Re: CGNAT
Hi Steve

We are looking at implementing a similar solution with A10 for CGNAT. We've been in touch with A10. Just wondering if there are some alternative vendors that anyone would recommend. We'd probably be looking at a solution to support 5k to 15k customers and bandwidth up to around 30-40 gig as a starting point. A solution that is as transparent to user experience as possible is a priority.

The numbers below are for a similar target of subscribers and peak bandwidth. We assumed a couple of numbers:

Current Peak Bandwidth = 40G
Remaining IPv4 traffic after migration = 20% (Seen references to 10% or 20% on this forum)
Future Bandwidth Growth = 2x (no data behind this assumption)
Future CGNAT’ed bandwidth = 15Gbps
Equipment & budget lifecycle = 7Yr

Getting that data led us to this price comparison:

Solution               Lifecycle/Term   Annual Cost/Sub   Product Lifecycle Cost/Sub
Lease IPv4 Cogent      7                $ 4.45            $ 31.13
A10 CGNAT 15Gb 7Yr     7                $ 1.21            $ 8.47
A10 CGNAT 40Gb 7Yr     7                $ 1.95            $ 13.68
Purchase @ $25 7Yr     7                $ 3.57            $ 25.00

The current plan is to implement an A10 CGNAT solution after upgrading our network for IPv6. In the interim we will have to lease IPv4 to tide us over.

I would be curious to see what others estimate the costs of various approaches. Feel free to ping me off-list for more specific numbers.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG on behalf of Steve Saner
Date: Friday, February 19, 2021 at 9:56 AM
To: "nanog@nanog.org"
Subject: CGNAT

We are starting to look at CGNAT solutions. The primary motivation at the moment is to extend current IPv4 resources, but IPv6 migration is also a factor.

We've been in touch with A10. Just wondering if there are some alternative vendors that anyone would recommend. We'd probably be looking at a solution to support 5k to 15k customers and bandwidth up to around 30-40 gig as a starting point. A solution that is as transparent to user experience as possible is a priority.
Thanks

--
Steve Saner
ideatek
HUMAN AT OUR VERY FIBER
Re: CGNAT
Can you share your cost comparison?

If I assume the IPv4 purchased addresses will be useful for the next 15+ years they do make a ton of sense. Estimating the amount of traffic 5+ years from now is not something I have high confidence in. Making predictions is hard, especially about the future.

What kind of IPv4/IPv6 traffic ratios should we expect 5-15 years from now? I assume there is no simple answer for this. An ISP with mostly enterprise customers would expect different assumptions from a mobile phone provider.

This may be one of those times where every answer is correct, just not for everyone. The whole "one size fits some" kind of solution.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

On 3/1/21, 2:38 PM, "NANOG on behalf of Jared Brown" wrote:

Kevin,

One of the presented options isn't like the others. As such the comparison isn't really fair, especially if you expect to run your business longer than 7 years.

If you buy more IPv4 space you will neither have to deal with CGNAT nor worry about traffic growth. Both of those benefits are easily worth the (short term) premium. In the long term, buying more IPv4 blocks now is likely to be cheaper than running CGNAT for the foreseeable future.

To echo Owen, in general, the economics today still work out to make purchasing addresses more favorable than CGNAT.

- Jared

Sent: Tue Feb 23 14:36:48 UTC 2021
From: Kevin Burke kburke at burlingtontelecom.com
To: nanog@nanog.org
Subject: Re: CGNAT

We are looking at implementing a similar solution with A10 for CGNAT. We've been in touch with A10. Just wondering if there are some alternative vendors that anyone would recommend. We'd probably be looking at a solution to support 5k to 15k customers and bandwidth up to around 30-40 gig as a starting point. A solution that is as transparent to user experience as possible is a priority.

The numbers below are for a similar target of subscribers and peak bandwidth. We assumed a couple of numbers:

Current Peak Bandwidth = 40G
Remaining IPv4 traffic after migration = 20% (Seen references to 10% or 20% on this forum)
Future Bandwidth Growth = 2x (no data behind this assumption)
Future CGNAT’ed bandwidth = 15Gbps
Equipment & budget lifecycle = 7Yr

Getting that data led us to this price comparison:

Solution               Lifecycle/Term   Annual Cost/Sub   Product Lifecycle Cost/Sub
Lease IPv4 Cogent      7                $ 4.45            $ 31.13
A10 CGNAT 15Gb 7Yr     7                $ 1.21            $ 8.47
A10 CGNAT 40Gb 7Yr     7                $ 1.95            $ 13.68
Purchase @ $25 7Yr     7                $ 3.57            $ 25.00

The current plan is to implement an A10 CGNAT solution after upgrading our network for IPv6. In the interim we will have to lease IPv4 to tide us over.

I would be curious to see what others estimate the costs of various approaches. Feel free to ping me off-list for more specific numbers.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT
Re: Integrated WIFI router and phone adapter
They have an Ethernet version and GPON version. The GPON version is the same price as their Ethernet version + low end GPON ONT.

We stayed away from the GPON version for WiFi reasons. Want the techs thinking about a good RF location. Don't want them thinking about easy/good fiber routing.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

On 5/18/20, 9:46 AM, "NANOG on behalf of Bryan Holloway" wrote:

+1

But yes -- GPON.

On 5/18/20 9:03 AM, Mark Tinka wrote:
>
>
> On 18/May/20 07:00, K MEKKAOUI wrote:
>>
>> Hi NANOG Community
>>
>> Anyone knows about a good integrated WIFI router and phone adapter
>> that can be used to provide home and business internet and phone
>> service. We tried couple of them but we’ve seen some instability and
>> reliability issues (i.e. wifi issues, phone issues, etc.). Also some
>> of them are designed to work better over DSL but not over DOCSIS.
>>
>
> Have you looked at Calix:
>
> https://www.calix.com/platforms/non-exos-premises-systems/gigafamily-overview/gigahubs.html
>
> You don't mention what last mile you're using. The Calix Giga units are
> for GPON.
>
> Mark.
Re: Layer 3 Switches
+1 to the software & support

Within the last year we have learned & deployed Juniper & Extreme. They are easily as good or better than the rest of the crowd. We use Ubiquiti stuff too. It's good on the edge, less so in the core. They don’t keep a product around long enough to work the bugs out.

I've liked the price of the Ubiquiti switches I've seen, but haven't gotten to play with them, and based on their EdgeRouter line, am not sure about their maturity either.

A switch's maturity is much more dependent on hardware while a router is much more dependent on software, so I suggest assessing a switch on their own merits, regardless of bad experiences with that vendor in the router realm.

Rubens

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT
RE: Securing Greenfield Service Provider Clients
Agreed DNS/IP reputation is still about the best. Then move on with everything else we should be doing.

Decrypting the content would bring us to the next problem. Malware is commonly encrypted to prevent AntiVirus from pattern matching or hash matching.

Decrypting the content always struck me as something that is better suited for spotting exfiltration. Searching for known clear text similar to “FBI Classified” or a watermark in documents sounded like an attainable goal from SSL decryption.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG On Behalf Of Jared Geiger
Sent: Friday, October 9, 2020 3:45 PM
To: nanog@nanog.org
Subject: Re: Securing Greenfield Service Provider Clients

DNS filtering might be an easier option to get most of the bad stuff with services like 9.9.9.9 and 1.1.1.2. Paid options like dnsfilter.com will give you better control. Cloudflare Gateway might also be an option.

On Fri, Oct 9, 2020 at 12:29 PM Christopher J. Wolff <cjwo...@nola.gov> wrote:

Dear Nanog;

Hope everyone is getting ready for a good weekend. I’m working on a greenfield service provider network and I’m running into a security challenge. I hope the great minds here can help.

Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an “NGFW” device without detection and classification.

Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any other software/hardware that can perform DPI and/or ssl analysis so I can prevent encrypted malicious content from being downloaded to my users?

Have experience with Palo and Firepower but even these need the MITM approach. I appreciate any advice anyone can provide.

Best,
CJ
RE: Amazon peering revisited
Have gotten into the habit of making annual peering requests to Amazon asking to turn up a session on a shared IXP peering. Once was able to get a peering session turned up, no traffic was ever shifted onto it before we moved out of that carrier hotel a year or so later. The amazon peering email box does have humans surfing it.

Over the years a number of network operators have mentioned getting little response from Amazon about peering requests.

For a company like Amazon they have little reason to do peering with small scale operators. They already peer with the tier 1’s and assume I will do what I need to balance my bits. The fancy algorithms they use to balance traffic around do allow them to operate a decent network with fewer staff and less links to the small ISPs.

Just a network operator here, trying to get my bytes across the wire.

Enjoy your weekend!

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG On Behalf Of Lincoln Dale
Sent: Thursday, February 3, 2022 12:20 PM
To: Kelly Littlepage
Cc: nanog@nanog.org
Subject: Re: Amazon peering revisited

On Thu, Jan 27, 2022 at 8:22 AM Kelly Littlepage via NANOG <nanog@nanog.org> wrote:

Hi all, a nanog thread started on November 23, 2018 discussed the challenges of getting Amazon peering sessions turned up. Has anyone had luck since/does anyone have a contact they could refer me to — off-list or otherwise? The process of getting PNI in place with other CSPs was straightforward, but I haven't heard back from AWS after a month and several follow-ups. Our customers would really benefit from us getting this sorted.

There are many folks here that are in AWS.
Assuming you have followed what is in https://aws.amazon.com/peering/ (and https://aws.amazon.com/peering/policy/) then send me details privately about what/when/who and I'll reach out internally to the relevant folks.
RE: Newbies Question: Do I really need to sacrifice Prefix-aggregation to do BGP Load-sharing? (the case of Multi-homed + Multi-routers + Multi-upstreams)
The inbound traffic will be determined by how the Tier 1’s decide to route, as you are observing they will pick either you or your other upstream. Traffic engineering as the Tier 3 carrier you have described has this kind of unexpected traffic routing.

As you have obviously already tried the common BGP traffic engineering tool of AS Padding, you're left with the next worst option.

Best of luck!

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG On Behalf Of Pirawat WATANAPONGSE via NANOG
Sent: Wednesday, October 19, 2022 2:28 AM
To: nanog@nanog.org
Subject: Newbies Question: Do I really need to sacrifice Prefix-aggregation to do BGP Load-sharing? (the case of Multi-homed + Multi-routers + Multi-upstreams)

Dear Guru(s),

My apologies if these questions have already been asked; in that case, please kindly point me to the answer(s).

I hope the following information sufficiently describes my current "context":
- Single customer: ourselves
- One big IPv4 block + one big IPv6 block
- Native Dual-Stack, Non-tunneling
- Non-transit (actually, a “multi-homed Stub”)
- “All-green” IRR & RPKI registered (based on IRRexplorer report)
- Fully-aggregated route announcement (based on CIDR report)
- Two (Cisco) gateway routers on our side
- Two upstreams (See the following lines), fully cross-connected to our gateways
  - One (pure) commercial ISP
  - One academic consortium ISP (who actually uses the above-mentioned commercial ISP as one of its upstreams as well)

My current “situation”:
- All inbounds “flock” in through the commercial ISP, overflowing the bandwidth; since (my guess) the academic ISP also uses that commercial ISP as its upstream, there is no way for its path to be shorter.

Questions:
1. Do I really have to “de-aggregate” the address blocks, so I can do the “manual BGP load-sharing”? I hate to do it because it will increase the global route-table entries, plus there will be IRR & RPKI “hijack gaps” to contend with at my end.
2. If the answer to the above question is definitely “yes”, please point me to the Best-Practice in doing the “manual BGP load-sharing (on Cisco)”. Right now, all I have is: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#anc52

Thanks in advance for all the pointers and help given (off mailing-list is also welcome).

Best Regards,
Pirawat.
RE: Newbies Question: Do I really need to sacrifice Prefix-aggregation to do BGP Load-sharing?
Reading between the lines this network’s current lack of diverse providers is consistent with a geographic/monopoly disadvantage.

I do agree that your transit provider is in bad form to pad your routes, but it does happen. A phone call or email to understand their limitations may be helpful. Trying to fit all of your traffic into an upstream’s own uplink that is far too small does not provide the best user experience. It could be a bug in the route-map. Speaking of bugs, trying to use communities can cause you to observe bugs in other networks’ route-maps (with great power comes great…).

Padding much past three usually has little effect. Splitting your advertisement into say four smaller announcements and starting to advertise them one at a time through your preferred provider is a good place to start. Traffic will prefer the more specific route. With luck that was done last night 😊

Once you have balanced this out somewhat, you have bought yourself time. Next fun thing is to understand how this works when one provider fails or similar. Traffic can prefer the oldest route, so a small bump down the road can cause unanticipated traffic changes the next nightly peak. Or to put it another way, this is how the sausage is made.

P.S. Both of us top posting is also bad form.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG On Behalf Of Douglas Fischer
Sent: Thursday, October 20, 2022 8:51 AM
To: Pirawat WATANAPONGSE
Cc: nanog@nanog.org
Subject: Re: Newbies Question: Do I really need to sacrifice Prefix-aggregation to do BGP Load-sharing?

If your Upstream(Transit provider) prepends your routes without you asking or authorizing it to do so, you should SERIOUSLY consider switching providers!

In the other email I talked about traffic engineering BGP communities. If those prepends were made from some community you were applying... OK, that's great! Even better if you could apply a community that did something like "apply 2 prepends for south america only".

But a Transit Provider changing the AS-PATH (in addition to the mandatory hop) arbitrarily without your consent is not for good people.

P.S. Your email replies are breaking threads in email readers. I suggest you review the email client tool.

On Thu, Oct 20, 2022 at 09:16, Pirawat WATANAPONGSE via NANOG <nanog@nanog.org> wrote:

Dear all,

Before all else: thank you all for the lightning-fast responses (even taking the time zone advantage into account). I really, really, really appreciate all your recommendations.

Virtually all of you recommend prepending as the first choice. I also get the feeling that you guys consider de-aggregation “distasteful” (at the least) but sometimes unavoidable.

I have considered the prepending myself, but dare not implement it yet for the fear that BGP (Human) Community will burn me alive, witch-hunt style, because of the following reasons:
1. I can see from looking glass(es) that my upstreams already practice prepending (some paths) at their level (at least 3 more hops [x4]), supposedly to “balance” their bandwidth.
2. Should I start prepending mine, I might upset their balance, causing them to prepend more, thus starting a “prepend war”. [I imagine that x20+ prepending starts out this way]

The way I see it, prepending (or maybe even the whole BGP-Path thing) is a local-optimization problem: it’s only best for someone, not globally. And the Higher-Tiers (Lower Tier-Numbers) will always “engineer” me in the end.

Worse yet, I might be out-voted by de-aggregation insider “cultists” anyway. Which forces me to proactively ask you guys questions about ROV-Overlapping and ROV “Hijack Gap” soon, in another posting with separate “Subject:”.

Again, Thank you.

Cheers,
Pirawat.

P.S. [Off-Topic] Any comment on the “SCION” System? Any good (I will even take "academically")? [Reference: https://scion-architecture.net/]

--
Douglas Fernando Fischer
Control and Automation Engineer
RE: Understanding impact of RPKI and ROA on existing advertisements
You may want to set this up yourself anyways. In the effort of making things work, your upstream ISP may have had to set up these records on your behalf. If not now, they may in the future. Having duplicate entries can cause unexpected results.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG On Behalf Of Samuel Jackson
Sent: Friday, October 28, 2022 11:00 AM
To: nanog@nanog.org
Subject: Understanding impact of RPKI and ROA on existing advertisements

Hello,

I am new to RPKI/ROA and still learning about RPKI. From all my reading on ARIN's documents I am not able to answer some of my questions.

We have a public ARIN block and advertise smaller subnets from that to our ISPs. We do not have any RPKI configs. We need to set up ROAs to take another subnet from the ARIN block to AWS. Reading ARIN's docs, it seems I need to get set up on their Hosted RPKI service after which I can configure ROAs for the networks I am taking to AWS.

My question is, will this impact my existing advertisements to my ISPs? The current advertisements do not have ROAs. Will having RPKI for my ARIN network, without ROAs for the existing advertisements impact me?

Thanks for your help.

Ref:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
https://www.arin.net/resources/manage/rpki/roa_request/
https://www.arin.net/resources/manage/rpki/hosted/
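
The question in this thread, and the RPKI concern raised about de-aggregation in the BGP load-sharing thread above, both turn on how route origin validation (RFC 6811) classifies an announcement. The following is an added example, not part of either thread, that implements that classification and runs it over three ROA sets. The prefixes (from the 198.18.0.0/15 benchmarking range), the ASNs (AS64500 as the operator, AS64501 standing in for the cloud provider) and the announcement list are constructed placeholders.

```python
"""Route origin validation (RFC 6811) over a constructed ROA set."""
import ipaddress
from dataclasses import dataclass

# Constructed sample values: 198.18.0.0/15 is the benchmarking range and the
# ASNs come from the documentation range. AS64500 plays the operator and
# AS64501 stands in for the cloud provider; neither is a real network.
OPERATOR_AS = 64500
CLOUD_AS = 64501


@dataclass(frozen=True)
class ROA:
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the origin may announce
    asn: int            # authorized origin AS


def roa(prefix, asn, max_length=None):
    """Build a ROA; maxLength defaults to the prefix length itself."""
    net = ipaddress.ip_network(prefix)
    length = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= length <= net.max_prefixlen:
        raise ValueError(f"maxLength {length} out of range for {net}")
    return ROA(net, length, asn)


def validate(route, origin_asn, roas):
    """Return the RFC 6811 state of one announcement."""
    net = ipaddress.ip_network(route)
    # A ROA "covers" a route when the route is equal to or inside its prefix.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"           # no ROA says anything about this space
    for r in covering:
        # AS0 in a ROA never matches a route; otherwise the origin must match
        # and the route must not be longer than maxLength.
        if r.asn != 0 and r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"                # covered, but by no matching ROA


def impact(announcements, roas):
    """Map each (prefix, origin) announcement to its validation state."""
    return {f"{p} AS{a}": validate(p, a, roas) for p, a in announcements}


# Constructed announcements: two existing more-specifics sent to the ISPs and
# one new subnet originated by the cloud provider.
ANNOUNCEMENTS = [
    ("198.18.0.0/18", OPERATOR_AS),
    ("198.18.64.0/18", OPERATOR_AS),
    ("198.18.128.0/24", CLOUD_AS),
]

# Case 1: a ROA only for the subnet handed to the cloud provider. The other
# announcements are not covered by any ROA and stay NotFound.
CLOUD_ONLY = [roa("198.18.128.0/24", CLOUD_AS)]

# Case 2: a ROA for the whole block is added with maxLength equal to the
# block length. It covers the existing /18s but does not authorize them.
AGGREGATE_TOO = CLOUD_ONLY + [roa("198.18.0.0/16", OPERATOR_AS)]

# Case 3: one ROA per prefix actually announced, with no wider maxLength, so
# nothing that is not announced becomes valid.
COVERED = CLOUD_ONLY + [
    roa("198.18.0.0/18", OPERATOR_AS),
    roa("198.18.64.0/18", OPERATOR_AS),
]

if __name__ == "__main__":
    for name, roas in (("cloud ROA only", CLOUD_ONLY),
                       ("plus aggregate ROA", AGGREGATE_TOO),
                       ("one ROA per announcement", COVERED)):
        print(name)
        for route, state in impact(ANNOUNCEMENTS, roas).items():
            print(f"  {route:<26} {state}")
```

Networks that drop Invalid routes treat NotFound like any unsigned route, so it is the second case, where a covering ROA exists but does not match, that changes how existing announcements are handled.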
RE: Poor mans TAP
Netscout has some EoL ones that are on the cheap these days. These are cheap enough to forget at a customer’s site.

https://www.ebay.com/sch/i.html?&_nkw=Netscout+280-0160
Netscout 280-0160

And yes a SPAN port on a switch is where I start sniffing.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG On Behalf Of Dovid Bender
Sent: Monday, October 07, 2019 10:17 AM
To: NANOG
Subject: Poor mans TAP

Hi,

Funds at my 9-5 are limited. Has anyone tried this and how well does it work? We plan on mirroring about 800 megs of traffic at peak.

https://www.amazon.com/Dualcomm-1000Base-T-Ethernet-Regeneration-Network/dp/B0055M5JL8?ref_=ast_bbp_dp

TIA.

Dovid
RE: FCC proposes $10 Million fine for spoofed robocalls
There are laws against many of these SPAM calls today. I suppose the agencies that are responsible for prosecuting these could answer some of their SPAM calls to see who was calling.

Same thing with SPAM faxes, we didn't get a technical fix, just used the law against anyone who tried. Fax SPAM isn't fixed but it's not being abused.

Technical fixes might will no doubt be part of the problem. But enforcement will also address this.

But yes I see everyone's lack of apathy for this problem as only accelerating the death of the PSTN.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

-Original Message-
From: NANOG On Behalf Of Troy Martin
Sent: Thursday, December 19, 2019 1:54 PM
To: Keith Medcalf ; nanog@nanog.org
Subject: RE: FCC proposes $10 Million fine for spoofed robocalls

On top of that, there's also the issue of many telcos deciding that, no, you can't just shove whatever you want on the wire, it needs to be a DID and name registered on your trunk... unless you pay us an extra fee per month and say you'll be good, then you can spoof to your heart's content.

As far as actual enforcement of all this goes, this morning spam and robocall blocking legislation came into force in Canada. Coincidentally, this morning so far I've received six robocalls from the same "your social insurance number has been hacked and you are breaking the law by not paying us to fix it" scam, two of which were before the sun came up. Prior to today I usually got one a day on average.

At least one of the big three carriers has said they're going to be rolling out network-side call blocking "in the coming weeks" but I'm expecting my cell to continue to be a source of annoyance for the foreseeable future.

--
Troy Martin | tmar...@charter.ca

> -Original Message-
> From: NANOG On Behalf Of Keith Medcalf
> Sent: December 19, 2019 9:43 AM
> To: Brandon Martin ; nanog@nanog.org
> Subject: RE: FCC proposes $10 Million fine for spoofed robocalls
>
>
> "CallerID" is a misnomer. It is actually the "Advertized ID".
> However, the telcos realized you would not pay to receive advertizing
> so they renamed it to something they thought you would pay for.
>
> Pretty canny business model eh? And apparently y'all fell for it,
> thinking it was related to the Identification of the Caller, rather
> than being what the caller wished to advertize.
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven
> says a lot about anticipated traffic volume.
Brocade SLX Internet Edge
Does anyone have any success with the Brocade SLX 9540 or similar?

It's going to be taking full BGP tables from two Tier1's and some peering. The specs and sales rep say it's fine, but the price makes me think it's too good to be true.

We are trying to shepherd an old Cat 6509 out of our core.

Kevin Burke
802-540-0979
Burlington Telecom - City of Burlington
200 Church St, Burlington, VT 05401
RE: Brocade SLX Internet Edge
Thanks for everyone who responded on and off list.

As a small company that is happy to still be in business the pricing is too good to ignore. A "gently used" ASR-9006 is something like $45k for one plus a shelf spare. A brand new SLX 9540 is something like $30k for one plus a shelf spare.

There were some common things. Software is behind where we would like. The occasional bug like that SSH one. Also there are some relatively common features like IPv6 outbound ACL and BGP MED that aren't there. This stuff isn't a showstopper but I will take this as a sign of things to come.

As for the notes about full tables. Different vendors seem to have used different techniques to get past the hard FIB limit that we are all used to. I had the same question when pawing through the spec sheets. So I asked the sales rep:

"We can support 1.5M routes. These platforms support all of the requirements detailed above for Internet routing. In particular, they support a table size of 1.5 million IP routes today, ensuring headroom for the next 5-7 years. This scale is made possible through our new technology called Extreme OptiScale(tm) for Internet Routing that optimizes programmable hardware and software capabilities to accelerate innovation and deliver investment protection. https://www.extremenetworks.com/extreme-networks-blog/internet-routing-in-the-enterprise/"

Kevin Burke
802-540-0979
Burlington Telecom - City of Burlington
200 Church St, Burlington, VT 05401

-Original Message-
From: NANOG On Behalf Of Kevin Burke
Sent: Wednesday, October 31, 2018 4:02 PM
To: nanog@nanog.org
Subject: Brocade SLX Internet Edge

Does anyone have any success with the Brocade SLX 9540 or similar?

It's going to be taking full BGP tables from two Tier1's and some peering. The specs and sales rep say it's fine, but the price makes me think it's too good to be true.

We are trying to shepherd an old Cat 6509 out of our core.

Kevin Burke
802-540-0979
Burlington Telecom - City of Burlington
200 Church St, Burlington, VT 05401
RE: Broadcast television in an IP world
> Does multicast have any future?

Nope.

We have a couple of gigs of multicast traffic on our network. It's pretty easy. You can't pay me enough to troubleshoot multicast between different ISPs. Multicast networks look different from the Internet. One would have to change.

On top of that any packet loss is a show stopper. It has no facility for retransmission. Multicast is good because it's not much load on the routers. Even thinking about pushing it over WiFi makes me jump right to a server with a TCP stack or similar.

So those NetFlix servers seem about as good a long term strategy as any. Save the loud fans. Video is just another application.
RE: FTTH ONTs and routers
I have used a lot of Calix gear. It works good until they decide to EoL your platform. They grow through acquisition, then see which products they want to keep.

Adtran seems to have the same features and the same pricepoint. The Calix E7 is a relatively new product...plenty of bugs compared to the much more mature TA5000.

Oh and if you don't show these the other guys' prices they will dine out on your tab. Funny how much lower people can go when they realize you are bidding something out.

Kevin

-Original Message-
From: NANOG [mailto:nanog-bounces+kburke=burlingtontelecom@nanog.org] On Behalf Of Frank Bulk
Sent: Saturday, May 17, 2014 11:18 AM
To: 'Pete@TCC'; Jean-Francois Mezei; nanog@nanog.org
Subject: RE: FTTH ONTs and routers

FYI, Calix has GPON support for the 836GE ONT on the E7 today, and it will be supported in GPON mode in Release 9.0 on the C7.

Frank

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Pete@TCC
Sent: Friday, May 16, 2014 11:15 AM
To: Jean-Francois Mezei; nanog@nanog.org
Subject: Re: FTTH ONTs and routers

There are many ONTs out there with various abilities. I can only comment on what I deploy, and what various telcos deploy that I am familiar with.

A few years ago, all of our AE and GPON ONTs were deployed as bridges. Port 1 was generally an Internet VLAN, and port 2,3,4 were IPTV VLANs.

We have been using Occam (now Calix), but are considering other options at this point. Currently we bridge all services on GPON deployments, but rent routers for the Internet service if customers do not wish to provide their own. The 700-series ONTs are able to bounce between GPON and AE deployments with a firmware change, so they are very flexible. Calix has apparently released RG code (Residential Gateway, basic home router functionality) for the 700s, but we don't use that code.

We also deploy 836 ONTs, which had RG code built-in on release, and also WiFi. The 836s currently only do AE, but were originally supposed to do GPON/AE similar to the 700-series.

Today, the standard AE deployment is an 836 with RG code enabled for WiFi and Port 1. WAN is DHCP, authorized with Option 82/RADIUS for bandwidth profiles. LAN does NAT, and hands out a 192.168.88.0/24 subnet to break as few consumer routers as possible. We have no problem enabling bridging for Port 1 if the customer requests it. We bridge Port 2,3,4 for IPTV because the RG functionality breaks certain features, namely call display on the TVs. The 836s can do Static, PPPoE, or DHCP on the WAN side. We use MGCP for voice.

--
Pete Baldwin

On 14-05-15 01:11 PM, Jean-Francois Mezei wrote:
> It had been my impression that ONTs, like most other consumer modems,
> came with built-in router capabilities (along with ATA for voice).
>
> The assertion that ONTs have built-in routing capabilities has been
> challenged.
>
> Can anyone confirm whether ONTs generally have routing (aka: home
> router that does the PPPoE or DHCP and then NAT for home) capabilities?
>
> Are there examples where a telco has deployed ONTs with the router
> built-in and enabled ? Or would almost all FTTH deployments be made
> with any routing disabled and the ONT acting as a pure ethernet bridge ?
>
>
> (I appreciate your help on this as I am time constrained to do research).
>
Rack Locks
What kind of experience do people have with rack access control systems (electronic locks)? Anything I should pay attention to with the products?

Hope this question hasn't already been answered. Not too picky about what/who. The APC solution seems to start getting pricy with multiple racks. I see arduino has an RFID reader but haven't found the door opener. The racks in question are standard APC (SX?) racks.

Background

We have half a dozen racks, mostly ours. Mostly I want something to log who opened what door when. Cooling overhaul is next on the list but one at a time. Even with cameras those janky make nobody happy.

If someone knows a better place to ask this that would be nice too. Thanks for your time!

Kevin Burke
802-540-0979
Burlington Telecom - City of Burlington
200 Church St, Burlington, VT 05401
RE: CALEA Requirements
Ignore it until you get the paperwork.

The local law enforcement can not get a warrant for the real time, full data capture. Only FBI or other national agencies can get those subpoenas.

We went through this with our local police department. They wanted to make sure we were prepared and wanted a test for the real time number capture on phone calls. They didn't mention they don't have any equipment on their side to connect the T1.

Ask your local neighbors. Some areas have a number of local federal investigations. If you get the deer in the headlights look from your competition then you may never get one of these. The full data captures are rare.

Kevin Burke
802-540-0979
Burlington Telecom - City of Burlington
200 Church St, Burlington, VT 05401

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Lorell Hathcock
Sent: Monday, March 14, 2016 4:47 PM
To: 'NANOG list'
Subject: CALEA Requirements

NANOG:

Can someone point me to the current CALEA requirements?

As an ISP, should I be recording all internet traffic that passes my routers? Or do I only have to record when and if I receive a court order?

I'm not under any court order now, I just want to be sure that I am compliant going forward in my capabilities.

Thanks!

Lorell Hathcock
RE: TACACS+ server recommendations?
Is anyone using two factor authentication for network devices?

Getting ready to re-do our authentication infrastructure and was curious if this is common. We are noticing a lot of Active Directory based two factor solutions as well as some TACACS solutions that have already been mentioned that can use AD as the backend.

Also curious if others have tried this and noticed any obvious downsides.

Thanks!

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT