[191877] in North American Network Operators' Group


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against

daemon@ATHENA.MIT.EDU (Mike Hammett)
Sat Oct 1 10:26:01 2016

X-Original-To: nanog@nanog.org
Date: Sat, 1 Oct 2016 09:24:22 -0500 (CDT)
From: Mike Hammett <nanog@ics-il.net>
To: Pedro <piotr.1234@interia.pl>
In-Reply-To: <aaa7dd0a-5c99-342e-a311-ff136bd768c1@interia.pl>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

I like putting a switch in front so then I can run two routers behind and get a /29 from the upstream. I can then do router maintenance, upgrades, etc. without taking the circuit down.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----

From: "Pedro" <piotr.1234@interia.pl>
To: nanog@nanog.org
Sent: Friday, September 30, 2016 2:42:37 PM
Subject: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos


Hello,

I have an idea to put a switch before the BGP router in order to terminate
the ISP 10G uplinks on the switch, not the router. The main reason is that it
could be some kind of 1st level of defence against DDoS; the second reason,
less important, is to save the cost of router ports and do many port mirrors.

I am thinking about the N3K-C3064PQ or Juniper EX4500 because they are quite
cheap and there are a lot of them on eBay.

On the Nexus or Juniper I would like to try to use some features:

- limit UDP, ICMP, BUM packets (bandwidth, pps) at the ingress tagged port or
VLAN
- create counters: passed and dropped packets; the best way to get these
counters via SNMP OID, send SNMP traps, syslog, etc. in order to monitor
or even, as an action, shut down the port
- port mirror from many ports/VLANs to multiple ports (other anti-DDoS
solutions)
- limited BGP but with flowspec to communicate with other anti-DDoS
devices

I'm also wondering how the features above impact the CPU/whole switch. Can
there be some performance degradation, or are all of these features done in
hardware, at wire speed? Which model will be better for this?

Thanks for any advice,
Pedro
