Firewall Wizards mailing list archives
Re: Speeds and feeds
From: "Stout, Bill" <StoutB () pioneer-standard com>
Date: Tue, 02 Jun 1998 13:56:43 -0400
Thanks for all the replies. The T-1 is definitely the bottleneck: there are about 30 engineers who do heavy FTP traffic towards the end of the day, and the 150-person company just received funding and will triple headcount, including engineers. They also have two remote offices wired in via F-T1 Frame-Relay which access the Internet via the same Internet T-1, and the company is considering replacing the F/R with VPNs. They do product demonstrations through remote dial-up to the external webservers. Their existing firewall is FW-1. They have four 255.255.255.192 (26-bit) subnets.

T-3s aren't that $bad out here in Silicon Valley; there are a lot of local POPs and lots of bandwidth. We'd only use a bit of the fiber (or copper) and channelize the T-3 for maybe 10Mbps of the 45Mbps available. However, money is money, T-3s take time, a Cisco 7000 is about $20K, the CT3IP card is about $50K, so multiple T-1s are still in the running.

I would rather use redundant feeds and BGP, but migrating from set ISP IPs to a BGP A.S. is...intrusive. (Thinking to myself: Hmm, would also need to permit incoming traffic only to the local machines and do an implicit deny to any to prevent becoming an exchange point...). The web caching proxies do sound like a good idea. A completely separate T-1 and firewall is the path of least resistance, but isn't a balanced use of bandwidth.

I know Netscape has multiple T-3s (and Alphas), as well as Pointcast, E-Trade, and other companies that do high-bandwidth premises traffic. If the traffic came purely from servers and not users, server co-location in a 10/100Mbps Internet eXchange would be the answer.

The answer, I believe, is to add two T-1s in a BGP configuration, leave the existing T-1 in place (then cut over the fw to the new BGP IP), suggest an additional web caching proxy (Inktomi?) and create a migration plan to replace the remote F/R links with local firewalls, T-1 links, and a VPN for each.
Laptops/VPNclient | LAN--+--FW-+-R1----| | |--R4-FW--+---LAN Remote office 1 | +-R2----Internet VPNsvr VPN +-R3----| | Server |--R5-FW--+---LAN Remote office 2 R2,3=BGP VPNsvr

Bill Stout

P.S. - I'm looking to add a local (San Jose/Fremont) Firewall-1 installation/configuration consultant to my database (I'm a proxy guy). Oh, and a Cisco BGP configuration consultant. :)
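The inbound rule sketched in the post (permit traffic only to the local machines, implicit deny for everything else on the multihomed links), as an added example that is not part of the original message. The four /26 subnets use constructed documentation addresses because the post gives only the mask, and the spoofed-source check goes beyond what the post states.

```python
import ipaddress

# Constructed addressing (assumption): the post gives only the mask
# 255.255.255.192, so four /26s from documentation space stand in.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/26", "198.51.100.64/26",
    "198.51.100.128/26", "198.51.100.192/26")]

# Ordered rules for packets arriving on an ISP-facing interface.
INBOUND_RULES = [("permit", net) for net in LOCAL_SUBNETS]


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_SUBNETS)


def evaluate(dst, rules=INBOUND_RULES):
    """First matching rule wins; falling off the end is the implicit deny."""
    ip = ipaddress.ip_address(dst)
    for action, net in rules:
        if ip in net:
            return action
    return "deny"


def audit(packets):
    """Classify (src, dst) pairs seen inbound on the external links."""
    report = []
    for src, dst in packets:
        verdict = evaluate(dst)
        if verdict == "deny":
            note = "not for a local subnet: would be transit, dropped"
        elif is_local(src):
            # Extra check beyond the post: a local source arriving from
            # outside is spoofed, and the destination-only rule passes it.
            note = "permitted, but source claims to be local (spoofed)"
        else:
            note = "permitted to local host"
        report.append((src, dst, verdict, note))
    return report


# Constructed sample traffic, not captured data.
SAMPLE = [("203.0.113.9", "198.51.100.70"),    # outside -> local host
          ("203.0.113.9", "192.0.2.44"),       # outside -> outside (transit)
          ("198.51.100.5", "198.51.100.130")]  # "local" source from outside

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="  ")
```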