Router/L3 Switch suggestion for 1Gbps WAN link

NAGISWAREN2
Level 1

Hi All,

I need a router / L3 switch suggestion to cater for 1Gbps WAN link throughput while running the BGP protocol. Is the Cisco Catalyst 4500/6500 able to handle this WAN throughput?

Regards,

Nagis       

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Almost any Cisco L3 Enterprise suitable switch, that supports a gig interface and BGP will support one single Gbps WAN throughput.  For example, the 3560-X/3750-X series, 4900 series, 4500 series, 6500 series, 7600 ("router") series and some of the MetroEthernet series.

However, if you need other than Ethernet interfaces (e.g. POS), some "WAN" like features (e.g. NAT), capacity to deal with one or more complete Internet BGP tables, your options are often much fewer.

For "real" routers, likely any "WAN" feature you might need is supported, but sustained capacity varies greatly.  Sustained gig throughput would start with ASR 1000 series.  If sustained throughput is less than a gig, you can downsize the router to match your performance requirement.

I've attached a Cisco whitepaper that discusses ISR performance under different usage.

Hi Joseph,

Thanks for the valuable info. Anyway, I did look at the Cisco Catalyst 4500 series datasheet at cisco.com, and found that IPV4 routing is only 250Mbps. Will it really limit WAN throughput? Sorry, but I'm confused on this.

http://www.cisco.com/en/US/prod/collateral/switches/ps10902/ps12332/data_sheet_c78-696791.html

Regards,

Nagis



I suspect you're misreading 250 Mpps (packets per second) as 250 Mbps (bits per second).  As unidirectional minimum size Ethernet 1 Gbps needs 1.488 Mpps, 250 Mpps supports 168 Gbps (or half that for full duplex).  I.e. 1 Gbps isn't an issue for a 4500.

Often hardware supports even higher bandwidth throughputs for larger packets, which is also why, on the data sheet you've referenced, switch capacity or system throughput is listed as supporting up to 800 Gbps.
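The Mpps versus Mbps arithmetic from the reply above, worked through as an added example that is not part of the original thread: it converts between a packets-per-second forwarding budget and link bit rate using the 20 bytes of per-frame wire overhead, and finds the smallest frame size at which a budget still holds line rate. The function names and the 500 kpps budget are constructed for illustration.

```python
# Added example: Ethernet pps <-> bps sizing. Function names and the
# 500 kpps budget in the demo are constructed, not taken from a datasheet.

WIRE_OVERHEAD_BYTES = 20  # 7 B preamble + 1 B start delimiter + 12 B inter-frame gap
MIN_FRAME_BYTES = 64      # smallest legal Ethernet frame, FCS included
MAX_FRAME_BYTES = 1518    # largest untagged standard frame, FCS included


def wire_bits(frame_bytes):
    """Bits one frame occupies on the wire, per-frame overhead included."""
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_FRAME_BYTES:
        raise ValueError(f"frame size {frame_bytes} outside 64..1518 bytes")
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def line_rate_pps(link_bps, frame_bytes=MIN_FRAME_BYTES):
    """Packets per second needed to fill one direction of a link."""
    return link_bps / wire_bits(frame_bytes)


def budget_to_bps(budget_pps, frame_bytes=MIN_FRAME_BYTES):
    """Unidirectional bit rate a pps budget sustains at this frame size."""
    return budget_pps * wire_bits(frame_bytes)


def smallest_sustainable_frame(budget_pps, link_bps, full_duplex=True):
    """Smallest frame size at which the budget keeps up with the link.

    64 means line rate at every legal size; None means the budget cannot
    keep up even with maximum-size frames.
    """
    directions = 2 if full_duplex else 1
    for size in range(MIN_FRAME_BYTES, MAX_FRAME_BYTES + 1):
        # Integer comparison avoids float rounding at the boundary.
        if link_bps * directions <= budget_pps * wire_bits(size):
            return size
    return None


if __name__ == "__main__":
    gig = 1_000_000_000
    print(f"1 Gbps, 64-byte frames: {line_rate_pps(gig) / 1e6:.3f} Mpps")
    print(f"250 Mpps, 64-byte frames: {budget_to_bps(250_000_000) / 1e9:.0f} Gbps")
    for label, pps in (("250 Mpps (thread figure)", 250_000_000),
                       ("500 kpps (constructed)", 500_000)):
        size = smallest_sustainable_frame(pps, gig)
        print(f"{label}: 1 Gbps full duplex holds from {size}-byte frames up")
```

A budget that only holds line rate from a few hundred bytes upward is the case to watch when sizing a software-based router, since small-packet traffic hits the pps limit long before the link fills.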

Hi Joseph,

Thanks again. Yes, I misread Mpps as Mbps. So in conclusion I'm choosing the Cisco 4503-E with Sup 7E for a 1 Gbps WAN (internet) connection. The main feature I need is only BGP, and if possible a DDOS prevention feature set. NAT/QOS features will be in the firewall portion, which is not under my control.

Regards,

Nagis



Unsure the 4500 supports much in the way of DDOS.  They do support BGP, but hardware is limited to 256K routes, something to be aware of if you were planning on taking full Internet BGP tables.

Hi Joseph,

I'm planning to get only the ISP's AS locally generated routes, and the rest by default route. Any suggestion you can provide for DDOS and a bigger routing table?

Regards,

Nagis



For just one ISP's local AS routes, you should be fine.

For DDOS, to protect this network device or the rest of the network?  If the former, Cisco does have white papers for hardening recommendations.  Later IOSs sometimes even support a new AutoSecure command (see http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper09186a00801dbf61.html).

If you need bigger router tables, you'll need the hardware that supports it.  For software based routers, sometimes it's as simple as adding RAM.  For hardware L3 switches, it can be more complex/expensive/not-possible.  For example the 6500 series provide their standard and XL variants of their supervisors and DFCs.

I'd go for an ASR1004 with RP2 and, AT LEAST, an ESP 10.

You'll have to cater full routes than depending the ISP.


Hi Joseph,

Actually I have two different ISP links, each at 1Gbps. So I'm planning to get 2 units of router/switch and do BGP multihoming. Not sure if outbound load balancing is possible using two routers with two ISPs, but I wished to balance traffic since I'm paying a huge amount to both ISPs. Any suggestion?

Regards,

Nagis


Hi ,

We have our own public IP and AS number; NAT will be on the firewall. The router is just for routing purposes.

Regards,

Nagis



For load balancing, across two devices, you have several options, from simple to complex.  If you're working with gig links, that aren't really going to be fully saturated, a simple approach might be sufficient.  You also need to decide whether load balancing based on outbound traffic is sufficient, or whether inbound load balancing needs to be considered independently of outbound.  (I.e. if inbound traffic is in response to outbound traffic, if you balance outbound, inbound, generally, balances correspondingly.  But, if inbound traffic is being initiated, e.g. to public servers you're hosting, then balancing that traffic is much more complex.)

For an example of simple outbound load balancing, if you can route your outbound traffic to both your edge routers, "equally" (GLBP, ECMP), you'll roughly load balance outbound, and if inbound traffic is in response, to two different NATed IPs, it will roughly load balance inbound.

Next layer of complexity, if you're carrying full Internet routing tables from both your ISPs, and if you exchange that between both your internal routers (iBGP), then each of your internal routers will direct traffic to the other internal router if the other has a better (shorter Internet AS path).  This assumes you're still initially sending outbound traffic to both routers "equally", as described in the prior paragraph.

The next layer of complexity might be to use Cisco's OER/PfR technology.  This technology will load balance, dynamically, on actual link loading and/or measured performance to end destinations.  This technology, I don't think is available on 4500s.  Full technology is available on many of the software based routers, unsure whether the ASR series is included.

Again, if traffic is initiated from the inside, inbound traffic will generally "track" your outbound balancing.  PfR also supports dynamic inbound balancing, but that's a much more complex setup and you might need cooperation from your ISPs to obtain maximum effectiveness.

Hi Joseph,

Thanks for such useful info. After checking pricing with the vendor, my boss is good to go with the ASR1001 instead. So we will buy 2 units of ASR1001, 1 for each 1Gb link. How should I connect these two routers to the firewall? Should I place a Layer 2 switch so that all these devices (firewall and 2 ASRs) are connected to it? Which ASR should the firewall point its default gateway to? What if the ASR pointed to by the firewall is physically down?

The main thing is that we want to load balance outbound traffic and also inbound traffic in response to outbound, e.g. web browsing, downloading, streaming, etc.

Regards,

Nagis



Will there be one firewall for two?  (If one, redundancy?)

Will firewall(s) be on outside or inside of these routers?

Will firewall be transparent or will we need to route through it?  If the latter, will firewall be doing static or dynamic routing?  If the latter, what's your IGP?
