Re: Weekly Routing Table Report

2012-07-20 Thread Ron Broersma 

On Jul 20, 2012, at 1:04 PM, valdis.kletni...@vt.edu wrote:
 On Sat, 21 Jul 2012 05:10:41 +1000, Routing Analysis Role Account said:
 BGP routing table entries examined:  418048
 So, whatever happened to that whole the internet will catch fire when
 we get to 280K routing table entries or whatever it was? :)

We added memory where we could, or bought bigger routers.  The new 
(conventional wisdom) limit is 1M routes.




smime.p7s
Description: S/MIME cryptographic signature

Re: Switch designed for mirroring tap ports

2012-03-01 Thread Ron Broersma 
Be careful when considering the Anue products.  When we evaluated both Anue and 
Gigamon, we had to rule out Anue due to total lack of IPv6 support, and went 
with Gigamon instead.  I have not heard whether the situation has changed in 
the last year.  We liked both products for their functionality and ease of use, 
but for us IPv6 was the distinguishing capability.

--Ron

Ron Broersma
DREN Chief Engineer

On Mar 1, 2012, at 9:50 AM, Slade, Ian wrote:

 Yes, the Cat 6500s are limited to a certain number of SPAN/port
 monitoring sessions.
 
 Another tool, we've switched to after using the Gigamon for many years
 are taps and the Anue 5236 (10Gb) port aggregator.  From this we can
 split the SPAN feeds into different IDS/monitoring servers or load-share
 among several output servers.  It is a great tool and very easy GUI to
 control the feeds and output ports.
 
 
 Ian Slade
 Sr. Network Engineer, SAIC ITS Systems Engineering
 ian.sl...@saic.com  703-676-5234  http://www.saic.com
 
 
 -Original Message-
 From: nanog-bounces+ian.slade=saic@nanog.org
 [mailto:nanog-bounces+ian.slade=saic@nanog.org] On Behalf Of A.
 Pishdadi
 Sent: Thursday, March 01, 2012 3:54 AM
 To: gwoo...@gmail.com
 Cc: NANOG
 Subject: Re: Switch designed for mirroring tap ports
 
 No the issue isnt monitoring many ports at once, its having more then 1
 set of monitoring or 2 sets in the 6500 case. So I am monitoring say
 port channel 1 to ports 1 2 3 4, and port channel 2 , ports 4 5 6 and 7.
 After that I cannot monitor anymore ports.
 
 On Thu, Mar 1, 2012 at 2:34 AM, gwoo...@gmail.com gwoo...@gmail.com
 wrote:
 
 Instead of monitoring the physical interface, monitor the vlan from a 
 Cisco IOS perspective on a CAT6500.  This will capture all physical 
 interfaces associated with that vlan for mirroring/span.
 
 HTH
 
 Jonathan
 #22744
 
 Sent from my HTC on the Now Network from Sprint!
 
 
 - Reply message -
 From: A. Pishdadi apishd...@gmail.com
 Date: Wed, Feb 29, 2012 11:12 pm
 Subject: Switch designed for mirroring tap ports
 To: NANOG nanog@nanog.org
 
 Hello All,
 
 We are looking for a switch or a device that we can use for mirroring 
 tap ports. For example , take a mirror port off of a core router say a
 
 6509, connect it to a port on said device, say port 1. I would like 
 then to be able to mirror port 1 on said device to multiple ports,  
 like port 2 , 3, 4. We have the need to analyze traffic from one port
 on multiple devices.
 Seems most switches are limited to mirroring to a max of 1 or 2 ports.
 
 
 Any suggestions would be great.
 
 Thanks,
 Ameen
 
 
 
 



smime.p7s
Description: S/MIME cryptographic signature

Re: Is Cisco equpiment de facto for you?

2011-01-11 Thread Ron Broersma 

 Brocade device's pre Foundry purchase correct?  I can't see anyone that large 
 using Foundry in large deployments..

Foundry/Brocade is used heavily in portions of DoD's research and engineering 
community.  It is usually preferred where you need high 10Gig port density, 
IPv6, and/or sflow.  But Juniper and Cisco are used heavily as well, depending 
on local requirements and culture.
--Ron



smime.p7s
Description: S/MIME cryptographic signature

Re: [members-discuss] Re: RIPE NCC Position On The ITU IPv6 Group (fwd)

2010-03-01 Thread Ron Broersma 

On Mar 1, 2010, at 9:25 AM, valdis.kletni...@vt.edu wrote:

 On Mon, 01 Mar 2010 16:42:15 +0100, Arjan van der Oest said:
 
 (considering the fact that governments themselves are not capable of
 running anything but a gray-cheese-with-a-dial telephone network
 
 Hm, I was under the impression that ARPANET was a government run
 network...
 
