Hardware for 200 VLANs, IPv4+IPv6 routing, 10GbE and Stateful Firewall
-
Hello,
currently we use one of our switches as a L3 switch that does all the routing (without firewalling), but it seems as if it is the performance bottleneck. Hence, the idea is to take the routing away from the switch (downgrade it to an L2 switch) and let pfSense do the routing. This is the first time I would like to try a pfSense appliance and thus I have no idea about the right choice of hardware. Our switches are 1 x HP5412zl, 1 x HP5406zl and 1 x HP2910ai. The pfSense appliance shall have 2 x 10GbE and 3 x 1GbE. The HP5412zl and HP5406zl will each be connected via one of the 10GbE ports. The HP2910ai will use 2 x 1GbE as a trunk (HP terminology). The 3rd 1GbE port is the WAN port. Actually we need 1000BASE-SX for that, because our carrier provides us with a 1GB fiber.
Each of the three switches has nearly 200 VLANs and the corresponding VLANs need to communicate across all switches. Hence, the pfSense needs to support 200 bridges. Each bridge includes both 10GbE ports and the trunk port with the correct VLAN.
Moreover, the pfSense appliance will be the default gateway for each of the 200 VLANs (IPv4 and IPV6) and shall route the traffic between them and to/from the WAN port.
The WAN port needs to be protected by a stateful firewall. There is no need to do any firewalling between the internal 200 VLANs.
Any recommendation for a suitable hardware?
Slightly off-topic, but also important: Each subnet needs DHCP (IPv4 and IPv6 stateful DHCP). At the moment the L3 switch is a DHCP relay for each VLAN, the DHCP server is a separate hardware. Will it be better to keep that setup with pfSense so that pfSense is only a DHCP relay, too, or shall pfSense directly serve DHCP for each VLAN?
Thanks
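To make the scale of the design in this post concrete (one LACP trunk, three tagged subinterfaces per VLAN, one bridge per VLAN carrying the IPv4 and IPv6 gateway addresses), here is an added shell script that only emits the FreeBSD ifconfig(8) commands such a topology would need; it is not code from the original thread or from pfSense. The interface names (ix0, ix1, igb0, igb1, lagg0), the VLAN range and the address plan are assumptions for illustration; pfSense itself builds these interfaces from its own configuration, so the script is a way to inspect and count what the design implies, not a replacement for that.

```shell
#!/bin/sh
# Added illustration (not from the thread): print the FreeBSD ifconfig(8)
# commands for the topology the post describes. Nothing is executed here;
# the output is meant to be reviewed, and the line count shows the scale.
# All interface names and the address plan below are assumptions.

UPLINK_A=ix0   # assumed: 10GbE port towards the HP5412zl
UPLINK_B=ix1   # assumed: 10GbE port towards the HP5406zl
TRUNK_P1=igb0  # assumed: first 1GbE member of the trunk to the HP2910ai
TRUNK_P2=igb1  # assumed: second 1GbE member of that trunk
TRUNK=lagg0    # HP "trunk" corresponds to an LACP lagg on FreeBSD

# One-time: aggregate the two 1GbE ports into one LACP link.
gen_trunk() {
    printf 'ifconfig %s create\n' "$TRUNK"
    printf 'ifconfig %s laggproto lacp laggport %s laggport %s up\n' \
        "$TRUNK" "$TRUNK_P1" "$TRUNK_P2"
}

# Per VLAN: one tagged subinterface on each of the three links (FreeBSD's
# "parent.tag" shorthand creates a vlan interface on parent with that tag),
# one bridge joining them, and the gateway addresses on the bridge.
# Assumed address plan: 10.<vid/256>.<vid%256>.1/24 and 2001:db8:<vid hex>::1/64,
# which keeps every VLAN in its own prefix for IDs up to 4094.
gen_vlan() {
    vid=$1
    for parent in "$UPLINK_A" "$UPLINK_B" "$TRUNK"; do
        printf 'ifconfig %s.%s create up\n' "$parent" "$vid"
    done
    printf 'ifconfig bridge%s create\n' "$vid"
    printf 'ifconfig bridge%s addm %s.%s addm %s.%s addm %s.%s up\n' \
        "$vid" "$UPLINK_A" "$vid" "$UPLINK_B" "$vid" "$TRUNK" "$vid"
    printf 'ifconfig bridge%s inet 10.%d.%d.1/24\n' \
        "$vid" $((vid / 256)) $((vid % 256))
    printf 'ifconfig bridge%s inet6 2001:db8:%x::1/64\n' "$vid" "$vid"
}

# Emit the whole topology for an inclusive VLAN ID range.
gen_all() {
    first=$1
    last=$2
    gen_trunk
    vid=$first
    while [ "$vid" -le "$last" ]; do
        gen_vlan "$vid"
        vid=$((vid + 1))
    done
}

# Number of commands the range implies: 2 for the trunk plus 7 per VLAN,
# so 200 VLANs come to 1402 lines.
count_cmds() {
    gen_all "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh topology.sh 100 299 > topology.out   (then review the output)
if [ $# -ge 2 ]; then
    gen_all "$1" "$2"
fi
```

Running it for a 200-VLAN range produces 1402 commands, which is a useful sanity check on what "200 bridges, each with three members" means operationally before any hardware is chosen.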
-
Just a heads up, Captive Portal has an issue with more than 120 VLANs, in case you have something crazy like that
https://redmine.pfsense.org/issues/4150
-
Thanks, but we do not need a captive portal. We use 802.11X (EAP) to authenticate the users.
-
Anyone?
What about the http://store.pfsense.org/c2758/ together with the 10GbE expansion card? The manufacturer self-confidently claims that the hardware can handle this smoothly. But when asked for any statistics about the throughput, he failed to provide sound data. On the other side, Thomas Krenn AG (a well respected manufacturer/reseller in Germany) refrained from submitting an offer, because they told me they did not know of any general-purpose, standard PC hardware that would be able to handle that network traffic reliably.
Additionally, I found this post http://www.gossamer-threads.com/lists/nanog/users/177388 that takes up a position somewhere in the middle of those extrema. But ultimately, the conclusion is "it depends".
-
it seems as if it is the performance bottle neck.
You don't know where the bottleneck is? You just want to change something and hope things get better?
-
More or less, yes. The HP switches do not really support instrumentation, hence there is no way to actually look inside and find out if the ASICs are under high load, if they are idle, if buffers are full, etc. There are two reasons why I suspect the HP switch to be the bottleneck. (a) By the method of elimination I do not see any other component that could be the problem. (b) Another organization had a similar setup with similar problems and they moved the routing functionality away from the HP switch to a newly added Cisco 4000 Series router. After that their performance problems were history.
-
I would get better switches.
-
If you're not filtering any of the traffic between VLANs, why have pfSense aware of them at all? There is no way that a pfSense box will have anywhere near the throughput of a L3 switch if all you need is simple routing between VLANs. In my core network at work I use a pair of Cisco Nexus 5548UP switches w/ L3 Modules and 16-port expansion cards for servers and aggregation & Nexus 2248TP Fabric Extenders for 1GbE data center devices.
What is it that you are seeing as a performance bottleneck?