Linux - Networking (LinuxQuestions.org)
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I am in the market for a router for my startup's office. We have a 100Mbps fiber connection, and the office is wired with cat-5 attached to a Cisco 300 series managed switch. Currently we have a number of machines connected directly to the Internet with no firewall, with the majority of my colleagues connecting via an Apple Airport Extreme, which really cannot handle the traffic and suffers interference as we are in central London.
I'm looking at some medium-range routers, specifically some WatchGuard XTM 2 Series models (I have experience with the old SnapGear 560, which sadly was killed a couple of years ago).
My main concern is network throughput because we are a video company and upload very large files on a regular basis (saturating 100Mbps up for hours at a time). The WatchGuard spec gives 3 throughput numbers: Firewall, VPN, and XTM in decreasing order of magnitude.
I'm trying to interpret these numbers and wondering if they represent all LAN traffic or just LAN to WAN, and whether up/down traffic should be added together. In short, what should I be looking for if I want to saturate our fiber: do I really need a full 200Mbps Firewall throughput?
If you're just passing video files to remote sites over the net then that's just the "Firewall" throughput. If you need the firewall to be an endpoint for a VPN, then that will naturally bring the throughput down due to all the extra encryption work it has to do. It sounds like this is not a VPN-based scenario, or you would have said it was, so those 2 Series devices would be fairly well aligned to your fibre connection. (fiber?? awww come on, you're in London!!) The XTM stuff appears to be some form of IDS, and so given you have a defined set of upload / download endpoints for your video you'd probably just want to exclude those endpoints from this filtering.
And these will just be L3 traffic related, so if you were just switching between local machines, it'd be either 100Mbps or 1Gbps based on what ports you were using anyway. I wouldn't recommend switching through that device though, unless you have very logical reasons to do so, otherwise just stick with the Cisco switch and uplink from that to your firewall on a gigabit port.
Thanks for the response. Sorry for the misspellings, but I'm hopelessly American having just arrived in the UK 2 months ago.
As may be obvious I'm a web developer and not well-versed in system or network administration (though I tend to be a jack-of-all-trades), but I have a dumb follow-up.
As far as LAN traffic is concerned, we currently have none because we don't have a router (just the locked down one provided by the telco, which is not providing DHCP). Based on your response, I am to understand that even though this router will provide DHCP to our LAN, LAN traffic will not go through the router directly. That is, the router provides the IP address, but the LAN traffic just goes through the switch without needing to be routed. Again, my mental model of TCP/IP is weak, and my knowledge of what our Cisco switch can do is even fuzzier (it says it can do static L3 routing for instance, but no clue what that means, could it take some of the load off the router for WAN traffic?). So basically, router throughput specs are irrelevant for normal LAN traffic (other than VPN traffic)?
So Layer 2 = switching in your local subnet and L3 = routing between different subnets. So if you're going from 192.168.1.1 to 192.168.1.2 you're just switching, so it will just go up one cable and down another in a L2 world. The Cisco 300 series supports L3 stuff but it doesn't look like you have any reason to want to route outside of getting to the interwebs, so that is why you have the firewall in the first place. You can't offload that routing work, you'd just end up doing it twice. The 300 series also supports ACLs, so you... ***could*** do some security on that instead of buying a firewall altogether, but it is NOT a firewall so I really would suggest you avoid that temptation.
If you introduce a firewall then you'll have an additional network space to be aware of. I presume your ISP has given you a /29 of public IP space or some such, so you'd potentially give all of those addresses to the firewall (but in reality I doubt you'd have any real use for more than one of them) and then add a new subnet behind the firewall, e.g. 192.168.1.0/24, which could be dished out via DHCP from the firewall. Note now though that you would need to perform NAT on the firewall, so all traffic reaching your ISP will appear to come from one of the public addresses they gave you rather than the new private networks behind the firewall, or you'll never see that traffic again. It's an extremely common thing to do, and the smaller the firewall is, the more likely it is that it'll be there enabled by default.
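To make the switched-versus-routed distinction and the NAT behaviour above concrete, here is an added model (not code from the thread or from any of the devices named in it) that classifies sample flows, shows what the ISP side sees after NAT, and totals only the bytes that actually cross the firewall. The 192.168.1.0/24 LAN and the /29 come from the thread; the public addresses, the dev server at 192.168.1.50 and the port forward are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Addressing from the thread: a /29 of public space from the ISP, of which the
# firewall uses one address for NAT, and 192.168.1.0/24 behind it. The concrete
# public addresses below are constructed (TEST-NET ranges), not the real ones.
LAN = ipaddress.ip_network("192.168.1.0/24")
FW_PUBLIC = ipaddress.ip_address("203.0.113.9")
PORT_FORWARDS = {22: ipaddress.ip_address("192.168.1.50")}  # constructed dev server

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    mbytes: int  # megabytes carried by this flow

def classify(flow):
    """LAN-to-LAN stays on the switch (L2, same subnet); LAN-to-WAN is routed
    and source-NATed by the firewall; WAN traffic only enters via a port forward."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in LAN and dst in LAN:
        return "switched"
    if src in LAN:
        return "outbound-nat"
    if dst == FW_PUBLIC and flow.dport in PORT_FORWARDS:
        return "inbound-dnat"
    return "dropped"

def translate(flow):
    """(src, dst) as seen on the far side of the firewall after NAT."""
    kind = classify(flow)
    if kind == "outbound-nat":
        return str(FW_PUBLIC), flow.dst  # the ISP never sees 192.168.x.x
    if kind == "inbound-dnat":
        return flow.src, str(PORT_FORWARDS[flow.dport])
    return flow.src, flow.dst  # switched or dropped: nothing is rewritten

def firewall_megabytes(flows):
    """Only bytes crossing the firewall count against its throughput spec."""
    return sum(f.mbytes for f in flows if classify(f) in ("outbound-nat", "inbound-dnat"))

# Constructed sample: local file copy, big upload, SSH to the dev server, a probe.
SAMPLE = [
    Flow("192.168.1.10", "192.168.1.20", 445, 5000),
    Flow("192.168.1.10", "198.51.100.7", 443, 40000),
    Flow("198.51.100.7", "203.0.113.9", 22, 10),
    Flow("198.51.100.7", "203.0.113.9", 80, 1),
]
```

Run `firewall_megabytes(SAMPLE)` against the sample and the 5000 MB local copy never shows up, which is the point made in the thread: only LAN-to-WAN (and forwarded inbound) traffic has to fit inside the firewall's rated throughput.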
Yes, they've given us a /29 and yes we are okay with DHCP and NAT for most everything. There may be a developer server or two that we want to expose directly on an IP address, but even most of that could be handled with simple port forwarding.