Richard's employer is exactly the kind of organization that has not
been able to effectively multi-home their discrete branch-offices on
the IPv4 Internet, because RIR allocation policy set the bar for
receiving IPv4 addresses for those small locations just high enough to
steer us away from that "f
> Most people do not know about the "multi-homing feature" designed into
> IPv6. Most people who do, seem to agree that it may not see enough
> practical use to have meaningful impact on routing table growth, which
> will no longer be kept in check by a limited pool of IP addresses and
> policies
At 22-07-28164 20:59, Richard Barnes wrote:
Hi all,
What IPv6 prefix lengths are people accepting in BGP from
peers/customers? My employer just got a /48 allocation from ARIN, and
we're trying to figure out how to support multiple end sites out of
this (probably around 10). I was thinking abou
On Thu, 13 Jan 2011, Owen DeLong wrote:
Most people do not know about the "multi-homing feature" designed into
IPv6. Most people who do, seem to agree that it may not see enough
practical use to have meaningful impact on routing table growth, which
will no longer be kept in check by a limited
This is way offtopic, but I figured this would be a good place to
ask. Anyone using Netgear GSM7352S-200 in production?
http://www.netgear.com/images/GSM7328Sv2_GSM7352Sv2_23Sept1018-10817.pdf
I know, it's Netgear, but how badly does it blow chunks?
Inquiring minds, etc.
(Disclaimer: I am curre
On Jan 13, 2011, at 10:49 , Owen DeLong wrote:
>> Most people do not know about the "multi-homing feature" designed into
>> IPv6. Most people who do, seem to agree that it may not see enough
>> practical use to have meaningful impact on routing table growth, which
>> will no longer be kept in ch
On Wed, Jan 12, 2011 at 11:10:16PM -0800, Scott Weeks wrote:
> To be fair to Cisco and maybe I'm way off here. But it seems they do
> come out with a way to do things first which then become a standard
> that they have to follow.
>
> ISL/DOT1Q
> HSRP/VRRP
> etherchannel/LACP
Yes, and then they
From my experience - A key thing to consider from any vendor is their
support - Cisco has great support and a large support organization. I've
seen them turn around complex problems very rapidly for their customers.
Additionally, someone already mentioned investment protection and that Cisco
keep
For ISL, I know they are trying to phase that out. For the exams, they are
based on dot1q.
Even if I had all cisco equipment, I'd try to go with standards because you
never know down the road where you may
need to use another vendor.
I wouldn't use EIGRP if given a choice, I'd go with OSPF
I have been asked to investigate the costs of adding transit capacity for
a national ISP in the middle east/asia.
they have access to a FLAG landing station.
can someone provide pointers as to where to start?
private emails would be good, and i'll summarize.
thanx.
--
Jim Mercerj...@
- Original Message -
From: "Chuck Anderson"
To:
Sent: Thursday, January 13, 2011 7:18 AM
Subject: Re: Is Cisco equpiment de facto for you?
On Wed, Jan 12, 2011 at 11:10:16PM -0800, Scott Weeks wrote:
To be fair to Cisco and maybe I'm way off here. But it seems they do
come out wit
- Original Message -
From: "Brandon Kim"
To: ; "nanog group"
Sent: Thursday, January 13, 2011 8:46 AM
Subject: RE: Is Cisco equpiment de facto for you?
For ISL, I know they are trying to phase that out. For the exams, they are
based on dot1q.
Even if I had all cisco equipm
On 1/13/2011 8:46 AM, Brandon Kim wrote:
For ISL, I know they are trying to phase that out. For the exams, they are
based on dot1q.
Even if I had all cisco equipment, I'd try to go with standards because you
never know down the road where you may
need to use another vendor.
I wouldn't
On 1/12/2011 9:33 PM, Owen DeLong wrote:
If you are proxying everything, then, there isn't any actual NAT. There are
inside sessions and outside sessions.
Depends on the proxy mechanism used. In a transparent firewall proxy
layout, it generally is still considered NAT. The proxy capabilities
On Jan 13, 2011, at 9:59 AM, Jack Bates wrote:
> The proxy capabilities of the firewall are additional security measures on
> top of the NAT (and definitely should be deployed for their higher security
> value).
Not in front of servers, they shouldn't - because they have a negative security
v
On 1/13/2011 10:54 AM, Dobbins, Roland wrote:
Not in front of servers, they shouldn't - because they have a negative security
value in that context.
I agree. Any content checks and reporting should be handled by the
server and not a firewall proxy which might have its own security
vulnera
ARIN is pleased to offer a Meetings Fellowship Program to bring new
voices and ideas to public policy discussions. This call is for Fellows
to attend ARIN XXVII in San Juan, Puerto Rico from 10-13 April 2011. If
you have never attended an ARIN meeting and are interested in
participating in the
On Thu, Jan 13, 2011 at 11:54 AM, Dobbins, Roland wrote:
> On Jan 13, 2011, at 9:59 AM, Jack Bates wrote:
>> The proxy capabilities of the firewall are additional security
>> measures on top of the NAT (and definitely should be
>> deployed for their higher security value).
