my idea is to advertise each service up
a separate rate-limited VLAN. So if one service is DDoS'd, and its
100mb vlan is hosed, the other 9 services still cope easily with each
of their 100mb vlans.
Seems simple and logical to me, but I wasn't sure what I was missing.
The trick isn't
On Nov 13, 2007, at 11:16 AM, Christopher Morrow wrote:
On 11/13/07, Rodney Joffe [EMAIL PROTECTED] wrote:
Are any of you operators utilizing VLANs to/with your transit
providers in order to isolate traffic types or services, and/or to
assist in traffic shaping before it hits your transit
each service up a separate
rate-limited VLAN. So if one service is DDoS'd, and its 100mb vlan is hosed,
the other 9 services still cope easily with each of their 100mb vlans.
Seems simple and logical to me, but I wasn't sure what I was missing.
The trick isn't the classification part
Are any of you operators utilizing VLANs to/with your transit
providers in order to isolate traffic types or services, and/or to
assist in traffic shaping before it hits your transit connections
(isolating the effects of DDoS's)?
Would you be prepared to share experiences, do's/don'ts
On 11/13/07, Rodney Joffe [EMAIL PROTECTED] wrote:
Are any of you operators utilizing VLANs to/with your transit
providers in order to isolate traffic types or services, and/or to
assist in traffic shaping before it hits your transit connections
(isolating the effects of DDoS's
On Tue, 13 Nov 2007, Christopher Morrow wrote:
There was once a customer at a past job that used a sacrificial T1 to
do this... They'd just announce/next-hop the attacked thing to the T1
interface, apparently remembering that there was BHR community
available (and
Randy Bush wrote:
the only stuff that makes me feel at all safe is what mike hughes
of linx described, or something even stricter, but i bow to mike's
experience.
and folk wonder why the grown-ups use PNIs for anything important.
Isn't this due to the fact their engineering scale is bigger?
* [EMAIL PROTECTED] (Randy Bush) [Thu 10 Nov 2005, 03:35 CET]:
[ the voice of experience speaks ]
[..]
thanks! this approaches reassuring. why does it tolerate 100
macs? at first blush, i would think three or four would be a
bad enough sign.
I've seen several cases where a router goes
Who said big carriers don't join IXes? There are plenty of
networks who have more traffic than some tier ones at IXes.
Hell, RANDY has a presence at least one IX.
well, one of my routers does :-) and it moves almost 50kb/sec!
i have spent long enough i don't want to count years trying to
NAPs these days are stable, scalable, and useful.
IXs (there were only four NAPs, and i'm too old and lazy to
play droid terminology drift) have pretty much always been
scalable (for the then current meaning of scale) and useful.
though i have admiration and sympathy for folk such as
steve,
.
It felt very weird building VLANs inside a router (and I made sure we
only did it once so I would not wake up at night and scream).
We used RPR+ which was pretty nice. And you pretty much can't shake
a stick at an interface card without it popping up with an Ethernet
interface.
I
router is connected to switch B
We use spanning tree across our network to allow the VLANs connectivity
across our network.
The peering exchange has an MoU that only 1 MAC address should be visible on
their switch. However they see 2 MAC addresses on our port.
- MAC address of Peering router
Brilus
Sent: 09 November 2005 10:40
To: nanog@merit.edu
Subject: Peering VLANs and MAC addresses
Hi ,
We are unable to resolve a problem with our peering exchange connection
and would like any
On 09.11.2005 11:50 Ben Butler wrote
Hi,
This should sort you out.
no keepalive
spanning-tree bpdufilter enable
add
no mop enabled
if your IOS also supports DECnet. Having
no ip
On Wed, 2005-11-09 at 12:29 +0100, Arnold Nipper wrote:
no ip gratuitous-arps (general command)
and
no ip proxy-arp (interface subcommand)
makes your IXP operator even happier.
Depends on the IXP operator and the equipment being configured. Speaking
for my particular neck of
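The commands traded in this sub-thread (no keepalive, bpdufilter, no mop, no proxy-arp, no gratuitous-arps) are the usual answer to an IXP's "one MAC, no STP, no chatter" MoU. As an added example, not anything posted in the thread, here is a small audit script that reads an IOS-style config and lists which of those commands are missing from the IX-facing port. The two configs inside it are constructed; the check list is the thread's. The caveat it encodes: IOS does not display features that are on by default, so on a real `show running-config` the absence of the `no` form means the feature is still active on the port.

```python
"""Added example (not from the thread): audit an IOS-style config for the
IXP-port hygiene commands suggested above.  SAMPLE_CONFIG and
HARDENED_CONFIG are constructed; the checks are the thread's own list.
IOS hides features that are on by default, so the absence of the "no"
form means the feature is still active on the port."""
import re

# Interface-level commands expected on the IX-facing port.
IFACE_REQUIRED = {
    "no keepalive": "Ethernet keepalives would be looped onto the IX fabric",
    "spanning-tree bpdufilter enable": "STP BPDUs could leak onto the IX fabric",
    "no mop enabled": "MOP hellos add chatter from the port's MAC",
    "no ip proxy-arp": "router would answer ARP for addresses behind it",
}
# Global commands (not per interface).
GLOBAL_REQUIRED = {
    "no ip gratuitous-arps": "gratuitous ARPs would be sent out of every port, IX included",
}

SAMPLE_CONFIG = """\
hostname peer-rtr1
!
interface GigabitEthernet0/1
 description IX peering port
 ip address 192.0.2.10 255.255.255.0
 no ip proxy-arp
 no keepalive
!
interface GigabitEthernet0/2
 description backbone
 ip address 198.51.100.1 255.255.255.252
!
"""

HARDENED_CONFIG = """\
hostname peer-rtr1
no ip gratuitous-arps
!
interface GigabitEthernet0/1
 description IX peering port
 ip address 192.0.2.10 255.255.255.0
 no ip proxy-arp
 no keepalive
 no mop enabled
 spanning-tree bpdufilter enable
!
"""

def parse_ios(config):
    """Split a config into (global command list, {interface: [commands]}).
    Only one level of nesting is handled, which is all this audit needs."""
    global_cmds, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None            # "!" ends a stanza in IOS output
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, ifaces

def audit_ixp_port(config, ifname):
    """Return [(missing_command, consequence), ...] for the named interface."""
    global_cmds, ifaces = parse_ios(config)
    if ifname not in ifaces:
        raise KeyError(f"interface {ifname} not found in config")
    present = set(ifaces[ifname])
    findings = [(cmd, why) for cmd, why in IFACE_REQUIRED.items() if cmd not in present]
    present_global = set(global_cmds)
    findings += [(cmd, why) for cmd, why in GLOBAL_REQUIRED.items() if cmd not in present_global]
    return findings

if __name__ == "__main__":
    for cmd, why in audit_ixp_port(SAMPLE_CONFIG, "GigabitEthernet0/1"):
        print(f"missing: {cmd:35} -> {why}")
```

Run it against a saved `show running-config` and the IX port name; an empty result means every command in the thread's list is present. The parser deliberately ignores anything nested deeper than one level, so it will not see, for example, per-subinterface settings.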
setup and I certainly don't know that much about
Cisco L2 features. Is it possible to have topology groups with a master
VLAN (the one that does STP) and member VLANs that don't speak STP? If
so, that may be a way to keep STP traffic from coming out of your IX
port (barring vendor bugs).
Your
to allow the VLANs connectivity
across our network.
The peering exchange has an MoU that only 1 MAC address should be visible on
their switch. However they see 2 MAC addresses on our port.
- MAC address of Peering router
- MAC address of the port they are connected to on switch
IX---SwitchA---SwitchB---Router
ok, i gotta ask. you folk really do this on exchanges? i guess
so. well, if you're gonna shoot people for carrying backpacks,
i guess shooting yourselves and eachother in the foot is small
change, even if the coins are larger.
randy
On 9-Nov-2005, at 16:35, Randy Bush wrote:
IX---SwitchA---SwitchB---Router
ok, i gotta ask. you folk really do this on exchanges?
I seem to think I've seen people doing this at most exchanges ISC has
installed an F-root node at. The motivation is usually the avoidance
of either
On Wed, 2005-11-09 at 11:55 -1000, Randy Bush wrote:
[IX---SwitchA---SwitchB---Router]
I'm not saying that the practice is good, or recommended,
or without peril. But it's certainly not isolated to the
UK.
perhaps it should be :-)
as folk from all over read this list, i just could
What is the problem with this for the IXP, assuming proper
safeguards are in place which are best practice anyway (BPDU
filters, port security, ...)?
Hello Robert :)
Which rule would you suggest for the IXP? The naive connect
only routers wouldn't do of course in nowaday's world of
On Wed, 9 Nov 2005, Robert Kiessling wrote:
Which rule would you suggest for the IXP? The naive connect
only routers wouldn't do of course in nowaday's world of
hybrids.
I've been following this with interest:
* How do you differentiate between a switch/router and a router? A lot of
On Wed, Nov 09, 2005 at 11:59:38PM -, Chris Roberts wrote:
I think the 'connect only routers' adage is probably a good conservative
motto to stick to. There are situations where connecting switches and
hybrids to IXPs is certainly more efficient and better suited, but only if
you know
On Wed, 9 Nov 2005, Robert Kiessling wrote:
Which rule would you suggest for the IXP? The naive connect
only routers wouldn't do of course in nowaday's world of
hybrids.
yick hybrids...
Steven Bakker wrote:
A lot of people are deploying C76xx as peering routers ...
rant
... which should be prohibited by law. Actually, C76xx should be
prohibited by law.
/rant
i know the current sport du jour in nanog is vendor bashing - but what
specifically do you see as faults in the
A lot of people are deploying C76xx as peering routers ...
rant
... which should be prohibited by law. Actually, C76xx should be
prohibited by law.
/rant
I've done my share of Cisco bashing in the past - but I have to say
that 6500/7600 worked pretty well as peering routers at my
larger number of
macs caused by something being broken, or a couple of hundred due to
either a physical loop being applied or leaking other vlans (true
badness).
It's also a relatively sensible default when you apply the restrict
behaviour.
Cheers,
Mike
Mike, All,
I know the changes the LINX has implemented, and I am
curious... and this might affect other folk as well.
What is better - the LINX approach (blocking the port,
trying again in x minutes when too many MACs were seen)
or the Equinix approach (we hardcode your MAC per VLAN/
per port
On Thu, 10 Nov 2005, Alexander Koch wrote:
I know the changes the LINX has implemented, and I am
curious... and this might affect other folk as well.
What is better - the LINX approach (blocking the port,
trying again in x minutes when too many MACs were seen)
or the Equinix approach (we
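The two IX policies being compared here (LINX: count the MACs seen on a port, block it past a threshold and retry after a timer; Equinix: hard-code the one permitted MAC per port/VLAN) behave differently for the member whose switch just leaked a few MACs. As an added example, not code from either exchange or from anyone in the thread, here is a simulation of both policies over one constructed stream of frames. The port name, MAC addresses (IANA documentation range) and the limit of 2 are made up for the demo; LINX's real tolerance, as mentioned above, is on the order of 100.

```python
"""Added example (not from the thread): simulate the two port policies
discussed above on one constructed stream of frames.  The thresholds,
port name and MAC addresses (IANA documentation range) are made up;
LINX's real limit is much higher than the 2 used here."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PortState:
    seen: set = field(default_factory=set)       # distinct source MACs learned
    blocked_until: Optional[float] = None        # LINX-style errdisable timer
    dropped: int = 0
    blocks: int = 0

class MacLimitPolicy:
    """LINX-style: block the port once more than `limit` distinct source
    MACs are seen, then retry (re-enable, forget learned MACs) after
    `recovery` seconds."""
    def __init__(self, limit, recovery):
        self.limit, self.recovery = limit, recovery
        self.ports = defaultdict(PortState)

    def frame(self, t, port, src):
        st = self.ports[port]
        if st.blocked_until is not None:
            if t < st.blocked_until:
                st.dropped += 1          # legitimate peer traffic is lost too
                return "blocked"
            st.blocked_until, st.seen = None, set()   # timer expired: retry
        st.seen.add(src)
        if len(st.seen) > self.limit:
            st.blocked_until = t + self.recovery
            st.blocks += 1
            st.dropped += 1
            return "block"
        return "forward"

class StaticMacPolicy:
    """Equinix-style: one hard-coded MAC per port/VLAN.  Frames from any
    other source are dropped but the port itself stays up."""
    def __init__(self, allowed):              # {port: permitted source MAC}
        self.allowed = allowed
        self.ports = defaultdict(PortState)

    def frame(self, t, port, src):
        st = self.ports[port]
        if self.allowed.get(port) != src:
            st.dropped += 1
            return "drop"
        return "forward"

def run(policy, events):
    """Apply a policy to (time, port, src_mac) events; return the verdicts."""
    return [policy.frame(t, p, m) for t, p, m in events]

PEER = "00:00:5e:00:53:01"
EVENTS = [                                # constructed; times in seconds
    (0,  "p1", PEER),                     # the peering router
    (1,  "p1", PEER),
    (10, "p1", "00:00:5e:00:53:a1"),      # a switch MAC leaking behind it
    (11, "p1", "00:00:5e:00:53:a2"),      # another one: 3 MACs on the port
    (12, "p1", PEER),                     # peer traffic during the incident
    (75, "p1", PEER),                     # after the recovery interval
]

if __name__ == "__main__":
    for pol in (MacLimitPolicy(limit=2, recovery=60),
                StaticMacPolicy({"p1": PEER})):
        verdicts = run(pol, EVENTS)
        st = pol.ports["p1"]
        print(type(pol).__name__, verdicts, "dropped", st.dropped)
```

Both policies drop two frames on this input, but not the same two: the MAC-limit policy takes the port down and loses the peer's own traffic until the timer expires, while the static policy silently discards only the foreign MACs and never interrupts the peer. That is the trade-off between the two approaches the question asks about.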
It's a benefit. I do not want to support 100 different vendors with 100
different sets of bugs, 100 different methods to save / restore
configurations, 100 different ways for authentication, etc etc... Today, it
is a benefit.
3550 runs IOS.
this is a benefit, especially in a switch?
PROTECTED]
Sent: Monday, January 26, 2004 9:10 AM
Subject: Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?
ISL _DOES NOT CHANGE_ packet size.
An 802.1q tag adds 4 bytes to the Ethernet frame.
ISL encapsulation adds 30 bytes to the Ethernet frame.
Steinar Haug, Nethelp consulting
Sorry; of course, I meant _change MTU_.
Both the ISL _and_ the Dotq headers are stripped off at the trunk
interface so they _both_ change the packet size but neither alters the
payload.
Scott C. McGrath
On Mon, 26 Jan 2004 [EMAIL PROTECTED] wrote:
:10 AM
Subject: Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?
ISL _DOES NOT CHANGE_ packet size.
An 802.1q tag adds 4 bytes to the Ethernet frame.
ISL encapsulation adds 30 bytes to the Ethernet frame.
Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
--
James Jun
.
The only product in the 3550 line that is pricewise worth getting
is the 3550-12G, if you need to do L2 gig aggregation to 1gig uplink and
you do not have many VLANs.
There are three issues I see where the 3550 actually has a selling point:
VRFs (even though they are too few)
Q-in-Q (limited
Roudnev [EMAIL PROTECTED]
Cc: ken emery [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, January 25, 2004 10:17 PM
Subject: Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?
On Sun, 25 Jan 2004, Alexei Roudnev wrote:
:
:L3 switching is just a term for idiots - it is ROUTING in old terms
want to deliver a 2meg service over ethernet to a
customer, this is a big issue.
The only product in the 3550 line that is pricewise worth getting
is the 3550-12G, if you need to do L2 gig aggregation to 1gig uplink and
you do not have many VLANs.
There are three issues I see where
On Mon, 26 Jan 2004, Alexei Roudnev wrote:
PS. How many Ethernet ports do you have in the office? Do you have 100K
ports? If not, why do you need 128K MACs? (I know only one case when I
need so many - some kind of DSL service...
I guess you're not into metro networking.
(just as
3550 runs IOS. That's an answer. I never allow any non-IOS router in a
production environment (except high end devices, such as Juniper, when the
benefits are very high). And the 3550 is not expensive (yes, it is not cheap).
If you believe that IOS solves all problems, we live on different
planets.
3550 runs IOS.
this is a benefit, especially in a switch?
randy
3550 runs IOS.
this is a benefit, especially in a switch?
If your whole support organization is geared towards IOS, and unable
to learn other CLIs, it may well be. Fortunately, not all support
organizations are like that :-)
Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
On Sun, 25 Jan 2004, Jeff Kell wrote:
We're running 30 SVIs on a 3550-12 (only 10 active at the moment, we're
in a transition). It is an aggregation switch that feeds back via L3.
According to the documentation on the Cisco site:
http://www.cisco.com/warp/public/473/145.html
The 3550-12
ISL _DOES NOT CHANGE_ packet size.
Is it April 1st? ISL changes the size of packets, does it not? So now
you have to deal with MTU issues. What happens when I want the biggest
MTU possible? I know it is not much of a difference in size, but for some
people, size does matter.
I am quite
1) Cisco ISL is much better than ugly 802.1q - first of all, it was
designed many years before 802.1q. I am not even talking about those
idiots who designed 802.1q as a _spanning tree on the trunk level_,
which made many configurations (which we used with ISL in the 199x years)
ISL _DOES NOT CHANGE_ packet size.
An 802.1q tag adds 4 bytes to the Ethernet frame.
ISL encapsulation adds 30 bytes to the Ethernet frame.
Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
PS. How many Ethernet ports do you have in the office? Do you have 100K
ports? If not, why do you need 128K MACs? (I know only one case when I
need so many - some kind of DSL service...
I guess you're not into metro networking.
This is one of my exceptions - you really need 128K MAC's
Both the ISL _and_ the Dotq headers are stripped off at the trunk
interface so they _both_ change the packet size but neither alters the
payload.
Obviously. But the fact that ISL adds 26 bytes more than 802.1q means
that multiple levels of ISL encapsulation are somewhat less practical
than
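The numbers in this sub-thread (4 bytes per 802.1Q tag, 30 bytes for ISL, and the question of what happens to a 1500-byte payload on a trunk) are easy to get wrong in the abstract. As an added example, not code posted by anyone in the thread, the script below builds and parses 802.1Q-tagged frames, including a stacked Q-in-Q pair, and computes the on-the-wire size for each encapsulation so you can see which ones push a full-size frame past the classic 1518-byte maximum. The MAC addresses and payload are constructed.

```python
"""Added example (not from the thread): build and parse 802.1Q-tagged
Ethernet frames and account for the on-the-wire size of 802.1Q, stacked
(Q-in-Q) tags and ISL, using the overheads stated above (4 bytes per
802.1Q tag, 30 bytes for ISL).  MAC addresses and payload are constructed."""
import struct

ETH_HDR = 14            # dst(6) + src(6) + EtherType(2)
FCS = 4                 # trailing Ethernet CRC
DOT1Q_TAG = 4           # TPID(2) + TCI(2) inserted after the source MAC
ISL_OVERHEAD = 30       # 26-byte ISL header + 4-byte ISL CRC around the whole frame
TPID_CTAG = 0x8100      # customer tag
TPID_STAG = 0x88A8      # service (outer) tag used for Q-in-Q

def build_frame(dst, src, ethertype, payload, vlans=()):
    """Return an Ethernet frame (without FCS) carrying the given stacked
    802.1Q tags, listed outermost first as (tpid, vid, pcp)."""
    frame = dst + src
    for tpid, vid, pcp in vlans:
        tci = (pcp << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Walk the tag stack; return (tags outermost first, inner EtherType, payload)."""
    off, tags = 12, []
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_CTAG, TPID_STAG):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci & 0x0FFF, tci >> 13))
        off += DOT1Q_TAG
    return tags, tpid, frame[off + 2:]

def wire_size(payload_len, tags=0, isl=False):
    """Bytes on the wire including FCS for a payload of payload_len bytes."""
    size = ETH_HDR + payload_len + FCS + tags * DOT1Q_TAG
    return size + ISL_OVERHEAD if isl else size

def needs_baby_giants(payload_len, tags=0, isl=False, max_frame=1518):
    """True if the trunk must accept frames above the classic untagged maximum."""
    return wire_size(payload_len, tags, isl) > max_frame

if __name__ == "__main__":
    f = build_frame(b"\x00\x00\x5e\x00\x53\x01", b"\x00\x00\x5e\x00\x53\x02",
                    0x0800, bytes(20), [(TPID_STAG, 100, 0), (TPID_CTAG, 200, 5)])
    print(parse_tags(f)[0], len(f))
    for tags, isl in ((0, False), (1, False), (2, False), (0, True)):
        print(tags, isl, wire_size(1500, tags, isl), needs_baby_giants(1500, tags, isl))
```

The point the size table makes: a 1500-byte payload is 1518 bytes untagged, 1522 with one 802.1Q tag, 1526 with a Q-in-Q pair and 1548 inside ISL, so every one of the encapsulations under discussion needs the trunk's MTU raised above the untagged maximum, and ISL eats that headroom fastest.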
Does anybody know of 1U - 2U form factor Ethernet switches that can
handle 4K VLANs, or at a minimum 2000 VLANs? Note that we're
specifically looking for the ability to handle this number of VLANs
operating simultaneously, not only VLAN *IDs* in the full 4K range.
(This rules out popular
Extreme box didn't experience the same problems (of course there
are cases where it's the other way around). Overall I have more confidence
in the Extreme access boxes for L3 than Cisco's equivalent, and they
definitely kick Cisco's ass when it comes to L2 (MAC address table size and
number of VLANs
On Sun, 25 Jan 2004, Alexei Roudnev wrote:
1) Use Cisco 2924 or 3524
Didn't you mean 2950 and 3550?
--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
On Sun, 2004-01-25 at 14:44, Will Hargrave wrote:
I would check the Foundry Fastiron series - maybe the 4802. Everything
I've read appears to indicate they support all 4096 vlans
simultaneously, although you will of course want to verify this.
I don't think this is true. Those of you
Alexei Roudnev wrote:
1) Use Cisco 2924 or 3524
2) Redesign your network to fit into 1024 VLANs
3) Do not spend time with junk (non Cisco, for the switches).
A 1U switch has only 24 - 48 ports, so you never need to handle 2000 VLANs
on it. And I suspect that the whole design is wrong.
Do
access boxes for L3 than Cisco's equivalent, and they
definitely kick Cisco's ass when it comes to L2 (MAC address table size and
number of VLANs for instance).
The 'recommended max' number of SVIs for the 3550 is something low like 8.
There is no limit stated in the datasheet for the 3750
On Mon, 26 Jan 2004, Niels Bakker wrote:
* [EMAIL PROTECTED] (Jeff Kell) [Mon 26 Jan 2004, 00:35 CET]:
Using 3550-48s you can have L3 links between VTP domains.
The point of using VLANs is that you don't need to route. There's
probably a good reason for switching instead of routing
Will Hargrave wrote:
The 'recommended max' number of SVIs for the 3550 is something low like 8.
There is no limit stated in the datasheet for the 3750 - is anyone
running more than 8 SVIs on a 3750?
We're running 30 SVIs on a 3550-12 (only 10 active at the moment, we're
in a transition). It
On Sun, 25 Jan 2004, Bill Nash wrote:
On Sun, 25 Jan 2004, ken emery wrote:
The point of using VLANs is that you don't need to route. There's
probably a good reason for switching instead of routing in the original
poster's scenario. (Perhaps a FTTH-like project?)
Correct me
/ L3 switches/routers (and almost the same in switches).
- Original Message -
From: Mikael Abrahamsson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, January 25, 2004 12:40 PM
Subject: Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?
On Sun, 25 Jan 2004, Alexei
On Sun, 25 Jan 2004, Alexei Roudnev wrote:
:
:L3 switching is just a term for idiots - it is ROUTING in old terms. So,
:VLAN's means _routing_.
Um, no, VLAN does not imply routing. 802.1q and even Cisco's ugly
proprietary ISL both operate at layer two.
As to L3 switching and the spin involved
On Mon, 26 Jan 2004, Will Hargrave wrote:
I'd be very interested to hear what conditions you've found cause
problems for Cat3550s. We're planning to buy quite a few more of this range
(probably 3750-24) to reduce L2 size in our network and for CPE-type
uses.
Well, we're not really sure. We
On Mon, Jul 14, 2003 at 10:46:01AM -0500, Ejay Hire wrote:
Hi all. I've got a 7206 in a remote colocation facility that's running
dot1q back to the community switch. MRTG's cfgmaker only finds
the physical interface, not the VLAN sub-interfaces. The other devices
in the network use