Re: Multi-gigabit edge devices as CPE
L3VPN hand off is the only thing I can think of from the top of my head. But then, there would be no need to have a full table unless you had customers requesting a full table. It sounds like the OP is looking for one device to do multiple roles where two/three different device types and/or sizes would fit better.

On 9 Apr 2015, at 10:18 pm, Dave Taht dave.t...@gmail.com wrote:
> So to return this to a more rational basis - why does an edge network need MPLS in the first place?
Re: Multi-gigabit edge devices as CPE
On Thu, Apr 9, 2015 at 2:37 AM, Tim Raphael raphael.timo...@gmail.com wrote:
> I find this rather offensive as you clearly have no idea what I have contributed to the OSS community or more specifically to the VyOS project. Among working, studying a masters degree and a little sleep to keep me sane, I already do what I can.

My sincere apologies. At the time, that kickstarter was failing, and I was mindblown that nobody had seen the potential of it, and I had spent 3 days trying to convince more people to throw in, as I had already thrown in all I could.

My comment was directed far more at the universe than yourself and was more in the context of my prior bufferbloat-related rant earlier in the day, which I have spent 4 years on, mostly full time, and mostly unpaid. I am still sad that nobody threw in for that get one give one program (who pays for the software engineers?), and that it took events like heartbleed to get the LF's core infrastructure initiative funded, and, well, frankly, it is a long, long list of things that bug me that have accumulated... that I will try to keep off this list.

> Tim
>
> On 9 Apr 2015, at 10:42 am, Dave Taht dave.t...@gmail.com wrote:
>> On Wed, Apr 8, 2015 at 6:36 PM, Tim Raphael raphael.timo...@gmail.com wrote:
>>> Correct. But hopefully not far off now that there are x86 packages for simple MPLS operations. With a bit of luck an RSVP or LDP implementation isn't far behind.

So to return this to a more rational basis - why does an edge network need MPLS in the first place?

-- 
Dave Täht
Open Networking needs **Open Source Hardware**
https://plus.google.com/u/0/107942175615993706558/posts/N8mZ5F5iSPU
Re: Voip encryption
On Thu, Apr 09, 2015 at 11:04:06AM -0400, Christopher Morrow wrote:
> On Thu, Apr 9, 2015 at 6:21 AM, Simon Brilus sbri...@blueyonder.co.uk wrote:
>> Hi - I have a PCI DSS requirement to encrypt VoIP over a 3rd party VPLS network. Has anyone dealt with this. I'd really not use VPN's over the VPLS so am looking at hardware WAN encrypters.
>
> wait, you don't want to do some VPN thing over the VPLS network links, but you think that hardware wan encrypters are going to work on the VPLS links? Did you plan on installing one of these devices at the carrier facility? and at all the other possible hops along the way? or were you hoping that the encrypter would not muddle with the L2 payload, but leave the L2 headers intact?
>
>> Any guidance appreciated.

Lost the original post, but why not SIP+TLS SRTP?

Ray
Re: Voip encryption
Hi Simon,

My understanding is that since your 3rd party VPLS instance is a private "MPLS" network, there is no requirement for application-level encryption. However if you wanted to encrypt VOIP that carries credit card data, some PBX/handsets offer application-level media encryption if that's the problem you want to solve to minimize your PCI scope.

Cheers!
Ed

On 4/9/15, 6:21 AM, Simon Brilus sbri...@blueyonder.co.uk wrote:
> Hi - I have a PCI DSS requirement to encrypt VoIP over a 3rd party VPLS network. Has anyone dealt with this. I'd really not use VPN's over the VPLS so am looking at hardware WAN encrypters.
>
> Any guidance appreciated.
>
> Thanks
> Simon
RE: Cisco/Level3 takedown
Seems like this is pretty ineffective. The group already moved subnets once, they will likely do this again; all Cisco/L3 have done is slow them down a bit.

Stephen Mikulasik

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Sameer Khosla
Sent: Thursday, April 09, 2015 9:31 AM
To: nanog@nanog.org
Subject: Cisco/Level3 takedown

Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables. Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.

It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider.

Thanks

Sameer Khosla
Managing Director
Neutral Data Centers Corp.
Twitter: @skhoslaTO
Re: Cisco/Level3 takedown
> Wrong. Batman, for example, wears a black hat.
>
>> vigilantes always wear white hats.

i stand corrected
Re: Cisco/Level3 takedown
On Apr 9, 2015, at 11:29 AM, Mel Beckman m...@beckman.org wrote:
> Wrong. Batman, for example, wears a black hat.

Thank you, Mask Man.

-Bill
Re: 100Gb/s TOR switch
On 09/04/2015 21:54, Christopher Morrow wrote:
> the math on their page is 'interesting'...

it's a t2 chipset. should be all forwarded at asic level, i.e. at line rate per port.

Nick
Re: Multi-gigabit edge devices as CPE
You'll be looking at a Juniper MX or a Cisco ASR9K I think. The MXs are targeted as being full-featured edge routers. An MX5 will take a full feed just fine and do all the *VPN you want. If you're talking about multiple full feeds then you'll need an MX240 with one of the higher-power REs for a decent reconvergence time.

On 9 Apr 2015, at 10:42 pm, Daniel Rohan dro...@gmail.com wrote:
> On Thu, Apr 9, 2015 at 7:25 AM, Tim Raphael raphael.timo...@gmail.com wrote:
>> L3VPN hand off is the only thing I can think of from the top of my head. But then, there would be no need to have a full table unless you had customers requesting a full table.
>
> I have one customer who needs an L3VPN for some shared private routes along with a full table in inet.0. There are ways of accomplishing this creatively but I'm looking for devices that can handle these types of requests that permit us some level of sanity.
Re: Multi-gigabit edge devices as CPE [TOPIC DRIFT!]
On April 9, 2015 at 09:11 raphael.timo...@gmail.com (Tim Raphael) wrote:
> VyOS is a community fork of Vyatta and is still being developed very actively and is pushing ahead with many new features! It's pretty stable too imo. http://vyos.net/wiki/Main_Page

SPEAKING of OSS routers...

Does anyone know of a single OSS project which supports the usual BGP etc kind of things (routing) AND virtual hosting, the terminology is muddled, but one IP in, chooses among one or more IPs for load-balancing (not to be confused with device load-balancing), fail-over, round-robin, other policies? The typical web farm kind of thing, but for other kinds of services also like mail, imap, etc.

I know one can piece together more than one project but then one has to get them to play together and learn their quirks and so forth.

For example I don't think any Mikrotik (ok not strictly OSS but they seem nice) supports the virtual host stuff unless I'm missing it.

I have some very old Alteons that do the virtual host stuff well enough but they are very long in the tooth (no IPv6, BGP is so old it's useless to the point of scary, etc.)

P.S. No particular need for fancy WAN interfaces, ethernet presentations are fine.

-- 
        -Barry Shein

The World              | b...@theworld.com       | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD    | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet | SINCE 1989     *oo*
Re: Multi-gigabit edge devices as CPE
I think e in ren is edu not edge. L3vpn or L2vpn for pseudo back haul or l2 extensions. State ren I assume to stand for regional education network, so likely vrf would be public internet, possibly Internet 2, district traffic, maybe higher Ed access for night class and vice versa.

One way to achieve 10g mpls plus full table and stay under 10k: you may be better served to break out pre-agg role for mpls and private L3 hand off, and for Internet peering step a hop back and peer at agg with a heavy duty juniper or cisco box over a l2vpn extension to the CE.

Sent from my iPad

On Apr 9, 2015, at 9:26 AM, Tim Raphael raphael.timo...@gmail.com wrote:
> L3VPN hand off is the only thing I can think of from the top of my head. But then, there would be no need to have a full table unless you had customers requesting a full table. It sounds like the OP is looking for one device to do multiple roles where two/three different device types and/or sizes would fit better.
>
> On 9 Apr 2015, at 10:18 pm, Dave Taht dave.t...@gmail.com wrote:
>> So to return this to a more rational basis - why does an edge network need MPLS in the first place?
Re: 100Gb/s TOR switch
Fairly certain that's a typo and supposed to be 960M pps :)

On Thu, Apr 9, 2015 at 2:54 PM, Christopher Morrow morrowc.li...@gmail.com wrote:
> On Thu, Apr 9, 2015 at 8:54 AM, Nick Hilliard n...@foobar.org wrote:
>> http://whiteboxswitch.com/products/edge-core-as5610-52x
>
> the math on their page is 'interesting'...
> 1.28tbps throughput (which is .08 or so tbps better than 64 10g ports equivalent)
> 960mbps forwarding
>
> err... so for just plain switching line-rate 64 10gbps ports. For forwarding traffic (being a router) ~1gbps.
>
> ouch, don't route.

-- 
eSited LLC
(701) 390-9638
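As an added example, not from the thread or the vendor, the line-rate arithmetic behind the two figures being argued about: the 48x10G + 4x40G port mix quoted for the AS5610-52X elsewhere in this thread gives 1.28 Tbps when both directions are counted, and at minimum Ethernet frame size the same ports need about 952 Mpps, which is where a rounded "960 Mpps" comes from and why a literal "960 Mbps" cannot be right. Frame-overhead constants are standard Ethernet; the port mix is the only page-specific input.

```python
"""Line-rate sanity check for a fixed-configuration switch.

Added example, not from the thread or the vendor. Reproduces the two
numbers quoted for the Edge-Core AS5610-52X (48x10G + 4x40G, port mix
taken from the thread) so a vendor page's throughput and pps claims can
be checked for any port mix.
"""

# Bytes on the wire per frame that are not part of the frame itself:
# 7 preamble + 1 start-of-frame delimiter + 12 inter-frame gap.
PREAMBLE_SFD_IFG_BYTES = 20
# Smallest legal Ethernet frame, FCS included, preamble/IFG excluded.
MIN_FRAME_BYTES = 64
# Port mix quoted in the thread for the AS5610-52X: (count, Gbps per port).
AS5610_52X = [(48, 10), (4, 40)]


def aggregate_gbps(ports):
    """One-direction sum of all port speeds, in Gbps."""
    return sum(count * gbps for count, gbps in ports)


def full_duplex_tbps(ports):
    """Vendor 'throughput' convention: both directions counted, in Tbps."""
    return aggregate_gbps(ports) * 2 / 1000


def max_pps(gbps, frame_bytes=MIN_FRAME_BYTES):
    """Frames per second one direction of a link carries at a fixed frame size."""
    bits_on_wire = (frame_bytes + PREAMBLE_SFD_IFG_BYTES) * 8
    return gbps * 1e9 / bits_on_wire


def line_rate_mpps(ports, frame_bytes=MIN_FRAME_BYTES):
    """Packets per second (millions) needed to be line-rate at a frame size."""
    return sum(count * max_pps(gbps, frame_bytes) for count, gbps in ports) / 1e6


def is_line_rate(stated_mpps, ports, frame_bytes=MIN_FRAME_BYTES):
    """True if a stated forwarding rate (Mpps) covers every port at that frame size."""
    return stated_mpps >= line_rate_mpps(ports, frame_bytes)


def fraction_of_capacity(stated_gbps, ports):
    """What share of one-direction capacity a stated bit rate would represent."""
    return stated_gbps / aggregate_gbps(ports)


if __name__ == "__main__":
    print(f"aggregate: {aggregate_gbps(AS5610_52X)} Gbps one way, "
          f"{full_duplex_tbps(AS5610_52X):.2f} Tbps full duplex")
    print(f"64-byte line rate: {line_rate_mpps(AS5610_52X):.1f} Mpps")
    print(f"1500-byte line rate: {line_rate_mpps(AS5610_52X, 1500):.1f} Mpps")
    print("960 Mpps is line rate:", is_line_rate(960, AS5610_52X))
    # Read literally as 960 Mbps, the forwarding figure would be a tiny
    # fraction of the box's own port capacity.
    print(f"960 Mbps as share of capacity: {fraction_of_capacity(0.96, AS5610_52X):.4%}")
```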
Re: Cisco/Level3 takedown
Just to add to the noise I think batman wears a black mask/helmet, but I've never considered it a mask. I didn't look at the details on this, but did L3 sink the routes at their border or did they expressly announce the route to sink it?

-jim

On Thu, Apr 9, 2015 at 3:35 PM, Randy Bush ra...@psg.com wrote:
>> Wrong. Batman, for example, wears a black hat.
>>
>>> vigilantes always wear white hats.
>
> i stand corrected
Re: Multi-gigabit edge devices as CPE [TOPIC DRIFT!]
You can do this for free with equal cost multi path routing. You announce the same IP from multiple servers with eg. OSPF.

On 09/04/2015 19.34 Barry Shein b...@world.std.com wrote:
> On April 9, 2015 at 09:11 raphael.timo...@gmail.com (Tim Raphael) wrote:
>> VyOS is a community fork of Vyatta and is still being developed very actively and is pushing ahead with many new features! It's pretty stable too imo. http://vyos.net/wiki/Main_Page
>
> SPEAKING of OSS routers...
>
> Does anyone know of a single OSS project which supports the usual BGP etc kind of things (routing) AND virtual hosting, the terminology is muddled, but one IP in, chooses among one or more IPs for load-balancing (not to be confused with device load-balancing), fail-over, round-robin, other policies? The typical web farm kind of thing, but for other kinds of services also like mail, imap, etc.
>
> I know one can piece together more than one project but then one has to get them to play together and learn their quirks and so forth.
>
> For example I don't think any Mikrotik (ok not strictly OSS but they seem nice) supports the virtual host stuff unless I'm missing it.
>
> I have some very old Alteons that do the virtual host stuff well enough but they are very long in the tooth (no IPv6, BGP is so old it's useless to the point of scary, etc.)
>
> P.S. No particular need for fancy WAN interfaces, ethernet presentations are fine.
>
> -- 
>         -Barry Shein
>
> The World              | b...@theworld.com       | http://www.TheWorld.com
> Purveyors to the Trade | Voice: 800-THE-WRLD    | Dial-Up: US, PR, Canada
> Software Tool & Die    | Public Access Internet | SINCE 1989     *oo*
Re: Cisco/Level3 takedown
Warrior Nun Areala wears a black hat.

http://en.wikipedia.org/wiki/Warrior_Nun_Areala

-b

On April 9, 2015 at 18:29 m...@beckman.org (Mel Beckman) wrote:
> Wrong. Batman, for example, wears a black hat.
>
> -mel via cell
>
> On Apr 9, 2015, at 11:17 AM, Randy Bush ra...@psg.com wrote:
>>> It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
>>
>> vigilantes always wear white hats.
>>
>> randy
Re: Cisco/Level3 takedown
On Apr 9, 2015, at 3:01 PM, Matt Olney (molney) mol...@cisco.com wrote:
> In response to Sameer Khosla's comment that we should work with the entire service provider community:
>
> Talos is the threat intelligence group within Cisco. We absolutely welcome discussions with any network operator on how we can improve the state of security on the Internet. Please contact me directly via email and we can have a discussion about how we can work together going forward.

While I agree that the (at least temporary) mitigation of the threat was overall a good thing, I'm not really happy with the method used. Decisions to drop/block/filter traffic should be done locally. I would have appreciated Talos coming to the various *nog lists and saying something like "Hey, there's some really bad guys here. Here's the evidence of their bad behavior, you really should block them." That probably would have had a wider reach than just going to Level3.

--Chris
Re: Cisco/Level3 takedown
folk are getting kinda bent out of shape about this, and about L3 doing 'something' but look at:
https://stat.ripe.net/widget/bgplay#w.resource=23.234.60.140

what's 4134 doing there?

This one as well:
https://stat.ripe.net/widget/bgplay#w.resource=103.41.124.0&w.ignoreReannouncements=true&w.starttime=142791&w.endtime=1428601200&w.instant=null&w.type=bgp&w.rrcs=0,1,6,7,11,14,3,4,5,10,12,13,15

wowsa! howdy 4134, having fun there?

On Thu, Apr 9, 2015 at 2:39 PM, jim deleskie deles...@gmail.com wrote:
> Just to add to the noise I think batman wears a black mask/helmet, but I've never considered it a mask. I didn't look at the details on this, but did L3 sink the routes at their border or did they expressly announce the route to sink it?
>
> -jim
>
> On Thu, Apr 9, 2015 at 3:35 PM, Randy Bush ra...@psg.com wrote:
>>> Wrong. Batman, for example, wears a black hat.
>>>
>>>> vigilantes always wear white hats.
>>
>> i stand corrected
Re: Cisco/Level3 takedown
In response to Sameer Khosla's comment that we should work with the entire service provider community:

Talos is the threat intelligence group within Cisco. We absolutely welcome discussions with any network operator on how we can improve the state of security on the Internet. Please contact me directly via email and we can have a discussion about how we can work together going forward.

Thank you in advance,

Matthew Olney
Manager, Talos Threat Intelligence Analytics
Cisco
Re: Multi-gigabit edge devices as CPE
On Thu, Apr 9, 2015 at 7:25 AM, Tim Raphael raphael.timo...@gmail.com wrote:
> L3VPN hand off is the only thing I can think of from the top of my head. But then, there would be no need to have a full table unless you had customers requesting a full table.

I have one customer who needs an L3VPN for some shared private routes along with a full table in inet.0. There are ways of accomplishing this creatively but I'm looking for devices that can handle these types of requests that permit us some level of sanity.
Re: Cisco/Level3 takedown
--- skho...@neutraldata.com wrote:
From: Sameer Khosla skho...@neutraldata.com

Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables. Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.
---

The authors lost some of their credibility when they wrote "Since then two class C networks have been..." At least they used slash notation for the rest of the article. If cisco won't stop using this terminology how will we get others to stop? Should I point them to https://en.wikipedia.org/wiki/Classful_network where they can see when a Class C (when it was a valid term) is all addresses that start with 110 in their leading bits and are in this range: 192.0.0.0 - 223.255.255.255. The addresses mentioned are from the historical Class A range even!

G, a pet peeve of mine. Someone here says Class C and I ask them how a Class C is defined and then launch into the whole story. The short of it is they never use that phrase around me again. ;-)

Last:

"Gone are the days when detectors and protectors can sit on the Internet's sidelines when a group is brazenly attacking a wide range of systems around the world. [...] Cisco and Level 3 Communications agreed that it was time to step in and make it stop."

Declaration of war? I'm getting my popcorn ready.
http://i294.photobucket.com/albums/mm86/JohnLeland1789/Funny/PopcornHugeBags.jpg

scott
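As an added example (not part of the post above or of the Talos article), the classful rule scott cites, class decided by the leading bits of the address, implemented so that the netblock Randy quoted earlier in the thread (43.255.190.0/23) can be checked against it; it also shows why a /23 is never a "Class C network" even when it does sit in 192.0.0.0 - 223.255.255.255. Classes D and E are included so every address maps to exactly one class.

```python
"""Historical IPv4 classes versus CIDR prefixes.

Added example, not from the thread. Implements the classful rule (class
decided by the leading bits of the first octet) and checks a prefix
quoted in the thread, 43.255.190.0/23, against it.
"""
import ipaddress

# Leading bits that defined each historical class. The address ranges are
# derived from these prefixes below rather than typed in by hand.
CLASS_LEADING_BITS = {"A": "0", "B": "10", "C": "110", "D": "1110", "E": "1111"}


def historical_class(address):
    """Return the classful letter (A-E) an address would have fallen into."""
    bits = format(int(ipaddress.IPv4Address(address)), "032b")
    for letter, prefix in CLASS_LEADING_BITS.items():
        if bits.startswith(prefix):
            return letter
    raise ValueError(f"no class for {address}")  # unreachable: prefixes cover all bit patterns


def class_range(letter):
    """First and last address of a historical class, as dotted-quad strings."""
    prefix = CLASS_LEADING_BITS[letter]
    first = ipaddress.IPv4Address(int(prefix.ljust(32, "0"), 2))
    last = ipaddress.IPv4Address(int(prefix.ljust(32, "1"), 2))
    return str(first), str(last)


def is_class_c_network(network):
    """A 'Class C network' is exactly a /24 whose address starts with bits 110."""
    net = ipaddress.IPv4Network(network, strict=False)
    return net.prefixlen == 24 and historical_class(net.network_address) == "C"


def describe(network):
    """One-line summary contrasting the CIDR prefix with the classful label."""
    net = ipaddress.IPv4Network(network, strict=False)
    letter = historical_class(net.network_address)
    verdict = "is" if is_class_c_network(network) else "is not"
    return (f"{net} is a /{net.prefixlen} ({net.num_addresses} addresses) in "
            f"historical Class {letter} space and {verdict} a Class C network")


if __name__ == "__main__":
    for letter in "ABCDE":
        print(letter, *class_range(letter), sep="  ")
    print(describe("43.255.190.0/23"))   # netblock quoted in the thread
    print(describe("192.0.2.0/24"))      # documentation prefix (RFC 5737), for contrast
    print(describe("192.0.2.0/23"))      # right bits, wrong size: still not a Class C
```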
Re: 100Gb/s TOR switch
So are we expecting these new switches to be the same price or cheaper than the current 40G uplinks models? Do you think the vendors will heavily discount the switches with 10G user port and 40G uplinks?

On Wed, Apr 8, 2015 at 9:33 PM, Phil Bedard bedard.p...@gmail.com wrote:
> Everyone. These should also support 25/50G Ethernet.
>
> Phil
>
> --
> From: Colton Conor colton.co...@gmail.com
> Sent: 4/8/2015 10:01 PM
> To: Furst, John-Nicholas jofu...@akamai.com
> Cc: nanog@nanog.org
> Subject: Re: 100Gb/s TOR switch
>
> From which vendors?
>
> On Wed, Apr 8, 2015 at 2:43 PM, Furst, John-Nicholas jofu...@akamai.com wrote:
>> If you can wait, you will see the market flooded with 32x100G with the ability to down-clock to 40g / breakout to 4x10g in the Q3/Q4 timeframe ;)
>>
>> John-Nicholas Furst
>> Hardware Engineer
>> Office: +1.617.274.7212
>> Akamai Technologies
>> 150 Broadway
>> Cambridge, MA 02142
>>
>> On 4/8/15, 3:37 PM, Hockett, Roy roy...@umich.edu wrote:
>>> I did see these switches at SC14.
>>> http://www.corsa.com/products/dp6440/
>>>
>>> Thanks,
>>> -Roy Hockett
>>> Network Architect, ITS Communications Systems and Data Centers
>>> University of Michigan
>>> Tel: (734) 763-7325
>>> Fax: (734) 615-1727
>>> email: roy...@umich.edu
>>>
>>> On Apr 8, 2015, at 3:01 PM, Piotr piotr.1...@interia.pl wrote:
>>>> Hi,
>>>> Is there something like this on the market? Looking for standalone switch, 1/2U, ca 40 ports 10Gb/s and about 4 ports 100Gb/s fixed or as a module.
>>>>
>>>> regards,
>>>> Peter
Re: Multi-gigabit edge devices as CPE
You could possibly look at rolling vMX (if it's even available yet) on x86 hardware. It's licensed by throughput and feature set. If you are doing L3VPN, I think you would need the advanced license. This may fit within your budget.

On Thu, Apr 9, 2015 at 10:50 AM, Tim Raphael raphael.timo...@gmail.com wrote:
> You'll be looking at a Juniper MX or a Cisco ASR9K I think. The MXs are targeted as being full-featured edge routers. An MX5 will take a full feed just fine and do all the *VPN you want. If you're talking about multiple full feeds then you'll need an MX240 with one of the higher-power REs for a decent reconvergence time.
>
> On 9 Apr 2015, at 10:42 pm, Daniel Rohan dro...@gmail.com wrote:
>> On Thu, Apr 9, 2015 at 7:25 AM, Tim Raphael raphael.timo...@gmail.com wrote:
>>> L3VPN hand off is the only thing I can think of from the top of my head. But then, there would be no need to have a full table unless you had customers requesting a full table.
>>
>> I have one customer who needs an L3VPN for some shared private routes along with a full table in inet.0. There are ways of accomplishing this creatively but I'm looking for devices that can handle these types of requests that permit us some level of sanity.
Re: Cisco/Level3 takedown
Wrong. Batman, for example, wears a black hat.

-mel via cell

On Apr 9, 2015, at 11:17 AM, Randy Bush ra...@psg.com wrote:
>> It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
>
> vigilantes always wear white hats.
>
> randy
Re: Voip encryption
On Thu, Apr 9, 2015 at 6:21 AM, Simon Brilus sbri...@blueyonder.co.uk wrote:
> Hi - I have a PCI DSS requirement to encrypt VoIP over a 3rd party VPLS network. Has anyone dealt with this. I'd really not use VPN's over the VPLS so am looking at hardware WAN encrypters.

wait, you don't want to do some VPN thing over the VPLS network links, but you think that hardware wan encrypters are going to work on the VPLS links? Did you plan on installing one of these devices at the carrier facility? and at all the other possible hops along the way? or were you hoping that the encrypter would not muddle with the L2 payload, but leave the L2 headers intact?

> Any guidance appreciated.
Re: Cisco/Level3 takedown
I think that, properly, Batman wears a cowl, not a hat.

On 4/9/2015 11:29 AM, Mel Beckman wrote:
> Wrong. Batman, for example, wears a black hat.
>
> -mel via cell
Re: Cisco/Level3 takedown
On Thu, Apr 9, 2015 at 11:31 AM, Sameer Khosla skho...@neutraldata.com wrote:
> Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables. Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.
>
> It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider.

are you sure they aren't engaged with a wider SP community?

(the dictionary seems relevant for: "Oh crap, my root account DOES have password123 as the password" :()
Re: Multi-gigabit edge devices as CPE
On Thu, Apr 9, 2015 at 7:25 AM, Tim Raphael raphael.timo...@gmail.com wrote:
> L3VPN hand off is the only thing I can think of from the top of my head. But then, there would be no need to have a full table unless you had customers requesting a full table.

Well my interpretation was that IPv4 address space had become so scarce that other methods were becoming more needed even on the high end edge networks.

> It sounds like the OP is looking for one device to do multiple roles where two/three different device types and/or sizes would fit better.

But that seems more plausible.

> On 9 Apr 2015, at 10:18 pm, Dave Taht dave.t...@gmail.com wrote:
>> So to return this to a more rational basis - why does an edge network need MPLS in the first place?

-- 
Dave Täht
Open Networking needs **Open Source Hardware**
https://plus.google.com/u/0/107942175615993706558/posts/N8mZ5F5iSPU
Voip encryption
Hi - I have a PCI DSS requirement to encrypt VoIP over a 3rd party VPLS network. Has anyone dealt with this. I'd really not use VPN's over the VPLS so am looking at hardware WAN encrypters.

Any guidance appreciated.

Thanks
Simon
G/L Coding for RIR resources
Group. How do your respective bean counting teams code RIR resources, ASN's, Addr allocations, etc.? Software subscription? Licensing?

Thank you

-- 
Bill Blackford

Logged into reality and abusing my sudo privileges.
Re: Voip encryption
On Thu, Apr 9, 2015 at 1:21 PM, Simon Brilus sbri...@blueyonder.co.uk wrote:
> Hi - I have a PCI DSS requirement to encrypt VoIP over a 3rd party VPLS network. Has anyone dealt with this. I'd really not use VPN's over the VPLS so am looking at hardware WAN encrypters.

SafeNet and Thales sell L2 WAN encryptors for sure. There is AEP and SINA which also do hardware WAN encryption, but I do not know if they do Layer2.

Eugeniu
Re: BGP offloading (fixing legacy router BGP scalability issues)
Hi Frederik,

On 09 Apr 2015, at 13:24, Frederik Kriewitz frede...@kriewitz.eu wrote:
> Thank you very much for all your responses.
>
> First of all, the problems we see are really RIB (Processor memory) and CPU related. The TCAM/FIB limits are properly configured. From the FIB capacity view they should last a couple of more years. Software routing doesn't cause the problem.
>
> The most extreme case of Cisco 6500/SUP720 abuse I'm aware of is a setup with 4 full table transit connections + 2 RR sessions + ~20 peerings, no downstreams. Besides the IPv4 and IPv6 peerings it's pretty much only handling a small amount of OSPF and MPLS (5k prefixes ~500 routers). No netflow or any other memory hog. Under normal condition it's running at 20% CPU and 90% processor memory (1G/SUP720 XL).

The main limit here apart from the rather slow CPU for RP is the amount of memory you can have. I'd set up a CSR1000v as RR and offload the 6500 from the control-plane completely. It's a nice box to do very fast hardware forwarding as long as the FIB fits in the TCAMs, which it seems it does in your scenario.

> In case a session with a lot of prefixes (e.g. a transit) fails, it takes up to 5 minutes for the BGP Router process to recompute the RIB, etc.. During that time it's running at 100% CPU. Low priority processes are completely ignored (e.g. SNMP based monitoring stops working). Occasionally it even drops OSPF neighbours or other BGP sessions due to expired hold timers causing further havoc.

You can tune this with process time tweaks.

> Applying a /22 filter was suggested. In order to actually save the RIB memory we would have to disable soft-reconfiguration on the corresponding sessions. I don't like that option for various reasons as it trades less memory usage for longer convergence times and significantly bigger impacts on route map updates. Due to the IPv4 exhaustion we expect to see more small prefixes in the future which can't be aggregated (considering the AS path). Simply dropping them would result in less optimal routing.

If you have to filter somewhere on something, I'd rather try to filter by AS_PATH (neighbors, etc) than prefix lengths.

-- 
There's no sense in being precise when  | Łukasz Bromirski
 you don't know what you're talking     |   jid:lbromir...@jabber.org
 about.             John von Neumann    |   http://lukasz.bromirski.net
Re: 100Gb/s TOR switch
On 09/04/2015 13:30, Colton Conor wrote:
> So are we expecting these new switches to be the same price or cheaper than the current 40G uplinks models? Do you think the vendors will heavily discount the switches with 10G user port and 40G uplinks?

like this?

http://whiteboxswitch.com/products/edge-core-as5610-52x

BCOM trident 2 chipset - 48x10G + 4x40G, $5095 for one-off purchases.

Nick
RE: Multi-gigabit edge devices as CPE
I didn't research the full feature list, but you might take a quick look at Mikrotik. www.mikrotik.com

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Tim Raphael
Sent: Thursday, April 9, 2015 10:51 AM
To: Daniel Rohan
Cc: nanog@nanog.org
Subject: Re: Multi-gigabit edge devices as CPE

You'll be looking at a Juniper MX or a Cisco ASR9K I think. The MXs are targeted as being full-featured edge routers. An MX5 will take a full feed just fine and do all the *VPN you want. If you're talking about multiple full feeds then you'll need an MX240 with one of the higher-power REs for a decent reconvergence time.

On 9 Apr 2015, at 10:42 pm, Daniel Rohan dro...@gmail.com wrote:
> On Thu, Apr 9, 2015 at 7:25 AM, Tim Raphael raphael.timo...@gmail.com wrote:
>> L3VPN hand off is the only thing I can think of from the top of my head. But then, there would be no need to have a full table unless you had customers requesting a full table.
>
> I have one customer who needs an L3VPN for some shared private routes along with a full table in inet.0. There are ways of accomplishing this creatively but I'm looking for devices that can handle these types of requests that permit us some level of sanity.
Re: Multi-gigabit edge devices as CPE
I find this rather offensive as you clearly have no idea what I have contributed to the OSS community or more specifically to the VyOS project. Among working, studying a masters degree and a little sleep to keep me sane, I already do what I can.

Tim

On 9 Apr 2015, at 10:42 am, Dave Taht dave.t...@gmail.com wrote:
> On Wed, Apr 8, 2015 at 6:36 PM, Tim Raphael raphael.timo...@gmail.com wrote:
>> Correct. But hopefully not far off now that there are x86 packages for simple MPLS operations. With a bit of luck an RSVP or LDP implementation isn't far behind.
>
> Just sitting around whining and waiting for someone else to do the job is nowhere near as effective as chipping in and helping... or funding the efforts that exist.
>
> -- 
> Dave Täht
> Open Networking needs **Open Source Hardware**
> https://plus.google.com/u/0/107942175615993706558/posts/N8mZ5F5iSPU
Re: BGP offloading (fixing legacy router BGP scalability issues)
Thank you very much for all your responses.

First of all, the problems we see are really RIB (Processor memory) and CPU related. The TCAM/FIB limits are properly configured. From the FIB capacity view they should last a couple of more years. Software routing doesn't cause the problem.

The most extreme case of Cisco 6500/SUP720 abuse I'm aware of is a setup with 4 full table transit connections + 2 RR sessions + ~20 peerings, no downstreams. Besides the IPv4 and IPv6 peerings it's pretty much only handling a small amount of OSPF and MPLS (5k prefixes ~500 routers). No netflow or any other memory hog. Under normal condition it's running at 20% CPU and 90% processor memory (1G/SUP720 XL).

In case a session with a lot of prefixes (e.g. a transit) fails, it takes up to 5 minutes for the BGP Router process to recompute the RIB, etc.. During that time it's running at 100% CPU. Low priority processes are completely ignored (e.g. SNMP based monitoring stops working). Occasionally it even drops OSPF neighbours or other BGP sessions due to expired hold timers causing further havoc.

I had a look at David Barroso's SDN Internet Router project. While it's definitely a very interesting project it focuses on FIB limitations, in our case the RIB is the problem. Using netflow and traffic stats as additional metric is something I'm missing from today's routers too (not to work around FIB limits but to allow more intelligent load balancing/avoid congested ports).

Applying a /22 filter was suggested. In order to actually save the RIB memory we would have to disable soft-reconfiguration on the corresponding sessions. I don't like that option for various reasons as it trades less memory usage for longer convergence times and significantly bigger impacts on route map updates. Due to the IPv4 exhaustion we expect to see more small prefixes in the future which can't be aggregated (considering the AS path). Simply dropping them would result in less optimal routing.

Having a hardware router with just a small subset of routes to handle most of the traffic and send remaining traffic via a default route to a software router with a full table is a different approach to FIB limits. It shares similar problems as mentioned in the original post (how to make two routers appear as one, ...).

On the edge towards the end customers we already make heavy use of Linux routers based on standard servers. While we would love to replace all hardware routers with feature rich software routers we still consider them necessary towards the internet facing edge in order to allow us to mitigate certain (D)DoS attacks. Dropping entire ASs is not an option as already discussed here.

Another suggestion was to use OpenFlow PacketIn/Out messages to inject/extract the BGP packets. That probably would be a nice way to do it but unfortunately legacy routers typically don't support OpenFlow. The Cisco 6500/SUP720 is no exception.

I'll probably set up a small test environment to see if this actually works as expected.

Best Regards,
Freddy
Cisco/Level3 takedown
Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables. Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.

It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider.

Thanks

Sameer Khosla
Managing Director
Neutral Data Centers Corp.
Twitter: @skhoslaTO
RE: G/L Coding for RIR resources
I don't use a credit card. I expense through finance.
RIR fees go under a Maintenance code.
Database stuff would go under a Contractor code.

Cheers
Marla

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Christopher Morrow
Sent: Thursday, April 09, 2015 11:13 AM
To: Bill Blackford
Cc: nanog@nanog.org
Subject: Re: G/L Coding for RIR resources

On Thu, Apr 9, 2015 at 2:09 PM, Bill Blackford bblackf...@gmail.com wrote:
> Group. How do your respective bean counting teams code RIR resources, ASN's, Addr allocations, etc.? Software subscription? Licensing?

honestly I bet in a lot of places: Office Supplies
because:
1) no one's finance department accounts for this sort of expense request
2) it ends up on someone's 'corporate card'
3) this is all easier than explaining to 'finance' how an RIR works and why it's important to pay them this year, again...
Re: 100Gb/s TOR switch
On Thu, Apr 9, 2015 at 8:54 AM, Nick Hilliard n...@foobar.org wrote:

http://whiteboxswitch.com/products/edge-core-as5610-52x

the math on their page is 'interesting'...
1.28tbps throughput (which is .08 or so tbps better than 64 10g ports equivalent)
960mbps forwarding

err... so for just plain switching line-rate 64 10gbps ports. For forwarding traffic (being a router) ~1gbps. ouch, don't route.
Re: Multi-gigabit edge devices as CPE [TOPIC DRIFT!]
There is no redirecting as all the hosts have the same IP (typically on the loopback interface). Traffic goes back directly. You can even do priority but I would not. You get host down detection as the route will be withdrawn. You do not get server overload detection. On the other hand I am not sure I want such a feature. I would use it to load balance the load balancers / web cache / ssl proxy and it should be quite good for that purpose.

Regards
Baldur

On 09/04/2015 21.48, Barry Shein b...@world.std.com wrote:

On April 9, 2015 at 20:50 baldur.nordd...@gmail.com (Baldur Norddahl) wrote:

You can do this for free with equal cost multi path routing. You announce the same IP from multiple servers with e.g. OSPF.

True, and thanks, but that's just the beginning of an implementation, you still need all the gunk that detects and reacts to down or overloaded hosts, whether you want to do MAC or IP level redirecting, how data travels back to the remote host (directly or via the box's IP, NAT-like?), priority management, firewall functions, statistics gathering, blame apportionment (if I build it myself who do I get to blame?), etc.

-b

On 09/04/2015 19.34, Barry Shein b...@world.std.com wrote:

On April 9, 2015 at 09:11 raphael.timo...@gmail.com (Tim Raphael) wrote:

VyOS is a community fork of Vyatta and is still being developed very actively and it's pushing ahead with many new features! It's pretty stable too imo. http://vyos.net/wiki/Main_Page

SPEAKING of OSS routers... Does anyone know of a single OSS project which supports the usual BGP etc kind of things (routing) AND virtual hosting? The terminology is muddled, but one IP in, chooses among one or more IPs for load-balancing (not to be confused with device load-balancing), fail-over, round-robin, other policies? The typical web farm kind of thing, but for other kinds of services also like mail, imap, etc.

I know one can piece together more than one project but then one has to get them to play together and learn their quirks and so forth. For example I don't think any Mikrotik (ok not strictly OSS but they seem nice) supports the virtual host stuff unless I'm missing it. I have some very old Alteons that do the virtual host stuff well enough but they are very long in the tooth (no IPv6, BGP is so old it's useless to the point of scary, etc.)

P.S. No particular need for fancy WAN interfaces, ethernet presentations are fine.

--
-Barry Shein

The World | b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
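The ECMP/anycast design Baldur describes above (the same service IP announced from several servers, the router hashing each flow to one of the equal-cost next hops, a host dropping out when its route is withdrawn) can be modelled in a few lines. The following is an added illustration, not code from either poster; the service IP, next-hop addresses and client flows are constructed sample values. It shows the two properties under discussion: a down host disappears from the path as soon as its route is gone, while nothing in the mechanism reacts to a host that is up but overloaded.

```python
import hashlib
from collections import Counter

class EcmpAnycast:
    """One service IP reachable through several equal-cost next hops.

    Each next hop is a server announcing the shared IP (on its loopback)
    into the IGP; the router picks a next hop per flow by hashing the
    five-tuple, so a given flow always lands on the same server.
    """

    def __init__(self, service_ip, next_hops):
        self.service_ip = service_ip
        # servers whose route for service_ip is currently installed
        self.next_hops = list(next_hops)

    def withdraw(self, next_hop):
        """Host (or its routing daemon) goes down: its route is withdrawn."""
        self.next_hops.remove(next_hop)

    def select(self, flow):
        """Deterministic per-flow next-hop choice (hash of the five-tuple).

        Note what is *not* here: no view of server load. An overloaded but
        still-announcing host keeps receiving its share of flows.
        """
        if not self.next_hops:
            raise RuntimeError("no route to %s" % self.service_ip)
        digest = hashlib.sha256(repr(flow).encode()).digest()
        index = int.from_bytes(digest[:8], "big") % len(self.next_hops)
        return self.next_hops[index]

    def distribute(self, flows):
        """Count how many flows each installed next hop receives."""
        return Counter(self.select(f) for f in flows)


def constructed_flows(n):
    # constructed client flows: (src, sport, dst, dport, proto)
    return [("198.51.100.%d" % (i % 200 + 1), 40000 + i, "203.0.113.10", 443, 6)
            for i in range(n)]


def demo(withdrawn="10.0.0.3", n_flows=1000):
    rib = EcmpAnycast("203.0.113.10",
                      ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"])
    flows = constructed_flows(n_flows)
    before_map = {f: rib.select(f) for f in flows}
    before = Counter(before_map.values())

    rib.withdraw(withdrawn)          # host down detection == route withdrawal
    after_map = {f: rib.select(f) for f in flows}
    after = Counter(after_map.values())

    # Flows that changed next hop. With plain modulo hashing this is more
    # than just the withdrawn host's flows: shrinking the next-hop set
    # rehashes other flows too, which is the usual ECMP caveat.
    moved = sum(1 for f in flows if before_map[f] != after_map[f])
    return {"before": before, "after": after, "moved": moved,
            "withdrawn": withdrawn}


if __name__ == "__main__":
    result = demo()
    print("before withdrawal:", dict(result["before"]))
    print("after withdrawal: ", dict(result["after"]))
    print("flows that changed next hop:", result["moved"])
```

Run it as-is to see the redistribution; the `moved` figure being larger than the withdrawn host's original share is the part worth noticing when sizing such a setup for long-lived TCP sessions.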
Re: Multi-gigabit edge devices as CPE
On Thu, Apr 9, 2015 at 7:25 AM, Tim Raphael raphael.timo...@gmail.com wrote: It sounds like the OP is looking for one device to do multiple roles where two/three different device types and/or sizes would fit better. Yes, correct. And thanks for your work and suggestions.
Re: Cisco/Level3 takedown
Reading the article, I assumed that perhaps Level 3 was an upstream carrier, but RIPE stats shows that the covering prefix (103.41.120.0/22) is announced by AS63509, an Indonesian organization. It looks like they're fighting back by announcing their own /24 now. I love the AS's address:

descr: Jl. Marcedes Bens No.258
descr: Gunung Putri, Bogor
descr: Jawa Barat 16964
country: ID

While a Level 3 /24 announcement will certainly have a worldwide impact, I agree that it seems misguided when the originating AS can announce their own /24. It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).

--Blake

Sameer Khosla wrote on 4/9/2015 10:31 AM:

Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables. Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why Cisco published the SSH attack dictionary. It seems to me that this is something that, if they want to do it, they should be working with the entire service provider community, not just one provider.

Thanks
Sameer Khosla
Managing Director
Neutral Data Centers Corp.
Twitter: @skhoslaTO
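The check Blake did by hand above (look up the covering prefix, compare its origin AS with the origin of the new more-specific) is exactly what an operator would want to automate when watching their own space for this kind of intervention. The following is an added example, not code from the thread: it takes a constructed snapshot of route-collector data and flags every more-specific whose origin differs from the origin of its covering route. The /22 and /23 with their origins (AS63509, AS26484) are as stated in the thread; the /24 more-specifics are illustrative, and AS64496 is an RFC 5398 documentation ASN standing in for the third-party originator, since the thread does not name its ASN.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed route-collector snapshot: (prefix, origin AS).
SAMPLE_RIB = [
    ("103.41.120.0/22", 63509),
    ("103.41.120.0/24", 64496),   # more-specific from a different origin
    ("103.41.121.0/24", 64496),
    ("103.41.122.0/24", 63509),   # holder announcing its own more-specific
    ("43.255.190.0/23", 26484),
    ("43.255.190.0/24", 64496),
    ("43.255.191.0/24", 64496),
    ("198.51.100.0/24", 64500),   # unrelated prefix with no covering route
]


def covering_prefixes(prefix, rib):
    """All less-specific routes that contain `prefix`, as (prefix, origin)."""
    net = ip_network(prefix)
    covers = []
    for cand, origin in rib:
        cnet = ip_network(cand)
        if cand == prefix or cnet.version != net.version:
            continue
        if net.subnet_of(cnet):
            covers.append((cand, origin))
    return covers


def find_foreign_more_specifics(rib):
    """More-specifics whose origin differs from the covering route's origin.

    Returns (more_specific, its_origin, covering_prefix, covering_origin).
    Each more-specific is compared against every less-specific that
    contains it, so nested covers each produce their own finding.
    """
    findings = []
    for prefix, origin in rib:
        for cover, cover_origin in covering_prefixes(prefix, rib):
            if cover_origin != origin:
                findings.append((prefix, origin, cover, cover_origin))
    return findings


def summarize(findings):
    """Group findings: covering prefix -> sorted list of foreign origin ASNs."""
    by_cover = defaultdict(set)
    for _prefix, origin, cover, _cover_origin in findings:
        by_cover[cover].add(origin)
    return {cover: sorted(origins) for cover, origins in by_cover.items()}


if __name__ == "__main__":
    hits = find_foreign_more_specifics(SAMPLE_RIB)
    for more_specific, origin, cover, cover_origin in hits:
        print("%s (AS%d) is inside %s (AS%d)"
              % (more_specific, origin, cover, cover_origin))
    print(summarize(hits))
```

Feeding this a real RIB dump (a few hundred thousand entries) with the quadratic `covering_prefixes` scan would be slow; the point here is the comparison logic. A production version would index prefixes in a radix tree and also treat a differing origin as a lead to investigate rather than proof of anything, since legitimate traffic engineering and customer announcements produce the same pattern.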
Re: Cisco/Level3 takedown
It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484). vigilantes always wear white hats. randy