Hi Cha0s,
But the only reason I did that is because my supervisors cannot handle more than 128K routes.
It's so strange, the CCR1036-..+EM can receive 2 full routing tables with no problem. Currently we handle more than 1.600.000 routes in the CCR1036. The only limitation we found on the CCR1036 is the 10Gbps uplink and 10Gbps downlink. If we need more than 10Gbps, we have to use the CCR1072.
In the last 2 months we ordered a CCR1072 to handle more bandwidth and it rebooted a lot; many people see the same issue here:
viewtopic.php?t=122525 (already contacted Mikrotik support and filed an RMA to return the device).
Regarding ACLs, you can do that, but keep in mind that a Nexus is a switch, not a firewall.
We use a switch in front of the CCR1036 to drop by UDP source port only, because most UDP reflection attacks come from the same UDP source ports (53, 161, 389 ...). The CCR1036 can handle it with the raw table, but it takes the CPU to high load and bottlenecks at the bandwidth pipe.
Some attacks come at 20Gbps or 40Gbps and the CCR1036 is limited to a 10Gbps uplink only, so we use the switch to receive the 40Gbps, drop the dirty UDP traffic with an ACL and allow the remaining clean traffic into the CCR1036 (this may include TCP SYN attacks and some other attacks). The rest we let the CCR1036 deal with.
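An added example, not from the post or from Cisco/MikroTik documentation, of the switch-side source-port ACL described above in NX-OS syntax. The resolver address 192.0.2.10 and the interface Ethernet1/1 are placeholders; the exemption for your own recursive resolver is the check to add, since legitimate DNS answers also arrive from source port 53 and a blanket deny would drop them.

```nxos
! Added example: drop the UDP source ports that reflection traffic
! arrives from (53, 161, 389) on the switch, before the CCR1036 sees it.
! 192.0.2.10 (our recursive resolver) and Ethernet1/1 are placeholders.
ip access-list DROP-UDP-REFLECTION
  statistics per-entry
  ! Answers to our own resolver also come from source port 53:
  ! exempt them before the blanket deny or recursion breaks.
  10 permit udp any eq 53 host 192.0.2.10
  ! Blanket drop by source port only, as in the post
  20 deny udp any eq 53 any
  30 deny udp any eq 161 any
  40 deny udp any eq 389 any
  ! Everything else (including TCP SYN floods) goes on to the router
  50 permit ip any any

! Apply inbound on the upstream-facing L2 port; on a routed interface
! this would be "ip access-group DROP-UDP-REFLECTION in" instead.
interface Ethernet1/1
  switchport
  ip port access-group DROP-UDP-REFLECTION in
```

With `statistics per-entry` enabled, `show ip access-lists DROP-UDP-REFLECTION` shows per-rule hit counters, so you can see how much each source port contributes during an attack and confirm the resolver exemption is matching.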