Re: [c-nsp] BGP MD5 DDOS ?
Dobbins, Roland rdobb...@arbor.net writes: On Sep 16, 2012, at 7:05 PM, Robert E. Seastrom wrote: An extra knob, an extra data point to be collected, managed, (and possibly get wrong) as a proxy for are you sure? [y/N] is a huge step away from goodness. Given that the consequences of getting it wrong are just, Oops, I forgot to configure the MD5 key vs. the possible consequences of bringing up a new peer without sufficient preparation and safeguards, I'll take the configuration entropy hit every time. You forgot the consequences of getting some other element of the config wrong because you were preoccupied with the MD5 key. I'll take simplicity every time. -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] BGP MD5 DDOS ?
Dobbins, Roland rdobb...@arbor.net writes: On Sep 15, 2012, at 7:58 PM, Nick Hilliard wrote: The general advice is still to use copp or acls to deprioritise unknown bgp traffic. Gtsm can help in some situations, particularly at Ixps. Otherwise md5 is a matter of choice. Some people like it; others don't. Concur. There are no recorded instances of MD5 keying contributing to a DoS in the wild, AFAIK. And of course if you use iACLs, CoPP, GTSM, you therefore keep unwanted traffic off your session in the first place. I agree - if unwanted traffic hits the control plane without being clamped down, you've lost the game in so many other ways... MD5 keying is useful as a safeguard to make folks really think before they bring up new peers. Sort of a last-ditch, Are you *really* use you want to do this, have you done everything else necessary to secure and protect this new routing relationship? Emphatically disagree. Optimize for technician brain cells (where Moore's Law does not apply). An extra knob, an extra data point to be collected, managed, (and possibly get wrong) as a proxy for are you sure? [y/N] is a huge step away from goodness. The most reliable components are the ones you leave out. - C. Gordon Bell -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS over GRE/IPSEC
Gert Doering g...@greenie.muc.de writes: Hi, On Wed, Aug 08, 2012 at 10:16:56AM +0300, Aivars wrote: Well, 19xx with a proper licensing will work. Everything else depends on pps and scale. I want to see that. MPLS over GRE over *IPSEC* with 1 Gbit/sec using a 19xx (the original poster explicitely mentioned 1 Gbit/sec as requirement). What's that license you mention, the turbocharger tuning+ license? Cisco data sheets list the ISR G2 as up to 350 Mbps with services, which means if the sun is shining and you're not asking anything complicated, it might do 350 Mbps - but there's no way to even go *near* 1 Gbit/s with those. And that's for the 3945 - the 19xx are specced high speed WAN environments ... up to 25 Mbps. You forgot the honoring the DSCP bits inside the encrypted packets part. That'll be even more fun to watch. :) -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Small, Low Power Cisco Router Recommendation
I've been reasonably happy with the RB750(G|GL|). The configuration language is not a Cisco knock-off, but you'll figure it out easily enough. Sure I have a laundry list of bugs and complaints, but that's the case for the big name guys as well, and it's easy to exceed expectations when one is paying only $39 to $59 apiece for 'em. -r Rusty Dekema rdek...@gmail.com writes: Hmm. Of the options presented so far, this Mikrotik RB750 sounds the most promising. I've found that Linksys products have a tendency to partially or completely fail on a regular basis for no apparent reason. The Cisco 819, however, is far too expensive for this penny-ante project. The Cisco 806, on the other hand, looks great, especially for the 1mbit application. Is there another Cisco router like that but with 10/100 Ethernet ports? If so, that would probably be the ideal. [I'll be buying these on eBay anyway, so it doesn't matter if it's EOL. And at prices like this, one can afford a spare or two...] Thanks again, Rusty D On Thu, Jul 19, 2012 at 8:37 PM, Roy r.engehau...@gmail.com wrote: Mikrotik :-) The RB750 will do it On 7/19/2012 5:19 PM, Rusty Dekema wrote: Good evening, This question is a bit far afield for this list, but I need a reliable, quiet-or-silent, low-power-consumption Cisco router with two 10 or 10/100 Ethernet ports. All they need to do is do a default route with NAT between the Ethernet interfaces. One of them will only have to handle 1 mbit (max) of traffic; the other could receive traffic bursts up to 30 mbit, although it would still be acceptable if it can only push 10-15mbit. Low cost, quiet/silent operation, and low power consumption are the primary requirements here. Any suggestions? Thanks, Rusty D __**_ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/**mailman/listinfo/cisco-nsphttps://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/**pipermail/cisco-nsp/http://puck.nether.net/pipermail/cisco-nsp/ . ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] [j-nsp] Broadband Model suggestion?
