I am going to set up a network in a private address space, which is structured in 4 segments: DMZ (NAT-ing into the public Internet), servers, clients, and guests. All these come together at a CRS125-24G-1S-RM, where there is a unique assignment from segments to the router ports, and a policy about which traffic is acceptable between the individual segments (including VoIP traffic).
My basic question is now: I have the choice of setting up 4 different networks and routing between them, or defining just one network for all segments and setting up a bridge between them. What would you recommend for implementing the firewall rules best (IP firewall or bridge filter)? Throughput/usable bandwidth is the major matter.
DL7JP - I am surprised that a lot of folks haven’t jumped all over this one…
It is really a matter of what works best for you. I’ve been at this stuff for years, even before there was the ‘real’ Internet. The debate has raged on about routed vs ‘smart’ bridges as to what is quicker, provides a stable environment, allows for oversight on all data, etc.
I’ve never been a big fan of bridges in a multi-faceted network. I find them convenient if it’s a one-on-one link-up, especially in a wireless environment, but otherwise I avoid them.
I find for my purposes that a static routed environment gives great performance and granular control of all facets of all connected networks. Using OSPF or BGP in a stable environment also gives great performance and control.
The biggest problem, especially for new users, is loops in a bridge and hidden nodes. Now there are settings, STP and RSTP, that help prevent this type of issue, but you know, some folks are just hell-bent on doing something and create their own nightmare of loops. That is not to say that you would, just saying I have seen it done and it’s not pretty.
Of course the big problem for new users trying to route separate networks is their lack of understanding about routing… That lack of understanding can easily cause just as many issues as bridge loops…
But anyway, regardless of whether you choose bridging or routing, you have the wrong device. The switch is good for switching, but routing or bridging needs to be done in the CPU, so the single link from the switch chip together with CPU performance will be the bottleneck. Compare the CRS125 diagram with some CCR and you will see…
Thanks for your opinions! I decided to go for 4 separate private /24 nets and route rather than bridge - conceptually it seems the more elegant solution, in particular since one /24 is WLAN.
As to CCR: I will try to keep the high bandwidth traffic on switched ports, and I will see how well it works.
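Below is an added configuration example, not from this thread or from MikroTik, showing the routed approach the original poster chose: four /24 segments with the segment policy held in the IP firewall forward chain. Interface names, addresses and the VoIP port range are assumptions.

```routeros
# Added example (not from the thread): four routed /24 segments with an IP firewall
# on RouterOS. Interface names, addresses and the VoIP port range are assumptions.
# ether1 = uplink, ether2 = DMZ, ether3 = servers, ether4 = clients, ether5 = guests
/ip address
add address=10.0.1.1/24 interface=ether2 comment=DMZ
add address=10.0.2.1/24 interface=ether3 comment=servers
add address=10.0.3.1/24 interface=ether4 comment=clients
add address=10.0.4.1/24 interface=ether5 comment=guests

# One list for all inside segments so the Internet rule stays short
/interface list
add name=LAN
/interface list member
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4
add list=LAN interface=ether5

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="NAT to the public Internet"

/ip firewall filter
# Traffic to the router itself: management only from the clients segment
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=ether4 comment="admin access from clients"
add chain=input action=drop comment="default deny to router"

# Traffic between segments: fasttrack established flows (this matters on a CRS125,
# where routing is done by the CPU), then apply the segment policy to new flows only
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 comment="every segment may reach the Internet"
add chain=forward action=accept in-interface=ether4 out-interface=ether3 comment="clients -> servers"
add chain=forward action=accept in-interface=ether4 out-interface=ether2 comment="clients -> DMZ"
add chain=forward action=accept in-interface=ether3 out-interface=ether2 comment="servers -> DMZ"
add chain=forward action=accept in-interface=ether3 out-interface=ether4 protocol=udp dst-port=5060,10000-20000 comment="PBX -> phones: SIP plus an assumed RTP range"
add chain=forward action=drop log=yes log-prefix="FWD-DROP " comment="default deny: guests, DMZ-initiated and anything not listed"
```

Because the last rule logs what it drops, the guest and DMZ segments can be confirmed as isolated from the internal ones by watching the log while testing each cross-segment path.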