SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed

wblanton

@stephenw10 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:

Nice!

I tested some BiDi modules here and they worked without issue.

Steve

Steve,

Do you know if the 1G BiDi will work with the XG-7100 1U? I've having some issues using the "generic" ones from FS.com. I've started another thread but haven't heard anything.

stephenw10

The one I have does:

[21.02.2-RELEASE][root@7100.stevew.lan]/root: ifconfig -vvvm ix1
ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: IX1
        options=e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
        capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:08:a2:0e:a5:92
        inet6 fe80::208:a2ff:fe0e:a592%ix1 prefixlen 64 scopeid 0x4
        inet 172.21.16.243 netmask 0xffffff00 broadcast 172.21.16.255
        media: Ethernet autoselect (Unknown <rxpause,txpause>)
        status: active
        supported media:
                media autoselect
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        plugged: SFP/SFP+/SFP28 1000BASE-LX (LC)
        vendor: OEM PN: SFP-GE-BX03-D SN: NV20200713025 DATE: 2020-07-14
        module temperature: 27.94 C Voltage: 3.31 Volts
        RX: 0.20 mW (-6.79 dBm) TX: 0.12 mW (-8.97 dBm)

        SFF8472 DUMP (0xA0 0..127 range):
        03 04 07 00 00 00 02 00 00 01 01 01 0D 00 03 1E 
        00 00 00 00 4F 45 4D 20 20 20 20 20 20 20 20 20 
        20 20 20 20 00 00 90 65 53 46 50 2D 47 45 2D 42 
        58 30 33 2D 44 20 20 20 41 20 20 20 06 0E 00 09 
        00 1A 00 00 4E 56 32 30 32 30 30 37 31 33 30 32 
        35 20 20 20 32 30 30 37 31 34 20 20 68 F0 01 0B 
        FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
        FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 

Though I was quite surprised about that. It doesn't report a link speed so cannot be set to 1G fixed which is often required for use like this.

Steve

wblanton

@stephenw10 Good to know it's possible! Have you been running this without any issue?

stephenw10

Not for any time. I just moved it from an SG-2100 to test. I saw no problems though and it also runs fine in the SG-2100, been running there for months.

Steve

msf2000

@cabledude
You may be able to do the SG-3100 but only if you offload Suricata and/or nTopNG to a separate machine. Otherwise, go with the 5100 as suggested earlier.

I speak from experience, as having tried it before. ;)

Biggy823

@msf2000 I too happen to be in the same boat. I have the SG-3100 and currently experiencing lock ups and random reboots. It just does not have the horse power needed to run these applications. I am now facing the hard choice that I am going to have to upgrade to the 5100. Don't make the same mistake that I did.

brians

@msf2000 SG-3100 is not good for me. I just installed one for customer and was trying to get decent IPSec speeds between installed 3100 at 200Mbps fibre site and 500Mbps fibre remote site using SG-5100. I was only able to achieve around 80Mbps throughput. I had tried at home for a while where I use a home built pfSense. I try connecting SG-3100 to our work SG-5100 - both sites are 1Gbps fibre. With my home build setup I get around 700-800Mbps IPSec but with SG-3100 could not get any decent speed at all. Older SG-2220 is way better around 400Mbps IPSec but it is limited to around only 700Mbps LAN routing so I could never hit full 940Mbps in Speedtest. I wish Netgate would come out with inexpensive line of routers using the Intel CPU with good IPSec encryption instead of these ARM processors. Maybe SG-3100 work good connecting IPSec to another SG-3100 and maybe when I have time I can test a 700Mbps site to a this 200Mbps site both using SG-3100

skogs

The biggest trouble with the hardware offerings is that there is a world of difference between an Atom cpu and a Xeon. Atom can hardly keep up with moderate home use; and there is literally nothing in the lineup for full wire speed home without going up to a much more enterprise capable Xeon. The 5100 is really the lowest priced NICE machine in the lineup that can pretend to keep up with crypto.

I think something with Ryzen V2000 series embedded processors would be much more appropriate for long term use. Engineering team...please hear my prayers...

NOCling

@brians said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:

I was only able to achieve around 80Mbps throughput. I had tried at home for a while where I use a home built pfSense. I try connecting SG-3100 to our work SG-5100 - both sites are 1Gbps fibre. With my home build setup I get around 700-800Mbps IPSec but with SG-3100 could not get any decent speed at all.

The Hardware Crypto offload in the SG-3100 supports AES_CBC do you use this?
I guess you have set up the IPsec with AEC_GCM and then, the SG-3100 have it run in slow software mode.

brians

@nocling

Yes I tried AES and SHA1 for encryption and did not get expected results.

Could be that the other end, SG-5100, is doing software crypto with these settings and is the bottleneck? I am thinking SG-3100 to SG-3100 may be a good test to do when I get the chance.

NOCling

I don't think so. the Atom of the SG-5100 supports AES CBC to.

brians

After upgrading a few SG-3100 to 20.05 it seems to have resolved my issues with VPN speed, and I get expected IPsec VPN performance now.

SG-5100 is still far better if can justify the price.