Question TP-Link TL-SG3428

LittleCreekHosting

Nov 20, 2015
This is for a data center with public IPs. I bought the TP-Link TL-SG3428. I was hoping to use it to route the public IPs I have been assigned.

Cogent has assigned me a /22 block. They are forwarding that block to an IP out of a /29. So, just for example, they are forwarding 38.45.x.x/22 to 38.32.x.2. So the way I understand it, the switch would need to be assigned 38.32.x.2. I was hoping the switch would then forward the /22 block to the other ports. But I am having trouble doing that.

What I would like to know is: is this switch capable of doing this, or am I wasting my time trying to make it work?

Thank you.
It isn't a full layer 3 switch, based on the description on the TP-Link website. But it also says it supports static routing.
With a /22 I think you have more IP addresses than this switch will support. You are trying to support 1000 public IP addresses with a $200 switch?
You need to rethink your hardware selection, IMO.
 
Routing does not really work that way.

You are going to have 2 interfaces and 2 IP addresses. You are going to have 1 on the /29 going to the ISP and a second on your VLAN that is used for the /22. You would likely use the .1 IP.

Hard to say if that switch can do this. It needs enough memory to keep track of over 1000 IP addresses. I can find nothing on the switch limit, but it does say it has a 512 ARP limit, which means that is also likely the maximum number of IPs it can support.

This also assumes you are going to use an actual DHCP server rather than try to use the switch for this function.

Pretty much nobody uses a layer 3 switch for this function. Almost all companies have a firewall doing this. Someone can easily attack the switch or any of your servers and take everything down. A firewall also has much more memory, so it can easily handle the IP addresses and even the DHCP function.
 
Now I have a /22 and two /24s with more IPs to come. I think I am asking the wrong question. What device will do what I need to do? I am using a simple Linux router now and it does a good job until somebody generates too many connections for it to handle. It handles the bandwidth fine, but the number of connections not so much.

Cogent is routing all my public IPs to a single IP on the outward interface on the router. The inside interface has a .1 address for each of the networks to act as the default gateway address for the servers on the inside.

Some have said a layer 3 switch will do the job. Others say use a full router. bill001g mentioned a firewall device. I am really out of my element. I just want to know what device will do the job and a specific model for me to start learning. It also needs to be able to accept an SFP+ module for the WAN.

I really do appreciate the help.
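The two-interface layout bill001g describes and the poster confirms (ISP forwards the blocks to one address in the transit /29; the router holds the .1 of each block on its inside interface) can be sanity-checked before touching a box. This is an added example, not code from the thread or from any vendor: all addresses are RFC 5737 placeholders, the interface names eth0/eth1 and the ISP gateway being the .1 of the /29 are assumptions, and the 512 ARP figure is the one quoted above for the switch.

```python
# Added example: validate the router layout from the thread with ipaddress
# and render the Linux "ip" commands for review. Addresses are placeholders.
import ipaddress

TRANSIT = "192.0.2.0/29"                         # ISP-facing /29 (placeholder)
WAN_ADDR = "192.0.2.2"                           # the .2 the ISP forwards to (placeholder)
ISP_GW = "192.0.2.1"                             # assumed: ISP side of the /29
ROUTED = ["203.0.113.0/24", "198.51.100.0/24"]   # blocks routed to WAN_ADDR; a /22 works the same
ARP_LIMIT = 512                                  # per-switch ARP limit quoted in the thread

def inside_gateway(net):
    """The .1 of each routed block lives on the router's inside (VLAN) interface."""
    net = ipaddress.ip_network(net)
    return str(ipaddress.ip_interface(f"{net.network_address + 1}/{net.prefixlen}"))

def host_count(routed):
    """Usable addresses across the routed blocks (network and broadcast excluded)."""
    return sum(ipaddress.ip_network(n).num_addresses - 2 for n in routed)

def check_design(transit, wan_addr, routed):
    """Return a list of problems; an empty list means the layout is consistent."""
    transit = ipaddress.ip_network(transit)
    nets = [ipaddress.ip_network(n) for n in routed]
    problems = []
    if ipaddress.ip_address(wan_addr) not in transit:
        problems.append("WAN address is not inside the transit /29")
    for n in nets:
        if n.overlaps(transit):
            problems.append(f"{n} overlaps the transit block")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    if host_count(routed) > ARP_LIMIT:
        problems.append(f"{host_count(routed)} hosts exceed the {ARP_LIMIT}-entry ARP limit")
    return problems

def render_commands(transit, wan_addr, isp_gw, routed, wan_if="eth0", lan_if="eth1"):
    """Plain Linux 'ip' commands for a router doing this job; review before applying."""
    prefixlen = ipaddress.ip_network(transit).prefixlen
    cmds = [f"ip addr add {wan_addr}/{prefixlen} dev {wan_if}",
            f"ip route add default via {isp_gw} dev {wan_if}"]
    cmds += [f"ip addr add {inside_gateway(n)} dev {lan_if}" for n in routed]
    cmds.append("sysctl -w net.ipv4.ip_forward=1")   # the box must forward, not just answer
    return cmds
```

With the two /24s above the design passes; swapping in a /22 trips the ARP-limit check, which is the point made earlier about the switch.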
 
It would be strange that your Linux box is overloading just running as a router. A router has no concept of sessions or connections. It purely looks at the destination IP and decides where to send it. If it was running an actual routing protocol then it would be more complex, but in your case it sounds like you are doing simple static routing.

I will assume that since you are using multiple public IP addresses that you are not running NAT. NAT adds a lot of CPU overhead.

What is more likely is that the box is acting as a firewall and the firewall rules are what is causing the overload. A firewall does look at the number of connections.

To make things simpler I would buy a very simple switch that can take SFP+ interfaces. In effect it is a media converter. You can buy actual media converters but they generally are overpriced 2 port switches. You need nothing other than a simple layer 2 switch with the SFP+ port you need and whatever speed ethernet you need.

After this you can just get a larger Linux PC. It all depends on what functions you are doing in addition to simple routing.
 
On my Linux router the ksoftirqd would eat up CPU; it could get up to 100%. This post said this could be due to the number of connections: https://askubuntu.com/questions/7858/why-is-ksoftirqd-0-process-using-all-of-my-cpu

No NATing. I was using SNORT and iptables but SNORT overloads it as well.

What I experience is much slower speeds from the inside while the router itself maintains normal speeds. At that time SNORT of course is overloading. That I completely understand. But ksoftirqd is also at between 50% and 100% CPU. I also only have a problem when a client on the inside starts doing something nefarious like port scanning and such. Usually it looks like a UDP attack. When I stop that, ksoftirqd goes back down to normal.

My router is only an Intel Core2 Duo with 4 GB of RAM. It served me very well when I started out. I have several lying around. I would love to just keep using a Linux router since it's so easy to set up and manage.

I was thinking of using an AMD Ryzen 5 5600G 6-Core 12-Thread CPU and 16 GB of RAM. Do you think that would be enough?
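The two symptoms described in this exchange, ksoftirqd pinned on one CPU and a firewall that tracks connections falling over under a flood of new flows, each leave a counter behind. The check below is an added example, not from the thread or the linked post: the /proc/softirqs snapshots and the nf_conntrack_count / nf_conntrack_max values are constructed so it runs offline; on a real router you would read those files two seconds apart.

```python
# Added example: read the counters behind a pegged ksoftirqd and a full
# connection table. Inputs are constructed samples in the /proc/softirqs layout.
SOFTIRQS_BEFORE = """\
                    CPU0       CPU1
          HI:          0          0
       TIMER:    1000000    1000000
      NET_TX:       5000       5000
      NET_RX:    2000000     100000
"""
SOFTIRQS_AFTER = """\
                    CPU0       CPU1
          HI:          0          0
       TIMER:    1001000    1001000
      NET_TX:       5100       5100
      NET_RX:    2900000     101000
"""

def parse_softirqs(text):
    """Map softirq name -> per-CPU counts, following the /proc/softirqs layout."""
    counts = {}
    for line in text.splitlines()[1:]:           # first line is the CPUn header
        if not line.strip():
            continue
        name, *cols = line.split()
        counts[name.rstrip(":")] = [int(c) for c in cols]
    return counts

def net_rx_share(before, after):
    """Fraction of new NET_RX work each CPU absorbed between two snapshots.
    One CPU near 1.0 is a single receive path (single NIC queue or a
    single-threaded packet path), which is what ksoftirqd at 100% looks like."""
    b = parse_softirqs(before)["NET_RX"]
    a = parse_softirqs(after)["NET_RX"]
    delta = [x - y for x, y in zip(a, b)]
    total = sum(delta)
    return [d / total if total else 0.0 for d in delta]

def diagnose(before, after, ct_count, ct_max, hot=0.8, full=0.9):
    """Turn the two counters into the findings an operator would act on.
    ct_count/ct_max are the nf_conntrack_count and nf_conntrack_max sysctls."""
    findings = []
    for cpu, share in enumerate(net_rx_share(before, after)):
        if share >= hot:
            findings.append(f"NET_RX concentrated on CPU{cpu} ({share:.0%}): single receive path")
    if ct_max and ct_count / ct_max >= full:
        findings.append(f"conntrack {ct_count}/{ct_max} nearly full: firewall state, not routing")
    return findings
```

A port scan from an inside host creates thousands of short-lived flows, so the conntrack finding firing at the same time as the NET_RX one matches the pattern the poster sees.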
 
I have not used Linux router/firewalls in data center applications so I am unsure how you size these boxes.

Many functions in these types of devices are single-threaded. Having extra cores and threads does not increase the performance.
What they really want is high CPU clock speed so a single core can do more work. It is not that simplistic though, since it can for example run firewall filters on a different CPU than the one that is doing the routing function.

My experience in internet data center networks is completely the opposite of yours. Management decided that the cost of the router was tiny compared with the cost of things like bandwidth and IP block leases. They insisted that I only run equipment from, say, Cisco or Juniper and would not even consider home made solutions or even lower price competitors. These commercial solutions are pretty easy; they have tables that tell you the throughput on the different models.

What you might search for are maybe forums related to the firewall/router Linux image you are running. These guys tend to discuss sizing the machines. You might also look for some of the companies that sell prepackaged Linux-based router/firewalls.
All they are doing in many cases is preloading the software onto a machine for you. What you can do is try to get the specs of the machines and see which CPU and memory they are using. That should give you an idea what you need in a machine.