[c-nsp] Design Question
Peder @ NetworkOblivion
peder at networkoblivion.com
Mon May 8 11:46:41 EDT 2006
I've got a design/product question. First, some background. We run a
colo site for some web hosting and push about 20Mbps. About 4 years ago
Cisco recommended buying a 6509 and doing SLB, routing and switching all
within the one box. The firewall blade wasn't out, so we had to use a
pair of PIX 535s. So the upstream Internet comes into the 6509 on two
FE, is policy-routed to the outside of the PIX, comes back into the 6509
from the PIX, and then there is SLB to the servers on different VLANs.
The combination of the access-lists for the various VLANs and the
policy routing is filling the TCAM and causing everything to be
software-switched. Not a big deal performance-wise, but once the 6509 is
up, it takes 20-30 minutes for it to forward traffic because it is
messing with the TCAM. I want to pull the Internet connections out of
the 6509 and put them in two routers/L3 switches and from there connect
to the two PIXes and from there to the 6509. This should alleviate the
TCAM issues.
The question I have is whether there is any benefit to using a router
such as a 2800/3800 versus an L3 switch for the two upstream connections.
It seems silly to drop in two 24-port switches to use 3 ports on each
(upstream, to PIX, and crossover for PIX failover). Of course the
switches should give full line-rate forwarding whereas the routers will
not, but I was wondering if there are any features that would cause the
routers to be a better solution.
I thought about moving the VLANs to the PIXes, but that would limit me
to 1 Gig total between VLANs, and that could be an issue as backups go
between VLANs and there is a LOT of data.
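As an added illustration, not taken from Peder's post or from anyone else in the thread, here is how the two topologies he describes look as IOS configuration fragments. All addresses are placeholders from the RFC 5737 documentation ranges, and the interface names, ACL number, route-map name and the edge-box platform are assumptions. As I read the described topology, the policy routing exists only because the 6509 holds both the upstream ports and the server VLANs, so without PBR inbound traffic would be routed straight to the servers around the PIX; once the upstream terminates on a separate box whose only path to the hosted prefix runs through the PIX outside interface, an ordinary static route enforces the firewall path and the PBR match ACL no longer has to be programmed into the 6509's ACL TCAM.

```cisco
! ===== Added example, not from the original post. Addresses are RFC 5737
! ===== placeholders; names, numbers and interfaces are assumed.
!
! --- Today: 6509 terminates the upstream and uses PBR to force the PIX path ---
!
! Every ACE in the PBR match list, plus every ACE in each per-VLAN ACL,
! is programmed into the PFC ACL TCAM. When that table is full, the
! affected flows are punted to the MSFC and forwarded in software.
access-list 110 permit ip any 203.0.113.0 0.0.0.255
!
route-map TO-PIX-OUTSIDE permit 10
 match ip address 110
 set ip next-hop 192.0.2.2
!
interface FastEthernet3/1
 description Upstream A (assumed port)
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map TO-PIX-OUTSIDE
!
interface FastEthernet3/2
 description PIX inside, return path into the 6509 (assumed port)
 ip address 198.51.100.1 255.255.255.0
!
interface Vlan10
 description Hosted web servers behind SLB (assumed VLAN)
 ip address 203.0.113.1 255.255.255.0
 ip access-group VLAN10-IN in
!
! --- Proposed: upstream moved to a separate edge router or L3 switch ---
! The edge box has no direct path to the server VLANs, so a plain static
! route toward the PIX outside interface is enough; no PBR is needed here
! and the 6509 keeps only the inside VLANs, their ACLs, routing and SLB.
! (assumed 2800/3800-style interface names)
interface GigabitEthernet0/0
 description Upstream A
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 description To PIX outside
 ip address 192.0.2.9 255.255.255.248
!
ip route 203.0.113.0 255.255.255.0 192.0.2.10
!
! --- Check on the 6509 before and after the change (Sup720-class commands,
! --- assumed available on the running release) ---
! show tcam counts
! show platform hardware capacity acl
```

The two `show` commands report ACL TCAM allocation; comparing their output before and after removing the PBR and the upstream ports is the direct way to confirm the redesign actually frees the table rather than just moving the software-switching symptom. On the edge box, the static route is the only thing steering the hosted prefix, so a filter permitting the hosted prefix only toward the PIX outside (and nothing else) is worth adding there so that a mistyped route cannot bypass the firewall.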