secure.boy
Limp Gawd
- Joined
- Oct 22, 2007
- Messages
- 474
Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
no iBGP between your border routers??? and do you have two physically-separate links between each border router and each ISP? sounds like this is a pretty darn important network.. why are you going cheap and using a peecee as a router?
edit: also, is having 3 ISP(?) connections really necessary? if it's just for failure reasons, it's probably overkill.
this is not a ISP
we have our AS and /19 address,
so i;m going with ubuntu or debain and quagga
firewalls are cisco, checkpoint...
this is not a ISP
we have our AS and /19 address,
so i;m going with ubuntu or debain and quagga
firewalls are cisco, checkpoint...
AS-x AS-y AS-z
| \ / | / |
| \ / | / /
| /\ / | /
| / /\ | /
| / / \ | /
|/ / \|/
R1--------------- R2
| |
| |
| |
SW1--------------SW2
| |
| |
| |
FW1--------------FW2
| |
| |
| |
SW3--------------SW4
| /
| /
| /
| /
Host
If you have a /19, your own ASN and are connecting to three upstreams why would you go with a cheap solution at the edge? I'm all for open source but if it's that important go with something field proven such as a Cisco or Juniper box instead. We use Cisco 7206VXR's at our edge, looking at the new ASR line as well as juniper to slowly phase in as the 7206's need replaced.
The problem with dropping the crossing between the routers, switches, and firewalls is if R1 and SW2 die, you're dead. Now the chances of this all happening may be small but still better to do it so at no matter which one of a pair dies the other side can handle.
that is not a cheap solution
i need only fe or ge interfaces
that is not a cheap solution
i need only fe or ge interfaces
i saw in one data sheet the J2320 has 256/512mb ram that looks funny for meHow is that not cheap? The J2320 from Juniper is about $1,999 brand new, provides you with 600Mbit performance, comes with a warranty and optional 4 or 2 hour replacement programs. 4 ge interfaces with the option to expand using the pic modules.
Yes, the 7200 in general is pretty expensive, but there are many other options out there, including it's compeditor, the J2320 as I mentioned earlier.
i saw in one data sheet the J2320 has 256/512mb ram that looks funny for me
no iBGP between your border routers??? and do you have two physically-separate links between each border router and each ISP?
iBGP is definitely not a need for this layout, technically you can 100% get away with this and any IGP and not have to use an EGP, then again you lose the one benefit of BGP and thats path manipulation. Also, we cant assume that hes using it for failover because we don't know what hes doing with his eBGP attributes nor how is end hosts at the edge communicate with the rest of the outside world.I assume your secondary router is purely for failover purposes and you won't be trying to load-balance the connections at all? You really should have a direct connection between your routers and run IBGP between them. Otherwise you will probably run into routing issues.
Negative, the switch is being used for any kind of RP connectivity for the CE routers as well as the failover for the ASA's(since theres no direct connection). If we removed the outside switches we would need to directly connect both routers and both ASA's.In your configuration you can remove the switches unless you are using them for the routers to talk to each other for iBGP.
Cross-over cable . This is how we suggest that you configure the ASA if at all possible. If you must traverse the switch, carve out a L2 VLAN for the failover.However, if you use cisco firewalls, the way they do HA, you'll have to keep the switches
Meh, this is a lazyness statement. Good engineering will always, no matter what bring the single point of failure as close to the inner edge as possible. Your prior statement would literally have the single point of failure at the CE routers, that is totally unacceptable by any standards.True, but I've found that trying to engineer a solution for more than a single failure at any one time typically becomes a kludged solution. Not that it can't be done, but remember you have to manage it and know how everything will work if something does fail. I guess it all depends on how important the data is and how much you're willing to spend.
Yeah, what's funny?! Haha..
Ockie -- I'm curious.. were you comparing that against a 7200 NPE-G1 or G2? Those numbers on the Juniper seem pretty good.
At any rate, you're only peering with 3 ASes, so you should get by using that server if you're set on it.. provided that they aren't advertising the full BGP table. Just don't underestimate the power of specialized hardware, even if the specs don't look astonishing. Think of software rendering a game vs having a dedicated GPU...
well , I got in here a bit late... where to start.....
iBGP is definitely not a need for this layout, technically you can 100% get away with this and any IGP and not have to use an EGP, then again you lose the one benefit of BGP and thats path manipulation. Also, we cant assume that hes using it for failover because we don't know what hes doing with his eBGP attributes nor how is end hosts at the edge communicate with the rest of the outside world.
Negative, the switch is being used for any kind of RP connectivity for the CE routers as well as the failover for the ASA's(since theres no direct connection). If we removed the outside switches we would need to directly connect both routers and both ASA's.
Cross-over cable . This is how we suggest that you configure the ASA if at all possible. If you must traverse the switch, carve out a L2 VLAN for the failover.
Meh, this is a lazyness statement. Good engineering will always, no matter what bring the single point of failure as close to the inner edge as possible. Your prior statement would literally have the single point of failure at the CE routers, that is totally unacceptable by any standards.
