Switch with high ACL capacity

I am looking for recommendations as to a 10G or 40G switch that has the ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-----Mike HammettIntelligent Computing SolutionsMidwest Internet ExchangeThe Brothers WISP


Can you shed some light on the use case? Looks like you are confusing ACLs and BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a different use case. ACLs cannot be configured using Flowspec announcements. Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot more to it than just L4). I doubt if a there is a Switch which can hold a large number of Flowspec entries.

~Pratik Lotia
“Improvement begins with I.”

The intent is to see if I can construct a poor man's DDOS scrubber. There are low cost systems out there for the detection, but they just trigger something else to do the work. Obviously there is black hole routing, but I'm looking for something with a bit more finesse.

If I need to get a switch anyway, might as well try to take advantage of it for other uses.

-----Mike HammettIntelligent Computing SolutionsMidwest Internet ExchangeThe Brothers WISP

Juniper QFX10000(including 100002) supports ~64k ACL entries + FlowSpec


Are you sure you have enough inbound capacity to setup such a thing? Do you have RTBH setup for the final means of killing the attack?

If you could get another set of circuits to feed this switch from your same providers, and they accept more specific announcements, you could use this to swing /32's or /128's to said dedicated links so it won't affect your clients traffic.

I would see if you can get your upstream providers to apply rules to a dedicated interface upstream (drop NTP, memcache, LDAP, rate limit SSDP), and connect that to your switch, which would announce the /32’s or /128’s to pull the traffic over. You would of course have to announce the /24 or /48 through the carrier that has the filters in place to ensure they get all the traffic. After post processing the spoofed traffic, it should leave you with flooding to take care of.

If the DDoS exceeds capacity, I simply resort to the RTBH. Until then, if I can handle it more delicately, then great. If I can handle it by adjusting routing policy (shy of blackholing) or by dropping traffic selectively until then, I deliver a better experience.

Eyeball networks can handle DDoSes a bit differently than content guys because most of our traffic is on just a handful of ASNs on a few ports.

-----Mike HammettIntelligent Computing SolutionsMidwest Internet ExchangeThe Brothers WISP

Other than it completes the DDoS.

*nods* The more ways of knocking down the low hanging fruit the better.