>
> Not in front of serv
On 1/13/2011 11:56 AM, William Herrin wrote:
So all the folks who use reverse proxies like an http accelerator are wrong?
They have their purpose. However, depending on the security rating of
the accelerator versus the security rating of the backend server will
depend on the negative or p
On Thu, Jan 13, 2011 at 1:11 PM, Jack Bates wrote:
> On 1/13/2011 11:56 AM, William Herrin wrote:
>> So all the folks who use reverse proxies like an http accelerator are
>> wrong?
>
> They have their purpose. However, depending on the security rating of the
> accelerator versus the security rati
if you have multiple sites you should request a direct assignment later
than /48. previous $employer received a /44 direct assignment on the
basis of north american footprint.
On 1/13/11 4:49 AM, Richard Barnes wrote:
> Hi all,
>
> What IPv6 prefix lengths are people accepting in BGP from
> peer
On Wednesday, January 12, 2011 12:01:27 pm George Bonser wrote:
> With v4 PAT, you can not
> be sure which address/port on the external IP maps to which address/port
> on the inside IP at any given moment and PAT is stateful in that an
> outbound packet is required to start the mapping.
On Cisco
I know where I have worked we have had a mixture of Juniper and Cisco
equipment. Personally buying a Juniper Router like a M or a T series is
like buying a Ferrari. I like Cisco personally and they are cheaper than
buying a Juniper. For example a M-series is always going to cost some
bucks after
Once upon a time, Michael Ruiz said:
> I like Cisco personally and they are cheaper than
> buying a Juniper. For example a M-series is always going to cost some
> bucks after you factor the FPC and the PICS that need to be loaded.
We didn't find that to be the case, after you factor in all the C
On 1/13/2011 1:35 PM, Michael Ruiz wrote:
For example a M-series is always going to cost some
bucks after you factor the FPC and the PICS that need to be loaded.
I find this usually has to do with the fact that there is no "backup to
software processing" on a Juniper. Every feature it supports
On Wednesday, January 12, 2011 12:16:27 pm valdis.kletni...@vt.edu wrote:
> 140 million compromised PC's, most of them behind a NAT, can't be wrong. :)
How many more would there be if most PC's were not behind NAT or stateful
firewalling?
Or, to turn it on its ear, "Windows is the best OS; 25
>I find this usually has to do with the fact that there is no "backup to
>software processing" on a Juniper. Every feature it supports, it does so
>in hardware. If the hardware won't do it, then JUNOS won't do it.
>The exception has been the multiservices PIC, which is being obsoleted
>with the
On 1/13/2011 1:48 PM, Michael Ruiz wrote:
Yeah another thing I love about the JUNOS is the rollback command. Whew
I can tell you a few times where that has saved my bacon a few times and
the commit and check command.:-)
Cisco IOS has a similar feature.
reload in 5
make changes
verify things a
On Thu, 13 Jan 2011, Michael Ruiz wrote:
Yeah another thing I love about the JUNOS is the rollback command. Whew
I can tell you a few times where that has saved my bacon a few times and
the commit and check command. :-)
Definite +1 for rollback and commit check - and also show | compare
jms
The catch is being able to do it without reloading!
"commit confirm" will help a lot as well. In case your commit
annihilates your ssh session. ;)
Scott
On 1/13/11 2:51 PM, Jack Bates wrote:
> On 1/13/2011 1:48 PM, Michael Ruiz wrote:
>> Yeah another thing I love about the JUNOS is the rollba
In a message written on Thu, Jan 13, 2011 at 01:48:27PM -0600, Michael Ruiz
wrote:
> Yeah another thing I love about the JUNOS is the rollback command. Whew
> I can tell you a few times where that has saved my bacon a few times and
> the commit and check command. :-)
Cisco marketing seems to hav
>Cisco marketing seems to have dropped the ball on this one, but IOS has
>had a feature that allows you to save a number of configurations, do
>diff's, and generally behave similar to the JunOS method for quite a
>while. You'll want to check out the "archive" command.
>http://blogs.techrepublic.com
at one shop where i considered using Juniper instead of a Cisco internet edge
router, the cost of the Juniper was so close to the Cisco it was a non
consideration. The only reason we went with Cisco that time was due to the
fact most of the other gear was Cisco, and it seemed to make more se
On Wednesday, March 21, 2007 05:41:00 am Tarig Ahmed wrote:
> Is it true that NAT can provide more security?
Blast from the past
Whew, is there any subject more guaranteed to cause a long thread than this? :-)
I have some ideas on this; there are some creative manglings one can do with
NAT
>Cisco IOS has a similar feature.
>
>reload in 5
>make changes
>verify things are working
>reload cancel
There seems to be a better way to do it in IOS that will not reload the router:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtrollbk.html
I haven't tried it since all my g
Subway subs started offering toasted as an option in response to the
success of Quiznos Subs.
So many vendors have been chasing the "me too" feature match behind
Cisco for so many years it's interesting to see Cisco doing the same
behind Juniper.
