Which point of failure is more severe? (7200 router or Cat 4507)

Answered Question
May 7th, 2007

Hi, please let me know if my rationale below is right or wrong:

Imagine I have fiber connectivity from my MPLS provider to MySite, in which I have (1) 7200 VXR router with a special module to accommodate fiber.

The 7200 router is connected to (1) 4500 switch.

If I have money to address one point of failure or the other, do you agree that I should put in one more core switch (and do HSRP) instead of bothering with the router and Internet connectivity?

My rationale to address the core switch point of failure first is because at least users should be able to use internal resources in the event of failure. If the 7200 router ever goes south, I would lose Internet connectivity, but as long as I have internal communications thanks to the redundant core switch, that should be a better deal.
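The "one more core switch (and do HSRP)" option above, written out as an added example; this is not configuration from the original post or from any of the participants. It assumes two Catalyst 4500s named CORE-A and CORE-B, a user VLAN 10 addressed 10.10.10.0/24 with 10.10.10.1 as the virtual gateway, and a trunk between the two switches that carries VLAN 10; all names and addresses are constructed for illustration.

```cisco
! CORE-A: preferred active gateway for VLAN 10 (assumed name and addresses)
! The two cores must share VLAN 10 over a trunk and the access switches should
! uplink to both, or the second core protects the gateway but not the path to it.
interface Vlan10
 description Users (constructed example)
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 30
 standby 10 authentication md5 key-string CHANGE-ME
 ! Drop priority by 20 if the link toward the 7200 goes down, so the peer
 ! that still reaches the router takes over; interface name is assumed.
 standby 10 track GigabitEthernet1/1 20
!
! CORE-B: standby gateway, takes over when CORE-A or its tracked uplink fails
interface Vlan10
 description Users (constructed example)
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 standby 10 preempt delay minimum 30
 standby 10 authentication md5 key-string CHANGE-ME
```

Hosts in VLAN 10 point their default gateway at 10.10.10.1 and keep working when either core fails; the MD5 key stops a rogue host from injecting a higher-priority HSRP hello and hijacking the gateway, and the preempt delay gives a rebooted core time to converge before it claims the address back. Only the gateway is redundant here: if the single 7200 dies, Internet and MPLS reachability is lost, which is the trade-off the post describes.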

Paolo Bevilacqua Mon, 05/07/2007 - 15:24

Hi,

First of all, in these days of sophisticated L3 switches, unless your 7200 is doing something that only a router can do, you can attach the fiber (if it is Ethernet) directly to the Cat 4500 and have eliminated a point of failure already.

Then, making the switch redundant is not easy, as it depends on many factors, like type and quantity of ports, role in the network, etc.

This is why I like stackable switches like the 3750. Good density, great features, and not too expensive to store an extra one, just in case. Or just put it in the stack and, on failure, take it out and reconnect ports as necessary.

Hope this helps, please rate post if it does!

news2010a Mon, 05/07/2007 - 18:56

I don't want to disdain or look down on your insight, but 5 out of 4 network engineers tell me that the practice of letting the fiber Ethernet directly onto the core switch doesn't seem to be a best practice, to my understanding.

Paolo Bevilacqua Tue, 05/08/2007 - 03:12

Any opinion is welcome. Next time, you can ask why the recommendation is made so it can be discussed further.

Best Practices are a good thing, but must be substantiated.

Anyway I think I was probably forgetting a couple of very good reasons for having a router before the switch: NAT and Firewall.

mohammedmahmoud Mon, 05/07/2007 - 21:37

Hi,

As Paolo has stated, it would be nice to eliminate any points of failure and connect the fiber cable directly; the issue of not connecting the Ethernet cables directly between devices and using switches in between was in the era of UTP cables.

HTH, please rate all helpful posts,

Mohammed Mahmoud.

news2010a Tue, 05/08/2007 - 06:30

Thanks for all your insight. I heard from a neteng about this and I am very, very curious on what the best practice would be regarding this approach of connecting the ethernet/fiber directly onto the core switch. If you think the below rationale is not compelling, please let me know. Also, I am new to MPLS and I don't know whether MPLS would not apply to the apparent correct rationale outlined below:

"I would recommend keeping the 7200. For security I NEVER like external connections on a core switch. I prefer to filter, NetFlow monitor, and deny junk data away from the core.

The 7200 can easily handle high bandwidth flows (with modern NPEs/NSEs) so it's not a performance hit to keep it there. I have about 20 things I do by default to watch what's coming in / going out, and I would rather not have to worry about my internal -> internal data polluting those records."

Correct Answer
sundar.palaniappan Tue, 05/08/2007 - 06:42

Marlon,

I agree with your last post. It would be a good move if you do NOT terminate your external connections on your core switches. The reason being, any DoS attacks would have to go through an additional layer of protection before your internal (core) network would be compromised. Again, keep in mind cost is a big factor in making decisions.

As far as adding a 2nd core switch, that would be a good idea as well, as it would prevent a single point of failure within the internal network.

HTH

Sundar
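The "filter, NetFlow monitor, and deny junk data away from the core" role that the quoted network engineer and Sundar give the 7200, as an added example; this is not configuration from the original thread or from any participant. It assumes a 7200 named EDGE-7200 with GigabitEthernet0/0 facing the MPLS provider on 203.0.113.0/30, GigabitEthernet0/1 facing the core on 10.10.0.0/30, one published HTTPS host at 203.0.113.10, and a NetFlow collector at 10.10.10.50; every name and address is constructed for illustration.

```cisco
! EDGE-7200: the external connection terminates here, not on the core.
! Inbound ACL: drop packets that claim an internal or reserved source
! (anti-spoof/bogon), let answers to inside-initiated sessions and the
! published service through, log and drop the rest before it reaches the core.
ip access-list extended FROM-PROVIDER
 remark constructed example; tighten to what the site actually publishes
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 permit tcp any any established
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
!
! Export NetFlow for the edge only, so the records contain external flows
! and are not polluted by internal -> internal traffic (collector is assumed).
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 10.10.10.50 2055
!
interface Loopback0
 ip address 10.10.255.1 255.255.255.255
!
interface GigabitEthernet0/0
 description MPLS provider uplink (constructed example)
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-PROVIDER in
 ip flow ingress
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet0/1
 description Inside link to core switch (constructed example)
 ip address 10.10.0.1 255.255.255.252
 ! Strict uRPF on the inside interface: a packet from the core is dropped
 ! unless its source address routes back through this interface, so an
 ! infected inside host cannot spoof foreign sources outbound.
 ip verify unicast source reachable-via rx
 ip flow egress
```

The point of keeping this on the router rather than the core is the one Sundar makes: a DoS or spoofed flood from the provider side hits the ACL and uRPF on a box whose only job is the edge, and the core switch only ever sees what survived. Strict uRPF is placed on the inside interface deliberately; on the provider-facing interface it would need the default route to be considered (the `allow-default` keyword) and can misfire with asymmetric routing, which is why the inbound side relies on the explicit ACL instead.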
