Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Robert Bays
I was trying not to pitch my company on list, but the performance numbers I 
quoted are on the Vyatta/Brocade vRouter which is commercially available.  
Other vendors also have publicly available performance numbers that are 
interesting.


 On Jan 28, 2015, at 5:02 AM, Paul S. cont...@winterei.se wrote:
 
 That's the problem though.
 
 Everyone has presentations for the most part, very few actual tools that 
 end users can just use exist.
 
 On 1/28/2015 08:02 PM, Robert Bays wrote:
 On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:
 
 My expertise, such as it ever was, is a bit stale at this point, and my
 figures might be a little off. But I think the general principle
 applies: think about the minimum number of x86 instructions, and the
 minimum number of main memory accesses, to inspect a packet header, do a
 routing table lookup, and enqueue the packet on an outbound interface. I
 can't see that ever getting reduced to the point where a generic server
 can handle 40-byte packets at line rate (for that matter, line rate is
 increasing a lot faster than speed of generic server these days).
 Using DPDK it’s possible to do everything stated and achieve 10Gbps line 
 rate at 64byte packets on multiple interfaces simultaneously.  Add ACLs to 
 the test setup and you can reach significant portions of 10Gbps at 64byte 
 packets and full line rate at 128bytes.
 
 Check out Venky Venkatesan’s presentation at the last DPDK Summit for 
 interesting information on pps/CPU cycles and some of the things that can be 
 done to optimize forwarding in a generic processor environment.
 
 http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
 
 
 



Re: look for BGP routes containing local AS#

2015-01-28 Thread Chuck Anderson
It used to be the case that looped routes didn't even show up as
hidden routes, because Junos discarded them even from Adj-RIB-In,
although this may have changed at some Junos version.

Also, Junos won't even advertise such looped routes to a neighbor with
the same AS by default, so in many cases you won't see it at all if
you are peering with a Juniper unless it is specifically configured to
send these looped routes with advertise-peer-as, or change the AS
number with as-override.

On Wed, Jan 28, 2015 at 05:32:34PM +0800, Song Li wrote:
 Hi Joel,
 
 It is right that the BGP route containing the local ASN will be
 dropped. However, such routes can still be displayed on router. For
 example, you can run show route hidden terse aspath-regex .*local
 ASN.* on Juniper to check them. We are looking for those routes.
 If you can run the command on your Juniper and find such routes,
 could you please provide them for us?
 
 Thanks!
 
 Regards!
 
 Song
 
 On 2015/1/28 16:23, joel jaeggli wrote:
 On 1/27/15 5:45 AM, Song Li wrote:
 Hi everyone,
 
 Recently I studied the BGP AS path looping problem, and found that in
 most cases, the received BGP routes containing local AS# are suspicious.
 However, we checked our BGP routing table (AS23910,CERNET2) on juniper
 router(show route hidden terse aspath-regex .*23910.* ), and have not
 found such routes in Adj-RIB-In.
 
 Updates with your AS in the path are discarded as part of loop
 detection, e.g. they do not become candidate routes.
 
 https://tools.ietf.org/html/rfc4271 page 77
 
 If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
 route should be excluded from the Phase 2 decision function.  AS loop
 detection is done by scanning the full AS path (as specified in the
 AS_PATH attribute), and checking that the autonomous system number of
 the local system does not appear in the AS path.  Operations of a BGP
 speaker that is configured to accept routes with its own autonomous
 system number in the AS path are outside the scope of this document.
 
 in junos
 
 neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
 
 where number is the number of instances of your AS in the path you're
 willing to accept will correct that.
 
 We believe that the received BGP routes containing local AS# are related
 to BGP security problem.
 
 You'll have to elaborate, since their existence is a basic principle in
 the operation of bgp and they are ubiquitous.
 
 Island instances of a distributed ASN communicate with each other by
 allowing such routes in so that they can be evaluated on the basis of
 prefix, specificity, AS path length and so forth.
 
 Hence, we want to look for some real cases in
 the wild. Could anybody give us some examples of such routes?


Re: Cisco IOS stable/production safe versions?

2015-01-28 Thread Daniel Corbe

Nick Ellermann nellerm...@broadaspect.com writes:

 I have a Cisco IOS specific question for the group and also
 specifically related to the 6500 platform. We have always been very
 conservative with our IOS version that we run in production, we are
 still running a pretty old safe harbor build of 12.2.x on SUP 720
 3BXLs with BGP and OSPF routing. Any advice from fellow network
 operators that are running the 6500 platform in the core still for
 versions that are considered safe for production? We are stable, but I
 am really wanting access to features such as Netflow v9, etc.

 Thanks for any advice!


You're pretty spot on with your thinking here.  Don't upgrade unless
there's a known vulnerability, a bug fix or a feature that you need on a
particular device; and don't expose your management to the Internet.

tl;dr: don't fix what isn't broken.

Having said that; make use of the software download tools on your CCO
account.   Cisco has a list of recommended builds for your particular
platform and code train.

When in doubt you can always fall back to S-train stuff on a Sup720.
-S images were made for service providers and are generally very stable.

-Daniel



Re: look for BGP routes containing local AS#

2015-01-28 Thread Pedro Cavaca
If your ISP utilizes Juniper platforms, you might have to ask them to allow
the advertisement of these routes, see
http://www.firstdigest.com/2012/09/cisco-vs-juniper-different-ebgp-behavior/

On 28 January 2015 at 09:32, Song Li refresh.ls...@gmail.com wrote:

 Hi Joel,

 It is right that the BGP route containing the local ASN will be dropped.
 However, such routes can still be displayed on router. For example, you can
 run show route hidden terse aspath-regex .*local ASN.* on Juniper to
 check them. We are looking for those routes. If you can run the command on
 your Juniper and find such routes, could you please provide them for us?

 Thanks!

 Regards!

 Song

 On 2015/1/28 16:23, joel jaeggli wrote:

  On 1/27/15 5:45 AM, Song Li wrote:

 Hi everyone,

 Recently I studied the BGP AS path looping problem, and found that in
 most cases, the received BGP routes containing local AS# are suspicious.
 However, we checked our BGP routing table (AS23910,CERNET2) on juniper
 router(show route hidden terse aspath-regex .*23910.* ), and have not
 found such routes in Adj-RIB-In.


 Updates with your AS in the path are discarded as part of loop
 detection, e.g. they do not become candidate routes.

 https://tools.ietf.org/html/rfc4271 page 77

 If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
 route should be excluded from the Phase 2 decision function.  AS loop
 detection is done by scanning the full AS path (as specified in the
 AS_PATH attribute), and checking that the autonomous system number of
 the local system does not appear in the AS path.  Operations of a BGP
 speaker that is configured to accept routes with its own autonomous
 system number in the AS path are outside the scope of this document.

 in junos

 neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

 where number is the number of instances of your AS in the path you're
 willing to accept will correct that.

  We believe that the received BGP routes containing local AS# are related
 to BGP security problem.


 You'll have to elaborate, since their existence is a basic principle in
 the operation of bgp and they are ubiquitous.

 Island instances of a distributed ASN communicate with each other by
 allowing such routes in so that they can be evaluated on the basis of
 prefix, specificity, AS path length and so forth.

  Hence, we want to look for some real cases in
 the wild. Could anybody give us some examples of such routes?

 Thanks!

 Best Regards!





 --
 Song Li
 Room 4-204, FIT Building,
 Network Security,
 Department of Electronic Engineering,
 Tsinghua University, Beijing 100084, China
 Tel:( +86) 010-62446440
 E-mail: refresh.ls...@gmail.com



Re: look for BGP routes containing local AS#

2015-01-28 Thread Song Li

Thanks!

It seems hard to see such routes on the edge router. Nonetheless, we do 
believe there must exist such routes in the wild. We still hope to find 
some real cases of them. If anybody see them in your routers, please let 
us know.


Regards!

Song
On 2015/1/28 21:27, Chuck Anderson wrote:

It used to be the case that looped routes didn't even show up as
hidden routes, because Junos discarded them even from Adj-RIB-In,
although this may have changed at some Junos version.

Also, Junos won't even advertise such looped routes to a neighbor with
the same AS by default, so in many cases you won't see it at all if
you are peering with a Juniper unless it is specifically configured to
send these looped routes with advertise-peer-as, or change the AS
number with as-override.

On Wed, Jan 28, 2015 at 05:32:34PM +0800, Song Li wrote:

Hi Joel,

It is right that the BGP route containing the local ASN will be
dropped. However, such routes can still be displayed on router. For
example, you can run show route hidden terse aspath-regex .*local
ASN.* on Juniper to check them. We are looking for those routes.
If you can run the command on your Juniper and find such routes,
could you please provide them for us?

Thanks!

Regards!

Song

On 2015/1/28 16:23, joel jaeggli wrote:

On 1/27/15 5:45 AM, Song Li wrote:

Hi everyone,

Recently I studied the BGP AS path looping problem, and found that in
most cases, the received BGP routes containing local AS# are suspicious.
However, we checked our BGP routing table (AS23910,CERNET2) on juniper
router(show route hidden terse aspath-regex .*23910.* ), and have not
found such routes in Adj-RIB-In.


Updates with your AS in the path are discarded as part of loop
detection, e.g. they do not become candidate routes.

https://tools.ietf.org/html/rfc4271 page 77

If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
route should be excluded from the Phase 2 decision function.  AS loop
detection is done by scanning the full AS path (as specified in the
AS_PATH attribute), and checking that the autonomous system number of
the local system does not appear in the AS path.  Operations of a BGP
speaker that is configured to accept routes with its own autonomous
system number in the AS path are outside the scope of this document.

in junos

neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

where number is the number of instances of your AS in the path you're
willing to accept will correct that.


We believe that the received BGP routes containing local AS# are related
to BGP security problem.


You'll have to elaborate, since their existence is a basic principle in
the operation of bgp and they are ubiquitous.

Island instances of a distributed ASN communicate with each other by
allowing such routes in so that they can be evaluated on the basis of
prefix, specificity, AS path length and so forth.


Hence, we want to look for some real cases in
the wild. Could anybody give us some examples of such routes?



--
Song Li
Room 4-204, FIT Building,
Network Security,
Department of Electronic Engineering,
Tsinghua University, Beijing 100084, China
Tel:( +86) 010-62446440
E-mail: refresh.ls...@gmail.com


Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Charles N Wyble
There is no free lunch. If you want tools that end users can just use then 
buy Cisco. 

Otherwise you need to roll up your sleeves and take the pieces and put them 
together. Or hire people like me to do it for you. 

It isn't overly complicated in my opinion. Also you'll find plenty of 
reasonably priced Linux or BSD integration engineers out there across the globe 
who are used to doing this sort of thing. 

Now once you move beyond basic forwarding / high PPS processing (which seems 
mostly commodity now) and get into say 80gbps (40gbps full duplex) IPS, IP 
reputation, data loss prevention, SSL MITM, AV... well that requires some very 
beefy hardware. Can that be done on x86? I doubt it.

Tilera seems the way to go here. Newer FPGA boards can implement various CPU 
architectures on the fly. You also have CUDA. I hadn't seen Chelsio, I'm very 
excited about that. I'll have one in my grubby little hands soon enough. 

transceivers are still horribly expensive. This is a major portion of the bom 
cost on any build, no matter what software stack is putting packets onto them. 

It isn't so simple once you move beyond the 1gbps range and want full feature 
set. And not in one box I think. Look at https://www.bro.org/ for interesting 
multi box scaling. 

On January 28, 2015 7:02:34 AM CST, Paul S. cont...@winterei.se wrote:
That's the problem though.

Everyone has presentations for the most part, very few actual tools
that 
end users can just use exist.

On 1/28/2015 08:02 PM, Robert Bays wrote:
 On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org
wrote:

 My expertise, such as it ever was, is a bit stale at this point, and
my
 figures might be a little off. But I think the general principle
 applies: think about the minimum number of x86 instructions, and the
 minimum number of main memory accesses, to inspect a packet header,
do a
 routing table lookup, and enqueue the packet on an outbound
interface. I
 can't see that ever getting reduced to the point where a generic
server
 can handle 40-byte packets at line rate (for that matter, line
rate is
 increasing a lot faster than speed of generic server these days).
 Using DPDK it’s possible to do everything stated and achieve 10Gbps
line rate at 64byte packets on multiple interfaces simultaneously.  Add
ACLs to the test setup and you can reach significant portions of 10Gbps
at 64byte packets and full line rate at 128bytes.

 Check out Venky Venkatesan’s presentation at the last DPDK Summit for
interesting information on pps/CPU cycles and some of the things that
can be done to optimize forwarding in a generic processor environment.


http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan





-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: look for BGP routes containing local AS#

2015-01-28 Thread Song Li

Hi Joel,

It is right that the BGP route containing the local ASN will be dropped. 
However, such routes can still be displayed on router. For example, you 
can run show route hidden terse aspath-regex .*local ASN.* on 
Juniper to check them. We are looking for those routes. If you can run 
the command on your Juniper and find such routes, could you please 
provide them for us?


Thanks!

Regards!

Song

On 2015/1/28 16:23, joel jaeggli wrote:

On 1/27/15 5:45 AM, Song Li wrote:

Hi everyone,

Recently I studied the BGP AS path looping problem, and found that in
most cases, the received BGP routes containing local AS# are suspicious.
However, we checked our BGP routing table (AS23910,CERNET2) on juniper
router(show route hidden terse aspath-regex .*23910.* ), and have not
found such routes in Adj-RIB-In.


Updates with your AS in the path are discarded as part of loop
detection, e.g. they do not become candidate routes.

https://tools.ietf.org/html/rfc4271 page 77

If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
route should be excluded from the Phase 2 decision function.  AS loop
detection is done by scanning the full AS path (as specified in the
AS_PATH attribute), and checking that the autonomous system number of
the local system does not appear in the AS path.  Operations of a BGP
speaker that is configured to accept routes with its own autonomous
system number in the AS path are outside the scope of this document.

in junos

neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

where number is the number of instances of your AS in the path you're
willing to accept will correct that.


We believe that the received BGP routes containing local AS# are related
to BGP security problem.


You'll have to elaborate, since their existence is a basic principle in
the operation of bgp and they are ubiquitous.

Island instances of a distributed ASN communicate with each other by
allowing such routes in so that they can be evaluated on the basis of
prefix, specificity, AS path length and so forth.


Hence, we want to look for some real cases in
the wild. Could anybody give us some examples of such routes?

Thanks!

Best Regards!







--
Song Li
Room 4-204, FIT Building,
Network Security,
Department of Electronic Engineering,
Tsinghua University, Beijing 100084, China
Tel:( +86) 010-62446440
E-mail: refresh.ls...@gmail.com


Re: look for BGP routes containing local AS#

2015-01-28 Thread joel jaeggli
On 1/27/15 5:45 AM, Song Li wrote:
 Hi everyone,
 
 Recently I studied the BGP AS path looping problem, and found that in
 most cases, the received BGP routes containing local AS# are suspicious.
 However, we checked our BGP routing table (AS23910,CERNET2) on juniper
 router(show route hidden terse aspath-regex .*23910.* ), and have not
 found such routes in Adj-RIB-In.

Updates with your AS in the path are discarded as part of loop
detection, e.g. they do not become candidate routes.

https://tools.ietf.org/html/rfc4271 page 77

   If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
   route should be excluded from the Phase 2 decision function.  AS loop
   detection is done by scanning the full AS path (as specified in the
   AS_PATH attribute), and checking that the autonomous system number of
   the local system does not appear in the AS path.  Operations of a BGP
   speaker that is configured to accept routes with its own autonomous
   system number in the AS path are outside the scope of this document.

in junos

neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

where number is the number of instances of your AS in the path you're
willing to accept will correct that.

 We believe that the received BGP routes containing local AS# are related
 to BGP security problem.

You'll have to elaborate, since their existence is a basic principle in
the operation of bgp and they are ubiquitous.

Island instances of a distributed ASN communicate with each other by
allowing such routes in so that they can be evaluated on the basis of
prefix, specificity, AS path length and so forth.

 Hence, we want to look for some real cases in
 the wild. Could anybody give us some examples of such routes?
 
 Thanks!
 
 Best Regards!
 




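The loop check joel quotes from RFC 4271, written out as an added example that is not code from the thread, from Junos, or from any other router implementation. The full AS path (AS_SEQUENCE and AS_SET segments alike) is scanned for the local ASN, and a count knob mirrors the "allowas-in number" idea quoted above: a route is excluded from the decision process only when the local ASN occurs more times than that count allows. AS 23910 is the ASN named in the thread; the Route type, the prefixes and every other ASN are constructed for the example. Comparing ASNs as integers also sidesteps the false positives a substring regex such as `.*23910.*` would give on a string (AS 123910 would match):

```python
# Added example (not from the thread): AS_PATH loop detection in the style of
# RFC 4271 section 9.1.2, with an allowas-in-like occurrence count.
from dataclasses import dataclass
from typing import Dict, List, Tuple

AS_SEQUENCE = "AS_SEQUENCE"
AS_SET = "AS_SET"


@dataclass
class Route:
    """One entry in Adj-RIB-In (hypothetical type for this example)."""
    prefix: str
    # AS_PATH as a list of (segment_type, [asn, ...]) segments
    as_path: List[Tuple[str, List[int]]]


def local_as_occurrences(route: Route, local_asn: int) -> int:
    """Count how many times local_asn appears anywhere in the full AS path.
    ASNs are compared as integers, so AS 123910 never matches AS 23910 the
    way a substring regex like '.*23910.*' on a string would."""
    return sum(asn == local_asn for _, asns in route.as_path for asn in asns)


def loop_check(route: Route, local_asn: int, allowas_in: int = 0) -> str:
    """'candidate' if the route may enter the Phase 2 decision function,
    'hidden' if loop detection excludes it (the label follows the thread's
    'show route hidden' wording). allowas_in is the number of occurrences
    of the local ASN that are tolerated; 0 is the RFC 4271 default."""
    return "candidate" if local_as_occurrences(route, local_asn) <= allowas_in else "hidden"


def classify_adj_rib_in(routes: List[Route], local_asn: int,
                        allowas_in: int = 0) -> Dict[str, str]:
    """Apply loop_check to every route and return prefix -> verdict."""
    return {r.prefix: loop_check(r, local_asn, allowas_in) for r in routes}


# Constructed sample Adj-RIB-In: 23910 is the ASN from the thread, the other
# ASNs are documentation-range values and the prefixes are RFC 5737/3849 space.
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", [(AS_SEQUENCE, [64496, 64497])]),            # clean
    Route("198.51.100.0/24", [(AS_SEQUENCE, [64496, 23910, 64498])]),    # one loop
    Route("192.0.2.0/24", [(AS_SEQUENCE, [64499]), (AS_SET, [23910, 64500])]),  # loop in AS_SET
    Route("2001:db8::/32", [(AS_SEQUENCE, [64496, 23910, 64501, 23910])]),      # two loops
    Route("203.0.113.128/25", [(AS_SEQUENCE, [123910, 64502])]),         # regex trap
]

if __name__ == "__main__":
    for allow in (0, 1):
        print(f"allowas-in {allow}:")
        for prefix, verdict in classify_adj_rib_in(SAMPLE_ROUTES, 23910, allow).items():
            print(f"  {prefix:20} {verdict}")
```

With the default count of 0 the three routes carrying 23910 are hidden and the 123910 route is a candidate; raising the count to 1 admits the single-occurrence routes while the path with two occurrences stays hidden, which is the behaviour the "island instances of a distributed ASN" case relies on.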


Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Robert Bays

 On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:
 
 My expertise, such as it ever was, is a bit stale at this point, and my 
 figures might be a little off. But I think the general principle 
 applies: think about the minimum number of x86 instructions, and the 
 minimum number of main memory accesses, to inspect a packet header, do a 
 routing table lookup, and enqueue the packet on an outbound interface. I 
 can't see that ever getting reduced to the point where a generic server 
 can handle 40-byte packets at line rate (for that matter, line rate is 
 increasing a lot faster than speed of generic server these days).

Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate 
at 64byte packets on multiple interfaces simultaneously.  Add ACLs to the test 
setup and you can reach significant portions of 10Gbps at 64byte packets and 
full line rate at 128bytes.

Check out Venky Venkatesan’s presentation at the last DPDK Summit for 
interesting information on pps/CPU cycles and some of the things that can be 
done to optimize forwarding in a generic processor environment.

http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
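Jim's "minimum number of instructions and memory accesses" argument and Robert's 64-byte and 128-byte line-rate figures can be put side by side as a per-packet cycle budget. The following is an added example, not from the thread or from DPDK: it converts a link speed and frame size into packets per second using Ethernet's 20 bytes of preamble and inter-frame gap (a 40-byte IP packet is padded to the 64-byte minimum frame, so it costs the same), then divides a core clock by that rate. The 3.0 GHz clock and 80 ns DRAM latency are assumed round numbers, not measurements:

```python
# Added example (not from the thread): per-packet CPU budget at line rate.
# Inputs are parameters; 3.0 GHz and 80 ns below are assumed round numbers.

# Bytes on the wire that are not part of the frame itself:
# 7 preamble + 1 start-of-frame delimiter + 12 inter-frame gap.
ETHERNET_OVERHEAD_BYTES = 20
MIN_ETHERNET_FRAME = 64   # a 40-byte TCP/IP packet is padded up to this


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Maximum packets per second a link carries at a given frame size."""
    frame_bytes = max(frame_bytes, MIN_ETHERNET_FRAME)
    wire_bits = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8
    return link_bps / wire_bits


def cycles_per_packet(link_bps: float, frame_bytes: int,
                      core_hz: float, cores: int = 1) -> float:
    """CPU cycles available per packet when `cores` cores share the load."""
    return core_hz * cores / line_rate_pps(link_bps, frame_bytes)


def dram_accesses_affordable(cycles: float, dram_ns: float, core_hz: float) -> float:
    """How many cache-missing main-memory accesses fit in `cycles` if each
    costs dram_ns nanoseconds (assumed figure, not a measurement)."""
    return cycles / (dram_ns * 1e-9 * core_hz)


def budget_table(link_bps: float, core_hz: float, cores: int, dram_ns: float,
                 frame_sizes=(64, 128, 256, 512, 1518)):
    """Rows of (frame bytes, pps, cycles per packet, DRAM accesses per packet)."""
    rows = []
    for fb in frame_sizes:
        pps = line_rate_pps(link_bps, fb)
        cyc = cycles_per_packet(link_bps, fb, core_hz, cores)
        rows.append((fb, pps, cyc, dram_accesses_affordable(cyc, dram_ns, core_hz)))
    return rows


if __name__ == "__main__":
    print("frame   Mpps   cycles/pkt  DRAM accesses/pkt  (10GbE, 1 core @3.0GHz, 80ns)")
    for fb, pps, cyc, dram in budget_table(10e9, 3.0e9, 1, 80.0):
        print(f"{fb:5d}  {pps / 1e6:6.2f}  {cyc:10.1f}  {dram:8.2f}")
```

At 10GbE and 64-byte frames the link carries about 14.88 Mpps, which leaves one 3 GHz core roughly 200 cycles per packet, less than a single DRAM miss at the assumed latency; at 128 bytes the budget is about 355 cycles. That is why the thread's 64-byte figures depend on batching, prefetching and keeping the forwarding tables in cache, and why adding ACL lookups costs line rate at 64 bytes before it does at 128.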




Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Paul S.

That's the problem though.

Everyone has presentations for the most part, very few actual tools that 
end users can just use exist.


On 1/28/2015 08:02 PM, Robert Bays wrote:

On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:

My expertise, such as it ever was, is a bit stale at this point, and my
figures might be a little off. But I think the general principle
applies: think about the minimum number of x86 instructions, and the
minimum number of main memory accesses, to inspect a packet header, do a
routing table lookup, and enqueue the packet on an outbound interface. I
can't see that ever getting reduced to the point where a generic server
can handle 40-byte packets at line rate (for that matter, line rate is
increasing a lot faster than speed of generic server these days).

Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate 
at 64byte packets on multiple interfaces simultaneously.  Add ACLs to the test 
setup and you can reach significant portions of 10Gbps at 64byte packets and 
full line rate at 128bytes.

Check out Venky Venkatesan’s presentation at the last DPDK Summit for 
interesting information on pps/CPU cycles and some of the things that can be 
done to optimize forwarding in a generic processor environment.

http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan






Re: Network ops lists.

2015-01-28 Thread Alex Brooks
On Wed, Jan 28, 2015 at 2:27 AM, Seiichi Kawamura kawamu...@mesh.ad.jp wrote:
 Not my list, but here's one.
 http://www.bugest.net/nogs.html

 I'm sure there's more though. BDNOG, BTNOG, HKNOG ...


As has been mentioned, there are also a few special purpose
non-geographic lists around.  Voiceops for VoIP
(http://www.voiceops.org/), DC-Ops for Data Centre operation
discussion (https://puck.nether.net/mailman/listinfo/dc-ops), IPv6 Ops
for IPv6 specific stuff (http://lists.cluenet.de/pipermail/ipv6-ops/)
come to mind.

Be aware that other regional ops mailing lists can be a little quieter
than NANOG.  UKNOF (http://www.uknof.org.uk/) is a great example of
this, there are lots of great people from loads of ISPs and network
operators on that list, with lots of experience of the UK and Western
Europe, they also host two meetings a year, a bit like the NANOG
meetings, but if you subscribed to the list you might think it a
little dead until someone posts something on topic.  Their meeting
last week had nearly 300 attendees, including BT, the BBC, Cisco,
Akamai and Amazon along with a heck of a lot of very interesting
talks, most of which are on Youtube.  You will find that other
regional groups do similar things as well.

HTH,

Alex


Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Mark Tinka

On 28/1/15 16:45, Colin Johnston wrote:

qnx os based router works well with powerpc, could be pushed far higher load 
than intel based chips


The problem being that QNX is a 32-bit kernel.

Mark.


Re: DDOS, IDS, RTBH, and Rate limiting

2015-01-28 Thread Pavel Odintsov
Hello, folks!

NetFlow v5 and v9 support has just been added to FastNetMon:
https://github.com/FastVPSEestiOu/fastnetmon

Now you can catch DDoS attacks and collect data from sFLOW v5, NetFlow
v5/v9 and even from mirror port with PF_RING in one tool
simultaneously!

Will be very glad for feedback and testing!

On Wed, Dec 3, 2014 at 7:57 AM, Roland Dobbins rdobb...@arbor.net wrote:

 On 2 Dec 2014, at 17:18, Pavel Odintsov wrote:

 In near future I will add netflow v5 support.


 Good job - you should really go for NetFlow v9 when you can, as it supports
 IPv6 and MPLS labels.

 Next would be IPFIX.

 ---
 Roland Dobbins rdobb...@arbor.net



-- 
Sincerely yours, Pavel Odintsov
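To show what a collector like the one Pavel announces has to do with a NetFlow v5 export, here is an added example that is not FastNetMon code: a parser for the 24-byte v5 header and its 48-byte records (the format is Cisco's published NetFlow v5 layout; v5 carries IPv4 only, which is why Roland points to v9 for IPv6), with length and record-count checks, followed by a per-destination packet total that a flow-based DDoS detector would compare against a threshold. The datagram is constructed inline from documentation-range addresses; the counters, ports and threshold are made up:

```python
# Added example (not FastNetMon code): NetFlow v5 parsing and a simple
# per-destination packet-count check. All sample data below is constructed.
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header, then up to 30 records of 48 bytes.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 export datagram; raise ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the NetFlow v5 maximum")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than the header claims")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {
        "sequence": flow_sequence, "unix_secs": unix_secs,
        # top two bits hold the sampling mode, the low 14 bits the interval
        "sampling_rate": sampling & 0x3FFF,
        "records": records,
    }


def packets_per_destination(records, sampling_rate: int = 1) -> dict:
    """Sum exported packet counts per destination, scaled by the sampling rate."""
    totals = defaultdict(int)
    for r in records:
        totals[r["dst"]] += r["packets"] * max(sampling_rate, 1)
    return dict(totals)


def flag_heavy_destinations(records, threshold_packets: int, sampling_rate: int = 1) -> dict:
    """Destinations whose packet total in this export reaches the threshold."""
    totals = packets_per_destination(records, sampling_rate)
    return {dst: n for dst, n in totals.items() if n >= threshold_packets}


# --- constructed sample data (not captured traffic) ---
def build_record(src, dst, packets, octets, sport, dport, proto) -> bytes:
    return RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0,  # nexthop
                       1, 2,                           # input / output ifIndex
                       packets, octets, 1_000, 2_000,  # dPkts, dOctets, first, last (ms)
                       sport, dport, 0, 0, proto, 0,   # ports, pad1, tcp_flags, prot, tos
                       64496, 64497, 24, 24, 0)        # src/dst AS, masks, pad2


def build_datagram(records, sequence: int = 0) -> bytes:
    header = HEADER.pack(5, len(records), 3_600_000, 1_422_403_200, 0, sequence, 0, 0, 0)
    return header + b"".join(records)


# Three UDP/123 flows from different sources converging on one host, the shape
# of the amplified NTP traffic mentioned elsewhere in the thread, plus one web flow.
SAMPLE_DATAGRAM = build_datagram([
    build_record("198.51.100.1", "203.0.113.10", 400_000, 180_000_000, 123, 40001, 17),
    build_record("198.51.100.2", "203.0.113.10", 400_000, 180_000_000, 123, 40002, 17),
    build_record("198.51.100.3", "203.0.113.10", 400_000, 180_000_000, 123, 40003, 17),
    build_record("192.0.2.7", "203.0.113.20", 1_200, 900_000, 443, 52000, 6),
])

if __name__ == "__main__":
    parsed = parse_netflow_v5(SAMPLE_DATAGRAM)
    print(f"seq={parsed['sequence']} records={len(parsed['records'])}")
    print("heavy destinations:", flag_heavy_destinations(parsed["records"], 100_000))
```

The length checks matter in a collector that listens on UDP: a header whose record count exceeds the datagram's actual size must be rejected rather than read past the buffer, and the sampling interval has to be applied before any packet total is compared with a threshold, otherwise a router exporting 1:100 samples looks a hundred times quieter than it is.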


Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Adrian Chadd
[snip]

To inject science into the discussion:

http://bsdrp.net/documentation/examples/forwarding_performance_lab_of_an_ibm_system_x3550_m3_with_10-gigabit_intel_x540-at2

And he maintains a test setup to check for performance regressions:

http://bsdrp.net/documentation/examples/freebsd_performance_regression_lab

Now, this is using the in-kernel stack, not netmap/pfring/etc that
uses all the batching-y, stack-shallow-y implementations that the
kernel currently doesn't have. But, there are people out there doing
science on it and trying very hard to kick things along. The nice
thing about what has come out of the DPDK related stuff is, well, the
bar is set very high now. Now it's up to the open source groups to
stop messing around and do something about it.


If you're interested in more of this stuff, go poke Jim at pfsense/netgate.


-adrian
(This and RSS work is plainly in my stuff I do for fun category, btw.)


Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Eduardo Meyer
 - 1x ServerU Netmap L800 box in Bridge Mode for Core Firewall protection
 - 2x ServerU Netmap L800 boxes as BGP router (redundant)
 - Several Netmap L800, L100 and iXSystems servers (iXS for everything else
 since ServerU are only networking-centric, not high storage high processing
 Xeon servers)

 In this setup I am running yet another not well known but very promising
 technology, called Netmap.

 A Netmap firewall (called netmap-ipfw) was supplied from ServerU vendor,
 it's a slightly modified version from what you can download from Luigi
 Rizzo's (netmap author) public repository with multithread capabilities
 based on the number of queues available in the ServerU igb(4) networking
 card.

 What it does is, IMHO, amazing for x86 hardware: line rate firewall on
 1GbE port (1.3-1.4Mpps) and line rate firewall for 10GbE port (12-14Mpps)
 in a system with 8 @2.4Ghz Intel Rangeley CPU.

 It's not Linux DNA. It's not PF_RING. It's not Intel DPDK.

 It's netmap, it's there, available, on FreeBSD base system with a number of
 utilities and code for reference on Rizzos' repositories. It's there, it's
 available and it's amazing.

 This firewall has saved my sleep several times since November, dropping up
 to 9Mpps amplified UDP/NTP traffic on peak DDoS attack rates.

 For the BGP box, I needed trunking, Q-in-Q and vlan. And sadly right now
 this is not available in a netmap implementation.

 It means I had to keep my BGP router in the kernel path. It's funny to say
 this, but Netmap usually skips kernel path completely and does its job
 direct on the NIC, reaching backplane and bus limits directly.

 ServerU people recommended that I use Chelsio Terminator 5 40G ports. OK I
 only needed 10G but they convinced me not to look at the bits per second
 numbers but the packets per seconds number.

 Honestly, I don't know how Chelsio T5 did it, even though ServerU 1GbE
 ports perform very well on interrupt CPU usage (probably this is an
 Intel igb(4) / ix(4) credit) but everything I route from one 40GbE port to
 the other port on the same L-800 expansion card, I have very, very, very
 LOW interrupt rates. Sometimes I have no interrupt at all!!

 I peaked routing 6Mpps on ServerU L-800 and still had CPU there,


I am also a user for FreeBSD netmap-ipfw, running kipfw fwd to, say, fwd
http traffic to a peerapp appliance. My numbers are not line rate, I peak
at 900Kpps, but still have CPU idle.

I had a hard time figuring out how to use netmap-ipfw, due to lack of
updated documentation, but once I got it running and set up, everything was
very straightforward with default code, no modifications, just as available.

I agree FreeBSD-netmap seems more ready, with tools, toolchains and code
available when compared to DPDK or Linux DNA. Also in the hope for further
evolution of Netmap in the base system.

Numbers are impressive indeed.




-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br


Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Colin Johnston
qnx os based router works well with powerpc, could be pushed far higher load 
than intel based chips

Colin


 That's the problem though.
 
 Everyone has presentations for the most part, very few actual tools
 that 
 end users can just use exist.
 
 On 1/28/2015 08:02 PM, Robert Bays wrote:
 On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org
 wrote:
 
 My expertise, such as it ever was, is a bit stale at this point, and
 my
 figures might be a little off. But I think the general principle
 applies: think about the minimum number of x86 instructions, and the
 minimum number of main memory accesses, to inspect a packet header,
 do a
 routing table lookup, and enqueue the packet on an outbound
 interface. I
 can't see that ever getting reduced to the point where a generic
 server
 can handle 40-byte packets at line rate (for that matter, line
 rate is
 increasing a lot faster than speed of generic server these days).
 Using DPDK it’s possible to do everything stated and achieve 10Gbps
 line rate at 64byte packets on multiple interfaces simultaneously.  Add
 ACLs to the test setup and you can reach significant portions of 10Gbps
 at 64byte packets and full line rate at 128bytes.
 
 Check out Venky Venkatesan’s presentation at the last DPDK Summit for
 interesting information on pps/CPU cycles and some of the things that
 can be done to optimize forwarding in a generic processor environment.
 
 
 http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
 
 
 
 
 
 -- 
 Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Baldur Norddahl
10g transceivers are not overly expensive if you buy compatible modules.

SFP+ Direct attach cable is $16.
SFP+ multimode module is $18.
SFP+ singlemode LR module is $48.

That is nothing compared to what vendors are asking for a real router.

I believe there are many startups that are going for 2x 10G transit with
full tables. We are one of them for sure. And then you need a cheap way to
handle up to 20G bidirectional traffic, because as a startup it is not a
good idea to fork over what equals a whole year of salary to Cisco or
Juniper. Even if you have that kind of money, you would want to spend it on
something that will get you revenue.

The obvious solution is a server (or two for redundancy) running Linux or
BSD. You will be getting the Intel NIC with two SFP+ slots, so you can
connect a transit connection directly to each server.

This works well enough. We used a setup just like that for a year, before
we upgraded to a hardware router. The weak point is that it will likely
have trouble if you get hit by a real big DDoS with small packets.

But back to cost of things. If I use my own company as an example, we are a
FTTH provider. We use PON switches with 2x 10G ports on each switch. You
can get many PON switches for the price of one router with at least 4x 10G
ports (equivalent to the Linux routers). The PON switches will earn you
revenue, it is what you connect your customers to. Better to get a bigger
network, than spend the money on a router.

The cost of SFP+/XFP and GPON C+ modules on the PON switch is only about
10% of the cost of the switch itself (again using compatible modules).

A switch with 24x1G and 4x 10G can be bought for $3000. You can fill it
completely with optics for $300 - again about 10%.

My point is that if you are in an environment where every dollar counts,
you do not need to spend a majority of your funds on optics. And neither do
you need that expensive router until later in the game.

Regards,

Baldur





On 28 January 2015 at 15:35, Charles N Wyble char...@thefnf.org wrote:

 There is no free lunch. If you want  tools that end users can just use
 then buy Cisco.

 Otherwise you need to roll up your sleeves and take the pieces and put
 them together. Or hire people like me to do it for you.

 It isn't overly complicated in my opinion. Also you'll find plenty of
 reasonably priced Linux or BSD integration engineers out there across the
 globe who are used to doing this sort of thing.

 Now once you move beyond basic forwarding / high PPS processing (which
 seems mostly commodity now) and get into say 80gbps (40gbps full duplex)
 IPS, IP reputation, data loss prevention, SSL MITM, AV... well that
 requires some very beefy hardware. Can that be done on x86? I doubt it.

 Tilera seems the way to go here. Newer FPGA boards can implement various
 CPU architectures on the fly. You also have CUDA. I hadn't seen Chelsio,
 I'm very excited about that. I'll have one in my grubby little hands soon
 enough.

 Transceivers are still horribly expensive. This is a major portion of the
 BOM cost on any build, no matter what software stack is putting packets
 onto them.

 It isn't so simple once you move beyond the 1gbps range and want full
 feature set. And not in one box I think. Look at https://www.bro.org/ for
 interesting multi box scaling.

 On January 28, 2015 7:02:34 AM CST, Paul S. cont...@winterei.se wrote:
 That's the problem though.
 
 Everyone has presentations for the most part, very few actual tools
 that
 end users can just use exist.
 
 On 1/28/2015 午後 08:02, Robert Bays wrote:
  On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org
 wrote:
 
  My expertise, such as it ever was, is a bit stale at this point, and
 my
  figures might be a little off. But I think the general principle
  applies: think about the minimum number of x86 instructions, and the
  minimum number of main memory accesses, to inspect a packet header,
 do a
  routing table lookup, and enqueue the packet on an outbound
 interface. I
  can't see that ever getting reduced to the point where a generic
 server
  can handle 40-byte packets at line rate (for that matter, line
 rate is
  increasing a lot faster than speed of generic server these days).
  Using DPDK it’s possible to do everything stated and achieve 10Gbps
 line rate at 64byte packets on multiple interfaces simultaneously.  Add
 ACLs to the test setup and you can reach significant portions of 10Gbps
 at 64byte packets and full line rate at 128bytes.
 
  Check out Venky Venkatesan’s presentation at the last DPDK Summit for
 interesting information on pps/CPU cycles and some of the things that
 can be done to optimize forwarding in a generic processor environment.
 
 
 
 http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
 
 
 
 



Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Nick Hilliard
On 28/01/2015 14:45, Colin Johnston wrote:
 A QNX OS based router works well with PowerPC; it could be pushed to a far
 higher load than Intel based chips

that may be so, but how many people out there know how to push qnx that
hard compared to freebsd/linux on amd64 compatible hardware, and how many
people know how to configure up a juniper mx or cisco asr9k, compared to
the number that can tune a freely available unix.  As someone pointed out
elsewhere, there's no such thing as a free lunch.  If you want to economise
on hardware, you should expect to pay for the expertise to do it.

Nick




RE: Alerting systems, Logicmonitor and/or alternatives

2015-01-28 Thread Raymond Burkholder
 What's the collective opinion here? Is anyone using them or a similar service?
 Are there non-cloud-based alternatives that are relatively easy to set up and
 manage? We've explored Zabbix, Nagios, MRTG and its various wrappers,
 and Intermapper. Anything else new on the horizon that has a GUI front-end
 that is configurable without a lot of scripting experience, etc.?

Try OMD.  It packages a python wrapper called check_mk around Nagios and adds 
on charts via an already integrated pnp4nagios.  

The guys doing check_mk have done an amazing job of harnessing the power of 
Nagios through the use of configuration files which nicely minimizes the amount 
of work necessary for getting things monitored, while maximizing how things are 
grouped and structured.

Since I like it so much, I'm in the process of migrating our monitoring from a 
combination of NagiosXI, Observium, and Cacti over to the OMD package. 

It has fast agents for monitoring vsphere.  Has native agents for Linux and 
Windows.  And can do SNMP.  And has good customization for those who want more 
done than what is supplied out of the box.

 
 We would love to buy something that works for us and pay a reasonable
 price for it, but I'm not particularly interested in the equivalent of 
 renting a
 time-share in order to monitor our networks.

Check_mk has support and professional services available.  It is open source 
for those who wish to go the DIY route.

Raymond

blog.raymond.burkholder.net





Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Philip
I recently built a pair of Linux based routers to handle full BGP tables
from 3 upstream providers (10gig links).
I had penguincomputing.com build me two reasonably powerful (dual xeon hex
core processor) servers with SolarFlare
http://solarflare.com/1040GbE-Flareon-Server-IO-Adapters NICs. (I didn't
get a chance to play with open-onload before moving on to a new opportunity)
Rudimentary testing with iperf showed I could saturate a 10gig link with
minimal system load.

With real world traffic, the limits came when we started pushing packets in
the several hundred thousand range. However, this was due to the fact that
these routers were also doing firewall / NAT duty (iptables),
load-balancing (haproxy), VPN endpoints (openvpn), plus the routing eBGP
(quagga), and internally propagating OSPF routes as well (quagga).
Interrupt handling / system load became a problem only when our hadoop
cluster (200+ nodes) started crazy aws s3 communications, otherwise things
ran pretty well.

The systems, configurations and software were pretty much just hacked
together by me. Ideally we would have bought Juniper / Cisco gear, but my
budget of $50K wouldn't even buy half a router after my vendors were done
quoting me the real stuff.
I ended up spending ~$15K to build this solution. I'm not a networking
person though, just a Linux hack, but was able to get this solution working
reliably.

-Philip

On Mon, Jan 26, 2015 at 2:53 PM, micah anderson mi...@riseup.net wrote:


 Hi,

 I know that specially programmed ASICs on dedicated hardware like Cisco,
 Juniper, etc. are going to always outperform a general purpose server
 running gnu/linux, *bsd... but I find the idea of trying to use
 proprietary, NSA-backdoored devices difficult to accept, especially when
 I don't have the budget for it.

 I've noticed that even with a relatively modern system (supermicro with
 a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
 adapters, and 16gig of ram), you still tend to get a high percentage of
 time working on softirqs on all the CPUs when pps reaches somewhere
 around 60-70k, and the traffic approaching 600-900mbit/sec (during a
 DDoS, such hardware cannot typically cope).

 It seems like finding hardware more optimized for very high packet per
 second counts would be a good thing to do. I just have no idea what is
 out there that could meet these goals. I'm unsure if faster CPUs, or
 more CPUs is really the problem, or networking cards, or just plain old
 fashioned tuning.

 Any ideas or suggestions would be welcome!
 micah




Re: Alerting systems, Logicmonitor and/or alternatives

2015-01-28 Thread Dorance Martinez Cortes
Hi Jay,

I have experience with Nagios and Cacti; now I'm experimenting with
LogicMonitor and Observium. Observium is a great tool to discover your
network devices, but it doesn't have great graphics and doesn't have any
alarm system; still, you can get a lot of information about your network
devices, connections, IP addresses, protocols and configurations.
LogicMonitor is a new tool for me, but without comparison with Nagios;
they have good support, but sometimes you need time to create personal
data-points because they don't have recognition for all devices.

Nagios could require time for implementation and experience with the
command line and SNMP. It is not an expensive tool, only if you don't want
to pay for it. But Nagios XI is a great tool with lots of functions,
process automation, graphics, and capacity planning. You can try Nagios XI
with Network Analyzer.

If you don't have a budget, maybe Nagios Core and Observium can offer a
great solution.

For a commercial solution, I recommend Nagios XI and Nagios Network
Analyzer.

2015-01-28 13:06 GMT-05:00 Jay Hennigan j...@west.net:

 I know that this topic has been kicking around for at least a decade,
 but wanted to get current opinions of other network operators. Most of
 us have explored Nagios, MRTG, and several front-ends for MRTG.

 We are looking into a new player in the space called Logicmonitor. They
 have a very functional and easy to navigate front end and configuration
 tool, and I very much like the look-and-feel of their product.

 What I don't like is that they only offer it as a cloud-based service.
 Internal probes tie in to a collector which we maintain. The collector
 then phones home over the Internet to their hosted service periodically
 and they remotely analyze the data and generate alerts, plot graphs, etc.

 From a technical standpoint this adds more points of failure in series,
 will cause missed alerts if their cloud-based service goes down (who is
 guarding the guards?), will cause false alarms if their service is still
 up but can't reach the collector, and doesn't give us a full view under
 the hood.

 Of course their sales guys are giving us "Our time and energy is
 dedicated to reliability and professionally managed multi-carrier
 highly secure data centers" language to encourage the warm fuzzies.

 From a scalability standpoint we incur ever-increasing recurring costs
 as we grow and add monitored devices and services.

 What's the collective opinion here? Is anyone using them or a similar
 service? Are there non-cloud-based alternatives that are relatively easy
 to set up and manage? We've explored Zabbix, Nagios, MRTG and its
 various wrappers, and Intermapper. Anything else new on the horizon that
 has a GUI front-end that is configurable without a lot of scripting
 experience, etc.?

 We would love to buy something that works for us and pay a reasonable
 price for it, but I'm not particularly interested in the equivalent of
 renting a time-share in order to monitor our networks.


 --
 Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
 Impulse Internet Service  -  http://www.impulse.net/
 Your local telephone and internet company - 805 884-6323 - WB6RDV




-- 

Regards,


Dorancé Martínez Cortés
+57 320 6968121
Linux User Number 112632
Nagios Certified Administrator
ITIL Foundation Certification, 2011 ed.
Cali - Colombia
doranc...@gmail.com
http://dmcingenieria.net
http://dmci.co

"If you think technology can solve your security problems, then you don't
understand the problems and you don't understand the technology." Bruce
Schneier


Re: look for BGP routes containing local AS#

2015-01-28 Thread Song Li

Hi Patrick,

We want to know the reason for received routes containing the local ASN. 
Hence we need real cases of such routes on the Internet. Any routes like 
that are welcome, whether they are on a Juniper router or other BGP 
software.


Thank you!

Regards!

Song

On 2015/1/29 1:50, Patrick Tracanelli wrote:


Sorry, what do you need exactly? A sample? For education purposes, are you 
looking for something specific?
Does it need to be on a Juniper router, or will other BGP software do?

I have this scenario from Brazil-US, with specifics getting received both ways 
but it’s not Juniper.




Thanks!

Regards!

Song

On 2015/1/28 16:23, joel jaeggli wrote:

On 1/27/15 5:45 AM, Song Li wrote:

Hi everyone,

Recently I studied the BGP AS path looping problem, and found that in
most cases, the received BGP routes containing local AS# are suspicious.
However, we checked our BGP routing table (AS23910,CERNET2) on juniper
router(show route hidden terse aspath-regex .*23910.* ), and have not
found such routes in Adj-RIB-In.


Updates with your AS in the path are discarded as part of loop
detection, e.g. they do not become candidate routes.

https://tools.ietf.org/html/rfc4271 page 77

  If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
  route should be excluded from the Phase 2 decision function.  AS loop
  detection is done by scanning the full AS path (as specified in the
  AS_PATH attribute), and checking that the autonomous system number of
  the local system does not appear in the AS path.  Operations of a BGP
  speaker that is configured to accept routes with its own autonomous
  system number in the AS path are outside the scope of this document.

in junos

neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

where number is the number of instances of your AS in the path you're
willing to accept will correct that.


We believe that the received BGP routes containing local AS# are related
to a BGP security problem.


You'll have to elaborate, since their existence is a basic principle in
the operation of bgp and they are ubiquitous.

Island instances of a distributed ASN communicate with each other by
allowing such routes in so that they can be evaluated on the basis of
prefix, specificity, AS path length and so forth.


Hence, we want to look for some real cases in
the wild. Could anybody give us some examples of such routes?

Thanks!

Best Regards!

--
Song Li
Room 4-204, FIT Building,
Network Security,
Department of Electronic Engineering,
Tsinghua University, Beijing 100084, China
Tel:( +86) 010-62446440
E-mail: refresh.ls...@gmail.com


--
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316...@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
Long live Hanin Elias, Kim Deal!




--
Song Li
Room 4-204, FIT Building,
Network Security,
Department of Electronic Engineering,
Tsinghua University, Beijing 100084, China
Tel:( +86) 010-62446440
E-mail: refresh.ls...@gmail.com


cable modem firmware upgrade

2015-01-28 Thread A MEKKAOUI
Hi,

Does anyone know how to upgrade Motorola SB6120 cable modem firmware other than
going through the internet provider? Your help will be appreciated.

Thank you

A MEKKAOUI

MEKTEL INC

www.mektel.ca



RE: cable modem firmware upgrade

2015-01-28 Thread Nathan Anderson
On Wednesday, January 28, 2015 8:11 PM, A MEKKAOUI wrote:

 Does anyone know how to upgrade Motorola SB6120 cable modem firmware other
 than going through the internet provider? Your help will be appreciated.

My employer managed a handful of small DOCSIS networks for a while where 99% of 
the modems were Motorola, and as far as I know, there is no way to push a 
firmware update to the modem from the ethernet side...only from the RF side.  
And trust me: I looked.  If I ever had to update the firmware on some batch of 
modems that weren't already deployed on a network, I would hook them up to a 
test CMTS that we had on the bench in order to do so.

I would strongly suspect that this is going to hold true for just about any 
DOCSIS modem.

-- 
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com


Re: PDU for high amp 48Vdc

2015-01-28 Thread Bill Woodcock

The rotary actuators are an off-the-shelf item for transfer switches.  No 
problem to get them paired with high-amperage switches. But a contactor, which 
is a solenoid-driven switch, is also an off-the-shelf item. The ones I use in 
EV applications are rated for 1000A, and cost about $300.  You need to be 
careful to look at the trade-off between voltage, amperage, and the per-cycle 
probability of a weld, though.  An over-rated contactor helps a lot if you're 
going to be cycling it a lot, whereas if it's for emergency use only, you can 
hew a lot closer to the max rating. 


-Bill


 On Jan 28, 2015, at 18:40, Robert Drake rdr...@direcpath.com wrote:
 
 For larger DC devices with ~50amps per side, does anyone have a software 
 accessible way to turn off power?
 
 I've looked into PDUs but the ones I find have a max of 10amps.
 
 I've considered building something with solenoids or a rotary actuator that 
 would turn the switches on or off, but that's a complete one-off and would 
 need to be done for each device we manage (not to mention it involves janky 
 wiring all over the place I've got to explain to the colo)
 
 My use case is pretty infrequent so it needs to be remote-hands cheap.. it's 
 for emergencies when you need to completely power cycle a redundantly powered 
 DC device.  The last time I needed this it was because a router was stuck in 
 a boot loop due to a bad IOS upgrade and wouldn't break to rommon since it 
 had been 60 seconds.  It came up again tonight because we wanted to disable 
 one power supply to troubleshoot something.
 
 FWIW, I believe I've seen newer Cisco gear with high-end power supplies that 
 have a console or ethernet port which would possibly let you shut them down 
 remotely.  That solves the problem nicely if you're dealing with only one bit 
 of hardware, but I'd like a general solution that worked with any vendor.  
 Possibly a fuse panel with solenoids that could add/remove fuses when 
 needed.. or would that be considered dangerous in code-ways or in telco fire 
 regulation ways?
 
 
 
 



Re: PDU for high amp 48Vdc

2015-01-28 Thread Andy Brezinsky
We use ServerTech for -48Vdc switching, 
http://www.servertech.com/products/-48vdcpowermanagement/


Not quite remote-hands cheap, but worth every penny in a pinch.


On 01/28/2015 08:38 PM, Robert Drake wrote:
For larger DC devices with ~50amps per side, does anyone have a 
software accessible way to turn off power?


I've looked into PDUs but the ones I find have a max of 10amps.

I've considered building something with solenoids or a rotary actuator 
that would turn the switches on or off, but that's a complete one-off 
and would need to be done for each device we manage (not to mention it 
involves janky wiring all over the place I've got to explain to the colo)


My use case is pretty infrequent so it needs to be remote-hands 
cheap.. it's for emergencies when you need to completely power cycle a 
redundantly powered DC device.  The last time I needed this it was 
because a router was stuck in a boot loop due to a bad IOS upgrade and 
wouldn't break to rommon since it had been 60 seconds.  It came up 
again tonight because we wanted to disable one power supply to 
troubleshoot something.


FWIW, I believe I've seen newer Cisco gear with high-end power 
supplies that have a console or ethernet port which would possibly let 
you shut them down remotely.  That solves the problem nicely if you're 
dealing with only one bit of hardware, but I'd like a general solution 
that worked with any vendor.  Possibly a fuse panel with solenoids 
that could add/remove fuses when needed.. or would that be considered 
dangerous in code-ways or in telco fire regulation ways?

PDU for high amp 48Vdc

2015-01-28 Thread Robert Drake
For larger DC devices with ~50amps per side, does anyone have a software 
accessible way to turn off power?


I've looked into PDUs but the ones I find have a max of 10amps.

I've considered building something with solenoids or a rotary actuator 
that would turn the switches on or off, but that's a complete one-off 
and would need to be done for each device we manage (not to mention it 
involves janky wiring all over the place I've got to explain to the colo)


My use case is pretty infrequent so it needs to be remote-hands cheap.. 
it's for emergencies when you need to completely power cycle a 
redundantly powered DC device.  The last time I needed this it was 
because a router was stuck in a boot loop due to a bad IOS upgrade and 
wouldn't break to rommon since it had been 60 seconds.  It came up 
again tonight because we wanted to disable one power supply to 
troubleshoot something.


FWIW, I believe I've seen newer Cisco gear with high-end power supplies 
that have a console or ethernet port which would possibly let you shut 
them down remotely.  That solves the problem nicely if you're dealing 
with only one bit of hardware, but I'd like a general solution that 
worked with any vendor.  Possibly a fuse panel with solenoids that could 
add/remove fuses when needed.. or would that be considered dangerous in 
code-ways or in telco fire regulation ways?

Re: Alerting systems, Logicmonitor and/or alternatives

2015-01-28 Thread Rich Kulawiec
On Wed, Jan 28, 2015 at 10:06:26AM -0800, Jay Hennigan wrote:
 What I don't like is that they only offer it as a cloud-based service.

One of the downsides of all such services is that the more successful
they are, the bigger a target they are.  And they're a tempting target,
since successful penetration would yield a wealth of data about every
client they have (if that penetration was limited to read-only access)
and possibly more, e.g., silencing alarms that would otherwise be
triggered (if that penetration allowed write access).

---rsk


RE: cable modem firmware upgrade

2015-01-28 Thread Frank Bulk
And even if you updated it yourself, it's possible that your service
provider's config file would automatically downgrade it.

Best bet is to ask your internet provider to upgrade your modem.  

Frank

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nathan Anderson
Sent: Wednesday, January 28, 2015 10:20 PM
To: 'A MEKKAOUI'; 'nanog@nanog.org'
Subject: RE: cable modem firmware upgrade

On Wednesday, January 28, 2015 8:11 PM, A MEKKAOUI wrote:

 Does anyone know how to upgrade Motorola SB6120 cable modem firmware other
 than going through the internet provider? Your help will be appreciated.

My employer managed a handful of small DOCSIS networks for a while where 99%
of the modems were Motorola, and as far as I know, there is no way to push a
firmware update to the modem from the ethernet side...only from the RF side.
And trust me: I looked.  If I ever had to update the firmware on some batch
of modems that weren't already deployed on a network, I would hook them up
to a test CMTS that we had on the bench in order to do so.

I would strongly suspect that this is going to hold true for just about any
DOCSIS modem.

-- 
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com




Recommended wireless AP for 400 users office

2015-01-28 Thread Manuel Marín
Dear nanog community

I was wondering if you can recommend or share your experience with APs that
you can use in locations that have 300-500 users. A friend recommended
Ruckus Wireless to me; it would be great if you can share your experience
with Ruckus or with a similar vendor.  My experience with Ubiquiti for this
type of requirement was not that good.

Thank you and have a great day


Re: Recommended wireless AP for 400 users office

2015-01-28 Thread Mike Lyon
Check out Xirrus
On Jan 28, 2015 9:08 PM, Manuel Marín m...@transtelco.net wrote:

 Dear nanog community

 I was wondering if you can recommend or share your experience with APs that
 you can use in locations that have 300-500 users. A friend recommended
 Ruckus Wireless to me; it would be great if you can share your experience
 with Ruckus or with a similar vendor.  My experience with Ubiquiti for this
 type of requirement was not that good.

 Thank you and have a great day



Re: Recommended wireless AP for 400 users office

2015-01-28 Thread Tyler Mills
Have had a lot of experience with Ruckus (and UniFi unfortunately).  The
Ruckus platform is one of the best. If you will be responsible for
supporting the deployment, it will save you a lot of frustration when
compared with UBNT.

On Thu Jan 29 2015 at 12:18:54 AM Mike Lyon mike.l...@gmail.com wrote:

 Check out Xirrus
 On Jan 28, 2015 9:08 PM, Manuel Marín m...@transtelco.net wrote:

  Dear nanog community
 
  I was wondering if you can recommend or share your experience with APs
  that you can use in locations that have 300-500 users. A friend
  recommended Ruckus Wireless to me; it would be great if you can share
  your experience with Ruckus or with a similar vendor.  My experience with
  Ubiquiti for this type of requirement was not that good.
 
  Thank you and have a great day
 



Re: look for BGP routes containing local AS#

2015-01-28 Thread Patrick Tracanelli

 On 28/01/2015, at 07:32, Song Li refresh.ls...@gmail.com wrote:
 
 Hi Joel,
 
 It is right that the BGP route containing the local ASN will be dropped. 
 However, such routes can still be displayed on the router. For example, you can 
 run show route hidden terse aspath-regex .*local ASN.* on Juniper to 
 check them. We are looking for those routes. If you can run the command on 
 your Juniper and find such routes, could you please provide them to us?
 

Sorry, what do you need exactly? A sample? For education purposes, are you 
looking for something specific?
Does it need to be on a Juniper router, or will other BGP software do?

I have this scenario from Brazil-US, with specifics getting received both ways 
but it’s not Juniper.



 Thanks!
 
 Regards!
 
 Song
 
 On 2015/1/28 16:23, joel jaeggli wrote:
 On 1/27/15 5:45 AM, Song Li wrote:
 Hi everyone,
 
 Recently I studied the BGP AS path looping problem, and found that in
 most cases, the received BGP routes containing local AS# are suspicious.
 However, we checked our BGP routing table (AS23910,CERNET2) on juniper
 router(show route hidden terse aspath-regex .*23910.* ), and have not
 found such routes in Adj-RIB-In.
 
 Updates with your AS in the path are discarded as part of loop
 detection, e.g. they do not become candidate routes.
 
 https://tools.ietf.org/html/rfc4271 page 77
 
  If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
  route should be excluded from the Phase 2 decision function.  AS loop
  detection is done by scanning the full AS path (as specified in the
  AS_PATH attribute), and checking that the autonomous system number of
  the local system does not appear in the AS path.  Operations of a BGP
  speaker that is configured to accept routes with its own autonomous
  system number in the AS path are outside the scope of this document.
 
 in junos
 
 neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
 
 where number is the number of instances of your AS in the path you're
 willing to accept will correct that.
 
 We believe that the received BGP routes containing local AS# are related
 to a BGP security problem.
 
 You'll have to elaborate, since their existence is a basic principle in
 the operation of bgp and they are ubiquitous.
 
 Island instances of a distributed ASN communicate with each other by
 allowing such routes in so that they can be evaluated on the basis of
 prefix, specificity, AS path length and so forth.
 
 Hence, we want to look for some real cases in
 the wild. Could anybody give us some examples of such routes?
 
 Thanks!
 
 Best Regards!
 
 
 
 
 
 -- 
 Song Li
 Room 4-204, FIT Building,
 Network Security,
 Department of Electronic Engineering,
 Tsinghua University, Beijing 100084, China
 Tel:( +86) 010-62446440
 E-mail: refresh.ls...@gmail.com

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316...@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
Long live Hanin Elias, Kim Deal!
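The loop-detection rule quoted from RFC 4271 above, together with the allowas-in threshold joel mentions, as an added Python example (not code from the thread or from any router vendor). It uses the local ASN 23910 named in the thread; the Adj-RIB-In it evaluates is constructed sample data, and it also shows why a plain substring regex such as ".*23910.*" over-matches on longer ASNs.

```python
"""Added example, not code from the thread or from any router vendor:
RFC 4271 AS-loop detection with an allowas-in threshold, run over a
constructed Adj-RIB-In.

AS paths use the text form routers print: ASNs separated by spaces,
with an AS_SET in braces, e.g. "65010 {23910 65040}".  The local ASN
23910 is the one mentioned in the thread; every prefix and path below
is constructed sample data.
"""
from __future__ import annotations

import re

# Either a brace-delimited AS_SET or a single ASN.
_TOKEN = re.compile(r"\{[^}]*\}|\d+")

LOCAL_ASN = 23910  # AS23910 (CERNET2), as named in the thread

# Constructed Adj-RIB-In: (prefix, AS_PATH as text).
SAMPLE_RIB = [
    ("192.0.2.0/24", "65010 65020"),              # no loop
    ("198.51.100.0/24", "65010 23910 65030"),     # local ASN once
    ("203.0.113.0/24", "65010 {23910 65040}"),    # local ASN inside an AS_SET
    ("198.51.100.128/25", "23910 65050 23910"),   # local ASN twice
    ("203.0.113.128/25", "65010 123910"),         # "23910" is only a substring
]


def parse_as_path(text: str) -> list[int]:
    """Flatten an AS_PATH string into the ASNs it contains.

    AS_SET members are included because RFC 4271 scans the *full* path,
    segments of every type, when looking for the local AS.
    """
    asns: list[int] = []
    for tok in _TOKEN.findall(text):
        if tok.startswith("{"):
            asns.extend(int(n) for n in tok.strip("{}").split())
        else:
            asns.append(int(tok))
    return asns


def local_as_occurrences(as_path: list[int], local_asn: int) -> int:
    """Count how many times local_asn appears in the flattened path."""
    return sum(1 for asn in as_path if asn == local_asn)


def is_as_loop(as_path: list[int], local_asn: int, allowas_in: int = 0) -> bool:
    """True if the route must be excluded from the Phase 2 decision function.

    allowas_in is the number of occurrences of local_asn that are tolerated;
    0 is the RFC 4271 default (any occurrence is a loop).
    """
    return local_as_occurrences(as_path, local_asn) > allowas_in


def evaluate_adj_rib_in(rib, local_asn: int, allowas_in: int = 0):
    """Split received routes into Phase 2 candidates and hidden routes.

    Returns (candidates, hidden), each a list of (prefix, as_path_text).
    The hidden list is what the thread's
    'show route hidden terse aspath-regex .*<local ASN>.*' is meant to show.
    """
    candidates, hidden = [], []
    for prefix, path_text in rib:
        path = parse_as_path(path_text)
        if is_as_loop(path, local_asn, allowas_in):
            hidden.append((prefix, path_text))
        else:
            candidates.append((prefix, path_text))
    return candidates, hidden


def regex_false_positives(rib, local_asn: int) -> list[str]:
    """Prefixes a bare '.*<local ASN>.*' regex flags although the local ASN
    is not in the path (the digits are a substring of a longer ASN)."""
    pattern = re.compile(rf".*{local_asn}.*")
    return [
        prefix
        for prefix, path_text in rib
        if pattern.match(path_text) and local_asn not in parse_as_path(path_text)
    ]


if __name__ == "__main__":
    for allowas in (0, 1):
        cand, hid = evaluate_adj_rib_in(SAMPLE_RIB, LOCAL_ASN, allowas)
        print(f"allowas-in {allowas}: {len(cand)} candidates, {len(hid)} hidden")
        for prefix, path in hid:
            print(f"  hidden {prefix:20} {path}")
    print("regex-only matches:", regex_false_positives(SAMPLE_RIB, LOCAL_ASN))
```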



Re: Alerting systems, Logicmonitor and/or alternatives

2015-01-28 Thread Mel Beckman
The value proposition of all cloud services is that you get instant technical 
capability without building your own infrastructure. I see cloud NMS services 
like LogicMonitor and Spiceworks as a good deal for small organizations without 
their own IT people. But for all the reasons you give, the model doesn't scale 
very well.

For network professionals, the value of self-managed internal monitoring 
infrastructure far outweighs the temporary ease and low cost of cloud 
monitoring. In particular, commercial monitoring offerings, such as 
Intermapper, PRTG, and SolarWinds, are extremely cost effective for business 
network operations. Their cost is easily justifiable, especially if you have a 
busy staff. Yes, you can get many of the commercial tool capabilities in open 
source projects such as OpenNMS and Cacti. But as you note, they can be a pain 
to configure, and if your labor is worth anything, the commercial options are 
usually a better deal.

One exception I've found recently is Mikrotik's The Dude, which is free, but 
not FOSS. It's fully graphical and straightforward to install and configure. It 
has a client/server architecture like Intermapper, but doesn't run natively on 
as many platforms (Windows only; other OSes must use emulation). Although it 
works with any SNMP device, it has special support for Mikrotik, since Mikrotik 
devised it.

To recap, I think cloud monitoring is pointless for managing inside networks 
for any organization having a reasonably capable IT staff. 


On Jan 28, 2015, at 10:06 AM, Jay Hennigan j...@west.net
 wrote:

 I know that this topic has been kicking around for at least a decade,
 but wanted to get current opinions of other network operators. Most of
 us have explored Nagios, MRTG, and several front-ends for MRTG.
 
 We are looking into a new player in the space called Logicmonitor. They
 have a very functional and easy to navigate front end and configuration
 tool, and I very much like the look-and-feel of their product.
 
 What I don't like is that they only offer it as a cloud-based service.
 Internal probes tie in to a collector which we maintain. The collector
 then phones home over the Internet to their hosted service periodically
 and they remotely analyze the data and generate alerts, plot graphs, etc.
 
 From a technical standpoint this adds more points of failure in series,
 will cause missed alerts if their cloud-based service goes down (who is
 guarding the guards?), will cause false alarms if their service is still
 up but can't reach the collector, and doesn't give us a full view under
 the hood.
 
 Of course their sales guys are giving us "Our time and energy is
 dedicated to reliability and professionally managed multi-carrier
 highly secure data centers" language to encourage the warm fuzzies.
 
 From a scalability standpoint we incur ever-increasing recurring costs
 as we grow and add monitored devices and services.
 
 What's the collective opinion here? Is anyone using them or a similar
 service? Are there non-cloud-based alternatives that are relatively easy
 to set up and manage? We've explored Zabbix, Nagios, MRTG and its
 various wrappers, and Intermapper. Anything else new on the horizon that
 has a GUI front-end that is configurable without a lot of scripting
 experience, etc.?
 
 We would love to buy something that works for us and pay a reasonable
 price for it, but I'm not particularly interested in the equivalent of
 renting a time-share in order to monitor our networks.
 
 
 --
 Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
 Impulse Internet Service  -  http://www.impulse.net/
 Your local telephone and internet company - 805 884-6323 - WB6RDV



Alerting systems, Logicmonitor and/or alternatives

2015-01-28 Thread Jay Hennigan
I know that this topic has been kicking around for at least a decade,
but wanted to get current opinions of other network operators. Most of
us have explored Nagios, MRTG, and several front-ends for MRTG.

We are looking into a new player in the space called Logicmonitor. They
have a very functional and easy to navigate front end and configuration
tool, and I very much like the look-and-feel of their product.

What I don't like is that they only offer it as a cloud-based service.
Internal probes tie in to a collector which we maintain. The collector
then phones home over the Internet to their hosted service periodically
and they remotely analyze the data and generate alerts, plot graphs, etc.

From a technical standpoint this adds more points of failure in series,
will cause missed alerts if their cloud-based service goes down (who is
guarding the guards?), will cause false alarms if their service is still
up but can't reach the collector, and doesn't give us a full view under
the hood.

Of course their sales guys are giving us "Our time and energy is
dedicated to reliability and professionally managed multi-carrier
highly secure data centers" language to encourage the warm fuzzies.

From a scalability standpoint we incur ever-increasing recurring costs
as we grow and add monitored devices and services.

What's the collective opinion here? Is anyone using them or a similar
service? Are there non-cloud-based alternatives that are relatively easy
to set up and manage? We've explored Zabbix, Nagios, MRTG and its
various wrappers, and Intermapper. Anything else new on the horizon that
has a GUI front-end that is configurable without a lot of scripting
experience, etc.?

We would love to buy something that works for us and pay a reasonable
price for it, but I'm not particularly interested in the equivalent of
renting a time-share in order to monitor our networks.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: Alerting systems, Logicmonitor and/or alternatives

2015-01-28 Thread Jeff Cornejo
We have used LogicMonitor for a few years to monitor hundreds of network 
devices with no reliability issues, at all. The agents have proven to be 
lightweight and rather unobtrusive. I can’t recall a time where we have ever 
had to intervene during regular operations or one of their upgrades.

We do not use the alerting service at this time so no history to report there.

We have only a few dislikes. One of them is the new skin, but we use the prior one, 
which is still available to us, so it's a relatively minor issue. The pricing is something 
I'm also not crazy about, though they have been willing to work with us on some 
pricing tiers.

Jeff

jeff cornejo
blue ridge internetworks

321 east main st • suite 200
charlottesville va  22902
434.817.0707 x 2001
www.briworks.com http://www.briworks.com/

Central Virginia’s technology authority since 2000.

 On Jan 28, 2015, at 1:06 PM, Jay Hennigan j...@west.net wrote:
 
 I know that this topic has been kicking around for at least a decade,
 but wanted to get current opinions of other network operators. Most of
 us have explored Nagios, MRTG, and several front-ends for MRTG.
 
 We are looking into a new player in the space called Logicmonitor. They
 have a very functional and easy to navigate front end and configuration
 tool, and I very much like the look-and-feel of their product.
 
 What I don't like is that they only offer it as a cloud-based service.
 Internal probes tie in to a collector which we maintain. The collector
 then phones home over the Internet to their hosted service periodically
 and they remotely analyze the data and generate alerts, plot graphs, etc.
 
 From a technical standpoint this adds more points of failure in series,
 will cause missed alerts if their cloud-based service goes down (who is
 guarding the guards?), will cause false alarms if their service is still
 up but can't reach the collector, and doesn't give us a full view under
 the hood.
 
 Of course their sales guys are giving us "Our time and energy is
 dedicated to reliability and professionally managed multi-carrier
 highly secure data centers" language to encourage the warm fuzzies.
 
 From a scalability standpoint we incur ever-increasing recurring costs
 as we grow and add monitored devices and services.
 
 What's the collective opinion here? Is anyone using them or a similar
 service? Are there non-cloud-based alternatives that are relatively easy
 to set up and manage? We've explored Zabbix, Nagios, MRTG and its
 various wrappers, and Intermapper. Anything else new on the horizon that
 has a GUI front-end that is configurable without a lot of scripting
 experience, etc.?
 
 We would love to buy something that works for us and pay a reasonable
 price for it, but I'm not particularly interested in the equivalent of
 renting a time-share in order to monitor our networks.
 
 
 --
 Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
 Impulse Internet Service  -  http://www.impulse.net/
 Your local telephone and internet company - 805 884-6323 - WB6RDV





Re: Alerting systems, Logicmonitor and/or alternatives

2015-01-28 Thread charles



What's the collective opinion here? Is anyone using them or a similar
service? Are there non-cloud-based alternatives that are relatively easy
to set up and manage? We've explored Zabbix, Nagios, MRTG and its
various wrappers, and Intermapper. Anything else new on the horizon that
has a GUI front-end that is configurable without a lot of scripting
experience, etc.?


Zenoss. I have it monitoring about 4k end points. The documentation is 
phenomenal. I've not had to touch the command line at all for any 
operations. I have two cron jobs on the server (one to do a weekly 
backup to a tar file that gets grabbed by my backup systems, one to run 
zendisc on only subnets I care about, and not everything in Zenoss, which 
is the default). The learning curve was pretty much non-existent (you 
install it (which is apt-get or yum or scripted [I think appliances 
exist, I dunno]), connect with default creds, change your creds, scan 
your network, classify devices, set up alerting rules and contacts). This 
all presumes you have SNMP already set up, of course (which is trivial to 
do on just about everything). (Oh, I did use the CLI to load in MIBs, but 
that's a one-time operation (unless you are constantly adding new 
vendors to your network, I guess).)




We would love to buy something that works for us and pay a reasonable
price for it, but I'm not particularly interested in the equivalent of
renting a time-share in order to monitor our networks.


Indeed. You should be able to find plenty of Linux engineers that could 
easily set this up. I would probably charge about $250.00 to $500.00 
flat rate for a zenoss deployment, and could deliver it in 8 to 30 hours 
fully ready to go (range depends on size of deployment, HA, multi site 
etc). I expect most other engineers could do about the same (or maybe a 
bit longer if they've never worked with Zenoss before).


(I'm that weird Linux/Windows/VM/storage/security/app admin type who is 
now getting his CCIE cause networking looks fun).





--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: look for BGP routes containing local AS#

2015-01-28 Thread joel jaeggli
On 1/28/15 1:32 AM, Song Li wrote:
 Hi Joel,
 
 It is right that the BGP route containing the local ASN will be dropped.
 However, such routes can still be displayed on router. 

There is also the non-zero probability that they don't arrive.

If this is an edge router, your neighbor is a Juniper, and the only
instance of prefix advertisement with this case is your advertisement
from your router, you're not going to get it.

From:

---
https://www.juniper.net/documentation/en_US/junos14.2/topics/topic-map/bgp-route-advertisement.html

Disabling Suppression of Route Advertisements
Junos OS does not advertise the routes learned from one EBGP peer back
to the same external BGP (EBGP) peer. In addition, the software does not
advertise those routes back to any EBGP peers that are in the same AS as
the originating peer, regardless of the routing instance. You can modify
this behavior by including the advertise-peer-as statement in the
configuration. To disable the default advertisement suppression, include
the advertise-peer-as statement:

advertise-peer-as;

Note: The route suppression default behavior is disabled if the
as-override statement is included in the configuration.
If you include the advertise-peer-as statement in the configuration, BGP
advertises the route regardless of this check.

To restore the default behavior, include the no-advertise-peer-as
statement in the configuration:

no-advertise-peer-as;
If you include both the as-override and no-advertise-peer-as statements
in the configuration, the no-advertise-peer-as statement is ignored. You
can include these statements at multiple hierarchy levels.

For a list of hierarchy levels at which you can include these
statements, see the statement summary section for these statements.

---

If this is an edge router and your provider is filtering those, either
from above or for other reasons, then you won't receive them.

If this is an iBGP session and they're not being accepted on the edge
router, you will never see them.

 For example, you
 can run show route hidden terse aspath-regex .*local ASN.* on
 Juniper to check them. We are looking for those routes. If you can run
 the command on your Juniper and find such routes, could you please
 provide them for us?
 
 Thanks!
 
 Regards!
 
 Song
 
 On 2015/1/28 16:23, joel jaeggli wrote:
 On 1/27/15 5:45 AM, Song Li wrote:
 Hi everyone,

 Recently I studied the BGP AS path looping problem, and found that in
 most cases, the received BGP routes containing local AS# are suspicious.
 However, we checked our BGP routing table (AS23910,CERNET2) on juniper
 router(show route hidden terse aspath-regex .*23910.* ), and have not
 found such routes in Adj-RIB-In.

 Updates with your AS in the path are discarded as part of loop
 detection, e.g. they do not become candidate routes.

 https://tools.ietf.org/html/rfc4271 page 77

 If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
 route should be excluded from the Phase 2 decision function.  AS loop
 detection is done by scanning the full AS path (as specified in the
 AS_PATH attribute), and checking that the autonomous system number of
 the local system does not appear in the AS path.  Operations of a BGP
 speaker that is configured to accept routes with its own autonomous
 system number in the AS path are outside the scope of this document.

 in junos

 neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

 where number is the number of instances of your AS in the path you're
 willing to accept will correct that.

 We believe that the received BGP routes containing local AS# are related
 to BGP security problem.

 You'll have to elaborate, since their existence is a basic principle in
 the operation of bgp and they are ubiquitous.

 Island instances of a distributed ASN communicate with each other by
 allowing such routes in so that they can be evaluated on the basis of
 prefix, specificity, AS path length and so forth.

 Hence, we want to look for some real cases in
 the wild. Could anybody give us some examples of such routes?

 Thanks!

 Best Regards!



 
 




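The loop-detection rule from the RFC text Joel quotes, the "allowas-in N" relaxation he mentions, and the advertise-peer-as suppression from the quoted Junos documentation, written out as an added Python example. This is not code from the thread, from Juniper or from the RFC: the Route class, the function names and the sample Adj-RIB-In entries are constructed for this example; 23910 is the AS from the thread, the other ASNs are documentation ASNs from RFC 5398. The looped_prefixes() function is the equivalent of Song's `show route hidden terse aspath-regex .*23910.*` query, listing the received routes that loop detection would hide.

```python
"""AS-path loop detection (RFC 4271 section 9.1.2) and Junos-style
advertisement suppression, as an added illustration of the thread.

Added example; not code from the thread, Juniper, or the RFC.  The
Route class, sample routes and function names are constructed here.
"""
from dataclasses import dataclass
from typing import List, Tuple

LOCAL_ASN = 23910  # the AS from the thread (CERNET2)


@dataclass
class Route:
    prefix: str
    as_path: List[int]   # AS_PATH as received, leftmost = nearest AS
    peer_as: int         # AS of the EBGP peer the route was learned from


# Constructed sample Adj-RIB-In.  64496-64511 are documentation ASNs.
ROUTES = [
    Route("203.0.113.0/24", [64496, 64497], 64496),
    Route("198.51.100.0/24", [64496, 23910, 64498], 64496),        # loops once
    Route("192.0.2.0/24", [64497, 23910, 23910, 64499], 64497),    # loops twice
    Route("2001:db8::/32", [64496], 64496),
]


def local_as_occurrences(route: Route, local_asn: int = LOCAL_ASN) -> int:
    """How many times the local AS appears in the received AS_PATH."""
    return route.as_path.count(local_asn)


def accept_update(route: Route, local_asn: int = LOCAL_ASN,
                  allowas_in: int = 0) -> bool:
    """RFC 4271: a route whose AS_PATH contains the local AS is excluded
    from the Phase 2 decision process.  'allowas-in N' (as Joel describes
    it) accepts up to N occurrences, which is how island instances of a
    distributed ASN get to see each other's routes."""
    return local_as_occurrences(route, local_asn) <= allowas_in


def looped_prefixes(routes: List[Route], local_asn: int = LOCAL_ASN) -> List[str]:
    """Equivalent of 'show route hidden terse aspath-regex .*<local ASN>.*':
    the prefixes loop detection would hide from the RIB."""
    return [r.prefix for r in routes if local_as_occurrences(r, local_asn) > 0]


def partition_rib(routes: List[Route], local_asn: int = LOCAL_ASN,
                  allowas_in: int = 0) -> Tuple[List[str], List[str]]:
    """Split the Adj-RIB-In into (candidate, hidden) prefix lists."""
    candidate = [r.prefix for r in routes if accept_update(r, local_asn, allowas_in)]
    hidden = [r.prefix for r in routes if not accept_update(r, local_asn, allowas_in)]
    return candidate, hidden


def should_advertise(route: Route, to_peer_as: int, local_asn: int = LOCAL_ASN,
                     advertise_peer_as: bool = False) -> bool:
    """Junos default (quoted above): a route learned from an EBGP peer is not
    advertised back to that peer, nor to any other EBGP peer in the same AS
    as the originating peer.  'advertise-peer-as' disables the suppression.
    The rule concerns EBGP peers only, so an iBGP peer is always eligible."""
    if to_peer_as == local_asn:          # iBGP neighbour
        return True
    if advertise_peer_as:                # suppression explicitly disabled
        return True
    return route.peer_as != to_peer_as   # default: do not hand it back to its source AS


if __name__ == "__main__":
    candidate, hidden = partition_rib(ROUTES)
    print("candidate:", candidate)
    print("hidden (would need allowas-in):", hidden)
    print("looped:", looped_prefixes(ROUTES))
    for r in ROUTES:
        print(r.prefix, "advertise back to AS%d?" % r.peer_as,
              should_advertise(r, r.peer_as))
```

The hidden list is the place to look for the routes Song is asking about: with the default `allowas_in=0` they never become candidates, but they are still visible in the received RIB, which is exactly why Joel points out that whether they show up at all depends on the upstream filtering and whether the session is eBGP or iBGP.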