I've always understood that anything in the core (access-lists, FW blades, IDS modules, etc.) is a bad design as it just slows down traffic, as the core is built for speed. I was always told to move everything to the distro or access-layer, depending on the function. AFAIK, the IDS blades have to look at all traffic, which could slow down the core, and this core is for a global bank on Wall St. If it's not done right now, when they expand later this year, the network will suck.
--
RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com

"Kent Hundley" wrote in message news:[EMAIL PROTECTED]...
> It's not a bad idea to have an IDS blade in the core, but if you have to
> pick either the DMZ and server blocks or the core, I would choose the
> former. Having an IDS blade in the core should not affect any other
> processing of the switch since it's a completely self contained module with
> its own processor. (course, Murphy is always lurking)
>
> It's also a good idea to have redundant sup's, but cost may be a factor as
> well. One can only have as much redundancy as your pocket book allows, and
> sup's aren't cheap. :-)
>
> Regards,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Steven A. Ridder
> Sent: Thursday, April 04, 2002 2:20 PM
> To: [EMAIL PROTECTED]
> Subject: Core layer question [7:40535]
>
>
> Has anyone ever designed a network and put either a firewall or IDS blade in
> the core switch block? Even if the customer had no money, wouldn't this
> never be advisable? Has anyone ever done it?
>
> As background for the questions, I started a new job, and so I took over
> some accounts, and whoever has been doing the configs (I think some have
> been coming from Cisco!) has been making mistakes here and there. One
> proposal had a 500 phone IP Tel network running over Cat. 3 wiring, and this
> one has a wan block going back to the core block (dual 6506's) with only 1
> sup in each and an IDS blade in each! Isn't it advisable to move the IDS's
> to the server and DMZ blocks? Also, isn't it always advisable to go with 2
> sups?
>
> I just want to make sure I'm not crazy, as I'd not like to cause a ton of
> waves my first week on the job.
>
> --
>
> RFC 1149 Compliant.
> Get in my head:
> http://sar.dynu.com

