MX 80 advantages and shortcomings

Joel Jaeggli joelja at bogus.com
Tue Jul 5 16:59:55 UTC 2011


I'd consult the list archive, since there's a couple of recent and fairly lengthy threads on this.

joel

On Jul 5, 2011, at 8:56 AM, chavan sanjay wrote:

> Hi Team,
>  
> Can anyone enlighten me on the pros and cons of MX 80 platform
>  
> Thanks
> 
> Sanjay C.P.
> 
> --- On Tue, 7/5/11, nanog-request at nanog.org <nanog-request at nanog.org> wrote:
> 
> 
> From: nanog-request at nanog.org <nanog-request at nanog.org>
> Subject: NANOG Digest, Vol 42, Issue 5
> To: nanog at nanog.org
> Date: Tuesday, July 5, 2011, 5:30 PM
> 
> 
> Send NANOG mailing list submissions to
>     nanog at nanog.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://mailman.nanog.org/mailman/listinfo/nanog
> or, via email, send a message with subject or body 'help' to
>     nanog-request at nanog.org
> 
> You can reach the person managing the list at
>     nanog-owner at nanog.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of NANOG digest..."
> 
> 
> Today's Topics:
> 
>    1. cheapo UUFB solution for Cisco 7201 (Rogelio)
>    2. Re: Firewall Appliance Suggestions (Curtis Maurand)
>    3. RE: Firewall Appliance Suggestions (Jean CLERY)
>    4. Re: Firewall Appliance Suggestions (Peter Nowak)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 4 Jul 2011 11:34:11 -0300
> From: Rogelio <scubacuda at gmail.com>
> Subject: cheapo UUFB solution for Cisco 7201
> To: nanog at nanog.org
> Message-ID:
>     <CALJphbs6UBWKqGVW1EyvCL6pKGtCKjSYNZB=q70FxPOQ7D0CHA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I've got a Cisco 7201 with about 500 L2TPv2 tunnels, and I suspect
> that UUFB (unknown unicast flooding) is resulting in spiking (I put an
> ACL on to kill broadcast traffic, so I'm sure that's not related).
> I've googled and don't see anything for the 7201, just the 7600
> series.  :/
> 
> i.e. http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/blocking.html
> 
> Anyone have any suggestions on (something cheap) that I can put in
> front of this box to spare it from (what I suspect) is a gateway that
> unicast floods when a MAC address has aged?
> 
> To add to my challenges, I'm in Brazil and importing gear is insanely
> effing difficult.  :/
> 
> --
> Also on LinkedIn?  Feel free to connect if you too are an open
> networker: scubacuda at gmail.com
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 04 Jul 2011 17:40:56 -0400
> From: Curtis Maurand <cmaurand at xyonet.com>
> Subject: Re: Firewall Appliance Suggestions
> To: nanog at nanog.org
> Message-ID: <4E123368.7020602 at xyonet.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
>> Linux + iptables + fwbuilder
>> 
>> 
>> 
>> On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch<blake at pfankuch.me>  wrote:
>>> Howdy,
>>> I am looking for something a little unique in a bit of a tough situation with some sticky requirements.  First off, my requirements are a little weird and I can't bend them a whole lot due to stipulations being put on me.  I am in need of a firewall appliance which can be run on VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within a single Phase 1.  I am also in need of something that can support VLAN interfaces on the LAN side, and ideally something with multi zoning so I can keep LAN side networks separate from each other without ridiculous firewall rules.  Meaning build a zone for "Customer network 1" and it displays separately (ease of management and firewall config hopefully).  I need a minimum of 10 "zones" on LAN side (/29 or /30), and NAT support for LAN to WAN (to dedicate all outbound connections to a single IP from a specific zone), ideally something extremely scalable (100-200 zones).  And here is the super fun part!  I need something that is going to be web managed primarily as minions will be doing most of the day to day maintenance, or very simple CLI config.  Willing to pay for something if need be, but looking for something that can easily handle 50-100mbit of throughput.
>>> 
>>> Any Ideas?
>>> 
>>> Thanks!
>>> 
>>> Blake Pfankuch
>>> 
> Vyatta.  They have an appliance on their website.
> 
> --Curtis
> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Tue, 5 Jul 2011 00:58:51 +0200
> From: "Jean CLERY" <jean.clerymrs at gmail.com>
> Subject: RE: Firewall Appliance Suggestions
> To: "'Curtis Maurand'" <cmaurand at xyonet.com>,    <nanog at nanog.org>
> Message-ID: <F7819E52D830406983C30BC43FAD7E3D at ezekiel>
> Content-Type: text/plain;    charset="iso-8859-1"
> 
> Hi Blake
> Try www.netasq.com
> 
> Regards,
> Jean CLERY
> 
> 
> -----Original Message-----
> From: Curtis Maurand [mailto:cmaurand at xyonet.com]
> Sent: Monday, 4 July 2011 23:41
> To: nanog at nanog.org
> Subject: Re: Firewall Appliance Suggestions
> 
