Speeds and feeds

David Lang dlang@diginsite.com
Wed, 3 Jun 1998 13:53:17 -0700 (PDT)


I was not the person doing it at the time, but we were able to change over from 1
T-1 with a cisco 2501 to 4 T-1's (with A.S.) with a cisco 4700 with only the
down time needed to change out the routers.

David Lang


On Tue, 2 Jun 1998, Stout, Bill wrote:

> Date: Tue, 02 Jun 1998 13:56:43 -0400
> From: "Stout, Bill" <StoutB@pioneer-standard.com>
> To: Firewall-wizards <firewall-wizards@nfr.net>
> Subject: Re: Speeds and feeds
> 
> 
> Thanks for all the replies.
> 
> The T-1 is definitely the bottleneck, there are about 30 engineers who
> do heavy FTP traffic towards the end of the day, the 150-person company
> just received funding, and will triple headcount including engineers.
> They also have two remote offices wired in via F-T1 Frame-Relay which
> access the Internet via the same Internet T-1, and the company is
> considering replacing the F/R with VPNs.  They do product demonstrations
> through remote dial-up to the external webservers.  Their existing
> firewall is FW-1.  They have four 255.255.255.192 (26-bit) subnets.
> 
> T-3s aren't that $bad out here in Silicon Valley, there are a lot of
> local POPs and lots of bandwidth.  We'd only use a bit of the fiber
> (or copper) and channelize the T-3 for maybe 10Mbps of the 45Mbps
> available.  However money is money, T-3s take time, a Cisco 7000 is
> about $20K, the CT3IP card is about $50K, so multiple T-1s are still in
> the running.
> 
> I would rather use redundant feeds and BGP, but migrating from set ISP
> IPs to a BGP A.S. is...intrusive.  (Thinking to myself: Hmm, would also
> need to permit incoming traffic only to the local machines and
> do an implicit deny to any to prevent from becoming an exchange
> point...).  The web caching proxies do sound like a good idea.
> 
> A completely separate T-1 and firewall is the path of least resistance,
> but isn't a balanced use of bandwidth.
> 
> I know Netscape has multiple T-3s (and Alphas), as well as Pointcast,
> E-Trade, and other companies that do high-bandwidth premises traffic.
> If the traffic came from purely servers and not users, server
> co-location in a 10/100Mbps Internet eXchange would be the answer.
> 
> The answer, I believe, is to add two T-1s in a BGP configuration, leave
> the existing T-1 in place (then cut-over the fw to new BGP IP), suggest
> an additional web caching proxy (Inktomi?) and create a migration plan
> to replace the remote F/R links with local firewalls, T-1 links, and a
> VPN for each.
> 
>                        Laptops/VPNclient
>                            |
>     LAN--+--FW-+-R1----|   |  |--R4-FW--+---LAN  Remote office 1
>          |     +-R2----Internet        VPNsvr
>         VPN    +-R3----|      |
>        Server                 |--R5-FW--+---LAN  Remote office 2
>                  R2,3=BGP              VPNsvr
> 
> Bill Stout
> 
> P.S. - I'm looking to add a local (San Jose/Fremont) Firewall-1
> installation/configuration consultant to my database (I'm a proxy guy).
> Oh, and a Cisco BGP configuration consultant.  :)
> 
> 
