Firewall Wizards mailing list archives

Re: Speeds and feeds


From: "Stout, Bill" <StoutB () pioneer-standard com>
Date: Tue, 02 Jun 1998 13:56:43 -0400


Thanks for all the replies.

The T-1 is definitely the bottleneck: there are about 30 engineers who
do heavy FTP traffic towards the end of the day, and the 150-person company
just received funding and will triple headcount, including engineers.
They also have two remote offices wired in via F-T1 Frame-Relay which
access the Internet via the same Internet T-1, and the company is
considering replacing the F/R with VPNs.  They do product demonstrations
through remote dial-up to the external webservers.  Their existing
firewall is FW-1.  They have four 255.255.255.192 (26-bit) subnets.

T-3s aren't that $bad out here in Silicon Valley; there are a lot of
local POPs and lots of bandwidth.  We'd only use a bit of the fiber
(or copper) and channelize the T-3 for maybe 10Mbps of the 45Mbps
available.  However, money is money, T-3s take time, a Cisco 7000 is
about $20K, the CT3IP card is about $50K, so multiple T-1s are still in
the running.

I would rather use redundant feeds and BGP, but migrating from set ISP
IPs to a BGP A.S. is...intrusive.  (Thinking to myself: Hmm, would also
need to permit incoming traffic only to the local machines and
do an implicit deny to any to prevent it from becoming an exchange
point...).  The web caching proxies do sound like a good idea.

A completely separate T-1 and firewall is the path of least resistance,
but isn't a balanced use of bandwidth.

I know Netscape has multiple T-3s (and Alphas), as well as Pointcast,
E-Trade, and other companies that do high-bandwidth premises traffic.
If the traffic came from purely servers and not users, server
co-location in a 10/100Mbps Internet eXchange would be the answer.

The answer, I believe, is to add two T-1s in a BGP configuration, leave
the existing T-1 in place (then cut over the fw to the new BGP IP), suggest
an additional web caching proxy (Inktomi?) and create a migration plan
to replace the remote F/R links with local firewalls, T-1 links, and a
VPN for each.

                       Laptops/VPNclient
                           |
    LAN--+--FW-+-R1----|   |  |--R4-FW--+---LAN  Remote office 1
         |     +-R2----Internet        VPNsvr
        VPN    +-R3----|      |
       Server                 |--R5-FW--+---LAN  Remote office 2
                 R2,3=BGP              VPNsvr

Bill Stout

P.S. - I'm looking to add a local (San Jose/Fremont) Firewall-1
installation/configuration consultant to my database (I'm a proxy guy).
Oh, and a Cisco BGP configuration consultant.  :)
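For the two-ISP BGP setup sketched above (R2/R3), here is an added example, not from the original post, of the router-side filtering that keeps a multihomed site from becoming a transit point between its ISPs: an outbound prefix-list that announces only the site's own aggregate, an inbound prefix-list that rejects the site's own space and overly specific routes, and an interface ACL that admits Internet traffic only when it is destined to local addresses. The AS numbers, prefixes, neighbor addresses and interface name are placeholder assumptions (documentation and private ranges).

```cisco
! Added example, not from the post. AS 64512, 192.0.2.0/24 and the
! neighbor addresses are placeholders. Apply the same pattern on R2
! and R3, each toward its own ISP.
!
! Aggregate the four /26 subnets into one /24 announcement; the Null0
! route gives the "network" statement something to match.
ip route 192.0.2.0 255.255.255.0 Null0 250
!
router bgp 64512
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64601
 neighbor 203.0.113.1 description ISP-A
 neighbor 203.0.113.1 prefix-list OURS-OUT out
 neighbor 203.0.113.1 prefix-list ISP-IN in
!
! Outbound: advertise only our own aggregate. The prefix-list's
! implicit deny drops every route learned from the other ISP, so
! neither ISP can route traffic through us.
ip prefix-list OURS-OUT seq 5 permit 192.0.2.0/24
!
! Inbound: refuse our own space (loop/hijack protection) and anything
! more specific than a /24; accept everything else.
ip prefix-list ISP-IN seq 5 deny 192.0.2.0/24 le 32
ip prefix-list ISP-IN seq 10 deny 0.0.0.0/0 ge 25
ip prefix-list ISP-IN seq 15 permit 0.0.0.0/0 le 24
!
! Packet filter on the ISP-facing interface: traffic from the Internet
! may only be destined to local machines (firewall outside interface,
! external web servers). The final deny stops transit packets between
! ISPs and logs them so the attempt is visible.
ip access-list extended FROM-ISP
 permit ip any 192.0.2.0 0.0.0.255
 deny ip any any log
!
interface Serial1/0
 description T-1 to ISP-A
 ip access-group FROM-ISP in
```

Verify with "show ip bgp neighbors 203.0.113.1 advertised-routes" that only 192.0.2.0/24 is sent to each ISP.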