Dear Nanoger,
Anyone have any advice on CPE which can support the following features,
please:
I've been building CPE devices using various models from http://www.lannerinc.com.
I populate with Debian Linux. I use pxeboot to autoboot into install mode with dnsmasq providing deb-install preseed build files. On the auto reboot after o/s install, I finish up with consistent, documented builds with SaltStack. This provides the necessary customized switching, routing, security, and monitoring.
Raymond Burkholder
https://blog.raymond.burkholder.net
441 705 7292
1)
1 Gigabit/s IPv4 or IPv6 forwarding IMIX or Internet traffic, full
duplex (not sure if Cisco or Miercom are conducting bidirectional
traffic flows at the same time).
With an FW-7543, I can iperf bidirectional 1Gbps with no ACL. I can get strongSwan IPsec bidirectional at about 50Mbps (the CPU has AES-NI). I haven't tried IPsec on devices like the FW-7573.
2)
with ACLs and with uRPF
with prefix filtering
with BGP ext-communities (RFC 8092 would be a ++, but not mandatory)
I can customize configs with various combinations of VRRP, FreeRangeRouting BGP/OSPF (full routes are no problem), nftables for ACL, lldpd, hostapd for wireless, openvswitch for bridging requirements/netflow/sflow ...
The Linux kernel supplies uRPF. FreeRangeRouting (a fork of Quagga) can do prefix filtering, ext-communities, etc. They have even recently implemented EVPN using VXLAN for encapsulation.
3)
with BGP full route, 1 eBGP session + 1 iBGP (--> multihomed, single
attached solution, so there are 2 CPEs connected to 2 BGP transits)
I've used the FW-7543 in pairs to a customer for this: a management port, a port between the two, an upstream port, and a downstream port.
4)
vrf light and
SNMP + telnet/ssh with ACLs
Linux kernel has VRF capabilities, or use namespaces or native containers for segregation of functions or for implementing virtual functions.
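
Added example, not part of the original message: one way the uRPF and "SNMP + ssh with ACLs" items could be expressed in nftables on such a Linux CPE. The kernel's rp_filter sysctl covers IPv4 only, so this uses the nftables fib expression, which applies to both families. The interface name "downstream0" and every address (documentation prefixes) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface name and all addresses below are
# assumptions (documentation prefixes), not values from the post.

table inet cpe {
    # Hosts allowed to reach the management plane (SSH, SNMP).
    set mgmt4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/28 }
    }
    set mgmt6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:ffff::/64 }
    }
    # eBGP and iBGP neighbours allowed to open a session to us.
    set bgp_peers4 {
        type ipv4_addr
        elements = { 198.51.100.1, 198.51.100.2 }
    }

    # Strict uRPF on the customer-facing port only: drop a packet when
    # the route back to its source does not leave via the port it
    # arrived on. Not applied upstream, where multihomed transit makes
    # return paths asymmetric.
    chain urpf {
        type filter hook prerouting priority raw; policy accept;
        iifname "downstream0" fib saddr . iif oif missing counter drop
    }

    # Traffic addressed to the CPE itself: default deny.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept   # includes IPv6 ND
        ip saddr @bgp_peers4 tcp dport 179 accept
        ip saddr @mgmt4 tcp dport 22 accept
        ip6 saddr @mgmt6 tcp dport 22 accept
        ip saddr @mgmt4 udp dport 161 accept
        ip6 saddr @mgmt6 udp dport 161 accept
        counter                                   # counts what the policy drops
    }
}
```

Syntax can be checked without loading the ruleset using `nft -c -f <file>`. VRRP, OSPF or other control-plane protocols running on the box need their own accept rules in the input chain.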