RE: Multiple small switches vs. a single big one; Granularity of control

["Sloane, David" <DSloane () vfa com>]

Can anyone with some good Cisco depth rebut these assumptions about a 6500-series switch "losing it's configuration?"

When I had a 6509, we had two supervisor engines (MSFC's?)  with mirrored configurations and redundant power.  As far 
as I could tell, any hardware or software failure which would clear the configuration would have to kill both 
management cards, making the switch inoperative.

Could an incompetent network admin clear the configuration?  Sure, but the likelihood of that event should decrease 
with tolerance for network downtime.  Generally, 6500-series switches are deployed to meet a need for stability, speed 
and uptime.  They're expensive (per-port compared to fixed-port switches) and complex devices.  I like the "set default 
port-status disable" option - that seems like a more secure way to manage the switch. 


If you're using a layer 3+ switch with hundreds of ports, you've already decided that multiple networks will be fed 
from one switch (unless you're running a layer 2 network segment with several hundred nodes).  If you really need 
gigabit speed firewall throughput between those networks, the FWSM will probably give you the best throughput because 
it sits on the highest-speed link.  For example, the switch fabric on the 6500 series is up to 720Gbps, depending on 
the supervisor engine.  The FWSM looks like a variant on the PIX OS (with a different development/testing cycle) and 
the feature set seems more limited than the current PIX.


Also, I believe the FWSM is a PIX firewall on a blade, not Checkpoint FW1 (see www.cisco.com/warp/public/cc/pd/si/ 
casi/ca6000/prodlit/fwsm_qp.pdf).

For high throughput and expandability, you might want to combine a fast firewall with several Cisco Catalyst 3750 
switches.  They have some nice features (single-IP management of several linked devices) and cost less per port than 
the chassis switches (especially for gigabit ports).

- David



-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of 
Krzysztof Gajdemski
Sent: March 02, 2004 9:57 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control


02.03.2004, 11:37:16, Krzysztof Gajdemski wrote:
> 01.03.2004 13:33:16, Shimon Silberschlag wrote:
> > Lets take it to the extreme: someone (accidentally or intentionally)
> > resets (or otherwise changes) the switch configuration. With
> > separate switches, each segment can talk freely to all other servers
> > on the segment but not outside, since the FW watches that route. For
> > one big switch connected to an outside FW, all segments can talk to
> > all segments (if the switch behaves as a L2 one). What about 6500
> > with FWSM? does resetting the config prevents it from seeing any
> > traffic?
> On C6500 platform all ports are in `disable' or `administratively
> down'
                                      ^^^^^^^
Ooops...

On CatOS all ports are in *enable* state after `clear config all' command unless you explicity change that behaviour 
using `set default port status disable'.

Sorry :)

     k.
--
- -  Krzysztof Gajdemski | songo @ debian.org.pl | KG4751-RIPE
Registered Linux User # 133457 | BLUG Registered Member # 0005
PGP publ. key at: http://i.use.vi.pl/gpg/gpgkey * ID: 3C38979D ,,Szanuję was wszystkich, którzy pozostajecie w cieniu'' 
SNERG
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards