Re: MX 80 advantages and shortcomings

[Paul Stewart <paul () paulstewart org>]

Pros - small footprint, cost, feature rich
Cons - no redundancy (other than power), 1/3rd the processor power

Paul


On Tue, 5 Jul 2011, chavan sanjay wrote:

> Hi Team,
>  
> Can anyone enlighten me on the pros and cons of MX 80 platform
>  
> Thanks
>
> Sanjay C.P.
>
> --- On Tue, 7/5/11, nanog-request () nanog org <nanog-request () nanog org> wrote:
>
>
> From: nanog-request () nanog org <nanog-request () nanog org>
> Subject: NANOG Digest, Vol 42, Issue 5
> To: nanog () nanog org
> Date: Tuesday, July 5, 2011, 5:30 PM
>
>
> Send NANOG mailing list submissions to
>     nanog () nanog org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://mailman.nanog.org/mailman/listinfo/nanog
> or, via email, send a message with subject or body 'help' to
>     nanog-request () nanog org
>
> You can reach the person managing the list at
>     nanog-owner () nanog org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of NANOG digest..."
>
>
> Today's Topics:
>
>    1. cheapo UUFB solution for Cisco 7201 (Rogelio)
>    2. Re: Firewall Appliance Suggestions (Curtis Maurand)
>    3. RE: Firewall Appliance Suggestions (Jean CLERY)
>    4. Re: Firewall Appliance Suggestions (Peter Nowak)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 4 Jul 2011 11:34:11 -0300
> From: Rogelio <scubacuda () gmail com>
> Subject: cheapo UUFB solution for Cisco 7201
> To: nanog () nanog org
> Message-ID:
>     <CALJphbs6UBWKqGVW1EyvCL6pKGtCKjSYNZB=q70FxPOQ7D0CHA () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I've got a Cisco 7201 with about 500 L2TPv2 tunnels, and I suspect
> that UUFB (unknown unicast flooding) is resulting in spiking (I put an
> ACL on to kill broadcast traffic, so I'm sure that's not related).
> I've googled and don't see anything for the 7201, just the 7600
> series.  :/
>
> i.e. http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/blocking.html
>
> Anyone have any suggestions on (something cheap) that I can put in
> front of this box to spare it from (what I suspect) is a gateway that
> unicast floods when a MAC address has aged?
>
> To add to my challenges, I'm in Brazil and importing gear is insanely
> effing difficult.  :/
>
> --
> Also on LinkedIn?  Feel free to connect if you too are an open
> networker: scubacuda () gmail com
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 04 Jul 2011 17:40:56 -0400
> From: Curtis Maurand <cmaurand () xyonet com>
> Subject: Re: Firewall Appliance Suggestions
> To: nanog () nanog org
> Message-ID: <4E123368.7020602 () xyonet com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
> > Linux + iptables + fwbuilder
> >
> >
> >
> > On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch<blake () pfankuch me>  wrote:
> > > Howdy,
> > >                  I am looking for something a little unique in a bit of a tough situation with some sticky requirements.  First off, my 
> > > requirements are a little weird and I can't bend them a whole lot due to stipulations being put on me.  I am in need a firewall appliance 
> > > which can be run on VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within a single Phase 1.  I am also in need of 
> > > something that can support VLAN interfaces on the LAN side, and ideally something with multi zoning so I can keep LAN side networks separate 
> > > from each without ridiculous firewall rules.  Meaning build a zone for "Customer network 1" and it displays separately (ease of 
> > > management and firewall config hopefully).  I need a minimum of 10 "zones" on LAN side (/29 or /30), and NAT support for LAN to WAN 
> > > (to dedicate all outbound connections to a single IP from a specific zone), ideally something extremely scalable (100-200 zones).  And here
> is the super fun part!  I need something that is going to be web managed primarily as minions will be doing most of the 
> day to day maintenance, or very simple CLI config.  Willing to pay for something if need be, but looking for something 
> that can easily handly 50-100mbit of throughput.
> > > Any Ideas?
> > >
> > > Thanks!
> > >
> > > Blake Pfankuch
> Vyatta.  They have an appliance on their website.
>
> --Curtis
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 5 Jul 2011 00:58:51 +0200
> From: "Jean CLERY" <jean.clerymrs () gmail com>
> Subject: RE: Firewall Appliance Suggestions
> To: "'Curtis Maurand'" <cmaurand () xyonet com>,    <nanog () nanog org>
> Message-ID: <F7819E52D830406983C30BC43FAD7E3D@ezekiel>
> Content-Type: text/plain;    charset="iso-8859-1"
>
> Hi Blake
> Try www.netasq.com
>
> Regards,
> Jean CLERY
>
>
> -----Message d'origine-----
> De?: Curtis Maurand [mailto:cmaurand () xyonet com]
> Envoy??: lundi 4 juillet 2011 23:41
> ??: nanog () nanog org
> Objet?: Re: Firewall Appliance Suggestions
>
