Art and Tech is madness

2019-09-04 Thread Kasper Adel
In SPRING a time when segment and routing had no mismatch, a time when isis
and ospf ate a forbidden encap, all they had to do was forward bgp like it's
hot, but crazy flapping doesn't leave any real LDP without some real FSM
check, My dynamic unnumbered neighbor.


Suddenly, Out of order, an AS is overridden, we see frames dropping, we
sniff a bit and it turns out, sfps are burning, we are in a place right now
where ping and pong are jittery, their latency is tested, they can't
strengthen their icmp bond with a warm bfd message, how can they keep
everyone in ACK, safe from teardown and dampening, with this kind of ixp
relationship??! but oh admin, we know forwarding works in its own
mysterious ways. We are left with two non rfc compliant scavengers, bastard
802.1ah fools in a leaky yet shaped, buffer display of some runts and
nimbles, and a giant too.

They start their life of a packet, leaving one interface to a neighbor,
from an adjacency to a peer, an endless loop, it's a prefix hijack, but as
they move from one stack to another, finding their way through a tunnel of
memory failures and RMAs, one hell of an LSP ride, through firewall horrors
and MTU mismatches, leaving behind, a sea of syslog messages and snmp
alarms. Anyway, Their ttl expired and one funny access list abruptly denies
them life, sending them to Null0, where they can be peacefully discarded.


That's what tech does to yeh


Re: Application or Software to detect or Block unmanaged switches

2018-06-08 Thread Kasper Adel
How about some scripts around fail2ban, if the same account logs in
multiple times, it's banning time.

Kasper

On Friday, June 8, 2018, David Hubbard wrote:

> This thread has piqued my curiosity on whether there'd be a way to detect
> a rogue access point, or proxy server with an inside and outside
> interface?  Let's just say 802.1x is in place too to make it more
> interesting.  For example, could employee X, who doesn't want their
> department to be back billed for more switch ports, go and get some
> reasonable wifi router, throw DD-WRT on it, and set up 802.1x client auth
> to the physical network using their credentials?  They then let their staff
> wifi into it and the traffic is NAT'd.  I'm sure anyone in a university
> setting has encountered this.  Obviously policy can forbid, but any way to
> detect it other than seeing traffic patterns on a port not match historical
> once the other users have been combined onto it, or those other users'
> ports go down?
>
> David
>
>
> On 6/7/18, 10:18 AM, "NANOG on behalf of Mel Beckman" <
> nanog-boun...@nanog.org on behalf of m...@beckman.org> wrote:
>
> When we do NIST-CSF audits, we run an SNMP NMS called Intermapper,
> which has a Layer-2 collection feature that identifies the number and MACs
> of devices on any given switch port. We export this list and cull out all
> the known managed switch links. Anything remaining that has more than one
> MAC per port is a potential violation that we can readily inspect. It’s not
> perfect, because an unmanaged switch might only have one device connected,
> in which case it won't be detected. You can also get false positives from
> hosts running virtualization, if the v-kernel generates synthetic MAC
> addresses. But it’s amazing how many times we find unmanaged switches
> squirreled away under desks or in ceilings.
>
>  -mel
>
> > On Jun 7, 2018, at 4:54 AM, Jason Hellenthal 
> wrote:
> >
> > As someone already stated the obvious answers, the slightly more
> difficult route to be getting a count of allowed devices and MAC addresses,
> then moving forward with something like ansible to poll the count of MAC’s
> on any given port ... of number higher than what’s allowed, suspend the
> port and send a notification to the appropriate parties.
> >
> >
> > All in all though sounds like a really brash thing to do to your
> network team and will generally know and have a very good reason for doing
> so... but not all situations are created equally so good luck.
> >
> >
> > --
> >
> > The fact that there's a highway to Hell but only a stairway to
> Heaven says a lot about anticipated traffic volume.
> >
> >> On Jun 7, 2018, at 03:57, segs 
> wrote:
> >>
> >> Hello All,
> >>
> >> Please I have a very interesting scenario that I am on the lookout
> for a
> >> solution for, We have instances where the network team of my
> company bypass
> >> controls and processes when adding new switches to the network.
> >>
> >> The right parameters that are required to be configured on the
> switches
> >> in order for the NAC solution deployed to have full visibility into
> end
> >> points that connect to such switches are not usually configured.
> >>
> >> This poses a problem for the security team as they don't have
> visibility
> >> into such devices that connect to such switches on the NAC
> solution, the
> >> network guys usually connect the new switches to the trunk port and
> they
> >> have access to all VLANs.
> >>
> >> Is there a solution that can detect new or unmanaged switches on the
> >> network, and block such devices or if there is a solution that
> block users
> >> that connect to unmanaged switches on the network even if those
> users have
> >> domain PCs.
> >>
> >> Anticipating your speedy response.
> >>
> >> Thank You!
>
>
>
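Mel's procedure above (collect MACs per port, cull the known managed uplinks, flag ports with more than one MAC) and Kasper's fail2ban-style idea (one account authenticating repeatedly), carried through as an added example that is not code from either poster or from Intermapper; the CSV export, the RADIUS-style log lines and the virtualization OUI list are constructed assumptions:

```python
"""Spot candidate unmanaged switches from a Layer-2 inventory export.

Added example (not from the thread): takes the per-port MAC list an SNMP NMS
collects, drops the known managed switch uplinks, and flags any remaining
port carrying more than one MAC. A second check folds in the 802.1X angle:
one account whose credentials authenticated several MACs. All data below is
constructed; the CSV and log layouts are assumptions, not any tool's format.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed export: one row per (switch, port, MAC) as an NMS might dump it.
BRIDGE_TABLE_CSV = """\
switch,port,mac
sw-floor2,Gi1/0/1,00:50:56:a1:b2:c3
sw-floor2,Gi1/0/1,00:50:56:a1:b2:c4
sw-floor2,Gi1/0/7,3c:52:82:11:22:33
sw-floor2,Gi1/0/7,3c:52:82:44:55:66
sw-floor2,Gi1/0/7,dc:a6:32:77:88:99
sw-floor2,Gi1/0/12,f8:e4:3b:00:11:22
sw-floor2,Gi1/0/48,00:1c:73:aa:bb:cc
sw-floor2,Gi1/0/48,00:1c:73:aa:bb:cd
"""

# Managed switch-to-switch links we already know about (cull these first).
KNOWN_UPLINKS = {("sw-floor2", "Gi1/0/48")}

# OUIs of hypervisor-generated MACs, the false-positive source Mel mentions.
# 00:50:56 is VMware's well-known OUI; which OUIs matter is an assumption
# about the environment, not a published rule.
VIRTUAL_OUIS = {"00:50:56"}


def parse_bridge_table(text):
    """Return {(switch, port): set(mac)} from the constructed CSV export."""
    ports = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        ports[(row["switch"], row["port"])].add(row["mac"].lower())
    return ports


def is_virtual(mac):
    return mac[:8] in VIRTUAL_OUIS


def multi_mac_ports(ports, known_uplinks=KNOWN_UPLINKS):
    """Ports (excluding known uplinks) that carry more than one MAC.

    Each finding records how many MACs are hypervisor-generated so that
    virtualization hosts can be triaged separately rather than treated as
    violations outright.
    """
    findings = []
    for key, macs in sorted(ports.items()):
        if key in known_uplinks or len(macs) < 2:
            continue
        virtual = sum(1 for m in macs if is_virtual(m))
        findings.append({
            "switch": key[0], "port": key[1],
            "mac_count": len(macs), "virtual_macs": virtual,
            "likely_virtualization": virtual == len(macs),
        })
    return findings


# Constructed RADIUS-style accept lines; the field layout is an assumption.
AUTH_LOG = """\
Jun  8 09:01:12 radius1 Access-Accept user=jdoe calling-station-id=3C-52-82-11-22-33 nas-port-id=Gi1/0/7
Jun  8 09:03:40 radius1 Access-Accept user=jdoe calling-station-id=3C-52-82-44-55-66 nas-port-id=Gi1/0/7
Jun  8 09:05:02 radius1 Access-Accept user=asmith calling-station-id=F8-E4-3B-00-11-22 nas-port-id=Gi1/0/12
Jun  8 09:07:55 radius1 Access-Accept user=jdoe calling-station-id=DC-A6-32-77-88-99 nas-port-id=Gi1/0/7
"""

ACCEPT_RE = re.compile(
    r"Access-Accept user=(?P<user>\S+) "
    r"calling-station-id=(?P<mac>[0-9A-Fa-f-]{17})"
)


def accounts_with_many_macs(log_text, threshold=2):
    """Accounts whose 802.1X credentials authenticated >= threshold distinct MACs."""
    macs_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            macs_by_user[m["user"]].add(m["mac"].replace("-", ":").lower())
    return {u: sorted(ms) for u, ms in macs_by_user.items() if len(ms) >= threshold}


if __name__ == "__main__":
    for finding in multi_mac_ports(parse_bridge_table(BRIDGE_TABLE_CSV)):
        print(finding)
    print(accounts_with_many_macs(AUTH_LOG))
```

With the constructed data, Gi1/0/1 is reported as likely virtualization (both MACs VMware), Gi1/0/7 as a three-MAC port worth a visit, and jdoe as an account seen on three MACs, which is the same port.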


Re: Application or Software to detect or Block unmanaged switches

2018-06-08 Thread Kasper Adel
I guess you can do that and more with a linux based switch like cumulus and
pica8.

They allow you to do all sorts of things like that because they are open.

On Thursday, June 7, 2018,  wrote:

> In my previous life, we used a nac appliance from Bradford Networks
> whereby the mac address of every device needed to be registered or the
> switch port it was plugged into would be disabled.
> This kept spurious devices from appearing on the network and worked quite
> well.
> Cheers, Keith
>
> Sent from my android device.
>
> -Original Message-
> From: Jason Hellenthal 
> To: segs 
> Cc: nanog@nanog.org
> Sent: Thu, 07 Jun 2018 7:54
> Subject: Re: Application or Software to detect or Block unmanaged switches
>
> As someone already stated the obvious answers, the slightly more difficult
> route to be getting a count of allowed devices and MAC addresses, then
> moving forward with something like ansible to poll the count of MAC’s on
> any given port ... of number higher than what’s allowed, suspend the port
> and send a notification to the appropriate parties.
>
>
> All in all though sounds like a really brash thing to do to your network
> team and will generally know and have a very good reason for doing so...
> but not all situations are created equally so good luck.
>
>
> --
>
> The fact that there's a highway to Hell but only a stairway to Heaven says
> a lot about anticipated traffic volume.
>
> > On Jun 7, 2018, at 03:57, segs  wrote:
> >
> > Hello All,
> >
> > Please I have a very interesting scenario that I am on the lookout for a
> > solution for, We have instances where the network team of my company
> bypass
> > controls and processes when adding new switches to the network.
> >
> > The right parameters that are required to be configured on the switches
> > in order for the NAC solution deployed to have full visibility into end
> > points that connect to such switches are not usually configured.
> >
> > This poses a problem for the security team as they don't have visibility
> > into such devices that connect to such switches on the NAC solution, the
> > network guys usually connect the new switches to the trunk port and they
> > have access to all VLANs.
> >
> > Is there a solution that can detect new or unmanaged switches on the
> > network, and block such devices or if there is a solution that block
> users
> > that connect to unmanaged switches on the network even if those users
> have
> > domain PCs.
> >
> > Anticipating your speedy response.
> >
> > Thank You!
>


Re: Intel DPDK vs Broadcom/Mellanox SDK

2018-06-05 Thread Kasper Adel
Can you please provide examples on issues that you highlighted with
broadcom? Are you saying i may not see the same with mellanox?

Thanks

On Monday, June 4, 2018, McBride, Mack  wrote:

> Use the package that corresponds to the chipset in your equipment.
> Ie. Broadcom/Mellanox chips use that SDK.  Intel chips use DPDK.
> With white box switches using Broadcom chips you will run into issues
> If you don't use the Broadcom SDK.  Obviously your mileage will vary
> based on the actual application.  If it isn't a hardware switch and is CPU
> based
> like a home router, then there are a lot more factors and the CPU factors
> may
> outweigh the chipset factors.  You may want to look at a list related to
> home
> routers for more guidance.
>
> Mack
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Kasper Adel
> Sent: Sunday, June 03, 2018 11:45 PM
> To: NANOG list 
> Subject: Intel DPDK vs Broadcom/Mellanox SDK
>
> Hi
>
> Another email thread to get some guidance on points to consider when
> comparing new platforms that advocate using DPDK as the hardware
> acceleration SDK vs the broadcom/mellanox.
>
> The DPDK ones claim enhanced performance but every time i ask questions, i
> get the logical and typical answer of “it depends”
>
> Thx
> Kim
>


Re: VPP-based router vs Hardware assisted ones

2018-06-05 Thread Kasper Adel
Hi Ross

Did you make a decision to take that direction after reviewing ‘open
networking’ platforms like cumulus and pica8?

Are you trying to use the full routing table?

~kim

On Thursday, May 24, 2018, Ross Tajvar  wrote:

> Hi all,
>
> Has anyone had any luck building their own routers on common compute (x86)
> with VPP? I'm considering it as I'm looking for a cheap, fast peering
> router. I haven't seen much written about that type of solution so I was
> wondering if anyone here has experience to share.
>
> Thanks,
> Ross
>


Intel DPDK vs Broadcom/Mellanox SDK

2018-06-03 Thread Kasper Adel
Hi

Another email thread to get some guidance on points to consider when
comparing new platforms that advocate using DPDK as the hardware
acceleration SDK vs the broadcom/mellanox.

The DPDK ones claim enhanced performance but every time i ask questions, i
get the logical and typical answer of “it depends”

Thx
Kim


Broadcom vs Mellanox based platforms

2018-06-03 Thread Kasper Adel
Hello

I’m asked to evaluate switching platforms that have different forwarding
chips but the same OS.

Assuming these vendors give the same SDK and similar documentation/support,
then what would be comparison points to consider, other than the obvious
(price, features, bps, pps).

I’m thinking, how do i validate their claims about capability to do
leaf/spine arch, ToR/Gateways, telemetry, serviceability, facilities to
troubleshoot packet drops or FIB programming misses, hidden tools...etc

It would be great if anyone can give some thoughts around it, specially if
you have tried one or both.

Thanks
Kim


Re: Open Souce Network Operating Systems

2018-05-03 Thread Kasper Adel
Feedback about Cumulus has been positive :

https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg66192.html

if i am not mistaken, they have added lots of networking enhancements to
the OS, they have videos on youtube that will paint the picture.



On Sat, Jan 20, 2018 at 11:26 AM, Colton Conor wrote:

> Peter,
>
> Thanks for the information. Do you have a recommendation of which
> distribution of Linux to use for this? Is there one that is more network
> centric than another?
>
> On Sat, Jan 20, 2018 at 1:11 PM, Peter Phaal 
> wrote:
>
> > On Sat, Jan 20, 2018 at 9:32 AM, Colton Conor 
> > wrote:
> >>
> >> My understanding if Free Range Routing is a package of software that
> runs
> >> in linux, but not a full and true NOS right?
> >>
> >
> > Why not consider Linux a NOS? Installing Free Range Routing adds control
> > plane protocols: BGP, OSPF, ISIS, etc.
> >
> >
> >> I looked into Cumulus Linux, but it seems to only run on the supported
> >> hardware which is while box switches. Can you run Cumulus Linux on a X86
> >> server with intel NICs? Can you run Cumulus on a raspberry pi?
> >>
> >
> > Cumulus Linux is basically Ubuntu with Free Range Routing pre-installed
> > along with a daemon that offloads forwarding from the Linux kernel to an
> > ASIC. CumulusVX is a free Cumulus Linux virtual machine that is useful
> for
> > staging / testing configurations since it has the same behavior as the
> > hardware switch.
> >
> > On X86 servers with Intel NICs, just run Linux. Cumulus Host Pack can be
> > installed to add Free Range Routing and other Cumulus tools on the
> server.
> > Alternatively, you can choose any Linux control plane, automation, or
> > monitoring tools and install them on the hosts and Cumulus Linux switches
> > to unify management and control, e.g. Bird, collectd, telegraf, Puppet,
> > Chef, Ansible, etc.
> >
> > Linux distros (including Ubuntu) are available for non-X86 hardware like
> > Raspberry Pi etc.
> >
> >
> >>
> >> Ideally I think I am looking to a Linux operating system that can run on
> >> multiple CPU architectures, has device support for Broadcom and other
> >> Merchant silicon switching and wifi adapters.
> >
> >
> > If you consider Linux as the NOS then it already meets these
> requirements.
> >
>


(Network Orchestrators evaluation) : tail-f vs Anuta vs UBIqube vs OpenDaylight

2017-08-09 Thread Kasper Adel
Hi,

This is not a vendor bashing thread.

We are a group of networking engineers (less experience with software) in
the middle of the process of procuring a network automation/orchestration
controller, if that is even a good definition and we are clueless on how to
evaluate them.

Other than the obvious, which is to try them out, i wonder what else is
important to consider/watch out for.

We are presented with 3 different vendors and even OpenDayLight was
considered as the open source alternative.

My humble thoughts are given below and i would appreciate getting
'schooled' on what i need to ask the vendors:

1) Are they Model driven : But i still don't know how to evaluate that.
2) Do they parse Cisco/Juniper CLI or they are limited to SNMP and YANG.
3) If they do parse, we want to check if they'll hold us by the balls if
the current parsers need to be updated, i.e: can we change the code
ourselves and add new features to be parsed.
4) Can they work/orchestrate between CLI devices and Non CLI devices (SNMP)
5) How flexible are they to support different Vendors (Cisco, Juniper,
some-weird-firewall...etc)

thanks,
Kim


DevOps workflow for networking

2017-08-09 Thread Kasper Adel
We are pretty new to those new-age network orchestrators and automation,

I am curious to ask what everyone in the community is doing? sorry for such
a long and broad question.

What is your workflow? What tools are your teams using? What is working
what is not? What do you really like and what do you need to improve? How
mature do you think your process is? etc etc

Wanted to ask and see what approaches the many different teams here are
taking!

We are going to start working from a GitLab based workflow.

Projects are created, issues entered and developed with a gitflow branching
strategy.

GitLab CI pipelines run package loadings and run tests inside a lab.

Tests are usually python unit tests that are run to do both functional and
service creation, modification and removal tests.

For unit testing we typically use python libraries to open transactions to
do the service modifications (along with functional tests) against physical
lab devices.

For our prod deployment we leverage 'push on green' and gating to push
package changes to prod devices.

Thanks


SD-WAN for enlightened

2017-04-16 Thread Kasper Adel
Hi,

I'm not sure if the buzzword SD-WAN is used to compensate for another
buzzword that got over-utilized (SDN) or it is a true 'new and improved'
way of doing things that has some innovation into it.

I heard different explanation from different vendors:

1) appliances (+ controller) placed in-line to put traffic in tunnels based
on policy, with some DPI and traffic tagging...(to do performance/policy
based routing) over an expensive link (MPLS) and a cheap one (broadband)
with some 'firewall-like' filtering capabilities.
2) same as above, with a flavor of 'machine learning' to find a pattern for
traffic to optimize utilization.
3) a controller that instantiates and tears down tunnels from 'classic
routers' based on external policies and Network based features to do
performance based routing over an expensive link (MPLS) and a cheap one
(broadband) with encryption.

Is the above a decent high-level summary?

Has anyone tried any of these solutions, any general feedback ?

Cheers,
Kim


Brainstorming acceptance issues - WAN impediment

2017-02-06 Thread Kasper Adel
Hi,

I am in the process of testing an 'automation/sdn' kind of controller, it
will be managing configuration on our routers and also deploying some VNFs
too.

Before accepting it, i'd like to perform some testing, to make sure of the
behavior if there are network issues between the controller and the devices
(routers or servers), during creation of services.

From the top of my head, I can think of the basic tests like introducing
jitter and delay but i would appreciate more ideas or even test cases that
i can re-use.

Thanks


Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-28 Thread Kasper Adel
Hi,

Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
refuse to give you root access, or any means necessary to do 'maintenance'
kind of work, whether its applying security updates, or any other similar
type of task that is needed for you to integrate the Linux VM into your IT
eco-system.

Would this be an acceptable offering in today's IT from different type of
Enterprises (Minus the Googles, Facebooks...etc) ?

Thanks


NFV Solution Evaluation Methodology

2016-08-02 Thread Kasper Adel
Hi,

I am interested in hearing the approach and thought-process that senior
people on NANOG are following when presented with an NFV solution. Assuming
that the exercise at hand is to consider NFV for future expansions of
Firewalls and L3VPNs or stay with the existing model of what is called PNF
(physical network function)...i.e : classic routers and FWs.

There are a lot of factors to consider and Vendors will typically give
their biased opinion, so i'm trying to get my head out of their game, to be
able to think agnostically about the whole thing.

1) Product and Service/Support Cost.
2) Operation Complexity/Learning Curve. (open source products included).
3) X Factors (Those that are never listed but do bite in the back) :
Quality, Integration with Classic, Migration, Usability...etc

The main goal behind us exploring NFV is the promised cost-saving, so a
good method to be able to do the math of whether NFV will save opex/capex
or NOT is definitely needed here and i'm trying to gather guidelines from
the list.

I think its easier to keep this post high-level, and later dig deeper.

Cheers,
K


Thinking Methodically about building a PoC

2016-06-12 Thread Kasper Adel
hi,

I am asked to build a large lab/test it. I'm provided crazy scale numbers
for lots of technologies (L*VPN, IPv*, IGP*, All Tunnels flavors...etc).

It took me a lot of time to build this lab, because when I got the
request/test plan handed over to me, I did not verify that these scaled
numbers are even possible, not to mention the combination. I assumed some
thought/research were done before.

I'm trying to put together a list of the lessons learned, and the right way
to do this for future reference, specially that this project was time
critical and I got beaten hard because I did not deliver on time.

So my question is, in your extensive experience, what is the right
method/approach to this kind of task:

1) Get started immediately (MVP), things will break, tune it along the way.
2) Do some planning and research first.

I'd appreciate any references to 'software engineering' or other industries.

Thanks


Data Mining/Crawling through a Mailing List

2013-09-05 Thread Kasper Adel
Hello,

A bit off topic but i was looking for a way/tool that could crawl through
nanog(or other) archives and try to filter most common discussions and
things like that, if anyone is aware of such a tool, pls let me know.

Thanks,
Kim


Parsing Syslog and Acting on it, using other input too

2013-08-29 Thread Kasper Adel
Hello.

I am looking for a way to do proactive monitoring of my network, what I am
specifically thinking about is receiving syslog msgs from the routers and
the backend engine would correlate certain msgs with output/data that i am
receiving through SSH/telnet sessions. What i am after is not exposed to
SNMP so i need to do it on my own.


I am sure there are many tools that can do parsing of syslog and acting
upon it but i wonder if there is something more flexible out there that I
can just re-use to do the above ? Please point me to known public or
home-grown scripts in use to achieve this.

Regards,

Sam


Vendors CLI Usability vs UNIX Shell

2013-07-20 Thread Kasper Adel
Hello,

My vendor is giving me speeches on how they are improving their
product Serviceability, Usability and Manageability. They told me they
are adding a lot of new way of doing things, introducing more Unix-like
utilities and over all making CLI smarter by exposing more visibility into
system status and stuff like that.

I rarely look at what other vendors do but i am now interested in what one
might have over the other, specially things that would stand out.

I wouldn't imagine Huawei doing anything advanced there so i guess it's J vs
C on this front. But i'd be interested in comparing them to Unix/Linux
Shells too.

Regards,
Kim


Re: Quantifying the value of customer support

2013-02-15 Thread Kasper Adel
Thanks everyone for the feedback.

Can someone give an example on how i can calculate $ value from improving a
product/service usability and serviceability? I am trying to categorize what
we offer :

1) Improve customer experience
2) Reduce service deployment time
3) Improve service availability

Regards
Kim

On Friday, February 15, 2013, Siegel, David wrote:

 There is no such thing as a generic business case that can be applied
 across all companies in an industry.  Every business is unique in its
 product definition and organization structure, but each question is also
 unique and therefore the analysis must be done every time.

 The way to begin is to ask this manager what he believes the possible
 outcomes are (downsize your group, eliminate your group, re-define your
 group, etc.) and then work with each of the key stakeholders that you have
 to estimate the impact of those outcomes.  For example, if 1st line
 operations indicates that eliminating your group would result in decreased
 customer satisfaction and missed SLA's, ask them to quantify it as much as
 possible and go to take the numbers back to your business people to have
 them estimate the impact on revenue.

 The analysis should be constructed and presented in standard finance terms
 (like NPV) so I would suggest that you make friends with someone in finance
 to assist you with the preparation.  You can also take a short two-day
 course like this
 http://executive.mit.edu/openenrollment/program/fundamentals_of_finance_for_the_technical_executive/16
 that will teach you how to build up these analysis yourself (I have taken
 the one referenced and I recommend it to all managers with budget
 responsibility).

 The outcome from these discussions often has surprising but positive
 outcomes for everyone...maintaining the status quo is not always the best
 possible outcome despite the biases we usually have when we begin the
 analysis.  :-)  If you work closely with all of your stakeholders, everyone
 will learn and benefit from the experience.

 Dave

 -Original Message-
 From: Kasper Adel [mailto:karim.a...@gmail.com]
 Sent: Thursday, February 14, 2013 2:16 PM
 To: Andrew Latham
 Cc: NANOG list
 Subject: Re: Quantifying the value of customer support

 I used to think that these kind of situations take place when a manager
 was never an engineer so he does not understand how things work but i was
 surprised when i faced these from managers with an intense engineering
 career so i gave up on trying to give conceptual excuses and want to just
 give them the dump tables and numbers that they are looking for.

 Kim

 On Thursday, February 14, 2013, Andrew Latham wrote:

  On Thu, Feb 14, 2013 at 3:52 PM, Kasper Adel
  karim.a...@gmail.com
  wrote:
   Hello,
  
   We are a 2nd level of escalation in a service provider, trying to
   put a $ value on the support we give to our NOC and other
   implementation teams, when they email us about problems they face.
   But we are merely bits and bytes engineers that cant quantify and
   justify the value of what we do to the management team. I guess
   these smart suits want to see an excel sheet with a table of how
   much they save or gain by the support we do. We
  respond
   to technical questions and simulate problems in a lab.
  
   Can anyone help me with an idea or any material i can reuse? Templates?
  Has
   any one been in a similar situation.
  
   Thanks
   Kim
 
  Kasper/Karim/Kim
 
  Your job is customer retention.  Your value is maintaining all company
  income.  Write the yearly revenue on a piece of paper and hand it to
  them.
 
 
  --
  ~ Andrew lathama Latham lath...@gmail.com
  http://lathama.net ~
 



Quantifying the value of customer support

2013-02-14 Thread Kasper Adel
Hello,

We are a 2nd level of escalation in a service provider, trying to put a $
value on the support we give to our NOC and other implementation teams,
when they email us about problems they face. But we are merely bits and
bytes engineers that cant quantify and justify the value of what we do to
the management team. I guess these smart suits want to see an excel sheet
with a table of how much they save or gain by the support we do. We respond
to technical questions and simulate problems in a lab.

Can anyone help me with an idea or any material i can reuse? Templates? Has
any one been in a similar situation.

Thanks
Kim


Re: Quantifying the value of customer support

2013-02-14 Thread Kasper Adel
I used to think that these kind of situations take place when a manager was
never an engineer so he does not understand how things work but i was
surprised when i faced these from managers with an intense engineering
career so i gave up on trying to give conceptual excuses and want to just
give them the dump tables and numbers that they are looking for.

Kim

On Thursday, February 14, 2013, Andrew Latham wrote:

 On Thu, Feb 14, 2013 at 3:52 PM, Kasper Adel 
 karim.a...@gmail.com
 wrote:
  Hello,
 
  We are a 2nd level of escalation in a service provider, trying to put a $
  value on the support we give to our NOC and other implementation teams,
  when they email us about problems they face. But we are merely bits and
  bytes engineers that cant quantify and justify the value of what we do to
  the management team. I guess these smart suits want to see an excel sheet
  with a table of how much they save or gain by the support we do. We
 respond
  to technical questions and simulate problems in a lab.
 
  Can anyone help me with an idea or any material i can reuse? Templates?
 Has
  any one been in a similar situation.
 
  Thanks
  Kim

 Kasper/Karim/Kim

 Your job is customer retention.  Your value is maintaining all company
 income.  Write the yearly revenue on a piece of paper and hand it to
 them.


 --
 ~ Andrew lathama Latham lath...@gmail.com
 http://lathama.net ~



Re: Whats so difficult about ISSU

2012-11-11 Thread Kasper Adel
Hi Frank,

Is it because C5 softswitches have expensive hardware, advanced software
and dual asics? I would have never imagined that any vendor is capable of
upgrading fpd's/ASICs ucode without a hit unless there are multiple chips
continuously syncing with each other.

Regards,
Kim

On Monday, November 12, 2012, Frank Bulk wrote:

 We do it on our Class 5 softswitch ... and it works consistently.  There
 may
 be a few seconds, once, where a new call can't be made, but most people
 will
 re-dial.  It just works.

 It can be done, but the product has to be built with that in mind.

 Frank

 -Original Message-
 From: Kasper Adel [mailto:karim.a...@gmail.com]
 Sent: Thursday, November 08, 2012 5:23 PM
 To: NANOG list
 Subject: Whats so difficult about ISSU

 Hello,

 We've been hearing about ISSU for so many years and i didn't hear that any
 vendor was able to achieve it yet.

 What is the technical reason behind that?

 If i understand correctly, the way it will be done would be simply to have
 extra ASICs/HW to be able to build dual circuits accessing the same memory,
 and gracefully switch from one to another. Is that right?

 Thanks,
 Kim





Whats so difficult about ISSU

2012-11-08 Thread Kasper Adel
Hello,

We've been hearing about ISSU for so many years and i didn't hear that any
vendor was able to achieve it yet.

What is the technical reason behind that?

If i understand correctly, the way it will be done would be simply to have
extra ASICs/HW to be able to build dual circuits accessing the same memory,
and gracefully switch from one to another. Is that right?

Thanks,
Kim


Re: Whats so difficult about ISSU

2012-11-08 Thread Kasper Adel
What i was asking is full ISSU, even with micro code. I assume between
Major release there will be microcode upgrade most of the time.


On Fri, Nov 9, 2012 at 2:48 AM, Phil bedard.p...@gmail.com wrote:

 The major vendors have figured it out for the most part by moving to
 stateful synchronization between control plane modules and implementing
 non-stop routing.

 ALU has supported ISSU on minor releases for many years and just added
 support for major releases.

 The Cisco Nexus ISSU works well, I've done an upgrade on a 5K switch and
 it was completely hitless.

 Juniper and Cisco with the 9K have gone through some hurdles but ISSU is
 actually usable now if the software versions support it.

 The main remaining hurdle is updating microcode on linecards, they still
 need to be rebooted after an upgrade.

 Phil

 On Nov 8, 2012, at 6:22 PM, Kasper Adel karim.a...@gmail.com wrote:

  Hello,
 
  We've been hearing about ISSU for so many years and i didn't hear that any
  vendor was able to achieve it yet.
 
  What is the technical reason behind that?
 
  If i understand correctly, the way it will be done would be simply to
 have
  extra ASICs/HW to be able to build dual circuits accessing the same
 memory,
  and gracefully switch from one to another. Is that right?
 
  Thanks,
  Kim



Re: Whats so difficult about ISSU

2012-11-08 Thread Kasper Adel
Does that mean they are the only vendor capable of doing this today?

I am interested in the technology behind this if this is something public,
any ideas?

Thx

On Friday, November 9, 2012, Kenneth McRae wrote:

 I have performed micro code upgrades using ISSU on the Juniper platform.

 On Thu, Nov 8, 2012 at 4:52 PM, Kasper Adel 
 karim.a...@gmail.com
  wrote:

 What I was asking about is full ISSU, even with microcode. I assume between
 major releases there will be a microcode upgrade most of the time.


 On Fri, Nov 9, 2012 at 2:48 AM, Phil bedard.p...@gmail.com wrote:

  The major vendors have figured it out for the most part by moving to
  stateful synchronization between control plane modules and implementing
  non-stop routing.
 
  ALU has supported ISSU on minor releases for many years and just added
  support for major releases.
 
  The Cisco Nexus ISSU works well, I've done an upgrade on a 5K switch and
  it was completely hitless.
 
  Juniper and Cisco with the 9K have gone through some hurdles but ISSU is
  actually usable now if the software versions support it.
 
  The main remaining hurdle is updating microcode on linecards, they still
  need to be rebooted after an upgrade.
 
  Phil
 
  On Nov 8, 2012, at 6:22 PM, Kasper Adel karim.a...@gmail.com wrote:
 
   Hello,
  
   We've been hearing about ISSU for so many years and I didn't hear that any
   vendor was able to achieve it yet.
  
   What is the technical reason behind that?
  
   If I understand correctly, the way it will be done would be simply to have
   extra ASICs/HW to be able to build dual circuits accessing the same memory,
   and gracefully switch from one to another. Is that right?
  
   Thanks,
   Kim
 





CLI Roadmap

2012-10-14 Thread Kasper Adel
Hello,

I have never used any CLI other than Cisco's, so I am curious what useful and
creative knobs and bolts are available from other network appliance vendors.

I guess what makes the *NIX CLI/shell so superior is that you can do advanced
stuff from the CLI using sed, awk and all the great tools there, so maybe
this is also one thing missing.

Regards,
Kim


Software Bugs

2011-02-20 Thread Kasper Adel
Good Day,

I have always been exposed to one vendor only, so I can never compare, but I
am curious to know what everyone here has seen in their lives on the
below:

1) Which vendor has more bugs than others, what are the top 3
2) Who is doing a better job fixing them
3) What do you consider is a good job in fixing these bugs :
response from technical support, educated support engineers


Re: Software Bugs

2011-02-20 Thread Kasper Adel
Good Day,

Sorry, previous email sent by mistake

I have always been exposed to one vendor only, so I can never compare, but I
am curious to know what everyone here has seen in their lives on the
below:

1) Which vendor has more bugs than others, what are the top 3 ?

2) Who is doing a better job fixing/handling these bugs overall

3) What do you consider is a good job in fixing/handling these bugs :

A) Response from technical support
B) Educated support engineers being able to respond to questions
C) Taking less time to identify bugs
D) Less time in fixing them
E) Transparent communication on their issues
F) Transparency from their teams allows us to plan better for our network
G) etc. Please add more

4) Especially Huawei: are they doing a good job or is it a mess?

I would like to try to do some rating and ranking when it comes to bugs, but
I need to know what I have to be looking at.

Regards,
Kim


Re: Software Bugs

2011-02-20 Thread Kasper Adel
Thanks Valdis.

On Sun, Feb 20, 2011 at 9:43 PM, valdis.kletni...@vt.edu wrote:

 On Sun, 20 Feb 2011 18:05:44 +0200, Kasper Adel said:

 (Disclaimer - I've never filed a bug report with Cisco or Juniper,
 but I've spent 3 decades filing bugs with almost everybody else in
 the computer industry, it seems...) Questions like the ones you asked
 are almost always pointless unless the asker and answerer are sharing
 a set of base assumptions. In other words, "which one is best/worst?"
 is a meaningless question unless you either tell us what *your* criteria
 are in detail, or are willing to listen to advice that uses other
 criteria (without stating how they're different from yours).


I tried to put details and criteria below, and yes, I am mainly interested in
Juniper, Cisco, Alcatel and Huawei routers and switches, mostly high end
equipment, and yes, I am willing to listen to advice on criteria; why wouldn't
I :) ?


  1) Which vendor has more bugs than others, what are the top 3

 More actual bugs, more known and acknowledged bugs, or more serious bugs
 that
 actually affect day to day operations in a major manner?


What I wanted to ask is, from the field experience of the experts on the alias,
if there is a clear winner on which vendor has throughout history shown more
bugs impacting operation and interrupting traffic... poorly written code or
bad internal testing. Can we have some sort of general assumption here, or is
that not possible?


 The total number of actual bugs for each vendor is probably unknowable,
 other than "there's at least one more in there". The vendor probably can
 produce a number representing how many bug reports they've accepted as
 valid. The vendor's number is guaranteed to be different than the
 customer's number - how divergent, *and why*, probably tells you a lot
 about the vendor and the customer base. The vendor may be difficult about
 accepting a bug report, or the customer base may be clueless about what
 the product is supposed to be doing and calling in a lot of non-bugs -
 almost every trouble ticket closed with "RTFM" status is one of these
 non-bugs. If there's a lot of non-bugs, it usually indicates a
 documentation/training issue, not an actual software quality issue.

 And of course, bug severity *has* to be considered. "Router falls over if
 somebody in Zimbabwe sends it a christmas-tree packet" is different than
 "the CLI insists on a ';;' where a ';' should suffice". You may be willing
 to tolerate or work around dozens or even hundreds of the latter (in fact,
 there's probably hundreds of such bugs in your current vendor that you
 don't know about simply because they don't trigger in your environment),
 but it only takes 2 or 3 of the former to render the box undeployable.

  2) Who is doing a better job fixing them

 Again, see the above discussion of severity. If a vendor is good about
 fixing the real show-stoppers in a matter of hours or days, but has a
 huge backlog of fixes for minor things, is that better or worse than a
 vendor that fixes half of both serious and minor things?

 In addition, the question of how fixes get deployed matters too. If a
 vendor is consistently good about finding a root cause, fixing it, and
 then saying "we'll ship the fix in the next dot-rev release", is that
 good or bad? Remember that if they ship a new, updated, more-fixed image
 every week, that means you get to re-qualify a new image every week.


What you have mentioned is an operations headache, so one question that comes
to mind here is: what are the issues a vendor will never be able to find in
their internal testing? I mean, are there issues that will definitely be
discovered on the customer networks, or can we assume that software needs to
come out with a smaller number of sev1/2 bugs because internal testing is not
doing a good job?

thanks


Auditing a network to add Voice

2010-11-22 Thread Kasper Adel
Hi,

My customer would like to add VoIP over their network and they asked us for
an audit. The result of the audit would be simply "you guys are ready for
it".

Breaking it down [high level] for me sounds like (suggestions are more
than welcome):

1) Looking at finite hardware computation resources (CPU, memory, etc.)
2) Looking at available bandwidth
3) QoS policy
4) High Availability and Fast Convergence

Any thing else?

They asked us to measure the KPIs (jitter, delay, etc.) of their existing
traffic; is there a way to do that?

Thanks,
Kim


Re: Auditing a network to add Voice

2010-11-22 Thread Kasper Adel
Sorry, I forgot to add more detail.

We are not looking for IP Telephony type of voice, but RTP from Media
Gateways.

Cheers,
Kim

On Mon, Nov 22, 2010 at 4:59 PM, Kasper Adel karim.a...@gmail.com wrote:

 Hi,

 My customer would like to add VoIP over their network and they asked us for
 an audit. The result of the audit would be simply "you guys are ready for
 it".

 Breaking it down [high level] for me sounds like (suggestions are more
 than welcome):

 1) Looking at finite hardware computation resources (CPU, memory, etc.)
 2) Looking at available bandwidth
 3) QoS policy
 4) High Availability and Fast Convergence

 Any thing else?

 They asked us to measure the KPIs (jitter, delay, etc.) of their existing
 traffic; is there a way to do that?

 Thanks,
 Kim



Re: Auditing a network to add Voice

2010-11-22 Thread Kasper Adel
Hi Bret,

These guys are not looking at measuring traffic generated by a tool; they
want to measure what they have running now (not only voice). I am not sure if
measuring what they have and generating traffic and measuring it are the same
thing. What do you think?

thanks,
Kim

On Mon, Nov 22, 2010 at 5:54 PM, Bret Clark bcl...@spectraaccess.com wrote:

 Iperf can be used to measure jitter and delay as well as simulate a quasi
 VoIP call. You can also use mtr under Linux, which provides jitter and delay
 measurements from one point to another point. A G.729 call (lower quality)
 takes about ~40kbps and a G.711 (high quality) uses about ~100Kbps of
 bandwidth. With most of today's networks, the problem isn't bandwidth
 related, but more with jitter, delay, and packet loss through the
 network... personally I'm a big fan of deploying QoS throughout an
 infrastructure... well at least in our WAN infrastructure.

 Bret



 On 11/22/2010 09:59 AM, Kasper Adel wrote:

 Hi,

 My customer would like to add VoIP over their network and they asked us
 for an audit. The result of the audit would be simply "you guys are ready
 for it".

 Breaking it down [high level] for me sounds like (suggestions are more
 than welcome):

 1) Looking at finite hardware computation resources (CPU, memory, etc.)
 2) Looking at available bandwidth
 3) QoS policy
 4) High Availability and Fast Convergence

 Any thing else?

 They asked us to measure the KPIs (jitter, delay, etc.) of their existing
 traffic; is there a way to do that?

 Thanks,
 Kim



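The KPIs asked about in this thread (jitter, delay and loss of the traffic already running, as opposed to traffic generated by iperf) can be computed passively from a capture of the RTP stream taken at the receiving end. The following is an added example, not code from the thread or from any of the tools named in it: it implements the interarrival jitter estimator of RFC 3550 section 6.4.1 together with one-way delay and sequence-gap loss over a constructed packet trace. The trace, the 150 ms / 30 ms / 1% thresholds (150 ms one-way delay is the ITU-T G.114 figure; the jitter and loss limits are common planning values, not from the thread) and the assumption that sender and receiver clocks are synchronised are all mine.

```python
"""Passive voice KPIs from a captured RTP packet trace (added example).

Timestamps are milliseconds. The one-way delay figure assumes the sender
and receiver clocks are synchronised (an assumption; in practice via
NTP/PTP); jitter and loss do not depend on that.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int        # RTP sequence number
    sent_ms: float  # RTP timestamp converted to milliseconds
    recv_ms: float  # capture time at the receiver, milliseconds


# Constructed trace (not real data): 20 ms packetisation, one packet held
# up by 16 ms of queueing (seq 3) and one packet lost in transit (seq 7).
SAMPLE_TRACE = [
    Packet(1, 0.0, 40.0),
    Packet(2, 20.0, 60.0),
    Packet(3, 40.0, 96.0),
    Packet(4, 60.0, 100.0),
    Packet(5, 80.0, 120.0),
    Packet(6, 100.0, 140.0),
    Packet(8, 140.0, 180.0),
]


def rfc3550_jitter(packets):
    """Running interarrival jitter estimate per packet, in arrival order.

    RFC 3550 6.4.1: D(i-1,i) = (R_i - R_i-1) - (S_i - S_i-1) and
    J_i = J_i-1 + (|D| - J_i-1) / 16. The first packet has no predecessor,
    so its estimate is 0. Lost packets simply widen the send-time gap, so
    they do not inflate the estimate.
    """
    estimates = []
    jitter = 0.0
    prev = None
    for pkt in packets:
        if prev is not None:
            d = (pkt.recv_ms - prev.recv_ms) - (pkt.sent_ms - prev.sent_ms)
            jitter += (abs(d) - jitter) / 16
        estimates.append(jitter)
        prev = pkt
    return estimates


def one_way_delay_ms(packets):
    """min/avg/max one-way delay; only meaningful with synchronised clocks."""
    delays = [p.recv_ms - p.sent_ms for p in packets]
    return {"min": min(delays), "avg": sum(delays) / len(delays), "max": max(delays)}


def loss_percent(packets):
    """Loss from sequence-number gaps (ignores 16-bit wraparound; fine for a short trace)."""
    seqs = {p.seq for p in packets}
    expected = max(seqs) - min(seqs) + 1
    return 100.0 * (expected - len(seqs)) / expected


def voice_kpis(packets):
    """The figures the audit asks for, from one captured stream."""
    delay = one_way_delay_ms(packets)
    return {
        "jitter_ms": rfc3550_jitter(packets)[-1],
        "delay_avg_ms": delay["avg"],
        "delay_max_ms": delay["max"],
        "loss_pct": loss_percent(packets),
    }


def ready_for_voice(kpis, max_delay_ms=150.0, max_jitter_ms=30.0, max_loss_pct=1.0):
    """Compare against planning thresholds. 150 ms one-way delay is the
    ITU-T G.114 figure; the jitter and loss limits are common design-guide
    values (assumed here) and should be tuned to the codec and jitter buffer."""
    return (kpis["delay_max_ms"] <= max_delay_ms
            and kpis["jitter_ms"] <= max_jitter_ms
            and kpis["loss_pct"] <= max_loss_pct)


if __name__ == "__main__":
    kpis = voice_kpis(SAMPLE_TRACE)
    print(kpis, "ready" if ready_for_voice(kpis) else "not ready")
```

On the sample trace the jitter estimate settles around 1.6 ms and delay stays under 60 ms, but the single lost packet out of eight is 12.5% loss, so the verdict is "not ready"; that is the point of looking at all three figures rather than only bandwidth.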




Did your BGP crash today?

2010-08-27 Thread Kasper Adel
Haven't seen a thread on this one, so I thought I'd start one.

RIPE tested a new attribute that crashed the Internet; is that true?


Kim


Calculating Cost

2010-08-22 Thread Kasper Adel
Hello everyone,

How would you calculate the cost of a network outage, specifically if it's
related to a software bug or a misconfiguration?

Suppose that this could have been avoided by testing in a lab before
deployment; how can I calculate that too?

Unicast replies are welcome.

Cheerio,
Kim


Re: NOC Best Practices

2010-07-16 Thread Kasper Adel
Thanks to all the people that replied off-list, asking me to send them the
responses I will get.

I got nothing other than:
http://www.nanog.org/meetings/nanog24/abstracts.php?pt=OTM1Jm5hbm9nMjQ=nm=nanog24
and

Network Management: Accounting and Performance Strategies, just the first
three chapters

Which is useful, but I am looking for more stuff from the best people that
run the best NOCs in the world.

So I'm throwing this out again.

I am looking for pointers, suggestions, URLs, documents, donations on what a
professional NOC would have on the below topics:

1) Briefly, how they handle their own tickets with vendors or internal
2) How they create a learning environment for their people (documenting
syslog, lessons learned from problems, etc.)
3) Shift to shift hand over procedures
4) Manual tests they start their day with and what they automate (common
stuff)
5) Change management best practices and working with operations/engineering
when a change will be implemented

Should I be looking for ITIL stuff, or is it not any good?

Thanks,
Kim

On Wed, Jul 14, 2010 at 8:24 PM, Kasper Adel karim.a...@gmail.com wrote:

 Hello Everyone,

 I am currently working on building a NOC so i'm looking for
 materials/pointers to Best Practices documented out there.

 On the top of my head are things like:

 1) Documenting Incidents and handling them
 2) Documenting Syslog messages
 3) Documenting Vendor Software Bugs
 4) Shift to Shift Hand over procedures
 5) Commonly used scripts for monitoring
 6) Frequently testing High Availability
 7) Capturing config changes.
 etc

 I can see that this is years of experience but i am wondering if any of
 this was captured some where.

 Thanks,
 Kim



NOC Best Practices

2010-07-14 Thread Kasper Adel
Hello Everyone,

I am currently working on building a NOC, so I'm looking for
materials/pointers to Best Practices documented out there.

Off the top of my head are things like:

1) Documenting Incidents and handling them
2) Documenting Syslog messages
3) Documenting Vendor Software Bugs
4) Shift to Shift Hand over procedures
5) Commonly used scripts for monitoring
6) Frequently testing High Availability
7) Capturing config changes.
etc.

I can see that this is years of experience, but I am wondering if any of this
was captured somewhere.

Thanks,
Kim


Common statistics from your NOC

2010-04-05 Thread Kasper Adel
Hello,

I want to collect experience from the gurus on this mailer on how they make
use of the data they can get from the NOC. What I mean by data: trouble tickets
opened internally or with vendors.

I wonder what would be common or even uncommon types of statistics that a
network operator would like to poll from their NOC to help them in:

1) Optimizing and tuning operations
2) Optimizing and tuning engineering

Example on point 1:
If we were to put all tickets in an Excel sheet and take a holistic look at
the type of technology or product, we could see that out of 100 incidents,
there were 50 cases related to routing protocols; this would indicate that
either more training is needed for the operations team or that the design is
flawed.

Example on point 2:
20 incidents appeared to be related to new configuration lines that, when
added, a conflict was seen, so the take away would be that engineering needs
a lab.

Excuse my poor English; unicast replies are welcome.

Regards,
Kim


Gig Throughput on IPSEC

2009-11-11 Thread adel
 

Hi,

I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
link. In the past I've normally used Juniper to terminate VPNs, as I
have found them excellent devices and the route based VPN functionality
very useful. However looking at their range, only the ISG will do a gig
of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for
firewall/routing capability at each site, then having separate
encryption devices to handle the site-to-site VPN requiring the gig
throughput. Does anyone have any suggestions on devices to use?

Adel
 


Re: Gig Throughput on IPSEC

2009-11-11 Thread adel
 

On second thoughts, thinking about this I am probably looking for some
kind of Layer 2 encryption devices. This will make things a lot easier
for the deployment. Any experiences, thoughts on these types of devices,
would be much appreciated.

Adel

On Wed 9:25 AM, a...@baklawasecrets.com sent:

 Hi,

 I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
 link. In the past I've normally used Juniper to terminate VPNs, as I
 have found them excellent devices and the route based VPN functionality
 very useful. However looking at their range, only the ISG will do a gig
 of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for
 firewall/routing capability at each site, then having separate
 encryption devices to handle the site-to-site VPN requiring the gig
 throughput. Does anyone have any suggestions on devices to use?

 Adel

 


Transit from Cogent - thoughts?

2009-11-11 Thread adel
 

Contemplating using Cogent Communications for transit, as pricing looks
favourable. Just trying to get a feel for what sort of reputation they
have in the network operator community. I'm sure people have horror
stories for every provider, but just trying to get a general idea of what
sort of regard they are held in by the community.

Thanks

Adel
 


Resilience - How many BGP providers

2009-11-11 Thread adel
 

Hi,

After recent discussions on the list, I've been thinking about the effects
of multiple BGP feeds on the overall resilience of Internet connectivity
for my organisation. So originally when I looked at the design
proposals, there was a provision in there for four connections with the
same Internet provider. Thinking about it, and with the valuable input of
members on this list, it was obvious that multiple connections from the
same provider defeated the aim of providing resilience.

So having come to the decision to use two providers and BGP peer with
both, I'm wondering how much more resilience I would get by peering
with more than two providers. So will it significantly increase my
resilience to peer with three providers, for example, as both of the
upstreams I choose will be multihomed to other providers? Especially as
I am only looking at peering out of the UK.

Hope the above makes sense.

Adel
 


Re: Gig Throughput on IPSEC - alternatively Layer2 encryption devices

2009-11-11 Thread adel
Hi,

Thanks for the pointers to the Juniper devices. I think I'm really thinking
about Layer 2 encryption, rather than doing the encryption using IPSEC. I feel
that as it's a p-t-p fibre link, this makes most sense in terms of throughput
and least impact on the network. Operating at Layer 3, the IPSEC solution
introduces more complexity than I would like across this link. As I understand
it, with Layer 2 encryption devices, VLANs between the sites would just work.
I'm interested to hear of people's experiences with Layer 2 encryption devices
out there, as I don't have that much experience with them.

I think my subject line mentioning IPSEC is a bit confusing, as I'm really after
information on Layer 2 encryption hardware.

Adel

On Wed 6:45 PM, Brad Fleming bdflem...@kanren.net sent:

 On Nov 11, 2009, at 3:25 AM, adel@baklawasecrets.com wrote:

  Hi,

  I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
  link. In the past I've normally used Juniper to terminate VPNs, as I have
  found them excellent devices and the route based VPN functionality very
  useful. However looking at their range, only the ISG will do a gig of
  IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for
  firewall/routing capability at each site, then having separate encryption
  devices to handle the site-to-site VPN requiring the gig throughput. Does
  anyone have any suggestions on devices to use?

  Adel

 Not knowing all your other needs, I won't swear to it... but would the
 Juniper SRX650 work for your situation? It can pass 1.5Gbps of encrypted
 traffic according to their datasheet. I've never actually tried to move
 that much data through the box so I can't testify to it.

 Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted
 traffic.

 Of course, these are JunosES devices as opposed to ScreenOS, but the
 transition isn't as painful as you might expect. We actually use the
 J-series devices with JunosES as site routers/firewalls with a great deal
 of success.




RE: Resilience - How many BGP providers

2009-11-11 Thread adel
I suppose I could take the whole resilience thing further and further and
further. One of the replies used a phrase which I think captured the problem
quite nicely: "diminishing returns". Basically I could spend lots and lots of
money to try and eliminate all single points of failure. Clearly I don't have
the money to do this, and what I'm really trying to establish is at what point
the returns start to diminish with regards to obtaining multiple transit
providers. The answer appears to be "it depends". So if getting a third BGP
peering with divergent paths, separate last mile, separate facility and
separate router will increase costs by 5x but only increase resilience by
0.001%, is it really worth it? I'm trying to quantify the resilience of my
Internet connectivity and quantify the effects of adding more providers. Now
to run through my case:

- I have one facility to locate BGP routers at. That's not changing for the
moment.
- I can afford two BGP routers.
- The facility I'm located at tell me they have divergent fibre paths and
multiple entries into the facility. (Still need to verify this by getting them
to walk the routes with me.)
- I am going to take transit from two upstreams.
- I could ask the question as to whether I can peer with separate routers on
each of the upstreams, i.e. to protect against router failures on their side.
- I will make sure that neither upstream peers with the other directly. (Does
this give me some AS path redundancy?)

So from the above:

- I have no resilience with regards to datacentre location, i.e. if a plane
fell out of the sky etc., I'm done.
- I can afford some BGP router resilience on my side. So I should be able to
continue working if a router failure which only affects one of my routers
occurs.
- I have some resilience in terms of actual fibre paths to the facilities where
I will be picking up the BGP feeds from. (To be verified.)
- I have some "AS resilience", if this is the right term. So if the AS of one
of my upstreams drops off the face of the Internet, I can still get to the
Internet through the AS of my other provider.
- Peering with separate routers may give me some resilience for router failure
on the side of my upstreams? (Not totally sure on this.)

In this situation, if I add another peering with another upstream, am I really
getting much return in terms of resilience? Or should I spend this money
examining the many other SPOFs in my architecture? I'm perfectly sure there is
absolutely no point in me peering with 6 providers, but maybe some gains in
peering with 3? I'm trying to figure out at what point adding another peering
in my case is a waste of money.

I haven't gone into switch and power redundancy, because I think I understand
it. I wanted to concentrate on the multiple upstreams question. Head's
starting to whirl right about now.

Adel


On Wed 5:27 PM, Dylan Ebner dylan.eb...@crlmed.com sent:

 Your question has many caveats. Just having two providers does not
 necessarily get you more resiliency. If you have two providers and they are
 terminating on the same router, then you still have a SPOF problem. You
 also need to look at physical paths as well. If you have two (or three)
 providers and they are using a common carrier, then you have a problem as
 well. For example, GLBX has a small presence in the Minneapolis metro. If
 I were to use them as a provider, they would use Qwest as a last mile. If
 my other provider is Qwest (which it is), I may not have path divergence.

 Facilities are important too. We have three upstreams; Qwest, MCI and ATT.
 The facility only has two entrances, so that means two of these are in the
 same conduit. If you only have one entrance, all your connections are going
 to run through that conduit, and that makes you susceptible to a rogue
 backhoe.

 You are on the right track to question your resiliency. Some upstreams can
 offer good resiliency with multiple feeds. Others cannot. I would start with
 your provider and see what you are getting. Maybe you already have path
 divergence, separate last miles, and multiple paths in the ISP core. If you
 go with multiple providers, you want to make sure you don't risk losing
 something you already have.

 -Original Message-
 From: a...@baklawasecrets.com [adel@baklawasecrets.com]
 Sent: Wednesday, November 11, 2009 11:14 AM
 To: na...@nanog.org
 Subject: Resilience - How many BGP providers

 Hi,

 After recent discussions on the list, I've been thinking about the
 effects of multiple BGP feeds on the overall resilience of Internet
 connectivity for my organisation. So originally when I looked at the design
 proposals, there was a provision in there for four connections with the
 same Internet provider. Thinking about it, and with the valuable input
 of members on this list, it was obvious that multiple connections from the
 same provider defeated the aim of providing resilience.

 So having come to the decision

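The "AS path redundancy" question in the message above can be checked against the routing table rather than guessed at. What follows is an added example, not something from the thread: given the AS paths received from each upstream for a handful of prefixes (a constructed RIB excerpt here; in practice you would extract it from `show ip bgp` output or a looking glass), it finds, per prefix, the ASes present on every available path, which are exactly the single points of failure a second upstream has not removed; flags paths where one upstream reaches a prefix through the other; and simulates an AS disappearing. The ASNs (65001 and 65002 as the two upstreams, the rest as transit and origin ASes) and the prefixes are documentation-range values I chose.

```python
"""Shared-transit / single-point-of-failure check over BGP AS paths.

Added example, not from the original thread. SAMPLE_RIB is a constructed
excerpt of what two upstreams (AS65001 and AS65002, documentation-range
ASNs) advertise for three prefixes; each path is listed as received,
first hop first, origin AS last.
"""
from typing import Dict, List, Set, Tuple

Path = List[int]
Rib = Dict[str, List[Path]]

UPSTREAMS: Set[int] = {65001, 65002}

SAMPLE_RIB: Rib = {
    # both upstreams hand off to the same transit AS65100
    "192.0.2.0/24": [[65001, 65100, 65200], [65002, 65100, 65200]],
    # genuinely diverse: only the origin AS is shared
    "198.51.100.0/24": [[65001, 65200], [65002, 65300, 65200]],
    # upstream A reaches this prefix through upstream B
    "203.0.113.0/24": [[65001, 65002, 65400]],
}


def common_transit(paths: List[Path]) -> Set[int]:
    """ASes that appear on every path, excluding each path's origin AS.

    Anything returned here is a single point of failure for the prefix:
    if that AS goes away, no path remains. The origin is excluded because
    it is unavoidable by definition.
    """
    transit = [set(path[:-1]) for path in paths if path]
    return set.intersection(*transit) if transit else set()


def single_points_of_failure(rib: Rib) -> Dict[str, Set[int]]:
    """Per prefix, the set of transit ASes shared by all known paths."""
    return {prefix: common_transit(paths) for prefix, paths in rib.items()}


def reachable_after_failure(rib: Rib, failed_as: int) -> Set[str]:
    """Prefixes that still have at least one path not traversing failed_as."""
    return {prefix for prefix, paths in rib.items()
            if any(failed_as not in path for path in paths)}


def upstream_via_upstream(rib: Rib, upstreams: Set[int]) -> List[Tuple[str, int, int]]:
    """(prefix, upstream, other_upstream) where one upstream's path to the
    prefix runs through another of our upstreams, so both sessions lose the
    prefix together when the second upstream's AS fails."""
    hits = []
    for prefix, paths in rib.items():
        for path in paths:
            first = path[0]
            others = upstreams - {first}
            via = next((asn for asn in path[1:] if asn in others), None)
            if via is not None:
                hits.append((prefix, first, via))
    return hits


def report(rib: Rib, upstreams: Set[int]) -> str:
    """Human-readable summary of the three checks above."""
    lines = []
    for prefix, spof in single_points_of_failure(rib).items():
        lines.append(f"{prefix}: shared transit {sorted(spof) or 'none'}")
    for prefix, first, via in upstream_via_upstream(rib, upstreams):
        lines.append(f"{prefix}: AS{first} reaches it via AS{via}")
    for asn in sorted(upstreams):
        lost = set(rib) - reachable_after_failure(rib, asn)
        lines.append(f"if AS{asn} fails, unreachable: {sorted(lost) or 'nothing'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RIB, UPSTREAMS))
```

Run over a full table the interesting output is the histogram of shared-transit ASes: if one AS shows up as a single point of failure for most prefixes, a third upstream only helps if it does not also buy transit from that AS, which is the "diminishing returns" question in concrete form.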
Re: BGP Peer Selection Considerations

2009-11-10 Thread adel

If nothing else, by the time this deployment is finished I will surely have
become extremely cynical. Now reading through people's answers, I think the
general consensus is that I would be giving too much control to provider A in
the scenario I suggested below. So as someone mentioned, they have the ability
to foul up my connections all by themselves. From all of this I gather that the
most resilience would be provided by:

1) Go to two tier 1 carriers myself - say Global Crossing and Level 3. Arrange
to get two 100meg BGP feeds, burstable. Pick them up at different datacentres
as well I suppose, to provide datacentre redundancy? Negotiate pricing; any
tips on negotiating appreciated.

2) Arrange cross connects to these providers, i.e. get to the datacentres the
Tier 1 providers are in. They are not on net at the colo we are in. With
regards to arranging the cross connects, am I able to ask the cross connect
providers for fibre maps? Is this a done thing, or will they brush me off with
"you don't need this, our network is diverse"?

3) Arrange for PI space and ASN myself, so become an LIR through RIPE.

Do I really lose a lot by asking Level3 or GBLX to get the PI and ASN for me?
I think the failure mode cited by someone was if the PI and ASN provider goes
out of business. I would prefer not to go through becoming an LIR and
maintaining the membership, as they are not an ISP, and so it is more
attractive to do that through one of the Tier 1 providers.

I'm not sure what my options are in terms of getting to the datacentres to pick
up the Tier 1 providers. The provider A below has said they run a diverse fibre
backhaul network etc. etc. and I should go with them for connectivity to other
datacentres. Now it would be easier to go with them just because they are
running colo for us and they run the datacentre we are in. However I assume
that I should not be scared of arranging a second cross connect with someone
else altogether.

In all of the above, I'm most worried about administrative overhead. Managing
two cross connect providers, managing ongoing relationships with two Tier 1
providers and so on. However, "resilience comes at a cost" I suppose is the
answer.

Comments appreciated.

Adel

On Mon 7:10 PM, William Herrin herrin-na...@dirtside.com sent:
 On Mon, Nov 9, 2009 at 12:40 PM, adel@baklawasecrets.com wrote:
  I have an existing relationship with provider A, colo, cross connects
  etc. Provider A has offered to get the PI space, ASN number, purchase
  the transit for us with provider B and manage cross connects to
  provider B (they say they have a diverse fibre backhaul network). This
  is quite attractive from a support and billing perspective. Also
  suspect that provider A will be able to get more attractive pricing
  from Provider B than I would be able to.

  Am I missing things that I need to consider?

 What happens when provider A is bought by provider C and you want to
 dump provider C but keep provider B? You'll have created a conflict of
 interest for provider B in any negotiation you have with them.

 Be aware that provider A's diverse network for provider A's service is
 the same diverse network they'll use to connect you to provider B. As
 a result, many or most of the outages which impact provider A will
 also impact your connectivity to provider B, defeating the central
 purpose of having a provider B.

 Regards,
 Bill Herrin


 --
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004
 
 
 




Re: BGP Peer Selection Considerations

2009-11-10 Thread adel
I've decided to get transit from provider B independently of A, so I don't
create a conflict of interest as mentioned below. However I think that I will
have to use provider A's dark fibre network to connect to both peerings.
Provider A tells me that they will use different routes and different entry
points to get to their peering, and separate routes and entries to get to B's
peering. As they own the datacentre and can probably provide the best costs
for getting into the datacentres where the second transit provider is, I think
I will have to use

I should mention there are no transit providers on net at the datacentre
facility which has been acquired by the business. I suspect it will be cheaper
to get the cross connects to where the transit provider is from provider A
(did I mention provider A owns the datacentre?). I know I'll be sacrificing
some resilience by using A's network to get to both Internet services; however
I think I will just have to outline the risks to the business and go with it.
Moving datacentres isn't an option, and as long as I understand exactly what
resilience I sacrifice by getting A to provide all the cross connects, I can
explain that to the business.

Adel





On Mon   7:10 PM , William Herrin herrin-na...@dirtside.com wrote:

 On Mon, Nov 9, 2009 at 12:40 PM,  wrote:
  I have an existing relationship with provider A, colo, cross connects
  etc.  Provider A has offered to get the PI space, ASN number,
  purchase the transit for us with provider B and manage cross
  connects to provider B (they say they have a diverse fibre
  backhaul network).  This is quite attractive from a support
  and billing perspective.  Also suspect that provider A will be
  able to get more attractive pricing from Provider B than I
  would be able to.
 
  Am I missing things that I need to consider?
 
 What happens when provider A is bought by provider C and you want to
 dump provider C but keep provider B? You'll have created a conflict of
 interest for provider B in any negotiation you have with them.
 
 Be aware that provider A's diverse network for provider A's service is
 the same diverse network they'll use to connect you to provider B. As
 a result, many or most of the outages which impact provider A will
 also impact your connectivity to provider B, defeating the central
 purpose of having a provider B.
 
 Regards,
 Bill Herrin
 
 -- 
 William D. Herrin  her...@dirtside.com b...@herrin.us
 3005 Crane Dr. .. Web: 
 



Re: Failover how much complexity will it add?

2009-11-09 Thread adel

You will laugh, but the budget at the moment looks like £13k. Impossible? Do
only Linux and OpenBSD solutions remain in the mix for this pittance?



On Sun  11:47 PM , Dale Rumph da...@ibbs.com wrote:

 What does your budget look like? A pair of Cisco 7246vxr's with G1's
 sitting on the edge of the network would be very effective and still allow
 expansion. Or you could go up to the 7609. However this gear may be
 slightly overkill. You might be ok with a 3660 enterprise and a ton of
 ram. I have done single sessions on them but not with the level of HA your
 looking for.
 
 Just my 2c
 
 - Original Message -
 From: a...@baklawasecrets.com 
 To: nanog@nanog.org 
 Sent: Sun Nov 08 18:36:31 2009
 Subject: Re: Failover how much complexity will it add?
 
 Basically the organisation that I'm working for will not have the skills
 in house to support a linux or bsd box. They will have trouble
 with supporting the BGP configuration, however I don't think they will be
 happy with me if I leave them with a linux box when they
 don't have linux/unix resource internally. At least with a Cisco or
 Juniper they are familiar with IOS and it won't be too foreign to them.
 
 On Sun 11:30 PM , Renato Frederick  wrote:
 
  There are any problems with quagga+BSD/Linux that you know or something
 
  like that?
  
  Or in your scenario a cisco/juniper box is a requirement?
  
  I'm asking this because I'm always running BGP with upstreams providers
 
  using quagga on BSD and everything is fine until now.
  
  --
  From: 
  Sent: Sunday, November 08, 2009 8:39 PM
  To: 
  Subject: Re: Failover how much complexity will it add?
  
  
   So if my requirements are as follows:
  
   - BGP router capable of holding full Internet routing table. (whether I
   go for partial or full, I think I want something with full capability).
  
   - Capable of pushing 100meg plus of mixed traffic.
  
   What are my options? I want to exclude openbsd, or linux with quagga.
   Probably looking at Cisco or Juniper products, but interested
   in any other alternatives people suggest. I realise this is quite a broad
   question, but hoping this will provide a starting point. Oh and
   if I have missed any specs I should have included above, please let me
   know.
  
   Thanks
  
   Adel
  
  
  
 
 
 



Re: Failover how much complexity will it add?

2009-11-09 Thread adel


Looking at two 100Mbit/s BGP connections, so I think I want something that will 
do more than 100 but nowhere close to a gig.  So full routing table capability
with throughput of mixed traffic around 200Mbit/s.  If that makes sense.  Do 
the 2850s fall into that sort of price point?

Adel


On Mon  11:13 AM , Joe Abley jab...@hopcount.ca wrote:

 On 2009-11-09, at 19:53, a...@baklawasecrets.com wrote:
 
  You will laugh, but the budget at the moment looks like £13k. 
  Impossible? Do only linux and openbsd solutions remain in the mix 
  for this pittance?
 
 I don't see an indication of the traffic you need to push (maybe I 
 deleted a message too enthusiastically) but check the 2800 series from 
 cisco. The 2850 will take full tables and has gigabit interfaces, but 
 don't expect them to do wire speed. Other 2800s suffer from reduced 
 RAM, but perhaps you don't need full tables.
 
 Also look at Juniper J-series boxes, and maybe Force10 S-series boxes.
 
 There's a healthy market in used cisco gear in most places I have ever 
 visited, if you don't need new.
 
 Joe
 
 
 



Re: Failover how much complexity will it add?

2009-11-09 Thread adel
Thanks,

Their offering certainly looks appealing.  Will be interested to hear user 
experiences of the Vyatta BGP router range.  Having said that
I will still be examining the Cisco offering, just because of the support, 
larger user community and skills base issue.  However if I can't
meet the price point using Cisco, obviously other solutions are going to come 
into the picture.

Adel




On Mon  11:39 AM , Arnold Nipper arn...@nipper.de wrote:

 On 09.11.2009 11:53 a...@baklawasecrets.com wrote
 
  You will laugh, but the budget at the moment looks like £13k.
  Impossible? Do only linux and openbsd solutions remain in the mix
  for this pittance?
  
 
 Do you know Vyatta (http://www.vyatta.com/)? [1] CLI and config is
 Cisco-ish. Prices e.g.
 
 Vyatta Appliance, Vyatta 2502, Enterprise Subscription, Basic Warranty,
 1 Year (ships with US Power Cord as standard) (Typically ships in 10-12
 business days)
 Price: $2,997.00
 
 Best regards,
 Arnold
 -- 
 Arnold Nipper / nIPper consulting, Sandhausen, Germany
 email: arn...@nipper.de phone: +49 6224 9259 299
 mobile: +49 172 2650958 fax: +49 6224 9259 333
 
 
 
 Links:
 --
 [1]
 http://webmail.123-reg.co.uk/parse.php?redirect=http://www.vyatta.com/%29%3F
 



Re: Failover how much complexity will it add?

2009-11-09 Thread adel
Thanks,

I've taken your advice and decided to reconsider my requirement for a full 
routing table.  I believe I'm being greedy and a partial table will be 
sufficient.  With regards to Linux/BSD, it's not the CLI of quagga that will be 
an issue, rather the sysadmin and lack of supporting infrastructure for Linux 
boxes within the organisation.  So things like package management, syslog 
servers, monitoring, understanding of security issues etc.  I don't want to 
leave them with a linux/bsd solution that they won't be able to maintain/manage 
effectively when I am gone.

Thanks for your comments.  Look forward to hearing which solutions come back 
into the mix having dropped the full routing table requirement.

Regards,

Adel



On Mon  11:45 AM , Joe Greco jgr...@ns.sol.net wrote:

 Basically the organisation that I'm working for will not have the skills
 in house to support a linux or bsd box. They will have trouble
 with supporting the BGP configuration, however I don't think they will be
 happy with me if I leave them with a linux box when they
 don't have linux/unix resource internally. At least with a Cisco or
 Juniper they are familiar with IOS and it won't be too foreign to them.
 
   On Sun 11:47 PM , Dale Rumph  wrote:
   
   What does your budget look like? A pair of Cisco 7246vxr's with G1's
   sitting on the edge of the network would be very effective and still allow
   expansion. Or you could go up to the 7609. However this gear may be
   slightly overkill. You might be ok with a 3660 enterprise and a ton of
   ram. I have done single sessions on them but not with the level of HA you're
   looking for.
   
   Just my 2c
 
  You will laugh, but the budget at the moment looks like £13k. 
  Impossible? Do only linux and openbsd solutions remain in the mix 
  for this pittance?
 
 No, you have the buy-it-off-eBay solutions as well. Beware the
 fakes.
 
 If they're familiar with IOS, then they can be familiar with Quagga
 about as easily as they could be familiar with a switch or other 
 network gizmo that had a Ciscoesque CLI but wasn't actually Cisco.
 
 You've painted yourself into a corner. I have a word for you:
 
 Reconsider.
 
 I don't care what you reconsider, but reconsider something. You can
 reconsider taking BGP with a full table. You can reconsider Quagga.
 Or you can reconsider your budget. This is the end result of the
 pick any two problem.
 
 Most end user organizations have no need of full routes in BGP. To
 try to take them dooms TCAM-based equipment at some future point,
 though if you have a lot of money to throw at it, you can make that
 point be years in the future. It is essentially planned obsolescence.
 If you discard the requirement for full routes, you open up a bunch
 of reasonably-priced possibilities.
 
 Finding someone knowledgeable in BSD or Linux isn't that rough. 
 Unlike a Cisco 76xx router, the hardest part of a Quagga-based 
 solution is finding the right mix of hardware and software at the
 beginning. PC hardware has a lot going for AND against it. There is
 no reason you can't make a good router out of a PC. If you buy the
 Cisco software-based routers, you're essentially buying a prepackaged
 version, except that it'll be specced to avoid any real competition 
 with their low-end TCAM-based offerings. A contemporary PC can 
 easily route gigabits. Vyatta makes what I hear is a fantastic
 canned solution of some sort, for a reasonable cost, and they will
 sell just software or software/hardware. If you really can't put
 it together yourself, there's someone to do it for you.
 
 Reconsidering your budget is probably the most painful thing to do,
 but also opens up the just buy big Cisco option. I think my point
 here would have to be that what you're looking for would have needed
 big Cisco... ten years ago. Now, dealing with a few hundred megs of
 traffic, that's not that big a deal, the thing that's killing you is
 the BGP table size.
 
 Your best option may be to see if you can settle for partial routes
 plus a default.
 
 ... JG
 -- 
 Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net [1]
 We call it the 'one bite at the apple' rule. Give me one chance [and] then I
 won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
 With 24 million small businesses in the US alone, that's way too many apples.
 
 
 
 Links:
 --
 [1] http://webmail.123-reg.co.uk/parse.php?redirect=http://www.sol.net
 
 



Re: Failover how much complexity will it add?

2009-11-09 Thread adel

Actually thinking about this, I still need to understand the implications of 
not taking a full routing table to my setup.  So what is the likely impact 
going to be if I take partial instead of full routing table.  Would appreciate 
any feedback on this.  My organisation is only looking at using BGP as a means 
of failover between two separate upstream ISPs.  We are not an ISP.

Thanks

Adel



On Mon   1:32 PM , a...@baklawasecrets.com wrote:

 Thanks,
 
 I've taken your advice and decided to reconsider my requirement for a
 full routing table. I believe I'm being greedy and a partial table will be
 sufficient. With regards to Linux/BSD, its not the CLI of quagga that will
 be an issue, rather the sysadmin and lack of supporting infrastructure for
 Linux boxes within the organisation. So things like package management,
 syslog servers, monitoring, understanding of security issues etc. I don't
 want to leave them with a linux/bsd solution that they won't be able to
 maintain/manage effectively when I am gone.
 
 Thanks for your comments. Look forward to hearing which solutions come
 back into the mix having dropped the full routing table requirement.
 
 Regards,
 
 Adel
 
 On Mon 11:45 AM , Joe Greco  wrote:
 
  Basically the organisation that I'm working for will not have the skills
  in house to support a linux or bsd box. They will have trouble
  with supporting the BGP configuration, however I don't think they will be
  happy with me if I leave them with a linux box when they
  don't have linux/unix resource internally. At least with a Cisco or
  Juniper they are familiar with IOS and it won't be too foreign to them.
  
On Sun 11:47 PM , Dale Rumph wrote:

What does your budget look like? A pair of Cisco 7246vxr's with G1's
sitting on the edge of the network would be very effective and still allow
expansion. Or you could go up to the 7609. However this gear may be
slightly overkill. You might be ok with a 3660 enterprise and a ton of
ram. I have done single sessions on them but not with the level of HA you're
looking for.

Just my 2c
  
   You will laugh, but the budget at the moment looks like £13k. 
   Impossible? Do only linux and openbsd solutions remain in the mix 
   for this pittance?
  
  No, you have the buy-it-off-eBay solutions as well. Beware the
  fakes.
  
  If they're familiar with IOS, then they can be familiar with Quagga
  about as easily as they could be familiar with a switch or other 
  network gizmo that had a Ciscoesque CLI but wasn't actually Cisco.
  
  You've painted yourself into a corner. I have a word for you:
  
  Reconsider.
  
  I don't care what you reconsider, but reconsider something. You can
  reconsider taking BGP with a full table. You can reconsider Quagga.
  Or you can reconsider your budget. This is the end result of the
  pick any two problem.
  
  Most end user organizations have no need of full routes in BGP. To
  try to take them dooms TCAM-based equipment at some future point,
  though if you have a lot of money to throw at it, you can make that
  point be years in the future. It is essentially planned obsolescence.
  If you discard the requirement for full routes, you open up a bunch
  of reasonably-priced possibilities.
  
  Finding someone knowledgeable in BSD or Linux isn't that rough. 
  Unlike a Cisco 76xx router, the hardest part of a Quagga-based 
  solution is finding the right mix of hardware and software at the
  beginning. PC hardware has a lot going for AND against it. There is
  no reason you can't make a good router out of a PC. If you buy the
  Cisco software-based routers, you're essentially buying a prepackaged
  version, except that it'll be specced to avoid any real competition 
  with their low-end TCAM-based offerings. A contemporary PC can 
  easily route gigabits. Vyatta makes what I hear is a fantastic
  canned solution of some sort, for a reasonable cost, and they will
  sell just software or software/hardware. If you really can't put
  it together yourself, there's someone to do it for you.
  
  Reconsidering your budget is probably the most painful thing to do,
  but also opens up the just buy big Cisco option. I think my point
  here would have to be that what you're looking for would have needed
  big Cisco... ten years ago. Now, dealing with a few hundred megs of
  traffic, that's not that big a deal, the thing that's killing you is
  the BGP table size.
  
  Your best option may be to see if you can settle for partial routes
  plus a default.
  
  ... JG
  -- 
  Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net [1]
  We call it the 'one bite at the apple' rule. Give me one chance [and] then I
  won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
  With 24 million small businesses in the US alone, that's way too many apples.
  
  
  
  Links:
  --
  [1] http://webmail.123-reg.co.uk

Re: Failover how much complexity will it add?

2009-11-09 Thread adel
Hi Joe,

I agree with most of what you say below regarding linux sysadmin, BSD etc.  I'm 
quite happy and actually would prefer building a linux solution on our own 
hardware.  However, politically I think this is going to be difficult.  I just 
feel that they will be more comfortable with embedded network boxes as opposed 
to a linux solution.  I guess what I'm saying is this is partially a political 
thing.

Adel




On Mon   3:20 PM , Joe Greco jgr...@ns.sol.net wrote:

  
  Thanks,
  
  I've taken your advice and decided to reconsider my requirement for a full 
  routing table. I believe I'm being greedy and a partial table will be 
  sufficient. With regards to Linux/BSD, it's not the CLI of quagga that will 
  be an issue, rather the sysadmin and lack of supporting infrastructure for 
  Linux boxes within the organisation. So things like package management,
 
 
 You don't need to run Apache on your router.
 
  syslog servers, 
 
 If you didn't have syslog servers for the Cisco, you don't need one for 
 the Quagga.
 
  monitoring,
 
 If you didn't monitor the Cisco, you don't need to monitor the Quagga.
 
  understanding of security issues etc.
 
 What security issues?
 
 The thing is, people get all tied up over this idea that it is some major
 ongoing burden to support a Linux based device.
 
 I have a shocker for you. The CPE your residential broadband relies on may
 well run Linux, and you didn't even know it. The wifi router you use may run
 Linux. There are thousands of embedded uses for Linux. I highly doubt that
 the average TiVo user has a degree in Linux. Many different things you use
 in day-to-day life run Linux, BSD, VxWorks, or whatever ... mostly without any
 need of someone to handhold them on security issues.
 
 Of course, security issues do come up. But they do with Cisco as well. 
 
 A proper Linux router doesn't have ports open, aside from bgp and ssh, and
 those can be firewalled appropriately. This makes it very difficult to have
 any meaningful security problems relating to the platform...
 
 You can expect the occasional issue. Just like anything else. But trying to
 compare it to security issues on a general Linux platform is only meaningful
 if you're trying to argue against the solution.
 
 (I'm a BSD guy myself, but I don't see any reason for undue Linux
 paranoia)
 
  I don't want to leave them with a linux/bsd solution that they won't be
  able to maintain/manage effectively when I am gone.
 
 If they're unable to maintain something as straightforward as BSD or Linux 
 when you're gone, this raises alarm bells as to whether or not BGP is 
 really suited for them. BGP is *much* more arcane, relatively speaking.
 You can go to your local bookstore and pick up a ton of Linux or BSD sysadm
 books, but you'll be lucky to find a book on BGP.
 
  Thanks for your comments. Look forward to hearing which solutions come 
  back into the mix having dropped the full routing table requirement.
 
 There's a whole plethora of BGP-capable gear that becomes possible once 
 you make that call. Cisco and Juniper both make good gear. A variety
 of other mfrs do as well. Something as old as an Ascend GRF 400 (fast
 ethernet, line speed, 150K routes, ~1998?) is perfectly capable of dealing
 with the load, though I mention this primarily to make the point that there
 is a lot of equipment within the last decade that can support this.
 
 ... JG
 -- 
 Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net [1]
 We call it the 'one bite at the apple' rule. Give me one chance [and] then I
 won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
 With 24 million small businesses in the US alone, that's way too many apples.
 
 
 
 Links:
 --
 [1] http://webmail.123-reg.co.uk/parse.php?redirect=http://www.sol.net
 
 



BGP Peer Selection Considerations

2009-11-09 Thread adel
Hi,

Thanks to everyone that replied to my post on failover configuration.  This has 
led me to this post.  I'm at a point now where I'm looking at dual-homing with 
two BGP peers upstream.  Now what I am looking at doing is as follows:

BGP Peer with Provider A who is multihomed to other providers.
BGP Peer with Provider B who is not peered with provider A

I have an existing relationship with provider A, colo, cross connects etc.  
Provider A has offered to get the PI space, ASN number, purchase the transit 
for us with provider B and manage cross connects to provider B (they say they 
have a diverse fibre backhaul network).  This is quite attractive from a 
support and billing perspective.  Also suspect that provider A will be able to 
get more attractive pricing from Provider B than I would be able to.

Am I missing things that I need to consider?






Failover how much complexity will it add?

2009-11-08 Thread adel
Hi,

I was recently brought onto a project where some failover is desired, but I 
think that the number of connections provisioned is excessive.  Also hoping to 
get some guidance with regards to how well I can get the failover to actually 
work.  So currently 4 X 100Mb/s Internet connections have been provisioned.  
One is to be used for general Internet, out of the organisation, it also 
terminates VPNs from remote sites belonging to the organisation and some 
publicly accessible servers -routed DMZ and translated IPs.  Second Internet 
connection to be used for a separate system which has a site-to-site VPN to a 
third party support vendor.  Internet connections 3 and 4 are currently thought 
of as providing backups for one and two.  Both connections firewalled by a 
Juniper SSG of some description.

Now I couldn't get any good answers as to why Internet connections 1 and 2 need 
to be separate.  I think the idea was to make sure that there was enough 
bandwidth for the third party support VPN.  I feel that I can consolidate this 
into one connection and just use rate limiting to reserve some portion of the 
bandwidth on the connection and this should be fine.  Now if I was to do this 
then I can make a case for just having one backup Internet connection.  However 
I'm still concerned about failover and reliability issues.  So my questions 
regarding this are:

- Should I make sure that the backup Internet connection is from a separate 
provider?

- How can I achieve a failover which doesn't require me to change all the 
remote VPN endpoints in case of a failover?  It's possible to configure failover 
VPNs on the Junipers, which should take care of this, but how do I take care of 
the DMZ hosts and external translation?

- In fact I think I'm asking what are my options with regard to failover 
between one Internet connection and the other?


I'm hoping to figure out whether adding an extra Internet connection actually 
gives us that much, in fact whether it justifies the complexity and spend.

Many Thanks for your comments.

Adel





Re: Failover how much complexity will it add?

2009-11-08 Thread adel

Thanks for all your comments guys.  With regards to bgp I did
think about placing two bgp routers in front of the ssg's.  However
my limited understanding makes me think that if I had two bgp
connections from different providers I would still have issues.  So
I guess that if my primary Internet goes down I lose connectivity
to all the publicly addressed devices on that connection. Like
dmz hosts and so on.  I would be interested to hear how this 
can be avoided if at all or do I have to use the same provider.

I should add that we currently have provisioned two ssg in ha
mode.  Also is terminating bgp on the ssg also an option? I really
like the flexibility of route based VPN with addressable tun interfaces.

Thanks

adel
On Sun   3:47 PM , Joe Maimon jmai...@ttec.com sent:
 
 
 adel@baklawasecrets.com wrote:
  Hi,
 
 
  Now I couldn't get any good answers as to why Internet connections 1 and 2 need
  to be separate.  I think the idea was to make sure that there was enough
  bandwidth for the third party support VPN.  I feel that I can consolidate this
  into one connection and just use rate limiting to reserve some portion of the
  bandwidth on the connection and this should be fine.  Now if I was to do this
  then I can make a case for just having one backup Internet connection.  However
  I'm still concerned about failover and reliability issues.  So my questions
  regarding this are:
 
 I wouldn't jump to any conclusions that everything will work properly if
 you are terminating multiple connections directly on the SSG, what with
 egress likely being different than the ingress, even if you are using 
 the same IP range (BGP) on all the links.
 
 You could really be asking for trouble if you are planning on using a 
 different ISP provided IP range on each connection for each purpose.
 
 Front it all with routers that can policy route, whether or not you also
 use BGP.
 
 
 Joe
 
 
 
 
 




Re: Failover how much complexity will it add?

2009-11-08 Thread adel
Thanks Seth and James,

Things are getting a lot clearer.  The BGP multihoming solution sounds like 
exactly what I want.  I have more questions :-)

Now I suppose I would get my allocation from RIPE as I am UK based?

Do I also need to apply for an AS number?

As the IP block is mine, it is ISP independent.  i.e. I can take it with me 
when I decide to use two completely different ISPs?

Is the obtaining of this IP block, what is referred to as PI space?

Of course internally I split the /24 up however I want - /28 for untrust range 
and maybe a routed DMZ block etc.?

Assuming I apply for IP block and AS number, what's involved and how long does 
it take to get these babies?

I know the SSG550's have BGP capabilities.  As I have two of these in HA mode, 
does it make sense to do the BGP on these, or should I get dedicated BGP 
routers?

Fixing the internal routing policy so traffic is directed at the active BGP 
connection.  What's involved here, preferring one BGP link over the other?

Thanks again, I obviously need to do some reading of my own, but all the 
suggestions so far have been very valuable and definitely seem to be pointing 
in some
fruitful directions.

Adel



On Sun   6:31 PM , James Hess mysi...@gmail.com sent:
 On Sun, Nov 8, 2009 at 11:34 AM, adel@baklawasecrets.com wrote: [..]
  connections from different providers I would still have issues.  So I guess
  that if my primary Internet goes down I lose connectivity to all the publicly
  addressed devices on that connection. Like dmz hosts and so on.  I would be
  interested to hear how this can be avoided if at all or do I have to use the
  same provider.
 
 You assign multi-homed IP address space to your publicly addressed
 devices, which are not specific to either ISP. You announce to both ISPs, and
 you accept some routes from both ISPs.
 
 You get multi-homed IPs, either by having an existing ARIN allocation,
 or getting a /22 from ARIN  (special allocation available for
 multi-homing), or  ask for a /24 from  ISP A or ISP B  for
 multihoming.
 
 
 If  Link A fails, the BGP session eventually times out and dies: ISP
 A's  BGP routers withdraw the routes,  the IP addresses are then
 associated only with provider B.
 
 And you design your internal routing policy  to  direct  traffic
 within your network to the router with an active BGP session.
 
 Link A's failure is _not_ a total non-event,  but a 3-5 minute partial
 disruption, while the BGP session times out and updates occur in other
 people's routers, is minimal compared to  a  3 day outage, if serious
 repairs to upstream fiber are required.
 
 
 --
 -J
 
 
 




Re: Failover how much complexity will it add?

2009-11-08 Thread adel
Hi,

Thanks for the info on UKNOF.  I've started a thread there with regards to RIPE 
and obtaining ASN numbers and so on, as this is I guess quite UK specific.

Adel




On Sun   8:40 PM , Arnold Nipper arn...@nipper.de wrote:

 Hi Adel,
 
 On 08.11.2009 21:24 Ken Gilmour wrote
 
  There are companies like packet exchange (www.packetexchange.net [1])
 
 I could also comment on PacketExchange, but I do not. If you get more UK
 specific now you may perhaps want to post to UKNOF
 (http://lists.uknof.org.uk/cgi-bin/mailman/listinfo/uknof/) [2] as well.
 
 For _independent_ consultancy you may want to have a look at Netsumo
 (http://www.netsumo.com/) [3] Ask for Andy Davidson.
 
 Best regards,
 Arnold
 -- 
 Arnold Nipper / nIPper consulting, Sandhausen, Germany
 email: arn...@nipper.de phone: +49 6224 9259 299
 mobile: +49 172 2650958 fax: +49 6224 9259 333
 
 
 
 Links:
 --
 [1] http://webmail.123-reg.co.uk/parse.php?redirect=http://www.packetexchange.net
 [2] http://webmail.123-reg.co.uk/parse.php?redirect=http://lists.uknof.org.uk/cgi-bin/mailman/listinfo/uknof/%29
 [3] http://webmail.123-reg.co.uk/parse.php?redirect=http://www.netsumo.com/%29
 
 



Re: Failover how much complexity will it add?

2009-11-08 Thread adel
Don't think I sent the below to the list, so resending:

Thanks Seth and James,

Things are getting a lot clearer.  The BGP multihoming solution sounds like 
exactly what I want.  I have more questions :-)

Now I suppose I would get my allocation from RIPE as I am UK based?

Do I also need to apply for an AS number?

As the IP block is mine, it is ISP independent.  i.e. I can take it with me 
when I decide to use two completely different ISPs?

Is the obtaining of this IP block, what is referred to as PI space?

Of course internally I split the /24 up however I want - /28 for untrust range 
and maybe a routed DMZ block etc.?

Assuming I apply for IP block and AS number, what's involved and how long does 
it take to get these babies?

I know the SSG550's have BGP capabilities.  As I have two of these in HA mode, 
does it make sense to do the BGP on these, or should I get dedicated BGP routers?

Fixing the internal routing policy so traffic is directed at the active BGP 
connection.  What's involved here, preferring one BGP link over the other?

Thanks again, I obviously need to do some reading of my own, but all the 
suggestions so far have been very valuable and definitely seem to be pointing 
in some fruitful directions.

Adel




On Sun   6:31 PM , James Hess mysi...@gmail.com wrote:

 On Sun, Nov 8, 2009 at 11:34 AM,  wrote:
 [..]
  connections from different providers I would still have issues.  So
  I guess that if my primary Internet goes down I lose connectivity
  to all the publicly addressed devices on that connection. Like
  dmz hosts and so on.  I would be interested to hear how this
  can be avoided if at all or do I have to use the same provider.
 
 You assign multi-homed IP address space to your publicly addressed
 devices,
 which are not specific to either ISP. You announce to both ISPs, and
 you accept some routes from both ISPs.
 
 You get multi-homed IPs, either by having an existing ARIN allocation,
 or getting a /22 from ARIN (special allocation available for
 multi-homing), or ask for a /24 from ISP A or ISP B for
 multihoming.
 
 If Link A fails, the BGP session eventually times out and dies: ISP
 A's BGP routers withdraw the routes, the IP addresses are then
 associated only with provider B.
 
 And you design your internal routing policy to direct traffic
 within your network to the router with an active BGP session.
 
 Link A's failure is _not_ a total non-event, but a 3-5 minute partial
 disruption, while the BGP session times out and updates occur in other
 people's routers, is minimal compared to a 3 day outage, if serious
 repairs to upstream fiber are required.
 
 --
 -J
 
 
 



Re: Failover how much complexity will it add?

2009-11-08 Thread adel

Hi,

Ok thanks for clearing that up.  I'm getting some good feedback on applying for 
PI and ASN through Ripe LIRs over on the UKNOF so I think I have a handle on 
this.
With regards to BGP and using separate BGP routers.  I am announcing my PI 
space to my upstreams, but I don't need to carry a full Internet routing table, 
correct?
So I can get away with some lightweight BGP routers not being an ISP if that 
makes sense?

Adel



On Sun   9:26 PM , Ken Gilmour ken.gilm...@gmail.com wrote:

 Hey,
 
 Yes you apply to RIPE for your allocation. You should ask them for a
 /20 since it's the same price for that as a /24 if you can justify it
 (at least with LACNIC where I now get my allocations)...
 
 You will also need to apply for an ASN
 
 Correct- the block belongs to you and as long as you contact the
 transit provider from the address listed in WHOIS then you should be
 able to set up a new agreement easily.
 
 Yes the block is PI space (provider independent)
 
 It can take up to 1 month to get your assignments.
 
 I would recommend getting some different routers for this. I use
 OpenBSD in some of my locations which is extremely easy to work with.
 I also have some old NS-208 devices running ScreenOS for internal BGP
 in one other location. I would not recommend using any router with
 less than 1GB of RAM for BGP. In HA mode you can connect the two
 tails, one to each SSG (if they are in active active mode) and
 announce it that way (check out anycast), we also do this :).
 
 The way BGP works is that both connections are active at the same
 time, there is no primary and backup, if one goes down you just have
 one less to receive traffic over and more traffic on the other, but
 unless you stop announcing from one connection traffic will go over
 both.
 
 Regards,
 
 Ken
 
 2009/11/8 :
  Don't think I sent the below to the list, so resending:
 
  Thanks Seth and James,
 
  Things are getting a lot clearer.  The BGP multihoming solution sounds
  like exactly what I want.  I have more questions :-)
 
  Now I suppose I would get my allocation from RIPE as I am UK based?
 
  Do I also need to apply for an AS number?
 
  As the IP block is mine, it is ISP independent.  i.e. I can take
  it with me when I decide to use two completely different ISPs?
 
  Is the obtaining of this IP block, what is referred to as PI space?
 
  Of course internally I split the /24 up however I want - /28 for
  untrust range and maybe a routed DMZ block etc.?
 
  Assuming I apply for IP block and AS number, what's involved and how
  long does it take to get these babies?
 
  I know the SSG550's have BGP capabilities.  As I have two of these in
  HA mode, does it make sense to do the BGP on these, or should I get
  dedicated BGP routers?
 
  Fixing the internal routing policy so traffic is directed at the
  active BGP connection.  What's involved here, preferring one BGP link
  over the other?
 
  Thanks again, I obviously need to do some reading of my own, but
  all the suggestions so far have been very valuable and definitely
  seem to be pointing in some fruitful directions.
 
  Adel
 
 
 
 
  On Sun   6:31 PM , James Hess  wrote:
 
  On Sun, Nov 8, 2009 at 11:34 AM,  wrote:
  [..]
   connections from different providers I would still have issues.  So
   I guess that if my primary Internet goes down I lose connectivity
   to all the publicly addressed devices on that connection. Like
   dmz hosts and so on.  I would be interested to hear how this
   can be avoided if at all or do I have to use the same provider.
 
  You assign multi-homed IP address space to your publicly addressed
  devices,
  which are not specific to either ISP. You announce to both ISPs, and
  you accept some routes from both ISPs.
 
  You get multi-homed IPs, either by having an existing ARIN allocation,
  or getting a /22 from ARIN (special allocation available for
  multi-homing), or ask for a /24 from ISP A or ISP B for
  multihoming.
 
  If Link A fails, the BGP session eventually times out and dies: ISP
  A's BGP routers withdraw the routes, the IP addresses are then
  associated only with provider B.
 
  And you design your internal routing policy to direct traffic
  within your network to the router with an active BGP session.
 
  Link A's failure is _not_ a total non-event, but a 3-5 minute partial
  disruption, while the BGP session times out and updates occur in other
  people's routers, is minimal compared to a 3 day outage, if serious
  repairs to upstream fiber are required.
 
  --
  -J
 

Re: Failover how much complexity will it add?

2009-11-08 Thread adel
I think partial routes makes perfect sense, makes sense that traffic for 
customers who are connected to each of my upstreams should go out of
the correct BGP link as long as they are up!  Now I need to start thinking of 
BGP router choices, sure I have a plethora of choices :-(




On Sun 10:01 PM, Seth Mattinen se...@rollernet.us wrote:

 a...@baklawasecrets.com wrote:
  Hi,
  
  Ok thanks for clearing that up. I'm getting some good feedback on
 applying for PI and ASN through RIPE LIRs over on the UKNOF so I think I
 have a handle on this.
  With regards to BGP and using separate BGP routers. I am announcing my
 PI space to my upstreams, but I don't need to carry a full Internet
 routing table, correct?
  So I can get away with some lightweight BGP routers not being an ISP
 if that makes sense?
  
 
 Most will give you three choices: full routes, partial routes (internal,
 their customers) with default, and default only. If you can't swing full
 routes then I would go for partial routes as it will at least send
 traffic for each ISP and their customers directly to them rather than
 randomly over the other link. It all depends on what you're going to use
 as your BGP speaking platform.
 
 ~Seth
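As an added illustration (not code from any poster on this thread), the toy RIB below models the partial-routes-plus-default setup Seth describes and James's point that a failed session's routes are withdrawn, leaving the other provider carrying everything; the prefixes are constructed RFC 5737 documentation ranges and the neighbor names and local-pref values are assumptions.

```python
import ipaddress


class Rib:
    """Toy BGP RIB: prefix -> {neighbor: local_pref}. Longest-prefix match
    wins; among paths to the same prefix the highest local-pref wins."""

    def __init__(self):
        self.routes = {}

    def announce(self, neighbor, prefix, local_pref=100):
        net = ipaddress.ip_network(prefix)
        self.routes.setdefault(net, {})[neighbor] = local_pref

    def withdraw_neighbor(self, neighbor):
        # The session to this peer timed out: every route learned from it goes.
        for net in list(self.routes):
            self.routes[net].pop(neighbor, None)
            if not self.routes[net]:
                del self.routes[net]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        paths = self.routes[best]
        return min(paths, key=lambda nbr: (-paths[nbr], nbr))


def build_partial_routes_rib():
    """Partial routes plus default from two upstreams; ISP-A is preferred
    for the default via a higher local-pref (constructed RFC 5737 prefixes)."""
    rib = Rib()
    rib.announce("ISP-A", "0.0.0.0/0", local_pref=200)
    rib.announce("ISP-B", "0.0.0.0/0", local_pref=100)
    rib.announce("ISP-A", "203.0.113.0/24")   # a customer of ISP-A
    rib.announce("ISP-B", "198.51.100.0/24")  # a customer of ISP-B
    return rib


def simulate_link_a_failure():
    """Return (before, after) next-hop tables around the loss of ISP-A."""
    rib = build_partial_routes_rib()
    dests = ("203.0.113.10", "198.51.100.10", "192.0.2.10")
    before = {d: rib.lookup(d) for d in dests}
    rib.withdraw_neighbor("ISP-A")
    after = {d: rib.lookup(d) for d in dests}
    return before, after
```

Before the failure, traffic for each ISP's customers leaves via that ISP and everything else follows the preferred default; afterwards all three destinations resolve to ISP-B.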
 
 
 



Re: Failover how much complexity will it add?

2009-11-08 Thread adel

So if my requirements are as follows:

- BGP router capable of holding full Internet routing table.  (whether I go for 
partial or full, I think I want something with full capability).

- Capable of pushing 100meg plus of mixed traffic.

What are my options?  I want to exclude OpenBSD, or Linux with Quagga.
Probably looking at Cisco or Juniper products, but interested
in any other alternatives people suggest.  I realise this is quite a broad
question, but hoping this will provide a starting point.  Oh and
if I have missed any specs I should have included above, please let me know.

Thanks

Adel


On Sun 10:18 PM, Seth Mattinen se...@rollernet.us wrote:

 a...@baklawasecrets.com wrote:
  I think partial routes makes perfect sense, makes sense that traffic
 for customers who are connected to each of my upstreams should go out of
  the correct BGP link as long as they are up! Now I need to start
 thinking of BGP router choices, sure I have a plethora of choices :-(
  
 
 Personally I'll always go for full routes if the router has enough
 memory (software based) or TCAM space (hardware based). Cheaper to do on
 software platforms though. An entry level Cisco 2811 can take full
 tables from multiple upstreams with 786MB RAM or even 512. It won't push
 100 meg of mixed traffic though.
 
 ~Seth
 
 
 




Re: Failover how much complexity will it add?

2009-11-08 Thread adel
Basically the organisation that I'm working for will not have the skills in
house to support a Linux or BSD box.  They will have trouble
with supporting the BGP configuration; however, I don't think they will be happy
with me if I leave them with a Linux box when they
don't have Linux/Unix resource internally.  At least with a Cisco or Juniper
they are familiar with IOS and it won't be too foreign to them.




On Sun 11:30 PM, Renato Frederick freder...@dahype.org wrote:

 Are there any problems with Quagga+BSD/Linux that you know of, or something
 like that?
 
 Or in your scenario is a Cisco/Juniper box a requirement?
 
 I'm asking this because I'm always running BGP with upstream providers
 using Quagga on BSD and everything has been fine so far.
 
 --
 From: 
 Sent: Sunday, November 08, 2009 8:39 PM
 To: 
 Subject: Re: Failover how much complexity will it add?
 
 
  So if my requirements are as follows:
 
  - BGP router capable of holding full Internet routing table. (whether I
 
  go for partial or full, I think I want something with full capability).
 
  - Capable of pushing 100meg plus of mixed traffic.
 
  What are my options? I want to exclude openbsd, or linux with quagga. 
  Probably looking at Cisco or Juniper products, but interested
  in any other alternatives people suggest. I realise this is quite a
 broad 
  question, but hoping this will provide a starting point. Oh and
  if I have missed any specs I should have included above, please let me 
  know.
 
  Thanks
 
  Adel
 
 
 



sniffing x.25 on SUN/Solaris

2009-07-05 Thread Kasper Adel
Hello,

I am trying to capture X.25 traffic from a Sun machine and I wonder if snoop
supports it, because I asked my customer to capture it and send it over but
the trace doesn't include anything X.25 related.

Regards,
Kas