No where in my statement did I say that he did not need to run a routing protocol. I said that he did not need to run INTERIOR bgp, that he could use any other IGP if he would like. Secondly, if hes wants to peer with public AS's hes going to be forced to use BGP, I thought I made that obvious when I said we didn't know what kind of attribute manipulation he was going to be doing. Lastly, he does NOT, let me say that again.. he does NOT need to run iBGP between his routers. Running iBGP in this case will not gain you ANYTHING(unless you want to do some kind of pathing manipulation). With VRRP properly configured and AS path prepending configured on the secondary router traffic will NEVER see the secondardy router. Fin.no routing protocol is ever "necessary", but it's pretty darn stupid not to use them. Also, it's pretty much standard practice not to run IGP between different AS's that you don't manage. Regardless of what he's using the secondary router for, if he's running BGP with the 3 AS's, he's going to want to run iBGP between the routers.
No, im not missing your point but I do see a very poorly engineered(if you can call it that) solution. Just pointing that out, if I went to a customer with that and they had half a brain I would be laughed at.again, i think you missed my point. Nowhere in the crappy ascii diagram I provided above is there a single point of failure other than the host itself. I was saying that we dont' ever try to account for more than 1 failure.
Since his topology is fully-meshed with the ASes, I agree.iBGP is definitely not a need for this layout, technically you can 100% get away with this and any IGP and not have to use an EGP, then again you lose the one benefit of BGP and thats path manipulation.
Couldn't agree more. If you've got the money, keep single failures at the access level.Meh, this is a lazyness statement. Good engineering will always, no matter what bring the single point of failure as close to the inner edge as possible. Your prior statement would literally have the single point of failure at the CE routers, that is totally unacceptable by any standards.
CEF is an IOS hack to get around the overhead of context switching, not a hardware feature. The FIB for it is allocated from main memory. As for as the ASICs go... well, even a route processor is technically an ASIC as it is application specific. Line cards also have their own ASICs -- why bother the main processor if two hosts are on the same card (e.g. dCEF)? Even on the newer Nexus 7010 platform, there's an ASIC that muxes 4 10Gb interfaces, and then an ASIC that muxes those ASICs. To say that ASICs don't exist in routers is like saying they don't have capacitors... there are plenty of them. I just hope you weren't a comp eng or EE major!Someone said that ASICS are better than computer hardware earlier in this thread... well they were kind of right, on Cisco routers there aren't ASICS but there are dedicated routing processors and CEF tables, which alone are the reason why packet switching is so fast today. No matter how beefy you're server is, you still have some piece of software that is process switching everything off to the CPU, which may not have cycles available.
CEF is an IOS hack to get around the overhead of context switching, not a hardware feature. The FIB for it is allocated from main memory. As for as the ASICs go... well, even a route processor is technically an ASIC as it is application specific. Line cards also have their own ASICs -- why bother the main processor if two hosts are on the same card (e.g. dCEF)? Even on the newer Nexus 7010 platform, there's an ASIC that muxes 4 10Gb interfaces, and then an ASIC that muxes those ASICs. To say that ASICs don't exist in routers is like saying they don't have capacitors... there are plenty of them. I just hope you weren't a comp eng or EE major!
Ah, ok... yeah, I tend to break things down further than they really need to be. I guess I'm still in college mode where I want to know how all components build on each other.You're absolutely right about CEF, both the FIB and adjacency table is software driven, didn't think I said it was hardware. I was just stating that by utilizing CEF packet switching would tremendously faster( due to not having to constantly do RIB lookups, rewrites per packet, etc). If we are speaking Cisco hardware, ASIC's relate to switching engines while routing processors refer to packet switching engines for the routing platform.
And no, I was not an EE or comp eng major(network engineering actually) but I do use the Cisco terminology
As for the ASICs, I think that we were arguing semantics here, technically routers do have ASICs by pure definition, but they are not called ASICs by anyone at Cisco(not even the developers), they are considered routing processors.
BW-3750-CoreSWA#show platform port-asic version
Port-Asic Version Info:
========================
ASIC-0: Version:8 DeviceType:0x2C1
ASIC-1: Version:9 DeviceType:0x2F4
ASIC-2: Version:9 DeviceType:0x2F4
ASIC-3: Version:9 DeviceType:0x2F4
ASIC-4: Version:9 DeviceType:0x2F4
ASIC-5: Version:9 DeviceType:0x2F4
ASIC-6: Version:9 DeviceType:0x2F4
ASIC-7: Version:9 DeviceType:0x2F4
ASIC-8: Version:9 DeviceType:0x2F4
ASIC-9: Version:9 DeviceType:0x2F4
ASIC-10: Version:9 DeviceType:0x2F4
ASIC-11: Version:9 DeviceType:0x2F4
ASIC-12: Version:9 DeviceType:0x2F4
BW-3750-CoreSWA#sh ver | inc IOS
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
BW-3750-CoreSWA#
Hrm... are you sure about this?
