need some recommendations on hardware....

Hey all,
Boy, we are growing fast! And with the network not properly setup from the get go Iam playing catch up.
I would like any and all suggestions.

As of now we have just consumer switches at our towers. Iam afraid to even look and see how many pps they can pass. Until I learn how to use all the gadgets with a managed switch I want to get something that IS managed but I can just plug in and not worry about it. Then when things slow down I can get all the goodies going on it. I have been looking at MikroTik switches but not sure what I need to be looking for. I want to implement vlans in the near future so it need to be vlan capable. What other spec should I look for? And what other brands?

Do you all use one at your gateway? I have sm isolation enabled but I want to further protect our customers from virus out breaks and the such… And what specs should I pay attention to in a firewall? I guess it needs VPN passthrough but what else? I want something that can grow with the company. We have about 200 subscribers as of now. And something easy to sey up until I can sit down and mess with it.

And anything that you all think will make my life easier.

Thanks all

Congrats on hitting 200 subscribers!

Switch-wise, I would strongly advise checking out eBay for some Cisco 2900s. Very stable switches, good feature set, excellent price. Plus you can plug-n-play them until you can figure out how to make them work for you. Extremely popular line of switches with lots of documentation and help scattered across the 'net.

Firewall-wise, there are a lot of different options depending on how involved you want to become with your customer traffic…
- are you NATting?
- do you intend to perform DPI?
- do you need to perform some rate limiting?
- do you need transparent proxying?

We just dump them out of a PPPoE router onto the Internet with a few basic ACLs in place to stop major viruses and spam bots for our dynamic customers. (You know the stuff - block SMB, MS SQL, SMTP, whatever the nasty-de-jour is.)

Everything you need for a tower. No Fan, Managed, SNMP, VLAN, QoS, etc, etc, etc. … EWN1C0.htm

Milan switches have done us well.
Fortigate firewalls are excellent

Both are GUI based, but you can get into some CLI if thats your forte. They both are solid performers under heavy loads.

personally we use mikrotiks at every site and they have been phenomenal for its reliability, feature set, and price. they can do switching or routing or both at the same time. we are planning to start using transparent proxying and possibly set up for vlan’ing

we tried those procurves out, it turns out you cant turn off ports

Thanks all for the replies. Keep them coming.

The mikrotiks are they pretty much plug and play or do I need to load the MIBs in?
And the procurves how do they do in cold enviroments?


mikrotiks are fairly easy to setup and get running but it does take a little while to get adjusted to setting them up if your use to Cisco equipment, its a little different. MIB’s are for monitoring and if using anything other than the dude i suspect you would have to install them into your NMS

Thanks all.
I think Iam going to start off with the procurve switches.
There small enough to fit in our box on site.

A few questions about these fortigate firewalls. Does the Unified Threat Management slow down the network and or the users experience? Do you all use the series with the UTM?
If you were me with 200 customers and growing which ones would you be looking at?

Thanks for any info

we use a fortigate 60 as a backup router for our core imagestream, it handles the load for passing traffic, not the scanning, that would kill this model, but thats also close to 700 customers.

Contact fortigate and ask them about the provider routers they offer, they are designed to handle the scanning of a large provider network, and their support is impeccable. You can usually google any issue you encounter and find a solution on the web.

The 50s would handle the traffic and basic scanning at POPs, but for a core router you would need a big boy, which you would pay (invest) for.

Ok, so I think I narrowed my firewall choices down to 2.
the Fortinet FortiGate 200A
and the
Fortinet FortiGate 300A
the thing Iam worried abot is the “capacity” spec.
anybody care to comment?

Before you go with the Fortigate (I’m not saying not to) you may want to take a hard look at MikroTik. I was able to see a presentation on some of the capabilities of MikroTik and I have to say, I was very impressed. Deep packet inspection allows shaping based on traffic signatures. This means you can shape P2P running on any port. A MT box can also terminate PPPoE sessions, as well as a number of other tasks.

MT runs on routerboards or your own Intel/AMD platform. Routerboards are pretty cost-effective - an RB600 can do 100kpps for ~250.00, and an RB1000 can do 400kpps for ~700.00.

I’m not saying it’s the end all be all, but its worth a look. More than a few WISP’s, some with thousands of users are running it with great success.

we do use a RB1000 as our core router with approx. 900 customers with lots of room to spare, cpu usage is usually only about 15% it has been running since august 2008 with absolutley no problems and for $700 its a great deal. also they have gigabit ports for when we upgrade in the far future. makes custom routers for any solution.

Boy, talk about saving a CHUCK of change!
I do like it. Will it play nice with our cisco router.
So, I guess its a either or kind of deal…its either a router or a switch or a firewall? Iam looking at the RB1000.
Well, I guess I need to do some reading up on it.

Anybody do business with It looks like they just put the board in a case and sell it?


Replaces the Cisco.

It routes, switches, firewalls, slices, dices, frappe’s, flambe’s…

Talk to Dennis Burgess over at

Like Jerry said it does do everything and more for a minimal cost. It will play nice with Cisco equipment if properly configured.

well, I got my procurve switches and I want to get them installed here real soon.
I was looking over the management and config. guide and was curious on the section about rate limits to control broadcast storms. Now, I have ticked PPPoE, SMB, Bootp server and IPv4 Multicast under port filtering at the SM. Is that sufficient or should I enable the rate limit on the switch? If so, what should I set the limit to? 1K, 2K…

Thanks for any info.

We also use the ProCurve 1700 switch at a few SM to AP backhaul sites. I would be very interested in recommendations on setting the Rate Limits. Would the limit be different if we you use DHCP or not?

In addition there are two other settings to choose for each port, LLDP and Flow Control. I am assuming both should be off?

Jerry Richardson wrote:
Deep packet inspection allows shaping based on traffic signatures. This means you can shape P2P running on any port. A MT box can also terminate PPPoE sessions, as well as a number of other tasks.


Do you know which of the models/versions does traffic shaping?

MikroTik’s RouterOS is an open-architecture software that runs on routerboards.