> On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
>> Linux + iptables + fwbuilder
>> 
>> 
>> 
>> On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch <blake at pfankuch.me> wrote:
>>> Howdy,
>>> I am looking for something a little unique in a bit of a
>>> tough situation with some sticky requirements.  First off, my requirements
>>> are a little weird and I can't bend them a whole lot due to stipulations
>>> being put on me.  I am in need of a firewall appliance which can be run on
>>> VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within
>>> a single Phase 1.  I am also in need of something that can support VLAN
>>> interfaces on the LAN side, and ideally something with multi zoning so I can
>>> keep LAN side networks separate from each other without ridiculous firewall rules.
>>> Meaning build a zone for "Customer network 1" and it displays separately
>>> (ease of management and firewall config hopefully).  I need a minimum of 10
>>> "zones" on LAN side (/29 or /30), and NAT support for LAN to WAN (to
>>> dedicate all outbound connections to a single IP from a specific zone),
>>> ideally something extremely scalable (100-200 zones).  And here is the super
>>> fun part!  I need something that is going to be web managed primarily as
>>> minions will be doing most of the day to day maintenance, or very simple CLI
>>> config.  Willing to pay for something if need be, but looking for something
>>> that can easily handle 50-100mbit of throughput.
>>> 
>>> Any Ideas?
>>> 
>>> Thanks!
>>> 
>>> Blake Pfankuch
>>> 
> Vyatta.  They have an appliance on their website.
> 
> --Curtis
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Tue, 5 Jul 2011 00:50:45 -0400
> From: Peter Nowak <pnowak at batblue.com>
> Subject: Re: Firewall Appliance Suggestions
> To: Blake T. Pfankuch <blake at pfankuch.me>
> Cc: "NANOG \(nanog at nanog.org\)" <nanog at nanog.org>
> Message-ID: <1B8D4E1C-BA43-4257-89DA-7D6EBB154927 at batblue.com>
> Content-Type: text/plain;    charset=us-ascii
> 
> They don't have a VM yet - coming soon - but you may take a look at Palo Alto Networks. Having just a regular stateful firewall is not a good idea anymore...
> 
> Peter Nowak
> 
> On Jul 1, 2011, at 12:35 AM, Blake T. Pfankuch wrote:
> 
>> Normally I would agree with you as far as separate instances, however this will be in a situation where we pay ridiculous amounts for cpu and memory, so a single instance is what we are shooting for (remember those ridiculous requirements).  I am planning to do some further testing with vyatta and pfsense.  Thank you all for the on list and off list responses!
>> 
>> -----Original Message-----
>> From: Sargun Dhillon [mailto:sargun at sargun.me] 
>> Sent: Thursday, June 30, 2011 9:56 PM
>> To: George Bonser
>> Cc: Blake T. Pfankuch; NANOG (nanog at nanog.org)
>> Subject: Re: Firewall Appliance Suggestions
>> 
>> 
>> 
>> ----- Original Message -----
>>> From: "George Bonser" <gbonser at seven.com>
>>> To: "Blake T. Pfankuch" <blake at pfankuch.me>, "NANOG (nanog at nanog.org)" 
>>> <nanog at nanog.org>
>>> Sent: Thursday, June 30, 2011 11:30:53 AM
>>> Subject: RE: Firewall Appliance Suggestions
>>> 
>>>> Willing to pay for something if need be, but looking for something 
>>>> that can easily handle 50-100mbit of throughput.
>>>> 
>>>> Any Ideas?
>>>> 
>>>> Thanks!
>>>> 
>>>> Blake Pfankuch
>>> 
>>> 
>>> I might also look at Vyatta.  They have appliances or you can run the 
>>> software on your own hardware.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> I would not go with Vyatta if you're doing anything complex. The number of random bugs I've hit with their software are numerous. In the right hands, it's a powerful tool. And it seems to fit your solution really well. 
>> 
>> If I were in your shoes, I would install two instances that would handle the "edge" of the cluster, and then an instance per customer (lightweight, they sell a VMWare image). Then use dynamic routing to direct traffic to the customer (assign each customer their own ASN, and peer with their instance). So, worst case scenario, the NOC monkey only breaks one customer's gear.
>> 
>> 
>> --
>> Sargun Dhillon
>> VoIP (US): +1-925-235-1105
> 
> Peter Nowak
> Manager, Technical Services
> Bat Blue Corporation | Integrity . Privacy . Availability
> p. 212.461.3322 x3020 | f. 212.584.9999 | w. www.batblue.com
> Bat Blue's AS: 25885 | BGP Policy | Peering Policy
> Bat Blue's Legal Notice
> 
> Receive Bat Blue's DSB Intelligence Report
> 
> Bat Blue is proud to be the Official WiFi Provider for ESPN's X-Games
> 
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> NANOG mailing list
> NANOG at nanog.org
> https://mailman.nanog.org/mailman/listinfo/nanog
> 
> End of NANOG Digest, Vol 42, Issue 5
> ************************************
> 