The internal structure of the RN20 differs from a standard switch because it introduces the concept of "zones" that cross physical boundaries and have VLANs assigned to them. This is intended to allow administrators to implement packet filtering and traffic shaping within a VLAN, rather than just between VLANs. It's possible to replicate this approach using switches from other vendors, but they generally cost more than the $20,000 RN20, and they typically don't include load-balancing and traffic-shaping features. Other products that offer these features generally do so à la carte, at three or four times the cost.
Ranch has the right idea in that most networks don't require client systems to be able to communicate with one another. Adding packet filtering at the core to prevent this action can help stop intruders and the spread of viruses.
Despite the solid concept, the solution has problems. The duplex issues are a hassle, the management interface isn't mature, and the documentation needs to be improved.
Set 'em up
The RN20 is a 2U rack-mount device with 12 copper 10/100 ports, a true out-of-band management port, a DB9 console connection, and an LCD panel. Initial configuration requires navigating through a menu on the LCD panel and configuring a management IP address and default gateway. My test unit came without a down arrow; one of the triangular buttons had been rotated 45 degrees. This couldn't be fixed without opening the unit.
Once the interface was configured, a patch cable was run from the management port into the network, and the unit was available for configuration via a Web interface. Basic configuration is simple if one grasps the relationship between zones and VLANs, but the coordination between the two should be simpler.
Unfortunately, the Web interface is quirky and browser-specific, requiring Internet Explorer 5.5 or higher on Windows XP or 2000. Some configuration functions, such as drop-down lists of configured zones, are available in the Network Services Configuration section but not in the Bandwidth Accounting and Control section. Some sections of the configuration contain buttons for functions that aren't yet available, such as the ability to modify an existing firewall rule.
Other sections of the GUI contain a surprisingly vast array of configuration options, including some not found on most firewalls. In the firewall configuration, for example, it's possible to create rules that filter on specific TCP header contents well beyond source/destination IP and port. This is a nice feature, but of limited value.
One noticeably absent function was the ability to forward DHCP broadcasts to a DHCP server (DHCP relay). The RN20 cannot accommodate a single DHCP server with multiple scopes; to implement DHCP, a DHCP server must exist on every VLAN. Ranch hopes to remedy this problem by building a DHCP server into a later firmware release.
The RN20's documentation touches on every aspect of operation but lacks depth and clear examples in key areas. There is no printed manual; all manuals are on a single CD in Microsoft Word format. Additionally, all examples in the documentation (not to mention the default configuration on the unit) refer to public IP ranges for the internal networks. If the unit is implemented without removing the references to these ranges (or worse, the network is built around those ranges), then Internet resources on those IP ranges will not be accessible from hosts within the network behind the RN20.
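The address-overlap problem described above is easy to catch before deployment: every subnet assigned to an internal zone should fall inside the RFC 1918 private blocks, and any that does not will "shadow" the matching slice of the Internet, because hosts treat it as local rather than sending it to the default gateway. The following is an added example (not code from the review or from Ranch Networks) that audits a zone-to-subnet mapping; the zone names, the subnets and the configuration format are constructed for illustration, and 203.0.113.0/24 is a documentation range standing in for a public block copied from vendor manuals.

```python
import ipaddress
from typing import Dict, List, Optional

# RFC 1918 private address blocks. Anything outside them is presumed to be
# routable Internet space that an internal zone must not reuse.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample zone configuration: zone name -> subnets assigned to it.
# The second "Clients" subnet is a non-private block left over from the docs.
SAMPLE_ZONES: Dict[str, List[str]] = {
    "Server": ["10.1.1.0/24"],
    "Clients": ["192.168.10.0/24", "203.0.113.0/24"],
}


def is_rfc1918(cidr: str) -> bool:
    """True if the whole IPv4 subnet lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not isinstance(net, ipaddress.IPv4Network):
        return False  # RFC 1918 only defines IPv4 space
    return any(net.subnet_of(block) for block in RFC1918)


def audit_zone_subnets(zones: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {zone: [subnets that are not RFC 1918]}, listing only zones with findings."""
    findings: Dict[str, List[str]] = {}
    for zone, cidrs in zones.items():
        bad = [c for c in cidrs if not is_rfc1918(c)]
        if bad:
            findings[zone] = bad
    return findings


def shadowing_zone(zones: Dict[str, List[str]], dest_ip: str) -> Optional[str]:
    """Name the internal zone whose subnet would swallow traffic to an outside
    host (so the host becomes unreachable from behind the switch), or None."""
    addr = ipaddress.ip_address(dest_ip)
    for zone, cidrs in zones.items():
        for c in cidrs:
            if addr in ipaddress.ip_network(c, strict=False):
                return zone
    return None


if __name__ == "__main__":
    for zone, subnets in audit_zone_subnets(SAMPLE_ZONES).items():
        print(f"zone {zone!r} uses non-private space: {', '.join(subnets)}")
    blocked = shadowing_zone(SAMPLE_ZONES, "203.0.113.80")
    print(f"an Internet host at 203.0.113.80 would be captured by zone: {blocked}")
```

Run against a real export of the zone table, the audit lists every subnet that needs replacing, and `shadowing_zone` answers the practical question of which zone is to blame when a particular outside host cannot be reached.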
Knock 'em down
During initial cabling, I noticed that some systems and downstream switches were linking to the RN20 at half-duplex, even when the port was forced to full-duplex. Although the problem was limited to three ports, it could not be resolved on some systems and switches. Other switches did link at 100Mb full-duplex.
Another knock against the RN20 was the density of the 12 copper ports. It's not possible to seat a rubber-booted patch cable above another booted patch cable; the RJ45 connectors are simply too close to each other.
The RN20 performed as well as expected in my filtering tests, accurately filtering packets at wire rate. But performance of the switch suffered while pushing approximately 500Mbps through the filters between several hosts.
I also implemented load balancing and traffic shaping between the Internet and Server zones. Configuring traffic shaping was a frustrating task, rife with inexplicable error messages from the management interface, and hobbled by the vague documentation. I was able to configure guaranteed and maximum limits on applications at Layer 4. The RN20 cannot shape based on application data but can shape adequately at the TCP/UDP port level.
The load-balancing configuration was simpler, offering weighted round-robin and least-connections balancing algorithms. The RN20 can provide persistent (sticky) connections for SSL services based on source IP address but cannot do so based on cookies or HTTP header information. That reduces its effectiveness when dealing with super proxies such as AOL. I implemented load balancing for Web and DNS services, and the RN20 dutifully balanced the load.
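The two balancing algorithms named above, and the reason source-IP persistence breaks down behind a large proxy, can be shown in a few dozen lines. The following is an added example written for this review (not Ranch Networks code, and not a description of how the RN20 selects a backend internally): it implements weighted round-robin, least-connections and a hash-based source-IP persistence scheme, then counts how 300 directly connected clients spread across three backends versus 300 clients that all arrive from one proxy address. The backend names, client addresses and the use of a SHA-256 hash for persistence are all assumptions chosen for illustration.

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Sequence


class WeightedRoundRobin:
    """Hand out backends in proportion to their weights, e.g. A:2, B:1 -> A, A, B, A, A, B ..."""

    def __init__(self, weights: Dict[str, int]):
        # Expand weights into a ring: a weight-2 server appears twice per cycle.
        self._ring: List[str] = [name for name, w in weights.items() for _ in range(w)]
        self._pos = 0

    def pick(self) -> str:
        server = self._ring[self._pos % len(self._ring)]
        self._pos += 1
        return server


class LeastConnections:
    """Send each new connection to the backend with the fewest active ones."""

    def __init__(self, servers: Sequence[str]):
        self.active: Dict[str, int] = {s: 0 for s in servers}

    def pick(self) -> str:
        server = min(self.active, key=self.active.get)  # first listed wins ties
        self.active[server] += 1
        return server

    def release(self, server: str) -> None:
        self.active[server] -= 1


def persist_by_source_ip(servers: Sequence[str], client_ip: str) -> str:
    """Source-IP persistence: hash the client address so the same client always
    reaches the same backend (hashing is an assumption; the review does not say
    how the RN20 maps an address to a server)."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def distribution(servers: Sequence[str], client_ips: Iterable[str]) -> Counter:
    """How many of the given client sessions each backend receives under source-IP persistence."""
    return Counter(persist_by_source_ip(servers, ip) for ip in client_ips)


def backends_used(servers: Sequence[str], direct: Iterable[str], proxied: Iterable[str]):
    """Number of backends that see any traffic for direct clients vs. proxied clients."""
    return len(distribution(servers, direct)), len(distribution(servers, proxied))


SERVERS = ["web1", "web2", "web3"]
# Constructed inputs: 300 distinct client addresses, and 300 clients whose
# sessions all emerge from a single proxy address.
DIRECT_CLIENTS = [f"10.{i // 256}.{i % 256}.7" for i in range(300)]
PROXIED_CLIENTS = ["203.0.113.9"] * 300

if __name__ == "__main__":
    print("direct clients  :", dict(distribution(SERVERS, DIRECT_CLIENTS)))
    print("proxied clients :", dict(distribution(SERVERS, PROXIED_CLIENTS)))
    print("backends used (direct, proxied):", backends_used(SERVERS, DIRECT_CLIENTS, PROXIED_CLIENTS))
```

With distinct client addresses the sessions spread over all three backends; with every client sharing the proxy's address they collapse onto one, which is exactly why cookie- or header-based persistence matters when a large share of users sit behind a handful of proxy IPs.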
Ranch Networks has the right idea with the RN20, as it combines the functions of several devices into a single $20,000 unit, and provides internal firewalling at the core. Given that Ranch Networks is a young company offering young products, the RN20 shows promise despite some notable rough edges.