Friday, November 16, 2018

Router or L3 switch recommendation

Looking for a recommendation. We're about to refresh some gear in our datacenter. We have an Aruba 5412R L3 switch that connects all our servers and other appliances. We plan to keep it in place. We're going to be putting in a new NGFW (Fortinet or Palo Alto) for the Internet stuff. We have 46 WAN-connected sites that pull data and Internet from our datacenter. Our datacenter is connected to the WAN at 100G (100G handoff to an AT&T Metro-E switch). Our 5412R does not support 100G (it does have 40G ports). It's also weak as an L3 router. It does basic L3 stuff, but does not have the features a dedicated router has. AT&T threw a curve ball at us a while back and forced us into a 100G handoff instead of the 40G we were planning to connect to our 5412R. At any rate, we threw in a 100G Fiberstore L3 switch to pick up the handoff to AT&T as well as act as our "core" router, as it had more traffic shaping and L3 features than the 5412R. It currently has a 10G connection to our existing Palo Alto 5050, a 40G connection to our 5412R and a 100G connection to AT&T. It's actually been working great, but we want something better in the long run.

All that said, we're looking at replacing the FS switch with something that will give us the capacity to grow over the next 5 years. At a minimum, we'll need a 40G handoff to the new NGFW (we plan to support a maximum of 30Gb/s of Internet traffic over the next 5 years), a 40G (or two 40G aggregated to 80G) connection to our 5412R and the 100G connection to AT&T. Since we have a lot more bandwidth leaving our datacenter than we have coming into the remote sites, it would be a bonus to have something that can do some advanced traffic shaping on VLAN or subinterface egress so we can control the traffic heading out to our sites. I know Cisco ASR and Juniper can do this. Juniper actually has a good explanation of what I'm talking about here: https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-virtual-channel-security-overview.html. It also needs to potentially handle a bunch of policy-based routing. We currently run all traffic headed for the Internet through some in-line web filters. We may be moving to a cloud filtering solution. Clients using the cloud solution would be redirected around the in-line web filters. I tested doing this with policy-based routing rules on the Fiberstore switch. It works great when there are only a few clients in the ACL to process and set the next hop accordingly, but it just about crippled the switch when I tried to have it look at all the traffic coming from our 30k+ clients.

We've been kicking around the idea of consolidating the core routing and firewalling into a single device. We're still in talks with Fortinet, but the cost of putting in a Palo Alto solution that would satisfy the firewall and routing components costs about $500k more than a model that just does the firewalling. I'm having a hard time justifying the cost to do that.

So in short, I'm looking for an advanced L3 switch or dedicated router that has 10G, 40G, and 100G ports. We'll have less than 100G of sustained throughput running through it. Probably more like 50G or 60G max. Preferably a 1U or 2U device given we only need a few ports. I don't want to put in a huge chassis if there are other options.

I'm looking at the Juniper MX204 and Cisco ASR 9901. I'm a little worried that we may need more 40G or 100G ports on the 9901, but the 9904 may be overkill. Anyone running any of these?

Any other recommendations would be appreciated!

Thanks!