RE: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control

From: Sloane, David (DSloane_at_vfa.com)
Date: 03/02/04

  • Next message: Brian Ford: "Re: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 2 Mar 2004 13:36:01 -0500
    
    

    Can anyone with some good Cisco depth rebut these assumptions about a 6500-series switch "losing its configuration?"

    When I had a 6509, we had two supervisor engines (MSFC's?) with mirrored configurations and redundant power. As far as I could tell, any hardware or software failure which would clear the configuration would have to kill both management cards, making the switch inoperative.

    Could an incompetent network admin clear the configuration? Sure, but the likelihood of that event should decrease with tolerance for network downtime. Generally, 6500-series switches are deployed to meet a need for stability, speed and uptime. They're expensive (per-port compared to fixed-port switches) and complex devices. I like the "set default port-status disable" option - that seems like a more secure way to manage the switch.

    If you're using a layer 3+ switch with hundreds of ports, you've already decided that multiple networks will be fed from one switch (unless you're running a layer 2 network segment with several hundred nodes). If you really need gigabit speed firewall throughput between those networks, the FWSM will probably give you the best throughput because it sits on the highest-speed link. For example, the switch fabric on the 6500 series is up to 720Gbps, depending on the supervisor engine. The FWSM looks like a variant on the PIX OS (with a different development/testing cycle) and the feature set seems more limited than the current PIX.

    Also, I believe the FWSM is a PIX firewall on a blade, not Checkpoint FW1 (see www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/fwsm_qp.pdf).

    For high throughput and expandability, you might want to combine a fast firewall with several Cisco Catalyst 3750 switches. They have some nice features (single-IP management of several linked devices) and cost less per port than the chassis switches (especially for gigabit ports).

    - David

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Krzysztof Gajdemski
    Sent: March 02, 2004 9:57 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control

    02.03.2004, 11:37:16, Krzysztof Gajdemski wrote:
    > 01.03.2004 13:33:16, Shimon Silberschlag wrote:
    > > Let's take it to the extreme: someone (accidentally or intentionally)
    > > resets (or otherwise changes) the switch configuration. With
    > > separate switches, each segment can talk freely to all other servers
    > > on the segment but not outside, since the FW watches that route. For
    > > one big switch connected to an outside FW, all segments can talk to
    > > all segments (if the switch behaves as a L2 one). What about 6500
    > > with FWSM? Does resetting the config prevent it from seeing any
    > > traffic?
    > On C6500 platform all ports are in `disable' or `administratively
    > down'
                                          ^^^^^^^
    Ooops...

    On CatOS all ports are in *enable* state after `clear config all' command unless you explicitly change that behaviour using `set default port status disable'.

    Sorry :)

         k.

    --
    - -  Krzysztof Gajdemski | songo @ debian.org.pl | KG4751-RIPE
    Registered Linux User # 133457 | BLUG Registered Member # 0005
    PGP publ. key at: http://i.use.vi.pl/gpg/gpgkey * ID: 3C38979D "I respect all of you who remain in the shadows" SNERG
    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
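    As an added illustration (not code from the thread, from Cisco, or from either poster): a small Python audit of a CatOS-style configuration dump that checks for the `set default port status disable` setting the thread discusses and lists ports that are still enabled while sitting in the default VLAN, i.e. the ports that would bridge segments together after a `clear config all`. The config excerpt and port names are constructed; the command wording follows the thread, so both `port status` and `portstatus` spellings are accepted.

```python
import re
from typing import Dict, List, Set

# Constructed CatOS-style excerpt (not taken from the thread or a real switch).
SAMPLE_CONFIG = """\
set default port status enable
set vlan 10 2/1-4
set vlan 20 2/5-8
set port disable 2/9-12
"""

PORT_RANGE = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")


def expand_ports(spec: str) -> List[str]:
    """Expand a CatOS port list such as '2/1-4,3/1' into individual mod/port names."""
    ports: List[str] = []
    for chunk in spec.split(","):
        m = PORT_RANGE.match(chunk.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {chunk!r}")
        mod, lo = m.group(1), int(m.group(2))
        hi = int(m.group(3) or lo)
        ports.extend(f"{mod}/{n}" for n in range(lo, hi + 1))
    return ports


def audit(config: str, all_ports: List[str]) -> Dict[str, object]:
    """Report whether the default port status is 'disable' and which ports are
    enabled but never moved out of the default VLAN (assumed to be VLAN 1)."""
    default_disabled = False
    vlan_of: Dict[str, int] = {}
    disabled: Set[str] = set()
    for line in config.splitlines():
        words = line.split()
        norm = " ".join(words).replace("port status", "portstatus")
        if norm.startswith("set default portstatus "):
            default_disabled = norm.endswith(" disable")
        elif words[:2] == ["set", "vlan"] and len(words) == 4:
            for p in expand_ports(words[3]):
                vlan_of[p] = int(words[2])
        elif words[:3] == ["set", "port", "disable"] and len(words) == 4:
            disabled.update(expand_ports(words[3]))
        elif words[:3] == ["set", "port", "enable"] and len(words) == 4:
            disabled.difference_update(expand_ports(words[3]))
    live_default = [p for p in all_ports if p not in disabled and p not in vlan_of]
    return {"default_port_status_disable": default_disabled,
            "live_default_vlan_ports": live_default}
```

Running `audit(SAMPLE_CONFIG, expand_ports("2/1-24"))` flags the missing default-disable setting and the twelve untouched ports 2/13 through 2/24 that are enabled in VLAN 1.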
