Failover how much complexity will it add?
Hi,

I was recently brought onto a project where some failover is desired, but I think that the number of connections provisioned is excessive. Also hoping to get some guidance with regards to how well I can get the failover to actually work.

So currently 4 x 100Mb/s Internet connections have been provisioned. One is to be used for general Internet, out of the organisation; it also terminates VPNs from remote sites belonging to the organisation and some publicly accessible servers (routed DMZ and translated IPs). Second Internet connection to be used for a separate system which has a site-to-site VPN to a third party support vendor. Internet connections 3 and 4 are currently thought of as providing backups for one and two. Both connections firewalled by a Juniper SSG of some description.

Now I couldn't get any good answers as to why Internet connections 1 and 2 need to be separate. I think the idea was to make sure that there was enough bandwidth for the third party support VPN. I feel that I can consolidate this into one connection and just use rate limiting to reserve some portion of the bandwidth on the connection and this should be fine. Now if I was to do this then I can make a case for just having one backup Internet connection. However I'm still concerned about failover and reliability issues. So my questions regarding this are:

- Should I make sure that the backup Internet connection is from a separate provider?
- How can I achieve a failover which doesn't require me to change all the remote VPN endpoints in case of a failover? It's possible to configure failover VPNs on the Junipers, which should take care of this, but how do I take care of the DMZ hosts and external translation?
- In fact I think I'm asking what are my options with regard to failover between one Internet connection and the other?

I'm hoping to figure out whether adding an extra Internet connection actually gives us that much, in fact whether it justifies the complexity and spend.

Many thanks for your comments.

Adel
Re: Failover how much complexity will it add?
Thanks for all your comments guys.

With regards to BGP I did think about placing two BGP routers in front of the SSGs. However my limited understanding makes me think that if I had two BGP connections from different providers I would still have issues. So I guess that if my primary Internet goes down I lose connectivity to all the publicly addressed devices on that connection, like DMZ hosts and so on. I would be interested to hear how this can be avoided, if at all, or do I have to use the same provider.

I should add that we currently have provisioned two SSGs in HA mode. Also, is terminating BGP on the SSG also an option? I really like the flexibility of route based VPN with addressable tun interfaces.

Thanks

Adel

On Sun 3:47 PM, "Joe Maimon" jmai...@ttec.com sent:

> adel@baklawasecrets.com wrote:
> > HI,
> >
> > Now I couldn't get any good answers as to why Internet connections 1 and 2
> > need to be separate. I think the idea was to make sure that there was
> > enough bandwidth for the third party support VPN. I feel that I can
> > consolidate this into one connection and just use rate limiting to reserve
> > some portion of the bandwidth on the connection and this should be fine.
> > Now if I was to do this then I can make a case for just having one backup
> > Internet connection. However I'm still concerned about failover and
> > reliability issues. So my questions regarding this are:
>
> I wouldn't jump to any conclusions that everything will work properly if
> you are terminating multiple connections directly on the SSG, what with
> egress likely being different than the ingress, even if you are using
> the same IP range (BGP) on all the links.
>
> You could really be asking for trouble if you are planning on using a
> different ISP provided IP range on each connection for each purpose.
>
> Front it all with routers that can policy route, whether or not you also
> use BGP.
>
> Joe
Re: Failover how much complexity will it add?
Thanks Seth and James,

Things are getting a lot clearer. The BGP multihoming solution sounds like exactly what I want. I have more questions :-)

Now I suppose I would get my allocation from RIPE as I am UK based?

Do I also need to apply for an AS number?

As the IP block is "mine", it is ISP independent, i.e. I can take it with me when I decide to use two completely different ISPs?

Is the obtaining of this IP block what is referred to as PI space?

Of course internally I split the /24 up however I want - /28 for untrust range and maybe a routed DMZ block etc.?

Assuming I apply for IP block and AS number, what's involved and how long does it take to get these babies?

I know the SSG550s have BGP capabilities. As I have two of these in HA mode, does it make sense to do the BGP on these, or should I get dedicated BGP routers?

Fixing the internal routing policy so traffic is directed at the active BGP connection. What's involved here, preferring one BGP link over the other?

Thanks again, I obviously need to do some reading of my own, but all the suggestions so far have been very valuable and definitely seem to be pointing in some fruitful directions.

Adel

On Sun 6:31 PM, "James Hess" mysi...@gmail.com sent:

> On Sun, Nov 8, 2009 at 11:34 AM, baklawasecrets.com> wrote:
> [..]
> > connections from different providers I would still have issues. So
> > I guess that if my primary Internet goes down I lose connectivity
> > to all the publicly addressed devices on that connection. Like
> > dmz hosts and so on. I would be interested to hear how this
> > can be avoided if at all or do I have to use the same provider.
>
> You assign multi-homed IP address space to your publicly addressed
> devices, which are not specific to either ISP. You announce to both ISPs, and
> you accept some routes from both ISPs.
>
> You get multi-homed IPs, either by having an existing ARIN allocation,
> or getting a /22 from ARIN (special allocation available for
> multi-homing), or ask for a /24 from ISP A or ISP B for
> multihoming.
>
> If Link A fails, the BGP session eventually times out and dies: ISP
> A's BGP routers withdraw the routes, the IP addresses are then
> associated only with provider B.
>
> And you design your internal routing policy to direct traffic
> within your network to the router with an active BGP session.
>
> Link A's failure is _not_ a total non-event, but a 3-5 minute partial
> disruption, while the BGP session times out and updates occur in other
> people's routers, is minimal compared to a 3 day outage, if serious
> repairs to upstream fiber are required.
>
> --
> -J
Re: Failover how much complexity will it add?
Hi,

Thanks for the info on UKNOF. I've started a thread there with regards to RIPE and obtaining ASN numbers and so on, as this is I guess quite UK specific.

Adel

On Sun 8:40 PM, Arnold Nipper wrote:

> Hi Adel,
>
> On 08.11.2009 21:24 Ken Gilmour wrote
>
> > There are companies like packet exchange (www.packetexchange.net)
>
> I could also comment on PacketExchange, but I do not. If you get more UK
> specific now you may perhaps want to post to UKNOF
> (http://lists.uknof.org.uk/cgi-bin/mailman/listinfo/uknof/) as well.
>
> For _independent_ consultancy you may want to have a look at Netsumo
> (http://www.netsumo.com/) Ask for Andy Davidson.
>
> Best regards,
> Arnold
> --
> Arnold Nipper / nIPper consulting, Sandhausen, Germany
> email: arn...@nipper.de phone: +49 6224 9259 299
> mobile: +49 172 2650958 fax: +49 6224 9259 333
Re: Failover how much complexity will it add?
Don't think I sent the below to the list, so resending:

Thanks Seth and James,

Things are getting a lot clearer. The BGP multihoming solution sounds like exactly what I want. I have more questions :-)

Now I suppose I would get my allocation from RIPE as I am UK based?

Do I also need to apply for an AS number?

As the IP block is "mine", it is ISP independent, i.e. I can take it with me when I decide to use two completely different ISPs?

Is the obtaining of this IP block what is referred to as PI space?

Of course internally I split the /24 up however I want - /28 for untrust range and maybe a routed DMZ block etc.?

Assuming I apply for IP block and AS number, what's involved and how long does it take to get these babies?

I know the SSG550s have BGP capabilities. As I have two of these in HA mode, does it make sense to do the BGP on these, or should I get dedicated BGP routers?

Fixing the internal routing policy so traffic is directed at the active BGP connection. What's involved here, preferring one BGP link over the other?

Thanks again, I obviously need to do some reading of my own, but all the suggestions so far have been very valuable and definitely seem to be pointing in some fruitful directions.

Adel

On Sun 6:31 PM, James Hess wrote:

> On Sun, Nov 8, 2009 at 11:34 AM, wrote:
> [..]
> > connections from different providers I would still have issues. So
> > I guess that if my primary Internet goes down I lose connectivity
> > to all the publicly addressed devices on that connection. Like
> > dmz hosts and so on. I would be interested to hear how this
> > can be avoided if at all or do I have to use the same provider.
>
> You assign multi-homed IP address space to your publicly addressed
> devices, which are not specific to either ISP. You announce to both ISPs, and
> you accept some routes from both ISPs.
>
> You get multi-homed IPs, either by having an existing ARIN allocation,
> or getting a /22 from ARIN (special allocation available for
> multi-homing), or ask for a /24 from ISP A or ISP B for
> multihoming.
>
> If Link A fails, the BGP session eventually times out and dies: ISP
> A's BGP routers withdraw the routes, the IP addresses are then
> associated only with provider B.
>
> And you design your internal routing policy to direct traffic
> within your network to the router with an active BGP session.
>
> Link A's failure is _not_ a total non-event, but a 3-5 minute partial
> disruption, while the BGP session times out and updates occur in other
> people's routers, is minimal compared to a 3 day outage, if serious
> repairs to upstream fiber are required.
>
> --
> -J
Re: Failover how much complexity will it add?
Hi,

Ok thanks for clearing that up. I'm getting some good feedback on applying for PI and ASN through RIPE LIRs over on the UKNOF so I think I have a handle on this.

With regards to BGP and using separate BGP routers: I am announcing my PI space to my upstreams, but I don't need to carry a full Internet routing table, correct? So I can get away with some "lightweight" BGP routers, not being an ISP, if that makes sense?

Adel

On Sun 9:26 PM, Ken Gilmour wrote:

> Hey,
>
> Yes you apply to RIPE for your allocation. You should ask them for a
> /20 since it's the same price for that as a /24 if you can justify it
> (at least with LACNIC where I now get my allocations)...
>
> You will also need to apply for an ASN
>
> Correct - the block belongs to you and as long as you contact the
> transit provider from the address listed in WHOIS then you should be
> able to set up a new agreement easily.
>
> Yes the block is PI space (provider independent)
>
> It can take up to 1 month to get your assignments.
>
> I would recommend getting some different routers for this. I use
> OpenBSD in some of my locations which is extremely easy to work with.
> I also have some old NS-208 devices running ScreenOS for internal BGP
> in one other location. I would not recommend using any router with
> less than 1GB of RAM for BGP. In HA mode you can connect the two
> tails, one to each SSG (if they are in active active mode) and
> announce it that way (check out anycast), we also do this :).
>
> The way BGP works is that both connections are active at the same
> time, there is no primary and backup, if one goes down you just have
> one less to receive traffic over and more traffic on the other, but
> unless you stop announcing from one connection traffic will go over
> both.
>
> Regards,
>
> Ken
>
> 2009/11/8 :
> > Don't think I sent the below to the list, so resending:
> >
> > Thanks Seth and James,
> >
> > Things are getting a lot clearer. The BGP multihoming solution
> > sounds like exactly what I want. I have more questions :-)
> >
> > Now I suppose I would get my allocation from RIPE as I am UK based?
> >
> > Do I also need to apply for an AS number?
> >
> > As the IP block is "mine", it is ISP independent. i.e. I can take
> > it with me when I decide to use two completely different ISPs?
> >
> > Is the obtaining of this IP block, what is referred to as PI space?
> >
> > Of course internally I split the /24 up however I want - /28 for
> > untrust range and maybe a routed DMZ block etc.?
> >
> > Assuming I apply for IP block and AS number, what's involved and how
> > long does it take to get these babies?
> >
> > I know the SSG550s have BGP capabilities. As I have two of these in
> > HA mode, does it make sense to do the BGP on these, or should I get
> > dedicated BGP routers?
> >
> > Fixing the internal routing policy so traffic is directed at the
> > active BGP connection. What's involved here, preferring one BGP link
> > over the other?
> >
> > Thanks again, I obviously need to do some reading of my own, but
> > all the suggestions so far have been very valuable and definitely
> > seem to be pointing in some fruitful directions.
> >
> > Adel
> >
> > On Sun 6:31 PM , James Hess wrote:
> >
> >> On Sun, Nov 8, 2009 at 11:34 AM, wrote:
> >> [..]
> >> > connections from different providers I would still have issues. So
> >> > I guess that if my primary Internet goes down I lose connectivity
> >> > to all the publicly addressed devices on that connection. Like
> >> > dmz hosts and so on. I would be interested to hear how this
> >> > can be avoided if at all or do I have to use the same provider.
> >>
> >> You assign multi-homed IP address space to your publicly addressed
> >> devices, which are not specific to either ISP. You announce to both ISPs, and
> >> you accept some routes from both ISPs.
> >>
> >> You get multi-homed IPs, either by having an existing ARIN allocation,
> >> or getting a /22 from ARIN (special allocation available for
> >> multi-homing), or ask for a /24 from ISP A or ISP B for
> >> multihoming.
> >>
> >> If Link A fails, the BGP session eventually times out and dies: ISP
> >> A's BGP routers withdraw the routes, the IP addresses are then
> >> associated only with provider B.
> >>
> >> And you design your internal routing policy to direct traffic
> >> within your network to the router with an active BGP session.
> >>
> >> Link A's failure is _not_ a total non-event, but a 3-5 minute partial
> >> disruption, while the BGP session times out and updates occur in other
> >> people's routers, is minimal compared to a 3 day outage, if serious
> >> repairs to upstream fiber are required.
> >>
> >> --
> >> -J
Re: Failover how much complexity will it add?
I think partial routes makes perfect sense; makes sense that traffic for customers who are connected to each of my upstreams should go out of the correct BGP link as long as they are up! Now I need to start thinking of BGP router choices, sure I have a plethora of choices :-(

On Sun 10:01 PM, Seth Mattinen wrote:

> a...@baklawasecrets.com wrote:
> > Hi,
> >
> > Ok thanks for clearing that up. I'm getting some good feedback on
> > applying for PI and ASN through Ripe LIRs over on the UKNOF so I think I
> > have a handle on this.
> >
> > With regards to BGP and using separate BGP routers. I am announcing my
> > PI space to my upstreams, but I don't need to carry a full Internet
> > routing table, correct?
> >
> > So I can get away with some "lightweight" BGP routers not being an ISP
> > if that makes sense?
>
> Most will give you three choices: full routes, partial routes (internal,
> their customers) with default, and default only. If you can't swing full
> routes then I would go for partial routes as it will at least send
> traffic for each ISP and their customers directly to them rather than
> randomly over the other link. It all depends on what you're going to use
> as your BGP speaking platform.
>
> ~Seth
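To make the behaviour James and Seth describe concrete (a PI block announced to two upstreams, partial routes plus a default accepted from each, and the hold timer tearing down the dead session so its routes vanish), here is an added toy model; it is not code from this thread or from any router mentioned in it. All AS numbers, prefixes and timer values are constructed, and the inbound/outbound filters are the usual ones for a multihomed stub site rather than anything the posters specified.

```python
"""Toy model of the multihomed edge discussed in this thread: one PI /24
announced to two upstream ISPs, partial routes plus a default accepted from
both, and what the forwarding decision does when one BGP session dies.
Added example; AS numbers, prefixes and timers are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOLD_TIME = 90.0  # seconds; the usual BGP hold time (session dies if no KEEPALIVE arrives in time)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Route = Tuple[ipaddress.IPv4Network, Tuple[int, ...]]  # (prefix, AS_PATH)


@dataclass
class Upstream:
    name: str
    asn: int
    received: List[Route]        # Adj-RIB-In: what this ISP sent us (partial routes + default)
    last_keepalive: float = 0.0  # time the last KEEPALIVE was seen on this session
    established: bool = True


class EdgeRouter:
    """Customer edge: announces only its own PI block, accepts a filtered partial table."""

    def __init__(self, own_asn: int, own_prefix: str) -> None:
        self.own_asn = own_asn
        self.own_prefix = ipaddress.ip_network(own_prefix)
        self.upstreams: Dict[str, Upstream] = {}

    def add_session(self, up: Upstream) -> None:
        self.upstreams[up.name] = up

    def accept(self, route: Route) -> bool:
        """Inbound policy: a default is fine; drop our own block (or a more specific of it),
        paths containing our own ASN (loop), anything longer than /24, and RFC 1918 space."""
        prefix, path = route
        if prefix == DEFAULT:
            return True
        if prefix.subnet_of(self.own_prefix) or self.own_asn in path:
            return False
        return prefix.prefixlen <= 24 and not any(prefix.subnet_of(n) for n in RFC1918)

    def tick(self, now: float) -> None:
        """Hold timer: a session silent for longer than HOLD_TIME is torn down, which
        implicitly withdraws every route learned over it."""
        for up in self.upstreams.values():
            if up.established and now - up.last_keepalive > HOLD_TIME:
                up.established = False

    def rib(self) -> List[Tuple[ipaddress.IPv4Network, Tuple[int, ...], str]]:
        """Candidate routes: accepted prefixes from established sessions only."""
        return [(p, path, up.name)
                for up in self.upstreams.values() if up.established
                for p, path in up.received if self.accept((p, path))]

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest prefix match, then shortest AS_PATH, then lowest upstream name.
        ISP A's customers are reached via A's partial route; everything else hits the
        default and, while both sessions are up, leaves via whichever wins the tie."""
        addr = ipaddress.ip_address(dst)
        cands = [c for c in self.rib() if addr in c[0]]
        if not cands:
            return None
        return min(cands, key=lambda c: (-c[0].prefixlen, len(c[1]), c[2]))[2]

    def announcements(self) -> Dict[str, List[Route]]:
        """Outbound policy: each live upstream hears only our own block, never routes
        learned from the other ISP, so we never accidentally become transit."""
        return {name: [(self.own_prefix, (self.own_asn,))]
                for name, up in self.upstreams.items() if up.established}

    def rejected(self) -> List[str]:
        return sorted(str(p) for up in self.upstreams.values()
                      for p, path in up.received if not self.accept((p, path)))


def build_scenario() -> EdgeRouter:
    """Constructed: we are AS 64512 (private ASN standing in for a real one) with
    203.0.113.0/24; documentation prefixes play the two ISPs' customers."""
    r = EdgeRouter(own_asn=64512, own_prefix="203.0.113.0/24")
    r.add_session(Upstream("isp-a", 64600, received=[
        (DEFAULT, (64600,)),
        (ipaddress.ip_network("198.51.100.0/24"), (64600, 64601)),  # customer of ISP A
        (ipaddress.ip_network("203.0.113.0/25"), (64600, 64999)),  # more-specific of OUR block: reject
    ]))
    r.add_session(Upstream("isp-b", 64700, received=[
        (DEFAULT, (64700,)),
        (ipaddress.ip_network("192.0.2.0/24"), (64700, 64701)),    # customer of ISP B
        (ipaddress.ip_network("10.0.0.0/8"), (64700,)),            # leaked private space: reject
    ]))
    return r


def failover_demo() -> Dict[str, object]:
    """Link A goes dark: A's KEEPALIVEs stop, B's keep arriving, A's hold timer expires."""
    r = build_scenario()
    out: Dict[str, object] = {
        "a_customer_before": r.next_hop("198.51.100.10"),  # partial route -> isp-a
        "b_customer_before": r.next_hop("192.0.2.10"),     # partial route -> isp-b
        "elsewhere_before": r.next_hop("198.18.0.1"),      # only the default matches; tie -> isp-a
        "rejected": r.rejected(),
    }
    r.upstreams["isp-b"].last_keepalive = 100.0  # B still talking at t=100
    r.tick(now=100.0)                            # A last heard at t=0: 100 > HOLD_TIME, session dies
    out["a_customer_after"] = r.next_hop("198.51.100.10")  # A's customer now reached via B's default
    out["elsewhere_after"] = r.next_hop("198.18.0.1")
    out["announced_to"] = sorted(r.announcements())        # only the surviving upstream hears our /24
    return out
```

The model ignores what James calls the 3-5 minutes while other people's routers converge; it only shows the local side of the failover and which leaked or bogus prefixes a sane inbound filter drops on the floor.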
Re: Failover how much complexity will it add?
So if my requirements are as follows:

- BGP router capable of holding full Internet routing table (whether I go for partial or full, I think I want something with full capability).
- Capable of pushing 100meg plus of mixed traffic.

What are my options? I want to exclude OpenBSD, or Linux with Quagga. Probably looking at Cisco or Juniper products, but interested in any other alternatives people suggest. I realise this is quite a broad question, but hoping this will provide a starting point. Oh and if I have missed any specs I should have included above, please let me know.

Thanks

Adel

On Sun 10:18 PM, Seth Mattinen wrote:

> a...@baklawasecrets.com wrote:
> > I think partial routes makes perfect sense, makes sense that traffic
> > for customers who are connected to each of my upstreams should go out of
> > the correct BGP link as long as they are up! Now I need to start
> > thinking of BGP router choices, sure I have a plethora of choices :-(
>
> Personally I'll always go for full routes if the router has enough
> memory (software based) or TCAM space (hardware based). Cheaper to do on
> software platforms though. An entry level Cisco 2811 can take full
> tables from multiple upstreams with 786MB RAM or even 512. It won't push
> 100 meg of mixed traffic though.
>
> ~Seth
Re: Failover how much complexity will it add?
Basically the organisation that I'm working for will not have the skills in house to support a Linux or BSD box. They will have trouble with supporting the BGP configuration; however I don't think they will be happy with me if I leave them with a Linux box when they don't have Linux/Unix resource internally. At least with a Cisco or Juniper they are familiar with IOS and it won't be too foreign to them.

On Sun 11:30 PM, "Renato Frederick" wrote:

> Are there any problems with quagga+BSD/Linux that you know or something
> like that?
>
> Or in your scenario a "cisco/juniper box" is a requirement?
>
> I'm asking this because I'm always running BGP with upstream providers
> using quagga on BSD and everything is fine until now.
>
> --
> From:
> Sent: Sunday, November 08, 2009 8:39 PM
> To:
> Subject: Re: Failover how much complexity will it add?
>
> > So if my requirements are as follows:
> >
> > - BGP router capable of holding full Internet routing table. (whether I
> > go for partial or full, I think I want something with full capability).
> >
> > - Capable of pushing 100meg plus of mixed traffic.
> >
> > What are my options? I want to exclude openbsd, or linux with quagga.
> > Probably looking at Cisco or Juniper products, but interested
> > in any other alternatives people suggest. I realise this is quite a broad
> > question, but hoping this will provide a starting point. Oh and
> > if I have missed any specs I should have included above, please let me
> > know.
> >
> > Thanks
> >
> > Adel
Re: Failover how much complexity will it add?
You will laugh, but the budget at the moment looks like £13k. Impossible? Do only Linux and OpenBSD solutions remain in the mix for this pittance?

On Sun 11:47 PM, Dale Rumph wrote:

> What does your budget look like? A pair of Cisco 7246vxr's with G1's
> sitting on the edge of the network would be very effective and still allow
> expansion. Or you could go up to the 7609. However this gear may be
> slightly overkill. You might be ok with a 3660 enterprise and a ton of
> ram. I have done single sessions on them but not with the level of HA you're
> looking for.
>
> Just my 2c
>
> - Original Message -
> From: a...@baklawasecrets.com
> To: nanog@nanog.org
> Sent: Sun Nov 08 18:36:31 2009
> Subject: Re: Failover how much complexity will it add?
>
> Basically the organisation that I'm working for will not have the skills
> in house to support a linux or bsd box. They will have trouble
> with supporting the BGP configuration, however I don't think they will be
> happy with me if I leave them with a linux box when they
> don't have linux/unix resource internally. At least with a Cisco or
> Juniper they are familiar with IOS and it won't be too foreign to them.
>
> On Sun 11:30 PM , "Renato Frederick" wrote:
>
> > There are any problems with quagga+BSD/Linux that you know or something
> > like that?
> >
> > Or in your scenario a "cisco/juniper box" is a requirement?
> >
> > I'm asking this because I'm always running BGP with upstreams providers
> > using quagga on BSD and everything is fine until now.
> >
> > --
> > From:
> > Sent: Sunday, November 08, 2009 8:39 PM
> > To:
> > Subject: Re: Failover how much complexity will it add?
> >
> > > So if my requirements are as follows:
> > >
> > > - BGP router capable of holding full Internet routing table. (whether I
> > > go for partial or full, I think I want something with full capability).
> > >
> > > - Capable of pushing 100meg plus of mixed traffic.
> > >
> > > What are my options? I want to exclude openbsd, or linux with quagga.
> > > Probably looking at Cisco or Juniper products, but interested
> > > in any other alternatives people suggest. I realise this is quite a broad
> > > question, but hoping this will provide a starting point. Oh and
> > > if I have missed any specs I should have included above, please let me
> > > know.
> > >
> > > Thanks
> > >
> > > Adel
Re: Failover how much complexity will it add?
Looking at two 100Mbit/s BGP connections, so I think I want something that will do more than 100 but nowhere close to a gig. So full routing table capability with throughput of mixed traffic around 200Mbit/s, if that makes sense. Do the 2850s fall into that sort of price point?

Adel

On Mon 11:13 AM, Joe Abley wrote:

> On 2009-11-09, at 19:53, a...@baklawasecrets.com wrote:
>
> > You will laugh, but the budget at the moment looks like £13k.
> > Impossible? Do only linux and openbsd solutions remain in the mix
> > for this pittance?
>
> I don't see an indication of the traffic you need to push (maybe I
> deleted a message too enthusiastically) but check the 2800 series from
> cisco. The 2850 will take full tables and has gigabit interfaces, but
> don't expect them to do wire speed. Other 2800s suffer from reduced
> RAM, but perhaps you don't need full tables.
>
> Also look at Juniper J-series boxes, and maybe Force10 S-series boxes.
>
> There's a healthy market in used cisco gear in most places I have ever
> visited, if you don't need new.
>
> Joe
Re: Failover how much complexity will it add?
Thanks,

Their offering certainly looks appealing. Will be interested to hear user experiences of the Vyatta BGP router range. Having said that I will still be examining the Cisco offering, just because of the support, larger user community and skills base issue. However if I can't meet the price point using Cisco, obviously other solutions are going to come into the picture.

Adel

On Mon 11:39 AM, Arnold Nipper wrote:

> On 09.11.2009 11:53 a...@baklawasecrets.com wrote
>
> > You will laugh, but the budget at the moment looks like £13k.
> > Impossible? Do only linux and openbsd solutions remain in the mix
> > for this pittance?
>
> Do you know Vyatta (http://www.vyatta.com/)? CLI and config is
> Cisco-ish. Prices e.g.
>
> Vyatta Appliance, Vyatta 2502, Enterprise Subscription, Basic Warranty,
> 1 Year (ships with US Power Cord as standard) (Typically ships in 10-12
> business days)
> Price: $2,997.00
>
> Best regards,
> Arnold
> --
> Arnold Nipper / nIPper consulting, Sandhausen, Germany
> email: arn...@nipper.de phone: +49 6224 9259 299
> mobile: +49 172 2650958 fax: +49 6224 9259 333
Re: Failover how much complexity will it add?
Thanks,

I've taken your advice and decided to reconsider my requirement for a full routing table. I believe I'm being greedy and a partial table will be sufficient. With regards to Linux/BSD, it's not the CLI of Quagga that will be an issue, rather the sysadmin and lack of supporting infrastructure for Linux boxes within the organisation. So things like package management, syslog servers, monitoring, understanding of security issues etc. I don't want to leave them with a Linux/BSD solution that they won't be able to maintain/manage effectively when I am gone.

Thanks for your comments. Look forward to hearing which solutions come back into the mix having dropped the full routing table requirement.

Regards,

Adel

On Mon 11:45 AM, Joe Greco wrote:

> > > > Basically the organisation that I'm working for will not have the skills
> > > > in house to support a linux or bsd box. They will have trouble
> > > > with supporting the BGP configuration, however I don't think they will be
> > > > happy with me if I leave them with a linux box when they
> > > > don't have linux/unix resource internally. At least with a Cisco or
> > > > Juniper they are familiar with IOS and it won't be too foreign to them.
> > > >
> > > > On Sun 11:47 PM , Dale Rumph wrote:
> > >
> > > What does your budget look like? A pair of Cisco 7246vxr's with G1's
> > > sitting on the edge of the network would be very effective and still allow
> > > expansion. Or you could go up to the 7609. However this gear may be
> > > slightly overkill. You might be ok with a 3660 enterprise and a ton of
> > > ram. I have done single sessions on them but not with the level of HA your
> > > looking for.
> > >
> > > Just my 2c
> >
> > You will laugh, but the budget at the moment looks like £13k.
> > Impossible? Do only linux and openbsd solutions remain in the mix
> > for this pittance?
>
> No, you have the buy-it-off-eBay solutions as well. "Beware the
> fakes."
>
> If they're familiar with IOS, then they can be familiar with Quagga
> about as easily as they could be familiar with a switch or other
> network gizmo that had a Ciscoesque CLI but wasn't actually Cisco.
>
> You've painted yourself into a corner. I have a word for you:
>
> Reconsider.
>
> I don't care what you reconsider, but reconsider something. You can
> reconsider taking BGP with a full table. You can reconsider Quagga.
> Or you can reconsider your budget. This is the end result of the
> "pick any two" problem.
>
> Most end user organizations have no need of full routes in BGP. To
> try to take them dooms TCAM-based equipment at some future point,
> though if you have a lot of money to throw at it, you can make that
> point be years in the future. It is essentially planned obsolescence.
> If you discard the requirement for full routes, you open up a bunch
> of reasonably-priced possibilities.
>
> Finding someone knowledgeable in BSD or Linux isn't that rough.
> Unlike a Cisco 76xx router, the hardest part of a Quagga-based
> solution is finding the right mix of hardware and software at the
> beginning. PC hardware has a lot going for AND against it. There is
> no reason you can't make a good router out of a PC. If you buy the
> Cisco software-based routers, you're essentially buying a prepackaged
> version, except that it'll be specced to avoid any real competition
> with their low-end TCAM-based offerings. A contemporary PC can
> easily route gigabits. Vyatta makes what I hear is a fantastic
> canned solution of some sort, for a reasonable cost, and they will
> sell just software or software/hardware. If you really can't put
> it together yourself, there's someone to do it for you.
>
> Reconsidering your budget is probably the most painful thing to do,
> but also opens up the "just buy big Cisco" option. I think my point
> here would have to be that what you're looking for would have needed
> big Cisco... ten years ago. Now, dealing with a few hundred megs of
> traffic, that's not that big a deal, the thing that's killing you is
> the BGP table size.
>
> Your best option may be to see if you can settle for partial routes
> plus a default.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
Re: Failover how much complexity will it add?
Actually thinking about this, I still need to understand the implications of not taking a full routing table to my setup. So what is the likely impact going to be if I take a partial instead of a full routing table? Would appreciate any feedback on this. My organisation is only looking at using BGP as a means of failover between two separate upstream ISPs. We are not an ISP.

Thanks
Adel

On Mon 1:32 PM , a...@baklawasecrets.com wrote:
> Thanks,
>
> I've taken your advice and decided to reconsider my requirement for a full routing table. I believe I'm being greedy and a partial table will be sufficient. With regards to Linux/BSD, it's not the CLI of quagga that will be an issue, rather the sysadmin and lack of supporting infrastructure for Linux boxes within the organisation. So things like package management, syslog servers, monitoring, understanding of security issues etc. I don't want to leave them with a linux/bsd solution that they won't be able to maintain/manage effectively when I am gone.
>
> Thanks for your comments. Look forward to hearing which solutions come back into the mix having dropped the full routing table requirement.
>
> Regards,
>
> Adel
>
> On Mon 11:45 AM , Joe Greco wrote:
> > > Basically the organisation that I'm working for will not have the skills in house to support a linux or bsd box. They will have trouble with supporting the BGP configuration, however I don't think they will be happy with me if I leave them with a linux box when they don't have linux/unix resource internally. At least with a Cisco or Juniper they are familiar with IOS and it won't be too foreign to them.
> > >
> > > On Sun 11:47 PM , Dale Rumph wrote:
> > > > What does your budget look like? A pair of Cisco 7246vxr's with G1's sitting on the edge of the network would be very effective and still allow expansion. Or you could go up to the 7609. However this gear may be slightly overkill. You might be ok with a 3660 enterprise and a ton of ram. I have done single sessions on them but not with the level of HA you're looking for.
> > > >
> > > > Just my 2c
> > >
> > > You will laugh, but the budget at the moment looks like £13k. Impossible? Do only linux and openbsd solutions remain in the mix for this pittance?
> >
> > No, you have the buy-it-off-eBay solutions as well. "Beware the fakes."
> >
> > If they're familiar with IOS, then they can be familiar with Quagga about as easily as they could be familiar with a switch or other network gizmo that had a Ciscoesque CLI but wasn't actually Cisco.
> >
> > You've painted yourself into a corner. I have a word for you:
> >
> > Reconsider.
> >
> > I don't care what you reconsider, but reconsider something. You can reconsider taking BGP with a full table. You can reconsider Quagga. Or you can reconsider your budget. This is the end result of the "pick any two" problem.
> >
> > Most end user organizations have no need of full routes in BGP. To try to take them dooms TCAM-based equipment at some future point, though if you have a lot of money to throw at it, you can make that point be years in the future. It is essentially planned obsolescence. If you discard the requirement for full routes, you open up a bunch of reasonably-priced possibilities.
> >
> > Finding someone knowledgeable in BSD or Linux isn't that rough. Unlike a Cisco 76xx router, the hardest part of a Quagga-based solution is finding the right mix of hardware and software at the beginning. PC hardware has a lot going for AND against it. There is no reason you can't make a good router out of a PC. If you buy the Cisco software-based routers, you're essentially buying a prepackaged version, except that it'll be specced to avoid any real competition with their low-end TCAM-based offerings. A contemporary PC can easily route gigabits. Vyatta makes what I hear is a fantastic canned solution of some sort, for a reasonable cost, and they will sell just software or software/hardware. If you really can't put it together yourself, there's someone to do it for
Re: Failover how much complexity will it add?
Hi Joe,

I agree with most of what you say below regarding linux sysadmin, BSD etc. I'm quite happy and actually would prefer building a linux solution on our own hardware. However, politically I think this is going to be difficult. I just feel that they will be more comfortable with embedded network boxes as opposed to a linux solution. I guess what I'm saying is this is partially a political thing.

Adel

On Mon 3:20 PM , Joe Greco wrote:
> > Thanks,
> >
> > I've taken your advice and decided to reconsider my requirement for a full routing table. I believe I'm being greedy and a partial table will be sufficient. With regards to Linux/BSD, it's not the CLI of quagga that will be an issue, rather the sysadmin and lack of supporting infrastructure for Linux boxes within the organisation. So things like package management,
>
> You don't need to run Apache on your router.
>
> > syslog servers,
>
> If you didn't have syslog servers for the Cisco, you don't need one for the Quagga.
>
> > monitoring,
>
> If you didn't monitor the Cisco, you don't need to monitor the Quagga.
>
> > understanding of security issues etc.
>
> What security issues?
>
> The thing is, people get all tied up over this idea that it is some major ongoing burden to support a Linux based device.
>
> I have a shocker for you. The CPE your residential broadband relies on may well run Linux, and you didn't even know it. The wifi router you use may run Linux. There are thousands of embedded uses for Linux. I highly doubt that the average TiVo user has a degree in Linux. Many different things you use in day-to-day life run Linux, BSD, VxWorks, or whatever ... mostly without any need of someone to handhold them on security issues.
>
> Of course, security issues do come up. But they do with Cisco as well.
>
> A proper Linux router doesn't have ports open, aside from bgp and ssh, and those can be firewalled appropriately. This makes it very difficult to have any meaningful "security problems" relating to the platform...
>
> You can expect the occasional issue. Just like anything else. But trying to compare it to security issues on a general Linux platform is only meaningful if you're trying to argue against the solution.
>
> (I'm a BSD guy myself, but I don't see any reason for undue Linux paranoia)
>
> > I don't want to leave them with a linux/bsd solution that they won't be able to maintain/manage effectively when I am gone.
>
> If they're unable to maintain something as straightforward as BSD or Linux when you're gone, this raises alarm bells as to whether or not BGP is really suited for them. BGP is *much* more arcane, relatively speaking. You can go to your local bookstore and pick up a ton of Linux or BSD sysadm books, but you'll be lucky to find a book on BGP.
>
> > Thanks for your comments. Look forward to hearing which solutions come back into the mix having dropped the full routing table requirement.
>
> There's a whole plethora of BGP-capable gear that becomes possible once you make that call. Cisco and Juniper both make good gear. A variety of other mfrs do as well. Something as old as an Ascend GRF 400 (fast ethernet, line speed, 150K routes, ~1998?) is perfectly capable of dealing with the load, though I mention this primarily to make the point that there is a lot of equipment within the last decade that can support this.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
BGP Peer Selection Considerations
Hi,

Thanks to everyone that replied to my post on failover configuration. This has led me to this post. I'm at a point now where I'm looking at dual-homing with two BGP peers upstream. Now what I am looking at doing is as follows:

BGP Peer with Provider A who is multihomed to other providers.
BGP Peer with Provider B who is not peered with provider A.

I have an existing relationship with provider A, colo, cross connects etc. Provider A has offered to get the PI space, ASN number, purchase the transit for us with provider B and manage cross connects to provider B (they say they have a diverse "fibre backhaul network"). This is quite attractive from a support and billing perspective. Also suspect that provider A will be able to get more attractive pricing from Provider B than I would be able to.

Am I missing things that I need to consider?
Re: BGP Peer Selection Considerations
If nothing else, by the time this deployment is finished I will surely have become extremely cynical. Now reading through people's answers, I think the general consensus is that I would be giving too much control to provider A in the scenario I suggested below. So as someone mentioned they have the ability to foul up my connections all by themselves.

From all of this I gather that the most resilience would be provided by:

1) Go to two tier 1 carriers myself - say Global Crossing and Level 3. Arrange to get two 100meg BGP feeds, burstable. Pick them up at different datacentres as well I suppose to provide datacentre redundancy? Negotiate pricing, any tips on negotiating appreciated.

2) Arrange cross connects to these providers i.e. get to the datacentres the Tier1 providers are in. They are not on net at the colo we are in. With regards to arranging the cross connects, am I able to ask the cross connect providers for fibre maps? Is this a done thing or will they brush me off with "you don't need this, our network is diverse"?

3) Arrange for PI space and ASN myself, so become an LIR through RIPE. Do I really lose a lot by asking Level3 or GBLX to get the PI and ASN for me? I think the failure mode cited by someone was if the PI and ASN provider goes out of business. I would prefer not to go through becoming an LIR and maintaining the membership, as they are not an ISP and so it is more attractive to do that through one of the Tier 1 providers.

I'm not sure what my options are in terms of getting to the datacentres to pick up the Tier1 providers. The "provider A" below has said they run a diverse fibre backhaul network etc etc. and I should go with them for connectivity to other datacentres. Now it would be easier to go with them just because they are running colo for us and they run the datacentre we are in. However I assume that I should not be scared of arranging a second cross connect with someone else altogether.

In all of the above, I'm most worried about administrative overhead. Managing two cross connect providers, managing ongoing relationships with two Tier1 providers and so on. However resilience comes at a cost I suppose is the answer.

Comments appreciated.

Adel

On Mon 7:10 PM , "William Herrin" herrin-na...@dirtside.com sent:
> On Mon, Nov 9, 2009 at 12:40 PM, <baklawasecrets.com> wrote:
> > I have an existing relationship with provider A, colo, cross connects etc. Provider A has offered to get the PI space, ASN number, purchase the transit for us with provider B and manage cross connects to provider B (they say they have a diverse "fibre backhaul network"). This is quite attractive from a support and billing perspective. Also suspect that provider A will be able to get more attractive pricing from Provider B than I would be able to.
> >
> > Am I missing things that I need to consider?
>
> What happens when provider A is bought by provider C and you want to dump provider C but keep provider B? You'll have created a conflict of interest for provider B in any negotiation you have with them.
>
> Be aware that provider A's diverse network for provider A's service is the same diverse network they'll use to connect you to provider B. As a result, many or most of the outages which impact provider A will also impact your connectivity to provider B, defeating the central purpose of having a provider B.
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. .. Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
Re: BGP Peer Selection Considerations
I've decided to get transit from provider B independently of A, so I don't create a conflict of interest as mentioned below. However I think that I will have to use provider A's dark fibre network to connect to both peerings. Provider A tells me that they will use different routes and different entry points to get to their peering and separate routes, entries to get to B's peering. As they own the datacentre and can probably provide the best costs for getting into the datacentres where the second transit provider is, I think I will have to use

I should mention there are no transit providers on net at the datacentre facility which has been acquired by the business. I suspect it will be cheaper to get the cross connects to where the transit provider is from provider A, (did I mention provider A owns the datacentre?). I know I'll be sacrificing some resilience by using A's network to get to both Internet services, however I think I will just have to outline the risks to the business and go with it. Moving datacentres isn't an option and as long as I understand exactly what resilience I sacrifice by getting A to provide all the cross connects, I can explain that to the business.

Adel

On Mon 7:10 PM , William Herrin wrote:
> On Mon, Nov 9, 2009 at 12:40 PM, wrote:
> > I have an existing relationship with provider A, colo, cross connects etc. Provider A has offered to get the PI space, ASN number, purchase the transit for us with provider B and manage cross connects to provider B (they say they have a diverse "fibre backhaul network"). This is quite attractive from a support and billing perspective. Also suspect that provider A will be able to get more attractive pricing from Provider B than I would be able to.
> >
> > Am I missing things that I need to consider?
>
> What happens when provider A is bought by provider C and you want to dump provider C but keep provider B? You'll have created a conflict of interest for provider B in any negotiation you have with them.
>
> Be aware that provider A's diverse network for provider A's service is the same diverse network they'll use to connect you to provider B. As a result, many or most of the outages which impact provider A will also impact your connectivity to provider B, defeating the central purpose of having a provider B.
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. .. Web:
Gig Throughput on IPSEC
Hi,

I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre link. In the past I've normally used Juniper to terminate VPNs, as I have found them excellent devices and the route based VPN functionality very useful. However looking at their range, only the ISG will do a gig of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for firewall/routing capability at each site, then having separate encryption devices to handle the site-to-site vpn requiring the gig throughput. Does anyone have any suggestions on devices to use?

Adel
Re: Gig Throughput on IPSEC
On second thoughts, thinking about this I am probably looking for some kind of Layer2 encryption devices. This will make things a lot easier for the deployment. Any experiences, thoughts on these types of devices, would be much appreciated.

Adel

On Wed 9:25 AM , a...@baklawasecrets.com sent:
> Hi,
>
> I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre link. In the past I've normally used Juniper to terminate VPNs, as I have found them excellent devices and the route based VPN functionality very useful. However looking at their range, only the ISG will do a gig of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for firewall/routing capability at each site, then having separate encryption devices to handle the site-to-site vpn requiring the gig throughput. Does anyone have any suggestions on devices to use?
>
> Adel
Transit from Cogent - thoughts?
Contemplating using Cogent Communications for transit as pricing looks favourable. Just trying to get a feel for what sort of a reputation they have in the network operators community. I'm sure people have horror stories for every provider, but just trying to get a general idea of what sort of regard they are held in the community. Thanks Adel
Resilience - How many BGP providers
Hi,

After recent discussions on the list, I've been thinking about the effects of multiple BGP feeds on the overall resilience of Internet connectivity for my organisation. So originally when I looked at the design proposals, there was a provision in there for four connections with the same Internet provider. Thinking about it and with the valuable input of members on this list, it was obvious that multiple connections from the same provider defeated the aim of providing resilience.

So having come to the decision to use two providers and BGP peer with both, I'm wondering how much more resilience I would get by peering with more than two providers. So will it significantly increase my resilience by peering with three providers for example, as both of the upstreams I choose will be multihomed to other providers? Especially as I am only looking at peering out of the UK.

Hope the above makes sense.

Adel
Re: Gig Throughput on IPSEC - alternatively Layer2 encryption devices
Hi,

Thanks for the pointers to the Juniper devices. I think I'm really thinking about layer2 encryption, rather than doing the encryption using IPSEC. I feel that as it's a p-t-p fibre link, this makes most sense in terms of throughput and least impact on the network. Operating at layer3 the IPSEC solution introduces more complexity than I would like across this link. As I understand it, with layer2 encryption devices VLANs between the sites would "just work". I'm interested to hear of people's experiences with layer 2 encryption devices out there, as I don't have that much experience with them. I think my subject line mentioning IPSEC is a bit confusing as I'm really after information on Layer2 encryption hardware.

Adel

On Wed 6:45 PM , Brad Fleming bdflem...@kanren.net sent:
> On Nov 11, 2009, at 3:25 AM, adel@baklawasecrets.com wrote:
> > Hi,
> >
> > I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre link. In the past I've normally used Juniper to terminate VPNs, as I have found them excellent devices and the route based VPN functionality very useful. However looking at their range, only the ISG will do a gig of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for firewall/routing capability at each site, then having separate encryption devices to handle the site-to-site vpn requiring the gig throughput. Does anyone have any suggestions on devices to use?
> >
> > Adel
>
> Not knowing all your other needs, I won't swear to it... but would the Juniper SRX650 work for your situation? It can pass 1.5Gbps of encrypted traffic according to their datasheet. I've never actually tried to move that much data through the box so I can't testify to it.
>
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted traffic.
>
> Of course, these are JunosES devices as opposed to ScreenOS, but the transition isn't as painful as you might expect. We actually use the J-series devices with JunosES as site routers/firewalls with a great deal of success.
RE: Resilience - How many BGP providers
I suppose I could take the whole resilience thing further and further and further. One of the replies used a phrase which I think captured the problem quite nicely: "diminishing returns". Basically I could spend lots and lots of money to try and eliminate all single points of failure. Clearly I don't have the money to do this and what I'm really trying to establish is at what point do the returns start to diminish with regards to obtaining multiple transit providers. The answer appears to be "it depends". So if getting a third BGP peering with divergent paths, separate last mile, separate facility and separate router will increase costs by 5x but only increase resilience by 0.001%, is it really worth it? I'm trying to quantify the resilience of my Internet connectivity and quantify the effects of adding more providers.

Now to run through my case:

- I have one facility to locate BGP routers at. That's not changing for the moment.
- I can afford two BGP routers.
- The facility I'm located at tell me they have divergent fibre paths and multiple entries into the facility. (Still need to verify this by getting them to walk the routes with me)
- I am going to take transit from two upstreams.
- I could ask the question as to whether I can peer with separate routers on each of the upstreams, i.e. to protect against router failures on their side.
- I will make sure that neither upstream peers with the other directly. (Does this give me some AS path redundancy?)

So from the above:

- I have no resilience with regards to datacentre location, i.e. if a plane fell out of the sky etc., I'm done.
- I can afford some BGP router resilience on my side. So I should be able to continue working if a router failure which only affects one of my routers occurs.
- I have some resilience in terms of actual fibre paths to the facilities where I will be picking up the BGP feeds from. (to be verified)
- I have some "AS resilience" if this is the right term. So if the AS of one of my upstreams drops off the face of the Internet, I can still get to the Internet through the AS of my other provider.
- Peering with separate routers may give me some resilience for router failure on the side of my upstreams? (not totally sure on this)

In this situation, if I add another peering with another upstream, am I really getting much return in terms of resilience? Or should I spend this money examining the many other SPOFs in my architecture? I'm perfectly sure there is absolutely no point me peering with 6 providers, but maybe some gains in peering with 3? I'm trying to figure out at what point adding another peering in my case is a waste of money.

I haven't gone into switch and power redundancy, because I "think" I understand it. I wanted to concentrate on the multiple upstreams question.

Heads starting to whirl right about now.

Adel

On Wed 5:27 PM , "Dylan Ebner" dylan.eb...@crlmed.com sent:
> Your question has many caveats. Just having two providers does not necessarily get you more resiliency. If you have two providers and they are terminating on the same router, then you still have a SPOF problem. You also need to look at physical paths as well. If you have two (or three) providers and they are using a common carrier, then you have a problem as well. For example, GLBX has a small presence in the Minneapolis metro. If I were to use them as a provider, they would use Qwest as a last mile. If my other provider is Qwest (which it is), I may not have path divergence.
>
> Facilities are important too. We have three upstreams; Qwest, MCI and ATT. The facility only has two entrances, so that means two of these are in the same conduit. If you only have one entrance, all your connections are going to run through that conduit, and that makes you susceptible to a rogue backhoe.
>
> You are on the right track to question your resiliency. Some upstreams can offer good resiliency with multiple feeds. Others cannot. I would start with your provider and see what you are getting. Maybe you already have path divergence, separate last miles, and multiple paths in the isp core. If you go with multiple providers, you want to make sure you don't risk losing something you already have.
>
> -----Original Message-----
> From: a...@baklawasecrets.com [adel@baklawasecrets.com]
> Sent: Wednesday, November 11, 2009 11:14 AM
> To: na...@nanog.org
> Subject: Resilience - How many BGP providers
>
> Hi,
>
> After recent discussions on the list, I've been thinking about the effects of multiple BGP feeds on the overall resilience of Internet connectivity for my organisation. So originally when I looked at the design proposals, there was a provision in there
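The "at what point do the returns diminish" question above can be sketched with a small series/parallel availability model. This is an added example, not from the thread; every availability figure in it is a constructed placeholder, and the assumed shared elements (one facility, a two-router pair, and an optional common backhaul such as provider A's fibre) stand in for the SPOFs listed in the post.

```python
"""Series/parallel availability model for the "how many upstreams" question.

Added example, not from the thread.  Every figure below is a constructed
placeholder chosen to show the shape of the answer, not a measurement.

Model: the site is reachable when every shared series element (facility,
router pair, optionally a common backhaul) is up AND at least one upstream
path is up.  An upstream path is its own last mile in series with the
provider's AS.  Running every path over one provider's backhaul adds that
backhaul as one more series element, which is the provider-A concern raised
earlier in the thread.
"""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60

# Constructed component availabilities (assumptions, not measurements).
FACILITY = 0.9995        # power, cooling, building entrances
ROUTER = 0.999           # one of our BGP routers
LAST_MILE = 0.999        # divergent fibre to one provider
PROVIDER_AS = 0.998      # one upstream's network/AS
SHARED_BACKHAUL = 0.999  # one provider's fibre used to reach both upstreams


def series(*parts):
    """All elements must be up: availabilities multiply."""
    return prod(parts)


def parallel(*parts):
    """At least one element must be up: complement of all failing together."""
    return 1.0 - prod(1.0 - a for a in parts)


def site_availability(n_upstreams, n_routers=2, shared_backhaul=None):
    """Availability of Internet reachability for the design in the post.

    n_upstreams independent transit paths, n_routers of our own BGP routers
    in parallel, one facility as a single point of failure, and optionally
    one backhaul element common to every upstream path.
    """
    path = series(LAST_MILE, PROVIDER_AS)
    upstreams = parallel(*([path] * n_upstreams))
    routers = parallel(*([ROUTER] * n_routers))
    a = series(FACILITY, routers, upstreams)
    if shared_backhaul is not None:
        a = series(a, shared_backhaul)
    return a


def downtime_minutes(availability):
    """Expected unavailability per year, in minutes."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def marginal_gain_minutes(n_before, n_after, **kw):
    """Downtime per year removed by going from n_before to n_after upstreams."""
    return (downtime_minutes(site_availability(n_before, **kw))
            - downtime_minutes(site_availability(n_after, **kw)))


if __name__ == "__main__":
    for n in (1, 2, 3):
        a = site_availability(n)
        print(f"{n} upstream(s): {a:.6f} -> {downtime_minutes(a):7.1f} min/yr")
    print(f"2nd upstream saves {marginal_gain_minutes(1, 2):.1f} min/yr")
    print(f"3rd upstream saves {marginal_gain_minutes(2, 3):.1f} min/yr")
    shared = site_availability(2, shared_backhaul=SHARED_BACKHAUL)
    print(f"2 upstreams over one backhaul: {downtime_minutes(shared):.1f} min/yr")
    # The single facility alone accounts for most of what is left.
    print(f"facility alone: {downtime_minutes(FACILITY):.1f} min/yr")
```

With these placeholders the second upstream removes well over a thousand minutes of expected downtime a year while the third removes only a handful, and a shared backhaul under two upstreams costs more than the third upstream could ever buy back.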
Art and Tech is madness
In SPRING a time when segment and routing had no mismatch, a time when isis and ospf ate a forbidden encap, all they had to do was forward bgp like its hot, but crazy flapping doesnt leave any real LDP without some real FSM check, My dynamic unnumbered neighbor. Suddenly, Out of order, an AS is overridden, we see frames dropping, we sniff a bit and it turns out, sfps are burning, we are in a place right now where ping and pong are jittery, their latency is tested, they cant strengthen their icmp bond with a warm bfd message, how can they keep everyone in ACK, safe from teardown and dampening, with this kind of ixp relationship??! but oh admin, we know forwarding works in its own mysterious ways. We are left with two non rfc compliant scavengers, bastard 802.1ah fools in a leaky yet shaped, buffer display of some runts and nimbles, and a giant too. They start their life of a packet, leaving one interface to a neighbor, from an adjacency to a peer, an endless loop, its a prefix hijack, but as they move from one stack to another, finding their way through a tunnel of memory failures and RMAs, one hell of an LSP ride, through firewall horrors and MTU mismatches, leaving behind, a sea of syslog messages and snmp alarms. Anyway, Their ttl expired and one funny access list abruptly denies them life, sending them to Null0, where they can be peacefully discarded. Thats what tech does to yeh
Thinking Methodically about building a PoC
hi,

I am asked to build a large lab/test it. I'm provided crazy scale numbers for lots of technologies (L*VPN, IPv*, IGP*, All Tunnels flavors...etc). It took me a lot of time to build this lab, because when I got the request/test plan handed over to me, I did not verify that these scaled numbers are even possible, not to mention the combination. I assumed some thought/research were done before.

I'm trying to put together a list of the lessons learned, and the right way to do this for future reference, specially that this project was time critical and I got beaten hard because I did not deliver on time.

So my question is, in your extensive experience, what is the right method/approach to this kind of task:

1) Get started immediately (MVP), things will break, tune it along the way.
2) Do some planning and research first.

I'd appreciate any references to 'software engineering' or other industries/

Thanks
NFV Solution Evaluation Methodology
Hi,

I am interested in hearing the approach and thought-process that senior people on NANOG are following when presented with an NFV solution. Assuming that the exercise at hand is to consider NFV for future expansions of Firewalls and L3VPNs or stay with the existing model of what is called PNF (physical network function), i.e. classic routers and FWs.

There are a lot of factors to consider and Vendors will typically give their biased opinion, so I'm trying to get my head out of their game, to be able to think agnostically about the whole thing.

1) Product and Service/Support Cost.
2) Operation Complexity/Learning Curve (open source products included).
3) X Factors (Those that are never listed but do bite in the back): Quality, Integration with Classic, Migration, Usability...etc

The main goal behind us exploring NFV is the promised cost-saving, so a good method to be able to do the math of whether NFV will save opex/capex or NOT is definitely needed here and I'm trying to gather guidelines from the list.

I think it's easier to keep this post high-level, and later dig deeper.

Cheers,
K
Accepting a Virtualized Functions (VNFs) into Corporate IT
Hi,

Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they refuse to give you root access, or any means necessary to do 'maintenance' kind of work, whether it's applying security updates, or any other similar type of task that is needed for you to integrate the Linux VM into your IT eco-system.

Would this be an acceptable offering in today's IT from different types of Enterprises (Minus the Googles, Facebooks...etc)?

Thanks
Brainstorming acceptance issues - WAN impediment
Hi,

I am in the process of testing an 'automation/sdn' kind of controller; it will be managing configuration on our routers and also deploying some VNFs too. Before accepting it, I'd like to perform some testing, to make sure of the behavior if there are network issues between the controller and the devices (routers or servers), during creation of services.

From the top of my head, I can think of the basic tests like introducing jitter and delay but I would appreciate more ideas or even test cases that I can re-use.

Thanks
Re: Open Source Network Operating Systems
Feedback about Cumulus has been positive: https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg66192.html

If I am not mistaken, they have added lots of networking enhancements to the OS; they have videos on youtube that will paint the picture.

On Sat, Jan 20, 2018 at 11:26 AM, Colton Conor wrote:
> Peter,
>
> Thanks for the information. Do you have a recommendation of which distribution of Linux to use for this? Is there one that is more network centric than another?
>
> On Sat, Jan 20, 2018 at 1:11 PM, Peter Phaal wrote:
> > On Sat, Jan 20, 2018 at 9:32 AM, Colton Conor wrote:
> > > My understanding is Free Range Routing is a package of software that runs in linux, but not a full and true NOS right?
> >
> > Why not consider Linux a NOS? Installing Free Range Routing adds control plane protocols: BGP, OSPF, ISIS, etc.
> >
> > > I looked into Cumulus Linux, but it seems to only run on the supported hardware which is white box switches. Can you run Cumulus Linux on a X86 server with intel NICs? Can you run Cumulus on a raspberry pi?
> >
> > Cumulus Linux is basically Ubuntu with Free Range Routing pre-installed along with a daemon that offloads forwarding from the Linux kernel to an ASIC. CumulusVX is a free Cumulus Linux virtual machine that is useful for staging / testing configurations since it has the same behavior as the hardware switch.
> >
> > On X86 servers with Intel NICs, just run Linux. Cumulus Host Pack can be installed to add Free Range Routing and other Cumulus tools on the server. Alternatively, you can choose any Linux control plane, automation, or monitoring tools and install them on the hosts and Cumulus Linux switches to unify management and control, e.g. Bird, collectd, telegraf, Puppet, Chef, Ansible, etc.
> >
> > Linux distros (including Ubuntu) are available for non-X86 hardware like Raspberry Pi etc.
> >
> > > Ideally I think I am looking to a Linux operating system that can run on multiple CPU architectures, has device support for Broadcom and other Merchant silicon switching and wifi adapters.
> >
> > If you consider Linux as the NOS then it already meets these requirements.
Broadcom vs Mellanox based platforms
Hello

I'm asked to evaluate switching platforms that have different forwarding chips but the same OS. Assuming these vendors give the same SDK and similar documentation/support, then what would be comparison points to consider, other than the obvious (price, features, bps, pps)?

I'm thinking, how do I validate their claims about capability to do leaf/spine arch, ToR/Gateways, telemetry, serviceability, facilities to troubleshoot packet drops or FIB programming misses, hidden tools...etc

It would be great if anyone can give some thoughts around it, specially if you have tried one or both.

Thanks
Kim
Intel DPDK vs Broadcom/Mellanox SDK
Hi

Another email thread to get some guidance on points to consider when comparing new platforms that advocate using DPDK as the hardware acceleration SDK vs the broadcom/mellanox.

The DPDK ones claim enhanced performance but every time I ask questions, I get the logical and typical answer of "it depends".

Thx
Kim
Re: VPP-based router vs Hardware assisted ones
Hi Ross

Did you make a decision to take that direction after reviewing 'open networking' platforms like cumulus and pica8? Are you trying to use the full routing table?

~kim

On Thursday, May 24, 2018, Ross Tajvar wrote:
> Hi all,
>
> Has anyone had any luck building their own routers on common compute (x86) with VPP? I'm considering it as I'm looking for a cheap, fast peering router. I haven't seen much written about that type of solution so I was wondering if anyone here has experience to share.
>
> Thanks,
> Ross
Re: Intel DPDK vs Broadcom/Mellanox SDK
Can you please provide examples on issues that you highlighted with broadcom? Are you saying I may not see the same with mellanox?

Thanks

On Monday, June 4, 2018, McBride, Mack wrote:
> Use the package that corresponds to the chipset in your equipment. Ie. Broadcom/Mellanox chips use that SDK. Intel chips use DPDK. With white box switches using Broadcom chips you will run into issues if you don't use the Broadcom SDK. Obviously your mileage will vary based on the actual application. If it isn't a hardware switch and is CPU based like a home router, then there are a lot more factors and the CPU factors may outweigh the chipset factors. You may want to look at a list related to home routers for more guidance.
>
> Mack
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Kasper Adel
> Sent: Sunday, June 03, 2018 11:45 PM
> To: NANOG list
> Subject: Intel DPDK vs Broadcom/Mellanox SDK
>
> Hi
>
> Another email thread to get some guidance on points to consider when comparing new platforms that advocate using DPDK as the hardware acceleration SDK vs the broadcom/mellanox.
>
> The DPDK ones claim enhanced performance but every time I ask questions, I get the logical and typical answer of "it depends".
>
> Thx
> Kim
Re: Application or Software to detect or Block unmanaged switches
I guess you can do that and more with a Linux based switch like Cumulus and Pica8. They allow you to do all sorts of things like that because they are open.

On Thursday, June 7, 2018, wrote:
> In my previous life, we used a NAC appliance from Bradford Networks whereby the MAC address of every device needed to be registered or the switch port it was plugged into would be disabled.
> This kept spurious devices from appearing on the network and worked quite well.
> Cheers, Keith
>
> Sent from my android device.
>
> -----Original Message-----
> From: Jason Hellenthal
> To: segs
> Cc: nanog@nanog.org
> Sent: Thu, 07 Jun 2018 7:54
> Subject: Re: Application or Software to detect or Block unmanaged switches
>
> As someone already stated the obvious answers, the slightly more difficult route to be getting a count of allowed devices and MAC addresses, then moving forward with something like ansible to poll the count of MAC's on any given port ... of number higher than what's allowed, suspend the port and send a notification to the appropriate parties.
>
> All in all though sounds like a really brash thing to do to your network team and will generally know and have a very good reason for doing so... but not all situations are created equally so good luck.
>
> --
>
> The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
>
> > On Jun 7, 2018, at 03:57, segs wrote:
> >
> > Hello All,
> >
> > Please I have a very interesting scenario that I am on the lookout for a solution for. We have instances where the network team of my company bypass controls and processes when adding new switches to the network.
> >
> > The right parameters that are required to be configured on the switches in order for the NAC solution deployed to have full visibility into end points that connect to such switches are not usually configured.
> >
> > This poses a problem for the security team as they don't have visibility into such devices that connect to such switches on the NAC solution; the network guys usually connect the new switches to the trunk port and they have access to all VLANs.
> >
> > Is there a solution that can detect new or unmanaged switches on the network, and block such devices, or if there is a solution that blocks users that connect to unmanaged switches on the network even if those users have domain PCs.
> >
> > Anticipating your speedy response.
> >
> > Thank You!
Re: Application or Software to detect or Block unmanaged switches
How about some scripts around fail2ban: if the same account logs in multiple times, it's banning time.

Kasper

On Friday, June 8, 2018, David Hubbard wrote:
> This thread has piqued my curiosity on whether there'd be a way to detect a rogue access point, or proxy server with an inside and outside interface? Let's just say 802.1x is in place too to make it more interesting. For example, could employee X, who doesn't want their department to be back billed for more switch ports, go and get some reasonable wifi router, throw DD-WRT on it, and set up 802.1x client auth to the physical network using their credentials? They then let their staff wifi into it and the traffic is NAT'd. I'm sure anyone in a university setting has encountered this. Obviously policy can forbid, but any way to detect it other than seeing traffic patterns on a port not match historical once the other users have been combined onto it, or those other users' ports go down?
>
> David
>
> On 6/7/18, 10:18 AM, "NANOG on behalf of Mel Beckman" <nanog-boun...@nanog.org on behalf of m...@beckman.org> wrote:
>
> When we do NIST-CSF audits, we run an SNMP NMS called Intermapper, which has a Layer-2 collection feature that identifies the number and MACs of devices on any given switch port. We export this list and cull out all the known managed switch links. Anything remaining that has more than one MAC per port is a potential violation that we can readily inspect. It's not perfect, because an unmanaged switch might only have one device connected, in which case it won't be detected. You can also get false positives from hosts running virtualization, if the v-kernel generates synthetic MAC addresses. But it's amazing how many times we find unmanaged switches squirreled away under desks or in ceilings.
>
> -mel
>
> > On Jun 7, 2018, at 4:54 AM, Jason Hellenthal wrote:
> >
> > As someone already stated the obvious answers, the slightly more difficult route to be getting a count of allowed devices and MAC addresses, then moving forward with something like ansible to poll the count of MAC's on any given port ... of number higher than what's allowed, suspend the port and send a notification to the appropriate parties.
> >
> > All in all though sounds like a really brash thing to do to your network team and will generally know and have a very good reason for doing so... but not all situations are created equally so good luck.
> >
> > --
> >
> > The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
> >
> >> On Jun 7, 2018, at 03:57, segs wrote:
> >>
> >> Hello All,
> >>
> >> Please I have a very interesting scenario that I am on the lookout for a solution for. We have instances where the network team of my company bypass controls and processes when adding new switches to the network.
> >>
> >> The right parameters that are required to be configured on the switches in order for the NAC solution deployed to have full visibility into end points that connect to such switches are not usually configured.
> >>
> >> This poses a problem for the security team as they don't have visibility into such devices that connect to such switches on the NAC solution; the network guys usually connect the new switches to the trunk port and they have access to all VLANs.
> >>
> >> Is there a solution that can detect new or unmanaged switches on the network, and block such devices, or if there is a solution that blocks users that connect to unmanaged switches on the network even if those users have domain PCs.
> >>
> >> Anticipating your speedy response.
> >>
> >> Thank You!
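The more-than-one-MAC-per-port check that Mel Beckman and Jason Hellenthal describe above, written out as an added example (not code from any poster, from Intermapper, or from any NMS). It takes a constructed export of (switch, port, MAC) rows, culls an assumed inventory of known uplinks, and annotates ports whose MACs are all locally administered, since virtualization hosts are the false-positive source Mel mentions.

```python
"""Flag switch ports carrying more than one MAC address, the unmanaged-switch
check discussed in the thread. Added example; the MAC table below is
constructed sample data, not output from any real switch or NMS."""
from collections import defaultdict

# Constructed sample: one row per (switch, port, mac), the shape a Layer-2
# NMS export or a scraped MAC address table would give you.
SAMPLE_MAC_TABLE = """\
sw1 Gi1/0/1  00:11:22:33:44:01
sw1 Gi1/0/2  00:11:22:33:44:02
sw1 Gi1/0/2  00:11:22:33:44:03
sw1 Gi1/0/2  00:11:22:33:44:04
sw1 Gi1/0/24 00:11:22:33:44:10
sw1 Gi1/0/24 00:11:22:33:44:11
sw2 Gi1/0/5  02:42:ac:11:00:02
sw2 Gi1/0/5  02:42:ac:11:00:03
sw2 Gi1/0/7  00:11:22:33:44:20
"""

# Assumed inventory of known managed uplinks/trunks; these are culled first.
KNOWN_UPLINKS = {("sw1", "Gi1/0/24")}


def parse_mac_table(text):
    """Return {(switch, port): set_of_macs} from whitespace-separated rows."""
    table = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed row: skip rather than guess
        switch, port, mac = parts
        table[(switch, port)].add(mac.lower())
    return table


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set, i.e. the MAC is locally
    administered (synthetic), which is typical of VM and container NICs."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def find_suspect_ports(table, known_uplinks, threshold=1):
    """Return sorted (switch, port, mac_count, note) for ports that are not
    known uplinks and carry more than `threshold` MACs. A port whose MACs are
    all locally administered is annotated as a likely virtualization host so
    an operator can triage it separately instead of treating it as a finding."""
    findings = []
    for (switch, port), macs in table.items():
        if (switch, port) in known_uplinks or len(macs) <= threshold:
            continue
        if all(is_locally_administered(m) for m in macs):
            note = "possible virtualization host"
        else:
            note = "possible unmanaged switch"
        findings.append((switch, port, len(macs), note))
    return sorted(findings)


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for finding in find_suspect_ports(table, KNOWN_UPLINKS):
        print(finding)
```

As Mel notes, a port with a single device behind an unmanaged switch will not show up here; this only surfaces ports worth a physical inspection.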
SD-WAN for enlightened
Hi,

I'm not sure if the buzzword SD-WAN is used to compensate for another buzzword that got over-utilized (SDN) or it is a true 'new and improved' way of doing things that has some innovation in it. I heard different explanations from different vendors:

1) Appliances (+ controller) placed in-line to put traffic in tunnels based on policy, with some DPI and traffic tagging (to do performance/policy based routing) over an expensive link (MPLS) and a cheap one (broadband), with some 'firewall-like' filtering capabilities.
2) Same as above, with a flavor of 'machine learning' to find a pattern for traffic to optimize utilization.
3) A controller that instantiates and tears down tunnels from 'classic routers' based on external policies and network based features to do performance based routing over an expensive link (MPLS) and a cheap one (broadband) with encryption.

Is the above a decent high-level summary? Has anyone tried any of these solutions, any general feedback?

Cheers,
Kim
DevOps workflow for networking
We are pretty new to those new-age network orchestrators and automation, so I am curious to ask what everyone in the community is doing. Sorry for such a long and broad question.

What is your workflow? What tools are your teams using? What is working, what is not? What do you really like and what do you need to improve? How mature do you think your process is? etc etc

Wanted to ask and see what approaches the many different teams here are taking!

We are going to start working from a GitLab based workflow. Projects are created, issues entered and developed with a gitflow branching strategy. GitLab CI pipelines run package loadings and run tests inside a lab. Tests are usually python unit tests that are run to do both functional and service creation, modification and removal tests. For unit testing we typically use python libraries to open transactions to do the service modifications (along with functional tests) against physical lab devices. For our prod deployment we leverage 'push on green' and gating to push package changes to prod devices.

Thanks
(Network Orchestrators evaluation) : tail-f vs Anuta vs UBIqube vs OpenDaylight
Hi,

This is not a vendor bashing thread. We are a group of networking engineers (less experienced with software) in the middle of the process of procuring a network automation/orchestration controller, if that is even a good definition, and we are clueless on how to evaluate them. Other than the obvious, which is to try them out, I wonder what else is important to consider/watch out for. We are presented with 3 different vendors and even OpenDayLight was considered as the open source alternative.

My humble thoughts are given below and I would appreciate getting 'schooled' on what I need to ask the vendors:

1) Are they model driven? But I still don't know how to evaluate that.
2) Do they parse Cisco/Juniper CLI or are they limited to SNMP and YANG?
3) If they do parse, we want to check if they'll hold us by the balls if the current parsers need to be updated, i.e. can we change the code ourselves and add new features to be parsed?
4) Can they work/orchestrate between CLI devices and non-CLI devices (SNMP)?
5) How flexible are they to support different vendors (Cisco, Juniper, some-weird-firewall, etc)?

thanks,
Kim
Auditing a network to add Voice
Hi,

My customer would like to add VoIP over their network and they asked us for an audit. The result of the audit would be simply "you guys are ready for it".

Breaking it down [high level] for me sounds like (suggestions are more than welcomed):

1) Looking at hardware computation finite resources (cpu, memory, etc)
2) Looking at available bandwidth
3) QoS policy
4) High Availability and Fast Convergence

Anything else?

They asked us to measure the KPIs (jitter, delay, etc) of their existing traffic, is there a way to do that?

Thanks,
Kim
Re: Auditing a network to add Voice
Sorry, I forgot to add more detail. We are not looking for IP Telephony type of voice but RTP from Media Gateways.

Cheers,
Kim

On Mon, Nov 22, 2010 at 4:59 PM, Kasper Adel wrote:
> Hi,
>
> My customer would like to add VoIP over their network and they asked us for an audit. The result of the audit would be simply "you guys are ready for it".
>
> Breaking it down [high level] for me sounds like (suggestions are more than welcomed):
>
> 1) Looking at hardware computation finite resources (cpu, memory, etc)
> 2) Looking at available bandwidth
> 3) QoS policy
> 4) High Availability and Fast Convergence
>
> Anything else?
>
> They asked us to measure the KPIs (jitter, delay, etc) of their existing traffic, is there a way to do that?
>
> Thanks,
> Kim
Re: Auditing a network to add Voice
Hi Bret,

These guys are not looking for measuring traffic generated by a tool; they want to measure what they have running now (not only voice). I am not sure if measuring what they have, or generating traffic and measuring it, is the same thing. What do you think?

thanks,
Kim

On Mon, Nov 22, 2010 at 5:54 PM, Bret Clark wrote:
> Iperf can be used to measure jitter and delay as well as simulate a quasi VoIP call. You can also use mtr under Linux which provides jitter and delay measurements from one point to another point. A g.729 call (lower quality) takes about ~40kbps and a g.711 (high quality) uses about ~100Kbps of bandwidth. With most of today's networks, the problem isn't bandwidth related, but more with jitter, delay, and packet loss through the network... personally I'm a big fan of deploying QoS throughout an infrastructure... well at least in our WAN infrastructure.
>
> Bret
>
> On 11/22/2010 09:59 AM, Kasper Adel wrote:
>
>> Hi,
>>
>> My customer would like to add VoIP over their network and they asked us for an audit. The result of the audit would be simply "you guys are ready for it".
>>
>> Breaking it down [high level] for me sounds like (suggestions are more than welcomed):
>>
>> 1) Looking at hardware computation finite resources (cpu, memory, etc)
>> 2) Looking at available bandwidth
>> 3) QoS policy
>> 4) High Availability and Fast Convergence
>>
>> Anything else?
>>
>> They asked us to measure the KPIs (jitter, delay, etc) of their existing traffic, is there a way to do that?
>>
>> Thanks,
>> Kim
Quantifying the value of customer support
Hello,

We are a 2nd level of escalation in a service provider, trying to put a $ value on the support we give to our NOC and other implementation teams when they email us about problems they face. But we are merely bits and bytes engineers that can't quantify and justify the value of what we do to the management team. I guess these smart suits want to see an Excel sheet with a table of how much they save or gain by the support we do. We respond to technical questions and simulate problems in a lab.

Can anyone help me with an idea or any material I can reuse? Templates? Has anyone been in a similar situation?

Thanks
Kim
Re: Quantifying the value of customer support
I used to think that these kinds of situations take place when a manager was never an engineer, so he does not understand how things work, but I was surprised when I faced these from managers with an intense engineering career, so I gave up on trying to give conceptual excuses and want to just give them the dumb tables and numbers that they are looking for.

Kim

On Thursday, February 14, 2013, Andrew Latham wrote:
> On Thu, Feb 14, 2013 at 3:52 PM, Kasper Adel wrote:
> > Hello,
> >
> > We are a 2nd level of escalation in a service provider, trying to put a $ value on the support we give to our NOC and other implementation teams, when they email us about problems they face. But we are merely bits and bytes engineers that can't quantify and justify the value of what we do to the management team. I guess these smart suits want to see an Excel sheet with a table of how much they save or gain by the support we do. We respond to technical questions and simulate problems in a lab.
> >
> > Can anyone help me with an idea or any material I can reuse? Templates? Has anyone been in a similar situation?
> >
> > Thanks
> > Kim
>
> Kasper/Karim/Kim
>
> Your job is customer retention. Your value is maintaining all company income. Write the yearly revenue on a piece of paper and hand it to them.
>
> --
> ~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~
Re: Quantifying the value of customer support
Thanks everyone for the feedback.

Can someone give an example on how I can calculate $ value from improving a product/service usability and serviceability? I am trying to categorize what we offer:

1) Improve customer experience
2) Reduce service deployment time
3) Improve service availability

Regards
Kim

On Friday, February 15, 2013, Siegel, David wrote:
> There is no such thing as a generic business case that can be applied across all companies in an industry. Every business is unique in its product definition and organization structure, but each question is also unique and therefore the analysis must be done every time.
>
> The way to begin is to ask this manager what he believes the possible outcomes are (downsize your group, eliminate your group, re-define your group, etc.) and then work with each of the key stakeholders that you have to estimate the impact of those outcomes. For example, if 1st line operations indicates that eliminating your group would result in decreased customer satisfaction and missed SLA's, ask them to quantify it as much as possible and go to take the numbers back to your business people to have them estimate the impact on revenue.
>
> The analysis should be constructed and presented in standard finance terms (like NPV) so I would suggest that you make friends with someone in finance to assist you with the preparation. You can also take a short two-day course like this http://executive.mit.edu/openenrollment/program/fundamentals_of_finance_for_the_technical_executive/16 that will teach you how to build up these analyses yourself (I have taken the one referenced and I recommend it to all managers with budget responsibility).
>
> The outcome from these discussions often has surprising but positive outcomes for everyone... maintaining the status quo is not always the best possible outcome despite the biases we usually have when we begin the analysis. :-) If you work closely with all of your stakeholders, everyone will learn and benefit from the experience.
>
> Dave
>
> -----Original Message-----
> From: Kasper Adel [mailto:karim.a...@gmail.com]
> Sent: Thursday, February 14, 2013 2:16 PM
> To: Andrew Latham
> Cc: NANOG list
> Subject: Re: Quantifying the value of customer support
>
> I used to think that these kinds of situations take place when a manager was never an engineer, so he does not understand how things work, but I was surprised when I faced these from managers with an intense engineering career, so I gave up on trying to give conceptual excuses and want to just give them the dumb tables and numbers that they are looking for.
>
> Kim
>
> On Thursday, February 14, 2013, Andrew Latham wrote:
>
> > On Thu, Feb 14, 2013 at 3:52 PM, Kasper Adel wrote:
> > > Hello,
> > >
> > > We are a 2nd level of escalation in a service provider, trying to put a $ value on the support we give to our NOC and other implementation teams, when they email us about problems they face. But we are merely bits and bytes engineers that can't quantify and justify the value of what we do to the management team. I guess these smart suits want to see an Excel sheet with a table of how much they save or gain by the support we do. We respond to technical questions and simulate problems in a lab.
> > >
> > > Can anyone help me with an idea or any material I can reuse? Templates? Has anyone been in a similar situation?
> > >
> > > Thanks
> > > Kim
> >
> > Kasper/Karim/Kim
> >
> > Your job is customer retention. Your value is maintaining all company income. Write the yearly revenue on a piece of paper and hand it to them.
> >
> > --
> > ~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~
CLI Roadmap
Hello,

I have never used any CLI other than Cisco, so I am curious what useful and creative knobs and bolts are available from other network appliance vendors. I guess what makes the *NIX CLI/shell so superior is that you can do advanced stuff from the CLI using sed, awk and all the great tools there, so maybe this is also one thing missing.

Regards,
Kim
Whats so difficult about ISSU
Hello,

We've been hearing about ISSU for so many years and I didn't hear that any vendor was able to achieve it yet.

What is the technical reason behind that?

If I understand correctly, the way it will be done would be simply to have extra ASICs/HW to be able to build dual circuits accessing the same memory, and gracefully switch from one to another. Is that right?

Thanks,
Kim
Re: Whats so difficult about ISSU
What I was asking is full ISSU, even with microcode. I assume between major releases there will be a microcode upgrade most of the time.

On Fri, Nov 9, 2012 at 2:48 AM, Phil wrote:
> The major vendors have figured it out for the most part by moving to stateful synchronization between control plane modules and implementing non-stop routing.
>
> ALU has supported ISSU on minor releases for many years and just added support for major releases.
>
> The Cisco Nexus ISSU works well, I've done an upgrade on a 5K switch and it was completely hitless.
>
> Juniper and Cisco with the 9K have gone through some hurdles but ISSU is actually usable now if the software versions support it.
>
> The main remaining hurdle is updating microcode on linecards, they still need to be rebooted after an upgrade.
>
> Phil
>
> On Nov 8, 2012, at 6:22 PM, Kasper Adel wrote:
>
> > Hello,
> >
> > We've been hearing about ISSU for so many years and I didn't hear that any vendor was able to achieve it yet.
> >
> > What is the technical reason behind that?
> >
> > If I understand correctly, the way it will be done would be simply to have extra ASICs/HW to be able to build dual circuits accessing the same memory, and gracefully switch from one to another. Is that right?
> >
> > Thanks,
> > Kim
Re: Whats so difficult about ISSU
Does that mean they are the only vendor capable of doing this today? I am interested in the technology behind this if this is something public, any ideas?

Thx

On Friday, November 9, 2012, Kenneth McRae wrote:
> I have performed microcode upgrades using ISSU on the Juniper platform.
>
> On Thu, Nov 8, 2012 at 4:52 PM, Kasper Adel wrote:
>
>> What I was asking is full ISSU, even with microcode. I assume between major releases there will be a microcode upgrade most of the time.
>>
>> On Fri, Nov 9, 2012 at 2:48 AM, Phil wrote:
>>
>> > The major vendors have figured it out for the most part by moving to stateful synchronization between control plane modules and implementing non-stop routing.
>> >
>> > ALU has supported ISSU on minor releases for many years and just added support for major releases.
>> >
>> > The Cisco Nexus ISSU works well, I've done an upgrade on a 5K switch and it was completely hitless.
>> >
>> > Juniper and Cisco with the 9K have gone through some hurdles but ISSU is actually usable now if the software versions support it.
>> >
>> > The main remaining hurdle is updating microcode on linecards, they still need to be rebooted after an upgrade.
>> >
>> > Phil
>> >
>> > On Nov 8, 2012, at 6:22 PM, Kasper Adel wrote:
>> >
>> > > Hello,
>> > >
>> > > We've been hearing about ISSU for so many years and I didn't hear that any vendor was able to achieve it yet.
>> > >
>> > > What is the technical reason behind that?
>> > >
>> > > If I understand correctly, the way it will be done would be simply to have extra ASICs/HW to be able to build dual circuits accessing the same memory, and gracefully switch from one to another. Is that right?
>> > >
>> > > Thanks,
>> > > Kim
Re: Whats so difficult about ISSU
Hi Frank,

Is it because C5 softswitches have expensive hardware, advanced software and dual ASICs? I would have never imagined that any vendor is capable of upgrading FPDs'/ASICs' ucode without a hit unless there are multiple chips continuously syncing with each other.

Regards,
Kim

On Monday, November 12, 2012, Frank Bulk wrote:
> We do it on our Class 5 softswitch ... and it works consistently. There may be a few seconds, once, where a new call can't be made, but most people will re-dial. It just works.
>
> It can be done, but the product has to be built with that in mind.
>
> Frank
>
> -----Original Message-----
> From: Kasper Adel [mailto:karim.a...@gmail.com]
> Sent: Thursday, November 08, 2012 5:23 PM
> To: NANOG list
> Subject: Whats so difficult about ISSU
>
> Hello,
>
> We've been hearing about ISSU for so many years and I didn't hear that any vendor was able to achieve it yet.
>
> What is the technical reason behind that?
>
> If I understand correctly, the way it will be done would be simply to have extra ASICs/HW to be able to build dual circuits accessing the same memory, and gracefully switch from one to another. Is that right?
>
> Thanks,
> Kim
Vendors CLI Usability vs UNIX Shell
Hello,

My vendor is giving me speeches on how they are improving their product's serviceability, usability and manageability. They told me they are adding a lot of new ways of doing things, introducing more Unix-like utilities and overall making the CLI smarter by exposing more visibility into system status and stuff like that.

I rarely look at what other vendors do, but I am now interested in what one might have over the other, especially things that would stand out. I wouldn't imagine Huawei doing anything advanced there, so I guess it's J vs C on this front. But I'd be interested in comparing them to Unix/Linux shells too.

Regards,
Kim
Parsing Syslog and Acting on it, using other input too
Hello.

I am looking for a way to do proactive monitoring of my network. What I am specifically thinking about is receiving syslog msgs from the routers, and the backend engine would correlate certain msgs with output/data that I am receiving through SSH/telnet sessions. What I am after is not exposed to SNMP, so I need to do it on my own.

I am sure there are many tools that can do parsing of syslog and acting upon it, but I wonder if there is something more flexible out there that I can just re-use to do the above? Please point me to known public or home-grown scripts in use to achieve this.

Regards,
Sam
Data Mining/Crawling through a Mailing List
Hello,

A bit off topic, but I was looking for a way/tool that could crawl through NANOG (or other) archives and try to filter the most common discussions and things like that. If anyone is aware of such a tool, pls let me know.

Thanks,
Kim
NOC Best Practices
Hello Everyone,

I am currently working on building a NOC, so I'm looking for materials/pointers to best practices documented out there.

Off the top of my head are things like:

1) Documenting incidents and handling them
2) Documenting syslog messages
3) Documenting vendor software bugs
4) Shift to shift hand over procedures
5) Commonly used scripts for monitoring
6) Frequently testing High Availability
7) Capturing config changes
etc

I can see that this is years of experience, but I am wondering if any of this was captured somewhere.

Thanks,
Kim
Re: NOC Best Practices
Thanks to all the people that replied off list, asking me to send them the responses I will get.

I got nothing other than:

http://www.nanog.org/meetings/nanog24/abstracts.php?pt=OTM1Jm5hbm9nMjQ=&nm=nanog24

and

Network Management: Accounting and Performance Strategies - just the first three chapters

which is useful, but I am looking for more stuff from the best people that run the best NOCs in the world. So I'm throwing this out again. I am looking for pointers, suggestions, URLs, documents, donations on what a professional NOC would have on the below topics:

1) Briefly, how they handle their own tickets with vendors or internally
2) How they create a learning environment for their people (documenting syslog, lessons learned from problems, etc)
3) Shift to shift hand over procedures
4) Manual tests they start their day with and what they automate (common stuff)
5) Change management best practices and working with operations/engineering when a change will be implemented

Should I be looking for ITIL stuff, or is it not any good?

Thanks,
Kim

On Wed, Jul 14, 2010 at 8:24 PM, Kasper Adel wrote:
> Hello Everyone,
>
> I am currently working on building a NOC, so I'm looking for materials/pointers to best practices documented out there.
>
> Off the top of my head are things like:
>
> 1) Documenting incidents and handling them
> 2) Documenting syslog messages
> 3) Documenting vendor software bugs
> 4) Shift to shift hand over procedures
> 5) Commonly used scripts for monitoring
> 6) Frequently testing High Availability
> 7) Capturing config changes
> etc
>
> I can see that this is years of experience, but I am wondering if any of this was captured somewhere.
>
> Thanks,
> Kim
Calculating Cost
Hello everyone,

How would you calculate the cost of a network outage, specifically if it's related to a software bug or a misconfiguration? Suppose that this could have been avoided by testing in a lab before deployment; how can I calculate that too?

Unicast replies are welcomed.

Cheerio,
Kim
Did your BGP crash today?
Haven't seen a thread on this one so thought I'd start one. RIPE tested a new attribute that crashed the internet, is that true?

Kim
sniffing x.25 on SUN/Solaris
Hello,

I am trying to capture X.25 traffic from a Sun machine and I wonder if snoop supports it, because I asked my customer to capture it and send it over but the trace doesn't include anything X.25 related.

Regards,
Kas
Common statistics from your NOC
Hello,

I want to collect experience from the gurus on this mailer on how they make use of the data they can get from the NOC. What I mean by data: trouble tickets opened internally or with vendors. I wonder what would be common or even uncommon types of statistics that a network operator would like to poll from their NOC to help them in:

1) Optimizing and tuning operations
2) Optimizing and tuning engineering

Example on point 1: If we were to put all tickets in an Excel sheet and take a holistic look at the type of technology or product, we can see that out of 100 incidents there were 50 cases related to routing protocols. This would yield that either more training is needed for the operations team or that the design is flawed.

Example on point 2: 20 incidents appeared to be related to new configuration lines that, when added, a conflict was seen, so the take away would be that engineering needs a lab.

Excuse my poor English, unicast replies are welcomed.

Regards,
Kim
Software Bugs
Good Day,

I have always been exposed to one vendor only, so I can never compare, but I am curious to know what everyone here has seen in their lives on the below:

1) Which vendor has more bugs than others, what are the top 3?
2) Who is doing a better job fixing them?
3) What do you consider a good job in fixing these bugs: response from technical support, educated support engineers?
Re: Software Bugs
Good Day,

I have always been exposed to one vendor only, so I can never compare, but I am curious to know what everyone here has seen in their lives on the below:

1) Which vendor has more bugs than others, what are the top 3?
2) Who is doing a better job fixing/handling these bugs overall?
3) What do you consider a good job in fixing/handling these bugs:
   A) Response from technical support
   B) Educated support engineers being able to respond to questions
   C) Taking less time to identify bugs
   D) Less time in fixing them
   E) Transparent communication on their issues
   F) Transparency from their teams allowing us to plan better for our network
   G) etc. please add more
4) Especially Huawei, are they doing a good job or is it a mess?

I would like to try to do some rating and ranking when it comes to bugs, but I need to know what I have to be looking at.

Regards,
Kim
Re: Software Bugs
Thanks Valdis.

On Sun, Feb 20, 2011 at 9:43 PM, wrote:
> On Sun, 20 Feb 2011 18:05:44 +0200, Kasper Adel said:
>
> (Disclaimer - I've never filed a bug report with Cisco or Juniper, but I've spent 3 decades filing bugs with almost everybody else in the computer industry, it seems... Questions like the ones you asked are almost always pointless unless the asker and answerer are sharing a set of base assumptions. In other words, "which one is best/worst?" is a meaningless question unless you either tell us what *your* criteria are in detail, or are willing to listen to advice that uses other criteria (without stating how they're different from yours).

I tried to put details and criteria below, and yes, I am mainly interested in Juniper, Cisco, Alcatel and Huawei routers and switches, mostly high end equipment, and yes, I am willing to listen to advice on criteria, why wouldn't I :) ?

> > 1) Which vendor has more bugs than others, what are the top 3
>
> More actual bugs, more known and acknowledged bugs, or more serious bugs that actually affect day to day operations in a major manner?

What I wanted to ask is, from the field experience of experts on the alias, if there is a clear winner on which vendor has throughout history shown more bugs impacting operation and interrupting traffic (poorly written code or bad internal testing). Can we have some sort of a general assumption here, or is that not possible?

> The total number of actual bugs for each vendor is probably unknowable, other than "there's at least one more in there". The vendor probably can produce a number representing how many bug reports they've accepted as valid. The vendor's number is guaranteed to be different than the customer's number - how divergent, *and why*, probably tells you a lot about the vendor and the customer base. The vendor may be difficult about accepting a bug report, or the customer base may be clueless about what the product is supposed to be doing and calling in a lot of non-bugs - almost every trouble ticket closed with RTFM status is one of these non-bugs. If there's a lot of non-bugs, it usually indicates a documentation/training issue, not an actual software quality issue.
>
> And of course, bug severity *has* to be considered. "Router falls over if somebody in Zimbabwe sends it a christmas-tree packet" is different than "the CLI insists on a ;; where a ; should suffice". You may be willing to tolerate or work around dozens or even hundreds of the latter (in fact, there's probably hundreds of such bugs in your current vendor that you don't know about simply because they don't trigger in your environment), but it only takes 2 or 3 of the former to render the box undeployable.
>
> > 2) Who is doing a better job fixing them
>
> Again, see the above discussion of severity. If a vendor is good about fixing the real show-stoppers in a matter of hours or days, but has a huge backlog of fixes for minor things, is that better or worse than a vendor that fixes half of both serious and minor things?
>
> In addition, the question of how fixes get deployed matters too. If a vendor is consistently good about finding a root cause, fixing it, and then saying "we'll ship the fix in the next dot-rev release", is that good or bad? Remember that if they ship a new, updated, more-fixed image every week, that means you get to re-qualify a new image every week.

What you have mentioned is an operations headache, so one question comes to mind here: what are issues a vendor will never be able to find in their internal testing? I mean, are there issues that will definitely be discovered on the customer networks, or can we assume that software needs to come out with a lower number of sev1/2 bugs because internal testing is not doing a good job?

thanks