My experience with Zhone (the MALC and their ONTs) was that it was quite easy to get working and didn't rely on any kind of proprietary management software which is always a risk when playing in those areas. Web configuration UI on the ONT was not the most awesome thing in the world, but it didn't do the gotta have IE kind of thing that I had run into on other devices. -r Jared Mauch ja...@puck.nether.net writes: He may be looking for alternative vendors as well. :-) Zhone has inexpensive CPE hardware. I have a few in my home lab. You can deploy them for a few 100 on the cheap if you already have SMF available. (just under $300 for everything). Jared Mauch On Jul 12, 2012, at 4:56 AM, Chris Kawchuk juniperd...@gmail.com wrote: Your Vendor's Sales Rep and Systems Engineer should be more than happy to help in this regard. =) - CK. On 2012-07-12, at 5:01 PM, Frank Norman wrote: Dear friends, I need suggestion for broadband network based on xDSL fiber based last miles (GPON/Metro technologies), Subscriber base upto 40-50 thousand customer, Requirement for subscribers will be; - Authentication authorization - Dynamic Rate-limiting policing (with Multi service support) - Session state monitoring - Session Accounting for Billing (prepaid/postpaid) and other policies in standard broadband networks. Now can someone tell me 1) what are the standard models (PPPoE or DHCP ? ) that are being used in such kind of broadband networks?? and which is more flexible?? 2) How is bandwidth management for subscribers is handled?? through the same BRAS or by installation of separate devices like packeteer, packetlogic etc 2) Which devices/vendors can handle these kind of requirements?? (We already have AAA radius expertise, so i am only concerned with network equipment side) Good Day! Frank ___ juniper-nsp mailing list juniper-...@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-...@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] lsd
While MPLS hides the underlying topology from you, LSD is good for exposing the metaphysical layer. ;-) Scott Granados sc...@granados-llc.net writes: Gee and I thought LSD was for the operator and not a feature. Nice, no reason the gear shouldn't share in the fun. :) On Apr 25, 2012, at 11:10 AM, Peter Rathlev wrote: On Wed, 2012-04-25 at 09:44 -0500, Aaron wrote: Is there something similar in IOS to lsd (label switch db) found in IOS XR ? does this function of lsd exist in ios? (lsd seems like what I used to understand as lib/tib but unsure at this point). if there is an lsd-type thing in IOS, is there a way to see client apps (l2vpn, bgp, etc) bound to it like in xr below. ? Unsure if this is what you're looking for, but you can see the LFIB via: Router#show mpls forwarding Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or Tunnel Id Switched interface 16 Pop Label IPv4 VRF[V] 2632 aggregate/VRF3305 17 Pop Label IPv4 VRF[V] 71864 aggregate/VRF2400 18 Pop Label IPv4 VRF[V] 37630 aggregate/VRF2401 19 Pop Label IPv4 VRF[V] 266812aggregate/VRF2433 20 10510.20.30.8/320 Gi4/2 10.10.250.161 21 14710.20.30.152/32 0 Gi4/2 10.10.250.161 22 No Label l2ckt(10)7465810 Gi4/4 point2point 23 11210.20.30.31/32 0 Gi4/2 10.10.250.161 24 No Label 10.10.250.8/30 0 Gi4/2 10.10.250.161 25 No Label 10.10.241.64/27 0 Gi4/2 10.10.250.161 26 27 10.20.30.151/32 0 Gi4/2 10.10.250.161 27 11410.20.30.133/32 0 Gi4/2 10.10.250.161 ... Specific L2VPN VC labels: Router#show mpls l2transport vc Local intf Local circuit Dest addressVC ID Status - -- --- -- -- Gi4/4 Ethernet 10.20.30.17 10 UP Gi4/3 Ethernet 10.20.30.27 3 UP Router# Sorry if this if off in the wrong direction. -- Peter ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Limits on virtual-access interfaces ?
