Re: Router Recommendations

[Tom Beecher via NANOG <nanog () lists nanog org>]

> If any box is on the public Internet without management plane protection,
> you're going to be compromised. Sure, some may be faster than others, but
> that doesn't excuse you from rudimentary protections.


If you can't do control plane protection on a device, you should yeet it
into the sun, even on an internal network.  Lateral movement is a thing.

On Mon, Feb 9, 2026 at 1:57 PM Mike Hammett via NANOG <nanog () lists nanog org>
wrote:

> I'd consider that a bad-faith argument.
>
> "What if there is no control/management plane protection to the device?"
>
> If any box is on the public Internet without management plane protection,
> you're going to be compromised. Sure, some may be faster than others, but
> that doesn't excuse you from rudimentary protections.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ----- Original Message -----
> From: "Barry Greene" <bgreene () senki org>
> To: "North American Network Operators Group" <nanog () lists nanog org>
> Cc: "Mike Hammett" <nanog () ics-il net>
> Sent: Monday, February 9, 2026 12:53:14 PM
> Subject: Re: Router Recommendations
>
> Hi Mike,
>
> Where are your security requirements? What is the worth of a router today
> if you put an v6 ACL on it and you drop all your packets to the punt path?
> What if you cannot get Netflow/IPFIX/sFlow running at a sample rate with
> export that does not blogged down the control/management plane? What if
> there is no control/management plane protection to the device?
>
> Remember, the are a whole class of threat actors that LOVE Mikrotik’s
> success. It gives them more boxes to ‘own' and use with minimal operational
> impact to the operator.
>
> Barry
>
> > On Feb 10, 2026, at 06:10, Mike Hammett via NANOG <nanog () lists nanog org>
> wrote:
> > I'm looking for new BGP routers. I'm currently running Mikrotik, which
> has served me well so far, but looking at interface speed, count, FIB size,
> etc. and they just aren't going to cut it.
> > I'm looking for:
> > • Has at least 6x 100G ports
> > • Has a smattering of 10G/25G ports
> > • Has meaningful packet buffers
> > • Routes in hardware at least 2m routes combined of IPv4 and IPv6, more
> is better
> > • Has reasonably low power usage, I don't need 1 kw going to a router
> > • Is cost-effective
> > • Used is fine
> >
> >
> > I like how the MX301 looks, but it's way more than I'd want to spend,
> primarily because there really isn't a used market for them yet.
> > Arista and Cisco NCS are close, but to check all of the boxes, you're up
> to about $15k - $20k. To get to $5k or less, you're compromising on at
> least two of the things I'm looking for.
> > EdgeCore and UfiSpace may have some models that are in the $5k - $8k
> range, once you purchase OcNOS.
> > I'd have no problem with the EdgeCore and UfiSpace direction, but I
> wanted to make sure I wasn't leaving anything out of consideration.
> > -----
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> > Midwest-IX
> > http://www.midwest-ix.com
> >
> > _______________________________________________
> > NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/ANH4UUU6K3CMCSWSBHAALWTYLHK32OGG/
>
>
>
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/UW2FQIME6LQJU5PAOWC3AGWSEYO4USK4/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/5SPTR43TICE2H4VBEE2MSMDRGJYQNPJD/