4 Replies Latest reply on Sep 5, 2013 1:27 PM by noor

    Segregating two routed sub-nets and  provide internet connectivity (inbound and outbound)

    tbayne New Member

      Good afternoon,

       

      Stating for the record that I am a newb at networking, and with Adtran switches.

       

      I have a 1534P switch.  I have two sub-nets which need to share a single internet connection.

       

      Currently I have internet (50 Mbps) connection terminating at the 1534, port 1, and the subnets at ports 3 and 5.  Each subnet has its own firewall equipment (Sonicwall in one case, Cisco in the other).

       

      After a bit of playing around things are working, but performance is terrible - roughly 1/10th (or less) of what it should be.  I have "protection" enabled on the ports to which the subnets are connected.

       

      Any suggestions?

       

      Terry

        • Re: Segregating two routed sub-nets and  provide internet connectivity (inbound and outbound)
          levi Employee

          Terry:

           

          Thank you for asking this question in the support community.  Hopefully, we will be able to get things back up to speed for you.  If you get a chance to reply to this post and attach a current version of the ADTRAN's firmware, I will be happy to review it for you (please remember to remove any pieces of the configuration that are sensitive to the organization).

           

          Are you able to plug a device directly into the ADTRAN unit (bypassing the firewalls) and obtain performance that meets your expectations?

           

          Levi

            • Re: Segregating two routed sub-nets and  provide internet connectivity (inbound and outbound)
              tbayne New Member

              Levi,

               

              Thanks for the response.  Directly plugging into the switch (bypassing the firewall equipment) does not improve performance.

               

              Further, I borrowed a router (dedicated small PC running pfSense), configured it, plugged both networks into it, and connected its WAN port to our WAN connection - removing the Adtran switch.  In this configuration performance is as expected.  So in my opinion it is the configuration of the switch - or the capabilities of the switch to function in this capacity (mostly as a router).

               

              Message was edited by: levi (Removed config. and added as attachment)

                • Re: Segregating two routed sub-nets and  provide internet connectivity (inbound and outbound)
                  levi Employee

                  tbayne:

                   

                  There are several things I suggest you change.

                   

                  • Configure three separate VLANs for each subnet (instead of secondary subnets on one VLAN)
                  • Configure the ports to be assigned to the VLANs
                  • Add the command ip route-cache express to each VLAN interface
                  • Configure the VLAN connected to the Internet connection to 50 Mbps
                  • Also make sure the ports connected to the firewalls are negotiated to the proper speed and duplex

                   

                  Here is an example:

                   

                  interface vlan 1
                    description INTERNET CONNECTION
                    ip address  24.214.206.174  255.255.255.252
                    traffic-shape rate 50000000
                    ip route-cache express
                    no shutdown
                  !
                  interface vlan 2
                    description FIREWALL 1
                    ip address 69.73.18.113  255.255.255.240
                    ip route-cache express
                    no shutdown
                  !
                  interface vlan 3
                    description FIREWALL 2
                    ip address  207.98.167.65  255.255.255.248
                    ip route-cache express
                    no shutdown
                  !
                  interface gigabit-switchport 0/3
                    description SED
                    no shutdown
                    switchport access vlan 2
                    switchport protected
                  !
                  interface gigabit-switchport 0/5
                    description Trident
                    no shutdown
                    switchport access vlan 3
                    switchport protected


                  I hope that makes sense, but let me know what additional questions you have. 


                  Levi
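
Added example, not part of the original thread and not ADTRAN tooling: a small Python check over an interface config in the style shown above. It flags a repeated `interface vlan` stanza, a VLAN interface carrying more than one subnet, an access port placed in a VLAN that has no routed interface, and overlapping subnets. The `lint` helper and the sample config (documentation addresses) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (documentation addresses). The second "interface vlan 2"
# stanza is a deliberate copy/paste slip for the linter to catch.
SAMPLE = """\
interface vlan 1
  ip address 192.0.2.2 255.255.255.252
interface vlan 2
  ip address 198.51.100.1 255.255.255.240
interface vlan 2
  ip address 203.0.113.1 255.255.255.248
interface gigabit-switchport 0/3
  switchport access vlan 2
interface gigabit-switchport 0/5
  switchport access vlan 3
"""

def lint(config):
    """Return findings for a routed-VLAN interface config (hypothetical helper)."""
    findings, svis, access = [], {}, {}
    port = vid = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface\s+(.+)", line):
            port, vid = m.group(1), None
            if v := re.fullmatch(r"vlan\s+(\d+)", port):
                vid = int(v.group(1))
                if vid in svis:
                    findings.append(f"duplicate: interface vlan {vid} defined twice")
                svis.setdefault(vid, [])
        elif (m := re.fullmatch(r"ip address\s+(\S+)\s+(\S+)", line)) and vid is not None:
            svis[vid].append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
        elif (m := re.fullmatch(r"switchport access vlan\s+(\d+)", line)) and port:
            access[port] = int(m.group(1))
    for v, nets in svis.items():
        if len(nets) > 1:
            findings.append(f"multi-subnet: vlan {v} carries {len(nets)} subnets")
    for p, v in sorted(access.items()):
        if v not in svis:
            findings.append(f"no-svi: {p} is in vlan {v}, which has no vlan interface")
    flat = [(v, n) for v, nets in svis.items() for n in nets]
    for i, (va, a) in enumerate(flat):
        for vb, b in flat[i + 1:]:
            if a.overlaps(b):
                findings.append(f"overlap: {a} (vlan {va}) and {b} (vlan {vb})")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

An empty list means every access VLAN has exactly one routed interface and no two subnets overlap.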

              • Re: Segregating two routed sub-nets and  provide internet connectivity (inbound and outbound)
                Employee

                tbayne - I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                 

                Thanks,

                Noor