Adventures in network design, illustrated by our new backbone connection
Our current connection to the campus backbone is a 100 megabit connection. While we have a (somewhat) new gigabit backbone connection, we are not using it yet because we need to revise our network architecture.
One of the issues with our current network setup is that it was designed before firewalls were common. As a result, our current backbone connection connects directly to one of our /24 subnets, where (of course) a number of our servers live. This forces us to use a bridging firewall instead of a routing one, because we want those servers to be behind the firewall.
If you can, you really want to use a routing firewall:
- OpenBSD's pfsync and CARP support only works (well) with routing firewalls, which means that our current firewall doesn't have an automatic hot backup; if it fails, the recovery procedure requires someone to go to the machine room.
- bridging firewalls can't do some things.
Given this, what you generally want is for your touchdown subnet (the subnet that your external connection sits on) to hold only your external connection and your routing firewall. In theory we could achieve this even with our current connection, but for two issues: first, a /24 is a pretty large chunk of network space to use up for just two things, and second, a number of our servers on that subnet have by now very well known IP addresses and would be hard to move.
Our new gigabit connection uses a very small touchdown network for just this sort of network setup. However, this means that to use it we pretty much need to build a new firewall setup and shuffle how our internal routing is done, and we haven't yet had time to do either.
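To make the shape of that "new firewall setup" concrete, here is an added example of what a routing firewall pair on a small touchdown subnet looks like in OpenBSD configuration terms. This is illustrative configuration written for this post, not our department's actual files: the addresses (192.0.2.0/29 as the touchdown subnet, 198.51.100.0/24 as the old server subnet, 10.255.255.0/30 as the sync link), the interface names em0/em1/em2, the vhid numbers and the CARP password placeholder are all assumptions.

```conf
# ---- On both firewalls: /etc/sysctl.conf ----
net.inet.ip.forwarding=1        # this box routes between the touchdown subnet and the inside
net.inet.carp.preempt=1         # a recovered master takes all of its CARP groups back together

# ---- fw-a (intended master): /etc/hostname.em0 (touchdown side, assumed /29) ----
inet 192.0.2.2 255.255.255.248 192.0.2.7

# ---- fw-a: /etc/hostname.carp0 (shared address the campus router routes to) ----
inet 192.0.2.4 255.255.255.248 192.0.2.7 vhid 10 carpdev em0 pass CARP_SECRET_PLACEHOLDER advskew 0

# ---- fw-a: /etc/hostname.em1 (internal side: the old /24 the servers stay on) ----
inet 198.51.100.2 255.255.255.0 198.51.100.255

# ---- fw-a: /etc/hostname.carp1 (the internal hosts' default gateway) ----
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 11 carpdev em1 pass CARP_SECRET_PLACEHOLDER advskew 0

# ---- fw-a: /etc/hostname.em2 (dedicated back-to-back link for state sync) ----
inet 10.255.255.1 255.255.255.252 10.255.255.3

# ---- fw-a: /etc/hostname.pfsync0 ----
up syncdev em2

# ---- fw-a: /etc/mygate (default route is the campus router on the touchdown subnet) ----
192.0.2.1

# fw-b uses the same files with its own physical addresses (192.0.2.3, 198.51.100.3,
# 10.255.255.2) and "advskew 100" on both carp interfaces, so fw-a is master while healthy.

# ---- On both firewalls: /etc/pf.conf ----
ext_if       = "em0"
int_if       = "em1"
sync_if      = "em2"
internal_net = "198.51.100.0/24"

set skip on lo

# State replication and CARP keepalives must never be filtered or replicated.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick on { $ext_if $int_if } proto carp keep state (no-sync)

block log all

# Inside-initiated traffic may leave; the states it creates replicate to the peer.
pass in  on $int_if inet from $internal_net
pass out on $ext_if inet from $internal_net

# Only explicitly published services are reachable from the campus side.
pass in  on $ext_if inet proto tcp from any to 198.51.100.10 port { 22, 443 }
pass out on $int_if inet proto tcp from any to 198.51.100.10 port { 22, 443 }
```

The touchdown /29 ends up holding exactly four addresses: the campus router, the two physical firewall interfaces and the shared CARP address the router forwards to. The servers keep their well-known addresses on the old /24, which is now purely internal with the firewall's carp1 address as its gateway. Because both carp groups share the same preempt setting, a failure on either side of fw-a moves both the outside and inside addresses to fw-b at once, and pfsync over the em2 link means established connections survive the move instead of someone having to walk to the machine room.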
(We are fortunate that no one is really chomping at the bit to have gigabit connectivity to elsewhere on campus.)