[142561] in North American Network Operators' Group
Re: MX 80 advantages and shortcomings
daemon@ATHENA.MIT.EDU (Joel Jaeggli)
Tue Jul 5 13:01:20 2011
From: Joel Jaeggli <joelja@bogus.com>
In-Reply-To: <1309881416.62321.YahooMailClassic@web110609.mail.gq1.yahoo.com>
Date: Tue, 5 Jul 2011 09:59:55 -0700
To: chavan sanjay <sanju_ddd@yahoo.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I'd consult the list archive, since there's a couple of recent and fairly lengthy threads on this.
joel
On Jul 5, 2011, at 8:56 AM, chavan sanjay wrote:
> Hi Team,
>
> Can anyone enlighten me on the pros and cons of the MX 80 platform?
>
> Thanks
>
> Sanjay C.P.
>
> --- On Tue, 7/5/11, nanog-request@nanog.org <nanog-request@nanog.org> wrote:
>
>
> From: nanog-request@nanog.org <nanog-request@nanog.org>
> Subject: NANOG Digest, Vol 42, Issue 5
> To: nanog@nanog.org
> Date: Tuesday, July 5, 2011, 5:30 PM
>
>
> Send NANOG mailing list submissions to
> nanog@nanog.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mailman.nanog.org/mailman/listinfo/nanog
> or, via email, send a message with subject or body 'help' to
> nanog-request@nanog.org
>
> You can reach the person managing the list at
> nanog-owner@nanog.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of NANOG digest..."
>
>
> Today's Topics:
>
> 1. cheapo UUFB solution for Cisco 7201 (Rogelio)
> 2. Re: Firewall Appliance Suggestions (Curtis Maurand)
> 3. RE: Firewall Appliance Suggestions (Jean CLERY)
> 4. Re: Firewall Appliance Suggestions (Peter Nowak)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 4 Jul 2011 11:34:11 -0300
> From: Rogelio <scubacuda@gmail.com>
> Subject: cheapo UUFB solution for Cisco 7201
> To: nanog@nanog.org
> Message-ID: <CALJphbs6UBWKqGVW1EyvCL6pKGtCKjSYNZB=q70FxPOQ7D0CHA@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I've got a Cisco 7201 with about 500 L2TPv2 tunnels, and I suspect
> that UUFB (unknown unicast flooding) is resulting in spiking (I put an
> ACL on to kill broadcast traffic, so I'm sure that's not related).
> I've googled and don't see anything for the 7201, just the 7600
> series. :/
>
> i.e. http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/blocking.html
>
> Anyone have any suggestions on (something cheap) that I can put in
> front of this box to spare it from (what I suspect) is a gateway that
> unicast floods when a MAC address has aged?
>
> To add to my challenges, I'm in Brazil and importing gear is insanely
> effing difficult. :/
>
> --
> Also on LinkedIn? Feel free to connect if you too are an open
> networker: scubacuda@gmail.com
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 04 Jul 2011 17:40:56 -0400
> From: Curtis Maurand <cmaurand@xyonet.com>
> Subject: Re: Firewall Appliance Suggestions
> To: nanog@nanog.org
> Message-ID: <4E123368.7020602@xyonet.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
>> Linux + iptables + fwbuilder
>>
>> On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch<blake@pfankuch.me> wrote:
>>> Howdy,
>>> I am looking for something a little unique in a bit of a tough
>>> situation with some sticky requirements. First off, my requirements
>>> are a little weird and I can't bend them a whole lot due to
>>> stipulations being put on me. I am in need of a firewall appliance
>>> which can be run on VMware vSphere, with IPSEC support for multiple
>>> Phase 2 negotiations within a single Phase 1. I am also in need of
>>> something that can support VLAN interfaces on the LAN side, and
>>> ideally something with multi zoning so I can keep LAN side networks
>>> separate from each other without ridiculous firewall rules. Meaning
>>> build a zone for "Customer network 1" and it displays separately
>>> (ease of management and firewall config hopefully). I need a minimum
>>> of 10 "zones" on LAN side (/29 or /30), and NAT support for LAN to
>>> WAN (to dedicate all outbound connections to a single IP from a
>>> specific zone), ideally something extremely scalable (100-200
>>> zones). And here is the super fun part! I need something that is
>>> going to be web managed primarily as minions will be doing most of
>>> the day to day maintenance, or very simple CLI config. Willing to
>>> pay for something if need be, but looking for something that can
>>> easily handle 50-100mbit of throughput.
>>>
>>> Any Ideas?
>>>
>>> Thanks!
>>>
>>> Blake Pfankuch
>>>
> Vyatta. They have an appliance on their website.
>
> --Curtis
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 5 Jul 2011 00:58:51 +0200
> From: "Jean CLERY" <jean.clerymrs@gmail.com>
> Subject: RE: Firewall Appliance Suggestions
> To: "'Curtis Maurand'" <cmaurand@xyonet.com>, <nanog@nanog.org>
> Message-ID: <F7819E52D830406983C30BC43FAD7E3D@ezekiel>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Blake
> Try www.netasq.com
>
> Regards,
> Jean CLERY
>
>
> -----Original Message-----
> From: Curtis Maurand [mailto:cmaurand@xyonet.com]
> Sent: Monday, 4 July 2011 23:41
> To: nanog@nanog.org
> Subject: Re: Firewall Appliance Suggestions
>
> On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
>> Linux + iptables + fwbuilder
>>
>> On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch<blake@pfankuch.me> wrote:
>>> Howdy,
>>> I am looking for something a little unique in a bit of a tough
>>> situation with some sticky requirements. First off, my requirements
>>> are a little weird and I can't bend them a whole lot due to
>>> stipulations being put on me. I am in need of a firewall appliance
>>> which can be run on VMware vSphere, with IPSEC support for multiple
>>> Phase 2 negotiations within a single Phase 1. I am also in need of
>>> something that can support VLAN interfaces on the LAN side, and
>>> ideally something with multi zoning so I can keep LAN side networks
>>> separate from each other without ridiculous firewall rules. Meaning
>>> build a zone for "Customer network 1" and it displays separately
>>> (ease of management and firewall config hopefully). I need a minimum
>>> of 10 "zones" on LAN side (/29 or /30), and NAT support for LAN to
>>> WAN (to dedicate all outbound connections to a single IP from a
>>> specific zone), ideally something extremely scalable (100-200
>>> zones). And here is the super fun part! I need something that is
>>> going to be web managed primarily as minions will be doing most of
>>> the day to day maintenance, or very simple CLI config. Willing to
>>> pay for something if need be, but looking for something that can
>>> easily handle 50-100mbit of throughput.
>>>
>>> Any Ideas?
>>>
>>> Thanks!
>>>
>>> Blake Pfankuch
>>>
> Vyatta. They have an appliance on their website.
>
> --Curtis
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 5 Jul 2011 00:50:45 -0400
> From: Peter Nowak <pnowak@batblue.com>
> Subject: Re: Firewall Appliance Suggestions
> To: Blake T. Pfankuch <blake@pfankuch.me>
> Cc: "NANOG \(nanog@nanog.org\)" <nanog@nanog.org>
> Message-ID: <1B8D4E1C-BA43-4257-89DA-7D6EBB154927@batblue.com>
> Content-Type: text/plain; charset=us-ascii
>
> They don't have a VM yet - coming soon - but you may take a look at
> Palo Alto Networks. Having just a regular stateful firewall is not a
> good idea anymore...
>
> Peter Nowak
>
> On Jul 1, 2011, at 12:35 AM, Blake T. Pfankuch wrote:
>
>> Normally I would agree with you as far as separate instances, however
>> this will be in a situation where we pay ridiculous amounts for cpu and
>> memory, so a single instance is what we are shooting for (remember those
>> ridiculous requirements). I am planning to do some further testing with
>> vyatta and pfsense. Thank you all for the on list and off list
>> responses!
>>
>> -----Original Message-----
>> From: Sargun Dhillon [mailto:sargun@sargun.me]
>> Sent: Thursday, June 30, 2011 9:56 PM
>> To: George Bonser
>> Cc: Blake T. Pfankuch; NANOG (nanog@nanog.org)
>> Subject: Re: Firewall Appliance Suggestions
>>
>>
>> ----- Original Message -----
>>> From: "George Bonser" <gbonser@seven.com>
>>> To: "Blake T. Pfankuch" <blake@pfankuch.me>, "NANOG (nanog@nanog.org)"
>>> <nanog@nanog.org>
>>> Sent: Thursday, June 30, 2011 11:30:53 AM
>>> Subject: RE: Firewall Appliance Suggestions
>>>
>>>> Willing to pay for something if need be, but looking for something
>>>> that can easily handle 50-100mbit of throughput.
>>>>
>>>> Any Ideas?
>>>>
>>>> Thanks!
>>>>
>>>> Blake Pfankuch
>>>
>>>
>>> I might also look at Vyatta. They have appliances or you can run the
>>> software on your own hardware.
>>>
>>
>> I would not go with Vyatta if you're doing anything complex. The
>> number of random bugs I've hit with their software is numerous. In the
>> right hands, it's a powerful tool. And it seems to fit your solution
>> really well.
>>
>> If I were in your shoes, I would install two instances that would
>> handle the "edge" of the cluster, and then an instance per customer
>> (lightweight, they sell a VMware image). Then use dynamic routing to
>> direct traffic to the customer (assign each customer their own ASN, and
>> peer with their instance). So, worst case scenario, the NOC monkey only
>> breaks one customer's gear.
>>
>>
>> --
>> Sargun Dhillon
>> VoIP (US): +1-925-235-1105
>
> Peter Nowak
> Manager, Technical Services
> Bat Blue Corporation | Integrity . Privacy . Availability
> p. 212.461.3322 x3020 | f. 212.584.9999 | w. www.batblue.com
> Bat Blue's AS: 25885 | BGP Policy | Peering Policy
> Bat Blue's Legal Notice
>
> Receive Bat Blue's DSB Intelligence Report
>
> Bat Blue is proud to be the Official WiFi Provider for ESPN's X-Games
>
>
> ------------------------------
>
> _______________________________________________
> NANOG mailing list
> NANOG@nanog.org
> https://mailman.nanog.org/mailman/listinfo/nanog
>
> End of NANOG Digest, Vol 42, Issue 5
> ************************************
>
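Blake's requirement in the quoted thread (several LAN-side zones on VLAN sub-interfaces, each kept away from the others, each with its own dedicated WAN address for outbound NAT) is exactly the kind of policy the "Linux + iptables" suggestion can express directly. The following is an added example, not code from anyone in this thread or from Vyatta or fwbuilder: a POSIX shell generator that turns a constructed zone table into iptables commands. The interface names, prefixes and SNAT addresses are assumed placeholders. It prints the commands instead of applying them, so the ruleset can be reviewed (or diffed against the running one) before it touches a live box.

```shell
#!/bin/sh
# Added example: zone-based forwarding plus per-zone SNAT for a Linux/iptables
# firewall. Not from the thread; interface names and addresses are placeholders.

# Constructed sample zone table: "zone_name lan_iface lan_prefix snat_ip", one per line.
ZONES='cust1 eth1.101 10.0.1.0/29 203.0.113.11
cust2 eth1.102 10.0.2.0/29 203.0.113.12
cust3 eth1.103 10.0.3.0/30 203.0.113.13'

# gen_zone_rules ZONE_TABLE WAN_IFACE
# Emits one iptables command per line. Nothing is executed here; pipe the
# output into sh on the firewall once it has been reviewed.
gen_zone_rules() {
  zones="$1"
  wan="$2"
  # Default-deny forwarding; reply traffic is admitted by connection tracking.
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$zones" | while read -r name iface prefix snat; do
    [ -z "$name" ] && continue
    chain="zone_$name"
    echo "iptables -N $chain"
    # Anti-spoofing: packets entering a zone's VLAN must carry that zone's prefix.
    echo "iptables -A FORWARD -i $iface ! -s $prefix -j DROP"
    echo "iptables -A FORWARD -i $iface -s $prefix -j $chain"
    # A zone may reach the WAN; anything else (i.e. another zone's VLAN) is
    # dropped, which is what keeps "Customer network 1" from seeing network 2.
    echo "iptables -A $chain -o $wan -j ACCEPT"
    echo "iptables -A $chain -j DROP"
    # Every outbound connection from this zone leaves from its dedicated WAN IP.
    echo "iptables -t nat -A POSTROUTING -s $prefix -o $wan -j SNAT --to-source $snat"
  done
}

# count_rules ZONE_TABLE WAN_IFACE
# Number of commands the generator emits (2 global + 6 per zone); a cheap
# sanity check that every zone line was parsed before the rules are applied.
count_rules() {
  gen_zone_rules "$1" "$2" | grep -c '^iptables '
}

# snat_for ZONE_TABLE WAN_IFACE PREFIX
# The egress address a LAN prefix is mapped to, so an operator can answer
# "which IP does customer X appear as?" without reading the whole ruleset.
snat_for() {
  gen_zone_rules "$1" "$2" | sed -n "s|^iptables -t nat -A POSTROUTING -s $3 -o $2 -j SNAT --to-source ||p"
}

gen_zone_rules "$ZONES" eth0
```

Adding a customer is one more line in the zone table; the per-zone chain gives a natural place to hang that customer's own exceptions later without widening what other zones can reach.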