Mx204 alternative

Denys Fedoryshchenko nuclearcat at nuclearcat.com
Mon Sep 2 13:23:46 UTC 2019


On 2019-09-02 15:52, Baldur Norddahl wrote:
> 
> Maturity is such a subjective word. But yes there are plenty of
> options for routing protocols on a Linux. Every internet exchange is
> running BGP on Linux for the route server after all.
> 
> I am not recommending a server over MX204. I think MX204 is brilliant.
> It is one of the cheapest options and if that is not cheap enough,
> THEN the server solution is probably what you may be looking for.
> 
> You can move a lot of traffic even with an old leftover server.
> Especially if you are not concerned with moving 64 bytes DDoS at line
> speed, because likely you would be down anyway in that case.
> 
> As to the OPEX I would claim there are small shops that would have an
> easier time with a server, because they know how to do that. They
> would have only one or two routers and learning how to run JUNOS just
> for that might never happen. It all depends on what workforce you
> have. Network people or server guys?
> 
> Regards
> 
> Baldur

I think that such types of DDoS are much easier to solve on a server
with XDP/eBPF than on an MX.
And much cheaper if we are talking about the new SYN+ACK DDoS, and it is
exactly the 64B DDoS case. I used multiple 82599.

From the snabbco discussion, issue #1013: "If you read Intel datasheets then
the minimum packet rate they are guaranteeing is 64B for 10G (82599),
128B for 40G (XL710), and 256B for 100G (FM10K)."

But "hardware", ASIC-enabled routers such as the MX might not be better and
may even need some tuning.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB33477&actp=METADATA
"On summit MX204 and MX10003 platforms, the line rate frame size is 119 
byte for 10/40GbE port and 95 byte for 100GbE port."
Or some QFX; for example, Broadcom Tomahawk 32x100G switches only do
line-rate with >= 250B packets according to datasheets.
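
The line-rate frame sizes quoted in this message, turned into packet-rate ceilings (an added example, not part of the original message). It assumes each port is limited by a fixed packet rate equal to its rate at the quoted frame size, and counts 20 bytes of preamble, SFD and inter-frame gap per frame; the function names are made up for the example.

```python
# Added example: packet-rate ceilings implied by the line-rate frame sizes quoted above.
ETH_OVERHEAD = 20  # bytes on the wire per frame: 7 preamble + 1 SFD + 12 inter-frame gap


def line_rate_pps(link_bps, frame_bytes):
    """Frames per second needed to fill a link with frames of this size (FCS included)."""
    return link_bps / ((frame_bytes + ETH_OVERHEAD) * 8)


def share_of_small_frame_flood(link_bps, line_rate_frame, flood_frame=64):
    """Fraction of a full-link flood of flood_frame-byte packets that a port forwards.

    ASSUMPTION: the port is bounded by a fixed packet rate, namely the rate it
    reaches at line_rate_frame, the smallest frame it forwards at line rate.
    """
    ceiling = line_rate_pps(link_bps, line_rate_frame)
    offered = line_rate_pps(link_bps, flood_frame)
    return min(1.0, ceiling / offered)


# (label, link speed in bit/s, smallest line-rate frame in bytes), as quoted in the message
QUOTED = [
    ("82599 10G", 10e9, 64),
    ("XL710 40G", 40e9, 128),
    ("FM10K 100G", 100e9, 256),
    ("MX204/MX10003 10GbE", 10e9, 119),
    ("MX204/MX10003 40GbE", 40e9, 119),
    ("MX204/MX10003 100GbE", 100e9, 95),
    ("Tomahawk 100G", 100e9, 250),
]


def report():
    """Return (label, ceiling in Mpps, forwarded share of a 64B flood) per quoted port."""
    return [
        (label, line_rate_pps(bps, frame) / 1e6, share_of_small_frame_flood(bps, frame))
        for label, bps, frame in QUOTED
    ]


if __name__ == "__main__":
    for label, mpps, share in report():
        print(f"{label:22s} ceiling {mpps:7.2f} Mpps, forwards {share:5.1%} of a 64B flood")
```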