> On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
> > Linux + iptables + fwbuilder
> >
> >
> >
> > On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch<blake () pfankuch me>
> wrote:
> > > Howdy,
> > >                  I am looking for something a little unique in a bit of a
> tough situation with some sticky requirements.  First off, my requirements
> are a little weird and I can't bend them a whole lot due to stipulations
> being put on me.  I am in need a firewall appliance which can be run on
> VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within
> a single Phase 1.  I am also in need of something that can support VLAN
> interfaces on the LAN side, and ideally something with multi zoning so I can
> keep LAN side networks separate from each without ridiculous firewall rules.
> Meaning build a zone for "Customer network 1" and it displays separately
> (ease of management and firewall config hopefully).  I need a minimum of 10
> "zones" on LAN side (/29 or /30), and NAT support for LAN to WAN (to
> dedicate all outbound connections to a single IP from a specific zone),
> ideally something extremely scalable (100-200 zones).  And here is the super
> fun part!  I need something that is going to be web managed primarily as
> minions will be doing most of the day to day maintenance, or very simple CLI
> config.  Willing to pay for something if need be, but looking for something
> that can easily handly 50-100mbit of throughput.
> > > Any Ideas?
> > >
> > > Thanks!
> > >
> > > Blake Pfankuch
> Vyatta.  They have an appliance on their website.
>
> --Curtis
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 5 Jul 2011 00:50:45 -0400
> From: Peter Nowak <pnowak () batblue com>
> Subject: Re: Firewall Appliance Suggestions
> To: Blake T. Pfankuch <blake () pfankuch me>
> Cc: "NANOG \(nanog () nanog org\)" <nanog () nanog org>
> Message-ID: <1B8D4E1C-BA43-4257-89DA-7D6EBB154927 () batblue com>
> Content-Type: text/plain;    charset=us-ascii
>
> They don't have a VM yet - coming soon - but you may take a look at Palo Alto Networks. Having just a regular stateful 
> firewall is not a good idea anymore...
>
> Peter Nowak
>
> On Jul 1, 2011, at 12:35 AM, Blake T. Pfankuch wrote:
>
> > Normally I would agree with you as far as separate instances, however this will be in a situation where we pay 
> > ridiculous amounts for cpu and memory, so a single instance is what we are shooting for (remember those ridiculous 
> > requirements).  I am planning to do some further testing with vyatta and pfsense.  Thanks you all for the on list and 
> > off list responses!
> >
> > -----Original Message-----
> > From: Sargun Dhillon [mailto:sargun () sargun me]
> > Sent: Thursday, June 30, 2011 9:56 PM
> > To: George Bonser
> > Cc: Blake T. Pfankuch; NANOG (nanog () nanog org)
> > Subject: Re: Firewall Appliance Suggestions
> >
> >
> >
> > ----- Original Message -----
> > > From: "George Bonser" <gbonser () seven com>
> > > To: "Blake T. Pfankuch" <blake () pfankuch me>, "NANOG (nanog () nanog org)"
> > > <nanog () nanog org>
> > > Sent: Thursday, June 30, 2011 11:30:53 AM
> > > Subject: RE: Firewall Appliance Suggestions
> > >
> > > > Willing to pay for something if need be, but looking for something
> > > > that can easily handly 50-100mbit of throughput.
> > > >
> > > > Any Ideas?
> > > >
> > > > Thanks!
> > > >
> > > > Blake Pfankuch
> > >
> > >
> > > I might also look at Vyatta.  They have appliances or you can run the
> > > software on your own hardware.
> >
> > I would not go with Vyatta if you're doing anything complex. The number of random bugs I've hit with their software are 
> > numerous. In the right hands, it's a powerful tool. And it seems to fit your solution really well.
> >
> > If I were in your shoes, I would install two instances that would handle the "edge" of the cluster, and then an instance per 
> > customer (lightweight, they sell a VMWare image). Then use dynamic routing to direct traffic to the customer (assign each customer 
> > their own ASN, and peer with their instance). So, worse case scenario, the NOC monkey only breaks one customer's gear.
> >
> >
> > --
> > Sargun Dhillon
> > VoIP (US): +1-925-235-1105
>
> Peter Nowak
> Manager, Technical Services
> Bat Blue Corporation | Integrity . Privacy . Availability
> p. 212.461.3322 x3020 | f. 212.584.9999 | w. www.batblue.com
> Bat Blue's AS: 25885 | BGP Policy | Peering Policy
> Bat Blue's Legal Notice
>
> Receive Bat Blue's DSB Intelligence Report
>
> Bat Blue is proud to be the Official WiFi Provider for ESPN's X-Games
>
>
>
>
> ------------------------------
>
> _______________________________________________
> NANOG mailing list
> NANOG () nanog org
> https://mailman.nanog.org/mailman/listinfo/nanog
>
> End of NANOG Digest, Vol 42, Issue 5
> ************************************