[c-nsp] Design Question

Ray Burkholder ray at oneunified.net
Mon May 8 19:04:26 EDT 2006


Would multi-VRFs (aka vrf-lite) work in this instance by separating the
inbound 'routing area' from the internal 'routing area' and letting the
PIXes 'route' between the two VRFs?  I've found that this lets the routing
protocols do what they do best and removes the 'kludgy' nature of large
scale PBR.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peder @
NetworkOblivion
Sent: Monday, May 08, 2006 12:47
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Design Question

I've got a design/product question.  First, some background.  We run a colo
site for some web hosting and push about 20Mbps.  About 4 years ago Cisco
recommended buying a 6509 and doing SLB, routing and switching all within
the one box.  The firewall blade wasn't out, so we had to use a pair of PIX
535s.  So the upstream Internet comes into the 6509 on two FE, is
policy-routed to the outside of the PIX, comes back into the 6509 from the
PIX and then there is SLB to the servers on different VLANs.
The combination of the access-lists for the various VLANs and the policy
routing is filling the TCAM and causing everything to be software-switched.
Not a big deal performance-wise, but once the 6509 is up, it takes 20-30
minutes for it to forward traffic because it is messing with the TCAM.  I
want to pull the Internet connections out of the 6509 and put them in two
routers/L3 switches and from there connect to the two PIXes and from there to
the 6509.  This should alleviate the TCAM issues.

The question I have is whether there is any benefit to using a router such
as a 2800/3800 versus an L3 switch for the two upstream connections.
It seems silly to drop in two 24-port switches to use 3 ports on each
(upstream, to PIX, and crossover for PIX failover).  Of course the switches
should give full line rate forwarding whereas the routers will not, but I
was wondering if there are any features that would cause the routers to be a
better solution.

I thought about moving the VLANs to the PIXes, but that would limit me to
1 Gig total between VLANs and that could be an issue as backups go between
VLANs and there is a LOT of data.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Scanned for viruses and dangerous content at http://www.oneunified.net and
is believed to be clean.
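Worked example of the vrf-lite split Ray describes, added here as an
editorial illustration; it is not configuration posted by anyone in this
thread. VRF names, RDs, interface and VLAN numbers and all addresses are
assumptions. The point it shows is that the OUTSIDE table carries no route
to the server prefixes at all, so the PIX is the only path between the two
sides by construction and no policy route-map is needed to force traffic
through the firewall.

```cisco
! Added example (not from the thread): vrf-lite on the 6509, or on the
! pair of edge L3 switches Peder is considering. Names and addresses
! are assumed for illustration.
!
ip vrf OUTSIDE
 rd 65000:1
!
ip vrf INSIDE
 rd 65000:2
!
! The upstream ISP link lives only in OUTSIDE.
! ('ip vrf forwarding' clears the address, so it comes first.)
interface FastEthernet1/1
 description Upstream ISP
 ip vrf forwarding OUTSIDE
 ip address 198.51.100.2 255.255.255.252
!
! PIX outside interface, also in OUTSIDE.
interface Vlan10
 description PIX outside
 ip vrf forwarding OUTSIDE
 ip address 203.0.113.1 255.255.255.248
!
! PIX inside interface, in INSIDE.
interface Vlan20
 description PIX inside
 ip vrf forwarding INSIDE
 ip address 10.0.0.1 255.255.255.248
!
! Server VLANs sit in INSIDE, so inter-VLAN traffic (backups etc.)
! stays on the 6509 backplane and never touches the PIX.
interface Vlan100
 description Web servers
 ip vrf forwarding INSIDE
 ip address 10.1.0.1 255.255.255.0
!
interface Vlan101
 description Backup network
 ip vrf forwarding INSIDE
 ip address 10.1.1.1 255.255.255.0
!
! OUTSIDE knows two things: default to the ISP, and the assumed
! public prefix 203.0.113.64/26 via the PIX outside address. There is
! deliberately no route to 10.0.0.0/8 here.
ip route vrf OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.1
ip route vrf OUTSIDE 203.0.113.64 255.255.255.192 203.0.113.2
!
! INSIDE knows only a default via the PIX inside address.
ip route vrf INSIDE 0.0.0.0 0.0.0.0 10.0.0.2
!
! Checks (assumed addresses):
!   show ip route vrf OUTSIDE     - must list no 10.x prefix
!   show ip route vrf INSIDE      - default via 10.0.0.2 only
!   ping vrf OUTSIDE 10.1.0.10    - must fail (no route)
!   ping vrf INSIDE 10.1.0.10     - succeeds, stays on the 6509
```

The thing to verify after any later change is 'show ip route vrf OUTSIDE':
if an internal prefix ever appears there, a route-target import or an
'ip route vrf ... global' leak has recreated a path around the firewall,
which is exactly the failure mode a missed PBR match had before. Note also
that this removes the policy route-maps, not the per-VLAN access-lists
Peder mentions; those still occupy TCAM and need looking at separately.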