Re: Spamhaus BGP feed experiences?
On Sun, May 17, 2015 at 7:50 AM, Mike Lyon mike.l...@gmail.com wrote:
Any ISPs out there (big or small) ever used the Spamhaus BGP feed to prevent against botnet, spam, etc? If so, how has your experience been? Is it worthwhile? Has it helped? On / off list responses are appreciated in advance.
We've been using the BGP feed for a little over a year now. We had some problems with malware infected end user PCs causing upstream congestion resulting in slow internet complaints. The Spamhaus feed definitely helped a little with our problem but it's not the magic super tool to completely stop malware in your network. On the other hand there was no complaint due to a false positive (a couple of years ago we had one complaint due to a false positive on the EDROP list).
Best Regards, Frederik Kriewitz
Re: Low Cost 10G Router
On 19/May/15 19:35, Colton Conor wrote: As low as possible, though I am not sure how low that can be. For example, I can get a MX480 used with a 4 10G card for $16K. That would easily handle my needs, but it's overkill for what we need to do. I would love a solution under 10K, but not sure if one exists. If you can get an MX480 with 4x 10Gbps ports at that price, I'd take it. Might seem like too much now, but when you need to grow, having that chassis will come in very handy. The problem with boxes like the MX80, MX104 and ASR9001 is while they meet what you want now, they'll struggle because expansion is fixed (how's that for an oxymoron). That US$6,000 you'll save now will be more costly when you plan the upgrades in the future. Mark.
Re: Low Cost 10G Router
Message written by Max Tulyev max...@netassist.ua on 19 May 2015, at 19:58:
We are using softrouters based on Supermicro chassis, E5v3 cpu, Linux/BIRD and Intel 10G NICs. And VERY happy.
Out of curiosity, how much traffic do you pass over those softrouters?
Piotr
Re: Measuring DNS Performance Graphing Logs
http://docs.cacti.net/usertemplate%3ahost%3abind9.7
http://forums.cacti.net/about6332.html
those are like result 1 and 5 of cacti graph dns server in the googles... (the second is even the 1st result in a bingz search)
On Tue, May 19, 2015 at 1:34 PM, Zayed Mahmud zayed.mah...@gmail.com wrote:
Hello! This is my first message to NANOG's mailing list. I hope someone can help me. I was wondering which tool(s) can I use to measure the performance of my 3 DNS servers (1 primary, 1 secondary, 1 solely cacheDNS)? From the stats I would like to know if my DNS server is serving as it should be or if any of its options are set inappropriately and others alike. I looked for a while but could not find any. Any help would be highly appreciated. I am running bind9 on UNIX platform.
Question 2) I would also like to know how can I graph my DNS logs? And how can I integrate it to my CACTI server as well? I couldn't find any suitable plugin. Any suggestion?
-- -- Best Regards, *Zayed Mahmud* *Senior Core IP Network Team,* *Banglalion Communications Limited, Bangladesh.*
Re: your mail
On 5/19/2015 15:37, Jared Mauch wrote:
Can someone fix the DMARC settings to something more sensible? I've had to deal with this on the outages list already and it's simple to have it work in a more predictable way for users than injecting this text. The best settings are Munge From, (dmarc_moderation_action) as it will preserve the thread in a sensible way. I feel it's quite damaging to keep injecting this into the thread. One should also clear the dmarc_wrapped_message_text setting.
Blank subject lines get routed to the spam sump here. As a matter of policy, I do not open unexpected attachments, and strongly suggest that opening an unexpected attachment may be the most dangerous thing you can do with an email reader in some environments.
-- sed quis custodiet ipsos custodes? (Juvenal)
Re: Low Cost 10G Router
The BGP daemon on the CCR routers is not multi-threaded; it only will use one core.
Josh
On Tue, May 19, 2015 at 10:06 PM, Colton Conor colton.co...@gmail.com wrote:
So this new $1295 Mikrotik CCR1036-8G-2S+EM has a 36 core Tilera CPU with 16GB of ram. Each core is running at 1.2GHz? I assume that Mikrotik is multicore in software, so why does this box not outperform these intel boxes that everyone is recommending? Is it just a limitation of ports?
On Tue, May 19, 2015 at 6:03 PM, Faisal Imtiaz fai...@snappytelecom.net wrote:
I've seen serious, unusual performance bottlenecks in Mikrotik CCR, in some cases not even achieving gigabit speeds on 10G interfaces. Performance drops more rapidly than Cisco with smaller packet sizes. -mel beckman
Folks often forget that Mikrotik ROS can also run on x86 machines. Size your favorite hardware (server) or network appliance with appropriate ports, add MT ROS on a CF card, and you are good to go. We use i7 based network appliance with dual 10g cards (you can use a quad 10g card, such as those made by hotlav). with a 2gig of ram, you can easily do multiple (4-5 or more full bgp peers), and i7 are good for approx 1.2mill pps.
Best of luck. Faisal Imtiaz Snappy Internet Telecom
Re: Low Cost 10G Router
You can save a ton if you drop the requirement for full routes. Ask for a simple default route and then calculate your most used routes offline and upload that daily to the switch. I believe if you have just a few thousand routes, your outbound will be nearly the same as with full routes. Your inbound will be exactly the same, as even the smallest device can announce your prefixes. PS. ZTE has a ZXR 8900e switch with 8x 10g with 1 million routes for less than 10k USD. A ZTE 59e switch with 4x 10g with 30k routes is about 3k USD. Regards, Baldur
RE: Low Cost 10G Router
On May 19, 2015, at 10:22, Colton Conor colton.co...@gmail.com wrote:
What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
I have two ServerU L-800 boxes routing BGP and OSPF, one of those has 4x10G SFP+ port and the other box, the more interesting experience I had, has a 2x40G Chelsio expansion board. Both run FreeBSD, one of the boxes runs a thing called ProApps which is a FreeBSD based system ServerU people offer to their customers, with a nice and easy GUI, but essentially FreeBSD.
My experience with ServerU boxes started from security needs, for high performance firewall and IDP, and recently I started to try it as router. So far, so good. The latter box I started with BSDRP and later went for a default FreeBSD system. In this system I mostly run OSPF + BFD and stateless firewall, for a very critical customer site we have at Diebold.
What we do in this ServerU L-800 + Chelsio card box is:
- We have BIRD doing the dirty work for OSPF + BFD
- We have a trigger in BIRD which updates Chelsio T5's Forwarding Table
- We have stateless firewalling handled with cxgbetool on Chelsio directly
In this particular setup, with FreeBSD+BIRD+ServerUL800+Chelsio we handle every day, 4.2Mpps on 2x40G ports mostly on Chelsio ASICS, leaving most of ServerU CPU for BIRD and other FreeBSD features such as vlan, lagg, etc. Interrupt CPU usage is very low, since it's mostly handled on Chelsio board. So far I haven't tried adding a full BGP routing table to Chelsio, but the couple dozen routes we have demand this pps rate, gracefully handled by the box.
It's a 1,200 USD starting cost for a very decent router which promises to deliver a good pps and bps rate especially when compared to Mikrotik's CCR and other Cisco/Brocade routers on this same grade. Add to it a couple hundred extra bucks to have a very decent Chelsio T5 ASICS expansion to L800 chassis and you pretty much have a system that, according to Chelsio data sheet, promises to deliver 27 million packets per second filtered and forwarded. Pretty much Line Rate for 10G ports. I don't know about the expected 27Mpps per port, but I can confirm 4.8Mpps peaking / 4.2Mpps averaging on my rack everyday, and for the price I pay on this ServerU + FreeBSD setup I can't avoid suggesting it is pretty much worth a try!
http://www.serveru.us/en/netmapl800
If you buy a Chelsio card or already have it, or have it at a better price (sometimes we find very good 300.00 USD deals on chelsio T5, while their list price is ~900.00 USD) talk to 'em first, they have Chelsio front expansions by default but if you buy a Chelsio x8 PCIe card on your own they need to arrange ServerU L-800 to have it perfectly fitted in their L-800 chassis, and usually it requires rear riser replacement in their router, so talk to them first... I learned it the bad way ;] bought the chelsio card myself and found out I could not use it, since this L-800 router comes with risers for front expansions. They were gentle enough to upgrade the riser for free but I had to ship the box back to Florida. So talk to them...
ATT/Telia issue
Seeing this on AS7018 to AS1299. Anyone out there at either provider know anything about this?
HOST: PC-002 Loss% Snt LastAvg Best Wrst StDev
1.|-- 172.31.255.1 0.0% 10 10.7030.9
2.|-- 10.98.0.30.0% 10 11.0110.0
3.|-- 67.51.253.17 0.0% 10 22.5240.7
4.|-- 67.51.253.3 0.0% 10 11.2120.4
5.|-- v202.core1.pdx1.he.net 0.0% 10 7 10.57 121.9
6.|-- 10ge12-4.core1.sea1.he.net 0.0% 10 55.0550.0
7.|-- sea-b1-link.telia.net0.0% 10 55.85 122.2
8.|-- den-b1-link.telia.net0.0% 10 108 107.3 106 1080.7
9.|-- sjo-b21-link.telia.net 20.0% 10 137 134.9 134 1371.0
10.|-- 192.205.33.45 40.0% 10 136 136.2 135 1381.2
11.|-- cr1.sffca.ip.att.net10.0% 10 141 141.9 139 1451.9
12.|-- 12.122.2.77 20.0% 10 140 140.1 137 1422.0
13.|-- 12.122.160.149 10.0% 10 138 141.1 137 1648.6
14.|-- 12.117.131.214 30.0% 10 139 141.0 139 1451.9
15.|-- 199.103.47.230.0% 1051 128.0 51 142 34.0
HOST: PC-002 Loss% Snt LastAvg Best Wrst StDev
1.|-- 172.31.255.1 0.0% 20 11.1 030.6
2.|-- 10.98.0.40.0% 20 11.3 140.7
3.|-- 67.51.253.17 0.0% 20 34.9 2 48 10.2
4.|-- 67.51.253.1 0.0% 20 21.1 120.3
5.|-- 67.51.253.11 0.0% 20 11.4 120.5
6.|-- v202.core1.pdx1.he.net 0.0% 20 69.1 1 123.2
7.|-- 10ge12-4.core1.sea1.he.net 0.0% 20 56.5 5 111.7
8.|-- sea-b1-link.telia.net0.0% 20 55.1 560.3
9.|-- att-ic-153030-sea-b1.c.telia.net 0.0% 20 97.7 691.2
10.|-- cr83.st0wa.ip.att.net5.0% 20 118 119.7 117 1231.5
11.|-- cr2.ptdor.ip.att.net 0.0% 20 119 120.1 118 1221.4
12.|-- cr2.sffca.ip.att.net 0.0% 20 120 119.2 117 1211.4
13.|-- cr2.sc1ca.ip.att.net 0.0% 20 119 121.1 118 1496.6
14.|-- 12.122.151.129 0.0% 20 118 119.8 117 1221.5
15.|-- ???100.0% 20 00.0 000.0
16.|-- 71.157.120.39 75.0% 20 119 118.6 118 1190.5
17.|-- 108-248-29-59.lightspeed.renonv.sbcglobal.net5.0% 20 139 137.1 135 1462.5
18.|-- 108-241-228-42.lightspeed.renonv.sbcglobal.net 5.0% 20 143 139.2 135 1524.9
Re: Low Cost 10G Router
So this new $1295 Mikrotik CCR1036-8G-2S+EM has a 36 core Tilera CPU with 16GB of ram. Each core is running at 1.2GHz? I assume that Mikrotik is multicore in software, so why does this box not outperform these intel boxes that everyone is recommending? Is it just a limitation of ports?
On Tue, May 19, 2015 at 6:03 PM, Faisal Imtiaz fai...@snappytelecom.net wrote:
I've seen serious, unusual performance bottlenecks in Mikrotik CCR, in some cases not even achieving gigabit speeds on 10G interfaces. Performance drops more rapidly than Cisco with smaller packet sizes. -mel beckman
Folks often forget that Mikrotik ROS can also run on x86 machines. Size your favorite hardware (server) or network appliance with appropriate ports, add MT ROS on a CF card, and you are good to go. We use i7 based network appliance with dual 10g cards (you can use a quad 10g card, such as those made by hotlav). with a 2gig of ram, you can easily do multiple (4-5 or more full bgp peers), and i7 are good for approx 1.2mill pps.
Best of luck. Faisal Imtiaz Snappy Internet Telecom
Measuring DNS Performance Graphing Logs
Hello! This is my first message to NANOG's mailing list. I hope someone can help me. I was wondering which tool(s) can I use to measure the performance of my 3 DNS servers (1 primary, 1 secondary, 1 solely cacheDNS)? From the stats I would like to know if my DNS server is serving as it should be or if any of its options are set inappropriately and others alike. I looked for a while but could not find any. Any help would be highly appreciated. I am running bind9 on UNIX platform.
Question 2) I would also like to know how can I graph my DNS logs? And how can I integrate it to my CACTI server as well? I couldn't find any suitable plugin. Any suggestion?
-- -- Best Regards, *Zayed Mahmud* *Senior Core IP Network Team,* *Banglalion Communications Limited, Bangladesh.*
Re: Low Cost 10G Router
Last config I touched: 2xIntel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, 12 Gbit summary, 5% each core load.
On 19.05.15 21:06, Piotr Iwanejko wrote:
Message written by Max Tulyev max...@netassist.ua on 19 May 2015, at 19:58:
We are using softrouters based on Supermicro chassis, E5v3 cpu, Linux/BIRD and Intel 10G NICs. And VERY happy.
Out of curiosity, how much traffic do you pass over those softrouters?
Piotr
Re: Low Cost 10G Router
19.05.2015, 21:26, Max Tulyev max...@netassist.ua: Last config I touched: 2xIntel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, 12 Gbit summary, 5% each core load. And what PPS rate (in+out)? -- wbr, Oleg. Anarchy is about taking complete responsibility for yourself. Alan Moore.
Re: Low Cost 10G Router
How much of that traffic is valid legit traffic as well :( Colin On 19 May 2015, at 19:32, Oleg A. Arkhangelsky syso...@yandex.ru wrote: 19.05.2015, 21:26, Max Tulyev max...@netassist.ua: Last config I touched: 2xIntel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, 12 Gbit summary, 5% each core load. And what PPS rate (in+out)? -- wbr, Oleg. Anarchy is about taking complete responsibility for yourself. Alan Moore.
Re: Spamhaus BGP feed experiences?
How many false positives (i.e. blackholing traffic users want to reach)?
On 18.05.15 21:04, Marco d'Itri wrote:
On May 17, Mike Lyon mike.l...@gmail.com wrote:
Any ISPs out there (big or small) ever used the Spamhaus BGP feed to prevent against botnet, spam, etc? If so, how has your experience been? Is it worthwhile? Has it helped? On / off list responses are appreciated in advance.
We use Spamhaus DROP (not the BGP version: our software asks a human to review each change). The benefits are not obvious since we do not have access customers, but it will blackhole some networks you obviously do not want to talk to, and it has not caused any troubles either.
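The human-reviewed DROP update flow Marco d'Itri describes, together with the false-positive question asked above, sketched as an added example (not code from any poster or from Spamhaus). It assumes the plain-text list layout of one `CIDR ; SBL reference` per line with `;` comment lines; the snapshots, SBL ids and protected prefixes are constructed.

```python
import ipaddress

# Constructed sample snapshots (documentation/test ranges, made-up SBL ids).
OLD_SNAPSHOT = """\
; Constructed sample, not real Spamhaus data
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""
NEW_SNAPSHOT = """\
; Constructed sample, not real Spamhaus data
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000003
198.18.0.0/15 ; SBL000004
not-a-prefix ; SBL000005
"""
# Hypothetical: prefixes we originate or that customers must always reach.
PROTECTED = ["198.18.64.0/18", "10.0.0.0/8"]


def parse_drop(text):
    """Parse a DROP-style list. Returns ({network: reference}, [rejected lines]).

    Lines that are not a clean CIDR (garbage, or host bits set) are rejected
    rather than guessed at, so a malformed feed can never become a null route.
    """
    entries, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            rejected.append(raw)
            continue
        entries[net] = ref.strip()
    return entries, rejected


def _key(net):
    # Sort key that also works when IPv4 and IPv6 entries are mixed.
    return (net.version, int(net.network_address), net.prefixlen)


def build_review(old_text, new_text, protected, min_prefixlen=8):
    """Diff two snapshots into a queue a human approves before routes change.

    Additions that overlap a protected prefix, or that are broader than
    min_prefixlen, are put on "hold" so the reviewer sees them first.
    """
    old, _ = parse_drop(old_text)
    new, rejected = parse_drop(new_text)
    guard = [ipaddress.ip_network(p) for p in protected]
    queue = []
    for net in sorted(set(new) - set(old), key=_key):
        flags = []
        hits = [str(g) for g in guard
                if g.version == net.version and net.overlaps(g)]
        if hits:
            flags.append("overlaps-protected:" + ",".join(hits))
        if net.prefixlen < min_prefixlen:
            flags.append("too-broad")
        queue.append({"action": "add", "prefix": str(net), "ref": new[net],
                      "status": "hold" if flags else "review", "flags": flags})
    for net in sorted(set(old) - set(new), key=_key):
        queue.append({"action": "withdraw", "prefix": str(net),
                      "ref": old[net], "status": "review", "flags": []})
    return queue, rejected


if __name__ == "__main__":
    queue, rejected = build_review(OLD_SNAPSHOT, NEW_SNAPSHOT, PROTECTED)
    for item in queue:
        print(item["status"].upper(), item["action"], item["prefix"],
              item["ref"], " ".join(item["flags"]))
    for line in rejected:
        print("REJECTED (unparseable):", line)
```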
Re: Low Cost 10G Router
1.4Mpps now. On 19.05.15 21:32, Oleg A. Arkhangelsky wrote: 19.05.2015, 21:26, Max Tulyev max...@netassist.ua: Last config I touched: 2xIntel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, 12 Gbit summary, 5% each core load. And what PPS rate (in+out)? -- wbr, Oleg. Anarchy is about taking complete responsibility for yourself. Alan Moore.
Re: Low Cost 10G Router
How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower. I haven't tried this configuration as a full router in production, but have been using them in a few places as a firewall solution and they've handled everything I've thrown their way so far. Initially, I had these in place as low-capital solutions that were going to be temporary so we could start building out a new environment and collect usage data to have real world sizing data for something like an ASA cluster, but they've worked so well that we've held off on that purchase for now (given challenging budget times in higher-education). The stability of VyOS has been good, and the image-based upgrade system has worked every time without issues for the past year or two (starting from 1.0.1 to the current 1.1.5). That said documentation for VyOS is poor, so you should be ready to dig into some source code or hit the IRC channel to get things running. Having a foundation with general Linux knowledge is helpful here too. If you just need a 10G link but only commit to 2-3G then this solution might be able to work well for you. If you need closer to line-rate 10G at small packet sizes then you might start running into performance limitations due to latency. If this is the case there is the Vyatta vRouter 5600 (VyOS is based on the GPL portions of the 5400), which claims to have Intel DPDK support and can handle multi-10G at line rate; but last time I checked it was really expensive ($10,000 per core or something ridiculous like that). 
In terms of commercial solutions, I think 10G and BGP are two things that don't combine well for cheap. An ASR1K might do the trick, but more likely than not you're looking at an ASR9K if you want full tables; I don't have any experience with the 1K personally so I can't speak to that. The ASR 9K is a really great platform and is what we use for BGP here, but it's pretty much the opposite of cheap. As far as the firewall stuff goes, I have a draft of VyOS as a firewall that I've been wanting to put together (still needs work): http://soucy.org/vyos/UsingVyOSasaFirewall.pdf P.S. Sorry the documentation for VyOS is so bad, what's there so far in the User Guide is basically me trying to do a first pass in hopes that others would help out and there haven't been many updates. On Tue, May 19, 2015 at 1:22 PM, Colton Conor colton.co...@gmail.com wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at? -- Ray Patrick Soucy Network Engineer University of Maine System T: 207-561-3526 F: 207-561-3531 MaineREN, Maine's Research and Education Network www.maineren.net
Re: Low Cost 10G Router
Here is what I found on Google about Cisco's options: http://www.cisco.com/c/en/us/products/routers/asr-1000-series-aggregation-services-routers/models-comparison.html And when it comes to Juniper, you might be able to get it done with MX40 (look at their options, there are different combinations of chassis and cards), and you can always upgrade to a MX80 later. Just not sure you can find anything low cost when you need to route 10gbps. On Tue, May 19, 2015 at 12:22 PM, Colton Conor colton.co...@gmail.com wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Low Cost 10G Router
What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
If you are considering Juniper, check out the MX104. There are bundles currently that give you similar capacity to an MX80 at a significantly lower price. thanks, -Randy - On May 19, 2015, at 1:22 PM, Colton Conor colton.co...@gmail.com wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
Hello!
Yep, no open source routers exist yet. But there are a lot of capabilities for this. We could just wait some time.
But DPDK _definitely_ could process 64mpps and 40GE with deep inspection and processing on cheap enough E5 2670v3 chips.
Yes, these are definitely ideas about a good future. They can't be used now but they have a really awesome outlook.
On Tue, May 19, 2015 at 11:46 PM, char...@thefnf.org wrote:
On 2015-05-19 14:23, Pavel Odintsov wrote:
Hello! Somebody definitely should build full feature router with DPDK/netmap/pf_ring :)
Netmap yes. The rest no. Why? Because netmap supports libpcap, which means everything just works. Other solutions need porting. You are going along, someone mentions a neat new libpcap based tool on NANOG and you want to try it out. If you've got DPDK/pf_ring, that means you are now having to port it. That's a fair amount of effort to just eval $COOL_NEW_TOOL.
I have finished detailed performance tests for all of them and could achieve wire speed forwarding (with simple packet rewrite and checksum calculation) with all of them.
With what features applied? DPDK with a fairly full feature set (firewall rules/dynamic routing/across a vpn tunnel/doing full l7 deep packet inspection) on straight commodity (something relatively recent gen xeon something many cores) hardware on $CERTAIN_POPULAR_RTOS seems to max out ~5gbps from what my local neighborhood network testing nerds tell me. As always, your mileage will most certainly vary of course.
The nice thing about commodity boxes is that you can just deploy the same core kit and scale it up/down (ram/cpu/redundant psu) at your favorite vendor's procurement portal (oh hey $systems_purchaser , can you order a couple extra boxes with that next set of a dozen boxes you're buying with this SKU and take it out of my budget? Thx). You are still going to pay a pretty decent list price for boxes that can reasonably forward AND inspect/block/modify at anything approaching line rate over say 5gbps.
Then you have things like the parallela board of course with its FPGA. And you have CUDA cards. But staffing costs for someone who has FPGA(parallel in general)/sysadmin/netadmin skills well that's pricy (and you'll want a couple of those in house if you do this at any kind of scale). Or you could just contract them I suppose (say at like $700.00 per hour or so?, which is what I'd charge to be a one man FPGA coding SDN slinging band since it's sort of like catching unicorns) Course you could just have your jack of all trades in house sys/net ops person and contract coding skills as needed.
Don't think this will really save you money. It won't. Buy a Juniper. Seriously. (I have a 6509 in my house along with various switches/routers/wifi/voip phones (all cisco). I'm not anti cisco by any means). But they are expensive from what I hear. You get what you pay for though.
What it will get you, is a very powerful and flexible solution that lets you manage at hyperscale with a unified command/control plane. It's DEVOPS 2.0 ( I can fire my netadmins now like I fired my sysadmins after I gave dev full prod access? COOL!) (Yes I'm being incredibly sarcastic and don't actually believe that). :)
Also look at onepk from cisco. It's kinda cool if you want SDN without having to fully build your own kit.
-- Sincerely yours, Pavel Odintsov
RE: Low Cost 10G Router
The running estimate is about 3 cores per 10GIf to maintain Line-Rate forwarding. The Enterprise version of Vyatta runs around 1.5-2 cores per 10Gif (Depends on how the forwarding plane is treating traffic, if you're remarking or heavy firewall rules the interrupt forwarding cost starts to impede).
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Max Tulyev
Sent: Tuesday, May 19, 2015 1:24 PM
To: nanog@nanog.org
Subject: Re: Low Cost 10G Router
Last config I touched: 2xIntel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, 12 Gbit summary, 5% each core load.
On 19.05.15 21:06, Piotr Iwanejko wrote:
Message written by Max Tulyev max...@netassist.ua on 19 May 2015, at 19:58:
We are using softrouters based on Supermicro chassis, E5v3 cpu, Linux/BIRD and Intel 10G NICs. And VERY happy.
Out of curiosity, how much traffic do you pass over those softrouters?
Piotr
Re: your mail
On Tue, May 19, 2015 at 03:53:19PM +, Ryan Shea via NANOG wrote: This post was from a subscriber whose From: address domain has a DMARC policy of reject or quarantine. The NANOG mailing list has automatically wrapped this message to prevent other subscribers mail systems from rejecting it. Can someone fix the DMARC settings to something more sensible? I've had to deal with this on the outages list already and it's simple to have it work in a more predictable way for users than injecting this text. The best settings are Munge From, (dmarc_moderation_action) as it will preserve the thread in a sensible way. I feel it's quite damaging to keep injecting this into the thread. One should also clear the dmarc_wrapped_message_text setting. - Jared -- Jared Mauch | pgp key available via finger from ja...@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Low Cost 10G Router
... This customer had an asr1002, but have a crash on asr router and only have this acx to up your link... It's a good test...
Sent via iPhone Grupo Connectoway
On 19/05/2015, at 18:59, Rodrigo 1telecom rodr...@1telecom.com.br wrote:
I know it is not possible to have a full routing on ex3300 (low memory for it), but I never tried to do a default router on it (with EFL licence and software above version 12). I have many bgp sessions with cisco 3750 switches.. Traffic about 2gb on it... Have a peer (ebgp customer) with an acx2000 (I know it has 10gb port), we send to this router a default route only... And it has 1.5gb with us and more 1gb with other link provider...
Sent via iPhone Grupo Connectoway
On 19/05/2015, at 17:59, Pavel Odintsov pavel.odint...@gmail.com wrote:
Hello!
Yep, no open source routers exist yet. But there are a lot of capabilities for this. We could just wait some time.
But DPDK _definitely_ could process 64mpps and 40GE with deep inspection and processing on cheap enough E5 2670v3 chips.
Yes, these are definitely ideas about a good future. They can't be used now but they have a really awesome outlook.
On Tue, May 19, 2015 at 11:46 PM, char...@thefnf.org wrote:
On 2015-05-19 14:23, Pavel Odintsov wrote:
Hello! Somebody definitely should build full feature router with DPDK/netmap/pf_ring :)
Netmap yes. The rest no. Why? Because netmap supports libpcap, which means everything just works. Other solutions need porting. You are going along, someone mentions a neat new libpcap based tool on NANOG and you want to try it out. If you've got DPDK/pf_ring, that means you are now having to port it. That's a fair amount of effort to just eval $COOL_NEW_TOOL.
I have finished detailed performance tests for all of them and could achieve wire speed forwarding (with simple packet rewrite and checksum calculation) with all of them.
With what features applied? DPDK with a fairly full feature set (firewall rules/dynamic routing/across a vpn tunnel/doing full l7 deep packet inspection) on straight commodity (something relatively recent gen xeon something many cores) hardware on $CERTAIN_POPULAR_RTOS seems to max out ~5gbps from what my local neighborhood network testing nerds tell me. As always, your mileage will most certainly vary of course.
The nice thing about commodity boxes is that you can just deploy the same core kit and scale it up/down (ram/cpu/redundant psu) at your favorite vendor's procurement portal (oh hey $systems_purchaser , can you order a couple extra boxes with that next set of a dozen boxes you're buying with this SKU and take it out of my budget? Thx). You are still going to pay a pretty decent list price for boxes that can reasonably forward AND inspect/block/modify at anything approaching line rate over say 5gbps.
Then you have things like the parallela board of course with its FPGA. And you have CUDA cards. But staffing costs for someone who has FPGA(parallel in general)/sysadmin/netadmin skills well that's pricy (and you'll want a couple of those in house if you do this at any kind of scale). Or you could just contract them I suppose (say at like $700.00 per hour or so?, which is what I'd charge to be a one man FPGA coding SDN slinging band since it's sort of like catching unicorns) Course you could just have your jack of all trades in house sys/net ops person and contract coding skills as needed.
Don't think this will really save you money. It won't. Buy a Juniper. Seriously. (I have a 6509 in my house along with various switches/routers/wifi/voip phones (all cisco). I'm not anti cisco by any means). But they are expensive from what I hear. You get what you pay for though.
What it will get you, is a very powerful and flexible solution that lets you manage at hyperscale with a unified command/control plane. It's DEVOPS 2.0 ( I can fire my netadmins now like I fired my sysadmins after I gave dev full prod access? COOL!) (Yes I'm being incredibly sarcastic and don't actually believe that). :)
Also look at onepk from cisco. It's kinda cool if you want SDN without having to fully build your own kit.
-- Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
I do use L3 switches for BGP at some locations (Cisco 3750) and they perform great. The problem is no instrumentation (e.g. Sflow, netflow).
-mel via cell
On May 19, 2015, at 12:55 PM, Pavel Odintsov pavel.odint...@gmail.com wrote:
What about L3 switches? You could receive full BGP table with Linux BOX with ExaBGP, parse it and feed to L3 switch.
On Tue, May 19, 2015 at 10:44 PM, Mel Beckman m...@beckman.org wrote:
I've seen serious, unusual performance bottlenecks in Mikrotik CCR, in some cases not even achieving gigabit speeds on 10G interfaces. Performance drops more rapidly than Cisco with smaller packet sizes. -mel beckman
On May 19, 2015, at 12:28 PM, Justin Wilson - MTIN li...@mtin.net wrote:
I second the Mikrotik recommendation. You don’t get support like you would with Cisco but it’s a solid product.
Justin Justin Wilson j...@mtin.net http://www.mtin.net Managed Services – xISP Solutions – Data Centers http://www.thebrotherswisp.com Podcast about xISP topics http://www.midwest-ix.com Peering – Transit – Internet Exchange
On May 19, 2015, at 3:16 PM, Keefe John keefe...@ethoplex.com wrote:
For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports. http://routerboard.com/CCR1036-8G-2SplusEM Keefe
On 5/19/2015 3:46 PM, Joe Greco wrote:
How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower.
What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more.
... JG
-- Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
I've seen serious, unusual performance bottlenecks in Mikrotik CCR, in some cases not even achieving gigabit speeds on 10G interfaces. Performance drops more rapidly than Cisco with smaller packet sizes. -mel beckman Folks often forget that Mikrotik ROS can also run on x86 machines. Size your favorite hardware (server) or network appliance with appropriate ports, add MT ROS on a CF card, and you are good to go. We use an i7-based network appliance with dual 10g cards (you can use a quad 10g card, such as those made by hotlav). With 2gig of RAM, you can easily do multiple (4-5 or more) full BGP peers, and i7 are good for approx 1.2mill pps. Best of luck. Faisal Imtiaz Snappy Internet Telecom
Re: Low Cost 10G Router
I've seen serious, unusual performance bottlenecks in Mikrotik CCR, in some cases not even achieving a gigabit speeds on 10G interfaces. Performance drops more rapidly then Cisco with smaller packet sizes. -mel beckman On May 19, 2015, at 12:28 PM, Justin Wilson - MTIN li...@mtin.net wrote: I second the Mikrotik recommendation. You don’t get support like you would with Cisco but it’s a solid product. Justin Justin Wilson j...@mtin.net http://www.mtin.net Managed Services – xISP Solutions – Data Centers http://www.thebrotherswisp.com Podcast about xISP topics http://www.midwest-ix.com Peering – Transit – Internet Exchange On May 19, 2015, at 3:16 PM, Keefe John keefe...@ethoplex.com wrote: For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports. http://routerboard.com/CCR1036-8G-2SplusEM Keefe On 5/19/2015 3:46 PM, Joe Greco wrote: How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower. What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more. ... JG
Re: Low Cost 10G Router
On 2015-05-19 14:23, Pavel Odintsov wrote: Hello! Somebody definitely should build full feature router with DPDK/netmap/pf_ring :) Netmap yes. The rest no. Why? Because netmap supports libpcap, which means everything just works. Other solutions need porting. You are going along, someone mentions a neat new libpcap based tool on NANOG and you want to try it out. If you've got DPDK/pf_ring, that means you are now having to port it. That's a fair amount of effort to just eval $COOL_NEW_TOOL. I have finished detailed performance tests for all of them and could achieve wire speed forwarding (with simple packet rewrite and checksum calculation) with all of them. With what features applied? DPDK with a fairly full feature set (firewall rules/dynamic routing/across a vpn tunnel/doing full l7 deep packet inspection) on straight commodity (something relatively recent gen xeon something many cores) hardware on $CERTAIN_POPULAR_RTOS seems to max out ~5gbps from what my local neighborhood network testing nerds tell me. As always, your mileage will most certainly vary of course. The nice thing about commodity boxes is that you can just deploy the same core kit and scale it up/down (ram/cpu/redundant psu) at your favorite vendor's procurement portal (oh hey $systems_purchaser, can you order a couple extra boxes with that next set of a dozen boxes you're buying with this SKU and take it out of my budget? Thx). You are still going to pay a pretty decent list price for boxes that can reasonably forward AND inspect/block/modify at anything approaching line rate over say 5gbps. Then you have things like the Parallella board of course with its FPGA. And you have CUDA cards. But staffing costs for someone who has FPGA(parallel in general)/sysadmin/netadmin skills well that's pricy (and you'll want a couple of those in house if you do this at any kind of scale). 
Or you could just contract them I suppose (say at like $700.00 per hour or so?, which is what I'd charge to be a one man FPGA coding SDN slinging band since it's sort of like catching unicorns) Course you could just have your jack of all trades in house sys/net ops person and contract coding skills as needed. Don't think this will really save you money. It won't. Buy a Juniper. Seriously. (I have a 6509 in my house along with various switches/routers/wifi/voip phones (all cisco). I'm not anti cisco by any means). But they are expensive from what I hear. You get what you pay for though. What it will get you, is a very powerful and flexible solution that lets you manage at hyperscale with a unified command/control plane. It's DEVOPS 2.0 ( I can fire my netadmins now like I fired my sysadmins after I gave dev full prod access? COOL!) (Yes I'm being incredibly sarcastic and don't actually believe that). :) Also look at onepk from cisco. It's kinda cool if you want SDN without having to fully build your own kit.
Re: Low Cost 10G Router
What about L3 switches? You could receive full BGP table with Linux BOX with ExaBGP, parse it and feed to L3 switch. On Tue, May 19, 2015 at 10:44 PM, Mel Beckman m...@beckman.org wrote: I've seen serious, unusual performance bottlenecks in Mikrotik CCR, in some cases not even achieving a gigabit speeds on 10G interfaces. Performance drops more rapidly then Cisco with smaller packet sizes. -mel beckman On May 19, 2015, at 12:28 PM, Justin Wilson - MTIN li...@mtin.net wrote: I second the Mikrotik recommendation. You don’t get support like you would with Cisco but it’s a solid product. Justin Justin Wilson j...@mtin.net http://www.mtin.net Managed Services – xISP Solutions – Data Centers http://www.thebrotherswisp.com Podcast about xISP topics http://www.midwest-ix.com Peering – Transit – Internet Exchange On May 19, 2015, at 3:16 PM, Keefe John keefe...@ethoplex.com wrote: For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports. http://routerboard.com/CCR1036-8G-2SplusEM Keefe On 5/19/2015 3:46 PM, Joe Greco wrote: How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower. What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. 
The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more. ... JG -- Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
I know it is not possible to have full routing on the ex3300 (low memory for it), but I never tried to do a default router on it (with EFL licence and software above version 12). I have many BGP sessions with Cisco 3750 switches. Traffic is about 2gb on it... Have a peer (eBGP customer) with an acx2000 (I know it has a 10gb port); we send to this router a default route only... And it has 1.5gb with us and 1gb more with another link provider... Sent via iPhone Grupo Connectoway On 19/05/2015, at 17:59, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! Yep, no such open source routers exist yet. But there are a lot of capabilities for this. We could just wait some time. But DPDK _definitely_ could process 64mpps and 40GE with deep inspection and processing on enough cheap E5 2670v3 chips. Yes, definitely these are ideas about a good future. They can't be used now but they have a really awesome outlook. On Tue, May 19, 2015 at 11:46 PM, char...@thefnf.org wrote: On 2015-05-19 14:23, Pavel Odintsov wrote: Hello! Somebody definitely should build full feature router with DPDK/netmap/pf_ring :) Netmap yes. The rest no. Why? Because netmap supports libpcap, which means everything just works. Other solutions need porting. You are going along, someone mentions a neat new libpcap based tool on NANOG and you want to try it out. If you've got DPDK/pf_ring, that means you are now having to port it. That's a fair amount of effort to just eval $COOL_NEW_TOOL. I have finished detailed performance tests for all of them and could achieve wire speed forwarding (with simple packet rewrite and checksum calculation) with all of them. With what features applied? 
DPDK with a fairly full feature set (firewall rules/dynamic routing/across a vpn tunnel/doing full l7 deep packet inspection) on straight commodity (something relatively recent gen xeon something many cores) hardware on $CERTAIN_POPULAR_RTOS seems to max out ~5gbps from what my local neighborhood network testing nerds tell me. As always, your mileage will most certainly vary of course. The nice thing about commodity boxes is that you can just deploy the same core kit and scale it up/down (ram/cpu/redundant psu) at your favorite vendors procurement portal (oh hey $systems_purchaser , can you order a couple extra boxes with that next set of a dozen boxes your buying with this SKU and take it out of my budget? Thx). You are still going to pay a pretty decent list price for boxes that can reasonably forward AND inspect/block/modify at anything approaching line rate over say 5gbps. Then you have things like the parallela board of course with it's FPGA. And you have CUDA cards. But staffing costs for someone who has FPGA(parallel in general)/sysadmin/netadmin skills well that's pricy (and you'll want a couple of those in house if you do this at any kind of scale). Or you could just contract them I suppose (say at like $700.00 per hour or so?, which is what I'd charge to be a one man FPGA coding SDN slinging band since it's sort of like catching unicorns) Course you could just have your jack of all trades in house sys/net ops person and contract coding skills as needed. Don't think this will really save you money. It won't. Buy a Juniper. Seriously. (I have a 6509 in my house along with various switches/routers/wifi/voip phones (all cisco). I'm not anti cisco by any means). But they are expensive from what I hear. You get what you pay for though. What it will get you, is a very powerful and flexible solution that lets you manage at hyperscale with a unified command/control plane. 
It's DEVOPS 2.0 ( I can fire my netadmins now like I fired my sysadmins after I gave dev full prod access? COOL!) (Yes I'm being incredibly sarcastic and don't actually believe that). :) Also look at onepk from cisco. It's kinda cool if you want SDN without having to fully build your own kit. -- Sincerely yours, Pavel Odintsov
[no subject]
Manually setting up and parsing email notifications for security vulnerabilities for all vendors is mighty annoying. It looks like the ICASI CVRF http://www.icasi.org/cvrf Working Group thought the same thing back in 2011 when they came up with this handy XML schema. I had not known of this until yesterday and noticed that Cisco does a good job http://tools.cisco.com/security/center/cvrfListing.x posting their vulnerabilities in CVRF. Word on the streets is that Juniper https://twitter.com/junipersirt/status/70627418737610752 was at least partially involved in CVRF as well. Brocade may have looked into it as well. This does not seem like a difficult thing for vendors to do, but the missing piece may be customer interest. I am hoping to drum up some interest here -- maybe a few support requests would entice them to hand this off to an intern and we could collectively do better at managing vendor notifications. A tool https://github.com/mschiffm/cvrfparse to parse CVRF is already floating about as well (mschiffm).
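What consuming CVRF instead of vendor e-mail could look like, as an added example that is not part of the original post and is not the cvrfparse tool: it parses one advisory and lists the inventory hosts running a product marked affected. It assumes the CVRF 1.1 namespaces and element names; the advisory, its ID, the placeholder CVE number, the product names and the inventory are all constructed.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (assumption: the vendor publishes against the 1.1 schema).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}
# Status types that mean "this product is vulnerable".
AFFECTED = {"First Affected", "Known Affected", "Last Affected"}

# Constructed advisory; the CVE number is a placeholder, not a real identifier.
SAMPLE_CVRF = b"""<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle>Constructed advisory: Example Router OS reload</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-SA-0001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
  </DocumentTracking>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <FullProductName ProductID="P-1">Example Router OS 1.0</FullProductName>
    <FullProductName ProductID="P-2">Example Router OS 1.1</FullProductName>
    <FullProductName ProductID="P-3">Example Switch OS 4.2</FullProductName>
  </ProductTree>
  <Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <Title>Crafted packet causes reload</Title>
    <CVE>CVE-0000-00001</CVE>
    <ProductStatuses>
      <Status Type="Known Affected">
        <ProductID>P-1</ProductID>
        <ProductID>P-3</ProductID>
      </Status>
      <Status Type="Fixed"><ProductID>P-2</ProductID></Status>
    </ProductStatuses>
    <CVSSScoreSets><ScoreSet><BaseScore>7.8</BaseScore></ScoreSet></CVSSScoreSets>
  </Vulnerability>
</cvrfdoc>"""

# Constructed inventory; "product" must match a FullProductName exactly (assumption).
SAMPLE_INVENTORY = [
    {"host": "edge1", "product": "Example Router OS 1.0"},
    {"host": "edge2", "product": "Example Router OS 1.1"},
    {"host": "agg1", "product": "Example Switch OS 4.2"},
]


def parse_cvrf(data: bytes) -> dict:
    """Parse one CVRF 1.1 document into a plain dict."""
    # Advisories come from outside: refuse DTDs so entity tricks never reach the parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration in advisory, refusing to parse")
    root = ET.fromstring(data)
    if root.tag != "{%s}cvrfdoc" % NS["cvrf"]:
        raise ValueError("not a CVRF 1.1 document")
    # FullProductName may be nested inside Branch elements, so search at any depth.
    products = {
        el.get("ProductID"): (el.text or "").strip()
        for el in root.findall(".//prod:FullProductName", NS)
    }
    vulns = []
    for v in root.findall("vuln:Vulnerability", NS):
        affected = []
        for status in v.findall("vuln:ProductStatuses/vuln:Status", NS):
            if status.get("Type") in AFFECTED:
                affected += [p.text.strip() for p in status.findall("vuln:ProductID", NS) if p.text]
        score = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)
        vulns.append({
            "title": v.findtext("vuln:Title", default="", namespaces=NS),
            "cve": v.findtext("vuln:CVE", default=None, namespaces=NS),
            "score": float(score) if score else None,
            "affected": affected,
        })
    return {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS),
        "title": root.findtext("cvrf:DocumentTitle", namespaces=NS),
        "products": products,
        "vulnerabilities": vulns,
    }


def affected_hosts(advisory: dict, inventory: list) -> list:
    """Return (host, cve, score) for inventory items running an affected product."""
    findings = []
    for vuln in advisory["vulnerabilities"]:
        names = {advisory["products"].get(pid) for pid in vuln["affected"]}
        for item in inventory:
            if item["product"] in names:
                findings.append((item["host"], vuln["cve"], vuln["score"]))
    # Highest score first, then host name, so the worst exposure is at the top.
    return sorted(findings, key=lambda f: (-(f[2] or 0.0), f[0]))


if __name__ == "__main__":
    for host, cve, score in affected_hosts(parse_cvrf(SAMPLE_CVRF), SAMPLE_INVENTORY):
        print(host, cve, score)
```
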
Re: Low Cost 10G Router
Oops, Cisco ASR 1k series might not cut it, you can take a look at their 9k series: http://www.cisco.com/c/en/us/products/routers/asr-9000-series-aggregation-services-routers/models-comparison.html On Tue, May 19, 2015 at 12:22 PM, Colton Conor colton.co...@gmail.com wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
We are using softrouters based on Supermicro chassis, E5v3 cpu, Linux/BIRD and Intel 10G NICs. And VERY happy. On 19.05.15 20:22, Colton Conor wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
Well, Hardly low cost =D - Alain Hebertaheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.netFax: 514-990-9443 On 05/19/15 13:31, Randy Carpenter wrote: If you are considering Juniper, check out the MX104. There are bundles currently that give you similar capacity to an MX80 at a significantly lower price. thanks, -Randy - On May 19, 2015, at 1:22 PM, Colton Conor colton.co...@gmail.com wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
RE: Low Cost 10G Router
What's the application, and what traffic levels do you anticipate. Any special features like MPLS or MPLS-TE? -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Colton Conor Sent: Tuesday, May 19, 2015 12:23 PM To: NANOG Subject: Low Cost 10G Router What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
Huawei NE40E-X1-M4 I've two of these with full routes and so far (4months) they've functioned perfectly, and the price point is... inexpensive. /rh On Tue, May 19, 2015 at 10:22 AM, Colton Conor colton.co...@gmail.com wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
As low as possible, though I am not sure how low that can be. For example, I can get a MX480 used with a 4 10G card for $16K. That would easily handle my needs, but it's overkill for what we need to do. I would love a solution under 10K, but not sure if one exists. On Tue, May 19, 2015 at 12:24 PM, Mehmet Akcin meh...@akcin.net wrote: How much is low cost? Mehmet On May 19, 2015, at 10:22, Colton Conor colton.co...@gmail.com wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
You could potentially do it with a Vyatta 5600 or a 6Wind Turbo router running on a generic server, but I am not sure where the cost crossover is with physical hardware especially if you go with used hardware. Colton Conor mailto:colton.co...@gmail.com May 19, 2015 at 10:22 AM What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
If you want virtual 10gb ports go vmware with a cisco routing vm or juniper routing vm Colin On 19 May 2015, at 18:40, Steve Noble sno...@sonn.com wrote: You could potentially do it with a Vyatta 5600 or a 6Wind Turbo router running on a generic server, but I am not sure where the cost crossover is with physical hardware especially if you go with used hardware. Colton Conor mailto:colton.co...@gmail.com May 19, 2015 at 10:22 AM What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Spamhaus BGP feed experiences?
In article 555b8313.5080...@netassist.ua you write: How much false positives (i.e. blackholing traffic users want to reach)? Very little. The DROP list, which is what's in the BGP feed, is a small subset of the SBL, and only includes blocks that send no legitimate traffic at all. On 18.05.15 21:04, Marco d'Itri wrote: On May 17, Mike Lyon mike.l...@gmail.com wrote: Any ISPs out there (big or small) ever used the Spamhaus BGP feed to prevent against botnet, spam, etc? If so, how has your experience been? Is it worthwhile? Has it helped? On / off list responses are appreciated in advance. We use Spamhaus DROP (not the BGP version: our software asks a human to review each change). The benefits are not obvious since we do not have access customers, but it will blackhole some networks you obviously do not want to talk to, and it has not caused any troubles either.
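The human-review workflow mentioned above for the non-BGP DROP list, sketched as an added example that is not from the thread and is not anyone's production tooling: it diffs two list snapshots and builds a review queue, flagging additions that overlap address space you must never blackhole and feeds that shrank suspiciously. It assumes the plain-text layout of one `prefix ; SBL reference` per line with `;` comment lines; the snapshots, SBL references and protected prefixes are constructed.

```python
import ipaddress

# Constructed snapshots in the assumed "prefix ; reference" text layout.
OLD_DROP = """\
; constructed sample, previous snapshot
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""
NEW_DROP = """\
; constructed sample, current snapshot
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000003
10.20.0.0/16 ; SBL000004
"""
# Constructed: your own, customer and peering space that must stay reachable.
PROTECTED = [ipaddress.ip_network("10.20.30.0/24")]


def parse_drop(text):
    """Return {network: reference}; reject malformed prefixes instead of skipping them."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            # strict=True refuses prefixes with host bits set.
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError as exc:
            raise ValueError("line %d: bad prefix %r" % (lineno, cidr.strip())) from exc
        entries[net] = ref.strip()
    return entries


def _order(net):
    # Sort key that also works when IPv4 and IPv6 prefixes are mixed.
    return (net.version, int(net.network_address), net.prefixlen)


def _flags(net, protected):
    flags = []
    for own in protected:
        if own.version == net.version and net.overlaps(own):
            flags.append("overlaps protected %s" % own)
    # Hypothetical sanity limit: very short prefixes deserve a second look.
    if net.prefixlen < (8 if net.version == 4 else 19):
        flags.append("unusually broad prefix")
    return flags


def review_changes(old_text, new_text, protected):
    """Build the queue a reviewer signs off before any null route changes."""
    old, new = parse_drop(old_text), parse_drop(new_text)
    feed_flags = []
    # An empty or halved list is far more likely a truncated download than a real change.
    if len(new) < len(old) * 0.5:
        feed_flags.append("feed shrank from %d to %d entries" % (len(old), len(new)))
    changes = []
    for net in sorted(set(new) - set(old), key=_order):
        changes.append({"action": "add", "prefix": str(net),
                        "ref": new[net], "flags": _flags(net, protected)})
    for net in sorted(set(old) - set(new), key=_order):
        changes.append({"action": "withdraw", "prefix": str(net),
                        "ref": old[net], "flags": []})
    return {"feed_flags": feed_flags, "changes": changes}


if __name__ == "__main__":
    result = review_changes(OLD_DROP, NEW_DROP, PROTECTED)
    for note in result["feed_flags"]:
        print("FEED:", note)
    for change in result["changes"]:
        print(change["action"], change["prefix"], change["ref"],
              "; ".join(change["flags"]) or "ok")
```

Nothing in the queue is applied automatically; a flagged entry is the case where a false positive would cut off your own customers.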
Re: Low Cost 10G Router
How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower. What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Low Cost 10G Router
Chat in my nerds irc channel about 10G routers paralleling this 14:21 b the Xeon D-1540 has 8 cores / 16 threads, 2GHz base clock with 2.6GHz turbo, and dual 10G nics on chip 14:21 b 45W TDP 14:31 b supposedly an asrock board is coming that can be 10Gbase-T or SFP+ 14:58 a supermicro are shipping some SFP+ 10G E5 boards 15:00 b but the xeon E5 doesn't have the on die 10G nic 15:07 a X9DRW-7TPF+ http://www.supermicro.com/products/motherboard/xeon/c600/x9drw-7tpf_.cfm Also: 1.4Mpps per 10G link doesnt seem like the minimum packetsize one wants for handling DOS attacks, but I might be bad at math. /kc On Tue, May 19, 2015 at 03:46:16PM -0500, Joe Greco said: How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower. What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. 
- Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. -- Ken Chase - Toronto Canada
Re:
(-direct-ryan) yikes formatting for this got wonky... On Tue, May 19, 2015 at 11:53 AM, Ryan Shea via NANOG nanog@nanog.org -- Forwarded message -- From: Ryan Shea ryans...@google.com To: nanog list nanog@nanog.org Cc: Date: Tue, 19 May 2015 15:53:15 + Subject: Unified Security Vulnerability Management Manually setting up and parsing email notifications for security vulnerabilities for all vendors is mighty annoying. It looks like the ICASI CVRF http://www.icasi.org/cvrf Working Group thought the same thing back in 2011 when they came up with this handy XML schema. I had not known of this until yesterday and noticed that Cisco does a good job http://tools.cisco.com/security/center/cvrfListing.x posting their vulnerabilities in CVRF. Word on the streets is that Juniper https://twitter.com/junipersirt/status/70627418737610752 was at least partially involved in CVRF as well. Brocade may have looked into it as well. This does not seem like a difficult thing for vendors to do, but the missing piece may be customer interest. I am hoping to drum up some interest here -- maybe a few support requests would entice them to hand this off to an intern and we could collectively do better at managing vendor notifications. A tool https://github.com/mschiffm/cvrfparse to parse CVRF is already floating about as well (mschiffm). I bet if we can get FR/PR numbers for some vendors we might be able to get a bunch of people to add support through a central set of points per vendor. Can we put the PR for juniper here? (and if other folk have a PR/FR for their pet vendor(s) add those to the list?)
Re: Low Cost 10G Router
For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports. http://routerboard.com/CCR1036-8G-2SplusEM Keefe On 5/19/2015 3:46 PM, Joe Greco wrote: How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower. What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more. ... JG
Re: Low Cost 10G Router
Chat in my nerds irc channel about 10G routers paralleling this 14:21 b the Xeon D-1540 has 8 cores / 16 threads, 2GHz base clock with 2.6GHz turbo, and dual 10G nics on chip 14:21 b 45W TDP Right, but that's a pretty lame clock. 14:31 b supposedly an asrock board is coming that can be 10Gbase-T or SFP+ Also the only one so far I've seen able to support multiple PCIe. The Supermicro is mini-ITX. But the AsRock has some weird power arrangement too. 14:58 a supermicro are shipping some SFP+ 10G E5 boards 15:00 b but the xeon E5 doesn't have the on die 10G nic 15:07 a X9DRW-7TPF+ http://www.supermicro.com/products/motherboard/xeon/c600/x9drw-7tpf_.cfm Yes, but that's a big wattsy thing. The X10SRW comes in some 1U variants that can handle two PCIe so it'd be an interesting router platform that does not eat lots of space. Also: 1.4Mpps per 10G link doesnt seem like the minimum packetsize one wants for handling DOS attacks, but I might be bad at math. Always an issue. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Low Cost 10G Router
Hello! Somebody definitely should build full feature router with DPDK/netmap/pf_ring :) I have finished detailed performance tests for all of them and could achieve wire speed forwarding (with simple packet rewrite and checksum calculation) with all of they. I.e. I could process 10GE and 14.6 mpps (64byte packets) on very cheap i7 3820 with single intel X540 NIC (total cost about $ 800) with CPU 70% load. But full BGP routing is a challenge but could be implemented with existing approaches like DXR: http://info.iet.unipi.it/~luigi/papers/20120601-dxr.pdf Cheers! On Tue, May 19, 2015 at 10:11 PM, Ken Chase m...@sizone.org wrote: Chat in my nerds irc channel about 10G routers paralleling this 14:21 b the Xeon D-1540 has 8 cores / 16 threads, 2GHz base clock with 2.6GHz turbo, and dual 10G nics on chip 14:21 b 45W TDP 14:31 b supposedly an asrock board is coming that can be 10Gbase-T or SFP+ 14:58 a supermicro are shipping some SFP+ 10G E5 boards 15:00 b but the xeon E5 doesn't have the on die 10G nic 15:07 a X9DRW-7TPF+ http://www.supermicro.com/products/motherboard/xeon/c600/x9drw-7tpf_.cfm Also: 1.4Mpps per 10G link doesnt seem like the minimum packetsize one wants for handling DOS attacks, but I might be bad at math. /kc On Tue, May 19, 2015 at 03:46:16PM -0500, Joe Greco said: How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower. What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. 
Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. -- Ken Chase - Toronto Canada -- Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
I second the Mikrotik recommendation. You don’t get support like you would with Cisco but it’s a solid product. Justin Justin Wilson j...@mtin.net http://www.mtin.net Managed Services – xISP Solutions – Data Centers http://www.thebrotherswisp.com Podcast about xISP topics http://www.midwest-ix.com Peering – Transit – Internet Exchange On May 19, 2015, at 3:16 PM, Keefe John keefe...@ethoplex.com wrote: For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports. http://routerboard.com/CCR1036-8G-2SplusEM Keefe On 5/19/2015 3:46 PM, Joe Greco wrote: How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower. What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more. ... JG
Re: Low Cost 10G Router
How much does a Huawei NE40E-X1-M4 cost Richard? On Tue, May 19, 2015 at 1:09 PM, Richard Holbo hol...@sonss.net wrote: Huawei NE40E-X1-M4 I've two of these with full routes and so far (4months) they've functioned perfectly, and the price point is... inexpensive. /rh On Tue, May 19, 2015 at 10:22 AM, Colton Conor colton.co...@gmail.com wrote: What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?
Re: Low Cost 10G Router
2015-05-19 16:16 GMT-03:00 Keefe John keefe...@ethoplex.com: For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports. http://routerboard.com/CCR1036-8G-2SplusEM Run away from Mikrotik, especially if you want to run BGP. -- Eduardo Schoedler
Re: Low Cost 10G Router
Mikrotik CCR has huge issues in case of DDoS: http://forum.mikrotik.com/viewtopic.php?t=92728 On Tue, May 19, 2015 at 10:37 PM, Eduardo Schoedler lis...@esds.com.br wrote: 2015-05-19 16:16 GMT-03:00 Keefe John keefe...@ethoplex.com: For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports. http://routerboard.com/CCR1036-8G-2SplusEM Run away from Mikrotik, especially if you want to run BGP. -- Eduardo Schoedler -- Sincerely yours, Pavel Odintsov