I need to create several distinct VLANs, and provide a way for traffic to move between them. A "router on a stick" approach seems ideal:
                        Internet
                            |
                Router with Trunking Capability
                   ("router on a stick")
                            *
                            *   Trunk between router and switch
                            *
                Switch with Trunking Capability
            |         |         |         |         |
            |       LAN 2       |       LAN 4       |
            |    10.0.2.0/24    |    10.0.4.0/24    |
            |                   |                   |
          LAN 1               LAN 3               LAN 5
       10.0.1.0/24         10.0.3.0/24         10.0.5.0/24
We have trunk-capable Layer-2 switches. The question is what to use as the router on a stick. My choices seem to be:
- Use an existing Cisco 5505 ASA firewall. It appears the ASA can do the routing, but it's a 100Mbps device, and so seems sub-optimal at best
- Buy a router. This seems overkill.
- Buy a Layer-3 switch. Also seems overkill.
- Use an existing, shared Linux Box as a router (e.g. the NIS server)
- Use a dedicated Linux box as a router
- Something I'm not thinking of
I think either (4) or (5) is my best option, but I'm not sure how to choose between them. I expect the amount of traffic that has to cross the VLANs to be somewhat small, but bursty. How much load does routing add to a CentOS machine?
I would suggest either 1 or 5, with 1 being preferred. The Cisco ASA, even with the 100Mbps interface, should be able to handle routing between your VLANs. If you don't expect lots of traffic across VLANs, then why do you feel it won't be able to handle this load? Is the current CPU/mem usage on the ASA that high? What type of Internet connection do you have?
The reason why I would suggest using your existing ASA:
1. Don't need to purchase new hardware, or redeploy current hardware.
2. Reduces the number of potential points of failure. Yes, now everything relies on the ASA, but that is preferred over having to worry about the ASA and a dedicated Linux server acting as a router. You could just purchase another ASA in the future and set up HA.
I'd use a dedicated device: either a layer 3 switch, router, or dedicated commodity PC.
The nicest thing about using a dedicated device is that you don't lose your intra-VLAN routing because of regular maintenance events like server computer patches / reboots. A sufficiently stripped-down Linux or OpenBSD installation running no unnecessary services will need very little in the way of regular patching and rebooting (not unlike most purpose-built embedded devices), and you can use less volatile storage technologies than hard disk drives, like boot from flash or optical media.
Rather than relying on any off-the-shelf benchmarks I'd do some in-house testing with the types and quantities of traffic that you expect to be moving around. Particularly on a shared server / router scenario, the character of your particular server computer's existing workload and NIC drivers are going to play a big role in performance.
My prior experience suggests that you wouldn't expect to see a noticeable hit in performance for a lightly-loaded server computer's other duties if it were processing small, bursty routing traffic. YMMV, though, and you should test it out and see.
Option 1 is good as:
Options 2 and 3 are not desirable due to cost overhead.
Options 4 and 5 are both OK if your NIS server stays up most of the time and does not require tinkering. If you use the NIS server for inter-VLAN routing, then whenever you reboot the server for maintenance the network will stop working. If the NIS server is not reliable or requires frequent reboots, then a dedicated server is better. Again, it depends on how much the cost of one additional server matters.
Options 4 and 5 will allow you to put basic firewall rules in iptables if you want to allow only certain types of inter-VLAN traffic. You can also capture packets using tcpdump/wireshark and analyze them in case of problems. Having a Linux machine as the main router would be heaven for people who want to learn network diagnostics by capturing and analysing packets. You can also run a DHCP server on this machine; since you do not have a Layer 3 switch you cannot specify 'ip helper-address', so this is the only way to have a centralized DHCP server without an L3 switch.
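To make the Linux-router option (4 or 5) from the question and the iptables point in the last answer concrete, here is an added example script; it is not from the question or any of the answers. It assumes the trunk NIC is eth0 (override with TRUNK=...), that the 802.1Q VLAN IDs 1 through 5 match the LAN numbers in the diagram, that the router takes 10.0.<n>.1 in each /24, and it uses a constructed forwarding policy in which only hosts in LAN 2 may open connections into LAN 1 while everything else between VLANs is dropped and logged. Without arguments it only prints the commands it would run; with the argument "apply" it executes them (as root).

```shell
#!/bin/bash
# Added example: Linux "router on a stick" for the question's topology.
# Assumptions (not from the page): trunk NIC eth0, VLAN id = LAN number,
# router address 10.0.<id>.1/24 in each VLAN. DRY_RUN=1 prints instead of
# executing. Caveat: on Cisco trunks VLAN 1 is the untagged native VLAN by
# default, so in a real deployment pick tagged IDs (e.g. 10, 20, ...) instead.
set -u

TRUNK="${TRUNK:-eth0}"      # trunk NIC (assumption)
DRY_RUN="${DRY_RUN:-1}"     # 1 = print commands, 0 = execute them
VLANS="1 2 3 4 5"           # VLAN IDs assumed to match LAN 1..5 in the diagram

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Router's own address inside VLAN $1: 10.0.<id>.1/24 (assumed addressing plan).
vlan_gateway() {
    printf '10.0.%s.1/24' "$1"
}

# One 802.1Q subinterface per VLAN on the trunk NIC, e.g. eth0.3 for VLAN 3.
setup_vlan_interfaces() {
    for id in $VLANS; do
        run ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
        run ip addr add "$(vlan_gateway "$id")" dev "$TRUNK.$id"
        run ip link set "$TRUNK.$id" up
    done
}

# Without this the box answers ARP for its own addresses but forwards nothing.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Default-deny inter-VLAN forwarding, then allow only what is wanted.
# Constructed policy: LAN 2 may open sessions into LAN 1; return traffic for
# any allowed session passes via conntrack; everything else is dropped and
# rate-limited logging makes the drops visible when something "doesn't work".
setup_forward_policy() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TRUNK.2" -o "$TRUNK.1" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "INTERVLAN-DROP: "
}

# "./router.sh apply" executes as root; anything else just prints the plan.
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
setup_vlan_interfaces
enable_forwarding
setup_forward_policy
```

The dry-run default is deliberate: reviewing the printed plan (or diffing it against the current `ip -d link show` and `iptables -S FORWARD` output) before applying is cheaper than discovering a typo from a host that has lost its gateway. The LOG rule is what turns the "capture packets and analyze" advice from the answer into something you can do from the router's own syslog without attaching tcpdump first.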