Community discussions

Search found 15 matches

by dottxt
Fri Mar 29, 2019 5:20 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40230

Re: UKNOF 43 CVE

For CVE-2018-19299, Are systems that do not have IPv6 connection tracking enabled affected?
by dottxt
Mon Apr 20, 2015 3:47 pm
Forum: RouterBOARD hardware
Topic: Wishlist Item: SFP Switches
Replies: 6
Views: 1079

Re: Wishlist Item: SFP Switches

If a pure SFP+ switch was released (with redundant internal power supplies), I'd pick up at least 10.
by dottxt
Sun Jan 11, 2015 6:10 am
Forum: RouterBOARD hardware
Topic: CCR DDOS CPU Load
Replies: 10
Views: 5689

Re: CCR DDOS CPU Load

On 6.24 we can handle about 1.1 or 1.2M PPS of syn flood. After that the packet loss causes the router to lock up. I'm hoping the CCR1072 will double that when it finally arrives. Still, we're probably going to have to move in a different direction for our edge routing since we use 10G ethernet. Oth...
by dottxt
Mon Jan 05, 2015 8:29 am
Forum: RouterBOARD hardware
Topic: CCR DDOS CPU Load
Replies: 10
Views: 5689

Re: CCR DDOS CPU Load

What TCP port is under attack? If it's port 80 then I would suggest signing up for a service like Cloudflare. The services that are targeted aren't http based unfortunately, so couldflare isn't an option. Our total connectivity is 20 gigabits, so ideally we would like to pass any traffic we recieve...
by dottxt
Sun Jan 04, 2015 8:45 pm
Forum: RouterBOARD hardware
Topic: CCR DDOS CPU Load
Replies: 10
Views: 5689

CCR DDOS CPU Load

Hello, I'm hoping theres an easy answer for this. We are seeing some low end DDOS attacks around 1-2 gbit/sec. The attack signature is SYN packets with random source IPs with a destination within the network that the CCRs do edge routing for. The CPU level is basically 100% the whole time. We did so...
by dottxt
Sun Dec 28, 2014 9:25 am
Forum: RouterBOARD hardware
Topic: CCR-1072 release date?
Replies: 71
Views: 13910

Re: CCR-1072 release date?

We never have problems pushing more than 1gig via TCP on a single connection. I don't think I've seen a single core rise above 3 or 4% when routing a few gig. Keep in mind, we have no queues, no firewall, and fastpath is on, so perhaps thats where you're experiencing the ceiling?
by dottxt
Thu Nov 06, 2014 2:33 am
Forum: RouterBOARD hardware
Topic: CCR1036-8G-2S+EM for border/edge router
Replies: 5
Views: 2345

Re: CCR1036-8G-2S+EM for border/edge router

We use the 1036-8G-2S+ models for our edge routers, and they work great. Here's how we have them configured: 1) No firewall rules, so fastpath is enabled. If we need to drop packets, we add a null/blackhole route. We also announce that IP to our upstreams blackhole BGP session. 2) Any filtering via ...
by dottxt
Mon Oct 20, 2014 7:08 am
Forum: General
Topic: CCR issue
Replies: 8
Views: 2121

Re: CCR issue

Is the CPU on the CCR maxed out during the tests?

Also, in Winbox, under Interfaces, add the columns Tx Drops, Rx Drops, Tx Errors, and Rx Errors if they aren't there already. During your testing, check to make sure these are all holding 0.

Let us know how it goes.
by dottxt
Thu Oct 16, 2014 5:41 am
Forum: RouterBOARD hardware
Topic: DO NOT USE CCR1036 WITH 2 BGP SESSIONS
Replies: 6
Views: 1775

Re: DO NOT USE CCR1036 WITH 2 BGP SESSIONS

Ram for the CCR series is pretty inexpensive. I had an 1036-8g-2s+-EM model show similar symptoms. Replaced the 16G with one 8G stick (http://www.neweggbusiness.com/product/product.aspx?item=9b-20-139-976) and its been up for 34 days since pushing a few gb/s average with 3 full tables. My recommenda...
by dottxt
Wed Sep 10, 2014 9:11 am
Forum: General
Topic: CCR Performance
Replies: 5
Views: 1241

Re: CCR Performance

Are you going to be doing just BGP and routing, or are you going to use filters on the traffic as well? We have 3 in production doing multi gigabit routing, each with full BGP tables from at least 3 peers, and they aren't breaking a sweat. We don't have any queues or firewall filters though, so I ca...
by dottxt
Fri Jul 11, 2014 7:09 pm
Forum: RouterBOARD hardware
Topic: Poor routing performance on CCR
Replies: 3
Views: 1304

Re: Poor routing performance on CCR

The lack of outbound packets is via a null route (blackhole), not a firewall rule, so I would think the fastpath should still work. The CPU usage was double what it was in the screenshot prior to the null route being added, so even if a blackhole avoids fastpath, it still wasn't forwarding with the ...
by dottxt
Sun Jul 06, 2014 1:17 am
Forum: RouterBOARD hardware
Topic: Poor routing performance on CCR
Replies: 3
Views: 1304

Poor routing performance on CCR

Hello, We have 2 CCR's in production right now, running ROS v 6.15, and when we receive DDOS traffic to hosts on our network in the 600k PPS range, we are seeing %50-75 CPU usage. At 1G, the systems lock up and restart. IF the systems are supposed to route many millions of packets per second, then I...
by dottxt
Thu May 01, 2014 6:55 pm
Forum: RouterBOARD hardware
Topic: CCR1036 - Routing Tables
Replies: 7
Views: 1665

Re: CCR1036 - Routing Tables

We use 2 CCR's in a production environment replacing 2x vyatta systems. We receive full detailed tables from multiple carriers on each router, in v4 and v6, and take peering carrier routes from about 5 peers on a local IX. So far, no complaints. I can confirm that the table reload time can be anywhe...
by dottxt
Tue Feb 18, 2014 5:00 am
Forum: RouterBOARD hardware
Topic: Fastpath IPv6
Replies: 0
Views: 699

Fastpath IPv6

Hello, Quick question. Do the CCR models support fastpath in IPv6, or is that done in software? We run a good deal of V6 traffic, especially with small packets, so fastpath will be quite useful for us. Currently running a 1036-8g-2s+ and a 1016 in production now for our V4 network. Let me know Thanks
by dottxt
Sun Feb 02, 2014 6:29 pm
Forum: RouterBOARD hardware
Topic: CLOUD CORE ROUTER
Replies: 1374
Views: 1015906

Re: CLOUD CORE ROUTER

Is there any word on the CCR line supporting IPv6 in fastpath? I only see V4 documentation for it.