Re: cpu needed to NAT 45mbs
> A second CPU or core will help tremendously. We used to use single-CPU boxes for this and we noticed that traffic sometimes stalls when the machine has to do some task other than NATting, such as expiring idle flows. Having a second CPU or core will help keep latency much more uniform. We have a few dual 3.2GHz Xeon boxes (not the ones based on Core, the older ones) that NAT/FW across two GE interfaces. They do quite well up to about 300Mb/s, then we start to see issues. We believe the issues are due to overloading the NB-SB link. A more modern mobo probably wouldn't have this problem.

Since we are talking about PC Routers... 300Mb/s is a limitation we've seen before... especially related to interrupts overwhelming the system. Modern ethernet cards (non-interrupt based) and a modern OS with support for all of their offloading and zero-copy functions will improve this greatly. Current FreeBSD is significantly faster than current Linux implementations for this kind of work.

But (as I told the OP privately) 45mb/s is a joke and doesn't really need anything more than a 400MHz P-II with two Intel EtherExpress cards and 1GB of RAM. Even for 4,000 downstream connections. A few $200-$300 L3 switches can do this just as well.

Deepak Jain
AiNET
RE: cpu needed to NAT 45mbs
> From my experience, a fast P4 linux box with 2 good NICs can NAT
> 45Mbps easily. I am NAT/PATing >4,000 desktops with extensive
> access control lists and no speed issues. This isn't over a 45Mb
> T3--this is over 100 Mb Ethernet.
>
> --Patrick Darden
> --ARMC, Internetworking Manager

A second CPU or core will help tremendously. We used to use single-CPU boxes for this and we noticed that traffic sometimes stalls when the machine has to do some task other than NATting, such as expiring idle flows. Having a second CPU or core will help keep latency much more uniform. We have a few dual 3.2GHz Xeon boxes (not the ones based on Core, the older ones) that NAT/FW across two GE interfaces. They do quite well up to about 300Mb/s, then we start to see issues. We believe the issues are due to overloading the NB-SB link. A more modern mobo probably wouldn't have this problem.

DS
Re: cpu needed to NAT 45mbs
On 11/8/07, Carl Karsten <[EMAIL PROTECTED]> wrote:
>
> I do the networking in my house, and hang out with guys that do networking in
> small offices that have a few T1s. Now I am talking to people about a DS3
> connection for 500 laptops*, and I am being told "a p4 linux box with 2 nics
> doing NAT will not be able to handle the load." I am not really qualified to
> say one way or the other. I bet someone here is.

how about just looking at what a production MSSP would roll out for a similar situation.. a nokia ip530-class box (I think it's a ip580 these days) with Checkpoint as the 'firewall'... Certainly (poke fbsd fanboys) an fbsd box of similar config can perform as well, yes? :)

I recall the ip530 being an intel P3-ish system (http://www.google.com/search?hl=en&q=nokia+ip530&btnG=Google+Search) I think we selected these at a past job because it could handle 2 quad FE cards and a DS3 card...
Could an Earthlink e-mail admin please contact me off list
Greetings,

Could an Earthlink e-mail admin please contact me off list, or someone that could get me in contact with one.

Thanks,
Bill Sehmel

--
Bill Sehmel -- [EMAIL PROTECTED] -- 1-206-438-5900 x4302
Systems Administrator, HopOne Internet Corp. SEA2 NOC
Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.net ASN 14361
Re: cpu needed to NAT 45mbs
Darden, Patrick S. wrote:
>
> From my experience, a fast P4 linux box with 2 good NICs can NAT
> 45Mbps easily. I am NAT/PATing >4,000 desktops with extensive access
> control lists and no speed issues. This isn't over a 45Mb T3--this
> is over 100 Mb Ethernet.

NAT processing requirement thresholds are all about *flows* per second, not *bytes* per second. Once you have a cached flow, it's trivial. The overhead of statefully tracking flows, setup, teardown, timeouts, housecleaning, etc., are the limiting factors.

If you want to stress-test it, you should benchmark it with SQL Slammer :-)

Jeff
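Jeff's point, flows per second rather than bytes per second, in a toy stateful NAT (NAPT) table. This is an added example, not code from the thread or from any of the boxes discussed in it. Translating a packet on an existing flow is one dictionary lookup; creating a flow allocates a public port and inserts state, and the housekeeping sweep that expires idle flows walks the whole table. The two workloads contrast a single bulk TCP transfer with a Slammer-style burst (one small UDP datagram per target at 1434/udp, every one a new flow). The addresses, port range, packet sizes, timings and the 30-second idle timeout are all constructed for the demonstration; `NatTable`, `bulk_transfer` and `slammer_like` are names chosen here.

```python
"""Toy stateful NAT (NAPT) table.  Added example, not code from the thread:
it shows why NAT cost tracks flows per second rather than bytes per second.
All packets, addresses, port ranges and timings are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass
class Flow:
    public_port: int
    last_seen: float
    packets: int = 0
    bytes: int = 0


@dataclass
class Stats:
    lookups: int = 0   # cheap: hash lookup of an existing flow
    setups: int = 0    # expensive: port allocation + state insert
    expiries: int = 0  # expensive: housekeeping sweep over the table
    dropped: int = 0   # no public port left to hand out


class NatTable:
    def __init__(self, public_ip: str, port_lo: int = 1024, port_hi: int = 65535,
                 idle_timeout: float = 30.0) -> None:
        self.public_ip = public_ip
        # pop() takes from the end, so port_lo is handed out first
        self.free_ports = list(range(port_hi, port_lo - 1, -1))
        self.idle_timeout = idle_timeout
        self.flows: Dict[FlowKey, Flow] = {}
        self.stats = Stats()

    def translate(self, key: FlowKey, size: int, now: float) -> Optional[Tuple[str, int]]:
        """Return the (public_ip, public_port) the packet is rewritten to, or None if dropped."""
        flow = self.flows.get(key)
        if flow is None:
            if not self.free_ports:
                self.stats.dropped += 1
                return None
            flow = Flow(self.free_ports.pop(), now)
            self.flows[key] = flow
            self.stats.setups += 1
        else:
            self.stats.lookups += 1
        flow.last_seen = now
        flow.packets += 1
        flow.bytes += size
        return self.public_ip, flow.public_port

    def expire_idle(self, now: float) -> int:
        """Housekeeping: tear down flows idle longer than the timeout and recycle their ports."""
        dead = [k for k, f in self.flows.items() if now - f.last_seen > self.idle_timeout]
        for k in dead:
            self.free_ports.append(self.flows.pop(k).public_port)
        self.stats.expiries += len(dead)
        return len(dead)


def bulk_transfer(nat: NatTable, packets: int = 10_000, size: int = 1500) -> Stats:
    """One long-lived TCP flow moving ~15 MB: a single setup, then cheap lookups."""
    key = ("10.0.0.5", 40000, "198.51.100.9", 80, "tcp")
    for i in range(packets):
        nat.translate(key, size, now=i * 0.001)
    return nat.stats


def slammer_like(nat: NatTable, infected: int = 20, targets: int = 500, size: int = 404) -> Stats:
    """Slammer-style: each infected inside host fires one small UDP datagram at
    1434/udp on hundreds of different destinations; every packet is a new flow,
    so ~4 MB of traffic costs 10,000 setups and, later, 10,000 expiries."""
    i = 0
    for h in range(infected):
        for t in range(targets):
            key = (f"10.0.1.{h}", 1024 + h, f"198.18.{t // 256}.{t % 256}", 1434, "udp")
            nat.translate(key, size, now=i * 0.001)
            i += 1
    return nat.stats


if __name__ == "__main__":
    nat = NatTable("203.0.113.1")
    print("bulk   :", bulk_transfer(nat))
    nat = NatTable("203.0.113.1")
    print("slammer:", slammer_like(nat))
    print("expired:", nat.expire_idle(now=100.0))
    small = NatTable("203.0.113.1", port_lo=60000, port_hi=60999)  # tiny pool: 1000 ports
    print("small  :", slammer_like(small))
```

The third run, with a deliberately tiny port pool, shows the other failure mode of a NAT under a worm: once the pool is exhausted, new flows are dropped until the housekeeping sweep returns ports, so the sweep cannot simply be deferred to idle time.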
Re: cpu needed to NAT 45mbs
> I do the networking in my house, and hang out with guys that do networking in
> small offices that have a few T1s. Now I am talking to people about a DS3
> connection for 500 laptops*, and I am being told "a p4 linux box with 2 nics
> doing NAT will not be able to handle the load." I am not really qualified
> to say one way or the other. I bet someone here is.

So, are they Microsoft fans, or Cisco fans, or __ fans? For any of the above, you can make the corresponding product fail too. :-)

The usual rules for PC's-as-routers apply. You can find extensive discussions of this on lists such as the Quagga list (despite the list being intended for routing _protocols_ rather than routing platforms) and the Soekris (embedded PC) lists. Briefly,

1) Small packet traffic is harder than large packet traffic,
2) Good network cards and competent OS configuration will help extensively,
3) The more firewall rules, the slower things will tend to be (highly implementation-dependent)
4) In the case of NAT, it would seem to layer some additional delays on top of #3.

We've successfully used a carefully designed FreeBSD machine (PIII-850, dual fxp) as a load balancer in the past, which shares quite a few similarities to a NAT device. The great upside is complete transparency as to what's happening and why, and the ability to affect this as desired. I don't know how close we ran to 100Mbps, but I know we exceeded 45.

With sufficient speed, you can make up for many sins, including a relatively naive implementation. With that in mind, I'd guess that you are more likely to be successful than not. The downside is that if it doesn't work out, you can recycle that PC into a more traditional role.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again."
- Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
RE: cpu needed to NAT 45mbs
From my experience, a fast P4 linux box with 2 good NICs can NAT 45Mbps easily. I am NAT/PATing >4,000 desktops with extensive access control lists and no speed issues. This isn't over a 45Mb T3--this is over 100 Mb Ethernet.

--Patrick Darden
--ARMC, Internetworking Manager

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Carl Karsten
Sent: Thursday, November 08, 2007 2:25 PM
To: nanog@merit.edu
Subject: cpu needed to NAT 45mbs

I do the networking in my house, and hang out with guys that do networking in small offices that have a few T1s. Now I am talking to people about a DS3 connection for 500 laptops*, and I am being told "a p4 linux box with 2 nics doing NAT will not be able to handle the load." I am not really qualified to say one way or the other. I bet someone here is.

* for wifi, going to be using this system: http://wavonline.com/vendorpages/extricom.htm March 13-17 (testing a week or 2 before) for PyCon in Chicago. If anyone wants to see it in action, etc. drop me a line.

Carl K
cpu needed to NAT 45mbs
I do the networking in my house, and hang out with guys that do networking in small offices that have a few T1s. Now I am talking to people about a DS3 connection for 500 laptops*, and I am being told "a p4 linux box with 2 nics doing NAT will not be able to handle the load." I am not really qualified to say one way or the other. I bet someone here is.

* for wifi, going to be using this system: http://wavonline.com/vendorpages/extricom.htm March 13-17 (testing a week or 2 before) for PyCon in Chicago. If anyone wants to see it in action, etc. drop me a line.

Carl K
update [Re: routeviews down?]
We're back now. Please let us know ([EMAIL PROTECTED]) if you notice anything "strange". Thanks, and sorry again for the inconvenience.

Dave
Re: Abusive traffic from Microsoft China?
What are you seeing? port 80 traffic? port 25? thousands of random connections sounds like web indexing to me.

-Dan

On Thu, 8 Nov 2007, David Hubbard wrote:

Just wondering if anyone else is seeing huge random floods of traffic from:

inetnum: 202.96.51.128 - 202.96.51.255
netname: MICROSOFT-CO
descr: Microsft (China) Co.Ltd
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: [EMAIL PROTECTED] 20060926
status: ALLOCATED NON-PORTABLE
source: APNIC
changed: [EMAIL PROTECTED] 20060926

On a nearly daily basis we see them randomly open thousands of connections from a variety of addresses in that block to multiple servers. I've emailed of course but that results in nothing. Probably will just end up blocking them.

Thanks,

David
RE: Abusive traffic from Microsoft China?
I am seeing what I can find out about this block. Thanks, Christian -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Pooser Sent: Thursday, November 08, 2007 9:59 AM To: nanog@merit.edu Subject: Re: Abusive traffic from Microsoft China? > Looks fishy. Why would a company the size of Microsoft register a > single /25? I doubt MS really owns that block. especially since I think MS knows how to spell its own name: > descr:Microsft (China) Co.Ltd -- Dave Pooser, ACSA Manager of Information Services Alford Media http://www.alfordmedia.com
Re: Abusive traffic from Microsoft China?
On 11/8/07, Dave Pooser <[EMAIL PROTECTED]> wrote:
>
> > Looks fishy. Why would a company the size of Microsoft register a
> > single /25? I doubt MS really owns that block.
>
> especially since I think MS knows how to spell its own name:
> > descr:Microsft (China) Co.Ltd

the provider (CNC group) does all of this, MS/the-customer-in-question doesn't touch this...(sure they can complain 'you spelled me wrong', but)
Re: Abusive traffic from Microsoft China?
> Looks fishy. Why would a company the size of Microsoft register a > single /25? I doubt MS really owns that block. especially since I think MS knows how to spell its own name: > descr:Microsft (China) Co.Ltd -- Dave Pooser, ACSA Manager of Information Services Alford Media http://www.alfordmedia.com
Re: Least Sucky Backbone Provider
Adding a bit to this, folks who give their experiences with the transits might want to mention whether they are predominantly an eyeball or content network. For example, our experience with Cogent is the reverse of the original poster's, but we are 90%ish eyeballs. I suspect that might be the difference. Others?

John

At 12:38 AM 11/6/2007, Adam Rothschild wrote:

On 2007-11-05-10:51:58, Gregory Boehnlein <[EMAIL PROTECTED]> wrote:
> I'm considering dropping Cogent completely [...]

Always a good idea.

> 1. Level 3
> 2. MCI/Verizon
> 3. AT&T
>
> I'm looking for comments from actual customers of the above providers in
> relation to;
>
> 1. Network reliability and performance

As Vijay reminds us time and time again, engineering a large, reliable, network isn't particularly difficult these days. Indeed, none of the candidates you name above suffer from major reliability problems.

> 2. Responsiveness to outages
> 3. Proactive notification of network maintenance

All large providers lack in these areas, some more than others. Even with preferred support, it's not uncommon to get asked if you get dial tone on your OC-48, or if 10GE is "like a T1" -- I do, weekly. Plan accordingly.

With that in mind, key differentiators I'd focus on when selecting a transit provider include provisioning intervals, tools/automation, routing policy/feature support, and reachability to specific ASNs. I'd summarize the above vendors as follows. Please forgive the rambling, and if you deem any of this off topic, kindly hit the 'd' key and spare us the chatter. (Me personally, I consider vendor reviews and pseudo-arch discussions like this fascinating and acutely on-topic, though I can see where others may disagree...)

Level(3) (AS 3356, not legacy Wiltel, Broadwing): All in all, thoroughly "gets it". Robust implementation of inbound and outbound BGP communities; prefix-list auto-generation off IRR; working blackhole community; IPv6 support, though tunneled. Support folk are smarter than average; provisioning times are slower than average. Large collection of "eyeball" customers.

Verizon Business (AS 701, formerly UUNET, MCI, et al): Solid as a rock, though beginning to show its age. Supports a blackhole community (kudos to cmorrow, et al, for setting the trend there), though few/coarse others outbound. No inbound communities; 1995 called and asked for its as-path filters back :-). Older equipment (Juniper M40, Cisco 12008 w/ E0-E3 cards, ...) is still common in the edge, thus availability of 10GE customer ports is sparse outside of specific hotels. Presents frequently on, but is not yet equipped to offer, IPv6 customer connectivity. Significant eyeball base, specifically Verizon DSL and FTTx customers.

AT&T (AS 7018): Solid connectivity and architecture; sharp folk who are also active in the NANOG community (tscholl, ren, jayb, ...). Significant eyeball base as represented by AT&T (SBC, Ameritech, BellSouth) DSL/FTTx customers and various cable MSOs, though the latter is slowly dwindling. With that said, it is important to realize that their commodity IP product is tailored towards enterprises with leased lines, not your typical NANOG/SP demographic. Accordingly, some friendly advice here would be to lay out your specific requirements (wrt communities, prefix listing, source address verification, IP ACLs, dampening, ...) as a part of the contract/RFP process, lest you might find yourself frustrated by various defaults.

HTH,
-a (speaking on behalf of himself only)
Re: Abusive traffic from Microsoft China?
Yeah.. I would nmap it, see what's there and check for web sites etc. Also check revdns/fwddns for the address space and see if they match and have microsoft registered domains.

--
Leigh

Church, Charles wrote:
> Looks fishy. Why would a company the size of Microsoft register a
> single /25? I doubt MS really owns that block. Sounds more like a
> hacker playground to me.
>
> Chuck
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> David Hubbard
> Sent: Thursday, November 08, 2007 12:23 PM
> To: nanog@merit.edu
> Subject: Abusive traffic from Microsoft China?
>
> Just wondering if anyone else is seeing huge random
> floods of traffic from:
>
> inetnum: 202.96.51.128 - 202.96.51.255
> netname: MICROSOFT-CO
> descr: Microsft (China) Co.Ltd
> country: CN
> admin-c: CH455-AP
> tech-c: SY21-AP
> mnt-by: MAINT-CNCGROUP-BJ
> changed: [EMAIL PROTECTED] 20060926
> status: ALLOCATED NON-PORTABLE
> source: APNIC
> changed: [EMAIL PROTECTED] 20060926
>
> On a nearly daily basis we see them randomly open
> thousands of connections from a variety of addresses
> in that block to multiple servers. I've emailed
> of course but that results in nothing. Probably
> will just end up blocking them.
>
> Thanks,
>
> David
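Leigh's second suggestion, checking that reverse and forward DNS agree across the block and seeing whose domains the PTRs land in, as an added example that is not code from the thread. It walks every address in a block, resolves its PTR, resolves that name forward again, and labels each address: no PTR, forward-confirmed reverse DNS failing (the PTR names a host that does not resolve back to the address), passing under a domain the registered owner would be expected to control, or passing under someone else's domain. The default resolvers go through the system stub resolver; the resolver tables for 192.0.2.0/29 used by `demo()` are constructed so the block runs offline, and `audit_block`, `classify_host` and the expected-domain list are choices made here, not anything from the thread. A /25 such as the one being discussed is 128 lookups, so the same function works unchanged on it with the system resolvers.

```python
"""Forward-confirmed reverse DNS audit of an address block.  Added example,
not from the thread; the resolver tables for 192.0.2.0/29 are constructed."""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, Optional, Set

PtrResolver = Callable[[str], Optional[str]]  # ip -> PTR hostname, or None
FwdResolver = Callable[[str], Set[str]]       # hostname -> set of A records


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the system stub resolver (used when no fake is injected)."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def system_fwd(name: str) -> Set[str]:
    """A-record lookup through the system stub resolver."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


def classify_host(ip: str, ptr: Optional[str], fwd_ips: Set[str],
                  expected_domains: Iterable[str]) -> str:
    if ptr is None:
        return "no-ptr"                 # nobody bothered to name it
    if ip not in fwd_ips:
        return "forward-mismatch"       # PTR names a host that does not resolve back here
    if any(ptr == d or ptr.endswith("." + d) for d in expected_domains):
        return "ok-expected-domain"     # FCrDNS passes under the claimed owner's domain
    return "ok-other-domain"            # FCrDNS passes, but under someone else's domain


def audit_block(block: str, expected_domains: Iterable[str],
                ptr: PtrResolver = system_ptr, fwd: FwdResolver = system_fwd) -> Dict[str, str]:
    """Classify every address in `block`; resolvers are injectable for testing."""
    expected = [d.lower().rstrip(".") for d in expected_domains]
    results: Dict[str, str] = {}
    for addr in ipaddress.ip_network(block, strict=False):
        ip = str(addr)
        name = ptr(ip)
        results[ip] = classify_host(ip, name, fwd(name) if name else set(), expected)
    return results


def summarize(results: Dict[str, str]) -> Counter:
    return Counter(results.values())


# Constructed resolver data for the documentation range 192.0.2.0/29 (not real DNS).
CONSTRUCTED_PTR = {
    "192.0.2.1": "mail.example.com",
    "192.0.2.2": "www.example.com",
    "192.0.2.3": "host-3.isp.example.net",  # forward record points somewhere else
    "192.0.2.4": "crawler.example.org",     # consistent, but not the expected domain
    # .0, .5, .6, .7 have no PTR
}
CONSTRUCTED_FWD = {
    "mail.example.com": {"192.0.2.1"},
    "www.example.com": {"192.0.2.2", "192.0.2.12"},
    "host-3.isp.example.net": {"192.0.2.99"},
    "crawler.example.org": {"192.0.2.4"},
}


def demo() -> Dict[str, str]:
    """Run the audit against the constructed tables, so no network access is needed."""
    return audit_block("192.0.2.0/29", ["example.com"],
                       ptr=lambda ip: CONSTRUCTED_PTR.get(ip),
                       fwd=lambda name: CONSTRUCTED_FWD.get(name, set()))


if __name__ == "__main__":
    res = demo()
    for ip, status in res.items():
        print(f"{ip:<12} {status}")
    print(dict(summarize(res)))
```

A PTR under the owner's domain that forward-confirms is weak evidence the block is what whois says it is; a block full of generic ISP-style names, or of PTRs that do not resolve back, says only that the provider populated (or did not populate) the zone, which is consistent with the point made later in the thread that the upstream maintains these records, not the customer.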
Re: Abusive traffic from Microsoft China?
On 11/8/07, Church, Charles <[EMAIL PROTECTED]> wrote:
>
> Looks fishy. Why would a company the size of Microsoft register a
> single /25? I doubt MS really owns that block. Sounds more like a

They have a small office there serviced by a dsl link to the local telco (CNCGroup)... This happens all the time.

> hacker playground to me.
>

maybe, probably not though.

> Chuck
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> David Hubbard
> Sent: Thursday, November 08, 2007 12:23 PM
> To: nanog@merit.edu
> Subject: Abusive traffic from Microsoft China?
>
> Just wondering if anyone else is seeing huge random
> floods of traffic from:
>
> inetnum: 202.96.51.128 - 202.96.51.255
> netname: MICROSOFT-CO
> descr: Microsft (China) Co.Ltd
> country: CN
> admin-c: CH455-AP
> tech-c: SY21-AP
> mnt-by: MAINT-CNCGROUP-BJ
> changed: [EMAIL PROTECTED] 20060926
> status: ALLOCATED NON-PORTABLE
> source: APNIC
> changed: [EMAIL PROTECTED] 20060926
>
> On a nearly daily basis we see them randomly open
> thousands of connections from a variety of addresses
> in that block to multiple servers. I've emailed
> of course but that results in nothing. Probably
> will just end up blocking them.
>
> Thanks,
>
> David
RE: Abusive traffic from Microsoft China?
Looks fishy. Why would a company the size of Microsoft register a single /25? I doubt MS really owns that block. Sounds more like a hacker playground to me.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Hubbard
Sent: Thursday, November 08, 2007 12:23 PM
To: nanog@merit.edu
Subject: Abusive traffic from Microsoft China?

Just wondering if anyone else is seeing huge random floods of traffic from:

inetnum: 202.96.51.128 - 202.96.51.255
netname: MICROSOFT-CO
descr: Microsft (China) Co.Ltd
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: [EMAIL PROTECTED] 20060926
status: ALLOCATED NON-PORTABLE
source: APNIC
changed: [EMAIL PROTECTED] 20060926

On a nearly daily basis we see them randomly open thousands of connections from a variety of addresses in that block to multiple servers. I've emailed of course but that results in nothing. Probably will just end up blocking them.

Thanks,

David
Abusive traffic from Microsoft China?
Just wondering if anyone else is seeing huge random floods of traffic from:

inetnum: 202.96.51.128 - 202.96.51.255
netname: MICROSOFT-CO
descr: Microsft (China) Co.Ltd
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: [EMAIL PROTECTED] 20060926
status: ALLOCATED NON-PORTABLE
source: APNIC
changed: [EMAIL PROTECTED] 20060926

On a nearly daily basis we see them randomly open thousands of connections from a variety of addresses in that block to multiple servers. I've emailed of course but that results in nothing. Probably will just end up blocking them.

Thanks,

David
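Dan's reply earlier in the thread asks the question that decides whether to block: which ports, from how many sources, to how many servers. Thousands of connections confined to 80/443 and spread across many servers look like an indexer; the same volume across dozens of ports from one place looks like a scan. The following is an added example, not code from the thread or from the poster's firewall, that answers that question from log lines. The iptables-style log format, every line in it, the `summarize_by_block` and `classify` names, and the thresholds (95% of connections on web ports for "crawler-like", ten or more distinct ports for "scan-like") are all constructed for the demonstration and are starting points, not tuned values.

```python
"""Classify connection activity from an address block using firewall log lines.
Added example, not from the thread; the log format and all lines are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Any, Dict, Iterable, List

# Matches the constructed iptables-style format used below: src=... dst=... dport=...
LINE = re.compile(r"src=(\S+)\s+dst=(\S+).*?dport=(\d+)")
WEB_PORTS = {80, 443}


def summarize_by_block(lines: Iterable[str], block: str) -> Dict[str, Any]:
    """Count connections whose source falls inside `block`, by source, server and port."""
    net = ipaddress.ip_network(block, strict=False)
    sources, servers, ports = set(), set(), Counter()
    n = 0
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        try:
            if ipaddress.ip_address(src) not in net:
                continue
        except ValueError:  # malformed address in the log
            continue
        n += 1
        sources.add(src)
        servers.add(dst)
        ports[dport] += 1
    return {"connections": n, "distinct_sources": len(sources),
            "distinct_servers": len(servers), "ports": dict(ports)}


def classify(summary: Dict[str, Any]) -> str:
    """Label the pattern; thresholds are constructed starting points."""
    n = summary["connections"]
    if n == 0:
        return "none"
    ports: Dict[int, int] = summary["ports"]
    web_share = sum(c for p, c in ports.items() if p in WEB_PORTS) / n
    if web_share >= 0.95 and summary["distinct_servers"] > 1:
        return "crawler-like"   # web only, spread over servers: smells like indexing
    if len(ports) >= 10:
        return "scan-like"      # many ports from the same place: port scan
    return "other"


def constructed_log() -> List[str]:
    """Constructed sample lines (not real data): four sources in the block hitting
    six web servers, one unrelated source, and one scanner in 198.18.0.0/15."""
    lines = []
    crawler_srcs = ["202.96.51.130", "202.96.51.140", "202.96.51.171", "202.96.51.250"]
    servers = [f"198.51.100.{i}" for i in range(10, 16)]
    for src in crawler_srcs:
        for dst in servers:
            lines.append(f"Nov  8 12:23:01 fw kernel: ACCEPT src={src} dst={dst} proto=tcp dport=80")
    lines.append("Nov  8 12:23:02 fw kernel: ACCEPT src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=80")
    for port in (21, 22, 23, 25, 53, 110, 135, 139, 445, 1433, 1434, 3389):
        lines.append(f"Nov  8 12:23:03 fw kernel: DROP src=198.18.0.9 dst=198.51.100.10 proto=tcp dport={port}")
    return lines


def demo() -> Dict[str, str]:
    """Classify the two source blocks in the constructed log."""
    log = constructed_log()
    return {block: classify(summarize_by_block(log, block))
            for block in ("202.96.51.128/25", "198.18.0.0/15")}


if __name__ == "__main__":
    log = constructed_log()
    for block in ("202.96.51.128/25", "198.18.0.0/15"):
        s = summarize_by_block(log, block)
        print(block, s, "->", classify(s))
```

Run against a real day of logs, the summary for the block is what to put in the abuse report: the count, the spread across sources and servers, and the port mix make the case in one line, and the classification says whether a rate limit on the web ports would do instead of a blanket block.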
Brief update [Re: routeviews down?]
I'm down in the Oregon Hall switch room and what I see is that it appears one of the power transfer switches we had failed and shorted out between two UPSs. Most things are back up, with the notable exception of archive.routeviews.org (which is fscking at the moment; which is going to take awhile). I'll update you all as soon as I have additional information.

Thank you for your patience, and sorry about the inconvenience.

Dave
Re: routeviews down?
On Thu, Nov 08, 2007 at 09:09:56AM -0600, Ryan Harden wrote:
> Our BGP Session to them has been up and down several times over the last
> few days, but is currently up.

Yeah, the problem was power in the UO switch room power distribution. Suffice it to say that there have been multiple failures over the past few days.

Dave
Re: routeviews down?
On Thu, Nov 08, 2007 at 06:54:27AM -0800, Randy Bush wrote:
>
> it seems to be broken in a number of ways. i reported a few hours ago.

We're having problems with switch room power. We're working on it. Sorry about the inconvenience.

Dave
Re: Getting DSL at your datacenter for OOB
I don't understand why stand alone (naked) DSL is so hard to get in non-Qwest territory. Qwest will provision one no questions asked or needed. Alex Pilosov wroteth on 11/7/2007 11:15 PM: On Wed, 7 Nov 2007, David Ulevitch wrote: We had a great experience doing this with Sonic.net at PAIX in Palo Alto but have had no success at our other sites. (Sonic.net isn't a national DSL provider) Has anyone found providers who can provision DSL circuits at: EQNX ASH, the MMR at 111 8th, and the Westin in Seattle? Speakeasy, after trying valiantly, finally just gave up saying they just couldn't make it happen. It's not rocket science. You order POTS line from the LEC. Then you order DSL from your favorite shared-line DSL provider on that POTS line. Trying to get non-lineshared-dsl might be a challenge. However, I recommend POTS + DSL, for additional OOB-ness, you can plug your DSL modem into the OOB ethernet and your analog modem into OOB serial network. fwiw, we are providing dsl to 111 8th MMR, the one running the free wifi there :) -alex [not posting as mlc anything]
Re: routeviews down?
Our BGP Session to them has been up and down several times over the last few days, but is currently up.

/Ryan

Randy Bush wrote:
> it seems to be broken in a number of ways. i reported a few hours ago.
>
> randy

--
Ryan M. Harden, BS, KC9IHX        Office: 217-265-5192
CITES - Network Engineering       Cell: 630-363-0365
2130 Digital Computer Lab         Fax: 217-244-7089
1304 W. Springfield               email: [EMAIL PROTECTED]
Urbana, IL 61801
University of Illinois at Urbana/Champaign
University of Illinois - ICCN
Re: routeviews down?
it seems to be broken in a number of ways. i reported a few hours ago. randy
routeviews down?
I can ping routeviews.org but can't connect via http. Just looking for confirmation it isn't just me.

jas
Re: AS 7018 BGP blackhole / AT&T contact sought
I too have received nothing but blank stares from 7018 MIS on this. Surprising considering the NANOG presentation on how to do community based bitbuckets was co-authored by someone from ATT (yeah, I know, mega company and all). Please post back to list if you get anywhere. On 11/7/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > > > I am sorry to hear you have encountered difficulties Nathan. Your > > > request will be forward to team members within AT&T today for > > > assistance. > > > > Thanks, Ren. I will wait to hear from one of these team > > members you referred to. > > I went to http://puck.nether.net/netops/ and tried to search for AT&T. > > Nothing. > > Then I tried AT and I got a list that included 4 entries for AT&T. I > wonder whether those AT&T entries are up to date and whether someone is > planning to update them, if not. > > Also, a suggestion for Jared. Perhaps you could drop the search > function, which clearly is inferior to Ctrl-F in my browser, and just > provide a bunch of links for all possible first letters of the names in > your database. > > --Michael Dillon >