Re: Force10 Gear - Opinions
Subject: Force10 Gear - Opinions

> Does anyone here have real-world experience with Force 10 gear (Specifically their E-Series and C-Series)? They came and did their whole dog and pony show today, but I wanted to get real-world feedback on their gear.

I was at a customer site doing a NAC deployment study recently (<6 months ago) and there was some Force10 edge gear in place. We had to drop the Force10 gear out of the picture because it didn't support any of the rich features that we needed to get NAC up and running. The customer was perfectly happy with the ability of the stuff to pass packets and act as a not-very-smart edge switch, and hadn't evaluated the feature set for anything beyond that.

My conclusion was that if you want to use it at the edge to pass a lot of packets at 'enterprise' line rates and don't care about anything else (we were looking at good 802.1X support with ACLs and all of the other miscellaneous bits that make NAC work, YMMV) then it seems to be fine per this customer's experience. If you want something with a stronger feature set for future expansion, there seem to be other companies that have more experience.

In David Newman's test of 10G edge switches (http://www.networkworld.com/reviews/2008/032408-switch-test.html) Force10 elected not to participate, which is often telling.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
[EMAIL PROTECTED]
http://www.opus1.com/jms
RE: I don't need no stinking firewall!
On Thu Jan 07, 2010 at 01:04:01PM -0800, Jay Hennigan wrote:

> Or better:
> - Allow from anywhere port 80 to server port > 1023 established
>
> Adding "established" brings us back to stateful firewall!
>
> Not really. It only looks to see if the ACK or RST bits are set. This is different from a stateful firewall which memorizes each outbound packet and checks the return for a match source/destination/sequence.

Actually, most firewalls don't check TCP sequence numbers. You are totally correct in that stateless packet filters with "established" are only looking for TCP bits, but the main difference that stateful firewalls add is watching the TCP state machine. Sequence number watching is a bonus, something you can enable on some firewalls, but most of the common ones don't do it by default.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
j...@opus1.com
http://www.opus1.com/jms
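The distinction drawn in the message above, as an added example that is not part of the original post: a stateless "established" rule that only tests the ACK/RST bits, next to a filter that follows the TCP state machine without checking sequence numbers. The addresses, ports, state names and the `StatefulFilter` class are constructed for illustration and do not model any particular product.

```python
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10
SERVER, PEER = "192.0.2.10", "198.51.100.5"   # constructed documentation addresses
Seg = namedtuple("Seg", "src sport dst dport flags")

def acl_established(seg):
    """Stateless rule from the thread: port 80 -> server port > 1023, ACK or RST set."""
    return seg.sport == 80 and seg.dport > 1023 and bool(seg.flags & (ACK | RST))

class StatefulFilter:
    """Follows the TCP handshake per connection; no sequence-number checks."""
    def __init__(self):
        self.state = {}                        # (server port, peer, peer port) -> state

    def permit(self, seg):
        outbound = seg.src == SERVER
        key = (seg.sport, seg.dst, seg.dport) if outbound else (seg.dport, seg.src, seg.sport)
        st = self.state.get(key)
        if st is None:                         # only an outbound SYN may create state
            if outbound and seg.flags == SYN:
                self.state[key] = "SYN_SENT"
                return True
            return False
        if seg.flags & RST:                    # reset on a known connection tears it down
            del self.state[key]
            return True
        if st == "SYN_SENT":                   # next expected: SYN+ACK from the peer
            if not outbound and seg.flags == SYN | ACK:
                self.state[key] = "SYNACK_SEEN"
                return True
            return outbound and seg.flags == SYN   # otherwise SYN retransmit only
        if st == "SYNACK_SEEN" and outbound and seg.flags & ACK:
            self.state[key] = "ESTABLISHED"
        return bool(seg.flags & ACK)

def compare(segments):
    """Return (acl_verdict, stateful_verdict) for each inbound segment."""
    fw = StatefulFilter()
    verdicts = [(seg, fw.permit(seg)) for seg in segments]
    return [(acl_established(s), ok) for s, ok in verdicts if s.dst == SERVER]

SAMPLE = [  # constructed traffic, in arrival order
    Seg(PEER, 80, SERVER, 40000, ACK),         # bare ACK, no connection behind it
    Seg(SERVER, 40001, PEER, 80, SYN),         # server opens a connection
    Seg(PEER, 80, SERVER, 40001, SYN | ACK),
    Seg(SERVER, 40001, PEER, 80, ACK),
    Seg(PEER, 80, SERVER, 40001, ACK),         # reply data on the open connection
    Seg(PEER, 80, SERVER, 40002, SYN),         # inbound connection attempt
]
```

`compare(SAMPLE)` shows the two filters agreeing on everything except the first segment: the ACK bit alone satisfies the stateless rule, while the state-tracking filter has no matching connection and drops it.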
Re: In wall switches
I love the 3COM NJ220s, but beware of buying them used: there is no way (at least none that I have found) to reset the password if you don't know it. Thus, if you buy them used and the password has been changed from the default, you're outta luck.

I'd be pleased to hear from anyone on this list that I'm wrong, by the way...

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
j...@opus1.com
http://www.opus1.com/jms
Re: Spamhaus ...
Sharef Mustafa wrote:

> What is the title of the white paper you mentioned?
> Is it available for free? If not how can I get it?

Sorry, I should have put the link to the Best Practices in Reputation Services white paper in. I meant to, but I got distracted writing the disclaimer and forgot to paste the URL.

http://www.opus1.com/www/whitepapers/reputationserviceswp.pdf

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
j...@opus1.com
http://www.opus1.com/jms
Re: Locations with no good Internet
Patrick Giagnocavo wrote:

> Isn't this really an issue (political) with tariffed T1 prices rather
> than a technical problem?

> I was told that most T1s are provisioned over a DSLAM these days
> anyways, and that the key difference between T1 and DSL was the SLA
> (99.99% guarantee vs. "when we get it fixed").

I don't know about anything other than Qwest-land in Arizona, but we are seeing the few T1s that are still in service provisioned as you described: a 2-wire DSL connection, although not out of a local DSLAM. I think it depends on your definition of the box that's being used for connections as a DSLAM. It's certainly not the same traffic engineering as DSL, because DSL circuits are muxed at the DSLAM (at least in Qwest-land) and may or may not be subject to congestion when leaving the neighborhood remote terminal DSLAM. We for sure NEVER see any congestion on the T1s that are being provisioned using DSL technology. Now, whether that's the same chassis with engineering over an uplink, or two separate chassis in the same road-side wart for the two different services, that's a deployment issue.

In other words, I think you're right about the technology involved (DSL-ish 2 wire circuits) being used to deliver, but there's more to it than repair time SLA when it comes to selling the same 2 wires as DSL for $39.95 and T1 for $399.95. (again, at least out here in the Wild West)

That being said, I think your fundamental point is likely correct, something well known to everyone in this business: the cost to a Telco to provide T1 service is not 10x the cost to provide DSL service at similar speeds, and when there is that much additional marginal revenue being generated, they are going to fight with politics, tariffs, and any other tool at their disposal to keep the additional revenue coming in as long as possible.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
j...@opus1.com
http://www.opus1.com/jms