Good afternoon,
Stating for the record that I am a newb at networking, and with Adtran switches.
I have a 1534P switch. I have two sub-nets which need to share a single internet connection.
Currently I have internet (50 Mbps) connection terminating at the 1534, port 1, and the subnets at ports 3 and 5. Each subnet has its own firewall equipment (Sonicwall in one case, Cisco in the other).
After a bit of playing around things are working, but performance is terrible - roughly 1/10th (or less) of what it should be. I have "protection" enabled on the ports to which the subnets are connected.
Any suggestions?
Terry
Accepted Solutions
There are several things I suggest you change.
- Configure three separate VLANs for each subnet (instead of secondary subnets on one VLAN)
- Configure the ports to be assigned to the VLANs
- Add the command ip route-cache express to each VLAN interface
- Configure the VLAN connected to the Internet connection to 50 Mbps
- Also make sure the ports connected to the firewalls are negotiated to the proper speed and duplex
Here is an example:
```
interface vlan 1
  description INTERNET CONNECTION
  ip address 24.214.206.174 255.255.255.252
  traffic-shape rate 50000000
  ip route-cache express
  no shutdown
!
interface vlan 2
  description FIREWALL 1
  ip address 69.73.18.113 255.255.255.240
  ip route-cache express
  no shutdown
!
interface vlan 3
  description FIREWALL 2
  ip address 207.98.167.65 255.255.255.248
  ip route-cache express
  no shutdown
!
interface gigabit-switchport 0/3
  description SED
  no shutdown
  switchport access vlan 2
  switchport protected
!
interface gigabit-switchport 0/5
  description Trident
  no shutdown
  switchport access vlan 3
  switchport protected
```
I hope that makes sense, but let me know what additional questions you have.
Levi
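
A pre-apply check for a one-VLAN-per-subnet layout like the one in the answer above, as an added example that is not part of the original post or ADTRAN's tooling. The `audit` helper is hypothetical, it understands only the stanza layout shown in this thread, and the sample configuration is constructed with documentation addresses and deliberate mistakes.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample with deliberate mistakes, in this thread's stanza layout.
SAMPLE = """\
interface vlan 1
 ip address 192.0.2.2 255.255.255.252
interface vlan 2
 ip address 198.51.100.1 255.255.255.240
interface vlan 2
 ip address 203.0.113.1 255.255.255.248
interface gigabit-switchport 0/3
 switchport access vlan 2
 switchport protected
interface gigabit-switchport 0/5
 switchport access vlan 3
"""

def audit(config):
    """Return findings for a one-VLAN-per-subnet layout (hypothetical helper)."""
    vlans, ports, findings, cur = {}, {}, [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"interface vlan (\d+)", line):
            if m[1] in vlans:
                findings.append(f"vlan {m[1]} is defined more than once")
            cur = vlans.setdefault(m[1], {})
        elif m := re.fullmatch(r"interface gigabit-switchport (\S+)", line):
            cur = ports.setdefault(m[1], {"protected": False})
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            cur["vlan"] = m[1]
        elif line == "switchport protected":
            cur["protected"] = True
    for name, port in ports.items():
        vlan = port.get("vlan")  # None means the port has no explicit access VLAN
        if vlan is not None and vlan not in vlans:
            findings.append(f"port {name} uses vlan {vlan}, which has no vlan interface")
        if vlan is not None and not port["protected"]:
            findings.append(f"port {name} is not protected")
    nets = [(v, d["net"]) for v, d in vlans.items() if "net" in d]
    for (a, na), (b, nb) in combinations(nets, 2):
        if na.overlaps(nb):
            findings.append(f"vlan {a} ({na}) overlaps vlan {b} ({nb})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```
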
Re: Segregating two routed sub-nets and provide internet connectivity (inbound and outbound)
Terry:
Thank you for asking this question in the support community. Hopefully, we will be able to get things back up to speed for you. If you get a chance to reply to this post and attach a current version of the ADTRAN's firmware, I will be happy to review it for you (please remember to remove any pieces of the configuration that are sensitive to the organization).
Are you able to plug a device directly into the ADTRAN unit (bypassing the firewalls) and obtain performance that meets your expectations?
Levi
Levi,
Thanks for the response. Directly plugging into the switch (bypassing the firewall equipment) does not improve performance.
Further, I borrowed a router (dedicated small PC running pfSense), configured it, plugged both networks into it, and connected its WAN port to our WAN connection - removing the Adtran switch. In this configuration performance is as expected. So in my opinion it is the configuration of the switch - or the capabilities of the switch to function in this capacity (mostly as a router).
Message was edited by: levi (Removed config. and added as attachment)
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor