Roland, I agree with everything you mentioned in your email. No matter how much money and resources you have, if you don't have the talent and people required to get the job done the project will fail. There a many outfits, like Scotts for example, that will handle most all of these issues for an operator that doesn't have the skills, talent, or personnel to deploy such a network on their own. I tried to keep the topics as broad as possible. No, I didn't go into detail about recursive or authoritative as I figured the general term DNS would cover both for the readers of this forum. The same with availability and resiliency and telemetry visibility and network hardening and the other detailed terms you have mentioned as I am making the assumption that this networking gear being talk about (carrier grade routers) would have most of these capabilities and people that would implement them (certified network engineers) would handle these issues. With that being said, we are not trying to crowdsource the architecture, design, deployment, and operations of our network. We are just seeking categorical advice as mentioned. If you ask this question to many of the network vendors that make these products they will try to oversell you on items you don't need. Just trying to cut through some of the marketing BS that the vendors produce, and see what people in the real world are actually deploying. On Thu, Jul 31, 2014 at 11:24 AM, Roland Dobbins <rdobbins@arbor.net> wrote:
On Jul 31, 2014, at 8:23 PM, Colton Conor <colton.conor@gmail.com> wrote:
Is a firewall needed in the core?
No, quite the opposite:
<https://app.box.com/s/a3oqqlgwe15j8svojvzl>
How would you build a access network from the ground up if you had the resources and time to do so?
I'd hire folks who have experience from both and architectural and operational perspectives, and who have the necessary local knowledge. Most of the question you're asking (except the one about iatrogenic stateful firewalls) are situationally-specific, and aren't really going to be answerable in detail via a mailing-list, no matter the depth and breadth of expertise of many of those participating in said email list.
For example, you've asked nothing specifically about recursive or authoritative DNS infrastructure, although they're both key (you did mention DNS generically, which is good, but that's overly broad). Nothing about availability and resiliency and telemetry visibility and network hardening. Nothing about access policies, mitigation systems, quarantine systems, etc. Nothing about upstream transit requirements, nothing about peering goals and imperatives. Nothing about redundancy at any level/in any area/for any function. And so forth.
I'm not criticizing you; I'm just trying to make the point that instead of concentrating on vendors and technologies and hardware and software, it's better to concentrate on *people* who have the requisite experience and expertise, and go from there. There are lots of specializations and subspecializations, and it's important to have folks who have broad experience spanning multiple areas, as well as others who know *everything* in a given area.
While you can get some categorical advice, you can't really crowdsource the architecture, design, deployment, and operations of your network.
;>
---------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön