Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-02 Thread joel jaeggli
On 9/30/16 12:42 PM, Pedro wrote:
> 
> Hello,
> 
> I have an idea to put a switch before the BGP router in order to terminate
> ISP 10G uplinks on the switch, not the router. The main reason is that it
> could be some kind of first level of defence against DDoS; the second reason,
> less important, is to save the cost of router ports and do many port mirrors.

The distinction on cost of ports is somewhat germane when dealing with
things like span ports. Maybe, strictly speaking, if the router platform
can handle line-rate forwarding at minimum packet size, it is just as
performant as the switch at both forwarding and probably ACL application
(there are of course exceptions). In general these switches have
substantially smaller port buffers than a router or high-end L3 switch
platform (QFX10k or PTX, for example) would have when spanning ports or
doing some statistical multiplexing, which can be a liability.

A number of us no doubt use layer 2/3 switches as customer aggregation or
indeed peering platforms, and suitability for such may depend on the mix
of hardware and software features available as well as non-forwarding
attributes such as the amount of memory available. I have boxes, for
example, that have a full-table RIB but only a default route for
non-customer routes. The prospects for getting away with that sort of
thing with only 2GB of RAM are growing increasingly dire.

So I would say this sort of thing does work, and with some familiarity with
the platforms you become more comfortable with their limitations, but
it's not automatically the best route, and the additional bump in the
forwarding path is not free of costs or complexity.

> I am thinking about the N3K-C3064PQ or Juniper EX4500 because they are quite
> cheap and there are a lot of them on eBay.
> 
> I would like to try to use some features on the Nexus or Juniper:
> 
> -  limit UDP, ICMP, BUM packets (bandwidth, pps) at ingress tagged port or
> VLAN
> -  create counters: passed and dropped packets; best way to get these
> counters via SNMP OID, send SNMP traps, syslog etc. in order to monitor
> or even as an action shut down the port
> -  port mirror from many ports/VLANs to multiple ports (other anti-DDoS
> solutions)
> -  limited BGP but with flowspec to communicate with other anti-DDoS
> devices
> 
> I'm also wondering how the features above impact the CPU/whole switch. Can
> there be some performance degradation, or are all of these features done in
> hardware, at wire speed? Which model will be better for this?
> 
> Thanks for any advice,
> Pedro
> 
> ---
> This message was checked for viruses by Avast antivirus software.
> https://www.avast.com/antivirus
> 
> 






Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread James Jun
On Sat, Oct 01, 2016 at 06:17:42PM +0300, Saku Ytti wrote:
> On 1 October 2016 at 18:12, James Jun wrote:
> 
> > We also want support contracts from our vendors.  EOL boxes get removed 
> > from support availability within a few years of the announcement.
> 
> Support, particularly software maintenance, is indeed the key deadline;
> after that you're on your own. For EX this would be 2019 or 2021
> depending on model. If that fits your amortisation times, then it's
> fine. You may get more out of it, but you can't build a business case on
> it.

Yup, exactly.  There are things to keep around from the used market for unimportant 
stuff (OOB etc.), but software maintenance support on a production box is key.

James


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Saku Ytti
On 1 October 2016 at 18:12, James Jun wrote:

> We also want support contracts from our vendors.  EOL boxes get removed from 
> support availability within a few years of the announcement.

Support, particularly software maintenance, is indeed the key deadline;
after that you're on your own. For EX this would be 2019 or 2021
depending on model. If that fits your amortisation times, then it's
fine. You may get more out of it, but you can't build a business case on
it.

-- 
  ++ytti


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Josh Reynolds
Again, keep doing that :P

Be sure to eBay it for a reasonable price when you are done!

On Oct 1, 2016 10:12 AM, "James Jun" wrote:

> On Sat, Oct 01, 2016 at 09:22:32AM -0500, Mike Hammett wrote:
> > Better power performance, newer features, higher capacities sure are all
> great reasons to get newer hardware. EOL isn't. Don't too many of you adopt
> that strategy, though. I still want my source of cheap EOL hardware. :-)
>
> We also want support contracts from our vendors.  EOL boxes get removed
> from support availability within a few years of the announcement.
>
> James
>


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread James Jun
On Sat, Oct 01, 2016 at 09:22:32AM -0500, Mike Hammett wrote:
> Better power performance, newer features, higher capacities sure are all 
> great reasons to get newer hardware. EOL isn't. Don't too many of you adopt 
> that strategy, though. I still want my source of cheap EOL hardware. :-) 

We also want support contracts from our vendors.  EOL boxes get removed from 
support availability within a few years of the announcement.

James


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Mike Hammett
I like putting a switch in front so then I can run two routers behind and get a 
/29 from the upstream. I can then do router maintenance, upgrades, etc. without 
taking the circuit down. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Pedro" <piotr.1...@interia.pl> 
To: nanog@nanog.org 
Sent: Friday, September 30, 2016 2:42:37 PM 
Subject: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos 


Hello, 

I have an idea to put a switch before the BGP router in order to terminate 
ISP 10G uplinks on the switch, not the router. The main reason is that it could 
be some kind of first level of defence against DDoS; the second reason, less 
important, is to save the cost of router ports and do many port mirrors. 

I am thinking about the N3K-C3064PQ or Juniper EX4500 because they are quite 
cheap and there are a lot of them on eBay. 

I would like to try to use some features on the Nexus or Juniper: 

- limit UDP, ICMP, BUM packets (bandwidth, pps) at ingress tagged port or 
VLAN 
- create counters: passed and dropped packets; best way to get these 
counters via SNMP OID, send SNMP traps, syslog etc. in order to monitor 
or even as an action shut down the port 
- port mirror from many ports/VLANs to multiple ports (other anti-DDoS 
solutions) 
- limited BGP but with flowspec to communicate with other anti-DDoS 
devices 

I'm also wondering how the features above impact the CPU/whole switch. Can 
there be some performance degradation, or are all of these features done in 
hardware, at wire speed? Which model will be better for this? 

Thanks for any advice, 
Pedro 





Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Mike Hammett
That sort of thing has never bothered me much. If the platform is so great, 
surely it'll last more than a few years. What's the MTBF on these things? 
Decades? 

Better power performance, newer features, higher capacities sure are all great 
reasons to get newer hardware. EOL isn't. Don't too many of you adopt that 
strategy, though. I still want my source of cheap EOL hardware. :-) 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Matt Freitag" <mlfre...@mtu.edu> 
To: "Saku Ytti" <s...@ytti.fi> 
Cc: "nanog list" <nanog@nanog.org> 
Sent: Friday, September 30, 2016 3:50:25 PM 
Subject: Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against 
ddos 

Pedro, 

Please also keep in mind that the Juniper EX4500 is an end of life product. 
Soon you won't be able to get Juniper to support you. That's why there are 
so many for so cheap on eBay. 

Matt Freitag 
Network Engineer I 
Information Technology 
Michigan Technological University 
(906) 487-3696 
https://www.mtu.edu/ 
https://www.it.mtu.edu/ 

On Fri, Sep 30, 2016 at 4:06 PM, Saku Ytti <s...@ytti.fi> wrote: 

> On 30 September 2016 at 22:42, Pedro <piotr.1...@interia.pl> wrote: 
> 
> Hey Pedro, 
> 
> > I have an idea to put a switch before the BGP router in order to terminate 
> > ISP 10G uplinks on the switch, not the router. The main reason is that it 
> > could be some kind of first level of defence against DDoS; the second 
> > reason, less important, is to save the cost of router ports and do many 
> > port mirrors. 
> 
> I don't understand your rationale, unless your router is a software box, 
> but as it has a 10G interface, probably not. 
> Your router should be able to limit packets in HW, likely with better 
> counter and filtering options than a cheap switch. 
> 
> -- 
> ++ytti 
> 



Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Saku Ytti
On 1 October 2016 at 10:03, Pedro wrote:
> We had situations where we lost all our BGP sessions, not only on the ports
> where the flood was coming in. The CPU was just overloaded. I don't care about
> support too much; they are cheap enough to have a spare.

What is the device you're trying to protect? Perhaps it supports
reasonable CoPP features so that you can protect it directly on
itself. To do this CoPP on a neighbouring switch, you'll need a unique
policer for each and every BGP session and ARP; your switch may not
support this, and it is a provisioning nightmare.

-- 
  ++ytti
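The policer arithmetic behind both Pedro's ingress limits (UDP, ICMP and BUM by pps, with pass/drop counters) and Saku's point that control-plane protection on a neighbouring switch needs one policer per BGP session, as an added example that is not code from the thread or from either vendor: a token-bucket policer with pass/drop counters, applied per traffic class and then to TCP/179 either per neighbor or through one shared bucket. The packet stream, the addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges), and the rates and burst sizes are constructed; timestamps are in microseconds and tokens are integer-scaled so the results are exact.

```python
"""Token-bucket policers with pass/drop counters (added example, constructed data)."""
from dataclasses import dataclass

SCALE = 1_000_000                    # units per token: keeps the maths in exact integers
BROADCAST = "ff:ff:ff:ff:ff:ff"
BGP_PORT = 179


@dataclass
class Packet:
    ts: int                          # arrival time in microseconds
    proto: str                       # "udp", "icmp" or "tcp"
    src: str                         # source IP, keys the per-neighbor BGP policers
    dport: int = 0
    dst_mac: str = "00:00:5e:00:53:01"   # unicast unless overridden


class TokenBucket:
    """Packet-rate policer: refills `rate` tokens per second up to `burst`."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = burst * SCALE
        self.last = 0
        self.passed = self.dropped = 0

    def offer(self, ts: int) -> bool:
        # microseconds * packets/second == SCALE-scaled tokens, capped at the burst
        self.tokens = min(self.burst * SCALE, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= SCALE:
            self.tokens -= SCALE
            self.passed += 1
            return True
        self.dropped += 1
        return False


def classify(pkt: Packet) -> str:
    """Traffic class: BUM by the group bit of the destination MAC, BGP by port 179."""
    if int(pkt.dst_mac.split(":")[0], 16) & 1:
        return "bum"
    if pkt.proto == "tcp" and pkt.dport == BGP_PORT:
        return "bgp"
    return pkt.proto


class IngressPolicer:
    """One policer per data-plane class, and BGP policed either per neighbor
    (what CoPP needs) or through one shared bucket (what a coarse ACL gives)."""

    def __init__(self, class_rates: dict, bgp_rate: tuple, per_neighbor: bool):
        self.classes = {c: TokenBucket(*rb) for c, rb in class_rates.items()}
        self.bgp_rate, self.per_neighbor = bgp_rate, per_neighbor
        self.bgp = {}          # bucket per neighbor, or a single "all" bucket
        self.per_nbr = {}      # passed/dropped per neighbor, whichever layout is used

    def process(self, pkts):
        for p in sorted(pkts, key=lambda x: x.ts):       # policers need time order
            cls = classify(p)
            if cls == "bgp":
                key = p.src if self.per_neighbor else "all"
                bucket = self.bgp.setdefault(key, TokenBucket(*self.bgp_rate))
            else:
                bucket = self.classes.get(cls)
                if bucket is None:                           # unpoliced class: forward
                    continue
            ok = bucket.offer(p.ts)
            if cls == "bgp":
                self.per_nbr.setdefault(p.src, [0, 0])[0 if ok else 1] += 1

    def counters(self) -> dict:
        """(passed, dropped) per policer: the numbers you would export via SNMP."""
        out = {c: (b.passed, b.dropped) for c, b in self.classes.items()}
        out.update({f"bgp:{k}": (b.passed, b.dropped) for k, b in self.bgp.items()})
        out.update({f"nbr:{k}": tuple(v) for k, v in self.per_nbr.items()})
        return out


def constructed_traffic() -> list:
    """Constructed sample, not a capture: a UDP flood, ICMP at a sane rate, a
    broadcast storm, a TCP/179 flood from neighbor A, keepalives from neighbor B."""
    pkts = [Packet(i * 1_000, "udp", "203.0.113.9", dport=53) for i in range(1000)]
    pkts += [Packet(j * 100_000, "icmp", "203.0.113.10") for j in range(10)]
    pkts += [Packet(i * 2_000, "udp", "203.0.113.11", dst_mac=BROADCAST) for i in range(100)]
    pkts += [Packet(i * 1_000, "tcp", "198.51.100.1", dport=BGP_PORT) for i in range(500)]
    pkts += [Packet(j * 50_000 + 500, "tcp", "198.51.100.2", dport=BGP_PORT) for j in range(10)]
    return pkts


def run_demo(per_neighbor: bool) -> dict:
    pol = IngressPolicer(
        class_rates={"udp": (100, 50), "icmp": (10, 5), "bum": (100, 10)},   # (pps, burst)
        bgp_rate=(50, 20),
        per_neighbor=per_neighbor,
    )
    pol.process(constructed_traffic())
    return pol.counters()


if __name__ == "__main__":
    for mode in (True, False):
        print("per-neighbor BGP policers" if mode else "one shared BGP policer")
        for name, (ok, drop) in sorted(run_demo(mode).items()):
            print(f"  {name:20s} passed={ok:4d} dropped={drop:4d}")
```

Run it and compare the two BGP layouts: with per-neighbor buckets, neighbor B's ten keepalives all pass while neighbor A's flood is cut to roughly burst plus rate times duration; with one shared bucket the same flood starves B down to a single packet, which is the failure mode Saku describes. The class counters are the pass/drop numbers Pedro wants to poll or trap on; the ICMP class, offered below its rate, is untouched.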


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Pedro


We had situations where we lost all our BGP sessions, not only on the
ports where the flood was coming in. The CPU was just overloaded. I don't
care about support too much; they are cheap enough to have a spare. The
software is mature with known bugs, so I assume that this risk is accepted.
The bigger problem for me is the technical details of the features which I
described in my first post. Most of these features I tested on the Trident2
chipset Extreme 670; it works, but with problems and some limits. Now I have
to change vendor. I'm really wondering what I can get from the N3K-C3064PQ;
it's also built on Trident2 AFAIK.

thanks for answers,
Pedro


On 2016-09-30 at 22:50, Matt Freitag wrote:

Pedro,

Please also keep in mind that the Juniper EX4500 is an end of life
product. Soon you won't be able to get Juniper to support you. That's
why there are so many for so cheap on eBay.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696 
https://www.mtu.edu/
https://www.it.mtu.edu/


On Fri, Sep 30, 2016 at 4:06 PM, Saku Ytti wrote:

On 30 September 2016 at 22:42, Pedro wrote:

Hey Pedro,

> I have an idea to put a switch before the BGP router in order to terminate
> ISP 10G uplinks on the switch, not the router. The main reason is that it
> could be some kind of first level of defence against DDoS; the second
> reason, less important, is to save the cost of router ports and do many
> port mirrors.

I don't understand your rationale, unless your router is a software box,
but as it has a 10G interface, probably not.
Your router should be able to limit packets in HW, likely with better
counter and filtering options than a cheap switch.

--
  ++ytti








Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-09-30 Thread Matt Freitag
Pedro,

Please also keep in mind that the Juniper EX4500 is an end of life product.
Soon you won't be able to get Juniper to support you. That's why there are
so many for so cheap on eBay.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Fri, Sep 30, 2016 at 4:06 PM, Saku Ytti wrote:

> On 30 September 2016 at 22:42, Pedro wrote:
>
> Hey Pedro,
>
> > I have an idea to put a switch before the BGP router in order to terminate
> > ISP 10G uplinks on the switch, not the router. The main reason is that it
> > could be some kind of first level of defence against DDoS; the second
> > reason, less important, is to save the cost of router ports and do many
> > port mirrors.
>
> I don't understand your rationale, unless your router is a software box,
> but as it has a 10G interface, probably not.
> Your router should be able to limit packets in HW, likely with better
> counter and filtering options than a cheap switch.
>
> --
>   ++ytti
>


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-09-30 Thread Saku Ytti
On 30 September 2016 at 22:42, Pedro wrote:

Hey Pedro,

> I have an idea to put a switch before the BGP router in order to terminate
> ISP 10G uplinks on the switch, not the router. The main reason is that it
> could be some kind of first level of defence against DDoS; the second reason,
> less important, is to save the cost of router ports and do many port mirrors.

I don't understand your rationale, unless your router is a software box,
but as it has a 10G interface, probably not.
Your router should be able to limit packets in HW, likely with better
counter and filtering options than a cheap switch.

-- 
  ++ytti


nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-09-30 Thread Pedro


Hello,

I have an idea to put a switch before the BGP router in order to terminate
ISP 10G uplinks on the switch, not the router. The main reason is that it
could be some kind of first level of defence against DDoS; the second reason,
less important, is to save the cost of router ports and do many port mirrors.

I am thinking about the N3K-C3064PQ or Juniper EX4500 because they are quite
cheap and there are a lot of them on eBay.

I would like to try to use some features on the Nexus or Juniper:

-  limit UDP, ICMP, BUM packets (bandwidth, pps) at ingress tagged port or
VLAN
-  create counters: passed and dropped packets; best way to get these
counters via SNMP OID, send SNMP traps, syslog etc. in order to monitor
or even as an action shut down the port
-  port mirror from many ports/VLANs to multiple ports (other anti-DDoS
solutions)
-  limited BGP but with flowspec to communicate with other anti-DDoS
devices

I'm also wondering how the features above impact the CPU/whole switch. Can
there be some performance degradation, or are all of these features done in
hardware, at wire speed? Which model will be better for this?

Thanks for any advice,
Pedro

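Pedro's last bullet, a limited BGP speaker that exchanges flowspec with other anti-DDoS devices, comes down to announcing a Flow Specification NLRI plus a traffic-rate action. The following is an added example, not code from the thread or from either vendor, that encodes and decodes the RFC 5575 wire format for the common case: destination prefix, IP protocol, and a list of destination ports matched with the "==" operator, with the traffic-rate extended community (rate 0 means discard). The victim prefix 192.0.2.0/24, the ports and AS 64496 are constructed documentation values; the decoder handles IPv4 and the equality operator only, which is what a rate-limit or discard rule from a scrubbing controller normally uses.

```python
"""RFC 5575 flowspec NLRI and traffic-rate encoder/decoder (added example)."""
import ipaddress
import struct

# RFC 5575 component types (must appear in ascending order inside an NLRI)
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT = 1, 2, 3, 5
NAMES = {DST_PREFIX: "dst", SRC_PREFIX: "src", IP_PROTO: "proto", DST_PORT: "dport"}
OP_END, OP_EQ = 0x80, 0x01          # end-of-list bit, "==" comparison bit
SIZE_BITS = {1: 0b00, 2: 0b01, 4: 0b10, 8: 0b11}   # operand length field


def _prefix(kind: int, cidr: str) -> bytes:
    net = ipaddress.IPv4Network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8        # only the significant octets are sent
    return bytes([kind, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric(kind: int, values: list) -> bytes:
    """'field == v1 OR v2 ...': one operator/value pair per value, last has end bit."""
    out = bytes([kind])
    for i, v in enumerate(values):
        size = 1 if v < 0x100 else 2
        op = OP_EQ | (SIZE_BITS[size] << 4)
        if i == len(values) - 1:
            op |= OP_END
        out += bytes([op]) + v.to_bytes(size, "big")
    return out


def encode_nlri(dst=None, src=None, proto=None, dports=None) -> bytes:
    body = b""
    if dst:
        body += _prefix(DST_PREFIX, dst)
    if src:
        body += _prefix(SRC_PREFIX, src)
    if proto is not None:
        body += _numeric(IP_PROTO, [proto])
    if dports:
        body += _numeric(DST_PORT, list(dports))
    # length is one octet below 240, otherwise two octets with the high nibble set
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def traffic_rate(asn: int, bytes_per_sec: float) -> bytes:
    """traffic-rate extended community (type 0x80, sub-type 0x06); 0 means discard."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, bytes_per_sec)


def decode_nlri(data: bytes):
    """Parse one flowspec NLRI back into a dict; handles the '==' operator only."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack(">H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end = pos + length
    rule = {}
    while pos < end:
        kind = data[pos]
        pos += 1
        if kind in (DST_PREFIX, SRC_PREFIX):
            plen = data[pos]
            nbytes = (plen + 7) // 8
            addr = ipaddress.IPv4Address(data[pos + 1:pos + 1 + nbytes].ljust(4, b"\0"))
            rule[NAMES[kind]] = f"{addr}/{plen}"
            pos += 1 + nbytes
        else:
            values = []
            while True:
                op = data[pos]
                size = 1 << ((op >> 4) & 0b11)
                values.append(int.from_bytes(data[pos + 1:pos + 1 + size], "big"))
                pos += 1 + size
                if op & OP_END:
                    break
            rule[NAMES.get(kind, f"type{kind}")] = values
    return rule, end


def decode_traffic_rate(ec: bytes):
    kind, sub, asn, rate = struct.unpack(">BBHf", ec)
    if (kind, sub) != (0x80, 0x06):
        raise ValueError("not a traffic-rate extended community")
    return asn, rate


def mitigation(victim: str, proto: int, dports, asn: int, bytes_per_sec: float) -> dict:
    """What a scrubbing controller would hand to its BGP speaker for one rule."""
    return {"nlri": encode_nlri(dst=victim, proto=proto, dports=dports).hex(),
            "ext_community": traffic_rate(asn, bytes_per_sec).hex()}


if __name__ == "__main__":
    # constructed: rate-limit UDP/53 and UDP/123 toward 192.0.2.0/24 to 1 MB/s, AS 64496
    rule = mitigation("192.0.2.0/24", 17, [53, 123], 64496, 1_000_000.0)
    print(rule)
    print(decode_nlri(bytes.fromhex(rule["nlri"])))
    print(decode_traffic_rate(bytes.fromhex(rule["ext_community"])))
```

The bytes this produces are what an anti-DDoS appliance sends in the MP_REACH_NLRI of an UPDATE for AFI 1 / SAFI 133; the speaker on the switch or router side installs the match as a filter and the traffic-rate as a policer or discard. Two things to verify before relying on it operationally: that the receiving platform actually installs flowspec in hardware rather than punting it, and that a validation policy limits which prefixes a given peer may announce rules for, since an unfiltered flowspec session is an unfiltered remote ACL.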