Death to the Firewall

Home / Death to the Firewall

Death to the Firewall

Posted Jun 6 2011 by Brent Salisbury in Speculative with 0 Comments

I have a new plan for an area that has three requirements.

1. 10gbps throughput with MPLS/VPN support to act as a PE node with MVPN support.

2. Traffic shaping and reduction of traffic.

3. Blacklisting of offenders who violate policy, DMCA/RIAA etc.

Tradidtionally that would be a huge traffic shaping box that is through the roof if available at 10G speeds.

For route/switch, either a chassis based lan switch with MPLS support (overkill possibly). Other than the ME3600 (which we have some of but thats another long story) it is big chassis or ISR/ASR routers from each vendor. Juniper 4500 is sketchy on the documentation of whether it is just MPLS on the northbound uplinks.

The firewalling could be done at 10GE with expensive ASA/ESX solutions but also very pricey.

All three of those boxes are expensive to life-cycle on a 5 year to top it up. 500K+.

In comes NBAR-2. Before you flame it looks like there is a really cool manner inwhich it is done on the ESP in the ASR from what I can see. Typically NBAR for classifications on the 6ks wrecked shop but the nice thing about the ASR 1k is the 40 cores on it. Instead of just forking the header up for a forward it inspects payload in the ESP it appears.

For firewalling/blacklisting I will give a go with the IOS FW onboard also due to the loads of cores to deal with that. I need to dig deeper on impact there but it still beats a 5585-ssp60.

10GE route switch should still be available if the proper ESP is selected and still maintain the speeds. After digging in with a TME it seems there are some cool classification features roadmaped but I cannot remember what was NDA and not.

Next month I have a CPOC to proof it along with another project. So hopefully I will have time for a full day of beating the ASR ESP’s up and see what the results are. The next week I have a POC at Juniper HQ for a 8 node MX PO for our regional network. I will get a post as time permits for the two people who would read and care. I did this post in 3 minutes before a meeting. Only thing I claim are inaccuracies!

Death to firewalls. What network engineers like em anyways.

Tags: OpenFlow, Software Defined Networking Categories: Speculative

Leave a Reply Click here to cancel reply.

Start Blogging Today!

Sharing your ideas and thoughts with the community is what brings innovation and change. It is the number one thing I recommend to people looking to accelerate their career in IT. I use HostGator.com. It is $4-$5 a month for unlimited everything. Here are two coupon codes you can use. You save a few bucks and I get a few bucks referal. There are free Wordpress sites like WordPress.com.
if you just want to get started. I started there but a hosted site in the long run was better. HostGator was what I found to consistently have the best reviews and I have been happy with them if you want dedicated hosting. Just sign up for the “Hatchling plan” it is all you need for Wordpress. They have an easy mechanism of importing from WordPress into HostGator. Irregardless of hosting site, start sharing your thoughts somewhere!

#######################################
$9.94 off a site use code NETWORKSTATIC10
25% off a order use code NETWORKSTATIC25
#######################################

Feel free to use anything you find on the site that is useful as long as no kitties are harmed in the process

Death to the Firewall