nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos
nanog at ics-il.net
Sat Oct 1 14:24:22 UTC 2016
I like putting a switch in front so then I can run two routers behind and get a /29 from the upstream. I can then do router maintenance, upgrades, etc. without taking the circuit down.
Intelligent Computing Solutions
----- Original Message -----
From: "Pedro" <piotr.1234 at interia.pl>
To: nanog at nanog.org
Sent: Friday, September 30, 2016 2:42:37 PM
Subject: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos
I have some idea to put switch before bgp router in order to terminate
isp 10G uplinks on switch, not router. Main reason is that could be some
kind of 1st level of defence against ddos, second reason, less
important, save cost of router ports, do many port mirrors.
I think about N3K-C3064PQ or Juniper ex4500 because there are quite
cheap and a lot of on Ebay.
I would like on nexus or juniper try use some feature:
- limit udp, icmp, bum packets (bandwith,pps) at ingress tagged port or
- create counters: passed and dropped packets, best way to get this
counters via snmp oid, sent snmp traps, syslog etc in order to monitor
or even as a action shut down port
- port mirror from many ports/vlans to multiple port (other anty ddos
- limited bgp but with flowspec to comunicate with another anty ddos
I'm also wondering how this feature above impact on cpu/whole switch. It
can be some performance degradation ot all of this feature are done in
hardware, with wirespeeed ? Which model will better to do this ?
Thanks for any advice,
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast.
More information about the NANOG