[c-nsp] Per packet load balancing with low latency

Tony Varriale tvarriale at comcast.net
Thu Jan 15 15:10:48 EST 2009


Unfortunately, not everything Cisco recommends translates well into real 
world implementations.

Feel free to read RFC 1191.  That should explain everything.  BCP says don't 
turn off for this reason.

As for the security aspect, there have been a few vulnerabilities that were 
not really exploited and then fixed.  The pros of leaving this on far 
outweigh any potential, never really attacked, security issue.

And, if you do get seriously attacked by this method somehow, there are 
products on the market that can effectively mitigate it (as well as many 
others).

tv
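
An added illustration, not part of the original post: RFC 1191, cited above, defines Path MTU Discovery, which depends on routers returning ICMP "fragmentation needed" unreachables (type 3, code 4). This toy model shows what a sender sees when one hop runs `no ip unreachables`; the hop MTUs, packet sizes and all names in it are constructed assumptions.

```python
# Added example: toy model of RFC 1191 Path MTU Discovery (PMTUD).
# Hop MTUs and packet sizes are constructed sample values.
from dataclasses import dataclass

IP_MIN_MTU = 68  # smallest MTU an IPv4 link may have (RFC 791)

@dataclass
class Hop:
    mtu: int                   # MTU of the link this router forwards onto
    unreachables: bool = True  # False models "no ip unreachables"

def forward(path, size):
    """Send one DF-set packet of `size` bytes along `path`.

    Returns ("delivered", None), ("frag_needed", next_hop_mtu) when a
    router answers with ICMP type 3 code 4, or ("dropped", None) when
    the router discards the packet without telling the sender.
    """
    for hop in path:
        if size > hop.mtu:
            if hop.unreachables:
                return ("frag_needed", hop.mtu)
            return ("dropped", None)
    return ("delivered", None)

def discover_pmtu(path, first_hop_mtu=1500, max_tries=8):
    """Sender side: start at the first-hop MTU, shrink on each ICMP."""
    pmtu, log = first_hop_mtu, []
    for _ in range(max_tries):
        result, next_mtu = forward(path, pmtu)
        log.append((pmtu, result))
        if result == "delivered":
            return pmtu, log
        if result == "frag_needed":
            pmtu = max(next_mtu, IP_MIN_MTU)
        # "dropped": the sender learns nothing and retransmits the
        # same size until it gives up -- a PMTUD black hole.
    return None, log

# Same three-hop path, with and without unreachables on the middle hop.
OPEN_PATH = [Hop(1500), Hop(1476), Hop(1400)]
FILTERED_PATH = [Hop(1500), Hop(1476, unreachables=False), Hop(1400)]

if __name__ == "__main__":
    print(discover_pmtu(OPEN_PATH))
    print(discover_pmtu(FILTERED_PATH))
    print(forward(FILTERED_PATH, 576))  # small packets still get through
```

Small packets still cross the filtered path, so pings and TCP handshakes succeed while full-size segments stall, which is why this failure is hard to spot from the router that caused it.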

----- Original Message ----- 
From: "Michael Malitsky" <malitsky at netabn.com>
To: <cisco-nsp at puck.nether.net>
Sent: Thursday, January 15, 2009 1:42 PM
Subject: Re: [c-nsp] Per packet load balancing with low latency


> Tony,
>
> I'll agree with the comments on uRPF and queuing - you should know why
> you want these changes before making them.
>
> However, disabling IP Unreachables is now one of the baseline measures
> for infrastructure protection, and recommended as such by Cisco.  I'll
> agree in advance that there may be situations where IP unreachables are
> desired, or situations where infrastructure protection is not important,
> but by and large disabling it seems to be a good step.  If you disagree,
> I'd appreciate an explanation.
>
> Sincerely,
> Michael Malitsky
>
>
>> Message: 3
>> Date: Thu, 15 Jan 2009 11:37:38 -0600
>> From: "Tony Varriale" <tvarriale at comcast.net>
>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>> To: <cisco-nsp at puck.nether.net>
>> Message-ID: <B689C067A7794B108D6E78A4A417D585 at flamdt01>
>> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>> reply-type=original
>>
>> William,
>>
>> Note that some of those config items are optional.  The base config
>> from Michael would be:
>>
>> > interface Multilink1
>> > description Multiplexed Logical Connection to remote site
>> > ip address 1.1.1.1 255.255.255.0
>> > no ip redirects
>> > no ip proxy-arp
>> > ppp multilink
>> > ppp multilink fragment disable
>> > ppp multilink group 1
>>
>> > interface Serial1/0/19:0
>> > description Connected to remote site (circuit 1)
>> > no ip address
>> > no ip redirects
>> > encapsulation ppp
>> > ppp multilink
>> > ppp multilink group 1
>>
>>
>> Be careful with URPF.  You may not need to modify your
>> queues...probably don't unless you understand it.
>>
>> And please, do not disable unreachables.
>>
>> tv
>>
>> ----- Original Message -----
>> From: "Michael Malitsky" <malitsky at netabn.com>
>> To: <cisco-nsp at puck.nether.net>
>> Sent: Thursday, January 15, 2009 11:20 AM
>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>>
>>
>> > Don't have a link handy, but here is a sample of the config we use.
>> > You can view status using
>> >
>> > show ppp multilink
>> >
>> >
>> >
>> > interface Multilink1
>> > description Multiplexed Logical Connection to remote site
>> > ip address 1.1.1.1 255.255.255.0
>> > ip access-group inbound in
>> > ip access-group outbound out
>> > ip verify unicast source reachable-via rx
>> > no ip redirects
>> > no ip unreachables
>> > no ip proxy-arp
>> > no peer neighbor-route
>> > fair-queue 1024 256 0
>> > ppp multilink
>> > ppp multilink fragment disable
>> > ppp multilink group 1
>> >
>> > interface Serial1/0/19:0
>> > description Connected to remote site (circuit 1)
>> > no ip address
>> > no ip redirects
>> > no ip unreachables
>> > no ip proxy-arp
>> > encapsulation ppp
>> > no fair-queue
>> > ppp multilink
>> > ppp multilink group 1
>> >
>> > interface Serial1/0/21:0
>> > description Connected to remote site (circuit 2)
>> > no ip address
>> > no ip redirects
>> > no ip unreachables
>> > no ip proxy-arp
>> > encapsulation ppp
>> > no fair-queue
>> > ppp multilink
>> > ppp multilink group 1
>> >
>> >
>> >
>> >
>> >
>> >
>> > Sincerely,
>> > Michael Malitsky
>> >
>> >> Message: 8
>> >> Date: Thu, 15 Jan 2009 16:55:48 +0000
>> >> From: William <willay at gmail.com>
>> >> Subject: Re: [c-nsp] Per packet load balancing with low latency
>> >> applications
>> >> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
>> >> Message-ID:
>> >> <a24358fb0901150855s5a5656b0wa62c017d2864b10b at mail.gmail.com>
>> >> Content-Type: text/plain; charset=ISO-8859-1
>> >>
>> >> Can anyone point me to some decent documentation on setting up
>> >> MLPPP with serial links? Google/Cisco.com is not liking my key
>> >> words today.
>> >>
>> >> Thanks for your time.
>> >>
>> >> W
>> >>
>> >> 2009/1/15  <A.L.M.Buxey at lboro.ac.uk>:
>> >> > Hi,
>> >> >> Yes, age old question.
>> >> >>
>> >> >> Use layer 2 technologies such as MLPPP.
>> >> >
>> >> > yep - you can then choose the appropriate load balancing
>> >> > method so media streams for the same target go down the same
>> >> > pipe.
>> >> > missing packets are generally okay for most modern streaming
>> >> > systems...they ignore them..you might get a little glitch if you
>> >> > are unlucky....but packets arriving out of order? ouch.
>> >> >
>> >> > alan
>> >> >
>> >
>> > _______________________________________________
>> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>