Not a suggestion, just trying to learn something here. Is there an
advantage to use a route reflector in the described setup, which appears to
involve only a small number of routers? I would think that full mesh would
solve the problem and at the same time be easier since you do not have to
On 2/Sep/15 09:30, Baldur Norddahl wrote:
> Not a suggestion, just trying to learn something here. Is there an
> advantage to use a route reflector in the described setup, which appears to
> involve only a small number of routers? I would think that full mesh would
> solve the problem and at
On 1/Sep/15 17:43, Roland Dobbins wrote:
> Until there is.
As with everything in life...
Mark.
On 1/Sep/15 17:59, Rod Beck wrote:
> Roland is correct. With the caveat that your Internet customer traffic may
> flow over the fibers as your separate management circuits. You should aim for
> end to end physical diversity. This is all common sense, but laziness some
> times takes
On 1/Sep/15 19:12, Roland Dobbins wrote:
>
>
>
> Running flow telemetry in-band is penny-wise and pound-foolish, for
> networks of any size, in any circumstances. All management-plane
> traffic (and that's what flow telemetry is) should be segregated from
> the production network data plane.
> "Roland" == Roland Dobbins writes:
Roland> On 2 Sep 2015, at 0:08, Steve Meuse wrote:
>> Your advice is not "one size fits all".
Roland> Actually, it is.
Roland> Large backbone networks have DCNs/OOBs, and that's where they export
Roland> their
We use the VRF approach not because we think this will give us more
stability ie. no fate sharing, but because it is best practice in a
security perspective. We keep our internal network separated from customer
traffic for the same reason our customers run firewalls.
Minimize the attack surface.
Adding VRFs/VLAN's/anything else to separate the traffic to reduce fate
sharing is only adding complexity that will likely result in operator
errors. While many of us have clue, even when we don't agree on the
solutions, there are many more out there typing at routers at 2am, when
even the
On 2/Sep/15 12:11, Roland Dobbins wrote:
>
>
> Sure. But it's better than mixing it in with customer traffic.
Does not make much of a difference - it's the same data plane
infrastructure.
>
> Ideally, it should be - that's what I was trying to get across. I
> understand that this isn't
On 2 Sep 2015, at 22:22, Mark Tinka wrote:
As you, Jared, say, and as I said in a previous post, both MPLS and IP
traffic follows the same data plane. The routing table separation
construct does not survive chassis-wide failures.
Everyone here understands that. We also understand that pps
Hi,
I need a network contact for network issue in Italy.
Can you help me ?
Thanks !
Regards,
--
Marco Paesani
MPAE Srl
Skype: mpaesani
Mobile: +39 348 6019349
Success depends on the right choice !
Email: ma...@paesani.it
On 2 Sep 2015, at 23:29, Serge Vautour wrote:
> I assume if someone has the ability to do so, you've got bigger problems.
This is the key, IMHO.
---
Roland Dobbins
On 2 Sep 2015, at 22:26, Mark Tinka wrote:
When the line card congests, it doesn't care that one bit was part of
a VRF and the other doesn't. It all goes kaboom (even with the best of
QoS intentions).
You don't necessarily have to put everything on the same fiber,
interface, the same ASIC
On 2/Sep/15 16:08, Jared Mauch wrote:
> It’s really because some people who drink the MPLS/VPN/VRF/VLAN kook-aid
> think it’s some magic that undoes fate sharing and proper engineering and
> planning. That a few bytes for a label of VLAN tag make your data more
> secure.
>
> It’s possible
On 2/Sep/15 16:13, Roland Dobbins wrote:
>
>
> But keeping stuff separate at the IP logical network level is better
> than mixing it together, even on the same hardware.
But how, Roland.
When the line card congests, it doesn't care that one bit was part of a
VRF and the other doesn't. It all
On 2 Sep 2015, at 23:20, jim deleskie wrote:
The stats prove out these types of errors are more likely to cause an
outage then DDoS or anything else.
Completely concur that there are always complexity tradeoffs.
And of course, the goal is not to have to type on routers at all, or at
least
Hello again,
Well, this generated a bit more discussion than I was expecting. I've retained
the following from all your comments:
-Doing flow export over an OOB network can help make sure you still "see" your
network during a DDoS
-If we do this over an OOB network, it may not work over the
Can someone from Level 3 (former TW Telecom) please contact me off-list
regarding a possible routing issue with some 172.0.0.0/8 IP space (non RFC
1918)?
Thank you,S.Amato
saam...@frontiernet.net
Colleagues,
Please note the approaching deadline of 13 September 2015 for RIPE 71
plenary programme submissions.
You can find the CFP for RIPE 71 below, or at
https://ripe71.ripe.net/submit-topic/cfp/, for your proposals for
plenary session presentations, tutorials, workshops, BoFs (Birds of a
On 2 Sep 2015, at 20:25, Niels Bakker wrote:
Why? Do your customer packets have cooties?
Because you don't want things which disrupt customer traffic to disrupt
your ability to see what's happening. Just as you don't want it to
disrupt your ability to configure/manage your
> On Sep 2, 2015, at 10:02 AM, Roland Dobbins wrote:
>
> On 2 Sep 2015, at 20:25, Niels Bakker wrote:
>
>> Why? Do your customer packets have cooties?
>
> Because you don't want things which disrupt customer traffic to disrupt your
> ability to see what's happening.
On 2 Sep 2015, at 13:25, Pierfrancesco Caci wrote:
2 out of 2 large backbone networks I've experience with use inband for
flow export.
There was supposed to be a 'should' in there, apologies.
I've already clarified that VLAN/VRF is Good Enough for flow telemetry,
and that most who separate
On 2 Sep 2015, at 13:02, Mark Tinka wrote:
Not very straight forward when you have a network spanning several
continents.
Again, VLANs/VRFs are generally Good Enough, and more than a few
globe-spanning networks do just that.
---
Roland Dobbins
On 2 Sep 2015, at 12:50, Avi Freedman wrote:
+ optimal tweaks include local flow proxy that can also rate
limit / re-sample, and send topk talkers over 'true' OOB.
Yes, a lot of distributed flow collection/analysis architectures are
deployed this way, doing more than top-talkers, even. The
On 2/Sep/15 11:38, Roland Dobbins wrote:
>
>
> Again, VLANs/VRFs are generally Good Enough, and more than a few
> globe-spanning networks do just that.
Those VLAN's and VRF's are following the same path as the global table,
just in a different routing table. That is easy, and we do that
On 2 Sep 2015, at 16:48, Mark Tinka wrote:
Those VLAN's and VRF's are following the same path as the global
table, just in a different routing table. That is easy, and we do that
already.
Sure. But it's better than mixing it in with customer traffic.
Your assertion, before, was that the
* rdobb...@arbor.net (Roland Dobbins) [Wed 02 Sep 2015, 12:12 CEST]:
On 2 Sep 2015, at 16:48, Mark Tinka wrote:
Those VLAN's and VRF's are following the same path as the global
table, just in a different routing table. That is easy, and we do
that already.
Sure. But it's better than mixing
On 2 Sep 2015, at 21:08, Jared Mauch wrote:
I see where Roland is trying to go and he’s in the “magic byte”
realm of the extra label makes it “OOB” where as the rest of us
just see 1’s and 0’s on the wire and know a bit is a bit
regardless of tag-switching (the original name for MPLS) or
* rdobb...@arbor.net (Roland Dobbins) [Wed 02 Sep 2015, 01:06 CEST]:
Sure, or a VRF, or whatever.
You just moved the goalposts.
:>
-- Niels.
29 matches
Mail list logo