 And let's face it - the Arpa/Milnet was a test network, not a production
 network.  

It may have started as a research network, but was very much used for 
production activities by late 70's and early 80's.

--Ron
(Site coordinator for Arpanet IMP #3)

Re: IPv6 Deployment for the LAN

2009-10-19 Thread Ron Broersma 


On Oct 18, 2009, at 2:38 PM, Ray Soucy wrote:

On Sun, Oct 18, 2009 at 4:28 PM, Steven Bellovin  
s...@cs.columbia.edu wrote:


My question is this: what are your goals?  What are you trying to  
achieve?




As I read this whole thread, I had similar questions coming to mind.


The greater concern is that SLAAC makes IPv6 available to hosts that
may not be prepared for it.  If administrators are asked if they would
like IPv6 enabled, having been explained the implications of such if
SLAAC is used for configuration, the majority of the time they come
back and say thanks, but no thanks.  In this situation, SLAAC is
holding back deployment of IPv6.  I suspect other have seen this as
well.


I do not understand the big concern here, but that is probably because  
my own perspective and approach is somewhat different than yours.  In  
my humble opinion, those of us that are network operators need to  
provide robust IPv6 connectivity and services to our customers today,  
and customers with IPv6-enabled devices should automatically have IPv6  
connectivity (i.e. automatically get an address and default route)  
with minimal hassle and configuration effort on their side.  If they  
decide they don't want IPv6, it is up to them to disable it, because  
they are the exception, not the rule.  Besides, systems administrators  
are probably the wrong ones to ask, because they will most often opt  
for don't change anything that might break something or make me do  
more work.


I just don't see how SLAAC is holding back deployment.  In my  
experience, SLAAC is your friend, given that DHCPv6 is not yet  
available for most of the client world (i.e. Windows XP, Mac OSX).   
I've seen only one case out of thousands of customers where enabling  
IPv6 on the client broke access to a single remote web site, but that  
was because of a flaw in the DNS implementation for that remote site.   
Wait, there was one other case where the problem turned out to be a  
bad NIC.  I think you are overly concerned about breaking someone by  
enabling SLAAC on all your nets.  Rather, focus on making sure that  
you have robust IPv6 connectivity and infrastructure and peering/ 
transit.  If you do find situations where something breaks, then put  
your energies into resolving those situations, which benefits the  
whole community.  Our philosophy has been aggressive IPv6-enablement  
is the right thing to do, and don't be afraid to break some glass.



Part of the problem here is that IPv6 isn't new; it's old.
Implementations have been in place for years on certain systems
without proper testing as they have gone largely unused.  We've seen
cases where older versions of Linux can be crashed by enabling SLAAC
on a network being one example.


Those cases are increasingly rare, and can be fixed.  Don't let such  
concerns stop you from IPv6-enabling your nets.  As a network  
operator, you are doing the right thing by enabling IPv6 on all your  
nets, and it is not your fault if sys admins aren't keeping their  
systems patched.



By using DHCPv6 we gain some advantages: We can automatically update
DNS for hosts so that IPv4 records and IPv6 records match; We have the
ability to roll out DHCPv6 on a per-host basis without causing
problems on the production IP network; and we can roll it in to our
existing [home grown] tools for network management in a way that is
easy for users of the system to understand (keep in mind, we provide
tools to delegate network control to hundreds of sub-administrators
throughout the State).


When I started rolling out IPv6 to my nets many years ago, I was of  
the same mindset.  I wanted the same mechanisms for managing addresses  
and DNS as I had in place for IPv4, and do dynamic DNS updates out of  
DHCP.  But, I quickly changed my approach after seeing the huge lack  
of client side support for DHCPv6, and serious interoperability issues  
where it did exist.  What we did find is a fairly simple means to use  
SLAAC and still keep DNS updated automatically for IPv6 addresses by  
polling the routers and doing the mapping to clone the IPv4 DNS  
entries for IPv6.  That works very well for us.



The original question here wasn't SLAAC vs. DHCPv6.  I think many
network operators here who are tasked with managing anything of scale
will agree that SLAAC doesn't quite cut it and is often a step
backwards.  The overhead of implementing and administering such a
system at this scale generally wins out over not doing so.

The question I was mainly concerned with was if anyone has encountered
issues with the use of an 80-bit prefix to prevent SLAAC from being
active.  While the prefix advertisement does have the autonomous flag
which can be set to false, the underlying problem of IPv6
implementations not being consistent across hosts operating systems
yet doesn't change.  I'm not convinced that there aren't
implementations out there that will enable SLAAC regardless of what
the prefix flag is set to, so using