nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

Mike Hammett nanog at
Sat Oct 1 14:24:22 UTC 2016

I like putting a switch in front so then I can run two routers behind and get a /29 from the upstream. I can then do router maintenance, upgrades, etc. without taking the circuit down. 

Mike Hammett 
Intelligent Computing Solutions 


----- Original Message -----

From: "Pedro" <piotr.1234 at> 
To: nanog at 
Sent: Friday, September 30, 2016 2:42:37 PM 
Subject: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos 


I have some idea to put switch before bgp router in order to terminate 
isp 10G uplinks on switch, not router. Main reason is that could be some 
kind of 1st level of defence against ddos, second reason, less 
important, save cost of router ports, do many port mirrors. 

I think about N3K-C3064PQ or Juniper ex4500 because there are quite 
cheap and a lot of on Ebay. 

I would like on nexus or juniper try use some feature: 

- limit udp, icmp, bum packets (bandwith,pps) at ingress tagged port or 
- create counters: passed and dropped packets, best way to get this 
counters via snmp oid, sent snmp traps, syslog etc in order to monitor 
or even as a action shut down port 
- port mirror from many ports/vlans to multiple port (other anty ddos 
- limited bgp but with flowspec to comunicate with another anty ddos 

I'm also wondering how this feature above impact on cpu/whole switch. It 
can be some performance degradation ot all of this feature are done in 
hardware, with wirespeeed ? Which model will better to do this ? 

Thanks for any advice, 

Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast. 

More information about the NANOG mailing list