NSA able to compromise Cisco, Juniper, Huawei switches
Found some interesting news on one of the Australian news websites.

http://www.scmagazine.com.au/News/368527,nsa-able-to-compromise-cisco-juniper-huawei-switches.aspx

Regards,
Steven.
Re: The Making of a Router
Hello Baldur,

Your design regarding proxy ARP for every VLAN might hit some issues. If you look at the NANOG history you will find people having issues with proxy ARP for a large number of VLANs; what is your requirement for proxy ARP? Doing something at the access switch will most likely be better for you, such as PVLAN or the Brocade IP follow ve statement.

If you are planning to put clients on the same subnet, what are you planning to put in place to limit clients stealing each other's IPs? Only a few Brocade devices support the ARP ACL rules, which are a really nice feature. IP Source Guard works reasonably if using a DHCP server; otherwise you need to specify the MAC address. Some other brand switches support filtering the ARP packets per access port.

Regards,
Steven.

> Date: Sat, 28 Dec 2013 02:18:55 +0100
> From: Baldur Norddahl
> To: "nanog@nanog.org"
> Subject: Re: The Making of a Router
>
> On Sat, Dec 28, 2013 at 12:56 AM, Jon Sands wrote:
>
>> Yes, and in that world, one should probably not start up a FTTH ISP when
>> one has not even budgeted for a router, among a thousand other things. And
>> if you must, you should probably figure out your cost breakdown beforehand,
>> not after. Baldur, you mention $200k total to move 10gb with Juniper (which
>> seems insanely off to me). Look into Brocades CER line, you can move 4x
>> 10gbe per chassis for under 12k.
>
> I was saying $100k for two Juniper routers total.
>
> Perhaps we could get back on track, instead of trying to second guess what we did or did not budget for. You have absolutely no information about our business plans.
>
> The Brocade BR-CER-2024F-4X-RT-AC - Brocade NetIron CER 2024F-4X goes for about $21k and we need two of them. That is enough to buy a full year of unlimited 10G internet. And even then, we would be short on 10G ports. It is not that we could not bring that money if that was the only way to do it. It is just that I have so many other things that I could spend that money on, that would further our business plans so much more.
>
> I cannot even say if the Juniper or the Brocade will actually solve my problem. I need it to route to tens of thousands of VLANs (Q-in-Q), both with IPv4 and IPv6. It needs to act as IPv6 router on every VLAN, and very few devices seem to like having that many IP addresses assigned. It also needs to do VRRP and proxy ARP for every VLAN.
>
> The advantage of a software solution is that I can test it all before buying. Also, to some limited degree, I am able to fix shortcomings myself.
>
> Regards,
> Baldur
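Added example, not part of the thread and not any vendor's code: a small Python model of the IP Source Guard / DHCP-snooping binding check Steven refers to, run over constructed frames. The binding table maps (access port, MAC) to the address the DHCP server leased (a static binding stands in for hosts without DHCP), and every frame from an access port is checked against it, which is what stops one client on a shared subnet from claiming a neighbour's address. Port names, MACs and IPs are constructed from documentation ranges.

```python
"""Software model of an IP Source Guard / DHCP-snooping binding check.

Added example (not from the NANOG thread). All ports, MACs and addresses
below are constructed; the logic mirrors what an access switch does when
IP Source Guard is enabled on a port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    port: str
    mac: str
    ip: str


@dataclass(frozen=True)
class Frame:
    port: str
    src_mac: str
    src_ip: str   # IP source, or the ARP sender protocol address for kind "arp"
    kind: str     # "ip", "arp" or "dhcp"


UNSPECIFIED = "0.0.0.0"


class SourceGuard:
    def __init__(self, static=()):
        # (port, mac) -> set of addresses this host may use as a source
        self.bindings = {}
        for b in static:
            self.learn(b)

    def learn(self, binding):
        """Add a binding: from a DHCP ACK seen by snooping, or from static config."""
        key = (binding.port, binding.mac.lower())
        self.bindings.setdefault(key, set()).add(binding.ip)

    def check(self, frame):
        """Return ('permit' | 'drop', reason) for one frame arriving on an access port."""
        # DHCP from the unspecified address must pass, or no lease is ever learned
        if frame.kind == "dhcp" and frame.src_ip == UNSPECIFIED:
            return ("permit", "dhcp bootstrap")
        allowed = self.bindings.get((frame.port, frame.src_mac.lower()))
        if allowed is None:
            return ("drop", "no binding for port/MAC")
        if frame.src_ip not in allowed:
            # Covers both IP packets and ARP sender fields: this is the
            # "neighbour steals my address" case from the thread.
            return ("drop", f"{frame.src_ip} is not bound to {frame.src_mac} on {frame.port}")
        return ("permit", "matches binding")


def run_sample():
    """Feed constructed frames through the guard; returns one verdict per frame."""
    guard = SourceGuard(static=[Binding("ge-0/0/3", "00:00:5e:00:53:03", "192.0.2.30")])
    guard.learn(Binding("ge-0/0/1", "00:00:5e:00:53:01", "192.0.2.10"))  # client A lease
    guard.learn(Binding("ge-0/0/2", "00:00:5e:00:53:02", "192.0.2.11"))  # client B lease
    frames = [
        Frame("ge-0/0/1", "00:00:5e:00:53:01", "192.0.2.10", "ip"),    # A, own address
        Frame("ge-0/0/2", "00:00:5e:00:53:02", "192.0.2.10", "arp"),   # B announcing A's IP
        Frame("ge-0/0/2", "00:00:5e:00:53:02", "192.0.2.11", "arp"),   # B, own address
        Frame("ge-0/0/4", "00:00:5e:00:53:04", "192.0.2.12", "ip"),    # host with no lease
        Frame("ge-0/0/4", "00:00:5e:00:53:04", UNSPECIFIED, "dhcp"),   # that host asking for one
        Frame("ge-0/0/3", "00:00:5e:00:53:03", "192.0.2.30", "ip"),    # statically bound host
    ]
    return [guard.check(f) for f in frames]


if __name__ == "__main__":
    for verdict, reason in run_sample():
        print(f"{verdict:6} {reason}")
```

The static binding in the constructor is the case Steven mentions for sites without a DHCP server: the switch has no lease to learn from, so the MAC and address have to be configured by hand. Without the DHCP bootstrap exception the guard would also drop the client's own discover, so a real port must let that through before any binding exists.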
Re: The Making of a Router
There has been a lot of conversation lately regarding 10Gbps+ routing without higher cost devices such as the Junipers. I have been looking into a few options myself; below are my opinions so far. What are your recommendations, real life experiences and ideas?

- Mikrotik Cloud Core Router

The Mikrotik CCR might have 2 SFP+ ports, but with any ACLs, etc. fast path is disabled, which already limits the functionality a lot. The BGP calculations only happen on a single core, which provides very slow performance for full routing tables. RouterOS is very unstable and had a large number of bugs even with version 6. I have had issues using them even on some small test environments; I would not recommend this hardware for nearly any setup.

- Linux Based Software Routing

Quagga is great for BGP with the correct CPUs and configurations. Vyatta or VyOS provides a stable and simple configuration method for Quagga. The issue with all of the options currently available is forwarding plane performance; you are only looking at 1Gbps+ at line rate. Most providers will have to deal with DDoS attacks at one point or another and I would not recommend taking the chance. If you are only looking at 1Gbps or less worth of traffic this is a great option. DDoS attack information from just the Arbor Networks hardware: http://www.digitalattackmap.com/

Userspace processing of the forwarding plane will help a lot to overcome this issue. There are a few different solutions out there but the most common is Intel DPDK. Some of you would know about the Intel DPDK from the upcoming Brocade vRouter 5600, which supports 10Gbps line rate per core. I can see Intel DPDK being used for other solutions such as DDoS filtering, as currently you require specialised hardware such as Arbor Networks or NSFOCUS. It would be much cheaper if you could do some filtering from x86 hardware at line rate. http://blog.lukego.com/blog/2013/01/04/kernel-bypass-networking/

Brocade vRouter 5600 might be an option when it is released, depending on price, as you still need to get all the hardware required and make sure you do your research regarding the chipsets, etc. Most Intel SFP+ NICs will handle around 9MPPS but have great driver support. Solarflare have some nice NICs that can handle 16MPPS, but I can see a lot more reviews for different manufacturers coming out after the vRouter release. Hopefully VyOS or some other open source project can integrate Intel DPDK.

- OpenFlow

OpenFlow is a great method for really high PPS but the major limiting factor is the flow entries and flow mods. I personally like this architecture as it allows the control plane to run on x86 and the data plane to run on specialised hardware. For providers with 1 IP transit provider and a few peering IXs most OpenFlow hardware will support enough flow entries. The issue is supporting providers with a reasonable number of full routing tables; I think summarization will help a decent amount to lower the flow entries required. NoviSwitch 1248 supports 1 million flow entries, which is a reasonable number for smaller providers. I have only started to get my hands dirty with OpenFlow and would like to know if anyone is using it in production for routing? What OpenFlow controller are you using? E.g. RouteFlow https://sites.google.com/site/routeflow/

- Brocade CER

The older model CER devices had a lot of issues/bugs but the newer models such as BR-CER-2024C-4X-RT-AC seem to be a lot more stable. There are reviews on WebHostingTalk with people pushing more than 30Gbps on the newer models without issue. Based on other people's comments, such as Jon Sands', the units should be around 10K each new, which makes the units cost effective for a lot of implementations. If you are lucky enough to find one second hand you would only be looking at around $5-6K. The 2024C-4X-RT has 4 SFP+ ports, which is alright, but I would really like to see some larger options. Currently a lot of people just create a port channel with all 4 ports to an SFP+ switch, which allows them to connect more ports up, but you need to be careful about overprovisioning.

- Layer 3 SFP+ Switch

Great for providers with only one uplink as they just use a default route, but most providers require more than one uplink. There are a lot of cheap options out there; even the Junipers are not that costly.

Regards,
Steven.

> Date: Fri, 27 Dec 2013 21:34:00 -0500 (EST)
> From: "Justin M. Streiner"
> To: William Waites
> Cc: nanog@nanog.org
> Subject: Re: The Making of a Router
>
> On Sat, 28 Dec 2013, William Waites wrote:
>
>> On Fri, 27 Dec 2013 07:23:36 -0500 (EST), "Justin M. Streiner" <strei...@cluebyfour.org> said:
>>
>>> You end up combining some of the downsides of a hardware-based
>>> router with some of the downsides of a server (new attack
>>> vectors, another device that needs to be backed up, patched, and
>>> monitored...
>>
>> Might be a good idea to back up, patch and monitor your rout
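Added example, not part of the thread and not RouteFlow's or any switch vendor's code: a Python illustration of the summarization Steven expects to reduce OpenFlow flow entries, together with a check that the summarized table forwards identically. Routes are merged only within one next hop, adjacent prefixes are merged only when they exactly fill a supernet, and a more-specific is dropped only when its covering prefix points at the same hop; a supernet is never built over a gap, because longest-prefix match would then send traffic the original table did not route to that hop. The routes, next-hop names and sample addresses are constructed.

```python
"""Per-next-hop route summarization with a forwarding-equivalence check.

Added example, not from the NANOG thread. ROUTES and SAMPLES are constructed
from documentation address ranges; "peer-a" etc. are made-up next-hop names.
"""
from collections import defaultdict
from ipaddress import collapse_addresses, ip_address, ip_network


def summarize(routes):
    """routes: iterable of (prefix, next_hop) -> list of (prefix, next_hop).

    collapse_addresses() merges sibling prefixes that exactly fill a supernet
    and drops prefixes already covered by another prefix in the same group,
    so grouping by next hop keeps every merge forwarding-equivalent.
    """
    groups = defaultdict(list)
    for prefix, hop in routes:
        net = ip_network(prefix)
        groups[(hop, net.version)].append(net)   # v4 and v6 collapse separately
    out = []
    for (hop, _version), nets in groups.items():
        for net in collapse_addresses(nets):
            out.append((str(net), hop))
    return out


def lpm(table, addr):
    """Longest-prefix match: the next hop for addr, or None if unrouted."""
    a = ip_address(addr)
    best = None
    for prefix, hop in table:
        net = ip_network(prefix)
        if net.version == a.version and a in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop)
    return best[1] if best else None


def same_forwarding(before, after, addrs):
    """True if every sample address resolves to the same hop in both tables."""
    return all(lpm(before, a) == lpm(after, a) for a in addrs)


# Constructed routing table: nine entries across three next hops
ROUTES = [
    ("198.51.100.0/25", "peer-a"), ("198.51.100.128/25", "peer-a"),   # merge to /24
    ("203.0.113.0/26", "peer-b"), ("203.0.113.64/26", "peer-b"),       # merge to /25
    ("203.0.113.128/26", "peer-c"),                                    # other hop: stays
    ("192.0.2.0/24", "peer-a"), ("192.0.2.0/26", "peer-a"),            # redundant more-specific
    ("2001:db8::/33", "peer-a"), ("2001:db8:8000::/33", "peer-a"),     # merge to /32
]
SAMPLES = ["198.51.100.200", "203.0.113.70", "203.0.113.130", "203.0.113.200",
           "192.0.2.5", "2001:db8:8000::1"]

if __name__ == "__main__":
    summary = summarize(ROUTES)
    print(f"{len(ROUTES)} entries -> {len(summary)}; "
          f"forwarding unchanged: {same_forwarding(ROUTES, summary, SAMPLES)}")
    for prefix, hop in sorted(summary):
        print(f"  {prefix:20} via {hop}")
```

The 203.0.113.0/24 block is the case to watch: two of its /26s go to peer-b and one to peer-c, so the output keeps a /25 and a /26 rather than a single /24, and 203.0.113.192/26 stays unrouted in both tables. On a real full table the saving depends on how many neighbouring prefixes share a next hop, which is why the gain is larger for a provider with one transit and a few IX peers than for one carrying several full tables.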
10G Router
Hello,

I am currently looking into a 10G router that will support the below requirements and hopefully not be too costly. Do you know of any models to stay away from due to issues, or that you would recommend?

- 4x+ 10GbE ports
- BGPv4/v6
- Small number of RU preferred
- Support for 2-4 full routing tables
- 2x 10GbE ports down to switches
- 2x 10GbE for upstreams, but would prefer more to support IXs

I have been looking into a few options including: Brocade CER 2024C-4X, Brocade MLXe-4 with 10Gx8-X, Juniper MX80, Cumulus Linux, etc.

Some quick notes:

- 4x 10GbE ports is a bit low for the Brocade CER
- Not sure how the CER will handle a few routing tables and 10G+ traffic
- The MLX and MX80 are very high cost from what I have seen
- The MX80 has 4x 10GbE ports but at least allows an extra 4 via MIC
- Decent number of real use case reviews for the MX80
- Possibly use Cumulus Networks if there are any systems that meet the requirements

Thanks,
Steven