purathal
just joined
Topic Author
Posts: 7
Joined: Mon Nov 30, 2015 4:27 am

Firewall protection with 1Gbps throughput

Mon Nov 30, 2015 5:54 am

Hello,

I am new to the MikroTik world and have the following questions.

Here are some of my requirements;

- I am looking for a hardware firewall device to be placed in the hosting industry (high volume traffic).
- The device must be capable of allowing 1Gbps throughput (uplink connection)
- several web, email and application servers will be placed behind the hardware firewall device and each one of those servers will have *multiple* public IPv4 addresses assigned to them. So the hardware firewall device must be capable of protecting all those multiple public IP addresses for various services.
- no vpn access required
- no public IP to private IP natting will be used anywhere in this scenario.
- nothing else really, except pure firewall protection and network monitoring

I am currently considering CCR1009-8G-1S-1S+ device. What are your thoughts based on my above requirements?

Also, any help would be really appreciated if you can point me in the right direction on how to add and manage multiple IP addresses on CCR1009 device as described above.
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Mon Nov 30, 2015 12:19 pm

That device should be suitable for your application.

Without knowing more specific details it's hard to be sure... is 1Gbps the actual traffic volume? If so, can you get any kind of actual firewall interface stats to see packet size distribution?
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
purathal
just joined
Topic Author
Posts: 7
Joined: Mon Nov 30, 2015 4:27 am

Re: Firewall protection with 1Gbps throughput

Mon Nov 30, 2015 5:35 pm

> That device should be suitable for your application.
>
> Without knowing more specific details it's hard to be sure... is 1Gbps the actual traffic volume? If so, can you get any kind of actual firewall interface stats to see packet size distribution?

1Gbps is the actual uplink port allocated to me by the data center. I don't have any stats to show yet as this will be for a brand new setup.

Any idea how I can go about configuring this router/firewall to support multiple IPv4 addresses assigned to each server that's located behind the device? The 1Gbps uplink connection will come with a /29. I will then purchase extra IPs (/27 or /26) to add them to each server. All those /27 and /26 IPs need to go through this firewall device for all (in and out) traffic inspection.
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Tue Dec 01, 2015 6:16 pm

I think this device will cope with your traffic unless it is 1Gbps non-stop, and more than 50% of the packet distribution being 64 bytes.

Nothing special is needed for your setup, just simple routing and firewalling. Public IPs are IPs; think of them just like private or reserved IPs. Just try to use them wisely, without wasting any where a private IP could be used.
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Firewall protection with 1Gbps throughput

Wed Dec 02, 2015 12:21 am

Maybe the CCR1009 can cope with your load,

but

if you have the budget, consider a CCR1036 to have spare CPU power for future growth.

The CCR1036 is 2.0x the price of the CCR1009 but has 4.0x the CPU power; the CCR1036 has the best performance per dollar ratio of all MikroTik products.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Firewall protection with 1Gbps throughput

Wed Dec 02, 2015 2:40 pm

While I love MikroTik products, they wouldn't be my first choice as a firewall. You might consider building (or buying) a hardware based pfSense machine with 3 NICs and run it as an inline firewall/IPS. You just bridge two of the NICs together and enable packet filtering on the bridge interface. The third NIC can be used for management purposes. I built one for my home using about $200 in hardware, and the CPU usually stays under about 15% even when maxing out my Internet connection (about 100 mbps). This setup lets me easily implement Geo-IP filtering, source/destination/port based filtering, built-in Snort IPS, and I really haven't noticed any latency issues. A lot of the MT units tend to drop throughput when you hit about 20+ firewall rules.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Wed Dec 02, 2015 4:54 pm

Well. It always depends. Generally I agree with you, but in case you don't need deep packet inspection or other special things that are not provided by ROS at all, you can have 50 rules on low performance devices like the RB2011 and have no problems with passing 100 Mbit/s in NAT mode. Not only buying some x86 hardware but also managing it and feeding it costs money that you can simply save if you can be satisfied with what ROS offers.
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Wed Dec 02, 2015 9:31 pm

Definitely, if that's going to be the load from the start, and the budget suits, chechito nailed it: go for the 1036.
 
purathal
just joined
Topic Author
Posts: 7
Joined: Mon Nov 30, 2015 4:27 am

Re: Firewall protection with 1Gbps throughput

Fri Dec 04, 2015 3:17 am

> Maybe the CCR1009 can cope with your load,
>
> but
>
> if you have the budget, consider a CCR1036 to have spare CPU power for future growth.
>
> The CCR1036 is 2.0x the price of the CCR1009 but has 4.0x the CPU power; the CCR1036 has the best performance per dollar ratio of all MikroTik products.

Thanks for the suggestion and considering the future growth... CCR1036 looks good. Apart from the uplink connection, out of those 12 x 1Gig ports I suppose I can use many of them as the switch ports? I will have less than 10 devices behind this router/firewall. I want to avoid buying another 1G switch unless I really have to...
 
purathal
just joined
Topic Author
Posts: 7
Joined: Mon Nov 30, 2015 4:27 am

Re: Firewall protection with 1Gbps throughput

Fri Dec 04, 2015 3:27 am

> While I love MikroTik products, they wouldn't be my first choice as a firewall. You might consider building (or buying) a hardware based pfSense machine with 3 NICs and run it as an inline firewall/IPS. You just bridge two of the NICs together and enable packet filtering on the bridge interface. The third NIC can be used for management purposes. I built one for my home using about $200 in hardware, and the CPU usually stays under about 15% even when maxing out my Internet connection (about 100 mbps). This setup lets me easily implement Geo-IP filtering, source/destination/port based filtering, built-in Snort IPS, and I really haven't noticed any latency issues. A lot of the MT units tend to drop throughput when you hit about 20+ firewall rules.

It is interesting that you mention that now... because I have been debating between getting a pfSense or MikroTik (both are new to me). I looked at the pfSense high end appliance (pfSense C2758) and it costs quite a bit more than the recently suggested MikroTik CCR1036, but when comparing them both it appears the CCR1036 will be able to handle a lot more throughput and has better specs?

I don't need deep packet inspection or anything.. I am literally looking for a hardware based firewall solution to sit in front of a few web, email and VPS servers and block all ports except the commonly allowed for web services. But having the ability to add hundreds of public IPv4 addresses and filtering traffic for them is a must.
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Fri Dec 04, 2015 12:28 pm

I have been using pfSense since its first beta until 2013; in fact I still have some pfSense firewalls laying around pending replacement.

I have replaced all, why?

- CCRs cost per port ratio is unbeatable
- CCRs Performance/cost ratio is unbeatable
- CCRs hardware reliability vs PC based solutions = night and day
- CCRs power consumption is 1/10

So without entering OS territory (in fact I don't use Linux since 2000, been using FreeBSD for servers since) just per cost/reliability/performance/power consumption criteria, dedicated hardware for routing/firewalling tasks wins ten out of ten times.

Good multiport network cards for PC platform (Intel based) cost per port is outrageous for routers/firewalls; you almost can buy a CCR1009 just with the cost of two such cards alone, and that's now that more affordable cards have been released (i350); not too long ago the price was 2x.

PC hardware is much more complex than a routerboard, with many more components prone to failing: more fans, add-on cards, HDDs, SSDs, many more slots that can fail, etc.

Entering OS territory, the tools RouterOS offers to debug/diagnose networks out of the box beat any PC based firewall, and speaking of productivity, once you use Winbox, web GUIs will harass you to no end; you'll feel "tangled".
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Firewall protection with 1Gbps throughput

Fri Dec 04, 2015 3:11 pm

I'm not arguing that dedicated network hardware isn't the best option in most cases. It all depends on your use case. For me, given my bandwidth requirements, and the throughput capabilities of the 750GL which I currently use, it made more sense to spend $200 on some x86 hardware and run it as an inline appliance between my ISP and my router. I have a rather complicated home network (multiple subnets that all need simultaneous 1Gbps thru the router, VPN tunnels to other sites, etc.), and it simply would have cost more than $200 to get an MT unit that could handle all my needs. For my application, the CCR1009 comes close, but I'd be running it close to capacity, meaning I'd need at least a 1016, at a cost of over $400 more than my x86 box. Even with a 1016, with the size of my rulebase, I'm not sure I'd be able to get the advertised nearly 12 Gb/s it's capable of once you figure in the overhead of multiple VPN tunnels.

The other advantage of running the x86 for me is that it lets me run Snort inspection on all my inbound/outbound traffic, offering a deeper level of scrutiny that ROS can't provide. So it's not just about the cost/port or cost/performance ratios, it's also about features. Also, there are plenty of appliance options for pfSense that don't involve $1k+ rackmounts...look on eBay and you can find a lot of pfSense appliances for a lot less. You just have to make sure it's right-sized for your particular application.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Fri Dec 04, 2015 5:02 pm

> I'm not arguing that dedicated network hardware isn't the best option in most cases. It all depends on your use case. For

I couldn't agree more... it depends on your use case. SOHO is not the same use case as a company making profit (hosting company I understand), especially in terms of budget criteria.

There are also more considerations for NOC scenarios: rackmount space (U) and power draw count, and count a lot.

> me, given my bandwidth requirements, and the throughput capabilities of the 750GL which I currently use, it made more sense to spend $200 on some x86 hardware and run it as an inline appliance between my ISP and my router. I have a rather complicated home network (multiple subnets that all need simultaneous 1Gbps thru the router, VPN tunnels to

Didn't you say your Internet uplink is 100mbps? Why 1Gbps through the router?

Don't know your previous experience with Routerboard hardware, but the 750GL is rather low on the product pyramid.

VPN tunnels are not an area that impacts CPU usage as much as having a complex or unoptimized firewall or mangle, as that affects every connection passing through the router.

If your internet line is 100Mbps in a SOHO scenario (thousands of connections), you don't need a CCR1009, let alone a CCR1016; for that application an rb850, RB3011 or RB1100AHx2 (depending on simultaneous connection figures) suits the task.

Even an RB2011, depending on firewall optimization, would be more than enough depending on simultaneous connections.

> A lot of the MT units tend to drop throughput when you hit about 20+ firewall rules.

Especially the lower powered ones; however, do you say this based on extrapolation of brochure data synthetic benchmarks, or actual hands-on usage?

> The other advantage of running the x86 for me is that it lets me run Snort inspection on all my inbound/outbound traffic, offering a deeper level of scrutiny that ROS can't provide. So it's not just about the cost/port or cost/performance ratios, it's also about features. Also, there are plenty of appliance options for pfSense that don't involve $1k+ rackmounts...look on eBay and you can find a lot of pfSense appliances for a lot less. You just have to make sure it's right-sized for your particular application.

There's always multiple ways of achieving things (it's in fact one of MikroTik's mottos), but good practices / design and using the right tools should always prevail; on a firewall I look for features, reliability and performance related to firewalling, routing, network related services and related diagnosing/troubleshooting.

For IDS or CTS, I prefer to separate it from firewalling, having the freedom to tailor the system to my needs or choose the system I consider more suited for the task at any given time (you know opensource projects are fast moving targets, especially if successful) or run complex queries or reports, weblog DNS resolving... without risking the throughput performance.

If you need a deep level of scrutiny, or CTS, there's no need to analyze it inline on the firewall itself; I don't agree with that as being either good practice or design.

Even a "lowly" (in terms of CPU) 750GL can be set up to use its switch to put ports in mirror mode (no CPU involved) to feed a separate PC where you can run a pfSense, Suricata or whatever IDS you like (like you did, but not inline), without touching a single packet of the original traffic stream, and more importantly, separating routing/firewalling duties from IDS ones. Same goes for CTS, that's what Traffic Flow is for...
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Fri Dec 04, 2015 7:15 pm

Regarding how to design ip addressing, this could be an example for a /29 optimizing IP usage, private transport address space being a /24 with specific /32 routes because this was drawn for a different post, but you get the idea.

You won't be using pppoe, so you could ask your uplink provider to use a private /30 for your uplink connection; that way you can use all the /29 public IPs. Assign the router one to a loopback (bridge) and you are set.

[Image]
 
purathal
just joined
Topic Author
Posts: 7
Joined: Mon Nov 30, 2015 4:27 am

Re: Firewall protection with 1Gbps throughput

Fri Dec 04, 2015 9:57 pm

> Regarding how to design ip addressing, this could be an example for a /29 optimizing IP usage, private transport address space being a /24 with specific /32 routes because this was drawn for a different post, but you get the idea.
>
> You won't be using pppoe, so you could ask your uplink provider to use a private /30 for your uplink connection; that way you can use all the /29 public IPs. Assign the router one to a loopback (bridge) and you are set.

Thanks Pukkita for everything!

One more question - I am also considering getting a 1Gig managed layer 3 switch as the "core" switch to connect to the 1Gbps uplink connection, and I wonder what switch would be equivalent to the CCR1036 router/firewall (in terms of 1Gbps throughput handling where CCR1036 was recommended over CCR1009). I am looking for the same kind of performance and hardware specs but in a layer 3 switch.
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Firewall protection with 1Gbps throughput

Sat Dec 05, 2015 4:37 am

>> Regarding how to design ip addressing, this could be an example for a /29 optimizing IP usage, private transport address space being a /24 with specific /32 routes because this was drawn for a different post, but you get the idea.
>>
>> You won't be using pppoe, so you could ask your uplink provider to use a private /30 for your uplink connection; that way you can use all the /29 public IPs. Assign the router one to a loopback (bridge) and you are set.
>
> Thanks Pukkita for everything!
>
> One more question - I am also considering getting a 1Gig managed layer 3 switch as the "core" switch to connect to the 1Gbps uplink connection, and I wonder what switch would be equivalent to the CCR1036 router/firewall (in terms of 1Gbps throughput handling where CCR1036 was recommended over CCR1009). I am looking for the same kind of performance and hardware specs but in a layer 3 switch.

Interesting comparison.

I don't have experience with layer 3 switches.

I hope someone with that experience can help with this topic.
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Sat Dec 05, 2015 2:48 pm

Switches work at wirespeed, although Routerboards CRS switches offer the possibility to remove certain ports from the switch and add routing functions, Layer2 functions (e.g. VLANs) can be done by the switch chip itself without taking CPU resources.

In your scenario, it will depend on how you plan to deploy servers, which kind of interfaces you are going to use, how many servers, etc.
 
purathal
just joined
Topic Author
Posts: 7
Joined: Mon Nov 30, 2015 4:27 am

Re: Firewall protection with 1Gbps throughput

Sat Dec 05, 2015 5:31 pm

> Switches work at wirespeed, although Routerboards CRS switches offer the possibility to remove certain ports from the switch and add routing functions, Layer2 functions (e.g. VLANs) can be done by the switch chip itself without taking CPU resources.
>
> In your scenario, it will depend on how you plan to deploy servers, which kind of interfaces you are going to use, how many servers, etc.

I plan to use the switch as the "Core Switch". The data center provided uplink connection "1Gbps link" network drop will be connected to it. I have about 7-10 servers that I plan to connect to the same switch (all servers have 1Gbps NIC). Again all servers need to be able to utilize the 1Gbps uplink (like previously suggested CCR1036 appliance to handle large volume of traffic). On the same switch, I also plan to do port monitoring, bandwidth usage limit, etc. for certain servers that are connected to it.

This kind of takes me back to one of my previous questions (which I did not get an answer to yet). Can I use some of the CCR1036 ports in pure switch mode and not worry about investing in a switch? Regardless, I would like to know a MikroTik switch that can handle the same bandwidth throughput as the CCR1036.
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Sat Dec 05, 2015 5:52 pm

> I plan to use the switch as the "Core Switch". The data center provided uplink connection "1Gbps link" network drop will be connected to it.

CRS switches are switches with additional L3 capabilities; none of them will be able to cope with 1Gbps of L3 traffic.

> I have about 7-10 servers that I plan to connect to the same switch (all servers have 1Gbps NIC). Again all servers need to be able to utilize the 1Gbps uplink (like previously suggested CCR1036 appliance to handle large volume of traffic). On the same switch, I also plan to do port monitoring, bandwidth usage limit, etc. for certain servers that are connected to it.
>
> This kind of takes me back to one of my previous questions (which I did not get an answer to yet). Can I use some of the CCR1036 ports in pure switch mode and not worry about investing in a switch?

No, CCRs, as their name implies, are Core or "Pure" Routers; they don't have switch ports (CCR1016, CCR1036, CCR1072), except for the CCR1009 variations, which are equipped with a 4 port switch chip for ether1-4.

However they have plenty of power to spare, so if you were to choose between a CCR or CRS the logical option would be the CCR.

> Regardless, I would like to know a MikroTik switch that can handle the same bandwidth throughput as the CCR1036.

Almost any CRS Switch can have almost the same or more Layer2 throughput as the CCR1036; as I said, they work at wirespeed (no CPU involved, but the switch chips) at Layer2, whereas on a CCR everything, being L2 or L3, is done by the CPU cores.

Forget using any of the CRS for Layer3 in your scenario, they're neither conceived for that, nor will be able to cope with that Uplink bandwidth.

If you want to keep it to a single device, then I'd go for a CCR1036-12G-4S.

If you want the best of both worlds, I'd get a CRS226-24G-2S+RM as a matching companion for a CCR1036-8G-2S+.

You'll have plenty of ports to "tap in" using port mirroring, and both have 2 SFP+ interfaces if you were to trunk both. That is, following the same choosing criteria of sizing in advance, as your Uplink will be 1Gbps. This will be vastly oversized for a 1Gbps Uplink, but again I'm keen on spending once...

Do you have any budget in mind?
 
purathal
just joined
Topic Author
Posts: 7
Joined: Mon Nov 30, 2015 4:27 am

Re: Firewall protection with 1Gbps throughput

Sun Dec 06, 2015 12:20 pm


> CRS switches are switches with additional L3 capabilities; none of them will be able to cope with 1Gbps of L3 traffic.

Just to make it clear... can I use CRS switches (CRS226-24G-2S+RM) as a "managed switch" to set maximum allowed bandwidth usage limit on specific ports? For example, if I had SERVER A connected to PORT 5 and I want to limit only 3TB of maximum data transferred on PORT 5. Can I do that?

> No, CCRs, as their name implies, are Core or "Pure" Routers; they don't have switch ports (CCR1016, CCR1036, CCR1072), except for the CCR1009 variations, which are equipped with a 4 port switch chip for ether1-4.
>
> However they have plenty of power to spare, so if you were to choose between a CCR or CRS the logical option would be the CCR.

CCR1036 has 12 ports - how exactly can those 12 ports be used if none of them can be used as switch ports? I guess I am missing some basics here. Sorry.

> If you want to keep it to a single device, then I'd go for a CCR1036-12G-4S.
>
> If you want the best of both worlds, I'd get a CRS226-24G-2S+RM as a matching companion for a CCR1036-8G-2S+.

I am a little confused now. So, if the CCR1036 can only be used as a pure router and I have about 7-10 servers to connect to it, how can all those servers connect with a "router only" device without any switch capability?

> Do you have any budget in mind?

About $1500.
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Sun Dec 06, 2015 12:39 pm

All ports that are not switchable are always at least bridgeable.
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Sun Dec 06, 2015 4:56 pm


>> CRS switches are switches with additional L3 capabilities; none of them will be able to cope with 1Gbps of L3 traffic.
>
> Just to make it clear... can I use CRS switches (CRS226-24G-2S+RM) as a "managed switch" to set maximum allowed bandwidth usage limit on specific ports? For example, if I had SERVER A connected to PORT 5 and I want to limit only 3TB of maximum data transferred on PORT 5. Can I do that?

Not sure about that as I never tried to achieve that in such a way, and CRS switches are rather "recent". But it's not the "best practice" way to do it in your scenario.

>> No, CCRs, as their name implies, are Core or "Pure" Routers; they don't have switch ports (CCR1016, CCR1036, CCR1072), except for the CCR1009 variations, which are equipped with a 4 port switch chip for ether1-4.
>>
>> However they have plenty of power to spare, so if you were to choose between a CCR or CRS the logical option would be the CCR.
>
> CCR1036 has 12 ports - how exactly can those 12 ports be used if none of them can be used as switch ports? I guess I am missing some basics here. Sorry.

As jarda pointed out, you can use them to build bridges (sort of a software version of a switch).

>> If you want to keep it to a single device, then I'd go for a CCR1036-12G-4S.
>>
>> If you want the best of both worlds, I'd get a CRS226-24G-2S+RM as a matching companion for a CCR1036-8G-2S+.
>
> I am a little confused now. So, if the CCR1036 can only be used as a pure router and I have about 7-10 servers to connect to it, how can all those servers connect with a "router only" device without any switch capability?

I didn't say that they "can only be used", but that hardware-wise, they're "pure" routers with no switch ports. To put two or more ports in the same L2 segment on a CCR you create a bridge, and add those ports to it.

CCRs of course can "switch" in the sense of having several ports in the same L2 segment; but as we were speaking about hardware, the general consensus is switching = doing it by a hardware switch chip, whereas bridging = doing it by software bridges.

>> Do you have any budget in mind?
>
> About $1500.

Then a CRS226-24G-2S+RM / CCR1036-8G-2S+ combo fits your budget... do some research, in Europe at least both can be had for about $1000.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
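
One way to lay out the addressing, bridging and filtering discussed in this thread on a single CCR, written as RouterOS v6 commands. This is an added example and not a configuration posted by any participant; the interface roles, the 10.x transport ranges, the documentation-range public blocks and the server names are all assumptions.

```routeros
# Added example, RouterOS v6 syntax. Every address is a private or documentation
# range constructed for illustration; interface roles are assumptions.
#   ether1          = data-center uplink (private /30 transport)
#   ether2-ether4   = servers (further ports are added the same way)
#   203.0.113.8/29  = public block delivered with the uplink
#   198.51.100.0/27 = extra public block purchased later

# Uplink runs on a private /30, so no public address is spent on the link.
/ip address add address=10.255.255.2/30 interface=ether1 comment="uplink transport"
/ip route add dst-address=0.0.0.0/0 gateway=10.255.255.1

# The router's own public address sits on an empty bridge used as a loopback.
/interface bridge add name=lo0
/ip address add address=203.0.113.9/32 interface=lo0

# Server ports share one L2 segment through a software bridge
# (forwarded by the CPU on a CCR, not by a switch chip).
/interface bridge add name=br-servers
/interface bridge port add bridge=br-servers interface=ether2
/interface bridge port add bridge=br-servers interface=ether3
/interface bridge port add bridge=br-servers interface=ether4
/ip address add address=10.0.0.1/24 interface=br-servers comment="private transport"

# Public space is routed, not NATed: each address or block points at the
# transport address of the server that holds it on its own loopback.
/ip route add dst-address=203.0.113.10/32 gateway=10.0.0.11 comment="web1"
/ip route add dst-address=203.0.113.11/32 gateway=10.0.0.12 comment="mail1"
/ip route add dst-address=198.51.100.0/27 gateway=10.0.0.13 comment="vps host"

# Address lists keep the rule count flat however many public IPs are added.
/ip firewall address-list
add list=web address=203.0.113.10
add list=web address=198.51.100.0/27
add list=mail address=203.0.113.11

/ip firewall filter
# Established/related first: most packets match here and skip the later rules.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=br-servers action=accept comment="server-initiated traffic"
add chain=forward in-interface=ether1 protocol=tcp dst-port=80,443 dst-address-list=web action=accept
add chain=forward in-interface=ether1 protocol=tcp dst-port=25,465,587,993,995 dst-address-list=mail action=accept
add chain=forward in-interface=ether1 protocol=icmp action=accept comment="ping and diagnostics"
add chain=forward action=drop comment="default deny"
# The router itself is managed only from the private transport network.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=br-servers src-address=10.0.0.0/24 action=accept
add chain=input action=drop comment="default deny to router"
```

Adding another public address to an existing server is then one `/ip route` line plus one `address-list` entry, with no new filter rules.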
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Firewall protection with 1Gbps throughput

Sun Dec 06, 2015 5:44 pm

I think there is no way a CRS can be compared to a layer 3 switch.

I think a CRS is a light layer 2 switch with limited functionalities plus an embedded software router with a very small CPU for management purposes and very limited layer 3 throughput.

A true layer 3 switch can do layer 3 processing in hardware at wire speed without CPU usage.

What's the problem, why doesn't everybody have a layer 3 switch??

Price: a 24 gigabit port layer 3 switch starts from 3000 USD.
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Firewall protection with 1Gbps throughput

Sun Dec 06, 2015 5:53 pm

I think CRS226-24G-2S+RM / CCR1036-8G-2S+ is a good combination, but I would prefer another switch vendor; so many issues have been reported on CRS switches.

I think you can use the CCR1036-8G-2S+ as a router and the D-Link DGS-1510-28 as a switch.

If you don't like D-Link you can choose the Cisco SG500X-24.
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Firewall protection with 1Gbps throughput

Sun Dec 06, 2015 11:19 pm

Truth is the CRS226 has been released very recently and I don't have direct experience with it, so I cannot give it a definite judgement; neither for past issues, which could have been solved, nor by people's bad reviews, as the ones not having problems usually don't post on the forums.

People needed a learning curve for the CRS-specific RouterOS setup also, as this was brand new too.

I have direct experience with the CRS125 with several in production and I'm very happy with them; there were issues at release time due to the hardware's youth, but they were solved.

Of course you can choose any other brand of switch, though this time I have to disagree with you chechito :D no more D-Link nor anything ending in "-link" switches for me for this kind of scenario, even less, manageable ones; I already had my dose.

You can write to MikroTik support and ask about any standing problems, if any, with the CRS226 that may make it not suitable for your specific setup in terms of advanced Layer 2 operations (QoS, filtering, mirroring, etc).