[c-nsp] 6500 SUP720 datacenter setup

jkrejci at usinternet.com jkrejci at usinternet.com
Sun Jan 23 16:16:31 EST 2011


No experience with the FW module, but if you had an ASA or any FW (single or pair), you could run the outside interface(s) off the 6500 on one VLAN, then one or more physical inside interfaces back to the 6500 with one or more VLANs per customer.



-----Original Message-----
From: Lars Eidsheim <lhe at intellit.no>
Sender: cisco-nsp-bounces at puck.nether.net
Date: Sun, 23 Jan 2011 20:34:54 
To: cisco-nsp at puck.nether.net<cisco-nsp at puck.nether.net>
Subject: [c-nsp] 6500 SUP720 datacenter setup

I am looking for advice regarding a 6500 layout in a datacenter setup. The 6500 has SUP720-3B running 12.2(33) SXI4 Adv.IP Services. The initial design was to terminate and route customers on the 6500 using a unique VLAN for each customer and allocate an IP subnet for each VLAN.

An issue with this solution is firewalling, and we will need to firewall some customers. According to other threads, the IOS firewalling feature is limited on the 6500 platform and should be avoided. A stateful port-based firewall using ACLs would be sufficient for our needs if it would be the same as in router IOS. A quick solution would be to terminate all customers on a router, e.g. a 7200, which would do the job, but we would have all traffic routed over a single interface, which would make the router a bottleneck.
Another solution might be to use FWSM as a transparent firewall (see diagram below). I would prefer to terminate interfaces on the 6500 rather than on the FWSM in a routed setup.

  Vlan 200 (WAN 1) (x.y.z.1/30)
                |
                |
          .-----------.
          |6500 SUP720|
          '-----------'
                |
                |
  Vlan 100 (CUST A) (a.b.c.1/30)
  Vlan 101 (CUST B) (a.b.c.5/30)
  Vlan 102 (CUST C) (a.b.c.9/30)


I would be happy to hear your thoughts and experience on the subject.

Regards,

Lars Eidsheim


