nanog mailing list archives
Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos
From: joel jaeggli <joelja () bogus com>
Date: Sun, 2 Oct 2016 21:59:10 -0700
On 9/30/16 12:42 PM, Pedro wrote:
Hello, I have an idea to put a switch before the BGP router in order to terminate the ISP 10G uplinks on the switch, not the router. The main reason is that it could be some kind of first level of defence against DDoS; the second reason, less important, is to save the cost of router ports and to do many port mirrors.
The distinction on cost of ports is somewhat germane when dealing with things like span ports. Maybe strictly speaking, if the router platform can handle line-rate forwarding at minimum packet size it is just as performant as the switch at both forwarding and probably ACL application (there are of course exceptions). In general these switches have substantially smaller port buffers than a router or high-end L3 switch platform (QFX10k or PTX for example) would have when spanning ports or doing some statistical multiplexing, which can be a liability. A number of us no doubt use layer 2/3 switches as customer aggregation or indeed peering platforms, and suitability for such may depend on the mix of hardware and software features available as well as non-forwarding attributes such as the amount of memory available. I have boxes, for example, that have a full-table RIB but only a default route for non-customer routes; the prospects for getting away with that sort of thing with only 2GB of RAM are growing increasingly dire. So I would say this sort of thing does work, and with some familiarity with the platforms you become more comfortable with their limitations, but it's not automatically the best route, and the additional bump in the forwarding path is not free of costs or complexity.
I am thinking about the N3K-C3064PQ or Juniper EX4500 because they are quite cheap and there are a lot of them on eBay. On the Nexus or Juniper I would like to try to use some features:
- limit UDP, ICMP and BUM packets (bandwidth, pps) at an ingress tagged port or VLAN
- create counters of passed and dropped packets, with the best way to get these counters via SNMP OID, send SNMP traps, syslog etc. in order to monitor, or even as an action shut down the port
- port mirror from many ports/VLANs to multiple ports (other anti-DDoS solutions)
- limited BGP, but with flowspec, to communicate with other anti-DDoS devices
I'm also wondering how the features above impact the CPU / whole switch. Can there be some performance degradation, or are all of these features done in hardware, at wire speed? Which model will be better for this? Thanks for any advice, Pedro
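Pedro's second bullet (policer pass/drop counters polled over SNMP, alert and optionally shut the port) is the part that is platform-independent once the counters are in hand. The following is an added example, not code from this thread or from either vendor: it takes periodically polled (timestamp, passed, dropped) readings, handles a 32-bit counter wrap (a classic failure mode when polling interface or policer counters on older gear), converts the drop delta to packets per second, and applies a sustain count so a single noisy interval raises an alert but only sustained drops escalate to a shutdown decision. The SNMP poll itself, the OIDs, and the sample data are assumptions and are constructed inline; the function only returns the decision, it does not act on the switch.

```python
"""Drop-rate alerting from periodically polled policer counters.

Added example (not from the NANOG thread). Assumptions: counters are polled
at a fixed interval, e.g. via SNMP; the OIDs are platform-specific and are
not modelled here. The sample readings below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Monotonic counters wrap at 2^32 (Counter32) or 2^64 (Counter64).
COUNTER_WRAP = {32: 2**32, 64: 2**64}


@dataclass(frozen=True)
class Sample:
    ts: float      # poll time in seconds
    passed: int    # policer conform counter, monotonic, may wrap
    dropped: int   # policer exceed/drop counter, monotonic, may wrap


def counter_delta(prev: int, curr: int, width: int = 64) -> int:
    """Difference between two counter readings, tolerating exactly one wrap."""
    if width not in COUNTER_WRAP:
        raise ValueError("counter width must be 32 or 64")
    if curr >= prev:
        return curr - prev
    # Counter wrapped between polls: add the modulus back.
    return curr + COUNTER_WRAP[width] - prev


def drop_pps(prev: Sample, curr: Sample, width: int = 64) -> float:
    """Dropped packets per second over the interval between two samples."""
    dt = curr.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return counter_delta(prev.dropped, curr.dropped, width) / dt


def evaluate(samples: List[Sample], threshold_pps: float, sustain: int,
             width: int = 64) -> List[Tuple[float, float, str]]:
    """Return (ts, drop_pps, action) for each polling interval.

    action is 'ok' below the threshold, 'alert' on the first intervals above
    it, and 'shutdown' once the threshold has been exceeded for `sustain`
    consecutive intervals. The counter resets on the first quiet interval.
    """
    out: List[Tuple[float, float, str]] = []
    consecutive_over = 0
    for prev, curr in zip(samples, samples[1:]):
        pps = drop_pps(prev, curr, width)
        if pps > threshold_pps:
            consecutive_over += 1
            action = "shutdown" if consecutive_over >= sustain else "alert"
        else:
            consecutive_over = 0
            action = "ok"
        out.append((curr.ts, pps, action))
    return out


# Constructed 32-bit readings polled every 10 s; the drop counter wraps
# between the second and third poll.
SAMPLES = [
    Sample(0.0, 1_000, 4_294_967_000),
    Sample(10.0, 2_000, 4_294_967_050),   # 50 drops  ->  5.0 pps
    Sample(20.0, 3_000, 200),             # wrapped: 446 drops -> 44.6 pps
    Sample(30.0, 4_000, 1_200),           # 1000 drops -> 100.0 pps
    Sample(40.0, 5_000, 2_200),           # 1000 drops -> 100.0 pps
    Sample(50.0, 6_000, 2_300),           # 100 drops  -> 10.0 pps
]


def demo() -> List[Tuple[float, float, str]]:
    """Evaluate the constructed samples: alert above 40 pps, shut down after 2 intervals."""
    return evaluate(SAMPLES, threshold_pps=40.0, sustain=2, width=32)


if __name__ == "__main__":
    for ts, pps, action in demo():
        print(f"t={ts:5.1f}s  drops={pps:7.1f} pps  {action}")
```

The sustain count is the important design choice: a port shutdown triggered by one polling interval is itself a denial-of-service lever, so the threshold should be crossed for several consecutive intervals before anything more than a syslog or trap is emitted. Without the wrap handling, the third interval would compute a negative delta and silently reset the sustain counter.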