Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Warren Kumari
Yeah, the EdgeRouter series do not suck.
Fast, stable, easy to manage (although the broken tab completion drives me
nuts ('sho ip route' should just work, I'm too old to retrain my
fingers...)) - other than that they are great...

W

On Thu, May 5, 2016 at 8:28 PM Jared Mauch  wrote:

>
> > On May 5, 2016, at 4:52 PM, Javier J  wrote:
> >
> > I'm a fan of the EdgeRouterLite3
> >
> >
> > I don't manage many small businesses networks anymore because we now do
> > only 100% cloud and remote work but I started deploying them to all my old
> > clients I still have on retainer.
> >
> >
> > It is a wonderful solid set it, and forget it device and you can manage it
> > with ssh (it is basically running a fork of Vyatta under the hood on Cavium
> > hardware which is nice because it does lots of hardware offload like any
> > other enterprise device.)
>
> I’ll +1 the Edgerouter series.  They are cheap and hit the right price
> performance ratio for most homes.
>
> You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if
> necessary.
>
> If you are looking for more complex blocking rules and services, you need to be
> looking at something like the Deteque DNS service or the Cisco/OpenDNS services
> instead to nuke outbound malware connections and such.
>
> - Jared
>
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Christopher Morrow
On Thu, May 5, 2016 at 8:27 PM, Jared Mauch  wrote:

>
> > On May 5, 2016, at 4:52 PM, Javier J  wrote:
> >
> > I'm a fan of the EdgeRouterLite3
> >
> >
> > I don't manage many small businesses networks anymore because we now do
> > only 100% cloud and remote work but I started deploying them to all my old
> > clients I still have on retainer.
> >
> >
> > It is a wonderful solid set it, and forget it device and you can manage it
> > with ssh (it is basically running a fork of Vyatta under the hood on Cavium
> > hardware which is nice because it does lots of hardware offload like any
> > other enterprise device.)
>
> I’ll +1 the Edgerouter series.  They are cheap and hit the right price
> performance ratio for most homes.
>
>
came here to say this, also they do v6, PD and all that jazz.



> You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if
> necessary.
>
> If you are looking for more complex blocking rules and services, you need to be
> looking at something like the Deteque DNS service or the Cisco/OpenDNS services
> instead to nuke outbound malware connections and such.
>
>
also agree whole-heartedly with this sentiment.


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Tim Raphael
The SIP ALG in the Juniper SRXs is definitely one of the best I’ve come across.

I defaulted to turning it off based on my previous experiences with SIP ALGs 
and NAT however it became apparent that it actually worked really well and I 
ended up defaulting it to on.

- Tim


> On 6 May 2016, at 3:37 AM, Andrew Kirch  wrote:
> 
> Both the Juniper SRX, and the Mikrotik will work.
> 
> The problem isn't firewalling, it's NAT.  NAT is evil.
> 
> Perhaps having enough IP Addresses would be a better solution?
> https://www.youtube.com/watch?v=v26BAlfWBm8
> 
> On Thu, May 5, 2016 at 3:09 PM, Matt Freitag  wrote:
> 
>> I'm a huge fan of Juniper's SRX line. I use all the features you point out
>> at home on my SRX210, although that product is end-of-life. A refurbished
>> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
>> support is extra, but I'm not sure how much.
>> 
>> I haven't used it myself but I have seen the packet capture in action.
>> It'll save any traffic you want right out to a pcap file too. I also like
>> "show security flow session" - shows you the source, destination, ports,
>> how long a session has been going, and number of packets and number of
>> bytes transferred.
>> 
>> Matt Freitag
>> Network Engineer I
>> Information Technology
>> Michigan Technological University
>> (906) 487-3696
>> http://www.mtu.edu/
>> http://www.it.mtu.edu/
>> 
>> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
>> Sent: Thursday, May 5, 2016 2:51 PM
>> To: Mel Beckman 
>> Cc: nanog@nanog.org
>> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>> 
>> You're exactly right, Mel. Dell has really turned the Sonicwall platform
>> around in the past few years. We dropped it a year or two before Dell took
>> them over. Back then Sonicwall was full of issues and lacked important
>> features that our enterprise customers required. If you have budget, Palo
>> Alto is something to look at as well, but don't overlook Sonicwall and
>> FortiGate.
>> 
>> 
>> Sincerely,
>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>> 
>> E: nellerm...@broadaspect.com
>> P: 703-297-4639
>> F: 703-996-4443
>> 
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail
>> and its attachments from all computers.
>> 
>> 
>> -Original Message-
>> From: Mel Beckman [mailto:m...@beckman.org]
>> Sent: Thursday, May 05, 2016 2:49 PM
>> To: Nick Ellermann 
>> Cc: Ken Chase ; nanog@nanog.org
>> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>> 
>> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
>> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
>> SonicWalls are easier to configure, but have fewer features. Fortigate has
>> many knobs and dials and a very powerful virtual router facility that can
>> do amazing things. The two vendors have equivalent support in my opinion,
>> although Fortigate tends to be more personal (Dell is big and you get
>> random techs).
>> 
>> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
>> but mostly I think because they're Cisco-only. PaloAlto is expensive for
>> what you get. Functionally they are on the same level as Fortigate, with a
>> slightly more elegant GUI. But Fortigate can be configured via a USB
>> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
>> are error-prone and slow.
>> 
>> -mel
>> 
>>> On May 5, 2016, at 11:39 AM, Nick Ellermann  wrote:
>>>
>>> We have a lot of luck for smaller VOIP customers having all of their
>>> services run through a FortiGate 60D, or higher models. 60D is our go to
>>> solution for small enterprise. However, if we are the network carrier for
>>> a particular customer and they have a voip deployment of more than about
>>> 15 phones, then we deploy a dedicated voice edge gateway, which is more
>>> about voice support and handset management than anything.  You do need to
>>> disable a couple of things on the FortiGate such as SIP Session Helper and
>>> ALG.  We never have voice termination, origination or call quality issues
>>> because of the firewall.
>>> FortiGate has a lot of advanced features as well as fine tuning and
>>> adjustment capabilities for the network engineering type and is still easy
>>> enough for our entry level techs to support. Most of our customers have
>>> heavy VPN requirements and FortiGates have great IPsec performance.  We
>>> leverage a lot of the network security features and have built a
>>> successful managed firewall service with good monitoring and analytics
>>> using a third-party monitoring platform and Fortinet's FortiAnalyzer
>>> platform.
>>> 

CALEA

2016-05-05 Thread Justin Wilson
Does anyone have some up-to-date information on CALEA? 
https://askcalea.fbi.gov/  has a fair amount of 
broken links.  The service provider registration is broken. The web-site has 
not been updated. Searches on FBI.gov and the FCC site just point back to 
askcalea.

Are any of you still seeing CALEA requests on the voice or the data 
sides?
What is the community hearing about CALEA?


Justin Wilson
j...@mtin.net

---
http://www.mtin.net Owner/CEO
xISP Solutions- Consulting – Data Centers - Bandwidth

http://www.midwest-ix.com  COO/Chairman
Internet Exchange - Peering - Distributed Fabric



Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Jared Mauch

> On May 5, 2016, at 4:52 PM, Javier J  wrote:
> 
> I'm a fan of the EdgeRouterLite3
> 
> 
> I don't manage many small businesses networks anymore because we now do
> only 100% cloud and remote work but I started deploying them to all my old
> clients I still have on retainer.
> 
> 
> It is a wonderful solid set it, and forget it device and you can manage it
> with ssh (it is basically running a fork of Vyatta under the hood on Cavium
> hardware which is nice because it does lots of hardware offload like any
> other enterprise device.)

I’ll +1 the Edgerouter series.  They are cheap and hit the right price 
performance ratio for most homes.

You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if necessary.

If you are looking for more complex blocking rules and services, you need to be
looking at something like the Deteque DNS service or the Cisco/OpenDNS services
instead to nuke outbound malware connections and such.

- Jared



Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread g...@1337.io
If you are considering pfSense, I would urge you to look at OPNsense 
instead. The pfSense code is horrible!


On 5/5/16 11:11 AM, amuse wrote:

> What PFSense currently lacks in brand name recognition, they can make up
> with by the fact that they offer paid support at very affordable levels.
>
> I'd go with https://store.pfsense.org/SG-2440/ ($499 each) and a quote for
> professional services (https://store.pfsense.org/Professional-Services.aspx)
> to back that up.
>
> On Thu, May 5, 2016 at 10:53 AM, Ken Chase  wrote:
>
> > Looking around at different SMB firewalls to standardize on so we can start
> > training up our level 2/3 techs instead of dealing with a mess of different
> > vendors at cust premises.
> >
> > I've run into a few firewalls that were not sip or 323 friendly however,
> > wondering what your experiences are. Need something cheap enough (certainly
> > <$1k, <$500-750 better) that we are comfortable telling endpoints to toss
> > current gear/buy additional gear.
> >
> > Basic firewalling of course is covered, but also need port range forwarding
> > (not available until later ASA versions for eg was an issue), QoS (port/flow
> > based as well as possibly actually talking some real QoS protocols) and VPN
> > capabilities (not sure if many do without #seats licensing schemes which get
> > irritating to clients).
> >
> > We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> > preferred) - I realize a PFsense unit would be great, but might not have
> > enough brand name recognition to make the master client happy plopping down
> > as a CPE at end client sites. (I know, "there's only one brand, Cisco."
> > ASA5506x is a bit $$ and licensing acrobatics get irritating for end
> > customers.)
> >
> > /kc
> > --
> > Ken Chase - Guelph Canada




Re: ATT Mobile Outage San Juan, PR 8+ hours, 1 Million out.

2016-05-05 Thread Nathan Schrenk
It looks like www.outages.org stopped being updated with outage data in
January 2013?

Nathan

On Wed, May 4, 2016 at 3:57 PM, Bill Woodcock  wrote:

>
> > On May 4, 2016, at 4:37 PM, Javier J  wrote:
> >
> > If there is a better mailing list please let me know.
>
> outa...@outages.org
>
> -Bill
>
>
>
>
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Sean Heskett
We use Calix gigacenter 844E. It will do everything you listed (and a whole
lot more) except the VPN part.

-Sean

On Thursday, May 5, 2016, Ken Chase  wrote:

> Looking around at different SMB firewalls to standardize on so we can start
> training up our level 2/3 techs instead of dealing with a mess of different
> vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however,
> wondering what your experiences are. Need something cheap enough (certainly
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss
> current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding
> (not available until later ASA versions for eg was an issue), QoS (port/flow
> based as well as possibly actually talking some real QoS protocols) and VPN
> capabilities (not sure if many do without #seats licensing schemes which get
> irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> preferred) - I realize a PFsense unit would be great, but might not have
> enough brand name recognition to make the master client happy plopping down
> as a CPE at end client sites. (I know, "there's only one brand, Cisco."
> ASA5506x is a bit $$ and licensing acrobatics get irritating for end
> customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada
>


Re: Patch panel solutions for 4x10GE breakout

2016-05-05 Thread Spencer Ryan
We generally run a MTP/MPO12 cable to a breakout cassette a few racks down,
and that's where we split out all of the LC pairs. It keeps the mess away
from the routers/traffic generators.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Thu, May 5, 2016 at 10:28 AM, Phil Bedard  wrote:

> So the newer equipment we are looking at uses QSFP+/MTP with 4x10GE
> breakouts to deliver 10G.  We are not wiring these up to things in the same
> rack, they will be going to patch panels and then elsewhere in a facility.
> It could potentially get messy with the panels we have today so we are
> looking at other solutions.  These are all SM LR connections using LC.
> There are a lot of SM MTP to LC options since that’s the way most panels
> are wired, but they typically have 6 duplex LC connectors per MTP and not 4
> which isn’t very efficient in this use case.  I’ve seen others just use an
> intermediate LC to LC panel and just wire the breakouts to those and then
> jumper the other side elsewhere.
>
> Anything else others have used?  The point of the solution is to keep the
> wiring mess in front of or near the device to a minimum.
>
> Thanks,
>
> Phil
>
>
>


Re: Patch panel solutions for 4x10GE breakout

2016-05-05 Thread Shawn Morris
It's the Corning Edge8 line [
https://www.corning.com/worldwide/en/products/communication-networks/applications/data-center/edge8.html
]

On Thu, May 5, 2016 at 9:45 AM, Jared Mauch  wrote:

> There is a nice Corning panel our facilities team is using now. I can find
> the link and send it to the list when not at my phone.
>
> Jared Mauch
>
> > On May 5, 2016, at 10:28 AM, Phil Bedard  wrote:
> >
> > So the newer equipment we are looking at uses QSFP+/MTP with 4x10GE
> breakouts to deliver 10G.  We are not wiring these up to things in the same
> rack, they will be going to patch panels and then elsewhere in a facility.
> It could potentially get messy with the panels we have today so we are
> looking at other solutions.  These are all SM LR connections using LC.
> There are a lot of SM MTP to LC options since that’s the way most panels
> are wired, but they typically have 6 duplex LC connectors per MTP and not 4
> which isn’t very efficient in this use case.  I’ve seen others just use an
> intermediate LC to LC panel and just wire the breakouts to those and then
> jumper the other side elsewhere.
> >
> > Anything else others have used?  The point of the solution is to keep
> the wiring mess in front of or near the device to a minimum.
> >
> > Thanks,
> >
> > Phil
> >
>
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Javier J
I'm a fan of the EdgeRouterLite3


I don't manage many small businesses networks anymore because we now do
only 100% cloud and remote work but I started deploying them to all my old
clients I still have on retainer.


It is a wonderful solid set it, and forget it device and you can manage it
with ssh (it is basically running a fork of Vyatta under the hood on Cavium
hardware which is nice because it does lots of hardware offload like any
other enterprise device.)


I won't use pfsense anymore because its project was taken over by a-holes,
but that is just my personal experience.

- Javier

On Thu, May 5, 2016 at 1:53 PM, Ken Chase  wrote:

> Looking around at different SMB firewalls to standardize on so we can start
> training up our level 2/3 techs instead of dealing with a mess of different
> vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however,
> wondering what your experiences are. Need something cheap enough (certainly
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss
> current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding
> (not available until later ASA versions for eg was an issue), QoS (port/flow
> based as well as possibly actually talking some real QoS protocols) and VPN
> capabilities (not sure if many do without #seats licensing schemes which get
> irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> preferred) - I realize a PFsense unit would be great, but might not have
> enough brand name recognition to make the master client happy plopping down
> as a CPE at end client sites. (I know, "there's only one brand, Cisco."
> ASA5506x is a bit $$ and licensing acrobatics get irritating for end
> customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Andrew Kirch
Both the Juniper SRX, and the Mikrotik will work.

The problem isn't firewalling, it's NAT.  NAT is evil.

Perhaps having enough IP Addresses would be a better solution?
https://www.youtube.com/watch?v=v26BAlfWBm8

On Thu, May 5, 2016 at 3:09 PM, Matt Freitag  wrote:

> I'm a huge fan of Juniper's SRX line. I use all the features you point out
> at home on my SRX210, although that product is end-of-life. A refurbished
> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
> support is extra, but I'm not sure how much.
>
> I haven't used it myself but I have seen the packet capture in action.
> It'll save any traffic you want right out to a pcap file too. I also like
> "show security flow session" - shows you the source, destination, ports,
> how long a session has been going, and number of packets and number of
> bytes transferred.
>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> http://www.mtu.edu/
> http://www.it.mtu.edu/
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
> Sent: Thursday, May 5, 2016 2:51 PM
> To: Mel Beckman 
> Cc: nanog@nanog.org
> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>
> You're exactly right, Mel. Dell has really turned the Sonicwall platform
> around in the past few years. We dropped it a year or two before Dell took
> them over. Back then Sonicwall was full of issues and lacked important
> features that our enterprise customers required. If you have budget, Palo
> Alto is something to look at as well, but don't overlook Sonicwall and
> FortiGate.
>
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
>
>
> -Original Message-
> From: Mel Beckman [mailto:m...@beckman.org]
> Sent: Thursday, May 05, 2016 2:49 PM
> To: Nick Ellermann 
> Cc: Ken Chase ; nanog@nanog.org
> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>
> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
> SonicWalls are easier to configure, but have fewer features. Fortigate has
> many knobs and dials and a very powerful virtual router facility that can
> do amazing things. The two vendors have equivalent support in my opinion,
> although Fortigate tends to be more personal (Dell is big and you get
> random techs).
>
> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
> but mostly I think because they're Cisco-only. PaloAlto is expensive for
> what you get. Functionally they are on the same level as Fortigate, with a
> slightly more elegant GUI. But Fortigate can be configured via a USB
> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
> are error-prone and slow.
>
>  -mel
>
> > On May 5, 2016, at 11:39 AM, Nick Ellermann  wrote:
> >
> > We have a lot of luck for smaller VOIP customers having all of their
> > services run through a FortiGate 60D, or higher models. 60D is our go to
> > solution for small enterprise. However, if we are the network carrier for
> > a particular customer and they have a voip deployment of more than about
> > 15 phones, then we deploy a dedicated voice edge gateway, which is more
> > about voice support and handset management than anything.  You do need to
> > disable a couple of things on the FortiGate such as SIP Session Helper and
> > ALG.  We never have voice termination, origination or call quality issues
> > because of the firewall.
> > FortiGate has a lot of advanced features as well as fine tuning and
> > adjustment capabilities for the network engineering type and is still easy
> > enough for our entry level techs to support. Most of our customers have
> > heavy VPN requirements and FortiGates have great IPsec performance.  We
> > leverage a lot of the network security features and have built a
> > successful managed firewall service with good monitoring and analytics
> > using a third-party monitoring platform and Fortinet's FortiAnalyzer
> > platform.
> >
> > Worth looking at, if you haven't already. If you want to private message
> > me, happy to give more info.
> >
> >
> > Sincerely,
> > Nick Ellermann - CTO & VP Cloud Services BroadAspect
> >
> > E: nellerm...@broadaspect.com
> > P: 703-297-4639
> > F: 703-996-4443
> >

Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Mel Beckman
I should mention that both SonicWall and Fortigate have superb packet capture 
engines. Not only can you do capture view and first-level decode right in the 
web GUI, you can save captures in PCAP format or pipe the capture stream to an 
available Ethernet port. Both have extensive filtering for both capture and 
viewing within capture, and decent-sized capture buffers.

 -mel

> On May 5, 2016, at 12:09 PM, Matt Freitag  wrote:
> 
> I'm a huge fan of Juniper's SRX line. I use all the features you point out
> at home on my SRX210, although that product is end-of-life. A refurbished
> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
> support is extra, but I'm not sure how much.
> 
> I haven't used it myself but I have seen the packet capture in action.
> It'll save any traffic you want right out to a pcap file too. I also like
> "show security flow session" - shows you the source, destination, ports,
> how long a session has been going, and number of packets and number of
> bytes transferred.
> 
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> http://www.mtu.edu/
> http://www.it.mtu.edu/
> 
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
> Sent: Thursday, May 5, 2016 2:51 PM
> To: Mel Beckman 
> Cc: nanog@nanog.org
> Subject: RE: sub $500-750 CPE firewall for voip-centric application
> 
> You're exactly right, Mel. Dell has really turned the Sonicwall platform
> around in the past few years. We dropped it a year or two before Dell took
> them over. Back then Sonicwall was full of issues and lacked important
> features that our enterprise customers required. If you have budget, Palo
> Alto is something to look at as well, but don't overlook Sonicwall and
> FortiGate.
> 
> 
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
> 
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
> 
> 
> 
> -Original Message-
> From: Mel Beckman [mailto:m...@beckman.org]
> Sent: Thursday, May 05, 2016 2:49 PM
> To: Nick Ellermann 
> Cc: Ken Chase ; nanog@nanog.org
> Subject: Re: sub $500-750 CPE firewall for voip-centric application
> 
> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
> SonicWalls are easier to configure, but have fewer features. Fortigate has
> many knobs and dials and a very powerful virtual router facility that can
> do amazing things. The two vendors have equivalent support in my opinion,
> although Fortigate tends to be more personal (Dell is big and you get
> random techs).
> 
> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
> but mostly I think because they're Cisco-only. PaloAlto is expensive for
> what you get. Functionally they are on the same level as Fortigate, with a
> slightly more elegant GUI. But Fortigate can be configured via a USB
> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
> are error-prone and slow.
> 
> -mel
> 
>> On May 5, 2016, at 11:39 AM, Nick Ellermann  wrote:
>>
>> We have a lot of luck for smaller VOIP customers having all of their
>> services run through a FortiGate 60D, or higher models. 60D is our go to
>> solution for small enterprise. However, if we are the network carrier for
>> a particular customer and they have a voip deployment of more than about
>> 15 phones, then we deploy a dedicated voice edge gateway, which is more
>> about voice support and handset management than anything.  You do need to
>> disable a couple of things on the FortiGate such as SIP Session Helper and
>> ALG.  We never have voice termination, origination or call quality issues
>> because of the firewall.
>> FortiGate has a lot of advanced features as well as fine tuning and
>> adjustment capabilities for the network engineering type and is still easy
>> enough for our entry level techs to support. Most of our customers have
>> heavy VPN requirements and FortiGates have great IPsec performance.  We
>> leverage a lot of the network security features and have built a
>> successful managed firewall service with good monitoring and analytics
>> using a third-party monitoring platform and Fortinet's FortiAnalyzer
>> platform.
>>
>> Worth looking at, if you haven't already. If you want to private message
>> me, happy to give more info.
>> 
>> 
>> Sincerely,
>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>> 
>> E: nellerm...@broadaspect.com
>> P: 703-297-4639
>> F: 703-996-4443
>> 

RE: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Matt Freitag
I'm a huge fan of Juniper's SRX line. I use all the features you point out
at home on my SRX210, although that product is end-of-life. A refurbished
SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
support is extra, but I'm not sure how much.

I haven't used it myself but I have seen the packet capture in action.
It'll save any traffic you want right out to a pcap file too. I also like
"show security flow session" - shows you the source, destination, ports,
how long a session has been going, and number of packets and number of
bytes transferred.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
http://www.mtu.edu/
http://www.it.mtu.edu/


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
Sent: Thursday, May 5, 2016 2:51 PM
To: Mel Beckman 
Cc: nanog@nanog.org
Subject: RE: sub $500-750 CPE firewall for voip-centric application

You're exactly right, Mel. Dell has really turned the Sonicwall platform
around in the past few years. We dropped it a year or two before Dell took
them over. Back then Sonicwall was full of issues and lacked important
features that our enterprise customers required. If you have budget, Palo
Alto is something to look at as well, but don't overlook Sonicwall and
FortiGate.


Sincerely,
Nick Ellermann - CTO & VP Cloud Services BroadAspect

E: nellerm...@broadaspect.com
P: 703-297-4639
F: 703-996-4443



-Original Message-
From: Mel Beckman [mailto:m...@beckman.org]
Sent: Thursday, May 05, 2016 2:49 PM
To: Nick Ellermann 
Cc: Ken Chase ; nanog@nanog.org
Subject: Re: sub $500-750 CPE firewall for voip-centric application

I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
SonicWalls are easier to configure, but have fewer features. Fortigate has
many knobs and dials and a very powerful virtual router facility that can
do amazing things. The two vendors have equivalent support in my opinion,
although Fortigate tends to be more personal (Dell is big and you get
random techs).

Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
but mostly I think because they're Cisco-only. PaloAlto is expensive for
what you get. Functionally they are on the same level as Fortigate, with a
slightly more elegant GUI. But Fortigate can be configured via a USB
cable, which is a huge advantage in the field. Legacy RS-232 serial ports
are error-prone and slow.

 -mel

> On May 5, 2016, at 11:39 AM, Nick Ellermann  wrote:
>
> We have a lot of luck for smaller VOIP customers having all of their
> services run through a FortiGate 60D, or higher models. 60D is our go to
> solution for small enterprise. However, if we are the network carrier for
> a particular customer and they have a voip deployment of more than about
> 15 phones, then we deploy a dedicated voice edge gateway, which is more
> about voice support and handset management than anything.  You do need to
> disable a couple of things on the FortiGate such as SIP Session Helper and
> ALG.  We never have voice termination, origination or call quality issues
> because of the firewall.
> FortiGate has a lot of advanced features as well as fine tuning and
> adjustment capabilities for the network engineering type and is still easy
> enough for our entry level techs to support. Most of our customers have
> heavy VPN requirements and FortiGates have great IPsec performance.  We
> leverage a lot of the network security features and have built a
> successful managed firewall service with good monitoring and analytics
> using a third-party monitoring platform and Fortinet's FortiAnalyzer
> platform.
>
> Worth looking at, if you haven't already. If you want to private message
> me, happy to give more info.
>
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog@nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
>
> Looking around at different SMB firewalls to standardize on so we can
start training up our level 2/3 techs instead of dealing with a mess of
different vendors at cust premises.
>
> I've run 

RE: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Nick Ellermann
You're exactly right, Mel. Dell has really turned the Sonicwall platform around 
in the past few years. We dropped it a year or two before Dell took them over. 
Back then Sonicwall was full of issues and lacked important features that our 
enterprise customers required. If you have budget, Palo Alto is something to 
look at as well, but don't overlook Sonicwall and FortiGate.  


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
 
E: nellerm...@broadaspect.com 
P: 703-297-4639
F: 703-996-4443
 


-Original Message-
From: Mel Beckman [mailto:m...@beckman.org] 
Sent: Thursday, May 05, 2016 2:49 PM
To: Nick Ellermann 
Cc: Ken Chase ; nanog@nanog.org
Subject: Re: sub $500-750 CPE firewall for voip-centric application

I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto 
firewalls.  The best SMB devices are definitely SonicWall and Fortigate. 
SonicWalls are easier to configure, but have fewer features. Fortigate has many 
knobs and dials and a very powerful virtual router facility that can do amazing 
things. The two vendors have equivalent support in my opinion, although 
Fortigate tends to be more personal (Dell is big and you get random techs). 

Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but 
mostly I think because they're Cisco-only. PaloAlto is expensive for what you 
get. Functionally they are on the same level as Fortigate, with a slightly more 
elegant GUI. But Fortigate can be configured via a USB cable, which is a huge 
advantage in the field. Legacy RS-232 serial ports are error-prone and slow.

 -mel

> On May 5, 2016, at 11:39 AM, Nick Ellermann  
> wrote:
> 
> We have a lot of luck for smaller VOIP customers having all of their services 
> run through a FortiGate 60D, or higher models. 60D is our go to solution for 
> small enterprise. However, if we are the network carrier for a particular 
> customer and they have a voip deployment of more than about 15 phones, then 
> we deploy a dedicated voice edge gateway, which is more about voice support 
> and handset management than anything.  You do need to disable a couple of 
> things on the FortiGate such as SIP Session Helper and ALG.  We never have 
> voice termination, origination or call quality issues because of the 
> firewall. 
> FortiGate has a lot of advanced features as well as fine tuning and 
> adjustment capabilities for the network engineering type and is still easy 
> enough for our entry level techs to support. Most of our customers have heavy 
> VPN requirements and FortiGates have great IPsec performance.  We leverage a 
> lot of the network security features and have built a successful managed 
> firewall service with good monitoring and analytics using a third-party 
> monitoring platform and Fortinet's FortiAnalyzer platform. 
> 
> Worth looking at, if you haven't already. If you want to private message me, 
> happy to give more info. 
> 
> 
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>  
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>  
> 
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog@nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
> 
> Looking around at different SMB firewalls to standardize on so we can start 
> training up our level 2/3 techs instead of dealing with a mess of different 
> vendors at cust premises.
> 
> I've run into a few firewalls that were not sip or 323 friendly however, 
> wondering what your experiences are. Need something cheap enough (certainly 
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss 
> current gear/buy additional gear.
> 
> Basic firewalling of course is covered, but also need port range forwarding 
> (not available until later ASA versions for eg was an issue), QoS (port/flow 
> based as well as possibly actually talking some real QoS protocols) and VPN 
> capabilities (not sure if many do without #seats licensing schemes which get 
> irritating to clients).
> 
> We'd like a bit of diagnostic capability (say tcpdump or the like, via 
> shell
> preferred) - I realize a PFsense unit would be great, but might not 
> have enough brand name recognition to make the master client happy 
> plopping down as a CPE at end client sites. (I know, 

Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Mel Beckman
I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto 
firewalls.  The best SMB devices are definitely SonicWall and Fortigate. 
SonicWalls are easier to configure, but have fewer features. Fortigate has many 
knobs and dials and a very powerful virtual router facility that can do amazing 
things. The two vendors have equivalent support in my opinion, although 
Fortigate tends to be more personal (Dell is big and you get random techs). 

Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but 
mostly I think because they’re Cisco-only. PaloAlto is expensive for what you 
get. Functionally they are on the same level as Fortigate, with a slightly more 
elegant GUI. But Fortigate can be configured via a USB cable, which is a huge 
advantage in the field. Legacy RS-232 serial ports are error-prone and slow.

 -mel

> On May 5, 2016, at 11:39 AM, Nick Ellermann  
> wrote:
> 
> We have a lot of luck for smaller VOIP customers having all of their services 
> run through a FortiGate 60D, or higher models. 60D is our go to solution for 
> small enterprise. However, if we are the network carrier for a particular 
> customer and they have a voip deployment of more than about 15 phones, then 
> we deploy a dedicated voice edge gateway, which is more about voice support 
> and handset management than anything.  You do need to disable a couple of 
> things on the FortiGate such as SIP Session Helper and ALG.  We never have 
> voice termination, origination or call quality issues because of the 
> firewall. 
> FortiGate has a lot of advanced features as well as fine tuning and 
> adjustment capabilities for the network engineering type and is still easy 
> enough for our entry level techs to support. Most of our customers have heavy 
> VPN requirements and FortiGates have great IPsec performance.  We leverage a 
> lot of the network security features and have built a successful managed 
> firewall service with good monitoring and analytics using a third-party 
> monitoring platform and Fortinet's FortiAnalyzer platform. 
> 
> Worth looking at, if you haven't already. If you want to private message me, 
> happy to give more info. 
> 
> 
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services
> BroadAspect
>  
> E: nellerm...@broadaspect.com 
> P: 703-297-4639
> F: 703-996-4443
>  
> 
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog@nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
> 
> Looking around at different SMB firewalls to standardize on so we can start 
> training up our level 2/3 techs instead of dealing with a mess of different 
> vendors at cust premises.
> 
> I've run into a few firewalls that were not sip or 323 friendly however, 
> wondering what your experiences are. Need something cheap enough (certainly 
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss 
> current gear/buy additional gear.
> 
> Basic firewalling of course is covered, but also need port range forwarding 
> (not available until later ASA versions for eg was an issue), QoS (port/flow 
> based as well as possibly actually talking some real QoS protocols) and VPN 
> capabilities (not sure if many do without #seats licensing schemes which get 
> irritating to clients).
> 
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> preferred) - I realize a PFsense unit would be great, but might not have 
> enough brand name recognition to make the master client happy plopping down 
> as a CPE at end client sites. (I know, "there's only one brand, Cisco." 
> ASA5506x is a bit $$ and licensing acrobatics get irritating for end 
> customers.)
> 
> /kc
> --
> Ken Chase - Guelph Canada



RE: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Nick Ellermann
We have a lot of luck for smaller VOIP customers having all of their services 
run through a FortiGate 60D, or higher models. 60D is our go to solution for 
small enterprise. However, if we are the network carrier for a particular 
customer and they have a voip deployment of more than about 15 phones, then we 
deploy a dedicated voice edge gateway, which is more about voice support and 
handset management than anything.  You do need to disable a couple of things on 
the FortiGate such as SIP Session Helper and ALG.  We never have voice 
termination, origination or call quality issues because of the firewall. 
FortiGate has a lot of advanced features as well as fine tuning and adjustment 
capabilities for the network engineering type and is still easy enough for our 
entry level techs to support. Most of our customers have heavy VPN requirements 
and FortiGates have great IPsec performance.  We leverage a lot of the network 
security features and have built a successful managed firewall service with 
good monitoring and analytics using a third-party monitoring platform and 
Fortinet's FortiAnalyzer platform. 

Worth looking at, if you haven't already. If you want to private message me, 
happy to give more info. 


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
 
E: nellerm...@broadaspect.com 
P: 703-297-4639
F: 703-996-4443
 


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
Sent: Thursday, May 05, 2016 1:54 PM
To: nanog@nanog.org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start 
training up our level 2/3 techs instead of dealing with a mess of different 
vendors at cust premises.

I've run into a few firewalls that were not sip or 323 friendly however, 
wondering what your experiences are. Need something cheap enough (certainly 
<$1k, <$500-750 better) that we are comfortable telling endpoints to toss 
current gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding 
(not available until later ASA versions for eg was an issue), QoS (port/flow 
based as well as possibly actually talking some real QoS protocols) and VPN 
capabilities (not sure if many do without #seats licensing schemes which get 
irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a PFsense unit would be great, but might not have enough 
brand name recognition to make the master client happy plopping down as a CPE 
at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a 
bit $$ and licensing acrobatics get irritating for end customers.)

/kc
--
Ken Chase - Guelph Canada


RE: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Ray Orsini
We deploy SonicWALL TZ300 or SOHO using Dell's Security as a Service. That
way our monthly cost per customer is under $50 and includes all security
services plus GMS centralized management. Works great with our VOIP service.

Regards,
Ray Orsini – CEO
Orsini IT, LLC – Technology Consultants
VOICE DATA  BANDWIDTH  SECURITY  SUPPORT
P: 305.967.6756 x1009   E: r...@orsiniit.com   TF: 844.OIT.VOIP
7900 NW 155th Street, Suite 103, Miami Lakes, FL 33016
http://www.orsiniit.com



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
Sent: Thursday, May 5, 2016 1:54 PM
To: nanog@nanog.org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start
training up our level 2/3 techs instead of dealing with a mess of different
vendors at cust premises.

I've run into a few firewalls that were not sip or 323 friendly however,
wondering what your experiences are. Need something cheap enough (certainly
<$1k, <$500-750 better) that we are comfortable telling endpoints to toss
current gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding
(not available until later ASA versions for eg was an issue), QoS (port/flow
based as well as possibly actually talking some real QoS protocols) and VPN
capabilities (not sure if many do without #seats licensing schemes which get
irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a PFsense unit would be great, but might not have
enough brand name recognition to make the master client happy plopping down
as a CPE at end client sites. (I know, "there's only one brand, Cisco."
ASA5506x is a bit $$ and licensing acrobatics get irritating for end
customers.)

/kc
--
Ken Chase - Guelph Canada


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread amuse
What PFSense currently lacks in brand name recognition, they can make up
with by the fact that they offer paid support at very affordable levels.

I'd go with https://store.pfsense.org/SG-2440/ ($499 each) and a quote for
professional services  (
https://store.pfsense.org/Professional-Services.aspx ) to back that up.

On Thu, May 5, 2016 at 10:53 AM, Ken Chase  wrote:

> Looking around at different SMB firewalls to standardize on so we can start
> training up our level 2/3 techs instead of dealing with a mess of
> different vendors
> at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however,
> wondering
> what your experiences are. Need something cheap enough (certainly <$1k,
> <$500-750 better)
> that we are comfortable telling endpoints to toss current gear/buy
> additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding
> (not available until later ASA versions for eg was an issue), QoS
> (port/flow
> based as well as possibly actually talking some real QoS protocols) and VPN
> capabilities (not sure if many do without #seats licensing schemes which
> get
> irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via
> shell
> preferred) - I realize a PFsense unit would be great, but might not have
> enough brand name recognition to make the master client happy plopping
> down as
> a CPE at end client sites. (I know, "there's only one brand, Cisco."
> ASA5506x is a
> bit $$ and licensing acrobatics get irritating for end customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada
>


sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Ken Chase
Looking around at different SMB firewalls to standardize on so we can start
training up our level 2/3 techs instead of dealing with a mess of different 
vendors
at cust premises.

I've run into a few firewalls that were not sip or 323 friendly however, 
wondering
what your experiences are. Need something cheap enough (certainly <$1k, 
<$500-750 better)
that we are comfortable telling endpoints to toss current gear/buy additional 
gear.

Basic firewalling of course is covered, but also need port range forwarding
(not available until later ASA versions for eg was an issue), QoS (port/flow
based as well as possibly actually talking some real QoS protocols) and VPN
capabilities (not sure if many do without #seats licensing schemes which get
irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a PFsense unit would be great, but might not have
enough brand name recognition to make the master client happy plopping down as
a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x 
is a
bit $$ and licensing acrobatics get irritating for end customers.)

/kc
-- 
Ken Chase - Guelph Canada


RE: Patch panel solutions for 4x10GE breakout

2016-05-05 Thread Jameson, Daniel
Might be worth having a look at the Corning centrix modules.  Very high 
densities. 72 terminations  per u. Front side mpo/mtp connections.  Have some 
great slack storage and management options.


From: NANOG on behalf of Phil Bedard
Sent: Thursday, May 05, 2016 9:28:55 AM
To: nanog@nanog.org
Subject: Patch panel solutions for 4x10GE breakout

So the newer equipment we are looking at uses QSFP+/MTP with 4x10GE breakouts 
to deliver 10G.  We are not wiring these up to things in the same rack, they 
will be going to patch panels and then elsewhere in a facility.  It could 
potentially get messy with the panels we have today so we are looking at other 
solutions.  These are all SM LR connections using LC.  There are a lot of SM 
MTP to LC options since that’s the way most panels are wired, but they 
typically have 6 duplex LC connectors per MTP and not 4 which isn’t very 
efficient in this use case.  I’ve seen others just use an intermediate LC to LC 
panel and just wire the breakouts to those and then jumper the other side 
elsewhere.

Anything else others have used?  The point of the solution is to keep the 
wiring mess in front of or near the device to a minimum.

Thanks,

Phil




Re: Patch panel solutions for 4x10GE breakout

2016-05-05 Thread Jared Mauch
There is a nice Corning panel our facilities team is using now. I can find the 
link and send it to the list when not at my phone. 

Jared Mauch

> On May 5, 2016, at 10:28 AM, Phil Bedard  wrote:
> 
> So the newer equipment we are looking at uses QSFP+/MTP with 4x10GE breakouts 
> to deliver 10G.  We are not wiring these up to things in the same rack, they 
> will be going to patch panels and then elsewhere in a facility.  It could 
> potentially get messy with the panels we have today so we are looking at 
> other solutions.  These are all SM LR connections using LC.  There are a lot 
> of SM MTP to LC options since that’s the way most panels are wired, but they 
> typically have 6 duplex LC connectors per MTP and not 4 which isn’t very 
> efficient in this use case.  I’ve seen others just use an intermediate LC to 
> LC panel and just wire the breakouts to those and then jumper the other side 
> elsewhere.  
> 
> Anything else others have used?  The point of the solution is to keep the 
> wiring mess in front of or near the device to a minimum.  
> 
> Thanks, 
> 
> Phil  
> 



Patch panel solutions for 4x10GE breakout

2016-05-05 Thread Phil Bedard
So the newer equipment we are looking at uses QSFP+/MTP with 4x10GE breakouts 
to deliver 10G.  We are not wiring these up to things in the same rack, they 
will be going to patch panels and then elsewhere in a facility.  It could 
potentially get messy with the panels we have today so we are looking at other 
solutions.  These are all SM LR connections using LC.  There are a lot of SM 
MTP to LC options since that’s the way most panels are wired, but they 
typically have 6 duplex LC connectors per MTP and not 4 which isn’t very 
efficient in this use case.  I’ve seen others just use an intermediate LC to LC 
panel and just wire the breakouts to those and then jumper the other side 
elsewhere.  

Anything else others have used?  The point of the solution is to keep the 
wiring mess in front of or near the device to a minimum.  

Thanks, 

Phil  




Re: Netnod RD announcing misoriginate routes

2016-05-05 Thread Ca By
On Thursday, May 5, 2016, Ca By  wrote:

> I have contacted noc@ and peering contacts for Netnod and Mainloop
> AS43893 24 hours ago, but no response or remediation
>
> If you have a contact, please ask or tell them to stop originating and
> announcing 172.32.x.x space that belongs to 21928
>
> It would also be good if they responded to me yesterday or had bgp filters
>
> Thanks!
>

All fixed, thanks Internet!

But, really should have bgp filters, it's dangerous out there


Netnod RD announcing misoriginate routes

2016-05-05 Thread Ca By
I have contacted noc@ and peering contacts for Netnod and Mainloop AS43893
24 hours ago, but no response or remediation

If you have a contact, please ask or tell them to stop originating and
announcing 172.32.x.x space that belongs to 21928

It would also be good if they responded to me yesterday or had bgp filters

Thanks!
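
The kind of BGP origin filter asked for in the two messages above, as an added example that is not part of the original thread: a minimal RFC 6811 route-origin validation check in Python. The AS numbers are the ones named in the messages; the prefix length, the maximum length and the announcements are constructed placeholders, since the thread gives only "172.32.x.x".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One authorised (prefix, max length, origin AS) tuple, as in an RPKI ROA."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    origin_as: int


def validate_origin(prefix, origin_as, roas):
    """Classify an announcement per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        if route.version != roa.prefix.version:
            continue
        if not route.subnet_of(roa.prefix):
            continue
        # At least one ROA covers this route, so it can no longer be 'not-found'.
        covered = True
        if (route.prefixlen <= roa.max_length
                and origin_as == roa.origin_as
                and origin_as != 0):
            return "valid"
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, roas):
    """Import policy: reject 'invalid', accept 'valid' and 'not-found'."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, roas)
        (rejected if state == "invalid" else accepted).append(
            (prefix, origin_as, state))
    return accepted, rejected


# Constructed ROA table: the /16 and max length 24 are placeholders.
ROAS = [Roa(ipaddress.ip_network("172.32.0.0/16"), 24, 21928)]

# Constructed announcements as seen from a peer.
ANNOUNCEMENTS = [
    ("172.32.0.0/16", 21928),     # holder originates its own space
    ("172.32.10.0/24", 43893),    # covered space, wrong origin AS
    ("172.32.10.0/25", 21928),    # right origin, longer than max length
    ("198.51.100.0/24", 43893),   # no covering ROA at all
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(ANNOUNCEMENTS, ROAS)
    for prefix, origin_as, state in accepted:
        print(f"accept {prefix} from AS{origin_as} ({state})")
    for prefix, origin_as, state in rejected:
        print(f"reject {prefix} from AS{origin_as} ({state})")
```

Rejecting only the "invalid" state keeps routes without any covering ROA reachable, which is the usual starting policy when coverage is incomplete.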