Re: [c-nsp] Nexus V1000 - Feedback?
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Nexus V1000 - Feedback?
On Jun 9, 2009, at 5:00 PM, Roland Dobbins wrote:

> On Jun 10, 2009, at 6:41 AM, Maxwell Reid wrote:
>
>> It's using them in combination with vShield Zones at the ESX level (new feature of v4) that yields the best results.
>
> It's also important to note that all of this runs in software, and is thus subject to the performance limitations thereof.

When you're talking about a box with 16-32 3 GHz cores and 128 GB of RAM with offloading NICs/CNAs, that software is pretty speedy. A single host running 3 VMs can go as high as 350,000 IOPS/sec from a storage perspective, and handle high PPS loads with 10GbE at line rate. Even hardware appliances like the ASA bootstrap off what appears to be KVM and handle multiple contexts in software; you really only need specialized ASICs as part of the forwarding plane of high-end routers.

~Max

> ---
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
Re: [c-nsp] Nexus V1000 - Feedback?
On Jun 10, 2009, at 9:32 PM, Maxwell Reid wrote:

> you really only need specialized ASICs as part of the forwarding plane of high-end routers.

When you're talking about DDoS, that's what's needed; general-purpose CPUs on boxes running many different VM/OS/app stacks, or things like ASAs, don't cut it.

That's why you don't see stateful firewalling in front of major public-facing properties; not only is it useless by definition in such scenarios, in which every single incoming connection is unsolicited, but it's a DDoS chokepoint due to the state instantiated and the limited resources available.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Unfortunately, inefficiency scales really well.

-- Kevin Lawton
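The chokepoint argument above can be made concrete with a small model. The following is an added example, not code from the thread or from any Cisco or VMware product: it compares a stateless port ACL, which decides each packet on its own, with a stateful filter that instantiates a bounded table entry for every new inbound flow. The traffic, the source labels (`flood-N`, `client-N`) and the table capacity are all constructed for the illustration; the point is that once unsolicited flows fill the table, the stateful device refuses legitimate new connections even though its policy would permit them, while the stateless ACL's decision is unaffected by load.

```python
"""Toy model of state exhaustion on a stateful filter versus a stateless ACL.

Added example: the packets, source labels and capacity are constructed,
not measurements of any real device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # constructed source label, not a real host
    dport: int      # destination port
    syn: bool = True


class StatelessAcl:
    """Per-packet decision only; nothing is remembered between packets."""

    def __init__(self, allowed_ports):
        self.allowed_ports = frozenset(allowed_ports)

    def admit(self, pkt: Packet) -> bool:
        return pkt.dport in self.allowed_ports


class StatefulFirewall:
    """Same port policy, but every new inbound flow costs a table entry.

    The table is bounded, as it is on any real box; when it is full, new
    flows are refused regardless of what the policy says about them.
    """

    def __init__(self, allowed_ports, max_entries: int):
        self.allowed_ports = frozenset(allowed_ports)
        self.max_entries = max_entries
        self.table = set()              # (src, dport) keys of tracked flows

    def admit(self, pkt: Packet) -> bool:
        if pkt.dport not in self.allowed_ports:
            return False                # policy denies the port
        key = (pkt.src, pkt.dport)
        if key in self.table:
            return True                 # packet belongs to a tracked flow
        if len(self.table) >= self.max_entries:
            return False                # table exhausted: new flows fail closed
        self.table.add(key)             # an unsolicited SYN still creates state
        return True


def simulate(flood_sources: int, legit_clients: int, table_capacity: int) -> dict:
    """Run a flood of unsolicited SYNs through both filters, then count how
    many legitimate new clients each one still admits."""
    flood = [Packet(f"flood-{i}", 80) for i in range(flood_sources)]
    legit = [Packet(f"client-{i}", 80) for i in range(legit_clients)]
    acl = StatelessAcl({80, 443})
    fw = StatefulFirewall({80, 443}, table_capacity)
    for pkt in flood:                   # both filters see the whole flood
        acl.admit(pkt)
        fw.admit(pkt)
    return {
        "stateless_admitted": sum(acl.admit(p) for p in legit),
        "stateful_admitted": sum(fw.admit(p) for p in legit),
        "stateful_table_size": len(fw.table),
    }


if __name__ == "__main__":
    # flood exceeds capacity: the stateful box drops every legitimate client
    print(simulate(flood_sources=1000, legit_clients=10, table_capacity=500))
    # flood fits in the table: both filters admit all legitimate clients
    print(simulate(flood_sources=100, legit_clients=10, table_capacity=500))
```

Note what the model does and does not claim: the stateless ACL forwards the flood to the servers just as readily (port 80 is permitted either way), so the servers still have to cope with it; the difference is that the ACL itself never becomes the component that fails, whereas the stateful filter fails closed for everyone once its table is full. Adding entry timeouts to the model only changes the arithmetic (flood arrival rate versus expiry rate), not the outcome.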
Re: [c-nsp] Nexus V1000 - Feedback?
All,

I had some feedback from people that have tried it in the lab, but not in production yet.

I notice that in all the Cisco marketing material it talks repeatedly about how the guest's security profile will migrate with the VM. However, as far as I can tell NX-OS only offers non-stateful ACLs and no inspection, so I'm not sure it's really that useful?

Sam

Sam Stickland wrote:

> Hi,
>
> Has anyone here deployed the Nexus V1000? I'm interested in feedback (good, bad or indifferent).
>
> Thanks,
>
> Sam
Re: [c-nsp] Nexus V1000 - Feedback?
On Jun 9, 2009, at 6:12 PM, Sam Stickland wrote:

> only offers non-stateful ACLs and no inspection so I'm not sure it's really that useful?

Stateful inspection in front of front-end servers is generally not only useless, but counterproductive, as it greatly increases susceptibility to DDoS. Especially with a software-based switch/router/what-have-you.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Unfortunately, inefficiency scales really well.

-- Kevin Lawton
Re: [c-nsp] Nexus V1000 - Feedback?
Hi,

On Tue, Jun 09, 2009 at 12:12:32PM +0100, Sam Stickland wrote:

> I notice that in all the Cisco marketing material it talks repeatedly about how the guest's security profile will migrate with the VM. However, as far as I can tell NX-OS only offers non-stateful ACLs and no inspection so I'm not sure it's really that useful?

Well, you need to put this in relation to the standard VMware switch - which can't do ACLs, and where nothing whatsoever will migrate but everything (VLAN setup etc.) needs to be properly prepared beforehand for VMotion to work...

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Nexus V1000 - Feedback?
The ACLs on the vswitch/nexus are only part of the security equation. It's using them in combination with vShield Zones at the ESX level (new feature of v4) that yields the best results.

~Max

On Jun 9, 2009, at 7:39 AM, Gert Doering wrote:

> Hi,
>
> On Tue, Jun 09, 2009 at 12:12:32PM +0100, Sam Stickland wrote:
>
>> I notice that in all the Cisco marketing material it talks repeatedly about how the guest's security profile will migrate with the VM. However, as far as I can tell NX-OS only offers non-stateful ACLs and no inspection so I'm not sure it's really that useful?
>
> Well, you need to put this in relation to the standard VMware switch - which can't do ACLs, and where nothing whatsoever will migrate but everything (VLAN setup etc.) needs to be properly prepared beforehand for VMotion to work...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Nexus V1000 - Feedback?
On Jun 10, 2009, at 6:41 AM, Maxwell Reid wrote:

> It's using them in combination with vShield Zones at the ESX level (new feature of v4) that yields the best results.

It's also important to note that all of this runs in software, and is thus subject to the performance limitations thereof.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Unfortunately, inefficiency scales really well.

-- Kevin Lawton
[c-nsp] Nexus V1000 - Feedback?
Hi,

Has anyone here deployed the Nexus V1000? I'm interested in feedback (good, bad or indifferent).

Thanks,

Sam
Re: [c-nsp] Nexus V1000 - Feedback?
Hi,

On Mon, Jun 01, 2009 at 04:27:54PM +0100, Sam Stickland wrote:

> Has anyone here deployed the Nexus V1000? I'm interested in feedback (good, bad or indifferent).

We haven't deployed it yet, but what I was demonstrated at Networkers in Barcelona was definitely Way Cool. The Cisco way to configure and monitor switches, not the VMware web-thingie...

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de