I'd consult the list archive, since there's a couple of recent and fairly lengthy threads on this.
joel

On Jul 5, 2011, at 8:56 AM, chavan sanjay wrote:

> Hi Team,
>
> Can anyone enlighten me on the pros and cons of the MX 80 platform?
>
> Thanks
>
> Sanjay C.P.
>
> --- On Tue, 7/5/11, [email protected] <[email protected]> wrote:
>
> From: [email protected] <[email protected]>
> Subject: NANOG Digest, Vol 42, Issue 5
> To: [email protected]
> Date: Tuesday, July 5, 2011, 5:30 PM
>
> Send NANOG mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mailman.nanog.org/mailman/listinfo/nanog
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of NANOG digest..."
>
> Today's Topics:
>
> 1. cheapo UUFB solution for Cisco 7201 (Rogelio)
> 2. Re: Firewall Appliance Suggestions (Curtis Maurand)
> 3. RE: Firewall Appliance Suggestions (Jean CLERY)
> 4. Re: Firewall Appliance Suggestions (Peter Nowak)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 4 Jul 2011 11:34:11 -0300
> From: Rogelio <[email protected]>
> Subject: cheapo UUFB solution for Cisco 7201
> To: [email protected]
> Message-ID:
> <CALJphbs6UBWKqGVW1EyvCL6pKGtCKjSYNZB=q70fxpoq7d0...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I've got a Cisco 7201 with about 500 L2TPv2 tunnels, and I suspect
> that UUFB (unknown unicast flooding) is resulting in spiking (I put an
> ACL on to kill broadcast traffic, so I'm sure that's not related).
> I've googled and don't see anything for the 7201, just the 7600
> series. :/
>
> i.e.
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/blocking.html
>
> Anyone have any suggestions on (something cheap) that I can put in
> front of this box to spare it from (what I suspect) is a gateway that
> unicast floods when a MAC address has aged?
>
> To add to my challenges, I'm in Brazil and importing gear is insanely
> effing difficult. :/
>
> --
> Also on LinkedIn? Feel free to connect if you too are an open
> networker: [email protected]
>
> ------------------------------
>
> Message: 2
> Date: Mon, 04 Jul 2011 17:40:56 -0400
> From: Curtis Maurand <[email protected]>
> Subject: Re: Firewall Appliance Suggestions
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
>> Linux + iptables + fwbuilder
>>
>> On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch<[email protected]> wrote:
>>> Howdy,
>>> I am looking for something a little unique in a bit of a
>>> tough situation with some sticky requirements. First off, my requirements
>>> are a little weird and I can't bend them a whole lot due to stipulations
>>> being put on me. I am in need of a firewall appliance which can be run on
>>> VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within
>>> a single Phase 1. I am also in need of something that can support VLAN
>>> interfaces on the LAN side, and ideally something with multi zoning so I
>>> can keep LAN side networks separate from each other without ridiculous
>>> firewall rules. Meaning build a zone for "Customer network 1" and it
>>> displays separately (ease of management and firewall config hopefully).
>>> I need a minimum of 10 "zones" on the LAN side (/29 or /30), and NAT
>>> support for LAN to WAN (to dedicate all outbound connections to a single
>>> IP from a specific zone), ideally something extremely scalable (100-200
>>> zones). And here is the super fun part! I need something that is going
>>> to be web managed primarily as minions will be doing most of the day to
>>> day maintenance, or very simple CLI config. Willing to pay for something
>>> if need be, but looking for something that can easily handle 50-100mbit
>>> of throughput.
>>>
>>> Any Ideas?
>>>
>>> Thanks!
>>>
>>> Blake Pfankuch
>>>
> Vyatta. They have an appliance on their website.
>
> --Curtis
>
> ------------------------------
>
> Message: 3
> Date: Tue, 5 Jul 2011 00:58:51 +0200
> From: "Jean CLERY" <[email protected]>
> Subject: RE: Firewall Appliance Suggestions
> To: "'Curtis Maurand'" <[email protected]>, <[email protected]>
> Message-ID: <F7819E52D830406983C30BC43FAD7E3D@ezekiel>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Blake
> Try www.netasq.com
>
> Regards,
> Jean CLERY
>
> -----Original Message-----
> From: Curtis Maurand [mailto:[email protected]]
> Sent: Monday, 4 July 2011 23:41
> To: [email protected]
> Subject: Re: Firewall Appliance Suggestions
>
> On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:
>> Linux + iptables + fwbuilder
>>
>> On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch<[email protected]> wrote:
>>> Howdy,
>>> I am looking for something a little unique in a bit of a
>>> tough situation with some sticky requirements. First off, my requirements
>>> are a little weird and I can't bend them a whole lot due to stipulations
>>> being put on me. I am in need of a firewall appliance which can be run on
>>> VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within
>>> a single Phase 1. I am also in need of something that can support VLAN
>>> interfaces on the LAN side, and ideally something with multi zoning so I
>>> can keep LAN side networks separate from each other without ridiculous
>>> firewall rules. Meaning build a zone for "Customer network 1" and it
>>> displays separately (ease of management and firewall config hopefully).
>>> I need a minimum of 10 "zones" on the LAN side (/29 or /30), and NAT
>>> support for LAN to WAN (to dedicate all outbound connections to a single
>>> IP from a specific zone), ideally something extremely scalable (100-200
>>> zones). And here is the super fun part! I need something that is going
>>> to be web managed primarily as minions will be doing most of the day to
>>> day maintenance, or very simple CLI config. Willing to pay for something
>>> if need be, but looking for something that can easily handle 50-100mbit
>>> of throughput.
>>>
>>> Any Ideas?
>>>
>>> Thanks!
>>>
>>> Blake Pfankuch
>>>
> Vyatta. They have an appliance on their website.
>
> --Curtis
>
> ------------------------------
>
> Message: 4
> Date: Tue, 5 Jul 2011 00:50:45 -0400
> From: Peter Nowak <[email protected]>
> Subject: Re: Firewall Appliance Suggestions
> To: Blake T. Pfankuch <[email protected]>
> Cc: "NANOG \([email protected]\)" <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> They don't have a VM yet - coming soon - but you may take a look at Palo Alto
> Networks. Having just a regular stateful firewall is not a good idea
> anymore...
>
> Peter Nowak
>
> On Jul 1, 2011, at 12:35 AM, Blake T. Pfankuch wrote:
>
>> Normally I would agree with you as far as separate instances, however this
>> will be in a situation where we pay ridiculous amounts for cpu and memory,
>> so a single instance is what we are shooting for (remember those ridiculous
>> requirements). I am planning to do some further testing with vyatta and
>> pfsense. Thank you all for the on list and off list responses!
>>
>> -----Original Message-----
>> From: Sargun Dhillon [mailto:[email protected]]
>> Sent: Thursday, June 30, 2011 9:56 PM
>> To: George Bonser
>> Cc: Blake T. Pfankuch; NANOG ([email protected])
>> Subject: Re: Firewall Appliance Suggestions
>>
>> ----- Original Message -----
>>> From: "George Bonser" <[email protected]>
>>> To: "Blake T. Pfankuch" <[email protected]>, "NANOG ([email protected])"
>>> <[email protected]>
>>> Sent: Thursday, June 30, 2011 11:30:53 AM
>>> Subject: RE: Firewall Appliance Suggestions
>>>
>>>> Willing to pay for something if need be, but looking for something
>>>> that can easily handle 50-100mbit of throughput.
>>>>
>>>> Any Ideas?
>>>>
>>>> Thanks!
>>>>
>>>> Blake Pfankuch
>>>
>>> I might also look at Vyatta. They have appliances or you can run the
>>> software on your own hardware.
>>>
>>
>> I would not go with Vyatta if you're doing anything complex. The number of
>> random bugs I've hit with their software is numerous. In the right hands,
>> it's a powerful tool. And it seems to fit your solution really well.
>>
>> If I were in your shoes, I would install two instances that would handle the
>> "edge" of the cluster, and then an instance per customer (lightweight, they
>> sell a VMWare image). Then use dynamic routing to direct traffic to the
>> customer (assign each customer their own ASN, and peer with their instance).
>> So, worst case scenario, the NOC monkey only breaks one customer's gear.
>>
>> --
>> Sargun Dhillon
>> VoIP (US): +1-925-235-1105
>
> Peter Nowak
> Manager, Technical Services
> Bat Blue Corporation | Integrity . Privacy . Availability
> p. 212.461.3322 x3020 | f. 212.584.9999 | w. www.batblue.com
> Bat Blue's AS: 25885 | BGP Policy | Peering Policy
> Bat Blue's Legal Notice
>
> Receive Bat Blue's DSB Intelligence Report
>
> Bat Blue is proud to be the Official WiFi Provider for ESPN's X-Games
>
> ------------------------------
>
> _______________________________________________
> NANOG mailing list
> [email protected]
> https://mailman.nanog.org/mailman/listinfo/nanog
>
> End of NANOG Digest, Vol 42, Issue 5
> ************************************
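The zoning requirement in Blake's message above (one VLAN sub-interface per customer zone, zones kept apart from each other, and all of a zone's outbound traffic NATed to one dedicated WAN address) is exactly the shape of ruleset the "Linux + iptables" suggestion implies. What follows is an added example, not code from this thread or from Vyatta, pfSense, NetASQ or any other product named in it: a POSIX shell generator that turns a small zone table into an iptables/iproute2 script with a per-zone chain, default-deny forwarding, and per-zone SNAT. The interface names (eth0, eth1), VLAN IDs, prefixes and SNAT addresses are assumptions invented for the example, as is the zone table itself; the IPsec part of the requirement (several phase-2 SAs under one phase 1) is not covered here.

```shell
#!/bin/sh
# Added example: generate a zoned iptables ruleset from a zone table.
# Not taken from the thread; interface names, VLAN IDs, prefixes and
# addresses below are assumptions made up for illustration.

WAN_IF="eth0"   # assumed WAN-facing interface
LAN_IF="eth1"   # assumed 802.1Q trunk carrying the customer VLANs

# Constructed zone table (one line per zone):
#   name  vlan_id  lan_prefix     dedicated_wan_snat_ip
ZONES='
cust1 101 10.10.1.0/29 198.51.100.11
cust2 102 10.10.2.0/29 198.51.100.12
cust3 103 10.10.3.0/30 198.51.100.13
'

# zone_rules NAME VLAN PREFIX SNAT_IP
# Emits the rules for one zone: a VLAN sub-interface, a per-zone chain
# (so each customer's policy stays readable on its own), forwarding that
# only ever ACCEPTs traffic headed out the WAN, and SNAT of that zone's
# prefix to its own WAN address. Anything aimed at another zone falls
# through to the chain's DROP, which is what keeps the zones apart.
zone_rules() {
    name=$1; vlan=$2; prefix=$3; snat=$4
    sub="${LAN_IF}.${vlan}"
    cat <<EOF
# --- zone $name (VLAN $vlan, $prefix -> $snat) ---
ip link add link $LAN_IF name $sub type vlan id $vlan
ip link set $sub up
iptables -N zone_$name
iptables -A FORWARD -i $sub -s $prefix -j zone_$name
iptables -A zone_$name -o $WAN_IF -j ACCEPT
iptables -A zone_$name -j DROP
iptables -t nat -A POSTROUTING -s $prefix -o $WAN_IF -j SNAT --to-source $snat
EOF
}

# ruleset prints the complete script: the global FORWARD policy and the
# conntrack rules first (return traffic must be accepted before the
# per-zone dispatch), then one block per zone from the table.
ruleset() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    printf '%s\n' "$ZONES" | while read -r name vlan prefix snat; do
        [ -n "$name" ] && zone_rules "$name" "$vlan" "$prefix" "$snat"
    done
}

# zone_count: number of zone chains the generated script defines.
zone_count() {
    ruleset | grep -c '^iptables -N zone_'
}

# snat_for PREFIX: the WAN address a given zone prefix is NATed to.
snat_for() {
    ruleset | sed -n "s|^iptables -t nat -A POSTROUTING -s $1 .*--to-source ||p"
}
```

Run `ruleset` and read the output before piping it to sh on the firewall; adding a customer is one more line in the zone table, which is the property that makes the 100-200 zone case manageable. The per-zone chain is also where a zone-specific exception (a management host allowed in from the WAN, say) would go without touching any other customer's rules.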