Mike mike-cisconspl...@tiedyenetworks.com writes: Howdy, I have a 7201 terminating pppoe sessions. I ran the following command and saw that the max virtual-access interface number was 900, per below: sh int virtual-access ? 1-900 Virtual-Access interface number I am wondering if this is actually a dynamic number? My high water pppoe sessions (max up at one time) is 898, and so I am wondering if I will hit this limit or if it will grow once I cross that threshold? Yes, they're cloned from the virtual-template as needed. show idb will give you an idea about interface descriptor blocks and how close you are to exhaustion (not even close on that platform). My recolllection is that on the 7206VXR under 12.3 and 12.4 you get 20,000. This is old neurons though. -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IPSEC + TFTP don't work
Victor Sudakov v...@mpeks.tomsk.su writes: Randy wrote: Victor wrote: RS wrote: Try setting the MTU on the ethernet on the TFTP server to 1400 or so rather than 1500. That oughta fix the problem, assuming that the tftp server software is sanely written. If it were TCP (tftpboot is of course udp) that would DTRT. Actually I have tried something like route add -net $protected_net -mtu 1300 $ipsec_gateway on the TFTP server and it did not help. I think the TFTP server just sends its packets as requested by the client and does not care if the MTU is small. What you tried, wouldn't work because TFTP is UDP and the mtu size is decided by application in question; unlike TCP. Therefore I thought that the above advice (try setting the MTU on the ethernet) would not work either. It might not. I qualified that advice with if the server software is sanely written. I have enough gray hair to remember stuff like ProNet80, Hyperchannel, FDDI, and IBM Token Ring (both speeds), each with a different MTU. Heck, you might get lucky and have 10ge with jumbo frames big enough to stick the entirety of pxeboot(8) in a single packet. Anyway, it would never occur to me to write something that sent UDP packets (which I intended to arrive un-fragmented because typically the stacks that speak TFTP are brain-dead and can't handle reassembly) without groveling through whatever gymnastics I had to in the OS to crawl through the routing table, determine the exit interface, and set the size of the packets I wanted to send accordingly. Guessing at the OS and specific release of software you're running and performing a code review to see if whoever wrote that TFTP server wrote it in the way that I would have is, obviously, beyond the scope of the free advice you're likely to get in an august forum such as this. -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IPSEC + TFTP don't work
Victor Sudakov v...@mpeks.tomsk.su writes: I feel that the issue may be in IP fragmentation of some sort which the dumb PXE TCP/IP stack cannot handle, but a google search did not help. At least neither an Intel NIC, nor a Realtek NIC nor a GPXE emulation work. I'm pretty sure you're on the right track. Try setting the MTU on the ethernet on the TFTP server to 1400 or so rather than 1500. That oughta fix the problem, assuming that the tftp server software is sanely written. If it were TCP (tftpboot is of course udp) that would DTRT. -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Need a Primer on WCCP / Web Hijacking
or pfsense captive portal (easy to set up, cheaper than mikrotik) or openwrt + chilispot (somewhat more difficult to set up, even cheaper yet) ---rob a. rahman isnaini r.sutan [EMAIL PROTECTED] writes: Mikrotik with Hotspot Profile... for cheaper fast solution rgs a. rahman isnaini rangkayo sutan Jonathan Charles wrote: Cust has access points open to public, they need to hijack the web requests and take them a web page where they enter a security code, and then allow them... So, I need to integrate this with some form of ACS (still finding out) and a web server... I think WCCP will do it, just looking for a primer to start me off... TIA Jonathan ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] High temperatures on cisco 6504-E chassis
Koen [EMAIL PROTECTED] writes: We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2 WS-X6748-GE-TX and we see that the asic temperature is always higher then 40C which is the max operational temperature according to the docs. The max operational temperature quoted in documentation is almost always ambient (or inlet) temperature, not the temperature of any particular hot spot on the board. At 30c inlet, you're well within spec. Is there something you have read that leads you to believe things are different in this case? Can you point me there if so? -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] BGP network stops being advertized
