conventional LAN Router if it has at least 6 Interfaces to cover all Segments.   You could blend two Segments on a single interface with VLAN Trunking but then you'd be mixing in the lousy "on a stick" idea back into this again,...so don't.

VLANs?  I try not to ever use the word,...it just breeds confusion.  IP Segments are just IP Segments,...VLANing may be simply the method of how you created them but that is pretty much irrelevant.  If you have IP Segments, then you have IP Segments regardless of how you "got there".

Build it to look like this below.  This one shows 3 segments,...so just add three more.

[Figure: Hub & Spoke]

mikebernhardt Commented:
+1 on the above.

Think about it: You now have 20 servers and 400 clients, communicating via a single router interface, which sees all of the traffic twice-  in and then out again. No, it is not going to work very well.
 
pwindell Commented:
Sorry, I'd have to disagree Mike,

1. The Router is designed for that.  That is what they are built for. They have extremely fast back planes and can handle it just fine.  They also have CPUs in the devices that can handle it. It is their whole reason to exist. I'm also not talking about doing it with a 20 year old Cisco 2501 or some home-user thing you'd get at BestBuy.

2.  The Router only sees the traffic that actually has to cross it from one side to another.  If the traffic does not have to cross the router then the traffic never leaves the Layer2 switch fabric.  When the communicating Hosts are in the same subnet together,.. the sending Host sends an ARP request,... the receiving Host answers the request and the traffic goes directly to the target Host based on the MAC address without even affecting the Router.

3.  I have been using this design in practice in a production environment for over a decade.  It runs and performs beautifully, and I have a lot more than 20 servers.  It is a whole building packed full of equipment (more equipment than humans) and some of it is very "busy" equipment.  I even have exactly 6 IP Segments just as the original poster to this thread has.  The Router I use is built to handle up to 256 Subnets,...so I am sure it can handle 6,...and it is not even considered a "high-end" Router.

On a positive note, you are helping to make a point I always make about keeping subnets within /24-bit 254-Host segments.  Putting 400 Hosts and 20 Servers into a single segment by rolling the Mask back to /23 (510 hosts) would be a mess with all the broadcasts clogging it up.  Every time I make that point all I get are arguments from people who refuse to build their networks properly.

Soulja Commented:
@ pwindell

What exactly are you disagreeing with? Running that much traffic through a single router interface is not optimal. In your first comment you even recommended using a routed interface per vlan.

Now if we stick to the context of the original question which was vlan routing, the optimal design is to put Layer 3 switching at the distribution layer to handle inter-vlan routing. This is common best practice. Why would you put a router at the distribution layer when you would be restricted by port density, where an L3 switch has more available?

Yes, your design would work, but that doesn't mean it is the optimal, best practice design. Just like router on the stick works, but it's not best practice.

pwindell Commented:
"Think about it: You now have 20 servers and 400 clients, communicating via a single router interface, which sees all of the traffic twice-  in and then out again. No, it is not going to work very well."

So was this a statement about his design or the one I gave him?  I interpreted it to be against mine.

I suggested to get away from the "router on a stick" thing and use a more conventional design.  I'm suggesting a Router with 6 Interfaces.  If a conventional router or an L3 Switch,..I don't care.  An L3 still has interfaces,...they are just virtualised in how you group the ports with the VLANs.

"Yes, your design would work, but that doesn't mean it is the optimal, best practice design. Just like router on the stick works, but it's not best practice."

That would be the part I completely disagree with.  I think you are completely underestimating what a good L3 switch is capable of handling.  It can handle 6 subnets perfectly fine (router on a stick won't),...I've been demonstrating it "live" at our place for over 12 years.  Now you start getting up to 32 or 64 subnets,..that's a different story. Secondly, I am not opposed to using more than one router,...the drawing is generic,...was not created just for this thread, and is intended to communicate a design theory,...not be a parts list of the equipment you have to buy.

Also the "router on a stick" that neither of us like,...its main failure on performance isn't simply the router,...it is that the shared cable (which includes the interface speed) can only run so many bits per second and that is all it can do,...even if the Router's RAM and CPU could handle far more than that.  Running multiple physical interfaces will bring back the performance until you start to reach the router's CPU and RAM capacity.  Surely that is something we can agree on.
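
Added example, not part of any post in this thread: a small Python model of the argument above, classifying flows as switched inside one subnet or routed between segments, then comparing the load on one shared trunk port with the busiest port when each segment has its own router interface. The segment names, prefixes, flow rates and the 1000 Mbit/s port speed are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

LINK_MBPS = 1000  # assumed port speed; the thread does not give one

# Constructed addressing plan: six /24 segments (names and prefixes are assumptions).
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "servers": "10.0.10.0/24", "staff-a": "10.0.20.0/24",
    "staff-b": "10.0.30.0/24", "staff-c": "10.0.40.0/24",
    "wireless": "10.0.50.0/24", "dmz": "10.0.60.0/24",
}.items()}

# Constructed sample flows: (source IP, destination IP, Mbit/s).
FLOWS = [
    ("10.0.20.15", "10.0.20.40", 300),   # same subnet: stays in the L2 fabric
    ("10.0.20.15", "10.0.10.5", 250),
    ("10.0.30.8", "10.0.10.5", 200),
    ("10.0.40.9", "10.0.10.6", 200),
    ("10.0.50.77", "10.0.10.7", 150),
    ("10.0.10.5", "10.0.60.3", 100),
    ("10.0.20.16", "10.0.30.9", 150),
    ("10.0.50.77", "203.0.113.10", 50),  # leaves through the WAN port
]

def segment_of(ip):
    """Name of the LAN segment holding ip, or None for an outside address."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def router_load(flows, link_mbps=LINK_MBPS):
    switched = 0
    rx = defaultdict(int)  # Mbit/s entering the router from each segment
    tx = defaultdict(int)  # Mbit/s leaving the router towards each segment
    for src, dst, mbps in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is not None and s == d:
            switched += mbps  # peers resolve each other by ARP; router never sees it
            continue
        if s is not None:
            rx[s] += mbps
        if d is not None:
            tx[d] += mbps
    # On a stick, every segment's rx and tx share the one trunk port.
    stick_rx, stick_tx = sum(rx.values()), sum(tx.values())
    per_if_peak = max(max(rx[n], tx[n]) for n in SEGMENTS)
    return {"switched": switched, "stick_rx": stick_rx, "stick_tx": stick_tx,
            "per_interface_peak": per_if_peak,
            "stick_oversubscribed": max(stick_rx, stick_tx) > link_mbps,
            "per_interface_oversubscribed": per_if_peak > link_mbps}
```

The model covers link capacity only; the router's CPU and RAM limits mentioned above are a separate ceiling it does not represent.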

Soulja Commented:
Man, what are you talking about here?

"I think you are completely underestimating what a good L3 switch is capable of handling."

All of my comments have been in support of using Layer 3 switching for the vlan routing. How am I underestimating it if I am in support of it?

"I am not opposed to using more than one router"

Where did we state to use more than one router?

pwindell Commented:
Soulja,...please pay attention...
I wasn't talking to you in the first place...
I was disagreeing with THIS statement which came after my first post.

"Think about it: You now have 20 servers and 400 clients, communicating via a single router interface, which sees all of the traffic twice-  in and then out again. No, it is not going to work very well."

It came from MIKE,.....NOT you.
So I disagreed with Mike,...not You
I even began by saying,....."Sorry, I'd have to disagree Mike,"
I was also intending to disagree with Mike in a civil, and hopefully informative manner,...at least that was what I was attempting.

Now, as we moved along YOU said:

"Yes, your design would work, but that doesn't mean it is the optimal, best practice design. Just like router on the stick works, but it's not best practice."

That came from YOU,...and yes,..I disagreed with YOU,...on THAT.

"Where did we state to use more than one router?"

Now perhaps you could have clarified why you think my design is not optimal,...but you didn't,...so I was forced to make the assumption that it was because there was only one router handling all six subnets.  To which I responded......I am not opposed to using more than one router.

If you are still confused about who was talking to who and why,...I guess you'll have to stay that way.

pwindell Commented:
Finally, ....if Mike intended that to be a comment to the original poster and not to my design,...then I apologize to Mike,...I misinterpreted it to be toward me (which I clarified that two posts back)

mikebernhardt Commented:
Yes, my statement was in regards to the original poster, not to either of you. My only comment on your posts was "+1 on the above"  which I'm sure you realize means that I agreed with both of you.

What I meant in my comment was that running all that traffic to/from a single router interface could cause a lot of congestion and I'm not surprised that the poster is seeing problems.

pwindell Commented:
That's Mike. Yes that is true, I didn't catch the "+1 on the above" until after I submitted the post,...and unfortunately with EE there is no way to go back and edit anything after it is sent.

Sorry I misinterpreted that.

If the thread would have just ended after your post it would have been perfect.

pwindell Commented:
See,..can't edit posts after sent,...meant to say "Thank's Mike",..not "That's Mike"

This site REALLY needs to do something about that.  I have even talked to them over the phone about being able to edit [your own] posts to correct things like that,...at least up to the point the answer is accepted and the thread closed.

mikebernhardt Commented:
Yeah, that would be a really useful feature. I can't tell you how many times I've posted, then added a 2nd post because I wanted to add/correct something.

pwindell Commented:
You also cannot send private messages between the Site's registered "Experts" (like between me and you).  I talked to them on the phone about that too,..today in fact.  But they weren't interested in that one.

They are interested in the edit feature but can't decide how to approach it.

Soulja Commented:
This is why internet postings will never replace voice to voice communication, as there is just too much miscommunication.

I never disagreed with your original design with an interface for each vlan, I was stating that it is not the best practice design. I can say that we all agree that one interface for vlan routing is not optimal.

Case closed.

pwindell Commented:
I think it is best practice design.  So that disagreement was legit,...the rest was just a misunderstanding.  We should just drop it,..there is no point in it anymore.

You're right on the internet posting not ever replacing voice-to-voice.  When I need support with something I pretty much never go to any web forums,...EE, or any other.  I either turn to the product documentation or I call the product Support people (by voice) of whatever product the problem is concerned with.  I also want my problems solved "yesterday",...not 2-3 days from now after waiting on the message turn-around-time you get with web forums.

I also try to never build any "Frankenstein Monsters" at work that are bigger and more complex than my knowledge can handle, and if I see that coming in the future I'm not above going back to school if I have to in order to get ready for it.