nanog mailing list archives

Re: Switch with high ACL capacity


From: Tim Jackson <jackson.tim () gmail com>
Date: Tue, 6 Nov 2018 13:51:41 -0600

Juniper QFX10000 (including 100002) supports ~64k ACL entries + FlowSpec

--
Tim

On Tue, Nov 6, 2018 at 1:49 PM Mike Hammett <nanog () ics-il net> wrote:

The intent is to see if I can construct a poor man's DDOS scrubber. There
are low cost systems out there for the detection, but they just trigger
something else to do the work. Obviously there is black hole routing, but
I'm looking for something with a bit more finesse.

If I need to get a switch anyway, might as well try to take advantage of
it for other uses.

-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

----- Original Message -----
From: Lotia, Pratik M <Pratik.Lotia () charter com>
To: Mike Hammett <nanog () ics-il net>, 'nanog list' <nanog () nanog org>
Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
Subject: Re: Switch with high ACL capacity

Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs
and BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they
have a different use case. ACLs cannot be configured using Flowspec
announcements. Flowspec can be loosely explained as 'Routing based on L4
rules' (there's a lot more to it than just L4). I doubt if there is a
Switch which can hold a large number of Flowspec entries.


~Pratik Lotia
“Improvement begins with I.”


On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett" <
nanog-bounces () nanog org on behalf of nanog () ics-il net> wrote:

    I am looking for recommendations as to a 10G or 40G switch that has
the ability to hold a large number of entries in ACLs.

    Preferred if I can get them there via the BGP flow spec, but some sort
of API or even just brute force on the console would be good enough.

    Used or even end of life is fine.

    -----
    Mike Hammett
    Intelligent Computing Solutions
    Midwest Internet Exchange
    The Brothers WISP