Deepak Jain [EMAIL PROTECTED] writes: In the old days, null was handled by CPU (software switched), so lots of us old-timers got into the habit of using loopback instead of null. On a modern platform it should make no operational difference provided you have everything you need set up properly. (null routing the /16, for example, might be bad if you ever actually try to route that whole prefix instead of just subs -- as it would be specific and static). That's why you put a high distance metric on static pull-up routes. Any real static routes or connected interfaces will override ip route 192.148.252.0 255.255.254.0 Loopback0 240 -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Problems doing NPE upgrade
Chris Conn [EMAIL PROTECTED] writes: Roy wrote: A client has a 7206VXR that we are attempting to just upgrade the NPE. When we replace the NPE-300 with an NPE-400 we get a crash loop during the boot. The OS we are using is Cisco IOS Software, 7200 Software (C7200-P-M), Version 12.4(8d), RELEASE SOFTWARE (fc2) Console log follows. Any ideas welcome. Roy Hello, Check your bootflash. You may have to upgrade it to a newer version that can recognize the NPE-400. Yep, that's almost certainly it. It is *amazing* the amount of trouble people have with 7200s that is directly traceable to the bootflash being wildly out of sync with the running IOS load. Not that I've ever picked up malfunctioning VXRs on the cheap that turned out to work fine after getting re-flashed whistles innocently... -r ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] External Firewall
The HAR is going to be announced on April Fool's day. My lawyers told me that as long as I didn't reveal anything about the feature set (which I find laughable), that I wasn't breaking the NDA, so don't sweat it. Remember folks, you heard it here first... ---rob Joseph Jackson [EMAIL PROTECTED] writes: What are you talking about then? -Original Message- From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Fred Reimer Sent: Monday, March 24, 2008 5:03 PM To: Niels Bakker; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] External Firewall I'm not talking about the ASR... Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Niels Bakker Sent: Monday, March 24, 2008 5:32 PM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] External Firewall * [EMAIL PROTECTED] (Fred Reimer) [Mon 24 Mar 2008, 22:28 CET]: Don't be giving out any NDA materials now... The ASR and its featureset have been announced and thus are public knowledge. -- Niels. -- ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Recommendations for T1 Extender
Adam Piasecki [EMAIL PROTECTED] writes: In the past we used Pargain equipment, but it's becoming hard to find that stuff. So we are starting to look for a new product. Basically we want to take a T1 from the LEC extended it 1-4miles and have the receving end connect into our router. You know that ADC bought Pairgain back in 2000 right? The current technology cards are a lot smaller than the classic Pairgain box and fit in the standard 220 and 400 shelves (among others; I see on their web site that they have support for 3192 and Litespan 2000 mechanicals too). https://www-wsp.adc.com/ecom/catalog/hierDisplay.do?NODE=OND50995 They didn't even change the name; still call 'em HiGain. AFAIK, these cards are current production; you can order them up from your favorite vendor. ADC-nee-Pairgain cards have always worked fine for me... ---rob ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OC3 Throughput
Of course, the *real* answer which everyone seems to be overlooking is that you're terminating PPPoE-over-L2TP per Paul's original mail. The encap/deencap is the limiting factor, and you're gonna pummel any known NPE up to and including the NPE-G1 before you hit the link speed limit with ATM or POS (you're running an ISP; you *will* have traffic going both ways, and substantial upstream in todays p2p world). What processor do you have in there? ---Rob Aaron [EMAIL PROTECTED] writes: Of course you didn't specify ATM originally either. POS would probably give you a few more since you don't have the ATM overhead. On Nov 17, 2007 3:09 PM, Garry [EMAIL PROTECTED] wrote: Paul Stewart wrote: A few people hit me offline stating that it's not nice to