[c-nsp] LAN + Security solution hint

james list jameslist72 at gmail.com
Wed Feb 3 16:02:22 EST 2016

Hi Gert
Despite all the technical details I really appreciated I have to thank you
for the feedback.

Unfortunately it's a tender and I cannot so much deal with questions or
re-think the requirements...

Regarding the firewall I need stateful feature, NAT, policy, IPsec... quite
standard despite load balancing and what else.
Throughput I'd say 2 Gbs not a problem that in my view.

I've seen Fortinet could apply (it does firewall and tries to load balance)
and maybe F5 (that is currently doing load balancing and trying to do

Thanks again
On 03/Feb/2016 19:58, "Gert Doering" <gert at greenie.muc.de> wrote:

> Hi,
> On Wed, Feb 03, 2016 at 07:34:16PM +0100, james list wrote:
> > I'd use Cisco 3850/3750 in stack but I'm not sure this is the right
> choice.
> The problem is that what you're asking for is nearly impossible, so
> coming up with a "this will work with gear x, that will need y" is quite
> a bit of hard work...
> The number of ports is easily fulfilled e.g. with a 6880x chassis
> (scaling up to 80x10GE ports), or a 6840x scaled-down 6880, but neither
> will give you 10G on Copper - just fiber, or twinax direct attach.
> There's 40x10GE copper on a number of Nexus 3xxx or 9xxx 1RU models,
> so these might do or not, but these are more "access" type switches,
> so, single supervisor, no "non-stop switching/routing" - if it's dead,
> it's dead...
> The NCS5001 that we discussed these days is brand new and has all the
> bandwidth that you'd ever need - but if its control plane fails (single
> supervisor engine), it's dead.  Again.
> So you might re-think the requirements for resiliency - if you attach
> every machine to two of these boxes, and use fiber, I'd go for 2x 6840x
> (possibly in a VSS config, or active/passive channels).
> Now, for the firewall - what throughput?  Which features (besides
> "load balancing" which isn't something firewalls usually do...)?
> Very complex requirements, price range from expensive to unbelievable,
> and even then might not sing and dance well enough.
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
