On 09/26/17 06:29, marcel.duregards--- via NANOG wrote:
> Dear Nanoger,
> Anyone have advice on CPE which can support the following features,
> please:
I've been building cpe devices using various models from
http://www.lannerinc.com.
I populate with Debian Linux. I use pxeboot to autoboot into install
mode with dnsmasq providing deb-install preseed build files. On the
auto reboot after o/s install, I finish up with consistent, documented
builds with SaltStack. This provides the necessary customized
switching, routing, security, and monitoring.
Raymond Burkholder
https://blog.raymond.burkholder.net
441 705 7292
> 1)
> 1 Gigabits/s ipv4 or ipv6 forwarding IMIX or Internet traffic, full
> duplex (not sure if Cisco or Miercom are conducting bidirectional
> traffic flows at the same time).
With an FW-7543, I can iperf bidirectional 1gbps with no acl. I can get
strongswan ipsec bidirectional at about 50mbps (the cpu has AES-NI). I
haven't tried ipsec on devices like the FW-7573.
> 2)
> with ACLs and with uRPF
> with prefix filtering
> with bgp ext-communities (rfc 8092 would be a ++, but not mandatory)
I can customize configs with various combinations of VRRP,
FreeRangeRouting BGP/OSPF (full routes are no problem), nftables for
ACL, lldpd, hostapd for wireless, openvswitch for bridging
requirements/netflow/sflow ...
The Linux kernel supplies uRPF. FreeRangeRouting (a fork of Quagga) can
do prefix filtering, ext-communities, etc. They have even recently
implemented EVPN using VxLAN for encapsulation.
> 3)
> with BGP full route, 1 eBGP session + 1 iBGP (--> multihomed, single
> attached solution, so there are 2 CPE connected to 2 bgp transit)
I've used the FW-7543 in pairs to a customer for this: a management
port, a port between the two, an upstream port, and a downstream port.
> 4)
> vrf light and
> SNMP + telnet/ssh with ACLs
Linux kernel has VRF capabilities, or use namespaces or native
containers for segregation of functions or for implementing virtual
functions.
> Currently on Cisco side, we see the following candidates:
> - ASR 1001-x
> - ASR 1002
> - ISR 4431, 4451
> - ISR G2 2921 + 2951 + 3925(E) (EoL soon, so we are currently in the
> process of evaluating other solutions).
> But we would like also to include other manufacturers: Juniper, MikroTik,
> etc.
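
Added example (not part of the original message or of either poster's
configuration): a small nftables ruleset covering the uRPF and
SNMP/ssh-with-ACLs items discussed above. The interface names (wan0,
mgmt0), the management prefixes and the eBGP peer address are assumptions
taken from documentation ranges. The kernel's rp_filter sysctl covers
IPv4 only; the fib expression used here checks both IPv4 and IPv6.

```nftables
#!/usr/sbin/nft -f
# Assumed names: wan0 = upstream port, mgmt0 = management port.
# Assumed addresses: documentation ranges, replace with real ones.

# Idempotent reload: create the table if missing, then start clean.
table inet cpe
delete table inet cpe

table inet cpe {
    set mgmt_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }
    set mgmt_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:100::/64 }
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Strict uRPF: drop if the route back to the source address does
        # not leave through the interface the packet arrived on.
        # Omitting ". iif" relaxes this to loose mode (any route suffices).
        iifname "wan0" fib saddr . iif oif missing counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # ICMP/ICMPv6 (neighbour discovery, PMTU) must keep working.
        meta l4proto { icmp, ipv6-icmp } accept
        # eBGP session from the assumed upstream peer only.
        iifname "wan0" ip saddr 198.51.100.1 tcp dport 179 accept
        # ssh and SNMP only from management stations on the mgmt port.
        iifname "mgmt0" ip saddr @mgmt_v4 tcp dport 22 accept
        iifname "mgmt0" ip6 saddr @mgmt_v6 tcp dport 22 accept
        iifname "mgmt0" ip saddr @mgmt_v4 udp dport 161 counter accept
        iifname "mgmt0" ip6 saddr @mgmt_v6 udp dport 161 counter accept
    }
}
```

In the two-CPE multihomed layout described in the thread, strict mode on
wan0 will drop return traffic whose best route points at the other CPE,
so check the counter on the uRPF rule before enforcing it on asymmetric paths.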