Speeds and feeds

From: Stout, Bill (StoutB@pioneer-standard.com)
Date: Tue May 26 1998 - 11:06:42 PDT

    I'm working with a company currently using a T1 which becomes very
    sluggish when engineers do many FTP and HTTP sessions through a state
    firewall on a Netra-1 (firewall is not a bottleneck).  They're thinking
    of upgrading to a T3 with a fast proxy server (+ VPN) since they also
    are running out of IPs, and internal systems are getting hit by external
    packets.
    
    My knee-jerk reaction is to use a very fast CPU system (600MHz Alpha)
    and Altavista FW with 100Mbps cards.
                        webservers
                             |
      Internet--(T3)---R1---FW---+----R2----Internal LAN
                                VPN
                             Tunnel Svr
    
    I'm wondering about alternatives to the situation, one is multiple T1s
    coming into a set of BGP net for redundancy, and to partition FTP/HTTP
    proxies on one server, and remaining traffic on a second server
    (allowing future cluster or fail-over via scripts and IP failover of
    secondaries).  Although this actually may be cheaper, faster and more
    reliable, it's more complex, and harder for the company to fix if it
    dies (fails into a degraded mode).  Also most local traffic may route
    through a single T1, and they may inadvertently become an Internet
    eXchange.
    
        Internet
        | | | 
       (n+1 T1s)
        | | | 
      Cisco 2500s
        | | | 
      Hub/switch
        |    |
     FW-A   FW-B
    
    FW-A could be used for outbound client system access, and FW-B could be
    used for inbound/server protocols (VPN, webserver SQL, NTP, SMTP, DNS,
    etc).  A dual-subnet webfarm could connect to a third interface on both.
    Hmm, too complex maybe.
    
    Opinions?
    
    Bill Stout
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:00:01 PDT