hold back the answers and that they were curious... right you are - sorry about that...;) The general answer has been 110-120Mb/s considering ATM overheads etc. on a 5 minute graph average - beyond that you are really pushing your luck. We have one such circuit today that is hitting 110 regularily and sometimes hits 120 for short peaks - my concerns are now staring at me on a graph In general (at least speaking from an ISP's point of view) when utilizing a link beyond 90% peak or beyond 75% average, it's time to upgrade ... otherwise it's just a question of time when the link capacity is causing quality degradation for the users ... (unless the peaks are caused by batch-only traffic). Take the usage graph to your boss and tell him you need another link or an OC12 upgrade ;) -garry ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OC3 Throughput
Clayton Zekelman [EMAIL PROTECTED] writes: An NPE-G1 easily handles 2 full ATM-OC3's worth of L2TP tunnels. We have several of these in production, and typically hit around 60% CPU utilization. My experience with both NPE-G1s and 7301s does not parallel this. Could be an artifact of the load we were running, the fact that we were running on 802.11 vlans on gigabit ethernet rather than ATM, or some kind of local configuration requirement that I haven't thought of today. Wasn't running unicast RPF on the NPEs, preferring to run it on the edge-facing interfaces in the GSRs. Was running dynamically loaded outbound SMTP filters via radius attribute 242. Yes, I did have CEF turned on. :-) My experience is that once you were in the 120-130 Mbit range (sum of in and out), you were pretty much at the 80+% range and should be looking at a new router to add to the mix. Of course, it probably depends even more on packets per second than it does on data moved. My customers were some filesharin' fools. In the early morning our outbound exceeded the inbound by about 20%. That could have figured into our situation as well. Obviously caution is required for the budgetary numbers; take Cisco's and your colleagues' numbers with a grain of salt, hedge the numbers in your model, and come out looking like a hero. :-) ---Rob - Original Message --- Subject: Re: [c-nsp] OC3 Throughput From: Robert E. Seastrom [EMAIL PROTECTED] Date: Mon, 26 Nov 2007 07:48:40 -0500 To: Aaron [EMAIL PROTECTED] Cc: cisco-nsp@puck.nether.net Of course, the *real* answer which everyone seems to be overlooking is that you're terminating PPPoE-over-L2TP per Paul's original mail. The encap/deencap is the limiting factor, and you're gonna pummel any known NPE up to and including the NPE-G1 before you hit the link speed limit with ATM or POS (you're running an ISP; you *will* have traffic going both ways, and substantial upstream in todays p2p world). What processor do you have in there? ---Rob Aaron [EMAIL PROTECTED] writes: Of course you didn't specify ATM originally either. POS would probably give you a few more since you don't have the ATM overhead. On Nov 17, 2007 3:09 PM, Garry [EMAIL PROTECTED] wrote: Paul Stewart wrote: A few people hit me offline stating that it's not nice to hold back the answers and that they were curious... right you are - sorry about that...;) The general answer has been 110-120Mb/s considering ATM overheads etc. on a 5 minute graph average - beyond that you are really pushing your luck. We have one such circuit today that is hitting 110 regularily and sometimes hits 120 for short peaks - my concerns are now staring at me on a graph In general (at least speaking from an ISP's point of view) when utilizing a link beyond 90% peak or beyond 75% average, it's time to upgrade ... otherwise it's just a question of time when the link capacity is causing quality degradation for the users ... (unless the peaks are caused by batch-only traffic). Take the usage graph to your boss and tell him you need another link or an OC12 upgrade ;) -garry ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] what limits bw on a tcp stream?
I have gear in Amsterdam and in San Jose. Pushing log files from Amsterdam to San Jose through rsync seems to top out at 7Mbps even Is rsync using ssh to move the data? ssh has its own windowing issues. There's a high perf fix for that which you should be able to find via google. This. http://www.psc.edu/networking/projects/hpn-ssh/ Modern TCP stacks deal OK. 7Mbps at that distance is about right for ssh-constrained. ---Rob ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] what limits bw on a tcp stream?
