[c-nsp] nexus N3K-C3064PQ as 1st level protection against ddos ?

Romain Boissat rboissat at lv0.in
Sat Oct 1 07:08:44 EDT 2016


Hello Pedro,

2016-10-01 9:21 GMT+02:00 Pedro <piotr.1234 at interia.pl>:

> Hello,
>
> I have an idea to put a switch in front of the BGP router in order to terminate the ISP
> 10G uplinks on the switch, not the router. The main reason is that it could be some kind of
> 1st level of defence against DDoS; the second reason, less important, is to save the cost
> of router ports.
>
> Is it possible to use these features?
>
> -  limit udp, icmp (bandwidth, pps) at ingress port or vlan
>

See my point below concerning Infrastructure ACL.


> -  create counters: passed and dropped packets; best way to get these
> counters via SNMP OID
>

SNMP can be great for this; you could also consider sFlow if the hardware
supports it.


> -  port mirror from many ports/vlans to multiple ports (other anti-DDoS
> solutions)
>

Look for sFlow support :)


> -  limited BGP, but with flowspec to communicate with other anti-DDoS
> devices
>

One can also think about implementing iACL (infrastructure ACL) in order to
protect the infrastructure directly from the border to scrub undesired
traffic as soon as possible.


> I'm also wondering how the features above impact the CPU/whole switch. Can
> there be some performance degradation, or are all of these features done in
> hardware, at wire speed?
>

It should be processed at the ASIC level, so you should be okay performance-wise.
Mind the TCAM usage though; you may need to use "hardware profile tcam
region" to optimize according to your needs.

Cheers,

-- 
Romain Boissat
chroot-me.in
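As an added illustration of the iACL, ingress policing and counter suggestions made in this reply (example configuration written for this page, not posted by either participant and not taken from Cisco documentation): the interface name, the RFC 5737 documentation prefixes standing in for the ISP peer and the infrastructure range, and the policer rates are placeholders, and the exact command syntax and TCAM region names must be verified against the NX-OS release running on the N3K-C3064PQ before use.

```text
! Added example, not from the thread. Interface names, prefixes (RFC 5737
! ranges) and rates are placeholders; verify syntax on your NX-OS release.

! 1. Infrastructure ACL: only what must reach the infrastructure addresses
!    (192.0.2.0/24 assumed to be the router/loopback range) is allowed;
!    "statistics per-entry" gives per-line hit counters for passed/dropped
!    packets that can be read from the CLI or polled over SNMP.
ip access-list IACL-IN
  statistics per-entry
  10 permit tcp 198.51.100.0/24 192.0.2.0/24 eq bgp
  20 permit tcp 198.51.100.0/24 eq bgp 192.0.2.0/24
  30 permit icmp any 192.0.2.0/24 echo
  40 deny ip any 192.0.2.0/24
  50 permit ip any any

! 2. Classify UDP and ICMP and police them on ingress. The policer runs in
!    the forwarding ASIC, so the switch CPU is not involved.
ip access-list UDP-ICMP
  10 permit udp any any
  20 permit icmp any any
class-map type qos match-all CM-UDP-ICMP
  match access-group name UDP-ICMP
policy-map type qos PM-UPLINK-IN
  class CM-UDP-ICMP
    police cir 200 mbps bc 2 mbytes conform transmit violate drop
  class class-default

! 3. Apply both on the ISP uplink (assumed L3 port Ethernet1/49; on an L2
!    trunk use "ip port access-group IACL-IN in" instead).
interface Ethernet1/49
  description ISP uplink (10G)
  ip access-group IACL-IN in
  service-policy type qos input PM-UPLINK-IN

! 4. Read the counters; the per-entry match counts are what an SNMP poller
!    would collect.
show ip access-lists IACL-IN
show policy-map interface ethernet 1/49 type qos

! 5. If the ACL does not fit, inspect the TCAM carve-up and re-size regions
!    with "hardware profile tcam region <region> <size>" (takes effect after
!    a reload on the releases I know of; region names are platform-specific).
show hardware profile tcam region
```

The ordering matters: the iACL is evaluated on every ingress packet, so keep it short and put the BGP and ICMP permits before the broad deny, and watch the per-entry counters on line 40 to confirm that what gets dropped is really unwanted traffic rather than a neighbour or monitoring source you forgot to permit.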
