Re: 10G CPE w/VXLAN - vendors?

2023-06-14 Thread Arie Vayner
Not sure how much of a "CPE" it needs to be, but for example the whole Cisco
Catalyst 9K product line (including the smaller C9300 switches) supports the
whole EVPN/VXLAN stack.
A similar set of products exists on the Arista side (e.g. 7xx switches) as
well as Juniper EX4400 products...

On Wed, Jun 14, 2023, 11:53 Adam Thompson  wrote:

> Hello, all.
>
> I’m having difficulty finding vendors, never mind products, that fit my
> need.
>
> We have a small but growing number of L2 (bridged) customers that have
> diverse fiber paths available, and, naturally, want to make use of them.
>
> We have a solution for this: we extend the edge of our EVPN VXLAN fabric
> right to the customer premise.  The customer-prem device needs 4x10G SFP+
> cages (2 redundant paths, plus LAG to customer), and the switches we
> currently use, Arista 7020Rs, are quite expensive if I’m deploying one
> per customer.  (Nice switches, but overkill here – I don’t need 40/100G,
> and I don’t need 24 SFP+ ports.  And they still take forever to ship.)
>
> We use RFC7438 §6.3 “vlan-aware-bundle” mode, not §6.1 “vlan-based” mode,
> which limits our choices somewhat.  I might be willing to entertain
> spinning up a separate VXLAN mesh using RFC7438 §6.1 (“vlan-based”) and
> static VTEPs if it saves me a lot of pain.
>
> However, I’m having trouble finding small & cheap*er* 1U (or even
> desktop/wallmount) devices that have 4 SFP+ cages, and can do VXLAN, in the
> first place.
>
> Who even makes CPE gear with SFP+ ports?  (Other than Mikrotik
> CRS309-1G-8S+IN / CRS317-1G-16S+RM, which are nice, but our policy requires
> vendor support contracts, so… no-go.)
>
> Vendors?  Model#s, if you happen to know any?
>
> Reply here or privately, whatever floats your boat – any pointers
> appreciated!
>
> *Adam Thompson*
> Consultant, Infrastructure Services
> 100 - 135 Innovation Drive
> Winnipeg, MB R3T 6A8
> (204) 977-6824 or 1-800-430-6404 (MB only)
> https://www.merlin.mb.ca


Re: Increase bandwidth usage in partial-mesh network?

2021-10-14 Thread Arie Vayner
Maybe something like this (if you can break it into different bgp ASNs by
network area):

"draft-mohanty-bess-ebgp-dmz-03"
https://datatracker.ietf.org/doc/html/draft-mohanty-bess-ebgp-dmz-03

On Wed, Oct 13, 2021, 10:30 Adam Thompson  wrote:

> Looking for recommendations or suggestions...
>
> I've got a downstream customer asking for help;  they have a private
> internal network that I've taken to calling the "partial-mesh network from
> hell": it's got two partially-overlapping radio networks, mixed with
> islands of isolated fiber connectivity.
> Dynamic routing protocols (IS-IS, OSPF, EIGRP, etc.) generally will only
> select the _best_ path, they won't spread the load unless all paths are
> equal - and they are very unequal in this network, ECMP would likely fail
> horribly.
> The network is becoming bandwidth-limited, so they're wanting to make use
> of all available paths, not just the single "best" path.  It's also remote
> and spread out, so adding new links or upgrading existing links is
> difficult and expensive.
> Oh, and their routers are overdue for a refresh, so acquiring replacement
> h/w is now possible.
>
> Has anyone come across any product or technology that can handle the
> multi-path-ness and the private-network-ness like a regular router, but
> also provides the intelligent per-flow path steering based on e.g. latency,
> like an SD-WAN device (and/or some firewalls)?
>
> Here's hoping,
> -Adam
>
> *Adam Thompson*
> Consultant, Infrastructure Services
> 100 - 135 Innovation Drive
> Winnipeg, MB, R3T 6A8
> (204) 977-6824 or 1-800-430-6404 (MB only)
> athomp...@merlin.mb.ca
> www.merlin.mb.ca
>


Re: Network issues in Israel/Middle East

2020-05-26 Thread Arie Vayner
Most (if not all) of Israel's capacity is served from Europe. There is no
real reason to serve users in Israel from India... You should most likely
be using instances in Frankfurt or London for best results.

On Mon, May 25, 2020, 12:46 Martijn Schmidt via NANOG 
wrote:

> Hey John,
>
> Do you have some background information about how Dublin is "technically
> farther away" than Mumbai? Is the latency actually better in the middle of
> the night? I'm genuinely curious, and I'll explain the reason why.. :)
>
> The shortest submarine route to Mumbai would probably be Mednautilus to
> Greece, hope you can crossconnect to AAE-1 there, and then through Egypt,
> around the Arabian Peninsula, to Mumbai. All in all ~7800km if not more,
> and that's a pretty uncommon path - you may have to go all the way to Italy
> or even Marseille to do the crossconnect.
>
> Compared to using let's say Jonah to connect to Italy for ~2300km,
> terrestrial to the western UK via the Channel tunnel for another ~2500km,
> take UK to Ireland over let's say Solas for ~230km, and the last stretch to
> Dublin for ~180km. All in all ~5200km, and that's all pretty common routing
> for the Internet.
>
> Then the last option could be a terrestrial path straight through the
> Arabian peninsula and using a submarine cable for the last stretch to
> Mumbai, which may technically be the shortest distance with ~4500km
> covered.. but let's just say that there is a reason why Google's Blue-Raman
> cable will be a very impressive achievement if/when it goes live:
> https://www.haaretz.com/israel-news/business/.premium-israel-to-play-key-role-in-giant-google-fiber-optic-cable-project-1.8764470
>
> Best regards,
> Martijn
> --
> *From:* NANOG  on behalf of John Von Essen <
> j...@essenz.com>
> *Sent:* 25 May 2020 20:59
> *To:* NANOG Operators' Group 
> *Subject:* Network issues in Israel/Middle East
>
> I know this is outside the scope of “North America”, but has anyone else
> been fielding more issues related to network health/congestion in the
> middle east, specifically Israel?
>
> Our users in Israel are primarily served from India-based resources
> (AWS/Azure), both of which have cloud capacity issues in India that I’m
> aware of.
>
> Also, the majority of our users in Israel that have been reporting
> slowness seem to be mostly behind the ISP Bezeq. If we force them to route
> to Ireland (which is technically farther away from a latency standpoint)
> things are much better, so I’m wondering if just Bezeq (or everyone in
> Israel) is just experiencing 3rd party-related network congestion to Mumbai.
>
> Thanks
> John
>
>
>


Re: Consistent routing policy?

2019-09-16 Thread Arie Vayner
Ben,

To make it a bit cleaner, you most likely want to send your aggregate (/21)
to all service providers, and then if you choose to deaggregate and create
more specific advertisements for traffic engineering purposes, you just
advertise the relevant longer prefixes (/22's for example) on the specific
uplink you want the traffic to return on.

So for example, let's say you have a /21, and you want to split the traffic
across 2x /22's, you advertise the /21 on both ISP links, and a single
(different) /22 on each ISP link.

This way the more specific route (/22) will pull the traffic towards the
ISP that is advertising it, but in case of a failure on one of those links,
you still have the /21 aggregate that will pull all the traffic to the
other link.

This should generally work, but may have strange edge cases, especially
when ISPs do their own (not necessarily standard) traffic engineering.
For example ISP A, getting a /21 could set the local preference for that
/21 higher than other peers (where they would be learning your other /22),
so traffic originating from this local ISP would take the local path
regardless of your policy. This is when you will have to start looking at
their BGP communities...

Tnx
Arie

On Mon, Sep 16, 2019 at 7:13 AM Ben Logan 
wrote:

> Thanks, Mark, that makes sense.
>
> Take care,
> Ben
>
> On Mon, Sep 16, 2019 at 9:05 AM Mark Tinka  wrote:
>
>>
>>
>> On 16/Sep/19 14:47, Ben Logan wrote:
>> > Thanks, Mark.  So the discrepancy between what's being advertised (/21
>> > vs /22) shouldn't cause any issues?  That's the part I got a bit
>> > confused about.  I don't see how it would, but I wanted to make sure.
>>
>> Longest match always wins... so provided your /22's are in the global
>> table, traffic will follow the path toward them before the /21 is
>> preferred.
>>
>> So, for example, if the upstream to whom you are sending the /21 doesn't
>> do anything about how they learn the /22 from another source, (for their
>> network) they will also send traffic back to you via the /22 path. This
>> may or may not be preferred by you, or them. I suppose that's the main
>> thing to think about.
>>
>> Mark.
>>
>
>
> --
> Ben Logan
> Senior Network Engineer | Working Lead
> Wilkes Communications | RiverStreet Networks
>
> Address: 1400 River St Wilkesboro, NC 28697
> Email: benlo...@myriverstreet.net
> Phone: 336-973-9075
> Mobile: 336-452-8072


Re: Multicast traffic % in enterprise network ?

2018-08-08 Thread Arie Vayner
Multicast is heavily used for applications such as stock trading and
industrial networks. So it really depends...

On Thu, Aug 9, 2018, 00:23 Justin M. Streiner  wrote:

> On Wed, 8 Aug 2018, Mankamana Mishra (mankamis) via NANOG wrote:
>
> >  *   If there is any data which can provide what % of traffic is
> > multicast traffic. And if multicast is removed, how much unicast traffic
> > it would add up?
> >  *   Since this forum has people from deployment area, I would love to
> > know if there is real deployment problems or its pain to deploy
> > multicast.
>
> > These questions is to work / discussion in IETF to see what is pain
> > points for multicast, and how can we simplify it.
>
> The amount of multicast traffic on an enterprise network will depend
> greatly on how multicast is being used, and to some extent, the type of
> business the enterprise is in.
>
> An enterprise that uses multicast primarily for IPTV distribution might
> have different business and technology drivers than, say, a hospital
> or healthcare organization that has patient monitors that use multicast
> to communicate back to a central monitoring station.  The percentage of
> multicast traffic in those two scenarios might be vastly different, but
> no less important to their respective organizations.
>
> Thank you
> jms
>


Re: How are you configuring BFD timers?

2018-03-28 Thread Arie Vayner
Not directly related, but I wonder: how common is micro-BFD for detecting
bundle member failures?



On Thu, Mar 22, 2018 at 10:12 PM Måns Nilsson 
wrote:

>
>
> --On 22 mars 2018 23:45:16 +0200 Saku Ytti  wrote:
>
> > On 22 March 2018 at 22:41, Måns Nilsson 
> > wrote:
> >
> >> Subject: Re: How are you configuring BFD timers? Date: Wed, Mar 21, 2018
> >> at 04:24:47PM + Quoting Job Snijders (j...@instituut.net):
> >>> Silly question perhaps, but why would you do BFD on dark fiber?
> >>
> >> Because Ethernet lacks the PRDI that real WAN protocols have.
> >
> > Indeed, RFI on ethernet is rather modern addition, turning 20 this year.
>
> (You just reminded me I've been doing some sort of WAN network ops for
> about 20 years.)
>
> That does indeed solve the problem for dark fibre, and those lucky WDM
> systems that actually reflect input status to output. Not always true, I'm
> afraid (just look at the Ethernet switch mid-span that Thomas Bellman wrote
> about; a fitting metaphor for all "ethernet-over-other.." models..).
> Ethernet still regards "no frames seen on the yellow coax" as an
> opportunity to send traffic rather than an error, if we're talking old
> things ;-).  BFD solves that, and it is worthwhile to have one setup
> regardless of technology, if possible.
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE   SA0XLR+46 705 989668
> CHUBBY CHECKER just had a CHICKEN SANDWICH in downtown DULUTH!
>


Re: [c-nsp] ASR opinions..

2012-03-08 Thread Arie Vayner
Mark,

I guess it has to do with the fact that every FIB entry also has a data
structure on the RP, as control plane has to calculate the FIB (i.e.
CEF...) and then copy the result into the forwarding plane (ESP).

Arie

On Thu, Mar 8, 2012 at 1:34 PM, Mark Tinka mti...@globaltransit.net wrote:

> On Wednesday, February 08, 2012 11:28:24 PM Arie Vayner
> wrote:
>
> > Mark,
>
> Hello Arie.
>
> Sorry for the very late reply.
>
> > I made sure with the BU, and they confirmed that ASR1001
> > with 8GB RAM can handle 1M routes per the data sheet.
>
> Are we talking 1,000,000 FIB entries, as I don't see how
> control plane RAM can influence FIB capacity in this
> particular case :-)?
>
> Mark.



Re: [c-nsp] ASR opinions..

2012-02-08 Thread Arie Vayner
Mark,

I made sure with the BU, and they confirmed that ASR1001 with 8GB RAM can
handle 1M routes per the data sheet.
The difference between ASR1001 and ASR1002 with EFP5 is due to a more
powerful integrated RP on ASR1001 (Not really RP2, but closer to RP2 than
RP1) and more memory (4GB is max on RP1)

Arie

On Wed, Feb 1, 2012 at 5:50 AM, Mark Tinka mti...@globaltransit.net wrote:

> On Tuesday, January 31, 2012 06:38:10 AM Christopher J.
> Pilkington wrote:
>
> > Does anyone have a link to a definitive document clearly
> > showing FIB numbers for the ASR1001?  I've got an email
> > into our Cisco SE, but I don't think they're motivated
> > to sell us a lower-end box. :-)
>
> On that link, Tables 1 and 3 contradict each other re: the
> ASR1001.
>
> However, I confirmed with our SE, and he says no way the
> ASR1001 supports anything more than 512,000 v4 entries and
> 128,000 v6 entries (which is Table 3).
>
> Maybe someone on the list from Cisco can help fix the
> documentation.
>
> Mark.



Re: Yahoo and IPv6

2011-05-10 Thread Arie Vayner
Igor,

When testing, you should take into consideration that people from all across
the world may use this tool, and in some places speed is not the same as in
other places... Latency... Bad links... Etc.

Arie

On Tue, May 10, 2011 at 7:58 AM, Igor Gashinsky i...@gashinsky.net wrote:

> On Mon, 9 May 2011, valdis.kletni...@vt.edu wrote:
>
> > Given the following posting from earlier this morning:
> >
> > > The location that's affecting the results is pending removal from DNS;
> > > and ASAP we hope to have the name moved to the geo-LB that supports v6,
> > > instead of the round robin it is today.
> >
> > I feel pretty damned justified in saying it wasn't *my* network causing
> > the retransmits.
> >
> > (Oh - and kudos for the person quoted above for 'fessing up, and to the
> > people that tracked down the actual issue. That always sucks when the
> > test rig itself has issues. Glad to hear it will be fixed)
>
> In the spirit of full disclosure, I'll fess up a little more then :) We
> did have the cname for the help pages point to an old rotation, something
> that is getting rectified, and the timeout in the javascript was a tad too
> aggressive (would lead to some unwanted false negatives), so that timeout
> is going to be up'ed to between 5 and 10 seconds (we are measuring a few
> different things, so which value will be used will depend on what is being
> measured where).
>
> Thank you for catching this -- we are still working on finishing up the
> monitoring component of flag day related content :)
>
> -igor



Re: Yahoo and IPv6

2011-05-09 Thread Arie Vayner
Actually, I have just noticed a slightly more disturbing thing on the Yahoo
IPv6 help page...

I have IPv6 connectivity through a HE tunnel, and I can reach IPv6 services
(the only issue is that my ISP's DNS is not IPv6 enabled), but I tried to
run the Start IPv6 Test tool at http://help.yahoo.com/l/us/yahoo/ipv6/ and
it says:
"We detected an issue with your IPv6 configuration. On World IPv6 Day, you
will have issues reaching Yahoo!, as well as your other favorite web sites.
We recommend disabling IPv6
<http://us.lrd.yahoo.com/_ylt=ArHGqIAYvt_4fpp3N3vLzmNRJ3tG/SIG=11vv8jc1f/**http%3A//help.yahoo.com/l/us/yahoo/ipv6/general/ipv6-09.html>,
or seeking assistance in order to fix your system's IPv6 configuration
through your ISP or computer manufacturer."

What disturbs me is the piece saying "We recommend disabling IPv6"
<http://us.lrd.yahoo.com/_ylt=ArHGqIAYvt_4fpp3N3vLzmNRJ3tG/SIG=11vv8jc1f/**http%3A//help.yahoo.com/l/us/yahoo/ipv6/general/ipv6-09.html>,
with a very easy link...

Arie


On Mon, May 9, 2011 at 9:54 AM, Franck Martin fmar...@linkedin.com wrote:

> http://help.yahoo.com/l/us/yahoo/ipv6/general/ipv6-05.html
> "Will IPv6 become a permanent change on June 8, 2011?
> No. World IPv6 day is a 24-hour trial period in which we will publish our
> content on both the IPv4 and IPv6 servers. Yahoo! is participating in order
> to help prepare our services (as well as your hardware) to help ensure a
> smooth transition for when the IPv4 addresses run out."
>
> Huh… I thought IPv4 addresses had run out already….
>
> At IANA level and now for anyone in the AP region at least.



Re: Numbering nameservers and resolvers

2010-08-16 Thread Arie Vayner
For resolvers, I guess it would make sense to advertise them as /32s as
dynamic prefixes coming from some SLB device...
You can have multiple VIPs, each representing a different POP/network
domain...

Arie

On Mon, Aug 16, 2010 at 9:49 AM, Mike mike-na...@tiedyenetworks.com wrote:

> Hi Folks,
>
> I am needing to renumber some core infrastructure - namely, my
> nameservers and my resolvers - and I was wondering if the collective wisdom
> still says "heck yes, keep this stuff all on separate subnets away from
> each other"? Anyone got advice either way? Should I try to give sequential
> numbers to my resolvers for the benefit of consultants ... like .11, .22 and
> .33 for my server ips?
>
> Mike-





Re: Numbering nameservers and resolvers

2010-08-16 Thread Arie Vayner
In IPv6 you should be able to advertise up to /48 with no problem...
Arie

On Mon, Aug 16, 2010 at 4:03 PM, Chris Adams cmad...@hiwaay.net wrote:

> Once upon a time, Patrick W. Gilmore patr...@ianai.net said:
> > 1) Use different prefixes.  A single prefix going down should not kill
> > your entire network.  (Nameservers and resolvers being unreachable
> > breaks the whole Internet as far as users are concerned.)
>
> How do you do this in the IPv6 world, where I get a single /32?  Will
> others accept announcements of two /33s to better handle things like
> this?
>
> --
> Chris Adams cmad...@hiwaay.net
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.




Re: Overseas - Latency

2010-07-06 Thread Arie Vayner
Eric,

I just ran a few traceroutes from Israel (through 2 different providers) and
the performance seems normal.

Can you tell me where to test specifically to?

Thanks
Arie

On Tue, Jul 6, 2010 at 6:05 PM, Eric Williams ewilli...@connectria.com wrote:

> We have several customers that are reporting horrible latency when coming
> from overseas (Israel, Europe, etc...)  Looking at a few global maps for
> latency, I don't see any issues.  Does anybody know of any fiber cuts or
> any issues currently going on?  FYI, the customer in question at my
> datacenter currently uses Level3 and Cogent and we reside in St. Louis.



Re: International TE

2010-04-29 Thread Arie Vayner
Thomas,

Check this link:
http://onesc.net/communities/

You can always play with as-path prepending and advertising a more specific
subnets through different providers...

Arie

On Thu, Apr 29, 2010 at 4:43 PM, Thomas Magill
tmag...@providecommerce.com wrote:

> I am interested in only accepting international traffic from one of our
> secondary providers only.  Most providers I have dealt with have a TE
> community list which allows me to prepend or not advertise to their
> upstream peers.  However, my primary provider does not have this.  My
> goal is to not advertise internationally through this provider.  I am
> considering just setting the communities for my provider's upstream
> peers (about 7 of them) to tell them to not advertise internationally.
> I am also trying to get my primary provider to implement this
> functionality.
>
> Are there any better ways to do this?  Also, if anyone has a
> consolidated list of provider TE communities that would be a great
> resource.
>
> Thomas Magill
> Network Engineer
> provide-commerce






Re: Ethernet Services cards types queue values

2010-01-27 Thread Arie Vayner
Burak,

The idea is that you use the high queue cards as UNI ports terminating
customers, where you would have many service instances and complex QOS
policies such as hierarchical shaping and multiple classes per customer.

On the core links you would usually need less queues as you would have a
generic aggregated QOS policy.

Specifically on the 7600 I think you are looking at the regular LAN
modules (as opposed to the ES20/ES+ modules) which have the lower queue
numbers per port. These modules (the LAN modules) also have more limited
functionality support as they do not have the ability to support many
features supported only on the ES modules.
For some services/features you would require the ES modules to be on either
UNI or NNI (depending on what you want to achieve).

For ASR9000 there are also a few module types following the same model
above. More queues for UNI and less queues (and thus cheaper) for NNI, but
in this case supporting all the different features.

Arie

On Wed, Jan 27, 2010 at 8:18 AM, Burak Dikici bdik...@gmail.com wrote:

> Hello,
>
> There are different types of Cisco 7600 Series Ethernet Services cards
> (more expensive cards with high queue values and less expensive cards with
> low queue values).
>
> http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-549419.html
> Hardware queues
> ES Plus XT 40G line cards
> • 128,000 ingress queues
> • 256,000 egress queues
> ES Plus XT 20G line cards
> • 64,000 ingress queues
> • 128,000 egress queues
> Hierarchical QoS (H-QoS)
>
> http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-570730.html
> Hardware queues
> Cisco 7600 Series ES Plus Transport 40G and 20G Line Cards
> Supporting up to 16 level 4 queues per physical port
> Hierarchical QoS (H-QoS)
>
> Low queue cards have got only 4 queues per physical port. High queue cards
> have got a minimum of 64,000 queues. This is a very huge difference.  In what
> kind of scenario do we have to use the high queue cards? Could you give some
> examples please?  Kind Regards.
>
> Burak



Re: IOS family naming

2010-01-26 Thread Arie Vayner
Andrey,

I could not find a good link, but let me give you some info on SG, SGA, EW
and EWA.
All these trains are for the 4500 family (including 4900). They are just
different generations.

The EW (and then EWA) were the older trains for 4500, which were replaced by
the SG trains.
If I am not too wrong EW/EWA was new around 2004.

SGA was the 1st release for the SG train, but later releases are not called
SGB/SGC, but are just marked SG, so you get 12.2(31)SGA as the first release
(with 12.2(31)SGA1, 12.2(31)SGA2 etc being maintenance releases, with SGA11
scheduled to be released in a few weeks).

The later SG releases are numbered as 12.2(37)SG, 12.2(40)SG, etc - and we
have 12.2(53)SG as the latest one. Each such release brings in new features,
and has its own maintenance releases (so it would be 12.2(53)SG1,
12.2(53)SG2 etc, with 12.2(53)SG2 being scheduled for Q2CY10).

Hope this gives you a better view.

Arie

On Tue, Jan 26, 2010 at 10:35 PM, Andrey Gordon andrey.gor...@gmail.com wrote:

> Hi List,
> Does anyone recall ever seeing the IOS naming convention document? In
> particular I'm interested in differences between families and trains.
>
> This is all I found:
> http://www.cisco.com/warp/public/620/1.html#topic1
>
> But I'm looking for something a bit more recent maybe? Can figure out
> differences between say SG, SGA, EW and EWA.
>
> A link to the cipher would certainly help.
>
> -
> Andrey Gordon [andrey.gor...@gmail.com]



Re: I don't need no stinking firewall!

2010-01-08 Thread Arie Vayner
What is nice about load balancers is that if you design your solution
correctly, you can scale them in a very nice way. Things like direct server
return, where only the requests hit the load balancer, but the replies
(which are usually larger) just route back directly to the client can free
up resources on the load balancer to handle more complex policies.
This also reduces the imposed symmetry for routing that firewalls bring to
the table.

Further on, if you want to really protect against a real DDoS you would most
likely have to look at a really distributed solution, where the
different geographical load balancing solutions come into play.

Arie

On Wed, Jan 6, 2010 at 7:03 AM, George Bonser gbon...@seven.com wrote:

> > -Original Message-
> > From: Dobbins, Roland [mailto:rdobb...@arbor.net]
> > Sent: Tuesday, January 05, 2010 8:53 PM
> > To: NANOG list
> > Subject: Re: I don't need no stinking firewall!
> >
> > On Jan 6, 2010, at 11:43 AM, George Bonser wrote:
> >
> > > Yes, you have to take some of the things that were done in one spot
> > > and do them in different locations now, but the results are an amazing
> > > increase in service capacity per dollar spent on infrastructure.
> >
> > I strongly agree with the majority of your comments, with the caveat
> > that I've seen many, many load-balancers fall over due to state-
> > exhaustion, too; load-balancers need northbound protection from DDoS
> > (S/RTBH, flow-spec, IDMS, et. al.), as well.
>
> Yes, I have seen load balancers fall over, too.  I have some interesting
> stories of how those problems have been solved. Sometimes it relies on
> using a feature of one vendor to leverage a feature of another vendor.
> But I generally agree with you.  There is a lot that can be done ahead
> of the load balancers.






Re: Finding asymmetric path

2009-11-29 Thread Arie Vayner
Actually, this can be achieved easily using reflexive ACLs on any Cisco
router, so no real need to change the topology or add new devices in the
path:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl

Arie

On Sat, Nov 28, 2009 at 10:26 PM, Duane Waddle duane.wad...@gmail.com wrote:

> On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns br...@2mbit.com wrote:
>
> > My partner Tammy says a PIX could probably accomplish the same task (we
> > have some here for the corp lan stuff, including spares).
>
> Yes, a PIX/ASA would stop this cold.  The TCP state tracking would not
> allow traffic to pass unless the whole 3-way handshake was observed by
> the box.  Only recently did Cisco add features to make tracking the
> TCP connection state optional.
> (http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf)
> The larger ASA-5580 machines can be virtualized into dozens (or more)
> security contexts as needed.  I imagine it would take some effort to
> figure out how to cleanly integrate such a configuration into a POP.
>
> --D
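The mechanism Arie points at, a reflexive ACL on the existing edge router, does the same job as the PIX/ASA state tracking Duane describes: an outbound packet creates a temporary mirrored entry, and inbound packets are only permitted if they match a live entry (or a static inbound permit for published services). A return packet that comes back through a different router, one that never saw the outbound leg, matches nothing and is dropped, which is exactly how the asymmetric path shows up. The following model is an added example, not code from the thread or from IOS; the two routers R1/R2, the addresses (192.0.2.x inside, 198.51.100.7 outside) and the 300-second idle timeout are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass
class Packet:
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    t: float         # arrival time in seconds (constructed timeline)


@dataclass
class ReflexiveAcl:
    """Model of a reflexive ACL on one edge router.

    Outbound packets are permitted and create a mirror entry for the
    reverse 5-tuple; inbound packets are permitted only if they hit a
    static permit or an unexpired mirror entry. Entries refresh on use."""
    timeout: float = 300.0
    static_permits: Set[Tuple[str, str, int]] = field(default_factory=set)  # (proto, dst, dport)
    entries: Dict[FlowKey, float] = field(default_factory=dict)             # mirror key -> expiry

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.entries[mirror] = pkt.t + self.timeout
            return "permit"
        if (pkt.proto, pkt.dst, pkt.dport) in self.static_permits:
            return "permit"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is not None and pkt.t <= expiry:
            self.entries[key] = pkt.t + self.timeout   # keep a live session open
            return "permit"
        return "deny"


def run_demo():
    """Two edge routers with the same policy; traffic leaves through R1.
    Returns (label, verdict) pairs for a constructed packet sequence."""
    published_web = {("tcp", "192.0.2.10", 80)}          # the one static inbound permit
    r1 = ReflexiveAcl(static_permits=published_web)
    r2 = ReflexiveAcl(static_permits=published_web)
    inside, outside = "192.0.2.50", "198.51.100.7"
    query = Packet("out", "udp", inside, 40001, outside, 53, 0.0)
    reply = Packet("in", "udp", outside, 53, inside, 40001, 0.1)
    late_reply = Packet("in", "udp", outside, 53, inside, 40001, 400.0)
    unsolicited = Packet("in", "tcp", outside, 51234, inside, 22, 1.0)
    to_web = Packet("in", "tcp", outside, 51235, "192.0.2.10", 80, 1.0)
    return [
        ("R1 outbound DNS query, creates mirror entry", r1.process(query)),
        ("R1 reply on the symmetric path", r1.process(reply)),
        ("R2 same reply on an asymmetric return path", r2.process(reply)),
        ("R1 unsolicited inbound SSH", r1.process(unsolicited)),
        ("R1 inbound to the published web server", r1.process(to_web)),
        ("R1 reply after the entry expired", r1.process(late_reply)),
    ]


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{verdict:6s}  {label}")
```

Packet three is the case the thread is about: the only difference from packet two is the router it arrives on, so with this filter in place an asymmetric return path stops working (and becomes visible in that router's deny counters) without any topology change.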




Re: Wireless STM-1 link

2009-09-10 Thread Arie Vayner
Rens,

Does not sound like the symptoms for what I want to write about, but this is
something you need to consider in any way:

When you run sub-rate links (i.e. 1GE interface with really 155Mbps as the
service) you need to make sure that you do not try to push more traffic than
the link can take.
This is mostly relevant for traffic bursts, which happen all the time with
IP traffic. So even if on average you do not use the bandwidth, still you
have short bursts whenever you start a transaction (like a file transfer
etc).

In order to avoid packets being dropped due to this burst on the link, the
1GE equipment before the link should be doing egress shaping to the rate
(sometimes it is even good to choose a rate slightly lower than the actual
rate) of the link.
This would make sure that the network equipment manages the packet drops (if
you have a child QOS policy) and you do not get random tail drops of the
burst.

This means that you need to choose the right network device that actually
supports egress shaping. Be aware that many L2/L3 switches do not support
this.

Arie

On Thu, Sep 10, 2009 at 12:55 PM, Rens r...@autempspourmoi.be wrote:

> All the interfaces are forced to 1Gbps and full duplex.
>
> Maybe I should give some extra info.
> All the traffic seems to pass ok via that link but I have seen that often
> OSPF adjacencies go down/up, I suspect that the HELLO packets are being
> dropped that pass via that link.
>
> That's why I started to look a little deeper and do some ping tests.
>
> -Original Message-
> From: Adam Goodman [mailto:a...@wispring.com]
> Sent: jeudi 10 septembre 2009 11:45
> To: Rens
> Cc: nanog@nanog.org
> Subject: Re: Wireless STM-1 link
>
> Sounds like this might be an Ethernet negotiation problem
>
> Sent from my phone
>
> On Sep 10, 2009, at 12:05 PM, Rens r...@autempspourmoi.be wrote:
>
> > Hi all,
> >
> > I'm encountering a problem with a wireless STM-1 link which has a
> > switch connected at each end.
> >
> > The wireless link has Gigabit Ethernet interfaces and so have my
> > switches.
> >
> > When I ping between the 2 switches via that wireless link I'm
> > getting a lot of pings that are lost.
> >
> > The wireless link is not saturated but I'm thinking it could have to
> > do something with the gigabit interfaces and only having 155Mbps on the
> > link itself?
> >
> > All ideas welcome.
> >
> > Regards,
> >
> > Rens





Re: BGP Growth projections

2009-07-12 Thread Arie Vayner
I would second Ivan's comment.
Unless you are a major transit operator (which beats the small ISP
requirement), you don't really need a full view, and can do with a limited
view with a default route.

Arie

On Sat, Jul 11, 2009 at 10:27 AM, Ivan Pepelnjak i...@ioshints.info wrote:

> Let me be the devil's advocate: why would you need full Internet routing?
> Taking reasonably sized neighborhoods of your upstreams (AS paths up to X
> AS numbers) plus a default to your best upstream might do the trick.
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
> > -Original Message-
> > From: Mark Radabaugh [mailto:m...@amplex.net]
> > Sent: Friday, July 10, 2009 6:42 PM
> > To: nanog list
> > Subject: BGP Growth projections
> >
> > I'm looking for new core routers for a small ISP and having a hard time
> > finding something appropriate and reasonably priced.   We don't have
> > huge traffic levels (1Gb) and are mostly running Ethernet interfaces to
> > upstreams rather than legacy interfaces (when did OC3 become legacy?).
> >
> > Lots of choices for routers that can handle the existing BGP tables - but
> > not so much in small platforms (1-10Gb traffic) if you assume that IPv6
> > is going to explode the routing table in the next 5 years.  The
> > manufacturers still seem to think low traffic routers don't need much
> > memory or CPU.
> >
> > What projections are you using regarding the default free zone over the
> > next 5 years when picking new hardware?
> >
> > --
> >
> > Mark Radabaugh
> > Amplex
> > 419.837.5015 x21
> > m...@amplex.net





Re: sniffing x.25 on SUN/Solaris

2009-07-05 Thread Arie Vayner
Kas,

I would assume that the x.25 traffic is using async ports on the Sun (or is
it over IP)?
If it's async, you are out of luck, and should use some RS232 (I assume...)
sniffer which can recognize x.25.

Arie

On Sun, Jul 5, 2009 at 2:56 PM, Kasper Adel karim.a...@gmail.com wrote:

 Hello,

 I am trying to capture x.25 traffic from a Sun Machine and I wonder if snoop
 supports it, because I asked my customer to capture it and send it over but
 the trace doesn't include anything x.25 related.

 Regards,
 Kas



Re: Traceroute management

2009-06-09 Thread Arie Vayner
Hmm, take a look at pingplotter

Arie

On Tue, Jun 9, 2009 at 10:28 PM, Dylan Ebner dylan.eb...@crlmed.com wrote:

 My company uses its internet connection primarily for VPN tunneling. I
 have always wanted a tool that I can enter the peer ip addresses and it
 will every 8 or 12 hours run a traceroute and log it so I can build
 historical maps of the path our traffic is taking. Has anyone ever seen
 any apps like this, preferably something that is free.

 Thanks
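For anyone who would rather script what Dylan asks for than buy a tool, here is an added example (written for this page, not part of the thread or of pingplotter): a parser for traceroute output, a hop-by-hop diff against the previous run, and a small history store, so a cron job every 8 or 12 hours only logs when the path to a VPN peer actually moved. The two traces are constructed from documentation addresses; the live capture helper assumes a Linux/BSD traceroute binary and is not exercised offline. A path change toward a VPN peer is also the first symptom you would see of a route leak or hijack between you and that peer, which is a good reason to keep the history.

```python
import re
import subprocess
from datetime import datetime, timezone

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "<ttl>  <rest of line>"
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")   # first IPv4 on the hop line


def parse_traceroute(text):
    """Return the per-hop responder list from traceroute output, '*' where no
    probe answered. Works for both 'host (ip)' and -n style lines; when a hop
    shows several responders (load-balanced paths) only the first is kept."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                         # header line or noise
        ttl, rest = int(m.group(1)), m.group(2)
        ip = IPV4_RE.search(rest)
        hops[ttl] = ip.group(1) if ip else "*"
    return [hops[t] for t in sorted(hops)]


def diff_paths(old, new):
    """Hop-by-hop comparison; returns [(ttl, old_ip, new_ip), ...] for hops that
    differ, including hops that appeared or disappeared at the end."""
    changes = []
    for i in range(max(len(old), len(new))):
        a = old[i] if i < len(old) else None
        b = new[i] if i < len(new) else None
        if a != b:
            changes.append((i + 1, a, b))
    return changes


def record_run(history, peer, output, when=None):
    """Store a parsed run under history[peer] and return the change list against
    the previous run, so the caller can log only when the path moved."""
    when = when or datetime.now(timezone.utc).isoformat()
    path = parse_traceroute(output)
    runs = history.setdefault(peer, [])
    changes = diff_paths(runs[-1][1], path) if runs else []
    runs.append((when, path))
    return changes


def run_traceroute(peer):
    """Live capture (not used by the offline samples below): one probe per hop,
    numeric output, two-second wait. Assumes a Linux/BSD 'traceroute' binary."""
    return subprocess.run(["traceroute", "-n", "-q", "1", "-w", "2", peer],
                          capture_output=True, text=True, check=False).stdout


# Constructed sample outputs (documentation addresses), not captured traces.
RUN_MONDAY = """traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  0.512 ms
 2  203.0.113.9 (203.0.113.9)  4.102 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  21.330 ms
"""
RUN_TUESDAY = """traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  192.0.2.1  0.498 ms
 2  203.0.113.77  6.840 ms
 3  198.18.5.1  9.015 ms
 4  198.51.100.7  23.901 ms
"""

if __name__ == "__main__":
    history = {}
    record_run(history, "198.51.100.7", RUN_MONDAY, "2009-06-08T00:00:00Z")
    for ttl, was, now in record_run(history, "198.51.100.7", RUN_TUESDAY,
                                    "2009-06-09T00:00:00Z"):
        print(f"hop {ttl}: {was} -> {now}")
```

Persist the history dict (JSON is enough) between cron runs and feed run_traceroute() output into record_run(); the second constructed run above reports hops 2 and 3 as changed and leaves the endpoints alone.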




Re: NPE-G2 vs. Sup720-3BXL

2009-05-15 Thread Arie Vayner
David,

My 1st advice would be to look also at the other features/capabilities you
require, and not just at feeds and speeds.

Some examples for functionality could be:
- QOS
- NetFlow
- DDoS resistance

In general the 6500 and the 12000 are hardware based platforms, with the
12000 being more distributed in nature, using linecard resources for data
plane (6500 does it too if you have DFC installed). 7200 is a CPU/software
based platform, so the same processor does packet forwarding and control
plane processing.

The 6500 (depending on specific module selection) is more restricted with QOS
and NetFlow functionality as it is designed to do very fast forwarding at a
relatively cheaper price.
The 12000 has everything implemented in hardware, and, depending on the engine
type (don't use anything other than Eng 3 or 5), has all the support you may
dream of for things like QOS and other features.
The 7200 is a software based router, which means that it supports any feature
you may ever dream of, but the scalability decreases as you turn them on.

Another option you should consider seriously should be the ASR1000 router,
which is a newer platform and has a new architecture. All its features are
based on hardware support, and it could actually prove the best choice for
what you need.
The ASR1002 comes with 4 integrated 1GE ports, which could be all that you
would ever need (but it has quite a few extension slots left).

Arie

On Fri, May 15, 2009 at 6:07 PM, David Storandt dstora...@teljet.com wrote:

 We're stuck in an engineering pickle, so some experience from this
 crew would be useful in tie-breaking...

 We operate a business-grade FTTx ISP with ~75 customers and 800Mbps of
 Internet traffic, currently using 6509/Sup2s for core routing and port
 aggregation. The MSFC2s are under stress from 3x full route feeds,
 pared down to 85% to fit the TCAM tables. One system has a FlexWAN
 with an OC3 card and it's crushing the CPU on the MSFC2. System tuning
 (stable IOS and esp. disabling SPD) helped a lot but still doesn't
 have the power to pull through. Hardware upgrades are needed...

 We need true full routes and more CPU horsepower for crunching BGP
 (+12 smaller peers + ISIS). OC3 interfaces are going to be mandatory,
 one each at two locations. Oh yeah, we're still a larger startup
 without endless pockets. Power, rack space, and SmartNet are not
 concerns at any location (on-site cold spares). We may need an
 upstream OC12 in the future but that's a ways out and not a concern
 here.

 Our engineering team has settled on three $20k/node options:
 - Sup720-3BXLs with PS and fan upgrades
 - Sup2s as switches + ISIS + statics and no BGP, push BGP edge routing
 off to NPE-G2s across a 2-3Gbps port-channel
 - Sup2s as switches + ISIS + statics and no BGP, push BGP edge routing
 off to a 12008 with E3 engines across a 2-3Gbps port-channel.

 Ideas and constructive opinions welcome, especially software and
 stability-related.

 Many thanks,
 -Dave




Re: Broadband Subscriber Management

2009-04-23 Thread Arie Vayner
You need also to remember that in many cases the DSL link is not provided by
the actual ISP. In many cases this is a wholesale scenario which uses L2TP
to forward the PPP session from the telco/DSL provider to the ISP.
In many cases there would also be another L2TP hop to another
sub-ISP/customer.

Arie

On Wed, Apr 22, 2009 at 7:01 PM, Curtis Maurand cmaur...@xyonet.com wrote:


 I don't understand why DSL providers don't just administratively down the
 port the customer is hooked to rather than using PPPoE which costs bandwidth
 and has huge management overhead when you have to disconnect a customer.  I
 made the same recommendation to the St. Maarten (Dutch) phone company
 several years ago.  They weren't listening either.   That way you can rate
 limit via ATM or by throttling the port administratively.

 Just a suggestion


 Sherwin Ang wrote:

 Hello Nanog!

 i just would like to see how other operators are handling
 broadband/DSL subscribers in their BRAS.  Currently, we are
 implementing PPPoE with AAA on our Redback SE's and Cisco boxes.  As
 our subscriber base grows and grows, management of user logins,
 passwords, password resets, password changes are getting really huge.
 Some customers also complain about the method of logging in, asking
 for an easier way to do it or dump logins altogether.  We're looking
 at DHCP/CLIPS for Redback but haven't really tested it since it
 requires a new license for it.  For Cisco, we've been empty so far in
 looking for a solution wherein we still have accounting and
 rate-limiting on subscriber vc's.

 how do network operators in your areas do it?  DHCP?  if i do DHCP,
 will i still have the flexibility of sending a radius reply attribute
 so i could rate-limit the subscribers speed? or still offer speed on
 demand via radius/time-based upgrade of their rate-limits during
 off-peak hours?

 thank you for any insights that you may share.


 -Sherwin








Re: L2 - L3 Etherchannel

2009-04-08 Thread Arie Vayner
Yes.

On Wed, Apr 8, 2009 at 9:03 PM, Amolak amolak.si...@gmail.com wrote:

 Hi All,

 Is it possible to create L2 Etherchannel at one end and L3 etherchannel at
 another end?

 For Example:

 SW-1
 ----

 interface GigabitEthernet1/1
  channel-group 1 mode desirable
  channel-protocol pagp
 !
 interface GigabitEthernet1/2
  channel-group 1 mode desirable
  channel-protocol pagp
 !
 interface Port-channel 1
  no ip address
  switchport
  switchport access vlan 10
  switchport mode access
 !
 int vlan10
  ip address 1.1.1.1 255.255.255.252
 !
 ----

 SW-2
 ----

 interface Port-channel 2
  ip address 1.1.1.2 255.255.255.252
 !
 interface GigabitEthernet1/1
  no ip address
  channel-group 2 mode desirable
  channel-protocol pagp
 !
 interface GigabitEthernet1/2
  no ip address
  channel-group 2 mode desirable
  channel-protocol pagp
 !

 I don't have a lab to test it, can somebody confirm if the connectivity
 will work between these devices as per this setup.

 Thanks,
 Amolak



Re: Using 32 bit ASN numbers

2008-08-29 Thread Arie Vayner
Pender,

One small correction... For 7600, 12.2SR, the support would come out in
12.2SRD

Arie

On Fri, Aug 29, 2008 at 6:44 PM, Pender, James [EMAIL PROTECTED] wrote:


 These are the dates I have for Cisco platforms:

 IOS XR 3.4 - September 2007
 IOS 12.0(32)S11 - November 2008
 IOS 12.2SRE - December 2008
 IOS 12.5(1)T - April 2009

 -Original Message-
 From: andy lam [mailto:[EMAIL PROTECTED]
 Sent: Friday, August 29, 2008 11:29 AM
 To: [EMAIL PROTECTED]; Brian Raaen
 Subject: Re: Using 32 bit ASN numbers


 Cisco IOS XR Software Release 3.4.0 adds support for BGP Authentication Key
 Chaining, BGP 4-Byte Autonomous System Number (ASN), and BGP Next Hop
 tracking enhancements.

 http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.4/general/release/notes/reln_34.html#wp239046
 BGP 4-Byte ASN-Increases the range of supported autonomous systems from 2
 bytes to 4 bytes to scale with expected Internet growth.

 12.2SR* is supposed to be in late 2008, but has not yet been announced
 publicly.


 Juniper it's in JUNOS 9.1 as far as I can tell.


 --- On Fri, 8/29/08, Brian Raaen [EMAIL PROTECTED] wrote:

 From: Brian Raaen [EMAIL PROTECTED]
 Subject: Using 32 bit ASN numbers
 To: [EMAIL PROTECTED]
 Date: Friday, August 29, 2008, 11:04 AM

 I am doing some research for our company regarding 32 bit ASNs.  I am
 trying to locate information about vendor and service provider support.  In
 particular I have not been able to find what Cisco IOS image I would need
 to load on our router to support 32 bit ASNs.  I also want to know what
 experience people have had with service provider support of 32 bit ASNs

 --
 Brian Raaen
 Network Engineer
 [EMAIL PROTECTED]
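Beyond the software release question, the thing that bites people operationally with 4-byte ASNs is the wire-level compatibility mechanism from RFC 4893: a 4-byte-capable (NEW) speaker talking to a 2-byte-only (OLD) peer replaces every ASN above 65535 with AS_TRANS (23456) in AS_PATH and carries the real values in AS4_PATH, and the next NEW speaker has to merge the two back together. The following added example (written for this page, not from any vendor or from the thread) shows the asplain/asdot conversion both vendors' CLIs use and that substitution and merge in the simplest case; AS_SET segments are deliberately left out of this model, and the ASNs in the usage are hypothetical.

```python
AS_TRANS = 23456  # RFC 4893 placeholder for a 4-byte ASN sent to a 2-byte-only peer


def asplain_to_asdot(asn):
    """Values 0..65535 print unchanged; larger values print as <high16>.<low16>."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {asn}")
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"


def parse_asn(text):
    """Accept asplain ('131077') or asdot ('2.5') and return the integer ASN."""
    text = text.strip()
    if "." in text:
        hi, lo = (int(p) for p in text.split(".", 1))
        if not (0 <= hi <= 0xFFFF and 0 <= lo <= 0xFFFF):
            raise ValueError(f"bad asdot value: {text}")
        return (hi << 16) | lo
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {asn}")
    return asn


def as_path_toward_old_speaker(as_path):
    """What a NEW (4-byte-capable) speaker puts in AS_PATH when talking to an
    OLD peer: every ASN above 65535 becomes AS_TRANS, while the real values
    travel in the optional transitive AS4_PATH attribute."""
    return [AS_TRANS if asn > 0xFFFF else asn for asn in as_path]


def reconstruct_as_path(as_path, as4_path):
    """RFC 4893 section 4.2.3 merge done by a NEW speaker receiving from an OLD
    one: if AS4_PATH is longer than AS_PATH it is ignored; otherwise the leading
    ASes of AS_PATH (prepended by OLD speakers in between) are kept and AS4_PATH
    replaces the tail. AS_SET segments are not modelled here."""
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    keep = len(as_path) - len(as4_path)
    return list(as_path[:keep]) + list(as4_path)


if __name__ == "__main__":
    # Hypothetical path: AS64496 -> AS196608 (3.0 in asdot) -> AS64500
    real = [64496, 196608, 64500]
    print([asplain_to_asdot(a) for a in real])      # ['64496', '3.0', '64500']
    on_wire = as_path_toward_old_speaker(real)
    print(on_wire)                                   # [64496, 23456, 64500]
    # An OLD speaker (AS65000) prepends itself to AS_PATH and passes AS4_PATH
    # through untouched; the next NEW speaker recovers the full 4-byte path.
    print(reconstruct_as_path([65000] + on_wire, real))
```

If you see 23456 in a received path, an OLD speaker was in the way and the AS4_PATH merge is what restores the real origin; any AS-path filter or prefix-origin check written against the 2-byte view needs to be reviewed with that in mind. IOS shows 4-byte ASNs in asplain by default and switches to asdot with "bgp asnotation dot".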