Peter Lothberg [EMAIL PROTECTED] writes: I have gear in Amsterdam and in San Jose. Pushing log files from Amsterdam to San Jose through rsync seems to top out at 7Mbps even Is rsync using ssh to move the data? ssh has its own windowing issues. There's a high perf fix for that which you should be able to find via google. This. http://www.psc.edu/networking/projects/hpn-ssh/ Modern TCP stacks deal OK. 7Mbps at that distance is about right for ssh-constrained. ---Rob We did over 4Gbit/s with two mail-order PC's in 2004 over a best_effort comercial IP network at about 0.5s RTT. http://proj.sunet.se/LSR3-s/ Yep, and that required only modest tweaks to the kernel parameters. Wasn't running over ssh though. The internal buffers on off-the-shelf openssh break performance pretty seriously for long fat pipes (unless the hpn-ssh mods have been integrated back into production openssh, which I'd really love to hear). ---Rob ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] vty access-list
Try using an access-class on the VTY and a simple acl (number 1-99) instead. ---rob C and C Dominte [EMAIL PROTECTED] writes: Hi, I am trying to filter SSH access on a router from outside by source and destination ip address. To be more clear, the source SSH access is the outside /24 network x.x.x.x, and the destination SSH IP is one of the router's ip's. I want to be able to cut the ssh listening on all the ip's from the router interfaces, and allow it only on one ip. The problem is that if the access list looks like: access-list 199 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.0 eq 22 it blocks the ssh access for all ip's including y.y.y.y if the access list applied to the vty lines is: access-list 199 permit tcp x.x.x.x 0.0.0.255 any eq 22 it permits the ssh access to all ip's residing on the router. Is this a normal behavior of the IOS, to block access to all the ip's, including to the one that is supposed to be allowed? Thanks, Catalin - For ideas on reducing your carbon footprint visit Yahoo! For Good this month. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ipv6 autoconfig linux
Harold Ritter \(hritter\) [EMAIL PROTECTED] writes: Oops. I guess I should have looked at that first ;0) I don't understand you got assigned a /64. I though the smallest block that could be assigned to a customer site was /48. It's actually anywhere from a /64 to a /48, in the ARIN region anyway. http://www.arin.net/policy/nrpm.html#six541 ---rob ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] NPE-G1 vs NSE-1
Kanagaraj Krishna [EMAIL PROTECTED] writes: Hi, Whats the difference btw both this cards and which would suit an ISP environment running BGP, IPv6 etc? The NSE-1 was an oddball card even in its day. End of software maintenance for it was back in 2005. It has similar performance to the NPE-400 in non-PXF applications. Without a doubt, the NPE-G1 is the right choice. ---Rob ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Feedback on: Security Advice for Routers and Switches
Matthew Lange [EMAIL PROTECTED] writes: * Implement blackhole routing on the Internet interface, using the Bogon list[3] Actually, I would put static bogon lists in the common but bad advice section, right there with turning off ICMP (sorry, RobT!). Why? Well, except for certain networks that are likely to be reserved in perpetuity (for instance, 0/8, 255/8, 1918 space...), _every last one of them_ is gonna end up getting assigned within the next four years [1]. Are *you* going to be around to monitor the bogon list and update it every few months? If not you then who? Have you done a threat analysis and figured out what the marginal risk is of allowing bogons from unassigned or reserved IP address space vs. allowing bogons from hijacked or supernet-sucked address space (against which you have no effective recourse)? I don't run bogon lists and I encourage others to not use them either. The downsides outweigh the benefits. I handle spam and other such nuisances at the application layer. ---Rob [1] http://www.potaroo.net/presentations/2007-05-09-ripe54-ipv4.pdf ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] New hardware choose help needed
Dmitriy Sirant [EMAIL PROTECTED] writes: Cisco 7204VXR NPE-G1 What we need from it: 1. Terminate about 50-150 VLANs 2. Terminate about 2500-4000 PPPoE users (at 100Mb, not ADSL) 3. Dynamic access lists and rate-limits for PPPoE users via Radius. 4. 2 x 1000Mbit/s ports to clients with full load and 1 x 1000Mbit/s port to ISP with load about 500Mbit/s All at the same time? Not gonna happen. I'm pretty sure it can't even do both parts of (4) at the same time. ---rob ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/