-b
--
Bill Blackford
Network Engineer
Logged in
On Jan 13, 2011, at 11:44 AM, Lamar Owen wrote:
> On Wednesday, January 12, 2011 12:16:27 pm valdis.kletni...@vt.edu wrote:
>> 140 million compromised PC's, most of them behind a NAT, can't be wrong. :)
>
> How many more would there be if most PC's were not behind NAT or stateful
> firewalling?
On Jan 13, 2011, at 11:51 AM, Jack Bates wrote:
> On 1/13/2011 1:48 PM, Michael Ruiz wrote:
>> Yeah another thing I love about the JUNOS is the rollback command. Whew
>> I can tell you a few times where that has saved my bacon a few times and
>> the commit and check command.:-)
>
> Cisco IOS ha
On 1/13/2011 2:58 PM, Owen DeLong wrote:
reload in 5
make changes
verify things are working
reload cancel
It's a little different on a redundant processor system, as you have to reload
both processors. It's also a 2-20 minute outage while you reload, but it does
beat 2 hour drives.
Not
On Jan 13, 2011, at 11:51 AM, Jack Bates wrote:
> On 1/13/2011 1:48 PM, Michael Ruiz wrote:
>> Yeah another thing I love about the JUNOS is the rollback command. Whew
>> I can tell you a few times where that has saved my bacon a few times and
>> the commit and check command.:-)
>
> Cisco IOS has
On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
> That's simply not true. Every end user running NAT is running a stateful
> firewall with a default inbound deny.
This is demonstrably not correct. Even in the case of dynamic overloaded NAT,
at least on Cisco, there is no firewall
On Jan 13, 2011, at 1:21 PM, Lamar Owen wrote:
> On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
>> That's simply not true. Every end user running NAT is running a stateful
>> firewall with a default inbound deny.
>
> This is demonstrably not correct. Even in the case of dynamic
Cheers.. to M.A.R.'s related view
On Jan 13, 2011 12:37 PM, "Michael Ruiz" wrote:
I know where I have worked we have had a mixture of Juniper and Cisco
equipment. Personally buying a Juniper Router like a M or a T series is
like buying a Ferrari. I like Cisco personally and they are cheaper tha
On Thursday, January 13, 2011 04:32:17 pm Owen DeLong wrote:
> No match, no rewrite, no forward.
This is what you're missing; 'no rewrite' does not mean 'no forward'.
Non-rewritten packets along with the rewritten *are* forwarded to routing; in a
firewall they're not forwarded to routing. What
On 1/13/2011 2:44 PM, Thomas Magill wrote:
Cisco IOS has a similar feature.
reload in 5
make changes
verify things are working
reload cancel
There seems to be a better way to do it in IOS that will not reload the router:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtrollb
JC Dill wrote:
Scruz is ~30-45 minutes from the heart of the internet on the west coast
(Silicon Valley). If your $dayjob isn't in scruz, then it's most likely
IN Silicon Valley. So locate your 1U server in Silicon Valley, where
Yes it's in the Valley and I do consider locating it there. Bu
On 1/13/11 11:30 PM, Jeroen van Aart wrote:
> JC Dill wrote:
>> Scruz is ~30-45 minutes from the heart of the internet on the west
>> coast (Silicon Valley). If your $dayjob isn't in scruz, then it's
>> most likely IN Silicon Valley. So locate your 1U server in Silicon
>> Valley, where
>
> Yes
> The problem is, it doesn't seem to support an automated rollback
> function. You'd need OOB to get access in many cases to do the rollback.
I thought that is what 'configure terminal revert timer x' did. It looks like
you have to do a 'configure confirm' before the revert time expires or it
On Wed, Jan 12, 2011 at 10:02 PM, Mark Andrews wrote:
> In message ,
> William
> Herrin writes:
>> There's actually a large difference between something that's
>> impossible for a technology to do (even in theory), something that the
>> technology has been programmed not to do and something that
I know the way I used to do it at a previous company is we
deployed the Cisco 12000 series router with the CHOC12-DS1-IR-SC module
so we can 336 T1 out of that puppy. The only down side is there is a
limitation on the number of channel groups. If doing something other
than just handing off
We used that topology, with an Adtran MX 2800 19" rack version. We
would take our channelize DS-3 from the Telco and the Cisco PA-MC2T3
cards and in turn wire those to a DSX-1 panel. We then did 1 to 1 DS1
X-connects on the panel. That was starting to get too much of a pain as
services grew, so
On Jan 13, 2011, at 5:48 PM, William Herrin wrote:
> On Wed, Jan 12, 2011 at 10:02 PM, Mark Andrews wrote:
>> In message ,
>> William
>> Herrin writes:
>>> There's actually a large difference between something that's
>>> impossible for a technology to do (even in theory), something that the
>>
On 1/13/11 5:48 PM, William Herrin wrote:
On Wed, Jan 12, 2011 at 10:02 PM, Mark Andrews wrote:
In message,
William
Herrin writes:
There's actually a large difference between something that's
impossible for a technology to do (even in theory), something that the
technology has been programm