On 18 Apr 2018, at 18:03, Ryan Hamel wrote:
Could you explain how this can resolve my issue? I am not sure how
this would work.
You should have iACLs and GTSM enabled, as noted previously.
Ideally, the link should come from an unadvertised range, or a range
which is sunk to null0 at the ed
What is your budget?
I know on the low end many operators are using the
Huawei S6720S-26Q-EI-24S-AC. You can get these new for $2500 to $3500, and
they support all the features and port counts you requested. They also have a
lifetime warranty that includes advanced replacement (10 days), TAC
support
look at these...
* Juniper ACX5048 - I've deployed about ~50 of these over the last couple
years and they are great boxes. I'm using them as mpls p/pe running L3VPN
(v4 and tested 6vpe), L2VPN (manual martini l2circuits and bgp-ad rfc4762,
I'll say that IOS XR asr9k has an occasional problem wi
On Wed, Apr 18, 2018 at 5:51 PM, Florian Weimer wrote:
> * Filip Hruska:
>
> > On 04/14/2018 07:29 PM, Florian Weimer wrote:
> >> * Filip Hruska:
> >>
> >>> EURID (.eu) WHOIS already works on a basis that no information about the
> >>> registrant is available via standard WHOIS.
> >>> In order
* Filip Hruska:
> On 04/14/2018 07:29 PM, Florian Weimer wrote:
>> * Filip Hruska:
>>
>>> EURID (.eu) WHOIS already works on a basis that no information about the
>>> registrant is available via standard WHOIS.
>>> In order to get any useful information you have to go to
>>> https://whois.eurid.eu
Juniper ACX 5048 is what we use though you need to license 10g ports
(ACX5K-L-1X10GE) and VPN (ACX5K-L-IPVPN)
QFX does MPLS but I'm pretty sure it doesn't do VPLS.
ns
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brandon Martin
Sent: Wednesday, Apri
Ruckus ICX switches do not do MPLS. They meet all the other requirements
listed, but unfortunately MPLS was listed as the most important one.
On Wed, Apr 18, 2018 at 3:01 PM Brandon Martin
wrote:
> On 04/18/2018 03:49 PM, Eric Litvin wrote:
> > Brocade/arris is eager for business these days. The
On 04/18/2018 03:49 PM, Eric Litvin wrote:
Brocade/arris is eager for business these days. They have a nice switch (10g
ports with 40g stacking) that should meet your needs with very aggressive
pricing.
Does the Brocade/Foundry-lineage stuff that went to Arris actually do
MPLS? I didn't th
Brocade/arris is eager for business these days. They have a nice switch (10g
ports with 40g stacking) that should meet your needs with very aggressive
pricing.
Eric
Sent from my iPhone
> On Apr 18, 2018, at 5:26 AM, Giuseppe Spanò - Datacast Srl
> wrote:
>
> Hello,
>
> we're looking fo
On Wed, Apr 18, 2018 at 7:03 AM, Ryan Hamel wrote:
> The attacks are definitely inbound on the border router interface. I have
> tracked outbound attacks before and wish it was this simple, but it's not.
>
>> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp
>> are sent
Hey,
On 18 April 2018 at 14:03, Ryan Hamel wrote:
>> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp
>> are sent (policed) to infrastructure addresses
>
> While I can implement an edge filter to drop such traffic, it's impacting our
> clients traffic as well.
I d
I’m forwarding this on behalf of the ANRW Chairs. Some of this research has
been quite interesting, and is on-topic to what NANOG folks are interested in.
Here’s some more details about it: https://irtf.org/anrp
You can find their slides and presentation videos online as well, with the most
r
Hello,
we're looking for some L3 switches to be used as distribution devices.
They should have all (at least 24) SFP+ ports 10G and at least a couple
of upstream ports 40G capable, but what is most important, they should
be able to run MPLS, EoMPLS and VPLS. Is there any device you would
sug
On Wed, 18 Apr 2018, Ryan Hamel wrote:
c) do run BGP with GTSM, so you can drop BGP packets with lower TTL than 255
Could you explain how this can resolve my issue? I am not sure how this would
work.
If the issue is flooding to your interface IP, that's not a relevant
countermeasure. You'
Saku,
The attacks are definitely inbound on the border router interface. I have
tracked outbound attacks before and wish it was this simple, but it's not.
> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp
> are sent (policed) to infrastructure addresses
While I can
Job,
Unfortunately, with my current situation, we have stopped exporting our
prefixes with the tier-1 carrier and still use the outbound bandwidth. I highly
doubt they will implement such a solution, but is something to keep in mind for
the future.
Thanks for the tip!
Ryan Hamel
___
Hey Ryan,
I'm assuming edge link in your network facing another administrative domain.
You'll have two scenarios
1) attack coming from your side
2) attack coming from far side
You can easily stop 1, obviously.
But for 2, you really need to have far-side who is cooperative and
understanding of
Hi,
On Wed, 18 Apr 2018 at 11:39, Ryan Hamel wrote:
> I wanted to poll everyone's thoughts on how to deal with attacks directly
> on BGP peering ranges (/30's, /127's).
>
> I know that sending an RTBH for our side of the upstream routing range
> does not resolve the issue, and it would actually m
Hello,
I wanted to poll everyone's thoughts on how to deal with attacks directly on BGP
peering ranges (/30's, /127's).
I know that sending an RTBH for our side of the upstream routing range does not
resolve the issue, and it would actually make things worse by blackholing all
inbound traffic o