Re: scaling linux-based router hardware recommendations
I was trying not to pitch my company on list, but the performance numbers I quoted are on the Vyatta/Brocade vRouter which is commercially available. Other vendors also have publicly available performance numbers that are interesting.

On Jan 28, 2015, at 5:02 AM, Paul S. cont...@winterei.se wrote:

> That's the problem though. Everyone has presentations for the most part, very few actual tools that end users can just use exist.
>
> On 1/28/2015 08:02 PM, Robert Bays wrote:
>
>> On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:
>>
>>> My expertise, such as it ever was, is a bit stale at this point, and my figures might be a little off. But I think the general principle applies: think about the minimum number of x86 instructions, and the minimum number of main memory accesses, to inspect a packet header, do a routing table lookup, and enqueue the packet on an outbound interface. I can't see that ever getting reduced to the point where a generic server can handle 40-byte packets at line rate (for that matter, line rate is increasing a lot faster than speed of generic server these days).
>>
>> Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate at 64byte packets on multiple interfaces simultaneously. Add ACLs to the test setup and you can reach significant portions of 10Gbps at 64byte packets and full line rate at 128bytes. Check out Venky Venkatesan’s presentation at the last DPDK Summit for interesting information on pps/CPU cycles and some of the things that can be done to optimize forwarding in a generic processor environment.
>>
>> http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
Re: look for BGP routes containing local AS#
It used to be the case that looped routes didn't even show up as hidden routes, because Junos discarded them even from Adj-RIB-In, although this may have changed at some Junos version. Also, Junos won't even advertise such looped routes to a neighbor with the same AS by default, so in many cases you won't see it at all if you are peering with a Juniper unless it is specifically configured to send these looped routes with advertise-peer-as, or change the AS number with as-override.

On Wed, Jan 28, 2015 at 05:32:34PM +0800, Song Li wrote:

> Hi Joel,
>
> It is right that the BGP route containing the local ASN will be dropped. However, such routes can still be displayed on the router. For example, you can run show route hidden terse aspath-regex .*local ASN.* on Juniper to check them. We are looking for those routes. If you can run the command on your Juniper and find such routes, could you please provide them for us?
>
> Thanks!
> Regards!
> Song
>
> On 2015/1/28 16:23, joel jaeggli wrote:
>
>> On 1/27/15 5:45 AM, Song Li wrote:
>>
>>> Hi everyone,
>>>
>>> Recently I studied the BGP AS path looping problem, and found that in most cases, the received BGP routes containing local AS# are suspicious. However, we checked our BGP routing table (AS23910, CERNET2) on a juniper router (show route hidden terse aspath-regex .*23910.*), and have not found such routes in Adj-RIB-In.
>>
>> Updates with your AS in the path are discarded as part of loop detection, e.g. they do not become candidate routes.
>>
>> https://tools.ietf.org/html/rfc4271 page 77
>>
>> If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document.
>>
>> in junos
>>
>> neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
>>
>> where number is the number of instances of your AS in the path you're willing to accept will correct that.
>>
>>> We believe that the received BGP routes containing local AS# are related to BGP security problem.
>>
>> You'll have to elaborate, since their existence is a basic principle in the operation of bgp and they are ubiquitous. Island instances of a distributed ASN communicate with each other by allowing such routes in so that they can be evaluated on the basis of prefix, specificity, AS path length and so forth.
>>
>>> Hence, we want to look for some real cases in the wild. Could anybody give us some examples of such routes?
Re: Cisco IOS stable/production safe versions?
Nick Ellermann nellerm...@broadaspect.com writes:

> I have a Cisco IOS specific question for the group and also specifically related to the 6500 platform. We have always been very conservative with our IOS version that we run in production, we are still running a pretty old safe harbor build of 12.2.x on SUP 720 3BXLs with BGP and OSPF routing. Any advice from fellow network operators that are running the 6500 platform in the core still for versions that are considered safe for production? We are stable, but I am really wanting access to features such as Netflow v9, etc. Thanks for any advice!

You're pretty spot on with your thinking here. Don't upgrade unless there's a known vulnerability, a bug fix or a feature that you need on a particular device; and don't expose your management to the Internet. tl;dr: don't fix what isn't broken.

Having said that; make use of the software download tools on your CCO account. Cisco has a list of recommended builds for your particular platform and code train. When in doubt you can always fall back to S-train stuff on a Sup720. -S images were made for service providers and are generally very stable.

-Daniel
Re: look for BGP routes containing local AS#
If your ISP utilizes Juniper platforms, you might have to ask them to allow the advertisement of these routes, see http://www.firstdigest.com/2012/09/cisco-vs-juniper-different-ebgp-behavior/

On 28 January 2015 at 09:32, Song Li refresh.ls...@gmail.com wrote:

> Hi Joel,
>
> It is right that the BGP route containing the local ASN will be dropped. However, such routes can still be displayed on the router. For example, you can run show route hidden terse aspath-regex .*local ASN.* on Juniper to check them. We are looking for those routes. If you can run the command on your Juniper and find such routes, could you please provide them for us?
>
> Thanks!
> Regards!
> Song
>
> On 2015/1/28 16:23, joel jaeggli wrote:
>
>> On 1/27/15 5:45 AM, Song Li wrote:
>>
>>> Hi everyone,
>>>
>>> Recently I studied the BGP AS path looping problem, and found that in most cases, the received BGP routes containing local AS# are suspicious. However, we checked our BGP routing table (AS23910, CERNET2) on a juniper router (show route hidden terse aspath-regex .*23910.*), and have not found such routes in Adj-RIB-In.
>>
>> Updates with your AS in the path are discarded as part of loop detection, e.g. they do not become candidate routes.
>>
>> https://tools.ietf.org/html/rfc4271 page 77
>>
>> If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document.
>>
>> in junos
>>
>> neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
>>
>> where number is the number of instances of your AS in the path you're willing to accept will correct that.
>>
>>> We believe that the received BGP routes containing local AS# are related to BGP security problem.
>>
>> You'll have to elaborate, since their existence is a basic principle in the operation of bgp and they are ubiquitous. Island instances of a distributed ASN communicate with each other by allowing such routes in so that they can be evaluated on the basis of prefix, specificity, AS path length and so forth.
>>
>>> Hence, we want to look for some real cases in the wild. Could anybody give us some examples of such routes?
>>>
>>> Thanks!
>>> Best Regards!
>
> --
> Song Li
> Room 4-204, FIT Building, Network Security, Department of Electronic Engineering, Tsinghua University, Beijing 100084, China
> Tel: (+86) 010-62446440
> E-mail: refresh.ls...@gmail.com
Re: look for BGP routes containing local AS#
Thanks! It seems hard to see such routes on the edge router. Nonetheless, we do believe there must exist such routes in the wild. We still hope to find some real cases of them. If anybody sees them in your routers, please let us know.

Regards!
Song

On 2015/1/28 21:27, Chuck Anderson wrote:

> It used to be the case that looped routes didn't even show up as hidden routes, because Junos discarded them even from Adj-RIB-In, although this may have changed at some Junos version. Also, Junos won't even advertise such looped routes to a neighbor with the same AS by default, so in many cases you won't see it at all if you are peering with a Juniper unless it is specifically configured to send these looped routes with advertise-peer-as, or change the AS number with as-override.
>
> On Wed, Jan 28, 2015 at 05:32:34PM +0800, Song Li wrote:
>
>> Hi Joel,
>>
>> It is right that the BGP route containing the local ASN will be dropped. However, such routes can still be displayed on the router. For example, you can run show route hidden terse aspath-regex .*local ASN.* on Juniper to check them. We are looking for those routes. If you can run the command on your Juniper and find such routes, could you please provide them for us?
>>
>> Thanks!
>> Regards!
>> Song
>>
>> On 2015/1/28 16:23, joel jaeggli wrote:
>>
>>> On 1/27/15 5:45 AM, Song Li wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> Recently I studied the BGP AS path looping problem, and found that in most cases, the received BGP routes containing local AS# are suspicious. However, we checked our BGP routing table (AS23910, CERNET2) on a juniper router (show route hidden terse aspath-regex .*23910.*), and have not found such routes in Adj-RIB-In.
>>>
>>> Updates with your AS in the path are discarded as part of loop detection, e.g. they do not become candidate routes.
>>>
>>> https://tools.ietf.org/html/rfc4271 page 77
>>>
>>> If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document.
>>>
>>> in junos
>>>
>>> neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
>>>
>>> where number is the number of instances of your AS in the path you're willing to accept will correct that.
>>>
>>>> We believe that the received BGP routes containing local AS# are related to BGP security problem.
>>>
>>> You'll have to elaborate, since their existence is a basic principle in the operation of bgp and they are ubiquitous. Island instances of a distributed ASN communicate with each other by allowing such routes in so that they can be evaluated on the basis of prefix, specificity, AS path length and so forth.
>>>
>>>> Hence, we want to look for some real cases in the wild. Could anybody give us some examples of such routes?

--
Song Li
Room 4-204, FIT Building, Network Security, Department of Electronic Engineering, Tsinghua University, Beijing 100084, China
Tel: (+86) 010-62446440
E-mail: refresh.ls...@gmail.com
Re: scaling linux-based router hardware recommendations
There is no free lunch. If you want tools that end users can just use then buy Cisco. Otherwise you need to roll up your sleeves and take the pieces and put them together. Or hire people like me to do it for you. It isn't overly complicated in my opinion. Also you'll find plenty of reasonably priced Linux or BSD integration engineers out there across the globe who are used to doing this sort of thing.

Now once you move beyond basic forwarding / high PPS processing (which seems mostly commodity now) and get into say 80gbps (40gbps full duplex) IPS, ip reputation, data loss prevention, SSL MITM, AV... well that requires some very beefy hardware. Can that be done on x86? I doubt it. Tilera seems the way to go here. Newer FPGA boards can implement various CPU architectures on the fly. You also have CUDA.

I hadn't seen chelsio, I'm very excited about that. I'll have one in my grubby little hands soon enough.

Transceivers are still horribly expensive. This is a major portion of the BOM cost on any build, no matter what software stack is putting packets onto them.

It isn't so simple once you move beyond the 1gbps range and want full feature set. And not in one box I think. Look at https://www.bro.org/ for interesting multi box scaling.

On January 28, 2015 7:02:34 AM CST, Paul S. cont...@winterei.se wrote:

> That's the problem though. Everyone has presentations for the most part, very few actual tools that end users can just use exist.
>
> On 1/28/2015 08:02 PM, Robert Bays wrote:
>
>> On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:
>>
>>> My expertise, such as it ever was, is a bit stale at this point, and my figures might be a little off. But I think the general principle applies: think about the minimum number of x86 instructions, and the minimum number of main memory accesses, to inspect a packet header, do a routing table lookup, and enqueue the packet on an outbound interface. I can't see that ever getting reduced to the point where a generic server can handle 40-byte packets at line rate (for that matter, line rate is increasing a lot faster than speed of generic server these days).
>>
>> Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate at 64byte packets on multiple interfaces simultaneously. Add ACLs to the test setup and you can reach significant portions of 10Gbps at 64byte packets and full line rate at 128bytes. Check out Venky Venkatesan’s presentation at the last DPDK Summit for interesting information on pps/CPU cycles and some of the things that can be done to optimize forwarding in a generic processor environment.
>>
>> http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: look for BGP routes containing local AS#
Hi Joel,

It is right that the BGP route containing the local ASN will be dropped. However, such routes can still be displayed on the router. For example, you can run show route hidden terse aspath-regex .*local ASN.* on Juniper to check them. We are looking for those routes. If you can run the command on your Juniper and find such routes, could you please provide them for us?

Thanks!
Regards!
Song

On 2015/1/28 16:23, joel jaeggli wrote:

> On 1/27/15 5:45 AM, Song Li wrote:
>
>> Hi everyone,
>>
>> Recently I studied the BGP AS path looping problem, and found that in most cases, the received BGP routes containing local AS# are suspicious. However, we checked our BGP routing table (AS23910, CERNET2) on a juniper router (show route hidden terse aspath-regex .*23910.*), and have not found such routes in Adj-RIB-In.
>
> Updates with your AS in the path are discarded as part of loop detection, e.g. they do not become candidate routes.
>
> https://tools.ietf.org/html/rfc4271 page 77
>
> If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document.
>
> in junos
>
> neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
>
> where number is the number of instances of your AS in the path you're willing to accept will correct that.
>
>> We believe that the received BGP routes containing local AS# are related to BGP security problem.
>
> You'll have to elaborate, since their existence is a basic principle in the operation of bgp and they are ubiquitous. Island instances of a distributed ASN communicate with each other by allowing such routes in so that they can be evaluated on the basis of prefix, specificity, AS path length and so forth.
>
>> Hence, we want to look for some real cases in the wild. Could anybody give us some examples of such routes?
>>
>> Thanks!
>> Best Regards!

--
Song Li
Room 4-204, FIT Building, Network Security, Department of Electronic Engineering, Tsinghua University, Beijing 100084, China
Tel: (+86) 010-62446440
E-mail: refresh.ls...@gmail.com
Re: look for BGP routes containing local AS#
On 1/27/15 5:45 AM, Song Li wrote:

> Hi everyone,
>
> Recently I studied the BGP AS path looping problem, and found that in most cases, the received BGP routes containing local AS# are suspicious. However, we checked our BGP routing table (AS23910, CERNET2) on a juniper router (show route hidden terse aspath-regex .*23910.*), and have not found such routes in Adj-RIB-In.

Updates with your AS in the path are discarded as part of loop detection, e.g. they do not become candidate routes.

https://tools.ietf.org/html/rfc4271 page 77

If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document.

in junos

neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

where number is the number of instances of your AS in the path you're willing to accept will correct that.

> We believe that the received BGP routes containing local AS# are related to BGP security problem.

You'll have to elaborate, since their existence is a basic principle in the operation of bgp and they are ubiquitous. Island instances of a distributed ASN communicate with each other by allowing such routes in so that they can be evaluated on the basis of prefix, specificity, AS path length and so forth.

> Hence, we want to look for some real cases in the wild. Could anybody give us some examples of such routes?
>
> Thanks!
> Best Regards!
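The RFC 4271 loop check quoted in this thread, and the "accept up to N instances of your own AS" knob, as an added worked example (written for this page; it is not code from any participant and not Junos or Cisco code). It models how a speaker scans the full AS_PATH, AS_SETs included, for its own ASN, and shows the token-based lookup a defender should use when post-processing route dumps, since a plain substring regex over text would also hit 164500 or 645001. LOCAL_AS 64500, the prefixes and the paths are constructed (documentation ASN and address ranges).

```python
import re

# Constructed for this example: a documentation-range local AS.
LOCAL_AS = 64500

# AS_SET members are shown in braces, the usual router display convention.
_TOKEN = re.compile(r"\{[^}]*\}|\d+")


def parse_as_path(text):
    """Parse a textual AS_PATH into segments: ('seq', [..]) or ('set', [..])."""
    segments = []
    for tok in _TOKEN.findall(text):
        if tok.startswith("{"):
            segments.append(("set", [int(a) for a in re.findall(r"\d+", tok)]))
        else:
            asn = int(tok)
            if segments and segments[-1][0] == "seq":
                segments[-1][1].append(asn)
            else:
                segments.append(("seq", [asn]))
    return segments


def count_local_as(segments, local_as):
    """RFC 4271 9.1.2: the whole path is scanned, AS_SET members included."""
    return sum(members.count(local_as) for _kind, members in segments)


def loop_check(as_path_text, local_as, allowas_in=0):
    """Return (accept, occurrences).

    allowas_in=0 is the default RFC behaviour: any occurrence of local_as
    excludes the route from the Phase 2 decision. allowas_in=N mirrors the
    knob discussed in the thread: tolerate up to N occurrences.
    """
    n = count_local_as(parse_as_path(as_path_text), local_as)
    return (n <= allowas_in, n)


def find_looped_routes(routes, local_as):
    """What 'show route hidden terse aspath-regex .*<AS>.*' is after: prefixes
    whose path contains local_as. Matching on parsed AS tokens rather than on
    the text means 64500 does not match 164500 or 645001."""
    return [prefix for prefix, path in routes
            if count_local_as(parse_as_path(path), local_as) > 0]


# Constructed sample of an Adj-RIB-In, (prefix, AS_PATH as displayed).
SAMPLE_ADJ_RIB_IN = [
    ("192.0.2.0/24", "64496 64497"),                # clean
    ("198.51.100.0/24", "64496 64500 64498"),       # our AS mid-path: loop
    ("203.0.113.0/24", "64499 {64500 64501}"),      # our AS inside an AS_SET
    ("203.0.113.128/25", "64496 164500 645001"),    # substring decoys, no loop
    ("198.51.100.128/25", "64500 64500 64497"),     # two instances
]

if __name__ == "__main__":
    for prefix, path in SAMPLE_ADJ_RIB_IN:
        ok, n = loop_check(path, LOCAL_AS, allowas_in=1)
        print(f"{prefix:20} {path:24} occurrences={n} accept(allowas-in 1)={ok}")
    print("hidden by default loop detection:", find_looped_routes(SAMPLE_ADJ_RIB_IN, LOCAL_AS))
```

Note that on Junos itself `aspath-regex` already matches on whole AS numbers; the token-based matching matters when the output is scraped into a script, which is what the thread's request for "real cases in the wild" would end up doing.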
Re: scaling linux-based router hardware recommendations
On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:

> My expertise, such as it ever was, is a bit stale at this point, and my figures might be a little off. But I think the general principle applies: think about the minimum number of x86 instructions, and the minimum number of main memory accesses, to inspect a packet header, do a routing table lookup, and enqueue the packet on an outbound interface. I can't see that ever getting reduced to the point where a generic server can handle 40-byte packets at line rate (for that matter, line rate is increasing a lot faster than speed of generic server these days).

Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate at 64byte packets on multiple interfaces simultaneously. Add ACLs to the test setup and you can reach significant portions of 10Gbps at 64byte packets and full line rate at 128bytes. Check out Venky Venkatesan’s presentation at the last DPDK Summit for interesting information on pps/CPU cycles and some of the things that can be done to optimize forwarding in a generic processor environment.

http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
Re: scaling linux-based router hardware recommendations
That's the problem though. Everyone has presentations for the most part, very few actual tools that end users can just use exist.

On 1/28/2015 08:02 PM, Robert Bays wrote:

> On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:
>
>> My expertise, such as it ever was, is a bit stale at this point, and my figures might be a little off. But I think the general principle applies: think about the minimum number of x86 instructions, and the minimum number of main memory accesses, to inspect a packet header, do a routing table lookup, and enqueue the packet on an outbound interface. I can't see that ever getting reduced to the point where a generic server can handle 40-byte packets at line rate (for that matter, line rate is increasing a lot faster than speed of generic server these days).
>
> Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate at 64byte packets on multiple interfaces simultaneously. Add ACLs to the test setup and you can reach significant portions of 10Gbps at 64byte packets and full line rate at 128bytes. Check out Venky Venkatesan’s presentation at the last DPDK Summit for interesting information on pps/CPU cycles and some of the things that can be done to optimize forwarding in a generic processor environment.
>
> http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
Re: Network ops lists.
On Wed, Jan 28, 2015 at 2:27 AM, Seiichi Kawamura kawamu...@mesh.ad.jp wrote:

> Not my list, but here's one. http://www.bugest.net/nogs.html I'm sure there's more though. BDNOG, BTNOG, HKNOG ...

As has been mentioned, there are also a few special purpose non-geographic lists around. Voiceops for VoIP (http://www.voiceops.org/), DC-Ops for Data Centre operation discussion (https://puck.nether.net/mailman/listinfo/dc-ops), IPv6 Ops for IPv6 specific stuff (http://lists.cluenet.de/pipermail/ipv6-ops/) come to mind.

Be aware that other regional ops mailing lists can be a little quieter than NANOG. UKNOF (http://www.uknof.org.uk/) is a great example of this: there are lots of great people from loads of ISPs and network operators on that list, with lots of experience of the UK and Western Europe, and they also host two meetings a year, a bit like the NANOG meetings, but if you subscribed to the list you might think it a little dead until someone posts something on topic. Their meeting last week had nearly 300 attendees, including BT, the BBC, Cisco, Akamai and Amazon along with a heck of a lot of very interesting talks, most of which are on Youtube. You will find that other regional groups do similar things as well.

HTH,
Alex
Re: scaling linux-based router hardware recommendations
On 28/1/15 16:45, Colin Johnston wrote:

> qnx os based router works well with powerpc, could be pushed far higher load than intel based chips

The problem being that QNX is a 32-bit kernel.

Mark.
Re: DDOS, IDS, RTBH, and Rate limiting
Hello, folks!

NetFlow v5 and v9 support has just been added to FastNetMon: https://github.com/FastVPSEestiOu/fastnetmon

Now you can catch DDoS attacks and collect data from sFlow v5, NetFlow v5/v9 and even from a mirror port with PF_RING in one tool simultaneously!

Will be very glad for feedback and testing!

On Wed, Dec 3, 2014 at 7:57 AM, Roland Dobbins rdobb...@arbor.net wrote:

> On 2 Dec 2014, at 17:18, Pavel Odintsov wrote:
>
>> In near future I will add netflow v5 support.
>
> Good job - you should really go for NetFlow v9 when you can, as it supports IPv6 and MPLS labels. Next would be IPFIX.
>
> ---
> Roland Dobbins rdobb...@arbor.net

--
Sincerely yours, Pavel Odintsov
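What "catch DDoS attacks from NetFlow v5" amounts to at the wire level, as an added example written for this page (it is not FastNetMon's code and does not reproduce its logic): a parser for the fixed v5 header and 48-byte records, sampling-rate correction, and a per-destination packet-rate threshold. The datagram is built locally by the `build_v5_datagram` fixture from constructed flow tuples (documentation addresses), so it runs offline; a real collector would read the same bytes from a UDP socket.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (Cisco-documented, no RFC): a 24-byte header followed
# by `count` fixed 48-byte records, all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Parse one exported NetFlow v5 datagram into a list of flow dicts.

    Packet and byte counters are multiplied by the exporter's sampling rate
    so that thresholds downstream are in real packets, not sampled ones.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    rate = (sampling & 0x3FFF) or 1  # low 14 bits hold 1:N; 0 means unsampled
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last, sport, dport,
         _pad, _flags, proto, _tos, _sas, _das, _sm, _dm, _pad2) = \
            V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport,
            "packets": pkts * rate, "bytes": octets * rate,
        })
    return flows


def detect_floods(flows, window_s, pps_threshold):
    """Aggregate per destination over one export window; return alerts for
    destinations whose packet rate exceeds pps_threshold, with the number of
    distinct sources and the dominant (proto, source port) pair."""
    per_dst = defaultdict(lambda: {"packets": 0, "sources": set(),
                                   "sports": defaultdict(int)})
    for f in flows:
        agg = per_dst[f["dst"]]
        agg["packets"] += f["packets"]
        agg["sources"].add(f["src"])
        agg["sports"][(f["proto"], f["sport"])] += f["packets"]
    alerts = {}
    for dst, agg in per_dst.items():
        pps = agg["packets"] / window_s
        if pps > pps_threshold:
            top = max(agg["sports"], key=agg["sports"].get)
            alerts[dst] = {"pps": pps, "sources": len(agg["sources"]),
                           "top_proto_sport": top}
    return alerts


def build_v5_datagram(records, sampling_interval=0):
    """Pack constructed (src, dst, proto, sport, dport, pkts) tuples into a v5
    datagram. Fixture only: a real exporter fills uptime, timestamps and the
    flow sequence number; here they are zero or fixed."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       1, 2, pkts, pkts * 90, 0, 10_000, sp, dp,
                       0, 0, proto, 0, 0, 0, 24, 24, 0)
        for s, d, proto, sp, dp, pkts in records)
    return header + body


# Constructed sample: three UDP/123 sources hammering one target (the amplified
# UDP/NTP pattern mentioned elsewhere in this thread) plus one benign flow.
SAMPLE_DATAGRAM = build_v5_datagram([
    ("203.0.113.5", "198.51.100.10", 17, 123, 40000, 400_000),
    ("203.0.113.6", "198.51.100.10", 17, 123, 40000, 400_000),
    ("203.0.113.7", "198.51.100.10", 17, 123, 40000, 400_000),
    ("192.0.2.44", "198.51.100.20", 6, 51234, 443, 50),
])

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    for dst, a in detect_floods(flows, window_s=10, pps_threshold=50_000).items():
        print(f"{dst}: {a['pps']:.0f} pps from {a['sources']} sources, "
              f"top proto/sport {a['top_proto_sport']}")
```

The window length must match the exporter's active timeout or the rate estimate is off by that factor; checking the header count against the payload length before unpacking is what keeps a short or malformed export from crashing the collector.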
Re: scaling linux-based router hardware recommendations
[snip]

To inject science into the discussion:

http://bsdrp.net/documentation/examples/forwarding_performance_lab_of_an_ibm_system_x3550_m3_with_10-gigabit_intel_x540-at2

And he maintains a test setup to check for performance regressions:

http://bsdrp.net/documentation/examples/freebsd_performance_regression_lab

Now, this is using the in-kernel stack, not netmap/pfring/etc that uses all the batching-y, stack-shallow-y implementations that the kernel currently doesn't have. But, there are people out there doing science on it and trying very hard to kick things along.

The nice thing about what has come out of the DPDK related stuff is, well, the bar is set very high now. Now it's up to the open source groups to stop messing around and do something about it.

If you're interested in more of this stuff, go poke Jim at pfsense/netgate.

-adrian

(This and RSS work is plainly in my stuff I do for fun category, btw.)
Re: scaling linux-based router hardware recommendations
- 1x ServerU Netmap L800 box in Bridge Mode for Core Firewall protection
- 2x ServerU Netmap L800 boxes as BGP router (redundant)
- Several Netmap L800, L100 and iXSystems servers (iXS for everything else since ServerU are only networking-centric, not high storage high processing Xeon servers)

In this setup I am running yet another not well known but very promising technology, called Netmap. A Netmap firewall (called netmap-ipfw) was supplied from ServerU vendor, it's a slightly modified version from what you can download from Luigi Rizzo's (netmap author) public repository with multithread capabilities based on the number of queues available in the ServerU igb(4) networking card.

What it does is, IMHO, amazing for x86 hardware: line rate firewall on 1GbE port (1.3-1.4Mpps) and line rate firewall for 10GbE port (12-14Mpps) in a system with 8 @2.4Ghz Intel Rangeley CPU. It's not Linux DNA. It's not PF_RING. It's not Intel DPDK. It's netmap, it's there, available, on FreeBSD base system with a number of utilities and code for reference on Rizzo's repositories. It's there, it's available and it's amazing.

This firewall has saved my sleep several times since November, dropping up to 9Mpps amplified UDP/NTP traffic on peak DDoS attack rates.

For the BGP box, I needed trunking, Q-in-Q and vlan. And sadly right now this is not available in a netmap implementation. It means I had to keep my BGP router in the kernel path. It's funny to say this, but Netmap usually skips kernel path completely and does its job direct on the NIC, reaching backplane and bus limits directly.

ServerU people recommended me to use Chelsio Terminator 5 40G ports. OK I only needed 10G but they convinced me not to look at the bits per second numbers but the packets per second number.

Honestly, I don't know how Chelsio T5 did it, even though ServerU 1GbE ports perform very good on interruption CPU usage (probably this is an Intel igb(4) / ix(4) credit) but everything I route from one 40GbE port to the other port on the same L-800 expansion card, I have very, very, very LOW interrupt rates. Sometimes I have no interrupt at all!! I peaked routing 6Mpps on ServerU L-800 and still had CPU there.

I am also a user for FreeBSD netmap-ipfw, running kipfw fwd to, say, fwd http traffic to a peerapp appliance. My numbers are not line rate, I peak on 900Kpps, but still have CPU idle. I had a hard time figuring out how to use netmap-ipfw, due to lack of updated documentation, but once I got it running and set up, everything was very straightforward with default code, no modifications, just as available.

I agree FreeBSD-netmap seems more ready, with tools, toolchains and code available when compared to DPDK or Linux DNA. Also in the hope for further evolution of Netmap in the base system. Numbers are impressive indeed.

--
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br
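The arithmetic behind the "minimum instructions and memory accesses per packet" argument earlier in this thread, and a way to put the quoted figures (DPDK at 10GbE line rate with 64-byte packets; 1.3-1.4 Mpps on 1GbE and 12-14 Mpps on 10GbE on an 8-core 2.4 GHz box) on a common scale, as an added example written for this page rather than taken from any participant. It derives line-rate packets per second from Ethernet framing overhead, turns that into a per-packet cycle budget, and compares the budget to one main-memory miss. The 90 ns DRAM miss latency is an assumed round number, not a measured value, and `fraction_of_line_rate` takes the observed rate as input.

```python
# On-the-wire overhead that is not counted in the frame length:
# 7-byte preamble + 1-byte SFD, and the 12-byte minimum inter-frame gap.
PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
# Minimum Ethernet frame (14 header + 46 payload + 4 FCS). A 40-byte IP+TCP
# header-only packet is padded up to this, which is why "40-byte packets"
# and "64-byte packets" are the same worst case.
MIN_FRAME_BYTES = 64


def line_rate_pps(link_gbps, frame_bytes):
    """Maximum frames per second on an Ethernet link for one frame size."""
    frame_bytes = max(frame_bytes, MIN_FRAME_BYTES)
    bits_on_wire = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_gbps * 1e9 / bits_on_wire


def cycle_budget(link_gbps, frame_bytes, cpu_ghz, cores=1):
    """CPU cycles available per packet when `cores` cores share line rate."""
    return cpu_ghz * 1e9 * cores / line_rate_pps(link_gbps, frame_bytes)


def dram_misses_per_packet(link_gbps, frame_bytes, cores=1, miss_ns=90.0):
    """How many serialised main-memory misses fit in one packet's time slot.
    miss_ns=90 is an assumed DDR3-era figure; below 1.0 means a single core
    cannot afford even one cache miss per packet without batching/prefetch."""
    ns_per_packet = 1e9 * cores / line_rate_pps(link_gbps, frame_bytes)
    return ns_per_packet / miss_ns


def fraction_of_line_rate(observed_pps, link_gbps, frame_bytes):
    """Where a measured forwarding rate sits relative to the link's ceiling."""
    return observed_pps / line_rate_pps(link_gbps, frame_bytes)


def budget_table(cpu_ghz=2.4, cores=8):
    """(link Gbps, frame bytes, line-rate pps, cycles per packet) rows."""
    return [(link, size, round(line_rate_pps(link, size)),
             round(cycle_budget(link, size, cpu_ghz, cores)))
            for link in (1, 10, 40) for size in (64, 128, 512, 1500)]


if __name__ == "__main__":
    for link, size, pps, cycles in budget_table():
        print(f"{link:>3}GbE {size:>5}B: {pps:>11,} pps  {cycles:>6} cycles/pkt (8 x 2.4GHz)")
    print("one core, 10GbE/64B, DRAM misses affordable per packet:",
          round(dram_misses_per_packet(10, 64), 2))
    print("13 Mpps on 10GbE/64B is", round(100 * fraction_of_line_rate(13e6, 10, 64)), "% of line rate")
```

The interesting number is the single-core one: at 10GbE and 64-byte frames each packet gets about 67 ns, less than one DRAM miss under the assumed latency, so any design that touches main memory per packet has to amortise it over a batch or spread packets across receive queues and cores, which is exactly what the multi-queue netmap and DPDK setups in this thread do.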
Re: scaling linux-based router hardware recommendations
qnx os based router works well with powerpc, could be pushed far higher load than intel based chips

Colin

> That's the problem though. Everyone has presentations for the most part, very few actual tools that end users can just use exist.
>
> On 1/28/2015 08:02 PM, Robert Bays wrote:
>
>> On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:
>>
>>> My expertise, such as it ever was, is a bit stale at this point, and my figures might be a little off. But I think the general principle applies: think about the minimum number of x86 instructions, and the minimum number of main memory accesses, to inspect a packet header, do a routing table lookup, and enqueue the packet on an outbound interface. I can't see that ever getting reduced to the point where a generic server can handle 40-byte packets at line rate (for that matter, line rate is increasing a lot faster than speed of generic server these days).
>>
>> Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate at 64byte packets on multiple interfaces simultaneously. Add ACLs to the test setup and you can reach significant portions of 10Gbps at 64byte packets and full line rate at 128bytes. Check out Venky Venkatesan’s presentation at the last DPDK Summit for interesting information on pps/CPU cycles and some of the things that can be done to optimize forwarding in a generic processor environment.
>>
>> http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
Re: scaling linux-based router hardware recommendations
10g transceivers are not overly expensive if you buy compatible modules. SFP+ Direct attach cable is $16. SFP+ multimode module is $18. SFP+ singlemode LR module is $48. That is nothing compared to what vendors are asking for a real router.

I believe there are many startups that are going for 2x 10G transit with full tables. We are one of them for sure. And then you need a cheap way to handle up to 20G bidirectional traffic, because as a startup it is not a good idea to fork over what equals to a whole year of salary to Cisco or Juniper. Even if you have that kind of money, you would want to spend it on something that will get you revenue.

The obvious solution is a server (or two for redundancy) running Linux or BSD. You will be getting the Intel NIC with two SFP+ slots, so you can connect a transit connection directly to each server. This works well enough. We used a setup just like that for a year, before we upgraded to a hardware router. The weak point is that it will likely have trouble if you get hit by a real big DDoS with small packets.

But back to cost of things. If I use my own company as an example, we are a FTTH provider. We use PON switches with 2x 10G ports on each switch. You can get many PON switches for the price of one router with at least 4x 10G ports (equivalent to the Linux routers). The PON switches will earn you revenue, it is what you connect your customers to. Better to get a bigger network, than spend the money on a router. The cost of SFP+/XFP and GPON C+ modules on the PON switch is only about 10% of the cost of the switch itself (again using compatible modules). A switch with 24x1G and 4x 10G can be bought for $3000. You can fill it completely with optics for $300 - again about 10%.

My point is that if you are in an environment where every dollar counts, you do not need to spend a majority of your funds on optics. And neither do you need that expensive router until later in the game.

Regards,
Baldur

On 28 January 2015 at 15:35, Charles N Wyble char...@thefnf.org wrote:

> There is no free lunch. If you want tools that end users can just use then buy Cisco. Otherwise you need to roll up your sleeves and take the pieces and put them together. Or hire people like me to do it for you. It isn't overly complicated in my opinion. Also you'll find plenty of reasonably priced Linux or BSD integration engineers out there across the globe who are used to doing this sort of thing.
>
> Now once you move beyond basic forwarding / high PPS processing (which seems mostly commodity now) and get into say 80gbps (40gbps full duplex) IPS, ip reputation, data loss prevention, SSL MITM, AV... well that requires some very beefy hardware. Can that be done on x86? I doubt it. Tilera seems the way to go here. Newer FPGA boards can implement various CPU architectures on the fly. You also have CUDA.
>
> I hadn't seen chelsio, I'm very excited about that. I'll have one in my grubby little hands soon enough.
>
> Transceivers are still horribly expensive. This is a major portion of the BOM cost on any build, no matter what software stack is putting packets onto them.
>
> It isn't so simple once you move beyond the 1gbps range and want full feature set. And not in one box I think. Look at https://www.bro.org/ for interesting multi box scaling.
>
> On January 28, 2015 7:02:34 AM CST, Paul S. cont...@winterei.se wrote:
>
>> That's the problem though. Everyone has presentations for the most part, very few actual tools that end users can just use exist.
>>
>> On 1/28/2015 08:02 PM, Robert Bays wrote:
>>
>>> On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:
>>>
>>>> My expertise, such as it ever was, is a bit stale at this point, and my figures might be a little off. But I think the general principle applies: think about the minimum number of x86 instructions, and the minimum number of main memory accesses, to inspect a packet header, do a routing table lookup, and enqueue the packet on an outbound interface. I can't see that ever getting reduced to the point where a generic server can handle 40-byte packets at line rate (for that matter, line rate is increasing a lot faster than speed of generic server these days).
>>>
>>> Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate at 64byte packets on multiple interfaces simultaneously. Add ACLs to the test setup and you can reach significant portions of 10Gbps at 64byte packets and full line rate at 128bytes. Check out Venky Venkatesan’s presentation at the last DPDK Summit for interesting information on pps/CPU cycles and some of the things that can be done to optimize forwarding in a generic processor environment.
>>>
>>> http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan
Re: scaling linux-based router hardware recommendations
On 28/01/2015 14:45, Colin Johnston wrote:
> A QNX OS-based router works well with PowerPC; it could be pushed to a far higher load than Intel-based chips.

That may be so, but how many people out there know how to push QNX that hard compared to FreeBSD/Linux on amd64-compatible hardware, and how many people know how to configure a Juniper MX or Cisco ASR9k, compared to the number that can tune a freely available Unix?

As someone pointed out elsewhere, there's no such thing as a free lunch. If you want to economise on hardware, you should expect to pay for the expertise to do it.

Nick
RE: Alerting systems, Logicmonitor and/or alternatives
> What's the collective opinion here? Is anyone using them or a similar service? Are there non-cloud-based alternatives that are relatively easy to set up and manage? We've explored Zabbix, Nagios, MRTG and its various wrappers, and Intermapper. Anything else new on the horizon that has a GUI front-end that is configurable without a lot of scripting experience, etc.?

Try OMD. It packages a Python wrapper called check_mk around Nagios and adds charts via an already integrated pnp4nagios. The guys doing check_mk have done an amazing job of harnessing the power of Nagios through the use of configuration files, which nicely minimizes the amount of work necessary for getting things monitored while maximizing how things are grouped and structured.

Since I like it so much, I'm in the process of migrating our monitoring from a combination of NagiosXI, Observium, and Cacti over to the OMD package. It has fast agents for monitoring vSphere, has native agents for Linux and Windows, can do SNMP, and has good customization for those who want more done than what is supplied out of the box.

> We would love to buy something that works for us and pay a reasonable price for it, but I'm not particularly interested in the equivalent of renting a time-share in order to monitor our networks.

Check_mk has support and professional services available. It is open source for those who wish to go the DIY route.

Raymond
blog.raymond.burkholder.net
Re: scaling linux-based router hardware recommendations
I recently built a pair of Linux-based routers to handle full BGP tables from 3 upstream providers (10gig links). I had penguincomputing.com build me two reasonably powerful (dual Xeon hex-core processor) servers with SolarFlare NICs (http://solarflare.com/1040GbE-Flareon-Server-IO-Adapters). (I didn't get a chance to play with OpenOnload before moving on to a new opportunity.)

Rudimentary testing with iperf showed I could saturate a 10gig link with minimal system load. With real-world traffic, the limits came when we started pushing packets in the several hundred thousand range. However, this was due to the fact that these routers were also doing firewall / NAT duty (iptables), load balancing (haproxy), VPN endpoints (openvpn), plus the eBGP routing (quagga), and internally propagating OSPF routes as well (quagga). Interrupt handling / system load became a problem only when our Hadoop cluster (200+ nodes) started crazy AWS S3 communications; otherwise things ran pretty well.

The systems, configurations and software were pretty much just hacked together by me. Ideally we would have bought Juniper / Cisco gear, but my budget of $50K wouldn't even buy half a router after my vendors were done quoting me the real stuff. I ended up spending ~$15K to build this solution. I'm not a networking person though, just a Linux hack, but I was able to get this solution working reliably.

-Philip

On Mon, Jan 26, 2015 at 2:53 PM, micah anderson mi...@riseup.net wrote:
> Hi,
>
> I know that specially programmed ASICs on dedicated hardware like Cisco, Juniper, etc. are always going to outperform a general purpose server running GNU/Linux, *BSD... but I find the idea of trying to use proprietary, NSA-backdoored devices difficult to accept, especially when I don't have the budget for it.
>
> I've noticed that even with a relatively modern system (Supermicro with a 4-core 1265LV2 CPU with a 9MB cache, Intel E1G44HTBLK server adapters, and 16 GB of RAM), you still tend to get a high percentage of time working on softirqs on all the CPUs when pps reaches somewhere around 60-70k and the traffic approaches 600-900 Mbit/sec (during a DDoS, such hardware cannot typically cope).
>
> It seems like finding hardware more optimized for very high packet-per-second counts would be a good thing to do. I just have no idea what is out there that could meet these goals. I'm unsure if faster CPUs, or more CPUs, is really the problem, or networking cards, or just plain old-fashioned tuning.
>
> Any ideas or suggestions would be welcome!
>
> micah
Re: Alerting systems, Logicmonitor and/or alternatives
Hi Jay,

I have experience with Nagios and Cacti; now I'm experimenting with LogicMonitor and Observium.

Observium is a great tool to discover your network devices, but it doesn't have great graphics and doesn't have any alarm system. You can, however, get a lot of information about your network devices, connections, IP addresses, protocols and configurations.

LogicMonitor is a new tool for me, but it bears no comparison with Nagios. They have good support, but sometimes you need time to create personal data-points because they don't have recognition for all devices.

Nagios can require time for implementation and experience with the command line and SNMP. It is not an expensive tool unless you don't want to pay for it. But Nagios XI is a great tool with lots of functions, automation processes, graphics, and capacity planning. You can try Nagios XI with Network Analyzer.

If you don't have budget, maybe Nagios Core and Observium can offer a great solution. For a commercial solution, I recommend Nagios XI and Nagios Network Analyzer.

2015-01-28 13:06 GMT-05:00 Jay Hennigan j...@west.net:
> I know that this topic has been kicking around for at least a decade, but wanted to get current opinions of other network operators. Most of us have explored Nagios, MRTG, and several front-ends for MRTG.
>
> We are looking into a new player in the space called Logicmonitor. They have a very functional and easy to navigate front end and configuration tool, and I very much like the look-and-feel of their product.
>
> What I don't like is that they only offer it as a cloud-based service. Internal probes tie in to a collector which we maintain. The collector then phones home over the Internet to their hosted service periodically and they remotely analyze the data and generate alerts, plot graphs, etc.
>
> From a technical standpoint this adds more points of failure in series, will cause missed alerts if their cloud-based service goes down (who is guarding the guards?), will cause false alarms if their service is still up but can't reach the collector, and doesn't give us a full view under the hood. Of course their sales guys are giving us "Our time and energy is dedicated to reliability and professionally managed multi-carrier highly secure data centers" language to encourage the warm fuzzies.
>
> From a scalability standpoint we incur ever-increasing recurring costs as we grow and add monitored devices and services.
>
> What's the collective opinion here? Is anyone using them or a similar service? Are there non-cloud-based alternatives that are relatively easy to set up and manage? We've explored Zabbix, Nagios, MRTG and its various wrappers, and Intermapper. Anything else new on the horizon that has a GUI front-end that is configurable without a lot of scripting experience, etc.?
>
> We would love to buy something that works for us and pay a reasonable price for it, but I'm not particularly interested in the equivalent of renting a time-share in order to monitor our networks.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV

--
Cordially,

Dorancé Martínez Cortés
+57 320 6968121
Linux User Number 112632
Nagios Certified Administrator
ITIL Foundation Certification 2011 ed.
Cali - Colombia
doranc...@gmail.com
http://dmcingenieria.net
http://dmci.co

"If you think technology can solve your security problems, then you clearly understand neither the problems nor the technology." (Bruce Schneier)
Re: look for BGP routes containing local AS#
Hi Patrick,

We want to know what the reason is for the received routes containing the local ASN. Hence we need real cases of those routes on the Internet. Any routes like that are welcome, whether they are on a Juniper router or other BGP software.

Thank you!

Regards!
Song

On 2015/1/29 1:50, Patrick Tracanelli wrote:
> Sorry, what do you need exactly? A sample? For education purposes, are you looking for something specific? Does it need to be on a Juniper router, or will other BGP software do? I have this scenario from Brazil-US, with specifics getting received both ways, but it's not Juniper.
>
>> Thanks!
>>
>> Regards!
>> Song
>>
>> On 2015/1/28 16:23, joel jaeggli wrote:
>>> On 1/27/15 5:45 AM, Song Li wrote:
>>>> Hi everyone,
>>>>
>>>> Recently I studied the BGP AS path looping problem, and found that in most cases, the received BGP routes containing the local AS# are suspicious. However, we checked our BGP routing table (AS23910, CERNET2) on a Juniper router (show route hidden terse aspath-regex .*23910.*), and have not found such routes in Adj-RIB-In.
>>>
>>> Updates with your AS in the path are discarded as part of loop detection, e.g. they do not become candidate routes.
>>>
>>> https://tools.ietf.org/html/rfc4271 page 77
>>>
>>> "If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document."
>>>
>>> in junos
>>>
>>> neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
>>>
>>> where number is the number of instances of your AS in the path you're willing to accept will correct that.
>>>
>>>> We believe that the received BGP routes containing the local AS# are related to a BGP security problem.
>>>
>>> You'll have to elaborate, since their existence is a basic principle in the operation of BGP and they are ubiquitous. Island instances of a distributed ASN communicate with each other by allowing such routes in so that they can be evaluated on the basis of prefix, specificity, AS path length and so forth.
>>>
>>>> Hence, we want to look for some real cases in the wild. Could anybody give us some examples of such routes?
>>>>
>>>> Thanks!
>>>>
>>>> Best Regards!
>>>>
>>>> --
>>>> Song Li
>>>> Room 4-204, FIT Building, Network Security, Department of Electronic Engineering, Tsinghua University, Beijing 100084, China
>>>> Tel: (+86) 010-62446440
>>>> E-mail: refresh.ls...@gmail.com
>
> --
> Patrick Tracanelli
> FreeBSD Brasil LTDA.
> Tel.: (31) 3516-0800
> 316...@sip.freebsdbrasil.com.br
> http://www.freebsdbrasil.com.br
> Long live Hanin Elias, Kim Deal!

--
Song Li
Room 4-204, FIT Building, Network Security, Department of Electronic Engineering, Tsinghua University, Beijing 100084, China
Tel: (+86) 010-62446440
E-mail: refresh.ls...@gmail.com
cable modem firmware upgrade
Hi,

Does anyone know how to upgrade Motorola SB6120 cable modem firmware other than going through the internet provider? Your help will be appreciated.

Thank you

A MEKKAOUI
MEKTEL INC
www.mektel.ca
RE: cable modem firmware upgrade
On Wednesday, January 28, 2015 8:11 PM, A MEKKAOUI wrote:
> Anyone knows how to upgrade Motorola SB6120 cable modem firmware other than going through the internet provider? Your help will be appreciated.

My employer managed a handful of small DOCSIS networks for a while where 99% of the modems were Motorola, and as far as I know, there is no way to push a firmware update to the modem from the Ethernet side... only from the RF side. And trust me: I looked. If I ever had to update the firmware on some batch of modems that weren't already deployed on a network, I would hook them up to a test CMTS that we had on the bench in order to do so.

I would strongly suspect that this is going to hold true for just about any DOCSIS modem.

--
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com
Re: PDU for high amp 48Vdc
The rotary actuators are an off-the-shelf item for transfer switches. No problem to get them paired with high-amperage switches. But a contactor, which is a solenoid-driven switch, is also an off-the-shelf item. The ones I use in EV applications are rated for 1000A, and cost about $300. You need to be careful to look at the trade-off between voltage, amperage, and the per-cycle probability of a weld, though. An over-rated contactor helps a lot if you're going to be cycling it a lot, whereas if it's for emergency use only, you can hew a lot closer to the max rating.

-Bill

On Jan 28, 2015, at 18:40, Robert Drake rdr...@direcpath.com wrote:
> For larger DC devices with ~50 amps per side, does anyone have a software-accessible way to turn off power? I've looked into PDUs but the ones I find have a max of 10 amps. I've considered building something with solenoids or a rotary actuator that would turn the switches on or off, but that's a complete one-off and would need to be done for each device we manage (not to mention it involves janky wiring all over the place I've got to explain to the colo).
>
> My use case is pretty infrequent so it needs to be remote-hands cheap. It's for emergencies when you need to completely power cycle a redundantly powered DC device. The last time I needed this it was because a router was stuck in a boot loop due to a bad IOS upgrade and wouldn't break to rommon since it had been 60 seconds. It came up again tonight because we wanted to disable one power supply to troubleshoot something.
>
> FWIW, I believe I've seen newer Cisco gear with high-end power supplies that have a console or Ethernet port which would possibly let you shut them down remotely. That solves the problem nicely if you're dealing with only one bit of hardware, but I'd like a general solution that worked with any vendor.
>
> Possibly a fuse panel with solenoids that could add/remove fuses when needed.. or would that be considered dangerous in code-ways or in telco fire regulation ways?
Re: PDU for high amp 48Vdc
We use ServerTech for -48Vdc switching, http://www.servertech.com/products/-48vdcpowermanagement/

Not quite remote-hands cheap, but worth every penny in a pinch.

On 01/28/2015 08:38 PM, Robert Drake wrote:
> For larger DC devices with ~50 amps per side, does anyone have a software-accessible way to turn off power? I've looked into PDUs but the ones I find have a max of 10 amps. I've considered building something with solenoids or a rotary actuator that would turn the switches on or off, but that's a complete one-off and would need to be done for each device we manage (not to mention it involves janky wiring all over the place I've got to explain to the colo).
>
> My use case is pretty infrequent so it needs to be remote-hands cheap. It's for emergencies when you need to completely power cycle a redundantly powered DC device. The last time I needed this it was because a router was stuck in a boot loop due to a bad IOS upgrade and wouldn't break to rommon since it had been 60 seconds. It came up again tonight because we wanted to disable one power supply to troubleshoot something.
>
> FWIW, I believe I've seen newer Cisco gear with high-end power supplies that have a console or Ethernet port which would possibly let you shut them down remotely. That solves the problem nicely if you're dealing with only one bit of hardware, but I'd like a general solution that worked with any vendor.
>
> Possibly a fuse panel with solenoids that could add/remove fuses when needed.. or would that be considered dangerous in code-ways or in telco fire regulation ways?
PDU for high amp 48Vdc
For larger DC devices with ~50 amps per side, does anyone have a software-accessible way to turn off power? I've looked into PDUs but the ones I find have a max of 10 amps. I've considered building something with solenoids or a rotary actuator that would turn the switches on or off, but that's a complete one-off and would need to be done for each device we manage (not to mention it involves janky wiring all over the place I've got to explain to the colo).

My use case is pretty infrequent so it needs to be remote-hands cheap. It's for emergencies when you need to completely power cycle a redundantly powered DC device. The last time I needed this it was because a router was stuck in a boot loop due to a bad IOS upgrade and wouldn't break to rommon since it had been 60 seconds. It came up again tonight because we wanted to disable one power supply to troubleshoot something.

FWIW, I believe I've seen newer Cisco gear with high-end power supplies that have a console or Ethernet port which would possibly let you shut them down remotely. That solves the problem nicely if you're dealing with only one bit of hardware, but I'd like a general solution that worked with any vendor.

Possibly a fuse panel with solenoids that could add/remove fuses when needed.. or would that be considered dangerous in code-ways or in telco fire regulation ways?
Re: Alerting systems, Logicmonitor and/or alternatives
On Wed, Jan 28, 2015 at 10:06:26AM -0800, Jay Hennigan wrote:
> What I don't like is that they only offer it as a cloud-based service.

One of the downsides of all such services is that the more successful they are, the bigger a target they are. And they're a tempting target, since successful penetration would yield a wealth of data about every client they have (if that penetration was limited to read-only access) and possibly more, e.g., silencing alarms that would otherwise be triggered (if that penetration allowed write access).

---rsk
RE: cable modem firmware upgrade
And even if you updated it yourself, it's possible that your service provider's config file would automatically downgrade it. Best bet is to ask your internet provider to upgrade your modem.

Frank

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nathan Anderson
Sent: Wednesday, January 28, 2015 10:20 PM
To: 'A MEKKAOUI'; 'nanog@nanog.org'
Subject: RE: cable modem firmware upgrade

On Wednesday, January 28, 2015 8:11 PM, A MEKKAOUI wrote:
> Anyone knows how to upgrade Motorola SB6120 cable modem firmware other than going through the internet provider? Your help will be appreciated.

My employer managed a handful of small DOCSIS networks for a while where 99% of the modems were Motorola, and as far as I know, there is no way to push a firmware update to the modem from the Ethernet side... only from the RF side. And trust me: I looked. If I ever had to update the firmware on some batch of modems that weren't already deployed on a network, I would hook them up to a test CMTS that we had on the bench in order to do so.

I would strongly suspect that this is going to hold true for just about any DOCSIS modem.

--
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com
Recommended wireless AP for 400 users office
Dear NANOG community,

I was wondering if you can recommend or share your experience with APs that you can use in locations that have 300-500 users. A friend recommended Ruckus Wireless to me; it would be great if you can share your experience with Ruckus or with a similar vendor. My experience with Ubiquiti for this type of requirement was not that good.

Thank you and have a great day
Re: Recommended wireless AP for 400 users office
Check out Xirrus

On Jan 28, 2015 9:08 PM, Manuel Marín m...@transtelco.net wrote:
> Dear NANOG community,
>
> I was wondering if you can recommend or share your experience with APs that you can use in locations that have 300-500 users. A friend recommended Ruckus Wireless to me; it would be great if you can share your experience with Ruckus or with a similar vendor. My experience with Ubiquiti for this type of requirement was not that good.
>
> Thank you and have a great day
Re: Recommended wireless AP for 400 users office
Have had a lot of experience with Ruckus (and UniFi, unfortunately). The Ruckus platform is one of the best. If you will be responsible for supporting the deployment, it will save you a lot of frustration when compared with UBNT.

On Thu Jan 29 2015 at 12:18:54 AM Mike Lyon mike.l...@gmail.com wrote:
> Check out Xirrus
>
> On Jan 28, 2015 9:08 PM, Manuel Marín m...@transtelco.net wrote:
>> Dear NANOG community,
>>
>> I was wondering if you can recommend or share your experience with APs that you can use in locations that have 300-500 users. A friend recommended Ruckus Wireless to me; it would be great if you can share your experience with Ruckus or with a similar vendor. My experience with Ubiquiti for this type of requirement was not that good.
>>
>> Thank you and have a great day
Re: look for BGP routes containing local AS#
On 28/01/2015, at 07:32, Song Li refresh.ls...@gmail.com wrote:
> Hi Joel,
>
> It is right that the BGP route containing the local ASN will be dropped. However, such routes can still be displayed on the router. For example, you can run show route hidden terse aspath-regex .*local ASN.* on Juniper to check them. We are looking for those routes. If you can run the command on your Juniper and find such routes, could you please provide them for us?

Sorry, what do you need exactly? A sample? For education purposes, are you looking for something specific? Does it need to be on a Juniper router, or will other BGP software do? I have this scenario from Brazil-US, with specifics getting received both ways, but it's not Juniper.

> Thanks!
>
> Regards!
> Song
>
> On 2015/1/28 16:23, joel jaeggli wrote:
>> On 1/27/15 5:45 AM, Song Li wrote:
>>> Hi everyone,
>>>
>>> Recently I studied the BGP AS path looping problem, and found that in most cases, the received BGP routes containing the local AS# are suspicious. However, we checked our BGP routing table (AS23910, CERNET2) on a Juniper router (show route hidden terse aspath-regex .*23910.*), and have not found such routes in Adj-RIB-In.
>>
>> Updates with your AS in the path are discarded as part of loop detection, e.g. they do not become candidate routes.
>>
>> https://tools.ietf.org/html/rfc4271 page 77
>>
>> "If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document."
>>
>> in junos
>>
>> neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
>>
>> where number is the number of instances of your AS in the path you're willing to accept will correct that.
>>
>>> We believe that the received BGP routes containing the local AS# are related to a BGP security problem.
>>
>> You'll have to elaborate, since their existence is a basic principle in the operation of BGP and they are ubiquitous. Island instances of a distributed ASN communicate with each other by allowing such routes in so that they can be evaluated on the basis of prefix, specificity, AS path length and so forth.
>>
>>> Hence, we want to look for some real cases in the wild. Could anybody give us some examples of such routes?
>>>
>>> Thanks!
>>>
>>> Best Regards!
>>>
>>> --
>>> Song Li
>>> Room 4-204, FIT Building, Network Security, Department of Electronic Engineering, Tsinghua University, Beijing 100084, China
>>> Tel: (+86) 010-62446440
>>> E-mail: refresh.ls...@gmail.com

--
Patrick Tracanelli
FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316...@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
Long live Hanin Elias, Kim Deal!
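As an added illustration of the loop-detection rule that Joel quotes from RFC 4271 in this exchange (and in the earlier copy of the same thread in this digest), here is a small Python model of what a BGP speaker does with a received route whose AS_PATH contains the local ASN. This is example code written for this digest, not code from any participant or from any router vendor. It assumes the standard AS_PATH segment types (AS_SEQUENCE and AS_SET), takes AS 23910 from the thread as the local ASN, and models the "accept up to N instances of your own AS" behaviour that Joel describes for `allowas-in number` as an `allowed_occurrences` parameter; the prefixes and the other AS numbers in the sample Adj-RIB-In are constructed from documentation ranges.

```python
"""Model of RFC 4271 AS_PATH loop detection on received BGP routes.

Added example for this digest; not code from the thread or from any vendor.
The base rule (RFC 4271 section 9.1.2): a route whose AS_PATH contains the
local AS is excluded from the Phase 2 decision function. The operator override
that the thread describes ("allowas-in number": accept up to N instances of
your own AS) is modelled by `allowed_occurrences`; that part is an assumption
about semantics, not a transcription of any vendor's implementation.
"""
from dataclasses import dataclass

AS_SET = 1        # unordered set of ASes (from route aggregation)
AS_SEQUENCE = 2   # ordered list of ASes the UPDATE has traversed


@dataclass
class Route:
    prefix: str
    as_path: list   # list of (segment_type, [asn, ...]) tuples


def local_as_occurrences(as_path, local_as):
    """Count appearances of local_as anywhere in the AS_PATH.

    RFC 4271 says to scan the *full* AS path, so members of an AS_SET
    segment are checked just like an AS_SEQUENCE segment.
    """
    return sum(1 for _, asns in as_path for asn in asns if asn == local_as)


def is_looped(route, local_as, allowed_occurrences=0):
    """True if the route must be hidden from the decision process.

    With allowed_occurrences=0 this is the plain RFC 4271 rule. A positive
    value models the operator-configured exception from the thread: up to that
    many occurrences of the local AS are tolerated (hypothetical semantics).
    """
    return local_as_occurrences(route.as_path, local_as) > allowed_occurrences


def classify(routes, local_as, allowed_occurrences=0):
    """Split an Adj-RIB-In into decision-process candidates and hidden routes.

    The hidden list is the view that the thread's `show route hidden terse
    aspath-regex .*<local ASN>.*` command shows on Junos.
    """
    candidates, hidden = [], []
    for route in routes:
        target = hidden if is_looped(route, local_as, allowed_occurrences) else candidates
        target.append(route)
    return candidates, hidden


def as_path_str(as_path):
    """Render an AS_PATH the way most CLIs do: AS_SET members in braces."""
    parts = []
    for seg_type, asns in as_path:
        text = " ".join(str(a) for a in asns)
        parts.append("{" + text + "}" if seg_type == AS_SET else text)
    return " ".join(parts)


# Constructed sample Adj-RIB-In for a speaker in AS 23910 (the thread's local
# ASN). Prefixes are RFC 5737 documentation space and the neighbouring ASNs
# are documentation/private ASNs; none of this is real routing data.
LOCAL_AS = 23910
SAMPLE_RIB = [
    Route("192.0.2.0/24",      [(AS_SEQUENCE, [64500, 64510])]),                     # clean
    Route("198.51.100.0/24",   [(AS_SEQUENCE, [64500, 23910, 64520])]),              # local AS once
    Route("203.0.113.0/24",    [(AS_SEQUENCE, [64500, 23910, 64520, 23910])]),       # local AS twice
    Route("203.0.113.128/25",  [(AS_SEQUENCE, [64500]), (AS_SET, [64530, 23910])]),  # local AS in an AS_SET
]

if __name__ == "__main__":
    for allowed in (0, 1):
        cand, hidden = classify(SAMPLE_RIB, LOCAL_AS, allowed)
        print(f"allowed occurrences={allowed}: {len(cand)} candidates, {len(hidden)} hidden")
        for r in hidden:
            print(f"  hidden {r.prefix:18} AS path: {as_path_str(r.as_path)}")
```

Running the block with the default of zero allowed occurrences hides three of the four sample routes, including the one where the local AS sits only inside an AS_SET, which is why Song's `aspath-regex` search has to scan the whole path rather than just the first few hops. Raising the allowance to 1 lets the single-occurrence routes through and keeps only the route that carries the local AS twice hidden, which is the behaviour Joel describes for a distributed ASN whose islands need to hear each other's prefixes.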
Re: Alerting systems, Logicmonitor and/or alternatives
The value proposition of all cloud services is that you get instant technical capability without building your own infrastructure. I see cloud NMS services like LogicMonitor and Spiceworks as a good deal for small organizations without their own IT people. But for all the reasons you give, the model doesn't scale very well.

For network professionals, the value of self-managed internal monitoring infrastructure far outweighs the temporary ease and low cost of cloud monitoring. In particular, commercial monitoring offerings, such as Intermapper, PRTG, and SolarWinds, are extremely cost effective for business network operations. Their cost is easily justifiable, especially if you have a busy staff.

Yes, you can get many of the commercial tool capabilities in open source projects such as OpenNMS and Cacti. But as you note, they can be a pain to configure, and if your labor is worth anything, the commercial options are usually a better deal.

One exception I've found recently is Mikrotik's The Dude, which is free, but not FOSS. It's fully graphical and straightforward to install and configure. It has a client/server architecture like Intermapper, but doesn't run natively on as many platforms (Windows only; other OSes must use emulation). Although it works with any SNMP device, it has special support for Mikrotik, since Mikrotik devised it.

To recap, I think cloud monitoring is pointless for managing inside networks for any organization having a reasonably capable IT staff.

On Jan 28, 2015, at 10:06 AM, Jay Hennigan j...@west.net wrote:
> I know that this topic has been kicking around for at least a decade, but wanted to get current opinions of other network operators. Most of us have explored Nagios, MRTG, and several front-ends for MRTG.
>
> We are looking into a new player in the space called Logicmonitor. They have a very functional and easy to navigate front end and configuration tool, and I very much like the look-and-feel of their product.
>
> What I don't like is that they only offer it as a cloud-based service. Internal probes tie in to a collector which we maintain. The collector then phones home over the Internet to their hosted service periodically and they remotely analyze the data and generate alerts, plot graphs, etc.
>
> From a technical standpoint this adds more points of failure in series, will cause missed alerts if their cloud-based service goes down (who is guarding the guards?), will cause false alarms if their service is still up but can't reach the collector, and doesn't give us a full view under the hood. Of course their sales guys are giving us "Our time and energy is dedicated to reliability and professionally managed multi-carrier highly secure data centers" language to encourage the warm fuzzies.
>
> From a scalability standpoint we incur ever-increasing recurring costs as we grow and add monitored devices and services.
>
> What's the collective opinion here? Is anyone using them or a similar service? Are there non-cloud-based alternatives that are relatively easy to set up and manage? We've explored Zabbix, Nagios, MRTG and its various wrappers, and Intermapper. Anything else new on the horizon that has a GUI front-end that is configurable without a lot of scripting experience, etc.?
>
> We would love to buy something that works for us and pay a reasonable price for it, but I'm not particularly interested in the equivalent of renting a time-share in order to monitor our networks.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
Alerting systems, Logicmonitor and/or alternatives
I know that this topic has been kicking around for at least a decade, but wanted to get current opinions of other network operators. Most of us have explored Nagios, MRTG, and several front-ends for MRTG.

We are looking into a new player in the space called Logicmonitor. They have a very functional and easy to navigate front end and configuration tool, and I very much like the look-and-feel of their product.

What I don't like is that they only offer it as a cloud-based service. Internal probes tie in to a collector which we maintain. The collector then phones home over the Internet to their hosted service periodically and they remotely analyze the data and generate alerts, plot graphs, etc.

From a technical standpoint this adds more points of failure in series, will cause missed alerts if their cloud-based service goes down (who is guarding the guards?), will cause false alarms if their service is still up but can't reach the collector, and doesn't give us a full view under the hood. Of course their sales guys are giving us "Our time and energy is dedicated to reliability and professionally managed multi-carrier highly secure data centers" language to encourage the warm fuzzies.

From a scalability standpoint we incur ever-increasing recurring costs as we grow and add monitored devices and services.

What's the collective opinion here? Is anyone using them or a similar service? Are there non-cloud-based alternatives that are relatively easy to set up and manage? We've explored Zabbix, Nagios, MRTG and its various wrappers, and Intermapper. Anything else new on the horizon that has a GUI front-end that is configurable without a lot of scripting experience, etc.?

We would love to buy something that works for us and pay a reasonable price for it, but I'm not particularly interested in the equivalent of renting a time-share in order to monitor our networks.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Alerting systems, Logicmonitor and/or alternatives
We have used LogicMonitor for a few years to monitor hundreds of network devices with no reliability issues, at all. The agents have proven to be lightweight and rather unobtrusive. I can't recall a time where we have ever had to intervene during regular operations or one of their upgrades. We do not use the alerting service at this time so no history to report there.

We have only a few dislikes. One of them is the new skin, and we use the prior one still available to us, so it's a relatively minor issue. The pricing is something I'm also not crazy about, though they have been willing to work with us on some pricing tiers.

Jeff

jeff cornejo
blue ridge internetworks
321 east main st • suite 200
charlottesville va 22902
434.817.0707 x 2001
www.briworks.com http://www.briworks.com/
Central Virginia's technology authority since 2000.

On Jan 28, 2015, at 1:06 PM, Jay Hennigan j...@west.net wrote:
> I know that this topic has been kicking around for at least a decade, but wanted to get current opinions of other network operators. Most of us have explored Nagios, MRTG, and several front-ends for MRTG.
>
> We are looking into a new player in the space called Logicmonitor. They have a very functional and easy to navigate front end and configuration tool, and I very much like the look-and-feel of their product.
>
> What I don't like is that they only offer it as a cloud-based service. Internal probes tie in to a collector which we maintain. The collector then phones home over the Internet to their hosted service periodically and they remotely analyze the data and generate alerts, plot graphs, etc.
>
> From a technical standpoint this adds more points of failure in series, will cause missed alerts if their cloud-based service goes down (who is guarding the guards?), will cause false alarms if their service is still up but can't reach the collector, and doesn't give us a full view under the hood. Of course their sales guys are giving us "Our time and energy is dedicated to reliability and professionally managed multi-carrier highly secure data centers" language to encourage the warm fuzzies.
>
> From a scalability standpoint we incur ever-increasing recurring costs as we grow and add monitored devices and services.
>
> What's the collective opinion here? Is anyone using them or a similar service? Are there non-cloud-based alternatives that are relatively easy to set up and manage? We've explored Zabbix, Nagios, MRTG and its various wrappers, and Intermapper. Anything else new on the horizon that has a GUI front-end that is configurable without a lot of scripting experience, etc.?
>
> We would love to buy something that works for us and pay a reasonable price for it, but I'm not particularly interested in the equivalent of renting a time-share in order to monitor our networks.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Alerting systems, Logicmonitor and/or alternatives
What's the collective opinion here? Is anyone using them or a similar service? Are there non-cloud-based alternatives that are relatively easy to set up and manage? We've explored Zabbix, Nagios, MRTG and its various wrappers, and Intermapper. Anything else new on the horizon that has a GUI front-end that is configurable without a lot of scripting experience, etc.?

Zenoss. I have it monitoring about 4k end points. The documentation is phenomenal. I've not had to touch the command line at all for any operations. I have two cron jobs on the server (one to do a weekly backup to a tar file that gets grabbed by my backup systems, one to run zendisc on only the subnets I care about, and not everything in Zenoss, which is the default). The learning curve was pretty much non-existent (you install it (which is apt-get or yum or scripted; I think appliances exist, I dunno), connect with default creds, change your creds, scan your network, classify devices, set up alerting rules and contacts). This all presumes you have SNMP already set up, of course (which is trivial to do on just about everything). (Oh, I did use the CLI to load in MIBs, but that's a one-time operation (unless you are constantly adding new vendors to your network, I guess).)

We would love to buy something that works for us and pay a reasonable price for it, but I'm not particularly interested in the equivalent of renting a time-share in order to monitor our networks.

Indeed. You should be able to find plenty of Linux engineers that could easily set this up. I would probably charge about $250.00 to $500.00 flat rate for a Zenoss deployment, and could deliver it in 8 to 30 hours fully ready to go (range depends on size of deployment, HA, multi-site, etc.). I expect most other engineers could do about the same (or maybe a bit longer if they've never worked with Zenoss before). (I'm that weird Linux/Windows/VM/storage/security/app admin type who is now getting his CCIE because networking looks fun.)
Re: look for BGP routes containing local AS#
On 1/28/15 1:32 AM, Song Li wrote:

Hi Joel,

It is right that the BGP route containing the local ASN will be dropped. However, such routes can still be displayed on the router.

There is also the non-zero probability that they don't arrive. If this is an edge router, if your neighbor is a Juniper, and the only instance of prefix advertisement with this case is your advertisement from your router, you're not going to get it.

From:
---
https://www.juniper.net/documentation/en_US/junos14.2/topics/topic-map/bgp-route-advertisement.html

Disabling Suppression of Route Advertisements

Junos OS does not advertise the routes learned from one EBGP peer back to the same external BGP (EBGP) peer. In addition, the software does not advertise those routes back to any EBGP peers that are in the same AS as the originating peer, regardless of the routing instance. You can modify this behavior by including the advertise-peer-as statement in the configuration.

To disable the default advertisement suppression, include the advertise-peer-as statement:

Note: The route suppression default behavior is disabled if the as-override statement is included in the configuration. If you include the advertise-peer-as statement in the configuration, BGP advertises the route regardless of this check.

To restore the default behavior, include the no-advertise-peer-as statement in the configuration:

no-advertise-peer-as;

If you include both the as-override and no-advertise-peer-as statements in the configuration, the no-advertise-peer-as statement is ignored.

You can include these statements at multiple hierarchy levels. For a list of hierarchy levels at which you can include these statements, see the statement summary section for these statements.
---

If this is an edge router and your provider is filtering those, either from above or for other reasons, then you won't receive them. If this is an iBGP session and they're not being accepted on the edge router, you will never see them.

For example, you can run show route hidden terse aspath-regex .*local ASN.* on Juniper to check them. We are looking for those routes. If you can run the command on your Juniper and find such routes, could you please provide them for us?

Thanks!
Regards!
Song

On 2015/1/28 16:23, joel jaeggli wrote:

On 1/27/15 5:45 AM, Song Li wrote:

Hi everyone,

Recently I studied the BGP AS path looping problem, and found that in most cases, the received BGP routes containing local AS# are suspicious. However, we checked our BGP routing table (AS23910, CERNET2) on a Juniper router (show route hidden terse aspath-regex .*23910.*), and have not found such routes in Adj-RIB-In.

Updates with your AS in the path are discarded as part of loop detection, e.g. they do not become candidate routes.

https://tools.ietf.org/html/rfc4271 page 77

If the AS_PATH attribute of a BGP route contains an AS loop, the BGP route should be excluded from the Phase 2 decision function. AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute), and checking that the autonomous system number of the local system does not appear in the AS path. Operations of a BGP speaker that is configured to accept routes with its own autonomous system number in the AS path are outside the scope of this document.

in junos

neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

where number is the number of instances of your AS in the path you're willing to accept will correct that.

We believe that the received BGP routes containing local AS# are related to a BGP security problem.

You'll have to elaborate, since their existence is a basic principle in the operation of BGP and they are ubiquitous. Island instances of a distributed ASN communicate with each other by allowing such routes in so that they can be evaluated on the basis of prefix, specificity, AS path length and so forth.

Hence, we want to look for some real cases in the wild.

Could anybody give us some examples of such routes?

Thanks!
Best Regards!
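As an added example, not code from the thread or from any router vendor, here is a small Python model of the two behaviours discussed above: the RFC 4271 section 9.1.2 loop check that hides any route whose AS_PATH contains the local ASN, and the relaxation Joel describes, where a configured number of occurrences of the local ASN is tolerated. The `Route` class, the AS_PATH representation, the sample Adj-RIB-In and the neighbouring ASNs (64496 and up) are constructed for illustration; the only value taken from the thread is AS23910. Nothing here reproduces any vendor's configuration syntax.

```python
"""Added example (not from the thread): RFC 4271 AS-loop detection over an
AS_PATH, plus an allowas-in style occurrence threshold.

The Route model, the sample routes and the neighbouring ASNs below are
constructed for illustration; AS23910 is the ASN mentioned in the thread."""

from dataclasses import dataclass, field

AS_SEQUENCE = "AS_SEQUENCE"
AS_SET = "AS_SET"


@dataclass
class Route:
    prefix: str
    # AS_PATH as a list of (segment_type, [asn, ...]) tuples, after RFC 4271 4.3.
    as_path: list = field(default_factory=list)


def local_as_occurrences(as_path, local_asn):
    """Count how often local_asn appears anywhere in the AS_PATH.

    RFC 4271 9.1.2 says loop detection scans the *full* path, so members of
    AS_SET segments are checked as well as AS_SEQUENCE entries."""
    return sum(asn == local_asn for _, asns in as_path for asn in asns)


def has_as_loop(as_path, local_asn):
    """Default BGP behaviour: any occurrence of the local ASN is a loop and the
    route is excluded from the Phase 2 decision function (it stays hidden)."""
    return local_as_occurrences(as_path, local_asn) > 0


def accept_with_allowas_in(as_path, local_asn, allowed=0):
    """Model of an allowas-in style knob (hypothetical, vendor-neutral): accept
    the route if the local ASN occurs at most `allowed` times.
    allowed=0 is the RFC default, i.e. plain loop detection."""
    return local_as_occurrences(as_path, local_asn) <= allowed


def find_routes_containing_local_as(routes, local_asn):
    """Rough equivalent of looking for hidden routes whose AS path matches
    '.*<local ASN>.*': return the prefixes whose AS_PATH contains local_asn."""
    return [r.prefix for r in routes if has_as_loop(r.as_path, local_asn)]


# Constructed Adj-RIB-In for a hypothetical speaker in AS23910. The prefixes
# are documentation ranges and the neighbouring ASNs are made up.
LOCAL_ASN = 23910
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", [(AS_SEQUENCE, [64496, 64497])]),               # clean path
    Route("198.51.100.0/24", [(AS_SEQUENCE, [64496, 23910, 64498])]),     # loop in AS_SEQUENCE
    Route("203.0.113.0/24", [(AS_SEQUENCE, [64499]), (AS_SET, [23910, 64500])]),  # loop inside an AS_SET
    Route("10.0.0.0/8", [(AS_SEQUENCE, [23910, 64501, 23910])]),          # two occurrences (island-ASN style)
]


def summarize(routes=SAMPLE_ROUTES, local_asn=LOCAL_ASN, allowed=0):
    """Per-prefix decision under a given allowas-in threshold."""
    return {
        r.prefix: {
            "occurrences": local_as_occurrences(r.as_path, local_asn),
            "accepted": accept_with_allowas_in(r.as_path, local_asn, allowed),
        }
        for r in routes
    }


if __name__ == "__main__":
    print("Hidden (contain local AS):", find_routes_containing_local_as(SAMPLE_ROUTES, LOCAL_ASN))
    for allowed in (0, 1, 2):
        print(f"allowas-in {allowed}:", summarize(allowed=allowed))
```

The point for an operator reviewing such routes is that the default already keeps them out of the decision process; raising the threshold is only needed for the distributed-ASN case Joel mentions, and the count should match the number of times the prefix legitimately passes through your own ASN, not more.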