Switch with high ACL capacity

Tim Jackson jackson.tim at gmail.com
Tue Nov 6 19:51:41 UTC 2018

Juniper QFX10000 (including 100002) supports ~64k ACL entries + FlowSpec


On Tue, Nov 6, 2018 at 1:49 PM Mike Hammett <nanog at ics-il.net> wrote:

> The intent is to see if I can construct a poor man's DDOS scrubber. There
> are low cost systems out there for the detection, but they just trigger
> something else to do the work. Obviously there is black hole routing, but
> I'm looking for something with a bit more finesse.
> If I need to get a switch anyway, might as well try to take advantage of
> it for other uses.
> -----
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
> ----- Original Message -----
> From: Lotia, Pratik M <Pratik.Lotia at charter.com>
> To: Mike Hammett <nanog at ics-il.net>, 'nanog list' <nanog at nanog.org>
> Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
> Subject: Re: Switch with high ACL capacity
> Mike,
> Can you shed some light on the use case? Looks like you are confusing ACLs
> and BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they
> have a different use case. ACLs cannot be configured using Flowspec
> announcements. Flowspec can be loosely explained as 'Routing based on L4
> rules' (there's a lot more to it than just L4). I doubt if there is a
> Switch which can hold a large number of Flowspec entries.
> ~Pratik Lotia
> “Improvement begins with I.”
> On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett" <
> nanog-bounces at nanog.org on behalf of nanog at ics-il.net> wrote:
>     I am looking for recommendations as to a 10G or 40G switch that has
> the ability to hold a large number of entries in ACLs.
>     Preferred if I can get them there via the BGP flow spec, but some sort
> of API or even just brute force on the console would be good enough.
>     Used or even end of life is fine.
>     -----
>     Mike Hammett
>     Intelligent Computing Solutions
>     Midwest Internet Exchange
>     The Brothers WISP