Internal Router Only
Mark
Guest





Posted: Mon Jan 31, 2005 4:08 pm    Post subject: Internal Router Only

Hi,
I'm trying to source a router for internal routing only. I want to
connect our current network with a network of factory machines which
use a different IP range (Our domain 192.168.1.xxx, Factory
192.168.2.xxx). I'm after a reasonably priced solution that will
prevent packets from the factory network reaching the office network,
but still allow the office to connect to the factory machines. I'm
assuming that I will need a router with 2 Ethernet ports that will
connect to the appropriate switches. Could anyone recommend a good
solution that isn't too expensive? (was thinking up to £500ish). I don't
want anything too fancy as I don't need firewall/VPN/ADSL etc., just
internal routing.

Thanks
Guest






Posted: Mon Jan 31, 2005 5:13 pm    Post subject: Re: Internal Router Only

coconutpete@hotmail.com (Mark) wrote:
:prevent packets from the factory network reaching the office network,
:but still allow the office to connect to the factory machines.

Won't a 'home' router along the lines of a Linksys BEFSR41 (or 11)
with the WAN port pointing at the factory and the LAN port pointing at
the office network do what you want? [You'll probably want to disable
the DHCP server on the LAN port.]
Walter Roberson
Guest





Posted: Mon Jan 31, 2005 11:17 pm    Post subject: Re: Internal Router Only

In article <2f68fab2.0501310308.355d7fcb@posting.google.com>,
Mark <coconutpete@hotmail.com> wrote:
:I'm trying to source a router for internal routing only. I want to
:connect our current network with a network of factory machines which
:use a different IP range (Our domain 192.168.1.xxx, Factory
:192.168.2.xxx). I'm after a reasonably priced solution that will
:prevent packets from the factory network reaching the office network,
:but still allow the office to connect to the factory machines.

That can't be done if you are using TCP. TCP *needs* return
packets: you *want* packets to return from the factory network
if you are using TCP.

Perhaps a more precise criterion would be that you do not want the
factory network to be able to initiate connections to the office
network? If so, then what are your plans with respect to DNS,
WINS, email, intranet to be able to read the Material Safety Data Sheets,
and so on? Are you planning to use a network monitoring package
that uses SNMP to examine the state of the switches and/or devices?
SNMP is UDP based, and UDP can't tell replies from new transmissions.

:I'm
:assuming that I will need a router with 2 Ethernet ports that will
:connect to the appropriate switches.

Not completely true: you could do it with a single port "router
on a stick" if the router and your switch support 802.11Q VLANs.

:Could anyone recommend a good
:solution that isn't too expensive? (was thinking up to £500ish). I don't
:want anything too fancy as I don't need firewall/VPN/ADSL etc., just
:internal routing.

£500 would easily cover a true firewall such as a PIX 501, but as
the other poster pointed out, you can probably get away with a
D-Link or Linksys or Netgear device that has stateful packet inspection
(SPI). These devices tend to assume that you have many addresses
on the secure side that are to be network address translated (NAT)
into one [or sometimes two] source IPs as they go out. If your factory
machines will have a need to differentiate between different office
sources (e.g., for logging or authentication purposes, or because
you have some protocols other than TCP or UDP in the mix), then
you will have to do a bit more digging.

I don't recall that you gave any bandwidth estimates that the
router would need to handle?


If, after reflection upon the points I raise above, you find that
your situation is more complex than you were previously thinking,
then you might find that a Cisco PIX 501 (possibly
with the optional "50 user license"), or Cisco 837 VPN Bundle
might make more sense.
--
The image data is transmitted back to Earth at the speed of light
and usually at 12 bits per pixel.
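
The distinction drawn in the post above between return packets and newly initiated connections, as an added sketch that is not part of any post in this thread: a toy connection-tracking filter over the thread's two address ranges. The host addresses, port numbers and idle timeouts are constructed assumptions; real stateful devices track far more (TCP state, sequence numbers, ICMP errors).

```python
import ipaddress

OFFICE = ipaddress.ip_network("192.168.1.0/24")   # office range from the thread
FACTORY = ipaddress.ip_network("192.168.2.0/24")  # factory range from the thread
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30}           # seconds; assumed values


class StatefulFilter:
    """Toy connection tracker: the office may initiate, the factory may only reply."""

    def __init__(self):
        self.flows = {}  # (proto, src, sport, dst, dport) -> time last seen

    def check(self, now, proto, src, sport, dst, dport, syn_only=False):
        """Return "ACCEPT" or "DROP" for one packet observed at time `now`."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in OFFICE and d in FACTORY:
            # Office-initiated traffic is allowed and creates or refreshes state.
            self.flows[(proto, src, sport, dst, dport)] = now
            return "ACCEPT"
        if s in FACTORY and d in OFFICE:
            flow = (proto, dst, dport, src, sport)  # the office-side original
            seen = self.flows.get(flow)
            if seen is None or now - seen > IDLE_TIMEOUT[proto]:
                self.flows.pop(flow, None)          # unknown or expired
                return "DROP"
            if proto == "tcp" and syn_only:
                return "DROP"   # a bare SYN opens a connection; it is never a reply
            self.flows[flow] = now
            return "ACCEPT"
        return "DROP"           # anything else is not routed between the two nets


def demo():
    """Run constructed sample packets through the filter and return the verdicts."""
    fw = StatefulFilter()
    pc, plc = "192.168.1.10", "192.168.2.20"   # constructed host addresses
    return [
        fw.check(0, "tcp", pc, 40000, plc, 502, syn_only=True),   # office opens TCP
        fw.check(1, "tcp", plc, 502, pc, 40000),                  # return packet
        fw.check(2, "tcp", plc, 41000, pc, 445, syn_only=True),   # factory initiates
        fw.check(3, "udp", pc, 50000, plc, 161),                  # SNMP poll
        fw.check(4, "udp", plc, 161, pc, 50000),                  # SNMP response
        fw.check(5, "udp", plc, 50001, pc, 162),                  # unsolicited trap
        fw.check(60, "udp", plc, 161, pc, 50000),                 # late "reply"
    ]
```

For UDP the only things separating a reply from a new transmission are the reversed address/port tuple and the idle timer, which is why the unsolicited trap and the late response are both dropped.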
Guest






Posted: Tue Feb 01, 2005 2:46 am    Post subject: Re: Internal Router Only

Does anyone have VPN performance numbers for the 830 series? (pps I
guess).

I have done a quick search and can find (as usual with Cisco
performance numbers) exactly nothing.
I am interested specifically in IPSEC.
Back to top
Walter Roberson
Guest





Posted: Tue Feb 01, 2005 3:02 am    Post subject: Re: Internal Router Only

In article <1107207963.419972.234880@f14g2000cwb.googlegroups.com>,
<anybody43@hotmail.com> wrote:
:Does anyone have VPN performance numbers for the 830 series? (pps I
:guess).

:I have done a quick search and can find (as usual with Cisco
:performance numbers) exactly nothing.
:I am interested specifically in IPSEC.

A question probably better put to comp.dcom.sys.cisco, but no
matter, I've looked up the numbers recently anyhow:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/netbr09186a00801f0a72.html

Cisco 830: 10 tunnels (peers), 7 Mbps 3DES, 2 Mbps AES-128

The high 3DES relative to the AES-128 is due to the fact that
the 831, 836, and 837 have hardware DES and 3DES acceleration that
does not support AES, so AES is done in software.

For comparison, since you appeared to be reacting to my mention
of the Cisco 837: the Cisco PIX 501 is 3 Mbps 3DES, 4.5 Mbps AES-128
[software in both cases], and the PIX 506E is 17 Mbps 3DES,
30 Mbps AES-128 [hardware support.]


For Cisco IOS routers, a useful performance comparison can be found at
http://www.cisco.com/warp/public/765/tools/quickreference/routerperformance.pdf
These are raw pps figures, not IPSec figures. Different models and
software releases react differently when additional features such as
NAT or QoS are added to the mix: some slow down drastically and others
like the new 2800/3800 series are supposed to be able to keep going at
full speed with a wide range of features turned on.
--
Caution: A subset of the statements in this message may be
tautologically true.