So... to close this one out. I finally actually replaced the RB2011 with the RB3011 yesterday, and took the opportunity to use some better encryption algorithms. It's doing over 3X the IPSEC throughput compared with the 2011 (average 90Mbit vs 20Mbit), which is pretty close to the limit of the link (100Mbit). So my gut feel is it could go further if I had the bandwidth for it. Thanks Mike & the Duxtel team for humouring my 10000 questions! Average CPU was 30% for the duration of the transfer instead of 90% which is also a good indication of headroom I guess. I did a backup / restore of the config which mostly worked fine, except a couple of gotchas: - the interface labelling was weird on the restore. For example the switch ports were labelled 1-8 following the physical layout... but on restore they became 1,2,3,4,8,7,6,5 which messed me up until I worked out what was happening. - The policy routes for IPSEC tunnels didn't restore - The IPSEC PSK didn't restore but easy enough to sort out once I'd worked that out. The thing that caused me most grief actually was creating a borked IPSEC policy route which locked me out of the device totally. Had to log in via console port to disable it. The reset button didn't work btw - it just kicked into etherboot mode but I couldn't get it to actually do a factory reset using the reset button. Cheers all! On Wed, 6 Nov 2019 at 13:17, Chris Herrmann <chrisherrmann7@gmail.com> wrote:
Sounds like the RB3011 will fit the bill... I don't quite need to push 1.8Gbps per stream :)
The RB3011/4011 are both more $$ than the RB450Gx4 or 750Gr3. If the extra $ are necessary to meet what i want then that's fine, but if the smaller unit will do it - then that would be better as it's smaller... presumably lower power and cheaper.
@Russell I think the VLAN on switch chip might be the thing that tripped me up with one of the other units I played with, in which case the 3011 would be a better option?
Cheers,
Chris