[c-nsp] Cisco gear for hosting provider
Matthew Marlowe
matt at deploylinux.net
Sun Nov 19 23:18:30 EST 2006
We just had a similar business requirement here, and decided to deploy two Cisco 3845's w/
1 EtherSwitch Service Module in each. The service modules have built-in Cat3750 Stack
connectors and management of the 3750 stack can be performed directly in the router.
Pro:
Service contracts are cheaper as we get rid of some switches and firewalls
IPS weekly signature updates + AIM-VPN on the 3845 are quite nice (no need for separate firewalls,
or vpn concentrators and able to filter all ingress links)
Built-in redundant power supplies compared to the 2800's, no need for redundant power on some switches
1GB ram and minimal worries about being dropped into process switching on ISR's
Built-in Dual GigE Ports + 4 Network Module Slots + 4 HWICs
Add on cards are relatively inexpensive (50% less?) compared to 7200/7500
ISR platform but nearly every component is easy to swap in/out, OIR on network modules
Very reliable downlink to switching layer
Should be well supported for any reasonable lifetime.
Con:
Hardware relatively expensive
Even though the 3845 is rated to ~250Mbps, enabling IPS + ip inspect effectively results in a max of 50-100Mbps.
We have to run 12.4T, ugh......TAC will be our best friend.
No real long-term experience in hosting provider environment, vendors also aren't very familiar with the config
Some questions about BGP scalability, but given that I've seen 3662's do many bgp peers fine in the past - no real concern.
I think what sold us is consolidated/ease of manageability, nice integration/downlink to the 3750's, and relatively
low long term support contract costs which if the gear lasts 5-10 years will be much more than the initial
hardware. Given that we are supporting a hosting environment, our clients appreciate the filtering on all ingress + weekly IPS updates.
Of course, our needs on the hosting front are a little different -- all the systems are client owned standardized vmware esx
boxes w/ their own local storage. Security + reliability + FE density + ease of management are much more important than
raw performance or cost. I'm not sure we'll ever exceed 100Mbps, but easily have a dozen wan links (t-1 / ipsec over gre / bgp).
Matt