itvietnam
just joined
Topic Author
Posts: 7
Joined: Fri Sep 22, 2017 10:07 am

Place switch before eBGP router

Mon Aug 02, 2021 6:01 pm

Hi,

I want to check: is it possible to deploy a switch (e.g. Cisco N3K-C3064PQ-10GX) between the Service Provider (IP transit) and our BGP router (CCR1036)? We would use this switch to create ACLs and deny some UDP protocols on the switch.

Is this possible in real life?

We don't want our CCR1036 processing too much, because it is usually under high load with this kind of traffic.
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Place switch before eBGP router

Wed Aug 04, 2021 10:55 am

Yes you can do that. I do the exact same thing with a couple of N7K's in front of a couple of CCR1036's.
But the only reason I did that is because my supervisors cannot handle more than 128K routes. Otherwise I would have used the Nexus for BGP.

Regarding ACLs, you can do that, but keep in mind that a Nexus is a switch, not a firewall.

You can also do stateless firewalling on the CCR itself by using the Raw table instead of Filter (thus bypassing Connection Tracking, which takes too many resources).
In my experience using Raw there is almost no extra load on the CCR, handling multiple gbits of traffic (or DDoS attacks).
 
itvietnam
just joined
Topic Author
Posts: 7
Joined: Fri Sep 22, 2017 10:07 am

Re: Place switch before eBGP router

Wed Aug 04, 2021 11:31 am

Hi Cha0s,
> But the only reason I did that is because my supervisors cannot handle more than 128K routes.

It's so strange, CCR1036-..+EM can receive 2 full routing tables with no problem. Currently we handle more than 1.600.000 routes in CCR1036. The only limitation we found on CCR1036 is the 10Gbps uplink and 10Gbps downlink. If we need more than 10Gbps, we have to use CCR1072.

In the last 2 months we ordered a CCR1072 to handle more bandwidth and it rebooted a lot; many people see the same issue here: viewtopic.php?t=122525 (already contacted Mikrotik support and filed an RMA to return the device).

> Regarding ACLs, you can do that, but keep in mind that a Nexus is a switch, not a firewall.

We use the switch before the CCR1036 to drop by UDP source port only, because most UDP reflection attacks come from the same UDP source ports (53, 161, 389 ...). CCR1036 can handle this with the raw table, but it takes the CPU to high load and bottlenecks at the bandwidth pipe.

Some attacks come at 20Gbps or 40Gbps and CCR1036 is limited to a 10Gbps uplink only, so we use the switch to receive 40Gbps, drop dirty UDP traffic with an ACL and allow the remaining clean traffic into the CCR1036 (this may include TCP SYN attacks and some other attacks). The rest we let the CCR1036 deal with.
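The Raw-table approach Cha0s describes, and the source-port drop itvietnam applies on the switch, as an added RouterOS example (not configuration posted in this thread). The interface name ether1-transit, the address list dns-resolvers and the documentation addresses 203.0.113.10/11 are assumptions constructed for the example.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.x on the CCR, the transit
# uplink named "ether1-transit", and two in-house recursive resolvers at
# 203.0.113.10 and 203.0.113.11 (documentation addresses, constructed here).

# Hosts that legitimately receive replies from UDP source port 53: our own
# recursive resolvers. Without an exemption, dropping src-port 53 also breaks them.
/ip firewall address-list
add list=dns-resolvers address=203.0.113.10 comment="internal recursive resolver 1"
add list=dns-resolvers address=203.0.113.11 comment="internal recursive resolver 2"

# Weak placement: a FILTER rule is evaluated after connection tracking, so every
# reflected packet still passes through conntrack before the drop.
# /ip firewall filter
# add chain=forward in-interface=ether1-transit protocol=udp \
#     src-port=53,161,389 action=drop

# Preferred placement: RAW prerouting runs before conntrack, so each drop costs a
# stateless match only. Rules are evaluated in order, so the exemption comes first.
/ip firewall raw
add chain=prerouting in-interface=ether1-transit protocol=udp src-port=53 \
    dst-address-list=dns-resolvers action=accept \
    comment="let DNS replies reach our resolvers"
add chain=prerouting in-interface=ether1-transit protocol=udp src-port=53,161,389 \
    action=drop comment="drop common UDP reflection sources (DNS, SNMP, LDAP)"
```

Packet counters on the two raw rules show how much reflected traffic is being discarded versus what is reaching the resolvers, which is the first thing to check when tuning the exemption list.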
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Place switch before eBGP router

Wed Aug 04, 2021 12:32 pm

CCRs do not have supervisors. I was referring to Nexus.
 
itvietnam
just joined
Topic Author
Posts: 7
Joined: Fri Sep 22, 2017 10:07 am

Re: Place switch before eBGP router

Wed Aug 04, 2021 12:50 pm

> CCRs do not have supervisors. I was referring to Nexus.

Thanks for your clarification.

I'm still looking for a router that can handle more than 40Gbps of traffic; it seems CCR1036 is capped at 10Gbps and CCR1072 is not stable. Do you have any recommendation?
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Place switch before eBGP router

Thu Aug 05, 2021 5:19 pm

Couldn't you use a CHR? At these levels of traffic, it might be better...
