[c-nsp] rate-limit icmp packets

Collins Richard, SLC SBS ITO (SHA) rich.collins at SIEMENS.COM
Tue Jul 26 22:59:12 EDT 2005



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of
cisco-nsp-request at puck.nether.net
Sent: Tuesday, July 26, 2005 12:01 AM
To: cisco-nsp at puck.nether.net
Your configuration should work.  You could apply the rate-limit input
access-group 113 but have exceed-action transmit initially.

Then by periodically looking at show interface xx rate-limit you can see the
icmp traffic patterns, what is within the CIR (i.e. 8000) and what exceeds.
You have to clear counters from time to time.  Once you get an idea for a
reasonable CIR you can change exceed-action drop.

To see the characteristics of the icmp packets it might be more effective to
"debug ip packet 113" than log-input.

Maybe someone else has a better idea.

Rich
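The measure-first approach Rich describes (exceed-action transmit, watch the counters, then pick a CIR) can be scripted. The following is an added example, not from the thread: a Python parser for the per-interface CAR counters of show interfaces rate-limit. The output layout and the field names are assumed from typical IOS CAR output, and the sample counters are constructed, not captured from the poster's router.

```python
import math
import re

# Constructed sample of `show interfaces Async1 rate-limit`. The layout is
# assumed from typical IOS CAR output; the counters are made up for this example.
SAMPLE_OUTPUT = """\
Async1
  Input
    matches: access-group 113
      params:  8000 bps, 1500 limit, 2000 extended limit
      conformed 7238 packets, 579000 bytes; action: transmit
      exceeded 3262 packets, 261000 bytes; action: transmit
      last packet: 12ms ago, current burst: 0 bytes
      last cleared 00:10:00 ago, conformed 7720 bps, exceeded 3480 bps
"""

# One regex per counter we care about; each captures a single integer.
PATTERNS = {
    "acl": re.compile(r"matches: access-group (\d+)"),
    "cir_bps": re.compile(r"params:\s+(\d+) bps"),
    "conformed_bytes": re.compile(r"conformed \d+ packets, (\d+) bytes"),
    "exceeded_bytes": re.compile(r"exceeded \d+ packets, (\d+) bytes"),
    "conformed_bps": re.compile(r"conformed (\d+) bps"),
    "exceeded_bps": re.compile(r"exceeded (\d+) bps"),
}


def parse_rate_limit(text):
    """Return the CAR counters from one `show interfaces ... rate-limit` block."""
    stats = {"interface": text.strip().splitlines()[0].strip()}
    for key, pat in PATTERNS.items():
        match = pat.search(text)
        if not match:
            raise ValueError(f"field {key!r} not found in output")
        stats[key] = int(match.group(1))
    return stats


def exceeded_share(stats):
    """Fraction of matched bytes that exceeded the CIR since the counters were cleared."""
    total = stats["conformed_bytes"] + stats["exceeded_bytes"]
    return stats["exceeded_bytes"] / total if total else 0.0


def suggest_cir(stats, headroom=1.25, step=8000):
    """Observed average ICMP rate plus headroom, rounded up to the 8 kbps
    increments CAR accepts. Only meaningful while exceed-action is transmit,
    since dropped traffic is no longer measured."""
    observed = stats["conformed_bps"] + stats["exceeded_bps"]
    return max(step, math.ceil(observed * headroom / step) * step)


if __name__ == "__main__":
    s = parse_rate_limit(SAMPLE_OUTPUT)
    print(f"{s['interface']} acl {s['acl']}: CIR {s['cir_bps']} bps, "
          f"{exceeded_share(s):.1%} of ICMP bytes exceeded; "
          f"suggested CIR {suggest_cir(s)} bps before switching to exceed-action drop")
```

Run it against the real output after a few clear counters cycles, as Rich suggests, so the averages reflect normal rather than cumulative traffic.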

------------------------------

Message: 4
Date: Mon, 25 Jul 2005 16:45:20 eet
From: "Security" <security at cytanet.com.cy>
Subject: [c-nsp] rate-limit icmp packets
To: cisco-nsp at puck.nether.net
Message-ID: <42e4ecf0.6625.0 at cytanet.com.cy>
Content-Type: text/plain; charset="iso-8859-1"

Hello all

I need to rate limit icmp echo and echo reply packets on my interfaces. Any
suggestion on how to do this? Can I do this on asynchronous interfaces
(Interfaces for PSTN/ISDN connections) also? How can I measure ICMP traffic
under normal network conditions so as to apply the correct rate limit?

I used the following format for asynchronous Interfaces
rate-limit input access-group 113 8000 1500 2000 conform-action transmit exceed-action drop
Extended IP access list 113
    permit icmp any any echo log-input
    permit icmp any any echo-reply log-input

Is this OK?

Thanks for your support

Regards


------------------------------

Message: 5
Date: Mon, 25 Jul 2005 17:27:05 +0300
From: "Jean-Christophe Varaillon" <jcvaraillon at dolnet.gr>
Subject: [c-nsp] Routing table
To: <cisco-nsp at puck.nether.net>
Message-ID:
	<009701c59124$ee575c40$fc95a8c0 at dolusers.internal.dolnet.gr>
Content-Type: text/plain;	charset="us-ascii"

Hi,

I have a question regarding routing tables and a possible optimization.

Internal-Routers<--->Border-Routers<--->Internet

The Border-Routers are BGP speakers:
They are receiving a full routing table from the Internet
They are receiving 10 prefixes from their Internal-Routers. 

The Border-Routers have a routing table of almost 170,000 routes.

The Border-Routers use this routing table to find the best path through
the Internet.

However they also check this huge routing table to route traffic to the
Internal-Routers.

Is there a way to have the Border-routers to check only among the 10
prefixes to route traffic from the Internet to the Internal-Routers?

Thank you,

Christophe



------------------------------

Message: 6
Date: Mon, 25 Jul 2005 09:21:34 -0600
From: John Neiberger <jneiberger at gmail.com>
Subject: [c-nsp] OT: Differences among T1 Internet access carriers
To: cisco-nsp at puck.nether.net
Message-ID: <547ad0fe05072508216c26e950 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I'm not going to renew the contract on one of my Internet access
circuits because the provider (GC) does not provide a useful DDoS
protection mechanism. So, I'll have to replace that circuit with one
from a major provider who does have such a mechanism. I've found that
Sprint, AT&T, and MCI have such mechanisms and I'd bet Level3 does, as
well.

But here's where I need some advice. At the T-1 level, is there really
much difference between these vendors from a technical perspective?
Would I be less happy with an MCI circuit, for example, versus one
from Sprint or AT&T? I'm beginning to think that at this level there
really isn't a significant difference except for perhaps in price.

We already have circuits from Sprint and we'd prefer to maintain some
carrier diversity so we're probably leaning toward MCI or AT&T.

Any thoughts?

Thanks,
John



------------------------------

Message: 7
Date: Mon, 25 Jul 2005 16:25:26 +0100
From: "Steve Wright" <steve.wright at visp.me.uk>
Subject: [c-nsp] MLPPP and bandwidths
To: <cisco-nsp at puck.nether.net>
Message-ID: <035001c5912d$150a7590$0c04a8c0 at STEVEWLTOP>
Content-Type: text/plain;	charset="iso-8859-1"

Hi all,

I'm currently trying to configure up Multilink PPP for ADSL connections.

This is being configured with 2 ADSL circuits terminated onto a 1721. The
LNS is a 7301.

I find that the circuits are bundled, and traffic from the 1721 to the 7301
is balanced over both circuits.

However, from the 7301 to the 1721, only 1 of the circuits are used. These
virtual interfaces are created from the following virtual template...

interface Virtual-Template1
 bandwidth 2272
 ip unnumbered Port-channel1
 ip verify unicast reverse-path
 ip mroute-cache
 no logging event link-status
 load-interval 30
 no snmp trap link-status
 peer default ip address pool default
 no keepalive
 ppp mtu adaptive
 ppp authentication chap pap
 ppp ipcp dns xxx.xxx.4.247 xxx.xxx.96.38
 ppp multilink
 ppp multilink fragment disable
 ppp multilink links minimum 2
 ppp multilink endpoint hostname
 ppp timeout retry 15
 ppp timeout authentication 15
end


With multilink, the virtual-interfaces seem to have their own mind of what
they are configured as (please see below...)


interface Virtual-Access4098
 bandwidth 2272
 ip unnumbered Port-channel1
 ip verify unicast reverse-path
 ip mroute-cache
 no logging event link-status
 load-interval 30
 no snmp trap link-status
 no routing dynamic
end

interface Virtual-Access23
 bandwidth 565
 ip mroute-cache
 no logging event link-status
 no snmp trap link-status
end

interface Virtual-Access4099
 bandwidth 155520
 ip mroute-cache
 no logging event link-status
 no snmp trap link-status
end


Also, if I do a show ppp multilink the weightings seem very biased toward
one circuit...
    lac_02:Vi4099  (xxx.xxx.0.74), since 00:01:50, 583200 weight, 1496 frag
size, unsequenced
    lac_02:Vi23  (xxx.xxx.0.74), since 00:01:56, 2118 weight, 1496 frag
size, unsequenced

Any thoughts of help would be very much appreciated!

Thanks,

Steve





------------------------------

Message: 8
Date: Mon, 25 Jul 2005 11:36:17 -0400 (EDT)
From: "Bill Wichers" <billw at waveform.net>
Subject: Re: [c-nsp] OT: Differences among T1 Internet access carriers
To: "John Neiberger" <jneiberger at gmail.com>
Cc: cisco-nsp at puck.nether.net
Message-ID: <38046.204.11.32.10.1122305777.squirrel at 204.11.32.10>
Content-Type: text/plain;charset=iso-8859-1

> But here's where I need some advice. At the T-1 level, is there really
> much difference between these vendors from a technical perspective?
> Would I be less happy with an MCI circuit, for example, versus one
> from Sprint or AT&T? I'm beginning to think that at this level there
> really isn't a significant difference except for perhaps in price.

IMHO, there is little difference between the major carriers in performance
and basic functionality. They're all selling themselves based on added
extras these days, or what they think their customers think makes them
better (mostly marketing it seems). You might want to try XO too if they
serve your area -- I'm not affiliated with them but I do work with them
a lot as we use some of their services and have had generally good luck
with them.

I'm not sure if Level3 sells T1s any longer. Last time I spoke with one of
their engineering guys I was told that they really only want to sell DS3
and larger circuitry, but that might have just been for transport and not
general Internet access service.

> We already have circuits from Sprint and we'd prefer to maintain some
> carrier diversity so we're probably leaning toward MCI or AT&T.

Unless you are in an on-net building for a carrier, all your circuits are
likely to come in on facilities owned by your local ILEC regardless of the
carrier you order from. This limits how much "extra reliability" you will
get by ordering services from several carriers. In 2003 when the big
eastern US blackout happened, one area near here lost an entire ILEC CO
(their generator seized apparently), which wiped out telecom service for
an entire area. Just a thought... If you are in a building that is on-net
for several carriers then you should consider ordering service from those
carriers in your building since you're likely to actually be on diverse
equipment (and possibly paths too) that way.

     -Bill

*****************************
Waveform Technology
Systems Engineer



------------------------------

Message: 9
Date: Mon, 25 Jul 2005 09:45:46 -0600
From: John Neiberger <jneiberger at gmail.com>
Subject: Re: [c-nsp] OT: Differences among T1 Internet access carriers
To: Bill Wichers <billw at waveform.net>
Cc: cisco-nsp at puck.nether.net
Message-ID: <547ad0fe050725084538fb5e5a at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

We have diverse paths into our building from two COs but that's only
for the fiber local loop stuff. We don't have diverse connections to
multiple carriers but we can terminate a new T1 onto one of our
existing DS3s for diversity.

We also tend to like geographic diversity when ordering multiple
circuits from a single provider. For example, we have two Sprint
circuits that terminate (logically) in two different cities. There
have been times where Sprint had problems in one location that had no
effect on the other.

I think I'll just pick the provider who has the services I require at
the lowest price. I see no reason to spend any time on this since
we're just talking about a T1. I'd spend more time on it if we were
talking about a DS3 or OC3.

Thanks,
John

On 7/25/05, Bill Wichers <billw at waveform.net> wrote:
> > But here's where I need some advice. At the T-1 level, is there really
> > much difference between these vendors from a technical perspective?
> > Would I be less happy with an MCI circuit, for example, versus one
> > from Sprint or AT&T? I'm beginning to think that at this level there
> > really isn't a significant difference except for perhaps in price.
> 
> IMHO, there is little difference between the major carriers in performance
> and basic functionality. They're all selling themselves based on added
> extras these days, or what they think their customers think makes them
> better (mostly marketing it seems). You might want to try XO too if they
> serve your area -- I'm not affiliated with them but I do work with them
> a lot as we use some of their services and have had generally good luck
> with them.
> 
> I'm not sure if Level3 sells T1s any longer. Last time I spoke with one of
> their engineering guys I was told that they really only want to sell DS3
> and larger circuitry, but that might have just been for transport and not
> general Internet access service.
> 
> > We already have circuits from Sprint and we'd prefer to maintain some
> > carrier diversity so we're probably leaning toward MCI or AT&T.
> 
> Unless you are in an on-net building for a carrier, all your circuits are
> likely to come in on facilities owned by your local ILEC regardless of the
> carrier you order from. This limits how much "extra reliability" you will
> get by ordering services from several carriers. In 2003 when the big
> eastern US blackout happened, one area near here lost an entire ILEC CO
> (their generator seized apparently), which wiped out telecom service for
> an entire area. Just a thought... If you are in a building that is on-net
> for several carriers then you should consider ordering service from those
> carriers in your building since you're likely to actually be on diverse
> equipment (and possibly paths too) that way.
> 
>     -Bill
> 
> *****************************
> Waveform Technology
> Systems Engineer
> 
>



------------------------------

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp


End of cisco-nsp Digest, Vol 32, Issue 92
*****************************************