I want to share my idea and at the same time ask some questions:
We currently have a core router in city1 and another one in city2, connected via a 10G fiber link.
They currently do BGP, announce our AS to the world, and do some NAT for L2TP VPN users.
There is fasttrack on site.
Everything is going well, the BGP is damn slow :) The router is a 1036.
I tried to replace it with a 2004 but the 2004 was at 4x100% CPU and was too slow (there were some firewall rules + fasttrack).
My idea is to:
The core router will be a 2004 again, working ONLY in fastpath.
With a DAC there will be the 1036 that will do all NAT + fasttrack + filters for the downstream network.
I will connect the 2004 + 1036 with a 1G port, PTP, to access it via MAC telnet, RoMON, MAC winbox and so on.
How do I protect the router that is only in fastpath? My idea is to disable all the services and access it via an external, separated interface.
Another variant will be to enable for example winbox and restrict it to only the internal network (but in this way it will be wide open on all the IPs; it will restrict access, however the service will be exposed (even on a non-standard port)).
What is your opinion here?
I have read the test benchmark and in routing (fastpath) in the worst case it should be capable of moving my traffic. We have 5+ Gb of traffic at peak hours.
What are your opinions? I don't want a 1072 because I fear the flaw of the watchdog...
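An added configuration example (editor's, not the poster's or MikroTik's own) showing one way to do the first variant described above: no services reachable on the transit/BGP side of the fastpath-only router, and management only over the separate point-to-point link to the other box. The interface name ether1, the management prefix 10.255.255.0/30 and the RoMON secret are assumptions; replace them with yours. The restrictions below use `/ip service address=`, interface lists and per-user address limits rather than firewall filter rules, because adding rules to `/ip firewall` is exactly what can take the box out of IPv4 FastPath.

```routeros
# Added example, not the poster's or MikroTik's configuration.
# Assumed: ether1 is the 1G point-to-point link to the 1036, addressed
# from 10.255.255.0/30; "changeme" is a placeholder RoMON secret.

# 1. Put the management link in its own interface list
/interface list
add name=MGMT comment="OOB link to the 1036"
/interface list member
add interface=ether1 list=MGMT

# 2. Disable every IP service you do not use; pin the rest to the OOB prefix.
#    This is evaluated by the service itself, not by the firewall, so it
#    does not add any /ip firewall rules.
/ip service
disable telnet,ftp,www,www-ssl,api,api-ssl
set ssh address=10.255.255.0/30
set winbox address=10.255.255.0/30
/ip ssh
set strong-crypto=yes

# 3. Limit the admin account to the same prefix (second layer, independent
#    of which service is reached)
/user
set admin address=10.255.255.0/30

# 4. Layer-2 management (MAC telnet / MAC winbox / RoMON) only on the OOB port
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes secrets=changeme
/tool romon port
set [ find default=yes ] forbid=yes
add interface=ether1 forbid=no

# 5. Do not advertise the router to the transit side
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool bandwidth-server
set enabled=no
/ip dns
set allow-remote-requests=no
/ip proxy
set enabled=no
/ip socks
set enabled=no
/ip upnp
set enabled=no

# 6. After every change, confirm the box is still forwarding in fastpath
/ip settings print
# expected: ipv4-fast-path-active: yes, and ipv4-fast-path-packets increasing
```

Two caveats for this setup. First, `/ip service address=` and `/user address=` only decide who gets a login prompt; the TCP port still answers a SYN on every address the router owns, so if an unsolicited connection on the transit side must be invisible, the only place to drop it is `/ip firewall filter chain=input` on the 2004 or a filter on the upstream, and in the first case re-check `ipv4-fast-path-active` after adding the rules. Second, MAC telnet is cleartext on the wire; MAC winbox and RoMON over the dedicated point-to-point link are the ones worth keeping if the link ever passes through anything shared.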