[c-nsp] Internet border router recommendations and experiences
Nick Hilliard
nick at foobar.org
Wed Feb 22 14:47:43 EST 2023
Eric Louie via cisco-nsp wrote on 22/02/2023 18:29:
> Mark, thanks. We were quoted a MX304 for the Internet edge from
> Juniper. How has your experience been with it? Are you 10G upstream
> and downstream? Any IPS on the 10G connection?
Eric,
you're mixing up DFZ routing capability with traffic inspection. If you
need IPS functionality on top of exterior routing capability, then you
need to get a router for routing and a firewall for the stateful content
inspection. If you want DDOS protection, then you need to think about
how you want to approach this, e.g. upstream blackholing, DDOS
mitigation service with GRE return path, or dropping traffic on the box
using urpf (but that only gets you as much DDOS sinking capacity as the
sum of your upstreams, so you'd need to question whether this was a
useful approach).
NCS-5501 is an ok platform if you stay within its limitations. Lots of
good use cases, but it's not really suitable for dfz functionality.
I'd concur with Mark's recommendation of Juniper MX204 as a 10G edge
routing platform. MX304 is overkill for this application. The equivalent
Cisco box for this market segment is the ASR9902, which is not cost
competitive to the MX204.
Nick
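To make the difference between "dropping traffic on the box" and "upstream blackholing" concrete, here is a Cisco IOS configuration sketch of both. It is an added illustration, not a configuration from the thread or from any of the posters; the AS numbers, the addresses (all from documentation ranges), the interface name and the assumption that the upstream honours the RFC 7999 BLACKHOLE community (65535:666) are all made up for the example.

```ios
! Added example, not from the thread. AS 64496 / 64500, 192.0.2.0/24,
! 198.51.100.0/24 and 203.0.113.0/24 are documentation values; the
! interface name and the upstream's community policy are assumptions.
!
! --- Option A: drop on the box (loose-mode uRPF + discard route) ---
! A discard route for the blackhole next-hop. With loose uRPF, any packet
! whose source resolves to Null0 is dropped at line rate on ingress. The
! packet has already crossed the upstream link, so total sink capacity is
! bounded by the sum of the upstream link speeds, which is Nick's caveat.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface TenGigabitEthernet0/0/0
 description upstream-A (10G)
 ip verify unicast source reachable-via any
!
! --- Option B: remote-triggered blackhole announced to the upstream ---
! The operator injects a tagged /32 for the victim host during an attack.
ip route 198.51.100.42 255.255.255.255 Null0 tag 666
!
! Only tagged statics are exported; they carry BLACKHOLE (65535:666) so
! the provider discards the traffic before it reaches our 10G links, and
! no-export so the /32 does not propagate beyond the upstream's AS.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community 65535:666 no-export additive
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 description upstream-A
 neighbor 203.0.113.1 send-community
 redistribute static route-map RTBH-TRIGGER
```

Option A costs nothing beyond the router's own forwarding capacity and works against spoofed-source floods as well, but it cannot save a saturated 10G circuit; option B does, at the price of blackholing the victim address entirely, so it only makes sense for a host you can afford to take offline for the duration. Before relying on B, confirm with the upstream which community they actually act on and whether they require the /32 to fall inside your announced aggregate.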