Re: Mellanox / Cumulus

2020-11-04 Thread Tom Hill
On 02/11/2020 17:52, Bryan Holloway wrote:
> Anybody using these in production in an SP environment? And if so, any
> opinions, good or bad?

I haven't used them in an SP environment precisely because the Mellanox
hardware - while miles better than equivalent Broadcom designs - does
not cater to anyone with more than the most basic of QoS requirements.

Realistically, the ASIC designs are brilliant for data
centre/storage/HPC use, but they do not have (last I was briefed) any
hardware that would replace even an access switch, let alone a capable
border router.

I would *love* for that to change, so please correct me if I'm outdated.

On the software side, Cumulus Linux is very capable, and a joy to work
with. However, the business case to support even the Broadcom DNX range
(e.g. Arista 7280R) just wasn't there /before/ their acquisition. Again,
if that's changed it would be a fine software suite to investigate.

Regards,

-- 
Tom


Re: Mellanox / Cumulus

2020-11-04 Thread Tom Hill
On 04/11/2020 16:02, aar...@gvtc.com wrote:
> One of my CDN caching providers sent a Mellanox SN2700 with their
> servers.  Seems to be running well.  They manage them, I just give
> them rack, power, and a couple 10 gig links into my core


At this point, we may descend into a "what does SP mean" debate, but I
am not at all surprised that CDN providers would like the Spectrum
ASICs: they're excellent at pushing lots of bits, quickly.

Because they lack buffer-laden features (by design) a lot of SPs - say,
access ISPs - will stop and say, "What? This is a DC switch!"

-- 
Tom


Re: CGNAT

2021-02-19 Thread Tom Hill
On 19/02/2021 20:11, Tony Wicks wrote:
> Because then a large part of the Internet won't work

Hey, look on the bright side: customers won't be able to use Twitter to
complain! :D

Ofc, IPv4aaS has many good success stories out there; Sky Italia are
running MAP-T, many, many mobile ISPs are running 464XLAT with great
success.

We're in a situation where making IPv6 a *prerequisite* of your IPv4
connectivity can realistically improve your margins when some sort of
CGNAT gateway is a requirement.

Yes it requires looking at your CPE support, but if you're doing even
00,000's of subs, I'm sure the benefits aren't trivial when viewed
through the lens of the number of connections that a single Chrome tab
can happily chew through.

-- 
Tom


Re: Famous operational issues

2021-02-19 Thread Tom Hill
On 16/02/2021 22:08, Jared Mauch wrote:
> I was thinking about how we need a war stories nanog track. My favorite was 
> being on call when the router was stolen. 

Enough time has (probably) elapsed since my escapades in a small data
centre in Manchester. The RFO was ten pages long, and I don't want to
spoil the ending, but ... I later discovered that Cumulus' then VP of
Engineering had elevated me to a veritable 'Hall of Infamy' for the
support ticket attached to that particular tale.

One day I'll be able to buy the guy that handled it a *lot* of whisky.
He deserved it.

-- 
Tom


Re: DPDK and energy efficiency

2021-03-05 Thread Tom Hill
On 04/03/2021 18:20, Etienne-Victor Depasquale wrote:
> *SECTION 2: Survey results*

I don't see the embedded images, and there's no way to show them inline.
For the sake of simplicity/sharing, are these results presented anywhere
on a web page? :)

Regards,

-- 
Tom


Re: DPDK and energy efficiency

2021-03-05 Thread Tom Hill
On 05/03/2021 00:26, Eric Kuhnke wrote:
> A great deal of this discussion could be resolved by the use of a $20
> in-line 120VAC watt meter [1] plugged into something as simple as a $500
> 1U server with some of the DPDK-enabled network cards connected to its
> PCI-E bus, running DANOS.

I'm fairly sure Etienne-Victor's email made specific reference to
wattage measurements in both [2] and [3]. It would be fair to assume
that the authors of those (IEEE) papers understood that you could
measure wattage at the wall socket, before embarking on a paper
regarding power efficiency.

> Characterizing the idle load, average usage load, and absolute maximum
> wattage load of an x86-64 platform is excessively difficult or complicated.

It really isn't, particularly when the high figure is 400% of the low
figure. You don't need milliwatt precision to see that your CPU is
wasting power while not actually forwarding any packets.

-- 
Tom


Re: "Tactical" /24 announcements

2021-08-11 Thread Tom Hill
On 10/08/2021 12:31, Mark Tinka wrote:
> Been waiting for the day when /27's, /28's and /29's are going to make
> it into the DFZ, as was promised 5 or more years ago :-).


2914 permit you to leak prefixes as specific as a /28 between your own
ports with them. Someone once referred to it as a 'sneaky backhaul', I
believe. Given that there's no default in 2914, I guess that counts? :D

-- 

I'm really not being serious. A nice feature by NTT, but please let's
never make it OK to populate the _actual_ DFZ with an IPv4 prefix
greater than a /24.

-- 
Tom


Re: "Tactical" /24 announcements

2021-08-11 Thread Tom Hill
On 10/08/2021 07:15, Lukas Tribus wrote:
>> Are there any big networks that drop or penalize announcements like this?
> It's possible you could get your peering request denied for this. I
> have put *reasonable* prefix aggregation into peering requirements for
> some years now. If you are a small eyeball network with 8192 IP
> addresses and originate 32 /24's, that is *not* reasonable.

It is quite an issue when a network tries to programmatically filter-out
the /24 more-specifics advertisements made from an allocated, e.g., /20.

Such anti-disaggregation/save-my-TCAM efforts really do not work, and
will spawn all manner of support tickets. I'm saying this in the hope
that it may prevent someone from reading this thread and concluding that
it may be a good idea to try. It is not.

Speaking to your peers is good, as I think you're encouraging there. I
would of course default to asking them if they've read from the Good
Book of RPKI. :)

I also often find that very outdated "Good Security Practice" is as much
to blame for this as anything else, and so when we do talk to our peers
and/or customers, we should always be asking the question: "who told you
this was a good idea?"

-- 
Tom


Re: "Tactical" /24 announcements

2021-08-12 Thread Tom Hill
On 11/08/2021 14:09, Jon Lewis wrote:
> What sort of hands-on experience is this opinion based on?

Having an upstream provider that did it, in a very aggressive fashion.


> I've done this manually in the past (quite some time ago), and done
> properly, it works fine.
> 
> At least one major network hardware vendor has implemented it as a
> feature.  Turn it on, and the "deaggregates" with same next-hop as an
> aggregate are not programmed into the FIB.  The savings will vary
> depending on the device's connectivity, but I've seen >40%.


Limiting the pruning to cases with the same next-hop does indeed sound
like it would be safer than what I've seen done in the past.

Doing this with per-peer prefix-lists would not (certainly not in
classic IOS) provide you with the ability to compare the next-hop before
rejecting those more-specific prefixes, and likely why the attempts to
do this caused the problems that I'm referring to.

I'm glad to hear a vendor has implemented a useful knob. Which vendor?

-- 
Tom


Re: "Tactical" /24 announcements

2021-08-12 Thread Tom Hill
On 12/08/2021 18:09, Jon Lewis wrote:
>> 
>> Having an upstream provider that did it, in a very aggressive
>> fashion.
> 
> Odds are, they did it wrong, and you had no control and limited, if
> any, visibility into what they did.  Obviously, if you're going to
> blindly filter routes based on prefix-length, you need to point
> default at something that doesn't...and if you're acting as a transit
> provider, you're likely no longer able to provide "full routes" to
> customers from devices doing this or fed the "not so full table" from
> devices doing it.


Yes. This is precisely why I wrote my initial email, and perhaps I
wasn't specific enough, but it was a fairly generic warning against
"bright ideas" that don't include the proper scrutiny (or _do_ include
unnecessary amounts of arrogance).


> Arista.  They call it FIB compression.  They mention it's a
> trade-off, more memory and CPU utilization (keeping track of things)
> in exchange for being able to keep hardware that might otherwise be
> out of FIB space able to cope with full tables.

Ah, thank you, noted.

-- 
Tom
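An added illustration of the distinction drawn in the two posts above; it is not code from the thread and not Arista's implementation. The RIB, the RFC 1918 prefixes and the peer names are constructed. It compares blindly dropping every covered more-specific with suppressing one only when its longest installed covering prefix has the same next hop, then checks the forwarding result for every address.

```python
import ipaddress

# Constructed RIB (prefix -> next hop); prefixes and peer names are illustrative only.
RIB = {
    "10.20.0.0/20": "peer-A",     # the aggregate
    "10.20.1.0/24": "peer-A",     # redundant: same next hop as the aggregate
    "10.20.2.0/24": "peer-B",     # traffic engineering: different next hop
    "10.20.2.128/25": "peer-A",   # nested under the peer-B /24, so NOT redundant
    "10.20.3.0/24": "peer-B",
    "10.20.4.0/24": "peer-A",     # redundant
    "10.20.5.0/24": "peer-A",     # redundant
    "10.30.5.0/24": "peer-C",     # no covering aggregate at all
}


def parse(table):
    """Turn the string-keyed table into {IPv4Network: next_hop}."""
    return {ipaddress.ip_network(p): nh for p, nh in table.items()}


def lookup(fib, addr):
    """Longest-prefix match; returns the next hop, or None if unrouted."""
    best = None
    for net, nh in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def covering_entry(fib, net):
    """Longest strict supernet of net present in fib, as (network, next_hop)."""
    best = None
    for cand, nh in fib.items():
        if cand != net and net.subnet_of(cand):
            if best is None or cand.prefixlen > best[0].prefixlen:
                best = (cand, nh)
    return best


def blind_filter(rib):
    """Drop every prefix that has any covering prefix, ignoring next hops."""
    return {n: nh for n, nh in rib.items() if covering_entry(rib, n) is None}


def compress(rib):
    """Install shortest prefixes first; skip a more-specific only when its
    longest already-installed cover forwards to the same next hop."""
    fib = {}
    for net in sorted(rib, key=lambda n: n.prefixlen):
        cover = covering_entry(fib, net)
        if cover is None or cover[1] != rib[net]:
            fib[net] = rib[net]
    return fib


def misrouted(rib, fib):
    """Addresses covered by the RIB whose next hop changes when using fib."""
    addrs = {a for net in rib for a in net}
    return sorted(a for a in addrs if lookup(rib, a) != lookup(fib, a))


if __name__ == "__main__":
    rib = parse(RIB)
    for name, fib in (("blind filter", blind_filter(rib)),
                      ("next-hop-aware", compress(rib))):
        print(f"{name}: {len(fib)}/{len(rib)} entries installed, "
              f"{len(misrouted(rib, fib))} addresses misrouted")
```

This is simple suppression rather than an optimal aggregation algorithm; the point is that the next-hop comparison is what keeps forwarding identical to the full table.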


Re: FYI - Suspension of Cogent access to ARIN Whois

2020-01-09 Thread Tom Hill
On 08/01/2020 13:53, Joe Provo wrote:
>> This is a disproportionate response IMHO. $0.02
>>
>> YMMV,
>  
> And mine certainly does. Well over a decade of documented 
> misbehavior with requests for them to cease certainly makes
> this an appropriate response. I will always applaud an 
> organization enforcing its anti-abuse policies. 
> 
> Similarly, Cogent has been banned from peeringdb multiple 
> times for the exact same behavior.  Repeated warnings had
> no impact and without the bans, the behavior was not adjusted.


Quite.

The root cause isn't even the /fault/ of the individual sales personnel,
who may or may not be inconvenienced by ARIN's actions. Their
management (and likely, *their* directors/VPs) need to see what their
sanctioned behaviour, and/or demands placed upon their employees in
those sales functions, does to the company's reputation in the industry,
and ultimately their bottom line.

ARIN has tried the carrot, and this is the stick. One of the thinnest
sticks that they could have used, I'd add.

Will Cogent stop pestering the community with illicitly harvested
contact information? Will they switch to more nefarious tactics? Who
knows... Everyone likes having money, after all.

-- 
Tom



Re: FYI - Suspension of Cogent access to ARIN Whois

2020-01-10 Thread Tom Hill
On 09/01/2020 17:09, Rubens Kuhl wrote:
> But at least Cogent is not a security and/or anti-spam vendor (or is
> it?). A security services company (iThreat) spammed all IANA gTLD
> contacts this week, with the ever lasting excuse of "it's opt-out". 


Everlasting, unless you're operating under the purview of the GDPR (i.e.
emailing long-distance[1]).


-- 
Tom

[1] http://bash.org/?142934


Re: CISCO 0-day exploits

2020-02-10 Thread Tom Hill
On 10/02/2020 13:40, Saku Ytti wrote:
> There are various L3 packet of deaths where existing infra can be
> crashed with single packet, almost everyone has no or ridiculously
> broken iACL and control-plane protection, yet business does not seem
> to suffer from it.


The cynic in me would suggest that we haven't had a World War in a
while; business is far too good.

-- 
Tom


Re: CISCO 0-day exploits

2020-02-10 Thread Tom Hill
On 10/02/2020 18:13, Scott Weeks wrote:
> Just because you use cisco devices doesn't mean you have to use 
> their proprietary protocols, such as EIGRP or CDP.  OSPF or LLDP
> work just fine and interoperate with other vendors... :)


The CDPwn vulnerability covers similar vulnerabilities in LLDP, and does
indeed demonstrate that network segmentation (i.e. "dude it's just L2")
is not the last word in mitigating against said vulnerabilities.

You ought to all be far more concerned, IMO.

-- 
Tom


Re: QUIC traffic throttled on AT&T residential

2020-03-02 Thread Tom Hill
On 21/02/2020 23:37, Owen DeLong wrote:
> What’s next? Why not simply eliminate port numbers altogether in favor
> of a single 16-bit client-side unique session identifier.


I see what you did there.

-- 
Tom


Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies

2020-03-26 Thread Tom Hill
On 26/03/2020 02:05, JASON BOTHE via NANOG wrote:
> Excellent work. I’m curious to know how many of the big ASs are
> participating to date. If you or anyone on the list knows if this is
> published please let me know.


I am deeply upset that there isn't yet a Wikipedia article entitled,
"List of BGP networks implementing RPKI"... :)

If we can have nerdy lists of GPUs and CPUs, this must be valid also?

-- 
Tom


Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies

2020-03-26 Thread Tom Hill
On 26/03/2020 10:39, Brandon Butterworth wrote:
> What are you waiting for, someone to say make it so?


I knew someone would come back with the smartarse response ;)

I'm certainly not the authority on this, and I'm not tracking the
deployments with any great detail.

I'm happy to suggest where we could best host this information, however!

-- 
Tom


Re: Traffic destined for 100.114.128.0/24

2020-04-09 Thread Tom Hill
On 08/04/2020 19:42, Drew Weaver wrote:
> I’ve noticed over the past couple of weeks that some hosts on a network
> I manage appear to be trying to reach hosts in this network 100.114.128.0/24
> 

Short answer: filter 100.64.0.0/10 from your upstreams, as you would
192.168.0.0/16 or 10.0.0.0/8.

Longer answers will no doubt be available. :)

-- 
Tom


Re: Devil's Advocate - Segment Routing, Why?

2020-06-17 Thread Tom Hill
On 17/06/2020 18:38, Saku Ytti wrote:
>> Why do we really need SR? Be it SR-MPLS or SRv6 or SRv6+?
> I don't like this, SR-MPLS and SRv6 are just utterly different things
> to me, and no answer meaningfully applies to both.
> 
> I would ask, why do we need LDP, why not use IGP to carry labels?
> 
> Less state, protocols, SLOC, cost, bug surface
> 
> And we get more features to boot, with LDP if you want LFA, you need
> to form tLDP to every Q-space node, on top of your normal LDP, because
> you don't know label view from anyone else but yourself. With SR by
> nature you know the label view for everyone, thus you have full LFA
> coverage for free, by-design.
> Also by-design IGP/LDP Sync.
> 
> So no need to justify it by any magic new things, it's just a lot
> simpler than LDP, you don't need to need new things to justify
> SR-MPLS, you need to want to do existing things while reducing
> complexity and state.


Unsurprisingly, there would be no way on Earth that I could have said
that better, so you shall find only loud cheering from over here.

-- 
Tom


Re: BFD for long haul circuit

2020-07-17 Thread Tom Hill
On 17/07/2020 10:57, Mark Tinka wrote:
> I suppose a lot of customers go for it because they need an Ethernet
> service slower than 1Gbps, and 1Gbps via a DWDM service is pricier.
> 
> Where I've seen it be popular is in intercontinental circuits that
> customers want in order to test a market with as little exposure as
> possible.


The differentiation is: consumer vs. service provider.

If you're a service provider, don't buy a consumer product and hope to
sell it on at a similar (or higher) SLA rate to other consumers; that
way lies ruin.

-- 
Tom


Re: BFD for long haul circuit

2020-07-17 Thread Tom Hill
On 17/07/2020 16:40, Mark Tinka wrote:
> I don't know of "Consumers" that buy l2vpn's. Most consumers usually go
> for ADSL, FTTH or 4G... all carrying IP :-).
> 
> We have several customers that buy EoMPLS circuits from us both within
> and outside of countries, and between continents. The reasons vary, but
> safe to say they've been happy.

Yes, I rather think that you've drawn comparison to "consumer" as being
in a home somewhere.

Someone that consumes a circuit, and someone that provides the service
(or resells one). A business customer is a consumer in that case - I
won't discriminate against what use someone has for wanting to consume
bandwidth between countries, but I do think the specificity here is in
whether you intend to just use it, or resell it, and that's where the
difference comes in relation to Robert's point.

-- 
Tom


Re: MAP-T in production

2020-07-24 Thread Tom Hill
On 22/07/2020 22:15, Brian Johnson wrote:
> Has anyone implemented a MAP-T solution in production? I am looking
> for feedback on this as a deployment strategy for an IPv6 only core
> design. My concern is MAP-T CE stability and overhead on the network.
> The BR will have to do overloaded NAT anyway to access IPv4 only
> resources. The idea being that when IPv4 is no longer needed, this
> will be a quicker “clean-up” project than a dual-stack solution.

Richard Patterson did a talk about Sky Italia's 'greenfield' build at
UKNOF45, earlier this year: https://www.youtube.com/watch?v=9Cg3dLR95wY

Lots of interesting stuff in there, but the pertinent broadband
termination parts - which go on to mentioning MAP-T - start at ~15:00.

Regards,

-- 
Tom


Re: Internet Providers in 111 8th Ave, NYC

2020-07-24 Thread Tom Hill
On 24/07/2020 14:45, J. Hellenthal via NANOG wrote:
> This might be of assistance….


No, it'll force you to sign-up/sign-in before providing any "assistance".

-- 
Tom


Re: Internet Providers in 111 8th Ave, NYC

2020-07-24 Thread Tom Hill
On 24/07/2020 15:16, Mike Hammett wrote:
> and?
> 

Meh. I haven't got the energy.

But generally speaking, if you're going to harvest personal data, be
more honest about it.


-- 
Tom


Re: Internet Providers in 111 8th Ave, NYC

2020-07-24 Thread Tom Hill
On 24/07/2020 15:32, Mehmet Akcin wrote:
> No harvesting of personal data.
> 
> This was a requirement for us to prevent spam  when requesting quotes
> from partner networks. 

So your partners demand that you store and process my personal data
(anything that can be used to identify an individual) just for me to use
the site, even if I never intend on requesting any quotes?

There's also no option to use the unrestricted features without
constantly being directed to the sign-up page. How is that anything but
harvesting personal data? It's definitely annoying, if nothing else.

You may think you're doing the right thing, but if you're not explicit
about any of these requirements, no-one else has any idea why they're
being *forced* to sign-up to something. From the outside it looks like a
pretty cheeky way of building a database of persons interested in this
sort of thing.

My consultation fees are sizeable, and I expect them to be settled
exclusively in single malt.

-- 
Tom


Re: Internet Providers in 111 8th Ave, NYC

2020-07-24 Thread Tom Hill
On 24/07/2020 15:58, Mehmet Akcin wrote:
> Infrapedia is 100% free , all code open source, platform made for
> engineers by engineers. 
> https://github.com/infrapedia
> 
> I am sure there are lots of room to improve. I appreciate everyone
> supporting it. If you want to look at the code and help implement a way
> to block spam bots, without overloading the system, I would be
> interested to help.
> 
> No we will never share email, name, etc. 
> 

Be more up-front then. Every opinion I've expressed has been from
opening the URL from the link and not liking what has happened when I've
tried to use the site.

As it stands this does not look like a good-for-the-Internet website
("for engineers by engineers") in the same vein as Wikipedia, PeeringDB,
etc., and it's less functional than the other cable maps because of the
forced redirects.

It looks (and sounds from this thread) like a way to net some referral
bank on inquiries to these "partners", who also apparently dictate how
you structure the site, and how you collect personal data.

-- 
Tom


Re: Internet Providers in 111 8th Ave, NYC

2020-07-24 Thread Tom Hill
On 24/07/2020 15:54, Clayton Zekelman wrote:
> If you want to post to this list asking for help, then refusing the
> help you get because you don't have the energy or inclination to use
> one of the suggestions, then move on.
>
> I'd suggest that you switch from single malt to decaf.


I'd suggest that you read the thread a little more closely.

(...and who goes full decaf when giving up single malt? 0_o)

-- 
Tom


Re: 00:aa:bb:01:23:45

2020-08-24 Thread Tom Hill
On 20/08/2020 09:53, Baldur Norddahl wrote:
> 
> By accident I noticed several of my VPLS instances have
> 00:aa:bb:01:23:45 in the MAC table. We never sent anything just received
> a little traffic from that. Obviously not a real MAC address so I tried
> to search Google for it. I find several hits with apparently ADSL users
> doing pppd (which we do not have).
> 
> Anyone have any idea what this could be?

I do not - but I would isolate the port(s) it's coming from, and pick on
your favourite customer out of the bunch & simply ask them what they
have connected. Given that anyone can pick their own MAC addresses/spoof
MAC addresses, the fastest resolution to this mystery will likely be to
just ask.

Let us know what you find out! :)

-- 
Tom


Re: Ipv6 help

2020-08-25 Thread Tom Hill
On 25/08/2020 17:13, Mark Tinka wrote:
> If only CPE's could run Android, or Windows :-).

I'd wager that a lot of them already build upon a Linux kernel of some
flavour. Tore (et al) wrote a CLAT for Linux that builds upon TAYGA's
NAT64 functionality:  https://github.com/toreanderson/clatd

-- 
Tom


Re: IP addresses on subnet edge (/24)

2020-09-14 Thread Tom Hill
On 14/09/2020 22:25, Andrey Khomyakov wrote:
> TL;DR I suspect there are middle boxes that don't like IPs ending in
> .255. Anyone seen that?

Yes, but not for many, MANY years. I would expect that this service
might not like addresses ending in .0 either?

It was ca. 2010, when I started receiving an increasing number of
complaints that connections from addresses ending in .0 or .255 were
failing toward my (at the time) hosted services. This behaviour was
eventually* narrowed to iptables rules carelessly included with 'Atomic
Secured Linux' that purposely blackholed connections if the source
address' most specific octet happened to contain .0 or .255.

I'm sure that 'ASL' wasn't the only piece of software to have shipped
with this default behaviour, so should you discover any box of any sort,
configuration (or age) blindly hampering the connectivity for addresses
with all-1s or all-0s in any of the three most-specific octets, please
take this as infallible permission to promptly introduce it to the
nearest body of water. :)

* I still have AAISP - my home ISP at the time - to thank for routing me
a /30 with a .255 address in it! It wouldn't have been as easy to
resolve without that - very few UK consumers were being assigned
addresses with .255 in them at the time.

-- 
Tom


Re: SPAM: Re: Cogent emails

2020-09-14 Thread Tom Hill
On 14/09/2020 18:13, Simon Lockhart wrote:
> We gave in and just bought a small amount of transit from them.

Aha! You're the reason they don't stop! :p

-- 
Tom


Re: SRv6

2020-09-15 Thread Tom Hill
On 15/09/2020 18:00, aar...@gvtc.com wrote:
> And with this v6 SID being smartly divided into
> Locator:Function(Argument), I'm reading that this will carry with it
> much more functionality as well, like network programmability,
> application-to-network interaction or something like that.


"smartly divided"... Did someone else prepare these words for you? ;)

-- 
Tom


Re: SRv6

2020-09-16 Thread Tom Hill
On 16/09/2020 01:31, aar...@gvtc.com wrote:
> then, yes, I may have and didn't know it.  Hey, was it you? LOL


Very unlikely. You may do well to peruse some of the objections to the
network-programming draft in the SPRING WG. There are many. :)

-- 
Tom


Re: CenturyLink -> Lumen

2020-09-16 Thread Tom Hill
On 16/09/2020 11:18, Matt Hoppes wrote:
> Quantum Fiber?  Sounds like a misbranding. I highly doubt they are using
> Quantum technology. 


Very prescient for when it becomes commercially possible though, eh? :)

-- 
Tom


Re: SRv6

2020-09-21 Thread Tom Hill
On 19/09/2020 03:23, Randy Bush wrote:
> i know you truly believe the tunnel k00laid.  the security
> community does not.

At this point, I'm beginning to think that you're trolling us with the
assertion(s) that the 'P' in "Virtual Private Network" has obviously
meant "Privacy" all along, and/or that - as of 2020 - the only suitable
definition of "Private", must now equal "suitably secure".

If you aren't just winding everyone up, then I would say that you're
skirting rather close to the reimagining of SD-WAN. That, or you are
haphazardly musing in a direction that ensures "Encrypted SRv6" will
become the next gigantic pain^Wdraft for the SPRING WG to endur^Wdebate.

One thing that is true: not all present or historical definitions (or
acceptable uses) of the word "private" strictly imply or infer privacy.
One may prefer an alternate history, but you may find more success in
expelling that energy in pursuit of creating a better future.

See/also:

"broadband"
"software defined networks"
"the cloud"

-- 
Tom


Re: SRv6

2020-09-21 Thread Tom Hill
On 21/09/2020 19:38, Randy Bush wrote:
> newspeak -- 1984

colloquialism
/kəˈləʊkwɪəlɪz(ə)m/

noun: a word or phrase that is not formal or literary and is used in
ordinary or familiar conversation.


-- 
Tom


Re: IPv4 Mismanagement

2020-10-05 Thread Tom Hill
On 04/10/2020 02:17, Wayne Bouchard wrote:
> Groups that have such things I can only presume do not do a good job
> of periodically going through and auditing their IP allocations or, if
> they do, then they don't do a good enough job of cleaning up all the
> details.

It is a long-winded, laborious, thankless task (well, mostly thankless)
and we should be writing software to do it for us. Of course, we all
know how bad everyone is at that, ergo it isn't often done.

On the other hand, perhaps these ISPs are worried that they might be
audited by an RIR?

-- 
Tom


Re: S.Korea broadband firm sues Netflix after traffic surge

2021-10-01 Thread Tom Hill
On 01/10/2021 17:05, Laura Smith via NANOG wrote:
> - $certain_large_cdn publishes routes on route server ? Nope.

Many (most?) route servers provide little control over who your routes
are advertised toward. This can be fun where DDoS is concerned.

I've used some that did have deny-list controls for ASNs, fail to
consistently apply those rules. Again, that was a 'fun' surprise.

> - $certain_large_cdn willing to establish direct peering session ? Nope.

There is a non-zero cost to peering. Many CDNs are happy to send cache
boxes/setup peering sessions for small peers, but their definition of
"small" will no doubt vary between CDNs, based on their perspective &
business costs. Some networks may fall well below each individual
network's thresholds, and indeed some networks may have different
thresholds between countries.

It's never as simple as "why don't you peer???"

Regards,

-- 
Tom


Re: PowerSwitch S4100 (S4148-ON) chipset

2021-10-20 Thread Tom Hill
On 19/10/2021 14:50, Tim Jackson wrote:
> It's a lower bandwidth Trident2+ with some different I/O options iirc.
> Same featureset, but a mix of 10G and 25G serdes, targeted at like
> 48x10g+4x100G boxes.

That was my understanding of Maverick... For some reason there's
something in my head that said Extreme had one. Was it the X450-G2?

-- 
Tom


Re: PowerSwitch S4100 (S4148-ON) chipset

2021-10-20 Thread Tom Hill
On 20/10/2021 16:50, Tom Hill wrote:
> On 19/10/2021 14:50, Tim Jackson wrote:
>> It's a lower bandwidth Trident2+ with some different I/O options iirc.
>> Same featureset, but a mix of 10G and 25G serdes, targeted at like
>> 48x10g+4x100G boxes.
> 
> That was my understanding of Maverick... For some reason there's
> something in my head that said Extreme had one. Was it the X450-G2?
> 

Also, worth keeping the Cumulus HCL handy for the older BRCM chipset
references. :)

https://www.nvidia.com/en-us/networking/ethernet-switching/hardware-compatibility-list/

(Filter by ASIC, et voila.)

-- 
Tom


Re: IPv6 and CDN's

2021-10-26 Thread Tom Hill
On 22/10/2021 17:08, t...@pelican.org wrote:
> I don't think it'll ever make money, but I think it will reduce
> costs.  CGNAT boxes cost money, operating them costs money, dealing
> with the support fallout from them costs money.  Especially in the
> residential space, where essentially if the customer calls you, ever,
> you just blew years' worth of margin.

There aren't enough folk thinking along these lines, so thank you for
writing it.

Every flow you can route exclusively with 6, is one flow you aren't
having to pay extra for so it can sit in a CGNAT state table.

... And that's before they call you, as Tim also rightly points out.

-- 
Tom


Re: AWS and IPv6

2021-12-14 Thread Tom Hill
On 29/11/2021 02:23, William Herrin wrote:
> This technique does in fact work for IPv6, allowing you to insert a
> firewall at the edge. Interestingly though, it won't receive IPv6
> packets for an address that isn't attached to a running instance in
> the interior subnet.

That sounds remarkably sensible given that the AWS customer base will be
dipping their toes into the world of IPv6 very cautiously.

(No good for a honeypot, but we have many other means for that.)

-- 
Tom


Re: Class D addresses? was: Redploying most of 127/8 as unicast public

2021-12-14 Thread Tom Hill
On 20/11/2021 19:59, Michael Thomas wrote:
> but starving the beast doesn't have a great track record. We are talking
> about 20% of the address space that's being wasted so it's not nothing.

Starving the beast is actively working to make IPv4 cost-prohibitive. I
only wish those whom Jay refers to, had fewer addresses to buy & sell -
definitely not more.

There are ~4.3B addresses in the entire 32-bit IPv4 space, and there are
~4.3B /64s in every IPv6 /32.

The D/E IPv4 space would make speculators rich, nothing else of note.

-- 
Tom


Re: CC: s to Non List Members (was Re: 202203080924.AYC Re: 202203071610.AYC Re: Making Use of 240/4 NetBlock)

2022-03-09 Thread Tom Hill

On 09/03/2022 00:25, Tom Beecher wrote:
> The only way IPv6 will ever be ubiquitous is if there comes a time where
> there is some forcing event that requires it to be.


In about two years' time, IPv4 addresses will be worth on the order of 
$100/IP, assuming current trends hold.


That's a lot of revenue in leasing IPv4 to the business customers that 
refuse to think about IPv6 because $reason.


It's also a lot of unit cost to add to a consumer-grade service, where 
your margins are distastefully thin already (well, in some markets) and 
set to get thinner when you need to buy a swathe of CGNAT boxes to keep 
routing IPv4.


Even at today's dollar price, this dilemma holds true, but I largely 
suspect that there are too few fixed-line ISPs that have been forced 
into CGNAT yet - the more that are, the more will wonder why they're 
buying so many of them.


--
Tom


Re: V6 still not supported

2022-03-09 Thread Tom Hill

Loose translation:

On 09/03/2022 22:46, Andy Ringsmuth wrote:
> “We’re working on it.” they say.

"There is only 1.5 of us; we're overworked and underpaid and this allows 
us to postpone this workstream for a while."

> “We’re waiting for wider adoption.” they say.

"Not enough of you are complaining about the lack of IPv6, but we're 
still pushing 8.8.8.8 as our resolver so we have to fix that first."

> “We’re waiting for our upstream to support it.” they say (and HE is their
> upstream).

"Our BGP edge router is a 7600 pieced together from several eBay 
purchases, and might blow up if we add the IPv6 DFZ."



The first one is all-too-common where I live, too. Fake it until you 
make it is rife. Getting fibre into the ground - past as many homes as 
possible - is the sole priority.


--
Tom


Re: 10 Do's + Don'ts for Visiting Québec + Register Now for N85!

2022-05-08 Thread Tom Hill

On 08/05/2022 15:28, Laura Smith via NANOG wrote:
> but poutine most certainly is not. A culinary abomination that deserves to be
> confined to the history books.


It is but the refined variant of 'cheesy chips & [british] gravy' and 
no-one will convince me otherwise, especially at 3am following four 
hours of swearing, sweating and more swearing in a data centre.


Poutine uber alles.

--
Tom


Re: [External] Open source tool for network map visualization

2022-05-30 Thread Tom Hill

On 27/05/2022 14:32, Tom Krenn via NANOG wrote:
> A little simple, but maybe Network Weathermap?
>
> https://www.network-weathermap.com/


With some tuning of your variables, it's really easy to automate a very 
useful topographical network diagram from practically any source of 
data. You do need to make sure that you think about that topography, 
however. Do you care about individual links in a LAG? Or could you 
aggregate those into a single link, with a click URL that 'drills down' 
to another specific map for that router/data centre/metro?


My only bugbear would be that there's no 'easy' way to overlay it on a 
world map *and* have the fidelity needed to view it all at a distance 
(like on a NOC screen). The choices above would only go so far, and 
you'd eventually find yourself with a lot of screens in the NOC just for 
maps.


Something like a Google Earth overlay would be wonderful, but I never 
found myself capable and/or with sufficient time to make that real. 
Other (commercial) products have no doubt done something like that.


--
Tom


Re: bfd & IPv6 on Cisco 4948E-E / IOS 15.2

2023-06-07 Thread Tom Hill

On 07/06/2023 04:13, Jason Canady wrote:
> Using this on the interface of each switch:
>
>   ospfv3 1 bfd
>   ospfv3 1 ipv6 area 0
>   ospfv3 1 ipv6 bfd
>   bfd interval 500 min_rx 500 multiplier 40
>
> #show bfd neighbors details
> IPv6 Sessions
> NeighAddr  LD/RD RH/RS State Int
> FE80::A2EC:F9FF:FE2B:B33F  68/0  Down Down  Te1/52
> Session Host: Software
> OurAddr: FE80::BA38:61FF:FE65:20BF


There's literally one command here in the docs, and it doesn't look like 
you're using it. You are using one that isn't documented, too. Woo!


https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-15-e-book/ip6-route-ospfv3.html

I'd suggest taking the 'ospfv3 1 ipv6 bfd' command out and seeing if
that still gives you an IPv6 session attempt? If in doubt, add the
'all-interfaces' to 'ospfv3 1 bfd' & look again.


Old IOS and old hardware. Great gear at the time, but I can't imagine 
anyone at Cisco will be interested in fixing it if it's not quite 
working right.


The only other thing I'd be interested to know is if you can specify a 
pair of static link-local neighbour addresses under 'ospfv3 1 ipv6 bfd 
...'?  Something like fe80::1 and fe80::2? As opposed to relying on 
autoconf addresses.


--
Tom



Re: Incoming SSDP UDP 1900 filtering

2019-03-25 Thread Tom Hill
On 25/03/2019 09:17, Sean Donelan wrote:
> Its always a bad idea to do packet filtering at your bgp border.


Wild assertion. Why?

DoS mitigation, iACLs, BGP security... I can think of lots of very
sensible reasons.

-- 
Tom


Re: Flexible OTN / fractional 100GbE

2019-05-29 Thread Tom Hill
On 28/05/2019 11:41, Jérôme Nicolle wrote:
> I'm looking for a muxponder that would take OTU4s on the network side
> and provide 10/40/100GbE on the client side, with some kind of
> oversubscription, as to provide a "fractional 100GbE" e.g. starting with
> 30-60Gbps commit that could be upgraded to 100GbE when network capacity
> is available.

When I was looking at something like this, this time last year, I got as
far as Packet Light:


https://www.packetlight.com/products/100g-200g-dwdm-transport/200g-single-wavelength-muxponder

A big part of my usecase was reselling the spare capacity, so I really
didn't want anything learning MACs at either end. :)


> I've read that Broadcom's StrataDNX (Qumran / Jericho) chips have OTN
> support in addition to ethernet now, is there some vendor who leverages
> this, preferably with OCP gear ?


Unsure about those product lines, but I believe the Facebook (Adva?)
"Voyager" fits the 'open' bill. Here's a PDF specific to running Cumulus
on it:

  https://cumulusnetworks.com/documents/553/2018-03-07_DS_Voyager.pdf

HTH,

-- 
Tom


Re: Flexible OTN / fractional 100GbE

2019-05-29 Thread Tom Hill
On 29/05/2019 15:09, Jérôme Nicolle wrote:
> I don't find what I need there. I just want to plug an OTU4 uplink in a
> standard QSFP28 port, no fancy photonics are required, and benefit from
> inband monitoring and management, FEC and trafic isolation.
> 
> It would idealy be represented in ONL or Cumulus as a new type of
> interfaces, with OSC and every muxponded ODU as sub-interfaces, and a
> new type of bridge to patch them to other ODUs or map them to ethernet
> service ports… Every sub-if having SNMP OIDs for load, FEC reporting and
> latency measurement.
> 
> I hope it's a bit more clear now ?


Very clear. If you do find this veritable moon-on-a-stick device, please
do let me know.

Asking PacketLight to fix their software might not be a bad start, or
perhaps asking their competition if they can do better (see Infinera,
Coriant, Adva, Ciena, etc.)

Regards,

-- 
Tom


Re: Abuse from Vodaphone AS30722

2019-07-25 Thread Tom Hill
On 25/07/2019 14:37, John Von Essen wrote:
> We are experiencing a massive DDoS from three Vodafone /16’s. The DDoS
> is spread throughout the entire range.

You say *Distributed*, from that I would expect that this traffic is
ingressing at multiple locations in your network?

I'd be surprised if Vodafone's domestic Italian network would spread
traffic to your ASN over multiple paths, and so if it is coming in from
multiple ingress points, you're probably looking at spoofed-source traffic.

-- 
Tom


Re: UK, NL, & Asia LTE Providers for Opengear Console Servers

2019-08-01 Thread Tom Hill
On 01/08/2019 03:19, Mehmet Akcin wrote:
> Google Fi

Are you suggesting Fi because of:

"When outside the United States, cellular phone calls cost $0.20 per
minute, data costs the same $10 per gigabyte (i.e. there are no extra
data charges outside of the US), and texting is free."

Ergo, relative to the countries stated, permanently roaming?

I'd love to know if you've found that reliable - it seems too good to be
true.

-- 
Tom


Re: UK, NL, & Asia LTE Providers for Opengear Console Servers

2019-08-02 Thread Tom Hill
On 01/08/2019 15:14, Nick Olsen wrote:
> It roams on 3UK. And works fine. Albeit the LTE deployment isn't near as
> wide there as it is in the US. And you end up on HSDPA pretty frequently.

To this point, I've a Three contract here (UK). It has slightly been
frustrating recently, I'll admit.

It does look like they're aiming to address that, however. More
re-farming 3G frequencies to 4G, additional bands:

https://www.ispreview.co.uk/index.php/2019/08/three-uk-in-l-band-rollout-as-mobile-data-usage-per-user-hits-9-1gb.html

-- 
Tom


Re: Mx204 alternative

2019-08-08 Thread Tom Hill
On 08/08/2019 04:02, Mehmet Akcin wrote:
> 
> I am looking for some suggestions on alternatives to mx204. 
> 
> Any recommendations on something more affordable which can handle full
> routing tables from two providers?
> 
> Prefer Juniper but happy to look alternatives.
> Min 6-8 10G ports are required
> 1G support required


No-one has mentioned it yet, so for completeness big C have the ASR 9901
(not 9001) with traditional router bits in it.

A portion of the 10G ports on it are capable of 1/10G.

Regards,

-- 
Tom


Re: [j-nsp] MX10003 rack size

2019-08-08 Thread Tom Hill
On 07/08/2019 17:15, Anderson, Charles R wrote:
> 1000mm deep.  APC AR3100 racks are 600mm x 1070mm.  APC also makes
> 1200mm deep ones, and 750mm wide ones, and both together.

Unsure as to why this was cross-posted, but...

Many vendors do these sizes now. 600x1200 is rather useful when you have
meter-long servers and need to get four 0U PDUs in at the back. :)

Neatly fits on to common 600mm² footprints, too.

I quite liked 750mm APCs, but last I looked I recall that they've
shifted to 800mm wide now?

Instead of having to do 4x750 racks in 5x600 footprints to line them up,
you can now do 3x800 racks in 4x600 footprints. Fewer snowflake racks
messing up the rack/footprint alignment, and you get more room per rack.

-- 
Tom


Re: This DNS over HTTP thing

2019-10-01 Thread Tom Hill
On 01/10/2019 08:40, Stephane Bortzmeyer wrote:
> Note that the UK is probably the country in Europe with the biggest
> use of lying DNS resolvers for censorship. No wonder that the people
> who censor don't like anti-censorship techniques.


Do you have a (reputable) source to go with that claim? :)

-- 
Tom


Re: This DNS over HTTP thing

2019-10-03 Thread Tom Hill
On 02/10/2019 21:44, Masataka Ohta wrote:
> The Internet was working very well to suppress child porn by
> making video freely distributed, which made child porn industry
> a lot less profitable.


I will say this very clearly: abusing children for sexual gratification
doesn't stop when it is unprofitable.


> Freely distributed video also makes investigation of victims
> easier.


It also aids the normalisation of an entirely detestable practice.


> So, people who want to make money from child porn has been
> trying to have censorship of various degree.
> 
> In UK, they are very successful.


Sources, please. (Disclaimer: I'm in the UK.)

-- 
Tom


Re: This DNS over HTTP thing

2019-10-03 Thread Tom Hill
On 03/10/2019 12:11, Masataka Ohta wrote:
>> Sources, please. (Disclaimer: I'm in the UK.)
> 
> John Levine already mentioned "Internet Watch Foundation".


Sure, but the IWF was always intended to stop people accessing
paedophilia accidentally. It has always been well understood for there
to be many ways around that filtering. The IWF's more important role is
to identify these sources and to work with the authorities against them.

There's more here:

https://www.iwf.org.uk/what-we-do/why-we-exist/our-remit-and-vision



> So, people who want to make money from child porn has been
> trying to have censorship of various degree.
> 
> In UK, they are very successful. 


Importantly, and I am happy to accept this was simply a translation
issue, but what you said here with both paragraphs together, made it
look as if you were suggesting that in the UK we are very successful in
making money from child pornography *by censoring* child pornography?

-- 
Tom


Re: This DNS over HTTP thing

2019-10-03 Thread Tom Hill
On 03/10/2019 13:36, Masataka Ohta wrote:
>> It also aides the normalisation of an entirely detestable practice.
> 
> IWF does not aide so.


No, the normalisation of an entirely detestable practice comes from the
opposite of IWF involvement; you suggested that we should permit child
pornography on the Web/Internet, as opposed to censoring it? To catch
criminals, and to make it unprofitable?

I had stated that a lack of profit does not stop those inclined to abuse
children for sexual gratification, and also that doing absolutely
nothing to prohibit child pornography serves to normalise its existence.


>> look as if you were suggesting that in the UK we are very successful in
>> making money from child pornography *by censoring* child pornography?
> 
> "they" means those who are likely to be guests of Epstein.


Oh yes, I forgot that the possibility that one member of the Royal
Family sharing the alleged inclination of Epstein to abuse underage
children, made the whole United Kingdom a profiteering empire of child
pornography.

If you're going to call out the whole of the UK for something
defamatory, at the very least take the time to think about it without
your tinfoil hat. ;)

-- 
Tom


Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Tom Hill
On 18/11/2019 13:50, Mike Hammett wrote:
> I would like the list to know that not all targets attract such large
> attacks. I know many eyeball ISPs that encounter less than 10 gig
> attacks, which can be reasonably absorbed\mitigated. Online gamers
> looking to boot someone else from the game aren't generally committing
> >100 gigs of resources to an attack.


There are two very good reasons to use 'surgical' amounts of traffic in
attacks:

 1. Concealing the size of your botnet

 2. Reducing the damage to the end user's ISP, and thus reducing the
likelihood that they escalate the attack to the authorities (because
who's got the time to do that for an individual subscriber?)

The shift to "just enough to knock the customer off without killing the
whole network" happened around ~2015 in my capacity, at least.

-- 
Tom


Re: Arista Routing Solutions

2016-04-23 Thread Tom Hill
On 20/04/16 15:37, Colton Conor wrote:
> Can the Arista EOS software combine with their hardware based on the
> Broadcom Jericho chipset truly compete  with the custom chipsets and
> accompanying software from the big guys?

In broad strokes: for your money you're either getting port density, or
more features per port. The only difference here is that there's
suddenly more TCAM on the device, and I still don't see the above
changing too drastically.

If it works* for you, use it. :)


* Assuming that you've done your due diligence before purchasing, and
not just skim-read the vendor PDF.

-- 
Tom


Re: NCS5K?

2016-04-25 Thread Tom Hill
On 19/04/16 14:46, Chris Welti wrote:
> According to some slides from a russian cisco connect event, the 
> upcoming small-size NCS 5501 and NCS 5502 will support 1M+ FIB and
> 50ms per port buffers. Seem to be killer boxes. 48x100GE in 2RU with
> large FIB & buffers? Loving it already. I wonder what prices will
> look like for those.

I'd heard rumours... But those are interesting specifications. The
NCS5501 isn't too far away from the Arista 7280R, and is probably
Jericho underneath, too. But with a good MPLS stack, as is the case for
the other NCS devices.

Some might be thinking "9001 upgrade!" but it's more likely direct
competition to Arista's recent moves. That and I still hope there will
be a MOD200-ish 9001 replacement to come at some point.

Oh - and it's NCS 55k, not NCS 5k. The NCS 5508 is already a product,
noted for its better buffers than the NCS 5001 & 5002 (which also
already exist).

-- 
Tom


Re: NCS5K?

2016-04-26 Thread Tom Hill
On 26/04/16 15:02, Colton Conor wrote:
> Do you actually think that Cisco would sell at NCS 5501 at the price
> point that Arista is going to sell a 7280R for? Spec wise they are very
> similar (except Arista has 8 more SFP+ ports and two more 100G ports).
> Arista is pricing the 7280R inline with Ciscos ASR9001. I doubt Cisco
> will offer a NCS 5501 for the same price as an ASR9001. 

In addition to Saku's comments - I've only really been hypothesising by
looking at the features available on the platforms, and comparing it to
the current list prices that we already have. I've no other insider
knowledge.

Take the line cards in ASR 9000 chassis, vs. NCS 5500 chassis:

 A9K-8X100GE-TR,  8x100G   = $ 1,000,000
 A9K-36X10GE-TR,  36x10G   = $   375,000
 NC55-36X100G-BA, 36x100G  = $   360,000

The list price for a 36x10G line card for the ASR 9000 is *cheaper than*
the 36x100G card for the NCS 5500. There are massive gains in Gbits/$ by
having fewer features in your device. (And the SE scale A9k cards are
priced even higher than these TR models...)

More to the second half of your question though, and probably the most
pertinent; the NCS 5001 & 5002 pricing is already out, and they are
smack-back either side of the ASR 9001:

 NCS-5001, 40x10G + 4x100G  = $ 40,000
 ASR-9001, 4x10G + nothing  = $ 53,600
 NCS-5002, 80x10G + 4x100G  = $ 60,000

So, personally, I'm not ruling out the NCS 5501 landing on or around the
9001's price point - particularly if that's Arista's game.

The NCS 55k is obviously being targeted at dense MPLS P roles, and/or
simple BGP edge routers, which may be of enough use to you, in your
environment - it may not.

-- 
Tom


Re: NCS5K?

2016-04-26 Thread Tom Hill
On 26/04/16 14:27, Chris Welti wrote:
> Judging from the NCS 5001 configuration guides they (NCS5K) don't support
> any VPLS, is that correct? Just EoMPLS?

It's not targeted as a full-feature box AFAIK. You've got the ASR9k and
ASR9xx series for this sort of thing.

I do recall some mention of NCS5k supporting Segment Routing though -
that seemed quite handy for future MPLS P requirements.

>> Some might be thinking "9001 upgrade!" but it's more likely direct
>> competition to Arista's recent moves. That and I still hope there will
>> be a MOD200-ish 9001 replacement to come at some point.
> 
> I had hoped for MOD400-ish 9001 replacement for a while,
> however, I was told an ASR9001 successor is highly unlikely
> in the next few years unless a very large customer asks for it.

I've heard some rumours to the contrary - presumably it could still be
canned. Tomahawk is still quite new, and the 9001 still sells well, so
perhaps the market just isn't ready yet. I guarantee Cisco's sales of
any given product proceed along these lines:

 1. Product sales for flagship $model are good
 2. Announce flagship $model+1 to public
 3. Product sales for $model plummet, whilst everyone waits for $model+1

Sometimes that's good, sometimes that's really bad. :)

>> Oh - and it's NCS 55k, not NCS 5k. The NCS 5508 is already a product,
>> noted for its better buffers than the NCS 5001 & 5002 (which also
>> already exist).
>  
> Does the NCS 5508 support VPLS?

I don't recall looking closely, but I very much doubt it due to the
reasons mentioned above.

-- 
Tom


Re: NANOG67 - Tipping point of community and sponsor bashing?

2016-06-16 Thread Tom Hill
On 16/06/16 15:40, Dave Temkin wrote:
> Nothing in my presentation said "Netflix seeks to get better port fees".
> You'll find that I, not once, in my deck or oral presentation, mentioned
> Netflix. I spoke at length with LINX after the presentation and pointed out
> that I seek to help the entire market, not just my employer, better
> understand how IXPs price their services, what things are negotiable, and
> what things need to change. Call it thinly-veiled, but I didn't even use my
> employer slide master - this was geared as a community discussion.

I wasn't sure if you were talking on behalf of Netflix either. Mainly
because the first thing you said at the Nanog presentation was to
correct everyone on your title at Netflix. ;)

Rather than alluding to it, letting everyone come to their own
conclusion, you'd have been better off just saying it outright.

Definitely do not be surprised when anyone's confused as to this fact,
however.

-- 
Tom


Re: Real world power consumption of a 7604-S or 7606-S

2016-06-27 Thread Tom Hill
On 28/06/16 00:26, Eric Kuhnke wrote:
> Example:
> 7604S chassis with dual 2700W DC power - chassis and fans use how much
> power?
> 2 x RSP720-3CXL at 310W each
> WS-X6704 with DFC4 - ???W each

Way too much, is the simple answer.

I did have a 7604 (non-S) with the same PSUs, 1x SUP720-3BXL, 1x
WS-X6724-SFP and 1x WS-X6708-3CXL was drawing near 2kW.

It's not healthy, please consider how much you'll spend in electricity
vs. something else. For example, the ASR9001 uses a 5th of the power.


Cisco do also have a power calculator, too. It's conservative but not
overly so:

 http://cpc.cloudapps.cisco.com/cpc/launch.jsp

-- 
Tom


Re: Optical Wave Providers

2016-09-02 Thread Tom Hill
On 01/09/16 22:45, Matthew Petach wrote:
> (I'm half hoping to get a flurry of replies telling me
> I'm completely wrong, and then explaining the real
> issues to me.  If nobody replies, it might mean I'm
> not entirely wrong).

You were not wrong on any particular point, but I don't think you may
have heard about muxponders previously.

I *think* technically it's TDM'd on the coloured side, but I'm not
sure... ODU/OTU stuff is somewhat removed from $dayjob. Someone might
want to correct me.

Have a look at the data sheet for the Ciena WaveServer though; it should
give a good idea of how this fits together. Of course, I'm sure more
comprehensive muxponder solutions are available for the [inter]national
carriers. :)

-- 
Tom


Re: Netflow/sFlow generator for Linux with BGP support

2017-01-29 Thread Tom Hill
On 29/01/17 06:43, Peter Phaal wrote:
> You might want to try pmacct:
> http://www.pmacct.net/

That's definitely a good idea. +1

-- 
Tom


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-18 Thread Tom Hill
On 17/05/18 14:24, Mike Hammett wrote:
> There's some industry hard-on with having a few ginormous routers instead of 
> many smaller ones.

"Industry hard-on", ITYM "Greedy vendors".

Try finding a 'small' router with a lot of ports (1 & 10GE) for your
customers, and the right features/TCAM/CP performance, for a price that
permits you to buy a lot of them.

-- 
Tom


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-23 Thread Tom Hill
On 19/05/18 21:51, Ben Cannon wrote:
> Isn’t that the ASR9010?  (And before that 7609?)

I can't tell if you're taking the piss or not.

-- 
Tom


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-23 Thread Tom Hill
On 18/05/18 14:55, Stephen Satchell wrote:
> What happened when you sent out your last RPQ to the vendors with these
> requirements?

Why bother? There are so few products, with so few vendors, and their
list prices & discount levels are easily researchable in less than a
day. If you thought someone was going to build you a tailored device of
that ilk then you're surely going to need to commit to buying a lot more
than you actually need...

Whilst small-to-medium providers still need to play in the DFZ, they
don't often buy hundreds (let alone thousands) of small edge routers.


-- 
Tom


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-23 Thread Tom Hill
On 21/05/18 17:10, Large Hadron Collider wrote:
> I would go as far as to say that Tier 1 is a derogatory designation, but
> I have a beef with Cogent because they're expecting otherwise Tier 1
> IPv6 ISP Hurricane Electric to bow to the altar of Cogent.

Owen, is dat yew?!

-- 
Tom


Re: Broadcom vs Mellanox based platforms

2018-06-04 Thread Tom Hill
On 04/06/18 06:41, Kasper Adel wrote:
> I’m thinking, how do i validate their claims about capability to do
> leaf/spine arch, ToR/Gateways, telemetry, serviceability, facilities to
> troubleshoot packet drops or FIB programming misses, hidden tools...etc

I'd start with a software vendor that supports both. The Cumulus Linux
docs are pretty good, and available online:

  https://docs.cumulusnetworks.com/display/DOCS

Caveats for Mellanox Spectrum, and various Broadcom ASICs, are usually
listed in boxouts where appropriate. There's a whole page on *tested*
scales.

The software vendors are the ones that get access to the people at both
companies that /really/ know where the limitations are, so you're more
likely to find the best information dealing with one of them.

HTH,

-- 
Tom


Re: 3rd party QSFP-100G-LR4-S for Cisco

2018-06-06 Thread Tom Hill

On 2018-05-29 13:48, Ryugo Kikuchi wrote:
> Does anyone have a recommended model of 3rd party's "QSFP-100G-LR4-S" for
> Cisco ASR and Nexus?
>
> Cisco's original 100G SFP costs us an arm and a leg, so we want to try to
> use 3rd party 100g SFP.
> But we are not sure which manufacturer's SFP is reliable or has good
> performance.



FlexOptix (.net) are an excellent third-party provider for your first 
foray into non-vendor optics.


Tom


Re: Level3 IRR contact

2018-09-17 Thread Tom Hill
On 17/09/18 15:15, Brian Rak wrote:
> I used to use routing@level3 to get this done, however they don't seem
> to reply anymore.
> 
> http://www.irr.net/docs/list.html directs me to r...@level3.net, which has
> an autoreply that says "open a ticket"


You may wish to start by swapping the Level3 domain for the CenturyLink
one?

-- 
Tom


Re: Amazon now controls 3.0.0.0/8

2018-11-12 Thread Tom Hill
On 09/11/2018 00:46, Eric Kuhnke wrote:
> 3.4.5.6/24  could be an interesting block to put
> easily memorable IP services in...


My upbringing in the 90s makes '5.6.7.8' far more memorable. :)

-- 
Tom


Re: Cheap switch with a couple 100G

2018-11-25 Thread Tom Hill
On 25/11/2018 18:16, Mike Hammett wrote:
> I haven't seen anyone selling 25G or 50G transport.


That's because, in active transport at least, 100G makes far more sense.

You may start seeing passive 25G WDM soon. Finisar have a DWDM tunable,
I believe.

-- 
Tom


Re: Cheap switch with a couple 100G

2018-11-25 Thread Tom Hill
On 25/11/2018 18:59, Mike Hammett wrote:
> It wouldn't be hard to do any standard wavelength, really. They just
> need an appropriate mux.


I'm really not sure that your statement makes sense by itself.

-- 
Tom


Re: Cheap switch with a couple 100G

2018-11-25 Thread Tom Hill
On 25/11/2018 21:22, Baldur Norddahl wrote:
> If it is passive, you could tell them it is for 10G but use it for 25G?


The mux isn't the problem, it's that there aren't SFP28 optics commonly
available in C/DWDM wavelengths. Yet. If they were, well maybe...

... However, your trouble then is that 25G will have similar loss
characteristics to 4x25 100GBASE, which to put it simply, isn't as
favourable as your existing 10G transceivers. You will *really* begin to
care about how 'direct' your cross-connects are.

Coherent optical transport has become far more common in recent years
for the same reasons, and pizza-box solutions for this are even coming
in whitebox guise now (see Facebook/Cumulus).

On the retail side, if you're buying 'grey' wavelength services from
optical network operators as opposed to running your own transport, they
now tend to be bundling everything into coherent line sides through the
use of muxponders.  The problem with buying 25G services then becomes
"our vendor doesn't discount as hard for the 4x25G muxponder part as
they do for the 10x10G part!", or "we'll have to buy this for you
especially, and so you're footing >25% of the bill".

Chicken & egg: someone has to move first... And I don't see the ASR9k
and Juniper MX BUs rushing to support 25 & 50G.

-- 
Tom


Re: Cheap switch with a couple 100G

2018-11-25 Thread Tom Hill
On 25/11/2018 21:43, Ben Cannon wrote:
> At this point, with 400g coherent in production never mind long-haul
> testing; why bother lighting with anything slower than 100g coherent,
> especially at essentially the same price.  It just makes no sense.
> It got skipped.  We’re better for it IMO.


To be fair, I did say that to begin with. ;)

Outside of the US, in our quaint little European countries, passive
muxing with direct detect does often make more sense financially. Those
coherent hardware providers have some eye-watering price lists, and only
begin to make sense on spans >100km. Or if you actually need 400G
transport to make use of N*100G services.

-- 
Tom


Re: Cheap switch with a couple 100G

2018-11-25 Thread Tom Hill
On 25/11/2018 21:52, Ben Cannon wrote:
> Single Wavelength Coherent or 4x10g coherent?


SFP28... So 1x25G, and direct detect.


> Actually FS has SFP28 CWDM optics (1270-1330) available but they are
> not up on the website, just as an FYI.


Missed that original mail, Tony. Good to know, thank you.

-- 
Tom


Cheap switch with a couple 100G

2018-11-25 Thread Tom Hill
On 25/11/2018 22:38, Aled Morris wrote:
> Juniper have launched a Trident based switch with 48 x 25G ports (the
> QFX5120-48Y.)


I very specifically said "Juniper MX". ;)

-- 
Tom


Re: [ROUTING] Settle a pointless debate - more commonly used routing protocol in total deployments - OSPF vs IS-IS

2019-01-25 Thread Tom Hill
On 25/01/2019 04:47, Steven Bahnsen wrote:
> First time poster looking for some input on a debate


This won't settle anything. You've just started the same old debate
again, from the beginning. Again. :)

There are almost certainly indexed threads of this mailing list with
enough answers to this question to last a life time of arguments. (See
also, c-nsp, probably j-nsp, UKNOF, etc.)

-- 
Tom


Re: RTBH no_export

2019-02-03 Thread Tom Hill
On 31/01/2019 20:17, Nick Hilliard wrote:
> you should implement a different community for upstream blackholing.
> This should be stripped at your upstream links and replaced with the
> provider's RTBH community.  Your provider will then handle export
> restrictions as they see fit.


This works wonderfully, from past experience. :)

-- 
Tom
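
Added example (not part of the original thread, and not any participant's configuration): a Python model of the export policy in the quoted advice above, where a separate "blackhole upstream too" community is stripped at each upstream link and replaced with that provider's own RTBH community. All ASNs, prefixes, upstream names and community values are constructed for illustration, apart from the well-known NO_EXPORT (65535:65281) and BLACKHOLE (65535:666) values.

```python
import ipaddress
from dataclasses import dataclass

# --- Constructed values (assumptions, not taken from the thread) ---
OUR_ASN = 64500
INTERNAL_RTBH = (OUR_ASN, 666)   # null-route inside our own AS only
UPSTREAM_RTBH = (OUR_ASN, 667)   # additionally ask upstreams to drop
OUR_SPACE = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("2001:db8::/32")]
# Hypothetical upstreams and the RTBH community each one documents.
PROVIDER_RTBH = {
    "upstream-a": (64496, 666),
    "upstream-b": (65535, 666),  # well-known BLACKHOLE community
}
# --- Well-known value ---
NO_EXPORT = (65535, 65281)


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset


def is_own_host_route(prefix):
    """True only for a /32 or /128 that sits inside our own address space."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != net.max_prefixlen:
        return False
    return any(net.version == s.version and net.subnet_of(s) for s in OUR_SPACE)


def export_to_upstream(route, upstream):
    """Return the route as it would be sent to `upstream`, or None if withheld."""
    comms = set(route.communities)

    # NO_EXPORT keeps a route inside the AS, whatever else it carries.
    if NO_EXPORT in comms:
        return None

    wants_upstream_drop = UPSTREAM_RTBH in comms

    # An internal-only blackhole must never leak to a provider.
    if INTERNAL_RTBH in comms and not wants_upstream_drop:
        return None

    # Strip every community from our own namespace at the upstream link.
    cleaned = {c for c in comms if c[0] != OUR_ASN}

    if wants_upstream_drop:
        provider_comm = PROVIDER_RTBH.get(upstream)
        # Without a provider RTBH community the host route would attract
        # traffic instead of dropping it, so withhold it. Also refuse to
        # blackhole anything that is not a host route in our own space.
        if provider_comm is None or not is_own_host_route(route.prefix):
            return None
        cleaned.add(provider_comm)

    return Route(route.prefix, frozenset(cleaned))


if __name__ == "__main__":
    samples = [  # constructed sample routes
        Route("192.0.2.55/32", frozenset({INTERNAL_RTBH, NO_EXPORT})),
        Route("192.0.2.55/32", frozenset({INTERNAL_RTBH, UPSTREAM_RTBH})),
        Route("198.51.100.7/32", frozenset({UPSTREAM_RTBH})),
        Route("192.0.2.0/24", frozenset({(OUR_ASN, 100)})),
    ]
    for r in samples:
        for up in ("upstream-a", "upstream-b", "upstream-c"):
            print(r.prefix, sorted(r.communities), up, "->",
                  export_to_upstream(r, up))
```
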


Re: Cisco ASR's with RSP440 engines...

2019-02-19 Thread Tom Hill
On 18/02/2019 21:50, John Von Essen wrote:
> If anyone on here has experience with the ASR series running the
> RSP440-SE or -TR, please contact me off-list. I'm trying to better
> understand real world performance when it comes to handling a few full
> BGP tables on these, it would be running as very basic edge router
> primarily just doing BGP. I know the RSP440 is EOL, but the plan would
> be to upgrade to RSP880 within a year.

The 440 is a beast. Faster even than the 9001's RP. You'll be fine with
a LOT of BGP edge work. :)

The RSP880 is faster on paper, but I'll be impressed if you notice a
difference over the 440 in terms of solely basic BGP edge functions. It
of course has support for other things that you might need, however.

(No idea why this would need to be offlist...)

-- 
Tom


Re: Cisco ASR's with RSP440 engines...

2019-02-19 Thread Tom Hill
On 19/02/2019 15:26, Tom Hill wrote:
> I know the RSP440 is EOL, but the plan would
> be to upgrade to RSP880 within a year.

Also, the RSP880-RL is available for the same price as 440 on list. If
you certainly need 880 later, I might be wondering if Cisco will 'help'
with securing a discount for the upgrade license later in the day.  Just
a thought. :)

Regards,

-- 
Tom


Re: Anyone using Arista 7280R as edge router?

2017-04-17 Thread Tom Hill
On 14/04/17 14:51, David Hubbard wrote:
> I’m looking at the ASR9001 with add-on ports since I need (10) 10gig.

Be careful here; the 9001 won't support IOS-XR 64-bit as far as anyone
can make out, and there is a semi-confirmed successor already on its way
up ("9901"). Be sure to mention this if you're speaking to Cisco. :)

At that sort of bandwidth, however, something that wasn't viable when I
last looked at it was Juniper's vMX. I'd be very intrigued in that as a
solution today, assuming your requirements fit into 9001-sized chunks
right now.

The 7280R might suit you though, so don't rule it out on my account. The
feature count has been coming on fast since I last evaluated it, late
last year.

-- 
Tom


Re: 10G MetroE 1-2U Switch

2017-04-17 Thread Tom Hill
On 13/04/17 23:47, Aaron Gould wrote:
> Pretty sure I looked at the ciena 51xx and I found that it does not have
> mpls in it... pretty sure Erik needs mpls...

The 5150 will 'do MPLS', which is pretty clear from their website. The
references 5160, too.

I wouldn't recommend it personally, but it is there.

-- 
Tom


Re: Russian diplomats lingering near fiber optic cables

2017-06-04 Thread Tom Hill
On 01/06/17 20:44, Rod Beck wrote:
> There is a website showing where most of the Trans-Atlantic cables land on 
> the West Coast of Britain at towns like Bude in Wales. Hiding is not an 
> option.

Bude is in Cornwall, a county of England. It's not in Wales.

-- 
Tom


Re: Russian diplomats lingering near fiber optic cables

2017-06-04 Thread Tom Hill
On 04/06/17 23:32, Rod Beck wrote:
> And when you get over trying to score cheap points, you can view the map

I'm not the one that needs to look at a map ;)


-- 
Tom


Re: NANOG70 tee shirt mystery

2017-06-04 Thread Tom Hill
On 05/06/17 00:55, Matthew Petach wrote:
> Or is there some other cultural reference at
> play that I'm not aware of?

It could be this:

  https://en.wikipedia.org/wiki/Music_of_Washington_(state)#Grunge

Nirvana & Pearl Jam (amongst others) came out of Seattle, it seems. TIL!

-- 
Tom


Re: Looking for Cisco ASR9000v feedback

2017-06-06 Thread Tom Hill
On 06/06/17 15:34, Erik Sundberg wrote:
> Looking for the pro's, con's, and the gotcha's of moving our 1G ports to the 
> 9000V.

The nV licenses for one. Talk about printing money.

-- 
Tom


Re: list blockchain

2018-01-29 Thread Tom Hill
On 28/01/18 18:38, Todd Underwood wrote:
> Moderators: even when posts are by long term members of the community can
> you remind them of the list purpose when they forget, please? Thanks!

Randy's post has provided more commentary on our industry than most of
the other drivelling nonsense that befalls this mailing list every other
day.

Reminder: satire can be relevant.

-- 
Tom


Re: 1/2u 100g Metro-E Aggregation Switch

2018-02-16 Thread Tom Hill
On 14/02/18 19:47, Aaron Gould wrote:
> What does this include ?
> 
> 17828 (part#) - X870 MPLS Feature Pack (product name) - ExtremeXOS
> X870 MPLS Feature Pack (firmware license)

I was going to say, 'JFGI', but Extreme really don't make these things
easy to find any more...

Features in the MPLS feature pack:

https://documentation.extremenetworks.com/FLR_22.4/EXOS_21_1/Feature_License_Requirements/r_feature-pack-features.shtml


And MPLS configuration (scroll down for the tree on the left):

https://documentation.extremenetworks.com/exos_22.4/EXOS_21_1/MPLS/mpls.shtml

-- 
Tom


Re: Request Spamhaus contact

2011-01-17 Thread Tom Hill
On Mon, 2011-01-17 at 17:12 -0500, Jeffrey Lyon wrote:
> Our listing is misleading. They show me specifically what needs to be
> done and why and we will act on it. The problem is that they expect me
> to dig through our customer database and correlate various customers
> to ROKSO listings. I don't have the resources for this.

Is it really? They list the domains in question and the IPs they resolve
to.

You should not need such resources, if you have a system that ties the
accountability of your users to either a domain name OR an IP address.

(Or at the very least, narrows it down to the point where you have
little to no guesswork remaining.)

I agree that this can be highly frustrating, but it sounds more like a
hosting company unprepared for the inevitable 'oh god the sales guys
have sold servers to a ROKSO spammer!'.

Good luck. :)

Tom
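Added example, not part of the original message or any Spamhaus tooling: a sketch of the correlation the reply above describes, matching a listing's domains and resolved IPs against customer records. The customer IDs, prefixes, domains and the record layout are all constructed assumptions, using documentation ranges.

```python
import ipaddress

# Constructed inventory (made-up customers, documentation prefixes and domains).
ASSIGNMENTS = [
    ("192.0.2.0/24", "cust-1001"),
    ("192.0.2.128/28", "cust-2002"),   # more specific sub-assignment
    ("198.51.100.0/25", "cust-3003"),
    ("2001:db8:40::/48", "cust-3003"),
]
HOSTED_DOMAINS = {"example.net": "cust-1001", "shop.example.org": "cust-3003"}

# Constructed listing: the domains in question and the IPs they resolve to.
LISTING = [
    ("mail.example.net", "192.0.2.130"),
    ("cdn.shop.example.org", "198.51.100.7"),
    ("unknown.example.com", "203.0.113.9"),
]

NETWORKS = [(ipaddress.ip_network(p), c) for p, c in ASSIGNMENTS]

def customer_for_ip(ip):
    """Longest-prefix match of an address against customer assignments."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, c) for n, c in NETWORKS
            if n.version == addr.version and addr in n]
    return max(hits)[1] if hits else None

def customer_for_domain(name):
    """Match the name or any parent domain against hosted-domain records."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        owner = HOSTED_DOMAINS.get(".".join(labels[i:]))
        if owner:
            return owner
    return None

def correlate(listing):
    """One row per listed entry: customer by IP, by domain, and a verdict."""
    rows = []
    for domain, ip in listing:
        by_ip, by_dom = customer_for_ip(ip), customer_for_domain(domain)
        if by_ip and by_dom and by_ip != by_dom:
            verdict = "conflict"      # records disagree: needs a human
        elif by_ip or by_dom:
            verdict = "identified"
        else:
            verdict = "not-ours"
        rows.append((domain, ip, by_ip, by_dom, verdict))
    return rows
```

A "conflict" row is the remaining guesswork: the IP and the domain point at different customers, so only those entries need manual review.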




Re: open source with flowspec ?

2014-03-20 Thread Tom Hill

On 2014-03-13 23:13, joel jaeggli wrote:
> exabgp from ripe labs can inject flowspec routes.

You mean from Exa Networks[1], not RIPE: 
https://github.com/Exa-Networks/exabgp


Tom

[1] http://www.exa.net.uk/





Re: Experience with Third-Party memory (Cisco)?

2014-05-08 Thread Tom Hill

On 08/05/14 17:46, Shawn L wrote:
> Does anyone have experience using third-party "guaranteed compatible"
> memory.
>
> With Cisco's discount it looks like I can upgrade for $5k vs $700 with
> third party memory. I'm just wondering if others have used it, and how it's
> performed, or if it isn't worth the risk.

As far as I'm aware, there are up to four ISR 3825s still operating 
somewhere I've worked previously, with Crucial DIMMs in them. The stuff 
that came out looked pretty bog-standard OEM stuff, too.


I suppose it could depend on what type of memory it is, but when it's 
just regular DDR SDRAM, I don't see any cause for concern for the few 
tens of pounds it cost (versus £hundreds for Cisco's own) to find out.


Tom


Re: Observations of an Internet Middleman (Level3) (was: RIP Network Neutrality (was: Wow its been quiet here...

2014-05-11 Thread Tom Hill

On 10/05/14 20:40, Phil Bedard wrote:
> The UK only does this with BT OpenReach since they were the telco monopoly
> that originated as a government entity.  Virgin Media (well all the people
> who now form Virgin Media) built and operates their own fiber/HFC access
> networks, the same as MSOs in the US, and does not offer wholesale access
> and isn't treated as a utility.  There are areas in the UK Virgin serves
> where the wholesale network does not, and areas where they offer much
> faster speeds, which is the same exact scenario as we have here


I think Patrick was more trying to highlight that there is nothing 
stopping Openreach and Virgin Media from building their last miles in 
the same markets, side by side. They do so in many cases, and compete 
fairly equally for that business.


Or, for that matter, anyone else: Metronet[1] are busy building their 
own wireless infrastructure around the UK, and City Fibre[2] are running 
fibre up to everyone's door in a number of cities. Wholesale agreements 
are part and parcel of the business, as is the consumer choice to switch 
provider without penalty.


(And, just to clarify, you *can* buy wholesale Ethernet leased lines 
from Virgin Media Business, just not the DOCSIS access services.)


These examples are really only scratching the surface; the point is that 
you can switch providers to your heart's content. Or just build your 
own, should you have the means. There isn't a granted monopoly on 
end-user access in the UK (anything else is due to economics, and for 
that, see B4RN[3]).


I won't claim to hold the magic recipe for ensuring fair choice for 
consumers, and the UK market is far from perfect, but so far it's 
sounding a hell of a lot saner than what's happening in the US.


Tom


[1] http://www.metronet-uk.com
[2] http://www.cityfibre.com
[3] http://b4rn.org.uk/


Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff

2014-05-13 Thread Tom Hill

On 13/05/14 19:01, Owen DeLong wrote:
> I didn’t see the NSA telling us what we had to buy or demanding
> advance approval rights on our maintenance procedures.


Because they didn't (don't) need to...?

Tom

