Eric Louie via cisco-nsp wrote on 22/02/2023 18:29:
Mark, thanks.  We were quoted an MX304 for the Internet edge from
Juniper.  How has your experience been with it?  Are you 10G upstream
and downstream?  Any IPS on the 10G connection?

Eric,

you're mixing up DFZ routing capability with traffic inspection. If you need IPS functionality on top of exterior routing capability, then you need to get a router for routing and a firewall for the stateful content inspection. If you want DDoS protection, then you need to think about how you want to approach this, e.g. upstream blackholing, DDoS mitigation service with GRE return path, or dropping traffic on the box using uRPF (but that only gets you as much DDoS sinking capacity as the sum of your upstreams, so you'd need to question whether this was a useful approach).

NCS-5501 is an OK platform if you stay within its limitations. Lots of good use cases, but it's not really suitable for DFZ functionality.

I'd concur with Mark's recommendation of Juniper MX204 as a 10G edge routing platform. MX304 is overkill for this application. The equivalent Cisco box for this market segment is the ASR9902, which is not cost competitive to the MX204.

Nick
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/