[c-nsp] ASA or FRSW in transparent mode over qinq

Matt Carter matt at iseek.com.au
Sun Jul 13 21:03:58 EDT 2008


> what is the constant vrf reference?
> just because someone is an mpls vpn customer does not mean they are going to
> be a managed firewall customer..i don't know why you keep referencing vrf?

"Which firewall does MPLS providers use to connect customer VRF's to the Internet? 6500's with FWSM's? What if they have thousands of VRF's?"

pretty hard not to enter that discussion without talking about VRF. :)

> and 2000 customers on a 65/7600 is a lot, you don't think so?

fraid i'm with raul on this one, i too would like to see platforms supporting much larger numbers of contexts instead of focusing on high forwarding rates per context, which simply blows out per-context cost in environments where that is not required. i'd much rather see myself hitting the forwarding limits of the box before i exhaust my contexts, rather than exhausting contexts and having gigabits of bandwidth left over.

is 2000 customers a lot when each customer is doing < 1mbps of traffic? wouldn't one think the aggregate forwarding rate of all the customers is more relevant than the actual numbers of customers?

the sad situation is i've seen environments where for example 200+ individual firewalls have been deployed as although centralising and virtualising may technically be the best solution, because of the low forwarding rate of corporate wan internet firewall an aggregation model using ASA or FWSM ends up being more costly than simply deploying and managing hundreds of individual, say, PIX501-sized firewalls. it is quite a sad situation when an aggregation model ends up being more costly than deploying X hundred individual units, isn't it supposed to work the other way?

> > > As far as I heard, now a single FWSM can scale to 50Gbps if you have a
> > > Supervisor 720-10G-3C and don't want stateful inspection...
> >
> > Performance is fun and all, but more customers (vrfs) per box would be
> > more useful I'd think.

agreed.



