Need help making DMZ upgrade argument

  • Need help making DMZ upgrade argument

    We have a customer with a 200mb internet pipe and a DMZ where we have just upgraded the Cisco routers/switches (to GB compliant) and Bluecoat boxes.

    However we still have a PIX 525 and a NokiaIP710 which only have 100MB interfaces and no expansion capability to upgrade all interfaces to 100mb

    I need some material for a solid argument as to why we won't be able to make use of the full 200mb link. Clearly I can talk about auto negotiation between different interface types and also how with newer firewalls (ASA / Checkpoint) we would have far greater additional metrics beyond link speed (b/s), such as packets per second (p/s), connections per second (c/s), transactions per second (t/s), and maximum concurrent connections (mcc).

    Any input as to valid arguments I can make would be welcome, but I need to find a valid way of saying that we can't make full use of the 200mb link when the slowest part of the network only runs at 100mb.

  • #2
    Re: Need help making DMZ upgrade argument

    Honestly - that really depends on the physical infrastructure of your network.

    If the PIX525 sits at the front end, and is what the connection is terminated on, then yes, definitely you won't get the full 200Mb; that's pretty simple.

    However, if it's sitting back behind a few other things, and isn't necessarily a bottleneck in its own right, then it may not matter.
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: Need help making DMZ upgrade argument

      Why not look at the interface statistics on the terminating device to see what your bandwidth utilization is? Just 'cause you have a 200mb pipe doesn't mean you are sending/receiving at that rate. This will determine how much of the link you are actually using. You may be only using say 60mb of it. If that's the case then there is no issue. If you are close to CIR then yes, the argument can be made to either upgrade the "bottleneck" device or downgrade the circuit. In my opinion it's always better to have more bandwidth available, as you can always upgrade the devices down the road. It's like saying you have 100mb switches with gigabit uplinks. Do we scrap the gig uplinks because the switchports only support 100mb? No. If congestion does come into play there are always QoS mechanisms to prioritize traffic or police it to a certain rate so the slower devices don't become overburdened.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)


      • #4
        Re: Need help making DMZ upgrade argument

        auglan makes a good point. How much of the 200Mbps pipe is actually being used? If it's not exceeding 100Mbps then upgrading the 100Mbps downstream links is pointless.

        As far as making your case to the customer, you can't put 10 pounds of junk in a 5 pound bag and you can't pump 200 gallons of water through a 100 gallon hose.
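The check suggested in posts #3 and #4, as an added example that is not part of the original thread: it turns successive interface octet-counter readings from the terminating device into Mb/s, handles a counter wrap, and compares the peak with the 100 Mb firewall interfaces. The sample readings, the 5-minute polling interval, the 32-bit counter width and the 80% headroom threshold are constructed assumptions.

```python
"""Added example: link utilization from interface octet counters."""

CIRCUIT_MBPS = 200      # internet pipe size quoted in the thread
BOTTLENECK_MBPS = 100   # PIX 525 / Nokia IP710 interface speed quoted in the thread

# Constructed sample: (unix_time, input octets) polled every 300 s from a
# 32-bit counter. The counter wraps between the second and third reading.
SAMPLES = [
    (0, 1_000_000_000),
    (300, 3_250_000_000),
    (600, 2_255_032_704),
    (900, 3_755_032_704),
]


def rate_mbps(prev, curr, seconds, counter_bits=64):
    """Average Mb/s between two octet-counter readings, allowing one wrap."""
    if seconds <= 0:
        raise ValueError("samples must be taken at increasing times")
    delta = curr - prev
    if delta < 0:                       # counter rolled past its maximum
        delta += 2 ** counter_bits
    return delta * 8 / seconds / 1_000_000


def assess(samples, counter_bits=64, headroom=0.8):
    """Return (peak_mbps, verdict) for time-ordered (time, octets) samples.

    headroom is an assumed planning threshold: a peak at or above
    headroom * BOTTLENECK_MBPS counts as pressing on the 100 Mb interfaces.
    Interval averages hide short bursts, so real peaks can be higher.
    """
    rates = [
        rate_mbps(o0, o1, t1 - t0, counter_bits)
        for (t0, o0), (t1, o1) in zip(samples, samples[1:])
    ]
    peak = round(max(rates), 1)
    if peak >= BOTTLENECK_MBPS * headroom:
        return peak, "at or near the 100 Mb interface limit"
    return peak, "well below the 100 Mb interfaces"


if __name__ == "__main__":
    peak, verdict = assess(SAMPLES, counter_bits=32)
    print(f"peak {peak} Mb/s of a {CIRCUIT_MBPS} Mb circuit: {verdict}")
```

A 32-bit octet counter can wrap more than once within a 5-minute poll at these speeds, so 64-bit counters or a shorter interval give more trustworthy numbers.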