Hi Aaron, thanks for the info. I'm curious what you or others do about DDoS attacks to CGNAT devices. It seems that a single attack could affect the thousands of customers that use those devices. Also, do you have issues detecting attacks vs. legitimate traffic when you have so much traffic destined to a small group of IPs?

Rich Compton | Principal Eng | 314.596.2828
14810 Grasslands Dr, Englewood, CO 80112

On 4/6/17, 2:33 PM, "NANOG on behalf of Aaron Gould" <nanog-bounces@nanog.org on behalf of aaron1@gvtc.com> wrote:
Last year I evaluated Cisco ASR9006/VSM-500 and Juniper MX104/MS-MIC-16G in my lab.
I went with MX104/MS-MIC-16G. I love it.
I deployed (2) MX104's. Each MX104 has a single MS-MIC-16G card in it. I integrated this CGNAT with MPLS L3VPN's for a NAT inside vrf and a NAT outside vrf. Both MX104's learn a 0/0 route for outside and send a 0/0 route for inside to all the PE's that have DSLAMs connected to them. So each PE with DSL connected to it learns a default route towards 2 equal-cost MX104's. I could easily add a third MX104 to this modular architecture.
I have 7,000 DSL broadband customers behind it. Peak time throughput is hitting up at 4 Gbps... I see a little over 100,000 service flows (translations) at peak time.
I think each MX104 MS-MIC-16G can handle about ~7 million translations and about 7 Gbps of CGNAT throughput... so I'm good.
I have a /25 for each MX104 outside public address pool (so /24 total for both MX104's)... pretty sweet how I use /24 for ~7,000 customers :)
I'll freeze this probably for DSL and not put anything else behind it. I want to leave well-enough alone.
If I move forward with CGNAT'ing Cable Modem (~6,000 more subscribers) I'll probably roll out (2) more MX104's with a new vrf for that...
If I move forward with CGNAT'ing FTTH (~20,000 more subscribers) I'll probably roll out (2) MX240/480/960 with MS-MPC... I feel I'd want/need something beefier for FTTH...
- Aaron
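Aaron's sizing (a /25 of public space per MX104 for roughly half of 7,000 DSL subscribers) is the kind of number that decides whether you can later answer "which subscriber was behind 203.0.113.112:57000 at 02:14?" without keeping a log line per translation. The planner below is an added example, not code from the thread, from Aaron's deployment or from Juniper: it models a deterministic port-block scheme over that pool, picking the largest block size the pool can afford and giving both the forward mapping (subscriber to IP and port range) and the reverse mapping an abuse desk needs. The 1024 reserved low ports, power-of-two blocks, use of every address in the /25 and the 203.0.113.0/25 documentation prefix are all assumptions.

```python
"""Deterministic port-block planning for a CGNAT public pool.

Added example: not code from the NANOG thread, from Aaron's deployment
or from Juniper. It takes the pool sizing in the post (one /25 of public
addresses per MX104, roughly 3,500 DSL subscribers per box) and models a
deterministic per-subscriber port-block scheme: each subscriber index
maps to a fixed (public IP, port range), and any (public IP, port) from
an abuse report maps straight back to that index with no per-flow log.
The block size, the 1024 reserved low ports and the use of every
address in the pool are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolPlan:
    pool: ipaddress.IPv4Network   # public pool, every address usable (assumption)
    first_port: int               # lowest NATted source port (1024 assumed)
    block_size: int               # contiguous ports handed to one subscriber

    @property
    def ports_per_ip(self) -> int:
        return 65536 - self.first_port

    @property
    def blocks_per_ip(self) -> int:
        # Only whole blocks count; a partial block at the top is left unused.
        return self.ports_per_ip // self.block_size

    @property
    def capacity(self) -> int:
        """Subscribers the pool can hold at this block size."""
        return self.pool.num_addresses * self.blocks_per_ip

    def assign(self, subscriber_index: int) -> tuple:
        """Forward mapping: subscriber index -> (public IP, low port, high port)."""
        if not 0 <= subscriber_index < self.capacity:
            raise ValueError(f"subscriber {subscriber_index} exceeds capacity {self.capacity}")
        ip_offset, block = divmod(subscriber_index, self.blocks_per_ip)
        low = self.first_port + block * self.block_size
        return str(self.pool[ip_offset]), low, low + self.block_size - 1

    def lookup(self, public_ip: str, public_port: int) -> int:
        """Reverse mapping: (public IP, port) -> subscriber index, for attribution."""
        ip = ipaddress.IPv4Address(public_ip)
        if ip not in self.pool:
            raise ValueError(f"{public_ip} is not in pool {self.pool}")
        block = (public_port - self.first_port) // self.block_size
        if public_port < self.first_port or block >= self.blocks_per_ip:
            # Reserved low ports and the unused tail above the last whole block
            # are never handed out, so a report citing them is not attributable.
            raise ValueError(f"port {public_port} is outside any assigned block")
        ip_offset = int(ip) - int(self.pool.network_address)
        return ip_offset * self.blocks_per_ip + block


def plan_for(pool_cidr: str, subscribers: int, first_port: int = 1024) -> PoolPlan:
    """Pick the largest power-of-two block size that still fits all subscribers.

    A bigger block means more concurrent flows per subscriber before the NAT
    starts dropping new sessions, so grow it until the pool can no longer
    hold everyone.
    """
    pool = ipaddress.IPv4Network(pool_cidr)
    ports_per_ip = 65536 - first_port
    if pool.num_addresses * ports_per_ip < subscribers:
        raise ValueError("pool cannot hold that many subscribers even at one port each")
    block = 1
    while (block * 2 <= ports_per_ip
           and pool.num_addresses * (ports_per_ip // (block * 2)) >= subscribers):
        block *= 2
    return PoolPlan(pool, first_port, block)


if __name__ == "__main__":
    # The numbers from the post: a /25 per MX104, ~7,000 DSL subscribers over two boxes.
    plan = plan_for("203.0.113.0/25", 3500)
    print(f"block size {plan.block_size} ports, {plan.blocks_per_ip} blocks per IP, "
          f"capacity {plan.capacity} subscribers")
    ip, lo, hi = plan.assign(3499)
    print(f"subscriber 3499 -> {ip}:{lo}-{hi}")
    print(f"abuse report {ip}:{lo + 100} -> subscriber {plan.lookup(ip, lo + 100)}")
```

With these inputs the planner settles on 2,048-port blocks, 31 blocks per address and room for 3,968 subscribers on the /25, which leaves the 2,048 ports of the top partial block on each address unused and shows the trade-off directly: the pool is still lightly loaded at Aaron's ~100,000 peak translations, but any subscriber who opens more than 2,048 concurrent sessions will have new flows refused rather than overflow into another block.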