RE: Switch with high ACL capacity

2018-11-06 Thread Mike Hammett
Nov 2018 14:04:36 -0600 (CST) Subject: RE: Switch with high ACL capacity I would see if you can get your upstream providers to apply rules to a dedicated interface upstream (drop NTP, memcache, LDAP, rate limit SSDP), and connect that to your switch, which would announce the /32’s or /128’s to

RE: Switch with high ACL capacity

2018-11-06 Thread Mike Hammett
t: Tuesday, November 06, 2018 13:47 To: Lotia, Pratik M Cc: 'nanog list' Subject: Re: Switch with high ACL capacity The intent is to see if I can construct a poor man's DDOS scrubber. There are low cost systems out there for the detection, but they just trigger something else to do

RE: Switch with high ACL capacity

2018-11-06 Thread Mike Hammett
: 'nanog list' Sent: Tue, 06 Nov 2018 13:52:38 -0600 (CST) Subject: RE: Switch with high ACL capacity Mike, Are you sure you have enough inbound capacity to set up such a thing? Do you have RTBH set up for the final means of killing the attack? If you could get another set of circuits to

RE: Switch with high ACL capacity

2018-11-06 Thread Ryan Hamel
. | Dedicated Servers, Colocation, Cloud From: NANOG On Behalf Of Tim Jackson Sent: Tuesday, November 06, 2018 11:52 AM To: na...@ics-il.net Cc: nanog list Subject: Re: Switch with high ACL capacity Juniper QFX1(including 12) supports ~64k ACL entries + FlowSpec -- Tim On Tue, Nov 6, 2018 at

RE: Switch with high ACL capacity

2018-11-06 Thread Ryan Hamel
Behalf Of Mike Hammett Sent: Tuesday, November 06, 2018 11:47 AM To: Lotia, Pratik M Cc: 'nanog list' Subject: Re: Switch with high ACL capacity The intent is to see if I can construct a poor man's DDOS scrubber. There are low cost systems out there for the detection, but they j

Re: Switch with high ACL capacity

2018-11-06 Thread Tim Jackson
lutions Midwest Internet > Exchange The Brothers WISP > > - Original Message - > From: Lotia, Pratik M > To: Mike Hammett , 'nanog list' > Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST) > Subject: Re: Switch with high ACL capacity > > Mike, > > Can

Re: Switch with high ACL capacity

2018-11-06 Thread Mike Hammett
-0600 (CST) Subject: Re: Switch with high ACL capacity Mike, Can you shed some light on the use case? Looks like you are confusing ACLs and BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a different use case. ACLs cannot be configured using Flowspec announcemen

Re: Switch with high ACL capacity

2018-11-06 Thread Lotia, Pratik M
Mike, Can you shed some light on the use case? Looks like you are confusing ACLs and BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a different use case. ACLs cannot be configured using Flowspec announcements. Flowspec can be loosely explained as 'Routing based on