Re: Speeds and feeds

From: Ryan Russell (ryanrat_private)
Date: Fri May 29 1998 - 11:02:05 PDT


    T3's are nice if you can afford them, and that's really
    the deciding factor, cost.
    
    You haven't mentioned any layer 1/2 solutions, i.e.
    muxing 2 or more T1's together.  Most ISPs support
    that, and it's transparent to the layer 3 setup.  You
    do tend to halve your MTBF when you mux two
    T1s, so make sure the muxing arrangement you
    make can deal with one of them going out.  Also,
    it forces you to use only 1 ISP, which might be bad
    if you were hoping to get some redundancy that way.
    
    Other ways (which you've mentioned) are to use separate
    T1s for separate purposes.. I did that for a while.  My
    "incoming traffic" such as people hitting my web sites
    and sending me mail came in one pipe, by virtue of the
    fact that I had a separate IP range on it.  The other pipe
    was for my users to "surf."  Different ISPs, different address
    ranges, no problem.  The problems are fairly obvious.. when
    one pipe goes over, I can't take advantage of spare
    bandwidth on the other.  When I lose one pipe, I lose its
    function, because it typically takes too long to switch routes.
    It may be viable to switch routes if you stick with one ISP,
    and both pipes go to the same or nearby POPs.
    
    I got rid of that solution because I got T3's.
    
    I don't really have the experience to speak to BGP routing
    solutions.
    
                        Ryan
    
    
    
    
    
    
    
    I'm working with a company currently using a T1 which becomes very
    sluggish when engineers do many FTP and HTTP sessions through a state
    firewall on a Netra-1 (firewall is not a bottleneck).  They're thinking
    of upgrading to a T3 with a fast proxy server (+ VPN) since they also
    are running out of IPs, and internal systems are getting hit by external
    packets.
    
    My knee-jerk reaction is to use a very fast CPU system (600MHz Alpha)
    and Altavista FW with 100Mbps cards.
                    webservers
                             |
      Internet--(T3)---R1---FW---+----R2----Internal LAN
                                VPN
                             Tunnel Svr
    
    I'm wondering about alternatives to the situation, one is multiple T1s
    coming into a set of BGP net for redundancy, and to partition FTP/HTTP
    proxies on one server, and remaining traffic on a second server
    (allowing future cluster or fail-over via scripts and IP failover of
    secondaries).  Although this actually may be cheaper, faster and more
    reliable, it's more complex, and harder for the company to fix if it
    dies (fails into a degraded mode).  Also most local traffic may route
    through a single T1, and they may inadvertently become an Internet
    eXchange.
    
        Internet
        | | |
       (n+1 T1s)
        | | |
      Cisco 2500s
        | | |
      Hub/switch
        |    |
     FW-A   FW-B
    
    FW-A could be used for outbound client system access, and FW-B could be
    used for inbound/server protocols (VPN, webserver SQL, NTP, SMTP, DNS,
    etc).  A dual-subnet webfarm could connect to third interface on both.
    Hmm, too complex maybe.
    
    Opinions?
    
    Bill Stout
    
    
    Date: Tue, 26 May 1998 14:06:42 -0400
    From: "Stout, Bill" <StoutB@pioneer-standard.com>
    Subject: Speeds and feeds
    To: Firewall-wizards <firewall-wizardsat_private>
    


