Yahoo as#10310 reachability problem
Can someone from Yahoo AS10310 contact me off-list? We have some problems reaching Yahoo through Telia and GTT. Thanks. -- Mohamed Kamal Core Network Sr. Engineer
Re: Preferring RSVP for only one l2circuit.
Tried this, Timothy, and the RSVP didn't appear in inet.3. Failed to work!

----- Original Message -----
From: "Timothy Creswick" <timothy.cresw...@vorboss.com>
To: "Mohamed Kamal" <mka...@noor.net>, nanog@nanog.org
Sent: Friday, May 27, 2016 3:30:08 PM
Subject: RE: Preferring RSVP for only one l2circuit.

> I have increased the preference of the RSVP, and it has been taken out of the inet.3, so the l2circuit didn't prefer the RSVP path anymore!

Just add "no-install-to-address" to the LSP.
Preferring RSVP for only one l2circuit.
I have full-mesh LDP LSPs between my MX-104 routers; however, between two specific routers, and on the same loopbacks, I configured an RSVP LSP to be used as the transport for only one l2circuit and nothing more. The problem is, when the RSVP LSP gets signaled, it gets installed in inet.3 and gets preferred over any other LDP LSP. So all the traffic destined to the RSVP tail-end will prefer the RSVP over the LDP. I have increased the preference of the RSVP, and it has been taken out of inet.3, so the l2circuit didn't prefer the RSVP path anymore! Does anyone have a working configuration for this? Or should I configure another loopback address on every pair of routers for the RSVP signalling? -- mk
Re: mrtg alternative
We use Zenoss; pretty awesome and it does the job. Mohamed Kamal Core Network Sr. Engineer

On 2/27/2016 1:18 AM, Baldur Norddahl wrote:
Hi, I am currently using MRTG and RRD to make traffic graphs. I am searching for more modern alternatives that allow the user to dynamically zoom and scroll the timeline. Bonus points if the user can customize the graphs directly in the web browser. For example he might be able to add or remove individual peers from the graph by simply clicking a checkbox. What is the 2016 tool for this? Regards, Baldur
Re: Cisco's IOS-XE and PCEP implementation
Just to follow up: Cisco has offered segment routing and entropy label use starting from 3.16/3.17 respectively. Do Cisco see the 1k platform as an enterprise router?! Am I the only one here who assumes that BGP-LS and PCEP support in the XE platforms is a must now after releasing the SR support? Mohamed Kamal Core Network Sr. Engineer

On 4/8/2015 6:06 PM, Mohamed Kamal wrote:
Yes, indeed! Things like VPLS, full-featured ESI and PCEP exist on IOS-XR but not IOS and IOS-XE! ISSU and HA operate differently between IOS-XE and NX-OS! Their claim is not even logical: the ASR1k supports 600 TE tunnels as head-end, and up to 10k as midpoint! So, if I had an average of 30 ASR1k in the edge, each with 500 TE tunnels, there would be over 15000 TE tunnels in the core, which will create a need for an automatic tool such as Juniper's NorthStar! Mohamed Kamal Core Network Sr. Engineer

On 4/8/2015 4:11 PM, Phil Bedard wrote:
One of the downsides to having four (at least) different control plane operating systems across your product lines. Phil

From: Mohamed Kamal <mka...@noor.net>
Sent: 4/8/2015 5:13 AM
To: NANOG <nanog@nanog.org>
Subject: Re: Cisco's IOS-XE and PCEP implementation

Here is Cisco's reply! "Given PCEP's main use-case is inter-area TE tunnels (or SDN controller in TE environment) and ASR1K is not marketed for TE, support is unlikely" What is .. "not marketed for TE"?! All in all, I don't mind replacing them with some cheaper, powerful, flexible and SDN-ready Juniper MX that are marketed for TE. Mohamed Kamal Core Network Sr. Engineer

On 4/5/2015 10:42 PM, Mohamed Kamal wrote:
> and hence being implemented on IOS-XR within the Cisco environment today
I disagree! Engineering is all about optimization, and using an ASR1k (which is being marketed as an "edge/PE router") in my edge doesn't mean that my network is not a "high-scale environment"; it means that it fits my needs in this location, where other IOS-XR (ASR9k) fits in others. Plus, PCEP is no magic; Juniper's MX series, starting from the vMX, supports PCEP. They didn't claim that a "higher-scale environment" is required for this.
> the demand for online calculation has increased - either due to dependencies for new TE path-instantiating protocols (e.g., SR), or more complex constraints that cannot be well met by offline calculation or CSPF
That's why PCEP support should be added to the road-map in the near future. Mohamed Kamal Core Network Sr. Engineer

On 4/5/2015 8:33 PM, Rob Shakir wrote:
On 30 March 2015 at 15:42:59, Mohamed Kamal (mka...@noor.net) wrote:
> I'm wondering, why there is no MPLS-TE PCE support for IOS-XE till now?! Should I be getting a 9k/CRS on the edge to implement an automatic tool to build MPLS-TE tunnels!
In general, PCE(P) implementations have been limited. IMHO the last 10 years of RSVP-TE management has generally been done with auto-mesh tools, or in-house driven offline path calculation tools (e.g., WANDL, Cariden, Aria…). As such, the demand for online calculation has increased - either due to dependencies for new TE path-instantiating protocols (e.g., SR), or more complex constraints that cannot be well met by offline calculation or CSPF (e.g., path-diversity with disjoint head-end PEs). This demand is mainly coming in higher-scale environments - and hence being implemented on IOS-XR within the Cisco environment today. I expect this is why IOS-XE is lagging. There are certainly requests for support - but as Mark says, you'll need to interface with your account team to figure out when code will be available for your platform. As to whether you should buy an IOS XR device for your edge, I'm not sure what kind of logic would mean that device selection is solely based on PCEP support :-). I would certainly look more into the existing "automatic" tools, and possibilities for offline calculation in the interim period. r.
Re: EoMPLS vlan rewrite between brands; possibly new bug in Cisco IOS 15
Jonas, If the problem is in VC type 4 signalling, then switch to Ethernet interworking or VC type 5. It will work in your case, and the VLAN rewrite operation will be done at the AC points. I don't know if you already have this configured or not, but you have to use pseudowire-class templates with "interworking ethernet" underneath. Mohamed Kamal

On 11/28/2015 6:55 AM, Jonas Bjork wrote:
Dear Mr. Bensley, The platform is Cisco 7600 on side A and HP A5500-HI on side B. I am currently running IOS v12.2-33.SRE5 and I'm trying to upgrade to v15.3-3.S6. In the current version the VC type is Eth VLAN and I have tried all the different options on the HP side with no success. On the Cisco side I don't know if there is anything I can do; the negotiation seems to take place without any possible user interference. It's true that I can terminate the tunnel elsewhere and switch the traffic using layer 2, but I don't want to have any "ugly" solutions in the network. Everything works fine even though I rewrite the VLAN id (and that is essential for my solution) at the moment, and it bothers me that an IOS upgrade triggers this bug. The bug is submitted (against Juniper) as previously mentioned in this thread, but Cisco won't do anything about it. Best regards, Jonas Bjork Network Nerd

On 16 Nov 2015, at 10:21, James Bensley <jwbens...@gmail.com> wrote:
On 15 November 2015 at 01:31, Jonas Bjork <mr.jonas.bj...@me.com> wrote:
Dear Mr. Jeff, Thank you for your reply. Below is the complete output in question (l2 is short for l2transport). You are mentioning platform capabilities and that the default might have changed. How do I alter this?

pe#sh mpls l2 vc 42 d
Local interface: Po190.42 up, line protocol up, Eth VLAN 42 up
  Destination address: X.X.1.89, VC ID: 42, VC status: down
    Last error: Imposition VLAN rewrite capability mismatch with peer
    Output interface: none, imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:00:59, last status change time: 00:31:40
    Last label FSM state change time: 00:00:18
    Last peer autosense occurred at: 00:00:18
  Signaling protocol: LDP, peer X.X.1.89:0 up
    Targeted Hello: X.X.0.2(LDP Id) -> X.X.1.89, LDP is UP
    Graceful restart: not configured and not enabled
    Non stop routing: not configured and not enabled
    Status TLV support (local/remote) : enabled/not supported
      LDP route watch : enabled
      Label/status state machine: remote invalid, LruRnd
      Last local dataplane status rcvd: No fault
      Last BFD dataplane status rcvd: Not sent
      Last BFD peer monitor status rcvd: No fault
      Last local AC circuit status rcvd: No fault
      Last local AC circuit status sent: DOWN PW(rx/tx faults)
      Last local PW i/f circ status rcvd: No fault
      Last local LDP TLV status sent: No fault
      Last remote LDP TLV status rcvd: Not sent
      Last remote LDP ADJ status rcvd: No fault
    MPLS VC labels: local 242, remote 1199
    Group ID: local 0, remote 0
    MTU: local 9216, remote 9216
    Remote interface description:
    Remote VLAN id: 42
  Sequencing: receive disabled, send disabled
  Control Word: Off (configured: autosense)
  SSO Descriptor: X.X.1.89/42, local label: 242
  Dataplane:
    SSM segment/switch IDs: 0/0 (used), PWID: 142
  VC statistics:
    transit packet totals: receive 0, send 0
    transit byte totals:   receive 0, send 0
    transit packet drops:  receive 0, seq error 0, send 0
pe#

Anyone else: feel free to join in. Maybe we have some L2VC/PW ninjas watching. Best regards, Jonas Bjork

Hi Jonas, In that output you have "Remote VLAN id: 42". What is the local VLAN ID on your Cisco PE? Do you need to VLAN rewrite here?

Since you're using different VLANs at each end, can you build the pseudowire at a point in the network stack where the VLAN tag has been popped off already and transport the frames untagged, so they will be pushed on again at the other end? (If this is a VC type 4 pseudowire, check with "show mpls l2transport binding 42"; if so, a dummy VLAN should be pushed on and popped off transparently if all hardware in use supports it.) I don't know HP, but with the Cisco 7600 for example, if it's VLAN 50 then you could add "interface vlan 50; xconnect X.X.1.89 42 encaps mpls", if your hardware supports that. Or use mux-uni: "int gix/x.y; encaps dot1q y; xconnect X.X.1.89 42 encaps mpls". Then add vice versa on the HP kit. What IOS have you tried to upgrade to, 15.2(4)S4a? If this is a VC type 4 pseudowire and either the HP or Cisco isn't supporting inserting a dummy VLAN tag, why is this a VC type 4 pseudowire? The VLAN re-write I guess. Certainly in IOS 15.3 (so probably also in 15.2 but I'm not 100% certain of that) Cisco IOS should be defaulting to VC type 5 unless t
[Discussion] MTU mismatch and impact of data-plane traffic
Suppose you have the below network topology, where PE is connected to P1, P1 is connected to P2 and P2 is connected to GW, all through 1G links.

[PE]-1500 1500-[P1]-1600 1600-[P2]-1500 1600-[GW]

The numbers represent the MTU values configured in the following order: PE's egress interface to P1, P1 ingress interface, P1 egress interface, P2 ingress, P2 egress and eventually GW ingress.

Q1: What do you think would be the impact in terms of data-plane traffic (HTTP/s browsing, video streaming etc.) traversing this network, in the direction from the Internet going to the PE router?

My answer is: If there is a client running Win7 on a machine trying to access a web server out there, the TCP MSS would be adjusted to around 1260-1460 bytes depending on the operating system's MTU value. Hypothetically, the first packet from the web server destined to the client would be 1460 bytes and will reach the ingress interface of the GW. The GW would receive it in the input buffer of the ingress interface, strip off the Ethernet header, and move it to the output buffer of the egress interface whose MTU is 1600. Since the largest MSS is 1460, and there is always a one-to-one mapping between segments received from the TCP module and the packets constructed in the IP module, I believe that the largest IP packet would be 1480. GW would cram the Ethernet frame with the 1480 bytes of IP payload data and send it to P2, which would, on the other end, pass it on its way.

Q2: However, what about larger MSS sizes? For example, above 1500? And large chunks of payload from connectionless protocols that don't exchange MSS? UDP for example? Or Google's QUIC (which is HTTP over UDP)? -- Mohamed Kamal
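The following Python model is an added example, not part of the original post and not any vendor's code. It walks a packet across the Internet-to-PE direction of the topology above using the per-interface MTUs listed in the post (with the assumption that an interface's MTU applies to both its transmit and receive side, so P2's 1500-byte interface towards GW also limits what P2 accepts), derives the TCP packet size from the MSS (MSS plus 20-byte IPv4 and 20-byte TCP headers, assuming no options), and applies the usual router rules: a packet larger than the egress MTU is fragmented, or dropped with an ICMP "fragmentation needed" if DF is set, while a frame larger than the receiver's ingress MTU is discarded with no notification. It also covers the UDP/QUIC case from Q2, where no MSS is exchanged.

```python
"""Path-MTU walk for [PE]-1500 1500-[P1]-1600 1600-[P2]-1500 1600-[GW].

Added example, not code from the original post. Link names and MTU values
follow the thread; the forwarding rules model ordinary IPv4 router behaviour.
"""
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HDR = 20
TCP_HDR = 20


@dataclass(frozen=True)
class Link:
    name: str
    egress_mtu: int   # MTU of the sending router's interface
    ingress_mtu: int  # MTU of the receiving router's interface


# Internet -> PE direction. Assumption: an interface MTU limits receive as
# well as transmit, so P2's 1500-byte side of the P2-GW link is the ingress
# limit for frames arriving from GW.
GW_TO_PE = [
    Link("GW->P2", egress_mtu=1600, ingress_mtu=1500),
    Link("P2->P1", egress_mtu=1600, ingress_mtu=1600),
    Link("P1->PE", egress_mtu=1500, ingress_mtu=1500),
]


def mss_for_mtu(mtu: int, ip_hdr: int = IPV4_HDR) -> int:
    """TCP MSS a host derives from its interface MTU (IP + TCP headers removed)."""
    return mtu - ip_hdr - TCP_HDR


def fragment(size: int, mtu: int) -> List[int]:
    """Split an IPv4 packet of `size` bytes into fragments that fit `mtu`.
    Every fragment except the last carries a multiple of 8 payload bytes."""
    payload = size - IPV4_HDR
    max_payload = (mtu - IPV4_HDR) // 8 * 8
    frags = []
    while payload > 0:
        chunk = min(max_payload, payload)
        frags.append(IPV4_HDR + chunk)
        payload -= chunk
    return frags


def forward(path: List[Link], size: int, df: bool) -> Tuple[str, List[int], List[str]]:
    """Walk an IP packet across `path`.

    Returns (outcome, sizes delivered to the last hop, per-hop events) where
    outcome is "delivered", "icmp_frag_needed" (sender is told) or
    "silent_drop" (receiver discarded an oversize frame, nobody is told).
    """
    packets = [size]
    events: List[str] = []
    for link in path:
        sent: List[int] = []
        for p in packets:
            if p <= link.egress_mtu:
                sent.append(p)
            elif df:
                events.append(f"{link.name}: {p}B > egress MTU {link.egress_mtu}, DF set: "
                              f"dropped, ICMP frag-needed (MTU {link.egress_mtu}) sent to source")
                return "icmp_frag_needed", [], events
            else:
                frags = fragment(p, link.egress_mtu)
                events.append(f"{link.name}: {p}B > egress MTU {link.egress_mtu}: fragmented into {frags}")
                sent.extend(frags)
        kept: List[int] = []
        for p in sent:
            if p > link.ingress_mtu:
                # Oversize frame on receive: counted as a giant and discarded,
                # no ICMP because no router ever exceeded its own egress MTU.
                events.append(f"{link.name}: {p}B > ingress MTU {link.ingress_mtu} at receiver: "
                              f"silently discarded")
            else:
                kept.append(p)
        if not kept:
            return "silent_drop", [], events
        packets = kept
    return "delivered", packets, events


if __name__ == "__main__":
    mss = mss_for_mtu(1500)                       # 1460 for a 1500-byte client MTU
    for label, size, df in [("TCP, MSS-derived", mss + IPV4_HDR + TCP_HDR, True),
                            ("UDP/QUIC 1600B, DF clear", 1600, False),
                            ("UDP/QUIC 1600B, DF set", 1600, True)]:
        outcome, delivered, events = forward(GW_TO_PE, size, df)
        print(f"{label}: {outcome} {delivered}")
        for e in events:
            print("   ", e)
```

The asymmetric P2/GW link is the interesting case: a 1600-byte packet leaves GW without error, since GW's own MTU is 1600, and is then discarded by P2's 1500-byte ingress with no ICMP, so DF and Path MTU Discovery never learn about it. That is a PMTUD black hole; TCP with a 1460 MSS never notices because every segment fits in 1500 bytes, which is why the mismatch typically surfaces first with UDP or tunnelled traffic. On real hardware the receive-side limit is the platform's frame-size check rather than the configured ip mtu as such, but the effect is the same: the drop is local and unsignalled.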
Re: BGP advertise-best-external on RR
Hi, Diverse-path will only send the second best path, and in my case I have three routes, not two. In addition to that, every PE will have to peer with the RR via a second session (on the same RR, as I will not deploy a new standalone shadow RR), and this will double the number of BGP sessions. Add-path will require a network-wide IOS upgrade for this BGP capability to be supported, which is not viable now. So, is there any other recommendation other than the internet VRF with different RDs solution? Regards, Mohamed Kamal Core Network Sr. Engineer

On 8/25/2015 11:37 AM, Jeff Tantsura wrote:
Hi, In your case I'd recommend to use diverse path, due to its simplicity and non-disruptive deployment characteristics. As you know, diverse path requires an additional BGP session per additional (second, next, etc.) path; in most cases not a problem, however mileage might vary. To my memory, in Cisco land it has only been implemented in IOS, not XR; please check. Cheers, Jeff

-----Original Message-----
From: Diptanshu Singh <diptanshu.si...@gmail.com>
Date: Monday, August 24, 2015 at 10:53 PM
To: Mohamed Kamal <mka...@noor.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Subject: Re: BGP advertise-best-external on RR

Yes. In the case of diverse path, the shadow route reflector will be the one wherever you enable commands to trigger diverse path computation. The good thing with diverse path is that the RR clients don't have to have any support, but the bad thing is that it can only reflect one additional best-path (second best path). Sent from my iPhone

On Aug 24, 2015, at 2:31 PM, Mohamed Kamal <mka...@noor.net> wrote:
It's only supported on 15.2(4)S and later, not the SRE train. I might consider an upgrade. One more question regarding this: can you configure the RR to be the main and shadow RR? Mohamed Kamal Core Network Sr. Engineer

On 8/24/2015 9:16 PM, Diptanshu Singh wrote:
BGP Add-Path might be your friend. You can look at diverse-path as well.
BGP advertise-best-external on RR
Hi, I have a classic network design with 3 gateways, each receiving a default route from a different upstream provider. Each gateway has a BGP session with a route-reflector, which in turn reflects the best BGP route to the other PE routers in the network. The route-reflectors are running the SRE train (12.2(33)SRE1), and here the problem exists. I need to leak all the default routes (3 default routes) from the gateways into the PE routers. I have done this via bgp advertise-best-external on the gateways. So far, the default routes exist on the route-reflector; however they're suppressed, as the RR will only send the best path. I have configured bgp advertise-best-external on the RR as well, but it didn't work, because the RR didn't see the different default routes received as being of external type. Cisco didn't state that clearly; it only stated that the bgp best external feature won't work on the RR unless you get an ASR loaded with IOS-XE 3.4 or later! Anyhow, does anyone here have a suggestion of how to get this done without replacing my RR, sticking to this classical network design? Thanks. -- Mohamed Kamal Core Network Sr. Engineer
Re: BGP advertise-best-external on RR
It's only supported on 15.2(4)S and later, not the SRE train. I might consider an upgrade. One more question regarding this: can you configure the RR to be the main and shadow RR? Mohamed Kamal Core Network Sr. Engineer

On 8/24/2015 9:16 PM, Diptanshu Singh wrote:
BGP Add-Path might be your friend. You can look at diverse-path as well.
Re: Cisco's IOS-XE and PCEP implementation
Here is Cisco's reply! "Given PCEP's main use-case is inter-area TE tunnels (or SDN controller in TE environment) and ASR1K is not marketed for TE, support is unlikely" What is .. "not marketed for TE"?! All in all, I don't mind replacing them with some cheaper, powerful, flexible and SDN-ready Juniper MX that are marketed for TE. Mohamed Kamal Core Network Sr. Engineer
Re: Cisco's IOS-XE and PCEP implementation
Yes, indeed! Things like VPLS, full-featured ESI and PCEP exist on IOS-XR but not IOS and IOS-XE! ISSU and HA operate differently between IOS-XE and NX-OS! Their claim is not even logical: the ASR1k supports 600 TE tunnels as head-end, and up to 10k as midpoint! So, if I had an average of 30 ASR1k in the edge, each with 500 TE tunnels, there would be over 15000 TE tunnels in the core, which will create a need for an automatic tool such as Juniper's NorthStar! Mohamed Kamal Core Network Sr. Engineer

On 4/8/2015 4:11 PM, Phil Bedard wrote:
One of the downsides to having four (at least) different control plane operating systems across your product lines. Phil
Re: Cisco's IOS-XE and PCEP implementation
> and hence being implemented on IOS-XR within the Cisco environment today
I disagree! Engineering is all about optimization, and using an ASR1k (which is being marketed as an edge/PE router) in my edge doesn't mean that my network is not a high-scale environment; it means that it fits my needs in this location, where other IOS-XR (ASR9k) fits in others. Plus, PCEP is no magic; Juniper's MX series, starting from the vMX, supports PCEP. They didn't claim that a higher-scale environment is required for this.
> the demand for online calculation has increased - either due to dependencies for new TE path-instantiating protocols (e.g., SR), or more complex constraints that cannot be well met by offline calculation or CSPF
That's why PCEP support should be added to the road-map in the near future. Mohamed Kamal Core Network Sr. Engineer
Re: PoC for shortlisted DDoS Vendors
Hello Pavel, I'm certainly biased towards open-source tools if they do the job required, and I appreciate the effort you exerted on this project. However, based upon what I saw under the features list of your tool, I assume that it can detect only volumetric DDoS attacks, based upon anomalies such as an excessive number of packets/bits/connections/flows per second against some previously learnt or set threshold values. But what about the protocol types of attack, which, in my humble opinion, are becoming more aggressive day after day? Mohamed Kamal Core Network Sr. Engineer

On 4/2/2015 5:03 PM, Pavel Odintsov wrote:
Hello! What about open source alternatives? The main part of commercial DDoS filters is simple high performance firewalls with detection logic (which is many times more stupid than a well trained network engineer). But attacks on an ISP do not arrive so often, and the detection part could be executed manually (or with OSS tools like netflow analyzers or my own FastNetMon toolkit). For wire speed filtration on 10GE (and even more if you have a modern CPU; up to 40GE) you could use netmap-ipfw with Linux or FreeBSD with simple patches (for enabling multi-process mode).

On Thursday, April 2, 2015, den...@justipit.com wrote:
You should include Radware on that list.

- Reply message -
From: Mohamed Kamal <mka...@noor.net>
To: NANOG <nanog@nanog.org>
Subject: PoC for shortlisted DDoS Vendors
Date: Wed, Apr 1, 2015 9:51 AM

In our effort to pick a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
1- RioRey
2- NSFocus
3- Arbor
4- A10
The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC. Thanks. -- Mohamed Kamal Core Network Sr. Engineer

-- Sincerely yours, Pavel Odintsov
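As an added example (not FastNetMon's code or any vendor's), here is the distinction drawn above between volumetric and protocol attacks turned into detection logic over flow records. The flow records, thresholds and addresses are constructed for illustration. Per destination it rates packets and bits per second against thresholds (the volumetric case), and separately flags a TCP SYN flood by the share of TCP flows that saw a SYN but never an ACK, which catches a low-rate flood that stays well under the volume thresholds.

```python
"""Flow-record DDoS detector: volumetric thresholds plus a SYN-flood ratio check.

Added example. Flow records, addresses and thresholds are constructed; the
Flow fields mirror what a NetFlow v5/v9 record carries (tcp_flags is the OR
of all flags seen on the flow).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

TCP, UDP = 6, 17
SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int
    tcp_flags: int = 0


def detect(flows: List[Flow], window_s: float, pps_limit: float, bps_limit: float,
           syn_ratio: float = 0.8, min_tcp_flows: int = 50) -> Dict[str, List[str]]:
    """Return {destination: [reasons]} for destinations that look attacked.

    Volumetric: packets/s or bits/s towards the destination over the window
    exceed the limits. Protocol: at least `min_tcp_flows` TCP flows and
    `syn_ratio` of them never completed the handshake (SYN seen, no ACK).
    """
    pkts = defaultdict(int)
    byts = defaultdict(int)
    tcp_flows = defaultdict(int)
    half_open = defaultdict(int)
    for f in flows:
        pkts[f.dst] += f.packets
        byts[f.dst] += f.bytes
        if f.proto == TCP:
            tcp_flows[f.dst] += 1
            if f.tcp_flags & SYN and not f.tcp_flags & ACK:
                half_open[f.dst] += 1

    findings: Dict[str, List[str]] = {}
    for dst in pkts:
        reasons = []
        pps = pkts[dst] / window_s
        bps = byts[dst] * 8 / window_s
        if pps > pps_limit:
            reasons.append(f"volumetric: {pps:.0f} pps > {pps_limit:.0f}")
        if bps > bps_limit:
            reasons.append(f"volumetric: {bps / 1e6:.0f} Mbps > {bps_limit / 1e6:.0f} Mbps")
        if tcp_flows[dst] >= min_tcp_flows and half_open[dst] / tcp_flows[dst] >= syn_ratio:
            reasons.append(f"protocol: SYN flood, {half_open[dst]}/{tcp_flows[dst]} TCP flows half-open")
        if reasons:
            findings[dst] = reasons
    return findings


def sample_flows() -> List[Flow]:
    """Constructed one-minute flow export: a SYN flood, normal HTTPS, a UDP flood."""
    flows = []
    # 200 spoofed sources, one 60-byte SYN each: tiny volume, every flow half-open
    for i in range(200):
        flows.append(Flow(f"198.51.100.{i % 250 + 1}", "203.0.113.10", TCP, 40000 + i, 443, 1, 60, SYN))
    # 100 ordinary HTTPS sessions: handshake completed, data exchanged
    for i in range(100):
        flows.append(Flow(f"192.0.2.{i % 250 + 1}", "203.0.113.20", TCP, 50000 + i, 443, 50, 60000, SYN | PSH | ACK))
    # UDP flood from five sources, 200k packets of 1400 bytes each
    for i in range(5):
        flows.append(Flow(f"198.51.100.{200 + i}", "203.0.113.30", UDP, 53, 80, 200_000, 280_000_000))
    return flows


WINDOW_S = 60
PPS_LIMIT = 10_000        # constructed thresholds; a learnt baseline would replace them
BPS_LIMIT = 100_000_000


def run() -> Dict[str, List[str]]:
    return detect(sample_flows(), WINDOW_S, PPS_LIMIT, BPS_LIMIT)


if __name__ == "__main__":
    for dst, reasons in run().items():
        print(dst, reasons)
```

Thresholds are deliberately parameters: a learnt per-destination baseline would replace the fixed limits, and the SYN-ratio check needs a minimum flow count so that one host's failed connects do not trip it. The same flag-based approach extends to other protocol patterns (for example UDP flows sourced from port 53 or 123 as a reflection signature) without touching the volumetric logic, which is the point of checking the two classes separately.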
PoC for shortlisted DDoS Vendors
In our effort to pick a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
1- RioRey
2- NSFocus
3- Arbor
4- A10
The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC. Thanks. -- Mohamed Kamal Core Network Sr. Engineer
Cisco's IOS-XE and PCEP implementation
I'm wondering why there is no MPLS-TE PCE support for IOS-XE till now?! Should I be getting a 9k/CRS on the edge to implement an automatic tool to build MPLS-TE tunnels! -- Mohamed Kamal Core Network Sr. Engineer
Carrier-grade DDoS Attack mitigation appliance
Has anyone tried any DDoS attack mitigation appliance other than Arbor Peakflow TMS? I need it to be carrier-grade in terms of capacity and redundancy, and as far as I know, Arbor is the only product in the market which offers a clean-pipe volume of traffic, so if the DDoS attack volume is, for example, 1Tbps, they will grant you, for example, 50Gbps of clean traffic. Anyway, I'm open to other suggestions, and to open-source products that can serve the same purpose; we have a network development team that can work on this. Thanks. -- Mohamed Kamal Core Network Sr. Engineer
TE offline tools
Hello, I'm curious what the tools are for computing and validating TE tunnels over the network. I read in MPLS Enabled Applications that there are tools out there that can be used to do so. Does anyone have a suggestion? Regards,
-- Mohamed Kamal
Network Engineer, Core Team
NOOR Data Networks, SAE
City Stars Capital 5 A4 Omar Ibn El Khattab Street Heliopolis, Cairo, Egypt
Mobile GSM.: +2 0100 29 49 691
Land Line.: +20 2 16700 Ext.: 139
Fax.: +20 2 3748 2816
Email.: mka...@noor.net
Re: TE offline tools
I'm aware of the Cisco MATE software, but I'd prefer an open-source, vendor-agnostic one, something in which in-house improvements can also be achieved.

On 11/2/2014 12:01 PM, mohamed Osama Saad Abo sree wrote:
You can use the Cariden tool; Cisco owns it currently, and it does all the computation needed and can draw your network topology.

Mohamed Kamal Core Network Engineer
Re: CEF problem - Traffic forwarding
On 9/15/2014 2:50 PM, lek wrote:
Hello Mohamed, Your CEF has load sharing disabled on the interface:
no ip load-sharing per-longest-match-prefix

Yes, and when I try to configure ip load-sharing per-destination, I get the following error message:
%Cannot change the load sharing mode: Per-session QoS

Regards,
Mohamed Kamal
Network Engineer, Core Team
NOOR Data Networks, SAE
City Stars Capital 5 A4 Omar Ibn El Khattab Street Heliopolis, Cairo, Egypt
Mobile GSM.: +2 0100 29 49 691
Land Line.: +20 2 16700 Ext.: 139
Fax.: +20 2 3748 2816
Email.: mka...@noor.net
CEF problem - Traffic forwarding
Hello, I have a very strange problem on my ASR-1006 BRAS router. This router is having two equal paths toward a P router via IS-IS. The BRAS is seeing the P router over the two paths and the two paths are installed in the RIB and FIB as follows: bng.rams.ca.asr1#sh ip cef 10.10.10.141 internal 10.10.10.141/32, epoch 3, RIB[I], refcount 6, per-longest-match-prefix sharing sources: RIB, LTE feature space: IPRM: 0x00028000 Broker: linked, distributed at 1st priority LFD: 10.10.10.141/32 1 local label local label info: global/592 contains path extension list disposition chain 0x7FCE5CB8C440 label switch chain 0x7FCE5CB82FC0 ifnums: GigabitEthernet0/0/0(8): 172.17.11.9 GigabitEthernet1/0/0(24): 172.17.11.17 path 7FCE67248388, path list 7FCE5FF51A40, share 1/1, type attached nexthop, for IPv4 MPLS short path extensions: MOI flags = 0x0 label implicit-null nexthop 172.17.11.9 GigabitEthernet0/0/0, adjacency IP adj out of GigabitEthernet0/0/0, addr 172.17.11.9 7FCE5C406958 path 7FCE6724B5B8, path list 7FCE5FF51A40, share 1/1, type attached nexthop, for IPv4 MPLS short path extensions: MOI flags = 0x0 label implicit-null nexthop 172.17.11.17 GigabitEthernet1/0/0, adjacency IP adj out of GigabitEthernet1/0/0, addr 172.17.11.17 7FCE5079A540 output chain: IP adj out of GigabitEthernet0/0/0, addr 172.17.11.9 7FCE5C406958 The problem is, CEF is seeing the two paths equal, but the output chain is only having one exit interface and the traffic is traversing this interface only! 
This is the interface config:

bng.rams.ca.asr1#sh run all | sec 0/0/0
interface GigabitEthernet0/0/0
 description Connected to p1 router
 mtu 1600
 ip address 172.17.11.10 255.255.255.252
 ip redirects
 ip unreachables
 ip proxy-arp
 ip mtu 1600
 no ip load-sharing per-longest-match-prefix
 ip cef accounting non-recursive internal
 ip router isis
 ip flow monitor adsl input
 ip flow monitor adsl output
 ip pim dr-priority 1
 ip pim query-interval 30
 ip mfib forwarding input
 ip mfib forwarding output
 ip mfib cef input
 ip mfib cef output
 ip route-cache cef
 ip route-cache
 ip split-horizon
 ip igmp last-member-query-interval 1000
 ip igmp last-member-query-count 2
 ip igmp query-max-response-time 10
 ip igmp version 2
 ip igmp query-interval 60
 ip igmp tcn query count 2
 ip igmp tcn query interval 10
interface GigabitEthernet1/0/0
 description Connected to p1 router
 mtu 1600
 ip address 172.17.11.18 255.255.255.252
 ip redirects
 ip unreachables
 ip proxy-arp
 ip mtu 1600
 no ip load-sharing per-longest-match-prefix
 ip cef accounting non-recursive internal
 ip router isis
 ip flow monitor adsl input
 ip flow monitor adsl output
 ip pim dr-priority 1
 ip pim query-interval 30
 ip mfib forwarding input
 ip mfib forwarding output
 ip mfib cef input
 ip mfib cef output
 ip route-cache cef
 ip route-cache
 ip split-horizon
 ip igmp last-member-query-interval 1000
 ip igmp last-member-query-count 2
 ip igmp query-max-response-time 10
 ip igmp version 2
 ip igmp query-interval 60
 ip igmp tcn query count 2
 ip igmp tcn query interval 10

So, what do you think?

Regards,
Mohamed Kamal
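As an added illustration (not part of the original thread), the following Python parses a "show ip cef ... internal" capture and reports next hops that CEF lists as paths but never places in the output chain, which is exactly the mismatch shown above. The sample text is constructed from the output in the post; the function names are my own.

```python
"""Check a 'show ip cef <prefix> internal' capture for next hops that CEF
installed as paths but never placed in the output chain (the symptom above)."""
import re

# Constructed sample, reproducing the structure of the output in the post.
SAMPLE = """\
10.10.10.141/32, epoch 3, RIB[I], refcount 6, per-longest-match-prefix sharing
  ifnums:
   GigabitEthernet0/0/0(8): 172.17.11.9
   GigabitEthernet1/0/0(24): 172.17.11.17
  path 7FCE67248388, path list 7FCE5FF51A40, share 1/1, type attached nexthop, for IPv4
  nexthop 172.17.11.9 GigabitEthernet0/0/0, adjacency IP adj out of GigabitEthernet0/0/0, addr 172.17.11.9 7FCE5C406958
  path 7FCE6724B5B8, path list 7FCE5FF51A40, share 1/1, type attached nexthop, for IPv4
  nexthop 172.17.11.17 GigabitEthernet1/0/0, adjacency IP adj out of GigabitEthernet1/0/0, addr 172.17.11.17 7FCE5079A540
  output chain: IP adj out of GigabitEthernet0/0/0, addr 172.17.11.9 7FCE5C406958
"""

NEXTHOP_RE = re.compile(r"^\s*nexthop\s+(\S+)\s+(\S+),")
ADJ_RE = re.compile(r"IP adj out of (\S+), addr (\S+)")


def parse_cef_internal(text):
    """Return (paths, chain): the next hops CEF lists as paths and the
    adjacencies that actually appear in the output chain, as (interface, addr)."""
    paths, chain, in_chain = [], [], False
    for line in text.splitlines():
        if m := NEXTHOP_RE.match(line):
            paths.append((m.group(2), m.group(1)))
        elif line.strip().startswith("output chain:"):
            in_chain = True
        if in_chain:  # the chain may span several lines (e.g. a loadinfo block)
            chain.extend(ADJ_RE.findall(line))
    return paths, chain


def unused_paths(text):
    """Installed paths that carry no traffic because they are absent from the chain."""
    paths, chain = parse_cef_internal(text)
    return [p for p in paths if p not in set(chain)]


if __name__ == "__main__":
    for iface, addr in unused_paths(SAMPLE):
        print(f"path via {addr} on {iface} is installed but not in the output chain")
```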
BGP selection criteria in a VXR-G2 running SB code
Hi,

In brief, I have a VRF configured on a PE router, which is a 7200-G2 running 12.2(31)SB18. I import two route targets, one of which belongs to another VRF. Now I receive two default routes, one from each VRF, and my question is: why did the PE router prefer the default route from 192.168.253.252:20500:0.0.0.0/0, although it is the newer one, as presented below? (I have removed the RT and then added it again, so that the route becomes the more recent one.) Any ideas?

pe1#sh ip bg vpnv4 vrf network 0.0.0.0/0
BGP routing table entry for 192.168.253.210:10:0.0.0.0/0, version 43143585
Paths: (1 available, best #1, table network)
Flag: 0x420
  Advertised to update-groups:
     3
  Local, imported path from 192.168.253.252:10:0.0.0.0/0
    192.168.253.251 (metric 2010) from 192.168.253.110 (192.168.253.110)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:20500:10
      Originator: 192.168.253.252, Cluster list: 192.168.253.110
      mpls labels in/out nolabel/719
pe1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
pe1(config)#ip vrf network
pe1(config-vrf)# route-target import 20500:20500
pe1(config-vrf)#^Z
pe1#sh ip bg vpnv4 vrf network 0.0.0.0/0
BGP routing table entry for 192.168.253.210:10:0.0.0.0/0, version 43146664
Paths: (2 available, best #1, table network)
Flag: 0x420
  Advertised to update-groups:
     3
  Local, imported path from 192.168.253.252:20500:0.0.0.0/0
    192.168.253.251 (metric 2010) from 192.168.253.110 (192.168.253.110)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:20500:20500
      Originator: 192.168.253.252, Cluster list: 192.168.253.110
      mpls labels in/out nolabel/825
  Local, imported path from 192.168.253.252:10:0.0.0.0/0
    192.168.253.251 (metric 2010) from 192.168.253.110 (192.168.253.110)
      Origin incomplete, metric 0, localpref 100, valid, internal
      Extended Community: RT:20500:10
      Originator: 192.168.253.252, Cluster list: 192.168.253.110
      mpls labels in/out nolabel/719

-- 
Mohamed Kamal
Network Engineer, Core Team
NOOR Data Networks, SAE
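As an added example (not from the original post), the following Python parses the per-path blocks of the "show ip bgp vpnv4" output above into the attributes the best-path comparison looks at and reports which of them differ between the candidates. On this sample every compared attribute ties and only the import source, route target and label differ, which is the situation the poster is asking about; the sample text is constructed from the post and the attribute names are my own.

```python
"""Parse the path blocks of 'show ip bgp vpnv4 vrf <vrf> <prefix>' output and report which best-path attributes differ."""
import re

# Constructed sample, shaped like the second output in the post above.
SAMPLE = """\
  Local, imported path from 192.168.253.252:20500:0.0.0.0/0
    192.168.253.251 (metric 2010) from 192.168.253.110 (192.168.253.110)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:20500:20500
      Originator: 192.168.253.252, Cluster list: 192.168.253.110
      mpls labels in/out nolabel/825
  Local, imported path from 192.168.253.252:10:0.0.0.0/0
    192.168.253.251 (metric 2010) from 192.168.253.110 (192.168.253.110)
      Origin incomplete, metric 0, localpref 100, valid, internal
      Extended Community: RT:20500:10
      Originator: 192.168.253.252, Cluster list: 192.168.253.110
      mpls labels in/out nolabel/719
"""

# A path block opens with a 2-space-indented "Local" or AS-path line.
HEADER = re.compile(r"^  (Local|\d[\d ]*?)(?:, imported path from (\S+))?\s*$")
NEXTHOP = re.compile(r"^\s+(\S+)(?: \(metric (\d+)\))? from (\S+) \((\S+)\)")
ATTRS = re.compile(r"Origin (\w+), metric (\d+), localpref (\d+)(.*)")
CLUSTER = re.compile(r"Originator: (\S+), Cluster list: (.*)")
# Some of the attributes the best-path algorithm compares; RD, RT and label are not among them.
COMPARED = ("localpref", "as_path", "origin", "med", "igp_metric", "originator", "cluster_len")


def parse_paths(text):
    paths = []
    for line in text.splitlines():
        if h := HEADER.match(line):
            paths.append({"as_path": h.group(1), "imported_from": h.group(2)})
        elif not paths:
            continue
        elif m := NEXTHOP.match(line):
            paths[-1].update(nexthop=m.group(1), igp_metric=m.group(2), neighbor=m.group(3))
        elif m := ATTRS.search(line):
            paths[-1].update(origin=m.group(1), med=m.group(2), localpref=m.group(3),
                             best=bool(re.search(r"\bbest\b", m.group(4))))
        elif m := CLUSTER.search(line):
            paths[-1].update(originator=m.group(1), cluster_len=len(m.group(2).split()))
        elif "Extended Community:" in line:
            paths[-1]["ext_community"] = line.split(":", 1)[1].strip()
        elif "mpls labels in/out" in line:
            paths[-1]["labels"] = line.split()[-1]
    return paths


def differing(paths, keys=COMPARED):
    """Attribute names whose values are not identical across all paths."""
    return [k for k in keys if len({p.get(k) for p in paths}) > 1]
```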