Re: CGNAT - Seeking Real World Experience
Don't try deterministic NAT, it's not worth it. You'll waste a lot of port capacity on most users, and it might still be problematic for power users. Just try to match one user to one real IP; many sites/applications don't like it when there are several requests from one user with different IPs. After that just stack as many users on one IP as you can and that's it. It's the only way CGN can be worth the trouble. If you really need to know who was using which port, just log them and correlate them when/if the need arises.

On 24.11.2016 00:17, Adam wrote:
I'm crunching the numbers on the cost effectiveness of implementing CGN vs IPv4 auctions. The determining factor is how many ephemeral ports are reserved for each customer. This is for a residential broadband environment.

Is anybody doing deterministic NAT/PAT (i.e. each customer gets X ports - no more, no less)? My thinking is that X=8192 would cover even the power users. However, with only 8 customers per public IPv4 address, CGN is not worth the trouble. With X=8192, our money and time would better be spent acquiring additional IPv4 space. Are people successfully using a smaller deterministic port allocation? What's your X?

If I can't make the numbers work for deterministic NAT, I might be able to live with dynamic port assignments. Specifically, I'm referring to what vendor J calls "Port Block Allocation". I was thinking 1024 ports per block, with up to 8 blocks per customer (and a bunch of log correlation to determine who was using which ip:port tuple at a given datetime). I *can* make the math work out in favor of CGN if the average customer uses <= 3072 ports (3 blocks). But is that going to be enough?

I'd love to hear other people's experiences. Thanks!

-Adam
Re: strategies to mitigate DNS amplification attacks in ISP network
flowspec. Probably the best method if you have competent engineers and uplinks who can give you bgp flowspec. Makes bandwidth attacks amusing instead of annoying.
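As an added illustration (my own code, not the poster's) of what a flowspec rule actually carries to the upstream: a small Python encoder for the BGP Flow Specification NLRI of RFC 8955, producing a rule that matches reflected DNS answers (UDP, source port 53) towards a victim prefix, together with the traffic-rate extended community that tells the upstream how hard to police the match. The victim prefix 192.0.2.0/24 and the rate are placeholders; the encoder covers IPv4 flowspec only.

```python
"""Encode a BGP Flow Specification rule (RFC 8955) that matches reflected
DNS answers, i.e. UDP packets with source port 53, towards a victim prefix,
plus the traffic-rate extended community that tells upstream routers how
hard to police it.  Constructed example; 192.0.2.0/24 is a placeholder."""
import ipaddress
import struct

# Flowspec component types, RFC 8955 section 4.2.2 (they must appear in
# ascending type order inside one NLRI)
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT, PKT_LEN = 1, 2, 3, 4, 5, 6, 10
UDP = 17


def prefix_component(ctype: int, prefix: str) -> bytes:
    """Type 1/2: one byte type, one byte prefix length, then only the
    significant prefix octets (IPv4 only; IPv6 flowspec adds an offset byte)."""
    net = ipaddress.ip_network(prefix)
    if net.version != 4:
        raise ValueError("this encoder covers IPv4 flowspec only")
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_op(value: int, end: bool) -> bytes:
    """One {operator, value} pair.  Operator byte: 0x80 end-of-list,
    0x40 AND-with-next (0 = OR), bits 5-4 value length (0 -> 1 octet,
    1 -> 2 octets), 0x04 lt, 0x02 gt, 0x01 eq.  Only equality is emitted."""
    if value < 256:
        length_code, packed = 0, struct.pack("!B", value)
    elif value < 65536:
        length_code, packed = 1, struct.pack("!H", value)
    else:
        raise ValueError("value too large for this encoder")
    op = (0x80 if end else 0x00) | (length_code << 4) | 0x01
    return bytes([op]) + packed


def numeric_component(ctype: int, values) -> bytes:
    """Type 3..12: match any one of the listed values (an OR list)."""
    out = bytes([ctype])
    for i, v in enumerate(values):
        out += _numeric_op(v, end=(i == len(values) - 1))
    return out


def flowspec_nlri(components) -> bytes:
    """Length-prefixed NLRI: a single length octet below 240, else 0xFnnn."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def traffic_rate_community(bytes_per_second: float, asn: int = 0) -> bytes:
    """traffic-rate extended community (type 0x80, sub-type 0x06): 2-octet AS,
    then a 4-octet IEEE 754 float of bytes per second.  0.0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(bytes_per_second))


def dns_reflection_rule(victim_prefix: str) -> bytes:
    """UDP from source port 53 towards the victim: the reflected-answer
    traffic of a DNS amplification attack as it arrives at the ISP edge."""
    return flowspec_nlri([
        prefix_component(DEST_PREFIX, victim_prefix),
        numeric_component(IP_PROTO, [UDP]),
        numeric_component(SRC_PORT, [53]),
    ])


if __name__ == "__main__":
    print("NLRI       :", dns_reflection_rule("192.0.2.0/24").hex())
    print("rate-limit :", traffic_rate_community(12_500_000).hex())  # ~100 Mbit/s
```

The NLRI travels in MP_REACH_NLRI with AFI 1 / SAFI 133 and the community in the extended-communities attribute; a rate of 0 turns the rule into a drop. Policing rather than dropping keeps legitimate DNS answers flowing to the victim while the attack is on, which is why the rate action is usually preferred over discard for this match.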
Re: OPM Data Breach - Whitehouse Petition - Help Wanted
18.06.2015 18:00, shawn wilson wrote:
I'd actually be interested in a discussion of how much you can possibly improve / degrade on a network that big from a management position.

That's quite an interesting topic, isn't it? Dilbert still has his job so it might as well be immutable. :-)
Re: Enterprise network as an ISP with a single huge customer
13.06.2015 05:35, Randy Bush wrote:
i have seen a lot of this done with firewall devices and vlans.

with vlans or mpls, you can make spaghetti without wires, one wheat and one semolina.

oh absolutely. you can use many tools to lop off your fingers, my point was that things like mpls (or vlans) provide a nice other tool to use along with your firewalls and such. of course you ought not willy-nilly go crazy with this, but... imagine if the 'hr department' were in one contiguous 'VRF' which had a defined set of 2-3 exit points to control access through... while those willy 'engineers' could be stuck in their own ghetto/VRF and have a different set of 2-3 exit points to control. Expand your network over many locations and in large buildings and ... it can be attractive to run a 2547 network that the company is a 'customer' of, or so I was thinking :)

i have seen people successful with this with mpls and with vlans with non-mpls tunnel tech (e.g. ipsec for the paranoid). i have seen them screw the pooch with both.

randy

You can compartmentalize your network in lots of ways. What I'd like to know is what ways failed harder in other people's experience (or at least faster). I'm not sure doing it ISP style is better, but I think it has some benefits. Then again, the opposite is true as well, less complexity means more stability. Usually.
Enterprise network as an ISP with a single huge customer
Hello,

I'm sure lots of you work for big enterprises, and some of you work for the biggest of them. How many of you architect your network as an ISP, with that enterprise as the biggest customer? Office networks in l3vpn, VPLS/EVPN on top of your own network for DCI, etc.? Or is it usually just a single IGP domain with no unnecessary bells and whistles? Do you think one approach is better than the other? If so, why? I understand that it usually comes down to specific circumstances and most likely scale, but I'd still love to hear about your experience.
Re: Recommended L2 switches for a new IXP
Is there any particular reason you prefer EX4600 over QFX5100? Not counting obvious differences like ports and upgrade options. It's the same chipset after all, and with all upgrades they have the same 10G density (with breakouts). Is that because you can have more 40G ports with EX4600? I'm still trying to find out if there are any noticeable software or feature differences.

On 13.01.2015 09:01, Mark Tinka wrote:
On Monday, January 12, 2015 11:41:20 PM Tony Wicks wrote:
People seem to be avoiding recommending actual devices, well I would recommend the Juniper EX4600 - http://www.juniper.net/us/en/products-services/switching/ex-series/ex4600/ They are affordable, highly scalable, stackable and run JunOS.

We've been quite happy with the EX4550, but the EX4600 is good too, particularly if you're coming from its younger brother.

Mark.
Re: Tech Laptop with DB9
I want to reiterate on AirConsole because it IS amazing. I don't even grab a laptop when I go onsite anymore, just an AirConsole, its usb-serial cable and a tablet. A laptop can be a requirement if you need more than a serial, but using serial-over-wifi and a tablet is an incredible quality of life upgrade if you only need a quick reconfigure most of the time. Even if you have to use a laptop, it's so much better not to be attached to the rack so you can find a more comfortable place to work. Although it's kinda strange that the Android app is free but the iOS one isn't. Also I wish I could use their wifi as a simple bridge without its own DHCP while using a serial, it'd be even nicer for troubleshooting.
Re: Cheap LSN/CGN/NAT444 Solution
On 30.06.2014 14:12, Roland Dobbins wrote:
I've seen huge problems from compromised machines completely killing NATs from the southbound side.

It depends on the CGN solution used. Some of them will just block new translations for that user after reaching the limit, and that's it.

On 30.06.2014 09:59, Skeeve Stevens wrote:
I am after a LSN/CGN/NAT444 solution to put about 1000 Residential profile NBN speeds (fastest 100/40) services behind. I am looking at a Cisco ASR1001/2, pfSense and am willing to consider other options, including open source. Obviously the cheaper the better.

ASR1k NAT is known to be problematic (nat overload specifically), don't know if they fixed it yet. I recommend checking this with the vendor first.

New Juniper MS-MIC/MS-MPC multiservices cards can be used but feature parity with MS-DPC isn't there yet. For example, you can have a working CGN with most bells and whistles, but you can't use IDS. You can (probably) use deterministic NAT with max ports/sessions per user, but sometimes it's not enough. Again, ask the vendor for details/roadmaps/solutions.

Both those options aren't really cheap though. Cheaper would be something like Mikrotik but I wouldn't touch that sh*t with a ten-foot pole. It might work but you'll pay for that with your sanity and sleep hours.

Speaking of cheap and open-source, I know several relatively large implementations using Linux boxes. One Linux NAT box can chew on at least 1Gb/s of traffic, or even more with a careful selection of hardware and even more careful tuning, and you can load-balance between them, but it's much more effort and it isn't robust enough (which is the reason why they all migrate to better solutions later).

BTW, I agree that you should speak in PPS and bandwidth instead of number of users, those are much better as a metric.

This solution is for v4 only, and needs to consider the profile of the typical residential users.
Any pitfalls would be helpful to know - as in what will and more importantly won't work - or any work-arounds which may work.

Try to pair a user IP with a public IP, that way you'll work around most websites/games/applications expecting the publicly visible user IP to be the same for all connections.

Start with a selected few active customers, check how many connections they use with different NAT settings. Double/triple that. Then do the math of how many ports/IPs you need per X users, don't just guess it. Then try to limit it and see if anything breaks. By working with them you can also work around some of the problems you didn't think about before. Seriously. Fix it before you roll it out.

What anyone implementing CGN should expect is complaints from users for any number of reasons, like their IPSEC or L2TP tunnel stopped working, or some application behaves strangely and so on. Prepare your techsupport for that.

This solution is not designed to be long lasting (maybe 6-9 months)... it is to get the solution going for up to 1000 users, and once it reaches that point then funds will be freed up to roll out a more robust, carrier-grade and long term solution (which will include v6). So no criticism on not doing v6 straight up please.

Heh. Nothing lasts longer than temporary solutions. You should implement it like you're going to live with it for years (probably true) or you'll create yourself a huge PITA very soon.
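The advice in this thread (pin each subscriber to one public IP, measure connections, then do the port math) and the Port Block Allocation / log-correlation scheme discussed in the CGNAT thread above both come down to the same bookkeeping. The following Python model is an added example, written for this page and not any poster's or vendor's code: a toy PBA allocator that keeps every subscriber on one public IP, hands out fixed-size port blocks up to a per-user cap, records every hand-out, and answers the "who was behind ip:port at time T" question from that record, plus the users-per-IP sizing that the X=8192 versus 3072 comparison rests on. Assumptions: ports below 1024 are never translated, subscribers are packed fill-first onto the lowest public IP with room, and times are plain epoch seconds.

```python
"""Model of NAT444 / CGN address sharing with Port Block Allocation (PBA):
every subscriber is pinned to one public IP, receives fixed-size port blocks
on demand up to a per-subscriber cap, every block hand-out is logged, and an
abuse report (public ip, port, time) is correlated back to the subscriber
from that log.  users_per_ip() does the sizing for the deterministic
alternative (X ports reserved per subscriber).  Constructed example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Translation port range (assumption: the low 1024 ports are never handed out)
FIRST_PORT, LAST_PORT = 1024, 65535


@dataclass(eq=False)
class Block:
    subscriber: str
    public_ip: str
    first_port: int
    last_port: int
    start: int                 # epoch seconds the block was handed out
    end: Optional[int] = None  # epoch seconds it was released; None while active


class PortBlockAllocator:
    def __init__(self, public_ips: List[str], block_size: int = 1024,
                 max_blocks_per_user: int = 8):
        self.block_size = block_size
        self.max_blocks = max_blocks_per_user
        # free block starting ports per public IP, lowest first
        self.free: Dict[str, List[int]] = {
            ip: list(range(FIRST_PORT, LAST_PORT + 1, block_size)) for ip in public_ips}
        self.sticky: Dict[str, str] = {}                     # subscriber -> its one public IP
        self.active: Dict[str, List[Block]] = defaultdict(list)
        self.log: List[Block] = []                            # the record used for correlation

    def free_blocks(self, public_ip: str) -> int:
        return len(self.free[public_ip])

    def allocate(self, subscriber: str, now: int) -> Block:
        """Hand the subscriber its next port block.  A new subscriber is packed
        onto the first public IP that still has a free block; afterwards it
        stays on that IP even if another IP has more room (that is the price
        of presenting one public IP to every site the user talks to)."""
        ip = self.sticky.get(subscriber)
        if ip is None:
            ip = next((cand for cand, blocks in self.free.items() if blocks), None)
            if ip is None:
                raise RuntimeError("public IPv4 pool exhausted")
            self.sticky[subscriber] = ip
        if len(self.active[subscriber]) >= self.max_blocks:
            # A CGN refuses new translations here rather than borrowing ports
            raise RuntimeError(f"{subscriber} reached the per-user block cap")
        if not self.free[ip]:
            raise RuntimeError(f"{ip} has no free blocks left for {subscriber}")
        first = self.free[ip].pop(0)
        block = Block(subscriber, ip, first, first + self.block_size - 1, now)
        self.active[subscriber].append(block)
        self.log.append(block)
        return block

    def release(self, block: Block, now: int) -> None:
        """Return a block to the pool; the log entry keeps its time span."""
        block.end = now
        self.active[block.subscriber].remove(block)
        self.free[block.public_ip].append(block.first_port)

    def who_used(self, public_ip: str, port: int, at: int) -> Optional[str]:
        """Answer 'who was behind public_ip:port at time at' from the log."""
        for b in self.log:
            if (b.public_ip == public_ip and b.first_port <= port <= b.last_port
                    and b.start <= at and (b.end is None or at < b.end)):
                return b.subscriber
        return None


def users_per_ip(ports_per_user: int, usable_ports: int = LAST_PORT - FIRST_PORT + 1) -> int:
    """Subscribers one public IPv4 carries when each is reserved ports_per_user
    ports (deterministic NAT), or averages that many blocks' worth under PBA."""
    return usable_ports // ports_per_user


if __name__ == "__main__":
    cgn = PortBlockAllocator(["203.0.113.1", "203.0.113.2"])  # constructed pool
    b = cgn.allocate("sub-A", 1_700_000_000)
    print(f"sub-A got {b.public_ip}:{b.first_port}-{b.last_port}")
    print("abuse report 203.0.113.1:1500 ->", cgn.who_used("203.0.113.1", 1500, 1_700_000_100))
    print("users per IP at X=8192:", users_per_ip(8192), " at 3 blocks:", users_per_ip(3 * 1024))
```

The thread's "8 customers per IP at X=8192" counts the whole 16-bit port space; once the low 1024 ports are excluded the same X gives 7, which is the kind of detail the "do the math, don't guess" advice is about. For correlation in production, what matters is that every block hand-out and release is logged with the public IP, port range, subscriber identity and timestamps, exactly the fields `Block` carries; the lookup is then a range-and-time match, not a per-connection search.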