Speeds and feeds
Wed, 3 Jun 1998 13:53:17 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
I was not the person doing it at the time, but we were able to change over from 1
T-1 with a cisco 2501 to 4 T-1's (with A.S.) with a cisco 4700 with only the
down time needed to change out the routers.
On Tue, 2 Jun 1998, Stout, Bill wrote:
> Date: Tue, 02 Jun 1998 13:56:43 -0400
> From: "Stout, Bill" <StoutB@pioneer-standard.com>
> To: Firewall-wizards <email@example.com>
> Subject: Re: Speeds and feeds
> Thanks for all the replies.
> The T-1 is definitely the bottleneck, there are about 30 engineers who
> do heavy FTP traffic towards the end of the day, the 150-person company
> just received funding, and will triple headcount including engineers.
> They also have two remote offices wired in via F-T1 Frame-Relay which
> access the Internet via the same Internet T-1, and the company is
> considering replacing the F/R with VPNs. They do product demonstrations
> through remote dial-up to the external webservers. Their existing
> firewall is FW-1. They have four 255.255.255.192 (26-bit) subnets.
> T-3s aren't that $bad out here in Silicon Valley, there are a lot of
> local POPs and lots of bandwidth. We'd only use a bit of the fiber
> (or copper) and channelize the T-3 for maybe 10Mbps of the 45Mbps
> available. However money is money, T-3s take time, a Cisco 7000 is
> about $20K, the CT3IP card is about $50K, so multiple T-1s are still in
> the running.
> I would rather use redundant feeds and BGP, but migrating from set ISP
> IPs to a BGP A.S. is...intrusive. (Thinking to myself: Hmm, would also
> need to permit incoming traffic only to the local machines and
> do an implicit deny to any to prevent from becoming an exchange
> point...). The web caching proxies do sound like a good idea.
> A completely separate T-1 and firewall is the path of least resistance,
> but isn't a balanced use of bandwidth.
> I know Netscape has multiple T-3s (and Alphas), as well as Pointcast,
> E-Trade, and other companies that do high-bandwidth premises traffic.
> If the traffic came from purely servers and not users, server
> co-location in a 10/100Mbps Internet eXchange would be the answer.
> The answer, I believe, is to add two T-1s in a BGP configuration, leave
> the existing T-1 in place (then cut-over the fw to new BGP IP), suggest
> an additional web caching proxy (Inktomi?) and create a migration plan
> to replace the remote F/R links with local firewalls, T-1 links, and a
> VPN for each.
> LAN--+--FW-+-R1----|        |--R4-FW--+---LAN Remote office 1
>      |     +-R2----Internet           VPNsvr
>     VPN    +-R3----|        |
>    Server                   |--R5-FW--+---LAN Remote office 2
>            R2,3=BGP                   VPNsvr
> Bill Stout
> P.S. - I'm looking to add a local (San Jose/Fremont) Firewall-1
> installation/configuration consultant to my database (I'm a proxy guy).
> Oh, and a Cisco BGP configuration consultant. :)
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
-----END PGP SIGNATURE-----