Code:BW-3750-CoreSWA#show platform port-asic version Port-Asic Version Info: ======================== ASIC-0: Version:8 DeviceType:0x2C1 ASIC-1: Version:9 DeviceType:0x2F4 ASIC-2: Version:9 DeviceType:0x2F4 ASIC-3: Version:9 DeviceType:0x2F4 ASIC-4: Version:9 DeviceType:0x2F4 ASIC-5: Version:9 DeviceType:0x2F4 ASIC-6: Version:9 DeviceType:0x2F4 ASIC-7: Version:9 DeviceType:0x2F4 ASIC-8: Version:9 DeviceType:0x2F4 ASIC-9: Version:9 DeviceType:0x2F4 ASIC-10: Version:9 DeviceType:0x2F4 ASIC-11: Version:9 DeviceType:0x2F4 ASIC-12: Version:9 DeviceType:0x2F4 BW-3750-CoreSWA#sh ver | inc IOS Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2) BW-3750-CoreSWA#
xphil3 said:If we are speaking Cisco hardware, ASIC's relate to switching engines while routing processors refer to packet switching engines for the routing platform.
No where in my statement did I say that he did not need to run a routing protocol. I said that he did not need to run INTERIOR bgp, that he could use any other IGP if he would like. Secondly, if hes wants to peer with public AS's hes going to be forced to use BGP, I thought I made that obvious when I said we didn't know what kind of attribute manipulation he was going to be doing. Lastly, he does NOT, let me say that again.. he does NOT need to run iBGP between his routers. Running iBGP in this case will not gain you ANYTHING(unless you want to do some kind of pathing manipulation). With VRRP properly configured and AS path prepending configured on the secondary router traffic will NEVER see the secondardy router. Fin.
No, im not missing your point but I do see a very poorly engineered(if you can call it that) solution. Just pointing that out, if I went to a customer with that and they had half a brain I would be laughed at.
Once again, there is no benefit from running either an IGP or EGP within his AS if he configures VRRP with AS-path prepending on his secondary device. The only benefit that he would gain from running iBGP is preventing asymmetric routing conditions if he was *not* running a virtual failover protocol.Sure he can run an IGP, but if he's not running iBGP, he'd have to redistribute routes from BGP into OSPF/RIP/whatever. But then again, that's more a matter of (like you said) what he wants to do with the routes he receives. All I'm saying is that in most cases, you are better off just setting up the iBGP from the get-go (more of a best practices type of thing).
I think I should restate what I was saying, your solution does work. I never said that it didn't, just that it was poorly engineered. The reason I said that was because from my standpoint, and the customers that I deal(ISP's and enterprise level customers) with that solution is NOT fault tolerant. Yes, there is no *single* point of failure but if other failures do occur in your designed your hosed(which was stated earlier in this thread). Now, you recommended that solution to the OP, who clearly had enough interfaces on his CE routers to redundantly connect them to his "outside" switches, to remove those links. In that situation alone, the solution is poorly engineered.Please, by all means, explain to me why a customer would laugh at the solution? Seriously, I want to know what you are talking about. My *assumption* (and i know that we've all done a lot of assuming in this thread), is that you are making assumptions on how things would be configured. I can guarantee you that the solution I have shown does work, and works well if configured properly. However, we're all here to learn and I would love for you to show me a better one and point out exactly what you think is wrong with it.
Once again, there is no benefit from running either an IGP or EGP within his AS if he configures VRRP with AS-path prepending on his secondary device. The only benefit that he would gain from running iBGP is preventing asymmetric routing conditions if he was *not* running a virtual failover protocol.
I think I should restate what I was saying, your solution does work. I never said that it didn't, just that it was poorly engineered. The reason I said that was because from my standpoint, and the customers that I deal(ISP's and enterprise level customers) with that solution is NOT fault tolerant. Yes, there is no *single* point of failure but if other failures do occur in your designed your hosed(which was stated earlier in this thread). Now, you recommended that solution to the OP, who clearly had enough interfaces on his CE routers to redundantly connect them to his "outside" switches, to remove those links. In that situation alone, the solution is poorly engineered.
You're a smart dude, not saying anything otherwise but for ISP/enterprise level customers your solution would be sent back to engineering.
With all this said, you're right... we're doing a whole lot of assuming and flaming(which is always good fun, its how I learn most of the time). I think threads like these are the more valuable threads on the forums. Think about it, You, me and a few others have basically engineered a solution for this guy, for FREE.... thank god I didn't have to sign an non-compete
Heh, I as well do the Govt work(bunch of different orgs). Things in the commercial world are a bit different but more so when it relates to the pace of how things get done. Government has and will also be slower. Sit tight with your govt job(especially if you're a contractor) as its the best and secure place to be in at the current momentFor the record, in the arena I deal with (gov't datacenters), they seem to be fine with only accounting for a single failure at any point in time. Perhaps things are different in the commercial world, and to be honest, I'd love to get out of the gov't work (way too many headaches). These are the things I've been taught since I started, and no one has told me otherwise, so I'll definitely keep this in mind.
Heh, I as well do the Govt work(bunch of different orgs). Things in the commercial world are a bit different but more so when it relates to the pace of how things get done. Government has and will also be slower. Sit tight with your govt job(especially if you're a contractor) as its the best and secure place to be in at the current moment
Perhaps things are different in the commercial world, and to be honest, I'd love to get out of the gov't work (way too many headaches).