Thanks Matts for your comprehensive reply
And thank you for the indulgence.
I have ordered a 2960.
Good luck with that. I never quite saw the point of spending £500 on what is at heart a cheap Chinese router.
The firewall fails to block SNMP packets (a 2955 bug also - I spent hours today proving it). No fixes for the 2955 but the latest 2960 firmware fixes these.
From what I recall the SNMP bug is mitigated by enabling the SNMP agent and setting an unreachable management IP. There are similar 'tricks' for the management UI.
The reason we were seeing "untrusted" packets in the SNOM phone logs was because of the Draytek firewall SNMP (port 161) bug. The public subnet is under a constant attack (of course) but only a few of them are port 161. The rest are high VOIP ports.
Hmm...Yes...And no. The reason you are seeing untrusted packets in the phone logs is because the firewall is not filtering the untrusted packets. The target of an attack is an interface, the 'subnet' is merely a logical imposition. The 'outside' interface is under constant attack. On the 'inside' interface you should only see the packets you want forwarded to/from the outside interface, otherwise the firewall is not doing its job or the firewall policies are inadequate.
So the 2955 firewall *does* work for the 2nd Subnet. It just has the port 161 bug. One can check this with syslog on the firewall.
The last time I checked the 'use for routing' option did what it said on the tin. Packets are simply forwarded at Layer 3, bypassing the higher layer functions. NAT and firewall are Layer 7 functionality. Syslog is useful for diagnostics but to be sure of what is actually occurring at the interface, one connects a packet sniffer to the wire and learns how to use it.
The 2960 also claims to support a facility whereby the subnet is routed through to a specific RJ45, so you have a sort of physical separation. I think they do it by tagging an IP range, and then they use a tagged VLAN feature.
You are talking about the multi-tenant scenario. The example use case is a WAN link being shared by separate customers in the same building.
A simple multi-tenant configuration uses a port based VLAN to partition the switch (Layer 2) into separate 'segments' (broadcast domains). Above Layer 2 the packets are transiting a software blob and any traffic segregation is entirely logical. Above Layer 3 a port based VLAN resembles the individual network interfaces in a multi-homed host, allowing a single DHCP server process to provision a different subnet on each segment. On a single switch or stack you do not need tagging, as traffic at Layer 3 is already classified by IP and subnet mask.
You can think of a port based VLAN as a 'vertical' partition in a single switch or stack. Tagging becomes necessary when the VLAN needs to be extended 'horizontally' between switches and stacks connected by standard media (UTP, fibre).
What routers do you think are better?
For small businesses with less than 100Mbps of WAN bandwidth and wanting to migrate away from Draytek, my starting point is the Ubiquiti EdgeMax. At the entry level, £50 buys 5 x 1 GbE ports, 1.5Gbps of throughput and a half useful web GUI. I can sell an EdgeMax and include the time to configure it at a similar price to a low end Draytek.
Ubiquiti devices are a very different proposition to the Draytek devices though. When you buy an EdgeMax you are essentially buying a ready-rolled Vyatta platform.
This is just one of my preferences. I won't make recommendations without a requirement.
I would prefer something without major bugs...
Good job you got rid of the RV320 :eek
Every year or so I have to toddle off and renew my Cisco Express certification for the sake of a business I'm partnered with. Every year or so I am reminded why I no longer bother with Cisco.
I would be interested to hear how you get on with the 2960.
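The check the reply above keeps coming back to (sniff the inside wire rather than trust the router's syslog, and expect to see only traffic the inside asked for) can be scripted over a capture. The example below is added here and is not from anyone in the thread; it assumes the second subnet is 192.168.2.0/24, that the capture was taken with `tcpdump -nn` on the inside interface, and the sample lines are constructed, not a real capture. It treats an inbound packet from a non-trusted source as "solicited" only if the inside host had already sent the reverse flow out, and separately counts the port 161 hits the thread attributes to the SNMP bug.

```python
import ipaddress
import re

# Address space considered trusted on the inside wire: the phone subnet plus
# RFC1918. Assumed for this example; set it to your own second subnet.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("192.168.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Summary line as printed by `tcpdump -nn` for IPv4 TCP/UDP: "<ts> IP a.b.c.d.port > e.f.g.h.port: ..."
PKT_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample capture from the inside interface (not real traffic).
SAMPLE_CAPTURE = [
    '12:00:01.000001 IP 192.168.2.10.5060 > 198.51.100.7.5060: SIP: REGISTER sip:198.51.100.7',
    '12:00:01.000002 IP 198.51.100.7.5060 > 192.168.2.10.5060: SIP: SIP/2.0 200 OK',
    '12:00:01.000003 IP 203.0.113.45.51234 > 192.168.2.10.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.1.0',
    '12:00:01.000004 IP 203.0.113.45.44444 > 192.168.2.10.5060: SIP: INVITE sip:100@192.168.2.10',
    '12:00:02.000005 IP 192.168.2.1.53 > 192.168.2.10.40000: 1234 1/0/0 A 198.51.100.7 (48)',
    '12:00:02.000006 IP 198.51.100.7.5060 > 192.168.2.10.5061: SIP: OPTIONS sip:192.168.2.10',
]


def is_trusted(addr):
    """True if addr falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def parse(line):
    """Return (src, sport, dst, dport) for an IPv4 tcpdump summary line, else None."""
    m = PKT_RE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def untrusted_inbound(lines):
    """Return packets from untrusted sources that no inside host solicited.

    A packet from outside is solicited if the exact reverse 4-tuple was seen
    leaving earlier in the capture; anything else should have been dropped by
    the firewall before it reached the inside wire.
    """
    outbound = set()
    flagged = []
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        src, sport, dst, dport = pkt
        src_ok, dst_ok = is_trusted(src), is_trusted(dst)
        if src_ok and not dst_ok:
            outbound.add((src, sport, dst, dport))
        elif not src_ok and dst_ok:
            if (dst, dport, src, sport) in outbound:
                continue  # reply to a flow the inside host opened
            flagged.append(pkt)
    return flagged


def snmp_hits(flagged):
    """Subset of flagged packets aimed at UDP/TCP port 161 (SNMP agent)."""
    return [p for p in flagged if p[3] == 161]


if __name__ == "__main__":
    leaks = untrusted_inbound(SAMPLE_CAPTURE)
    for src, sport, dst, dport in leaks:
        print(f"unsolicited {src}:{sport} -> {dst}:{dport}")
    print(f"{len(leaks)} unsolicited, {len(snmp_hits(leaks))} of them SNMP")
```

Run it against a real file with `tcpdump -nn -i <inside-if> -l | python3 check.py` after swapping `SAMPLE_CAPTURE` for `sys.stdin`; any line it flags is traffic the firewall let through, and a clean run on the inside wire is the evidence the thread says syslog alone cannot give.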