The SRX5308 uses the same menu structure as the FVS336G, FVS318G, and UTM10, with multiple top menu options across the upper part of the web page. Once a top menu option is selected, additional submenus appear below it. Clicking on a submenu reveals one or more tabbed configuration screens. Table 1 lists the menu options for the SRX.
| Top menu | Submenus |
|---|---|
| Network | WAN, Protocol Binding, Dyn DNS, LAN, DMZ, Routing |
| Security | Services, Schedule, Firewall, Address Filter, Port Triggrng, UPnP, Bandwth Profile, Content Filtering |
| VPN | IPSec VPN, SSL VPN, Certs, Status |
| Admin | Remote Mgt, SNMP, Backup and Upgrade, Time Zone |
| Monitoring | Status, Active Users, Traffic Meter, Diagnstcs, Logs and Email, VPN Logs |
| Web Support | Overview, Knowldg Base |
Table 1: Menu structure
I've used quite a few NETGEAR products and I find the menus intuitive. However, they could be better organized. In the Network menu, you'll find configuration options for WAN ports and Protocol Binding. In the Security menu, you'll find the configuration option for Bandwidth Profiles. In the Monitoring menu, you'll find the option for configuring Traffic Metering. As all these options apply to the WAN ports and are related, it would make more sense to me if they were in the same menu or submenu.
Configuration stability was generally good and I didn't experience crashing of the router as I changed menus and options. Intermittently, I experienced several seconds of lag when going from menu to menu, especially when manipulating WAN configurations.
The Web Support menu in Table 1 is worth pointing out. This menu provides links to NETGEAR's knowledge base, as well as the full manual for the device, which is handy.
A distinguishing feature of the SRX5308 is its four WAN ports. All four ports are Gigabit Ethernet with DHCP, Static, PPPoE, and PPTP Internet connections all supported. The MTU value on each port is adjustable, with a maximum value of 1500 bytes. So jumbo frame capability on the WAN ports is not supported.
There is a nice display providing status for all eight router ports in the Monitoring menu. As shown in Figure 4, it provides an up/down status on each WAN port and the IP addresses for both the WAN and LAN ports.
Figure 4: Port status
With four WAN ports, you definitely need a good toolset to manage them well. NETGEAR provides multiple tools to leverage all your network's bandwidth, including Load Balancing, Auto Failover, and Protocol Binding.
Load balancing mode is used to distribute traffic over multiple WAN connections, with options for weighted load balancing or round-robin load balancing.
Auto-rollover mode is best used when you have only two WAN connections, since it allows for just a primary and failover interface—the other two interfaces are disabled in this mode. I tested this mode and simulated a WAN interface failure by disconnecting the WAN 1 interface while running a continuous ping to an Internet destination. I was impressed. Only one or two ping packets were lost as the router detected the port down and routed the traffic to the other interface. This is a dramatic improvement over the failover performance of the FVS336G, which took over a minute!
Protocol Binding allows for directing specific traffic to any one of the four WAN ports. There are 63 predefined services or traffic types, which along with source and destination IP values, can be used to direct specific traffic out over certain WAN ports. Additional custom services can be added based on port and protocol. For example, in networks using VoIP, it might be useful to run SIP traffic in and out the WAN 1 interface while sending web traffic to the WAN 2 interface.
WAN Mode options include NAT or Classical Routing. The option is global, however, meaning all four interfaces must be in NAT mode or in Classical Routing mode. I'd like to have the option to enable NAT or Classical Routing per interface. Let's say your network has a cable modem, DSL modem and a T1 for WAN connectivity, all using NAT mode. It could be useful to use the fourth WAN port to route internal traffic in Classical Routing mode if the SRX had the option to configure NAT and Classical Routing on a port-by-port basis.
The SRX has tools to manage traffic volume through the WAN interfaces. If one of your WAN interfaces is usage sensitive, total monthly traffic can be limited by Megabytes per WAN interface. If you enable Traffic Metering, with or without a limit, the SRX produces a running total of traffic, as shown in Figure 5.
Figure 5: Traffic Statistics
If you're wondering what type of traffic is generating usage on your network, an additional report is available that provides a simple breakdown of traffic by three types: Email, HTTP and Other, shown in Figure 6.
Figure 6: Traffic detail
The four LAN ports are also Gigabit Ethernet. Like the WAN ports, the LAN ports' Maximum Transmission Unit (frame size) is not adjustable. I tested for jumbo frame capability anyway and found the LAN ports support up to 1962-byte frames, as you can see in Figure 7. Although this is higher than a standard 1500 (or 1518) byte frame size, it's not large enough to be of much use.
Figure 7: You can get jumbo-ish frames
The SRX5308, FVS318G and UTM10 all have Gigabit Ethernet LAN ports, yet none support true jumbo frames. I think the SRX would have more utility if the option existed to adjust MTU by LAN port, or even if they automatically passed up to 9K jumbo frames. I asked NETGEAR about this and they said jumbo frame support is on their “road map and it'll just be a matter of time”.
VLAN tagging capability adds a lot of functionality to a network. VLANs are often used to separate LAN traffic, which is useful to improve network security and performance. I really like the VLAN capability of the SRX, which is spec'd to support up to 254 VLANs. The manual refers to the VLAN functionality as port-based, yet it supports 802.1q VLAN tagging as well.
Each LAN port on the SRX must be assigned to at least one VLAN, which becomes its Port VLAN Identifier, or PVID. If you assign more than one VLAN to a port, the port becomes a trunk for connection to a switch or another router. Untagged frames are assigned the PVID of the port. Tagged frames are forwarded to the appropriate port(s) based on the VLAN assignments.
To test the SRX's VLAN tagging capability, I added VLANs 5 and 6 and assigned them both to port 3. I enabled the DHCP server on the SRX for both VLANs, using subnet 192.168.5.0/24 for VLAN 5 and 192.168.6.0/24 for VLAN 6, as shown in Figure 8.
Figure 8: VLAN config
I next connected a NETGEAR GS108T smart switch to the SRX, cabling the SRX's port 3 to port 1 of the GS108T, and configured that port 1 as a trunk port. I then configured the GS108T's port 2 in VLAN 5 and port 3 in VLAN 6.
When I connected a PC to port 2 on the GS108T, it was assigned an IP address in the 192.168.5.0/24 subnet, the proper range for VLAN 5. Likewise, when I connected a PC to port 3 on the GS108T, it was assigned an IP address in the 192.168.6.0/24 subnet, the proper range for VLAN 6.
This little test verified the SRX is tagging the frames it sends and receives over ports with multiple VLANs. I also tested the SRX's VLAN capability with a Linksys SRW2008 and had the same solid results. So it appears the SRX5308 plays well with other brands of switches.
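The PVID and tagging rules described above can be modelled in a few lines. This is an added example, not NETGEAR's code or part of the original review: it parses the 802.1Q tag from a raw frame, applies the ingress rule, and maps the result to the DHCP pools used in the test. The port table, the PVID of 1 on every port, the dropping of tagged frames on non-member ports, and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed port table modelled on the test: port 3 carries VLANs 5 and 6.
# PVID 1 on every port is an assumption; the review does not state it.
PORTS = {
    1: {"pvid": 1, "vlans": {1}},
    2: {"pvid": 1, "vlans": {1}},
    3: {"pvid": 1, "vlans": {1, 5, 6}},
    4: {"pvid": 1, "vlans": {1}},
}
# DHCP scopes per VLAN, taken from the review's test setup.
DHCP_POOLS = {5: "192.168.5.0/24", 6: "192.168.6.0/24"}

def parse_vlan(frame: bytes):
    """Return (vlan_id or None, ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype          # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner          # low 12 bits of the TCI are the VLAN ID

def classify(ingress_port: int, frame: bytes, ports=PORTS):
    """Untagged frames take the port's PVID; tagged frames must match a member VLAN."""
    vid, _ = parse_vlan(frame)
    cfg = ports[ingress_port]
    if vid is None or vid == 0:         # VID 0 is a priority tag, handled as untagged
        return cfg["pvid"]
    return vid if vid in cfg["vlans"] else None   # None means the frame is dropped

def dhcp_pool(ingress_port: int, frame: bytes):
    """Subnet a DHCP request would be served from, or None if no scope applies."""
    return DHCP_POOLS.get(classify(ingress_port, frame))

def make_frame(vid=None) -> bytes:
    """Constructed broadcast frame (such as a DHCP discover), optionally tagged."""
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x00" * 46
```

A frame tagged for VLAN 5 arriving on port 3 resolves to the 192.168.5.0/24 scope, while the same frame arriving on port 1, which is not a member of VLAN 5, is dropped in this model.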
VLANs are also a best practice if there are VoIP devices on your network. It is a good idea to put VoIP traffic in its own VLAN to ensure VoIP call quality.
In addition to supporting VLANs, the SRX can perform as a SIP Application Layer Gateway (ALG). This simple function enables the router to change the IP address in the SIP header of a VoIP packet to match the public IP address of the router for outgoing SIP messages.
NETGEAR lists the SRX as compatible with VoIP devices from Linksys, SNOM, Cisco, X-Lite, D-Link, Grandstream, Polycom, Siemens, and Aastra. Enabling the ALG is a simple check box in the Advanced menu section of the Firewall (Figure 9).