[c-nsp] LAN + Security solution hint

james list jameslist72 at gmail.com
Wed Feb 3 16:02:22 EST 2016


Hi Gert
Despite all the technical details I really appreciated I have to thank you
for the feedback.

Unfortunately it's a tender and I cannot deal much with questions or
re-think the requirements...

Regarding the firewall, I need stateful features, NAT, policy, IPsec... quite
standard, despite load balancing and what else.
Throughput, I'd say 2 Gbs, that's not a problem in my view.

I've seen Fortinet could apply (it does firewall and tries to load balance)
and maybe F5 (that is currently doing load balancing and trying to do
firewall)...

Thanks again
James
On 03/Feb/2016 19:58, "Gert Doering" <gert at greenie.muc.de> wrote:

> Hi,
>
> On Wed, Feb 03, 2016 at 07:34:16PM +0100, james list wrote:
> > I'd use Cisco 3850/3750 in stack but I'm not sure this is the right
> > choice.
>
> The problem is that what you're asking for is nearly impossible, so
> coming up with a "this will work with gear x, that will need y" is quite
> a bit of hard work...
>
> The number of ports is easily fulfilled e.g. with a 6880x chassis
> (scaling up to 80x10GE ports), or a 6840x scaled-down 6880, but neither
> will give you 10G on Copper - just fiber, or twinax direct attach.
>
> There's 40x10GE copper on a number of Nexus 3xxx or 9xxx 1RU models,
> so these might do or not, but these are more "access" type switches,
> so, single supervisor, no "non-stop switching/routing" - if it's dead,
> it's dead...
>
> The NCS5001 that we discussed these days is brand new and has all the
> bandwidth that you'd ever need - but if its control plane fails (single
> supervisor engine), it's dead.  Again.
>
> So you might re-think the requirements for resiliency - if you attach
> every machine to two of these boxes, and use fiber, I'd go for 2x 6840x
> (possibly in a VSS config, or active/passive channels).
>
> Now, for the firewall - what throughput?  Which features (besides
> "load balancing" which isn't something firewalls usually do...)?
>
> Very complex requirements, price range from expensive to unbelievable,
> and even then might not sing and dance well enough.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

