MX 80 advantages and shortcomings
Hi Team,

Can anyone enlighten me on the pros and cons of MX 80 platform

Thanks
Sanjay C.P.

--- On Tue, 7/5/11, nanog-requ...@nanog.org nanog-requ...@nanog.org wrote:

From: nanog-requ...@nanog.org nanog-requ...@nanog.org
Subject: NANOG Digest, Vol 42, Issue 5
To: nanog@nanog.org
Date: Tuesday, July 5, 2011, 5:30 PM

Send NANOG mailing list submissions to
nanog@nanog.org

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.nanog.org/mailman/listinfo/nanog
or, via email, send a message with subject or body 'help' to
nanog-requ...@nanog.org

You can reach the person managing the list at
nanog-ow...@nanog.org

When replying, please edit your Subject line so it is more specific than Re: Contents of NANOG digest...

Today's Topics:

1. cheapo UUFB solution for Cisco 7201 (Rogelio)
2. Re: Firewall Appliance Suggestions (Curtis Maurand)
3. RE: Firewall Appliance Suggestions (Jean CLERY)
4. Re: Firewall Appliance Suggestions (Peter Nowak)

--

Message: 1
Date: Mon, 4 Jul 2011 11:34:11 -0300
From: Rogelio scubac...@gmail.com
Subject: cheapo UUFB solution for Cisco 7201
To: nanog@nanog.org
Message-ID: CALJphbs6UBWKqGVW1EyvCL6pKGtCKjSYNZB=q70fxpoq7d0...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

I've got a Cisco 7201 with about 500 L2TPv2 tunnels, and I suspect that UUFB (unknown unicast flooding) is resulting in spiking (I put an ACL on to kill broadcast traffic, so I'm sure that's not related).

I've googled and don't see anything for the 7201, just the 7600 series. :/

i.e. http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/blocking.html

Anyone have any suggestions on (something cheap) that I can put in front of this box to spare it from (what I suspect) is a gateway that unicast floods when a MAC address has aged?

To add to my challenges, I'm in Brazil and importing gear is insanely effing difficult. :/

--
Also on LinkedIn? Feel free to connect if you too are an open networker: scubac...@gmail.com

--

Message: 2
Date: Mon, 04 Jul 2011 17:40:56 -0400
From: Curtis Maurand cmaur...@xyonet.com
Subject: Re: Firewall Appliance Suggestions
To: nanog@nanog.org
Message-ID: 4e123368.7020...@xyonet.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
> Linux + iptables + fwbuilder
>
> On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch bl...@pfankuch.me wrote:
>> Howdy, I am looking for something a little unique in a bit of a tough situation with some sticky requirements. First off, my requirements are a little weird and I can't bend them a whole lot due to stipulations being put on me. I am in need of a firewall appliance which can be run on VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within a single Phase 1. I am also in need of something that can support VLAN interfaces on the LAN side, and ideally something with multi zoning so I can keep LAN side networks separate from each without ridiculous firewall rules. Meaning build a zone for Customer network 1 and it displays separately (ease of management and firewall config hopefully). I need a minimum of 10 zones on LAN side (/29 or /30), and NAT support for LAN to WAN (to dedicate all outbound connections to a single IP from a specific zone), ideally something extremely scalable (100-200 zones). And here is the super fun part! I need something that is going to be web managed primarily as minions will be doing most of the day to day maintenance, or very simple CLI config. Willing to pay for something if need be, but looking for something that can easily handle 50-100mbit of throughput. Any Ideas? Thanks!
>> Blake Pfankuch

Vyatta. They have an appliance on their website.

--Curtis

--

Message: 3
Date: Tue, 5 Jul 2011 00:58:51 +0200
From: Jean CLERY jean.clery...@gmail.com
Subject: RE: Firewall Appliance Suggestions
To: 'Curtis Maurand' cmaur...@xyonet.com, nanog@nanog.org
Message-ID: F7819E52D830406983C30BC43FAD7E3D@ezekiel
Content-Type: text/plain; charset=iso-8859-1

Hi Blake

Try www.netasq.com

Regards,
Jean CLERY

-----Original Message-----
From: Curtis Maurand [mailto:cmaur...@xyonet.com]
Sent: Monday, 4 July 2011 23:41
To: nanog@nanog.org
Subject: Re: Firewall Appliance Suggestions

On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
> Linux + iptables + fwbuilder
>
> On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch bl...@pfankuch.me wrote:
>> Howdy, I am looking for something a little unique in a bit of a tough situation with some sticky requirements. First off, my requirements are a little weird and I can't bend them a whole lot due to stipulations being put on me. I am in need of a firewall appliance which can be run on VMware vSphere, with IPSEC support for multiple Phase 2
Re: MX 80 advantages and shortcomings
> Can anyone enlighten me on the pros and cons of MX 80 platform

There's been quite a bit of discussion about the MX80 on the juniper-nsp list, and I recommend asking on that list instead (if you don't find what you already need in the list archives).

As a general rule, people are more likely to be able to help you if you specify *what* you might want to use the MX80 for.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: MX 80 advantages and shortcomings
Pros - small footprint, cost, feature rich
Cons - no redundancy (other than power), 1/3rd the processor power

Paul

On Tue, 5 Jul 2011, chavan sanjay wrote:
> Hi Team,
> Can anyone enlighten me on the pros and cons of MX 80 platform
> Thanks
> Sanjay C.P.
Re: MX 80 advantages and shortcomings
I'd consult the list archive, since there's a couple recent and fairly lengthy threads on this.

joel

On Jul 5, 2011, at 8:56 AM, chavan sanjay wrote:
> Hi Team,
> Can anyone enlighten me on the pros and cons of MX 80 platform
> Thanks
> Sanjay C.P.
Re: MX 80 advantages and shortcomings
On Tue, Jul 05, 2011 at 12:48:45PM -0400, Paul Stewart wrote:
> Pros - small footprint, cost, feature rich
> Cons - no redundancy (other than power), 1/3rd the processor power

cons - being a different CPU architecture from its bigger cousins, features tend to not appear at the same time on MX80 as the others.