I’m looking at putting a RB450G in place as a sort of ‘tap’ on a network (between the router and the switch). My hope is to have the RB act as a silent bridge (possibly ponding two nics for in traffic and 2 for out traffic) while pushing netflow-v5 to a machine (running silk tools).
I currently have the device running with a bridge covering 4 of the nics. Placing it between the router and the switch works, all hosts continue to have network access (so the bridge seems to work). I have also implemented traffic-flow and have enabled it across all interfaces.
My questions:
Traffic flow does not seem to be reporting all flows, any thoughts on this?
When looking (in winbox) at the bridge interface, how come the statistics (packets in / out, etc etc) do not reflect the combination (summation) of all the ports included in the bridge?
For the bridge - use-ip-firewall=yes set? This should get the NetFlow going. Also if they (the flows) are too many - incerase the cache size maybe …
Bridge counting packets - It counts packets to/from MT hsot itslef, for example WInBox traffic! If you want the forwarded (bridged) packets - in WinBox - you can add a counter in Bridge ->Filter -an accept rule.
What is the Router ? A Cisco one or a Linux box ? Why not use the almighty MikroTik?
Thanks for the reply! I enable the fw and yup, it works.
I have another scenario for you, what if instead of putting the RB between the router and the switch I could only place it off of a span port off the switch (monitor port)? I just did this and don’t see any traffic besides traffic generated by the RB itself (pumping traffic flow to my collector), am I missing something that I should change on the config?
As for why not use the RB instead of the cisco router I had it behind, I’m “thinking / workshoping” different solutions for when I might want to place my RB onto a network for the purpose of gathering network traffic info, not necessarily ‘for ever’, i.e I don’t want it to be a permanent piece of hw on the network.
That said, I’m also not quite sure what kind of loads this thing can handle (specs on the site are very NOT industry level and don’t list enough details, at least the stuff I can find). As such I’m reluctant to use one as a outward facing FW and / or router.
The CIsco routers have NetFlow as well. Export the data direclty from it!
Forget about Spanning a port on a swtch! THAT MEANS PACKET LOSS and PERFORMANCE DEGRADATION! Unless its a 1gig switch that talks to a router at less than 100Mbps and you are spanning that port that has that little load only…
Some switches themselves can push NetFlow data to your analyzer / db…
RB in Bridge mode is good but pushing NetFlow woll give you information if you can use it with your amounts of traffic - just watch the CPU usage of the RB at peak hours! It will be good IMO.
RouterOS is pretty reliable. I have seen Cisco go down like sh!t. As well as all kinds of BS from every vendor ha ha.
Unfortunately not all cisco gear can export netflow (especially if it is grey market and out of date)… So your thought on the spanning port scenario is, yes, it would give me info, but the port will get so overloaded that I will loose information due to packet loss (I had suspected this, and yes, unfortunately it will all be giga connections).
Can you explain the “RB in Bridge mode is good but pushing NetFlow woll give you information” line? Are you saying it will or won’t? Sorry to bug so much, very very much appreciate your help (ordering the book you mentioned today).
And I agree, all systems go down, and I suspect this RB guy to be pretty damn solid, I just need to figure out a way to load test it in a non production setting, or talk to someone who can show me the loads it can handle. (Mikrotik themselves?)
-P
I was in bit of hurry and was not able to fix my post.
I mean that when you use the RB in bridge mode with use-ip-firewall=yes - the load on it is equal as if it was the main router taht would otherwise push that traffic. Or close. So watching the CPU usage of the RB will give you a good idea of how much traffic you can run through it in routing mode. (because use-ip-firewall=yes is set).
If your WAN is encrypted then there is a bigger model of RB I beleive for that kind of loads…
That list is interesting but not much use, they all seem to be on the wireless side, and I already have a 450g (and respective case) built up, I’m just looking for better numbers / data on what the load can be on this machine (the pretty bar graph on the web site is a bit ‘vague’).
Opening this thread up as I have come into issues with the RB (450G).
Deployement:
ISP → Router (Cisco) → RB450G → Switch (Cisco)
Goal:
Set the RB as a transparent bridge between router and switch in order to see all traffic (create netflow)
So Far:
eth1 on RB is connected to Cisco Router
eth2 on RB is connected to Cisco Switch
eth1 and eth2 are part of ‘myBridge’, traffic passing, all good (almost, see “issues”)
added vlans to ‘myBridge’ to match up with vlans defined on router, netflow generates traffic for all traffic
Issues:
By adding all vlans to ‘myBridge’ I gain the ability to generate netflow off all the vlan traffic, but does it not break the logical seperation of all the vlans? Perhaps another way to do this?
Biggest issue: DROP in bandwidth. Usually get (using simple online bandwidth tests) 9Mpbs Down / 20 Mbps up, now with RB in place we get 2 down / 1 up!!! What could be causing this?
All physical connections before and with the RB are 100 Mbps, so this isn’t it. I have FW turned on but with no rules (none at all), perhaps this is the issue?
I have had to remove the RB because of this loss in bandwidth, and won’t be able to use it again until I can come up with the reasons behind the loss, so I hope someone can give me some insight or thoughts on where to look.
Well its your own fault you did that smart thing with the VLANs
By he way, can’t ya export the NetFlow from either the Cisco Rotuer and/or the Cisco switch ?
Hey, setting aside me playing around here, I was curous about the exact purpouse of each device here. Maybe an entire network topology diagram would be appropriate, if you expect anyone to understand the issue.
Spanning ports (monitor session) impacts different platforms differently. On 4500/6500 series switches there is absolutely no performance impact. On 2500xl/3500xl all packet copying is still done in the hardware fast switching fabric (very little impact), but all copies must be held until all packets have been forwarded so if the monitoring port is subscribed for over 50% over a long period of time performance on all ports that receive a packet copy can be affected - so unless you’re pushing 500Mbps sustained on a gig port you’re fine even on those older switches. Can’t quickly find any background on newer platforms such as 3560s or the 3700 series but they likely perform better.
guys, he’s asking about the rb450 performance and why it sucks, not how to replace it with another solution. dont bother replying if your going to give him another suggestion other than whats wrong with the rb450…
how many packets per second are you running thru there?
So you have to use ip-firewall=yes because vlans / netflow doesn’t work with out it?
Are you using switch mode or bridge mode?
From what I have experienced on the stndard rb450 is that it barely handles my load on the cable modem here. Normally 10mb of traffic is nothing for these things, but when they are all 64 byte packets it doesn’t perform as well as I’d like. Now I do have a bunch of firewall rules and QoS and things, not just a bridge, but it might just be that this unit is too small for what you are trying to accomplish ?
Is throughput low even when transparent bridge firewall and vlan settings are off?
What ROS version are you using?
What is the CPU usage like?
Edit: What is the MTU size on cisco?
ha ha ha.